Security Monitoring in a Nagios world

Slides:



Advertisements
Similar presentations
Mobile Agents for Integrating Cloud-Based Business Processes with On-Premises Systems and Devices Janis Grundspenkis Antons Mislēvičs Department of Systems.
Advertisements

LHC Experiment Dashboard Main areas covered by the Experiment Dashboard: Data processing monitoring (job monitoring) Data transfer monitoring Site/service.
EGI: SA1 Operations John Gordon EGEE09 Barcelona September 2009.
HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
Monitoring the Grid at local, national, and Global levels Pete Gronbech GridPP Project Manager ACAT - Brunel Sept 2011.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The network monitoring in grid context Operations.
02/07/09 1 WLCG NAGIOS Kashif Mohammad Deputy Technical Co-ordinator (South Grid) University of Oxford.
WLCG Nagios and the NGS. We have a plan NGS is using a highly customised version of the (SDSC written) INCA monitoring framework. It was became too complicated.
And Tier 3 monitoring Tier 3 Ivan Kadochnikov LIT JINR
James Casey, CERN, IT-GT-TOM 1 st ROC LA Workshop, 6 th October 2010 Grid Infrastructure Monitoring.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Nagios for Grid Services E. Imamagic, SRCE.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Grid Monitoring Tools Alexandre Duarte CERN.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Operations Automation Team James Casey EGEE’08.
CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGEE-EGI Grid Operations Transition Maite.
EGEE-III INFSO-RI Enabling Grids for E-sciencE Overview of STEP09 monitoring issues Julia Andreeva, IT/GS STEP09 Postmortem.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Wojciech Lapka SAM Team CERN EGEE’09 Conference,
Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.
INFSO-RI Enabling Grids for E-sciencE ARDA Experiment Dashboard Ricardo Rocha (ARDA – CERN) on behalf of the Dashboard Team.
SAM Sensors & Tests Judit Novak CERN IT/GD SAM Review I. 21. May 2007, CERN.
Julia Andreeva on behalf of the MND section MND review.
Service Availability Monitor tests for ATLAS Current Status Tests in development To Do Alessandro Di Girolamo CERN IT/PSS-ED.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI How to integrate portals with the EGI monitoring system Dusan Vudragovic.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks APEL CPU Accounting in the EGEE/WLCG infrastructure.
PIC port d’informació científica EGEE – EGI Transition for WLCG in Spain M. Delfino, G. Merino, PIC Spanish Tier-1 WLCG CB 13-Nov-2009.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Ops Portal New Requirements.
CERN IT Department CH-1211 Genève 23 Switzerland t CERN IT Monitoring and Data Analytics Pedro Andrade (IT-GT) Openlab Workshop on Data Analytics.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Regional Nagios Emir Imamagic /SRCE EGEE’09,
Open Science Grid OSG Resource and Service Validation and WLCG SAM Interoperability Rob Quick With Content from Arvind Gopu, James Casey, Ian Neilson,
ATLAS Off-Grid sites (Tier-3) monitoring A. Petrosyan on behalf of the ATLAS collaboration GRID’2012, , JINR, Dubna.
SAM Status Update Piotr Nyczyk LCG Management Board CERN, 5 June 2007.
1 Models for Monitoring James Casey, CERN WLCG Service Reliability Workshop 27th November, 2007.
NGI France-Grilles: Infrastructure evolution H. Cordier.
GOCDB Handover + Status Update Quite heavy GGUS ticketing traffic; responding to user issues has been quite timely, especially in first few weeks (expected.
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n
SAM architecture EGEE 07 Service Availability Monitor for the LHC experiments Simone Campana, Alessandro Di Girolamo, Nicolò Magini, Patricia Mendez Lorenzo,
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Dashboard for Operations Cyril L’Orphelin.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Update on Service Availability Monitoring (SAM) Marian Babik, David Collados,
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Regional tools use cases overview Peter Solagna – EGI.eu On behalf of the.
Monitoring Working Group Update Grid Deployment Board 5 th December, CERN Ian Neilson.
TSA1.4 Infrastructure for Grid Management Tiziana Ferrari, EGI.eu EGI-InSPIRE – SA1 Kickoff Meeting1.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Operational Tools M2 Update James Casey.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Status of the SAM/Nagios/GSTAT Components.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Nagios Grid Monitor E. Imamagic, SRCE OAT.
Transition to EGI PSC-06 Istanbul Ioannis Liabotis Greece GRNET
Daniele Bonacorsi Andrea Sciabà
WLCG IPv6 deployment strategy
Centralized Management for Barracuda Networks products
NGI and Site Nagios Monitoring
POW MND section.
Global Banning List and Authorization Service
Operational Tools Update OMB 27/07/2010
Evolution of SAM in an enhanced model for monitoring the WLCG grid
Advancements in Availability and Reliability computation Introduction and current status of the Comp Reports mini project C. Kanellopoulos GRNET.
March Availability Report for EGEE Sites based on Nagios
Operations & Coordination Tools
A Messaging Infrastructure for WLCG
Maite Barroso, SA1 activity leader CERN 27th January 2009
Discussions on group meeting
Publishing ALICE data & CVMFS infrastructure monitoring
TS4.10 Comp Reports A new approach to Computing Availability/Reliability reports for EGI Progress Report C. Kanellopoulos GRNET 9/14/2018.
Solutions for federated services management EGI
Operational Tools & Middleware Versions Monitoring
DGAS Today and tomorrow
ARGO Central Monitoring
Kashif Mohammad Deputy Technical Co-ordinator (South Grid) Oxford
Site availability Dec. 19 th 2006
Presentation transcript:

Security Monitoring in a Nagios world Chistos Triantafyllidis OSCT F2F meeting

Overview Changes from SAM to Nagios Requirements from OSCT side Work roadmap Missing parts Security monitoring in a Nagios world

From SAM to Nagios SAM infrastructure SAM UI SAM DB Job submits / SE probes Monitor probe results Feeding SAM DB SAM DB Keeps result information for all probes SAM web interface / PI Read only access to the results or the monitored topology Security monitoring in a Nagios world

From SAM to Nagios Nagios infrastructure Nagios UI MyEGEE Can be the same as the Nagios BOX Job submits / SE probes Monitor probe results Local Metric Store DB Message broker network MyEGEE Read only access to the results or the monitored topology Security monitoring in a Nagios world

Changes in new infrastructure Multi-level monitoring model Project level (to be deprecated) Hosted at CERN “lcgadmin” role for tests ROC/NGI level Hosted at ROCs/NGIs Validation procedure NGI/ROC VO groups Site level (optional) Hosted at sites Results are published to the MQ for consumers Central DB Web interface(?) Security monitoring in a Nagios world

Changes in new infrastructure Flexibility Nagios probes can be easily added/removed At any level No SAM validation MDDB Can deploy probe configuration at any level Message Broker Network Allows the aggregation of results from any level to any level Used for integration with other tools GGUS Operations Portal Security monitoring in a Nagios world

Requirements from OSCT side Secure transfer of results From probed node to the Nagios instance From Nagios instance to any other consumer Restricted ACLs for Nagios ROC / NGI Security officers Site administrators Ability to enforce new checks Without time consuming validations Easily deployed Security monitoring in a Nagios world

Work roadmap Secure transfer of results ActiveMQ DOES support SSL encryption for connections But this is not enforced for EVERY connection Thus weaker side defines the system’s security Long discussions with both OSCT and OAT Decided encryption on message level Results encrypted on the probed node (WN) decrypted on the probing node (Nagios) Never being transferred un-encrypted over network Security monitoring in a Nagios world

Work roadmap Worked close with Emir (OAT) Created a prototype Nagios’s host certificate is sent to the WNs A simple shell wrapper is encrypting the result Use of basic OpenSSL commands The results are marked as being “encrypted” Special handler at Nagios side Decryption Non republished back to MQ Created a prototype Relies on the latest org.sam probes Included at the latest org.sam.sec probes Only a pakiti probe is included Security monitoring in a Nagios world

Work roadmap ACLs for Nagios In principal Nagios supports ACLs Not clear if ACLs can be used for some services only This an AP for OAT side Proposed work-around scenarios A dummy host per site GR-01-AUTH-secured A dummy host per host with security monitoring probes ce01.grid.auth.gr-secured cream-ce01.grid.auth.gr-secured Security monitoring in a Nagios world

Work roadmap Ability to enforce new probes New probes need definition in the MDDB Should be easy via web interface And the probe code deployed at the Nagios intances Source of security monitoring probes managed by OSCT Currently developed/used by AUTH (OSCT activity) Separate package Will be built centrally as all other OAT packages Source is available Koji package to be built Jobs are submitted seperately of the normal CE probes We can’t break their stuff They can’t break our stuff No hard validation needed Security monitoring in a Nagios world

Missing parts Secure transfer of results Restricted ACLs for Nagios From probed node to the Nagios instance Done From Nagios instance to any other consumer MyEGEE uses local DB connection No other consumers are used Restricted ACLs for Nagios This is an AP for OAT Ability to enforce new checks Theoretical in place Not ever used for our probes Security monitoring in a Nagios world

Missing parts Transition of current SAM probes There are 3 SAM probes currently SW check Pakiti Done Permissions check Done but not committed yet  Depends on the ACLs issue CA/CRL check Code is almost migrated Security monitoring in a Nagios world

Missing parts Alerting Management of ACLs Do we need special alerting function? No discussion for this yet Probably this is a good place to do this Management of ACLs Currently done via GOCDB Is this sufficient? Do we need another source? Secure publish of results to MQ Central DB Web front-end (?) Security monitoring in a Nagios world

Questions? Thank you… Security monitoring in a Nagios world

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.