OSG Security Review
Mine Altunay
June 19, 2008

Upload: letitia-cooper

Post on 29-Dec-2015



Security Overview

• Current Initiatives
  - Incident response procedure – top priority (WBS 2.1.2 and 2.3.)
  - OSG Registration Policy and Requirements from members (WBS 2.3.1)
    - VO, and Site requirements, collected policies?
  - OSG Core Assets/Software in VDT Stack (WBS 2.1.7)
    - OSG security Officer’s duty wrt VDT’s consumers
  - DOEGrids RA workflow – introducing requested notifications (WBS 2.2)
  - VO incident response teams (WBS 2.1.1 and 2.1.2)
  - Command Line Security Management Tools (WBS 2.1.1)
  - Banning tool requirements. With CDIGS. (WBS 2.1.9)
  - Including OSG Staff contact info into OIM (WBS 2.1.1 and 2.1.2)
  - Grid Tactical Plan (FNAL) and MOU with VO services/Privilege Project (WBS 2.1.9)
  - ST&E control deadlines are approaching (WBS 2.1.1)

• Accomplishments Since Last Report (some in progress)
  - Items completed from the roadmap (WBS 2.1.4)
    - Proxy Clean-Up for Jobs – completed. A bug in Globus is found
    - Proxy clean-up for storage is under investigation
  - Incident Response procedure – first draft completed
  - Security plan revision against NIST guidelines – completed (WBS 2.1.4)
  - Privacy Policy has been discussed at the board, comments are being addressed (WBS 2.3)
    - For implementation, I will ask Suchandra’s help
  - JSPG meeting, 4 policies are approved and comments sent to WLCG (WBS 2.3, 2.3.2, 2.3.1)


  - Forensics/Auditing tool Splunk (WBS 2.1.9.1)
    - Initial coding for testing completed
    - Data transfer from Gratia to Splunk is being worked on
  - NSF report to Large facilities
  - User’s meeting at BNL. Invited Security contacts with Jemise. Good participation and raised awareness

• Vulnerabilities/incidents
  - Debian openSSL problem
    - Report completed.
    - Post-mortem actions: IGTF incident response procedures, LIGO’s openSSH library error mode
  - RPath problem: fix has been released. Report is in progress.
    - Post-mortem actions: Comm problems with EGEE. Announcement sent to Linux comm. Discussing SELinux and VDT. Changing VDT build practice to prevent this from happening again
  - IGTF distribution problem: Newly accredited CAs and site policies. Still in discussion
  - INFN root exploit – joint report with EGEE is completed and sent to facility
    - The team is discussing the post-mortem actions listed


Security Overview

• Issues / Concerns
  - Effort: incident and vulnerability response and discussion takes a considerable amount of time from other work.
  - Pending initiatives
  - Confusion over VDT/OSG relationship
  - Specific to past months: increasing time spent on Fermilab duties. Lay-offs and other procedures
  - Cooperation with other area coordinators: OSG 1.0 stalled many initiatives due to lack of effort


Initiatives/Concerns from the Last Report

• Initiatives
  - OSG Security roadmap
    - Technical and operational needs for long and short term (WBS 2.1.4)
    - Incident Mitigation Plans (WBS 2.3)
    - AuthN needs: GSI auth problems, CRLs, proxy clean up and VOMS-GUMS authN (WBS 2.1.1 and 2.1.9 and 2.1.9.1)
    - AuthZ needs: Banning tool, Uniform FQAN, MyProxy, AC validation (a request doc is written with Privilege project) (WBS 2.1.1 and 2.1.9 and 2.1.9.1)
    - More fire drills and site education (WBS 2.1)
    - Forensics -- Splunk, incident training
    - Certify tool
  - Policy work
    - JSPG and OSG policies – incident response policy has priority (WBS 2.1.2 and 2.3.)
    - Revising old security plan against NIST guidelines (WBS 2.1.4)
    - Risk assessment (WBS 2.1.4, 2.3)

• Issues / Concerns
  - Effort – Jim and Ron already started – very helpful
  - Incident sharing and privacy concerns, latest incident at INFN
  - Lack of security education, and incidents
    - We need more fire drills and discuss OSG responsibilities
  - Lack of attendance at security meetings – our facility team

Color code: Completed, Work has started, No work
