210 likes | 439 Vues
Security Update. Mingchao Ma HEPSYSMAN - Security 1 st July 2009. Overview. Security service challenge 3 (SSC 3) Security incident handling procedure Security monitoring Security training and dissemination. SSC3. EGEE Tier1 sites have been tested twice by OSCT;
E N D
Security Update Mingchao Ma HEPSYSMAN - Security1st July 2009
Overview • Security service challenge 3 (SSC 3) • Security incident handling procedure • Security monitoring • Security training and dissemination Mingchao Ma, RAL
SSC3 • EGEE Tier1 sites have been tested twice by OSCT; • Regional runs at Tier2 sites done by ROC security officers • UKI, SEE, Benelux and Italy completed • Regional run at OSG done • Regional run at NDGF planned Mingchao Ma, RAL
SSC3 Result – Tier1 Sites Mingchao Ma, RAL
SSC3: Analysis • All sites (besides one) improved • Sites that scored good in the first run improved in the second run • Sites that did not score very well in the first run improved a lot • Most sites (besides one) enjoyed the opportunity to test their response capabilities and even reveal operational problems Mingchao Ma, RAL
SSC3 Result – UKI Tier2 Sites Mingchao Ma, RAL
SSC - Plans • To run a modified SSC3 • Ex: treat IP W.X.Y.Z as malicious • Storage SSC • Under discussion • Some concerns on the logging capabilities of Storage middleware • Re-run SSC3 on Tier2 sites Mingchao Ma, RAL
Incident Handling • Security Incident Response Policy • http://www.jspg.org/wiki/Security_Incident_Response_Policy (draft) • The revised EGEE incident handling procedure • In final stage • http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialId=0&confId=56981 • Change of reporting channels • for reporting incident • for support • Specify timeframe of each steps • E.g. to report incident within 4 hours after detection • Templates for reporting a incident • Both GridPP and NGS incident procedures will be modified in line with EGEE incident procedure Mingchao Ma, RAL
GridPP Incident Handling Procedure • Communication channel • Was • A list of security contact emails • Change to: for incident alert/report/notification for discussion/support • Feedback/Comments are welcome! Mingchao Ma, RAL
NGS Incident Handle Procedure • Communication channel • Was and • Change to: for incident alert/report/notification for discussion/support • Feedback/Comments are welcome! Mingchao Ma, RAL
Cross-Grid Incident Handling • GRID-SEC • A coordinated response to cross-grid security incidents, follows the NSP-SEC model, • http://cern.ch/grid-sec • A closed mailing list hosted by NCSA, USA • To strengthen communication between a small group of experts at connected academic grids • Maximum two representatives from the same Grid infrastructure • Currently include: OSG, TeraGrid, NDGF and EGEE Mingchao Ma, RAL
Cooperation between Grid (OSCT) and NREN CSIRTs • Collected a list of NREN CSIRT contacts information • To participate NREN CSIRTs activities • To encourage the cooperation between ROC security contact and local NREN CSIRT team(s) • Also encourage the cooperation between site security contacts and their organization security/CSIRT teams • Consider to become a trusted introducer? (eg. EGEE OSCT) Mingchao Ma, RAL
Security Monitoring • Some SAM security tests available • CRL and file permission checks • Results only available to security contacts • Port the test to the Nagios-based framework • ROC (or even project/VO) level Nagios will perform the test • Results must be encrypted, access policy defined • Focus on project/ROC level monitoring • More information can be found in https://twiki.cern.ch/twiki/pub/LCG/OSCT-EGEEIII-tasks/security-monitoring-v0.12.pdf • Further security probes to be developed • Call for Nagios-based security probe • Based on risk analysis and/or previous incidents Mingchao Ma, RAL
Patch Monitoring - Pakiti • The Pakiti software is freely available from sourceforge • www.sf.net/projects/pakiti • used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC) • currently being re-designed, significant changes expected during this summer • Pakiti campaign • Many sites not applying security patches (vanilla SL3 distributions!), a wide range exploits exist in the wild • OSCT is establishing a Pakiti server to collect and evaluate information about the sites’patching status • we only use the “public” interface, by sending a job • any authorized user can do the same • The middle-term goal is to move the Pakiti framework to Nagios Mingchao Ma, RAL
Traceability of users • Tools to analyze log files • Collecting information about actions of particular user • Focused on site-level, to be performed bysysadmins • Work in progress – some “filters” already available • Tools to analyze data from the L&B database • grid/VO level • Complete information about user’s activities on the grid • Intended for VO managers • Work planned, not started yet • More info at • http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=slides&confId=49905 Mingchao Ma, RAL
Security Training & Dissemination • gLite Service reference cards • https://twiki.cern.ch/twiki/bin/view/EGEE/ServiceReferenceCards • gLite-AMGA - ARDA Metadata Catalog • glite-BDII - Berkeley Database Information Index • glite-CREAM_CE - gLite CREAM Computing Element • glite-DPM - Disk Pool Manager • glite-FTS - File Transfer Service • glite-LFC - LCG File Catalog • gLite-LB - Logging and Bookkeeping service • glite-MON - Monitoring System Collector Server • glite-PX - MyProxy server • glite-UI - User Interface • glite-VOBOX - Virtual Organisation Node • glite-VOMS - Virtual Organisation Membership System • gLite-WMS - Workload Management Service • glite-WN - Worker Node • lcg-CE - LCG Computing Elements • gLExec - gLExec (both for WN and CE) Mingchao Ma, RAL
Service reference cards • Each service card has a “security information” section • Access control Mechanism description (authentication & authorization) • How to block/ban a user • Network Usage • Firewall configuration • Security recommendations • Security incompatibilities • List of externals (packages are NOT maintained by Red Hat or by gLite) • Other security relevant comments Mingchao Ma, RAL
Security Trainings • Target system managers and administrators, NOT end users; • No dedicated budget for security training; • Incorporate training into other conferences/events; • Past training events • EGEE’07, 1st -5th October 2007, Budapest • EGEE’08, 22nd -26th September 2008, Istanbul • Security training at Laboratory APC, France, 2nd -3rd April 2009 • Security training at ISGC 2009, Taipei, 19th April 2009 • Upcoming training events • Security workshop at RAL, UK, 1st July, 2009 • GridKa School at Karlsruhe, Germany 31st Aug.- 4th Sep. 2009 • EGEE’09, 21-25 September 2009, Barcelona • Some ROCs are planning trainings in their regions as well Mingchao Ma, RAL
Security Page • Still in very early stage, will be hosted at OSCT website • Topics cover • Security policies, procedures • Security monitoring • Middleware security • OS security • Network security • Trust (CA, PKI and IGTF) • Forensics • … … • TERENA training material Mingchao Ma, RAL
Question? Mingchao Ma, RAL