Coordinated file system security via rules
Abstract
A method and system are disclosed for coordinated file system security via rules. A file system condition rule can specify any of a wide variety of file system conditions related to security risks, such as sensitive information in impermissible locations, impermissible file permissions, stray files, and the like. The rules can be administered at a central location and distributed across machines. The machines can then execute the rules against their local file systems. The rules can further specify actions to be taken, including deleting files, sanitizing files, sending an alert, or the like. Violations can be tracked and analyzed to determine what is causing recurring scenarios. A web service can expose the technologies to cloud service consumers.
23 Claims
1. A method implemented at least in part by a computing system, the method comprising:
- in a computing environment comprising a plurality of hosts accessed by an administrative user identified by a username, at a local host comprising a control plane for software providing a hosted environment for virtual machines, receiving a plurality of file system condition rules from a file system condition rule server;
- applying the file system condition rules to a local file system at the local host, wherein the file system condition rules comprise a file system condition rule specifying a permissions detection condition for detecting a violation of the file system condition rule by an offending file or directory in the local file system and a respective action to take upon detection of the violation, and wherein the file system condition rule specifies the username of the administrative user, detecting presence of specified permissions for files or directories accessed or created by the username of the administrative user during a log on session to the control plane of the local host;
- detecting the files or directories accessed or created by the username of the administrative user during the log on session to the control plane of the local host;
- responsive to detection of the permissions detection condition specified by the file system condition rule, taking the respective action specified by the file system condition rule, wherein the respective action comprises changing permissions of the files or directories accessed or created by the username of the administrative user during the log on session to the control plane of the local host, and wherein the files or directories accessed or created by the username of the administrative user are accessed or created as a result of administrator activities;
- further responsive to detection of the permissions detection condition specified by the file system condition rule, sending an alert comprising metadata associated with the permissions detection condition, wherein the metadata comprises a name of the local host and the username, wherein the username identifies an administrator responsible for the permissions detection condition; and
- responsive to detection of a threshold number of violations by the username identifying the administrator responsible for the permissions detection condition, sending an alert comprising the username identifying the administrator responsible for the permissions detection condition, whereby administrator activities behavior of the administrator identified by the username is tracked across the plurality of hosts.

Dependent claims: 2, 3, 4, 5.

6. A system comprising:
- a rule server comprising one or more processors and memory, the rule server storing a plurality of rules, wherein the rules are associated with respective tags, and the rules comprise a rule specifying a permissions condition for detecting a permissions condition violation by a file or directory in a file system that violates the rule and a respective action to take upon detection of the permissions condition violation, wherein the rule specifies changing permissions of files or directories accessed or created by a given administrative user during a log on session to a local host;
- a plurality of hosts coupled to the rule server and configured to receive at least a subset of the rules from the rule server, wherein a given host out of the hosts comprises a rules engine operable to apply the rules at the given host against a local file system, wherein the given host is operable to detect that the given administrative user has logged off, and as a result, detect which files or directories accessed or created in the local file system by the given administrative user during the log on session to the given host violate the rule specifying a permissions condition for detecting a permissions condition, and change permissions of one or more of the files or directories accessed or created by the given administrative user in the local file system during the log on session to the given host;
- metadata associated with the permissions condition violation, wherein the metadata comprises a username responsible for the permissions condition violation; and
- an alert collector configured to send an alert comprising the username responsive to detection of a threshold number of violations by the username, whereby behavior of an administrator having the username is tracked across the plurality of hosts.

Dependent claims: 7 through 20.

21. One or more computer-readable storage media comprising computer-executable instructions causing a computing system to perform a method comprising:
- sending a request to a server for rules;
- responsive to the request, receiving, from the server, a rule comprising a condition specifying files or directories accessed by a given administrative user and an action specifying that permissions of files or directories accessed by the given administrative user are to be changed, wherein the rule specifies prohibited permissions and that files or directories accessed by the given administrative user are to have their permissions changed when they satisfy the rule; and
- upon detection of an event indicating that the given administrative user has logged off, applying the rule to a local file system for the given administrative user, wherein the applying comprises detecting files or directories accessed by the given administrative user, determining that the detected files or directories have the prohibited permissions specified via the rule and taking an action on the detected files or directories, wherein taking an action comprises changing permissions of the files or directories as specified in the rule.

Dependent claims: 22, 23.
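The pipeline the claims describe (a rule received from a rule server, a per-host rules engine run at admin logoff that detects prohibited permission bits on files the named administrator touched and changes them, a per-violation alert carrying host name and username, and an alert collector that raises a second alert once one username reaches a violation threshold across hosts) as an added, self-contained Python sketch; it is not code from the patent. The rule format, the `0o022` mask, the `opsadmin` user and the session records are constructed for illustration, and the "files" are in-memory records rather than a real file system.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample rule, in the shape a rule server might hand to a host.
RULE_JSON = """{"id": "perm-001", "tags": ["permissions", "admin-session"],
 "username": "opsadmin", "prohibited_mode_mask": "0o022",
 "action": "strip_prohibited_bits", "alert_threshold": 2}"""

@dataclass
class FileRecord:      # a file/directory touched by the admin during a logon session
    host: str
    path: str
    owner: str
    mode: int          # POSIX permission bits, e.g. 0o666

@dataclass
class Alert:
    host: str
    username: str
    path: str = ""
    kind: str = "violation"   # "violation" per file, "threshold" per username

def parse_rule(text: str) -> dict:
    rule = json.loads(text)
    rule["prohibited_mode_mask"] = int(rule["prohibited_mode_mask"], 8)
    return rule

def apply_rule_at_host(rule: dict, records: list) -> list:
    """Rules engine on one host, run at admin logoff: detect prohibited bits on
    files the named admin touched, change their permissions, emit one alert each."""
    alerts = []
    for rec in records:
        if rec.owner != rule["username"] or not rec.mode & rule["prohibited_mode_mask"]:
            continue
        rec.mode &= ~rule["prohibited_mode_mask"]          # the rule's action
        alerts.append(Alert(rec.host, rec.owner, rec.path))  # host name + username
    return alerts

def collect_alerts(rule: dict, alerts: list) -> list:
    """Alert collector: count violations per username across all hosts and raise
    a second alert once the rule's threshold is reached."""
    counts = Counter(a.username for a in alerts)
    return [Alert("*", u, kind="threshold") for u, n in counts.items()
            if n >= rule["alert_threshold"]]

def run_demo():
    rule = parse_rule(RULE_JSON)
    # Constructed session records from two hosts (not real file system data).
    hosts = {
        "host-a": [FileRecord("host-a", "/etc/app/app.conf", "opsadmin", 0o666),
                   FileRecord("host-a", "/var/log/app.log", "root", 0o666)],
        "host-b": [FileRecord("host-b", "/opt/deploy.sh", "opsadmin", 0o777),
                   FileRecord("host-b", "/home/opsadmin/notes", "opsadmin", 0o600)],
    }
    per_file = [a for recs in hosts.values() for a in apply_rule_at_host(rule, recs)]
    return hosts, per_file, collect_alerts(rule, per_file)
```

Only records owned by the rule's username are touched; the root-owned file keeps its mode, and the two violations on separate hosts are enough to trip the threshold alert for `opsadmin`.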