EGI CSIRT:Central emergency suspension
|EGI-CSIRT web site||EGI-CSIRT Public wiki||EGI-CSIRT Contacts||EGI-CSIRT Activities||EGI-CSIRT Private wiki|
Central emergency suspension procedure
The document describing the central emergency suspension procedure is available at EGI CSIRT Operational Procedure for Compromised Certificates.
Argus Infrastructure Deployment
- Central Argus Instance at CERN
- NGI Argus Instance: EGI CoreArgus Service Group
- All NGIs should run a Argus instance
- NGIs that don't have a Site/RC that uses Argus don't need to run a Argus service
- NGI Argus instance should be registered in GOC DB with service type ngi.ARGUS
- The NGI-Argus servers have to be configured/maintained carefully. A potential attacker getting privileged access to this system could block all jobs that are submitted to the sites using this NGI-Argus service.
- NGI-Argus Systems contain personal data and shall limit access this service to the site Argus (like) systems in the NGI.
- ACLs can be constructed by pulling the list of egi.Argus'es for the resp. NGI from goc-db
- Site Argus Instance
- Sites in the NGIs pull policies from NGI Argus
- Small sites that don't have the expertise to run a local Argus could use the NGI Argus
- Site Argus instance should be registered in GOC DB with service type emi.ARGUS
- Non Argus Sites/RCs
- Pull the list directly from NGI-Argus, feed it into their fabric management, deploy it at all services at the RC
- Scripts Documentation available at Nikhef wiki Argus_Global_Banning_Setup_Overview
NGI Argus Monitoring
The eu.egi.Argus-DNs metric checks if an Argus server is properly configured and still pulling suspension information from the Central Argus Instance.
Every day the Central Argus Instance suspends a new DN: the probe verifies if this DN is present on the NGI argus.
The return values of that probe can indicate the following problems:
|Return value||Problem||Potential solution|
|ARGUS WARN - connection error||The probe was not able to connect to the Argus server||Please make sure that the argus pap port (8150) is accessible remotely from argo-mon.egi.eu, argo-mon2.egi.eu and argo-mon-test.cro-ngi.hr|
|ARGUS WARN - Authorization error||The probe was able to connect but was denied access||Please make sure that the following certificates are given the "POLICY_READ_LOCAL|POLICY_READ_REMOTE|CONFIGURATION_READ" permissions are given to "/DC=EU/DC=EGI/C=HR/O=Robots/O=SRCE/CN=Robot:firstname.lastname@example.org" and "/DC=EU/DC=EGI/C=GR/O=Robots/O=Greek Research and Technology Network/CN=Robot:email@example.com"|
|ARGUS CRIT - Expected DN not found!||The probe didn't find a recent DN in the Argus configuration||Please check your argus logs to see what is blocking the synchronization|
|ARGUS WARN - Found outdated DN||The probe only found an outdate DN and not the current one||Please check your argus logs to see what is delaying the synchronization. The synchronization delay might be too long|
|ARGUS OK - Found expected DN||Everything is good!|
The code of this probe can be found on the public repository of the security probes
For more details on the Argus configuration see bellow.
Site Arguses (or equivalent solutions) should not be exposed to the internet and thus cannot be directly monitored However the EGI CSIRT is considering submitting jobs from suspended DNs, but such monitoring of the sites' emergency suspension systems is not yet in place.
Support is provided through ARGUS Support unit in GGUS
Documentation on possible problems and solutions with certain deployment scenarios are in Nikhef wiki, Argus Global Banning Setup Overview