17:00:13 <hyakuhei> #startmeeting Security
17:00:14 <openstack> Meeting started Thu Jun 23 17:00:13 2016 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:18 <openstack> The meeting name has been set to 'security'
17:00:31 <sigmavirus24> o/
17:00:37 <dg___> o/
17:00:39 <Daviey> \o
17:00:51 <michaelxin> o/
17:01:14 <mdong> o/
17:01:21 <mhayden> /o/
17:01:25 <unrahul> o/
17:01:47 <browne> o/
17:02:19 <hyakuhei> Hey michaelxin welcome back :)
17:03:09 <hyakuhei> So last week we decided to shuffle the agenda a little bit to speed things along when we don’t have lots to go over
17:03:15 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:03:32 <michaelxin> hyakuhei: Thanks.
17:03:40 <woodster_> o/
17:04:02 <hyakuhei> Hey woodster_
17:04:12 <hyakuhei> ok so the first standing item is now Syntribos
17:04:17 <Daviey> hyakuhei: why is Anchor / Bandit AOB?
17:04:22 * woodster_ waves!
17:04:55 <vinaypotluri> o/
17:04:59 <hyakuhei> Daviey: because they’re pretty stable now, not much exciting stuff happening with them
17:05:03 <hyakuhei> hello vinaypotluri !
17:05:17 <hyakuhei> Nice to see you here Daviey :)
17:05:24 <michaelxin> we are working to make Syntribos better
17:05:26 <Daviey> hyakuhei: nice to see you as well :)
17:05:32 <vinaypotluri> hello there hyakuhei
17:05:35 <michaelxin> ccneill and mdong
17:05:43 <ccneill> o/
17:05:44 <hyakuhei> #topic Syntribuos
17:05:45 <mdong> so this week on Syntribos we’ve had a bunch of CRs merged
17:05:49 <hyakuhei> £topic syntribos
17:05:51 <hyakuhei> ffs
17:05:51 <ccneill> yep
17:05:57 <michaelxin> Anyway, we are still working on the improvements
17:06:00 <hyakuhei> I’m not even drinking today
17:06:15 <hyakuhei> That’s very cool, michaelxin ccneill mdong
17:06:24 <michaelxin> One is about signals and detection rates
17:06:26 <hyakuhei> What’s the next big milestone for Syntribos ?
17:06:27 <mdong> we’ve been doing some work on the output
17:06:36 <michaelxin> Another is about reporting.
17:06:53 <michaelxin> We are planning to get the first stable version ready
17:07:03 <michaelxin> That's our big milestone.
17:07:05 <ccneill> I think we're almost done with the basic checks that we want to implement
17:07:13 <ccneill> we have some refactoring changes to do for tests
17:07:36 <ccneill> and I think we're close to done with implementing reporting how we want (with minimum confidences/severities)
17:08:08 <ccneill> I think we'll have something stable, though not quite finished (we can still implement more tests as we go along) within the next few weeks
17:08:16 <hyakuhei> it would be awesome to see this at the summit! I’m sure that’d be a popular presentation
17:08:29 <ccneill> I think we'll be able to remove opencafe within the next few weeks as well
17:08:54 <ccneill> we're still trying to figure out how best to structure some convenience methods to make test-writing easy and not have a lot of boilerplate code to import the same checks over and over
17:08:59 <michaelxin> We are also using the broken API as our testbed.
17:09:12 <michaelxin> Some improvement will be done on the broken API.
17:09:33 <ccneill> hyakuhei: I think we're going to hold off on presenting until we've gotten it a little more stable, so that we're not distracted by trying to present while we're still working to get the basic pieces together
17:09:54 <ccneill> but we'll definitely try to present something as soon as we feel confident in the tool and have some results to back it up
17:10:15 <hyakuhei> That’s a fair approach - no pressure from me I just think it’s an exciting project
17:11:16 <ccneill> we're inching closer and closer :)
17:11:17 <michaelxin> hyakuhei: +1
17:11:54 <hyakuhei> Cool. Any more syntribos things ?
17:12:03 <ccneill> if anyone has spare cycles to check out some CRs, it would be very handy right now
17:12:16 <ccneill> this CR is the basis for all the signals work we're doing: https://review.openstack.org/#/c/331286/
17:12:46 <ccneill> since it's a dependency for most of the other CRs we're working on right now, we want to get it merged as soon as we can, but we also don't want to rush it
17:12:55 <hyakuhei> Interesting. tkelsey may be interested in that
17:13:24 <ccneill> any help, nitpicks, etc. are appreciated :)
17:14:01 <hyakuhei> Of course :) I’ve added Tim as a reviewer in my absence.
17:14:14 <ccneill> since signals underlie most of the changes we'll be making to improve test writing, we want to change them as little as possible after this CR
17:14:39 <ccneill> I think that's it for us
17:14:40 <hyakuhei> Makes sense.
17:15:24 <hyakuhei> #topic OSSN
17:15:50 <hyakuhei> So we asked for contributions to this last week but not much happened, tmcpeak is away
17:16:01 <hyakuhei> and I’ve been tied up
17:16:15 <hyakuhei> but I’m still looking for more contributors
17:17:36 <hyakuhei> I was considering modifying the template
17:17:42 <hyakuhei> to include authors' names / org
17:17:59 <hyakuhei> wondering if putting people's names on things might make them more interesting
17:18:24 <hyakuhei> Any thoughts on OSSN?
17:18:49 <hyakuhei> #topic Midcycle
17:19:41 <hyakuhei> hmm just looking for more info
17:19:44 <hyakuhei> but I don’t have any
17:19:49 <hyakuhei> looks like we’ve got space at IBM
17:19:55 <ccneill> re: OSSN, I think you're right that giving credit will probably help get more contributions from people who haven't contributed before
17:20:07 <ccneill> hyakuhei: nice, so we're on at IBM Austin for sure?
17:20:18 <hyakuhei> Cool, I’ll run it by nkinder
17:21:13 <hyakuhei> I suspect this will be a short meeting today :)
17:21:19 <hyakuhei> #topic docs
17:21:27 <sicarie> steady-state
17:21:34 <hyakuhei> Sweet, no fires?
17:21:39 <sicarie> a good compliance change coming in, but I'm still swamped on my end for 2 more weeks
17:21:42 <sicarie> not yet :)
17:21:56 <hyakuhei> Mail me when the review is up ?
17:22:05 <sicarie> will do
17:22:13 <hyakuhei> Cheers
17:22:15 <sicarie> initial is up, i'll shoot it your way
17:22:31 <hyakuhei> Excellent!
17:23:03 <sicarie> #link: https://review.openstack.org/#/c/330647/
17:23:29 <hyakuhei> I don’t have any more info on TA either. Been a bit of a busy week!
17:23:52 <dg___> likewise
17:24:04 <dg___> it's very high on my list, but unfortunately I'm massively swamped with the day job
17:24:43 <hyakuhei> ditto
17:24:50 <hyakuhei> #topic AOB
17:25:03 <hyakuhei> Don’t have much to add about Anchor other than people are trying to use it more
17:25:30 <ccneill> yay
17:25:33 <ccneill> who's using it?
17:25:52 <michaelxin> Are the dates for mid-cycle finalized?
17:26:05 <hyakuhei> Need to check with Fernando
17:26:13 <vinaypotluri> sorry for stupid questions but is AOB Anchor and Bandit ?
17:26:35 <hyakuhei> Good question, it’s any other business
17:26:37 <ccneill> "Any other business"
17:26:46 <vinaypotluri> ok
17:26:47 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:27:18 <hyakuhei> Anything on Bandit ?
17:27:40 <hyakuhei> Or ideas for the blog
17:28:03 <sicarie> dg___ has an idea for the blog :)
17:28:19 <hyakuhei> Oh…..
17:28:47 <dg___> wait what now?
17:28:50 <hyakuhei> lol
17:29:16 <dg___> remind me sicarie...
17:30:06 <hyakuhei> sicarie: trollin?
17:31:15 <dg___> hyakuhei more on that one next week, we need to line some stuff up internally before we publish
17:31:21 <hyakuhei> ok buddy
17:31:38 <mhayden> hyakuhei: have you thought of making an openstack-ansible role for anchor?
17:31:49 <hyakuhei> I HAVE! :D
17:31:49 <mhayden> we could ask if someone has interest in using it
17:31:57 <Daviey> How about a Kolla role for anchor? :)
17:32:11 * mhayden sees a squirrel
17:32:16 <hyakuhei> We already have some AppArmor profiles but rolling it into deployment magic would be an excellent next step
17:32:23 <sicarie> sorry, got waylaid by a drive-by discussion, was not trolling
17:32:37 <Daviey> Well... the biggest part is missing.. and that is client side handling and rotation, right?
17:32:40 <hyakuhei> Especially now it has a slightly less stupid container script
17:32:58 <hyakuhei> Daviey: cathead is a thing but the certmonger guys are actually super keen to make it work
17:33:07 <Daviey> sure
17:33:20 <hyakuhei> #link https://github.com/admiyo/anchor-certmonger-helper
17:33:48 <hyakuhei> though I think HP got good mileage out of using cron.d
17:35:12 <hyakuhei> mhayden: what would be a good next step for an openstack-ansible role? Suggest anything that’d be a good role to copy / build on
17:35:49 <mhayden> hyakuhei: we could use some of the scaffolding from the sahara or zaqar roles
17:35:58 <hyakuhei> Cool!
17:35:59 <mhayden> would just need a spec proposed with the work detailed out there
17:36:15 <mhayden> i've written those before for OSA, so i can help if needed
17:36:15 <hyakuhei> I’ll take a look at that hopefully early next week though I’ll have to fit it around some traffic
17:36:34 <hyakuhei> Sweet thank you!
17:36:34 <Daviey> I was planning to POC anchor in kolla.. but i'm weeks away from looking at that
17:36:50 <hyakuhei> Cool!
17:36:54 <Daviey> If you do some stuff as part of openstack-ansible, i'd love to see it
17:37:18 <hyakuhei> Sounds good
17:37:21 <hyakuhei> Ok, anything else to cover today?
17:37:39 <mhayden> so, i figure i'd offer an update on the security role for OSA
17:37:46 <hyakuhei> sweet!
17:37:53 <mhayden> there's support there now for RHEL 7, CentOS 7, Ubuntu 16.04
17:38:00 <mhayden> (and existing support for 14.04 remains)
17:38:29 <mhayden> and someone in the community is proposing a spec to rebase the RHEL7/centos/16.04 work on the soon-to-be-released stig for RHEL 7
17:38:31 <hyakuhei> That’s awesome
17:38:48 <mhayden> so if anyone is interested in offering opinions there, i'll let y'all know when the time comes
17:39:15 <hyakuhei> lol I don’t have opinions but I’ll try to take a look
17:39:40 <hyakuhei> Anything else ?
17:39:40 <mhayden> thanks -- that's it for now
17:40:00 <hyakuhei> Sweet, thanks mhayden ! useful stuff!
17:40:15 <mhayden> de nada
17:40:15 <hyakuhei> Ok I think that’s a wrap!
17:40:24 <hyakuhei> #endmeeting