Difference between revisions of "EGI-InSPIRE:SA1.2-QR16"
Revision as of 16:59, 25 April 2014
1. Task Meetings
Date (dd/mm/yyyy) | Url Indico Agenda | Title | Outcome |
---|---|---|---|
15/04/2014 | https://www.egi.eu/indico/conferenceDisplay.py?confId=2163 | EGI CSIRT team face to face meeting (15-17th April 2014) in Abingdon, UK. | Review activities of the previous months and plans for the Horizon 2020 and the next few months |
03/04/2014 | https://www.egi.eu/indico/conferenceDisplay.py?confId=2149 | EGI SVG meeting | Mostly discussions on 3rd party software and support. |
06/03/2014 | https://www.egi.eu/indico/conferenceDisplay.py?confId=2087 | EGI CSIRT team monthly meeting | Review activities of the previous month and plan for the coming month |
20/02/2014 | https://www.egi.eu/indico/conferenceDisplay.py?confId=2077 | EGI SVG meeting | Review open vulnerabilities, discussion on future planning and discussion on Cloud issues and questionnaire for EGI federated cloud providers |
Weekly Video conference meetings (every Monday) | Minutes recorded in EGI CSIRT private wiki (not publicly accessible) | IRTF weekly meeting | Operational security issues are reviewed weekly |
2. Main Achievements
- Monitoring - Proposed Pakiti clients on services for Heartbleed. Argus monitoring probe developed. Preparing for monitoring training in CF 2014.
The Software Vulnerability Group (SVG) continues to handle reported vulnerabilities. This quarter 6 new vulnerabilities were reported, including the OpenSSL Heartbleed vulnerability, which SVG was involved in alongside CSIRT. This was considered 'Critical'. The WN tarball was found to contain this vulnerability, and this was fixed promptly. SVG issued 4 advisories (partly as a result of resolution of vulnerabilities reported prior to this reporting quarter), and 2 CSIRT alerts were also issued (drafted by SVG). A further vulnerability was found in Torque, and SVG members produced another new version in the 'SVG fixes' area of the AppDB area of the EGI UMD: https://appdb.egi.eu/store/software/software.vulnerability.group
SVG members have been involved in producing 2 questionnaires related to EGI Federated Cloud Security: one for technology providers, and one for Cloud Resource Providers. These questionnaires are aimed at ensuring that the emerging Cloud infrastructure is able to comply with EGI Security Policies, and provides a similar level of assurance concerning security as the EGI Infrastructure based on Grid Technology.
3. Issues and Mitigation
Issue Description | Mitigation Description |
---|---|
4. Plans for the next period
- Monitoring - mechanism to evaluate results from Pakiti and Nagios to provide a single result. Site-wide Pakiti, and document rules and procedures.