EGI CSIRT:Monitoring:EGIPakiti

From EGIWiki
Revision as of 15:59, 14 September 2011 by Dfouosso (talk | contribs)

EGI Pakiti gathers the list of installed packages from selected worker nodes at all sites in EGI, using the Pakiti client, which is run by a Nagios probe. The Pakiti client also reports the host name, the running kernel and the site name. Because the Nagios probe runs on a randomly selected worker node of each site, Pakiti purges reports older than one day every night.

Pakiti implements an ACL, so only administrators (members of the EGI CSIRT team) can view and change everything in the Pakiti GUI. The list of administrators is managed by hand; if you want to be added, send mail to michalp@ics.muni.cz. Site security officers can only view results concerning their own site. The list of security officers is synchronized every night with the GOCDB.

Views

  • Sites (default) - list of all monitored sites. The list includes the site name, country, number of hosts currently stored in the Pakiti DB, and statistics on the average and worst number of unpatched packages according to the security repository and the CVEs. The view can be filtered by country. The site name is a link to the detailed view of the hosts at that site.
  • Hosts - shows all hosts currently stored in the Pakiti DB. The view can be sorted by tag, host name, time of report, running kernel and OS.
  • Hosts by tag - shows hosts that have an installed package vulnerable to a CVE tagged by the EGI CSIRT team. Tags can be EGI-Critical, EGI-High, Critical or Warning. Tags prefixed with EGI indicate an impact on the EGI infrastructure. By default the view shows all tags.
  • Hosts by package - shows all hosts that have a particular package installed. The view can be filtered by site name.
  • CVE by site - shows all hosts that have a package vulnerable to the selected CVE. The view can be filtered by host architecture, RedHat release and site name.

Configuration

  • Settings - currently quite complicated, so leave it to Michal :-)
  • Exceptions - If a local administrator compiles their own package and leaves the package version untouched (only adding some additional text), the package will be marked as vulnerable. Exceptions can be defined on this page: select the CVE and tick the package that contains the fix; that package will then be omitted from the listing for that CVE.
  • CVE Tags - On this page a CVE can be tagged as EGI-Critical, EGI-High, Critical or Warning. Tags prefixed with EGI indicate an impact on the EGI infrastructure.
  • ACL - This page is divided into two parts. The first shows the list of persons who have access to a particular site. This list is automatically synchronized with the GOCDB, but entries can also be added manually: you have to provide the user name, the DN of the certificate in the format '/C=bla/O=bla/...', and select the site. The second part of the page contains the list of DNs of Pakiti administrators, which should be the same as the list of EGI CSIRT members.

Alternative views

 tag - EGI-Critical or EGI-High
 country - name of the country
 site - name of the site
 cve - CVE name
 type - csv (default) or xml (xsd is available at http://pakiti.egi.eu/pakiti.xsd)
 Example: https://pakiti.egi.eu/api/tags_sites.php?tag=EGI-Critical&site=CBPF&cve=CVE-2009-3547
  • CVE statistics - (https://pakiti.egi.eu/api/cve_stats.php) shows the list of sites vulnerable to the CVEs tagged as EGI-Critical, starting from the beginning of November 2010. Output can be filtered using these options:
 tag - EGI-Critical or EGI-High
 country - name of the country
 site - name of the site
 cve - CVE name
 type - csv (default) or xml (xsd is available at http://pakiti.egi.eu/pakiti.xsd)
 from_date - set the start date
 to_date - set the end date
 Example: https://pakiti.egi.eu/api/cve_stats.php?tag=EGI-Critical&from_date=2010-11-30
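As an added example (not Pakiti's own client code), the helper below builds query URLs for the two API endpoints listed above and rejects option names, tag or type values, and date ranges that the page does not allow, so that a script consuming the CSV/XML feeds fails early on a bad filter instead of silently fetching the unfiltered default. The function and constant names are this example's own.

```python
"""Build filter URLs for the Pakiti API endpoints described on this page.

Example code, not Pakiti's client. Helper names are this example's own;
the endpoint names, option names and allowed values come from the page.
"""
from datetime import date
from urllib.parse import urlencode

PAKITI_API = "https://pakiti.egi.eu/api"

# Option names each endpoint accepts, as listed on the page.
ENDPOINT_OPTIONS = {
    "tags_sites.php": ("tag", "country", "site", "cve", "type"),
    "cve_stats.php": ("tag", "country", "site", "cve", "type",
                      "from_date", "to_date"),
}
ALLOWED_TAGS = ("EGI-Critical", "EGI-High")
ALLOWED_TYPES = ("csv", "xml")


def _parse_date(name, value):
    """Dates use YYYY-MM-DD, as in the page's example; reject anything else."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        raise ValueError(f"{name} must be YYYY-MM-DD, got {value!r}")


def build_pakiti_url(endpoint, **options):
    """Return the URL for `endpoint` with the given filter options.

    Unknown options, unknown tag/type values, malformed dates and a
    from_date later than to_date are rejected before any request is made.
    """
    if endpoint not in ENDPOINT_OPTIONS:
        raise ValueError(f"unknown endpoint {endpoint!r}")
    for name, value in options.items():
        if name not in ENDPOINT_OPTIONS[endpoint]:
            raise ValueError(f"{endpoint} does not accept option {name!r}")
        if name == "tag" and value not in ALLOWED_TAGS:
            raise ValueError(f"tag must be one of {ALLOWED_TAGS}")
        if name == "type" and value not in ALLOWED_TYPES:
            raise ValueError(f"type must be one of {ALLOWED_TYPES}")
        if name in ("from_date", "to_date"):
            _parse_date(name, value)
    if "from_date" in options and "to_date" in options:
        if _parse_date("from_date", options["from_date"]) > \
                _parse_date("to_date", options["to_date"]):
            raise ValueError("from_date must not be later than to_date")
    # urlencode percent-escapes site or country names with spaces or symbols.
    return f"{PAKITI_API}/{endpoint}?{urlencode(options)}"
```

Both example URLs on this page are reproduced exactly by `build_pakiti_url("tags_sites.php", tag="EGI-Critical", site="CBPF", cve="CVE-2009-3547")` and `build_pakiti_url("cve_stats.php", tag="EGI-Critical", from_date="2010-11-30")`.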