Friday, 2016-12-02

*** bpokorny has quit IRC00:01
*** bpokorny has joined #openstack-security00:02
*** hongbin has quit IRC00:02
*** bpokorny has quit IRC00:07
*** ayoung has quit IRC00:07
*** lamt has quit IRC00:14
*** jamielennox is now known as jamielennox|away00:17
*** jamielennox|away is now known as jamielennox00:23
*** ayoung has joined #openstack-security00:28
*** diazjf has joined #openstack-security00:33
*** bpokorny has joined #openstack-security00:38
*** bpokorny has quit IRC00:42
*** bpokorny has joined #openstack-security00:42
*** ccneill has quit IRC00:43
*** bpokorny has quit IRC00:45
*** bpokorny has joined #openstack-security00:45
*** jamielennox is now known as jamielennox|away00:46
*** jamielennox|away is now known as jamielennox00:53
*** ccneill has joined #openstack-security01:01
*** dave-mccowan has joined #openstack-security01:24
*** ccneill has quit IRC01:25
*** bpokorny_ has joined #openstack-security01:33
*** bpokorny has quit IRC01:37
*** bpokorny_ has quit IRC01:38
*** browne has quit IRC01:50
*** diazjf has quit IRC02:02
*** knangia has quit IRC02:04
*** dave-mccowan has quit IRC02:20
*** dave-mccowan has joined #openstack-security02:29
*** yuanying_ has quit IRC02:48
*** yuanying has joined #openstack-security02:52
*** jamielennox is now known as jamielennox|away03:11
*** diazjf has joined #openstack-security03:12
*** diazjf has quit IRC03:16
*** browne has joined #openstack-security03:17
*** browne has quit IRC03:18
*** jamielennox|away is now known as jamielennox03:20
*** browne has joined #openstack-security03:22
*** dave-mccowan has quit IRC03:28
*** jamielennox is now known as jamielennox|away03:30
*** jamielennox|away is now known as jamielennox03:37
*** yuanying has quit IRC03:44
*** browne has quit IRC03:47
*** openstackgerrit has joined #openstack-security05:03
openstackgerritOpenStack Proposal Bot proposed openstack/anchor: Updated from global requirements
*** diazjf has joined #openstack-security05:14
*** gouthamr has joined #openstack-security05:43
*** gouthamr has quit IRC06:05
*** diazjf has quit IRC06:20
*** gouthamr has joined #openstack-security06:23
*** openstackgerrit has quit IRC06:33
*** jamielennox is now known as jamielennox|away07:18
*** edaught has quit IRC07:32
*** rcernin has joined #openstack-security07:40
*** jamielennox|away is now known as jamielennox07:44
*** Serlex has joined #openstack-security08:31
*** Serlex has quit IRC09:25
*** tkelsey has joined #openstack-security09:36
*** shohel has joined #openstack-security09:42
*** tkelsey has quit IRC09:48
*** rcernin has quit IRC09:49
*** rcernin has joined #openstack-security09:50
*** jerlique has joined #openstack-security10:04
*** tesseract has joined #openstack-security10:27
*** tesseract is now known as Guest7998610:27
*** Serlex has joined #openstack-security10:33
*** openstackgerrit has joined #openstack-security11:32
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals
*** rcernin has quit IRC12:12
*** rcernin has joined #openstack-security12:15
openstackgerritMerged openstack/security-doc: Updated from openstack-manuals
*** shohel has quit IRC12:49
*** liverpooler has joined #openstack-security13:03
*** rcernin has quit IRC13:06
*** rcernin has joined #openstack-security13:08
*** lamt has joined #openstack-security13:17
*** shohel has joined #openstack-security13:20
*** dave-mccowan has joined #openstack-security13:20
*** dave-mcc_ has joined #openstack-security13:32
*** _elmiko is now known as elmiko13:33
*** dave-mccowan has quit IRC13:35
*** liverpooler has quit IRC14:19
*** rcernin has quit IRC14:33
*** liverpooler has joined #openstack-security14:38
*** rcernin has joined #openstack-security14:41
*** jamielennox is now known as jamielennox|away14:45
*** gouthamr_ has joined #openstack-security14:48
*** edmondsw_ has joined #openstack-security14:49
*** gouthamr has quit IRC14:49
*** edmondsw_ has quit IRC14:50
*** rcernin has quit IRC14:55
*** rcernin has joined #openstack-security14:58
*** dave-mcc_ has quit IRC14:58
*** dave-mccowan has joined #openstack-security15:11
*** edmondsw has joined #openstack-security15:18
*** shohel has quit IRC15:19
*** cleong has joined #openstack-security15:22
*** i13487492 has joined #openstack-security15:29
*** i13487492 has left #openstack-security15:30
*** openstackgerrit has quit IRC15:33
*** xin9972 has joined #openstack-security15:35
*** hongbin has joined #openstack-security15:39
*** tkelsey has joined #openstack-security15:43
*** mvaldes has joined #openstack-security15:44
*** edmondsw has quit IRC15:49
*** Guest79986 has quit IRC15:54
*** ccneill has joined #openstack-security16:04
*** rcernin has quit IRC16:05
*** jmckind has joined #openstack-security16:26
*** nkinder has quit IRC16:34
*** bpokorny has joined #openstack-security16:35
*** Serlex has quit IRC16:36
*** ccneill has quit IRC16:36
*** gouthamr_ has quit IRC16:37
*** gouthamr has joined #openstack-security16:37
*** ccneill has joined #openstack-security16:38
*** gouthamr has quit IRC16:41
*** gouthamr has joined #openstack-security16:41
*** diazjf has joined #openstack-security16:42
*** diazjf has quit IRC16:43
*** diazjf has joined #openstack-security16:44
*** rcernin has joined #openstack-security16:45
*** nkinder has joined #openstack-security16:47
*** tkelsey has quit IRC17:06
*** mdong has joined #openstack-security17:06
*** bpokorny has quit IRC17:12
*** bpokorny has joined #openstack-security17:13
*** bpokorny has quit IRC17:17
*** bpokorny has joined #openstack-security17:22
*** openstackgerrit has joined #openstack-security17:27
*** edaught has joined #openstack-security17:28
*** xin99721 has joined #openstack-security17:31
*** xin9972 has quit IRC17:31
*** xin99721 has quit IRC17:33
*** xin9972 has joined #openstack-security17:34
*** gouthamr has quit IRC17:44
*** gouthamr has joined #openstack-security17:44
*** rcernin has quit IRC17:45
*** rcernin has joined #openstack-security17:46
*** diazjf has quit IRC18:13
*** gouthamr_ has joined #openstack-security18:16
*** gouthamr has quit IRC18:17
*** knangia has joined #openstack-security18:19
*** JAHoagie has joined #openstack-security18:19
*** JAHoagie has quit IRC18:19
*** liverpooler is now known as the_dark_lord_mo18:52
*** the_dark_lord_mo is now known as liverpooler18:52
*** diazjf has joined #openstack-security19:16
*** mvaldes has quit IRC19:31
*** mvaldes has joined #openstack-security19:31
*** serverascode has quit IRC19:34
*** jraim has quit IRC19:34
*** johnsom has quit IRC19:34
*** mvaldes1 has joined #openstack-security19:36
*** mvaldes has quit IRC19:37
*** edtubill has joined #openstack-security19:37
openstackgerritRahul U Nair proposed openstack/syntribos: Removing download count shield
*** diazjf has quit IRC19:39
*** bpokorny has quit IRC19:42
*** bpokorny has joined #openstack-security19:42
*** gouthamr_ has quit IRC19:42
*** jraim has joined #openstack-security19:43
*** gouthamr has joined #openstack-security19:44
*** diazjf has joined #openstack-security19:46
*** bpokorny has quit IRC19:46
*** serverascode has joined #openstack-security19:50
*** cleong has quit IRC19:54
*** cleong has joined #openstack-security19:54
openstackgerritRahul U Nair proposed openstack/security-doc: Removing an extra space after fullstop
*** johnsom has joined #openstack-security20:19
*** diazjf has quit IRC20:30
dotplusI'm having a bit of trouble getting syntribos configured. I'm using a config file: that seems pretty minimal and is based right off the doc. If I do `syntribos --config-file venv/.syntribos/identity.conf list_tests`, it lists all the tests happily. but if I run try to run/dry_run, syntribos complains "was not initialized".20:30
dotplushave I missed something?20:30
*** diazjf has joined #openstack-security20:32
*** knangia has quit IRC20:34
mdongI can help with that! Syntribos requires that you initialize it before running, which can be done by just running “syntribos init” from the command line before running20:34
mdongsee for the documentation on this part20:34
dotplusyes, I know that. init is to create the structure, & download payloads/templates. But I'm in an isolated CI environment, so that's not possible. syntribos allows you to set it all up manually, which is what I have done.20:36
unrahulDid you download syntribos from pypi or from github ?20:38
dotpluspypi. 0.3.020:38
dotplusam I hitting a known and/or fixed problem? that means I need head of master?20:38
unrahulso are you running syntribos from the .syntribos dir inside ur virtualenv or from you home dir  ?20:39
dotplusinside the venv20:39
mdongwhen you initialized Syntribos, did you supply a custom install root?20:39
mdongor did you follow the default prompts20:40
dotplusI *didn't* init, because I need to lay down specific config.20:40
*** bpokorny has joined #openstack-security20:43
*** mvaldes1 has quit IRC20:43
dotplusI have replicated what init would have done.20:43
mdongGotcha. Supply the directories you created with the —custom_install_root flag20:44
mdongand that should be enough20:44
mdongor actually, to run it, it would be the --syntribos-custom_root flag20:44
mdongor add “custom_root=<whatever>” to your config file in the [syntribos] section20:46
dotplusbut what is the custom root in my example venv/.syntribos?20:46
unrahulso I created a virtulenv, install syntribos, created a `.syntribos` dir, syntribos.conf file, templates, payloads dirs etc inside the virtenv and was able to run syntribos20:46
*** bpokorny has quit IRC20:47
mdongyep! the path to your .syntribos folder should do it20:47
unrahulit would be the path of your venv dir20:47
*** mvaldes has joined #openstack-security20:48
dotplusunrahul: in your example, the syntribos.conf file, templates, payloads dirs etc should be inside venv/.syntribos/ ?20:51
dotplusok, I'll go verify. thanks20:51
unrahulsure, let us know if you have any trouble20:51
dotplusum. does it have to be called 'syntribos.conf'? I going to be testing various endpoints, so I have identoty.conf, network.conf, compute.conf, etc.21:13
*** gouthamr has quit IRC21:14
unrahulyou could call the file anything21:14
unrahulprovided you explicit call the config file21:14
unrahulsyntribos --config-file file_name {command}21:14
dotplusI had a quick glance through utils/ and it looks like  the is_syntribos_initialized() method is looking for FILE21:15
dotplusyeah, that's what I had originally21:15
unrahulalso, as long as you have explicitly provided the file paths to all dirs (templates, payloads, logs etc) it should be fine where ever the locations are21:15
unrahulwhich env are you using? Ubuntu ?21:15
dotpluswhat looks suspicious to me is that list_tests can succeed, but [dry_]run cannot.21:17
unrahulmm...  let me see if I can recreate the env in my local21:17
dotplusI'm wondering whether the initialization test is bogus/broken21:18
unrahulmdong:  any thoughts ?21:18
unrahuldotplus:  it works well on mac/debain based machines and a few other that we had tested..21:18
mdonglist_tests doesn’t call is_syntribos_initialized(), so that would be why list_tests works and run doesn't21:18
mdongbut Syntribos expects to find a folder where it wants to install them, if you want to point Syntribos somewhere else, you’d need to supply that to the —syntribos-custom_root flag21:19
dotplusright. is the only way for the init check to return True. but I'm not using a filename that is the same as get_default_conf_file21:20
unrahulso it seems the file has to be named syntribos.conf , I missed that part21:24
dotplusShould that line 281  be 'if os.path.exists(thecli_specified_conf_file):'?21:24
mdongas a sanity check, if you just create an empty file called “syntribos.conf”, it should work21:26
unrahulI guess you could do a simlink for now to the config file, depending upon which conf you want to use.. ¯\_(ツ)_/¯21:26
mdongto satisfy the initialization check, but otherwise you should be able to reference whatever config file you want on the command line21:26
mdongit looks like the initialization check is just checking for the existence of the file in the syntribos root directory21:26
unrahulyup meanwhile we will fix this and push an update21:27
dotplusbut yes, that works21:27
dotplusI can submit a patch to gerrit if you want21:28
dotplusbtw, thanks for your assistance, both of you. nice to get verification I'm not crazy21:39
*** edtubill has quit IRC21:39
dotpluspresumably somewhere in the data available to is a var that contains the value of --config-file?21:40
unrahul:) , we welcome it, If you can submit the patch, we shall verify it and merge it21:41
*** diazjf has quit IRC21:41
unrahulthe config-file is stored in the CONF object, we are using oslo_config to manage our configuration values21:41
*** jmckind has quit IRC21:42
mdongthanks for using syntribos! it’s obviously a work-in-progress so any bugs that are brought to our attention are much appreciated!21:42
dotplusok, I'll dig and pick it out of there.21:42
mdongand the value you’re looking for is CONF.config_file21:42
dotplusthis might take me a bit, because it will be my first OS patch. And while my broader team is working on OS heavily, I'm focussed on our tooling/infra.21:43
*** bpokorny has joined #openstack-security21:43
unrahulnice, just curious what are using syntribos for ? internal testing of openstack?21:44
mdongbut we also allow for a —config-dir option, so the line should probably read “if os.path.exists(get_default_conf_file()) or CONF.config_file or CONF.config-dir”21:44
dotplusunrahul: I work for Cisco Metacloud.21:45
dotplusso "sort of internal"21:45
unrahulcool, let us know  what you think, every feedback at this stage would help21:46
mdong+1 ^21:46
dotplusI'm just building/improving CI infra at the moment, so I'm not the person who will actually *use* syntribos or even look at the reports/results. I'm just getting ready for those who will wants jobs automated.21:48
*** bpokorny has quit IRC21:48
dotplusbut, absolutely, in time, I'm sure some of our infosec folk will want to get deeper involved21:49
mdongOh, that21:49
unrahulcool.. making syntribos CI friendly is one of our short term goals, so let us know if you see any specific things that you would like to see in syntribos .. we could start a discussion21:49
mdongthat’s awesome*! using syntribos as part of CICD is one of our goals so it’s great to hear!21:49
*** diazjf has joined #openstack-security21:55
dotplusso apart from this bug the first feedback I have is that I'd like to see the templates and payloads come from the same place as the software - they are an integral part. I know you're trying to make syntribos non-openstack-specific and that's great. But I think "community-sourced" payloads/templates for openstack projects (and for anything else anyone wants to create) could still come from
unrahulyup.. this is a temporary measure, we are moving to official templates and payloads repos for openstack in a few days21:57
dotplusah ok.21:58
unrahulit would be under
unrahulthis would allow us to easily package the tool and keep the `non-code` part of the tool on separate repos21:59
unrahulit would be under
dotplusthat makes more sense, I assumed it was a typo:)21:59
unrahul+1 :)22:00
dotplussince syntribos doesn't actually know anything about the endpoint except what the payload/templates "teach" it, I need to ensure that I point syntribos at say, nova specific payloads/templates when I'm testing nova? or does it somehow work out how to ignore data for cinder/glance/whatever when testing nove?22:01
mdongthe former, nothing in syntribos stops you from pointing glance payloads at nova endpoints22:03
*** bpokorny has joined #openstack-security22:04
*** bpokorny has quit IRC22:04
dotplusput more succintly: do I need to set templates=openstack-templates-master/templates/nova or just to openstack-templates-master/templates/ ?22:04
*** bpokorny has joined #openstack-security22:04
dotplusI haven't even looked at payloads/templates and don't really know what the distinction it. I mean, I get that they are "data required to attack API endpoints", but that's about it22:05
*** bpokorny has quit IRC22:09
mdongif you’re just testing nova, it would be templates=openstack-templates-master/templates/nova22:10
dotplusgot it. I was planning on having a separate config-file for each endpoint and running separate scans as individual Jenkins jobs22:11
mdongtemplate are basically HTTP requests for an API endpoint, the payload is what syntribos injects into the the request22:11
*** bpokorny has joined #openstack-security22:16
*** cleong has quit IRC22:18
*** jamielennox|away is now known as jamielennox22:22
*** edtubill has joined #openstack-security22:23
*** mvaldes has quit IRC22:36
*** elmiko is now known as _elmiko22:37
*** bpokorny has quit IRC22:41
*** bpokorny has joined #openstack-security22:42
*** bpokorny has quit IRC22:47
*** edtubill has quit IRC22:47
*** dave-mccowan has quit IRC22:55
*** xin9972 has quit IRC23:04
*** dave-mccowan has joined #openstack-security23:16
*** lamt has quit IRC23:23
*** hongbin has quit IRC23:26
*** diazjf has quit IRC23:29
ccneillsome light reading for a Friday: dozens of appsec security resources :)
*** bpokorny has joined #openstack-security23:41
*** ccneill has quit IRC23:51
*** ccneill has joined #openstack-security23:52
*** ccneill has quit IRC23:57

Generated by 2.14.0 by Marius Gedminas - find it at!