EGI central banning setup for NGI_IT sites

The purpose of deploying central banning across sites is to implement the EGI CSIRT central emergency suspension policy.

Site with Argus

Sites running their own Argus can add the NGI_IT Argus as a remote Policy Administration Point (PAP).

Using the pap-admin utility to add the NGI_IT PAP to your Argus

Add NGI_IT PAP (aka ngi_it)
pap-admin add-pap ngi_it argus-it.cnaf.infn.it "/C=IT/O=INFN/OU=Host/L=CNAF/CN=argus-it.cnaf.infn.it"
Enable new NGI_IT PAP (aka ngi_it)
pap-admin enable-pap ngi_it
Place the new ngi_it PAP ahead of the default one in the PAP order
pap-admin set-paps-order ngi_it default
Set polling interval to 1 hour
pap-admin set-polling-interval 3600
List the policies, including those from the new PAP
pap-admin lp --all
Preventing yaim overwrites for added PAPs

Yaim is unable to configure and add new PAPs (no yaim variables are provided), so running yaim on the Argus server can potentially remove added PAPs. To avoid this, sites should repeat the procedure to add the NGI_IT PAP every time they run yaim on the Argus server. You can script the procedure or use a configuration management tool like Puppet to automate it.

Site without Argus

A site without an Argus server can download the publicly available ban policy file and install it as /etc/lcas/ban_users.db

The site can run the download from cron so that it is scheduled in the background. For instance, you can place the following snippet in cron.d:
cat /etc/cron.d/fetch-banlist
# Fetch ban list from central NGI repository
# and add DNs to ban_users.db file
10 1 * * * root wget http://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -O - > /etc/lcas/ban_users.db
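
The cron line redirects wget straight into /etc/lcas/ban_users.db, so the shell truncates the live ban list before the download starts, and a failed download or an error page leaves the list empty or corrupt. The script below is an added example, not part of the original page: it downloads to a scratch file, checks that every entry looks like a subject DN, and only then replaces the live file atomically. The DN-per-line file format, the function names and the `--run` argument are assumptions.

```shell
#!/bin/bash
# Added example: fail-safe fetch for the central ban list (not the page's script).
BANLIST_URL="http://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db"  # from the cron line
BANLIST_FILE="/etc/lcas/ban_users.db"

# Assumed format: one subject DN per line ("/C=.../CN=..."), optionally
# double-quoted; blank lines and '#' comments allowed. True if no other line exists.
banlist_is_valid() {
    [ -f "$1" ] || return 1
    ! grep -Ev '^[[:space:]]*(#.*)?$' "$1" |
        grep -Evq '^[[:space:]]*"?/[A-Za-z]+=[^"]*"?[[:space:]]*$'
}

# Replace target $2 with candidate $1 only if the candidate validates.
# The temp file lives next to the target so that mv is an atomic rename.
install_banlist() {
    candidate=$1 target=$2
    if ! banlist_is_valid "$candidate"; then
        echo "banlist: rejected $candidate, keeping $target" >&2
        return 1
    fi
    tmp=$(mktemp "$target.XXXXXX") || return 1
    # 644 is an assumed mode; adjust to what your LCAS setup expects.
    cat "$candidate" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$target" && return 0
    rm -f "$tmp"
    return 1
}

# Download to a scratch file; the live list is touched only after wget
# succeeded and the content passed validation.
fetch_banlist() {
    url=${1:-$BANLIST_URL} target=${2:-$BANLIST_FILE}
    scratch=$(mktemp) || return 1
    if wget -q -T 30 -t 3 -O "$scratch" "$url"; then
        install_banlist "$scratch" "$target"; rc=$?
    else
        echo "banlist: download failed, keeping $target" >&2; rc=1
    fi
    rm -f "$scratch"
    return $rc
}

# Hypothetical entry point: cron calls this script with --run.
if [ "${1:-}" = "--run" ]; then
    fetch_banlist
fi
```

A non-zero exit status means the previous ban list was kept, so stderr from the cron job is worth routing to the site's monitoring.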