Security Service Challenge level 2 (SSC_2)
This WIKI contains instructions, recommendations and suggestions
that are relevant for the LCG/EGEE Security Service Challenge level 2 (SSC_2).
The objective
Security Service Challenge level 2 (SSC_2) challenges the Storage Elements (SE).
The goal of the LCG/EGEE Security Service Challenge (SSC) is to investigate whether sufficient information is available to conduct an audit trace as part of an incident response, and to ensure that appropriate communication channels are available.
Material for the Test OPerator (TOP)
We have provided a tool kit containing software and detailed instructions for executing the SSC_2. The material is available for download here.
A ReadMe provides a brief description of the material.
Alerting and Reporting
The submission of SSC_2 challenge alerts will use the GGUS ticketing system.
An alert is deemed acknowledged when it enters the "in progress" state.
Stages of the SSC_2
The SSC_2 is executed in two stages:
- The Grid Operation Center targets the principal Site of each of the LCG/EGEE Regional Operation Centers (ROC);
- Each ROC targets the individual Sites within the ROC. The ROC Security Contact is responsible for coordinating the execution of this stage.
Stage 1
The initial ticket was filled in with the following elements:
- The short description is: Security Service Challenge (SSC_2) for <ROC-name>/<Site-name>
- The description is: This is a test of the type "Security Service Challenge". This ticket shall be assigned to "Security Management". The ROC Security Contact is responsible for coordinating a solution to the problem. The particulars of the SSC are supplied in the attachment of this ticket.
- The priority is: less urgent
- It is a DTEAM-specific problem
- The particulars about what has been seen, as well as the specific questions are in the attachment of the initial alert. A skeleton of the attachment used at Stage_1 is shown below:
A sequence of storage operations has been executed on your site as
part of a Security Service Challenge (SSC). The particulars of the
operations are listed below:
Distinguished Name (DN) of Grid credentials used by the submitter:
/C=xy/O=GRID/CN=MR X 1234
Date:
2006-10-11
Approximate time interval: between:
07:30 -and- 07:50 (UTC)
Affected storage element:
se_12345.xxx.yyy
---------------------------------------------------------
Please investigate and respond by providing the following information:
1). Which sequence of storage operations were executed by the
challenger in the specified time interval (UTC)?
2). What was the IP-address of the User Interface (UI) which was used
for the job submission?
---------------------------------------------------------
Stage 2
The contents of the various elements of the ticket must be adapted according to the operational environment of each individual region.
Following the proposal made at the debriefing from Stage_1, it was decided to provide a little more guidance in the formulation of the questions about what operations had been executed. The modified skeleton text is shown below. The text should be completed and inserted into the attachment of the GGUS ticket.
A sequence of seven storage operations have been executed on your site as
part of a Security Service Challenge (SSC). The particulars of the operations
are listed below:
Distinguished Name (DN) of Grid credentials used by the submitter:
/C=xy/O=GRID/CN=MR X 1234
Date:
2007-01-09
Approximate time interval: between:
07:30 -and- 07:50 (UTC)
Affected storage element:
se_12345.xxx.yyy
---------------------------------------------------------
Three of the operations implied transport (Grid FTP) of data. Two were
"directory lookup" type operations. Two were attempts to "delete file".
The configuration at your Site may not include logging of all these
storage operations.
Gather as much information about the operations executed by the DN in
the time interval. Use available logging and other information sources
at your own discretion.
1). For each of the identified storage operations, please indicate:
- The exact time (UTC);
- The type of operation;
- The URLs, filenames, catalog names and filepaths involved.
2). Please indicate the IP-address of the User Interface (UI) that
was used for the Job Submission?
---------------------------------------------------------
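The audit trace requested in the Stage 2 skeleton amounts to filtering the SE logs by DN and by a UTC window, then reporting time, operation type, path and client address. The following is an added example, not part of the SSC_2 tool kit; the log line format, the FTP-verb-to-category mapping and the `client=` field are assumptions made for illustration, and the sample lines are constructed with a +01:00 local offset to show the UTC conversion.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in a simplified, hypothetical format; real SE and
# GridFTP logs differ per implementation and need their own parser.
SAMPLE_LOG = """\
2007-01-09T08:29:58+01:00 dn="/C=xy/O=GRID/CN=MR X 1234" op=LIST path=/dteam/ssc2 client=192.0.2.10
2007-01-09T08:31:05+01:00 dn="/C=xy/O=GRID/CN=MR X 1234" op=LIST path=/dteam/ssc2 client=192.0.2.10
2007-01-09T08:33:40+01:00 dn="/C=xy/O=GRID/CN=Someone Else" op=STOR path=/dteam/other/a client=198.51.100.7
2007-01-09T08:35:12+01:00 dn="/C=xy/O=GRID/CN=MR X 1234" op=STOR path=/dteam/ssc2/f1 client=192.0.2.10
2007-01-09T08:41:27+01:00 dn="/C=xy/O=GRID/CN=MR X 1234" op=DELE path=/dteam/ssc2/f1 client=192.0.2.10
2007-01-09T08:55:00+01:00 dn="/C=xy/O=GRID/CN=MR X 1234" op=RETR path=/dteam/ssc2/f2 client=192.0.2.10
"""

LINE_RE = re.compile(r'^(\S+) dn="([^"]+)" op=(\S+) path=(\S+) client=(\S+)$')
# Assumed mapping from FTP verbs to the operation categories used in the ticket.
OP_TYPES = {"STOR": "transfer", "RETR": "transfer",
            "LIST": "directory lookup", "DELE": "delete file"}

def audit_trace(log_text, dn, start_utc, end_utc):
    """Return (timeline, client_ips) for one DN inside a UTC window."""
    timeline, clients = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skipped here, review by hand in practice
        stamp, line_dn, op, path, client = m.groups()
        # Logs are often in local time; normalise to UTC before comparing.
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        if line_dn != dn or not (start_utc <= when <= end_utc):
            continue
        timeline.append((when.strftime("%H:%M:%S"), OP_TYPES.get(op, "other"), path))
        clients.add(client)
    return sorted(timeline), sorted(clients)

def demo():
    start = datetime(2007, 1, 9, 7, 30, tzinfo=timezone.utc)
    end = datetime(2007, 1, 9, 7, 50, tzinfo=timezone.utc)
    return audit_trace(SAMPLE_LOG, "/C=xy/O=GRID/CN=MR X 1234", start, end)

if __name__ == "__main__":
    events, ips = demo()
    for when, kind, path in events:
        print(f"{when} UTC  {kind:16}  {path}")
    print("client addresses:", ", ".join(ips))
```

The first and last sample lines fall outside the window only after conversion to UTC, which is the mistake to watch for when a site logs in local time.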
Follow-up
- If TOP has not received a relevant acknowledgment before the end of the following working day, then the GGUS ticket will be resubmitted.
- If TOP has not received a relevant acknowledgment within a further 24 hour delay, then the Site will be contacted by means of the telephone number registered in the GOCDB.
- If no response has been received within five working days from the submission of the initial alert, then the challenge for that Site will be marked as incomplete.
Debriefing Reports
After completion of each Stage of the SSC_2, the participating ROCs are asked to provide feedback from the exercise. Comments may go further than the execution of SSC_2 proper and also provide suggestions for other, future challenges. Based on the input, the final SSC_2 debriefing report will be compiled, circulated among its contributors and eventually published here.
Links to related information
SSC_2 Stage_1: Summary of Job Submissions
SSC_2 Stage_1: Debriefing Report
SSC_2 Stage_2: Material for TOP
SSC_2 Stage_2: ReadMe for TOP
SSC_2: Google map of participating sites
SSC_2_Stage_2_Report_AsiaPacific.pdf: Comprehensive SSC_2 Stage 2 Report from AsiaPacific. It also contains a brief account of how that ROC overcame some of the hurdles.
AsiaPacific SSC_2 Stage 2 Website: This reference also contains some guidance for resolution of the challenge.
SSC_2 Stage_2: CERN ROC Summary of Job Submissions
___________
Updates:
2007-06-05 (psa) added material from AsiaPacific
2007-03-08 (psa) added link to Google map
2007-01-08 (psa) added reference to the Debriefing Report from Stage_1
2006-11-21 (psa) added more elements from the execution of Stage_1
2006-08-15 (psa) initial writing