(2009-07-29, MingchaoMa)
---++Operational Security Coordination Team

*DRAFT* work in progress.

This topic contains guidance and notes for the OSCT on handling security advisories and incidents.

---+++Incidents Reported on the Security CSIRTS list (project-lcg-security-csirts@in2p3.fr)

Incidents should be handled according to the [[https://edms.cern.ch/file/428035/LAST_RELEASED/Incident_Response_Guide.pdf][agreed incident handling process]]. The OSCT-DC has responsibilities defined [[OSCT-1#RespIHP][here]].

---+++Advisories Received from the Grid Security Vulnerability Group ([[http://www.gridpp.ac.uk/gsvg/][GSVG]])

_Please note that the GSVG process leading to public disclosure and the target-date time windows have not yet been officially approved by the project._

Advisories which have been assessed by the GSVG Risk Assessment Team (GSVG-RAT) will be sent to the OSCT at project-lcg-security-support@cern.ch. GSVG-RAT classifies each vulnerability according to a scale of risk as LOW, MEDIUM, HIGH and EXTREMELY CRITICAL (further details of the classification scheme are available [[http://www.gridpp.ac.uk/gsvg/][on the GSVG site]]).

Not all GSVG advisories will be sent to the OSCT. The OSCT receives advisories where either action to mitigate the vulnerability at Grid sites is anticipated or a known vulnerability will not be patched before it reaches its _target date_. Also, if the GSVG is notified of vulnerabilities which are *already public* then the OSCT is notified immediately of the result of the assessment.

For LOW, MEDIUM and HIGH vulnerabilities a completed vulnerability advisory will be available. In view of the urgency, notification of an EXTREMELY CRITICAL vulnerability is likely to be less complete.

The processes for the two cases are documented separately below.

---++++ GSVG severity EXTREMELY CRITICAL vulnerability advisory handling by OSCT

On receipt of an EXTREMELY CRITICAL advisory, the following responsible persons and/or their deputies should be contacted immediately, either by email or by a follow-up telephone call, to attend a telephone conference call (_contact details to be provided_):

   * Ian Bird - Head of LCG/EGEE Operations (SA1)
   * Maite Barroso Lopez - Manager Operations
   * Nicholas Thackrey - Deputy Manager Operations
   * Markus Schulz - Manager Certification and Testing (SA3)
   * Laurence Field - Deputy Manager Certification and Testing
   * Claudio Grandi - Manager gLite Middleware development
   * John White - Deputy Manager gLite Middleware development
   * Ake Edlund - Head of Security EGEE
   * Dave Kelsey - Deputy Head of Security EGEE, Chair JSPG
   * Mingchao Ma - Deputy LCG/EGEE Security Officer
   * Romain Wartel - LCG/EGEE Security Officer, OSCT Chair
   * ROC Security Contacts and ROC Managers
   * Relevant contacts from the GSVG should also be contacted to be available for advice.

The meeting will decide on an appropriate course of action, including the assignment of responsibilities for:

   * co-ordination actions
   * content of advisories to be distributed
   * mitigation measures

---++++ GSVG severity LOW, MEDIUM and HIGH vulnerability advisory handling by OSCT

GSVG advisories will contain:

   * a description of the vulnerability
   * the severity assigned by GSVG-RAT
   * a unique identifier for tracking
   * the so-called _target date_, which is the date the GSVG makes the advisory fully public on its website and mailing lists
   * (optionally) advice on fix or mitigating action that can be taken
   * (optionally) additional relevant information

The length of the time-window between the GSVG issuing an advisory and the _target date_ depends on the severity of the vulnerability according to an agreed scale.

The GSVG-RAT can be contacted for clarification by mail at project-egee2-gsvg-rat@cern.ch.

In each case, the OSCT, by email or other discussion, must decide on a course of action which may include:

   * Immediate [[OSCTProcsTemplate1][_heads up_]] notice to sites. This would be appropriate in cases where the severity of an issue or the lack of an immediate patch requires that site administrators be informed so that they can decide on local mitigating action such as restricting or shutting down a grid service. The _heads up_ is designed to act as a warning and give the site administrators the information they need to make an informed decision on local action, including a projected timescale for further action.
   * Issue an Operations Advisory notice to sites. In cases where no patch will be made available (such as architectural or design limitations which can only be mitigated by appropriate processes being followed at a site) an appropriate advisory should be issued. Recommended actions such as documentation changes or procedural changes should be forwarded to the responsible parties.
   * If and when a patch is available, following build and certification, the normal grid operations release procedure is applied. The GSVG advisory will be included in the release notes at this stage and OSCT may be involved in drafting the content of the notes.

_Heads up_ notices and advisories should be sent as follows:

   * Use the [[https://cic.in2p3.fr/index.php?section=cod&page=broadcast][EGEE broadcast tool]]
   * Select to send to: _Production Site Admin_ and _PPS Site Admin_
   * Do *NOT* send to the LCG Rollout
   * Add into CC: project-lcg-security-contacts@cern.ch *AND* project-lcg-security-support@cern.ch

If the EGEE broadcast tool is not available, the advisory should be sent to project-lcg-security-contacts@cern.ch *AND* project-lcg-security-support@cern.ch, and should include a statement that the site administrators should be contacted locally if necessary.

---+++Template advisories

[[OSCTProcsTemplate1][Example and Template advisory]]

---+++NREN contacts

[[OSCT-NRENmapping][NRENs/ROCs mapping]]

-- Main.ineilson - 25 Oct 2006
Topic revision: r13 - 2009-07-29 - MingchaoMa