Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Monitoring in a Nagios world

Published byGeorgina Charles Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Monitoring in a Nagios world"— Presentation transcript:

1 Security Monitoring in a Nagios world
Chistos Triantafyllidis OSCT F2F meeting

2 Overview Changes from SAM to Nagios Requirements from OSCT side
Work roadmap Missing parts Security monitoring in a Nagios world

3 From SAM to Nagios SAM infrastructure SAM UI SAM DB
Job submits / SE probes Monitor probe results Feeding SAM DB SAM DB Keeps result information for all probes SAM web interface / PI Read only access to the results or the monitored topology Security monitoring in a Nagios world

4 From SAM to Nagios Nagios infrastructure Nagios UI MyEGEE
Can be the same as the Nagios BOX Job submits / SE probes Monitor probe results Local Metric Store DB Message broker network MyEGEE Read only access to the results or the monitored topology Security monitoring in a Nagios world

5 Changes in new infrastructure
Multi-level monitoring model Project level (to be deprecated) Hosted at CERN “lcgadmin” role for tests ROC/NGI level Hosted at ROCs/NGIs Validation procedure NGI/ROC VO groups Site level (optional) Hosted at sites Results are published to the MQ for consumers Central DB Web interface(?) Security monitoring in a Nagios world

6 Changes in new infrastructure
Flexibility Nagios probes can be easily added/removed At any level No SAM validation MDDB Can deploy probe configuration at any level Message Broker Network Allows the aggregation of results from any level to any level Used for integration with other tools GGUS Operations Portal Security monitoring in a Nagios world

7 Requirements from OSCT side
Secure transfer of results From probed node to the Nagios instance From Nagios instance to any other consumer Restricted ACLs for Nagios ROC / NGI Security officers Site administrators Ability to enforce new checks Without time consuming validations Easily deployed Security monitoring in a Nagios world

8 Work roadmap Secure transfer of results
ActiveMQ DOES support SSL encryption for connections But this is not enforced for EVERY connection Thus weaker side defines the system’s security Long discussions with both OSCT and OAT Decided encryption on message level Results encrypted on the probed node (WN) decrypted on the probing node (Nagios) Never being transferred un-encrypted over network Security monitoring in a Nagios world

9 Work roadmap Worked close with Emir (OAT) Created a prototype
Nagios’s host certificate is sent to the WNs A simple shell wrapper is encrypting the result Use of basic OpenSSL commands The results are marked as being “encrypted” Special handler at Nagios side Decryption Non republished back to MQ Created a prototype Relies on the latest org.sam probes Included at the latest org.sam.sec probes Only a pakiti probe is included Security monitoring in a Nagios world

10 Work roadmap ACLs for Nagios In principal Nagios supports ACLs
Not clear if ACLs can be used for some services only This an AP for OAT side Proposed work-around scenarios A dummy host per site GR-01-AUTH-secured A dummy host per host with security monitoring probes ce01.grid.auth.gr-secured cream-ce01.grid.auth.gr-secured Security monitoring in a Nagios world

11 Work roadmap Ability to enforce new probes
New probes need definition in the MDDB Should be easy via web interface And the probe code deployed at the Nagios intances Source of security monitoring probes managed by OSCT Currently developed/used by AUTH (OSCT activity) Separate package Will be built centrally as all other OAT packages Source is available Koji package to be built Jobs are submitted seperately of the normal CE probes We can’t break their stuff They can’t break our stuff No hard validation needed Security monitoring in a Nagios world

12 Missing parts Secure transfer of results Restricted ACLs for Nagios
From probed node to the Nagios instance Done From Nagios instance to any other consumer MyEGEE uses local DB connection No other consumers are used Restricted ACLs for Nagios This is an AP for OAT Ability to enforce new checks Theoretical in place Not ever used for our probes Security monitoring in a Nagios world

13 Missing parts Transition of current SAM probes
There are 3 SAM probes currently SW check Pakiti Done Permissions check Done but not committed yet  Depends on the ACLs issue CA/CRL check Code is almost migrated Security monitoring in a Nagios world

14 Missing parts Alerting Management of ACLs
Do we need special alerting function? No discussion for this yet Probably this is a good place to do this Management of ACLs Currently done via GOCDB Is this sufficient? Do we need another source? Secure publish of results to MQ Central DB Web front-end (?) Security monitoring in a Nagios world

15 Questions? Thank you… Security monitoring in a Nagios world

Download ppt "Security Monitoring in a Nagios world"

Similar presentations

Mobile Agents for Integrating Cloud-Based Business Processes with On-Premises Systems and Devices Janis Grundspenkis Antons Mislēvičs Department of Systems.

Mobile Agents for Integrating Cloud-Based Business Processes with On-Premises Systems and Devices Janis Grundspenkis Antons Mislēvičs Department of Systems.
LHC Experiment Dashboard Main areas covered by the Experiment Dashboard: Data processing monitoring (job monitoring) Data transfer monitoring Site/service.

LHC Experiment Dashboard Main areas covered by the Experiment Dashboard: Data processing monitoring (job monitoring) Data transfer monitoring Site/service.
EGI: SA1 Operations John Gordon EGEE09 Barcelona September 2009.

EGI: SA1 Operations John Gordon EGEE09 Barcelona September 2009.
HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.

HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
Monitoring the Grid at local, national, and Global levels Pete Gronbech GridPP Project Manager ACAT - Brunel Sept 2011.

Monitoring the Grid at local, national, and Global levels Pete Gronbech GridPP Project Manager ACAT - Brunel Sept 2011.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks The network monitoring in grid context Operations.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The network monitoring in grid context Operations.
02/07/09 1 WLCG NAGIOS Kashif Mohammad Deputy Technical Co-ordinator (South Grid) University of Oxford.

02/07/09 1 WLCG NAGIOS Kashif Mohammad Deputy Technical Co-ordinator (South Grid) University of Oxford.
WLCG Nagios and the NGS. We have a plan NGS is using a highly customised version of the (SDSC written) INCA monitoring framework. It was became too complicated.

WLCG Nagios and the NGS. We have a plan NGS is using a highly customised version of the (SDSC written) INCA monitoring framework. It was became too complicated.
And Tier 3 monitoring Tier 3 Ivan Kadochnikov LIT JINR 17.05.2012.

And Tier 3 monitoring Tier 3 Ivan Kadochnikov LIT JINR
James Casey, CERN, IT-GT-TOM 1 st ROC LA Workshop, 6 th October 2010 Grid Infrastructure Monitoring.

James Casey, CERN, IT-GT-TOM 1 st ROC LA Workshop, 6 th October 2010 Grid Infrastructure Monitoring.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Nagios for Grid Services E. Imamagic, SRCE.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Nagios for Grid Services E. Imamagic, SRCE.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Grid Monitoring Tools Alexandre Duarte CERN.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Grid Monitoring Tools Alexandre Duarte CERN.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Operations Automation Team James Casey EGEE’08.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Operations Automation Team James Casey EGEE’08.
CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.

CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks EGEE-EGI Grid Operations Transition Maite.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGEE-EGI Grid Operations Transition Maite.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org Overview of STEP09 monitoring issues Julia Andreeva, IT/GS 09.07.2009 STEP09 Postmortem.

EGEE-III INFSO-RI Enabling Grids for E-sciencE Overview of STEP09 monitoring issues Julia Andreeva, IT/GS STEP09 Postmortem.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Wojciech Lapka SAM Team CERN EGEE’09 Conference,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Wojciech Lapka SAM Team CERN EGEE’09 Conference,
Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.

Similar presentations

Ads by Google