Hi all,
I'll quickly start off with the reminder that the security-discussion list is a thing, and good practice to use for any conversation that might get sensitive.
To answer one of Winnie's questions - I do not believe there is currently any official UK (or WLCG) WN Security Guidelines (I could be wrong). Terry's point that the job should leave nothing behind on a node bar a footprint in the logs is very true.
Requesting such a document be created, or this be the subject of some form of talk or training, seems like a good idea. Although I suspect that any best-practice would be very batch-system dependent.
I'll take this opportunity to wish you all a Happy Christmas and a Merry New Year again, have a fantastic break all!
Cheers,
Matt
On 19/12/2019 11:02, Terry Froy wrote:
>
> Hi Winnie,
>
> I would definitely say that disallowing user-created cron/at jobs on worker nodes is the right thing to do.
>
> No job (or output from a job), excepting admin-controlled logging, should persist on a worker node once the job has completed execution and any resulting output has been successfully transferred.
>
> Happy to be corrected by anyone or even Mr. UK Grid Security himself when he awakens from his Christmas slumber 😉
>
> Regards,
> Terry
>
> --
>
> Terry Froy
>
> Cluster Systems Manager, Particle Physics
>
> Queen Mary University of London
>
> Tel: +44 (0)207 882 6560
>
> E-mail: [log in to unmask]
>
> *From:* Testbed Support for GridPP member institutes <[log in to unmask]> on behalf of Winnie Lacesso <[log in to unmask]>
> *Sent:* 19 December 2019 09:52
> *To:* [log in to unmask]
> *Subject:* WLCG WN security question
> Good morning!
>
> I asked this of UK Grid Security, but got an auto-reply that he's out of
> office till Jan 2020.
>
> Dr Yves Coppens (was BHAM, now long gone) built original Bristol WLCG
> site (2004), & as I inherited it from him, one of the things he'd
> configured in building WLCG WN was:
>
> # disallow malicious user jobs to create atjobs & crontabs
> touch /etc/cron.allow
> touch /etc/at.allow
>
> I assumed that was part of some WLCG security "best practice" in WN
> build/config. Does anyone know, is it still true (recommended if not
> required for WLCG WN)?
>
> If so, is there some WLCG WN build/config security "best practice"
> checklist? (We're building a batch of new WN so think to check all the
> things to-do)
>
> I took a look at
> https://www.gridpp.ac.uk/wiki/Security_Information
> but didn't see anything (obvious) like this?
>
> Grateful for anyone's advice!
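The build step Winnie quotes (touching /etc/cron.allow and /etc/at.allow) relies on how crontab(1) and at(1) consult their allow files: when the allow file exists, only the users listed in it may submit jobs, so an empty file shuts ordinary job accounts out. The following POSIX sh script is an added example written for this archive, not something from the thread or from any GridPP/WLCG document. It audits a node (or a staged image) for exactly that state plus Terry's "nothing persists" rule, checking that both allow files exist, that they list only approved users, and that no job account has left a crontab in the spool. The function names, the parameterised paths and the mock directory tree it builds for demonstration are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the thread): audit the cron/at access-control
# state of a worker node build. crontab(1) and at(1) consult cron.allow and
# at.allow first: when the allow file exists, only the users listed in it
# may submit jobs, so an empty file (the "touch" in the thread) shuts
# ordinary job accounts out. Paths and the approved-user list are parameters
# so the check can run against a real /etc, a staged image, or a mock tree.

# audit_cron_policy ETCDIR SPOOLDIR ALLOWED
#   ETCDIR   directory holding cron.allow / at.allow (normally /etc)
#   SPOOLDIR per-user crontab spool (/var/spool/cron or
#            /var/spool/cron/crontabs, depending on the distribution)
#   ALLOWED  space-separated users permitted to own cron/at jobs
# Prints one FAIL line per finding; exits 0 only when the node is compliant.
audit_cron_policy() (
    etc="$1"; spool="$2"; allowed="$3"
    rc=0
    for f in cron.allow at.allow; do
        if [ ! -f "$etc/$f" ]; then
            echo "FAIL: $etc/$f missing, no allow-list is enforced"
            rc=1
            continue
        fi
        # every non-empty line of the allow file must name an approved user
        while IFS= read -r user || [ -n "$user" ]; do
            [ -n "$user" ] || continue
            case " $allowed " in
                *" $user "*) ;;
                *) echo "FAIL: $etc/$f permits unexpected user '$user'"; rc=1 ;;
            esac
        done < "$etc/$f"
    done
    # anything a job account left in the spool is a persistence finding
    if [ -d "$spool" ]; then
        for ct in "$spool"/*; do
            [ -e "$ct" ] || continue
            user=$(basename "$ct")
            case " $allowed " in
                *" $user "*) ;;
                *) echo "FAIL: crontab for '$user' present in $spool"; rc=1 ;;
            esac
        done
    fi
    exit "$rc"
)

# make_fixture DIR MODE
# Builds a constructed mock tree (DIR/etc, DIR/spool) for demonstration only.
# "locked" reproduces the build step from the thread: both allow files
# present and empty. "open" models a mis-built node: at.allow absent,
# cron.allow listing a pool account, and a stray crontab in the spool.
make_fixture() (
    dir="$1"; mode="$2"
    mkdir -p "$dir/etc" "$dir/spool"
    if [ "$mode" = locked ]; then
        touch "$dir/etc/cron.allow" "$dir/etc/at.allow"
    else
        printf 'pilot01\n' > "$dir/etc/cron.allow"
        printf '0 * * * * /bin/true\n' > "$dir/spool/pilot01"
    fi
)

# Stand-alone demonstration against the mock trees. On a real node the call
# would be: audit_cron_policy /etc /var/spool/cron root
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/locked" locked
make_fixture "$demo_dir/open" open
for mode in locked open; do
    if audit_cron_policy "$demo_dir/$mode/etc" "$demo_dir/$mode/spool" root; then
        echo "$mode: compliant"
    else
        echo "$mode: NOT compliant"
    fi
done
rm -rf "$demo_dir"
```

The allow-file semantics are the part to keep in mind when reading the output: a missing at.allow is reported as a failure even if at.deny exists, because the deny file only applies when no allow file is present, and the thread's build step is specifically the allow-file form. The spool check is the batch-system-independent piece of Terry's rule; batch-specific cleanup (scratch areas, leftover processes) would need its own checks.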
########################################################################
To unsubscribe from the TB-SUPPORT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1