Friday, 2016-07-29

00:16 <vinaypotluri> sometimes "Happiness is seeing jenkins pass !"
00:18 <vinaypotluri> unrahul: thank you for modifying tox.ini
00:20 *** deblike has joined #openstack-security
00:20 *** ccneill has quit IRC
00:23 *** sdake has quit IRC
00:24 *** deblike has quit IRC
00:28 *** tmcpeak has quit IRC
00:29 <openstackgerrit> Merged openstack/security-doc: Adds rate-limiting section to API endpoint section  https://review.openstack.org/348290
00:49 *** jamielennox is now known as jamielennox|away
00:58 *** jass93 has quit IRC
00:59 *** elo has quit IRC
01:01 *** browne has quit IRC
01:01 *** davidjd-gh has joined #openstack-security
01:02 *** davidjd-gh has left #openstack-security
01:11 *** elo has joined #openstack-security
01:12 *** jass93 has joined #openstack-security
01:13 *** sdake has joined #openstack-security
01:13 *** sdake has quit IRC
01:13 *** tmcpeak has joined #openstack-security
01:13 *** sdake has joined #openstack-security
01:15 *** sdake_ has joined #openstack-security
01:18 *** sdake has quit IRC
01:27 *** davidjd-gh has joined #openstack-security
01:27 *** davidjd-gh has left #openstack-security
01:31 <openstackgerrit> Merged openstack/syntribos: Added signals to results output  https://review.openstack.org/348490
01:33 <openstackgerrit> Merged openstack/syntribos: Added string presence check  https://review.openstack.org/344489
01:34 *** jamielennox|away is now known as jamielennox
01:46 *** deblike has joined #openstack-security
01:51 *** deblike has quit IRC
02:19 *** sdake_ has quit IRC
02:22 *** tmcpeak has quit IRC
02:26 <openstackgerrit> OpenStack Proposal Bot proposed openstack/anchor: Updated from global requirements  https://review.openstack.org/314347
02:32 *** jamielennox is now known as jamielennox|away
02:56 *** elo has quit IRC
02:57 *** yuanying_ has quit IRC
02:59 *** elo has joined #openstack-security
03:51 *** yuanying has joined #openstack-security
03:53 *** Nikolay_St has joined #openstack-security
04:02 *** browne has joined #openstack-security
04:10 *** browne has quit IRC
04:56 *** elo has quit IRC
05:00 *** elo has joined #openstack-security
05:19 <openstackgerrit> Rahul U Nair proposed openstack/syntribos: Adding unique_id to tests  https://review.openstack.org/345286
05:19 *** amitkqed has quit IRC
05:20 *** amitkqed has joined #openstack-security
05:27 *** Nikolay_St has quit IRC
06:37 *** tesseract- has joined #openstack-security
06:45 *** pcaruana has joined #openstack-security
07:18 *** Nikolay_St has joined #openstack-security
07:51 *** vinaypotluri has quit IRC
08:17 <openstackgerrit> Aastha Dixit proposed openstack/syntribos: List available test types in --help output  https://review.openstack.org/348465
08:30 *** tkelsey has joined #openstack-security
08:45 *** NanKe has joined #openstack-security
10:07 *** donald1 has joined #openstack-security
10:25 *** sdake has joined #openstack-security
10:47 *** donald1 has quit IRC
11:27 *** sdake has quit IRC
11:29 *** aastha has quit IRC
12:41 *** NanKe has quit IRC
12:46 *** NanKe has joined #openstack-security
12:48 *** _elmiko is now known as elmiko
12:54 *** edmondsw has joined #openstack-security
13:05 *** NanKe has quit IRC
13:16 *** nkinder has joined #openstack-security
13:22 *** cleong has joined #openstack-security
13:22 *** Vivek has quit IRC
13:42 *** catintheroof has quit IRC
13:49 *** deblike has joined #openstack-security
13:50 *** tmcpeak has joined #openstack-security
13:56 *** edmondsw has quit IRC
13:57 *** deblike has quit IRC
14:34 *** edmondsw has joined #openstack-security
14:55 *** mdong has joined #openstack-security
14:57 *** ccneill has joined #openstack-security
15:17 *** vinaypotluri has joined #openstack-security
15:17 *** aastha has joined #openstack-security
15:34 *** austin987 has quit IRC
15:39 *** sdake has joined #openstack-security
15:40 *** Nikolay_St has quit IRC
15:48 *** austin987 has joined #openstack-security
16:01 *** unrahul has joined #openstack-security
16:01 *** pcaruana has quit IRC
16:10 <openstackgerrit> Aastha Dixit proposed openstack/syntribos: Adding additional fields to debug log  https://review.openstack.org/347089
16:16 <mhayden> has anyone in here worked with CCIs and STIGs?
16:17 <tmcpeak> I heard my man mhayden is the STIG expert
16:17 <mhayden> i'm looking over the RHEL 7 draft STIG and the numbering is totally different than the RHEL 6 ones :/
16:17 <tmcpeak> that's suboptimal
16:17 <mhayden> RHEL 6 was V-XXXXX and now it's RHEL-07-#####
16:17 <tmcpeak> super unhelpful :\
16:17 <mhayden> however, they all tie back to CCIs, which are standardized from NIST 800-53
16:18 <mhayden> so part of me is wondering if i should use the CCI #'s as a key
16:18 <mhayden> and correlate the individual STIG rules to those
16:18 <tmcpeak> if those are static that seems the best choice
16:18 <mhayden> they're based on NIST 800-53, which is revised less often :P
16:21 <tmcpeak> renumbering stigs seems pointless, hopefully that was a one time change and not a usual thing
16:23 <mhayden> https://github.com/MindPointGroup/RHEL7-STIG/blob/master/tasks/fix-cat2.yml
16:23 <mhayden> it's easier when you only deal with one os in an ansible role
16:23 <mhayden> :)
16:23 <mhayden> i'll send something to the ML in the hopes that someone has been down this road before
16:30 *** tesseract- has quit IRC
16:32 *** jamielennox|away is now known as jamielennox
16:56 *** mdong has quit IRC
16:57 *** mdong has joined #openstack-security
17:02 *** austin987 has quit IRC
17:12 *** ccneill has quit IRC
17:14 *** deblike has joined #openstack-security
17:35 *** jamielennox is now known as jamielennox|away
17:37 *** tkelsey has quit IRC
17:39 *** Nikolay_St has joined #openstack-security
18:13 *** Nikolay_St has quit IRC
18:30 *** Nikolay_St has joined #openstack-security
18:33 *** tkelsey has joined #openstack-security
18:36 <openstackgerrit> Grant Murphy proposed openstack/bandit: Add check for httpoxy vulnerability  https://review.openstack.org/349015
18:38 *** tkelsey has quit IRC
18:47 *** sdake has quit IRC
19:05 *** cleong has quit IRC
19:06 *** elo has quit IRC
19:07 *** elo has joined #openstack-security
19:35 *** sdake has joined #openstack-security
19:35 *** edmondsw has quit IRC
19:45 *** ccneill has joined #openstack-security
19:55 <openstackgerrit> Charles Neill proposed openstack/syntribos: Renaming BaseTestCase/BaseFuzzTestCase methods  https://review.openstack.org/348572
19:59 *** sdake has quit IRC
20:29 <gmurphy> sigmavirus: tmcpeak: will add tests for that httpoxy test. i wonder if i should look for specific version string also?
20:29 <tmcpeak> gmurphy: lolwut
20:29 <tmcpeak> I will not
20:29 <gmurphy> lol no
20:30 <gmurphy> i just was saying i will add tests.
20:30 <tmcpeak> oh, haha
20:30 <tmcpeak> I thought you were telling sigma I was going to add them
20:30 <gmurphy> but more asking should we be concerned about a specific version of the import
20:30 <gmurphy> i imagine this will get patched eventually
20:31 <tmcpeak> what's the backstory on this issue?
20:31 <gmurphy> but tbh you probably shouldn't be using cgi
20:31 <tmcpeak> is there a link you have to something
20:31 <tmcpeak> r/netsec ?
20:31 <gmurphy> https://httpoxy.org/
20:31 <tmcpeak> oh, I thought the issue was just using cgi :P
20:31 <tmcpeak> oh god
20:31 <tmcpeak> a logo
20:32 <gmurphy> well it is because cgi. but yeah. specifically handler passing HTTP_PROXY to client cgi script etc.
20:33 <gmurphy> we just detected the import for the Go version.
20:33 <tmcpeak> I wonder if we ought to be looking at strings then
20:33 <tmcpeak> that specific environment variable would be referenced as a string, wouldn't it?
20:33 <gmurphy> no
20:33 <gmurphy> not necessarily
20:33 <gmurphy> like the cgi script might not actually reference it
20:34 <gmurphy> but say the cgi script uses requests to make a http call
20:34 <gmurphy> an attacker can inject an intermediate proxy by setting the HTTP_PROXY header to http://evil.org and intercept that request
20:34 <gmurphy> https://access.redhat.com/security/cve/cve-2016-1000110 <- or what this says
20:34 * tmcpeak reads
20:34 *** tkelsey has joined #openstack-security
20:35 <tmcpeak> how does the attacker set HTTP_PROXY?
20:36 <gmurphy> header.
20:36 <gmurphy> that is just set in os.environ by CGIHandler etc
20:36 <gmurphy> so when cgi script executes
20:36 <tmcpeak> so an attacker makes a request, and then CGI takes that header and just stores the value in an environment variable all subsequent requests use?
20:36 <gmurphy> requests.get( ) will automatically pick up the proxy environment variable and use that for the request
20:37 <gmurphy> yah
20:37 <tmcpeak> so as an attacker I make one request with that header and then all subsequent requests use my header value?
20:37 <tmcpeak> as an actual proxy
20:37 <gmurphy> yes requests by the cgi script in that specific request context
20:37 <tmcpeak> lol, oh, that's fun
20:38 <gmurphy> so if you're making backend calls etc
20:38 <gmurphy> they would be routed by attacker controlled url
20:38 <gmurphy> anyway
20:38 <gmurphy> was just a fun / easy test to implement
20:38 <gmurphy> but then i was like should we limit these import checks to specific versions
20:39 <gmurphy> like are any of the xml issues fixed in a newer version of those libraries?
20:39 <gmurphy> etc
20:39 <tmcpeak> yeah somebody just posted that very issue today I think
20:39 *** tkelsey has quit IRC
20:39 <tmcpeak> what's the status of defusedxml and all that jazz
20:39 <gmurphy> k.
20:39 <gmurphy> so how about this.
20:39 <gmurphy> i add this test for now
20:40 <tmcpeak> great!
20:40 <gmurphy> and add a fixme to review recommended versions for all blacklisted imports etc
20:40 <gmurphy> something like that
20:40 <tmcpeak> seems reasonable
21:14 *** elo has quit IRC
21:15 <aastha> hey ccneill what exactly is updating test anatomy section that's mentioned in trello documentation card.
21:16 <ccneill> https://github.com/openstack/syntribos/blob/master/doc/source/test.anatomy.rst
21:16 <ccneill> we need to change the calls so that they reflect our new command line options
21:17 <ccneill> we're also missing a section explaining that you can use variables like "{variable_name:default_value}" in URLs (e.g. "/api/v1/user/{user_id:123}/resource/{resource_id:1234}")
21:17 <ccneill> we should probably work together as a team to come up with all the deficiencies in each of those files
21:17 <ccneill> I just wanted to start adding rough action items for us to define more specifically later
21:21 <ccneill> looks like Jenkins is still feeling lazy today..
21:22 *** elo has joined #openstack-security
21:23 *** deblike has quit IRC
21:27 <openstackgerrit> Grant Murphy proposed openstack/bandit: Add check for httpoxy vulnerability  https://review.openstack.org/349015
21:27 *** elo has quit IRC
21:32 *** davidjd-gh has joined #openstack-security
21:32 *** davidjd-gh has left #openstack-security
21:32 *** elmiko is now known as _elmiko
21:38 <openstackgerrit> Rahul U Nair proposed openstack/syntribos: List available test types in --help output  https://review.openstack.org/348465
21:49 <aastha> okay. we can discuss it in our next week's design session. yep Jenkins is in friday mood today!! :D
21:54 <ccneill> lol yep yep
21:56 *** elo has joined #openstack-security
22:09 *** whitewabbit has joined #openstack-security
22:11 *** whitewabbit has quit IRC
22:31 <ccneill> going on 2 hours for a +V on the BTC/BFTC renaming CR :(
22:32 <unrahul> :) , one of those days.. I guess it would be like when we waited for the tox patch to get merged.
22:32 <ccneill> yeah, it must just have a big backlog to work through or something..
22:32 <unrahul> i thought moving to zuul , fixed lot of these issues..
22:33 <ccneill> not sure exactly what this dashboard is telling me, but it SEEMS to suggest it's getting slammed right now
22:33 <ccneill> http://status.openstack.org/zuul/
22:35 <ccneill> ah, yeah the zuul job queue at the bottom left looks like there are a bunch of backlogged jobs, but it also looks like everyone's headed home for the day and not adding new jobs lol
22:36 <ccneill> well, on that note, I think I'm gonna call it a day myself. y'all have a good weekend!
22:36 <unrahul> :D. at least that is a positive sign, that it won't break.
22:37 <unrahul> cool, good weekend ccneill
22:37 *** tkelsey has joined #openstack-security
22:37 *** ccneill has left #openstack-security
22:37 *** ccneill has quit IRC
22:38 *** dave-mccowan has quit IRC
22:42 *** tkelsey has quit IRC
22:55 *** davidjd-gh has joined #openstack-security
22:56 *** davidjd-gh has left #openstack-security
23:22 *** Nikolay_St has quit IRC
23:30 *** mdong has quit IRC
23:37 *** davidjd-gh has joined #openstack-security
23:37 *** davidjd-gh has left #openstack-security
23:38 <openstackgerrit> Merged openstack/syntribos: Renaming BaseTestCase/BaseFuzzTestCase methods  https://review.openstack.org/348572

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!