Difference between revisions of "EGI-InSPIRE:SA1.2-QR11"

 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Template:Op menubar}}
+
{{Template:EGI-Inspire menubar}}
 +
 
 
{{Template:Inspire_reports_menubar}}
 
{{Template:Inspire_reports_menubar}}
 
{{TOC_right}}
 
{{TOC_right}}
[[Category:SA1 Task QR Reports]]
+
 
 
= 1. Task Meetings = <!--
 
= 1. Task Meetings = <!--
 
Notes. Report here all task-specific meetings held. This includes (a) face-to-face meetings and (b) phone meetings. Make sure that for all task meetings participants are ALWAYS recorded either on indico from the registrants’ list, or in the minutes.  
 
Notes. Report here all task-specific meetings held. This includes (a) face-to-face meetings and (b) phone meetings. Make sure that for all task meetings participants are ALWAYS recorded either on indico from the registrants’ list, or in the minutes.  
Line 60: Line 61:
 
PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (AVOID BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN AN OVERALL REPORT)
 
PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (AVOID BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN AN OVERALL REPORT)
 
-->  
 
-->  
The incident response team handled two security incidents during the quarter
+
The incident response team handled one minor security incident involving a site in Estonia during the quarter and issued just one security advisory.  
and issued two security advisories.
 
 
 
The security monitoring team was also asked by Open Science Grid to
 
host a Pakiti service to monitor their machines. A pilot operation has been started
 
and its impact will be evaluated.  New custom security probes were developed as required for monitoring
 
software now beyond end of life and for the NGI SAM instance.
 
Establishment of a dedicated Nagios box to monitor MW components.  
 
  
SSC6 - report still needed
+
This relatively quiet period in terms of incidents was however used to make very good progress on the monitoring, persuading, and even forcing, all Resource Centres to upgrade or replace software that was no longer supported for security updates. A large number of components of gLite 3.2 were required to be removed by 1st November 2012. An intense upgrade campaign was necessary with many of the SA1.2 staff very actively involved both from the monitoring and the incident teams. This was very successful in that the vast majority of sites upgraded before the deadline and the remaining small number voluntarily removed the services from production. There was no requirement to suspend a site. The final components of gLite 3.2 had to be upgraded or removed before the end of January 2013. Again this campaign was very successful. We are now planning for the handling of the end of life of EMI 1 by the end of April 2013.
Preparing for  
 
  
Preparations have been made for the next EGI-CSIRT security tutorial to happen
+
The upgrading of all EGI instances of WMS services which were still affected by the two vulnerabilities handled in the last quarter was also completed early in the quarter.  
at the GridKa summer school (August) and at the Technical Forum (September).
 
These will include hands-on forensics exercises.
 
  
The Software Vulnerability Group handled 4 new vulnerabilities during the quarter
+
The security monitoring activity was very busy during the quarter, developing and deploying new custom security probes as required for monitoring for deployed software beyond end of support and also for implementing NGI SAM instances. A dedicated Nagios box was established to monitor middleware components.  
and issued or updated five advisories, one of which was High Risk.
 
  
Discussions between CSIRT, SVG, and OMB agreed the approach to sites running
+
After the successful run of security service challenge SSC6 last quarter, there has been little activity in this area during this quarter, partly because we still await upgrades and modifications to the special RTIR service used for monitoring progress in these service challenges and partly because of all the activity on middleware ugrade campaigns. Plans have been made for a number of NGI SSCs which will happen in 2013.  
software for which security support has ended. A general advisory on this was issued
 
by CSIRT and a further advisory has been drafted on the timeline for migration
 
away from gLite 3.2 middleware components.
 
  
Planning for ISGC 2013 - seecurity workshop and talks (Security Operations and SCI)
+
The Software Vulnerability Group handled more than ten new vulnerabilities during the quarter and issued or updated five advisories, one of which was High Risk. Work on the procedure for handling compromised certificates has started as has work to define the handling of software vulnerabilities in the period beyond the end of the EMI and IGE projects.
  
Submission of a poster on User Security for the April 2013 EGI Community Forum
+
Preparations have been made for the next EGI-CSIRT security tutorial to happen at the ISGC2013 conference in Taipei in March 2013. An abstract on EGI security operations was also submitted to the conference and accepted for oral presentation. A poster on Security Training and best practice from the point of view of end users is being prepared for the April 2013 EGI Community Forum meeting.
  
Planning for central emergency user suspension service. Policy and deployment mechanisms - mini project
+
It has long been recognised that the deployment of a centrally run emergency user suspension service would be extremely useful for the CSIRT during the handling of an ongoing security incident. The suspension of a compromised user identity, from the authorisation point of view, defined in one place and then automatically rolled out to all sites and services in a short period of time is currently missing. Technology, in the form of Argus, is now available to implement such a service. It also seems relatively straight forward to copy central suspension lists into other authorisation services. Discussions were held during this quarter with Operations, SPG and the OMB and deployment mechanisms are being planned.
  
Define workplan for 2013
+
Members of TSA1.2 participated in a WLCG security meeting at FNAL in the USA on the 17-18 December. This brought together security staff from EGI, OSG and NDGF and included full discussion of many operational security and policy issues. Members of the IRTF participated in the TF-CSIRT/FIRST meeting in Lisbon at the end of January, including running the security hands-on training event.
  
Participate in WLCG sec meeting at FNAL (17-18 Dec)
+
Finally, the team has been planning for the evolution of the security global task beyond the end of EGI-InSPIRE as input to the EGI workshop held at the end of January looking at the evolution of all such operational tasks.
 
 
Work on procedure for handling compromised certificates
 
 
 
Central user banning meeting (13 Dec) and present to OMB on 18 Dec
 
Propose mini-projects
 
 
 
Planning for Global tasks evolution beyond EGI-InSPIRE
 
and workshop
 
  
 
= 3. Issues and Mitigation = <!-- fill the table below
 
= 3. Issues and Mitigation = <!-- fill the table below
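Review bot: In the added Software Vulnerability Group paragraph the number of new vulnerabilities changes from 4 to "more than ten", but "issued or updated five advisories, one of which was High Risk" is carried over word for word from the old text; please confirm the advisory figures were refreshed for this quarter rather than inherited from the previous report. The added SSC6 paragraph also contains a typo: "ugrade campaigns" should read "upgrade campaigns".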
Line 118: Line 97:
  
 
= 4. Plans for the next period = <!-- provide your text below. PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (NO BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN A REPORT) -->
 
= 4. Plans for the next period = <!-- provide your text below. PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (NO BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN A REPORT) -->
Work will continue on the improvements of the RT/RTIR ticketing system, e.g. to facilitate better reporting.
+
The improvements to the RT/RTIR ticketing system for the tracking of security service challenges will be finalised.
 
 
The Site Certification Procedure will be revised to include the required security items and a procedure will be developed for the handling of compromised certificates.  
 
  
Work will continue on requiring the timely migration from unsupported software.
+
Work will continue on requiring the timely migration from unsupported software, this time for the retirement of EMI 1 middleware and services, by the end of April 2013.
  
Work will continue on Pakiti V3 and the move to site-wide security monitoring.
+
SSC6 will be fully analysed and one or two NGIs will perform national SSCs.
  
SSC6 will be performed at approximately 40 sites across EGI and more NGIs will perform the national variant of SSC5.
+
The new release (an alpha release) of Pakiti will take place this next quarter. Developments will be made to security monitoring to track all SVG and CSIRT alerts and advisories as required.
  
Security training will be given at the GridKa school and the Technical Forum.
+
The EGI CSIRT operational procedure for compromised certificates will be finalised and submitted for approval. The SVG handling procedure for post EMI/IGE will be completed.
These will include hands-on training in forensics.
 
  
The annual review of the SVG issue handling procedure will be performed.
+
Security training will be given at the ISGC2013 conference in Taipei in March 2013 and SA1.2 staff will attend the EGI Community Forum to facilitate discussions on security issues.
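Review bot: The old plan item "The Site Certification Procedure will be revised to include the required security items" has no counterpart in the new plans, and the achievements text does not report it as done; state whether that revision was completed or deferred. The same question applies to "the move to site-wide security monitoring", which no longer appears alongside the Pakiti release item.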

Latest revision as of 17:43, 6 January 2015




1. Task Meetings

| Date (dd/mm/yyyy) | Indico agenda URL | Title | Outcome |
|---|---|---|---|
| 15/11/2012 | https://www.egi.eu/indico/conferenceDisplay.py?confId=1250 | EGI SVG Monthly meeting | Review activities of the previous month and plan for the coming month |
| 22/11/2012 | https://www.egi.eu/indico/conferenceDisplay.py?confId=1255 | EGI CSIRT team Monthly meeting | Review activities of the previous month and plan for the coming month |
| 13/12/2012 | https://www.egi.eu/indico/conferenceDisplay.py?confId=1256 | EGI CSIRT team monthly meeting | Review activities of the previous month and plan for the coming month |
| 20/12/2012 | https://www.egi.eu/indico/conferenceDisplay.py?confId=1285 | EGI SVG Monthly meeting | Review activities of the previous month and plan for the coming month |
| 17/01/2013 | https://www.egi.eu/indico/conferenceDisplay.py?confId=1300 | EGI SVG Monthly meeting | Review activities of the previous month and plan for the coming month |
| 18/01/2013 | https://www.egi.eu/indico/conferenceDisplay.py?confId=1297 | EGI CSIRT team monthly meeting | Review activities of the previous month and plan for the coming month |
| Weekly EVO meetings (every Monday) | Minutes recorded in EGI CSIRT private wiki (not publicly accessible) | IRTF weekly meeting | Operational security issues are reviewed weekly |
| Weekly EVO meetings (every Monday) | https://indico.egi.eu/indico/categoryDisplay.py?categId=71 | "Monitoring & follow up of sites running unsupported software" - joint with EGI Operations | Status of the sites upgrading to supported software is reviewed weekly |

2. Main Achievements

The incident response team handled one minor security incident involving a site in Estonia during the quarter and issued just one security advisory.

This relatively quiet period in terms of incidents was, however, used to make very good progress on monitoring, persuading, and even forcing all Resource Centres to upgrade or replace software that was no longer supported for security updates. A large number of components of gLite 3.2 were required to be removed by 1st November 2012. An intense upgrade campaign was necessary, with many of the SA1.2 staff very actively involved from both the monitoring and the incident teams. This was very successful in that the vast majority of sites upgraded before the deadline and the remaining small number voluntarily removed the services from production. There was no requirement to suspend a site. The final components of gLite 3.2 had to be upgraded or removed before the end of January 2013. Again this campaign was very successful. We are now planning for the handling of the end of life of EMI 1 by the end of April 2013.

The upgrading of all EGI instances of WMS services which were still affected by the two vulnerabilities handled in the last quarter was also completed early in the quarter.

The security monitoring activity was very busy during the quarter, developing and deploying new custom security probes as required for monitoring deployed software beyond end of support and also for implementing NGI SAM instances. A dedicated Nagios box was established to monitor middleware components.

After the successful run of security service challenge SSC6 last quarter, there has been little activity in this area during this quarter, partly because we still await upgrades and modifications to the special RTIR service used for monitoring progress in these service challenges and partly because of all the activity on middleware upgrade campaigns. Plans have been made for a number of NGI SSCs which will happen in 2013.

The Software Vulnerability Group handled more than ten new vulnerabilities during the quarter and issued or updated five advisories, one of which was High Risk. Work on the procedure for handling compromised certificates has started, as has work to define the handling of software vulnerabilities in the period beyond the end of the EMI and IGE projects.

Preparations have been made for the next EGI-CSIRT security tutorial to happen at the ISGC2013 conference in Taipei in March 2013. An abstract on EGI security operations was also submitted to the conference and accepted for oral presentation. A poster on Security Training and best practice from the point of view of end users is being prepared for the April 2013 EGI Community Forum meeting.

It has long been recognised that the deployment of a centrally run emergency user suspension service would be extremely useful for the CSIRT during the handling of an ongoing security incident. What is currently missing is a way to suspend a compromised user identity, from the authorisation point of view, by defining the suspension in one place and then automatically rolling it out to all sites and services in a short period of time. Technology, in the form of Argus, is now available to implement such a service. It also seems relatively straightforward to copy central suspension lists into other authorisation services. Discussions were held during this quarter with Operations, SPG and the OMB, and deployment mechanisms are being planned.

Members of TSA1.2 participated in a WLCG security meeting at FNAL in the USA on 17-18 December. This brought together security staff from EGI, OSG and NDGF and included full discussion of many operational security and policy issues. Members of the IRTF participated in the TF-CSIRT/FIRST meeting in Lisbon at the end of January, including running the security hands-on training event.

Finally, the team has been planning for the evolution of the security global task beyond the end of EGI-InSPIRE as input to the EGI workshop held at the end of January looking at the evolution of all such operational tasks.

3. Issues and Mitigation

| Issue Description | Mitigation Description |
|---|---|

4. Plans for the next period

The improvements to the RT/RTIR ticketing system for the tracking of security service challenges will be finalised.

Work will continue on requiring the timely migration from unsupported software, this time for the retirement of EMI 1 middleware and services, by the end of April 2013.

SSC6 will be fully analysed and one or two NGIs will perform national SSCs.

The new release (an alpha release) of Pakiti will take place this next quarter. Developments will be made to security monitoring to track all SVG and CSIRT alerts and advisories as required.

The EGI CSIRT operational procedure for compromised certificates will be finalised and submitted for approval. The SVG handling procedure for post EMI/IGE will be completed.

Security training will be given at the ISGC2013 conference in Taipei in March 2013 and SA1.2 staff will attend the EGI Community Forum to facilitate discussions on security issues.