The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SEC03 EGI-CSIRT Critical Vulnerability Handling"

From EGIWiki
(Deprecate page, content moved to CSIRT space in confluence)
Tag: Replaced
 
(44 intermediate revisions by 5 users not shown)
Line 4: Line 4:
[[Category:Operations Procedures]]
[[Category:Operations Procedures]]


{{Ops_procedures
{{DeprecatedAndMovedTo|new_location=https://confluence.egi.eu/display/EGIPP/SEC03+EGI-CSIRT+Critical+Vulnerability+Handling}}
|Doc_title =  EGI-CSIRT Critical Vulnerability Handling
|Doc_link = https://documents.egi.eu/document/283
|Version = 8
|Policy_acronym = EGI-CSIRT
|Policy_name = EGI-CSIRT
|Contact_group =  csirt@mailman.egi.eu
|Doc_status = <span style="color:#FF0000"> '''DRAFT''' </span>
|Approval_date =
|Procedure_statement = The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities.
}}
 
= Overview  =
 
After a problem has been assessed as critical and a solution is available, sites are required to take action. This document primarily defines the procedure from that point on: what sites are asked to do, and what steps are taken if they do not respond or do not take action.
If a site fails to take action, this may lead to site suspension.
 
= Definitions  =
 
Please refer to the [[Glossary|EGI Glossary]] for the definitions of the terms used in this procedure.
 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
 
= Entities involved in the procedure  =
 
*'''SVG''': svg-rat at mailman.egi.eu
*'''EGI-CSIRT''':  csirt at mailman.egi.eu
*'''NGI-Security-Officer''':  ngi-security-contacts at mailman.egi.eu
*'''Resource Center Security Contact''': as defined in goc-db
*'''VM-Endorsers''': <span style="color:#FF0000"> Contact list does not yet exist</span>
 
= Requirements  =
 
This procedure applies to Vulnerabilities assessed as CRITICAL by SVG. The assessment process and the resulting required steps to handle vulnerabilities are described in the [https://documents.egi.eu/public/ShowDocument?docid=47 Vulnerability issue handling process].
 
= Steps  =
 
The following table describes
 
{| class="wikitable"
|-
! Step#
! Sub-step
! Responsible
! Action
! Prerequisites, if any
|- style="vertical-align:top;"
| 1
| 1
| EGI-CSIRT / SVG
| Send an advisory with information on resolution / mitigation of the risk arising from the Vulnerability in question to all VM-Endorsers, NGI and Resource Center (RC) Security Contacts ( <span style="color:#FF0000"> Vm-endorsers at nonexist.ing </span> / ngi-security-contacts .at. mailman.egi.eu / site-security-contacts .at. mailman.egi.eu). State explicitly that the mitigation actions have to be taken within 7 calendar days.
| SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
|- style="vertical-align:top;"
| 1
| 2
| EGI-CSIRT / SVG
| Set all currently endorsed VMs to un-endorsed. <span style="color:#FF0000"> Not clear how EGI-CSIRT IRTF can un-endorse VM-images </span>
| SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL.
|- style="vertical-align:top;"
| 2
| 1
| Resource Center
| If available, upgrade the affected software to a non-vulnerable version or apply the mitigations described in the advisory from Step-1. This step has to be finished within 7 calendar days from Step-1.
|
|- style="vertical-align:top;"
| 2
| 2
| VM Endorsers
| Re-endorse the VM image; if applicable, upgrade the affected software to a non-vulnerable version or apply the mitigations described in the advisory from Step-1.
| <span style="color:#FF0000">NOTE:</span> VM-Endorsers contact is not yet properly defined
|- style="vertical-align:top;"
| 3
|
| EGI-CSIRT / Security Monitoring
| Update Security Monitoring to check for vulnerable software versions/configurations. This step has to be finished within 7 calendar days from Step-1.
|
|- style="vertical-align:top;"
| 4
| 1
| EGI-CSIRT IRTF
| From 7 calendar days after Step-1 onwards, the Security Officer on Duty opens tickets against RCs that EGI's Security Monitoring reports as running a software configuration with a CRITICAL Vulnerability. The RC has to finish Step 4-2 within 3 office days or will be temporarily suspended from the infrastructure. The responsible NGI and EGI Operations are CC'd on these communications.
|
|- style="vertical-align:top;"
| 4
| 2
| RC
| The RC should perform the actions requested in the ticket (Step 4-1) within 3 office days or will be temporarily suspended from the infrastructure. Among other actions, the RC has to acknowledge the ticket and might be asked to install and run the security monitoring probe manually on the reported nodes.
| Suspending an RC is done by the EGI-CSIRT Security Officer by setting the ''Certification Status'' of this site to ''Suspended'' in GOC-DB
|- style="vertical-align:top;"
| 5
|
| RC / EGI Operations
| Suspended RCs might request recertification by contacting operations-support .at. mailman.egi.eu, see [https://wiki.egi.eu/wiki/PROC09 PROC09].
|
|}
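Steps 3 and 4 of the table call for a monitoring check that flags nodes still running a vulnerable software version, and for deadlines counted in calendar days (7 days from the advisory) and office days (3 days from the ticket). The following is an added illustration of that logic, written for this page; it is not EGI's Security Monitoring probe or any other EGI code. It assumes an advisory names a single affected package with its first fixed version and the date it was sent, that versions are dotted numeric strings with an optional "-N" release suffix (a simplified comparison, not dpkg or rpm semantics), and that "office days" are Monday to Friday with no holiday calendar. The advisory, package name and node inventory are constructed sample data.

```python
"""
Added example (not EGI's monitoring probe or any EGI code): a minimal
Step-3 style version check and the Step-4 deadline arithmetic.

Assumptions (mine, not from the procedure page):
  * an advisory names one affected package, the first fixed version and
    the date it was sent (Step-1);
  * versions are dotted numeric strings with an optional "-N" release
    suffix (simplified comparison, not dpkg/rpm semantics);
  * "office days" means Monday to Friday, with no holiday calendar.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str      # first non-vulnerable version
    sent_on: date           # date of the Step-1 advisory


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '1.2.10-3' into ((1, 2, 10), 3) so tuples compare numerically."""
    upstream, _, release = version.partition("-")
    return (tuple(int(part) for part in upstream.split(".")),
            int(release) if release else 0)


def is_vulnerable(installed: str, advisory: Advisory) -> bool:
    """Step-3 check: anything below the first fixed version is vulnerable."""
    return version_key(installed) < version_key(advisory.fixed_version)


def ticket_opening_date(advisory: Advisory) -> date:
    """Step 4-1: tickets may be opened 7 calendar days after the advisory."""
    return advisory.sent_on + timedelta(days=7)


def add_office_days(start: date, office_days: int) -> date:
    """Count Monday..Friday only (assumption: no public-holiday calendar)."""
    current = start
    remaining = office_days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:       # 0..4 are Monday..Friday
            remaining -= 1
    return current


def suspension_deadline(ticket_opened: date) -> date:
    """Step 4-2: the RC has 3 office days from the ticket before suspension."""
    return add_office_days(ticket_opened, 3)


def check_nodes(nodes: List[Tuple[str, str, str]], advisory: Advisory) -> List[str]:
    """Return the names of nodes still running a vulnerable version of the package."""
    return [name for name, pkg, ver in nodes
            if pkg == advisory.package and is_vulnerable(ver, advisory)]


# Constructed sample data: a fictitious advisory and node inventory.
# 2021-03-05 is a Friday, so the 7-day ticket date is also a Friday and the
# 3 office days then skip a weekend.
SAMPLE_ADVISORY = Advisory(package="examplepkg", fixed_version="2.4.1-2",
                           sent_on=date(2021, 3, 5))
SAMPLE_NODES = [
    ("wn01.example.org", "examplepkg", "2.4.0-5"),   # vulnerable
    ("wn02.example.org", "examplepkg", "2.4.1-2"),   # fixed
    ("wn03.example.org", "examplepkg", "2.10.0-1"),  # fixed (numeric, not lexical, compare)
    ("ce01.example.org", "otherpkg",   "1.0-1"),     # not affected
]

if __name__ == "__main__":
    flagged = check_nodes(SAMPLE_NODES, SAMPLE_ADVISORY)
    opened = ticket_opening_date(SAMPLE_ADVISORY)
    print("vulnerable nodes:", flagged)
    print("tickets may be opened from:", opened)
    print("suspension possible from:", suspension_deadline(opened))
```

The version comparison is deliberately numeric per component, so that 2.10.0 sorts above 2.4.1; a string comparison would get this wrong and miss or falsely flag nodes. A production probe would use the package manager's own comparison routine and a real holiday calendar for the office-day count.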
 
= Revision History  =
{| class="wikitable"
|-
! Version !! Authors !! Date !! Comments
|-
| 8
| Sveng
| 16. Jul. 2015
|
|}

Latest revision as of 10:41, 10 December 2021