Coordinated file system security via rules

US 9,703,974 B1
Filed: 12/20/2013
Issued: 07/11/2017
Est. Priority Date: 12/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented at least in part by a computing system, the method comprising:

in a computing environment comprising a plurality of hosts accessed by an administrative user identified by a username, at a local host comprising a control plane for software providing a hosted environment for virtual machines, receiving a plurality of file system condition rules from a file system condition rule server;

applying the file system condition rules to a local file system at the local host, wherein the file system condition rules comprise a file system condition rule specifying a permissions detection condition for detecting a violation of the file system condition rule by an offending file or directory in the local file system and a respective action to take upon detection of the violation, and wherein the file system condition rule specifies the username of the administrative user, detecting presence of specified permissions for files or directories accessed or created by the username of the administrative user during a log on session to the control plane of the local host;

detecting the files or directories accessed or created by the username of the administrative user during the log on session to the control plane of the local host;

responsive to detection of the permissions detection condition specified by the file system condition rule, taking the respective action specified by the file system condition rule, wherein the respective action comprises changing permissions of the files or directories accessed or created by the username of the administrative user during the log on session to the control plane of the local host, and wherein the files or directories accessed or created by the username of the administrative user are accessed or created as a result of administrator activities;

further responsive to detection of the permissions detection condition specified by the file system condition rule, sending an alert comprising metadata associated with the permissions detection condition, wherein the metadata comprises a name of the local host and the username, wherein the username identifies an administrator responsible for the permissions detection condition; and

responsive to detection of a threshold number of violations by the username identifying the administrator responsible for the permissions detection condition, sending an alert comprising the username identifying the administrator responsible for the permissions detection condition, whereby administrator activities behavior of the administrator identified by the username is tracked across the plurality of hosts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are disclosed for coordinated file system security via rules. A file system condition rule can specify any of a wide variety of file system conditions related to security risks, such as sensitive information in impermissible locations, impermissible file permissions, stray files, and the like. The rules can be administered at a central location and distributed across machines. The machines can then execute the rules against their local file systems. The rules can further specify actions to be taken, including deleting files, sanitizing files, sending an alert, or the like. Violations can be tracked and analyzed to determine what is causing recurring scenarios. A web service can expose the technologies to cloud service consumers.

Citations

23 Claims

1. A method implemented at least in part by a computing system, the method comprising:
- in a computing environment comprising a plurality of hosts accessed by an administrative user identified by a username, at a local host comprising a control plane for software providing a hosted environment for virtual machines, receiving a plurality of file system condition rules from a file system condition rule server;
  
  applying the file system condition rules to a local file system at the local host, wherein the file system condition rules comprise a file system condition rule specifying a permissions detection condition for detecting a violation of the file system condition rule by an offending file or directory in the local file system and a respective action to take upon detection of the violation, and wherein the file system condition rule specifies the username of the administrative user, detecting presence of specified permissions for files or directories accessed or created by the username of the administrative user during a log on session to the control plane of the local host;
  
  detecting the files or directories accessed or created by the username of the administrative user during the log on session to the control plane of the local host;
  
  responsive to detection of the permissions detection condition specified by the file system condition rule, taking the respective action specified by the file system condition rule, wherein the respective action comprises changing permissions of the files or directories accessed or created by the username of the administrative user during the log on session to the control plane of the local host, and wherein the files or directories accessed or created by the username of the administrative user are accessed or created as a result of administrator activities;
  
  further responsive to detection of the permissions detection condition specified by the file system condition rule, sending an alert comprising metadata associated with the permissions detection condition, wherein the metadata comprises a name of the local host and the username, wherein the username identifies an administrator responsible for the permissions detection condition; and
  
  responsive to detection of a threshold number of violations by the username identifying the administrator responsible for the permissions detection condition, sending an alert comprising the username identifying the administrator responsible for the permissions detection condition, whereby administrator activities behavior of the administrator identified by the username is tracked across the plurality of hosts.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein:
    - the file system condition rules comprise actions deleting a file or directory, actions sending an alert, alert-only actions, and actions removing content; and
      
      at least one of the file system condition rules specifies a triggering event for executing the at least one of the file system condition rules.
  - 3. The method of claim 1 further comprising:
    - after sending an alert for a detected violation to an external event collector, receiving a command to take an action for the local file system; and
      
      responsive to receiving the command, executing the command at the local host for the local file system.
  - 4. The method of claim 1 wherein:
    - the file system condition rules received by the local host are a subset of file system condition rules stored at the file system condition rule server and are designated as applicable to the local host.
  - 5. The method of claim 1 wherein:
    - the administrator activities comprise escalating privileges.

6. A system comprising:
- a rule server comprising one or more processors and memory, the rule server storing a plurality of rules, wherein the rules are associated with respective tags, and the rules comprise a rule specifying a permissions condition for detecting a permissions condition violation by a file or directory in a file system that violates the rule and a respective action to take upon detection of the permissions condition violation, wherein the rule specifies changing permissions of files or directories accessed or created by a given administrative user during a log on session to a local host;
  
  a plurality of hosts coupled to the rule server and configured to receive at least a subset of the rules from the rule server, wherein a given host out of the hosts comprises a rules engine operable to apply the rules at the given host against a local file system, wherein the given host is operable to detect that the given administrative user has logged off, and as a result, detect which files or directories accessed or created in the local file system by the given administrative user during the log on session to the given host violate the rule specifying a permissions condition for detecting a permissions condition, and change permissions of one or more of the files or directories accessed or created by the given administrative user in the local file system during the log on session to the given host;
  
  metadata associated with the permissions condition violation, wherein the metadata comprises a username responsible for the permissions condition violation; and
  
  an alert collector configured to send an alert comprising the username responsive to detection of a threshold number of violations by the username, whereby behavior of an administrator having the username is tracked across the plurality of hosts.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 7. The system of claim 6 wherein:
    - the tags represent machine types;
      
      the hosts are associated with respective machine types via the tags; and
      
      the hosts are configured to periodically fetch rules from the rule server based on their machine type via a host identifier identifying a given host.
  - 8. The system of claim 6 wherein:
    - the condition specifies detecting whether any file at a given location within the local file system has specified plaintext content.
  - 9. The system of claim 6 wherein:
    - the rules comprise a rule specifying a condition for detecting a violation of the rule by a directory in the local file system and a respective action to take upon detection of the violation.
  - 10. The system of claim 6 wherein:
    - the rule is executed responsive to detecting an event associated with the rule.
  - 11. The system of claim 6 wherein:
    - the rules comprise a rule specifying detecting an attribute of a file or directory.
  - 12. The system of claim 11 wherein:
    - at least one of the rules specifies an attribute of a file as a username that last accessed the file;
      
      at least one of the rules specifies an attribute of a file as permissions of the file; and
      
      at least one of the rules specifies an attribute of a file as owner of the file.
  - 13. The system of claim 6 wherein:
    - at least one of the rules specifies enforcing a file whitelist for a location in the local file system;
      
      violation of the file whitelist comprises presence of a file not in the file whitelist;
      
      at least one of the rules specifies enforcing a file blacklist for a location in the local file system; and
      
      violation of the file blacklist comprises presence of a file in the file blacklist.
  - 14. The system of claim 6 wherein:
    - at least one of the rules specifies detecting whether any file in the local file system has one or more specified attributes.
  - 15. The system of claim 6 wherein:
    - the rules engine is operable to take the respective action responsive to detecting the violation of the rule by the file or directory in the file system.
  - 16. The system of claim 15 wherein:
    - at least one of the rules specifies an action of deleting the file; and
      
      at least one of the rules specifies an action of sending an alert about the file.
  - 17. The system of claim 16 wherein:
    - at least one of the rules specifies an action of sanitizing the file; and
      
      at least one of the rules specifies an action of changing attributes of the file.
  - 18. The system of claim 16 wherein:
    - the alert specifies a location and filename for the file and is sent to another computing system for processing.
  - 19. The system of claim 6 wherein:
    - the local file system is maintained as part of a control plane providing a hosted environment for one or more virtual machines.
  - 20. The system of claim 6 wherein:
    - the rule server is configured to provide a subset of the rules to a given host out of the plurality of hosts based on a mapping between tags for the rules and identifiers for the hosts.

21. One or more computer-readable storage media comprising computer-executable instructions causing a computing system to perform a method comprising:
- sending a request to a server for rules;
  
  responsive to the request, receiving, from the server, a rule comprising a condition specifying files or directories accessed by a given administrative user and an action specifying that permissions of files or directories accessed by the given administrative user are to be changed, wherein the rule specifies prohibited permissions and that files or directories accessed by the given administrative user are to have their permissions changed when they satisfy the rule; and
  
  upon detection of an event indicating that the given administrative user has logged off, applying the rule to a local file system for the given administrative user, wherein the applying comprises detecting files or directories accessed by the given administrative user, determining that the detected files or directories have the prohibited permissions specified via the rule and taking an action on the detected files or directories, wherein taking an action comprises changing permissions of the files or directories as specified in the rule.
- View Dependent Claims (22, 23)
- - 22. The one or more computer-readable storage media of claim 21 wherein:
    - at least one of the rules specifies a credit card number format as prohibited plaintext content.
  - 23. The one or more computer-readable storage media of claim 21 wherein:
    - the given administrative user logging off is collected as a parameter for the rule; and
      
      the parameter is used to detect which files were accessed by the given administrative user logging off.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Surkatty, Osman
Primary Examiner(s)
Simitoski, Michael

Application Number

US14/137,368
Time in Patent Office

1,299 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Coordinated file system security via rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated file system security via rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links