Sunday, March 17, 2013

LIGO Wiki Approved for InCommon Research & Scholarship Category

One challenge with federated identity is arranging for attribute release from identity providers, a process that used to involve working with each identity provider (for details see the paper on TeraGrid's federated identity experiences). To address this, InCommon has created the Research and Scholarship Category for service providers. By applying and being approved to be a member of this category, as the LIGO Wiki has done, a service provider gains immediate attribute release from over 40 identity providers in one step. Hence, the Research and Scholarship Category is a key step by InCommon to improve the ease by which cyberinfrastructure can leverage identity federation.

Thursday, March 14, 2013

OSG article on their use of Pakiti to manage patching

An important part of operating a trustworthy cyberinfrastructure software stack is managing security patches for that software. Kevin Hill of the OSG Security team wrote an article in the February OSG Newsletter on OSG's use of Pakiti. Kevin's article follows (republished with permission).

Introducing Patiki

Pakiti is a Web-based application you can set up for your site that summarizes the patching status of machines at your site. Pakiti also knows about security specific updates, and can show which systems need security updates vs. other software updates, as well as link to the relevant CVEs to easily see which vulnerabilities apply to your systems and how critical these vulnerabilities are. CVE (Common Vulnerabilities and Exposure) is a dictionary of publicly known information security vulnerabilities and exposures kept by Pakiti does not install any updates itself.

Pakiti was developed at CERN, and is now available in the OSG v3 software release. The OSG security team has been running a central Pakiti server to monitor a few different hosts at various sites, and now any OSG site can set up their own Pakiti server without making their sites’ vulnerability information available off site. The Pakiti client that is installed on monitored systems is a simple bash script that should not interfere with normal operations. The data sent to your site's Pakiti server is essentially the output of 'rpm -qa', as well as the operating system release version.

The Pakiti homepage is OSG-specific installation instructions are available at:

~Kevin Hill, OSG Security Team

Friday, March 8, 2013

OSG All Hands Meeting, DOE NGNS PI Meeting, Talk at ISI

I will be at the OSG All Hands Meeting next week presenting the OSG's work in establishing a new public key infrastructure. The following week I'll be at the DOE NGNS PI meeting and then visiting ISI where I'll be giving a talk on CTSC (details to come).

If you'd like to meet with me at any of those venues about CTSC or any of my work, please drop me an email.

                                   - Von