EGI CSIRT:Central emergency suspension
This page describes the status of the implementation of the EGI Central emergency suspension infrastructure.
Central emergency suspension procedure
The document describing the central emergency suspension procedure is available at EGI CSIRT Operational Procedure for Compromised Certificates.
Argus Infrastructure Deployment
Argus Deployment
- Central Argus Instance at CERN
- NGI Argus Instance: EGI CoreArgus Service Group
- All NGIs should run an Argus instance
- NGIs that don't have a Site/RC using Argus don't need to run an Argus service
- NGI Argus instance should be registered in GOC DB with service type emi.ARGUS
- The NGI-Argus servers have to be configured and maintained carefully. An attacker gaining privileged access to this system could block all jobs submitted to the sites that use this NGI-Argus service.
- Site Argus Instance
- Sites in the NGIs pull policies from NGI Argus
- Small sites that don't have the expertise to run a local Argus can use the NGI Argus
- No Argus site directly uses the central Argus at CERN.
- Site Argus instance should be registered in GOC DB with service type emi.ARGUS
Non Argus Infrastructures/NGIs/RCs
- Non-Argus Sites/RCs
- Pull the list directly from the NGI-Argus, feed it into their fabric management, and deploy it at all services of the RC
- Script documentation is available in the Nikhef wiki: Argus_Global_Banning_Setup_Overview
Argus Monitoring
Goal: a Nagios probe for NGI Argus, run centrally (secmon.egi.eu)
Note: as discussed, I believe, during one of our meetings, getAllPaps requires the ListPapsOperation right.
What to monitor:
- System UP
- Fetch the suspension list from those Argus servers
- Try to submit a job with a suspended DN. This only exercises a single component where the proxy certificates are used; we also need to look at gacl and LCAS/SCAS at the CE, WMS and SEs (perhaps more).
- Last update of the ban information fetched from the central instance at CERN. This check is not run against the Argus services themselves; here we only want to monitor that the ban information gets updated.
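The following is an added example, not code from the EGI wiki or the Argus project. It shows in one script the two pieces of plumbing described above: what a non-Argus site does with the list it pulls from the NGI-Argus (parse it and render it into a one-DN-per-line ban file for fabric management), and what a Nagios-style probe checks (every central ban is present at the NGI, the cached list is fresh, and a given DN is in fact suspended). Assumptions, not taken from the page: the list is obtained as Argus simplified-policy-language text (as `pap-admin list-policies` prints it) with banned DNs in `rule deny { subject="..." }` lines; the ban file uses the quoted one-DN-per-line layout of an LCAS `ban_users.db`; freshness is judged from the timestamp of the locally cached copy; the policy samples are constructed for the example.

```python
"""Added example: ban-list converter and Nagios-style probe for the EGI
central emergency suspension setup (not the project's own code).

Assumed format: Argus simplified policy language as printed by
`pap-admin list-policies`; bans are `rule deny { subject="<DN>" }`.
"""
import re
import sys
import time

# Nagios plugin return codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]

# Constructed sample policies (assumed format), as an NGI Argus and the
# central Argus at CERN might return them. The NGI copy lags by one ban.
SAMPLE_NGI_POLICY = '''
resource ".*" {
    action ".*" {
        rule deny { subject="/DC=org/DC=example/CN=Mallory Banned" }
        rule deny { subject="/DC=org/DC=example/CN=Compromised Host 42" }
        rule permit { vo="dteam" }
    }
}
'''
SAMPLE_CENTRAL_POLICY = '''
resource ".*" {
    action ".*" {
        rule deny { subject="/DC=org/DC=example/CN=Mallory Banned" }
        rule deny { subject="/DC=org/DC=example/CN=Compromised Host 42" }
        rule deny { subject="/DC=org/DC=example/CN=Newly Suspended 7" }
    }
}
'''

# Only deny rules with a subject DN count as bans; permit rules are ignored.
DENY_RULE = re.compile(r'rule\s+deny\s*\{\s*subject\s*=\s*"([^"]+)"\s*\}')


def banned_dns(policy_text):
    """Set of DNs that appear in deny rules of the policy text."""
    return set(DENY_RULE.findall(policy_text))


def is_suspended(dn, policy_text):
    """True if the DN would be denied by the policy (the 'suspended DN' check)."""
    return dn in banned_dns(policy_text)


def to_ban_file(dns):
    """Render DNs one per line, quoted (assumed LCAS ban_users.db layout),
    for a non-Argus site to push out through its fabric management."""
    return "".join('"%s"\n' % dn for dn in sorted(dns))


def check_ngi_argus(ngi_policy, central_policy, last_update_epoch,
                    now=None, max_age_hours=6):
    """Probe logic: returns (nagios_code, message).
    CRITICAL if a central ban is missing at the NGI, WARNING if the cached
    list is older than max_age_hours, UNKNOWN if nothing could be fetched."""
    now = time.time() if now is None else now
    if not ngi_policy.strip():
        return UNKNOWN, "no policy text fetched from NGI Argus"
    ngi, central = banned_dns(ngi_policy), banned_dns(central_policy)
    missing = central - ngi
    age_h = (now - last_update_epoch) / 3600.0
    if missing:
        return CRITICAL, "%d central ban(s) missing at NGI: %s" % (
            len(missing), ", ".join(sorted(missing)))
    if age_h > max_age_hours:
        return WARNING, "ban list last updated %.1f h ago (limit %d h)" % (
            age_h, max_age_hours)
    return OK, "%d ban(s) present, updated %.1f h ago" % (len(ngi), age_h)


if __name__ == "__main__":
    # Stand-alone run against the constructed samples: the NGI copy is one
    # ban behind the central list, so the probe reports CRITICAL.
    code, msg = check_ngi_argus(SAMPLE_NGI_POLICY, SAMPLE_CENTRAL_POLICY,
                                last_update_epoch=time.time() - 3600)
    print("ARGUS_BANS %s - %s" % (STATUS[code], msg))
    print(to_ban_file(banned_dns(SAMPLE_NGI_POLICY)), end="")
    sys.exit(code)
```

In production the two policy texts would come from the NGI-Argus and the central instance respectively, and the timestamp from the cached file; the comparison and exit codes stay the same.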
Argus Support
Support is provided through the ARGUS Support unit in GGUS
- INFN supports the PAP component
- Could take PDP + PEPd on board if e.g. INDIGO-DataCloud gets approved
- NIKHEF supports the C clients
- Used e.g. by gLExec
- EGI
- Release management, staged rollout, deployment campaigns
- 1st and 2nd level support
- Scale testing with partner sites
- MW Readiness Validation activity
Potential new partners
- CESNET
- Testing, maybe development
- UNICORE
- Connection via CANL
- ARC
- Client needs fixing
Documentation
Documentation on possible problems and solutions with certain deployment scenarios is in the Nikhef wiki, Argus Global Banning Setup Overview
Workplan
Members:
- Sven Gabriel (EGI CSIRT)
- Małgorzata Krakowian (EGI Operations)
- Peter Solagna (EGI Operations)
- Cristina Aiftimiei (EGI Operations)
- Emir Imamagic (Monitoring)
- V. Brillaut (Monitoring probes)
- NGI Argus services are deployed (coordinated by EGI Operations, action on NGIs, GGUS tickets opened) DONE
- Information on the NGI Argus services is in the appropriate format in GOC DB (action on GOC DB/NGIs, coordinated by EGI Operations) DONE
- Monitoring that NGI-Argus services have updated banning information, with monitoring results available to EGI-CSIRT, for example via the security dashboard (coordinated by EGI Operations, action on Nagios Monitoring group). Remark: the probe is available from V. Brillaut
- Test if ban information propagates to the sites services: CE/SE/WMS (action on EGI-CSIRT)
- ?