From EGIWiki
Jump to: navigation, search


public team pages| Incident Response Task Force (IRTF) | Security Drills Group (SDG) | Security Monitoring Group (SMG) |
public pages | Mission | Incident reporting | Dissemination | Alerts | Operational notices | Monitoring | Security challenges | Policies | Contacts |


Security Monitoring Group

Long-term Objectives

Security monitoring is a key component to security. The EGI CSIRT works to provide the EGI, NGI and site security staff with tools and procedures to detect and contain security incidents as well as weaknesses that could lead to a compromise. In doing so, the EGI CSIRT collaborates closely with the sites and NGI, however it does not provide replacements for site and NGI level monitoring. Even though the results developed are primarily ment for EGI, they are designed and developed so that they could be utilized on the site and/or NGI level as well.

The EGI CSIRT strives to collect various information from the infrastructure, even using own probes and sensors or by combining results generated by other systems (e.g., accounting) on different levels of the infrastructure. The data collected will be evaluated based on current needs and risks, and alarms raised accordingly. The security monitoring system will provide both high-level overview to get a quick notion about the infrastructure as well as a sufficient level of details necessary to sort out security issues detected. The system will archive and evaluate history to follow and forecast trends in security.

Security monitoring will also provide mechanisms and tools to assist inincident containment, for example to gather important log records. Information about users' activities will be used to identify last actions performed by a user to e.g. estimate the sites possibly infected. A way of (semi)automated processing of alerts and warnings issued by the EGI security groups will be investigate and possibly developed.

In order to accomplish the objectives, the EGI CSIRT will develop own tools, mainly to grid specific areas and use existing tools if possible and advise on their usage. Developed probes are not intrusive and do not attempt tocircumvent any security mehanisms and are not resource intensive. Results collected by these probes are only available to the EGI CSIRT members and communicated to the appropriate site security contacts. We will also provide recommendations and advisories to the sites and NGI as to how to combine existing technologies to provide efficient local security monitoring. When applicable, collaboration will be established with similar groups of NREN CSIRTs. The tools should be seamlessly integrated with common operational mechanisms used routinely by the security and operations.

Information Sources

The primary sources information on CVEs for pakiti are:

Monitoring probes

The results produced by the security monitoring tools are available from the EGI Security dashboard, which records the outputs of the following probes:

Any ERROR state are expected to get fixed within two businnes days. Any WARNINGs must be addressed within a month.


Monitoring of security patches using Pakiti

Security monitoring with Nagios

Site level tools

Security Dashboard



Personal tools