imagetrust-policy.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % sharedents SYSTEM "shared-entities.xml" >
%sharedents;
]>
<chapter id="imagetrust-policy">
<info>
<author>
<firstname>David</firstname>
<surname>Kelsey</surname>
</author>
</info>
<title>Policy on the Endorsement of a &vmi;</title>
<para>The master copy of this document can be found at <ulink url="https://edms.cern.ch/document/1080777">https://edms.cern.ch/document/1080777</ulink>.</para>
<para>This copy of the document was taken from Draft v1.4b, written on 21 May 2010.</para>
<section id="imagetrust-policy-intro">
<title>Introduction</title>
<para>This document describes the security-related policy requirements for the generation and endorsement of a
trusted &vmi; for use on the Grid.</para>
<para>The aim is to enable Grid Sites to trust and instantiate endorsed VM images that have been generated
elsewhere.</para>
<para>The virtualisation model addressed here is the use of virtual Grid worker nodes that act in a similar way
to real worker nodes. Virtualisation provides an efficient way of managing different configurations of
worker node, e.g. the operating system used, and importantly different pre-configured application
environments for the &vo;s. The model addressed here, therefore, simply provides a different way of
running authorized &vo; work, transparent to the end user, exactly the same as if the user payload was
running on a real worker node. There should be no need to place more restrictions on virtual worker
nodes running endorsed images as defined by this policy, than on real worker nodes in terms of access to
trusted local services at the site.</para>
<para>This policy does not compel Sites to instantiate images endorsed in accordance with this policy nor limit
the rights of a Site to decide to instantiate a VM image generated by any other non-compliant procedures,
should they so desire. The Site is still bound by all applicable Grid security policies and is required to
consider the security implications of such an action on other Grid participants.</para>
</section>
<section id="imagetrust-policy-definitions">
<title>Definitions</title>
<para>The following terms are defined.</para>
<itemizedlist>
<listitem><para><emphasis>VM base image:</emphasis> A VM image, including a complete operating system and all general
middleware, libraries, compilers, programmes and utilities. All kernel and root-level
configurations, including any that may be &vo;-specific, are included here.</para></listitem>
<listitem><para><emphasis>&vo; environment:</emphasis> The &vo;-specific middleware, application software, libraries, utilities, data
and configuration which may be necessary to provide the appropriate environment for use by
members of a &vo;. No kernel modifications or root-level configurations are included here.</para></listitem>
<listitem><para><emphasis>VM complete image:</emphasis> The VM image resulting from the combination of the VM base image and
the &vo; environment (if any).</para></listitem>
<listitem><para><emphasis>Globally Unique Identifier:</emphasis> A unique identifier for a VM complete image.</para></listitem>
<listitem><para><emphasis>Endorser:</emphasis> An individual who confirms that a particular VM complete image has been produced
according to the requirements of this policy and states that the image can be trusted.</para></listitem>
</itemizedlist>
</section>
<section id="imagetrust-policy-requirements">
<title>Policy Requirements</title>
<para>An Endorser should be one of a limited number of authorised and trusted individuals appointed either by
a &vo; or a Site. The appointing &vo; or Site must assume responsibility for the actions of the Endorser and
must ensure that he/she is aware of the requirements of this policy.</para>
<section>
<title>Policy Requirements on the Endorser</title>
<para>By acting as an Endorser you agree to the conditions laid down in this document and other referenced
documents, which may be revised from time to time.</para>
<orderedlist numeration="arabic">
<listitem>
<para>You are held responsible by the Grid and by the Sites for checking and confirming that a VM
complete image has been produced according to the requirements of this policy and that there is
no known reason, security-related or otherwise, why it should not be trusted.</para>
</listitem>
<listitem>
<para>You recognise that VM base images, &vo; environments and VM complete images must be
generated according to current best practice, the details of which may be documented elsewhere
by the Grid. These include but are not limited to:
</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Any image generation tool used must be fully patched and up to date;</para>
</listitem>
<listitem>
<para>All operating system security patches must be applied to all images and be up to date;</para>
</listitem>
<listitem>
<para>Images are assumed to be world-readable and as such must not contain any confidential
information;</para>
</listitem>
<listitem>
<para>There should be no installed accounts, host/service certificates, ssh keys or user
credentials of any form in an image;</para>
</listitem>
<listitem>
<para>Images must be configured such that they do not prevent Sites from meeting the fine-grained
monitoring and control requirements defined in the Grid Security Traceability and Logging
policy, to allow for security incident response;</para>
</listitem>
<listitem>
<para>The image must not prevent Sites from implementing local authorisation and/or policy
decisions, e.g. blocking the running of Grid work for a particular user.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>You must disclose to the Grid or to any Site on request the procedures and practices you use for
checking and endorsing images.</para>
</listitem>
<listitem>
<para>You must provide and maintain an up-to-date, digitally signed list of your currently endorsed
images, together with the metadata relating to each VM image as defined in the VM Image
Catalogue document.</para>
</listitem>
<listitem>
<para>You must keep an auditable history of every image endorsed, including the Globally Unique
Identifier, the date/time of generation and the full list of OS/packages/versions in both the VM Base
Image and the &vo; Environment. This must be made available to Sites on demand.</para>
</listitem>
<listitem>
<para>You must remove images from the approved list whenever a problem is found, e.g. a new
security update is required. This removal must also be recorded locally in your auditable history.</para>
</listitem>
<listitem>
<para>You are responsible for handling all problems related to the inclusion of any licensed software in
a VM image. You shall ensure that any software included in a VM image, when used for its
intended purposes, complies with the applicable license conditions, and you shall hold the Site
running the image free and harmless from any liability with respect thereto.</para>
</listitem>
<listitem>
<para>You must assist the Grid in security incident response and must have a security vulnerability
assessment process in place.</para>
</listitem>
<listitem>
<para>You recognise that the Grid, the Sites and/or the &vo;s reserve the right to block any endorsed
image or to terminate any instance of a &vm; and its associated user workload for
administrative, operational or security reasons.</para>
</listitem>
<listitem>
<para>You recognise that if a Site runs an image which no longer appears on your list of endorsed
images, you are not responsible for any consequences of this beyond the time of your
removal of the image from the list.</para>
</listitem>
</orderedlist>
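<para>As an added example (not part of the policy document or of any project it describes), the following Go program implements the kind of pre-endorsement check that items c and d of requirement 2 call for: it walks an image tree that has been mounted or extracted under a directory and flags installed interactive accounts, usable password fields in <filename>etc/shadow</filename>, <filename>authorized_keys</filename> files, host certificate and key files under <filename>etc/grid-security/</filename>, and any file carrying PEM private key material. The <filename>etc/grid-security/</filename> location, the UID 1000 boundary for non-system accounts and the sample tree that <function>BuildSampleImage</function> writes are assumptions made for the example, not values taken from the policy.</para>
<programlisting><![CDATA[
```go
package main

import (
	"bytes"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Finding is one policy violation found in the image tree.
type Finding struct{ Kind, Path, Note string }

// ScanImage walks an image filesystem mounted or extracted at root and reports
// artifacts that must not be present in a world-readable image.
func ScanImage(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		rel = filepath.ToSlash(rel)
		switch base := filepath.Base(p); {
		case base == "authorized_keys":
			out = append(out, Finding{"ssh-authorized-keys", rel, "pre-authorises an external ssh key"})
		case strings.HasPrefix(rel, "etc/grid-security/") && (base == "hostcert.pem" || base == "hostkey.pem"):
			// assumed location of host credentials; adjust for the site's layout
			out = append(out, Finding{"host-certificate", rel, "host credential baked into the image"})
		case rel == "etc/shadow":
			out = append(out, shadowFindings(p)...)
		case rel == "etc/passwd":
			out = append(out, passwdFindings(p)...)
		default: // any other small file: look for PEM private key material
			if info, err := d.Info(); err == nil && info.Size() <= 64*1024 {
				if data, err := os.ReadFile(p); err == nil && bytes.Contains(data, []byte("PRIVATE KEY-----")) {
					out = append(out, Finding{"private-key", rel, "PEM private key material"})
				}
			}
		}
		return nil
	})
	return out, err
}

// fields returns the colon-separated fields of each line of a passwd/shadow-style file.
func fields(p string) (rows [][]string) {
	data, _ := os.ReadFile(p)
	for _, t := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		rows = append(rows, strings.Split(t, ":"))
	}
	return rows
}

// shadowFindings flags every account whose password field is not locked ("*" or
// "!..."): a hash is a user credential, an empty field is a passwordless login.
func shadowFindings(p string) (out []Finding) {
	for _, f := range fields(p) {
		if len(f) >= 2 && f[1] != "*" && !strings.HasPrefix(f[1], "!") {
			out = append(out, Finding{"account-password", "etc/shadow", "account " + f[0] + " has a usable password field"})
		}
	}
	return out
}

// passwdFindings flags interactive non-system accounts. UID >= 1000 as the boundary is
// the usual distribution convention and an assumption here; nobody and nologin/false shells are skipped.
func passwdFindings(p string) (out []Finding) {
	for _, f := range fields(p) {
		if len(f) < 7 {
			continue
		}
		if uid, err := strconv.Atoi(f[2]); err == nil && uid >= 1000 && uid != 65534 && !strings.HasSuffix(f[6], "nologin") && !strings.HasSuffix(f[6], "false") {
			out = append(out, Finding{"user-account", "etc/passwd", "installed account " + f[0] + " (uid " + f[2] + ")"})
		}
	}
	return out
}

// BuildSampleImage writes a small constructed image tree (not a real image) that
// contains the kinds of artifact the policy forbids, plus one harmless file.
func BuildSampleImage(root string) error {
	files := map[string]string{
		"etc/passwd":                     "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/:/sbin/nologin\nalice:x:1000:1000::/home/alice:/bin/bash\n",
		"etc/shadow":                     "root:*:18000:0:99999:7:::\nnobody:!!:18000:0:99999:7:::\nalice:$6$constructed$notarealhash:18000:0:99999:7:::\n",
		"root/.ssh/authorized_keys":      "ssh-ed25519 AAAAC3constructed alice@laptop\n",
		"root/.ssh/id_ed25519":           "-----BEGIN OPENSSH PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END OPENSSH PRIVATE KEY-----\n",
		"etc/grid-security/hostcert.pem": "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n",
		"etc/grid-security/hostkey.pem":  "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n",
		"usr/bin/true":                   "#!/bin/sh\nexit 0\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}
```
]]></programlisting>
<para>Run against the constructed tree, the scan reports six findings: the alice account and its password hash, the <filename>authorized_keys</filename> file, the ssh private key, and both host credential files; the harmless script produces nothing. Each match is a reason not to endorse the image until the artifact has been removed, since anything left in the image is readable by every Site that instantiates it.</para>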
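<para>As an added example (not part of the policy document or of any project it describes), the following Go program shows one way an Endorser could meet requirements 4, 5 and 6 above and a Site could act on them: the Endorser keeps an append-only audit history, publishes a digitally signed (ed25519) list of endorsed images keyed by Globally Unique Identifier, and records removals; the Site verifies the signature under the Endorser's public key, rejects a stale list, and only then looks the image up. The JSON layout, the <structname>ImageRecord</structname> fields, the freshness window and the sample GUID are assumptions made for the example; the real metadata set is defined in the VM Image Catalogue document, which this page does not include.</para>
<programlisting><![CDATA[
```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// ImageRecord is the per-image metadata the Endorser publishes. The field set is an
// assumption; the policy defers the real definition to the VM Image Catalogue document.
type ImageRecord struct {
	GUID      string   `json:"guid"`      // Globally Unique Identifier
	Generated string   `json:"generated"` // date/time of generation, RFC 3339
	Packages  []string `json:"packages"`  // OS/packages/versions in base image and VO environment
}

type EndorsedList struct {
	Endorser string        `json:"endorser"`
	Issued   string        `json:"issued"`
	Images   []ImageRecord `json:"images"`
}

type SignedList struct {
	Payload   []byte // canonical JSON of an EndorsedList
	Signature []byte // ed25519 signature over exactly those bytes
}

// AuditEntry is one line of the Endorser's auditable history.
type AuditEntry struct{ When, Action, GUID, Reason string }

// Endorser holds the signing key (Sites receive Pub out of band), the live image set and the history.
type Endorser struct {
	name    string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	images  map[string]ImageRecord
	History []AuditEntry
}

func NewEndorser(name string) (*Endorser, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endorser{name: name, priv: priv, Pub: pub, images: map[string]ImageRecord{}}, nil
}

func (e *Endorser) Endorse(rec ImageRecord, now time.Time) {
	e.images[rec.GUID] = rec
	e.History = append(e.History, AuditEntry{now.UTC().Format(time.RFC3339), "endorse", rec.GUID, ""})
}

// Remove withdraws an image (e.g. a security update is now required) and records the removal itself.
func (e *Endorser) Remove(guid, reason string, now time.Time) {
	delete(e.images, guid)
	e.History = append(e.History, AuditEntry{now.UTC().Format(time.RFC3339), "remove", guid, reason})
}

// Publish serialises the current list, sorted by GUID so the bytes are
// canonical, and signs those exact bytes.
func (e *Endorser) Publish(now time.Time) (SignedList, error) {
	list := EndorsedList{Endorser: e.name, Issued: now.UTC().Format(time.RFC3339), Images: []ImageRecord{}}
	for _, r := range e.images {
		list.Images = append(list.Images, r)
	}
	sort.Slice(list.Images, func(i, j int) bool { return list.Images[i].GUID < list.Images[j].GUID })
	payload, err := json.Marshal(list)
	if err != nil {
		return SignedList{}, err
	}
	return SignedList{Payload: payload, Signature: ed25519.Sign(e.priv, payload)}, nil
}

// SiteCheck is the Site-side gate before instantiating an image: the signature must
// verify under the Endorser's known key, the list must be fresh (a stale cached copy
// would keep trusting an image the Endorser has since removed) and the GUID must be on it.
func SiteCheck(pub ed25519.PublicKey, sl SignedList, guid string, maxAge time.Duration, now time.Time) (ImageRecord, error) {
	if !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return ImageRecord{}, fmt.Errorf("endorsed list: signature does not verify")
	}
	var list EndorsedList
	if err := json.Unmarshal(sl.Payload, &list); err != nil {
		return ImageRecord{}, err
	}
	if issued, err := time.Parse(time.RFC3339, list.Issued); err != nil || now.Sub(issued) > maxAge {
		return ImageRecord{}, fmt.Errorf("endorsed list issued %q is unparseable or older than %s", list.Issued, maxAge)
	}
	for _, r := range list.Images {
		if r.GUID == guid {
			return r, nil
		}
	}
	return ImageRecord{}, fmt.Errorf("image %s is not on the endorsed list", guid)
}
```
]]></programlisting>
<para>A typical flow is <function>NewEndorser</function>, <function>Endorse</function>, <function>Publish</function> on the Endorser side and <function>SiteCheck</function> on the Site side; after <function>Remove</function> and a fresh <function>Publish</function>, the same image is rejected and the history shows both the endorsement and the removal with its reason. The freshness window matters for requirement 10: once the Endorser has removed an image, a Site that keeps running it from an old cached list does so on its own responsibility, so the Site should refuse a list older than the interval it expects the Endorser to republish.</para>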
</section>
</section>
</chapter>