Daniel Kouril, EGI CSIRT meeting, 9.9.2016 RT report Daniel Kouril, EGI CSIRT meeting, 9.9.2016
Current status Upgrade finished RTIR more invasive then expected DB retained (history, ticket numbers, etc.) Several artifacts, nothing serious Massticket adapted to use the new API RTIR more invasive then expected Dictates/expects workflows, handling tickets, etc. (bulk operations, naming of functions, …) Creating tickets improved (to be enabled) Adding of Site and NGI contacts from GOC DB Should allow for controlling access as discussed earlier Reporting – Sven?
Daniel Kouril, EGI CSIRT meeting, 9.9.2016 Security monitoring Daniel Kouril, EGI CSIRT meeting, 9.9.2016
Components Nagios – secmon Pakiti Security Dashboard Operated by GRNET (NGI_GR), security core task Pakiti Operated by CESNET (NGI_CZ), security core task Security Dashboard Operated by NGI_FRANCE, core task on operations portal Coordination – CESNET
Secmon status Issues with current instance Information from Pakiti not kept by Pakiti probe Failures of the submission system 2016-09-04: - 2016-09-05: 64 2016-09-06: 129 (expired certificate) 2016-09-07: 165 2016-09-08: 169 2016-09-09: 146 (ARC CE issues, certificate again?)
Secmon status Service based on SAM, not supported anymore Transition to ARGO difficult WN framework not supported on SL6 Implications on dashboard not clear atm No effort for development from GRNET Until a solution a find we can stick with current instance (based on SL5!)
Certification of sites Supporting infrastructure is gone BDII, WMS, registration portal We can’t send monitoring jobs to non-production sites anymore (we were the only ones) Suggested to join security tests with normal certification ones and use the same procedure NGI will make sure tests are performed Sites is put into production, with immediate downtime declared (3 days) If no issue appears, it’s in production NGIs are complaining about the manual work, EGI to find a solution
Leftovers IanN: wants more compact view Sophie: more query options/ views Toby: feature request for pakiti.egi.eu -redirect to https! Sven: change "Pakiti-Check" test name to the CVE Dashboards send notifications now Reports can be generated regularly
Secant – VM assessment Pilot ready, sandboxed environment prepared Verified on CESNET cloud Testing of EGI VA’s pending VM catcher development Manual tests of couple AppDB Vas Majority closed, only external tests possible To be investigated
<. xml version="1. 0" encoding="UTF-8" <?xml version="1.0" encoding="UTF-8"?> <SECANT> <NMAP_TEST status="OK"><ports><extraports state="closed" count="999"> <extrareasons reason="resets" count="999"/> </extraports> <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port> </ports> </NMAP_TEST> <NTP_AMPLIFICATION_TEST status="FAIL"/> <SSH_AUTH_TEST status="OK">SSH password authentication is not allowed</SSH_AUTH_TEST> <LYNIS_TEST status="OK"> <WARNINGS> <LYNIS>Version of Lynis is very old and should be updated </LYNIS> <AUTH-9228>pwck found one or more errors/warnings in the password file </AUTH-9228> <PKGS-7390>apt-get check returned a non successful exit code. </PKGS-7390> <NETW-2705>Couldn't find 2 responsive nameservers </NETW-2705> </WARNINGS> <SUGGESTIONS> <BOOT-5122>Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) </BOOT-5122> …… </SUGGESTIONS> </LYNIS_TEST> <PAKITI_TEST status="OK">No vulnerable packages.</PAKITI_TEST> </SECANT>