Closed Bug 1459256 Opened 7 years ago Closed 5 years ago

The de-duplication of the EIS runbooks

Categories

(Security Assurance :: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: michalpurzynski1, Assigned: weir)

Details

As agreed on May 4, in a MOC-EIS meeting, we need to do some de-duplication of runbooks and ideally have them shared between the MOC and the EIS. What would you say, if those lived in the MOC space exclusively? Let's get a list of runbooks here and decide on them, one by one.
Assignee: nobody → asmith
Status: NEW → ASSIGNED
Thanks for creating this, michal`! This was a recent one I bumped into: https://mana.mozilla.org/wiki/display/MOC/Open+Port+Policy+Violation+Alert+Runbook https://mana.mozilla.org/wiki/display/SECURITY/Open+Port+Policy+Violation And for the foxsignal escalation on 4/13 from Jen Simmons, we found that there are several escalation/process docs scattered about mana on the purpose/function/handling of notifications coming through that email. Of note is ensuring that all these places indicate that this also pages the MOC via PagerDuty, so replies including foxsignal can make things pretty noisy for the On-Call.
Our process is defined that anything escalated to MOC must have a runbook, so nothing should be sent to MOC that doesn't already have a runbook and escalation process defined. If it is, then our process is broken. Specific things in the Security space are for EIS engineers, while runbooks in the MOC space are for MOC escalation.
(In reply to Michal Purzynski [:michal`] (use NEEDINFO) from comment #2)
> Seems to be fine
>
> https://mana.mozilla.org/wiki/display/MOC/Open+Port+Policy+Violation+Alert+Runbook
> https://mana.mozilla.org/wiki/display/MOC/MFA+Decline+Alerts+Runbook
> https://mana.mozilla.org/wiki/display/MOC/Duo+Security+Runbook
> https://mana.mozilla.org/wiki/display/MOC/Duosecurity+MFA+Bypass+Codes+Used+to+Log+in+Runbook
> https://mana.mozilla.org/wiki/display/MOC/Open+Port+Policy+Violation+Alert+Runbook
>
>
> Seems to be empty
> https://mana.mozilla.org/wiki/display/MOC/Auto-rm+SSH+Private+Keys+Notification

This never materialized into an actual alert as far as I know. :alm built an initial scanning module for mozdef and I haven't heard anything about that recently. Please let us know if there is still effort to alert on found suspicious private keys.

>
>
> Do we have clear instructions what to do about things that aren't in any
> runbook being escalated to MOC? For example, how to escalate the foxsignal
> or what to do when someone signals the fox?

I think the issue is searching "foxsignal" in mana yields several documents and it is not clear how to handle events.
(In reply to Keegan Ferrando [:fauweh] from comment #4)
> (In reply to Michal Purzynski [:michal`] (use NEEDINFO) from comment #2)
> > Do we have clear instructions what to do about things that aren't in any
> > runbook being escalated to MOC? For example, how to escalate the foxsignal
> > or what to do when someone signals the fox?
>
> I think the issue is searching "foxsignal" in mana yields several documents
> and it is not clear how to handle events.

Michal, this issue of foxsignal handling seems to be the only outstanding item. Any thoughts on how to get a consistent set of instructions here?
Flags: needinfo?(mpurzynski)
Let's talk about it at the next MOC:EIS bi-weekly.
Flags: needinfo?(mpurzynski)
Assignee: asmith → tweir
Component: MOC: Projects → General
Product: Infrastructure & Operations → Enterprise Information Security
QA Contact: mcristofi
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INACTIVE