Please follow the EGI Security Incident Handling Procedure to report a security incident to abuse at egi.eu (CSIRT PGP key). Below you will find some explanations about that incident response procedure.

Sites must report an incident or possible incident to abuse at egi.eu (at least within 4 hours after the suspected incident has been discovered).
You will find it useful to print the SEC01-RC.pdf.

There is also a Forensics Howto page.
The initial HEADS-UP, which you should aim to send as soon as the incident has been discovered, should contain the minimum information that would allow the EGI CSIRT to notify all members of the EGI Infrastructure and close collaborations about the incident, in order to contain it. This email will, in most cases, be forwarded as-is (plus EGI case number) to all security contacts.

FROM: <you>
TO: abuse@egi.eu
SUBJECT: [TLP:AMBER] Security incident suspected at <site>

** AMBER Information – Limited Distribution **
** This may be shared with trusted security teams on a need-to-know basis **
** see https://go.egi.eu/tlp for distribution restrictions **

Dear EGI CSIRT,

A suspected security incident has been detected at <SiteName>.

Summary of the information available so far:

<Ex: A malicious SSH connection was detected from 012.012.012.012. The extent of the incident is unclear for now, and more information will be published in the coming hours as forensics are progressing at our site. However, all sites should check for successful SSH connection from 012.012.012.012 as a precautionary measure.>
This template can be used to provide a detailed view of the incident, and may be completed and resent as the investigation progresses. The data in this email will, in most cases, be forwarded to all security contacts, but some filtering might be applied if deemed necessary.
FROM: <you>
TO: abuse@egi.eu
SUBJECT: [TLP:AMBER] Security incident suspected at <site>

** AMBER Information – Limited Distribution **
** This may be shared with trusted security teams on a need-to-know basis **
** see https://go.egi.eu/tlp for distribution restrictions **

Dear EGI CSIRT,

A security incident has been detected at <SiteName>.

- Short summary of the incident
  <Provide a high-level overview of the incident>

- Host(s) affected
  <List of compromised hosts and/or hosts running suspicious user code.
  ex: grid-worker-node-124.mysite.org (123.123.123.123)>

- Host(s) used as a local entry point to the site (ex: UI or WMS IP address)
  <The host that the attacker is likely to have used to access the site.
  ex: grid-ui-101.mysite.org (123.123.123.124)>

- Remote IP address(es) of the attacker
  <The remote host from which the attacker is likely to have connected.
  ex: 123.adsl.somecorp.com (012.012.012.012)>

- Evidence of the compromise, including timestamps (ex: suspicious files or log entry)
  <Ex: the attacker logged in as root from 123.adsl.somecorp.com.
  Times are UTC:
  Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for root from 012.012.012.012>

- What was lost, details of the attack
  <Provide available details on the extent of the compromise.
  Ex: System logs revealed the attacker guessed the root password of grid-ui-101 on Mar 24 12:00:09 (UTC) after hundreds of attempts. Then, the attacker [...] etc.>

- If available and relevant, the list of other sites possibly affected
  <Ex: firewall logs reveal suspicious SSH connections from the compromised node to grid-ui.friendlysite.org on Mar 24 13:01:03 (UTC). friendlysite.org has been contacted.>

- Possible vulnerabilities exploited by the attacker
  <Ex: the attacker exploited a weak root password and gained further access by exploiting CVE-2009-1234 against [...] etc.>

- Actions taken to resolve the incident
  <Ex: Disk images have been saved, hosts have been reinstalled from scratch with new, strong root passwords, and SSH has been configured to prevent "root" logins with password.>

- Recommendations for other sites, actions suggested
  <Ex: Sites should check and report any successful SSH connection from grid-ui-101 between Mar 24 12:00:09 (UTC) and Mar 24 17:00:00 (UTC). It is also recommended to avoid direct SSH access, and to configure sshd with "PermitRootLogin without-password".>

- Timeline of the incident
  <Ex:
  2009-03-24 09:12:43 UTC Multiple SSH connection attempts from 012.012.012.012
  2009-03-24 12:00:09 UTC Attacker connects as root on grid-ui-101.mysite.org from 012.012.012.012
  2009-03-24 13:01:03 UTC SSH scan from grid-ui-101 against grid-ui.friendlysite.org
  [...]
  2009-03-24 15:00:00 UTC Site security team investigating
  2009-03-24 15:34:00 UTC EGI security contacts informed
  [...]>
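The template's "Recommendations for other sites" asks every site to check its own sshd logs for successful connections from the reported sources within a stated UTC window, and to report them in the timeline format used above. The following script is an added example of how a site could do that check; it is not part of the EGI page or the CSIRT procedure. It parses the classic syslog-style sshd "Accepted" line quoted in the evidence section (with or without the usual "port N ssh2" suffix), assumes the timestamps are UTC as the template states, and takes the year as a parameter because syslog timestamps carry none. The hostnames, addresses and log lines are constructed sample data built from the template's placeholders.

```python
# Added example (not part of the EGI page): scan sshd log lines for successful
# logins from suspect sources inside an incident time window, as asked for in
# the template's "Recommendations for other sites". Hostnames, addresses and
# log lines below are constructed sample data, not real incident data.
import re
from datetime import datetime, timezone

# Syslog-style sshd "Accepted" line, as quoted in the template's evidence section:
#   Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for root from 012.012.012.012
# Real sshd lines usually continue with "port N ssh2"; the pattern tolerates both.
ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_accepted(line, year):
    """Return a dict for a successful-login line, or None for anything else.

    Classic syslog timestamps carry no year, so the caller supplies it; the
    template states that times are UTC, and that is assumed here too.
    """
    m = ACCEPTED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def find_suspect_logins(lines, suspect_sources, start, end, year):
    """Successful logins from any suspect source with start <= time <= end (inclusive)."""
    hits = []
    for line in lines:
        rec = parse_accepted(line, year)
        if rec is not None and rec["src"] in suspect_sources and start <= rec["ts"] <= end:
            hits.append(rec)
    return hits


def summarize(hits):
    """Render hits as timeline lines in the template's 'YYYY-MM-DD HH:MM:SS UTC ...' style."""
    return [
        f"{h['ts']:%Y-%m-%d %H:%M:%S} UTC {h['user']}@{h['host']} from {h['src']} ({h['method']})"
        for h in hits
    ]


# Constructed sample: the attacker's address and the compromised UI's address
# from the template are the suspect sources; the window is the one the
# template's recommendation asks other sites to check.
SUSPECT_SOURCES = {"012.012.012.012", "123.123.123.124"}
WINDOW_START = datetime(2009, 3, 24, 12, 0, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2009, 3, 24, 17, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [  # constructed log lines
    "Mar 24 11:58:01 grid-ui-101 sshd[13800]: Failed password for root from 012.012.012.012 port 40001 ssh2",
    "Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for root from 012.012.012.012 port 40022 ssh2",
    "Mar 24 12:30:00 grid-worker-node-124 sshd[2201]: Accepted publickey for gridops from 10.0.0.5 port 50111 ssh2",
    "Mar 24 13:01:03 grid-worker-node-124 sshd[2240]: Accepted password for root from 123.123.123.124 port 50222 ssh2",
    "Mar 24 18:00:00 grid-worker-node-124 sshd[2500]: Accepted password for root from 123.123.123.124 port 50333 ssh2",
]

if __name__ == "__main__":
    hits = find_suspect_logins(SAMPLE_LOG, SUSPECT_SOURCES, WINDOW_START, WINDOW_END, 2009)
    for line in summarize(hits):
        print(line)
```

On the sample data the failed attempt is ignored, the login from 10.0.0.5 is not a suspect source, and the 18:00:00 login falls outside the window, so only the 12:00:09 and 13:01:03 logins are reported, already in the timeline form the template expects. Sites that forward sshd to a central log host with a different timestamp format (for example ISO 8601 with year and zone) would only need to adapt the regular expression and the year handling.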
EGI-CSIRT developed the EGI Security Incident Handling Procedure. The document has been approved by the EGI OMB and PMB. EGI sites must follow this procedure when handling security incidents.

The "Security Incident Handling Procedure" defines site and incident coordinator responsibilities when handling Grid-related security incidents. We strongly encourage our security contacts and system administrators to have a printed copy of this procedure.