Security Update

Mingchao Ma
HEPSYSMAN - Security

1st July 2009


Overview

• Security service challenge 3 (SSC 3)
• Security incident handling procedure
• Security monitoring
• Security training and dissemination

20/04/23 Mingchao Ma, RAL 2


SSC3

• EGEE Tier1 sites have been tested twice by OSCT
• Regional runs at Tier2 sites done by ROC security officers
– UKI, SEE, Benelux and Italy completed
• Regional run at OSG done
• Regional run at NDGF planned



SSC3 Result – Tier1 Sites


SSC3: Analysis

• All sites (besides one) improved
• Sites that scored well in the first run improved in the second run
• Sites that did not score very well in the first run improved a lot
• Most sites (besides one) enjoyed the opportunity to test their response capabilities, and the exercise even revealed operational problems



SSC3 Result – UKI Tier2 Sites


SSC - Plans

• To run a modified SSC3
– E.g. treat IP W.X.Y.Z as malicious
• Storage SSC
– Under discussion
– Some concerns about the logging capabilities of the storage middleware
• Re-run SSC3 at Tier2 sites



Incident Handling

• Security Incident Response Policy
– http://www.jspg.org/wiki/Security_Incident_Response_Policy (draft)
• The revised EGEE incident handling procedure
– In final stage
– http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialId=0&confId=56981
– Change of reporting channels
• for reporting incidents
• for support
– Specifies a timeframe for each step
• E.g. report an incident within 4 hours of detection
– Templates for reporting an incident
• Both the GridPP and NGS incident procedures will be modified in line with the EGEE incident procedure



GridPP Incident Handling Procedure

• Communication channel
– Was: a list of security contact emails
– Change to:

for incident alert/report/notification

for discussion/support

• Feedback/Comments are welcome!



NGS Incident Handling Procedure

• Communication channel
– Was and
– Change to:

for incident alert/report/notification

for discussion/support

• Feedback/Comments are welcome!


Cross-Grid Incident Handling

• GRID-SEC
– A coordinated response to cross-grid security incidents, following the NSP-SEC model
– http://cern.ch/grid-sec
– A closed mailing list hosted by NCSA, USA
– To strengthen communication between a small group of experts at connected academic grids
– Maximum two representatives from the same grid infrastructure
– Currently includes: OSG, TeraGrid, NDGF and EGEE



Cooperation between Grid (OSCT) and NREN CSIRTs

• Collected a list of NREN CSIRT contact information
• To participate in NREN CSIRT activities
• To encourage cooperation between ROC security contacts and the local NREN CSIRT team(s)
• Also encourage cooperation between site security contacts and their organization's security/CSIRT teams
• Consider becoming a trusted introducer? (e.g. EGEE OSCT)



Security Monitoring

• Some SAM security tests available
– CRL and file permission checks
– Results only available to security contacts
• Port the tests to the Nagios-based framework
– ROC (or even project/VO) level Nagios will perform the tests
– Results must be encrypted, access policy defined
– Focus on project/ROC level monitoring
– More information can be found in https://twiki.cern.ch/twiki/pub/LCG/OSCT-EGEEIII-tasks/security-monitoring-v0.12.pdf
• Further security probes to be developed
– Call for Nagios-based security probes
• Based on risk analysis and/or previous incidents
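An added example of the kind of Nagios-based security probe the slide calls for; it is not code from the presentation or from the SAM tests it mentions. It covers the two checks the SAM tests perform, CRL freshness and permissions on key material, and reports them with the standard Nagios exit codes. The thresholds, the file paths under /etc/grid-security and the sample openssl output are assumptions made for illustration; check_crl_file() assumes the openssl command line tool is installed and is not needed to run the sample.

```python
"""Nagios-style security probe: CRL freshness plus key/cert file permissions.

Added example for this page; it is not code from the presentation nor from
the SAM or Nagios probes it mentions. Thresholds, paths and the sample
openssl output below are assumptions chosen for illustration.
"""
import os
import stat
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3          # Nagios plugin exit codes
STATUS_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Constructed sample of what `openssl crl -noout -nextupdate -in <crl>` prints.
SAMPLE_OPENSSL_OUTPUT = "nextUpdate=Jul  1 12:00:00 2009 GMT\n"


def parse_next_update(openssl_output):
    """Return the CRL's nextUpdate field as a naive UTC datetime."""
    for line in openssl_output.splitlines():
        if line.startswith("nextUpdate="):
            value = line[len("nextUpdate="):].strip()
            if value.endswith(" GMT"):
                value = value[:-4]
            return datetime.strptime(value, "%b %d %H:%M:%S %Y")
    raise ValueError("no nextUpdate field in openssl output")


def crl_status(next_update, now, warn_hours=24):
    """CRITICAL once nextUpdate has passed (an expired CRL makes every
    certificate from that CA unverifiable), WARNING inside warn_hours."""
    remaining = next_update - now
    if remaining <= timedelta(0):
        return CRITICAL, "CRL expired at %s UTC" % next_update
    if remaining <= timedelta(hours=warn_hours):
        return WARNING, "CRL expires in %d h" % (remaining.total_seconds() // 3600)
    return OK, "CRL valid until %s UTC" % next_update


def evaluate_crl_output(openssl_output, now_iso):
    """openssl text plus an ISO-8601 'now' (UTC) -> (code, message)."""
    return crl_status(parse_next_update(openssl_output), datetime.fromisoformat(now_iso))


def check_crl_file(crl_path):
    """Run the real openssl CLI (assumed installed) against a CRL on disk."""
    out = subprocess.run(["openssl", "crl", "-noout", "-nextupdate", "-in", crl_path],
                         capture_output=True, text=True, check=True).stdout
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return crl_status(parse_next_update(out), now)


def check_file_permissions(path, allowed_mode, require_uid=None):
    """CRITICAL if any permission bit outside allowed_mode is set (e.g. a host
    key readable by group or world) or the owner is not require_uid."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return UNKNOWN, "%s: %s" % (path, exc.strerror)
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~allowed_mode
    if extra:
        return CRITICAL, "%s has mode %04o (unexpected bits %04o)" % (path, mode, extra)
    if require_uid is not None and st.st_uid != require_uid:
        return CRITICAL, "%s owned by uid %d, expected %d" % (path, st.st_uid, require_uid)
    return OK, "%s mode %04o" % (path, mode)


def probe_scratch_file(mode, allowed_mode):
    """Exercise the permission check on a throw-away file of the given mode,
    so the probe can be tried without touching real keys. Returns the code."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_file_permissions(path, allowed_mode)[0]
    finally:
        os.unlink(path)


def worst(results):
    """Combine (code, message) pairs the Nagios way: the highest code wins."""
    code = max(code for code, _ in results)
    return code, "; ".join(msg for _, msg in results)


if __name__ == "__main__":
    results = [
        evaluate_crl_output(SAMPLE_OPENSSL_OUTPUT, "2009-06-30T18:00:00"),  # 18 h left -> WARNING
        check_file_permissions("/etc/grid-security/hostkey.pem", 0o600, require_uid=0),
        check_file_permissions("/etc/grid-security/hostcert.pem", 0o644, require_uid=0),
    ]
    code, msg = worst(results)
    print("%s - %s" % (STATUS_NAMES[code], msg))
    raise SystemExit(code)
```

A WARNING a day before nextUpdate leaves time to repair a broken fetch-crl cron job before the CRL actually expires, at which point every certificate from that CA stops verifying; the permission check fails closed on any bit outside the allowed mode, so a hostkey.pem that is group-readable is reported even when the owner bits are right. Because each result names the weak host and file, the output is exactly the kind of data the slide says must be encrypted and access-controlled.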



Patch Monitoring - Pakiti

• The Pakiti software is freely available from SourceForge
– www.sf.net/projects/pakiti
– Used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC)
– Currently being re-designed; significant changes expected during this summer
• Pakiti campaign
– Many sites are not applying security patches (vanilla SL3 distributions!); a wide range of exploits exist in the wild
– OSCT is establishing a Pakiti server to collect and evaluate information about the sites' patching status
– We only use the "public" interface, by sending a job
– Any authorized user can do the same
• The medium-term goal is to move the Pakiti framework to Nagios
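The patch-status evaluation a Pakiti-style job performs, as an added example (this is neither Pakiti's own code nor its data format): the installed package list that rpm -qa prints on the worker node is compared, package by package, with a table of first-fixed versions using RPM's own version-ordering rules. The errata table, its advisory labels and the sample rpm -qa output are constructed for illustration; installed_packages() assumes the rpm command is present and is not needed for the sample run.

```python
"""Patch-status evaluation of the kind a Pakiti-style job performs.

Added example for this page; it is neither Pakiti's own code nor its data
format. Installed packages (as printed by `rpm -qa`) are compared with a
table of fixed versions using RPM's version-ordering rules (rpmvercmp,
without the newer tilde/caret handling). The errata table, advisory labels
and the sample rpm output are constructed for illustration.
"""
import re
import subprocess

RPM_QA_FORMAT = "%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n"

# Constructed `rpm -qa` output for a worker node; "(none)" is how rpm prints
# an unset epoch.
SAMPLE_RPM_QA = """\
openssl (none):0.9.8e-7.el5
kernel (none):2.6.18-128.1.1.el5
bind-libs 30:9.3.4-10.P1.el5
glibc (none):2.5-34
"""

# Constructed errata: (package, first fixed EVR, advisory label). A real
# deployment would load this from the distribution's security errata feed.
SAMPLE_ERRATA = [
    ("openssl",   "0:0.9.8e-12.el5_4.1",   "constructed-advisory-1"),
    ("kernel",    "0:2.6.18-128.1.14.el5", "constructed-advisory-2"),
    ("bind-libs", "30:9.3.4-10.P1.el5",    "constructed-advisory-3"),  # already at the fixed EVR
    ("glibc",     "0:2.5-34",              "constructed-advisory-4"),  # epoch spelled differently, same EVR
]

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """RPM's version ordering: -1 if a < b, 0 if equal, 1 if a > b.
    Strings are split into runs of digits or letters (separators ignored);
    numeric runs compare as integers, alphabetic runs as strings, a numeric
    run beats an alphabetic one, and leftover runs make a string newer."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release);
    a missing or '(none)' epoch counts as 0, as rpm treats it."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e != "(none)":
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa(text):
    """Parse 'name epoch:version-release' lines into {name: evr}."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            installed[name] = evr.strip()
    return installed


def installed_packages():
    """Query the local RPM database (assumes the rpm command is available)."""
    out = subprocess.run(["rpm", "-qa", "--qf", RPM_QA_FORMAT],
                         capture_output=True, text=True, check=True).stdout
    return parse_rpm_qa(out)


def find_unpatched(installed, errata):
    """Return (name, installed_evr, fixed_evr, advisory) for every errata
    entry whose package is present at an EVR older than the fixed one."""
    hits = []
    for name, fixed, advisory in errata:
        have = installed.get(name)
        if have is not None and evr_compare(have, fixed) < 0:
            hits.append((name, have, fixed, advisory))
    return hits


if __name__ == "__main__":
    for name, have, fixed, advisory in find_unpatched(parse_rpm_qa(SAMPLE_RPM_QA), SAMPLE_ERRATA):
        print("%s: installed %s, fixed in %s (%s)" % (name, have, fixed, advisory))
```

Run as-is it evaluates the constructed sample (openssl and kernel are reported, bind-libs and glibc are not). Inside a grid job you would call installed_packages() instead and send the result back to the collecting server over an authenticated channel only: the list of unpatched packages on a node is exactly what an attacker who lands a job there would want, which is why the slide's point that any authorized user can run such a job cuts both ways. One caveat for the kernel: several kernel packages are normally installed side by side, so compare the running version from uname -r rather than whichever entry rpm -qa happens to list last.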



Traceability of Users

• Tools to analyze log files
– Collecting information about the actions of a particular user
– Focused on site level, to be performed by sysadmins
– Work in progress; some "filters" already available
• Tools to analyze data from the L&B database
– Grid/VO level
– Complete information about a user's activities on the grid
– Intended for VO managers
– Work planned, not started yet
• More info at
– http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=slides&confId=49905



Security Training & Dissemination

• gLite Service reference cards
– https://twiki.cern.ch/twiki/bin/view/EGEE/ServiceReferenceCards

• gLite-AMGA - ARDA Metadata Catalog
• glite-BDII - Berkeley Database Information Index
• glite-CREAM_CE - gLite CREAM Computing Element
• glite-DPM - Disk Pool Manager
• glite-FTS - File Transfer Service
• glite-LFC - LCG File Catalog
• gLite-LB - Logging and Bookkeeping service
• glite-MON - Monitoring System Collector Server
• glite-PX - MyProxy server
• glite-UI - User Interface
• glite-VOBOX - Virtual Organisation Node
• glite-VOMS - Virtual Organisation Membership System
• gLite-WMS - Workload Management Service
• glite-WN - Worker Node
• lcg-CE - LCG Computing Element
• gLExec - gLExec (both for WN and CE)


Service reference cards

• Each service card has a "security information" section
– Access control mechanism description (authentication & authorization)
– How to block/ban a user
– Network usage
– Firewall configuration
– Security recommendations
– Security incompatibilities
– List of externals (packages NOT maintained by Red Hat or by gLite)
– Other security relevant comments



Security Trainings

• Target system managers and administrators, NOT end users
• No dedicated budget for security training
– Incorporate training into other conferences/events
• Past training events
– EGEE'07, 1st-5th October 2007, Budapest
– EGEE'08, 22nd-26th September 2008, Istanbul
– Security training at Laboratory APC, France, 2nd-3rd April 2009
– Security training at ISGC 2009, Taipei, 19th April 2009
• Upcoming training events
– Security workshop at RAL, UK, 1st July 2009
– GridKa School at Karlsruhe, Germany, 31st Aug.-4th Sep. 2009
– EGEE'09, 21-25 September 2009, Barcelona
• Some ROCs are planning trainings in their regions as well


Security Page

• Still at a very early stage; will be hosted at the OSCT website
• Topics covered
– Security policies, procedures
– Security monitoring
– Middleware security
– OS security
– Network security
– Trust (CA, PKI and IGTF)
– Forensics
– … …
• TERENA training material


Questions?
