Mailing List Archives Public Access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Security Survey

Date: Wed, 02 Sep 2009 09:16:18 -0500 (CDT)
From: Steven Timm <timm@xxxxxxxx>
Subject: Re: [Condor-users] Security Survey

A couple years ago at Condor Week there was talk of transitioning
to a signed payload, i.e. that it would be possible for the user
to sign an executable and that condor could be configured to run
only signed, authenticated executables.  If I understood it correctly
it would be similar to the mechanism Windows uses when it asks you
if you trust content from a certain software publisher.

Does anyone know if anything has come of that?

Condor already has got "integrity" check so that you can verify
that the executable that the startd is starting is the same
one that the submitter sent.

Steve Timm



On Wed, 2 Sep 2009, James Osborne wrote:

Dear All

We were wondering what kinds of precautions users of Condor on Windows
take when they allow multiple submit machines to send executables to run
on execute nodes, one particular case we are currently investigating is
Matlab and the behaviour of a self extracting Matlab code which causes our
heuristic antivirus package (Kaspersky) to report a hidden installation
e.g. a Trojan.  We are loath to disable any of the features of our
antivirus package however the user that runs the code still needs those
jobs to run so we were wondering what kinds of security precautions other
Condor administrators are taking on their Condor pool to balance the need
to provide a secure workstation service to cf 8000 users whilst at the
same time allowing Matlab codes to run.  We are also interested in a straw
poll of the kinds of antivirus package that other sites have deployed and
their strategies for coping with interesting jobs like this Matlab self
extractor.  One idea we have come up with is a testing regime which
ultimately puts the blame on the end user should they run a Trojan like
program and damage execute nodes in a testing sandpit before they run on
the production pool.  Do other sites out there have a similar testing
regime for codes ?  We have been doing some testing before letting user
codes run on the production pool for a number of years now

Thanks in advance for any advice you can give...

Best regards

James

_________________________________________

Dr James Osborne
Condor Project Manager
Advanced Research Computing @ Cardiff (ARCCA)

Cardiff University
Redwood Building
King Edward VII Avenue
Cardiff CF10 3NB

Tel +44(0)29 2087 4657
Email osborneja1@xxxxxxxxxxxxx
www.cardiff.ac.uk/arcca
_________________________________________


--
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.

References:
- [Condor-users] Security Survey
  - From: James Osborne

Prev by Date: [Condor-users] Security Survey
Next by Date: Re: [Condor-users] Request: Run hook scripts in the context of the user who will execute the job on Windows
Previous by thread: [Condor-users] Security Survey
Next by thread: [Condor-users] dos box popups on condor_q
Index(es):
- Date
- Thread

Mailing List Archives

Public Access

Re: [Condor-users] Security Survey