June 13-16, 2023

iRODS User Group Meeting 2023

Chapel Hill, NC

Advanced Training:

Auditing

Alan King, Senior Software Developer

Justin James, Senior Applications Engineer

iRODS Consortium

Getting Started

sudo apt-get -y install \
   irods-externals-cmake3.21.4-0 \
   irods-externals-clang13.0.0-0 \
   irods-externals-qpid-proton0.36.0-1 \
   irods-externals-fmt8.1.1-0 \
   irods-dev
export PATH=/opt/irods-externals/cmake3.21.4-0/bin:$PATH

Install and configure build tools

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install -y docker-ce
sudo usermod -aG docker ${USER}

Install Docker

Setup Auditing Rule Engine Plugin

Clone the auditing REP repository and build packages:

cd

git clone https://github.com/irods/irods_rule_engine_plugin_audit_amqp -b 4-3-0-stable

mkdir build_audit

cd build_audit

cmake ../irods_rule_engine_plugin_audit_amqp

make package

sudo dpkg -i irods-rule-engine-plugin-audit-amqp_4.3.0.1-1~focal_amd64.deb

Setup Auditing Rule Engine Plugin

Edit /etc/irods/server_config.json

  • add a new stanza to the rule_engines array after irods_rule_engine_plugin-irods_rule_language-instance

  • add the audit namespace

        "rule_engines": [
            {             

               "instance_name": "irods_rule_engine_plugin-irods_rule_language-instance",
                ...

                ...
                "shared_memory_instance": "irods_rule_language_rule_engine"
            },
            {
                "instance_name": "irods_rule_engine_plugin-audit_amqp-instance",
                "plugin_name": "irods_rule_engine_plugin-audit_amqp",
                "plugin_specific_configuration" : {
                     "amqp_location" : "ANONYMOUS@localhost:5672",
                     "amqp_topic" : "audit_messages",
                     "pep_regex_to_match" : "audit_.*"
                 }
           },

           {
                "instance_name": "irods_rule_engine_plugin-cpp_default_policy-instance",

...

...

    "rule_engine_namespaces": [
        "", 
        "audit_"
    ], 

Setup Monitoring

Clone the irods/contrib repository and build the Docker image:

cd

git clone https://github.com/irods/contrib

cd ~/contrib/irods_audit_elk_stack

DOCKER_BUILDKIT=1 docker build -t irods/irods_audit_elk_stack .

docker run -dit -p 8080:15672 -p 5672:5672 -p 80:5601 -p 9200:9200 irods/irods_audit_elk_stack

Tracking What We've Done

  • We installed the audit plugin which generates events for every dynamic policy enforcement point executed
     
  • We started a docker container with the following software:
    • RabbitMQ - message broker to catch events
    • Not-Logstash - to read the events and write to DB
    • Elasticsearch - database to store the events
    • Kibana - visualization tool

Tracking What We've Done

  • Visit http://<ip> where ip is the public IP for your VM
  • Click on Analytics -> Dashboard

Tracking What We've Done

You have a visualization of what is happening in your iRODS zone.

 

You can see the bytes written and received, connections, top users, etc.

 

These are just a sample of what can be visualized.

 

All of the data is in the Elastic database and can be queried for additional interesting patterns or characteristics.

Tracking Origin of a File

Now let's say we want to track the origin (provenance) of some files in our system.

 

We have PEPs stored in our Elastic database that provide an audit trail for us.

 

Before we get started, let's install jq so that we can parse the JSON output of an elasticsearch query.

sudo apt-get -y install jq

Tracking Who Wrote to the File

curl -XGET 'localhost:9200/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
     "_source": [ "@timestamp", "user_user_name", "obj_path" ],
     "sort" : [
         {"@timestamp":{"order": "asc"}}
     ],
     "size" :10000,
     "query": {
         "bool":  {
             "must": [
                 { "match": { "rule_name": "audit_pep_api_data_obj_put_pre" } },
                 { "match_phrase": { "obj_path": "tempZone/home/rods/stickers.jpg" } }
             ]
        }
     }
 }' | jq ".hits.hits[] | ._source"

Search for put activity on /tempZone/home/rods/stickers.jpg

Tracking Who Wrote to the File

This query returns the following five records showing the user rods put stickers.jpg five times:

{
  "@timestamp": "2018-05-30T20:13:01.331Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2018-05-30T21:02:59.350Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2018-05-30T21:03:16.370Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2018-05-30T21:03:31.671Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2018-05-30T21:12:01.143Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}

Tracking Read Access to the File

curl -XGET 'localhost:9200/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
     "_source": [ "@timestamp", "user_user_name", "obj_path" ],
     "sort" : [
         {"@timestamp":{"order": "asc"}}
     ],
     "size" :10000,
     "query": {
         "bool":  {
             "must": [
                 { "match": { "rule_name": "audit_pep_api_data_obj_get_pre" } },
                 { "match_phrase": { "obj_path": "tempZone/home/rods/stickers.jpg" } }
             ]
        }
     }
 }' | jq ".hits.hits[] | ._source"

Search for read activity on /tempZone/home/rods/stickers.jpg

Look for all the "pre" PEPs

Search for all the "pre" PEPs that have been executed today, but exclude any authentication PEPs

curl -XGET 'localhost:9200/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
     "_source": [ "@timestamp", "rule_name" ],
     "sort" : [
         {"@timestamp":{"order": "asc"}}
     ],
     "size" :10000,
     "query": {
         "bool": {
             "must" : {
                  "regexp": {"rule_name": "audit_pep_api_.*_pre"}
              },
              "must_not" : {
                    "regexp": {"rule_name": "audit_pep_api_auth.*_pre"}
               }
          }
      }
 }' | jq ".hits.hits[] | ._source"