12:03:15 <jaosorior> #startmeeting TripleO Security Squad
12:03:16 <openstack> Meeting started Wed Apr  4 12:03:15 2018 UTC and is due to finish in 60 minutes.  The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:03:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:03:20 <openstack> The meeting name has been set to 'tripleo_security_squad'
12:03:42 <jaosorior> #topic Work progress update
12:03:53 <jaosorior> Hi folks!
12:04:05 <lhinds> hey jaosorior
12:04:17 <jaosorior> So, thanks for joining the Security Squad meeting. First, I would like to give a small update on how things are going
12:04:48 <jaosorior> I've been mostly doing work on getting TripleO to use TLS by default on the public interfaces
12:05:00 <jaosorior> The undercloud patches have merged, as well as the patches to get it as a default in the containerized undercloud
12:05:08 <jaosorior> so: classic and containerized
12:05:16 <jaosorior> I've been a little stuck on the overcloud though
12:06:04 <jaosorior> The main problem being that the current code that I have https://review.openstack.org/#/c/554926/ relies on the undercloud having the CA file generated, and that way it detects if we can use the same CA, and get the certs from there.
12:06:21 <openstackgerrit> Sagi Shnaidman proposed openstack-infra/tripleo-ci master: DNM: test ci roles  https://review.openstack.org/558790
12:06:30 <jaosorior> If no TLS is enabled in the undercloud, then we don't request the certs for the overcloud... BUT this kinda complicates things on what defaults should we use for the endpoints and such
12:06:48 <jaosorior> and it makes it hard to detect if the deployer overwrote those endpoints at some point
12:06:52 <jaosorior> so I need to come up with a solution for that
12:07:21 <jaosorior> one idea I had is to always deploy the local CA certificate in the undercloud: https://review.openstack.org/#/c/558768/ which is failing for some reason (need to investigate it)
12:07:47 <jaosorior> that way we would always have the CA available, and we could just change the defaults for the overcloud to use https
12:07:58 <jaosorior> hope I didn't go too deep into details
12:08:09 <jaosorior> but again, if anybody is interested in joining that effort, reach out
12:08:15 <jaosorior> and also I really appreciate reviews and ideas
12:08:44 <jaosorior> any questions/feedback?
12:08:56 <lhinds> do you have the patches you staged jaosorior ?
12:09:10 <lhinds> or topic
12:09:29 <lhinds> sorry, i see them now :-/
12:09:44 <jaosorior> lhinds: I've been adding most of the patches to the etherpad https://etherpad.openstack.org/p/tripleo-security-squad but also I'm using a topic for them
12:09:59 <jaosorior> https://review.openstack.org/#/q/topic:public-tls-default+(status:open+OR+status:merged)
12:10:02 <lhinds> ack, got it jaosorior - me being slow
12:10:04 <jaosorior> public-tls-default is the topic
12:10:05 <trozet> jaosorior: do you mind approving https://review.openstack.org/#/c/558664/ ?
12:10:14 <ooolpbot> URGENT TRIPLEO TASKS NEED ATTENTION
12:10:15 <ooolpbot> https://bugs.launchpad.net/tripleo/+bug/1757556
12:10:15 <openstack> Launchpad bug 1757556 in tripleo "timeouts in neutron are causing ssh failures in tempest test instances" [Critical,Triaged]
12:10:57 <jaosorior> trozet: done.
12:11:07 <trozet> jaosorior: ty
12:11:10 <jaosorior> #topic Any other business
12:11:25 <jaosorior> that was all from my side (on the progress update bit)
12:11:33 <jaosorior> does anybody else have anything you would like to bring up to the meeting?
12:11:56 <lhinds> I can provide a small update (not much as I was away last week)
12:12:07 <jaosorior> Sure
12:12:32 <jaosorior> lhinds: should I add a topic so it's easier to follow in the logs?
12:12:44 <lhinds> #topic Limit TripleO users
12:12:52 <jaosorior> #topic Limit TripleO users
12:12:57 <lhinds> thx !
12:13:01 <jaosorior> lhinds: I don't recall the command to make you admin too
12:13:11 <lhinds> #chair donaldduck
12:13:16 <lhinds> > #chair donaldduck
12:13:21 <jaosorior> lol ok
12:13:58 <lhinds> So I am yet to make a start on this, but have been thinking about my approach. I will start sketching it out in the following this week I hope:
12:13:59 <lhinds> https://etherpad.openstack.org/p/tripleo-audit-limit-track
12:14:29 <lhinds> can you hash topic Security Hardening pls jaosorior
12:14:48 <jaosorior> #topic Security Hardening
12:15:18 <lhinds> I need to look at the following patch and get this in a better state, it's pretty horrible at the moment.
12:15:21 <lhinds> #link https://review.openstack.org/#/c/444804/6
12:15:39 <lhinds> this will expose more values in tht for puppet-auditd
12:15:45 <jaosorior> nice
12:16:07 <lhinds> I also need to do some patches in DIB to allow a grub2.conf entry to start auditd early in system boot.
12:16:30 <lhinds> the idea being audit starts early on in the boot cycle, before the services it tracks.
12:16:40 <lhinds> That's it for me.
12:16:45 <lhinds> thx jaosorior
12:17:00 <jaosorior> lhinds: if you do patches, or have ideas you would like help on, feel free to put it in the etherpad so it's easier for people to track
12:17:08 <jaosorior> at least that way I could review them easier :)
12:17:18 <lhinds> jaosorior: just did that, added the auditd patch.
12:17:21 <jaosorior> awesome
12:17:24 <jaosorior> thanks
12:17:24 <lhinds> great minds think alike :)
12:17:32 <jaosorior> #topic Any other business (again)
12:18:14 <jaosorior> Just in case someone else has something to bring up
12:18:49 <lhinds> nothing from me.
12:18:59 <jaosorior> alee, raildo, owalsh ?
12:19:05 <raildo> nothing from my side
12:19:13 <owalsh> nothing from me
12:19:22 <jaosorior> alrighty
12:19:26 <jaosorior> Thanks for joining folks!
12:19:29 <jaosorior> #endmeeting