FYI. Lukasz
-------- Original Message --------
Subject: Fwd: xrootd - user DN information
Date: Mon, 1 Sep 2014 11:41:38 +0200
From: Romain Wartel <[log in to unmask]>
To: Domenico Giordano <[log in to unmask]>, Matevz Tadel
<[log in to unmask]>
CC: Lukasz Janyst <[log in to unmask]>, Maria Alandes Pradillo
<[log in to unmask]>, Oliver Keeble <[log in to unmask]>,
Andrea Sciaba <[log in to unmask]>, Andrea Manzi <[log in to unmask]>
Domenico, Matevz,
Just to close the loop; please find the information below. The EGI
CSIRT, as well as WLCG operations coordination, are coordinating this issue.
I expect you will be contacted "officially" by the EGI security
vulnerability group (SVG) with an advisory before Wednesday with all the
details.
Then we would need you to look into this asap and report back on what
corrective actions can be taken.
Cheers,
Romain.
Begin forwarded message:
> From: Romain Wartel <[log in to unmask]>
> Subject: xrootd - user DN information
> Date: 1 Sep 2014 10:46:21 GMT+2
> To: Maria Alandes Pradillo <[log in to unmask]>, Oliver Keeble <[log in to unmask]>
>
> Maria, Oliver,
>
> Here is the information I have regarding the user DN usage for
> monitoring in xrootd.
>
> I think the correct Indico link is
> https://indico.cern.ch/event/197803/session/0/contribution/10/material/slides/0.pdf
>
> Our policy on this topic is at
> https://edms.cern.ch/file/855382/5/JobAccountingDataPolicy-v1.0.pdf
>
> "Each site is responsible for sending its accounting records on a
> regular basis, e.g. daily, with at least user DNs encrypted in
> transport, to a central data base defined by the Grid. This database is
> located at an Accounting Data Centre (ADC). The location of the ADC
> needs to be chosen carefully according to data privacy laws."
>
> Cheers,
> Romain.
>
> Begin forwarded message:
>
>> From: Sven Gabriel <[log in to unmask]>
>> Subject: [Irtf] more atlas fun
>> Date: 1 Sep 2014 08:14:12 GMT+2
>> To: IRTF <[log in to unmask]>, David Groep <[log in to unmask]>
>> Reply-To: Incident Response Task Force <[log in to unmask]>
>>
>> This is easy, .. here we have a violation of a couple of our
>> policies on how to handle user privacy data.
>>
>> "....The xrootd monitoring infrastructure sends user DN information and
>> all user actions in cleartext over UDP packets across to SLAC in the
>> US for monitoring. They are even open about it: .."
>>
>> https://indico.cern.ch/event/197803/session/0/material/slides/0
>>
>> ... Mitigation can be done by blocking OUTBOUND UDP packets on each
>> DPM xrootd host, in particular the headnode, but this is obviously not
>> done by default.
>>
>> DROP udp -- anywhere anywhere udp spt:53193
>> DROP udp -- anywhere anywhere udp spt:55721
>> DROP udp -- anywhere atl-prod05.slac.stanford.edu
>> ...."
>>
>> Does IRTF want to send out an advisory to all sites to apply the
>> same FW rules?
>>
>> Cheers,
>> Sven
>> --
>> ========
>> Sven Gabriel
>>
>> Nikhef, Dutch National Institute for Sub-atomic Physics
>> Group Computer Technology / Room: H1.59
>> Phone: +31 20 5925103
>> Science Park 105 / 1098 XG Amsterdam / The Netherlands
>> _______________________________________________
>
--
Romain Wartel
Security Officer
Worldwide LHC Computing Grid
CERN, IT Department
CH-1211 Geneva 23, Switzerland
http://www.cern.ch/LCG
http://cern.ch/security
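The quoted mitigation blocks the monitoring sender's UDP egress by source port and by destination host. As an added example (not from this thread, and not xrootd's own code), the Python check below scans constructed flow records for that same traffic pattern and for DN-looking strings carried in cleartext UDP payloads leaving the site; the one-line sensor format, the collector address 203.0.113.10 and the sample DNs are assumptions made for this example.

```python
import re
XROOTD_MON_SPORTS = {53193, 55721}      # sender source ports from the quoted DROP rules
COLLECTOR_ADDRS = {"203.0.113.10"}      # placeholder (TEST-NET-3) for the off-site collector
LOCAL_PREFIXES = ("10.", "192.168.")    # site-local; UDP staying on site is not off-site disclosure
# Two or more chained grid DN components, e.g. /DC=ch/DC=cern/CN=Some User.
DN_RE = re.compile(r'(?:/(?:DC|OU|O|CN|C)=[^/"]+){2,}')
# Constructed one-line flow format of a hypothetical sensor export (not a real tool's output).
FLOW_RE = re.compile(r'^(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> '
                     r'(?P<dst>[\d.]+):(?P<dport>\d+)(?: payload="(?P<payload>.*)")?$')

def parse_flow(line):
    """Parse one sensor line into a dict, or return None if it does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    flow["payload"] = flow["payload"] or ""
    return flow

def flag_reasons(flow):
    """Why an off-site UDP flow matters: monitoring source port, collector destination, DN in payload."""
    reasons = []
    if flow["proto"] != "UDP" or flow["dst"].startswith(LOCAL_PREFIXES):
        return reasons  # only UDP leaving the site is in scope
    if flow["sport"] in XROOTD_MON_SPORTS:
        reasons.append("xrootd-monitoring-source-port")
    if flow["dst"] in COLLECTOR_ADDRS:
        reasons.append("off-site-collector")
    if DN_RE.search(flow["payload"]):
        reasons.append("cleartext-dn")
    return reasons

def find_dn_leaks(lines):
    """Scan sensor lines and return the flagged flows with the reasons each was flagged."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        reasons = flag_reasons(flow) if flow else []
        if reasons:
            hits.append({"src": flow["src"], "dst": flow["dst"], "sport": flow["sport"], "reasons": reasons})
    return hits

# Constructed sample export; addresses (TEST-NET ranges) and DNs are made up for this example.
SAMPLE = [
    'UDP 10.1.2.3:53193 -> 203.0.113.10:9930 payload="&n=/DC=ch/DC=cern/OU=Users/CN=jdoe&h=wn01"',
    'UDP 10.1.2.3:55721 -> 203.0.113.10:9931 payload="f-stream bytes"',
    'UDP 10.1.2.3:41000 -> 10.1.2.200:9930 payload="/DC=ch/DC=cern/CN=jdoe"',
    'UDP 10.1.2.3:40001 -> 198.51.100.8:514 payload="login user=/O=dutchgrid/O=users/CN=jdoe"',
]
```

The quoted rules key on specific source ports, which look like ephemeral ports observed on one host, so a site-wide check is more robust when it keys on the destination and on the payload content rather than on a port list alone.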