These were accepted.
A reminder to ALL to keep going with those "pandemic" actions!
It was agreed that OpenVPN should be added to the list of pandemic services with George taking on responsibility for producing the documentation.
Done. Certainly doesn't seem to do any harm. Action changed to making this run when DICE workstations sleep or shut down, and deferred until OpenAFS 1.6.6 or later is the default on DICE machines.
Now mirrored to loghosts
The three-machine round-robin now involves one virtual machine at each of our three sites (rather than three virtual machines in the Forum, as before).
Confirmed - we do support this, though the manner in which we do so has still to be firmed up.
Patches are in gerrit and will be incorporated in OpenAFS-1.6.8 (now in pre-release)
Patch provided (during meeting)
Blog articles suggested:
Report from Computing Executive Group
Reports from units
Topics for discussion
Graham pointed out that if all members of a Unit were felled by a pandemic, there would be no-one reading Unit emails and receiving Nagios alerts. This is obviously a problem. All Units have arranged that Unit Nagios alerts are received by anyone with that Unit's role so the obvious first step is for the pandemic substitutes to give themselves the role of the Unit which normally has responsibility for the services they are concerned with. Similarly, they should add themselves to the appropriate mailing lists. Graham and Craig will come up with the means to do this and publicise them.
By the time of the meeting, all DICE-managed servers and clients should have been running the patched version of the SSL libraries, though of course certificates still needed to be renewed and services restarted.
There was some discussion over which services were actually vulnerable (https was the only one positively confirmed) and how self-managed machines should be scanned with the objective of closing the firewall holes of any machines at risk.
In the end, it was agreed that Graham would produce a scanning tool, User Support would do the actual scanning and firewall hole closing, and Stephen would write the blog article covering the issue and our response.
Stephen has produced a wiki page detailing how to push out urgent security fixes the next time something like this happens.
SSL Vulnerability (see discussion above).
The next meeting will be on 26th April 2014 at 10:00 in IF-4.31, chaired by George.
Unless explicitly stated otherwise, all material is copyright The University of Edinburgh