TGQR 2010Q2 Report.pdf - Teragridforum.org
8.6.7 SDSC
SDSC put our Dash resource into production on April 1 for Startup allocations. Dash is a precursor experimental system for Gordon, coming in 2011.
8.6.8 UC/ANL
The UChicago/Argonne RP has continued to host repo.teragrid.org, which includes the TeraGrid-wide CVS repository.
8.7 GIG Operations
The GRAM5 usage collector software was updated on globus-usage.teragrid.org. Ongoing support of MyProxy and Kerberos servers for TeraGrid at NCSA, the mail.teragrid.org server, as well as the MyProxy, GSI-OpenSSH, and GSI-SSHTerm software used by TeraGrid continued. This includes regular maintenance as well as addressing incoming support tickets.
The CIC IDM WG TeraGrid Pilot worked with the TeraGrid Security WG to obtain sign-off on the Federated IDM Security Incident Response Policy. After the policy was updated to address the TG Security WG's comments, the TG Security WG voted to approve the policy (8 in favor, 3 abstain). The policy was also presented at the InCommon Campus Authentication & Middleware Planning meeting on June 22, 2010.
8.8 Security
8.8.1 Security Working Group
Summary of Security Incidents: There were five compromised user accounts and two login node compromises. A machine used by science gateway developers was compromised, which led to other account credentials being captured. In some instances the attackers inserted unauthorized SSH keys into users' directories to allow alternate methods of access. The Incident Response team has disabled all of the accounts involved and audited TeraGrid production machines for the known fraudulent SSH keys.
Securing Community Account Revisited: Victor Hazlewood has been documenting community account usage on the TG. Currently, documentation of the use cases for 22 science gateways is provided at the TeraGrid Forum wiki Science Gateway Use Cases site. A summary of software used and security methods employed for the user accounts used at the RPs is available in the Summary Table at this website. We are planning on setting up a meeting to discuss community account management and implementation in the near future with Victor and Nancy. The goal is to establish some standards or commonly accepted positions relating to community accounts (for example: community accounts cannot have an interactive shell session on production machines).
Accessing the community account information page: With the move of the TeraGrid webserver to Liferay complete, the access control permissions for specific areas of the website needed to be re-defined. The docs group contacted Jim Marsteller to ask who should have access to the science gateway info page. Since this page is used to look up contact information for community accounts, every member of the incident response team requires access to this page. Jim supplied the docs group the names of all of those on the TG security contact list so they have access.
Vetted/Unvetted Process Review: The Core2 working group team has been working on an implementation document for Vetted & Unvetted TGUP accounts in order to move forward with improving the account creation process with TGUP. The security working group was asked to review the document and provide comments. Jim sent Maytal the security working group's comments on May 35th. One of the major questions is whether the POPS reconciliation process will still have a TG staff member vetting the authenticity of a user-generated account request.