emergency suspension list
play

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, - PowerPoint PPT Presentation

Nov 18, 2023 •201 likes •334 views

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy Emergency suspension Suspended DN cant submit jobs to sites Automated Suspension: Fast: Delays configurable & known in advance Completely

  1. Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy

  2. Emergency suspension • Suspended DN can’t submit jobs to sites • Automated Suspension: – “Fast”: Delays configurable & known in advance – Completely automated: • No human communication delays • Works outside working hours • Uniform response guaranteed • Unbanning also automated: – False positive cost controlled – Uniform state, no suspension left behind HEPiX Spring 2014, Annecy Vincent Brillault 2

  3. Suspension procedures • Old procedure: – Detect something (e.g. BitCoin mining) – Forensics & Analysis of incident – Escalate with other sites if needed – Contact the user & the VO – If malicious activity confirmed, not from user: • Ask all sites to ban the DN • Notify the CA of the potential Certificate compromise HEPiX Spring 2014, Annecy Vincent Brillault 3

  4. Suspension procedures • New procedure: – Detect something – Rapid analysis (check for false positive) – Add the user to the emergency suspension list – Forensics & Analysis of incident – Escalate with other sites if needed – Contact the user & the VO – Remove from suspension list if user recognize activity (e.g. Bitcoin “testing”) or false positive HEPiX Spring 2014, Annecy Vincent Brillault 4

  5. Suspension new procedure • Faster response: – Smaller resource losses – Reduce propagation & escalation risks • Potential false positive: – Initial analysis decreases the probability – Cost: • Depends on list diffusion delays • Configurable/controllable HEPiX Spring 2014, Annecy Vincent Brillault 5

  6. Suspension Infrastructure • Hierarchical infrastructure: – Central servers hosted by CERN – (EGI) Relays hosted by each NGI – (EGI) sites contact only their own NGI • Hierarchical rules: – Central rules: WLCG/EGI/OSG security officers – NGI rules: NGI security officers – Sites rules: Site adminitrators HEPiX Spring 2014, Annecy Vincent Brillault 6

  7. Argus • Old EGEE project • gLExec integration (Argus-PEP) • Argus-PAP: – Local ACLs – Pulls remote rules • Support: – Authors have dropped the project – Future support by INFN HEPiX Spring 2014, Annecy Vincent Brillault 7

  8. Suspension Infrastructure • Privacy (on central list): – x509 authentication – Only accredited clients can get the suspension list • Interoperability: – Argus: soap interface, can be fetched by curl! – Raw YAML list available at CERN (ACL on demand) HEPiX Spring 2014, Annecy Vincent Brillault 8

  9. Monitoring • Delay propagation to Argus nodes: – Special (invalid) DN banned every day – Nagios probe – EGI will monitor NGI Argus nodes • Suspension testing ? – Would require a valid banned DN – Not foreseen in close future HEPiX Spring 2014, Annecy Vincent Brillault 9

  10. Future Potential Evolutions • Propagate Emergency Suspension list to VOs: – Simultaneous automatic suspension on VO side – Protects resources managed by VOs – Redundancy • Kill jobs of suspended users? – Running malicious jobs are currently not killed! – No easy solution with current infrastructure… HEPiX Spring 2014, Annecy Vincent Brillault 10

  11. Questions ? Author/more info 11

  12. Fetching the list • Curl: curl --cacert /etc/grid-security/certificates/CERN-TCA.pem --cert $CERT --key $KEY -H 'SOAPAction: ""' -H "Content-Type: text/xml; charset=utf- 8" -H "Content-type: text/xml; charset=utf-8" -H 'Soapaction:""' -X POST -d '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns2="http://services.pap.authz.glite.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP- ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP- ENV:Header/><ns1:Body><ns2:listPolicies><papAlias>default</papAlias></ns2:listPolicies></ns1:Body></SOAP-ENV:Envelope>' 'https://lcg- argus.cern.ch:8150/pap/services/XACMLPolicyManagementService?wsdl' – XACML output (can be parsed by XML parsers) • Python: – ‘Simple’ solution using soap & xml libs – Ask me the code ;) HEPiX Spring 2014, Annecy Vincent Brillault 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Civil and Administrative Proceedings Fact-based Suspension and Debarment Actions Lauren Lovett,

Civil and Administrative Proceedings Fact-based Suspension and Debarment Actions Lauren Lovett,

2016 Suspension and Debarment Workshop Sponsored by CIGIE and ISDC US Patent &amp; Trademark Office, Alexandria, VA Friday November 18, 2016 Suspension, Debarment and Coordination of Remedies: Effective Lifecycle Communication is the Key

435 views • 22 slides
Suspension Why Should we use Alternatives to Suspension? Heres Why: Suspending kids is

Suspension Why Should we use Alternatives to Suspension? Heres Why: Suspending kids is

Alternatives to Suspension Why Should we use Alternatives to Suspension? Heres Why: Suspending kids is unproductive for academics Some kids get suspended on purpose to get out of work or away from something they do not want to

279 views • 13 slides
Suspension and Debarment and the Acquisition Workforce: What You Need to Know Maria Swaby

Suspension and Debarment and the Acquisition Workforce: What You Need to Know Maria Swaby

U.S. General Services Administration Suspension and Debarment and the Acquisition Workforce: What You Need to Know Maria Swaby Director of Suspension and Debarment (GSA) Danielle Muenzfeld Acquisition Integrity Associate (GSA) Todays

887 views • 56 slides
The Objective A simple and cost-sustainable suspension mechanism, offering a reversible remedy

The Objective A simple and cost-sustainable suspension mechanism, offering a reversible remedy

The Objective A simple and cost-sustainable suspension mechanism, offering a reversible remedy (suspension + lock), without requiring expert appointment in default cases, with sufficient registrant protections that any unwarranted result could be

546 views • 3 slides
Suspension in Early Childhood Programs in Pennsylvania Means for Children with ASD August 8,

Suspension in Early Childhood Programs in Pennsylvania Means for Children with ASD August 8,

Reduce Suspension &amp; Expulsion What Reduction of Expulsion and Suspension in Early Childhood Programs in Pennsylvania Means for Children with ASD August 8, 2018 Tom Wolf, Governor &gt; Pedro A. Rivera, Secretary of Education | Teresa D.

485 views • 22 slides
Example: List filter -&gt; (val ns (List withAll: (1 2 3 4 5))) List( 1 2 3 4 5 ) -&gt; (ns

Example: List filter -&gt; (val ns (List withAll: (1 2 3 4 5))) List( 1 2 3 4 5 ) -&gt; (ns

Example: List filter -&gt; (val ns (List withAll: (1 2 3 4 5))) List( 1 2 3 4 5 ) -&gt; (ns filter: [block (n) ((n mod: 2) = 0)]) List( 2 4 ) Classes codify different forms of data No interrogation about form! Design process still works 1.

412 views • 20 slides
(Hnge- und Spannbandbrcken) 12.05.2020 ETH Zrich | Chair of Concrete Structures and

(Hnge- und Spannbandbrcken) 12.05.2020 ETH Zrich | Chair of Concrete Structures and

Suspension Bridges (Hnge- und Spannbandbrcken) 12.05.2020 ETH Zrich | Chair of Concrete Structures and Bridge Design | Bridge Design 1 Common aspects Suspension bridges Overview Suspension bridges (types of suspension bridges)

819 views • 56 slides
SAE Baja: Concept Generation &amp; Selection Suspension and Steering Benjamin Bastidos, Victor

SAE Baja: Concept Generation &amp; Selection Suspension and Steering Benjamin Bastidos, Victor

SAE Baja: Concept Generation &amp; Selection Suspension and Steering Benjamin Bastidos, Victor Cabilan, Jeramie Goodwin, William Mitchell, Eli Wexler Wednesday, October 30, 2013 Overview Introduction Suspension Concept Designs o

458 views • 22 slides
12-1 Using an Array to Implement a List Space Management: Size vs. Capacity Idea: allocate

12-1 Using an Array to Implement a List Space Management: Size vs. Capacity Idea: allocate

Implementing a List in Java Two implementation approaches are most commonly used for simple lists: CSC 143 Java List via Arrays Linked list Java Interface List&lt;E&gt; concrete classes ArrayList, LinkedList List

510 views • 9 slides
Welcome to the Nordic POA seminar 2016! Practical issues. Emergency escape In case of

Welcome to the Nordic POA seminar 2016! Practical issues. Emergency escape In case of

Welcome to the Nordic POA seminar 2016! Practical issues. Emergency escape In case of emergency, follow List of attendants &amp; badges. Lunch Will be served in the restaurant 12:30-13:30. WiFi pwd: Radisson_Guest

404 views • 12 slides
Simulating and Prototyping a Formula SAE Race Car Suspension System Mark Holveck 01, Rodolphe

Simulating and Prototyping a Formula SAE Race Car Suspension System Mark Holveck 01, Rodolphe

Simulating and Prototyping a Formula SAE Race Car Suspension System Mark Holveck 01, Rodolphe Poussot 00, Harris Yong 00 Progress Report January 6, 2000 MAE 339/439 Advisor: Prof. Bogdonoff Role of a Race Car Suspension System

591 views • 31 slides
In In Sc School hool Su Suspension spension Susquehanna Township High School 2014-2015 In

In In Sc School hool Su Suspension spension Susquehanna Township High School 2014-2015 In

In In Sc School hool Su Suspension spension Susquehanna Township High School 2014-2015 In In-Sc School hool Suspension pension Mrs. Jackie McCoy Mrs. Heather Adams ISS S Exp xpecta ectatio tions ns Respect yourself, the

469 views • 17 slides
An eye on emergency Eye Emergency App 2.0 Emergency Care Institute Leadership Forum 25 th

An eye on emergency Eye Emergency App 2.0 Emergency Care Institute Leadership Forum 25 th

An eye on emergency Eye Emergency App 2.0 Emergency Care Institute Leadership Forum 25 th August 2017 Sarah Jane Waller, Ophthalmology Network Manager Agency for Clinical Innovation @eyes_surg_aci @nswaci True or False? Pirates used

607 views • 12 slides
The Suspension Calculus Andrew Gacek Department of Computer Science University of Minnesota

The Suspension Calculus Andrew Gacek Department of Computer Science University of Minnesota

The Suspension Calculus Andrew Gacek Department of Computer Science University of Minnesota November 2, 2006 Masters Thesis Defense Andrew Gacek The Suspension Calculus Outline Using the Lambda Calculus for Representation 1 The

435 views • 22 slides
Emergency Action Pl ans What should you do in an emergency situation? An Emergency Action Plan

Emergency Action Pl ans What should you do in an emergency situation? An Emergency Action Plan

Emergency Action Pl ans What should you do in an emergency situation? An Emergency Action Plan (EAP ) is a written document required by OSHA. The purpose of an Emergency Action Plan ( EAP) is to facilitate and organize employer and

532 views • 27 slides
Suspension bridge on floating foundations When is the technology ready? Johannes Veie

Suspension bridge on floating foundations When is the technology ready? Johannes Veie

Suspension bridge on floating foundations When is the technology ready? Johannes Veie 22.09.2015 Multispan suspension bridge on floating foundations Introduction Teknologidagene 2015 22/09/2015 + = Multispan suspension bridge on floating

370 views • 22 slides
Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation Defense Bo Tang Committee Members: Dr. Ravi Sandhu, Chair Dr. Kay Robbins Dr. Gregory White Dr. Weining Zhang Dr. Jaehong Park 07/31/2014

539 views • 51 slides
Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed

Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed

Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed Applications Yuri Demchenko SNE Group, University of Amsterdam On behalf of Y. Demchenko, C. de Laat, O. Koeroo, H. Sagehaug MGC 2008 - 6th

488 views • 31 slides
Managing the U. S. CMS HL-LHC Upgrades Vivian ODell, U. S. CMS HL-LHC USCMS Project Manager

Managing the U. S. CMS HL-LHC Upgrades Vivian ODell, U. S. CMS HL-LHC USCMS Project Manager

Managing the U. S. CMS HL-LHC Upgrades Vivian ODell, U. S. CMS HL-LHC USCMS Project Manager February 2, 2016 Director's Review - Managing the U. S. CMS HL-LHC Upgrades V. O'Dell, 2

597 views • 11 slides
Serving Medicaid Beneficiaries Who Need Long-term Services and Supports: Better Outcomes at Lower

Serving Medicaid Beneficiaries Who Need Long-term Services and Supports: Better Outcomes at Lower

Center for Studying Disability Policy Serving Medicaid Beneficiaries Who Need Long-term Services and Supports: Better Outcomes at Lower Costs Presenters Discussant Victoria Peebles, Mathematica Debra Lipson, Mathematica Carol Irvin,

566 views • 53 slides
Report from the Project Manager Bill Boroski Contractor Project Manager Contractor Project

Report from the Project Manager Bill Boroski Contractor Project Manager Contractor Project

Report from the Project Manager Bill Boroski Contractor Project Manager Contractor Project Manager USQCD All-Hands Meeting Brookhaven National Laboratory April 16-17, 2010 Outline Outline Completion of the initial computing project

475 views • 16 slides
ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is

ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is divided into two halves: Basics of

935 views • 51 slides
TEEP BOF Problem Statement draft-liu-opentrustprotocol-usecase IETF 100 th , Singapore IETF 100

TEEP BOF Problem Statement draft-liu-opentrustprotocol-usecase IETF 100 th , Singapore IETF 100

TEEP BOF Problem Statement draft-liu-opentrustprotocol-usecase IETF 100 th , Singapore IETF 100 - TEEP BoF 1 Background Hardware based security is desirable Todays processor technology supports various isolation concepts. Well

344 views • 18 slides
Welcome to: QIA Tutorial: Quality Improvement and LEAN The webinar will begin momentarily! Lean

Welcome to: QIA Tutorial: Quality Improvement and LEAN The webinar will begin momentarily! Lean

Welcome to: QIA Tutorial: Quality Improvement and LEAN The webinar will begin momentarily! Lean Healthcare: Simplify Process, Develop People, Improve Quality March 20, 2018 Welcome/Opening Remarks Jeanine Pilgrim, Quality Improvement Director

238 views • 23 slides

More recommend