17:01:16 #startmeeting openstack security group
17:01:17 Meeting started Thu Jul 24 17:01:16 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:18 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:20 The meeting name has been set to 'openstack_security_group'
17:01:30 hey all
17:01:33 Let's start with a roundtable :)
17:01:40 Rollcall even
17:01:49 \o
17:01:51 man. this is going to be a long meeting ;)
17:01:55 o/
17:02:02 \o/
17:02:04 Michael from Rackspace is here.
17:02:08 o/
17:02:21 how are you all?
17:02:24 o/
17:02:27 oh hey mxin_ - nice to see a racker here
17:02:28 hey Michael
17:02:32 hi all
17:02:49 hi sicarie where are you joining us from?
17:03:02 Perhaps hyakuhei was thinking of this: https://www.youtube.com/watch?v=lfGpVcdqeS0
17:03:04 hp
17:03:05 I have some urgent stuff to take care of. will be back later. Sorry
17:03:51 ok cool, welcome clouddon
17:03:54 i
17:04:09 Morning Rob. CloudDon == Sriramhere, FYI
17:04:14 how are you all doing?
17:04:27 pretty good, you?
17:04:31 Good, we're just giving it a minute or two to let people filter in and doing a bit of a rollcall
17:05:50 looks like we're losing more than we're picking up :)
17:05:50 ok, so I guess we'll get rolling, what's the agenda for today?
17:05:59 Obviously I want to talk about the OSSG Meetup
17:06:09 bug filing for the gate test stuff
17:06:10 please
17:06:21 maybe nkinder or you can take it if I happen to be in demo when that comes up
17:06:23 Good call, what else?
17:06:28 tmcpeak: sure thing
17:06:29 Speaker submissions for the summit
17:06:38 current OSSN status
17:06:55 threat modeling outcomes with regards to keystone trusts
17:07:16 +2
17:07:16 Great.
17:07:32 or +1,+1
17:07:33 So I just want to reiterate my thanks to everyone that came to the meetup
17:07:47 yeah great stuff!
thanks for hosting
17:07:52 +1 I think it was a great get-together
17:07:54 I think it was a great success, we achieved a hell of a lot in the time available
17:08:10 indeed!
17:08:14 60+ bugs against the security guide, several changes already through the process
17:08:22 ~3 New OSSNs
17:08:31 Threat Analysis progress
17:08:35 yippeee, thanks to Rob and HP for hosting this. From my side, I apologize for not being able to hang out for the evening events.
17:08:40 and the gate test // Bandit stuff was awesome
17:08:48 25 bugs
17:08:51 clouddon: You came for the free beer as I recall ;)
17:08:51 ~25
17:09:14 It was my pleasure to host so many awesome people in the same place.
17:09:15 only one evening. Wish I gave you company all the evenings
17:09:27 Well, we appreciate you making the time.
17:09:33 hyakuhei: do you plan to write up a summary for the mailing list so those that couldn't attend know what we accomplished?
17:09:49 +1
17:09:54 I do, I intended to do it on the flight but I've been quite unwell
17:09:54 +1
17:10:00 :(
17:10:06 I will endeavour to get something out tomorrow
17:10:16 uh oh, I hope I'm not responsible for that
17:10:26 I'm really proud of what we achieved, I want some content putting in the OpenStack newsletter too
17:10:28 bdpayne = plague master
17:10:34 ;)
17:10:42 bdpayne: Germ warfare between OpenStack vendors :(
17:10:48 this is where everyone 'hides'
17:10:53 heh
17:10:55 hyakuhei: I have some summary stuff written up too, but don't want to steal your thunder :)
17:10:57 heh, sorry!
17:11:23 nkinder: Yeah I've already done an internal one, I'll get something out tomorrow
17:11:44 hyakuhei: cool, I'll chime in if there's anything I have to add
17:11:50 Great.
17:12:10 ok, so let's work through the agenda. I'll skip going into more depth on the meet-up - email to follow
17:12:25 tmcpeak: Go first
17:12:37 can you take over for me?
17:12:42 demo imminent
17:12:44 heh, ok
17:12:51 # Gate Tests
17:12:55 let's try that again
17:12:59 #topic Gate Tests
17:13:06 #topic Gate Tests
17:13:16 thanks, I'm powerless... :)
17:13:21 powar!
17:13:38 How has the filing of issues we found with the hacking tests been going?
17:14:19 So not many have been filed ye
17:14:20 *yet
17:14:27 the google doc is largely complete.
17:14:30 I have on I'll work on but haven't had time
17:14:31 I know that tmcpeak was able to get one of the glance shell injection issues actually fixed and merged, which is awesome!
17:14:38 Though some are missing, I've deconflicted a few
17:14:41 *one
17:14:54 nkinder: thanks for the help!
17:15:25 hyakuhei: did you scan through and vet any of the issues after the mid-cycle?
17:15:52 nkinder: A few repetitions and one or two non-issues
17:15:57 but largely the list was good
17:16:22 Those writing up the bugs will be expected to do a bit of verification though
17:16:30 hyakuhei: ok, I see you have them divided between "bug" and "discuss"
17:17:05 ok, so the right approach here is to divide and conquer IMHO
17:17:06 Yeah, so not all of them (by any means) are clear vulnerabilities
17:17:11 +1
17:17:20 is there a link to this doc that is sharable?
17:17:25 or are you keeping it private for now?
17:17:27 tmcpeak: which one(s) were you planning on looking at?
17:17:59 nkinder: I'll take the injection ones
17:18:01 It is editable by anyone with the link
17:18:04 bdpayne: it's public, but security by obscurity right now...
17:18:05 nkinder: trace through the code, etc
17:18:07 for starters
17:18:16 I think Jason was looking at one also
17:18:26 I don't think there were any showstopping vulnerabilities in there?
17:18:35 hyakuhei: nope
17:18:52 hyakuhei: none warranting OSSA status
17:18:57 IMO
17:18:58 *waves*, sorry late
17:19:06 chair6: hey!
17:19:12 chair6: hola
17:19:17 ok, well I'm happy to help if someone is willing to share the info... but perhaps you guys have it all covered?
17:19:26 So I have no issue with making it more widely available
17:19:32 I can take care of the insecure tmpfile ones
17:19:32 bdpayne: could always use the help
17:19:45 bdpayne: just shared it with you out of band
17:19:54 ok, thanks
17:20:00 somebody needs to evangelize the getting rid of crap versions of SSL one
17:20:12 tmcpeak: you mean the md5 ones?
17:20:23 nkinder: no the getting rid of SSL 2.3 support
17:20:31 if we're still doing that
17:20:31 tmcpeak: oh, yes
17:21:10 should we fill in assignees on the google doc?
17:21:19 seems like a good idea to avoid stepping on each other
17:21:37 nkinder: definitely, repeated effort is bad
17:21:39 My intention was that people would add their names to them and pick them up ad-hoc
17:21:46 ie, before they wrote the bug
17:21:54 but I'm happy to carve it up too
17:22:08 sicarie: fancy taking a few?
17:22:17 Just added my name to the tmpfile ones
17:22:17 Absolutely
17:22:37 hyakuhei: I'll take all shell injection ones
17:22:56 hyakuhei: probably some economy of scale to be had by taking all of one class of bug
17:23:03 tmcpeak: +1
17:23:19 Yeah I'm fine with that, thanks for taking it on!
17:23:23 ok, let's see how far we can get by next week on these
17:23:30 other gate test topics...
17:23:30 sounds good
17:23:31 for row 3, is there anything more specific (ref to line of code)?
17:23:38 chair6 is working on getting bandit licensed
17:24:08 bdpayne: pan right?
17:24:15 bdpayne: we can re-run the scan and add it in
17:24:25 ok
17:24:28 not sure what pan is
17:24:42 yup, licensing is in progress .. shouldn't be too far off
17:25:11 i'm hoping to get it done by tomorrow, but if not will clean it up when back from vacation
17:25:31 So once bandit is licensed, we can start looking at how to get it running for Keystone as non-voting
17:25:34 bdpayne: Thought you were referring to the google doc - nvm
17:25:43 nkinder: excellent!
17:25:50 I'm happy to work on that, though I'll be out next week
17:26:01 +1 bandit is the way to go
17:26:08 I'll see how far I get on it this week
17:26:41 We still need to compare bandit vs. hacking tests too
17:26:57 Just to see if there are any differences in what they find
17:26:59 Yeah, we never looked at the bandit output iirc
17:27:05 long goal should probably be bandit, it's more thorough
17:27:08 Will be interesting for finding gaps
17:27:11 tmcpeak: +1
17:27:14 hyakuhei I was/am, but still don't know what "pan
17:27:14 Well, we also never added tests for a few things (like the 0.0.0.0 checks)
17:27:16 Though I think we're all agreed
17:27:21 "pan" is ;-)
17:27:30 oh well
17:27:30 bdpayne: I'm confused too :)
17:27:31 bdpayne: the doc has line pointers if you scroll right ?
17:27:36 pan == scroll
17:27:43 ah
17:27:44 ohhh
17:27:44 ohhhh
17:27:54 need the translator in here
17:27:54 so this row is missing a reference in that col
17:27:56 which is why I asked
17:27:57 :P
17:28:05 ...must be a british thing ;)
17:28:06 Ah I see, I thought you meant in general
17:28:11 nkinder: so many things are!
17:28:21 ok, what's next?
17:28:35 hyakuhei: once the licensing is done, we should add the remaining tests to bandit
17:28:52 is anyone interested in writing one of those tests who hasn't written one for bandit before?
17:29:01 nkinder: yes
17:29:01 it might produce some good feedback about bandit
17:29:07 sicarie: great!
17:29:18 sicarie: so the 0.0.0.0 hacking test is definitely a gap
17:29:22 nkinder: yup I'd like to write a few
17:29:26 I'll pitch in too
17:29:29 nkinder: cool, I can take that
17:29:35 I *think* we caught most of the others
17:29:49 What's the IPv6 for 0.0.0.0 ::: ?
17:30:13 hyakuhei: I don't know that there is an equivalent
17:30:22 ::0
17:30:23 0.0.0.0 applies to v4 and v6 families
17:30:41 at least from a socket interface
17:30:45 Internet says it's ::
17:31:01 Wow, this "google" thing is awesome!
17:31:04 we should see how the socket interface works with that
17:31:17 Yeah
17:31:30 since family specifies what families to listen on, and 0.0.0.0 will listen on v6 as well as v4
17:31:39 the same might be true of ::
17:31:39 ok finally demo time
17:31:41 brb
17:31:46 So I want to do some validation on SSL3.0 and what, if anything really needs it. I suspect the list is very small.
17:31:49 good luck tmcpeak
17:32:04 I don't have anything more on gate tests for now
17:32:42 ok, wanna talk about OSSN while you have the floor?
17:32:59 hyakuhei: sure, please change the topic o powerful one
17:33:01 #topic OSSN: OpenStack Security Notes
17:33:14 We have 3 new notes in flight, which is awesome
17:33:25 0020, 0021, and 0022
17:33:28 Need moar
17:33:41 I believe 0022 is in need of review (it was updated this morning)
17:33:59 #link https://review.openstack.org/#/c/108349
17:34:23 the other two need updates by the authors (stan and priti)
17:34:44 I'll do a review pass on 0022
17:34:54 hyakuhei: there is that private issue that might turn into an OSSN in the works
17:34:54 I'll poke stan.
17:35:07 Yeah I can see that happening
17:35:24 I'll get mine updated today
17:35:26 ok, so we talked about ways to generate more OSSNs - any more thoughts on that?
17:35:31 one other potentially good one is related to a bug I've been helping with
17:35:31 viraptor: thanks!
17:36:01 https://review.openstack.org/101792
17:36:14 this is the keystone client password logging issue
17:36:30 debug logging logs entire requests, including passwords
17:36:41 sorry if I'm slow to the game here, but I'm pretty shocked that OSSN-0022 isn't a CVE
17:38:02 It's because it's a weird mode of operation I think
17:38:11 Start a stopped instance with soft-reboot call
17:38:14 iirc
17:38:24 sure, but...
ugh
17:38:29 this is nasty
17:38:37 bdpayne: there's some background discussion on that decision in the bug
17:38:46 Though I'd agree that anything that breaks the ACLs that didn't come from a 'please break my ACL' API call should be an OSSA/CVE
17:38:47 bdpayne: it might be worth arguing the point further
17:39:05 I'll look into the bug
17:39:06 thanks
17:39:13 I've reviewed the OSSN and it lgtm
17:39:18 (fyi)
17:39:30 dg__: we are just discussing your OSSN
17:39:38 hey sorry I'm late
17:40:07 dg__: I plan to review it this afternoon
17:40:31 nkinder thanks
17:40:47 on the keystoneclient password logging one, what do others think about a note advising about it?
17:40:51 this isn't a huge concern for a normal client, but it's pretty ugly if Horizon has debug logging on
17:41:19 nkinder: I'll look now
17:41:24 debug logging in Horizon will then show the requests it makes to keystone with passwords for users
17:41:25 dg__: reviewed your OSSN
17:42:17 It's being fixed in the client now, but it's probably worth mentioning to recommend updating the client for older releases
17:42:27 I didn't think we were doing OSSNs for client-side logging? I'm happy for that not to be the case but I thought that was the precedent
17:42:31 back
17:43:04 hyakuhei thanks, I'll fix the line lengths
17:43:19 hyakuhei: client-side logging in this case is Horizon though
17:43:26 Ah ok
17:43:35 Yeah that sounds bad.
17:43:40 hyakuhei: if you and I log into Horizon, the Horizon admin might have debug logging on which contains our passwords
17:44:13 ok, I'll create an ossn bug for it
17:44:20 hyakuhei: please add an #action for me
17:44:35 I can pick up that new OSSN if people want
17:44:37 #action nkinder to create an OSSN for https://review.openstack.org/101792
17:44:50 tkelsey: sure
17:45:01 tkelsey: I've been working on the bug and unit tests for it
17:45:13 tkelsey: so I can answer any questions for you
17:45:32 Great stuff!
17:45:40 nkinder: cool, I'll contact you for details
17:45:42 hyakuhei: for identifying new OSSNs, we discussed using SecurityImpact reviews to find issues
17:45:55 hyakuhei: We talked about a sub-team that is responsible for reviews
17:46:07 Yeah, is there a nice way to see a list of all gerrit items with certain tags?
17:46:10 I assume there is
17:46:17 I haven't had a chance to follow up and investigate that yet
17:46:44 hyakuhei: You can add an action for me to look into that
17:46:58 Would be good to have over 30 by the summit - I think that should be doable
17:47:10 Once we have a list, we can craft an e-mail with the responsibilities for the sub-team
17:47:15 hyakuhei: over 30 notes?
17:47:17 #action nkinder to investigate ways of identifying all the 'security impact' bugs
17:47:19 hyakuhei: that should be no problem
17:47:20 nkinder: yup
17:47:34 hyakuhei: ok, that's it on notes from me
17:48:08 * nkinder steps away for 2 minutes
17:48:12 ok, what else did we have to discuss?
17:48:20 #topic Other business
17:48:35 hyakuhei can we add a gate test for line length on OSSNs?
17:48:49 also, I fixed the line length on ossn-22, please review
17:48:55 I have a few words on the book
17:49:14 Is now good?
17:49:31 We don't have any gate tests for OSSNs at the moment but yeah that would be high on the list dg__
17:49:36 bdpayne: go ahead
17:49:42 #topic security guide
17:50:06 Coming out of the meetup last week, we have lots of bugs filed on the book. Many of the smaller changes are being plucked off by various people, which is great.
17:50:24 Moving forward, I'd like to put together a bit of a roadmap about how we want the book to shape up.
17:50:37 There are some larger questions about content, organization, release schedule, etc.
17:50:51 We didn't really get a chance to flesh this out last week, which is fine.
17:51:06 So... what I'd like to do is to get more people familiar with the book project by working on the open bugs.
17:51:18 * nkinder back
17:51:20 And I can put together a strawman proposal for longer term thinking.
17:51:21 Yeah, a big discussion should be around if we branch with release cycles
17:51:26 bdpayne: sounds good
17:51:36 Then I'll open that strawman up for larger group comment / review.
17:51:41 bdpayne: yeah, a book v2.0 plan would be a good idea
17:51:47 There are a lot of moving pieces, so I think this is a reasonable approach.
17:52:06 But if anyone wants to be engaged with this from the earliest stages, then please just drop me a line.
17:52:08 Also...
17:52:20 I received some questions around what it takes to be listed on the authors list
17:52:20 bdpayne happy to pick up some of those bugs
17:52:22 This is an open question
17:52:29 And something that we should be thinking about
17:52:53 beyond that, thanks to everyone for pushing the book ahead nicely last week
17:52:55 Yeah, so there's probably a difference between contributors and authors
17:52:59 bdpayne: yeah, that seems like a difficult thing to define
17:53:04 we're getting lots of nice changes!
17:53:21 we have lots of new contributors as well
17:53:25 which is great stuff
17:53:26 Most of the authors listed wrote one or more entire chapters
17:53:50 yeah, I think the bar should be set to something similar to what the initial authors did
17:53:54 just need to define that formally
17:53:55 I think that's a reasonable bar at which to be an author, changes and paragraphs here and there are probably contributors
17:54:03 At the discretion of bdpayne of course.
17:54:08 heh
17:54:24 i.e. if someone writes a shed load of content for every chapter they should probably be an author
17:54:26 1 beer == contributor, 6 beers == author, etc
17:54:33 bdpayne: +1
17:54:39 Ok guys, last 5 minutes
17:54:42 sounds good
17:54:50 that's all I have on the book
17:55:07 I'd quickly like to say a few things about threat modelling of keystone trusts
17:55:21 #topic Other business
17:55:21 We identified 2 threat scenarios last week
17:55:31 go ahead nkinder
17:55:44 I've written unit tests to cover those here - https://review.openstack.org/109120
17:55:56 additional reviews from OSSG folks would be appreciated
17:56:26 Also related, I sent an e-mail out to the dev list yesterday about adding some additional limits to trusts
17:56:34 #action hyakuhei to review https://review.openstack.org/109120
17:56:44 nkinder: what about limiting trust delegations to prevent resource exhaustion attacks?
17:56:45 nkinder: I didn't see it...
17:56:54 no, not resource exhaustion
17:57:09 it's to have liites on how long a trust can be valid for at a global level
17:57:25 this would be one way of preventing a permanent backdoor for a compromised account
17:57:36 I know that one, we have the OSSN on it
17:57:38 s/liites/limits/
17:57:50 that's not the only reason, but it's related to that OSSN
17:57:51 but if there is no limiting and they never expire then you could eventually exhaust resources, clog up the DB, etc
17:58:05 ideally, role based limits could be set to put a cap on delegation
17:58:24 right now, it's up to the user to cap a trust (and everyone can put no expiration on it)
17:59:08 the discussion is here - http://lists.openstack.org/pipermail/openstack-dev/2014-July/040944.ht
17:59:21 http://lists.openstack.org/pipermail/openstack-dev/2014-July/040944.html
17:59:26 not truncated this time :P
17:59:46 ok, that's all from me
17:59:53 ahh cool
17:59:56 Great, thanks for the link nkinder
18:00:05 Ok, that's time people! Thank you everyone!
18:00:08 thanks everyone
18:00:14 bye all
18:00:16 thanks
18:00:18 thanks all
18:00:19 #endmeeting