The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "EGI CSIRT:Central emergency suspension"

From EGIWiki
Edit summary: Deprecate page. 10 intermediate revisions by 4 users not shown.


{{DeprecatedAndMovedTo|new_location=https://confluence.egi.eu/display/EGIBG/Central+emergency+suspension}}
 
This page describes the implementation status of the EGI Central emergency suspension infrastructure.
 
== Central emergency suspension procedure  ==
 
The document describing the central emergency suspension procedure is available at [https://documents.egi.eu/secure/ShowDocument?docid=1018 EGI CSIRT Operational Procedure for Compromised Certificates].
 
== Argus Infrastructure Deployment ==
 
=== Argus Deployment  ===
 
*'''Central Argus Instance''' at CERN
*'''NGI Argus Instance''': [https://goc.egi.eu/portal/index.php?Page_Type=Service_Group&id=1184 EGI CoreArgus Service Group]
**All NGIs should run an Argus instance.
**NGIs that don't have a Site/RC that uses Argus don't need to run an Argus service.
**The NGI Argus instance should be registered in GOC DB with service type emi.ARGUS.
**The NGI-Argus servers have to be configured and maintained carefully: a potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service.
*'''Site Argus Instance'''
**Sites in the NGIs pull policies from the NGI Argus.
**Small sites that don't have the expertise to run a local Argus could use the NGI Argus.
**No site Argus directly uses the central Argus at CERN.
**The site Argus instance should be registered in GOC DB with service type emi.ARGUS.
 
=== Non-Argus Infrastructures/NGIs/RCs ===
 
*Non-Argus Sites/RCs
**Pull the list directly from the NGI-Argus, feed it into their fabric management, and deploy it to all services at the RC.
**Script documentation is available at [http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview Nikhef wiki Argus_Global_Banning_Setup_Overview].
 
== Argus Monitoring ==
 
'''Goal:''' a Nagios probe for the NGI Argus, run centrally (secmon.egi.eu).

'''Note:''' *ONLY* the '''NGI-Argus servers''' should accept Nagios probes.

'''Note:''' Site-Argus systems '''must not''' expose this service to the internet.
 
* Probe: https://rt.egi.eu/guest/Ticket/Attachment/354893/1515343/argus-fetch.py
 
(The main modification is the addition of a loop: instead of listing the "default" PAP, it first lists all the PAPs using "getAllPaps" on "/pap/services/PAPManagementService?wsdl".

Note: as discussed, I believe, during one of our meetings, getAllPaps requires the ListPapsOperation right.)
 
 
'''What to monitor:'''

*System UP
**Fetch the suspension list from those Argus servers.
**Try to submit a job with a suspended DN. This would only exercise a single component where the proxy certificates are used; we also need to look at gacl/l,scas at the CE, WMS and SEs (perhaps more).
*Last update of the ban information fetched from the central instance at CERN. This check is not run against the Argus services themselves; here we only want to monitor that the ban information gets updated.
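The freshness and propagation checks described above, written as a Nagios-style plugin. This is an added example, not the argus-fetch.py probe linked on this page; it assumes a constructed ban-list format (a "# last-update:" header followed by one banned DN per line) that the real Argus PAP does not necessarily produce.

```python
"""Nagios-style freshness and propagation check for a fetched ban list (constructed format)."""
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# Constructed sample of a list as an NGI-Argus instance might serve it; the
# "# last-update:" header and one-DN-per-line layout are assumptions for this example.
SAMPLE_NGI_LIST = """\
# last-update: 2021-10-21T13:00:00Z
/DC=org/DC=example/CN=compromised user 1
/DC=org/DC=example/CN=compromised user 2
"""


def parse_stamp(stamp):
    """Parse a UTC timestamp of the form 2021-10-21T13:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_ban_list(text):
    """Return (last_update or None, set of banned DNs) from the constructed format."""
    last_update, dns = None, set()
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# last-update:"):
            last_update = parse_stamp(line.split(":", 1)[1].strip())
        elif line and not line.startswith("#"):
            dns.add(line)
    return last_update, dns


def check_ban_list(text, central_dns, now_stamp, warn_after=3600, crit_after=6 * 3600):
    """Return (exit_code, message): CRITICAL if a centrally banned DN is missing
    (the ban did not propagate) or the list is older than crit_after seconds,
    WARNING if older than warn_after, UNKNOWN if the list carries no timestamp."""
    last_update, dns = parse_ban_list(text)
    if last_update is None:
        return UNKNOWN, "no last-update header in ban list"
    age = int((parse_stamp(now_stamp) - last_update).total_seconds())
    missing = sorted(set(central_dns) - dns)
    if missing:
        return CRITICAL, f"{len(missing)} central ban(s) not propagated: {', '.join(missing)}"
    if age > crit_after:
        return CRITICAL, f"ban list is {age}s old"
    if age > warn_after:
        return WARNING, f"ban list is {age}s old"
    return OK, f"{len(dns)} banned DN(s), list is {age}s old"
```

A wrapper would feed it the list fetched from the NGI-Argus, the DNs currently banned on the central instance and the current UTC time, then print the message and exit with the returned code.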
 
== Argus Support ==
 
Support is provided through the [[GGUS:ARGUS FAQ|ARGUS Support unit]] in GGUS.
 
#INFN supports the PAP component
#*Could take PDP + PEPd on board if e.g. INDIGO-DataCloud gets approved
#NIKHEF supports the C clients
#*Used e.g. by gLExec
#EGI
#*Release management, staged rollout, deployment campaigns
#*1st and 2nd level support
#*Scale testing with partner sites
#**MW Readiness Validation activity
 
Potential new partners:
 
#CESNET
#*Testing, maybe development
#UNICORE
#*Connection via CANL
#ARC
#*Client needs fixing
 
== Documentation ==
 
Documentation on possible problems and solutions with certain deployment scenarios is in the [http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview Nikhef wiki, Argus Global Banning Setup Overview].
 
== Workplan  ==
 
Members:
 
*Sven Gabriel (EGI CSIRT)
*Małgorzata Krakowian (EGI Operations)
*Peter Solagna (EGI Operations)
*Cristina Aiftimiei (EGI Operations)
*Emir Imamagic (Monitoring)
*V. Brillaut (Monitoring probes)
 
#NGI Argus services are deployed (coordinated by EGI Operations, action on NGIs, GGUS tickets opened). '''DONE'''
#Information on the NGI Argus services is in the appropriate format in GOC DB (action on GOC DB/NGIs, coordinated by EGI Operations). '''DONE'''
#Monitoring that NGI-Argus services have updated banning information, with monitoring results available to EGI-CSIRT, for example via the security dashboard (coordinated by EGI Operations, action on the Nagios Monitoring group). Remark: the probe is available from V. Brillaut.
#Test whether ban information propagates to the site services: CE/SE/WMS (action on EGI-CSIRT).
#?
 

Latest revision as of 15:04, 21 October 2021