Difference between revisions of "SEC03 EGI-CSIRT Critical Vulnerability Handling"
(→Steps) |
(→Steps) |
||
Line 51: | Line 51: | ||
|- valign="top" | |- valign="top" | ||
| 1 | | 1 | ||
! <br> | ! 1 <br> | ||
! EGI-CSIRT / SVG | ! EGI-CSIRT / SVG | ||
! Send advisory with information on resolution / mitigation of the risk arising from the Vulnerability in question to all VM-Endorsers, NGI- and ResourceCenter Security Contacts ( vm-endorsers at nonexist.ing / ngi-security-contacts .at. mailman.egi.eu / site-security-contacts .at. mailman.egi.eu). State explicitly that the mitigation actions have to be taken within 7 Calendar days. | ! Send advisory with information on resolution / mitigation of the risk arising from the Vulnerability in question to all VM-Endorsers, NGI- and ResourceCenter (RC) Security Contacts ( vm-endorsers at nonexist.ing / ngi-security-contacts .at. mailman.egi.eu / site-security-contacts .at. mailman.egi.eu). State explicitly that the mitigation actions have to be taken within 7 Calendar days. | ||
! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. | ! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. | ||
|- valign="left" | |- valign="left" | ||
| 1 | |||
! 2 <br> | |||
! EGI-CSIRT / SVG | |||
! Set all currently endorsed VMs to un-endorsed. | |||
! SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. | |||
|- | |||
| 2 | | 2 | ||
! 1 | ! 1 <br> | ||
! ResourceCenter | ! ResourceCenter | ||
! If available upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1. This step has to be finished within 7 Calendar days from Step-1 | ! If available upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1. This step has to be finished within 7 Calendar days from Step-1 | ||
! | |||
|- | |||
! 2 | |||
! 2 <br> | |||
! VM Endorsers | |||
! Re-Endorse VM-Image, if applicable upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1. | |||
! | ! | ||
|- | |- | ||
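Review bot: The added Step 2-2 row (VM Endorsers, "Re-Endorse VM-Image ...") gives no deadline, while Step 2-1 has to be finished within 7 Calendar days from Step-1. Since the new Step 1-2 sets all currently endorsed VMs to un-endorsed, state by when re-endorsement is expected, or say explicitly that no deadline applies. Markup points in the same hunk: the Step 2-2 row opens with `! 2` where the other rows use `| 2` for the step cell, the Step 1-2 row uses `|- valign="left"` where the first row uses `valign="top"`, and the advisory recipient "vm-endorsers at nonexist.ing" reads like a placeholder that should be replaced before the procedure leaves DRAFT.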
Line 70: | Line 81: | ||
|- | |- | ||
| 4 | | 4 | ||
! 1 | |||
! After 7 calendar days from Step-1 on, EGI-CSIRT will open tickets against RC reported by the EGI's Security Monitoring running a software with a CRITICAL Vulnerability. The Resource has to finish Step 4-2 within 3 Office days or will be temporarily suspended from the infrastructure. | |||
! | |||
|- | |||
| 4 | |||
! 2 | |||
! <br> | ! <br> | ||
! After 7 calendar days from Step-1 on, EGI-CSIRT will open tickets against | ! After 7 calendar days from Step-1 on, EGI-CSIRT will open tickets against RC reported by the EGI's Security Monitoring running a software with a CRITICAL Vulnerability. The Resource has to finish Step 4-2 within 3 Office days or will be temporarily suspended from the infrastructure. | ||
! | ! | ||
|- | |- |
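Review bot: The new Step 4-1 and Step 4-2 rows carry identical action text, so the "Step 4-2" that the Resource has to finish within 3 Office days is never actually described. Step 4-2 should state what the RC has to do once a ticket is opened (presumably the upgrade or mitigation from the advisory, but the text needs to say so). The Step 4-1 row also has one cell fewer than the Step 4-2 row, which puts its action text in the Responsible column, and neither row names a responsible party.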
Revision as of 18:26, 16 July 2015
Title | EGI-CSIRT Critical Vulnerability Handling |
Document link | https://documents.egi.eu/public/ShowDocument?docid=283&version=7 |
Last modified | 8 |
Policy Group Acronym | EGI-CSIRT |
Policy Group Name | EGI-CSIRT |
Contact Group | csirt@mailman.egi.eu |
Document Status | DRAFT |
Approved Date | |
Procedure Statement | The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities. |
Owner | Owner of procedure |
Overview
After a problem has been assessed as critical and a solution is available, sites are required to take action. This document primarily defines the procedure from that point on: how sites are asked to take action, and what steps are taken if they do not respond or do not take action. If a site fails to take action, this may lead to site suspension.
Definitions
Please refer to the EGI Glossary for the definitions of the terms used in this procedure.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Entities involved in the procedure
- SVG: svg-rat at mailman.egi.eu
- EGI-CSIRT: csirt at mailman.egi.eu
- NGI-Security-Officer: ngi-security-contacts at mailman.egi.eu
- Resource Center Security Contact: as defined in goc-db
Requirements
This procedure applies to Vulnerabilities assessed as CRITICAL by SVG. The assessment process and the resulting steps required to handle vulnerabilities are described in the Vulnerability issue handling process.
Steps
The following table describes
Step# | Sub-step | Responsible | Action | Prerequisites, if any |
---|---|---|---|---|
1 | 1 | EGI-CSIRT / SVG | Send advisory with information on resolution / mitigation of the risk arising from the Vulnerability in question to all VM-Endorsers, NGI- and ResourceCenter (RC) Security Contacts ( vm-endorsers at nonexist.ing / ngi-security-contacts .at. mailman.egi.eu / site-security-contacts .at. mailman.egi.eu). State explicitly that the mitigation actions have to be taken within 7 Calendar days. | SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. |
1 | 2 | EGI-CSIRT / SVG | Set all currently endorsed VMs to un-endorsed. | SVG and/or EGI-CSIRT assessed the vulnerability as CRITICAL. |
2 | 1 | ResourceCenter | If available upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1. This step has to be finished within 7 Calendar days from Step-1 | |
2 | 2 | VM Endorsers | Re-Endorse VM-Image, if applicable upgrade the affected software to a non vulnerable version or apply the mitigations as described in the advisory from Step-1. | |
3 | | EGI-CSIRT / Security Monitoring | Update Security Monitoring to check for vulnerable software versions/configurations. This step has to be finished within 7 calendar days from Step-1. | |
4 | 1 | | After 7 calendar days from Step-1 on, EGI-CSIRT will open tickets against RC reported by the EGI's Security Monitoring running a software with a CRITICAL Vulnerability. The Resource has to finish Step 4-2 within 3 Office days or will be temporarily suspended from the infrastructure. | |
4 | 2 | | After 7 calendar days from Step-1 on, EGI-CSIRT will open tickets against RC reported by the EGI's Security Monitoring running a software with a CRITICAL Vulnerability. The Resource has to finish Step 4-2 within 3 Office days or will be temporarily suspended from the infrastructure. | |
Revision History
Version | Authors | Date | Comments |
---|---|---|---|