Will this (or at least the part of it that works) be added to the manual
install instructions or the yaim configuration?
I see many people are rightly concerned with using this opportunity to
improve the incident response process. I am also very concerned about
how to ensure that any resulting site configuration recommendations are
deployed everywhere.
I don't believe it is practical to expect every admin of a new site to
read the whole wiki in case there is something essential in there. I
myself have a rather ad-hoc and incomplete collection of
security-related changes to my site configuration which I just happened
to notice on mailing lists. I suspect many people are the same. Can this
be done more automatically please? Some ideas:
- a final step added to the installation guide that says where to find
extra info about tweaking your set up to make it secure (just the
gocwiki security faq?)
- a well-maintained list of these things (Is the gocwiki security
faq comprehensive? Is it someone's job to make sure?)
- a weekly security bulletin with the latest issues and solutions sent
to all site contacts (perhaps just links to the new items on the page above)
- how about using the yum/apt LCG updates repository to distribute
security fixes automatically? (I'm sure most people are aware that rpms
can contain scripts as well as files.)
Cheers,
Simon
Coles, J (Jeremy) wrote:
> All
>
> There are concerns about a recent user incident regarding ssh keys. To
> be sure to stop such activities in the future please follow the
> guidelines here:
>
> http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
>
> It is insufficient to expect to black list users for experimenting and
> we ought to be aware of potential problem areas and remove them.
>
> Regards,
> Jeremy
>
>
>
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Cornwall, LA (Linda)
> Sent: 13 June 2005 16:56
> To: [log in to unmask]
> Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
> site level ??]
>
> Looks like a vulnerability to me - if someone can leave an ssh key
> behind!
> So simple. Another reason not to recycle accounts.
>
> Linda
>
>
>>-----Original Message-----
>>From: Testbed Support for GridPP member institutes [mailto:TB-
>>[log in to unmask]] On Behalf Of owen maroney
>>Sent: 13 June 2005 16:52
>>To: [log in to unmask]
>>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
>>
>>
>>
>>-------- Original Message --------
>>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>Date: Mon, 13 Jun 2005 16:49:31 +0100
>>From: owen maroney <[log in to unmask]>
>>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
>>To: [log in to unmask]
>>References:
>><[log in to unmask]>
>> <[log in to unmask]>
>>
>>Hi,
>>
>>Hmm.
>>
>>Just checked the CE here and found that at 12:43 today someone copied
>>ssh keys into ~/.ssh
>>
>>This seems fairly clearly an abuse of someone's certificate.
>>
>>I am entirely happy to 'name' this person. I suggest other sites may
>>want to check ls -latrh /home/*/.ssh
>>
>>Owen.
>>
>>Dan Schrager wrote:
>>
>>
>>>I could give you the details of the certificate.
>>>There is someone that had tried to bypass the certificate authentication
>>>by inserting ssh keys into the ~/.ssh directory to which it had been
>>>mapped on our public CE.
>>>
>>>Until further checks I will postpone the "name and shame" policy...
>>>
>>>
>>>
>>>Bly, MJ (Martin) wrote:
>>>
>>>
>>>>I suppose it is politic to ask: if you feel the need to urgently
>>>>blacklist a user, should we all be doing the same?
>>>>Martin.
>>>>
>>>>-----Original Message-----
>>>>From: LHC Computer Grid - Rollout
>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
>>>>Sent: Monday, June 13, 2005 3:57 PM
>>>>To: [log in to unmask]
>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>
>>>>Hi everybody,
>>>>
>>>>There is an urgent need at our site to blacklist a certificate.
>>>>
>>>>Please advise how this can be done at local, gatekeeper(?) level.
>>>>
>>>>Regards,
>>>>Dan
>>>>
>>>>
>>
>>--
>>======================================================
>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>
>>Tel. (+44)20 759 47802
>>
>>Imperial College London
>>High Energy Physics Department
>>The Blackett Laboratory
>>Prince Consort Road, London, SW7 2BW
>>===================================
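
The check suggested in the quoted thread (ls -latrh /home/*/.ssh), written as a scripted audit that a site could run across its pool accounts. This is an added example, not part of the original e-mails; the function name audit_ssh_keys, the 7-day default window and the layout of one home directory per subdirectory are assumptions.

```shell
# audit_ssh_keys BASE [DAYS]
# Walks BASE/*/.ssh and prints one tab-separated line per key file found:
#   STATUS  account  key-count  path
# STATUS is RECENT when the file's mtime is within DAYS days (default 7),
# otherwise OLD. mtime can be reset by whoever wrote the file, so OLD is
# not proof the file is legitimate: on pool accounts that should never
# accept ssh logins, any line of output deserves a look.
audit_ssh_keys() {
    local base days dir account f keys status
    base=${1:-/home}
    days=${2:-7}
    for dir in "$base"/*/.ssh; do
        [ -d "$dir" ] || continue
        account=$(basename "$(dirname "$dir")")
        # Standard OpenSSH file names; authorized_keys2 is the legacy name.
        for f in "$dir"/authorized_keys "$dir"/authorized_keys2; do
            [ -f "$f" ] || continue
            # Each non-blank, non-comment line is one accepted public key.
            keys=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
            if [ -n "$(find "$f" -mtime "-$days" -print)" ]; then
                status=RECENT
            else
                status=OLD
            fi
            printf '%s\t%s\t%s\t%s\n' "$status" "$account" "$keys" "$f"
        done
    done
    return 0
}
```

Run it as root on the CE and worker nodes, for example audit_ssh_keys /home 7, and compare the output against the accounts that are actually meant to allow key-based logins.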