ARCHIVED: Security and accounting requirements and recommendations for XSEDE Science Gateways

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The following security requirements and recommendations are intended to help developers and administrators of Extreme Science and Engineering Discovery Environment (XSEDE) Science Gateways prevent and recover from security incidents and accidental misuse of resources:

Requirements

  • If you think your Science Gateway or its community account has been compromised, whether the threat is confirmed or only suspected, notify the XSEDE Help Desk (or call 1-866-907-2383) immediately.
  • Keep your Science Gateway contact information current on the list of current Science Gateways so XSEDE staff can contact you when necessary.
  • Institute a user registry.
  • Include user attributes in community credentials (using GridShib SAML tools).

Recommendations

  • Devise a credential management strategy.
  • Collect accounting statistics.
  • Maintain an audit trail (i.e., keep a Gateway log).
  • Provide the ability to restrict job submissions on a per-user basis.
  • Safeguard and validate programs, scripts, and input.
  • Protect passwords locally and over the network.
  • Use proper precautions for SSH keys without passwords (using SSH keys without passwords is not recommended; if they are stolen, anyone can use them).
  • Perform risk and vulnerability assessment.
  • Perform routine backups.
  • Develop an incident response plan, and review and update it regularly.
  • Establish a contingency plan for disasters and security events that could cause total loss or lockdown of the server.
  • Use a file integrity assessment tool, such as Tripwire or SAMHAIN (both open source), to monitor changes to critical system files.
  • Run a vulnerability scanner, such as Nessus, against your Gateway's operating system and applications to ensure they are properly patched.
  • Use community accounts instead of individual accounts.
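As an added example (not code from XSEDE, Indiana University, or any Science Gateway project), the following Python sketch shows how a gateway's job-submission path can implement several of the recommendations above at once: a user registry, per-user restriction of job submissions, validation of the program and its input, and an append-only audit trail. The application allowlist, the argument character set, the daily quota default and the sample users are constructed assumptions, not XSEDE policy.

```python
"""Added example: a job-submission gate for a Science Gateway that consults a
user registry, validates the requested program and arguments, enforces a
per-user daily quota, and records every decision in an audit log.
All names, limits and sample data here are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json
import re

# Constructed allowlist of applications the gateway may launch through its
# community account; anything else is refused before it reaches the scheduler.
ALLOWED_APPS = {"namd", "lammps", "gromacs"}

# Arguments are limited to a conservative character set so that a user cannot
# smuggle shell metacharacters or whitespace into the generated job script.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.=/-]{1,128}$")


@dataclass
class GatewayUser:
    """One entry in the gateway's user registry."""
    username: str
    email: str
    enabled: bool = True
    max_jobs_per_day: int = 10  # constructed default quota


@dataclass
class JobGate:
    """Registry + per-user restriction + audit trail for job submissions."""
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # one JSON line per event
    submitted: dict = field(default_factory=dict)   # (username, day) -> count

    def _audit(self, event: str, **fields) -> None:
        """Append an audit record; the log is never rewritten, only appended."""
        record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        record.update(fields)
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def register(self, user: GatewayUser) -> None:
        self.users[user.username] = user
        self._audit("register", user=user.username, email=user.email)

    def disable(self, username: str) -> None:
        """Lock a single user out without touching the community account."""
        if username in self.users:
            self.users[username].enabled = False
            self._audit("disable", user=username)

    def _reject(self, username: str, app: str, reason: str):
        self._audit("reject", user=username, app=app, reason=reason)
        return False, reason

    def submit(self, username: str, app: str, args: list, day: str = None):
        """Return (accepted, reason). Every decision, accepted or rejected,
        is logged so an incident can be reconstructed from the gateway log."""
        day = day or datetime.now(timezone.utc).date().isoformat()
        user = self.users.get(username)
        if user is None or not user.enabled:
            return self._reject(username, app, "unknown or disabled user")
        if app not in ALLOWED_APPS:
            return self._reject(username, app, "application not on allowlist")
        bad = [a for a in args if not SAFE_ARG.match(a)]
        if bad:
            return self._reject(username, app, f"invalid argument(s): {bad}")
        key = (username, day)
        if self.submitted.get(key, 0) >= user.max_jobs_per_day:
            return self._reject(username, app, "daily job quota reached")
        self.submitted[key] = self.submitted.get(key, 0) + 1
        self._audit("submit", user=username, app=app, args=args, day=day)
        return True, "accepted"


if __name__ == "__main__":
    gate = JobGate()
    gate.register(GatewayUser("alice", "alice@example.edu", max_jobs_per_day=2))
    print(gate.submit("alice", "namd", ["input.conf"], day="2018-01-18"))
    print(gate.submit("alice", "namd", ["input conf"], day="2018-01-18"))
    print(gate.submit("mallory", "namd", ["input.conf"]))
    print("\n".join(gate.audit_log))
```

Because every path through `submit` ends in `_audit`, the gateway log alone answers the questions an incident responder asks first: which registered user triggered a given community-account job, what program and arguments were requested, and which submissions were refused and why.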

Further information about these recommendations is available under "Security and Accounting for XSEDE gateways" in The Role of the Developer on the XSEDE website.

This document was developed with support from National Science Foundation (NSF) grants 1053575 and 1548562. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.

This is document avwt in the Knowledge Base.
Last modified on 2018-01-18 15:55:28.