17:03:22 <hyakuhei> #startmeeting openstack security group
17:03:23 <openstack> Meeting started Thu Mar 12 17:03:22 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:26 <openstack> The meeting name has been set to 'openstack_security_group'
17:03:29 <sicarie> o/
17:03:34 <tkelsey> o/
17:03:34 <bdpayne> o/
17:03:36 <ljfisher> o/
17:03:38 <hyakuhei> Hey everyone, full house today!
17:03:40 <dave-mccowan> o/
17:03:49 <nkinder> hey all
17:03:52 <dwyde> o/
17:04:06 <bknudson> hi
17:04:33 <tmcpeak> glad to see the prodigal nkinder
17:04:42 <hyakuhei> woot! hey nkinder !
17:04:59 <d-9> hey guys
17:05:08 <ukbelch> hullo!
17:05:13 <elmiko> serious full house today =)
17:05:16 <hyakuhei> ok agenda for today, I actually don’t have much, lots of things that were in flight are still erm, flying.
17:05:19 <d-9> nkinder hope youre feeling better
17:05:23 <nkinder> 2 weeks in a row is a record for me this year I think!
17:05:26 <hyakuhei> tmcpeak: nkinder: bdpayne any updates?
17:05:31 <nkinder> d-9: thx
17:05:35 <tmcpeak> small Bandit update
17:05:50 <nkinder> hyakuhei: nothing big.  We can talk about the OSSN template and "affected software/services"
17:05:50 <bdpayne> I have a brief book update
17:06:18 <hyakuhei> ok cool, anything else?
17:06:30 <hyakuhei> tkelsey: How’s anchor coming along?
17:06:46 <tkelsey> yeah, it's going well :) 87% coverage or thereabouts
17:07:06 <tkelsey> still pushing tests
17:07:21 <hyakuhei> Jolly good, thanks for getting the functional tests in too!
17:07:34 <hyakuhei> Nice to know it actually works, as well as passing unit tests :P
17:07:35 <tkelsey> ah yes, good to have those
17:08:02 <hyakuhei> ok, lets talk about the book before what I suspect will be a longer OSSN discussion
17:08:05 <hyakuhei> #topic security guide
17:08:17 <bdpayne> so a few updates
17:08:45 <bdpayne> we are working towards a book release that is aligned with the release coming out next fall
17:08:47 <bdpayne> whatever that is, L?
17:08:49 * bdpayne loses track
17:08:53 <sicarie> Liberty
17:08:57 <bdpayne> thanks ;-)
17:09:20 <bdpayne> one of the big things we want there is to fill out the content specific to openstack core services such as Nova, Cinder, Keystone, etc
17:09:47 <bdpayne> and one of the big things we want within _that_ is to have good recommendations around the policy.json files
17:09:55 <bdpayne> so... if you have knowledge and are able to help with such things
17:10:00 <bdpayne> we'd love some assistance
17:10:01 <bdpayne> :-)
17:10:17 <sicarie> +1
17:10:29 <bdpayne> to get involved, just ping me here in IRC, email me, or similar
17:10:32 <bdpayne> that's about all that I have
17:10:42 <nkinder> bdpayne: I can lend some assistance around policy.json
17:10:50 <bdpayne> nkinder that would be great, thanks
17:10:58 <bdpayne> I'll ping you :-)
17:11:02 <nkinder> bdpayne: sounds good
17:11:03 <bknudson> I've got the policy.json mapping doc'ed for keystone.
17:11:03 <hyakuhei> bdpayne: There’s (likely) going to be a talk on that at the summit :)
17:11:16 <bknudson> not sure if we want that for every service.
17:11:27 <bdpayne> yes, I was thinking I'd ping the author of that talk hyakuhei
17:11:29 <nkinder> bknudson: yeah, that is a nice change
17:11:46 <bdpayne> bknudson you have a pointer to that?  just curious...
17:11:48 <bknudson> might be better to have it in the docs rather than in policy.json.
17:11:52 <bdpayne> ... curious what it looks like
17:12:07 <hyakuhei> Sweet. Ok lets talk about OSSN format?
17:12:09 <nkinder> bdpayne: https://review.openstack.org/#/c/155919/
17:12:13 <bknudson> #link https://review.openstack.org/#/c/155919/
17:12:20 <bdpayne> thanks, take it away OSSN
17:12:30 <hyakuhei> #topic OSSN
17:12:36 <bknudson> nkinder: still fast.
17:12:45 <hyakuhei> nkinder: want to introduce it?
17:13:00 <nkinder> I saw some of the discussion hyakuhei was having with tmcpeak on the "affected services" format in OSSNs
17:13:21 <nkinder> Typically, we go for a comma separated list like "nova, glance"
17:13:33 <nkinder> we also have versions in there - "icehouse, juno"
17:13:41 <tmcpeak> link in question: https://review.openstack.org/163041
17:13:44 <tmcpeak> #link https://review.openstack.org/163041
17:13:55 <nkinder> the idea is that a simple format can be parsed
17:14:18 <hyakuhei> So you can search for (with some tool that doesn’t exist) all OSSNs affecting “Keystone” for example
17:14:19 <nkinder> ...hence a tool could be written to check to see if an OSSN applies to a deployment
17:14:30 <hyakuhei> exactly
17:14:32 <nkinder> Yep
17:14:46 <hyakuhei> Now at the moment, we also basically present OSSNs to the world in that same format
17:14:47 <nkinder> So we also have strange cases like the FREAK or POODLE OSSNs...
17:15:03 * hyakuhei shuts up. Please continue nkinder
17:15:07 <nkinder> For these, we basically say "Affects all the things"
17:15:15 <nkinder> which is accurate
17:15:46 <nkinder> basically, these issues don't fit the mold, as they affect databases, message brokers, crypto libraries, etc.
17:16:16 <nkinder> Here's my opinion on it...
17:16:28 <nkinder> Today's OSSN format is really intended to be consumed by humans
17:16:31 <nkinder> ...not tools
17:16:48 <nkinder> We want to get to a parseable format where tools make sense, but we're not there.
17:17:09 <tmcpeak> to get that I think we'd want something more like tags
17:17:10 <nkinder> I think having a structured format alongside of the "human" format is where we need to end up
17:17:14 <gmurphy> you could maybe take a similar approach to what the vmt are doing with ossa
17:17:22 <hyakuhei> So my question is do we want to continue with a do everything format. Or write something more ‘meta’ that gets parsed into various outputs
17:17:27 <hyakuhei> gmurphy: I was hoping you’d chime in
17:17:31 <nkinder> gmurphy: yeah, I looked at some formats
17:17:32 <gmurphy> we have the advisory content in yaml (parsable) and then render that to .rst
17:17:33 <hyakuhei> How does the VMT do it
17:17:39 <nkinder> hyakuhei: transformation would be ideal
17:17:48 <nkinder> one master format, spit out all of the other ones we want
17:17:53 <d-9> +1
17:17:54 <hyakuhei> nkinder: I think I agree, though it does raise the bar for entry a little
17:17:55 <gmurphy> just a sphinx plugin i wrote
17:18:01 <gmurphy> it is very low tech but does the job
17:18:08 <hyakuhei> gmurphy: got any links we could look at (git etc)?
17:18:24 <gmurphy> think we just populate a jinja template using values from the yaml file
17:18:28 <gmurphy> yeah
17:18:31 <gmurphy> one sec
17:18:53 <gmurphy> #link http://git.openstack.org/cgit/openstack/ossa/tree/
17:18:59 <gmurphy> is the top level project
17:19:19 <nkinder> yeah, that looks nice
17:19:26 <gmurphy> and this is the crappy plugin - http://git.openstack.org/cgit/openstack/ossa/tree/doc/source/_exts/vmt.py
17:19:45 <gmurphy> which basically fills in this template http://git.openstack.org/cgit/openstack/ossa/tree/doc/source/_exts/rst.jinja
17:19:55 <hyakuhei> That’s a lot more readable than I thought it would be (the yaml)
17:20:08 <elmiko> yaml seems nice for the root format
17:20:10 <gmurphy> yeah. eventually i want to get the ossa data version information more accurate
17:20:10 <nkinder> So I can get behind something basic like this
17:20:13 <hyakuhei> do you have a gate to test the yaml isn’t horribly broken etc?
17:20:14 <tmcpeak> chair6: see how much better yaml is than JSON? :P
17:20:25 <gmurphy> so i can run a db query etc
17:20:25 <hyakuhei> tmcpeak: quite or we put you back in the corner.
17:20:25 <nkinder> I was looking at things like CVRF last year...
17:20:35 <d-9> hyakuhei still bitter about yaml..
17:20:39 <nkinder> which is a nice standard, but probably more heavyweight than we need
17:20:43 <hyakuhei> +1
17:20:52 <nkinder> ...though we can always transform yaml to CVRF if there is a need in the future
17:21:01 <gmurphy> yeah exactly
17:21:11 <nkinder> I think hyakuhei's comment about a low bar is important
17:21:34 <hyakuhei> So you take yaml and munge it into jinja
17:21:41 <hyakuhei> at which point it can become whatever you want?
17:21:58 <gmurphy> yeah.
17:21:59 <gmurphy> basically
17:22:30 <hyakuhei> nkinder: yeah, but at least with a format like yaml we could have the gate do more automated checks than it does today possibly ?
17:22:43 <nkinder> yeah, I think so
17:22:48 <hyakuhei> and also little trip hazards like trailing whitespace and line length go away
17:23:36 <nkinder> do we want to publish the yaml somewhere too (besides git)?
17:23:42 <hyakuhei> There’d be a body of work to convert (manually or by magic) existing OSSN into whatever the new format is too
17:23:47 <gmurphy> for ossa ?
17:23:48 <nkinder> That way a tool can be used to scan the yaml from a known location
17:24:08 <nkinder> hyakuhei: I think that would be manual...
17:24:09 <gmurphy> yeah security.openstack.org = output of that project
17:24:14 <hyakuhei> nkinder: +1
17:24:25 <hyakuhei> only a few hours work split between a couple of us
17:24:26 <tmcpeak> could probably get at least 80% of the work done with a little magic
17:24:46 <nkinder> yeah, shouldn't be too bad with 45 notes
17:25:11 <nkinder> ok, well POC of yaml and a conversion to something close to what we publish today is the first step
17:25:23 <nkinder> I can work with gmurphy on that
17:25:41 <nkinder> steal whatever I can, then tweak it :)
17:26:06 <gmurphy> yep. go for it.
17:26:25 <gmurphy> ping me if you have any problems.
17:26:38 <nkinder> gmurphy: will do
17:27:07 <hyakuhei> nkinder: are you going to put the yaml poc in git? Easiest place to review/comment I imagine
17:27:28 <hyakuhei> I mean security-doc on git, obviously
17:27:56 <nkinder> hyakuhei: yes, yaml in git
17:28:03 <nkinder> it will be the "source" format
17:28:22 <nkinder> we will need to tweak the gate jobs too
17:28:29 <hyakuhei> Yeah
17:28:35 <hyakuhei> This is quite exciting :)
17:29:20 <hyakuhei> Anything else on OSSN today?
17:29:46 <tmcpeak> I copied bdpayne's note, it's all his fault
17:29:50 <hyakuhei> #topic Any Other Business
17:29:53 <nkinder> Nothing notable.  There's stuff in the queue, some assigned (I think everyone who owns something is aware that it needs to be done)
17:30:10 <hyakuhei> Great! Yeah I’ve got one that I hope to write tomorrow
17:30:16 <hyakuhei> (not really sure where the week went)
17:30:42 <tmcpeak> hyakuhei: you know what I'm going to ask, don't you?
17:31:34 <hyakuhei> The developer guidelines
17:31:37 <tmcpeak> yep :)
17:31:46 <tmcpeak> where are we going to put them, what's the next step
17:31:48 <hyakuhei> Yeah they’re waiting on the discussions I’m having about making the OSSG OpenStack proper
17:32:01 <hyakuhei> As right now we don’t have a sensible place to publish them other than the wiki
17:32:12 <tmcpeak> well wiki could be good
17:32:16 <hyakuhei> We _could_ put them there for now
17:32:19 <tmcpeak> lots of OpenStack guidance goes there
17:32:30 <hyakuhei> Yeah and lots of stuff gets lost in the noise
17:32:37 <tmcpeak> true
17:32:46 <hyakuhei> If you want to create a wiki page under security and move them over I’m happy with that
17:32:57 <tmcpeak> what's the end game?
17:33:02 <hyakuhei> Though ideally I want them nicely formatted and linked somewhere off security.openstack.org
17:33:18 <hyakuhei> They look so pretty in GH Markdown :(
17:33:29 <tmcpeak> that sounds worthwhile, so that's blocked on your discussion about integrating OSSG as a proper group?
17:34:18 <hyakuhei> It would complicate things unduly to try to push stuff there right now
17:34:23 <hyakuhei> So wiki is fine
17:34:37 <tmcpeak> ok, should we publish them as is or do we need to do more editing?
17:34:42 <tmcpeak> some of them aren't consistent with the others
17:34:45 <tmcpeak> for example XSS
17:34:58 <hyakuhei> There’s some work required on some. I don’t have the time to do that this week.
17:35:09 <tmcpeak> like this: https://github.com/openstack-security/Developer-Guidance/blob/master/xss.md
17:35:15 <hyakuhei> sicarie: You’re a doc ninja, do you have any cycles next week to look at the content?
17:35:20 <sicarie> sure
17:35:41 <tmcpeak> awesome!
17:35:43 <hyakuhei> Yeah the XSS one isn’t great I’ll see if ukbelch can re-write it to be more inline with the others
17:36:04 <ukbelch> sure
17:36:26 <tmcpeak> whoever did this: https://github.com/openstack-security/Developer-Guidance/blob/master/todo.md thank you
17:37:02 <d-9> no worries
17:37:24 <tmcpeak> Bandit version pin imminent! code freeze is tomorrow EOD
17:37:34 <hyakuhei> oooh
17:37:41 <tmcpeak> then Monday I'm going to try really really hard to break it
17:37:42 <tkelsey> good stuff tmcpeak
17:37:48 <tmcpeak> then version pin Monday by EOD
17:37:52 * bknudson needs to get keystone change ready.
17:38:20 <tmcpeak> if anybody else can carve out time to try to break Bandit Monday, that would be awesome
17:38:59 <gmurphy> tmcpeak: have you run it over all the things in openstack/*?
17:39:06 <tmcpeak> gmurphy: yep, mostly
17:39:23 <tmcpeak> I'm probably missing some of the oslos, and my versions might be a bit old, but yeah, I've run against most projects
17:39:41 <gmurphy> ok. cool.
17:40:30 <tmcpeak> that's probably it for Bandit this week
17:42:09 <tmcpeak> anything else guys?
17:43:58 <gmurphy> well at some stage i want to revisit the ossa metrics stuff.
17:44:13 <hyakuhei> gmurphy: yeah that’s the one thing we didn’t manage at the mid-cycle
17:44:20 <hyakuhei> Maybe we can try to get a design session on it
17:44:31 <gmurphy> well me and jamie did a few -> https://etherpad.openstack.org/p/ossg-metrics
17:44:52 <hyakuhei> So we’re still tuning it. What was your feel for it at the moment?
17:45:16 <gmurphy> we both got pretty similar answers for some things
17:45:31 <gmurphy> a couple were ambiguous / it depends type things
17:45:41 <gmurphy> but with the ossa data in a git repo
17:45:54 <hyakuhei> That looks pretty good actually
17:46:02 <gmurphy> we could submit scores and nit the differences in review
17:46:25 <bknudson> the IBM x-force team also has cvss scores for the vulnerabilities.
17:46:49 <gmurphy> cool. would be interesting to pull that info in too.
17:47:18 <gmurphy> i guess what i would ultimately like to get to is - is the proposed standard more accurate than cvss etc
17:47:38 <hyakuhei> gmurphy: I like that idea
17:47:51 <hyakuhei> well CVSSv2 is completely inappropriate for cloud applications
17:48:00 <gmurphy> and we have the cvss info from red hat.. i'll pull in the xforce stuff too one rainy day..
17:48:04 <gmurphy> yeah. i agree.
17:48:05 <hyakuhei> hypervisor breakouts rank ~5 I think
17:48:13 <hyakuhei> “local privesc”
17:48:25 <gmurphy> but hopefully we could demonstrate that with pretty graphs :-)
17:48:33 <hyakuhei> Ok so actions regarding metrics?
17:49:02 <gmurphy> well if anybody else wants to jump on that etherpad and have a go at rating those vulns that would be good
17:49:27 <tmcpeak> cool, I'll have a stab at it
17:49:30 <hyakuhei> tmcpeak: sicarie - either of you have time?
17:49:32 <hyakuhei> excellent
17:49:36 <gmurphy> otherwise i will try to build a bigger sample base
17:49:50 <gmurphy> and compare against cvss
17:49:54 <sicarie> hyakuhei I could probably take a look next week
17:50:15 <hyakuhei> That’d be great!
17:50:25 <hyakuhei> ok I think that’s a wrap, any last minute stuff?
17:50:59 <hyakuhei> Cool, thanks everyone!
17:51:02 <hyakuhei> #endmeeting