Exported from Confluence (wiki.ncsa.illinois.edu), Fri, 29 Mar 2024
Document Name: NCSA Security Monitoring Policy
Version: 1.2
Accountable: James Eyrich
Authors: Adam Slagell
This policy covers all users of NCSA production systems for external customers and any system using NCSA datacenter networks, including Blue Waters.
See also: NCSA Network Security Policy, High Performance Datacenter (HPDC) Zone.
The primary threat to the security of NCSA production systems comes from user "identity theft", often exposed as compromised user accounts and credentials. Within the existing HPC environments managed by NCSA, 25% of security incidents stem from user credentials becoming compromised and used by unauthorized persons for malicious purposes. This document details the policy covering the monitoring of user activity.
The NCSA support staff (e.g. system managers, networking and security teams) monitor all NCSA production systems and any system using NCSA datacenter networks or related resources. This extends to monitoring all user interactions with these resources, including encrypted channels such as SSH. Secure communication channels may be modified to permit this monitoring to take place.
All users of systems where such monitoring takes place will be notified of this fact through user agreements, login banners or other mechanisms.
The detailed SSH logs, which record most command line input and output as well as file transfers, are generally rotated out of use and discarded after approximately 4 weeks unless suspicious activities have occurred. These logs provide much of the input for the host-based intrusion detection system. For specific security incidents, relevant portions of these logs may be saved into our incident response tracking system or other areas. Higher-level logs (e.g., network flows, IDS alerts, authentication logs, process accounting, and general system logs) may be held for longer periods of time.
Our intrusion detection/protection systems (IDPS) monitor the SSH commands executed and the files downloaded or uploaded (as part of most everything processed through STDIN/STDOUT), looking for signs of account compromise. Users will be informed as soon as possible if inappropriate activities involving their accounts are detected.