Advanced Training:

Auditing

May 28-31, 2024

iRODS User Group Meeting 2024

Amsterdam, Netherlands

Alan King, Senior Software Developer

Martin Flores, Software Developer

iRODS Consortium

Getting Started

Install Docker

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install -y docker-ce
sudo usermod -aG docker ${USER}

Install the auditing rule engine plugin

sudo apt-get -y install irods-rule-engine-plugin-audit-amqp

Set up the iRODS Audit Plugin

Edit /etc/irods/server_config.json.

Add a new stanza to the rule_engines array, after the irods_rule_language plugin.

    "rule_engines": [
        {
            "instance_name": "irods_rule_engine_plugin-irods_rule_language-instance",
            ...
            "shared_memory_instance": "irods_rule_language_rule_engine"
        },
        {
            "instance_name": "irods_rule_engine_plugin-audit_amqp-instance",
            "plugin_name": "irods_rule_engine_plugin-audit_amqp",
            "plugin_specific_configuration": {
                "amqp_location": "ANONYMOUS@localhost:5672",
                "amqp_topic": "audit_messages",
                "pep_regex_to_match": "pep_(api|resource)_.*"
            }
        },
        {
            "instance_name": "irods_rule_engine_plugin-cpp_default_policy-instance",
            ...

Set up Monitoring

Launch the prebuilt Docker image from https://github.com/irods/contrib:

docker run -d -p 8080:15672 -p 5672:5672 -p 80:5601 -p 9201:9200 irods/irods_audit_elk_stack

You now have a Docker container running inside your virtual machine that provides the following services:

  • RabbitMQ - Message broker that receives and stores the AMQP messages
  • Elasticsearch - Database that stores the audit messages
  • not-logstash - Reads messages from RabbitMQ and writes them to Elasticsearch
  • Kibana - A data visualization and dashboarding tool for Elasticsearch

The newly configured audit plugin is now generating an AMQP message for every 'api' and 'resource' dynamic policy enforcement point (PEP) executed in the iRODS server, as selected by the pep_regex_to_match setting above.

Tracking What We've Done

  • Visit http://<ip>, where <ip> is the public IP of your VM (port 80 is mapped to Kibana in the docker run command above)
  • Click on Analytics -> Dashboard

You have a visualization of what is happening in your iRODS zone.

You can see the bytes written and received, connections, top users, etc.

These are just a sample of what can be visualized.

All of the data is in the Elasticsearch database and can be queried for additional interesting patterns or characteristics.

Tracking Origin of a File

Now let's say we want to track the origin (provenance) of some files in our system.

The PEP records stored in our Elasticsearch database provide an audit trail for us.

Before we get started, let's install jq so that we can parse the JSON output of an Elasticsearch query.

sudo apt-get -y install jq

Tracking Who Wrote to the File

curl -XGET 'localhost:9201/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
    "_source": [ "@timestamp", "user_user_name", "obj_path" ],
    "sort": [
        { "@timestamp": { "order": "asc" } }
    ],
    "size": 10000,
    "query": {
        "bool": {
            "must": [
                { "match": { "rule_name": "audit_pep_api_data_obj_put_pre" } },
                { "match_phrase": { "obj_path": "tempZone/home/rods/stickers.jpg" } }
            ]
        }
    }
}' | jq ".hits.hits[] | ._source"

Search for put activity on /tempZone/home/rods/stickers.jpg

This query returns the following five records, showing that the user rods put stickers.jpg five times:

{
  "@timestamp": "2024-05-20T20:13:01.331Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2024-05-20T21:02:59.350Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2024-05-20T21:03:16.370Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2024-05-20T21:03:31.671Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}
{
  "@timestamp": "2024-05-20T21:12:01.143Z",
  "obj_path": "/tempZone/home/rods/stickers.jpg",
  "user_user_name": "rods"
}

Tracking Read Access to the File

curl -XGET 'localhost:9201/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
    "_source": [ "@timestamp", "user_user_name", "obj_path" ],
    "sort": [
        { "@timestamp": { "order": "asc" } }
    ],
    "size": 10000,
    "query": {
        "bool": {
            "must": [
                { "match": { "rule_name": "audit_pep_api_data_obj_get_pre" } },
                { "match_phrase": { "obj_path": "tempZone/home/rods/stickers.jpg" } }
            ]
        }
    }
}' | jq ".hits.hits[] | ._source"

Search for read activity on /tempZone/home/rods/stickers.jpg
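As an added example (not code from the slides or from the iRODS project), this Python script builds the same request body as the two curl queries above for any PEP/path pair, then walks over constructed sample hits in the _source shape shown above to produce a per-file access trail and to flag users who read the file without ever having written it. The user alice and the auth record in the sample data are assumptions for illustration.

```python
from collections import defaultdict

PUT_PEP = "audit_pep_api_data_obj_put_pre"
GET_PEP = "audit_pep_api_data_obj_get_pre"

# Constructed sample records in the shape of the _source documents in the
# irods_audit index; the auth record and the user "alice" are invented.
SAMPLE_HITS = [
    {"@timestamp": "2024-05-20T20:13:01.331Z", "rule_name": PUT_PEP,
     "user_user_name": "rods", "obj_path": "/tempZone/home/rods/stickers.jpg"},
    {"@timestamp": "2024-05-20T21:02:59.350Z", "rule_name": PUT_PEP,
     "user_user_name": "rods", "obj_path": "/tempZone/home/rods/stickers.jpg"},
    {"@timestamp": "2024-05-20T21:05:10.000Z", "rule_name": GET_PEP,
     "user_user_name": "alice", "obj_path": "/tempZone/home/rods/stickers.jpg"},
    {"@timestamp": "2024-05-20T21:06:00.000Z", "rule_name": "audit_pep_api_auth_request_pre",
     "user_user_name": "alice", "obj_path": ""},
    {"@timestamp": "2024-05-20T21:07:00.000Z", "rule_name": GET_PEP,
     "user_user_name": "rods", "obj_path": "/tempZone/home/rods/stickers.jpg"},
]


def build_query(rule_name, obj_path, size=10000):
    """Request body equivalent to the curl queries above, for any PEP/path pair."""
    return {
        "_source": ["@timestamp", "user_user_name", "obj_path"],
        "sort": [{"@timestamp": {"order": "asc"}}],
        "size": size,
        "query": {"bool": {"must": [
            {"match": {"rule_name": rule_name}},
            {"match_phrase": {"obj_path": obj_path}},
        ]}},
    }


def access_timeline(hits, obj_path):
    """Chronological (timestamp, user, action) trail for one data object."""
    actions = {PUT_PEP: "put", GET_PEP: "get"}
    return sorted((h["@timestamp"], h["user_user_name"], actions[h["rule_name"]])
                  for h in hits
                  if h.get("obj_path") == obj_path and h["rule_name"] in actions)


def readers_who_never_wrote(hits, obj_path):
    """Users who fetched the object but never put a version of it themselves."""
    users = defaultdict(set)
    for _, user, action in access_timeline(hits, obj_path):
        users[action].add(user)
    return users["get"] - users["put"]
```

Feed the output of `jq -c ".hits.hits[] | ._source"` (with rule_name added to the _source list) into access_timeline to run it against real query results.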

Look for all the "pre" PEPs

Search for all the "pre" PEPs that have been executed today, but exclude any authentication PEPs. The range filter on @timestamp restricts the results to today; the two regexp clauses select the "pre" API PEPs and drop the auth ones.

curl -XGET 'localhost:9201/irods_audit/_search?pretty' -H 'Content-Type: application/json' -d'
{
    "_source": [ "@timestamp", "rule_name" ],
    "sort": [
        { "@timestamp": { "order": "asc" } }
    ],
    "size": 10000,
    "query": {
        "bool": {
            "must": {
                "regexp": { "rule_name": "audit_pep_api_.*_pre" }
            },
            "must_not": {
                "regexp": { "rule_name": "audit_pep_api_auth.*_pre" }
            },
            "filter": {
                "range": { "@timestamp": { "gte": "now/d" } }
            }
        }
    }
}' | jq ".hits.hits[] | ._source"

Questions?