Document control
Procedure reviews
The following table is updated after every review of this procedure.
Table of contents
Overview
This procedure provides steps to certify Resource Centre from security point of view, as part of PROC09 Resource Centre Registration and Certification procedure. The monitoring is performed using the tools used by the EGI CSIRT and enabled upon request of Resource Centre.
This step of the security certification procedure checks that the resources under certification do not contain known CRITICAL software vulnerabilities.
Definitions
Please refer to the EGI Glossary for the definitions of the terms used in this procedure.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Entities involved in the procedure
- RC (Resource Centre Operations Manager): A person who is responsible for initiating the certification process by applying for membership to a Resource Infrastructure (e.g site administrator).
OC (Operations Centre - Resource Infrastructure): An entity which is technically responsible for carrying out the Resource Centre certification part of the procedure, once the membership is approved.
A list of EGI Operations Centres with their respective contact information is available from the GOCDB (access restricted - grid certificate needed)
EGI CSIRT (Computer Security Incident Response Team): EGI entity which is technically responsible for carrying out
- EGI SDIS: EGI Foundation Service Delivery and Information Security team, formerly EGI Operations
Triggers
Steps
HTC (Grid) Resource Centre
Step# | Responsible | Action | Prerequisites, if any | |
---|---|---|---|---|
1 | RC | Make sure that the site is up to date with regard to security patches. In case of re-certification due to suspension following a critical vulnerability, make sure that the recommendations in the corresponding EGI SVG advisory have been followed. | ||
2 | RC | Follow instructions on Pakiti client: install and run the pakiti client on a random Worker Node. In case of re-certification due to suspension following a critical vulnerability, run Pakiti on the affected node(s). | ||
3 | RC | Check on https://pakiti.egi.eu/host.php?h=${hostname} that the report was sent and that no critical vulnerability was found. If one is found, and is not mitigated, go back to step 1. | ||
4 | RC | Notify the EGI CSIRT by sending an email to abuse<AT> egi.eu with the OC in Cc. Explain in detail any mitigation deployed, if any. | ||
5 | EGI CSIRT | EGI CSIRT Verify the results and communicate back a positive assessment including the OC in Cc. | ||
6 | OC | Report in the GGUS ticket (if any), opened for tracking the certification process, the result of the assessment. PROC09 can continue |
Cloud Resource Centre
Step# | Responsible | Action | Prerequisites, if any | |
---|---|---|---|---|
1 | RC | Fill the EGI security survey and inform EGI Operations (operations<AT>egi.eu) either by adding it in copy to the GGUS ticket used for tracking the certification process or by opening a new one (Support Unit: Operations)
| ||
2 | EGI SDIS (Operations) | Check the filled in survey and send it to EGI CSIRT (abuse<AT>egi.eu). | ||
3 | EGI CSIRT | The EGI CSIRT will communicate back an assessment result. In case of issues EGI CSIRT contact RC to better understand situation. |