18:00:52 <hyakuhei> #startmeeting openstack security group
18:00:53 <openstack> Meeting started Thu May 29 18:00:52 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:55 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:57 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:58 <bknudson> hi
18:01:03 <nkinder> hi all
18:01:05 <chair6> howdy
18:01:06 <hyakuhei> Hi all, roll call :)
18:01:10 <bdpayne> o/
18:01:11 <paulmo> Paul Montgomery
18:01:14 <tmcpeak> hey everybody, Travis McPeak from Symantec here
18:01:16 * hyakuhei Rob from HP
18:02:04 <hyakuhei> Ok, so I only have one agenda item for today, I presume others have things they want to talk about?
18:02:13 <mxin> hi, My name is Michael Xin from Rackspace.
18:02:15 <paulmo> I had one item
18:02:24 <paulmo> Yay, welcome mxin! :)
18:02:25 <hyakuhei> Hi mxin, thanks for joining us!
18:02:30 <mxin> Thanks.
18:02:33 <hyakuhei> paulmo: great, what was it?
18:02:37 <mxin> Glad to help.
18:02:46 <nkinder> hey mxin!
18:03:00 <hyakuhei> Hey bdpayne, glad to have you back!
18:03:06 <paulmo> I was starting back on trying to create some OpenStack-wide logging recommendations… starting to edit this to update it: https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines
18:03:06 <bdpayne> thanks!
18:03:22 <paulmo> Just had some questions on how we might gain that consensus as a team
18:03:22 <tmcpeak> let's discuss OSSG meetup in San Antonio if time permits
18:03:35 <hyakuhei> tmcpeak: that's the main thing I want to discuss
18:03:39 <mxin> That's cool
18:03:42 <tmcpeak> oh cool, perfect :)
18:03:42 <bknudson> paulmo: add auth tokens to things not to log
18:03:50 <bdpayne> rather, OSSG Meeting ... whereever / whenever it may be
18:03:57 <hyakuhei> indeed.
18:04:00 <bdpayne> s/Meeting/Meetup/
18:04:04 <hyakuhei> Right ok, let's talk about logging first
18:04:08 <hyakuhei> #topic logging
18:04:08 <paulmo> I'm changing that whole page… making diagrams and such.  Check back in a day or so. :)
18:04:24 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines
18:04:36 <hyakuhei> paulmo: do you just want comments, do you need contributions?
18:04:50 <paulmo> This topic keeps popping up with plain text credentials in logs and such.  I just wanted to get a feel from the OSSG about tackling some OpenStack-wide standards.
18:05:15 <bknudson> paulmo: is it expected that no logs have passwords, etc., at all levels?
18:05:18 <hyakuhei> It's slowly getting weeded out, we keep seeing it in OSSAs. Agree that some guidance needs to be provided
18:05:18 <bknudson> even a trace level?
18:05:19 <mxin> That's good start
18:05:30 <paulmo> The elevator pitch is: Let's encourage identifying/tagging confidential (non-user data) in the code/through reviews instead of admins trying to chase down that information reactively on the backend log filtering.
18:05:38 <mxin> Passwords should never be logged anywhere.
18:05:51 <hyakuhei> bknudson: That is my preference but I've seen developers ask for it to stay in debug logs
18:05:58 <nkinder> I've seen password logging bugs get punted on for client side debug logging
18:05:59 <paulmo> … and let's create OSSG agreed upon guidelines.  Just my 2 cents. :)
18:06:10 <bdpayne> yeah, that's a reasonable first step
18:06:14 <tmcpeak> what's the idea behind having them stay in logs?
18:06:15 <hyakuhei> I think our position should just be don't log passwords mkay?
18:06:22 <bdpayne> although we may want to work with VMT after we have put together guidelines
18:06:26 <hyakuhei> tmcpeak: Developers thinking they need it for debug
18:06:37 <mxin> it can be masked like xxxx
18:06:38 <hyakuhei> bdpayne: No harm in getting the VMT's $0.002
18:06:39 <tmcpeak> hmmm
18:06:40 <bdpayne> to make sure that they agree... and can help enforce via their bug triage
18:07:02 <paulmo> This might be controversial but I do not think log level should have anything to do with relaxing security (logging passwords and such).
18:07:03 <hyakuhei> So they already have a pretty good precedent for this
18:07:08 <bknudson> keystone has an "insecure" setting, if you have debug=True in the config
18:07:12 <hyakuhei> paulmo: +1
18:07:37 <hyakuhei> AuthN failures are pretty obvious, I can't imagine why you'd need to log the detail.
18:07:38 <tmcpeak> paulmo: +1
18:07:49 <paulmo> bknudson: That at least gives the operator a very definite understanding of what is happening when that config value is set.
18:07:56 <hyakuhei> Ok great. paulmo can you follow up on the ML?
18:07:58 <nkinder> in addition to logging, we need to worry about audit events (CADF)
18:08:00 <bknudson> where keystone server will return more info to a client... so was wondering if an insecure setting could log passwords, too
18:08:00 <bdpayne> bknudson that sounds scary... what else does this insecure setting do?
18:08:13 <paulmo> hyakuhei: Yes, I'm going to get this wiki into shape and then I'll send this out to the ML. :)
18:08:19 <bknudson> bdpayne: it is scary
18:08:24 <mxin> what's ML?
18:08:27 <nkinder> mailing list
18:08:28 <paulmo> Mailing List
18:08:32 <mxin> thanks.
18:08:57 <bdpayne> paulmo sounds good, thanks for working on that
18:09:12 <mxin> I registered the ML, but I never got any email from it.
18:09:18 <hyakuhei> paulmo: Great work :)
18:09:21 <paulmo> No problem; then we can decide the best way to approach the rest of OpenStack once we agree to the general architecture/recommendations.
18:09:32 <mxin> yes. Great job. Paul!
18:09:32 <hyakuhei> mxin: It's fairly low volume at the moment
18:09:37 <mxin> ic
18:09:39 <mxin> Thanks.
18:10:00 <hyakuhei> Ok, great stuff paulmo, happy for us to move on?
18:10:27 <paulmo> Sure; thanks for the floor!
18:10:32 <hyakuhei> :)
18:10:43 <hyakuhei> #topic OSSG Mid-Cycle Meetup
18:11:13 <hyakuhei> So, I think it would be great to have a mid-cycle meetup
18:11:34 <hyakuhei> for doing those things that are just too hard to do remotely or where tasks benefit from short periods of intense collaboration
18:11:42 <hyakuhei> The book sprint being a great example of this
18:11:46 <tmcpeak> hyakuhei: +1
18:12:02 <hyakuhei> I spread this around at the summit and the feedback was good.
18:12:08 <mxin> hyakuhei: +1
18:12:18 <hyakuhei> I spoke to Barbican about us meeting at the same time as those guys seeing as we have so much overlap
18:12:37 <hyakuhei> The result is that we've been invited to join the Barbican team when they do their joint meetup with Keystone
18:12:51 <hyakuhei> However, I can't make it, neither can Nkinder and some other folks.
18:13:08 <hyakuhei> So I'm inclined to host an OSSG mid-cycle separately from the Barbican meetup
18:13:15 <mxin> sounds good
18:13:20 <bdpayne> I hear CA is nice in the summer :-)
18:13:23 <hyakuhei> and those who want to attend the Barbican/Keystone stuff should be able to do so as individuals
18:13:29 <hyakuhei> bdpayne: So is Seattle!
18:13:31 <nkinder> hyakuhei: I can switch my vacation and make it if it has to happen with Barbican/Keystone
18:13:45 <hyakuhei> No, let's do our own thing
18:13:48 <nkinder> ok
18:14:01 <hyakuhei> It's Barbican's first mid-cycle and our first one too
18:14:18 <hyakuhei> Let's look maybe to bring them together next time
18:14:23 <bdpayne> yeah
18:14:30 <nkinder> Barbican did a meetup in feb with Keystone
18:14:52 <hyakuhei> Cool, so I like the idea of us overlapping
18:14:56 <bdpayne> should we aim for sometime in July?
18:15:02 <hyakuhei> but I'd like us in full strength for our first meetup
18:15:10 <hyakuhei> Late July/Early August could work well
18:15:26 <bdpayne> early Aug will conflict with DefCon / Blackhat
18:15:31 <bdpayne> which may be an issue with this group
18:15:37 <bdpayne> also Usenix Security
18:15:42 <hyakuhei> I think we might be a bit grown-up for BH :P
18:15:53 <hyakuhei> Yeah, so let's look at late July then
18:16:16 <hyakuhei> I can arrange a location for hosting
18:16:29 <tmcpeak> what are you all thinking timewise? an evening, a couple of days, a week?
18:16:33 <hyakuhei> However if some org that isn't mine wants to propose something I'd be happy with that too
18:16:39 <hyakuhei> tmcpeak: closer to a week
18:16:44 <tmcpeak> awesome
18:16:50 <hyakuhei> Maybe a 4 day thing so travel isn't too disruptive
18:16:59 <mxin> it depends on what we want to achieve
18:17:01 <bdpayne> +1 for 4 day
18:17:07 <tmcpeak> 4 day sounds good
18:17:11 <nkinder> yeah, I was thinking 3-4 days too
18:17:22 <mxin> 3 or 4 days
18:17:44 <hyakuhei> ok so we can work through the agenda to get a good feel for whether it should be 3 or 4 days.
18:17:55 <hyakuhei> I know there's lots to be done on the security guide
18:18:11 <hyakuhei> I think a sprint on the guidelines that paulmo wrote would be useful
18:18:34 <hyakuhei> I think we need to revisit the TA stuff, agree process and get more people involved there too, if we can work out how to do that
18:18:54 <hyakuhei> I will invite architects from other orgs to come and speak with us, describe their approaches and share their insight
18:19:00 <bdpayne> TA?
18:19:04 <hyakuhei> Threat Analysis
18:19:07 <bdpayne> gotcha
18:19:21 <mxin> like threat model
18:19:25 <hyakuhei> My hope is that we can get everyone working together, through the OSSG to do threat modelling/analysis for OpenStack
18:19:29 <hyakuhei> mxin: Ya :D
18:19:37 <CristianF> +1 to include TA
18:19:52 <mxin> cool
18:20:00 <hyakuhei> There's probably a bunch of smaller more tactical things we can do
18:20:00 <bdpayne> this may also be a good time to spin up 1-2 new efforts
18:20:04 <bdpayne> like security testing
18:20:05 <bdpayne> or ??
18:20:15 <mxin> We need someone who knows the products very well to have a good threat model done.
18:20:15 <nkinder> testing is a big one...
18:20:19 <bdpayne> if the right people show up and focus on it, the time can help launch something new
18:20:19 <tmcpeak> yeah, I've been thinking about some security tests
18:20:26 <tmcpeak> low hanging fruit could be a good place to start
18:20:30 <CristianF> probably a hackathon? :)
18:20:36 <tmcpeak> should that go in Tempest or elsewhere?
18:20:39 <hyakuhei> Absolutely so we've got a bunch of projects laid out that just need effort
18:20:49 <nkinder> as Kurt S. said in his e-mail yesterday, guidelines and recommendations only go so far.
18:20:50 <bdpayne> I'm thinking that a big portion of this will be hackathon (or write-a-thon)
18:20:53 <hyakuhei> nkinder: wanted to do a TLS hackathon to fix all the broken implementations
18:20:54 <mxin> We are working on security testing of API
18:21:06 <paulmo> nkinder: +1
18:21:20 <hyakuhei> Writing gate tests for low hanging fruit, use of bad functions etc is something we've been wanting to do for a long time
18:21:25 <nkinder> hyakuhei: yeah, I want to see how much interest we get on that.  There should be a thread starting on -dev shortly about it.
18:21:32 <hyakuhei> Great
18:21:51 <bdpayne> should we try to pick a week right now?
18:22:00 <bdpayne> or perhaps a first and second choice?
18:22:05 <tmcpeak> probably better to pick a week sooner than later
18:22:18 <nkinder> I think an etherpad approach would be a good idea where we can hash out dates
18:22:20 <hyakuhei> We could look for something provisionally but it'll go through iterations on the ML I imagine
18:22:27 <hyakuhei> nkinder: +1
18:22:33 <nkinder> ...and set agenda items too
18:22:36 <bdpayne> ok
18:22:48 <bdpayne> personally, if I don't nail it down soon then the dates will get taken
18:22:55 <nkinder> bdpayne: me too
18:22:56 <bdpayne> I suspect others are similar
18:23:00 <mxin> agree
18:23:03 <tmcpeak> yeah, definitely
18:23:21 <hyakuhei> #action bdpayne to create an etherpad and state his preference for dates for the OSSG meetup
18:23:25 <hyakuhei> :)
18:23:26 <bdpayne> heh
18:23:27 <bdpayne> ok
18:23:35 <hyakuhei> No reason we can't get the ball rolling in the next few hours
18:23:49 <hyakuhei> I'll have to work out an appropriate venue
18:25:10 <hyakuhei> Where are people spread? Are we mainly west-coast US?
18:25:30 <paulmo> Austin, TX (help me escape the heat!) :)
18:25:35 <mxin> I am at San Antonio, TX
18:25:45 <tmcpeak> San Francisco for me
18:25:46 <bknudson> Rochester, MN
18:25:52 <chair6> Seattle
18:26:03 <nkinder> San Francisco area here too
18:26:16 <hyakuhei> Hmmm. So I guess I'll just have to see what I can get. I imagine we'll be 8-14 people
18:26:29 <bdpayne> https://etherpad.openstack.org/p/ossg-juno-meetup
18:27:00 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines
18:27:11 <hyakuhei> Ok, so let's hash out all the details on the etherpad
18:27:21 <hyakuhei> and look to make a decision very soon
18:27:24 <bdpayne> hyakuhei adds value with that link ;-)
18:27:42 <hyakuhei> Now it will show up in the minutes rather than the log
18:27:44 <hyakuhei> :P
18:27:52 <paulmo> Woot!
18:27:55 <bdpayne> yeah, but wrong link
18:27:59 <bdpayne> #link https://etherpad.openstack.org/p/ossg-juno-meetup
18:28:15 <nkinder> Can I give a quick OSSN update?
18:28:39 <tmcpeak> please do
18:28:39 <bdpayne> I'd like to hear it
18:28:39 <hyakuhei> Sigh. Stupid copy-paste. Please do
18:28:42 <hyakuhei> please
18:28:47 <hyakuhei> #topic OSSN
18:28:51 <nkinder> OSSN-0015 is up for review - https://review.openstack.org/#/c/96540/
18:28:59 <hyakuhei> :D Nice work nkinder
18:29:04 <hyakuhei> 0014 should be put to bed soon
18:29:07 <nkinder> I cleaned up some things on OSSN-0014, and it needs one more tweak that was pointed out.
18:29:17 <nkinder> I'll have a new revision up in 5 minutes
18:29:27 <hyakuhei> Great work!
18:29:39 <tmcpeak> great job!
18:29:44 <nkinder> There are a few outstanding OSSNs that need authors
18:29:46 <bdpayne> 14 has been a long haul :-)
18:29:55 <nkinder> bdpayne: yup
18:30:13 <nkinder> I'll send out a call to action on the security list in case any new members (or old) are interested
18:30:15 <hyakuhei> nkinder: I'll see if I can get one of our newer members to pick up an OSSN
18:30:26 <hyakuhei> They're a great way to get into the whole OpenStack process
18:30:37 <nkinder> yeah, and I think some of these are pretty easy
18:30:42 <mxin> what's OSSN? Sorry I am new here.
18:31:01 <nkinder> OpenStack Security Note
18:31:15 <bdpayne> #link here's the open OSSG tickets https://bugs.launchpad.net/ossn
18:31:23 <bdpayne> arg.. OSSN ticket
18:31:30 <nkinder> Here are published examples...
18:31:33 <nkinder> #link https://wiki.openstack.org/wiki/Security_Notes
18:31:35 <mxin> Got it. Thanks.
18:32:16 <hyakuhei> So we haven't officially extended the meeting yet which makes us mostly out of time
18:32:23 <hyakuhei> #topic any other business
18:32:31 <paulmo> IRC channel for OSSG?
18:32:40 <hyakuhei> #openstack-security
18:32:50 <bdpayne> does that exist?
18:32:56 <paulmo> Thanks!  Was in another one :)
18:32:57 <hyakuhei> It does
18:33:06 * bdpayne is out of date
18:33:20 <nkinder> bdpayne: you leave for a week and everything changes... :)
18:33:22 <hyakuhei> Someone reads the logs ;)
18:33:41 * bdpayne is still catching up
18:33:57 <hyakuhei> I know that feeling!
18:34:05 <hyakuhei> Ok, so anyone else for anything else?
18:34:23 <hyakuhei> There will be a change in time and meeting length discussed soon
18:34:30 <hyakuhei> That'll be on the mailing list though
18:34:35 <bdpayne> ahh, let's please vote on the time
18:35:09 <hyakuhei> Can't see why we wouldn't - so long as it isn't later than the current meeting I'll be happy
18:35:51 <hyakuhei> Great, well thank you everyone for another productive OSSG meeting. I'll distribute the minutes shortly.
18:36:01 <tmcpeak> thanks everybody
18:36:06 <bdpayne> cheers
18:36:13 <CristianF> bye
18:36:13 <mxin> Thanks. Nice to meet you all.
18:36:15 <hyakuhei> Oh and don't forget to review OSSN-0015
18:36:15 <mxin> bye
18:36:20 <hyakuhei> #endmeeting