There should be a GridPP security person who would look at things like
this but the post hasn't been filled yet. As in many other areas these
are issues that should be addressed by EGEE/LCG as a whole but if they
aren't then we should tackle them in GridPP to give our Grid added
value.
John
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Simon George
> Sent: 14 June 2005 16:00
> To: [log in to unmask]
> Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
>
> Will this (or at least the part of it that works) be added to the manual
> install instructions or the yaim configuration?
>
> I see many people are rightly concerned with using this opportunity to
> improve the incident response process. I am also very concerned about
> how to ensure that any resulting site configuration recommendations are
> deployed everywhere.
>
> I don't believe it is practical to expect every admin of a new site to
> read the whole wiki in case there is something essential in there. I
> myself have a rather ad-hoc and incomplete collection of
> security-related changes to my site configuration which I just happened
> to notice on mailing lists. I suspect many people are the same. Can this
> be done more automatically please? Some ideas:
>
> - a final step added to the installation guide that says where to find
> extra info about tweaking your set up to make it secure (just the
> gocwiki security faq?)
> - a well-maintained list of these things (Is the gocwiki security
> faq comprehensive? Is it someone's job to make sure?)
> - a weekly security bulletin with the latest issues and solutions sent
> to all site contacts (perhaps just links to the new items on
> the page above)
> - how about using the yum/apt LCG updates repository to distribute
> security fixes automatically? (I'm sure most people are aware that rpms
> can contain scripts as well as files.)
>
> Cheers,
> Simon
>
> Coles, J (Jeremy) wrote:
> > All
> >
> > There are concerns about a recent user incident regarding ssh keys. To
> > be sure to stop such activities in the future please follow the
> > guidelines here:
> >
> > http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
> >
> > It is insufficient to expect to black list users for experimenting and
> > we ought to be aware of potential problem areas and remove them.
> >
> > Regards,
> > Jeremy
> >
> >
> >
> >
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes
> > [mailto:[log in to unmask]] On Behalf Of Cornwall, LA (Linda)
> > Sent: 13 June 2005 16:56
> > To: [log in to unmask]
> > Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> >
> > Looks like a vulnerability to me - if someone can leave an ssh key
> > behind!
> > So simple. Another reason not to recycle accounts.
> >
> > Linda
> >
> >
> >>-----Original Message-----
> >>From: Testbed Support for GridPP member institutes [mailto:TB-
> >>[log in to unmask]] On Behalf Of owen maroney
> >>Sent: 13 June 2005 16:52
> >>To: [log in to unmask]
> >>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> >>
> >>
> >>
> >>-------- Original Message --------
> >>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>Date: Mon, 13 Jun 2005 16:49:31 +0100
> >>From: owen maroney <[log in to unmask]>
> >>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> >>To: [log in to unmask]
> >>References:
> >><[log in to unmask]>
> >> <[log in to unmask]>
> >>
> >>Hi,
> >>
> >>Hmm.
> >>
> >>Just checked the CE here and found that at 12:43 today someone copied
> >>ssh keys into ~/.ssh
> >>
> >>This seems fairly clearly an abuse of someone's certificate.
> >>
> >>I am entirely happy to 'name' this person. I suggest other sites may
> >>want to check ls -latrh /home/*/.ssh
> >>
> >>Owen.
> >>
> >>Dan Schrager wrote:
> >>
> >>
> >>>I could give you the details of the certificate.
> >>>There is someone that had tried to bypass the certificate authentication
> >>>by inserting ssh keys into the ~/.ssh directory to which it had been
> >>>mapped on our public CE.
> >>>
> >>>Until further checks I will postpone the "name and shame" policy...
> >>>
> >>>
> >>>
> >>>Bly, MJ (Martin) wrote:
> >>>
> >>>
> >>>>I suppose it is politic to ask: if you feel the need to urgently
> >>>>blacklist a user, should we all be doing the same?
> >>>>Martin.
> >>>>
> >>>>-----Original Message-----
> >>>>From: LHC Computer Grid - Rollout
> >>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> >>>>Sent: Monday, June 13, 2005 3:57 PM
> >>>>To: [log in to unmask]
> >>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>>>
> >>>>Hi everybody,
> >>>>
> >>>>There is an urgent need at our site to blacklist a certificate.
> >>>>
> >>>>Please advise how this can be done at local, gatekeeper(?) level.
> >>>>
> >>>>Regards,
> >>>>Dan
> >>>>
> >>>>
> >>
> >>--
> >>======================================================
> >>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> >>
> >>Tel. (+44)20 759 47802
> >>
> >>Imperial College London
> >>High Energy Physics Department
> >>The Blackett Laboratory
> >>Prince Consort Road, London, SW7 2BW
> >>===================================
> >>
>
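The check suggested in the thread (ls -latrh /home/*/.ssh) made repeatable, as an added example that is not part of the original messages: it reports every file found in a per-account .ssh directory, counts the public-key lines in it, and marks files modified within a chosen number of days. The function names, the 7-day default and the pool001/pool002 sample accounts are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh audit.sh /home 7

# audit_ssh_dirs BASE [DAYS]
# One line per file under BASE/*/.ssh: AGE ACCOUNT PATH keys=N
audit_ssh_dirs() {
    base=${1:-/home}
    days=${2:-7}
    for dir in "$base"/*/.ssh; do
        [ -d "$dir" ] || continue
        account=$(basename "$(dirname "$dir")")
        # Report every regular file, not only authorized_keys: a mapped
        # pool account normally has no reason to hold any of them.
        find "$dir" -type f | sort | while IFS= read -r f; do
            # Count lines that carry a public key (authorized_keys format).
            keys=$(grep -cE '(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' \
                   "$f" 2>/dev/null || true)
            # Files changed within the last DAYS days are marked RECENT.
            if [ -n "$(find "$f" -mtime -"$days")" ]; then
                age=RECENT
            else
                age=OLD
            fi
            printf '%s %s %s keys=%s\n' "$age" "$account" "$f" "${keys:-0}"
        done
    done
}

# Constructed sample tree (not real data): two accounts with a key file,
# one of them back-dated, and one account with no .ssh directory.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/pool001/.ssh" "$t/pool002/.ssh" "$t/pool003"
    echo 'ssh-rsa AAAAB3CONSTRUCTED new@example' > "$t/pool001/.ssh/authorized_keys"
    echo 'ssh-rsa AAAAB3CONSTRUCTED old@example' > "$t/pool002/.ssh/authorized_keys"
    touch -t 200401010000 "$t/pool002/.ssh/authorized_keys"
    echo "$t"
}

# Run the audit only when a base directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_ssh_dirs "$@"
fi
```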