Detonator scans for self-managed machines

  1. Go through the SM164, SM197 and Wire T scans to identify red/amber warnings.
  2. Run scans on the individual IPs where such warnings are found and produce a report.
  3. Identify a named person responsible for each IP scanned above and ensure the machine is allocated correctly in the inventory.
  4. Contact these individuals by sending them a copy of the report and explain that we require a timely response. It will also need to be explained to them that failure to respond may result in us taking suitable action, e.g. closing firewall holes.
  5. Confirm with individuals which OS they are running, that regular security patches are applied and which URLs are hosted. If machines are not being suitably maintained, we should give a reasonable time for this to be corrected but explain to individuals that we may have to take suitable action.
  6. Update Detonator Reports.
  7. Once an explanation/resolution has been received, update the Detonator website.
  8. If a response is not received, prompt the named user.
    1. If a response is not received in a reasonable period, escalate to HoC.
    2. If a response is still not received in a reasonable period, HoC will escalate further.
  9. Once contact has been made with the users of machines with red/amber warnings, identify contacts for machines with green warnings to complete the contact list.
  10. For existing firewall holes, add an ipfilter.contact resource.

Firewall hole requests

  • Confirm what it is needed for and whether it can be restricted to a specific range.
  • Ensure that there is an RT ticket created to record decisions/progress.
  • Pass the request to RAT for initial consideration. They are best placed to assess the user's requirements.
  • If necessary, Inf Unit can provide advice on the mechanism for opening/restricting firewall holes.
  • If RAT suggest an alternative solution, contact the user with explanation and proposed solution.
    1. If the user still feels that the hole is required, escalate to HoC.
  • If the firewall hole is opened:
    1. Explain to the requestor that the machine will be scanned.
    2. Explain that, as a minimum, security updates must be applied.
    3. Confirm the name of the person responsible for the machine and explain that they must respond to scan results.
    4. Explain that we must be told of change of responsibility.
    5. If the firewall hole relates to resources served via named URL(s):
      1. Confirm which URLs are to be hosted (an additional ipfilter resource could be used to record this).
      2. Explain that we must be told of additional URLs.
  • Once hole is opened follow review procedures.

-- AlisonDownie - 16 Jan 2014

Topic revision: r6 - 08 Sep 2014 - 13:34:32 - GrahamDutton