The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations@egi.eu.

Difference between revisions of "SEC05 Security Resource Centre Certification Procedure"

From EGIWiki
(33 intermediate revisions by 2 users not shown)
Line 7: Line 7:
|Doc_title = Security Resource Centre Certification Procedure
|Doc_title = Security Resource Centre Certification Procedure
|Doc_link = https://wiki.egi.eu/wiki/SEC05_Security_Resource_Centre_Certification_Procedure
|Doc_link = https://wiki.egi.eu/wiki/SEC05_Security_Resource_Centre_Certification_Procedure
|Version = 1.1 - 30 September 2014
|Version = 2.0 - August 22th, 2017
|Policy_acronym = CSIRT
|Policy_acronym = CSIRT
|Policy_name = EGI CSIRT
|Policy_name = EGI CSIRT
|Contact_group =  EGI CSIRT
|Contact_group =  EGI CSIRT
|Doc_status = Approved
|Doc_status = Discussion
|Approval_date= November 27 2014
|Approval_date= January 30th, 2017 (1.2 version)
|Procedure_statement = Security Resource Centre Certification Procedure applies to Resource Centres under certification process and re-certification of suspended Resource Centres (sites). This step of the security certification procedure checks that the resources under certification do not contain known CRITICAL software vulnerabilities.   
|Procedure_statement = Security Resource Centre Certification Procedure applies to Resource Centres under certification process and re-certification of suspended Resource Centres (sites). This step of the security certification procedure checks that the resources under certification do not contain known CRITICAL software vulnerabilities.   
}}  
}}  
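Review bot: the new Version value "2.0 - August 22th, 2017" has a wrong ordinal; write "22nd" (or the ISO form 2017-08-22 that the revision history table uses). The Approval_date still names the 1.2 version while Version is 2.0 and Doc_status is Discussion, which only makes sense if 2.0 is still pending approval; consider stating that explicitly next to the date.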
Line 36: Line 36:
| RC<br>  
| RC<br>  
|  
|  
Ask the ARGO/SAM EGI Support (through GGUS http://ggus.eu/) to '''enable security monitoring of the site.''' <br>
Make sure that the site is up to date with regard to security patches. In case of re-certification due to suspension following a critical vulnerability, make sure that the recommendations in the corresponding EGI SVG advisory have been followed.
|  
|  
|- valign="top"
|- valign="top"
Line 42: Line 42:
| RC
| RC
|  
|  
Once monitoring is enabled, RC asks EGI CSIRT (by sending a mail to csirt@rt.egi.eu) for '''security assessment.'''  
Follow instructions on [https://wiki.egi.eu/wiki/EGI_CSIRT:Pakiti_client Pakiti client wiki]: '''install and run the pakiti client on a random Worker Node'''. In case of re-certification due to suspension following a critical vulnerability, '''run Pakiti on the affected node(s)'''.
| <br>
| <br>
|- valign="top"
|- valign="top"
| 3  
| 3  
| RC
|
Check on https://pakiti.egi.eu/host.php?h=${hostname} that the report was sent and that no critical vulnerability was found. If one is found, and is not mitigated, go back to step 1.
| <br>
|- valign="top"
| 4
| RC
|
Notify the EGI CSIRT by sending an email to abuse<AT> egi.eu with the OC in Cc. Explain in detail any mitigation deployed, if any.
| <br>
|- valign="top"
| 5
| EGI&nbsp;CSIRT  
| EGI&nbsp;CSIRT  
| If no security alert is raised via the monitoring over 3 consecutive calendar days period, '''the EGI CSIRT will communicate back a positive assessment'''.  
| '''EGI CSIRT Verify the results and communicate back a positive assessment including the OC in Cc'''.
|
|- valign="top"
| 6
| OC
| Report in the GGUS ticket (if any), opened for tracking the certification process, the result of the assessment. [[PROC09]] can continue
|  
|  
|}
|}
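Review bot: the new step 5 ("EGI CSIRT Verify the results and communicate back a positive assessment") drops the old acceptance criterion (no security alert via monitoring over 3 consecutive calendar days) without replacing it, so the procedure no longer says what a passing verification is; state the criterion, e.g. that the Pakiti report checked in step 3 shows no unmitigated critical vulnerability. Also "Verify" and "communicate" should read "verifies" and "communicates", and the address "abuse<AT> egi.eu" in step 4 has a stray space (the cloud section writes abuse<AT>egi.eu).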
Line 63: Line 80:
| RC<br>  
| RC<br>  
|  
|  
'''Fill the '''[https://www.surveymonkey.com/r/Cloud_Security_Questionnaire_for_Resource_Centres '''''EGI&nbsp;security survey''&nbsp;'''] and inform EGI Operations (operations@egi.eu)<br>
'''Fill the '''[https://www.surveymonkey.com/r/Cloud_Security_Questionnaire_for_Resource_Centres '''''EGI&nbsp;security survey''&nbsp;'''] and inform EGI Operations (operations<AT>egi.eu) either by adding it in copy to the GGUS ticket used for tracking the certification process or by opening a new one (Support Unit: Operations)


*This survey contains the basic security related checks which must be carried out with Cloud Resource providers offering “Infrastructure-as-a-Service” clouds based on the execution of virtual machine images.
*This survey contains the basic security related checks which must be carried out with Cloud Resource providers offering “Infrastructure-as-a-Service” clouds based on the execution of virtual machine images.
Line 70: Line 87:
|- valign="top"
|- valign="top"
| 2  
| 2  
| EGI Operations  
| EGI Operations
|  
|  
'''Send filled in survey to EGI CSIRT'''
'''Check the filled in survey and send it to EGI CSIRT (abuse<AT>egi.eu).


| <br>
| <br>
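Review bot: the new step 2 text opens bold with ''' before "Check the filled in survey" but never closes it, so the bold will run on into the following cells; close it after "(abuse<AT>egi.eu)." and hyphenate "filled-in".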
Line 94: Line 111:
! Date  
! Date  
! Comments
! Comments
|-
| 2.0
| Alessandro Paolini
| 2017-08-22
| The steps in the HTC part have been better detailed. Cloud part: EGI Operation is involved again for retrieving the online survey and sending it to EGI CSIRT.
|-
| 1.2
| Alessandro Paolini
| 2017-01-30
| Specified the email address for contacting the EGI CSIRT.
|-
|-
|  
|  
| Alessandro Paolini
| 2016-10-26
| modified the procedure for HTC RCs, as proposed by EGI CSIRT at the [https://indico.egi.eu/indico/event/2810/ September 2016 OMB].
|-
|  
|  
|  
| Alessandro Paolini
|  
| 2016-03-22
| modified the steps 1 and 2 for CLOUD RCs: the survey is sent to the NGI which forward it to EGI CSIRT
|}
|}
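Review bot: the two new rows dated 2016-10-26 and 2016-03-22 leave the Version cell empty, so the history no longer shows which numbered version each change belongs to; assign the intermediate versions or mark the cell as "n/a" explicitly. In the 2016-03-22 comment, "the NGI which forward it" should read "forwards".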

Revision as of 13:07, 23 August 2017



Title: Security Resource Centre Certification Procedure
Document link: https://wiki.egi.eu/wiki/SEC05_Security_Resource_Centre_Certification_Procedure
Last modified: 2.0 - August 22nd, 2017
Policy Group Acronym: CSIRT
Policy Group Name: EGI CSIRT
Contact Group: EGI CSIRT
Document Status: Discussion
Approved Date: January 30th, 2017 (1.2 version)
Procedure Statement: The Security Resource Centre Certification Procedure applies to Resource Centres under the certification process and to the re-certification of suspended Resource Centres (sites). This step of the security certification procedure checks that the resources under certification do not contain known CRITICAL software vulnerabilities.


Introduction


This page provides the steps to certify a Resource Centre from a security point of view, as part of the PROC09 Resource Centre Registration and Certification procedure. The monitoring is performed using the tools operated by the EGI CSIRT and is enabled upon request of the Resource Centre.

This step of the security certification procedure checks that the resources under certification do not contain known CRITICAL software vulnerabilities.

Steps

HTC (Grid) Resource Center


Each step lists the responsible party and the action to take; no prerequisites are listed for any step.

Step 1, RC: Make sure that the site is up to date with regard to security patches. In case of re-certification due to suspension following a critical vulnerability, make sure that the recommendations in the corresponding EGI SVG advisory have been followed.

Step 2, RC: Follow the instructions on the Pakiti client wiki (https://wiki.egi.eu/wiki/EGI_CSIRT:Pakiti_client): install and run the Pakiti client on a random Worker Node. In case of re-certification due to suspension following a critical vulnerability, run Pakiti on the affected node(s).

Step 3, RC: Check on https://pakiti.egi.eu/host.php?h=${hostname} that the report was sent and that no critical vulnerability was found. If one is found and is not mitigated, go back to step 1.

Step 4, RC: Notify the EGI CSIRT by sending an email to abuse<AT>egi.eu with the OC in Cc. Explain in detail any mitigation deployed, if any.

Step 5, EGI CSIRT: The EGI CSIRT verifies the results and communicates back a positive assessment, including the OC in Cc.

Step 6, OC: Report the result of the assessment in the GGUS ticket (if any) opened for tracking the certification process. PROC09 can continue.

Cloud Resource Center


Each step lists the responsible party and the action to take; no prerequisites are listed for any step.

Step 1, RC: Fill in the EGI security survey (https://www.surveymonkey.com/r/Cloud_Security_Questionnaire_for_Resource_Centres) and inform EGI Operations (operations<AT>egi.eu), either by adding them in copy to the GGUS ticket used for tracking the certification process or by opening a new ticket (Support Unit: Operations).

  • This survey contains the basic security-related checks which must be carried out with Cloud Resource providers offering "Infrastructure-as-a-Service" clouds based on the execution of virtual machine images.

Step 2, EGI Operations: Check the filled-in survey and send it to the EGI CSIRT (abuse<AT>egi.eu).

Step 3, EGI CSIRT: The EGI CSIRT communicates back an assessment result. In case of issues, the EGI CSIRT contacts the RC to better understand the situation.


Revision history

Version, Authors, Date: Comments

2.0, Alessandro Paolini, 2017-08-22: The steps in the HTC part have been detailed further. Cloud part: EGI Operations is involved again for retrieving the online survey and sending it to the EGI CSIRT.

1.2, Alessandro Paolini, 2017-01-30: Specified the email address for contacting the EGI CSIRT.

(no version), Alessandro Paolini, 2016-10-26: Modified the procedure for HTC RCs, as proposed by the EGI CSIRT at the September 2016 OMB (https://indico.egi.eu/indico/event/2810/).

(no version), Alessandro Paolini, 2016-03-22: Modified steps 1 and 2 for CLOUD RCs: the survey is sent to the NGI, which forwards it to the EGI CSIRT.