SEC03 EGI-CSIRT Critical Vulnerability Handling
Revision as of 11:47, 14 September 2015
| Field | Value |
|---|---|
| Title | EGI-CSIRT Critical Vulnerability Handling |
| Policy Group Acronym | EGI-CSIRT |
| Policy Group Name | EGI-CSIRT |
| Procedure Statement | The scope of this procedure is to maintain a properly patched infrastructure and to make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities. |
| Owner | Owner of procedure |
After a problem has been assessed as CRITICAL by EGI-CSIRT or SVG, and a solution or a mitigation is available, sites are required to take action. This procedure describes the required actions and the responsibilities of the involved parties.
Please refer to the EGI Glossary for the definitions of the terms used in this procedure.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Entities involved in the procedure:
- SVG: svg-rat at mailman.egi.eu
- EGI-CSIRT Security Officer: irtf at mailman.egi.eu
- NGI Security Officer: the NGI Security E-Mail as defined in GOC-DB
- Resource Center (RC): the RC CSIRT E-Mail as defined in GOC-DB
= Requirements =

This procedure applies to Vulnerabilities assessed as CRITICAL by EGI-CSIRT/SVG. The assessment process and the resulting required steps for handling vulnerabilities are described in the Vulnerability issue handling process (SEC02).
= Steps =

Vulnerability affecting Resource Center services or resources
| Step# | Responsible | Action | Prerequisites, if any | Time to comply |
|---|---|---|---|---|
| 1 | EGI-CSIRT / SVG | Send advisory as per the Vulnerability issue handling process | SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL | * |
| 2 | Resource Center | Upgrade the affected software to a non-vulnerable version or apply mitigations | Non-vulnerable version available or mitigation described in the advisory | 7 calendar days after step 1 |
| 3 | EGI-CSIRT / Security Monitoring | Update Security Monitoring to check for vulnerable software versions/configurations | Vulnerability detectable via Pakiti or a dedicated Nagios probe | 7 calendar days after step 1 |
| 4 | EGI-CSIRT Security Officer | For each RC that failed to comply with step 2, the Security Officer opens an RT-IR ticket against the RC. Mails are sent from RT-IR to the RC CSIRT E-Mail and the NGI Security E-Mail as set in GOC-DB. | Failure to comply with step 2 | * |
| 5 | Resource Center | Any notified RC has to comply with the actions required by the Security Officer to resolve the vulnerability. In particular, RCs are expected to respond to the ticket after having fixed the vulnerability and, when applicable, to manually run the Pakiti client. | Vulnerable site notified during step 4 | 3 working days after step 4 |
| 5 bis | NGI Security Officer | The NGI Security Officer/Management should coordinate the activities in their NGI, in particular follow up with unresponsive sites within the given target times. | | * |
| 6 | EGI-CSIRT Security Officer | For each RC that failed to comply with step 5, the EGI-CSIRT Security Officer temporarily suspends it from the infrastructure by setting the Certification Status of this RC to Suspended in GOC-DB. The EGI-CSIRT Security Officer will inform the NGI Security Officer and EGI Operations of this action. | RC failing to comply with step 5 | * |
| 7 | Resource Center | Suspended RCs may request recertification as per PROC09 | RC suspended in step 6 | * |
A diagram representing this procedure is available as a PDF.
| Version | Authors | Date | Comments |
|---|---|---|---|
| 8 | Sven Gabriel, Vincent Brillault | 8 Sept. 2015 | Migrated from old document, adapted durations, made steps simpler, clarified emails |