pakiti patching status system
play

Pakiti Patching Status System Michal Prochzka OSCT F2F Meeting - - PowerPoint PPT Presentation

Mar 24, 2024 •349 likes •596 views

Enabling Grids for E-sciencE Pakiti Patching Status System Michal Prochzka OSCT F2F Meeting - Amsterdam www.eu-egee.org INFSO-RI-508833 History Enabling Grids for E-sciencE Yumit Written by Steve Traylen (RAL) Client has to

  1. Enabling Grids for E-sciencE Pakiti – Patching Status System Michal Procházka OSCT F2F Meeting - Amsterdam www.eu-egee.org INFSO-RI-508833

  2. History Enabling Grids for E-sciencE • Yumit – Written by Steve Traylen (RAL) – Client has to have root privileges • Pakiti v1.0 – Improved Yumit by Romain Wartel • Pakiti v2.0 – Re-scoped the tool to focus on security patches – Support for OVAL data – Client does not need root privileges • Pakiti v2.1 – Current version • Future: Pakiti v3.0 INFSO-RI-508833 OSCT F2F Amsterdam 2

  3. Pakiti v2.1 Overview Enabling Grids for E-sciencE • Provides information about – Installed packages and theirs versions on the monitored hosts – If the installed packages are up to date – List of vulnerabilities of the concrete package version – Package that represents currently running kernel INFSO-RI-508833 OSCT F2F Amsterdam 3

  4. Vulnerabilities Definition Sources Enabling Grids for E-sciencE • OS Repositories – Each Linux OS vendor maintains package repositories – It contains the most recent version of the packages – Some are distinguished as security, updates, extra repositories • OVAL Definitions – Language using XML for describing the conditions, when a vulnerability (CVE) is applicable on the host system – RedHat, SuSE, Sun Solaris currently publishes OVAL – Format is not identical across different OS vendors – More info at http://oval.mitre.org INFSO-RI-508833 OSCT F2F Amsterdam 4

  5. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 5

  6. Server internals Enabling Grids for E-sciencE • Server receives the list of installed packages from the host • Checks whether the host reporting right hostname (based on IP) • Stores list of installed packages in the DB Do not store *-doc, *-dev/devel and user selected packages – • If asynchronous mode is disabled, then checks each package during reporting, if it is up to date • If the client requests reporting, then the list of outdated packages is sent back to the client • In asynchronous mode, packages are checked using script recalculate_vulnerabilities.php (can be run by the cron) • The script recalculates only affected hosts INFSO-RI-508833 OSCT F2F Amsterdam 6

  7. Server Capabilities Enabling Grids for E-sciencE • Support for Oses using dpkg and rpm (APT, RPM repositories) • Checks hosts packages against OS vendor repositories • Checks RH based system against RH OVAL definitions • Selects package, that represents running kernel • Shows when the host reported for the last time • Compute statistics for the host and domain • Uses dpkg and rpm cmp function ported to the PHP • Grouping hosts by the domain, TLD and tag • Searching hosts by installed package • Searching hosts by concrete CVE • Anonymous view on the concrete domain results INFSO-RI-508833 OSCT F2F Amsterdam 7

  8. Pakiti Client Enabling Grids for E-sciencE • Simple bash script • Transfers data over HTTPs – Openssl or Curl can be used • Can be run in various ways – Crontab job – Nagios/SAM probe • Bash script is configurable – Build-in configuration – Or separate configuration file /etc/pakiti2/pakiti2-client.conf INFSO-RI-508833 OSCT F2F Amsterdam 8

  9. Pakiti Client Configuration Enabling Grids for E-sciencE servers_name = pakiti.server.com:443 pakiti2.server.com:8443 # CA Path, where is located certificate of the CA which issued SSL certificate for the Pakiti server ca_certificate = /etc/grid-security/certificates # The client certificate and the key #host_cert = /etc/ssl/host.pem # Connection method: 'curl' or 'openssl' (default) or 'stdout' connection_method = openssl openssl_path = /usr/bin/openssl #curl_path = /usr/bin/curl # Put something small that can identify your site/host/team, without spaces. tag = TEST # Does the client should report back the list of packages needs upgrade?# (default 0 - off) report = 1 INFSO-RI-508833 OSCT F2F Amsterdam 9

  10. Pakiti Server Configuration Enabling Grids for E-sciencE ● Interesting options ● store_devel_packages ● store_doc_packages ● ignore_packages_list ● anonymous_links ● anonymous_link_lifetime ● ext_pages_outdated ● asynchronous_mode INFSO-RI-508833 OSCT F2F Amsterdam 10

  11. Production Enabling Grids for E-sciencE ● Pakiti v2.1 runs on the EGEE ● https://pakiti.cern.ch (restricted access) ● Currently monitors around 1200 hosts per day ● The test is executed by the SAM probe ● Hosts are purged every day, because SAM probes land on a different hosts of the sites ● Before the hosts are purged, the backup is made ● Server runs in synchronous mode, the processing of one host takes from 0,5s to 12s, depends on the number of hosts, which reporting at the same time ● It provides only representative sample, we assume that the clusters are homogeneous, which isn't always true ● Christos tested successfully Nagios probes INFSO-RI-508833 OSCT F2F Amsterdam 11

  12. Other Installations Enabling Grids for E-sciencE ● MetaCentrum – Czech National Grid Infrastructure ● Approximately 1000 hosts are monitored ● Fermilab ● Approximately 1900 hosts are monitored ● Department of Particle Physics, University of Oxford ● Using Pakiti 1.0.1 – 140 hosts ● Currently migrating to the Pakiti 2.1 ● OSG, FZK, ... INFSO-RI-508833 OSCT F2F Amsterdam 12

  13. Pakiti v3 Enabling Grids for E-sciencE ● Transaction DB ● New DB scheme – faster operations ● Configurable OVAL parser ● ACL ● History ● More reporting and statistical views ● Notifications ● We have prototype of the v3 ● The design and prototype were made by: me:-), Daniel, Christos and Karol Pogonowski INFSO-RI-508833 OSCT F2F Amsterdam 13

  14. Open Problems Enabling Grids for E-sciencE • Client authentication • Hierarchy of the Pakiti servers INFSO-RI-508833 OSCT F2F Amsterdam 14

  15. Enabling Grids for E-sciencE Demo INFSO-RI-508833 OSCT F2F Amsterdam 15

  16. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 16

  17. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 17

  18. Anonymous Links Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 18

  19. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 19

  20. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 20

  21. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 21

  22. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 22

  23. Enabling Grids for E-sciencE INFSO-RI-508833 OSCT F2F Amsterdam 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PAKITI Patching Status System A Race for Security: Identifying Vulnerabilities on 50 000 Hosts

PAKITI Patching Status System A Race for Security: Identifying Vulnerabilities on 50 000 Hosts

EGI-InSPIRE PAKITI Patching Status System A Race for Security: Identifying Vulnerabilities on 50 000 Hosts Faster then Attackers Michal Prochzka 1 , Daniel Kouil 1 , Romain Wartel 2 , Christos Kanellopoulos 3 , Christos Triantafyllidis 3 1

444 views • 21 slides
Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Introduction Background information SNE Research Project 2 Kernel patching Evaluation Android patching from the MDM Proof of concept Android patching From a Mobile Device Management perspective Cedric Van Bockhaven cbockhaven@os3.nl

466 views • 20 slides
User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira (formerly at) SUSE Labs joao.moreira@lsc.ic.unicamp.br Software has bugs, and bugs have to be fixed + security issues + execution degradation + undefined

941 views • 46 slides
Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology E-mail: geoffrey.patching@psy.lu.se The Bayes Factor The Bayes factor ( BF ) is the likelihood ratio of the evidences given the hypotheses ! # | % !

601 views • 13 slides
Reference management using Zotero System 1: Printout System 1: Status update System 2: PDFs in

Reference management using Zotero System 1: Printout System 1: Status update System 2: PDFs in

Reference management using Zotero System 1: Printout System 1: Status update System 2: PDFs in folders System 3: EndNote System 4: JabRef My requirements Free of cost Cross-platform Tagging w/ topics Opensource Taking

389 views • 10 slides
Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara Katz, RN, MSN President, BK Healthcare Consulting, LLC www.bkhealthconsulting.com Learning

596 views • 32 slides
PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success

PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success

Cyber Security | Compliance | Industrial Computing PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success of our customers by developing innovative technology solutions that optimize and protect

557 views • 37 slides
Federal Aviation Administration Overview Wide Area Augmentation System (WAAS) Status

Federal Aviation Administration Overview Wide Area Augmentation System (WAAS) Status

Federal Aviation Administration Overview Wide Area Augmentation System (WAAS) Status Local Area Augmentation System (LAAS) Status Automated Dependent Surveillance Broadcast (ADS-B) Status eLoran Royal Institute of Navigation

460 views • 30 slides
The CBM Experiment at FAIR and its Silicon Tracking System status of development

The CBM Experiment at FAIR and its Silicon Tracking System status of development

The CBM Experiment at FAIR and its Silicon Tracking System status of development Compressed Baryonic Matter Status of experiment preparation Silicon Tracking System Johann M. Heuser GSI Helmholtz Center for Heavy Ion Research,

647 views • 50 slides
Restructuring Scientific Software using Semantic Patching with Coccinelle Michele MARTONE

Restructuring Scientific Software using Semantic Patching with Coccinelle Michele MARTONE

Restructuring Scientific Software using Semantic Patching with Coccinelle Michele MARTONE Leibniz Supercomputing Centre Garching bei M unchen, Germany Potsdam, de-RSE Conference June 4, 2019 (@LRZ.de) 1 / 57 Description de-RSE@Potsdam,

854 views • 64 slides
An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim

An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim

An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim Hartley, Foivos Zakkak, first.last@manchester.ac.uk Christos Kotselidis, Mikel Lujan MPLR19 2019-10-22 Call-Sites Direct branching Indirect

266 views • 15 slides
Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue University / CERIAS 09/20/12 Dannie Stanley Rick Porter Shane Snyder Zhui Deng Systems & Security Research CERDEC Applied Communication

434 views • 39 slides
Collaboratively Patching Linked Data A Patch Repository for Linked Datasets Magnus Knuth,

Collaboratively Patching Linked Data A Patch Repository for Linked Datasets Magnus Knuth,

Collaboratively Patching Linked Data A Patch Repository for Linked Datasets Magnus Knuth, Johannes Hercher, and Harald Sack Hasso Plattner Institute, University of Potsdam USEWOD Workshop @ WWW 2012 April 17, 2012 - Lyon, France Outline 2

325 views • 13 slides
Current system status Wetherell: 23 GL Pamamaroo: 74 GL Total storage: 97 GL Active

Current system status Wetherell: 23 GL Pamamaroo: 74 GL Total storage: 97 GL Active

Current system status Wetherell: 23 GL Pamamaroo: 74 GL Total storage: 97 GL Active Lower Darling Storage volume: 66 GL Copi Hollow: 10.2 GL Menindee, Cawndilla and Tandure active storage exhausted Current system status

194 views • 7 slides
IT Project status Summary 1. What was the situation of the FEI IT System prior to mid 2010 ?

IT Project status Summary 1. What was the situation of the FEI IT System prior to mid 2010 ?

13/12/2011 IT Project status Summary 1. What was the situation of the FEI IT System prior to mid 2010 ? 2. What has been done since ? 3. Improve user experience: FEI web site 4. FEI Entry System project FEI IT Project status - 10/12/2011

720 views • 8 slides
ADVANCED ACCESS ADVANCED ACCESS CONTENT SYSTEM CONTENT SYSTEM (AACS) (AACS) AACS Status

ADVANCED ACCESS ADVANCED ACCESS CONTENT SYSTEM CONTENT SYSTEM (AACS) (AACS) AACS Status

ADVANCED ACCESS ADVANCED ACCESS CONTENT SYSTEM CONTENT SYSTEM (AACS) (AACS) AACS Status Update Presented to BDA CPG November 7, 2013 Topics to be discussed Topics to be discussed AACS Status AACS Status Key Generation Facility Key

404 views • 27 slides
Defined Benefit Advice CP19/25 Stockport September 2019 This information is for UK financial

Defined Benefit Advice CP19/25 Stockport September 2019 This information is for UK financial

Classification: Public Defined Benefit Advice CP19/25 Stockport September 2019 This information is for UK financial advisers only and should Not be distributed to or relied upon by another person. Classification: Public KEY LEARNING

509 views • 49 slides
SAMAGRA VEDIKA -- TELANGANAS INTEGRATED PLATFORM Using Big data, ML, Graph data base FOR

SAMAGRA VEDIKA -- TELANGANAS INTEGRATED PLATFORM Using Big data, ML, Graph data base FOR

SAMAGRA VEDIKA -- TELANGANAS INTEGRATED PLATFORM Using Big data, ML, Graph data base FOR BETTER CITIZEN SERVICE DELIVERY AND TRANSPARENCY, ACCOUNTABLE AND EFFICIENT GOVERNANCE ITE&C DEPARTMENT GOVERNMENT OF TELANGANA Few of ew of the

1.16k views • 26 slides
Britvic plc Gerald Corbett Chairman Agenda Financial performance John Gibney Britvic and the

Britvic plc Gerald Corbett Chairman Agenda Financial performance John Gibney Britvic and the

Interim results 2012 Britvic plc Gerald Corbett Chairman Agenda Financial performance John Gibney Britvic and the market review Paul Moody Group Finance Director John Gibney Group performance +1.7% (6.9)% (60)bps (8.7)% +26.6%

735 views • 40 slides
AMNT Members Survey 2017 Current Overview No. of Members = 715 ( 10% increase since Aug.16 )

AMNT Members Survey 2017 Current Overview No. of Members = 715 ( 10% increase since Aug.16 )

AMNT Members Survey 2017 Current Overview No. of Members = 715 ( 10% increase since Aug.16 ) Pension Schemes represented = 516 Pension schemes in value = 682bn Respondents to Survey = 185 (prev. = 119) RepresenKng 1.26b (prev. = 113.5bn) A

508 views • 12 slides
Risky Business: Ignore the UK Pensions Regulator at Your Peril May 30, 2012 Philip Sutton ,

Risky Business: Ignore the UK Pensions Regulator at Your Peril May 30, 2012 Philip Sutton ,

Risky Business: Ignore the UK Pensions Regulator at Your Peril May 30, 2012 Philip Sutton , Partner +44 121 222 3541 philip.sutton@squiresanders.com Stephen D. Lerner , Partner +1 513 361 1220 Stephen.lerner@squiresanders.com Sandra E.

296 views • 28 slides
and Families SFY 2019 Budget Presentation Presented by: Ken Schatz, Commissioner February 7,

and Families SFY 2019 Budget Presentation Presented by: Ken Schatz, Commissioner February 7,

Department for Children and Families SFY 2019 Budget Presentation Presented by: Ken Schatz, Commissioner February 7, 2018 Ag Agen ency of of Hu Human Ser Servic ices, FY 2019 SUMMARY & HIGHLIGHTS De Department for or Child

442 views • 30 slides
Enable Midstream Partners, LP Fourth Quarter 2019 Conference Call February 19, 2020

Enable Midstream Partners, LP Fourth Quarter 2019 Conference Call February 19, 2020

Enable Midstream Partners, LP Fourth Quarter 2019 Conference Call February 19, 2020 Forward-looking Statements Some of the information in this presentation may contain forward-looking statements. Forward-looking statements give our current

352 views • 24 slides
Implementation of the Youth Assessment and Screening Instrument (YASI) in Wisconsin Devon Lee

Implementation of the Youth Assessment and Screening Instrument (YASI) in Wisconsin Devon Lee

1 Implementation of the Youth Assessment and Screening Instrument (YASI) in Wisconsin Devon Lee DCF Bureau of Youth Services WI SPD Annual Conference November 8, 2019 2 Presentation Overview 1. Research Evidence and Reasons for adopting a

461 views • 34 slides

More recommend