18:00:01 <bdpayne> #startmeeting OpenStack Security Group
18:00:02 <openstack> Meeting started Thu Jan 31 18:00:01 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:05 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:28 <bdpayne> #info Welcome security group!
18:00:57 <bdpayne> In our meeting last week, we were a bit rushed at the end, so I wanted to pick up there and see if there was any discussion
18:01:21 <bdpayne> But first, one quick housekeeping item
18:01:30 <bdpayne> #topic LXC Security Note
18:01:48 <bdpayne> #link https://bugs.launchpad.net/osn/+bug/1098582
18:01:50 <uvirtbot> Launchpad bug 1098582 in osn "Note: Security impact of Libvirt/LXC usage" [High,Confirmed]
18:02:36 <bdpayne> #info This security note is about ready to go, looking for final comments and then we'll release it.
18:02:47 <bdpayne> Any comments / discussion on the note?
18:04:24 <bdpayne> Hrm, before I continue… do we have people attending the security meeting?
18:04:44 <mtesauro> You're talking about the note here https://bugs.launchpad.net/osn/+bug/1098582 right?
18:04:45 <uvirtbot> Launchpad bug 1098582 in osn "Note: Security impact of Libvirt/LXC usage" [High,Confirmed]
18:04:55 <Chris___> Yes, i am here for security meeting
18:04:55 <bdpayne> hi, yes, that's the one
18:05:12 <bdpayne> great, glad to see some folks here
18:05:14 <lauraglendenning> I'm here as well
18:05:24 <mtesauro> The final version (2013-01-23) looks fine to me
18:05:33 <bdpayne> ok, thanks
18:05:52 <mtesauro> Is that some sort of markdown/asciidoc-ish markup or just nice text formatting on the ###'s
18:06:07 <bdpayne> #info If anyone has further feedback on the note, please get it in by the end of the day today
18:06:38 <bdpayne> I think that's markdown
18:07:01 <bdpayne> #topic Storage Encryption
18:07:14 <mtesauro> Cool. We should probably note that somewhere in case someone wants to consume and format the notes externally
18:07:15 <bdpayne> ok, let's pick up where we left off last week
18:07:30 <bdpayne> sure, makes sense mtesauro
18:08:03 <bdpayne> #info There are two open proposals for different kinds of storage encryption right now
18:08:23 <bdpayne> #info object encryption (swift) by Intel
18:08:26 <bdpayne> #link https://blueprints.launchpad.net/swift/+spec/encrypted-objects
18:08:36 <bdpayne> #info volume encryption (cinder) by APL
18:08:46 <bdpayne> #link https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes
18:09:00 <bdpayne> has anyone reviewed these? any discussion, thoughts, comments, etc?
18:09:27 <Chris___> i have not reviewed. still trying to get my bearings in this community. :)
18:09:50 <mtesauro> I haven't gotten to that yet but it's on my short list. Should have comments by next meeting
18:09:54 <bdpayne> np, I actually have some thoughts on where people can participate and help out
18:10:16 <bdpayne> ok, sounds good… I think that storage encryption is useful and a nice addition to openstack
18:10:31 <bdpayne> I've certainly heard from lots of users that it is desired
18:10:42 <Chris___> agree. i think it will really help build confidence in user community
18:10:49 <bdpayne> I wonder if there's utility in trying to get some symmetry between these two proposals
18:10:50 <Chris___> if done well, that is
18:10:59 <rellerreller> Both of them involve key managers, so that should be discussed at some point
18:10:59 <bdpayne> or if it is better to wait and do that later
18:11:24 <bdpayne> indeed
18:11:48 <bdpayne> #action Let's all try to review these and think about how they will fit together over the next week
18:12:12 <bdpayne> any other thoughts on storage encryption?
18:12:34 <Chris___> do we have a security policy in mind which describes threats we are, and are not, trying to address with encryption?
18:12:45 <bdpayne> good question
18:12:49 <bdpayne> the short answer is no
18:13:07 <bdpayne> but I did provide some comments on the APL proposal this morning, asking questions about just that
18:13:22 <bdpayne> this is another area where I think it would be useful to get some alignment between the proposals
18:13:31 <bdpayne> and, really, for openstack at large
18:13:31 <rellerreller> We received the feedback. Thank you.
18:13:55 <Chris___> yes, in my experience, security policy should be precursor to any evaluation discussion
18:14:37 <mtesauro> it is nice to know the problem that we're trying to solve with encryption
18:14:43 <bdpayne> coming up with a general security policy for all of openstack would be a huge project
18:14:56 <Chris___> don't have to boil the ocean
18:15:03 <Chris___> just deal with encryption for now.
18:15:03 <bdpayne> but, I do agree that some more crisp understanding of the threats being addressed is good
18:15:11 <bdpayne> yeah, agreed
18:15:39 <Chris___> maybe a good topic for upcoming summit?
18:15:45 <bdpayne> #action Let's refine the security models for the storage encryption schemes
18:15:52 <bdpayne> sure
18:16:09 <bdpayne> I always like to see more security discussion at the summit
18:16:11 <bdpayne> :-)
18:16:54 <bdpayne> #topic Open Discussion
18:17:05 <Chris___> in the meantime, i will try to review the proposals
18:17:21 <rellerreller> Any feedback would be much appreciated
18:17:27 <bdpayne> #info so I wanted to open up the discussion a bit to see what other security related things are on people's minds and where the group can help
18:18:28 <bdpayne> there is one that has caught my attention
18:18:41 <bdpayne> #info python code in rootwrap
18:18:44 <bdpayne> #link https://blueprints.launchpad.net/oslo/+spec/nova-rootwrap-python-exec
18:19:31 <bdpayne> based on what I saw at the last summit, I think that there's probably a lot of security work going on within openstack
18:19:46 <bdpayne> and probably a lot going on in silos
18:20:19 <Chris___> ... probably at differing levels of competency.
18:20:32 <bdpayne> well, sure… hopefully that's where we can help
18:20:46 <bdpayne> where has everyone been involved to date?
18:21:42 <Chris___> i am still very new to group and am still in (rapid) learning mode
18:21:58 <bdpayne> np
18:22:09 <bdpayne> this is something worth thinking about for everyone
18:22:31 <noslzzp> Is there a project that addresses overall security status from instrumentation and/or integrity point of view?
18:22:44 <noslzzp> (also new to the group, btw)
18:22:59 <bdpayne> not sure what you are getting at with that question
18:23:20 <bdpayne> but, in terms of openstack, we are the only active security effort that I'm aware of … and we're just getting started ;-)
18:23:40 <bdpayne> there is the vulnerability management team, but they are more reactive
18:23:47 <bdpayne> (a good thing, but complementary)
18:23:51 <noslzzp> Example: given a particular compute node, is there any fingerprinting of the configuration state?
18:24:00 <mtesauro> I've been testing the OpenStack implementation at Rack - mostly dynamic testing of APIs as well as code reviews, etc.
18:24:13 <mtesauro> Some infrastructure work as well but mostly in the AppSec space.
18:24:20 <bdpayne> ok, great
18:24:35 <bdpayne> that's certainly a big piece of what I think is needed
18:24:43 <bdpayne> fuzzing, code review, blueprint review, etc
18:24:46 <noslzzp> i agree.
18:24:57 <bdpayne> #topic Next Steps
18:25:19 <bdpayne> #info So, I wanted to call out a few specific places where I think people can help today
18:25:40 <bdpayne> 1) we need help putting together the hardening guide
18:25:55 <bdpayne> #link https://github.com/hyakuhei/OSSG_Hardening_Guide
18:26:20 <bdpayne> First steps there are reviewing the outline.txt file and then helping to write sections
18:26:34 <bdpayne> Anyone that is interested, please drop me a line and I'll get you engaged
18:26:47 <bdpayne> 2) I'd like to see about pairing OSSG members with the core projects
18:27:15 <rellerreller> Is there a timeline when things are planned to be done for the hardening guide?
18:27:25 <rellerreller> When do you want feedback by?
18:27:26 <bdpayne> This way we can more easily track where the security problems are, and bring information back to the group about when code reviews are needed, etc
18:27:45 <bdpayne> I'd like to get the hardening guide in some alpha form by the summit
18:28:01 <bdpayne> And it will surely continue to grow from there
18:28:19 <rellerreller> ok
18:28:41 <bdpayne> So, if you are already engaged in a core project, then perhaps you could be the OSSG rep
18:28:49 <bdpayne> just a liaison between the projects
18:29:08 <bdpayne> if you aren't, but are interested, then perhaps start getting engaged and see if it's a good fit
18:29:31 <bdpayne> #topic Final Words
18:29:39 <bdpayne> anything else?
18:29:51 <noslzzp> Has anyone looked at what the DISA STIGs provide? We can probably embrace and extend quite a bit from there.
18:30:20 <bdpayne> I have not, but perhaps you can send some pointers?
18:30:31 <Chris___> nor i.
18:30:36 <noslzzp> #link www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf (RHEL)
18:31:03 <bdpayne> ok, we can continue discussion via email, on the dev channel
18:31:05 <bdpayne> thanks guys
18:31:12 <Chris___> one question.
18:31:12 <bdpayne> #endmeeting