17:00:29 #startmeeting security
17:00:32 Meeting started Thu May 5 17:00:29 2016 UTC and is due to finish in 60 minutes. The chair is elmiko. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:34 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:35 o/
17:00:36 The meeting name has been set to 'security'
17:00:40 o/
17:00:42 #link https://etherpad.openstack.org/p/security-agenda
17:00:58 #link https://etherpad.openstack.org/p/security-agenda
17:01:00 hi
17:01:12 yo
17:01:18 no meeting?
17:01:27 why not?
17:01:42 no, i thought you had a conflict with *this* meeting
17:01:52 oh, yeah I dropped. It sucked
17:01:55 yes or no?
17:02:02 yes, this meeting is on!
17:02:02 meeting?
17:02:05 haha
17:02:10 hi all
17:02:13 elmiko: you are the boss
17:02:21 let's fix that
17:02:23 tkelsey: Why not summit this time?
17:02:24 #chair tmcpeak
17:02:25 Current chairs: elmiko tmcpeak
17:02:35 #topic summit recap
17:02:40 hi all
17:02:48 hey lhinds
17:02:48 michaelxin: couldn't make it this time :-(
17:02:54 lhinds: hi
17:03:00 missed all you folks :(
17:03:08 tkelsey: we missed you
17:03:11 missed you too tkelsey !
17:03:19 bandit hackfest wasn't the same
17:03:29 true dat
17:03:29 virtual hugs tkelsey
17:03:33 so, quick summit recap
17:03:34 haha, you mean no one decided to change-all0th-things
17:03:41 lol
17:04:13 we had some really nice sessions, got the kolla TA underway, had some bandit hacking, BYOK sessions, and even a sec-doc session!
17:04:25 +1
17:04:26 nice :)
17:04:33 did we do the TM on Friday?
17:04:42 michaelxin: yeah part of it
17:04:46 any highlights from summit that folks want to mention?
17:05:05 the threat modeling was interesting
17:05:10 curious about the perspective of others
17:05:19 I did not find the room
17:05:20 working with a project like Kolla on our first rev is really useful
17:05:22 i missed that one
17:05:24 do we have a new PDF for sec doc?
17:05:26 I'd be interested if any kolla folk are here and what they thought
17:05:35 nsun1 - we do not
17:05:37 nsun1: no, not yet. we are still working on a solution
17:05:37 sec docs is cool
17:05:52 Good to know that people are really using our security notes
17:05:55 There is an issue building PDFs with the way we have RST guides set up. My understanding is there is no demand
17:05:56 +1
17:05:58 so one issue with threat modeling is we didn't get it done
17:06:02 we definitely need more time
17:06:13 I think we ended up with an hour and half to actually do the work and needed more
17:06:22 good note
17:06:26 Scheduling it on the last day is not a good idea.
17:06:44 #info the kolla threat analysis/modeling could have used more time
17:06:44 I'd say we need at least 3 hours of actual work, once everybody is on board with threat modeling and knows why we're doing it
17:06:58 I have a few minor nits as well that I already sent to hyakuhei and dg__
17:07:08 where are the videos for sec sessions of Austin summit?
17:07:16 Centralizing the docs - especially diagrams - will help
17:07:35 yeah and having them ahead of time too
17:07:36 And having a well-described walkthrough and levelsetting script will also help
17:07:46 sicarie: +1
17:07:53 nsun1: we don't have them collected, but you should be able to find them here https://www.openstack.org/videos/
17:07:59 extra +1 for using the term "levelsetting"
17:08:22 We noticed that the kolla team was very willing to do each component, but once one was done they were not clear on where to go next
17:08:47 tmcpeak: just working on my 'thought leader' vocabulary
17:09:00 hah
17:09:00 one day i hope to be able to talk forever and say absolutely nothing
17:09:18 haha
17:09:20 Kolla is also a bit of a special case.
A lot of their solution is based on what we'd consider third party dependencies like containers, ansible, etc
17:09:40 well very little of it is native kolla aiui
17:09:52 tmcpeak: and kolla doesn't expose a service controller
17:10:08 right
17:10:15 it's very different from what i would imagine of most TAs in openstack
17:10:51 so, it sounds like we have *loads* of good ideas to add onto dg_'s TA review
17:10:56 with kolla we ended up modeling "deployment of a general service in a container" with Keystone I believe, and then documented "snowflakes" or places where the security model diverges from the simple case
17:11:42 tmcpeak: is this captured somewhere like etherpad?
17:11:51 yeah the kolla etherpad, one sec
17:11:59 any other summit related topics to discuss, or should we roll into the regular agenda?
17:12:01 https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis
17:12:15 #link https://etherpad.openstack.org/p/kolla-newton-summit-threat-analysis
17:12:16 we are also full steam on getting projects involved with Bandit
17:12:19 but we can discuss during Bandit
17:12:25 ohyea, good point tmcpeak
17:12:28 thanks elmiko
17:12:34 #topic anchor
17:12:42 #link https://review.openstack.org/#/q/anchor+status:open,n,z
17:12:51 We might want to schedule a meetup (lunch/dinner) for security.
17:12:55 not on last day
17:13:02 michaelxin: yeah agreed
17:13:07 tkelsey: i think you are the only anchor rep here, anything to say?
17:13:11 michaelxin: +1
17:13:27 dg_ is on his way
17:13:35 ooh nice, we'll swing back then
17:13:45 4 mins away, can we postpone the anchor section for a bit please
17:13:49 #topic bandit
17:13:52 #link https://review.openstack.org/#/q/bandit+status:open,n,z
17:13:59 tkelsey, tmcpeak, browne
17:14:02 what's up =)
17:14:05 so one of the things we really need to do is get projects involved
17:14:17 so bandit gate has been added to castellan (or is about to be)
17:14:27 I think thats all on my radar actually
17:14:29 added to python-openstackclient as well
17:14:34 oh nice :)
17:14:36 at the summit a few of us took an individual project, ran Bandit with a suggested rule set, filed appropriate bugs, added appropriate nosecs, and then proposed the change to actually add the Bandit gate
17:14:39 and part of their pep8 gate
17:14:41 yep, i need to get back to bandit evangelism
17:14:53 this is a huge push for larger projects though
17:14:59 we were discussing a few options
17:15:01 Will continue what's left
17:15:03 tkelsey: do you have a link for either merges?
17:15:11 tmcpeak: rather than adding nosec's for the initial though, i thought we should just use excluded tests?
17:15:11 castellan or python-openstackclient?
17:15:15 like exclude all failing tests initially in the gate
17:15:18 yeah
17:15:28 ack
17:15:29 sicarie: the summit etherpad had a list of priority projects
17:15:31 elmiko: no, not nosec for that. Adding nosec for places they should actually be used
17:15:38 ahh, gotcha
17:15:53 sicarie: https://review.openstack.org/#/c/310917/
17:15:53 browne: thanks - any thought to making a blog post on "here's how you add bandit to your project"?
17:15:55 I did one for Kolla, there are a few places for things like jinja2 templating that I looked at the code and found it's not an issue, so added the proper nosec for them
17:15:56 thx
17:16:05 sicarie++
17:16:12 sicarie: +1
17:16:14 yeah that's a good idea
17:16:20 I'm actually happy to write that
17:16:27 sicarie: we kinda talked about a template in that meeting. but agree we need that
17:16:40 #action tmcpeak write blog post about adding bandit to your project
17:16:46 elmiko: +1
17:16:54 ha, good for the security blog
17:16:58 definitely
17:17:16 any other bandit stuff?
17:17:36 nothing from me for the time being
17:17:36 think that's it
17:17:39 #topic syntribos
17:17:42 #link https://review.openstack.org/#/q/status:open+project:openstack/syntribos,n,z
17:17:49 mdong, michaelxin you're up!
17:18:16 Our current focus is on improving existing security tests.
17:18:37 mdong: and ccneil are leading the efforts.
17:19:06 There are a couple of them finished with CRs
17:19:16 Oh, please welcome vinaypotluri to the team
17:19:25 he is from Intel
17:19:35 hi vinaypotluri, brief intro?
17:19:35 thank you :)
17:19:36 welcome vinaypotluri :)
17:19:42 welcome vinaypotluri
17:19:44 Now, we have four people working on this project: two from Intel and two from Rackspace.
17:20:05 nice
17:20:25 I'm a new college grad started working with intel on openstack security.
17:20:36 cool, welcome =)
17:20:39 I'm a novice in security
17:20:46 o/ sorry I'm late guys
17:20:54 They just finished their training
17:21:04 dg___: no worries, we're gonna circle back around to anchor
17:21:05 Started working on the project today
17:21:15 awesome
17:21:15 mdong: ccneil: Anything else to add on?
17:21:53 oh, rahulunair has been leading the efforts also to remove parts of opencafe from the project
17:22:16 and ccneill has started writing unittests for syntribos
17:22:35 great, thanks
17:22:39 #topic anchor
17:22:42 #link https://review.openstack.org/#/q/anchor+status:open,n,z
17:22:47 dg___: you're up!
17:22:52 Hey everybody
17:23:24 so anchor, we had a talk on this in the PKI session at the summit, very positive sesh. I'll send out a summary to -dev at some point soon
17:23:45 +1
17:23:53 tldr: we are aiming to integrate anchor into devstack and come up with a 'TLS by default' demo
17:24:06 that would be very cool
17:24:08 dg___: Have you tested my devstack plugin?
17:24:10 interesting
17:24:23 this is building on the work Daviey did last year, which has been languishing in my queue for far too long
17:24:30 Daviey - not yet
17:24:33 meh, only 8 months
17:24:33 soon :)
17:24:37 lol
17:24:47 babies are cooked quicker than reviews happen
17:24:57 truth
17:25:13 ok, so we suck, sorry
17:25:18 will aim to do better in future
17:25:39 however, that's not the way we really sucked today - a user internally mailed me saying 'the wiki page says this is frozen and it doesn't work'
17:26:00 whoa
17:26:05 lolwut
17:26:21 I pushed through a patch to the config today to unbreak anchor, so the example in the readme works, stan is going to look at it soon to fix the issue
17:26:32 but they have a point on the wiki, it's very out of date
17:26:33 any idea on the cause?
17:26:51 either a broken example or a broken validator
17:27:11 anyway, anchor now works if you clone it from github, not sure on pypi
17:27:17 and we'll fix the wiki soon
17:27:29 i think that's all the anchor comedy for one week.
todo: suck less
17:27:46 #action dg___ make anchor suck less
17:27:50 ;P
17:27:54 ty
17:27:58 haha
17:28:07 unsuck it
17:28:12 #topic OSSN
17:28:18 #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:28:25 we had part of a session on this too
17:28:34 oh nice, quick recap?
17:28:55 there were a fair amount of participants that aren't involved in OSSP
17:29:09 Should I do rate limit update here, or during the docs topic?
17:29:10 discussion around how to make it into a more standard format so it can be consumed with certain industry standard tools
17:29:18 lhinds: update would be great
17:29:32 sure, will let you finish the recap :)
17:29:45 we had some cross over in the sec-doc session with ossns as well
17:29:52 I was hoping to get more insight into how people are currently using OSSN and how we can make them use it more, but didn't get much from that
17:30:09 obviously the parseable thing would be cool but we aren't there and don't have enough bandwidth for it now
17:30:17 great idea from the doc session was to incorporate links to the notes into the guide
17:30:29 +1
17:30:42 tmcpeak one of the things that came out of the docs session was we needed closer linkups to operators, to make sure they know the OSSNs exist
17:30:57 oh, btw #link https://github.com/OpenSCAP/scap-security-guide/tree/master/OpenStack/RHEL-OSP/7/input/oval
17:31:03 ahh cool, how should we make that happen?
17:31:09 you will recognize some of those
17:31:32 +1
17:31:34 good work lhinds
17:31:37 lhinds++
17:31:47 tmcpeak tbd
17:32:07 lhinds this is legit
17:32:27 it can then be run under the OpenSCAP tool
17:32:37 very cool
17:33:01 we do something like this in the opnfv under functional testing, it deploys the scanner, runs, pulls down a nice html report, and then cleans env
17:33:10 happy to share with anyone if it's useful
17:33:29 yeah this looks very useful
17:33:34 also other dists can be covered, so its not eclusive RH stuff
17:33:42 s/eclusive/exclusive
17:34:02 nice, maybe worthy of a blog post?
17:34:12 would be great to raise visibility
17:34:16 yeah, sure..good idea
17:34:20 +1
17:34:34 +1
17:34:39 can I has hashtag actions ?
17:34:47 +1
17:34:51 #action lhinds openscap blog
17:34:55 lhinds: if you haven't seen it, look at https://github.com/openstack-security/openstack-security.github.io
17:34:58 not sure if need chair
17:35:17 thanks elmiko , will clone
17:35:20 #action lhinds make post about openscap on security blog
17:35:22 #action lhinds openscap blog
17:35:27 lol, wonderful
17:35:28 all the actions
17:35:33 double action
17:35:36 hehe, not sure how many actions lhinds is signed up for now
17:35:47 lhinds: yea, just make a pr against that repo, we'll get to it
17:35:52 cool
17:36:03 rate limiting..
17:36:10 shoot
17:36:30 so I just wanted to check, the plan is to do the OSSN, but also a section in the security guide.
17:36:45 i want to say yes
17:36:51 I think it makes sense to push them at the same time, I can do this I expect over the weekend.
17:36:54 Rate limiting is missing from the scguide
17:37:04 and also a deep topic
17:37:09 It's so deployment-specific I have avoided it
17:37:14 yea
17:37:18 I don't know how to give good advice for a generalized approach
17:37:25 +1
17:37:30 I also researched it and with help of the rackers on openrepose, I got it to rate limit the token revocation attacks
17:37:31 but i would totally love someone with more knowledge than me taking that on
17:37:38 "you should always strive to limit the rates"
17:37:51 lhinds: awesome, I'd love to see a review on that!
17:37:53 so is the recommendation to use repose?
17:37:56 so I can put a guide for that particular weak point.
17:37:58 or are there other options
17:38:14 i would say, lets get the OSSN out, and not necessarily link to the sec-guide work. but we should try to get them out relatively close together
17:38:15 I think repose is great, but it can get pretty involved
17:38:28 a section for the guide would be really good
17:38:32 I think it will need keystone core to look at it as well, it only blocks DELETE , not GET, POST etc.
17:38:33 ccneill: repose might be a tough sell
17:38:41 There are many other options
17:38:42 right. it being Java and all..
17:38:45 yea, i just don't want to see the OSSN get hung up waiting for the sec-guide part
17:38:51 +1
17:38:52 if they hit the api with more than x a minute, they get blocked for a minute
17:39:08 elmiko, I can have them both done early next week
17:39:09 the issues that are coming up now point to exactly why we should hash this out on the sec-guide review
17:39:14 lhinds: excellent!
17:39:30 I guess with reviews, it might to and fro a bit.
17:39:31 lhinds: great work on all this, thanks for taking it on
17:39:36 the other thing I wanted to check out...
17:40:04 should I provide guidance for all projects?....glance, neutron etc?
17:40:28 or only OSSN'ed stuff (the other was noVNC that I found?)
17:40:31 was the bug scoped to a single project?
17:40:39 elmiko, keystone
17:40:47 we should probably stick with that scoping, for now
17:40:56 but there is one on noVNC as well
17:41:24 hmm, if we can hit both with the same ossn i /think/ that is ok. but we should dbl check with hyakuhei
17:41:42 i'd say, go for both in the ossn, and we can fix in review
17:41:46 if necessary
17:41:56 sure, well I'll keep the guide section on keystone, and do a general overview and point them to the repose docs which are good.
17:42:06 +1
17:42:13 if demand is there, we can then expound further
17:42:25 ok..that's it
17:42:27 anything else on OSSNs?
17:42:45 #topic publicity
17:42:47 #link https://etherpad.openstack.org/p/security-raising-profile
17:42:53 tmcpeak: anything to discuss here?
17:42:59 nah, don't think so
17:43:03 that was easy
17:43:08 seems like there was a lot of good attendance at the summit
17:43:15 excellent!
17:43:16 people are interested at least in a cursory way
17:43:23 the publicity is working =)
17:43:31 getting commitment to contribute is different though
17:43:38 always ;)
17:43:48 I was toying with submitting something to http://events.linuxfoundation.org/events/linux-security-summit
17:44:03 nice
17:44:10 that'd be cool
17:44:32 however even if i did, I'd be unable to go
17:44:40 if Vancouver is above your pay grade, surely Toronto is too? ;)
17:44:58 doh
17:45:06 sicarie submit it and see what happens
17:45:08 that hurts, tmcpeak :)
17:45:13 :P
17:45:48 speaking of hurt
17:45:50 #topic docs
17:45:57 #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:46:01 lol
17:46:04 so....
17:46:04 great transition elmiko
17:46:07 So we had a really good design sesh at Austin
17:46:12 +1
17:46:31 We added a doc core to help with reviews
17:46:36 woot!
17:46:42 So we have 4 now that can do docs-specs review
17:46:46 +1
17:46:47 i missed that part, who did we add?
17:46:52 Shilla Saebi
17:46:56 excellent!
17:46:59 I hope I spelled that right
17:47:21 Yep, she's very good
17:47:27 some great suggestions came out of that session too
17:47:34 +1
17:47:43 OSSN links into sec-guide
17:47:52 more concrete examples, when possible
17:47:54 One of the unfortunate aspects is that the last order of books (based off the pdf) was just a few in April of 2015
17:48:01 ouch
17:48:09 And with the knowledge that none of the other docs have a pdf
17:48:15 We decided to shelve that idea
17:48:20 Unless there's great demand
17:48:23 the pdf idea?
17:48:24 If there is, please let me know
17:48:26 yeah
17:48:30 ahh, too bad
17:48:35 Agreed
17:48:38 but understandable
17:48:41 I thought it was an asset, even if it was versioned
17:48:49 The other thing is that I spoke with the Neutron docs lead
17:49:05 And Edgar is going to get a few reviews on the Neutron chapter, which is the one I was most concerned about
17:49:13 awesome
17:49:16 So I'm going to start pinging him with annoying regularity next week :)
17:49:21 haha
17:49:29 we should publish the guide as books and give them freely on next summit! :-)
17:49:38 that would be nuts!
17:49:42 if we found sponsors
17:49:45 :-(
17:49:47 michaelxin: we need a pdf version to be able to do that!
17:49:54 no no, nuts in a good way =)
17:50:03 elmiko: haha
17:50:04 apparently the secguide was one of the best selling versions, but there's no demand for it anymore - probably due to the changes
17:50:05 ;)
17:50:27 yea, who knows how much demand there would be if we had the pipeline running again and could produce regular updates
17:50:38 that's all I have - I'll let elmiko wrap up docs
17:50:40 true
17:50:52 not much more from me, but making another pdf would be cool
17:51:02 agreed - i'd really like to :)
17:51:08 #topic blog
17:51:09 #link https://github.com/openstack-security/openstack-security.github.io
17:51:22 no hyakuhei, tmcpeak any updates?
17:51:35 seems like we've got a few new post ideas from this meeting
17:51:38 but otherwise no
17:51:54 yup, good that it keeps chugging away =)
17:52:03 #topic threat analysis
17:52:13 i know we talked about this earlier, are there any links we should add?
17:52:32 sorry I missed the earlier discussion, did you catch the links to the TA blog posts?
17:52:43 Anchor TA and TA Process?
17:52:54 i don't think so, post again
17:53:09 we can never get enough of these links ;)
17:53:17 #link http://openstack-security.github.io/collaboration/2016/04/26/threat-analysis-process.html
17:53:18 +1 - love links
17:53:36 #link http://openstack-security.github.io/threatanalysis/2016/02/07/anchorTA.html
17:53:57 dg___++
17:54:19 leaves us 5min to spare for AOB
17:54:21 #topic AOB
17:54:25 On OSSNs, the last patch set on 0063 needs some reviews please: https://review.openstack.org/#/c/267800/
17:54:53 cool, will check it out
17:55:27 maybe a wrap?
17:55:35 what about midcycle?
17:55:38 oooh
17:55:41 good point
17:55:53 do we have any host volunteers?
17:56:16 i don't think my house is big enough =(
17:56:22 I've got a van down by the river...
17:56:25 haha
17:56:26 :P
17:56:27 michaelxin and rob talked about hosting it in Austin
17:56:28 I dunno, the basement looked pretty spacious elmiko
17:56:42 tmcpeak: all smoke and mirrors, i assure you ;)
17:56:43 vmware would be willing to host in Palo Alto, i believe.
17:56:45 we talked about hosting it again in the castle
17:56:55 Rob wanted to host it in UK
17:56:57 what part of the world works best?
17:57:02 how many people will go to UK?
17:57:02 happy to host in bristol/cheltenham, uk
17:57:07 dg___: +1
17:57:24 as much as Rob and I would love to host in the UK, I suspect it would be a lonely meeting
17:57:25 maybe we ought to wait for hyakuhei before we get too far on midcycle
17:57:37 dg___: more time we could spend at the pub ;)
17:57:44 We would like to host it in the castle
17:57:45 tmcpeak: +1 good thought
17:57:53 so we are happy to host in UK if there are enough people who can come, but we are assuming that fundamentally it will need to be in the US
17:58:01 if you all are ok with coming here in Aug or Sept
17:58:02 hmm.. idea
17:58:07 #info rackspace and vmware both willing to host, we should discuss again with hyakuhei
17:58:07 michaelxin is that san diego?
17:58:13 what if we do it in Castle, but maybe the UK folks can come to the Rackspace London office?
17:58:27 dg___: It is san Antonio!
17:58:29 not sure how that would work, but to try to make it as easy on everyone as possible
17:58:32 rackspace has telepresence?
17:58:33 The heart of texas
17:58:34 potentially, although we would rather go to rackspace austin offices
17:58:34 i liked co-locating with barbican last time. maybe look for another project to co-locate with this cycle? keystone?
17:58:49 +1
17:58:51 dave-mcc_: +1
17:58:52 +1
17:58:52 dave-mcc_: that would be cool
17:59:04 1 min left...
17:59:18 all right
17:59:22 let's wrap? thanks everybody, especially people joining us for the first time
17:59:25 +1
17:59:27 thanks all!
17:59:28 thanks elmiko!
17:59:30 thanks
17:59:31 #endmeeting