The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

EGI CSIRT:Incident reporting

From EGIWiki
This page is under construction.





The EGI security incident handling procedure is being developed. Once it is approved by the EGI PMB (due at the end of July), this page will be updated with the newly approved procedure.


OSCT developed an EGEE Incident Response Procedure that must be used as the roadmap for the incident response actions.

For your convenience, we have reproduced the incident reporting templates from the original document on this page.

Initial HEADS-UP message

This template is aimed at notifying the grid participants soon after the incident has been discovered (heads-up), as described in Step 3 of the incident response procedure.

From: <YOUR_EMAIL_ADDRESS@YOUR_ORGANISATION>
To: project-egee-security-csirts@in2p3.fr
Subject: Security incident suspected at <YOUR SITE>

** PLEASE DO NOT REDISTRIBUTE ** EGEE-<DATE> (ex: EGEE-20090531)
** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **

Dear CSIRTs,
It seems a security incident has been detected at <YOUR SITE>.
Summary of the information available so far:

<Ex: A malicious SSH connection was detected from 012.012.012.012.
The extent of the incident is unclear for now, and more information
will be published in the coming hours as forensics are progressing
at our site.  However, all sites should check for successful
SSH connections from 012.012.012.012 as a precautionary measure.>

Follow-up message

This template can be used to provide a detailed view of the incident, and may be completed and reposted as the investigation progresses, as described in Step 5 of the incident response procedure.

From: <YOUR_EMAIL_ADDRESS@YOUR_ORGANISATION>
To: project-egee-security-csirts@in2p3.fr
Subject: Security incident suspected at <YOUR SITE>

** PLEASE DO NOT REDISTRIBUTE ** EGEE-<DATE> (ex: EGEE-20090531)
** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **

Dear CSIRTs,
It seems a security incident has been detected at <YOUR SITE>.

- Short summary of the incident
<Provide a high level overview of the incident>

- Host(s) affected
<List of compromised hosts and/or hosts running suspicious user code.
ex: grid-worker-node-124.mysite.org (123.123.123.123)>

- Host(s) used as a local entry point to the site (ex: UI or WMS IP
  address)
<The host that the attacker is likely to have used to access the site.
ex: grid-ui-101.mysite.org (123.123.123.124)>

- Remote IP address(es) of the attacker
<The remote host from which the attacker is likely to have connected.
ex: 123.adsl.somecorp.com (012.012.012.012)>

- Evidence of the compromise, including timestamps (ex: suspicious files
  or log entry)
<Ex: the attacker logged in as root from 123.adsl.somecorp.com. Times
are UTC: Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for
root from 012.012.012.012>

- What was lost, details of the attack
<Provide available details on the extent of the compromise. For ex:
System logs revealed the attacker guessed the root password of
grid-ui-101 on Mar 24 12:00:09 (UTC) after hundreds of attempts. Then,
the attacker [...] etc.>

- If available and relevant, the list of other sites possibly affected
<Ex: firewall logs reveal suspicious SSH connections from the
compromised node to grid-ui.friendlysite.org on Mar 24 13:01:03 (UTC).
friendlysite.org has been contacted.>

- Possible vulnerabilities exploited by the attacker
<Ex: the attacker exploited a weak root password and gained further
access by exploiting CVE-20090123 against [...] etc.>

- The actions taken to resolve the incident
<Ex: Disk images have been saved, hosts have been reinstalled from
scratch with new, strong root passwords, and SSH has been configured
to prevent "root" logins with password.>

- Recommendations for other sites, actions suggested
<Ex: Sites should check and report any successful SSH connection from
grid-ui-101 between Mar 24 12:00:09 (UTC) and Mar 24 17:00:00 (UTC).
It is also recommended to avoid direct SSH access, and to configure
sshd with "PermitRootLogin without-password".>

- Timeline of the incident
<Ex:
2009-03-24 09:12:43 Multiple SSH connection attempts from 012.012.012.012
2009-03-24 12:00:09 Attacker connects as root on grid-ui-101.mysite.org
                    from 012.012.012.012
2009-03-24 13:01:03 SSH scan from grid-ui-101 against
                    grid-ui.friendlysite.org
[...]
2009-03-24 15:00:00 Site security team investigating
2009-03-24 15:34:00 EGEE CSIRTs informed via
                    project-egee-security-csirts@in2p3.fr
[...]>
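As an added example (not part of the original wiki page or the OSCT procedure), the following Python script performs the checks the follow-up template asks a site to do: it parses sshd log lines in the syslog format quoted under "Evidence of the compromise", lists successful logins from the reported attacker address inside the UTC window given under "Recommendations", counts the failed attempts that preceded them, and renders the hits as "Timeline of the incident" entries. The log lines, hostnames and addresses are constructed from the template's placeholders, and the syslog year is assumed to be 2009 as in the template's timeline.

```python
import re
from datetime import datetime, timezone

# Constructed sample auth log in the syslog format quoted in the template;
# hosts and addresses are the template's placeholders, not real systems.
SAMPLE_LOG = """\
Mar 24 09:12:43 grid-ui-101 sshd[13801]: Failed password for root from 012.012.012.012 port 40101 ssh2
Mar 24 09:12:45 grid-ui-101 sshd[13801]: Failed password for root from 012.012.012.012 port 40101 ssh2
Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for root from 012.012.012.012 port 40555 ssh2
Mar 24 12:30:00 grid-ui-101 sshd[13950]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar 24 18:10:00 grid-ui-101 sshd[14020]: Accepted password for root from 012.012.012.012 port 40900 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)

def _utc(s):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string (the template's timeline format) as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_sshd_log(text, year):
    """Yield (utc datetime, host, result, method, user, ip) per sshd auth line.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2009
    here); times are taken as UTC, as the template requires."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield (ts.replace(tzinfo=timezone.utc), m["host"], m["result"],
               m["method"], m["user"], m["ip"])

def suspect_logins(text, suspect_ips, start, end, year=2009):
    """Successful logins from the reported attacker addresses inside the
    UTC window [start, end] that the follow-up message asks sites to check."""
    lo, hi = _utc(start), _utc(end)
    return [ev for ev in parse_sshd_log(text, year)
            if ev[2] == "Accepted" and ev[5] in suspect_ips and lo <= ev[0] <= hi]

def failed_attempts(text, ip, year=2009):
    """Failed attempts from one address (the 'after hundreds of attempts' figure)."""
    return sum(1 for ev in parse_sshd_log(text, year) if ev[2] == "Failed" and ev[5] == ip)

def timeline_lines(events):
    """Render events in the template's 'Timeline of the incident' format."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} Attacker connects as {user} on {host} from {ip}"
            for ts, host, _, _, user, ip in events]

if __name__ == "__main__":
    hits = suspect_logins(SAMPLE_LOG, {"012.012.012.012"},
                          "2009-03-24 12:00:09", "2009-03-24 17:00:00")
    print("\n".join(timeline_lines(hits)))
    print("failed attempts before/after:", failed_attempts(SAMPLE_LOG, "012.012.012.012"))
```

The 18:10 login from the same address falls outside the reported window and is deliberately not listed; widen the window if the investigation's timeline is revised in a reposted follow-up.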

Source

Parts of this article came from the OSCT wiki; they were written by the EGEE Operational Security Coordination Team.