On Tue, May 17, 2005 at 09:01:05AM +0100, Sansum, RA (Andrew) wrote:
> Yes - we must have the DN which created/modified the file. I rather
> suspect we may fail the LCG security service challenge if we cannot
> say who created a susect file.
>
> As Alessandra says - there would be all kinds of legal issues if we found
> something like stolen software/child porn on the SE and could not say who
> put it there.
I had a look at /opt/d-cache/billing and it doesn't keep *any* information
about direct gsiftp file transfers. Is there an option to increase logging
or something similar?
I wonder if any of the other protocols (which ones are available?) can log
any information. Are all of them gsi enabled? If not it might not be possible
to get a DN at all for them. For example if your pool nodes are in a machine
with user access (WN/CE/whatever) it's trivial to use a userland nfs program
(nfsshell for example) to access any file in the system without logging or
permission checking. People that are planning to use free space from their
WNs should be aware of this.
Kostas
|