And sorry for the wider discussion already started :)
On Fri, 17 Jun 2005, Alessandra Forti // EOJ wrote:
> Hello Ian,
>
> hope this helps at least to start a wider discussion.
>
>> B) Whilst not grid-specific in its nature, technical information on how to
>> contain the behaviour was not available and/or not sufficiently
>> publicised.
>> The OSCT will review and update where necessary. For the incident in question
>> a reference has been created here:
>> http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
>> (Thanks Steve Traylen).
>> An additional source of general security information is published here:
>> http://goc.grid-support.ac.uk/gridsite/operations/security_info.php
>> and here:
>> https://cic.in2p3.fr/index.php?id=roc&subid=roc_security&js_status=2
>
> The information on the security pages is too general and doesn't help sysadmins
> who in these situations just want to have a recipe like the one you pointed
> out in the wiki. The security recipes IMO shouldn't go in the wiki. The wiki is
> a good tool, but as a sysadmin what I really want is a comprehensive site about
> security, somewhere to rush to consult if something happens and that I can
> trust works. The recipes should be reviewed and tried; as it was, the original
> recipe on the wiki was not completely secure. It has now been changed, but this
> demonstrates how important it is that security recipes are reviewed.
>
> The recipes should also be appended to the installation notes in an
> appropriate security section as highly recommended. I wouldn't put them in
> the configuration by default, as someone might want to do, because they might
> interfere with already existing security setups at sites. For example, I don't
> like that the lcg/egee installation tools manipulate iptables or the
> sshd_config. Recipes should contain what to do and why it is suggested to do
> so.
>
>> C) Availability of contact data for VO management and access to user contact
>> data for site administrators (currently only readily available through mail
>> contact with the VO) is unclear. This needs to be addressed, no immediate
>> solution is available but I will add a web page with contact points for this
>> and A) above together with their purpose.
>
> I think it is a bad idea for site administrators to contact users directly.
> There is a structure, let's use it. Site admins should contact the ROC and the
> ROC should send an email to project-lcg-security-contacts (or csirts in case
> of a real incident) and start an investigation. A procedure like this should be
> described in the security pages as well. If the ROCs or OSCT are aware of
> something going on before any of the sysadmins realise it (as it seemed to be
> in this case) they should send an email to the above mailing lists even if
> they know that what is happening is not malicious (they might know it, but
> nobody else does).
>
> Any other comment obviously welcome.
>
> thanks.
>
> cheers
> alessandra
>
>>
>> I would welcome feedback on any aspect to help in improving procedures for the
>> future.
>>
>> Ian
>>
>> | Ian Neilson, LCG/EGEE Security Officer
>> | Grid Deployment Group, CERN
>> | Tel: +41 (0)22 76 74929
--
********************************************
* Dr Alessandra Forti *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti *
********************************************