|
|
| (68 intermediate revisions by 5 users not shown) |
| Line 4: |
Line 4: |
| [[Category:Operations Procedures]] | | [[Category:Operations Procedures]] |
|
| |
|
| {{Ops_procedures | | {{DeprecatedAndMovedTo|new_location=https://confluence.egi.eu/display/EGIPP/SEC03+EGI-CSIRT+Critical+Vulnerability+Handling}} |
| |Doc_title = EGI-CSIRT Critical Vulnerability Handling | |
| |Doc_link = https://documents.egi.eu/public/ShowDocument?docid=283&version=7
| |
| |Version = 8
| |
| |Policy_acronym = EGI-CSIRT
| |
| |Policy_name = EGI-CSIRT
| |
| |Contact_group = csirt@mailman.egi.eu
| |
| |Doc_status = DRAFT
| |
| |Approval_date =
| |
| |Procedure_statement = The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities.
| |
| }}
| |
| | |
| = Overview =
| |
| | |
| After a problem has been assessed as critical, and a solution is available then sites are required to take action. This document primarily defines the procedure from this time, where sites are asked to take action, and what steps are taken if they do not respond or do not take action.
| |
| If a site fails to take action, this may lead to site suspension.
| |
| | |
| = Definitions =
| |
| | |
| Please refer to the [[Glossary|EGI Glossary]] for the definitions of the terms used in this procedure.
| |
| | |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
| |
| | |
| = Entities involved in the procedure =
| |
| | |
| *'''SVG''': svg-rat at mailman.egi.eu
| |
| *'''EGI-CSIRT''': csirt at mailman.egi.eu
| |
| *'''NGI-Security-Officer''': ngi-security-contacts at mailman.egi.eu
| |
| *'''Resource Center Security Contact''': as defined in goc-db
| |
| | |
| = Requirements =
| |
| | |
| This procedure applies to Vulnerabilities assessed as CRITICAL by SVG. The assessment process and the resulting required steps to handle vulnerablities is described in: described in the [https://documents.egi.eu/public/ShowDocument?docid=47 Vulnerability issue handling process].
| |
| | |
| = Steps =
| |
| | |
| The following table describes
| |
| | |
| {| class="wikitable"
| |
| |-
| |
| ! Step#
| |
| ! <br>
| |
| ! Responsible
| |
| ! Action
| |
| ! Prerequisites, if any
| |
| |- valign="top"
| |
| | 1
| |
| ! <br>
| |
| ! EGI-CSIRT / SVG
| |
| ! Send advisory with information on resolution / mitigation of the risk arising from the Vulnerability in question to all NGI and ResourceCenter Security Contacts ( ngi-security-contacts .at. mailman.egi.eu / site-security-contacts .at. mailman.egi.eu) State explicitly that the mitigation actions have to be taken within 7 Calendar days.
| |
| ! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
| |
| |- valign="left"
| |
| | 2
| |
| ! <br>
| |
| ! Resource Center
| |
| ! Issue advisory on resolution / mitigation of the risk arising from the Vulnerability in question.
| |
| ! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
| |
| |-
| |
| | 3
| |
| ! <br>
| |
| ! EGI-CSIRT / Security Monitoring
| |
| ! Update Critical Vulnerability Information in pakiti / security dashboard
| |
| ! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
| |
| |-
| |
| |}
| |
| | |
| = Revision History =
| |
| {| class="wikitable"
| |
| |-
| |
| ! Version !! Authors !! Date !! Comments
| |
| |-
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |}
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.