Hello Ian,
hope this helps at least to start a wider discussion.
> B) Whilst not grid-specific in its nature, technical information on how to
> contain the behaviour was not available and/or not sufficiently publicised.
> The OSCT will review and update where necessary. For the incident in question
> a reference has been created here:
> http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
> (Thanks Steve Traylen).
> An additional source of general security information is published here:
> http://goc.grid-support.ac.uk/gridsite/operations/security_info.php
> and here: https://cic.in2p3.fr/index.php?id=roc&subid=roc_security&js_status=2
The information on the security pages is too general and doesn't help sys
admins who in these situations just want to have a recipe like the one you
pointed out in the wiki. The security recipes IMO shouldn't go in the wiki.
The wiki is a good tool, but as a sys admin what I really want is a
comprehensive site about security, somewhere to rush to consult if something
happens and that I can trust works. The recipes should be reviewed and
tried; as it was, the original recipe on the wiki was not completely secure.
It has now been changed, but this demonstrates how important it is that
security recipes are reviewed.
The recipes should also be appended to the installation notes in an
appropriate security section as highly recommended. I wouldn't put them in
the configuration by default, as someone might want to do, because they
might interfere with already existing security setups at sites. For
example, I don't like that the lcg/egee installation tools manipulate
iptables or sshd_config. Recipes should contain what to do and why
it is suggested.
> C) Availability of contact data for VO management and access to user contact
> data for site administrators (currently only readily available through mail
> contact with the VO) is unclear. This needs to be addressed, no immediate
> solution is available but I will add a web page with contact points for this
> and A) above together with their purpose.
I think it is a bad idea for site administrators to contact users directly.
There is a structure; let's use it. The site admin should contact the ROC,
and the ROC should send an email to project-lcg-security-contacts (or csirts
in case of a real incident) and start an investigation. A procedure like
this should be described in the security pages as well. If the ROCs or
OSCT are aware of something going on before any of the sys admins realise
it (as seemed to be the case here), they should send an email to the
above mailing lists even if they know that what is happening is not
malicious (they might know it, but nobody else does).
Any other comment is obviously welcome.
Thanks.
cheers
alessandra
>
> I would welcome feedback on any aspect to help in improving procedures for the
> future.
>
> Ian
>
> | Ian Neilson, LCG/EGEE Security Officer
> | Grid Deployment Group, CERN
> | Tel: +41 (0)22 76 74929
>
>
>
>
--
********************************************
* Dr Alessandra Forti *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti *
********************************************