Difference between revisions of "SEC03 EGI-CSIRT Critical Vulnerability Handling"
The two revisions compared here (edit summaries "→Steps" and "Split in two") differ in the Overview and Requirements paragraphs and in the Steps section, which the newer revision splits into two tables, "Vulnerability affecting Resource Center services or resources" and "Vulnerability affecting Virtual Appliances", with the step numbering and the revision history updated accordingly. The newer revision follows in full.
Revision as of 11:40, 27 July 2015
Title | EGI-CSIRT Critical Vulnerability Handling |
Document link | https://documents.egi.eu/document/283 |
Last modified | 8 |
Policy Group Acronym | EGI-CSIRT |
Policy Group Name | EGI-CSIRT |
Contact Group | csirt@mailman.egi.eu |
Document Status | DRAFT |
Approved Date | |
Procedure Statement | The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities. |
Owner | Owner of procedure |
Overview
After a problem has been assessed as critical and a solution is available, sites are required to take action. This document primarily defines the procedure from that point: when sites are asked to take action, and what steps are taken if they do not respond or do not act. If a site fails to take action, this may lead to site suspension.
Definitions
Please refer to the EGI Glossary for the definitions of the terms used in this procedure.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Entities involved in the procedure
- SVG: svg-rat at mailman.egi.eu
- EGI-CSIRT: csirt at mailman.egi.eu
- NGI-Security-Officer: ngi-security-contacts at mailman.egi.eu
- Resource Center Security Contact: as defined in goc-db
- VM-Endorsers: Contact list does not yet exist
Requirements
This procedure applies to vulnerabilities assessed as CRITICAL by SVG. The assessment process and the resulting required steps to handle vulnerabilities are described in the Vulnerability issue handling process (SEC02).
Steps
Vulnerability affecting Resource Center services or resources
Step# | Responsible | Action | Prerequisites, if any | Time to comply |
---|---|---|---|---|
1 | EGI-CSIRT / SVG | Send advisory as per the Vulnerability issue handling process | SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. | * |
2 | Resource Center | Upgrade the affected software to a non-vulnerable version or apply mitigations | Non-vulnerable version available or mitigation described in the advisory | 7 calendar days after Step 1 |
3 | EGI-CSIRT / Security Monitoring | Update Security Monitoring to check for vulnerable software versions/configurations | Vulnerability detectable via Pakiti or other external probes | 7 calendar days after Step 1 |
4 | EGI-CSIRT / Security Officer on Duty | For each RC that failed to comply with step 2 within 7 calendar days, the Security Officer on Duty sends a notification to the RC and, when applicable, to the NGI Security Officer | Failure to comply with step 2 within 7 calendar days, or vulnerability detected by EGI's Security Monitoring after 7 working days | * |
5 | Resource Center | Any notified RC has to carry out the actions required by the Security Officer on Duty to resolve the vulnerability, in particular, when applicable, manually running the Pakiti client on the vulnerable system after fixing it. | Vulnerable site notified during step 4 | 3 working days |
6 | EGI-CSIRT Security Officer | For each RC that failed to comply with step 5 within 3 working days, the EGI-CSIRT Security Officer temporarily suspends it from the infrastructure by setting the Certification Status of that RC to Suspended in GOC-DB. The EGI-CSIRT Security Officer informs the NGI and EGI Operations of this action. | Resource Center failing to comply with step 5 within 3 working days | * |
7 | Resource Center | Suspended RCs may request recertification as per PROC09 | RC suspended in step 6 | * |
A diagram representing this procedure is available as an image.
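As an added example that is not part of the procedure text or of any EGI tool, the following Python sketches the two checks behind steps 2 to 6 of the table above: a Pakiti-style comparison of installed package versions against the fixed version named in an advisory (step 3), and the compliance deadlines of 7 calendar days after the advisory (step 2) and 3 working days after the Security Officer's notification (step 5). Host names, package names, versions and dates are constructed sample data; the simplified RPM-style version comparison and the treatment of working days as Monday to Friday without public holidays are assumptions, since the procedure does not define either.

```python
"""Added example: a minimal model of the version check and the deadlines
used when applying the Resource Center table of this procedure.
All hosts, packages, versions and dates below are constructed."""
import re
from datetime import date, timedelta


def _segments(version):
    # Split "2.4.1-3.el7" into chunks; digits become ints, letters stay strings.
    return [int(s) if s.isdigit() else s for s in re.findall(r"\d+|[A-Za-z]+", version)]


def version_lt(a, b):
    """True if version string a sorts before b.
    Simplified rpmvercmp (assumption): numeric segments compare numerically,
    alphabetic ones lexically, a numeric segment beats an alphabetic one,
    and a version that is a strict prefix of the other sorts first."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return isinstance(y, int)  # alphabetic side is older
        return x < y
    return len(sa) < len(sb)


def vulnerable_hosts(inventory, advisory):
    """Hosts still running the affected package below the fixed version.
    inventory: {host: {package: installed_version}}."""
    pkg, fixed = advisory["package"], advisory["fixed"]
    return sorted(h for h, pkgs in inventory.items()
                  if pkg in pkgs and version_lt(pkgs[pkg], fixed))


def add_working_days(start, n):
    """Add n working days (Mon-Fri; holidays ignored, an assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def deadlines(advisory_date, notification_date=None):
    """Step 2: 7 calendar days after the advisory (step 1).
    Step 5: 3 working days after the step 4 notification, if one was sent."""
    out = {"step2": advisory_date + timedelta(days=7)}
    if notification_date is not None:
        out["step5"] = add_working_days(notification_date, 3)
    return out


def compliance_report(inventory, advisory, today):
    """Which hosts are still vulnerable, and whether the step 2 deadline has
    passed so that the step 4 notification is due."""
    hosts = vulnerable_hosts(inventory, advisory)
    due = deadlines(advisory["date"])
    return {"vulnerable": hosts,
            "step2_deadline": due["step2"],
            "notify": bool(hosts) and today > due["step2"]}


# Constructed sample data (not a real advisory or site inventory).
ADVISORY = {"package": "exampled", "fixed": "2.4.1-3.el7", "date": date(2015, 7, 1)}
INVENTORY = {
    "ce01.example.org": {"exampled": "2.4.1-2.el7"},   # older release: vulnerable
    "ce02.example.org": {"exampled": "2.4.1-3.el7"},   # exactly the fixed version
    "ce03.example.org": {"exampled": "2.4.10-1.el7"},  # 10 > 1 numerically: fixed
    "se01.example.org": {"otherpkg": "1.0"},           # package not installed
}

if __name__ == "__main__":
    print(compliance_report(INVENTORY, ADVISORY, date(2015, 7, 10)))
    print(deadlines(ADVISORY["date"], notification_date=date(2015, 7, 10)))
```

Running the block flags only ce01 (a lower release of the same version) and, with a notification sent on Friday 10 July 2015, places the step 5 deadline on Wednesday 15 July, because the weekend does not count towards the 3 working days; the 7 calendar days of step 2 count weekends.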
Vulnerability affecting Virtual Appliances
Step# | Responsible | Action | Prerequisites, if any | Time to comply |
---|---|---|---|---|
1 | EGI-CSIRT / SVG | Send advisory as per Vulnerability issue handling process | SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. | * |
2 | EGI-CSIRT | Set all currently vulnerable endorsed VAs to not-endorsed | Vulnerable VA | * |
3 | VA Endorser | Endorse new VA, if applicable, after verifying that it is not vulnerable anymore | Updated VA uploaded by its maintainer | * |
Revision History
Version | Authors | Date | Comments |
---|---|---|---|
8 | Sveng | 16. Jul. 2015 | |
9 | Vincent Brillault | 27. Jul. 2015 | Split in two |