Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:RAT Issue Handling Instructions"

From EGIWiki
Jump to navigation Jump to search
Line 1: Line 1:
{{svg-header}}
{{svg-header}}


(NOTE THIS IS IN WORK, BEING UPDATED 27th April 2016)


This page is intended for [[SVG:RAT | RAT]] members to provide a summary of what to do when a software vulnerability has been reported. It is intended as a practical summary, to help the RAT carry out the process. Note that this is a first draft, and will probably change/improve as we follow the process.
This page is intended for [[SVG:RAT | RAT]] members to provide a summary of what to do when a software vulnerability has been reported. It is intended as a practical summary, to help the RAT carry out the process, in particular if the SVG chair is not available.


There is now also a plan to enter all types of vulnerability that are relevant to the EGI infrastructure in the report-vulnerability tracker, including those relating to the Linux operating system and software which comes with it, to allow a consistent risk assessment for all software vulnerablilitiesSome CSIRT members have joint the RAT, and contact with relevant software providers of the for this will be handled mainly by the CSIRT members in the RAT. Of course, all RAT members will be asked for their opinion on the risk.  
The full process is described in the [https://documents.egi.eu/document/2538 EGI Software Vulnerability Issue Handling Process ]
   
This page is a simple 'how to'.  


The full process is described in the Software Vulnerability Isssue handling [https://documents.egi.eu/public/RetrieveFile?docid=717  process document]
Also note that common sense may be used - as not all issues are straight forward. The most important thing to remember is not to release information publicly that may be useful to an attacker.  


Also note that common sense may be used - as not all issues are straight forward. The most important thing to remember is not to release information publicly that may be useful to an attacker. This is intended to help the RAT handle standard vulnerability bugs in the middleware distributed by the EGI UMD (or IGE).
[[SVG:RAT Issue Handling Templates | Issue Handling Templates ]] are available to help the RAT inform appropriate people.


[[SVG:RAT Issue Handling Templates | Issue Handling Templates ]] are available to help the RAT inform appropriate people
Note that contact details i.e. e-mail addresses for the various software providers will be forwarded to the RAT and updated when necessary.


== When a new issue is reported ==
== When a new issue is reported ==
Line 19: Line 20:
* Enter into the Request Tracker - If the issue was not reported via the tracker, including adding a cc to the reporter in the tracker.
* Enter into the Request Tracker - If the issue was not reported via the tracker, including adding a cc to the reporter in the tracker.


* If the issue is public and/or it concerns the operating system or software which comes with the operating system, add the csirt sub-group as admin cc.
* Acknowledge the reporter by e-mail, to ensure the reporter knows a real SVG member has seen it. Template ReporterAfterReport cc the Rat.


* Acknowlege the Reporter - Let the reporter know that a real person is aware that the vulnerability has been reported - template ReporterAfterReport cc the Rat.
* Alert the RAT - Template RATAfterReport


*For issues concerning Grid middleware, or other software which comes with the middleware distributions 
* Alert the software provider unless:--
**Contact sofware provider and/or developers (according to instructions/contacts for particular software provider) - template SoftwareProviderAfterReport
** The report is clearly invalid
**Add developer(s) as adminCC in the Request Tracker - so they can fully participate
** The technology provider clearly knows about this issue
 
I.e. in most cases where the issue has not been announced publicly.  Template SoftwareProviderAfterReport


* For issues concerning the operating system or software which comes with the operating system (most non SLA software)
* In the case of VO specific vulnerabilities, also alert the VO Security Officer (Found in the VO-ID card in the ops portal)
**add CSIRT sub-group (RAT additions) to admin cc for the tracker issue
**CSIRT sub-group and SVG will decide who/how to contact the software provider


* Alert the RAT - template RATAfterReport.
*For issues concerning Grid middleware, or Cloud Middleware Distribution, or other software which comes with the middleware distributions r others connected with the project with an EGI SSO ID
**Add developer(s) as adminCC in the Request Tracker - so they can fully participate


This should be done as soon as possible.
This should be done as soon as possible.
Line 37: Line 39:
== Investigate Issue ==
== Investigate Issue ==


Some RAT members with appropriate knowlege and experience, along with the software provider and developers should investigate the issue, establish whether it is real, and what the effects of an exploit might be.   
Some RAT members with appropriate knowlege and experience, along with the software provider and developers should investigate the issue, establish whether it is real, and what the effects of an exploit might be.  Now that a much wider variety of software is installed in the EGI infrastructure it is not reasonable to expect RAT members to be expert in all of it, and we are likely to need to rely more on the software providers to investigate.


For issues which concern operating systems, it will be mainly csirt members who carry out the investigation - some of these are in the RAT too.
For issues which are announced publicly, the RAT duty is to try and establish the effect in the EGI infrastructure as much as possible.  


Information found should be summarized in the Request Tracker item.   
Information found should be summarized in the Request Tracker item.   
Line 53: Line 55:
The Risk should be discussed on the RAT mailing list.  
The Risk should be discussed on the RAT mailing list.  


The Risk category is established by vote, each RAT members opinion of the Risk Category (Critical, High, Moderate or Low) is treated as their Vote. Apart from the case of 'Critical' issues - RAT members should have a least 24 hours to respond. The minimum number of RAT members who should normally look at the issue to establish the risk is 3 - although in most cases it is hoped that more will respond.
The Risk category is established by vote, each RAT members opinion of the Risk Category (Critical, High, Moderate or Low) is treated as their Vote. Apart from the case of 'Critical' issues - RAT members should be given 2 days to respond. The minimum number of RAT members who should normally look at the issue to establish the risk is 3 - although in most cases it is hoped that more will respond.
If any member considers the issue to be critical - all RAT members who are at work should give priority to looking at the issue - and give their opinion on the risk.   
If any member considers the issue to be critical - all RAT members who are at work should give priority to looking at the issue - and give their opinion on the risk.   


Line 62: Line 64:
== Set Target Date ==
== Set Target Date ==


After the risk category is established, the risk is set in the request tracker, and the target date is set.  
After the risk category is established, the risk is set in the request tracker.  


* critical 3 days (a special process is carried out)
If the issue has not been fixed, the target date is set.
 
* critical - a special process is carried out.
* High 6 weeks
* High 6 weeks
* Moderate 4 months
* Moderate 4 months
Line 73: Line 77:
== Informing relevant people ==
== Informing relevant people ==


* For issues concerning Grid Middleware (EMI/IGE etc)
** Inform appropriate developers, software provider, packaging people, and EGI middleware unit - template  FixingAlertAfterRisk  
** Inform appropriate developers, software provider, packaging people, and EGI middleware unit - template  FixingAlertAfterRisk  
** Add the software provider, packaging people, EGI middleware unit people  as adminCC to the item
** Add the software provider, packaging people, EGI middleware unit people  as adminCC to the item
** Use the Contacts document  (ListOfContacts) to find the correct people.


* For issues concerning operating systems, or software which comes with the operating system, CSIRT members will normally ask software providers for a solution according to urgency.
* For issues concerning operating systems, or software which comes with the operating system, CSIRT/IRTF members will normally ask software providers for a solution according to urgency in the unlikely event of something which is reported to us rather than announced.  


The SVG RAT aims to get to this point within 4 working days, but within at most 1 working day for critical vulnerabilities.  
The SVG RAT aims to get to this point within 4 working days, but within at most 1 working day for critical vulnerabilities.  
Line 85: Line 87:


The advisory should be drafted - it should alert the sites as to the problem the vulnerability may cause - but not provide information to allow an attacker to exploit the problem.
The advisory should be drafted - it should alert the sites as to the problem the vulnerability may cause - but not provide information to allow an attacker to exploit the problem.
It should state what sites should do, if anything.
If the issue is 'High' or 'Critical' and not public it should be 'AMBER'


Template AdvisoryTemplateGeneral
Template AdvisoryTemplateGeneral
Line 98: Line 103:
The advisory should be released on the target date or when the problem is fixed.
The advisory should be released on the target date or when the problem is fixed.


The advisory should also be sent to the EGI CSIRT Team, Site security contacts, and NGI security contacts, and copied to the NOC managers (as defined in the [https://documents.egi.eu/public/RetrieveFile?docid=717 process document] )
The advisory should also be sent to the Site security contacts, and NGI security contacts, and copied to the NOC managers, EGI CSIRT Team, and the RAT  (as defined in the [https://documents.egi.eu/public/RetrieveFile?docid=2538 process document] )
 
If the issue is 'High' or 'Critical' and not public it should be 'AMBER' and NOT put on the wiki.
 
It is usually set to 'WHITE' and put on the wiki 2 weeks later.


== Close issue ==
== Close issue ==
Line 107: Line 116:


* When the problem is fixed in the software available to the EGI infrastructure and an advisory  
* When the problem is fixed in the software available to the EGI infrastructure and an advisory  
has been issued.
has been issued and on the wiki.  


* If a decision has been made not to fix - in this case an advisory will be issued
* If a decision has been made not to fix - in this case an advisory may still be issued


* If the issue turns out to be operational - and not a software problem. An advisory will be sent out in conjuction with CSIRT.
* If the issue turns out to be operational - and not a software problem. An advisory will be sent out in conjuction with CSIRT.

Revision as of 15:30, 27 April 2016

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

RAT Issue Handling Instructions


(NOTE THIS IS IN WORK, BEING UPDATED 27th April 2016)

This page is intended for RAT members to provide a summary of what to do when a software vulnerability has been reported. It is intended as a practical summary, to help the RAT carry out the process, in particular if the SVG chair is not available.

The full process is described in the EGI Software Vulnerability Issue Handling Process

This page is a simple 'how to'.

Also note that common sense may be used - as not all issues are straight forward. The most important thing to remember is not to release information publicly that may be useful to an attacker.

Issue Handling Templates are available to help the RAT inform appropriate people.


When a new issue is reported

The RAT member on duty should:

  • Enter into the Request Tracker - If the issue was not reported via the tracker, including adding a cc to the reporter in the tracker.
  • Acknowledge the reporter by e-mail, to ensure the reporter knows a real SVG member has seen it. Template ReporterAfterReport cc the Rat.
  • Alert the RAT - Template RATAfterReport
  • Alert the software provider unless:--
    • The report is clearly invalid
    • The technology provider clearly knows about this issue

I.e. in most cases where the issue has not been announced publicly. Template SoftwareProviderAfterReport

  • In the case of VO specific vulnerabilities, also alert the VO Security Officer (Found in the VO-ID card in the ops portal)
  • For issues concerning Grid middleware, or Cloud Middleware Distribution, or other software which comes with the middleware distributions r others connected with the project with an EGI SSO ID
    • Add developer(s) as adminCC in the Request Tracker - so they can fully participate

This should be done as soon as possible.

Investigate Issue

Some RAT members with appropriate knowlege and experience, along with the software provider and developers should investigate the issue, establish whether it is real, and what the effects of an exploit might be. Now that a much wider variety of software is installed in the EGI infrastructure it is not reasonable to expect RAT members to be expert in all of it, and we are likely to need to rely more on the software providers to investigate.

For issues which are announced publicly, the RAT duty is to try and establish the effect in the EGI infrastructure as much as possible.

Information found should be summarized in the Request Tracker item.

This phase is complete when the situation is established, including the effect in the EGI environment.

Risk Assessment

If the issue is valid request a risk assessment to the RAT - template RATRequestRiskAssessment

RAT members should then look at this issue if they are able to, and provide their opinion of the Risk.

The Risk should be discussed on the RAT mailing list.

The Risk category is established by vote, each RAT members opinion of the Risk Category (Critical, High, Moderate or Low) is treated as their Vote. Apart from the case of 'Critical' issues - RAT members should be given 2 days to respond. The minimum number of RAT members who should normally look at the issue to establish the risk is 3 - although in most cases it is hoped that more will respond. If any member considers the issue to be critical - all RAT members who are at work should give priority to looking at the issue - and give their opinion on the risk.

The Risk category and reasons should be summarized in the Request Tracker item.

If the Risk is 'Critical' then SVG and CSIRT will jointly handle the problem. Some notes SVG-CSIRT Critical Vulnerability Notes will help to decide what to do next.

Set Target Date

After the risk category is established, the risk is set in the request tracker.

If the issue has not been fixed, the target date is set.

  • critical - a special process is carried out.
  • High 6 weeks
  • Moderate 4 months
  • Low 1 year

Inform the reporter of the issue of the outcome - template ReporterAfterRisk

Informing relevant people

    • Inform appropriate developers, software provider, packaging people, and EGI middleware unit - template FixingAlertAfterRisk
    • Add the software provider, packaging people, EGI middleware unit people as adminCC to the item
  • For issues concerning operating systems, or software which comes with the operating system, CSIRT/IRTF members will normally ask software providers for a solution according to urgency in the unlikely event of something which is reported to us rather than announced.

The SVG RAT aims to get to this point within 4 working days, but within at most 1 working day for critical vulnerabilities.

Draft Advisory

The advisory should be drafted - it should alert the sites as to the problem the vulnerability may cause - but not provide information to allow an attacker to exploit the problem. It should state what sites should do, if anything.

If the issue is 'High' or 'Critical' and not public it should be 'AMBER'

Template AdvisoryTemplateGeneral

The advisory should be agreed between the software providers, probably including the developers and the RAT.

Be willing to help

While it is not an SVG RAT activity to fix vulnerabilities - RAT members should be willing to give advice where appropriate if developers need it.

Release Advisory

The advisory should be released on the target date or when the problem is fixed.

The advisory should also be sent to the Site security contacts, and NGI security contacts, and copied to the NOC managers, EGI CSIRT Team, and the RAT (as defined in the process document )

If the issue is 'High' or 'Critical' and not public it should be 'AMBER' and NOT put on the wiki.

It is usually set to 'WHITE' and put on the wiki 2 weeks later.

Close issue

The issue is normally closed:

  • If problem is found to be invalid
  • When the problem is fixed in the software available to the EGI infrastructure and an advisory

has been issued and on the wiki.

  • If a decision has been made not to fix - in this case an advisory may still be issued
  • If the issue turns out to be operational - and not a software problem. An advisory will be sent out in conjuction with CSIRT.

Note that closing an issue means setting it to 'resolved' in the EGI RT tracker. Prior to setting to 'resolved' enter a 'reply to requestors' (selection box above the comment box) to make it clear why it has been resolved, for example 'This has been resolved by version x of software released on <date>.

| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |


| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |


Retrieved from "https://wiki.egi.eu/w/index.php?title=SVG:RAT_Issue_Handling_Instructions&oldid=87260"