
Yes, this is common to all xrootd detailed monitoring. DN is sent in u stream 
(user session creation) which is used together with t and f streams. It also 
affects the dCache monitoring plugin that replicates the f stream functionality.

Matevz


On 9/1/14 3:04 PM, Oliver Keeble wrote:
>
> This is not a DPM issue - it's the xrootd fstream which sends out this
> information so standard xrootd installations will also be affected. dCache may
> be different, I don't know if they implemented this themselves or not.
>
> On 01/09/14 13:48, Andrea Manzi wrote:
>> Hi Romain,
>> do you know if the problem affects only DPM-xrootd or all xrootd
>> deployments are affected ?
>> thanks
>> Andrea
>>
>> On 01 Sep 2014, at 11:41, Romain Wartel <[log in to unmask]
>> <mailto:[log in to unmask]>> wrote:
>>
>>> Domenico, Matevz,
>>>
>>> Just to close the loop; Please find the information below. The EGI
>>> CSIRT, as well as WLCG operations coordination are coordinating this
>>> issue.
>>> I expect you will be contacted "officially" by the EGI security
>>> vulnerability group (SVG) with an advisory before Wednesday with all
>>> the details.
>>>
>>> Then we would need you to look into this asap and report back on what
>>> corrective actions can be taken.
>>>
>>> Cheers,
>>> Romain.
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> *From: *Romain Wartel <[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>> *Subject: **xrootd - user DN information*
>>>> *Date: *1 Sep 2014 10:46:21 GMT+2
>>>> *To: *Maria Alandes Pradillo <[log in to unmask]
>>>> <mailto:[log in to unmask]>>, Oliver Keeble
>>>> <[log in to unmask] <mailto:[log in to unmask]>>
>>>>
>>>> Maria, Oliver,
>>>>
>>>> Here is the information I have regarding the user DN usage for
>>>> monitoring in xrootd.
>>>>
>>>> I think the correct Indico link is
>>>> https://indico.cern.ch/event/197803/session/0/contribution/10/material/slides/0.pdf
>>>>
>>>>
>>>> Our policy on this topic is at
>>>> https://edms.cern.ch/file/855382/5/JobAccountingDataPolicy-v1.0.pdf
>>>>
>>>> "Each site is responsible for sending its accounting records on a
>>>> regular basis, e.g. daily, with at
>>>> least user DNs encrypted in transport, to a central data base defined
>>>> by the Grid. This database is
>>>> located at an Accounting Data Centre (ADC). The location of the ADC
>>>> needs to be chosen
>>>> carefully according to data privacy laws. "
>>>>
>>>> Cheers,
>>>> Romain.
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> *From: *Sven Gabriel <[log in to unmask] <mailto:[log in to unmask]>>
>>>>> *Subject: **[Irtf] more atlas fun*
>>>>> *Date: *1 Sep 2014 08:14:12 GMT+2
>>>>> *To: *IRTF <[log in to unmask] <mailto:[log in to unmask]>>, David
>>>>> Groep <[log in to unmask] <mailto:[log in to unmask]>>
>>>>> *Reply-To: *Incident Response Task Force <[log in to unmask]
>>>>> <mailto:[log in to unmask]>>
>>>>>
>>>>> This is easy, .. here we have a violation of a couple of our
>>>>> policies on how to handle user privacy data.
>>>>>
>>>>> "....The xrootd monitoring infrastructure sends user DN information and
>>>>> all user actions in cleartext over UDP packets across to SLAC in the
>>>>> US for monitoring. They are even open about it: .."
>>>>>
>>>>> https://indico.cern.ch/event/197803/session/0/material/slides/0
>>>>>
>>>>> ... Mitigation can be done by blocking OUTBOUND UDP packets on each
>>>>> DPM xrootd host, in particular the headnode, but this is obviously not
>>>>> done by default.
>>>>>
>>>>> DROP udp -- anywhere anywhere udp spt:53193
>>>>> DROP udp -- anywhere anywhere udp spt:55721
>>>>> DROP udp -- anywhere atl-prod05.slac.stanford.edu
>>>>> <http://atl-prod05.slac.stanford.edu/>
>>>>> ...."
>>>>>
>>>>> Does IRTF want to send out an advisory to all sites to apply the
>>>>> same FW rules?
>>>>>
>>>>> Cheers,
>>>>> Sven
>>>>> --
>>>>> ========
>>>>> Sven Gabriel
>>>>>
>>>>> Nikhef, Dutch National Institute for Sub-atomic Physics
>>>>> Group Computer Technology / Room: H1.59
>>>>> Phone: +31 20 5925103
>>>>> Science Park 105 / 1098 XG Amsterdam / The Netherlands
>>>>> _______________________________________________
>>>>> Irtf mailing list
>>>>> [log in to unmask] <mailto:[log in to unmask]>
>>>>> https://mailman.egi.eu/mailman/listinfo/irtf
>>>>
>>>
>>>
>>>
>>> --
>>> Romain Wartel
>>> Security Officer
>>> Worldwide LHC Computing Grid
>>> CERN, IT Department
>>> CH-1211 Geneva 23, Switzerland
>>>
>>> http://www.cern.ch/LCG
>>> http://cern.ch/security
>>> <[log in to unmask] <mailto:[log in to unmask]>>
>>> <[log in to unmask] <mailto:[log in to unmask]>>
>>>
>>
>
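Matevz's point that the DN travels in the u stream, and Sven's point that it goes out in cleartext, suggest a simple site-side check: capture the outbound monitoring datagrams and flag any u record that carries a DN. The following is an added example, not code from this thread or from the xrootd or DPM projects; it assumes the detailed-monitoring layout (an 8-byte header of code, pseq, plen, stod; a 4-byte dictid; then "userid\nauthinfo" with the DN in the &m= field) and runs on constructed sample datagrams.

```python
import struct

# Assumed layout (not confirmed by the thread): 8-byte header in network
# byte order, then for map records a 4-byte dictid and "userid\nauthinfo".
HDR = struct.Struct("!BBHI")  # code, pseq, plen, stod

# Substrings that indicate an X.509 DN in the auth info text.
DN_MARKERS = ("/CN=", "/DC=", "/O=")


def parse_mon_packet(data: bytes) -> dict:
    """Split one monitoring datagram into its header fields and record body."""
    if len(data) < HDR.size:
        raise ValueError("datagram shorter than the monitoring header")
    code, pseq, plen, stod = HDR.unpack_from(data)
    if plen != len(data):
        raise ValueError(f"plen {plen} does not match datagram size {len(data)}")
    rec = {"code": chr(code), "pseq": pseq, "stod": stod}
    body = data[HDR.size:]
    if rec["code"] == "u":  # user session record: dictid + "userid\nauthinfo"
        rec["dictid"] = struct.unpack_from("!I", body)[0]
        userid, _, authinfo = body[4:].decode(errors="replace").partition("\n")
        rec["userid"], rec["authinfo"] = userid, authinfo
    else:
        rec["raw"] = body
    return rec


def find_cleartext_dn(data: bytes) -> list:
    """Return DN-looking values found in a u record; empty for other records."""
    rec = parse_mon_packet(data)
    if rec["code"] != "u":
        return []
    found = []
    for field in rec["authinfo"].split("&"):
        if field and any(marker in field for marker in DN_MARKERS):
            found.append(field.partition("=")[2] if "=" in field else field)
    return found


def build_u_packet(userid: str, authinfo: str, dictid: int = 1, stod: int = 1409529600) -> bytes:
    """Build a constructed u-stream datagram for offline testing (not captured traffic)."""
    body = struct.pack("!I", dictid) + f"{userid}\n{authinfo}".encode()
    return HDR.pack(ord("u"), 0, HDR.size + len(body), stod) + body


# Constructed samples: a GSI session carrying a DN, and a local unix session without one.
GSI_SAMPLE = build_u_packet("alice.12345:7@wn01.example.org",
                            "&p=gsi&n=alice&h=wn01.example.org&o=example&r=&g=&m=/DC=org/DC=example/CN=Alice Example")
UNIX_SAMPLE = build_u_packet("bob.6789:3@wn02.example.org",
                             "&p=unix&n=bob&h=wn02.example.org&o=&r=&g=&m=")
```

Feeding real datagrams (for example from a pcap of the collector port) through find_cleartext_dn() shows whether a host is still leaking DNs after the firewall rules are applied.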

########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1