|
|
| Line 1: |
Line 1: |
| {{Template:Op menubar}} {{Template:GO menubar}} {{TOC_right}} | | {{Template:Op menubar}} {{Template:GO menubar}} |
|
| |
|
| [[Category:Infrastructure_Oversight|*]] | | [[Category:Infrastructure_Oversight|*]] |
|
| |
|
| = Work instruction to follow Security Vulnerability handling RT tickets =
| | {{DeprecatedAndMovedTo|new_location=https://confluence.egi.eu/display/EGIPP/WI07+Security+Vulnerability+handling}} |
| | |
| The purpose of this page is to provide instructions to the EGI Operations team members part of the operations-vulnerability-handling SSO group on how to handle Security Vulnerability identified by [[IRTF]].
| |
| | |
| The main idea behind this handling is to make sure that sites are aware of the issue and working on it.
| |
| Usually, sites that are showing good intention are not penalized even if the progress is not strictly within the procedure: [[SEC03_EGI-CSIRT_Critical_Vulnerability_Handling|SEC03]].
| |
| | |
| {| align="center" cellspacing="0" cellpadding="5" border="1" | |
| |-
| |
| ! Step
| |
| ! Action
| |
| |-
| |
| | 1
| |
| | [[IRTF]] is responsible for:
| |
| * looking at [https://pakiti.egi.eu/ Pakiti] and [https://operations-portal.egi.eu/ROD#csi Security dashboard].
| |
| * looking for false positives
| |
| * creating new [https://rt.egi.eu/ RT] tickets in the Vulnerability Handling queue with a due date of 3 days.
| |
| |-
| |
| | 2a
| |
| | If there is no acknowledgement or answer from the site:
| |
| * 1 working day before the due date, EGI Operations send another reminder via the [http://go.egi.eu/rt_vulnhand Vulnerability Handling Queue in RT] using the '''Reply''' action.
| |
| <nowiki>Dear security contact for XX-XX-XXX,
| |
| | |
| This is a friendly reminder that we didn't receive any update about this ticket!
| |
| | |
| Thanks,</nowiki>
| |
| * .5 working day before the due date, EGI Operations send a last reminder, potentially including operational contacts in addition to security contacts. In such case, in case of an answer, verify that the security contact is still valid
| |
| * After the due date, suspend the site
| |
| |-
| |
| | 2b
| |
| | If there is an acknowledgement, but no solution announced:
| |
| * 1 working day before the due date, EGI Operations checks [https://pakiti.egi.eu/ Pakiti]:
| |
| ** If there is no change, ask for progress/for an update, insisting
| |
| ** If the vulnerability disappeared from [https://pakiti.egi.eu/ Pakiti], ask for a confirmation that the vulnerability was fixed and that it's not simply the affected node not being reached by the Nagios probe (which usually reach different nodes every day)
| |
| |-
| |
| | 3
| |
| | After the due date, if there is still no answer/solution announced, EGI Operations suspend the site
| |
| |-
| |
| | 4
| |
| | If a solution is said to be deployed:
| |
| * If it's a mitigation:
| |
| ** If different from any mentioned in the advisory escalate to [[IRTF]]
| |
| ** If it's the same, EGI Operations wait for up to a day and check the security dashboard
| |
| * If it's a simple package/kernel update, EGI Operations check [https://pakiti.egi.eu/ Pakiti]:
| |
| ** If there is a report for the affected node(s) without any vulnerability, thanks and close the ticket
| |
| ** If the last report for the affected node(s) is still from before the update, ask to run the Pakiti client by following [[EGI_CSIRT:Pakiti_client]].
| |
| *** If the vulnerability then disappear from [https://pakiti.egi.eu/ Pakiti], with or without any other message, close the ticket
| |
| |}
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.