Security Duty Templates

From GridPP Wiki

Dashboard checking e-mail examples

This first template was agreed as the one to use at the UKNGI security meeting on 3rd October 2017. The others are old, and probably no longer needed. But we should discuss again before deleting.


EGI Security Monitoring - High Risk Vulnerability at <site>

Send to csirt e-mail from appropriate site. (CC ukngi-security@cern.ch )


Dear Security Contact for <site>,

This is a friendly notification that, according to the EGI monitoring, one or more of your worker nodes are vulnerable to <CVE-yyyy-nnnn>/<SVG-yyyy-nnnn>.
This is a vulnerability in <software> which the EGI SVG considers 'High' risk and about which it issued an advisory on <date>.
The advisory can be seen at https://wiki.egi.eu/wiki/SVG:Advisory-SVG-(CVE-)yyyy-nnnnnn <as appropriate>

The latest result was reported by the node <Node-name> (nnn.nnn.nnn.nnn) at dd/mm/yyyy hh:mm

<modify as appropriate to particular alert >
<It might be that these are unpatched nodes that have come back online, or new nodes have been installed.>

You should be able to view information on your site via the EGI Security dashboard:

https://operations-portal.egi.eu/csiDashboard

Please take a look and take corrective action as necessary. If you think our monitoring has produced a false positive, please let us know.
You may check whether any worker nodes are vulnerable via this dashboard at any time.  


Thank you, 

<Name> 



Security Monitoring - Pakiti Problem at <site> <CVE-yyyy-nnnn> 

Send to csirt e-mail from appropriate site. (CC UKNGI-Security AT jiscmail.ac.uk )



Dear Security Contacts for <site>,

According to our monitoring there is a Pakiti Monitoring alert for one or more Worker nodes 
at your site <site>. 

Your site reports <CVE-yyyy-nnnn>  

<any more details as appropriate>

The latest result was reported by the node <Node-name> (nnn.nnn.nnn.nnn) at dd/mm/yyyy hh:mm
 
<modify as appropriate to particular alert>

You should be able to view information on your site via the EGI Security dashboard:

https://operations-portal.egi.eu/csiDashboard

Please take a look and take corrective action if necessary. If you think our monitoring has 
produced a false positive, or your site is behaving as intended, please let us know. 

Thank you,

<Name>

Security Monitoring - NAGIOS Problem at <site>

Send to csirt e-mail from appropriate site. (CC UKNGI-Security AT jiscmail.ac.uk )



Dear Security Contacts for <site>,

According to our monitoring there is a Nagios alert for one or more Worker nodes at your site <site>.

Your site reports <xxxx>, which is <yyyy>

<any more details as appropriate>

The latest result was reported by the node <Node-name> (nnn.nnn.nnn.nnn) at dd/mm/yyyy hh:mm
 
<modify as appropriate to particular alert>


You should be able to view information on your site via the EGI Security dashboard:

https://operations-portal.egi.eu/csiDashboard



Please take a look and take corrective action if necessary. If you think our monitoring has 
produced a false positive, or your site is behaving as intended, please let us know. 

Thank you,

<Name>

Security Monitoring - NAGIOS Problem at <site>

Send to csirt e-mail from appropriate site. (CC UKNGI-Security AT jiscmail.ac.uk )



Dear Security Contacts for <site>,

According to our monitoring there is a Nagios alert on one or more Worker nodes
at your site <site>. 

Your site reports WN-Permissions-ops, which indicates that a file has world write permission.


The latest result was reported by the node <Node-name> (nnn.nnn.nnn.nnn) at <date and time> 
 

You should be able to view information on your site via the EGI Security dashboard:

https://operations-portal.egi.eu/csiDashboard




Please take a look and take corrective action if necessary. If you think our monitoring has 
produced a false positive, or your site is behaving as intended, please let us know. If you 
think the file should be world writable, please let us know why it is not a problem. 

Thank you,

<Name>
