Security Assessment
SAM Security Monitoring
Completed tests
Pilot tests in Production
Pilot tests in Validation
- Check if files or directories included in environment variables have 'w' permission flag in Other group (CE-wn-sec-fp)
Tests in-work
- Checking the permissions of the filesystem (world writable files/dir taken from the environment variables, ownership of common configuration files, etc.) (Developer: David Collados)
Tests being considered
- Monitor processes that escaped from their process tree.
- Checking the validity of host cert, permissions thereof (?)
- Checking the validity of CAs (?)
- Checking the validity of gridmaps (?)
- Checking the clock skew (?)
- Checking the output of the "last" command (If a WN is accessed only by the pool account users or for administrative purposes, we should have no users other than "root") (?)
- Verify the main system RPMs (ex: SysVinit, coreutils) with "rpm --verify"
- Checking the patching status of the WN
Source code auditing
- Analyzing the VOMS source code (current being done)
- Using standard tools to audit the gLite WMS, gLite CE, MyProxy source code
Penetration tests
- Testing potential remote vulnerabilities of network services (ex: blasting WMS network services with funny data)
- Trying to escalate as root on CEs/WNs
- Trying to obtain/use someone else's identity
- Trying to tamper with someone else's data
Findings will be reported to the Grid Security Vulnerability Group.
-- Romain Wartel