18:00:17 #startmeeting OpenStack Security Group 18:00:18 Meeting started Thu Jan 24 18:00:17 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:19 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:21 The meeting name has been set to 'openstack_security_group' 18:00:37 good morning / evening to everyone 18:00:46 welcome to the first security group meeting 18:01:05 I'd like to start with a few house keeping items... 18:01:23 #topic House Keeping 18:01:57 We're using the MeetBot for auto generated mintues 18:02:00 #link http://wiki.debian.org/MeetBot 18:02:19 We'll have weekly meetings, starting today 18:02:39 Where are we archiving those minutes? 18:02:44 #info Meetings should last 30 min (or less) 18:03:15 #info I'll post the meeting minutes online after each meeting 18:03:17 #link http://wiki.openstack.org/Meetings/OpenStackSecurity 18:03:32 Perfect. Thanks. 18:03:59 #info I encourage everyone to subscribe to the mailing list, if you haven't already: openstack-ossg@lists.launchpad.net 18:04:08 you can do this through the launchpad group 18:04:18 #link https://launchpad.net/~openstack-ossg 18:04:30 we'll talk more about the mailing list in a few... 18:04:56 so, before we dive into other topics, let's do some introductions 18:05:01 #topic Introductions 18:05:16 I can start 18:05:59 #info Many of you have met me at the summit / online… I'm Bryan Payne and I'm working at Nebula… OpenStack and related security tasks are my day to day job 18:06:14 who else do we have joining us today? 18:06:41 #info Security Architect at HP. Started OSSG with Bryan. Speaking at summits etc. 18:07:14 morning @hyakuhei 18:07:16 #info I'm Matt Tesauro, I am the lead of the product security engineers at Rackspace. Was at the last summit and will be at the next. OpenStack is also part of my normal work with Rackspce 18:07:42 nice to have you hear Matt 18:08:02 #info I'm Laura Glendenning, I'm a software developer at JHU Applied Physics Lab and am currently leading our OpenStack project here. I was at the last summit and my team is working on security-related features. 18:08:03 anyone else here today? I heard from several others that planned on attending 18:08:04 #info Esteban Gutierrez, IT security for Intel. Working on security requirements for openstack deployments. 18:08:37 Greetings everyone! I am Malini Bhandaru from Intel, and my focus is security too 18:08:48 great, I was planning to talk about some Intel and APL work later in the meeting, you guys can keep me honest 18:08:49 #info I'm Lars Lehtonen, I'm mostly working around Swift in our deployment right now. 18:08:53 Greetings, Randy Perryman with Dell. Work on the Crowbar Team doing actual Deployments of Openstack in the field. 18:09:27 ok, looks like we have a nice group… thank for the introductions all 18:09:39 let's dive into some topics 18:09:49 #topic Mailing list 18:10:21 #info We currently have a mailing list setup on launchpad, but there is a move afoot to change this to a mailman list 18:10:39 @hyakuhei, can you report on the status for that? 18:11:11 #info In progress. It got lots in the summit setup noise - I'll email Stefano about it again. 18:11:20 sounds good 18:11:25 Is this Mailman list OpenStack hosted? 18:11:28 yeah 18:11:40 do we need a separate mailing list? [OSSG] won't work with dev? 18:11:43 the idea here is to allow for integration with the bug tracking system 18:12:01 so bugs can be marked "security" and we will get a notification 18:12:13 chatter can happen on dev or on our list, as people see fit 18:12:24 ok - nice. how many bugs do we have? last I checked, we had three 18:12:30 That allows us to build out some pretty cool security tooling. 18:13:29 Those are OSN bugs, that's a bit different. That's us using Launchpad for Security notes. 18:13:29 right 18:13:29 in the future, we'll get notified (hopefully) of bugs and patches that are security relevant and could benefit from review by someone in this group 18:13:49 ok, so moving on... 18:13:53 ok 18:13:58 #topic Security Notes 18:14:20 #info We have been asked to occasionally provide "Security Notes" for the OpenStack community 18:14:48 this is lightweight security configuration guidance 18:14:53 These are like advisories for configuration / common things people do wrong that compromises the security of their OpenStack deployment. 18:14:58 perhaps not quite a CVE, but best practices 18:15:20 So a Security FAQ page? 18:15:24 so basically bits of what would be a hardening guide? 18:15:26 No. 18:15:32 there is one note already in progress 18:15:34 #link https://bugs.launchpad.net/osn/+bug/1098582 18:15:35 Launchpad bug 1098582 in osn "Note: Security impact of Libvirt/LXC usage" [High,Confirmed] 18:15:55 That is the one from last week, right? 18:16:04 that's right 18:16:31 largely these will be little advisories to help people make good decisions 18:16:57 #info these are designed to be more timely than the security guide… and sometime that we can produce on demand and/or as we see the need 18:16:57 Thank You for the clarification. 18:17:12 do we have a link to the work in progress? 18:17:20 that's the link above 18:17:41 that is for the LXC security note… I would encourage everyone to take a pass and provide some feedback 18:17:51 we'd like to get that one out the door soon 18:18:13 apparently many people are using LXC's and thinking that they are getting KVM style isolation… but they aren't, of course 18:18:48 #topic Security Guide 18:19:02 thanks - what is the plan for arriving a template? does this need to wait for a common agreed templat for OSN? 18:19:27 Could a list of live items such as that one above exist as a list on the main security group page? This would be a list of "hot" items. 18:19:38 #info @hyakuhei has put together a repo and some initial templates for the security guide 18:19:57 yeah, let's speak to those questions 18:20:02 I see that very much being in the bootstrap stage. 18:20:22 the template is basically to have a nice common way to present this info 18:20:31 work there is needed, but we didn't want to hold up getting the first note out for that 18:20:52 so, plan looks like first OSN will be out, while the template will be in work. 18:20:54 contributions are certainly welcome in putting together template for that… probably just a simple plain text format that will work for email / web site posting 18:20:58 Bootstracp is fine as long as we don't preclude future growth in its implementation. Better to iterate to what works best for all 18:21:04 hopefully from second one, we can follow the template. 18:21:11 that's right 18:21:29 as for putting items on the website, I think that makes sense 18:21:35 we should put together a section for that 18:21:37 hyakuhei - can u point to the wip for template please? so that we can provide feebadk 18:22:25 OSN template or Hardening Guide? 18:22:40 template 18:22:43 OSN template and related -- https://bugs.launchpad.net/osn 18:22:45 #link https://bugs.launchpad.net/osn 18:23:00 It's largely captured in the LXC note linked previously. 18:23:01 * bdpayne changed the topic too quickly ;-) 18:23:16 Basically MD with whatever topics made sense. 18:23:52 ok… moving on to discuss hardening guide 18:24:00 #link https://github.com/hyakuhei/OSSG_Hardening_Guide 18:24:17 this is the git repo with the skel latex code for the guide 18:24:35 #info Note the outline.txt file as a first cut at the guide outline 18:25:05 #action We should review that outline and get happy with it so that we can begin working on the writing as a group 18:25:22 Yeah, there's virtually no content right now but it's easy to see how this could build out to be something incredibly useful to the community. 18:25:34 Exactly 18:25:55 Please excuse the shonky makefile... 18:26:02 Looks like a good start though. 18:26:07 I see that we are running a little short on time… I'd like to push through a couple of additional topics in our last 5 min 18:26:11 may be i missed it - what is the goal for the hardening guide? hows it differnt from OSN? 18:26:20 ah, sorry... 18:26:40 hardening guide is designed to be a single document with advice for deploying OS securely 18:26:58 whereas the OSN's are one off security best practice advice… more timely 18:27:22 ok - do we plan to include any internal notes (known threats. mitigations etc) in this? or is it for external users? 18:27:22 Presumably the audience in OpenStack implementors, correct? 18:27:39 @mtesauro that's correct 18:28:04 @sriramhere not sure what you mean, audience will be cloud implementors / cloud admins that are working with OS 18:28:42 i got the answer; what i meant to say is, if we know of a known threat, we will still publish it, so that cloud admins can be aware of that 18:28:49 ok, just a few final mentions here 18:28:51 and possibly incorporate our mitigation ideas 18:29:06 that will have to be handled on a case by case basis 18:29:35 in general, I would say we provide advice to deploy in a way that offeres layered security and helps mitigate attacks 18:29:54 thanks 18:30:14 One additional item, not on the agenda... 18:30:37 #info Beyond my work with OpenStack, I'm also heavily involved in OWASP - International OpenSource Foundation working on application security 18:30:45 #info I have just started an OWASP OpenStack Security project with the goal of bringing the two communities together. 18:31:04 sorry, my irc connection just hicup'd 18:31:16 There's an Apache-like approval process with OWASP projects which will close at COB today (central time US GMT-6) 18:31:48 @mtesauro Any specific proposals for OS? 18:31:54 @mtesauro That's interesting. 18:31:59 After that, I'll be actively recruiting from the OWASP community to add to the OSSG work. 18:31:59 @mtesauro, I take it you have that created on the OWASP site? and will it be Appsec focused? 18:31:59 bpayne - u had few final mentions, 18:32:19 yeah, we are basically out of time 18:32:28 let me just close this out and we can have more discussion next week 18:32:36 After the approval completes today, there will be a OWASP project page on their site + mail list for the project. 18:32:44 I assume we can take items to the mailing list as well? 18:32:50 #topic Storage Encryption 18:32:52 will link that to OSSG as well 18:33:18 groovy 18:33:54 There's a bunch of app sec people at OWASP which could lend a hand with OpenStack work 18:35:10 #link https://blueprints.launchpad.net/swift/+spec/encrypted-objects 18:35:20 #link https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes 18:35:31 both of those are worth getting some eyes from this group 18:35:42 we should discuss more on the mailing list and at next week's meeting 18:35:52 Thank you!!! Would appreciate feedback 18:36:01 #info that's all I had for today… thanks everyone for attending! 18:36:05 Additional storage encryption info here http://lists.openstack.org/pipermail/openstack-dev/2013-January/004439.html 18:36:27 #endmeeting