NCSA wiki will be offline Friday, Apr 19, 2024, from 1700 hours until Sun, Apr 21, 2024 in order to upgrade Confluence.
| Panel |
|---|
Document Name: NCSA Security Monitoring Policy Approved: 2008 by the Office of the CIOStatus: Active Principal Author: Adam Slagell, CISO Approved by: Dr. William T.C. Kramer, Blue Waters Deputy Director |
Scope
This policy covers all users of NCSA HPC systems and Blue Waters Systems (test and development clusters, i.e. Blueprint, and Blue Waters HPC)production systems for external customers, including Blue Waters.
Introduction & Purpose
The primary threat to the security of NCSA production systems comes from user "identity theft", often exposed as compromised user accounts and credentials. Within the existing HPC environments managed by NCSA, 25% of security incidents stem from user credentials becoming compromised and used by unathorized unauthorized persons for malicious purposes. This document details the policy covering the monitoring of user activity.
Policy Statement
The NCSA and Blue Waters support staff (e.g. system managers, Incident Response & Security Team (IRST)) monitors all NCSA and Blue Waters production systems, in particular the HPC clusters networking and security teams) monitor all NCSA production systems and related resources. This extends to monitoring all user interactions with these resources including encrypted channels such as SSH. Secure communications communication channels may be modified to permit this monitoring to take place.
All users of Blue Waters and other HPC resources where such monitoring takes place will be provided periodic notification that such monitoring is in placenotification of this fact through user agreements, login banners or other mechanisms.
Process Details
Log Retention
The detailed SSH logs, which record most command line input and output as well as file transfers, are generally rotated out of use and discarded after approximately 4 weeks unless suspected activites suspicious activities have occurred. These logs provide much of the input for the host-based intrusion detection system. For specific security incidents, relevant portions of these logs may be saved into our incident response tracking system or other areas. Higher-level logs (e.g., network flows, IDS alerts, authentication logs, process accounting, and general system logs) may be held for longer periods of time.
Host-based Intrusion Detection System (HIDS)
...
Our intrusion detection/protection systems (IDPS) monitors the SSH commands executed and files down\[up\]loaded (as part of most everything processed though through STDIN/STDOUT), looking for signs of account compromise. Users will be informed as soon as possible if inappropriate activites activities involving their account accounts are detected.