Difference between revisions of "EGI CSIRT:Central emergency suspension"
Jump to navigation
Jump to search
Argus Infrastructure Deployment
Argus Monitoring
Argus Support
Documentation
(No difference)
|
Revision as of 16:28, 18 December 2014
EGI-CSIRT web site | EGI-CSIRT Public wiki | EGI-CSIRT Contacts | EGI-CSIRT Activities | EGI-CSIRT Private wiki |
This page describe status of implementation of EGI Central emergency suspension infrastructure.
Central emergency suspension procedure
The document describing the central emergency suspension procedure is available at EGI CSIRT Operational Procedure for Compromised Certificates.
Argus Infrastructure Deployment
Argus Deployment
- Central Argus Instance at CERN
- NGI Argus Instance: EGI CoreArgus Service Group
- All NGIs should run a Argus instance
- NGIs that don't have a Site/RC that uses Argus don't need to run a Argus service
- NGI Argus instance should be registered in GOC DB with service type emi.ARGUS
- The NGI-Argus servers have to be configured/maintained carefully. A potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service.
- Site Argus Instance
- Sites in the NGIs pull policies from NGI Argus
- Small sites that don't have the expertise to run a local Argus could use the NGI Argus
- No Argus site directly uses the central Argus at CERN.
- Site Argus instance should be registered in GOC DB with service type emi.ARGUS
Non Argus Infrastructures/NGIs/RCs
- Non Argus Sites/RCs
- Pull the list directly from NGI-Argus, feed it into their fabric management, deploy it at all services at the RC
- Scripts Documentation available at Nikhef wiki Argus_Global_Banning_Setup_Overview
Argus Monitoring
Argus Support
Support is provided through ARGUS Support unit in GGUS
- INFN supports PAP component
- Could take PDP + PEPd on board if e.g. INDIGO-DataCloud gets approved
- NIKHEF supports C clients
- Used e.g. by gLExec
- EGI
- Release management, staged rollout, deployment
campaigns - 1st and 2nd level support
- Scale testing with partner sites
- MW Readiness Validation activity
- MW Readiness Validation activity
- Release management, staged rollout, deployment
Potential new partners
- CESNET
- Testing, maybe development
- UNICORE
- Connection via CANL
- ARC
- Client needs fixing
Documentation
Documentation on possible problems and solutions with certain deployment scenarios are in Nikhef wiki, Argus Global Banning Setup Overview
Workplan
Members:
- Sven Gabriel (EGI CSIRT)
- Małgorzata Krakowian (EGI Operations)
- Peter Solagna (EGI Operations)
- Cristina Aiftimiei (EGI Operations)
- Emir Imamagic (Monitoring)
- V. Brillaut (Monitoring probes)
- NGI Argus Services are deployed (coordinated by EGI Operations, action on NGIs, ggus tickets opened) DONE
- Information of the NGI Argus services is in the appropriate format in goc db (action on goc-db/NGIs, coordinated by EGI Operations)DONE
- Monitoring that NGI-Argus services have updated banning information, monitoring results available to EGI-CSIRT for example via security dashboard (coordinated by EGI Operations, action on Nagios Monitoring group) Remark: probe is available from V. Brillaut
- Test if ban information propagates to the sites services: CE/SE/WMS (action on EGI-CSIRT)
- ?