18:00:01 #startmeeting OpenStack Security Group
18:00:02 Meeting started Thu Jan 31 18:00:01 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:03 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:05 The meeting name has been set to 'openstack_security_group'
18:00:28 #info Welcome security group!
18:00:57 In our meeting last week, we were a bit rushed at the end, so I wanted to pick up there and see if there was any discussion
18:01:21 But first, one quick housekeeping item
18:01:30 #topic LXC Security Note
18:01:48 #link https://bugs.launchpad.net/osn/+bug/1098582
18:01:50 Launchpad bug 1098582 in osn "Note: Security impact of Libvirt/LXC usage" [High,Confirmed]
18:02:36 #info This security note is about ready to go, looking for final comments and then we'll release it.
18:02:47 Any comments / discussion on the note?
18:04:24 Hrm, before I continue… do we have people attending the security meeting?
18:04:44 You're talking about the note here https://bugs.launchpad.net/osn/+bug/1098582 right?
18:04:45 Launchpad bug 1098582 in osn "Note: Security impact of Libvirt/LXC usage" [High,Confirmed]
18:04:55 Yes, i am here for the security meeting
18:04:55 high, yes, that's the one
18:05:12 great, glad to see some folks here
18:05:14 I'm here as well
18:05:24 The final version (2013-01-23) looks fine to me
18:05:33 ok, thanks
18:05:52 Is that some sort of markdown/asciidoc-ish markup or just nice text formatting on the ###'s
18:06:07 #info If anyone has further feedback on the note, please get it in by the end of the day today
18:06:38 I think that's markdown
18:07:01 #topic Storage Encryption
18:07:14 Cool. We should probably note that somewhere in case someone wants to consume and format the notes externally
18:07:15 ok, let's pick up where we left off last week
18:07:30 sure, makes sense mtesauro
18:08:03 #info There are two open proposals for different kinds of storage encryption right now
18:08:23 #info object encryption (swift) by Intel
18:08:26 #link https://blueprints.launchpad.net/swift/+spec/encrypted-objects
18:08:36 #info volume encryption (cinder) by APL
18:08:46 #link https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes
18:09:00 has anyone reviewed these? any discussion, thoughts, comments, etc?
18:09:27 i have not reviewed. still trying to get my bearings in this community. :)
18:09:50 I haven't gotten to that yet but it's on my short list. Should have comments by next meeting
18:09:54 np, I actually have some thoughts on where people can participate and help out
18:10:16 ok, sounds good… I think that storage encryption is useful and a nice addition to openstack
18:10:31 I've certainly heard from lots of users that it is desired
18:10:42 agree. i think it will really help build confidence in the user community
18:10:49 I wonder if there's utility in trying to get some symmetry between these two proposals
18:10:50 if done well, that is
18:10:59 Both of them involve key managers, so that should be discussed at some point
18:10:59 or if it is better to wait and do that later
18:11:24 indeed
18:11:48 #action Let's all try to review these and think about how they will fit together over the next week
18:12:12 any other thoughts on storage encryption?
18:12:34 do we have a security policy in mind which describes the threats we are, and are not, trying to address with encryption?
18:12:45 good question
18:12:49 the short answer is no
18:13:07 but I did provide some comments on the APL proposal this morning, asking questions about just that
18:13:22 this is another area where I think it would be useful to get some alignment between the proposals
18:13:31 and, really, for openstack at large
18:13:31 We received the feedback. Thank you.
18:13:55 yes, in my experience, a security policy should be a precursor to any evaluation discussion
18:14:37 it is nice to know the problem that we're trying to solve with encryption
18:14:43 coming up with a general security policy for all of openstack would be a huge project
18:14:56 don't have to boil the ocean
18:15:03 just deal with encryption for now.
18:15:03 but, I do agree that some more crisp understanding of the threats being addressed is good
18:15:11 yeah, agreed
18:15:39 maybe a good topic for the upcoming summit?
18:15:45 #action Let's refine the security models for the storage encryption schemes
18:15:52 sure
18:16:09 I always like to see more security discussion at the summit
18:16:11 :-)
18:16:54 #topic Open Discussion
18:17:05 in the meantime, i will try to review the proposals
18:17:21 Any feedback would be much appreciated
18:17:27 #info so I wanted to open up the discussion a bit to see what other security related things are on people's minds and where the group can help
18:18:28 there is one that has caught my attention
18:18:41 #info python code in rootwrap
18:18:44 #link https://blueprints.launchpad.net/oslo/+spec/nova-rootwrap-python-exec
18:19:31 based on what I saw at the last summit, I think that there's probably a lot of security work going on within openstack
18:19:46 and probably a lot going on in silos
18:20:19 ... probably at differing levels of competency.
18:20:32 well, sure… hopefully that's where we can help
18:20:46 where has everyone been involved to date?
18:21:42 i am still very new to the group and am still in (rapid) learning mode
18:21:58 np
18:22:09 this is something worth thinking about for everyone
18:22:31 Is there a project that addresses overall security status from an instrumentation and/or integrity point of view?
18:22:44 (also new to the group, btw)
18:22:59 not sure what you are getting at with that question
18:23:20 but, in terms of openstack, we are the only active security effort that I'm aware of … and we're just getting started ;-)
18:23:40 there is the vulnerability management team, but they are more reactive
18:23:47 (a good thing, but complementary)
18:23:51 Example: given a particular compute node, is there any fingerprinting of the configuration state?
18:24:00 I've been testing the OpenStack implementation at Rack - mostly dynamic testing of APIs as well as code reviews, etc.
18:24:13 Some infrastructure work as well but mostly in the AppSec space.
18:24:20 ok, great
18:24:35 that's certainly a big piece of what I think is needed
18:24:43 fuzzing, code review, blueprint review, etc
18:24:46 i agree.
18:24:57 #topic Next Steps
18:25:19 #info So, I wanted to call out a few specific places where I think people can help today
18:25:40 1) we need help putting together the hardening guide
18:25:55 #link https://github.com/hyakuhei/OSSG_Hardening_Guide
18:26:20 First steps there are reviewing the outline.txt file and then helping to write sections
18:26:34 Anyone that is interested, please drop me a line and I'll get you engaged
18:26:47 2) I'd like to see about pairing OSSG members with the core projects
18:27:15 Is there a timeline when things are planned to be done for the hardening guide?
18:27:25 When do you want feedback by?
18:27:26 This way we can more easily track where the security problems are, and bring information back to the group about when code reviews are needed, etc
18:27:45 I'd like to get the hardening guide in some alpha form by the summit
18:28:01 And it will surely continue to grow from there
18:28:19 ok
18:28:41 So, if you are already engaged in a core project, then perhaps you could be the OSSG rep
18:28:49 just a liaison between the projects
18:29:08 if you aren't, but are interested, then perhaps start getting engaged and see if it's a good fit
18:29:31 #topic Final Words
18:29:39 anything else?
18:29:51 Has anyone looked at what the DISA STIGs provide? We can probably embrace and extend quite a bit from there.
18:30:20 I have not, but perhaps you can send some pointers?
18:30:31 nor i.
18:30:36 #link www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf (RHEL)
18:31:03 ok, we can continue discussion via email, on the dev channel
18:31:05 thanks guys
18:31:12 one question.
18:31:12 #endmeeting