Wednesday, 2014-07-02

00:34 *** voodookid has joined #openstack-security
00:38 *** ved_lad has quit IRC
00:44 <nkinder_> voodookid: hey, I checked out the service users on my RDO Icehouse install
00:44 <nkinder_> voodookid: they're all set to /sbin/nologin
00:44 <nkinder_> voodookid: so typical service/daemon users
00:44 <voodookid> okay, I am writing a quick python thing to see what happens with Shell=True with an account with /bin/nologin, bin/false, etc
00:45 <voodookid> mainly for my own edification
00:45 <voodookid> thank you, very much
00:45 <voodookid> I want to help out, but I feel like I am going to ask some simple questions that are going to elicit some eye rolls
00:48 <voodookid> this is a pre-emptive "thank you" for helping out
00:52 <voodookid> ah, shoot, okay, even if shell=True, the subprocess module will execute anything in args
00:52 <voodookid> and the user's shell is /bin/false
00:55 <voodookid> so that is not a great protection anyway
00:57 <nkinder_> voodookid: yeah, it doesn't help
00:58 <voodookid> same with nologin as a shell as well. Well, the more you know
00:59 <voodookid> nkinder_: I am still looking to help. If you have underserved areas of development and visibility, please point me at them.
00:59 <nkinder_> voodookid: according to the Popen python docs, "On Unix with shell=True, the shell defaults to /bin/sh"
00:59 *** bdpayne has quit IRC
00:59 <nkinder_> voodookid: so it's not consulting /etc/passwd
01:00 <nkinder_> voodookid: so what are your interests and goals around OpenStack?
01:00 <nkinder_> voodookid: are you just trying to learn more about it? Looking to do development on a core project? Something else?
01:01 <nkinder_> voodookid: given you're on this channel and you were looking at the CA code in Nova, I take it you are interested in security
01:03 <voodookid> I am a security engineer who is starting to work with OpenStack, both professionally, as well as in my own projects. I tend to notice the same mistakes in multiple open source projects in regards to a SDLC and security handling in general, so I would like to help out as early as possible. Bugs get more expensive the older they get, so I would like to help catch and fix them as soon as possible as well as offer some helpful s
01:03 <nkinder_> voodookid: There is a lot of interesting work and areas to get involved. Finding something that you are truly interested in will make it enjoyable/rewarding.
01:04 <nkinder_> voodookid: Ok, well there are a few efforts we have going on in the security group that you might find interesting...hreat modelling
01:04 <nkinder_> make that thread modeling...
01:04 <nkinder_> it's been a long day and my fingers have checked out... threat modeling
01:05 <nkinder_> there's been a pass at Keystone, but we want it to cover the other projects
<nkinder_> voodookid: there's some info here -
01:05 <nkinder_> voodookid: there is also a code-level auditing if you're more of a developer
01:06 *** voodookid1 has joined #openstack-security
01:06 <nkinder_> voodookid1: whoops, must have lost you. What was the last thing you saw from me?
01:06 <voodookid1> nkinder_: no worries, my wireless is also checked out
01:06 <voodookid1> the pass at Keystone
<nkinder_> voodookid: there's some info here -
01:06 <nkinder_> voodookid: there is also a code-level auditing if you're more of a developer type
01:07 <voodookid1> I know that is the imaging service, do you mean, where would I attack if I wanted to get at something?
01:07 <nkinder_> voodookid: keystone is the authorization service. It stores users, handles authentication, and maps the users to roles on a given project
01:07 <voodookid1> nkinder_: reading the doc
01:07 <nkinder_> it then gives the user an authorization token
01:07 <voodookid1> ah, gotcha, sorry, still learning the names of various projects
01:08 <nkinder_> voodookid: no worries. There are a bunch of them, and it takes a bit to wrap your head around which is which
<nkinder_> voodookid: the goal of the security audit effort is to analyze code and produce a summary of security related info. Here's an example from an audit I did of keystone -
01:09 <nkinder_> voodookid: tmcpeak is working on doing that type of audit of Glance
01:09 *** voodookid has quit IRC
01:10 <nkinder_> voodookid: the real goals for that effort are to not just provide a summary of security info for compliance, but to identify areas of weakness that can be improved by the development teams
01:11 *** voodookid1 is now known as voodookid
01:11 <voodookid> okay, I am reading up on it now as well as checking out latest Keystone
01:12 <voodookid> "Keystone doesn't have an home-brewed encryption implementations, everything is used from Python Standard libraries or third party libraries." <--- awesome. First thing I look for "I rolled my own hash algo"
01:12 <voodookid> "My own version of MD5"
01:13 <nkinder_> voodookid: yeah, absolutely.
01:13 <nkinder_> voodookid: in my view, OpenStack has grown rather organically with no real coordination around security
01:14 <nkinder_> voodookid: so for example, every project has their own SSL/TLS client side code instead of a single shared implementation
01:15 <nkinder_> voodookid: so if a bug hits, it may require 10+ patches that are all slightly different instead of 1 patch in a centralized module that handles SSL/TLS
01:16 <voodookid> such is the way of most projects. You can drag a horse to water, but you cannot make it drink. Same with devs, I think identifying those areas, putting security people on it who have dev skills (or want to develop those, such as myself) you will still get the gains. I have yet to meet a developer who was good at security if they were not already "in" to security. Most of them are security folks who develop. Not the other wa
01:16 <nkinder_> that particular issue is starting to get addressed now
01:16 <voodookid> and yeah, I was noticing that too. I am noticing some repeat code
01:16 <voodookid> not boilerplate, but same basic functionality
01:17 <nkinder_> voodookid: one of the grand visions is to eventually have established security guidelines/standards that each project needs to follow
01:17 <nkinder_> voodookid: but we need to see where we're at currently and start a cleanup effort (which is slow-going)
<nkinder_> voodookid: if you're interested in the auditing effort, I've summed it up here -
01:18 * voodookid is watching nkinder_'s video
<nkinder_> voodookid: when you're done, this shows the current projects that are/aren't covered -
01:29 <voodookid> nkinder_: "Integrated Projects" and "Incubated" are covered?
01:29 <nkinder_> voodookid: the more the merrier
01:29 <nkinder_> voodookid: integrated are the core projects
01:30 <voodookid> ah, okay, and incubated are a work in progress?
01:30 <nkinder_> incubated are on their way to integrated (hopefully)
01:30 <nkinder_> incubated have to be improved for incubation, so they're in a "trial period" so to speak
01:30 <voodookid> ah, okay, and there are other projects out there that are not even listed? This is just what the security team has and what they are working on
01:30 <nkinder_> boy... s/improved/approved/
01:31 <nkinder_> stackforge is anything goes, which is where most projects start
01:31 <nkinder_> they're not really a part of OpenStack, but they are OpenStack related projects
01:31 <voodookid> ah, okay
01:31 <nkinder_> integrated is what OpenStack really is, and incubated are on their way to being an official part of OpenStack
01:33 <nkinder_> voodookid: I'd recommend seeing what catches your interest from the integrated list, as those are most important to cover
01:33 <voodookid> gotcha, that is what I am looking at now
01:33 <nkinder_> voodookid: nova and neutron are pretty complex areas
01:34 <voodookid> I have looked at nova, but just barely
01:34 <nkinder_> cinder might be a good one to start with
01:34 <voodookid> I am looking at keystone right now, mainly because authN/Z stuff is where I get stoked on
01:34 <nkinder_> heh, that's my area of interest too
01:35 <voodookid> bcrypt, scrypt, PBKPF2, OpenLDAP/Kerberos, SAML (blegh), etc
01:35 <nkinder_> I come from an LDAP server developer background
01:35 <voodookid> so many cool things
01:36 <voodookid> *PBKDF2, my fingers lurv to write that wrong
01:37 <nkinder_> heh... they basically needed a whole new acronym when it's really multiple rounds of SHA
02:34 *** voodookid has quit IRC
02:54 *** voodookid has joined #openstack-security
03:01 *** voodookid has quit IRC
05:33 *** bdpayne has joined #openstack-security
05:52 *** bdpayne has quit IRC
08:40 *** jkraj has joined #openstack-security
12:55 *** jkraj has quit IRC
13:08 *** nkinder_ has quit IRC
13:56 *** nkinder_ has joined #openstack-security
14:04 *** paulmo has joined #openstack-security
14:31 *** jkraj has joined #openstack-security
14:40 *** voodookid has joined #openstack-security
<openstackgerrit> Christian Berendt proposed a change to openstack/security-doc: Fixed wrong usage of links
15:30 *** tmcpeak has joined #openstack-security
15:40 <paulmo> tmcpeak: Did you get the () line continuation stuff worked out yesterday btw?
15:41 <tmcpeak> paulmo: yeah, I just shortened the variable name :)
15:42 <paulmo> haha that works. If you want an example of what to do I'm happy to show you btw.
15:42 <tmcpeak> ok, just for giggles
15:42 <tmcpeak> how would you wrap this line with parentheses
15:43 <tmcpeak> paulmo: if 'shell=True' in line_no_sp and 'subprocess' in line_no_sp:
15:43 <paulmo> I'll assume indentation is causing that to go past 79 chars
15:44 <tmcpeak> the old variable name, instead of line_no_sp was
15:45 <paulmo> Ok, I went overboard just to show:
15:45 <paulmo> if ('shell=True' in
15:45 <paulmo>     line_no_sp and
15:45 <paulmo>     'subprocess' in
15:45 <paulmo>     line_no_sp):
15:46 <paulmo> That is an easy one. :)
15:46 <tmcpeak> ahh ok, so wrap the whole thing in parens and then you can put line breaks wherever you want?
15:46 <paulmo> It isn't always quite so easy but for the most part, that can work.
15:47 <paulmo> (like breaking up a 500 character single string for example)
15:48 <tmcpeak> oh yeah, how does that work?
15:48 <tmcpeak> I saw examples on stackforge about that
15:48 <tmcpeak> string = "bla bla"
15:48 <tmcpeak> string += "bla bla"
15:48 <paulmo> Let me write up a quick example :)
15:50 <paulmo> You can do something like this (just make the strings longer to show the wrapping issue):
15:50 <paulmo> my_text = ("0123456789012345678901234567890"
15:50 <paulmo>            "abcdefghijklmnopqrstuvwxyz")
15:50 <paulmo> (ugh the indentation is off but I lined up both strings)
15:51 <tmcpeak> that's cool
15:51 <paulmo> Once you see a few examples, it is really easy eh?
15:51 <tmcpeak> yeah, good stuff
15:51 <tmcpeak> paulmo: thanks!
15:51 <tmcpeak> btw, why the holy war against \
15:51 <paulmo> That is an OpenStack religious issue I guess… it isn't a PEP8 requirement. I'm not sure what the history is.
15:52 <tmcpeak> ahh, well good to know so I can play along
15:52 <paulmo> Most HACKING.rst's will explicitly call that out.
15:52 <tmcpeak> yeah, that's actually how I know I had to shorten the line :)
15:53 <tmcpeak> running hacking against my own hacking rule
15:53 <paulmo> Hack the hacking rule! haha
15:58 *** bdpayne has joined #openstack-security
16:05 *** bdpayne has quit IRC
16:35 *** bdpayne has joined #openstack-security
17:25 *** ved_lad has joined #openstack-security
17:49 *** openstackgerrit has quit IRC
17:49 *** openstackgerrit has joined #openstack-security
<openstackgerrit> A change was merged to openstack/security-doc: Renamed bk-openstack-sec-guide.xml to bk-openstack-security-guide.xml
18:33 *** ved_lad has quit IRC
19:14 *** nkinder_ has quit IRC
<openstackgerrit> Christian Berendt proposed a change to openstack/security-doc: Update to clouddocs-maven-plugin 2.1.1
<openstackgerrit> A change was merged to openstack/security-doc: Further translation setup
<openstackgerrit> Andreas Jaeger proposed a change to openstack/security-doc: Fix buildlang
20:03 *** ved_lad has joined #openstack-security
<openstackgerrit> A change was merged to openstack/security-doc: Fix buildlang
20:15 *** ved_lad has quit IRC
20:46 *** jkraj has quit IRC
20:50 *** nkinder_ has joined #openstack-security
<bdpayne> So who wants to port this to OpenStack?
22:01 *** ved_lad has joined #openstack-security
22:05 *** paulmo has quit IRC
22:08 <voodookid> bdpayne: I saw this, freaking rad. What do you think it would take?
22:10 <bdpayne> probably quite a bit of work
22:42 <tmcpeak> woah, this looks pretty cool
23:08 *** tmcpeak has quit IRC
23:25 *** voodookid has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from global requirements

Generated by 2.14.0 by Marius Gedminas