The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "EGI CSIRT:Central emergency suspension"
Jump to navigation
Jump to search
| Line 1: | Line 1: | ||
{{New-Egi-csirt-header}} {{TOC_right}} | {{New-Egi-csirt-header}} {{TOC_right}} | ||
== Central emergency suspension procedure == | == Central emergency suspension procedure == | ||
| Line 11: | Line 5: | ||
The document describing the central emergency suspension procedure is available at [https://documents.egi.eu/secure/ShowDocument?docid=1018 EGI CSIRT Operational Procedure for Compromised Certificates]. <br> | The document describing the central emergency suspension procedure is available at [https://documents.egi.eu/secure/ShowDocument?docid=1018 EGI CSIRT Operational Procedure for Compromised Certificates]. <br> | ||
== Argus Infrastructure Deployment | == Argus Infrastructure Deployment == | ||
*'''Central Argus Instance''' at CERN | *'''Central Argus Instance''' at CERN | ||
*'''NGI Argus Instance''': [https://goc.egi.eu/portal/index.php?Page_Type=Service_Group&id=1184 EGI CoreArgus Service Group]<br> | *'''NGI Argus Instance''': [https://goc.egi.eu/portal/index.php?Page_Type=Service_Group&id=1184 EGI CoreArgus Service Group]<br> | ||
**All NGIs should run a Argus instance | ** All NGIs should run a Argus instance | ||
**NGIs that don't have a Site/RC that uses Argus don't need to run a Argus service | ** NGIs that don't have a Site/RC that uses Argus don't need to run a Argus service | ||
**NGI Argus instance should be registered in GOC DB with service type | ** NGI Argus instance should be registered in GOC DB with service type ngi.ARGUS | ||
**The NGI-Argus servers have to be configured/maintained carefully. A potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service. | ** The NGI-Argus servers have to be configured/maintained carefully. A potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service. | ||
** NGI-Argus Systems contain personal data and shall limit access this service to the site Argus (like) systems in the NGI. | ** NGI-Argus Systems contain personal data and shall limit access this service to the site Argus (like) systems in the NGI. | ||
** ACLs can be constructed by pulling the list of egi.Argus'es for the resp. NGI from goc-db | ** ACLs can be constructed by pulling the list of egi.Argus'es for the resp. NGI from goc-db | ||
*'''Site Argus Instance''' | *'''Site Argus Instance''' | ||
**Sites in the NGIs pull policies from NGI Argus | ** Sites in the NGIs pull policies from NGI Argus | ||
**Small sites that don't have the expertise to run a local Argus could use the NGI Argus | ** Small sites that don't have the expertise to run a local Argus could use the NGI Argus | ||
**Site Argus instance should be registered in GOC DB with service type | ** Site Argus instance should be registered in GOC DB with service type emi.ARGUS | ||
* Non Argus Sites/RCs | |||
** Pull the list directly from NGI-Argus, feed it into their fabric management, deploy it at all services at the RC | |||
** Scripts Documentation available at [http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview Nikhef wiki Argus_Global_Banning_Setup_Overview ] | |||
*Non Argus Sites/RCs | |||
**Pull the list directly from NGI-Argus, feed it into their fabric management, deploy it at all services at the RC | |||
**Scripts Documentation available at [http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview Nikhef wiki Argus_Global_Banning_Setup_Overview ] | |||
== Argus Monitoring | == Argus Monitoring == | ||
=== NGI Argus Monitoring === | |||
''' | The ''eu.egi.Argus-DNs'' metric checks if an Argus server is properly configured and still pulling suspension information from the Central Argus Instance. | ||
Every day the Central Argus Instance suspends a new DN: the probe verifies if this DN is present on the NGI argus. | |||
The return values of that probe can indicate the following problems: | |||
{| class="wikitable" | |||
|- | |||
! Return value | |||
! Problem | |||
! Potential solution | |||
|- | |||
| ARGUS WARN - connection error | |||
| The probe was not able to connect to the Argus server | |||
| Please make sure that the argus pap port (8150) is accessible remotely from argo-mon.egi.eu, argo-mon2.egi.eu and argo-mon-test.cro-ngi.hr | |||
|- | |||
| ARGUS WARN - Authorization error | |||
| The probe was able to connect but was denied access | |||
| Please make sure that the following certificates are given the "POLICY_READ_LOCAL|POLICY_READ_REMOTE|CONFIGURATION_READ" permissions are given to "/DC=EU/DC=EGI/C=HR/O=Robots/O=SRCE/CN=Robot:argo-egi@cro-ngi.hr" and "/DC=EU/DC=EGI/C=GR/O=Robots/O=Greek Research and Technology Network/CN=Robot:argo-egi@grnet.gr" | |||
|- | |||
| ARGUS CRIT - Expected DN not found! | |||
| The probe didn't find a recent DN in the Argus configuration | |||
| Please check your argus logs to see what is blocking the synchronization | |||
|- | |||
| ARGUS WARN - Found outdated DN | |||
| The probe only found an outdate DN and not the current one | |||
| Please check your argus logs to see what is delaying the synchronization. The synchronization delay might be too long | |||
|- | |||
| ARGUS OK - Found expected DN | |||
| Everything is good! | |||
| | |||
|} | |||
For more details on the Argus configuration see bellow. | |||
=== Site Monitoring === | |||
Site Arguses (or equivalent solutions) should not be exposed to the internet and thus cannot be directly monitored | |||
However the EGI CSIRT is considering submitting jobs from suspended DNs, but such monitoring of the sites' emergency suspension systems is not yet in place. | |||
== Argus Support == | |||
== Argus Support | |||
Support is provided through [[GGUS:ARGUS FAQ|ARGUS Support unit]] in GGUS | Support is provided through [[GGUS:ARGUS FAQ|ARGUS Support unit]] in GGUS | ||
== Documentation == | |||
== Documentation | |||
Documentation on possible problems and solutions with certain deployment scenarios are in [http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview Nikhef wiki, Argus Global Banning Setup Overview] | |||
Revision as of 16:35, 30 May 2017
| EGI-CSIRT web site | EGI-CSIRT Public wiki | EGI-CSIRT Contacts | EGI-CSIRT Activities | EGI-CSIRT Private wiki |
Central emergency suspension procedure
The document describing the central emergency suspension procedure is available at EGI CSIRT Operational Procedure for Compromised Certificates.
Argus Infrastructure Deployment
- Central Argus Instance at CERN
- NGI Argus Instance: EGI CoreArgus Service Group
- All NGIs should run a Argus instance
- NGIs that don't have a Site/RC that uses Argus don't need to run a Argus service
- NGI Argus instance should be registered in GOC DB with service type ngi.ARGUS
- The NGI-Argus servers have to be configured/maintained carefully. A potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service.
- NGI-Argus Systems contain personal data and shall limit access this service to the site Argus (like) systems in the NGI.
- ACLs can be constructed by pulling the list of egi.Argus'es for the resp. NGI from goc-db
- Site Argus Instance
- Sites in the NGIs pull policies from NGI Argus
- Small sites that don't have the expertise to run a local Argus could use the NGI Argus
- Site Argus instance should be registered in GOC DB with service type emi.ARGUS
- Non Argus Sites/RCs
- Pull the list directly from NGI-Argus, feed it into their fabric management, deploy it at all services at the RC
- Scripts Documentation available at Nikhef wiki Argus_Global_Banning_Setup_Overview
Argus Monitoring
NGI Argus Monitoring
The eu.egi.Argus-DNs metric checks if an Argus server is properly configured and still pulling suspension information from the Central Argus Instance.
Every day the Central Argus Instance suspends a new DN: the probe verifies if this DN is present on the NGI argus.
The return values of that probe can indicate the following problems:
| Return value | Problem | Potential solution |
|---|---|---|
| ARGUS WARN - connection error | The probe was not able to connect to the Argus server | Please make sure that the argus pap port (8150) is accessible remotely from argo-mon.egi.eu, argo-mon2.egi.eu and argo-mon-test.cro-ngi.hr |
| ARGUS WARN - Authorization error | The probe was able to connect but was denied access | POLICY_READ_REMOTE|CONFIGURATION_READ" permissions are given to "/DC=EU/DC=EGI/C=HR/O=Robots/O=SRCE/CN=Robot:argo-egi@cro-ngi.hr" and "/DC=EU/DC=EGI/C=GR/O=Robots/O=Greek Research and Technology Network/CN=Robot:argo-egi@grnet.gr" |
| ARGUS CRIT - Expected DN not found! | The probe didn't find a recent DN in the Argus configuration | Please check your argus logs to see what is blocking the synchronization |
| ARGUS WARN - Found outdated DN | The probe only found an outdate DN and not the current one | Please check your argus logs to see what is delaying the synchronization. The synchronization delay might be too long |
| ARGUS OK - Found expected DN | Everything is good! |
For more details on the Argus configuration see bellow.
Site Monitoring
Site Arguses (or equivalent solutions) should not be exposed to the internet and thus cannot be directly monitored However the EGI CSIRT is considering submitting jobs from suspended DNs, but such monitoring of the sites' emergency suspension systems is not yet in place.
Argus Support
Support is provided through ARGUS Support unit in GGUS
Documentation
Documentation on possible problems and solutions with certain deployment scenarios are in Nikhef wiki, Argus Global Banning Setup Overview