EGEE Security Coordination Group (SCG) meeting
----------------------------------------------

Phone conference - Friday 23 May 2008 11:00 CEST

Present: David Groep, Romain Wartel, John White,
         Christoph Witzig and Dave Kelsey (chair and minutes)

Apologies: Linda Cornwall

1. Outstanding issues from last meeting (18th April)

None that won't be covered later in this meeting.

2. Roundtable reports

OSCT (RW)
---------

- Security Service Challenge 3 (SSC3) has been run & completed for EGEE
  Tier1s and is on-going at the US Tiers.
  * Detailed results:
    https://osct.web.cern.ch/osct/ssc3/scores.html
  * Summary presentation:
    http://indico.cern.ch/materialDisplay.py?sessionId=1&materialId=3&confId=20229
  * Main findings:
    - Heterogeneous results
    - ~1/3 of the Tier1s unable to block the malicious DN
    - ~2/3 of the Tier1s unable to kill the malicious processes
    - Only 1 site killed all malicious processes without unplugging
      the WN
    - Debriefing still in progress.

- Training/dissemination
  In collaboration with Christoph, a Wiki page has been created very
  recently to provide security recommendations to site administrators.
  All relevant developers and experts are asked to contribute!
  http://goc.grid.sinica.edu.tw/gocwiki/Security_recommendations_for_grid_services

- Alice/xrootd: port range
  Alice is requesting all sites supporting the Alice VO to open a new
  port range (~ 1000 ports) on all disc servers to enable WAN xrootd
  transfers. In terms of security, while this is certainly NOT a step
  forward, it is difficult to argue this will drastically change the
  situation provided 5000 other ports are already opened. Sites can
  choose to implement, to re-use the GLOBUS_TCP_PORT_RANGE, or to
  negotiate directly with Alice.
  This xrootd port range should be added to the LCG port table.

- Alice/xrootd: security model
  This has extensively been discussed recently.
  Alice has developed a security envelope for authorization, to enable
  WAN access to xrootd services.
  Part of this includes the dCache xrootd plugin:
  - the dCache developers believe GSI (=authentication) is required and
    needs to be developed to secure its xrootd plugin
  - the Alice experts do not agree
  Both seem to agree the authorization part is fine, the discussion is
  about the authentication.
  The Security Coordination Group should produce recommendations (draft
  circulating now), both to explain what development strategy should be
  adopted in the short/long term, and to clarify the situation for the
  sites. (see agenda item later in this meeting)
  Also, some discussions between Alice and dCache experts should be
  organised. Would this fall in the MWSG's scope?

- Debian OpenSSL
  The OSCT has issued a security alert to all sites about the Debian
  OpenSSL security vulnerability. All details are available at:
  http://osct.web.cern.ch/osct/alerts/openssl-16-05-2008.txt
  More information on this topic is available in the EUGridPMA report.

- Whitelisting WLCG machines hosts
  Several sites in the recent years have requested the ability to have
  the list of subnets of all sites participating in the grid, to enable
  some level of network filtering. While quite simple in theory, the
  exact boundaries of WLCG are unclear and several services would not
  be covered. Further investigations are needed to evaluate the
  cost/benefit of this proposal.

Discussion and other matters:

RW has asked Maite for access to PPT staff effort numbers for the
security task. This is not possible because of data privacy issues.
However, a report can be produced and distributed to us (quarterly?).

re: meeting between dCache and ALICE developers. CW is willing to
arrange and/or attend but it's not clear that MWSG is the right forum.
This issue has been discussed for a long time and progress is needed.
(see below for SCG recommendation on this).

MWSG (CW)
---------

1. Work on the new authorization service progressing, but at a somewhat
   slow pace.
   Draft design documents have been written for the four components
   (policy administration point PAP, policy decision point PDP, policy
   enforcement point PEP, environment execution service EES). The final
   design document will be discussed within the group in early July.
2. xrootd issue with Alice: see mail 5/21/2008 5:59PM.
3. The next MWSG meeting will take place at EGEE08, where joint
   meetings with OSCT have been requested (see Romain's mail 5/22/2008
   10:22AM).
4. Workplan for implementing the recommendations of the authorization
   study has been started together with J.White and F.Giacomini.

Discussion:

CW adds plans for the next month:
a. Chase up on the CSRF mail that went out to developers with only one
   response. JW, RW and CW have produced a list of web applications and
   will chase the developers individually.
b. continue work on the web page howto blacklist users.

JRA1 (JW)
---------

- glexec-on-WN
  The various methods to deploy/configure glexec on the worker nodes
  were presented to the GDB and TCG. This deployment is to go to
  selected PPS sites for the experiments "frameworks" to be tested.
  Gerben has produced some documentation on how to effect these
  configurations.

- SCAS
  Work has progressed and the SCAS client has been developer-tested and
  has met the internally-set milestone. The server code is now under
  test and has to meet the SA3-set performance targets.

- Other
  * Many security configurations produced for glexec/LCAS/LCMAPS...
    certification has started.
  * Just a reminder about PEB (AMB) task number 13 ...
    "Collect EGEE policy in one document for e-Infrastructures group."
    Dave K. has been made aware and we'll get it sorted out by the end
    of June.

Discussion:

gLexec/WN configuration, as presented to TCG and GDB, will be used in
the short-term for testing the various pilot job frameworks.
Medium-term solution is SCAS, while the longer-term solution is the new
AuthZ framework.

GSVG (LC)
---------

No report this time. Linda has been away for two weeks.

EUGridPMA (DG)
--------------

- Impact of CVE-2008-0166
  The impact assessment of this vulnerability started on May 13th first
  by reviewing the actual CA root keys. One affected CA was found on
  May 14th and new key material generated (due to the design of this
  CA, replacing the vulnerable root cert did not directly affect the
  validity of end-entity certs). May 14th also saw the first request to
  CAs to verify all their EE certs, and a checking tool was distributed
  on May 15th.
  The responsiveness of CAs (time between request and time between
  their *confirmation* that all affected certs were revoked) is as
  always exponential. Most CAs (approx. 90%) had responded by Friday
  16th afternoon. 5 CAs came in on Monday, 2 on Wednesday, and one is
  still pending.
  What we'll do to GridCanada is not yet decided, but if by today there
  is no response I think a new Distribution without GridCanada is
  appropriate. Herve promised a response by Friday 22nd -- and the
  update time for an IGTF distribution is at least 4 days as well.
  A list of CAs with number of affected certs is available.
  Handling this incident (which effectively took me out for the week)
  also showed that there is a ROBAB-vulnerable single point of failure
  in the EUGridPMA. I'll try and address that one next week and ask for
  backup volunteers...

- Release 1.21
  This was the first "critical" update released to EGEE in a long time.
  The process was started on Friday (together with the OSCT advisory),
  and by Friday evening it was on the PPS. Then, the SAM team took
  another 3 days to fix their tests and come up with the announcement.
  The 1-day count-down started only Monday afternoon. Should we force
  the SAM team to work over the week-end?
  Actual impact is limited to a few Java services only, though -- no
  job submission or actual data storage was possible, and products
  using the gLite trust manager were also safe.

- IGTF communications
  Some individuals in OSG have tried to exercise the communications
  channels of the IGTF and have come up with worrisome results. In the
  EUGridPMA meeting next week we will discuss improvements. Note that
  EUGridPMA direct communications did work, but the IGTF "overarching"
  channels did not. Oops.

- Next week is the EUGridPMA meeting. On the agenda are AuthZ
  operations WG and a session on the use of our IGTF credentials for
  community portals &c. Maybe the PMA is a place where the work from
  the stalled "TCG Portal WG" can be reanimated?
  I don't expect videoconf to actually work, sorry.

Discussion:

As mentioned above, DG has still not heard from the Canadian CA
following this incident. This will be discussed next week at the
EUGridPMA meeting. RW/DK will raise the issue with TRIUMF and encourage
them to inform their CA how critical this is for them.

JSPG (DK)
---------

1. Four policy documents very close to final approval.
     CA Approval
     Multi User Pilot Jobs
     VO Operations
     Traceability and Logging
   Will be signed-off by JSPG next week (at its F2F meeting).

2. Meeting of JSPG is at CERN next week. Thurs/Friday 29/30 May
   See http://indico.cern.ch/conferenceDisplay.py?confId=31918
   Other items on the agenda include:
     Work on other old VO policies (registration, management etc)
     User-level accounting
     Plans for EGEE-III and moving towards EGI.

3. Debian/SSL security incident
-------------------------------

Extensive communications have happened on this during the last week and
a bit. Covered here in more detail in the OSCT and EUGridPMA reports.

4. xrootd/dCache GSI
--------------------

The ALICE security model (for using xrootd).

This matter had been discussed by e-mail before the meeting.

The following two paragraphs are repeated from RW's OSCT report:

Alice has developed a security envelope for authorization, to enable
WAN access to xrootd services.
Part of this includes the dCache xrootd plugin:
- the dCache developers believe GSI (=authentication) is required and
  needs to be developed to secure its xrootd plugin
- the Alice experts do not agree
Both seem to agree the authorization part is fine, the discussion is
about the authentication.

The Security Coordination Group should produce recommendations (draft
circulating now), both to explain what development strategy should be
adopted in the short/long term, and to clarify the situation for the
sites.

After more discussion, SCG approved the following recommendations:

-------------------------------------------------------------------------
a) The current dCache/xrootd implementation is known to be insecure and
   enables anonymous write operations on the disk servers under some
   conditions. To address this, ALICE has developed and deployed a
   limited token-based authorization scheme. Although this does not
   address all security concerns it is perceived to be a valuable
   improvement. SCG recommends that this should therefore be enabled at
   all affected sites, i.e. those sites that provide a publicly
   accessible xrootd service to ALICE. Exact instructions to enable
   this feature will be provided by ALICE.

b) GSI authentication in xrootd is an essential component to ensure a
   sufficient level of security and to meet the requirements of the
   Grid (EGEE/WLCG) Traceability and Logging security policy, in
   particular the fact that all resource providers need to have the
   ability to identify the original user initiating any action.

c) The SCG, therefore, strongly recommends that a GSI authentication
   component in dCache/xrootd should be developed and encourages the
   dCache developers to present a timeline for this. Once this
   component is ready and properly tested, it should be deployed on all
   dCache/xrootd implementations.
-------------------------------------------------------------------------

5. MSA1.4 Security Assessment Plan
----------------------------------

Coordinated by STFC (LC). A month 2 milestone (June 08).

DK reported that metrics are being worked on in the UK for GridPP on
both security incident response and handling of security
vulnerabilities by GSVG. These will be included in this document. There
are also the metrics presented by RW on the results of SSC3 at the
Tier 1s - also to be included.

LC will prepare a proposed scope of the "Assessment" activity and a
draft TOC hopefully next week after she returns to work.

All are invited to send ideas to the SCG list.

6. Requests for meetings at EGEE'08
-----------------------------------

Romain has forwarded the security inter-activity requests to the
EGEE-08 committee.

- 90 min for a JSPG/GSVG session
  - should not overlap other SA1 sessions
- 3 x 90 min for a "Joint MWSG and OSCT Security session"
  - should not overlap other SA1 sessions
  - It is important the room is big enough (we expect ~ 100 people)
  - 2 x 90 min security training for EGEE members
  - 1 x 90 min presentations from the two groups
- 2 x 90 min for an OSCT session (group status, progress, etc.)
  - May clash with other SA1 sessions
- 2 x 90 min for a MWSG session (group status, progress, etc.)
  - May clash with other SA1 sessions

Discussion:

It was noted that the JSPG/GSVG session should also involve SA1, VOs
and Other Grids and should seat ~ 100 people. Romain will feed this in.

DK informed that LC may well want a small GSVG closed meeting. JW said
this should be possible, but "across the road" in the University.

7. AOB
------

JW showed the link to the new EGEE-III web site security page.
http://technical.eu-egee.com/index.php?id=146

ACTION: All security group chairs to check and confirm text is OK

DK asked JW about agenda for EGEE-II review. Dates of rehearsals etc
fixed but no agenda yet.

8. Date of next meeting
-----------------------

Phone conference. Friday 27th June at 11:00 CEST.

DPK
26 May 2008