EGEE Security Coordination Group (SCG) meeting
----------------------------------------------

Phone conference - Friday 18 April 2008 11:00 CEST

Present: Linda Cornwall, David Groep, Romain Wartel, Christoph Witzig and Dave Kelsey (chair)
Apologies: John White

1. Outstanding issues from last meeting (12th March)

None that won't be covered later in this meeting.

2. Roundtable reports

MWSG (CW)
---------

a. Authorization study: presented revised recommendations to TCG, which were accepted by TCG on March 12, 2008. Implementation plan outstanding -> change from CG to FG (changes in pattern matching libraries in progress).
b. MWSG meeting in Bologna: Highlights: Very good presentations by D.Salomoni and R.Wartel --> connection between MWSG and OSCT should be a priority for 2008 with the goal of coordinated presentations at EGEE08. See mail with TODO-list on mwsg mailing lists from April 4, 2008 6:26PM.
c. CSRF: One reply on my request. Follow-up needed (in progress).

Priorities for April:
a. CSRF follow-up
b. HOWTO blacklist webpage
c. Implementation plan for authZ recommendations together with FG.

Discussion: Only one reply had been received to date following the mail on CSRF. CW and RW will compile a list of all web interfaces and contact responsible people individually requesting a response. CW will follow up with FG (JRA1 leader) in May.

OSCT (RW)
---------

- The OSCT-5 meeting took place in Lyon. Minutes and presentations available from: http://indico.cern.ch/conferenceDisplay.py?confId=29322
  Several key topics discussed, including the initial EGEE-III planning.
- Security Service Challenge 3 (SSC3) on-going. Some technical issues to submit the job at some sites have been encountered, and resolution takes much longer than expected.
- A new monitoring tool to detect vulnerable packages at the sites is being produced. Test deployment expected early May.
- Feedback from the MWSG meeting: the need for better controls and improved traceability was acknowledged

No new security incident was reported in March.

Discussion: CW asked when the template for the "blacklist" web will be ready. RW stated that it depends who in OSCT does the work but it won't take long.

GSVG (LC)
---------

Issue handling
--------------

I have gone through the open issues and looked at status:

Rough breakdown open issues - 10th April 2008

                Disclosed*  Gen$  In work  3rd P  Other  Before TD  Total
Pre EGEE-II          7       14      4       1      1       n/a       27
After                7        2      5       6      4        4        28
---------------------------------------------------------------------
Total               14       16      9       7      5        4        55
---------------------------------------------------------------------

* disclosed as reached TD http://www.gridpp.ac.uk/gsvg/advisories/ Some in work, some just disclosed
Gen$ General concerns, mostly well known. In document
In work - or waiting patch release - mostly should be O.K when 3.1 fully out and changes in head are out. 2 Moderate/High, rest Low. For post EGEE-II these past TD.
Other - includes 2 glexec coding - close when reviewer happy. The rest probably not/no longer vulnerabilities - re-check before closing.

133 issues entered altogether, since activity started. 55 open, 78 closed. Should be able to close about 12 more when glite 3.1/code in head fully rolled out.

There seems to be a problem getting work already done by developers into production. Possibly the integration and test team may have too much to do for the size of the team.

Documenting general concerns:

I have put together the more general concerns which are not straightforward bugs in a document, aimed at MWSG, TCG, and SCG. It is not a highly polished document, but intended to summarise the points that have been around for some time but have not been fully resolved. These are all rather well known, I'm sure there will be no surprises to anyone. They remain open until solutions are found.

EUGridPMA (DG)
--------------

DG apologises for the lack of a written report.

TAGPMA decided to change the SLCS profile. SLCS CAs will now have to issue CRLs. But if all certificates issued have lifetimes shorter than 24 hours this CRL can be static and empty with a lifetime of one year. Compromised certs with lifetimes longer than 24 hours must be revoked via a CRL. EUGridPMA will discuss this in its May meeting. If all agreed will need to come into force within about 6 months.

LC noted that GSVG has discussed the problem of proxies with lifetime longer than 24 hours. All agree that once the WMS with appropriate proxy renewal works we should persuade VOs to move back to 24 hour maximum lifetime.

DG has had several requests for guidance as to what certificates should be used for web portals - personal certs vs host certs etc? The EGEE WG on portals seems to have come to a halt, so this issue will be on the agenda for the May EUGridPMA meeting.

JSPG (DK)
---------

There has been little progress on the current draft policy documents, as I (the only funded participant) have been busy on other things - attending MWSG in Bologna, TAGPMA and APGrids PMA meetings, and chairing and presenting at the ISGC 2008 conference.

On the latter point, I did make useful contacts with both Japanese (NAREGI) and Australian Grid people. I learned for example that the Australian Grid use our Grid AUP (slightly modified). I plan to involve more of these people in EGEE-III updates on JSPG policy.

Jim Basney (from NCSA and of MyProxy fame) has joined JSPG as the OSG representative (to replace Bob Cowles).

There is a face to face JSPG meeting at CERN on 29/30 May, when amongst other things we will discuss plans for the EGEE-III era, e.g. yet another simplification of the policy set and making more useful to many NGI stakeholders. We need to expand the membership of JSPG to cover more NGI input.
Before the May meeting, we will finalise the current set of draft policy documents and seek project approval and adoption.

3. EGEE-III planning
--------------------

LC reports that she still does not know the names of people who will work on GSVG.

RW informs us that Maite (SA1 leader) has asked him to manage the security task in SA1. This will involve coordinating the input to the SA1 quarterly report (from all partners working on the task) and attending SA1 monthly meetings. The first task is to prepare some slides for the EGEE-III transition meeting in May (for OSCT, GSVG, PMA and JSPG).

LC also asks for access to the PPT staff bookings on TSA1.4 and its sub-tasks. RW says that he will ask for access to this and make sure we all have access to enable easier management of the sub-tasks.

DK reminds that we have several security related deliverables in EGEE-III. He will distribute the full list by mail. Two of these belong to SCG:
a. MSA1.4 Security Assessment Plan. Coordinated by STFC (LC). Month 2.
b. DJRA1.2 Report on EGEE-III Security. SWITCH (CW). Month 22

LC will prepare a proposed scope of the "Assessment" activity and a draft TOC. All are invited to send ideas to the SCG list. Month 2 is getting close!

4. Other security issues
------------------------

LC raised 4 issues

a. Dependencies/3rd party software distributed by EGEE. If a vulnerability is found, there is an inevitable delay in fixing the EGEE version, after being announced by the 3rd party. As in 4) below there seems to be a delay getting things certified too. Can we reduce re-packaging of 3rd party stuff? Possibly SCG is not the ideal forum, but John might like to comment.

Discussion: LC will discuss with Oliver Keeble. RW requests that she should also request signing of RPMs - DG reminds this has to be manual after certification and not an automatic process.

b. Testing and Certification. I note that some of the open issues should be fixed when 3.1 is fully rolled out.
I understand that this is because they are not certified. I have also heard that there are some EGEE services, e.g. R-GMA that are not certified for SL4 yet, but SL3 is no longer maintained thus any Linux security problems do not get patched. Hence services are running on potentially insecure Linux. What is the current status? Is there a plan to resolve this e.g. with more manpower for EGEE-III? Also noticed an e-mail exchange where people are talking of SL5.

Discussion: Security support for SL3 continues into 2009. It is SLC3 which has ended support. CentOS will continue security patching until 2012 (like Red Hat). LC will also discuss this with Oliver K.

c. Testing and policy. For one issue we were unable to test the fix because we required a revoked certificate from someone who was allowed to enter data in that system. (Etics) This is difficult to test, we would require a user to get a second certificate from a CA and revoke it, and we have had to simply trust that the service has correctly got CRL checking in place and close it. Maybe we need to find a way of testing that services are deployed correctly, e.g. by checking with revoked certificates. There remains the problem of it being against policy to carry out certain tests, which may reveal vulnerabilities that we should be fixing.

Discussion: DG informs that there are no policy issues stopping CAs issuing more than one certificate to a single person. Doing so with the same DN may or may not be possible depending on the implementation.

d. Tools to allow site administrators to test. For some issues, sites do not like yaim doing too much to the configuration, yet this leaves the possibility that some sites (especially when smaller sites join) are not configured securely. A suggestion has been made that tools are provided for the use of sites, which site administrators run on their own sites, which alert them to possible security configuration problems but do nothing else.

Discussion: RW agrees that at least a "warning" should be issued. Forbidding world-readable config files may be better than a very (too) specific requirement which causes problems for sites. LC to continue discussions with the YAIM developers.

5. AOB
------

None

6. Date of next meeting
-----------------------

Phone conference. Friday 23rd May at 11:00 CEST.

DPK 18 Apr 2008