Difference between revisions of "EGI-InSPIRE:SA1.2-QR15"

m (2. Main Achievements)
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Template:Op menubar}} {{Template:Inspire_reports_menubar}} {{TOC_right}}  
+
{{Template:EGI-Inspire menubar}}
 +
 
 +
{{Template:Inspire_reports_menubar}}
 +
{{TOC_right}}
 
= 1. Task Meetings = <!--
 
= 1. Task Meetings = <!--
 
Notes. Report here all task-specific meetings held. This includes (a) face-to-face meetings and (b) phone meetings. Make sure that for all task meetings participants are ALWAYS recorded either on indico from the registrants’ list, or in the minutes.  
 
Notes. Report here all task-specific meetings held. This includes (a) face-to-face meetings and (b) phone meetings. Make sure that for all task meetings participants are ALWAYS recorded either on indico from the registrants’ list, or in the minutes.  
Line 15: Line 18:
 
| https://www.egi.eu/indico/conferenceDisplay.py?confId=1924  
 
| https://www.egi.eu/indico/conferenceDisplay.py?confId=1924  
 
| EGI CSIRT team face to face meeting (2-3 Dec 2013) in Bergen Aan Zee, NL  
 
| EGI CSIRT team face to face meeting (2-3 Dec 2013) in Bergen Aan Zee, NL  
| Review activities of the previous month and plan for the coming month
+
| Review activities of the previous months and plan for the remainder of EGI-InSPIRE
 
|-
 
|-
 
| 09/01/2014  
 
| 09/01/2014  
 
| https://www.egi.eu/indico/conferenceDisplay.py?confId=2023
 
| https://www.egi.eu/indico/conferenceDisplay.py?confId=2023
| EGI SVG monthly meeting  
+
| EGI SVG meeting  
| Review activities of the previous quarter and plan for the coming quarter
+
| Review open vulnerabilities, discussion on Cloud issues and questionnaire for EGI federated cloud providers
 
|-
 
|-
 
| 30/01/2014
 
| 30/01/2014
Line 37: Line 40:
 
PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (AVOID BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN AN OVERALL REPORT)
 
PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (AVOID BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN AN OVERALL REPORT)
 
-->
 
-->
 
DRAFT at this point.
 
  
 
The work of the EGI CSIRT (TSA1.2), as ever, is split into several sub-groups, each of which is reported on here. The whole team continues to  
 
The work of the EGI CSIRT (TSA1.2), as ever, is split into several sub-groups, each of which is reported on here. The whole team continues to  
Line 44: Line 45:
 
This meeting also involved participation by security experts from PRACE and EUDAT, continuing our growing collaboration with these infrastructures.
 
This meeting also involved participation by security experts from PRACE and EUDAT, continuing our growing collaboration with these infrastructures.
  
For the Incident Response Task Force (IRTF) xx security incidents were handled during the quarter. This is more than in recent quarters and confirms the need
+
For the Incident Response Task Force (IRTF) two security incidents were handled during the quarter. EGI-20140113-01 is an open incident involving the unauthorized use of Biomed resources. EGI-20140121-01 involved hosts at a site which were used for NTP-based dDOS attacks on third parties. These hosts were not compromised; they were just improperly configured and this is not a Grid related incident. A couple of smaller incident reports were received but these were closed early since they were not relevant to EGI operations.
to chase sites with the timely application of security patches. ?Provide breakdown of types of incident?.  
+
 
The IRTF continued to track new security vulnerabilities in operating systems and other  
 
The IRTF continued to track new security vulnerabilities in operating systems and other  
non-Grid software, and chase sites who were vulnerable to previously announced problems.  
+
non-Grid software, and chase sites who were vulnerable to previously announced problems.
 +
One site failed to keep to the agreed time lines and was also found to be very non-communicative. This site was suspended at the start of December and had to subsequently be re-certified.
  
 
The CSIRT has been an accredited member of the TERENA Trusted Introducer scheme since October 2012. We are now carrying out the necessary steps to achieve full  
 
The CSIRT has been an accredited member of the TERENA Trusted Introducer scheme since October 2012. We are now carrying out the necessary steps to achieve full  
certification. An on-site visit happened in January 2014 with detailed investigation of our polices and procedures. We are awaiting the report from this vist to
+
certification. An on-site visit happened in January 2014 with detailed investigation of our polices and procedures. We are awaiting the report from this visit to
 
see what changes are required for full certification.
 
see what changes are required for full certification.
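Review bot: the added certification line corrects "vist" to "visit" but still reads "polices and procedures", which should be "policies and procedures". In the added IRTF paragraph of the same hunk, "dDOS" is better written "DDoS" and "Grid related" hyphenated as "Grid-related".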
  
Line 58: Line 60:
  
 
For the monitoring team, further testing of site-wide monitoring took place at the pilot site (KIT, Germany). Work also continued on improving the combination
 
For the monitoring team, further testing of site-wide monitoring took place at the pilot site (KIT, Germany). Work also continued on improving the combination
of data from Pakiti and the NAGIOS probes to allow better viewing of security issues in a single place. A new security Nagios server was deployed with the latest
+
of data from Pakiti and the Nagios probes to allow better viewing of security issues in a single place. A new security Nagios server was deployed with the latest
release of SAM (update 22).  New NAGIOS probes were developed and deployed as required to monitor new critical vulnerabilities from SVG.  
+
release of SAM (update 22).  New Nagios probes were developed and deployed as required to monitor new critical vulnerabilities from SVG.  
  
 
The Software Vulnerability Group (SVG) continues to handle reported vulnerabilities. This quarter was somewhat quieter than recent times with 6 new  
 
The Software Vulnerability Group (SVG) continues to handle reported vulnerabilities. This quarter was somewhat quieter than recent times with 6 new  
 
vulnerabilities being addressed,  
 
vulnerabilities being addressed,  
 
including one high-risk issue. The other five issues were moderate risk or below.  
 
including one high-risk issue. The other five issues were moderate risk or below.  
SVG issued two advisories that went to all EGI sites and one advisory to the EGI federated clouds team.
+
An 'SVG fixes' area was provided in the AppDB area of the EGI UMD.  
To help deal with vulnerabilities still not patched in production code, the SVG produced an interim special version of Torque.
+
https://appdb.egi.eu/store/software/software.vulnerability.group
 +
A version of Torque which did not contain any known vulnerabilities was produced and placed in this SVG fixes area.  
 
All outstanding security assessments were completed and it has been decided that the next component to be assessed will be CVMFS if volunteer effort becomes
 
All outstanding security assessments were completed and it has been decided that the next component to be assessed will be CVMFS if volunteer effort becomes
 
available.
 
available.
Line 75: Line 78:
  
 
Two members of the CSIRT attended a workshop of the EGI federated cloud team in Oxford in January. Presentations were given on the importance of operational security
 
Two members of the CSIRT attended a workshop of the EGI federated cloud team in Oxford in January. Presentations were given on the importance of operational security
and a questionnaire for Cloud providers has been produced. It is clear that considerable work needs to be done on policies and procedures for the federated cloud  
+
and a questionnaire for Cloud providers has been produced. It is clear that considerable work needs to be done on security policies and procedures for the federated cloud  
 
service. New procedures for certification of cloud providers are required and we need to develop a new test suite to check basic traceability of actions and developments
 
service. New procedures for certification of cloud providers are required and we need to develop a new test suite to check basic traceability of actions and developments
 
in security monitoring are likely to be required.
 
in security monitoring are likely to be required.
Line 97: Line 100:
 
= 4. Plans for the next period = <!-- provide your text below. PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (NO BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN A REPORT) -->  
 
= 4. Plans for the next period = <!-- provide your text below. PLEASE PROVIDE TEXT IN A GOOD EDITED FORM (NO BULLET LISTS OF SHORT ITEMS THAT REQUIRE EXPANSION WHEN INSERTED IN A REPORT) -->  
  
[[Category:SA1_Task_QR_Reports]]
 
  
DRAFT at this point.
 
  
During the next quarter, the EGI CSIRT team will continue to work on all if its current activities in the same sub-groups.  
+
During the next quarter (Q16), the EGI CSIRT team will continue to work on all of its current activities in the same sub-groups.  
 
A face to face meeting of the whole team may be held in April if we can find a suitable date and location, if not it will have to happen after the end of EGI-InSPIRE.  
 
A face to face meeting of the whole team may be held in April if we can find a suitable date and location, if not it will have to happen after the end of EGI-InSPIRE.  
 
This meeting will review all our plans for security after EGI-InSPIRE, including the changes needed to cope with security in the EGI federated cloud service.
 
This meeting will review all our plans for security after EGI-InSPIRE, including the changes needed to cope with security in the EGI federated cloud service.
Line 116: Line 117:
 
security incident and vulnerability handling.
 
security incident and vulnerability handling.
  
SVG will prepare a report on the vulnerability assessments that have happened, referring back to the original plans made in early 2011.  
+
SVG will prepare a report on the vulnerability assessments that have happened recently. If volunteer effort is available a security assessment of the CVMFS component will take place. More engagement with the EGI Federated cloud team is required,  
It should be noted that all the software which was planned to be assessed in this original plan has had their assessments completed or
+
including participation in the RAT.  
they are currently in progress. Plans will be made for which pieces of software should have priority for the future, assuming this activity is able continue. 
 
This will probably include one or more of Data Management and software enabling cloud federation. Engagement with the EGI Federated cloud team is required,  
 
including invitations to join the RAT.  
 
  
 
Work will continue on the deployment and testing of the Emergency Suspension mechanisms, using the deployed NGI Argus instances.
 
Work will continue on the deployment and testing of the Emergency Suspension mechanisms, using the deployed NGI Argus instances.
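Review bot: "RAT" in the added SVG sentence ("including participation in the RAT") is not expanded anywhere in the visible text, so spell the acronym out on first use. The replacement also drops the statement that all software in the original early-2011 plan has had its assessment completed or in progress; if that still holds, keep one sentence saying so, since this report is where that outcome is recorded.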
Line 127: Line 125:
 
in May.
 
in May.
  
Work will continue on forming a better understanding of the requirements for security policy and procedures in federated clouds, if effort and funding for this
+
Work will continue on the changes required for security policy and procedures in federated clouds, if effort and funding for this
activity can be found.
+
activity can be found. A security threat risk assessment for  
A security threat risk assessment for  
 
 
federated clouds will happen as part of the general review of the EGI security risk assessment.
 
federated clouds will happen as part of the general review of the EGI security risk assessment.

Latest revision as of 17:44, 6 January 2015




1. Task Meetings

{|
! Date (dd/mm/yyyy) !! Indico agenda URL !! Title !! Outcome
|-
| 02/12/2013 || https://www.egi.eu/indico/conferenceDisplay.py?confId=1924 || EGI CSIRT team face to face meeting (2-3 Dec 2013) in Bergen Aan Zee, NL || Review activities of the previous months and plan for the remainder of EGI-InSPIRE
|-
| 09/01/2014 || https://www.egi.eu/indico/conferenceDisplay.py?confId=2023 || EGI SVG meeting || Review open vulnerabilities, discussion on Cloud issues and questionnaire for EGI federated cloud providers
|-
| 30/01/2014 || https://www.egi.eu/indico/conferenceDisplay.py?confId=2045 || EGI CSIRT team monthly meeting || Review activities of the previous month and plan for the coming month
|-
| Weekly Video conference meetings (every Monday) || Minutes recorded in EGI CSIRT private wiki (not publicly accessible) || IRTF weekly meeting || Operational security issues are reviewed weekly
|}

2. Main Achievements

The work of the EGI CSIRT (TSA1.2), as ever, is split into several sub-groups, each of which is reported on here. The whole team continues to meet monthly by video conference, except that the November and December meetings were combined into one two-day face-to-face meeting at the start of December. This meeting also involved participation by security experts from PRACE and EUDAT, continuing our growing collaboration with these infrastructures.

For the Incident Response Task Force (IRTF), two security incidents were handled during the quarter. EGI-20140113-01 is an open incident involving the unauthorized use of Biomed resources. EGI-20140121-01 involved hosts at a site which were used for NTP-based DDoS attacks on third parties. These hosts were not compromised; they were just improperly configured, and this is not a Grid-related incident. A couple of smaller incident reports were received but these were closed early since they were not relevant to EGI operations.

The IRTF continued to track new security vulnerabilities in operating systems and other non-Grid software, and to chase sites that were vulnerable to previously announced problems. One site failed to keep to the agreed timelines and was also found to be very non-communicative. This site was suspended at the start of December and subsequently had to be re-certified.

The CSIRT has been an accredited member of the TERENA Trusted Introducer scheme since October 2012. We are now carrying out the necessary steps to achieve full certification. An on-site visit happened in January 2014 with detailed investigation of our policies and procedures. We are awaiting the report from this visit to see what changes are required for full certification.

For the Security Drills team, we were still not able to run the planned NGI Security Service Challenges (SSC) in Germany and Italy. The final technical preparations required should now happen in February allowing the national SSC campaigns to happen soon after. A challenge of the NGI security communication infrastructure has been prepared and will take place during the next quarter.

For the monitoring team, further testing of site-wide monitoring took place at the pilot site (KIT, Germany). Work also continued on improving the combination of data from Pakiti and the Nagios probes to allow better viewing of security issues in a single place. A new security Nagios server was deployed with the latest release of SAM (update 22). New Nagios probes were developed and deployed as required to monitor new critical vulnerabilities from SVG.

The Software Vulnerability Group (SVG) continues to handle reported vulnerabilities. This quarter was somewhat quieter than recent times with 6 new vulnerabilities being addressed, including one high-risk issue. The other five issues were moderate risk or below. An 'SVG fixes' area was provided in the AppDB area of the EGI UMD (https://appdb.egi.eu/store/software/software.vulnerability.group). A version of Torque which did not contain any known vulnerabilities was produced and placed in this SVG fixes area. All outstanding security assessments were completed and it has been decided that the next component to be assessed will be CVMFS if volunteer effort becomes available.

Work on the deployment of Emergency Suspension continues. About half of the NGIs have now deployed a national Argus server and testing of this infrastructure continues.

Plans have been made for a number of future training and dissemination events. Plans are well advanced for a one-day training event at the ISGC 2014 event in Taipei in March 2014. A similar event is also proposed for the EGI Community Forum in May (Helsinki).

Two members of the CSIRT attended a workshop of the EGI federated cloud team in Oxford in January. Presentations were given on the importance of operational security and a questionnaire for Cloud providers has been produced. It is clear that considerable work needs to be done on security policies and procedures for the federated cloud service. New procedures for certification of cloud providers are required, we need to develop a new test suite to check basic traceability of actions, and developments in security monitoring are likely to be required.

3. Issues and Mitigation

{|
! Issue Description !! Mitigation Description
|-
| Funding and effort for operational security in EGI Federated Clouds. Lots of work to do. || We need more effort and funding. We will discuss with the EGI.eu management.
|}


4. Plans for the next period

During the next quarter (Q16), the EGI CSIRT team will continue to work on all of its current activities in the same sub-groups. A face-to-face meeting of the whole team may be held in April if we can find a suitable date and location; if not, it will have to happen after the end of EGI-InSPIRE. This meeting will review all our plans for security after EGI-InSPIRE, including the changes needed to cope with security in the EGI federated cloud service.

Apart from the usual ongoing regular operational duties, the following items are mentioned.

For IRTF, planning will continue for incident handling beyond the end of EGI-InSPIRE. Joint discussions on this topic with PRACE and EUDAT will continue. The full certification of the CSIRT in TERENA Trusted Introducer will continue once the report of the site visit is available.

For the Security Drills team, the German and Italian NGI SSC will be performed. Plans will be made for the next set of NGI SSCs. The challenge of the NGI security communication infrastructure will take place.

A full-blown proposal for the deployment of the site-wide monitoring system in EGI will be provided. Monitoring and probes will be developed as required by security incident and vulnerability handling.

SVG will prepare a report on the vulnerability assessments that have happened recently. If volunteer effort is available, a security assessment of the CVMFS component will take place. More engagement with the EGI Federated cloud team is required, including participation in the RAT.

Work will continue on the deployment and testing of the Emergency Suspension mechanisms, using the deployed NGI Argus instances.

Various security training courses will be given. These will include ISGC 2014 in Taipei (March 2014) and the EGI Community Forum in May.

Work will continue on the changes required for security policy and procedures in federated clouds, if effort and funding for this activity can be found. A security threat risk assessment for federated clouds will happen as part of the general review of the EGI security risk assessment.