Advanced Training:
Auditing
May 28-31, 2024
iRODS User Group Meeting 2024
Amsterdam, Netherlands
Alan King, Senior Software Developer
Martin Flores, Software Developer
iRODS Consortium
Getting Started
Install Docker
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install -y docker-ce
sudo usermod -aG docker ${USER}
Install the auditing rule engine plugin
sudo apt-get -y install irods-rule-engine-plugin-audit-amqp
Setup the iRODS Audit Plugin
Edit /etc/irods/server_config.json.
Add a new stanza to the rule_engines array, after the irods_rule_language plugin.
"rule_engines": [
{
"instance_name": "irods_rule_engine_plugin-irods_rule_language-instance",
...
...
"shared_memory_instance": "irods_rule_language_rule_engine"
},
{
"instance_name": "irods_rule_engine_plugin-audit_amqp-instance",
"plugin_name": "irods_rule_engine_plugin-audit_amqp",
"plugin_specific_configuration" : {
"amqp_location" : "ANONYMOUS@localhost:5672",
"amqp_topic" : "audit_messages",
"pep_regex_to_match" : "pep_(api|resource)_.*"
}
},
{
"instance_name": "irods_rule_engine_plugin-cpp_default_policy-instance",
...
Setup Monitoring
Launch the prebuilt Docker image from https://github.com/irods/contrib:
docker run -d -p 8080:15672 -p 5672:5672 -p 80:5601 -p 9201:9200 irods/irods_audit_elk_stack
You now have a docker container instance running within your virtual machine which is running the following services:
- RabbitMQ - Message broker that stores the AMQP messages
- Elasticsearch - Database that stores the AMQP messages
- not-logstash - Reads messages from RabbitMQ and writes them to Elasticsearch
- Kibana - A data visualization dashboarding tool for Elasticsearch
The newly configured audit plugin is generating AMQP messages for every 'api' and 'resource' dynamic policy enforcement point executed in the iRODS server.
Tracking What We've Done
- Visit http://<ip> where ip is the public IP for your VM
- Click on Analytics -> Dashboard
You have a visualization of what is happening in your iRODS zone.
You can see the bytes written and received, connections, top users, etc.
These are just a sample of what can be visualized.
All of the data is in the Elastic database and can be queried for additional interesting patterns or characteristics.
Tracking Origin of a File
Now let's say we want to track the origin (provenance) of some files in our system.
We have PEPs stored in our Elastic database that provide an audit trail for us.
Before we get started, let's install jq so that we can parse the JSON output of an elasticsearch query.
sudo apt-get -y install jq
Tracking Who Wrote to the File
curl -XGET 'localhost:9201/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
"_source": [ "@timestamp", "user_user_name", "obj_path" ],
"sort" : [
{"@timestamp":{"order": "asc"}}
],
"size" :10000,
"query": {
"bool": {
"must": [
{ "match": { "rule_name": "audit_pep_api_data_obj_put_pre" } },
{ "match_phrase": { "obj_path": "tempZone/home/rods/stickers.jpg" } }
]
}
}
}' | jq ".hits.hits[] | ._source"
Search for put activity on /tempZone/home/rods/stickers.jpg
This query returns the following five records showing the user rods put stickers.jpg five times:
{ "@timestamp": "2024-05-20T20:13:01.331Z", "obj_path": "/tempZone/home/rods/stickers.jpg", "user_user_name": "rods" }
{ "@timestamp": "2024-05-20T21:02:59.350Z", "obj_path": "/tempZone/home/rods/stickers.jpg", "user_user_name": "rods" }
{ "@timestamp": "2024-05-20T21:03:16.370Z", "obj_path": "/tempZone/home/rods/stickers.jpg", "user_user_name": "rods" }
{ "@timestamp": "2024-05-20T21:03:31.671Z", "obj_path": "/tempZone/home/rods/stickers.jpg", "user_user_name": "rods" }
{ "@timestamp": "2024-05-20T21:12:01.143Z", "obj_path": "/tempZone/home/rods/stickers.jpg", "user_user_name": "rods" }
Tracking Read Access to the File
curl -XGET 'localhost:9201/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
"_source": [ "@timestamp", "user_user_name", "obj_path" ],
"sort" : [
{"@timestamp":{"order": "asc"}}
],
"size" :10000,
"query": {
"bool": {
"must": [
{ "match": { "rule_name": "audit_pep_api_data_obj_get_pre" } },
{ "match_phrase": { "obj_path": "tempZone/home/rods/stickers.jpg" } }
]
}
}
}' | jq ".hits.hits[] | ._source"
Search for read activity on /tempZone/home/rods/stickers.jpg
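The put and get queries above differ only in the rule_name they match. As an added example (not code from the training deck or the iRODS project), this Python script builds that same _search body for either action and reduces the hits a query returns to a per-user access summary; the response it runs against is a constructed sample shaped like the records on the slide, with a hypothetical second user added so the grouping is visible.

```python
import json
from collections import Counter
from typing import Any

# Added example, not from the iRODS training deck. Field names
# (@timestamp, user_user_name, obj_path, rule_name) are the ones the slides
# query in the irods_audit index.

PEP_BY_ACTION = {
    "put": "audit_pep_api_data_obj_put_pre",
    "get": "audit_pep_api_data_obj_get_pre",
}


def build_query(action: str, obj_path: str, size: int = 10000) -> dict[str, Any]:
    """Same body the slides send to /irods_audit/_search, for put or get."""
    return {
        "_source": ["@timestamp", "user_user_name", "obj_path"],
        "sort": [{"@timestamp": {"order": "asc"}}],
        "size": size,
        "query": {"bool": {"must": [
            {"match": {"rule_name": PEP_BY_ACTION[action]}},
            {"match_phrase": {"obj_path": obj_path}},
        ]}},
    }


def summarise_hits(response: dict[str, Any]) -> dict[str, Any]:
    """Reduce a _search response (the part jq selects) to who touched the object and when."""
    sources = [h["_source"] for h in response["hits"]["hits"]]
    times = sorted(s["@timestamp"] for s in sources)
    return {
        "count": len(sources),
        "by_user": dict(Counter(s["user_user_name"] for s in sources)),
        "first": times[0] if times else None,
        "last": times[-1] if times else None,
    }


# Constructed sample response; "alice" is a hypothetical user, not on the slide.
SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_source": {"@timestamp": t, "obj_path": "/tempZone/home/rods/stickers.jpg",
                 "user_user_name": u}}
    for t, u in [("2024-05-20T20:13:01.331Z", "rods"),
                 ("2024-05-20T21:02:59.350Z", "rods"),
                 ("2024-05-20T21:03:16.370Z", "alice")]
]}}

if __name__ == "__main__":
    print(json.dumps(build_query("put", "/tempZone/home/rods/stickers.jpg"), indent=1))
    print(summarise_hits(SAMPLE_RESPONSE))
```

To run it against the live stack, POST json.dumps(build_query(...)) to localhost:9201/irods_audit/_search with Content-Type: application/json and pass the decoded response to summarise_hits.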
Look for all the "pre" PEPs
Search for all the "pre" PEPs that have been executed today, but exclude any authentication PEPs
curl -XGET 'localhost:9201/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
"_source": [ "@timestamp", "rule_name" ],
"sort" : [
{"@timestamp":{"order": "asc"}}
],
"size" :10000,
"query": {
"bool": {
"must" : { "regexp": {"rule_name": "audit_pep_api_.*_pre"} },
"must_not" : { "regexp": {"rule_name": "audit_pep_api_auth.*_pre"} }
}
}
}' | jq ".hits.hits[] | ._source"
Questions?
UGM 2024 - Auditing
By iRODS Consortium
iRODS User Group Meeting 2024 - Advanced Training Module