
We do need user DN for monitoring and popularity applications.

Cheers

Julia


On Mon, 1 Sep 2014, Lukasz Janyst wrote:

>   AFAIK, most of dCache sites use xrootd proxies, so they are likely 
> affected, so is EOS, but fstreams have not been configured for Castor.
>
>   Is it sufficient that we encrypt the fstreams or do you want us not to 
> send the DNs at all?
>
> Cheers,
>   Lukasz
>
> On 09/01/2014 03:04 PM, Oliver Keeble wrote:
>> 
>> This is not a DPM issue - it's the xrootd fstream which sends out this
>> information so standard xrootd installations will also be affected.
>> dCache may be different, I don't know if they implemented this
>> themselves or not.
>> 
>> On 01/09/14 13:48, Andrea Manzi wrote:
>>> Hi Romain,
>>> do you know if the problem affects only DPM-xrootd or all xrootd
>>> deployments are affected ?
>>> thanks
>>> Andrea
>>> 
>>> On 01 Sep 2014, at 11:41, Romain Wartel <[log in to unmask]
>>> <mailto:[log in to unmask]>> wrote:
>>> 
>>>> Domenico, Matevz,
>>>> 
>>>> Just to close the loop; Please find the information below. The EGI
>>>> CSIRT, as well as WLCG operations coordination are coordinating this
>>>> issue.
>>>> I expect you will be contacted "officially" by the EGI security
>>>> vulnerability group (SVG) with an advisory before wednesday with all
>>>> the details.
>>>> 
>>>> Then we would need you to look into this asap and report back on what
>>>> corrective actions can be taken.
>>>> 
>>>> Cheers,
>>>> Romain.
>>>> 
>>>> 
>>>> Begin forwarded message:
>>>> 
>>>>> *From: *Romain Wartel <[log in to unmask]
>>>>> <mailto:[log in to unmask]>>
>>>>> *Subject: **xrootd - user DN information*
>>>>> *Date: *1 Sep 2014 10:46:21 GMT+2
>>>>> *To: *Maria Alandes Pradillo <[log in to unmask]
>>>>> <mailto:[log in to unmask]>>, Oliver Keeble
>>>>> <[log in to unmask] <mailto:[log in to unmask]>>
>>>>> 
>>>>> Maria, Oliver,
>>>>> 
>>>>> Here is the information I have regarding the user DN usage for
>>>>> monitoring in xrootd.
>>>>> 
>>>>> I think the correct Indico link is
>>>>> https://indico.cern.ch/event/197803/session/0/contribution/10/material/slides/0.pdf
>>>>> 
>>>>> 
>>>>> Our policy on this topic is at
>>>>> https://edms.cern.ch/file/855382/5/JobAccountingDataPolicy-v1.0.pdf
>>>>> 
>>>>> "Each site is responsible for sending its accounting records on a
>>>>> regular basis, e.g. daily, with at
>>>>> least user DNs encrypted in transport, to a central data base defined
>>>>> by the Grid. This database is
>>>>> located at an Accounting Data Centre (ADC). The location of the ADC
>>>>> needs to be chosen
>>>>> carefully according to data privacy laws. "
>>>>> 
>>>>> Cheers,
>>>>> Romain.
>>>>> 
>>>>> Begin forwarded message:
>>>>> 
>>>>>> *From: *Sven Gabriel <[log in to unmask] <mailto:[log in to unmask]>>
>>>>>> *Subject: **[Irtf] more atlas fun*
>>>>>> *Date: *1 Sep 2014 08:14:12 GMT+2
>>>>>> *To: *IRTF <[log in to unmask] <mailto:[log in to unmask]>>, David
>>>>>> Groep <[log in to unmask] <mailto:[log in to unmask]>>
>>>>>> *Reply-To: *Incident Response Task Force <[log in to unmask]
>>>>>> <mailto:[log in to unmask]>>
>>>>>> 
>>>>>> This is easy, .. here we have a violation of a couple of our
>>>>>> policies on how
>>>>>> to handle user privacy data.
>>>>>> 
>>>>>> "....The xrootd monitoring infrastructure sends user DN information
>>>>>> and
>>>>>> all user actions in cleartext over UDP packets across to SLAC in the
>>>>>> US for monitoring. They are even open about it: .."
>>>>>> 
>>>>>> https://indico.cern.ch/event/197803/session/0/material/slides/0
>>>>>> 
>>>>>> ... Mitigation can be done by blocking OUTBOUND UDP packets on each
>>>>>> DPM xrootd host, in particular the headnode, but this is obviously not
>>>>>> done by default.
>>>>>> 
>>>>>> DROP udp -- anywhere anywhere udp spt:53193
>>>>>> DROP udp -- anywhere anywhere udp spt:55721
>>>>>> DROP udp -- anywhere atl-prod05.slac.stanford.edu
>>>>>> <http://atl-prod05.slac.stanford.edu/>
>>>>>> ...."
>>>>>> 
>>>>>> Does IRTF wants to send out an advisory to all sites to apply the
>>>>>> same FW
>>>>>> rules?
>>>>>> 
>>>>>> Cheers,
>>>>>> Sven
>>>>>> --
>>>>>> ========
>>>>>> Sven Gabriel
>>>>>> 
>>>>>> Nikhef, Dutch National Institute for Sub-atomic Physics
>>>>>> Group Computer Technology / Room: H1.59
>>>>>> Phone: +31 20 5925103
>>>>>> Science Park 105 / 1098 XG Amsterdam / The Netherlands
>>>>>> _______________________________________________
>>>>>> Irtf mailing list
>>>>>> [log in to unmask] <mailto:[log in to unmask]>
>>>>>> https://mailman.egi.eu/mailman/listinfo/irtf
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Romain Wartel
>>>> Security Officer
>>>> Worldwide LHC Computing Grid
>>>> CERN, IT Department
>>>> CH-1211 Geneva 23, Switzerland
>>>> 
>>>> http://www.cern.ch/LCG
>>>> http://cern.ch/security
>>>> <[log in to unmask] <mailto:[log in to unmask]>>
>>>> <[log in to unmask] <mailto:[log in to unmask]>>
>>>> 
>>> 
>> 
>
>
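
The thread above says the xrootd monitoring feed ships user DNs in cleartext UDP datagrams, and the only mitigation quoted is a firewall rule. A site that wants to check for itself whether its collectors (or the wire between them) still carry DNs can scan the datagrams directly. The script below is an added example written for this archive page; it is not xrootd project code and not part of any message in the thread. It assumes the 8-byte xrootd monitoring header layout (stream code, packet sequence, packet length, server start time, network byte order) and the stream-code letters; the sample datagrams, the login-record layout and the DN value are constructed for the demonstration, not captured traffic.

```python
"""Scan xrootd monitoring UDP datagrams for cleartext X.509 DNs.

Added example for this mailing-list page, not xrootd code.
Assumptions (not taken from the thread):
  * every datagram starts with the 8-byte monitoring header
    code (1 byte), pseq (1 byte), plen (uint16), stod (int32), big-endian;
  * the stream codes are the letters in KNOWN_CODES;
  * the sample records in SAMPLE_DATAGRAMS are constructed, not captured.
"""
import re
import struct
from typing import Dict, List, Optional, Tuple

# code, pseq, plen, stod in network byte order (assumed header layout).
HDR = struct.Struct("!cBHi")
KNOWN_CODES = {b"d", b"f", b"i", b"r", b"t", b"u"}

# OpenSSL one-line DN form: two or more slash-separated RDNs such as
# /DC=org/DC=example/CN=Alice Example.  The value stops at '/', '&',
# newline or NUL so it does not run into the next key=value field.
DN_RE = re.compile(rb"(?:/(?:DC|CN|OU|C|O|L|ST)=[^/&\n\x00]+){2,}")


def parse_header(datagram: bytes) -> Optional[Tuple[bytes, int, int, int]]:
    """Return (code, pseq, plen, stod) or None if the header is not sane."""
    if len(datagram) < HDR.size:
        return None
    code, pseq, plen, stod = HDR.unpack_from(datagram)
    # plen is the full datagram length including the header; a mismatch
    # means this is not a well-formed monitoring packet (or was truncated).
    if code not in KNOWN_CODES or plen != len(datagram):
        return None
    return code, pseq, plen, stod


def find_dns(datagram: bytes) -> List[str]:
    """DNs found in cleartext in the payload of one monitoring datagram."""
    hdr = parse_header(datagram)
    if hdr is None:
        return []
    payload = datagram[HDR.size:]
    return [m.group(0).decode("ascii", "replace") for m in DN_RE.finditer(payload)]


def scan(datagrams: List[bytes]) -> Dict[str, List[str]]:
    """Map stream code ('u', 'f', ...) to every DN seen in that stream."""
    hits: Dict[str, List[str]] = {}
    for dg in datagrams:
        hdr = parse_header(dg)
        if hdr is None:
            continue
        for dn in find_dns(dg):
            hits.setdefault(hdr[0].decode(), []).append(dn)
    return hits


def build_datagram(code: bytes, pseq: int, stod: int, payload: bytes) -> bytes:
    """Assemble a datagram with a correct plen (used to construct samples)."""
    return HDR.pack(code, pseq, HDR.size + len(payload), stod) + payload


# Constructed samples.  The 'u' record mimics a login line followed by
# key=value auth info whose last field carries the user's DN; the 't'
# record is opaque binary with no DN; the third one has a bogus plen.
STOD = 1409558400  # 2014-09-01 08:00:00 UTC, the thread's date
SAMPLE_DATAGRAMS = [
    build_datagram(
        b"u", 1, STOD,
        b"\x00\x00\x00\x2a"
        b"xrootd/alice.12345:6@wn01.example.org\n"
        b"&p=gsi&n=alice&h=wn01.example.org&m=/DC=org/DC=example/CN=Alice Example",
    ),
    build_datagram(b"t", 2, STOD, bytes(range(32))),
    HDR.pack(b"u", 3, 9999, STOD) + b"short",
]


if __name__ == "__main__":
    for code, dns in scan(SAMPLE_DATAGRAMS).items():
        print(f"stream {code!r}: {len(dns)} cleartext DN(s): {dns}")
```

To run it against real traffic, hand `scan()` the UDP payloads exported from a capture of the collector port (for example the datagrams tcpdump sees leaving the redirector); every non-empty result is a packet that still carries a DN unencrypted, which is exactly what the encrypted-transport requirement in the accounting policy quoted above forbids.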

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1