The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

EGI CSIRT:Central emergency suspension





This page describes the status of the implementation of the EGI central emergency suspension infrastructure.


Central emergency suspension procedure

The document describing the central emergency suspension procedure is available at EGI CSIRT Operational Procedure for Compromised Certificates.

Argus Infrastructure Deployment

Argus Deployment

  • Central Argus Instance at CERN
  • NGI Argus Instance: EGI CoreArgus Service Group
    • All NGIs should run an Argus instance
    • NGIs that don't have a Site/RC that uses Argus don't need to run an Argus service
    • NGI Argus instance should be registered in GOC DB with service type emi.ARGUS
    • The NGI-Argus servers have to be configured and maintained carefully. A potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service.
    • NGI-Argus systems contain personal data and shall limit access to this service to the site Argus (or Argus-like) systems in the NGI.
    • ACLs can be constructed by pulling the list of egi.Argus services for the respective NGI from GOC DB
  • Site Argus Instance
    • Sites in the NGIs pull policies from NGI Argus
    • Small sites that don't have the expertise to run a local Argus could use the NGI Argus
    • Site Argus instance should be registered in GOC DB with service type emi.ARGUS
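
The ACL construction mentioned above for the NGI Argus instance can be scripted along these lines. This is an added example, not code from EGI or the Argus project; it assumes the GOC DB service listing is XML made of SERVICE_ENDPOINT records with the element names used below, and the hosts, DNs, `OTHER.SERVICE` and `NGI_EXAMPLE` are constructed.

```python
import xml.etree.ElementTree as ET

def record(host, dn, stype, prod, ngi):
    """Build one constructed SERVICE_ENDPOINT record (element names assumed)."""
    return (f"<SERVICE_ENDPOINT><HOSTNAME>{host}</HOSTNAME><HOSTDN>{dn}</HOSTDN>"
            f"<SERVICE_TYPE>{stype}</SERVICE_TYPE><IN_PRODUCTION>{prod}</IN_PRODUCTION>"
            f"<ROC_NAME>{ngi}</ROC_NAME></SERVICE_ENDPOINT>")

# Constructed sample standing in for a GOC DB service-endpoint listing.
DN_A = "/DC=org/DC=example/CN=argus.site-a.example.org"
SAMPLE_XML = "<results>" + "".join(record(*r) for r in [
    ("argus.site-a.example.org", DN_A, "emi.ARGUS", "Y", "NGI_EXAMPLE"),
    ("argus.site-a.example.org", DN_A, "emi.ARGUS", "Y", "NGI_EXAMPLE"),  # duplicate
    ("argus.site-b.example.org", "", "emi.ARGUS", "Y", "NGI_EXAMPLE"),    # no host DN
    ("argus.site-c.example.org", "/DC=org/DC=example/CN=argus.site-c.example.org",
     "emi.ARGUS", "N", "NGI_EXAMPLE"),                                    # not in production
    ("ce.site-a.example.org", "/DC=org/DC=example/CN=ce.site-a.example.org",
     "OTHER.SERVICE", "Y", "NGI_EXAMPLE"),                                # not an Argus
    ("argus.site-x.example.net", "/DC=net/DC=example/CN=argus.site-x.example.net",
     "emi.ARGUS", "Y", "NGI_OTHER"),                                      # other NGI
]) + "</results>"

def argus_acl(xml_text, ngi, service_type="emi.ARGUS"):
    """Return (allowed_dns, skipped_hosts) for the site Argus services of one NGI."""
    allowed, skipped = set(), []
    for ep in ET.fromstring(xml_text).iter("SERVICE_ENDPOINT"):
        field = lambda tag: (ep.findtext(tag) or "").strip()
        if field("ROC_NAME") != ngi or field("SERVICE_TYPE") != service_type:
            continue  # belongs to another NGI or is not an Argus service
        host, dn = field("HOSTNAME"), field("HOSTDN")
        # Conservative choice of this example: only admit production services
        # whose registered DN ends in the registered hostname.
        if field("IN_PRODUCTION") == "Y" and host and dn.endswith("/CN=" + host):
            allowed.add(dn)
        elif host not in skipped:
            skipped.append(host)  # report for manual follow-up, never allow
    return sorted(allowed), skipped

if __name__ == "__main__":
    allowed, skipped = argus_acl(SAMPLE_XML, "NGI_EXAMPLE")
    print("allow:", *allowed, sep="\n  ")
    print("review:", *skipped, sep="\n  ")
```

How the resulting DN list is applied (service authorization, firewall rules) depends on the NGI's own setup.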

Non Argus Infrastructures/NGIs/RCs

Argus Monitoring

Goal: Nagios probe for NGI Argus run centrally (secmon.egi.eu)

Note: *ONLY* the NGI-Argus servers should accept Nagios probes.

Note: Site-Argus systems must not expose this service to the internet.

List of Services to monitor with Nagios: Goc-DB NGI-Argus Servers

(The main modification is the addition of a loop: instead of listing the "default" PAP, it first lists all the PAPs using "getAllPaps" on "/pap/services/PAPManagementService?wsdl".

Note: as discussed, I believe, during one of our meetings, getAllPaps requires the ListPapsOperation right.)


What to monitor:

  • System UP
    • Fetch the suspension list from those Argus servers
    • Try to submit a job with a suspended DN - this would only look at a single component where the proxy-certificates are used. We need to look at gacl/l,scas at CE, WMS, SEs (perhaps more).
  • Last update of the ban information fetched from the central instance at CERN. This check will not be run against the Argus services; here we only want to monitor that the ban information gets updated.

Argus Support

Support is provided through the ARGUS support unit in GGUS.


  1. INFN supports PAP component
    • Could take PDP + PEPd on board if e.g. INDIGO-DataCloud gets approved
  2. NIKHEF supports C clients
    • Used e.g. by gLExec
  3. EGI
    • Release management, staged rollout, deployment campaigns
    • 1st and 2nd level support
    • Scale testing with partner sites
      • MW Readiness Validation activity

Potential new partners

  1. CESNET
    • Testing, maybe development
  2. UNICORE
    • Connection via CANL
  3. ARC
    • Client needs fixing

Documentation

Documentation on possible problems and solutions for certain deployment scenarios is in the Nikhef wiki: Argus Global Banning Setup Overview

Workplan

Members:

  • Sven Gabriel (EGI CSIRT)
  • Małgorzata Krakowian (EGI Operations)
  • Peter Solagna (EGI Operations)
  • Cristina Aiftimiei (EGI Operations)
  • Emir Imamagic (Monitoring)
  • V. Brillaut (Monitoring probes)



  1. NGI Argus services are deployed (coordinated by EGI Operations, action on NGIs, GGUS tickets opened). DONE
  2. Information on the NGI Argus services is in the appropriate format in GOC DB (action on GOC DB/NGIs, coordinated by EGI Operations). DONE
  3. Monitoring that NGI-Argus services have updated banning information, with monitoring results available to EGI-CSIRT, for example via the security dashboard (coordinated by EGI Operations, action on Nagios Monitoring group). Remark: probe is available from V. Brillaut
  4. Test if ban information propagates to the sites services: CE/SE/WMS (action on EGI-CSIRT)
  5. ?