Spring is coming up fast and, in a deeply rooted tradition for house husbands and housewives, the time has come for a spring clean. Thoroughly cleaning the rooms, repainting some walls, fixing broken tiles, pimping up and beautifying your property, getting rid of unused clothes (or those which changed size and do not fit anymore), throwing out things that are just accumulating dust. And, while you’re at it, why not also take a look at your digital belongings, in particular those hosted by CERN?
Digital resources deserve some housekeeping too. A clean-up. Some fixing. Or to be thrown away, purged and deleted. For good. Experience has shown that creating/spawning digital resources is easy and usually comes with a need. The incentive to create is a given. But once a device, virtual machine, container, website, program or application is deployed and up and running, the incentive to maintain it diminishes. If the resource does its job, why bother? In many cases, the resources are sitting around idle, still consuming power and CPU cycles, blocking disk space, eating network bandwidth and posing a growing computer security risk. The most recent vulnerability (“log4shell”) has once more demonstrated the problem: when we asked people to fix that vulnerability in certain “Openshift containers”, and there were dozens, about 50% of the owners replied by saying “I don’t need that anymore and deleted it”. 50%. 50% of resources idle …
Thus, spring has arrived and we would like to encourage you to use your freshly gained energy to review your digital resources. Help us to save energy, licence costs, disk space and CPU cycles, and help us to reduce CERN’s exposure to cyberthreats and its consequential attack surface. Please go through the following list and ensure that your resources are up to date and fully patched (see our Bulletin article on “Beauty under the hood”), or just purge resources that are no longer needed:
- For your accounts, in particular secondary and service accounts, go to https://account.cern.ch/account/ Management/MyAccounts.aspx. You can delete individual accounts by selecting the account and then clicking on “Delete Account” on the right-hand side. In case of service accounts, please check with potential co-users first.
- For your devices (PCs, laptops, smartphones, etc.), go to https://network.cern.ch/sc/fcgi/sc. fcgi?Action=SelectForDisplay (CERN network only) and search for your surname. You can delete individual devices by selecting the device and then clicking on “[Remove This Device]” at the bottom of the page.
- For your websites (including Sharepoint, Drupal and Openshift projects), go to https://webservices-portal.web.cern.ch/my-sites. You can delete individual websites by selecting the website and then clicking “Delete [SITE NAME]” in the left-hand sidebar, but, please, check with potential co-moderators first!
- For your databases, go to either https://resources.web.cern.ch/ resources/Manage/DbOnDemand/ Resources.aspx for Databases on Demand (DBoD) or https://resources.web.cern.ch/ resources/Manage/Oracle/ Resources.aspx for Oracle databases. You can delete individual DBoD instances by clicking “[delete]” to the right of the database or by selecting the Oracle database and then clicking “Delete Account” on the right-hand side.
- For your e-groups, go to https://e-groups.cern.ch/e-groups/EgroupsSelectShowEgroups OfMember.do#. You can delete individual e-groups by selecting the e-group and then clicking the “Delete” button at the bottom of the page, but, please, check with potential co-admins first!
- For your virtual machines (VMs), go to https://openstack.cern.ch/project/ and purge them from all projects and tenants. Puppet-managed VMs should be deleted via the “ai-kill” command.
- For outer perimeter firewall openings, follow the instructions for either your devices or virtual machines. For devices, select the device, then click on “[Update this Information]” at the bottom of the page, and then finally move to the “Central Firewall Configuration” section of the new page and tick the “Remove” box and hit the “Send Request: UPDATE INFORMATION>>>” button at the bottom at the page. For virtual machines, consult your Puppet configuration (https://configdocs.web.cern.ch/ firewall/cern.html). Finally, if your device or virtual machine is part of a firewall set (https://security.web.cern.ch/services /en/firewall.shtml), just remove it from that set via the set management web page at https://landb.cern.ch/landb/portal /sets/displaySets; or remove it from the corresponding Hiera “cernfw_landbset” (https://configdocs.web.cern.ch/ firewall/cern.html).
- For your subscriptions, go to https://resources.web.cern.ch/ resources/Manage/ListServices.aspx. You can reconfigure or unsubscribe from individual services by selecting the service and following the instructions on the following page.
If you have worked through the list until here, well done and thanks a lot! This is deeply appreciated for the sake of reducing CERN’s environmental impact and computer security attack surface. Thank you for your spring-cleaning efforts!
_____
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.