|
|
| (10 intermediate revisions by 3 users not shown) |
| Line 5: |
Line 5: |
| | * How to [[Report_Security_Incident | Report a Security Incident]] | | * How to [[Report_Security_Incident | Report a Security Incident]] |
| | * How to [[Report_Software_Vulnerability | Report a Software Vulnerability ]] | | * How to [[Report_Software_Vulnerability | Report a Software Vulnerability ]] |
| | + | * How to [[Generate_Emergency_Credential_Suspension | Generate Emergency Argus Credential Suspension on the UK NGI Argus ]] |
| | | | |
| − | ==Security 'How To' and other useful info== | + | ==EGI documents and Links == |
| | | | |
| − | * [[Security monitoring/updates]]
| + | GridPP sites are certified as part of the EGI infrastructure, hence the EGI security policies and procedures apply to GridPP sites. |
| − | * [[How to ban/blacklist user on CE and SE]]
| + | |
| − | * [[Glexec, LCAS, LCMAPS and Pilot Job]]
| + | |
| − | * [http://www.gridpp.ac.uk/deployment/users/myproxy.html How can I renew a proxy used by an automated process?]
| + | |
| − | * [[Linux Kernel: 64-bit Compatibility Mode Stack Pointer Underflow CVE-2010-3081]]
| + | |
| | | | |
| − | | + | * [https://confluence.egi.eu/display/EGIPP/EGI+Information+Security+Management+ISM '''EGI Security Management'''] |
| − | ==EGI documents and Links ==
| + | |
| − | | + | |
| − | GridPP sites are certified as part of the EGI infrastructure, hence the EGI security policies and procedures apply to GridPP sites.
| + | |
| | | | |
| | ===CSIRT=== | | ===CSIRT=== |
| | | | |
| − | * [http://www.egi.eu/about/policy/groups/EGI_Computer_Security_Incident_Response_Team_EGI_CSIRT.html '''EGI Computer Security Incident Response Team description'''] | + | * [http://csirt.egi.eu/ '''EGI Computer Security Incident Response Team'''] |
| | | | |
| − | * [https://documents.egi.eu/document/710 '''EGI Security Incident Handling Procedure''' ] | + | * [https://confluence.egi.eu/display/EGIPP/SEC01+EGI+CSIRT+Security+Incident+Handling+Procedure '''EGI Security Incident Response Procedure'''] |
| − | | + | |
| − | * [https://wiki.egu.eu/CSIRT '''EGI CSIRT Wiki''']
| + | |
| | | | |
| | ===SVG=== | | ===SVG=== |
| | | | |
| − | * [http://www.egi.eu/about/policy/groups/Software_Vulnerability_Group_SVG.html '''EGI Software Vulnerability Group description'''] | + | * [https://ims.egi.eu/pages/viewpage.action?pageId=82380236 '''EGI Software Vulnerability Group '''] |
| | | | |
| − | * [https://wiki.egi.eu/wiki/SVG '''EGI Software Vulnerability Group Wiki'''] | + | * [https://documents.egi.eu/document/3867 '''EGI Software Vulnerability Issue Handling '''] |
| | | | |
| − | * [https://documents.egi.eu/document/717 '''EGI Software Vulnerability Issue Handling Process '''] | + | * [https://ims.egi.eu/display/EGIBG/Software+Security+Checklist '''Software Security Checklist'''] for avoiding common problems |
| | | | |
| | ===SPG=== | | ===SPG=== |
| | | | |
| − | * [http://www.egi.eu/about/policy/groups/Security_Policy_Group_SPG.html '''EGI Security Policy Group Description'''] | + | * [https://confluence.egi.eu/display/EGIBG/SPG '''EGI Security Policy Group Description'''] This contains information on the Security policy group and detailed policies which apply to GridPP sites. |
| | | | |
| − | * [https://wiki.egi.eu/wiki/SPG '''Security Policy Group Wiki'''] This contains detailed policies which apply to GridPP sites.
| + | ==Security 'How To' and other useful info== |
| | | | |
| − | ===SCG===
| + | (This is under review.) |
| | | | |
| − | * [http://www.egi.eu/about/policy/groups/Security_Coordination_Group_SCG.html '''EGI Security Co-ordination Group description '''] | + | * [[Security system errors and workarounds]] |
| | + | * [[Security monitoring/updates]] |
| | + | * [[How to ban/blacklist user on CE and SE]] |
| | + | * [[Glexec, LCAS, LCMAPS and Pilot Job]] |
| | + | * [http://www.gridpp.ac.uk/deployment/users/myproxy.html How can I renew a proxy used by an automated process?] |
| | + | * [[Linux Kernel: 64-bit Compatibility Mode Stack Pointer Underflow CVE-2010-3081]] |
| | | | |
| − | ==Some of Mingchao Ma's Security Related Presentations and Training talks== | + | ==Info for the UKNGI Security Team== |
| | | | |
| − | * [http://www.gridpp.ac.uk/gridpp24/SecurityGridPP24.pdf GridPP Tier2 Sites Security Review], April 2010, GridPP24 Collaboration Meeting | + | * [[Security_Duty]] |
| − | * [http://event.twgrid.org/isgc2010/slides/security/Manage_Security_and_Handle_Security_Incident.pdf Manage Security and Handle Security Incident training talk], March 2010, International Symposium on Grid Computing (ISGC) security training workshop
| + | * [[SD_rota | Security Duty Rota]] |
| − | * [http://hepwww.rl.ac.uk/sysman/June2010/talks/Day2/HEPSYSMAM_Workshop_Ma.pdf Security Incident Investigation training talk], June 2010 UK HEPSYSMAN workshop | + | |
| − | * [http://hepwww.rl.ac.uk/sysman/Nov2010/talks/HEPSYSMAM_Workshop_Ma.pdf Risk Assessment training talk], November 2010 UK HEPSYSMAN workshop
| + | |
| | | | |
| − | == GridPP SSC6 Common Issues and Recommendations== | + | ===OLD STUFF=== |
| | | | |
| − | ===DN banning/suspension===
| + | This is probably not so useful anymore |
| − | A considerable number of sites were unsuccessful at banning the compromised DN on their first attempt. This was complicated by inconsistent documentation, a diverse number of configuration files and limited ability to test banning configurations.
| + | |
| | | | |
| − | In the future, Argus is intended to provide a central service to manage authorisation decisions within the site. This should ease the large number of different configuration settings which are currently required to completely block a DN from CE, WMS and SE nodes. EGI-CSIRT is also developing a central user banning capability linked to Argus which should result in sites not having to perform any specific action to block a compromised DN. A few sites found it useful to additionally temporarily block a locally available DN as this allowed them to test if the blocking configuration was complete.
| + | [[OLD STUFF | OLD STUFF]] |
| − | | + | |
| − | Since this was a common problem for the sites involved in the challenge we are planning to conduct a lightweight exercise in user banning across all sites in the near future. This is expected to consist simply of a request to all sites to ban a test DN from their resources, that will then be checked remotely, and any issues worked through with sites. The principle is that this will be very much an exercise intended to help, not a test.
| + | |
| − | | + | |
| − | ===Security contact information and acknowledgement===
| + | |
| − | | + | |
| − | A number of sites included their University CERT team within the recipients list of their site-security-contacts email address. This was particularly valuable at smaller sites where there was limited resource available from the local admins and should be standard practice at all GridPP sites.
| + | |
| − | | + | |
| − | ===Network monitoring===
| + | |
| − | | + | |
| − | No sites demonstrated any network monitoring from their sites. Whilst the large volumes of data transfer conducted within GridPP precludes full PCAP forensic capture of network traffic it should be possible to collect summary data such as Argus (qosient) or Netflow/Sflow statistics. Whilst the SSC malware simply performed some clear text HTTP and traceroutes real malware may perform more nefarious actions. It would be immensely useful for site admins to be able to relate network activity to a user DN (in the same way as storage or CPU currently is attributed).
| + | |
| − | | + | |
| − | In a previous run of the exercise, one site managed to include useful network connection information gleaned from firewalls logs collected by their upstream (site level) network. While many sites will not have access to similar logging we would encourage all sites to:
| + | |
| − | | + | |
| − | * Investigate what, if any, network monitoring is carried out by their site networking or security teams, and whether it is possible to access such logs in the event of an incident.
| + | |
| − | | + | |
| − | * To consider flow monitoring features that may be available in their existing network equipment (e.g. cluster core switches)
| + | |
| − | | + | |
| − | * To share any examples of interesting good practice with other sites.
| + | |
| − | | + | |
| − | ==EGI TF 2011 Security Training Session==
| + | |
| − | | + | |
| − | * [https://www.egi.eu/indico/sessionDisplay.py?sessionId=57&confId=452#20110922 2 talks about Middleware Security]
| + | |
| − | * [https://www.egi.eu/indico/sessionDisplay.py?sessionId=57&confId=452#20110923 6 talks about Operational Security]
| + | |
| − | | + | |
| − | ==Info for the UKNGI Security Team==
| + | |
| − | | + | |
| − | * [[Security_Duty]]
| + | |
| − | * [[SD_rota | Security Duty Rota]]
| + | |
| | | | |
| | __NOTOC__ | | __NOTOC__ |
These apply to GridPP and NGS.
GridPP sites are certified as part of the EGI infrastructure, hence the EGI security policies and procedures apply to GridPP sites.
