Security Update - Mingchao Ma, HEPSYSMAN - Security, 1st July 2009

Upload: morley

Post on 13-Jan-2016

52 views

Category:

Documents


0 download

DESCRIPTION

Security Update. Mingchao Ma HEPSYSMAN - Security 1 st July 2009. Overview. Security service challenge 3 (SSC 3) Security incident handling procedure Security monitoring Security training and dissemination. SSC3. EGEE Tier1 sites have been tested twice by OSCT; - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Security Update

Security Update

Mingchao Ma
HEPSYSMAN - Security

1st July 2009

Page 2: Security Update

Overview

• Security service challenge 3 (SSC 3)
• Security incident handling procedure
• Security monitoring
• Security training and dissemination

21/04/23 Mingchao Ma, RAL 2

Page 3: Security Update

SSC3

• EGEE Tier1 sites have been tested twice by OSCT;
• Regional runs at Tier2 sites done by ROC security officers
  – UKI, SEE, Benelux and Italy completed
• Regional run at OSG done
• Regional run at NDGF planned


Page 4: Security Update


SSC3 Result – Tier1 Sites

Page 5: Security Update

SSC3: Analysis

• All sites (besides one) improved
• Sites that scored well in the first run improved in the second run
• Sites that did not score very well in the first run improved a lot
• Most sites (besides one) enjoyed the opportunity to test their response capabilities, and some even revealed operational problems

21/04/23 Mingchao Ma, RAL 5

Page 6: Security Update


SSC3 Result – UKI Tier2 Sites

Page 7: Security Update

SSC - Plans

• To run a modified SSC3
  – Ex: treat IP W.X.Y.Z as malicious
• Storage SSC
  – Under discussion
  – Some concerns on the logging capabilities of Storage middleware
• Re-run SSC3 on Tier2 sites


Page 8: Security Update

Incident Handling

• Security Incident Response Policy
  – http://www.jspg.org/wiki/Security_Incident_Response_Policy (draft)
• The revised EGEE incident handling procedure
  – In final stage
  – http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialId=0&confId=56981
  – Change of reporting channels
    • for reporting incidents
    • for support
  – Specify the timeframe of each step
    • E.g. report an incident within 4 hours after detection
  – Templates for reporting an incident
• Both GridPP and NGS incident procedures will be modified in line with the EGEE incident procedure


Page 9: Security Update

GridPP Incident Handling Procedure

• Communication channel
  – Was: a list of security contact emails
  – Change to:
    • for incident alert/report/notification
    • for discussion/support
• Feedback/Comments are welcome!


Page 10: Security Update

NGS Incident Handling Procedure

• Communication channel
  – Was: … and …
  – Change to:
    • for incident alert/report/notification
    • for discussion/support
• Feedback/Comments are welcome!

Page 11: Security Update

Cross-Grid Incident Handling

• GRID-SEC
  – A coordinated response to cross-grid security incidents; follows the NSP-SEC model
  – http://cern.ch/grid-sec
  – A closed mailing list hosted by NCSA, USA
  – To strengthen communication between a small group of experts at connected academic grids
  – Maximum two representatives from the same Grid infrastructure
  – Currently includes: OSG, TeraGrid, NDGF and EGEE


Page 12: Security Update

Cooperation between Grid (OSCT) and NREN CSIRTs

• Collected a list of NREN CSIRT contact information
• To participate in NREN CSIRT activities
• To encourage cooperation between ROC security contacts and local NREN CSIRT team(s)
• Also encourage cooperation between site security contacts and their organization's security/CSIRT teams
• Consider becoming a trusted introducer? (e.g. EGEE OSCT)


Page 13: Security Update

Security Monitoring

• Some SAM security tests available
  – CRL and file permission checks
  – Results only available to security contacts
• Port the tests to the Nagios-based framework
  – ROC (or even project/VO) level Nagios will perform the tests
  – Results must be encrypted, access policy defined
  – Focus on project/ROC level monitoring
  – More information can be found in https://twiki.cern.ch/twiki/pub/LCG/OSCT-EGEEIII-tasks/security-monitoring-v0.12.pdf
• Further security probes to be developed
  – Call for Nagios-based security probes
• Based on risk analysis and/or previous incidents
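What one such Nagios-based probe could look like for the two checks the slide names (CRL freshness and private-key file permissions), as an added example written for this page; it is not the SAM test or the OSCT probe, and the thresholds, the expected hostkey.pem mode (0400, root-owned) and the sample CRL are assumptions. It needs no third-party library because it reads the validity window straight out of the CRL's DER structure:

```python
"""Nagios-style security probe: CRL freshness and host-key permission checks
(added example, not the SAM/OSCT probe). Exit codes follow the Nagios plugin
convention: 0 OK, 1 WARNING, 2 CRITICAL. The CRL check only reads the validity
window out of the DER; it does not verify the CRL signature against the CA."""
import stat
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2
UTC = timezone.utc


def _der_read(buf, pos):
    """One DER TLV at buf[pos] -> (tag, value, position after it); short and long lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:                                              # 0x8N: N length bytes follow
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length


def _der_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; YY<50 means 20YY per RFC 5280) or GeneralizedTime (0x18)."""
    if tag not in (0x17, 0x18):
        raise ValueError("malformed CRL: expected a Time, got tag 0x%02x" % tag)
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def crl_validity(der):
    """(thisUpdate, nextUpdate or None) of a DER CRL: CertificateList -> tbsCertList, skipping
    the optional version INTEGER, the signature AlgorithmIdentifier and the issuer Name."""
    _, cert_list, _ = _der_read(der, 0)
    _, tbs, _ = _der_read(cert_list, 0)
    tag, _, pos = _der_read(tbs, 0)
    pos = pos if tag == 0x02 else 0                    # version is only present in v2 CRLs
    _, _, pos = _der_read(tbs, pos)                    # signature AlgorithmIdentifier
    _, _, pos = _der_read(tbs, pos)                    # issuer Name
    tag, val, pos = _der_read(tbs, pos)
    this_update, next_update = _der_time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):    # nextUpdate is OPTIONAL in the ASN.1
        next_update = _der_time(*_der_read(tbs, pos)[:2])
    return this_update, next_update


def check_crl(der, now, warn_hours=24):
    """CRITICAL if expired (or no nextUpdate), WARNING if it expires within warn_hours, else OK."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return CRITICAL, "CRL carries no nextUpdate"
    if now >= next_update:
        return CRITICAL, "CRL expired at %s" % next_update.isoformat()
    if next_update - now < timedelta(hours=warn_hours):
        return WARNING, "CRL expires at %s" % next_update.isoformat()
    return OK, "CRL valid until %s" % next_update.isoformat()


def check_key_mode(mode, uid, max_mode=0o400, owner_uid=0):
    """A private key must belong to owner_uid and grant no bit beyond max_mode (0400 for hostkey.pem)."""
    perm = stat.S_IMODE(mode)
    if uid != owner_uid:
        return CRITICAL, "key owned by uid %d, expected uid %d" % (uid, owner_uid)
    if perm & ~max_mode:
        return CRITICAL, "key mode %04o, expected at most %04o" % (perm, max_mode)
    return OK, "key mode %04o" % perm


def _der(tag, content):
    """Minimal DER TLV encoder for the constructed sample (content shorter than 64 KiB)."""
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + content


def sample_crl(this_update, next_update):
    """Constructed, unsigned CRL (not from any real CA) with the given validity window."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha1_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Example CA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha1_rsa + issuer + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + sha1_rsa + _der(0x03, b"\x00" * 17))   # dummy BIT STRING in place of a signature


NOW, DAY = datetime(2009, 7, 1, 12, 0, tzinfo=UTC), timedelta(days=1)   # fixed "now" for the constructed cases


def demo():
    """Run the checks over constructed inputs; returns {case: (status, message)}."""
    return {"fresh": check_crl(sample_crl(NOW - DAY, NOW + 7 * DAY), NOW),
            "expiring": check_crl(sample_crl(NOW - DAY, NOW + timedelta(hours=2)), NOW),
            "expired": check_crl(sample_crl(NOW - 8 * DAY, NOW - timedelta(hours=1)), NOW),
            "key_ok": check_key_mode(0o100400, 0),
            "key_world": check_key_mode(0o100644, 0),
            "key_owner": check_key_mode(0o100400, 1000)}


if __name__ == "__main__":   # real use: check_crl(open(path, "rb").read(), datetime.now(UTC)); os.stat() for the key
    results = demo()
    for case, (status, message) in results.items():
        print("%-9s %-8s %s" % (case, ("OK", "WARNING", "CRITICAL")[status], message))
    sys.exit(max(status for status, _ in results.values()))
```

Against a real site the inputs are each `<hash>.r0` under /etc/grid-security/certificates (with `datetime.now(timezone.utc)` as `now`) and the `st_mode`/`st_uid` from `os.stat("/etc/grid-security/hostkey.pem")`. The probe deliberately does not verify the CRL signature; pair it with `openssl crl -verify -CAfile <ca.pem> -in <hash>.r0 -noout` or an equivalent check, since a stale CRL and a forged one are different failures. Warning a day before nextUpdate is what leaves time to repair a broken fetch-crl before services start failing authentication for that CA.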


Page 14: Security Update

Patch Monitoring - Pakiti

• The Pakiti software is freely available from SourceForge
  – www.sf.net/projects/pakiti
  – used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC)
  – currently being re-designed, significant changes expected during this summer
• Pakiti campaign
  – Many sites not applying security patches (vanilla SL3 distributions!), a wide range of exploits exist in the wild
  – OSCT is establishing a Pakiti server to collect and evaluate information about the sites' patching status
  – we only use the "public" interface, by sending a job
  – any authorized user can do the same
• The middle-term goal is to move the Pakiti framework to Nagios
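What the server side of such a campaign does with what the job brings back, as an added example (not Pakiti's own code): the node side only needs `rpm -qa` output, which is why a job run under any authorized user's credentials, as the slide says, is enough to collect it. The package list and the EXAMPLE-* advisory labels below are constructed, not real errata. The comparison follows rpm's rpmvercmp segment rules, which a naive string compare gets wrong (1.10 vs 1.9, el4 vs el4_8, and epochs):

```python
"""Pakiti-style patch status check: installed RPMs versus advisory fix versions.

Added illustration, not Pakiti's own code. Input is what a client job collects
on a node, here the output of
    rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
compared against a table of (advisory label, package, fixed (epoch, version, release)).
"""
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """RPM's segment-wise version compare: -1, 0 or 1 for a <, =, > b.

    Mirrors rpmvercmp(): split on non-alphanumerics, numeric segments compare
    as integers (so 1.10 > 1.9), numeric beats alpha, and when all common
    segments tie the string with segments left over is the newer one.
    (Tilde ordering from later rpm releases is not modelled.)
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_rpm_qa(text):
    """Map (name, arch) -> (epoch, version, release); rpm prints '(none)' for a missing epoch."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release, arch = line.split()
            installed[(name, arch)] = (0 if epoch == "(none)" else int(epoch), version, release)
    return installed


def evaluate(installed, advisories):
    """Packages older than an advisory's fix: [(label, name, arch, installed_evr, fixed_evr)]."""
    missing = []
    for label, name, fixed in advisories:
        for (pkg, arch), evr in installed.items():
            if pkg == name and evr_cmp(evr, fixed) < 0:
                missing.append((label, name, arch, evr, fixed))
    return sorted(missing)


# Constructed sample node (not rpm -qa output from any real site).
SAMPLE_RPM_QA = """\
openssl (none) 0.9.7a 43.17.el4 x86_64
openssl (none) 0.9.7a 43.17.el4 i386
kernel (none) 2.6.9 89.0.3.EL x86_64
openssh-server (none) 3.9p1 11.el4_7 x86_64
examplepkg 1 2.0 3 noarch
"""

# Constructed advisory table; the EXAMPLE-* labels are placeholders, not real errata.
SAMPLE_ADVISORIES = [
    ("EXAMPLE-2009-0001", "openssl", (0, "0.9.7a", "43.17.el4_8")),
    ("EXAMPLE-2009-0002", "kernel", (0, "2.6.9", "89.0.7.EL")),
    ("EXAMPLE-2009-0003", "openssh-server", (0, "3.9p1", "11.el4_7")),
    ("EXAMPLE-2009-0004", "examplepkg", (0, "9.9", "1")),   # installed epoch 1 outranks version 9.9 at epoch 0
]


def sample_report():
    """Evaluate the constructed node against the constructed advisories."""
    return evaluate(parse_rpm_qa(SAMPLE_RPM_QA), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for label, name, arch, have, need in sample_report():
        print("%s: %s.%s has %d:%s-%s, fixed in %d:%s-%s"
              % (label, name, arch, have[0], have[1], have[2], need[0], need[1], need[2]))
```

Two things the example makes visible that a quick `rpm -q` by eye does not: both architectures of a multilib package must be checked separately, and a package whose version looks "older" can still be current because of its epoch.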


Page 15: Security Update

Traceability of users

• Tools to analyze log files
  – Collecting information about the actions of a particular user
  – Focused on site level, to be performed by sysadmins
  – Work in progress – some "filters" already available
• Tools to analyze data from the L&B database
  – grid/VO level
  – Complete information about a user's activities on the grid
  – Intended for VO managers
  – Work planned, not started yet
• More info at
  – http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=slides&confId=49905
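The site-level filters described above and the "treat IP W.X.Y.Z as malicious" scenario of the planned modified SSC3 (slide 7) come down to the same correlation: from a destination address, through the worker node's outbound-connection log, to the batch job running there at that moment, to the pool account and the DN the CE mapped it from. The following is an added example of that chain and not the OSCT filter scripts; every log line is constructed in the style of iptables LOG output (with --log-uid), Torque accounting records and the Globus gatekeeper log, the address 192.0.2.45 is from the RFC 5737 documentation range, and the hosts, pool accounts and DNs are invented:

```python
"""Site-level traceability filter: from a suspect IP back to the grid user.
Added example, not the OSCT filters. Chains three constructed log sources:
  1. iptables LOG lines from worker nodes (rule logged with --log-uid, so UID= is present)
  2. Torque/PBS accounting 'E' records (job id, user, exec_host, start/end in epoch seconds)
  3. Globus gatekeeper log (DN authenticated, and the local account it was authorized as)
192.0.2.45 is an RFC 5737 documentation address; hosts, accounts and DNs are made up."""
import re
from datetime import datetime, timezone

UTC = timezone.utc
YEAR = 2009   # syslog lines carry no year; every timestamp here is treated as UTC
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
_FW = re.compile(r"^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) (\S+) kernel: .*SRC=(\S+) DST=(\S+) .*DPT=(\d+).* UID=(\d+)")
_GK = re.compile(r"PID: (\d+) -- Notice: \d+: (Authenticated globus user|Authorized as local user): (.+)$")


def _ts(mon, day, hh, mm, ss):
    return datetime(YEAR, mon, day, hh, mm, ss, tzinfo=UTC)


def firewall_hits(lines, ip):
    """Outbound connections to `ip`: (time, worker node short name, uid, destination port)."""
    hits = []
    for m in (_FW.match(line) for line in lines):
        if m and m.group(8) == ip:
            mon, day, hh, mm, ss, host, _, _, dport, uid = m.groups()
            hits.append((_ts(MONTHS[mon], int(day), int(hh), int(mm), int(ss)), host.split(".")[0], int(uid), int(dport)))
    return hits


def jobs_on_node(acct_lines, node, when):
    """Accounting 'E' records of jobs that ran on `node` and were running at `when`."""
    jobs = []
    for parts in (line.split(";") for line in acct_lines):
        if len(parts) < 4 or parts[1] != "E":
            continue
        attrs = dict(kv.split("=", 1) for kv in parts[3].split() if "=" in kv)
        start, end = (datetime.fromtimestamp(int(attrs[k]), UTC) for k in ("start", "end"))
        nodes = {h.split("/")[0].split(".")[0] for h in attrs["exec_host"].split("+")}
        if node in nodes and start <= when <= end:
            jobs.append((parts[2], attrs["user"], start, end))
    return jobs


def dn_for_account(gk_lines, account):
    """DNs the gatekeeper authorized as `account`; the PID ties the two Notice lines together."""
    dn_by_pid, dns = {}, set()
    for m in (_GK.search(line) for line in gk_lines):
        if not m:
            continue
        pid, kind, value = m.groups()
        if kind.startswith("Authenticated"):
            dn_by_pid[pid] = value.strip()
        elif value.strip() == account and pid in dn_by_pid:
            dns.add(dn_by_pid[pid])
    return sorted(dns)


def trace_ip(fw_lines, acct_lines, gk_lines, passwd_lines, ip):
    """Each hit on `ip` -> (time, node, local account, job id or None, [DNs])."""
    uid_to_user = {int(f[2]): f[0] for f in (p.split(":") for p in passwd_lines) if len(f) > 2}
    findings = []
    for when, node, uid, _ in firewall_hits(fw_lines, ip):
        user = uid_to_user.get(uid, "uid=%d" % uid)
        jobs = [j for j in jobs_on_node(acct_lines, node, when) if j[1] == user]
        if not jobs:   # traffic from a non-job process is still worth reporting
            findings.append((when, node, user, None, []))
        for job_id, _, _, _ in jobs:
            findings.append((when, node, user, job_id, dn_for_account(gk_lines, user)))
    return findings


def _acct_E(job_id, user, host, start, end):
    return "%s;E;%s;user=%s group=atlas queue=atlas start=%d exec_host=%s/3 end=%d Exit_status=0" % (
        end.strftime("%m/%d/%Y %H:%M:%S"), job_id, user, int(start.timestamp()), host, int(end.timestamp()))


SAMPLE_FIREWALL = [  # constructed
    "Jul  1 10:20:11 wn023 kernel: OUT: IN= OUT=eth0 SRC=10.1.2.23 DST=192.0.2.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43122 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=4012 GID=4000",
    "Jul  1 10:21:40 wn023 kernel: OUT: IN= OUT=eth0 SRC=10.1.2.23 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43130 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=0 GID=0",
    "Jul  1 10:22:05 wn041 kernel: OUT: IN= OUT=eth0 SRC=10.1.2.41 DST=192.0.2.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50817 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=4012 GID=4000",
]
SAMPLE_ACCT = [  # constructed
    _acct_E("1234.ce01.example.org", "atlas012", "wn023.example.org", _ts(7, 1, 10, 0, 0), _ts(7, 1, 11, 5, 30)),
    _acct_E("1199.ce01.example.org", "atlas007", "wn041.example.org", _ts(7, 1, 9, 30, 0), _ts(7, 1, 9, 59, 0)),
    _acct_E("1240.ce01.example.org", "atlas012", "wn041.example.org", _ts(7, 1, 10, 10, 0), _ts(7, 1, 10, 40, 0)),
]
SAMPLE_GATEKEEPER = [  # constructed
    " PID: 28811 -- Notice: 5: Authenticated globus user: /C=UK/O=eScience/OU=Example/L=Site/CN=alice example",
    " PID: 28811 -- Notice: 5: Authorized as local user: atlas012",
    " PID: 28840 -- Notice: 5: Authenticated globus user: /C=UK/O=eScience/OU=Example/L=Site/CN=bob example",
    " PID: 28840 -- Notice: 5: Authorized as local user: atlas007",
]
SAMPLE_PASSWD = ["atlas012:x:4012:4000::/home/atlas012:/bin/bash", "atlas007:x:4007:4000::/home/atlas007:/bin/bash"]

if __name__ == "__main__":
    for when, node, user, job, dns in trace_ip(SAMPLE_FIREWALL, SAMPLE_ACCT, SAMPLE_GATEKEEPER, SAMPLE_PASSWD, "192.0.2.45"):
        print(when.isoformat(), node, user, job or "-", ", ".join(dns) or "-")
```

Two details decide whether this chain holds up in a real incident, and an SSC run is exactly how a site finds out. First, clocks: syslog timestamps carry no year and are in the node's local time while Torque stores epoch seconds, so CE and worker nodes must be NTP-synchronised and the investigator must normalise time zones (the example sidesteps this by treating everything as UTC). Second, log granularity: without --log-uid or equivalent per-process accounting the firewall line names a node but no uid, and the trail stops at "some job on wn023". The job id recovered here is also the key into the L&B data the slide mentions for the VO-level view, so it should be carried verbatim into any report.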


Page 16: Security Update

Security Training & Dissemination

• gLite Service reference cards
  – https://twiki.cern.ch/twiki/bin/view/EGEE/ServiceReferenceCards


• gLite-AMGA - ARDA Metadata Catalog
• glite-BDII - Berkeley Database Information Index
• glite-CREAM_CE - gLite CREAM Computing Element
• glite-DPM - Disk Pool Manager
• glite-FTS - File Transfer Service
• glite-LFC - LCG File Catalog
• gLite-LB - Logging and Bookkeeping service
• glite-MON - Monitoring System Collector Server
• glite-PX - MyProxy server
• glite-UI - User Interface
• glite-VOBOX - Virtual Organisation Node
• glite-VOMS - Virtual Organisation Membership System
• gLite-WMS - Workload Management Service
• glite-WN - Worker Node
• lcg-CE - LCG Computing Elements
• gLExec - gLExec (both for WN and CE)

Page 17: Security Update

Service reference cards

• Each service card has a "security information" section
  – Access control mechanism description (authentication & authorization)
  – How to block/ban a user
  – Network usage
  – Firewall configuration
  – Security recommendations
  – Security incompatibilities
  – List of externals (packages NOT maintained by Red Hat or by gLite)
  – Other security relevant comments


Page 18: Security Update

Security Trainings

• Target system managers and administrators, NOT end users;
• No dedicated budget for security training;
  – Incorporate training into other conferences/events;
• Past training events
  – EGEE'07, 1st-5th October 2007, Budapest
  – EGEE'08, 22nd-26th September 2008, Istanbul
  – Security training at Laboratory APC, France, 2nd-3rd April 2009
  – Security training at ISGC 2009, Taipei, 19th April 2009
• Upcoming training events
  – Security workshop at RAL, UK, 1st July 2009
  – GridKa School at Karlsruhe, Germany, 31st Aug.-4th Sep. 2009
  – EGEE'09, 21-25 September 2009, Barcelona
• Some ROCs are planning trainings in their regions as well


Page 19: Security Update


Page 20: Security Update

Security Page

• Still in a very early stage, will be hosted at the OSCT website
• Topics covered
  – Security policies, procedures
  – Security monitoring
  – Middleware security
  – OS security
  – Network security
  – Trust (CA, PKI and IGTF)
  – Forensics
  – … …
• TERENA training material

Page 21: Security Update

Questions?
