Security Assessment

SAM Security Monitoring

Completed tests

  • None.

Pilot tests in Production

Pilot tests in Validation

  • Check if files or directories included in environment variables have 'w' permission flag in Other group (CE-wn-sec-fp)

Tests in-work

  • Checking the permissions of the filesystem (world writable files/dir taken from the environment variables, ownership of common configuration files, etc.) (Developer: David Collados)

Tests being considered

  • Monitor processes that escaped from their process tree.
  • Checking the validity of host cert, permissions thereof (?)
  • Checking the validity of CAs (?)
  • Checking the validity of gridmaps (?)
  • Checking the clock skew (?)
  • Checking the output of the "last" command (If a WN is accessed only by the pool account users or for administrative purposes, we should have no users other than "root") (?)
  • Verify the main system RPMs (ex: SysVinit, coreutils) with "rpm --verify"
  • Checking the patching status of the WN

Source code auditing

Penetration tests

  • Testing potential remote vulnerabilities of network services (ex: blasting WMS network services with funny data)
  • Trying to escalate as root on CEs/WNs
  • Trying to obtain/use someone else's identity
  • Trying to tamper with someone else's data

Findings will be reported to the Grid Security Vulnerability Group.

-- Romain Wartel

Edit | Attach | Watch | Print version | History: r7 < r6 < r5 < r4 < r3 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r7 - 2007-10-31 - DavidCollados
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback