
Re: [Condor-users] Security Survey

A couple years ago at Condor Week there was talk of transitioning
to a signed payload, i.e. that it would be possible for the user
to sign an executable and that Condor could be configured to run
only signed, authenticated executables.  If I understood it correctly
it would be similar to the mechanism Windows uses when it asks you
if you trust content from a certain software publisher.

Does anyone know if anything has come of that?

Condor already has an "integrity" check so that you can verify
that the executable that the startd is starting is the same
one that the submitter sent.

Steve Timm

On Wed, 2 Sep 2009, James Osborne wrote:

Dear All

We were wondering what kinds of precautions users of Condor on Windows
take when they allow multiple submit machines to send executables to run
on execute nodes. One particular case we are currently investigating is
Matlab and the behaviour of a self-extracting Matlab code which causes our
heuristic antivirus package (Kaspersky) to report a hidden installation,
e.g. a Trojan.  We are loath to disable any of the features of our
antivirus package; however, the user that runs the code still needs those
jobs to run, so we were wondering what kinds of security precautions other
Condor administrators are taking on their Condor pool to balance the need
to provide a secure workstation service to cf 8000 users whilst at the
same time allowing Matlab codes to run.  We are also interested in a straw
poll of the kinds of antivirus package that other sites have deployed and
their strategies for coping with interesting jobs like this Matlab self
extractor.  One idea we have come up with is a testing regime which
ultimately puts the blame on the end user should they run a Trojan-like
program and damage execute nodes in a testing sandpit before they run on
the production pool.  Do other sites out there have a similar testing
regime for codes?  We have been doing some testing before letting user
codes run on the production pool for a number of years now.

Thanks in advance for any advice you can give...

Best regards



Dr James Osborne
Condor Project Manager
Advanced Research Computing @ Cardiff (ARCCA)

Cardiff University
Redwood Building
King Edward VII Avenue
Cardiff CF10 3NB

Tel +44(0)29 2087 4657
Email osborneja1@xxxxxxxxxxxxx

Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.