Difference between revisions of "SEC03 EGI-CSIRT Critical Vulnerability Handling"

From EGIWiki
(Steps)
 
(43 intermediate revisions by 4 users not shown)
Line 6: Line 6:
 
{{Ops_procedures
 
{{Ops_procedures
 
|Doc_title =  EGI-CSIRT Critical Vulnerability Handling  
 
|Doc_title =  EGI-CSIRT Critical Vulnerability Handling  
|Doc_link = https://documents.egi.eu/document/283
+
|Doc_link = https://wiki.egi.eu/wiki/SEC03
|Version = 8
+
|Version = v8,  8. Sept. 2015
 
|Policy_acronym = EGI-CSIRT
 
|Policy_acronym = EGI-CSIRT
 
|Policy_name = EGI-CSIRT
 
|Policy_name = EGI-CSIRT
 
|Contact_group =  csirt@mailman.egi.eu
 
|Contact_group =  csirt@mailman.egi.eu
|Doc_status = <span style="color:#FF0000"> '''DRAFT''' </span>
+
|Doc_status = Approved
|Approval_date =  
+
|Approval_date = 29.10.2015
 
|Procedure_statement = The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities.
 
|Procedure_statement = The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities.
 
}}
 
}}
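Review bot: the Version field now embeds a date ("v8,  8. Sept. 2015") that differs from the Approval_date set in the same hunk ("29.10.2015"), so the header carries two dates that both read as the document's date. Keep Version as the bare number ("8") and let the Revision History table record the date of each version; the approval date then stands alone in Approval_date.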
Line 18: Line 18:
 
= Overview  =
 
= Overview  =
  
After a problem has been assessed as critical, and a solution is available then sites are required to take action. This document primarily defines the procedure from this time, where sites are asked to take action, and what steps are taken if they do not respond or do not take action.
+
After a problem has been assessed as critical by EGI-CSIRT or SVG, and a solution or a mitigation is available then sites are required to take action.  
If a site fails to take action, this may lead to site suspension.  
+
This procedure describes the needed actions and responsibilities of the involved parties.
  
 
= Definitions  =
 
= Definitions  =
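Review bot: the rewritten Overview sentence needs a comma after "is available" (or "then" should go): "After a problem has been assessed as critical by EGI-CSIRT or SVG, and a solution or a mitigation is available, sites are required to take action." Since the new text introduces "this may lead to site suspension", name the step in this procedure that defines the suspension so a reader of the Overview knows where the deadline and the authority to suspend are set.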
Line 30: Line 30:
  
 
*'''SVG''': svg-rat at mailman.egi.eu
 
*'''SVG''': svg-rat at mailman.egi.eu
*'''EGI-CSIRT''': csirt at mailman.egi.eu
+
*'''EGI-CSIRT Security Officer on Duty''': irtf at mailman.egi.eu
*'''NGI-Security-Officer''':   ngi-security-contacts at mailman.egi.eu
+
*'''NGI Security Officer''': NGI Security E-Mail as defined in GOC-DB
*'''Resource Center Security Contact''': as defined in goc-db
+
*'''Resource Center''': RC CSIRT E-Mail as defined in goc-db
*'''VM-Endorsers''': <span style="color:#FF0000"> Contact list does not yet exist</span>
 
  
 
= Requirements  =
 
= Requirements  =
  
This procedure applies to Vulnerabilities assessed as CRITICAL by SVG.  The assessment process and the resulting required steps to handle vulnerablities is described in: described in the [https://documents.egi.eu/public/ShowDocument?docid=47 Vulnerability issue handling process].
+
This procedure applies to Vulnerabilities assessed as CRITICAL by EGI-CSIRT/SVG.  The assessment process and the resulting required steps to handle vulnerablities is described in: [[SEC02|Vulnerability issue handling process]].
  
 
= Steps  =
 
= Steps  =
  
The following table describes
+
== Vulnerability affecting Resource Center services or resources  ==
 +
[[Image:SEC03-RC.png|thumb|right]]<br>
 +
 
  
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
 
! Step#  
 
! Step#  
! <br>
+
!  
 
! Responsible  
 
! Responsible  
 
! Action  
 
! Action  
! Prerequisites, if any
+
! Prerequisites, if any  
|- style="vertical-align:top;"
+
! Time to comply
 +
|- style="background:LightCyan"
 +
| 1
 +
|
 +
| EGI-CSIRT / SVG
 +
| Send advisory as per [[SEC02|Vulnerability issue handling process]]
 +
| SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
 +
| *
 +
|- style="background:Ivory"
 +
| 2
 +
|
 +
| Resource Center
 +
| Upgrade the affected software to a non vulnerable version or apply mitigations
 +
| Non-vulnerable version available or mitigation described in the advisory
 +
| 7 Calendar days after Step 1
 +
|- style="background:LightCyan"
 +
| 3
 +
|
 +
| EGI-CSIRT / Security Monitoring
 +
| Update Security Monitoring to check for vulnerable software versions/configurations
 +
| Vulnerability detectable via Pakiti or a dedicated nagios probe
 +
| *
 +
|- style="background:LightCyan"
 +
| 4
 +
|
 +
| EGI-CSIRT Security Officer on Duty
 +
| For each RC who failed to comply to step 2, the EGI-CSIRT Security Officer on Duty opens an RT-IR ticket against the RC.
 +
Mails are send from RT-IR to the RC CSIRT E-Mail and the NGI Security E-Mail as set in GOC-DB.
 +
 
 +
| Failure to comply to step 2
 +
| *
 +
|- style="background:Ivory"
 +
| rowspan="2" | 5 <br> <br>
 
| 1
 
| 1
! 1 <br>
+
| Resource Center
! EGI-CSIRT / SVG
+
| Any notified RC has to comply to the actions required by the EGI-CSIRT Security Officer on Duty to resolve the vulnerability.
! Send advisory with information on resolution / mitigation of the risk arising from the Vulnerability in question to all VM-Endorsers, NGI- and ResourceCenter (RC) Security Contacts ( <span style="color:#FF0000"> Vm-endorsers at nonexist.ing </span> / ngi-security-contacts .at. mailman.egi.eu / site-security-contacts .at. mailman.egi.eu). State explicitly that the mitigation actions have to be taken within 7 Calendar days.
+
In particular, RC are expected to respond to the ticket after having fixed the vulnerability and, when applicable, [[EGI CSIRT:Pakiti client|manually run the Pakiti client]].
! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
+
 
|- style="vertical-align:top;"
+
| Vulnerable site notified during step 4
| 1
+
| 3 working days after step 4
! 2 <br>
+
|- style="background:Ivory"
! EGI-CSIRT / SVG
+
| 2
! Set all currently endorsed VMs to un-endorsed.  <span style="color:#FF0000"> Not clear how EGI-CSIRT IRTF can un-endorse VM-images </span>
+
| NGI Security Officer
! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
+
| NGI Security Officer/Management should coordinate the activities in their NGI, in particular follow up with unresponsive sites within the given target times.  
|- valign="top"
+
|
 +
| *
 +
|- style="background:LightCyan"
 +
| 6
 +
|
 +
| EGI-CSIRT Security Officer on Duty
 +
| For each RC who failed to comply to step 5, the EGI-CSIRT Security Officer on Duty temporarily suspends it from the infrastructure by setting the ''Certification Status'' of this RC to ''Suspended'' in GOC-DB. The EGI-CSIRT Security Officer on Duty will inform the NGI Security Officer and EGI Operations of this action
 +
| RC failing to comply to step 5
 +
| *
 +
|- style="background:Ivory"
 +
| 7
 
|  
 
|  
|
+
| Resource Center
|
+
| Suspended RCs might request recertification as per [[PROC09]]  
|
+
| RC suspended in step 6
|-
+
| *
| 2
 
! 1 <br>
 
! ResourceCenter
 
! If available upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1. This step has to be finished within 7 Calendar days from Step-1
 
!
 
|- valign="top"
 
| 2
 
! 2 <br>
 
! VM Endorsers
 
! Re-Endorse VM-Image, if applicable upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1.
 
! <span style="color:#FF0000">NOTE:</span> VM-Endorsers-Contact is not yet properly defined
 
|-valign="top"
 
|
 
|
 
|
 
|
 
|-
 
| 3
 
! <br>
 
! EGI-CSIRT / Security Monitoring
 
! Update Security Monitoring to check for vulnerable software versions/configurations. This step has to be finished within 7 calendar days from Step-1.
 
!
 
|- valign="top"
 
|
 
|
 
|
 
|
 
|-
 
| 4
 
! 1
 
! EGI-CSIRT IRTF
 
! After 7 calendar days from Step-1 on, the Security Officer on Duty opens tickets against RCs reported by EGI's Security Monitoring running a software configuration with a CRITICAL Vulnerability. The RC has to finish Step 4-2 within 3 Office days or will be temporarily suspended from the infrastructure. In these communications the resp. NGI and EGI Operations will be CC'd
 
!
 
|- valign="top"
 
| 4
 
! 2
 
! RC
 
! The RC has to finish the actions requested in the ticket (Step 4-1) within 3 Office days or will be temporarily suspended from the infrastructure. Besides other actions the RC has to acknowledge the ticket and might be asked to install and run the security monitoring probe manually on the reported nodes.
 
!
 
|- valign="top"
 
|
 
|
 
|
 
|
 
|- valign="top"
 
| 5
 
!
 
! RC / EGI Operations
 
! Suspended RCs might request recertification by contacting: operations-support .at. mailman.egi.eu , see  [https://wiki.egi.eu/wiki/PROC09 PROC09]
 
!
 
|-valign="top"
 
 
|}
 
|}
 +
 +
A diagram representing this procedure is available [https://wiki.egi.eu/w/images/e/e5/SEC03-RC.pdf as an pdf].
  
 
= Revision History  =
 
= Revision History  =
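Review bot: step 4's prerequisite "Failure to comply to step 2" no longer states how non-compliance is established; the replaced text tied ticket opening to "RCs reported by EGI's Security Monitoring running a software configuration with a CRITICAL Vulnerability", and step 3 (Pakiti or a dedicated nagios probe) is presumably still the detection source, so say so explicitly in step 4 so the trigger for a ticket is unambiguous. The Definitions list also drops "*'''EGI-CSIRT''': csirt at mailman.egi.eu" while steps 1 and 3 still name "EGI-CSIRT / SVG" and "EGI-CSIRT / Security Monitoring" as responsible; keep the csirt address in the list. Smaller points: the "*" placed in the new "Time to comply" column has no legend; "vulnerablities" and "Mails are send" are typos; "comply to" should read "comply with" throughout the table.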
Line 127: Line 121:
 
|-
 
|-
 
| 8
 
| 8
| Sveng
+
| Sven Gabriel, Vincent Brillault
| 16. Jul. 2015
+
| 8. Sept. 2015
|  
+
| Migrated from old document, adapted durations, made steps simpler, clarified emails
 
|}
 
|}
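Review bot: the revision-history row dates version 8 to "8. Sept. 2015" while the header in this same revision sets "|Approval_date = 29.10.2015"; either mention the approval in the Comments column or add an entry for it, so the history explains why the two dates differ.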

Latest revision as of 14:04, 2 November 2015

Title: EGI-CSIRT Critical Vulnerability Handling
Document link: https://wiki.egi.eu/wiki/SEC03
Last modified: v8, 8. Sept. 2015
Policy Group Acronym: EGI-CSIRT
Policy Group Name: EGI-CSIRT
Contact Group: csirt@mailman.egi.eu
Document Status: Approved
Approved Date: 29.10.2015
Procedure Statement: The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities.


Overview

After a problem has been assessed as critical by EGI-CSIRT or SVG and a solution or a mitigation is available, sites are required to take action. This procedure describes the required actions and the responsibilities of the involved parties.

Definitions

Please refer to the EGI Glossary for the definitions of the terms used in this procedure.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Entities involved in the procedure

  • SVG: svg-rat at mailman.egi.eu
  • EGI-CSIRT Security Officer on Duty: irtf at mailman.egi.eu
  • NGI Security Officer: NGI Security E-Mail as defined in GOC-DB
  • Resource Center: RC CSIRT E-Mail as defined in GOC-DB

Requirements

This procedure applies to Vulnerabilities assessed as CRITICAL by EGI-CSIRT/SVG. The assessment process and the resulting steps required to handle vulnerabilities are described in the Vulnerability issue handling process (SEC02).

Steps

Vulnerability affecting Resource Center services or resources

[Figure: SEC03-RC.png, diagram of the procedure for vulnerabilities affecting Resource Center services or resources]
| Step | Responsible | Action | Prerequisites, if any | Time to comply |
|------|-------------|--------|-----------------------|----------------|
| 1 | EGI-CSIRT / SVG | Send advisory as per the Vulnerability issue handling process. | SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. | * |
| 2 | Resource Center | Upgrade the affected software to a non-vulnerable version or apply mitigations. | Non-vulnerable version available or mitigation described in the advisory. | 7 calendar days after step 1 |
| 3 | EGI-CSIRT / Security Monitoring | Update Security Monitoring to check for vulnerable software versions/configurations. | Vulnerability detectable via Pakiti or a dedicated Nagios probe. | * |
| 4 | EGI-CSIRT Security Officer on Duty | For each RC that failed to comply with step 2, the EGI-CSIRT Security Officer on Duty opens an RT-IR ticket against the RC. Mails are sent from RT-IR to the RC CSIRT E-Mail and the NGI Security E-Mail as set in GOC-DB. | Failure to comply with step 2. | * |
| 5.1 | Resource Center | Any notified RC has to comply with the actions required by the EGI-CSIRT Security Officer on Duty to resolve the vulnerability. In particular, RCs are expected to respond to the ticket after having fixed the vulnerability and, when applicable, manually run the Pakiti client. | Vulnerable site notified during step 4. | 3 working days after step 4 |
| 5.2 | NGI Security Officer | The NGI Security Officer/Management should coordinate the activities in their NGI, in particular follow up with unresponsive sites within the given target times. | | * |
| 6 | EGI-CSIRT Security Officer on Duty | For each RC that failed to comply with step 5, the EGI-CSIRT Security Officer on Duty temporarily suspends it from the infrastructure by setting the Certification Status of this RC to Suspended in GOC-DB. The EGI-CSIRT Security Officer on Duty informs the NGI Security Officer and EGI Operations of this action. | RC failing to comply with step 5. | * |
| 7 | Resource Center | Suspended RCs might request recertification as per PROC09. | RC suspended in step 6. | * |

A diagram representing this procedure is available as a PDF (https://wiki.egi.eu/w/images/e/e5/SEC03-RC.pdf).

Revision History

| Version | Authors | Date | Comments |
|---------|---------|------|----------|
| 8 | Sven Gabriel, Vincent Brillault | 8. Sept. 2015 | Migrated from old document, adapted durations, made steps simpler, clarified emails |