[ https://issues.apache.org/jira/browse/EAGLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15067456#comment-15067456 ]
John Scheibmeir commented on EAGLE-96:
--------------------------------------
Brainstorming a little here with regard to desired end state.

Knox proxy is employed on several hosts behind a load balancer. Each proxy instance forwards its auditing data to a central activity monitor (à la Eagle). Eagle may treat the multiple inputs as a single logical stream for criteria evaluation.

Eagle would understand the Knox audit file format.

Within Eagle I would either leverage standard activity monitor patterns if they exist or code new items for Knox.

Example patterns could include:

1) more than x failed logon attempts for the same user within y amount of time from the same endpoint (Knox client) [brute force password]
2) more than x failed logon attempts for multiple users within y amount of time from the same endpoint (Knox client) [brute force user/password]
3) more than x permission errors for a single user or single endpoint within y amount of time [probing data paths potentially for data to steal]
4) more than x bytes transferred out via Knox (?? - is this audited in Knox) [improperly extracting or stealing data]

Eagle may also reformat logs into a standard format (e.g. Splunk) and forward accordingly such that other systems may also leverage the data, etc.
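The following is an added worked example of the first three patterns from the comment above (the threshold-in-a-window rules); it is not code from the Eagle project or from Knox. It assumes a simplified pipe-delimited audit line shape (timestamp|client_ip|user|action|outcome), which is an assumption for illustration and not Knox's actual gateway-audit.log layout, and the sample lines and the threshold/window values are constructed. The detector keeps a sliding time window per key so that old failures age out, and it emits each (rule, key) alert once so a long-running attempt does not flood the alert channel.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (NOT Knox's real format): timestamp|client_ip|user|action|outcome.
# Lines from several proxy instances are assumed to have been merged into one
# time-ordered stream, as the comment describes.
SAMPLE_AUDIT = """\
2015-12-21T10:00:00|10.0.0.5|alice|authentication|failure
2015-12-21T10:00:05|10.0.0.5|alice|authentication|failure
2015-12-21T10:00:09|10.0.0.5|alice|authentication|failure
2015-12-21T10:00:12|10.0.0.5|alice|authentication|failure
2015-12-21T10:00:20|10.0.0.7|bob|authentication|failure
2015-12-21T10:00:25|10.0.0.7|carol|authentication|failure
2015-12-21T10:00:30|10.0.0.7|dave|authentication|failure
2015-12-21T10:00:35|10.0.0.7|erin|authentication|failure
2015-12-21T10:01:00|10.0.0.9|frank|access|unauthorized
2015-12-21T10:01:10|10.0.0.9|frank|access|unauthorized
2015-12-21T10:01:20|10.0.0.9|frank|access|unauthorized
2015-12-21T10:01:30|10.0.0.9|frank|access|unauthorized
2015-12-21T10:05:00|10.0.0.5|alice|authentication|success
"""

THRESHOLD = 3                   # "more than x": alert once the count exceeds this (assumed value)
WINDOW = timedelta(seconds=60)  # "within y amount of time" (assumed value)


def parse_line(line):
    """Split one constructed audit line into a dict with a datetime timestamp."""
    ts, ip, user, action, outcome = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "action": action, "outcome": outcome}


class WindowCounter:
    """Per-key sliding window of (timestamp, tag) events; old events are dropped on add."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts, tag=None):
        q = self.events[key]
        q.append((ts, tag))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:   # events are fed in time order
            q.popleft()
        return q


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Run the three rules over audit lines and return the alerts in firing order."""
    per_user_endpoint = WindowCounter(window)   # rule 1: failures per (endpoint, user)
    per_endpoint_users = WindowCounter(window)  # rule 2: distinct failing users per endpoint
    per_user_denied = WindowCounter(window)     # rule 3a: permission errors per user
    per_endpoint_denied = WindowCounter(window) # rule 3b: permission errors per endpoint
    fired, alerts = set(), []

    def fire(rule, key, ts, count):
        if (rule, key) not in fired:            # one alert per rule/key, not one per event
            fired.add((rule, key))
            alerts.append({"rule": rule, "key": key, "ts": ts.isoformat(), "count": count})

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["action"] == "authentication" and ev["outcome"] == "failure":
            key = (ev["ip"], ev["user"])
            q = per_user_endpoint.add(key, ev["ts"])
            if len(q) > threshold:
                fire("brute_force_password", key, ev["ts"], len(q))
            q = per_endpoint_users.add(ev["ip"], ev["ts"], tag=ev["user"])
            distinct = len({tag for _, tag in q})
            if distinct > threshold:
                fire("brute_force_users", ev["ip"], ev["ts"], distinct)
        elif ev["action"] == "access" and ev["outcome"] == "unauthorized":
            for key, counter in ((("user", ev["user"]), per_user_denied),
                                 (("endpoint", ev["ip"]), per_endpoint_denied)):
                q = counter.add(key, ev["ts"])
                if len(q) > threshold:
                    fire("permission_probe", key, ev["ts"], len(q))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT.splitlines()):
        print(alert)
```

On the constructed input this yields four alerts: a brute_force_password alert for alice from 10.0.0.5, a brute_force_users alert for 10.0.0.7 (four distinct users failing within the window), and two permission_probe alerts for frank's denied requests, keyed once by user and once by endpoint. Because the window counter evicts events older than the window, four failures spread 30 seconds apart never exceed the threshold, which is the difference between a threshold-in-a-window rule and a plain lifetime counter. The fourth pattern (bytes out) is omitted because the comment itself is unsure whether Knox audits it.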
> Support activity monitoring for Knox
> ------------------------------------
>
> Key: EAGLE-96
> URL: https://issues.apache.org/jira/browse/EAGLE-96
> Project: Eagle
> Issue Type: Bug
> Reporter: Arun Manoharan
>
> The Knox Gateway provides a single access point for all REST interactions
> with Hadoop clusters. It will be valuable to monitor the access events
> happening in knox gateway and see if there is an anomaly and generate an
> alert.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)