On Sun, Apr 24, 2005 at 01:22:30PM +0200, Jeff Templon wrote:
> You want to keep your own log files for legal/security purposes. If
> there is an incident, the gatekeeper log is probably the only thing you
> have that links activity on your site to a specific incoming user DN.
>
> In most EU countries, *the resource owner* is responsible for all damage
> originating from his/her site *unless* (s)he can provide evidence
> tracing to the real culprit. VOs are not legal entities so it's not
> enough to say "it was somebody from CMS".

That's interesting, what happens if your only log is just
an ssh connection from a "random" IP address? If the "hacker"
managed to delete the ssh logs will you go after the poor soul
that was using the account legally?

The following "attack" will work with quite a few LCG sites, for
example:

    for SITE in $LCGSITES; do
        uberftp -a gsi -H $SITE "get .ssh/id_rsa $SITE-id_rsa"
    done
    sleep "enough time for the account to be recycled a few times"
    use the key...

Kostas
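
A site-side check for the condition described in the mail above, as an added example that is not part of the original message: it flags pool accounts whose own key pair would still authenticate after the account is recycled, and scrubs that pair when a lease ends. The function names, the single base directory of pool homes, and the assumption that the key is trusted through the account's own authorized_keys are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: all pool-account
# homes sit under one base directory, and a key is usable because its public
# half is listed in that account's own ~/.ssh/authorized_keys.

# Print the name of every account under $1 whose id_rsa.pub key blob
# also appears in its authorized_keys (the pair outlives the lease).
audit_pool_keys() {
    base=$1
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        ssh_dir=${home}.ssh
        [ -f "$ssh_dir/id_rsa" ] && [ -f "$ssh_dir/id_rsa.pub" ] || continue
        [ -f "$ssh_dir/authorized_keys" ] || continue
        # Field 2 of a public key line is the base64 key blob.
        blob=$(awk 'NR==1 {print $2}' "$ssh_dir/id_rsa.pub")
        [ -n "$blob" ] || continue
        if grep -qF -- "$blob" "$ssh_dir/authorized_keys"; then
            basename "$home"
        fi
    done
    return 0
}

# Remove the key pair and its authorized_keys entry for the home in $1.
# Meant to run when a lease ends, before the account goes to the next user.
scrub_pool_keys() {
    ssh_dir=$1/.ssh
    [ -f "$ssh_dir/id_rsa.pub" ] || return 0
    blob=$(awk 'NR==1 {print $2}' "$ssh_dir/id_rsa.pub")
    if [ -n "$blob" ] && [ -f "$ssh_dir/authorized_keys" ]; then
        # grep -v exits 1 when no line is left; that is not an error here.
        grep -vF -- "$blob" "$ssh_dir/authorized_keys" \
            > "$ssh_dir/authorized_keys.new" || true
        mv "$ssh_dir/authorized_keys.new" "$ssh_dir/authorized_keys"
    fi
    rm -f "$ssh_dir/id_rsa" "$ssh_dir/id_rsa.pub"
}
```

Other entries in authorized_keys are kept; only the line matching the account's own public key is dropped.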