17:00:32 <hyakuhei> #startmeeting openstack security group
17:00:33 <openstack> Meeting started Thu Sep 18 17:00:32 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:34 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:36 <openstack> The meeting name has been set to 'openstack_security_group'
17:00:42 <hyakuhei> roll call - hi guys :)
17:00:48 <tmcpeak> \o/
17:00:49 <sarnold007> hi
17:00:52 <shohel02> hi
17:01:14 <sicarie> o/
17:01:40 <hyakuhei> hey chair6 - welcome
17:01:51 <chair6> hai
17:01:53 <hyakuhei> ok, Agenda for today...
17:02:07 <tmcpeak> OSSN status
17:02:24 <hyakuhei> I'd like tkelsey to talk about RPC security when he joins
17:02:33 <tmcpeak> +1
17:02:42 <hyakuhei> Recap of the actions from last meeting
17:02:42 <bknudson> hi
17:02:47 <tkelsey> hey all, sorry I'm late
17:02:48 <hyakuhei> hey bknudson tkelsey
17:03:45 <hyakuhei> No nkinder or bdpayne
17:03:51 <hyakuhei> ok, let's take a look at the OSSN
17:03:52 <tmcpeak> yeah nkinder said he'd be gone
17:04:09 <tmcpeak> so we've got a few out since last week
17:04:17 <tmcpeak> OSSN-0020, OSSN-0026
17:04:21 <sicarie> I have an OSSN I think is almost ready
17:04:26 <tmcpeak> from Priti and Tim
17:04:36 <hyakuhei> https://bugs.launchpad.net/ossn - still got three listed as New
17:04:36 <tkelsey> OSSN-27 i think
17:04:47 <hyakuhei> +2'd 27 a few minutes ago iirc
17:05:04 <tmcpeak> oh, 27?
17:05:08 <tmcpeak> sorry, 26 was mine
17:05:08 <sicarie> OSSN-0025 -->  https://review.openstack.org/#/c/117928/
17:05:30 <tmcpeak> shohel02: did yours get published?
17:05:34 <tkelsey> yeah OSSN27 has merged and Rob just +2 OSSN29
17:05:40 <shohel02> I think mine, OSSN-0024, is almost ready
17:06:14 <tmcpeak> ok, let's go sequentially to make sure we aren't missing any
17:06:50 <tmcpeak> link https://wiki.openstack.org/wiki/Security_Notes
17:07:03 <tmcpeak> I guess they're all done except those mentioned
17:07:08 <tmcpeak> so shohel02: what do you need?
17:07:10 <tmcpeak> reviews?
17:07:27 <shohel02> it has gone through quite a lot of review
17:07:43 <tmcpeak> ok: 24 is here: https://review.openstack.org/#/c/114460/
17:07:45 <tmcpeak> feedback welcome
17:07:58 <tmcpeak> shohel02: it's probably mostly done
17:08:05 <shohel02> should be
17:08:11 <hyakuhei> #action tkelsey and sicarie please review OSSN-024
17:08:31 <tkelsey> ok will do
17:08:33 <tmcpeak> 25: sicarie
17:08:34 <tmcpeak> https://review.openstack.org/#/c/117928/
17:09:24 <tmcpeak> I'm guessing 28 is nkinder's
17:09:34 <tmcpeak> 29 is tkelsey's new one
17:09:37 <tmcpeak> that's almost done too
17:09:52 <hyakuhei> Yeah Tim's is looking good
17:10:13 <tmcpeak> hyakuhei: yeah, that should be ready
17:10:17 <tmcpeak> it got +1 from me and +2 from you
17:10:35 <tmcpeak> Mr. Payne
17:10:46 <hyakuhei> Great, we'll get bdp or nk to have a look
17:10:51 <tmcpeak> cool
17:11:01 <tmcpeak> how's the backlog looking?
17:11:29 <tmcpeak> https://bugs.launchpad.net/ossn
17:11:34 <hyakuhei> 3 marked as 'new' - should be assigned to people
17:11:36 <tmcpeak> looks like there are 3 if anybody wants to pick some up
17:11:49 <bdpayne> hey guys, sorry I'm late
17:11:51 <bdpayne> :-)
17:12:03 <hyakuhei> wootles! welcome!
17:13:09 <tmcpeak> alright
17:13:10 <hyakuhei> ok great so next on the agenda? bdpayne I see I'm still getting spammed with doc changes!
17:13:29 <tmcpeak> chair6: Bandit update?
17:14:09 <bdpayne> yep, doc is moving along
17:14:36 <bdpayne> still plenty of tickets to address, if people want to help out :-)
17:14:41 <chair6> bandit.. neeaaarly a stackforge project
17:14:46 <chair6> actually, already is at this point
17:14:56 <hyakuhei> chair6: congratulations!
17:15:03 <chair6> waiting on https://bugs.launchpad.net/openstack-ci/+bug/1370204 now so we can actually +2 changes through gerrit
17:15:04 <uvirtbot> Launchpad bug 1370204 in openstack-ci "Initial Gerrit group member for stackforge/bandit" [Wishlist,In progress]
17:15:19 <chair6> but we're there..
17:15:21 <chair6> #link https://github.com/stackforge/bandit
17:15:34 <bdpayne> nice!
17:15:40 <bknudson> do we have an example report?
17:16:14 <tmcpeak> bknudson: I'll put one up on pastebin
17:16:36 <chair6> they're very easily generated, depending on what you want it for
17:16:54 <hyakuhei> #link http://git.openstack.org/cgit/stackforge/bandit/ - congrats :D
17:17:18 <hyakuhei> So you're using gerrit etc from now on?
17:17:44 <chair6> yup, that's the plan
17:17:51 <hyakuhei> Hooray!
17:18:02 <hyakuhei> Well done chair6 tmcpeak
17:18:13 <chair6> i'm going to make me, tmcpeak, and nkinder the initial bandit-core members with +2 rights
17:18:26 <hyakuhei> tmcpeak: I noticed a few vuln reports from you recently - any from bandit?
17:18:26 <tmcpeak> thank you!
17:18:34 <tmcpeak> hyakuhei: yeah, all from Bandit
17:18:58 <tmcpeak> I'm hoping to get a CVE out of at least one of them
17:19:07 <hyakuhei> Superb.
17:19:36 <bknudson> https://review.openstack.org/#/q/status:open+project:stackforge/bandit,n,z
17:19:42 <bknudson> there's already a review
17:19:43 <shohel02> great tmcpeak and chair6
17:20:14 <hyakuhei> This really is a cool tool
17:20:26 <hyakuhei> Great thing to come out of the OSSG
17:20:29 <chair6> yep bknudson, that's the last step in getting it all gerrit-enabled
17:20:42 <chair6> now we just gotta keep it somewhat stable, and build more tests :)
17:21:02 <bknudson> is there a quick summary of what it checks for already?
17:21:24 <hyakuhei> Should have a wiki page
17:21:27 <hyakuhei> Would be nice
17:21:34 <tmcpeak> yeah, we're way behind on documentation for it
17:21:38 <chair6> seventh:plugins finnigaj$ grep 'def ' *
17:21:38 <chair6> blacklist_calls.py:def blacklist_functions(context, config):
17:21:38 <chair6> blacklist_calls.py:def _get_tuple_for_item(blacklist_object):
17:21:38 <chair6> blacklist_imports.py:def blacklist_imports(context, config):
17:21:38 <chair6> blacklist_imports.py:def _get_tuple_for_item(blacklist_object):
17:21:40 <chair6> crypto_random.py:def random_lib_calls(context):
17:21:43 <chair6> crypto_random.py:def random_lib_imports(context):
17:21:45 <chair6> crypto_request_no_cert_validation.py:def request_with_no_cert_validation(context):
17:21:47 <bknudson> I'd think the generated docs would have a page for each of the plugins / tests.
17:21:48 <chair6> general_bad_file_permissions.py:def set_bad_file_permissions(context):
17:21:51 <chair6> general_bind_all_interfaces.py:def hardcoded_bind_all_interfaces(context):
17:21:54 <chair6> general_hardcoded_password.py:def hardcoded_password(context, config):
17:21:58 <chair6> general_hardcoded_tmp.py:def hardcoded_tmp_directory(context):
17:22:00 <chair6> injection_shell.py:def subprocess_popen_with_shell_equals_true(context):
17:22:03 <chair6> injection_shell.py:def any_other_function_with_shell_equals_true(context):
17:22:06 <chair6> injection_sql.py:def hardcoded_sql_expressions(context):
17:22:09 <chair6> injection_wildcard.py:def linux_commands_wildcard_injection(context):
17:22:12 <chair6> ^ those are the tests we currently have defined
17:22:14 <chair6> documentation definitely needs work, auto-gen would be very nice to have
17:22:36 <hyakuhei> Nice set, does that cover all the ones we came up with at the meet?
17:22:52 <tmcpeak> hyakuhei: mostly
17:23:06 <tmcpeak> X	Flag use of shell=True - have a working prototype of this
17:23:07 <tmcpeak> X	Flag overly generous file permissions (rxwrxwrxw,777 etc) -  have a working prototype of this
17:23:07 <tmcpeak> X	Flag use of poor crypto primitives - we need to identify what are "poor" crypto primitives
17:23:07 <tmcpeak> X	Flag use of potentially dangerous libraries / trusted interactions cPickle etc - Pickle would be a good start, the issue is determining whether input has been sanitized/is trusted
17:23:07 <tmcpeak> Flag direct use of SQL statements (SQLAlchemy should be)
17:23:10 <bknudson> I hope there's a check for using eval()
17:23:19 <tmcpeak> bknudson: there is
17:23:25 <tmcpeak> I found a few eval bugs and filed them with bandit
17:23:37 <chair6> #action chair6 to create wiki page for bandit
17:25:57 <tmcpeak> http://pastebin.com/5YSmNW6W
17:26:25 <tmcpeak> there's a sample output from running against cinder
17:26:31 <bknudson> lots of hits!
17:26:48 <tmcpeak> yea
17:26:51 <tmcpeak> so we have profiles
17:26:57 <bknudson> "Chmod setting a permissive mask 0666 on file (path)." !!! ??
17:27:02 <tmcpeak> if you aren't interested in seeing certain types of tests, you can exclude those
17:27:05 <hyakuhei> Would be good, when working through results, to work out some idea of the number of false positives
17:27:13 <tmcpeak> you can also group by the type of issue
17:27:20 <tmcpeak> rather than the file/linenumber where the issue was found
17:27:31 <hyakuhei> For a whole project that's actually not many results
17:27:32 <tmcpeak> hyakuhei: yeah, so I haven't seen many false positives
17:27:38 <hyakuhei> :D
17:27:40 <bknudson> we just ran a code scan using Yasca or RATS or something.
17:27:50 <chair6> depends on how you define 'false positive', i guess :)
17:27:51 <tmcpeak> what we see are a lot of hits in "test"
17:27:57 <bknudson> and this output looks pretty similar
17:28:10 <hyakuhei> We also need a way to track what's been submitted perhaps - I can see _lots_ of repeated bug reports in the coming months
17:28:12 <tmcpeak> bknudson: how so?
17:28:28 <tmcpeak> hyakuhei: yeah, good point
17:28:38 <bknudson> tmcpeak: so one example is "Random library should not be used for any security or cryptographic purposes" -- RATS also complains about that.
17:28:42 <hyakuhei> LP does a reasonable job of deduping
17:28:45 <chair6> trying to consider that when setting the severity level for each test .. if the test is likely to generate false positives, it should probably flag issues as INFO or WARN
17:28:53 <tmcpeak> bknudson: ahhh
17:29:25 <bknudson> I assume we'll want to flag whatever it complains about as "safe" with some explanation
17:29:34 <tmcpeak> yeah: you can't see it in the paste, but there are levels of these
17:29:38 <tmcpeak> which are color coded
17:29:52 <tmcpeak> in the actual output blue is info, yellow is warning, red is error
17:29:54 <tmcpeak> and you can filter
17:30:04 <tmcpeak> so if you want to run a scan and only show errors, there is a command line option for that
17:30:13 <chair6> the readme at https://github.com/stackforge/bandit is a little outdated but does address some of this, worth a quick read
17:32:41 <tmcpeak> bknudson: that chmod 0o666 one I filed :)
17:32:57 <tmcpeak> I went through and ran against all projects and shotgun filed a bunch of bugs a few days ago
17:33:01 <tmcpeak> I'm on a quest for a CVE
17:33:03 <tmcpeak> and I'm lazy
17:33:07 <tmcpeak> hence Bandit
17:33:29 <bknudson> let's get the easy ones out of the way.
17:33:41 <hyakuhei> yarp
17:33:59 <tmcpeak> so even with Bandit
17:34:05 <tmcpeak> some analysis has to be done afterwards
17:34:21 <tmcpeak> no way to automate that yet
17:34:27 <tmcpeak> but it does make it easier to know where to look
17:34:34 <hyakuhei> For sure
17:34:44 <bknudson> if we've got unsafe libraries, maybe we develop safe versions of them
17:35:02 <bknudson> for example, if subprocess is unsafe, we develop a subprocess that doesn't allow unsafe stuff
17:35:13 <bknudson> not sure if that's possible
17:35:28 <tmcpeak> bknudson: yeah, in that case it's mostly just the shell injection problem
17:35:35 <tmcpeak> running with shell=True
17:35:50 <tmcpeak> parameterize the input and you're usually ok
17:36:02 <tmcpeak> and rootwrap if used correctly can help
17:36:26 <hyakuhei> I still find rootwrap quite scary
17:36:43 <tmcpeak> it's better than inline sudo
17:36:59 <tmcpeak> at least you have the option to filter
17:37:43 <tmcpeak> alright so yeah
17:37:51 <tmcpeak> everybody please give Bandit a spin if you have the chance
17:37:57 <tmcpeak> hopefully we'll be in Stackforge soon
17:38:05 <tmcpeak> new tests are definitely needed
17:38:17 <tmcpeak> and if you have any thoughts on how to make it better please drop me a line
17:38:26 <hyakuhei> Or a CR :)
17:38:37 <tmcpeak> or that ;)
17:38:57 <tmcpeak> that's probably enough on Bandit for today
17:39:31 <shohel02> tmcpeak: do you have scan result for each project some where
17:39:45 <tmcpeak> shohel02: no, that would be a good idea to have
17:40:26 <hyakuhei> ok, what's next to talk about?
17:40:41 <bknudson> once it's in infra we should be able to do a check experimental to generate it
17:40:55 <shohel02> i can talk about threat analysis
17:41:17 <hyakuhei> please do :)
17:41:23 <tmcpeak> ls
17:41:27 <tmcpeak> haha oops
17:42:10 <shohel02> we have a skeleton doc / folder for Gerrit review
17:42:19 <shohel02> https://review.openstack.org/#/c/121034/
17:42:59 <shohel02> i think it's best to go with markdown format at this stage
17:43:05 <bknudson> http://docs-draft.openstack.org/34/121034/1/check/gate-security-doc-tox-doc-publish-checkbuild/d9f278e/publish-docs/security-guide/content/index.html
17:43:30 <hyakuhei> MD is easy enough I think
17:43:57 <shohel02> yes .. it's easy to review and modify ... not much additional syntax
17:44:14 <shohel02> i am looking for review..
17:44:53 <shohel02> if successfully done, we can start towards adding analysis report
17:44:54 <hyakuhei> So Andreas left some comments
17:45:12 <shohel02> yes.. mainly style issue
17:46:21 <shohel02> content review is something we are looking for
17:46:43 <hyakuhei> Ok, I can take a look at that
17:46:48 <shohel02> thanks :)
17:47:17 <hyakuhei> #action hyakuhei to review https://review.openstack.org/#/c/121034/
17:47:45 <shohel02> that's all for now
17:50:00 <hyakuhei> Great, any more for any more?
17:50:05 <tmcpeak> tkelsey
17:50:21 <hyakuhei> Ah yes - what's going on with RPC // Kite tkelsey ?
17:50:48 <tkelsey> hey, so I can talk about Kite/Secure RPC
17:50:55 <hyakuhei> Please do :)
17:51:41 <tkelsey> there is a review in progress for a plugin framework for oslo.messaging that allows message level security
17:51:52 <tkelsey> and a plugin for using kite to implement that
17:51:59 <tkelsey> i'll dig up the link
17:52:48 <tkelsey> https://review.openstack.org/#/c/109806/
17:53:00 <tkelsey> any input on that would be awesome of course :-)
17:54:01 <hyakuhei> So I saw some discussion of moving where encryption happens?
17:54:19 <tkelsey> oh, in kite?
17:54:26 <hyakuhei> I think so
17:54:36 <tkelsey> hmm, I must have missed that, was that on dev?
17:54:51 <hyakuhei> Upshot was Jamie is away for a month and more input from Simmo required
17:55:12 <hyakuhei> Ok I'll forward you the mail that's confusing me
17:55:18 <hyakuhei> I think that's everything
17:56:07 <tkelsey> ah yeah that stuff, sorry, yeah so Jamie has been working from the kite side of things. I am coming from the messaging side and we meet in the middle at python-kiteclient
17:57:01 <tkelsey> Jamie is out for a month or so, as you say, but I can still push on with the message side. Would love to hear from Simmo of course
17:57:15 <hyakuhei> Ok great! Keep us posted please :)
17:57:20 <tkelsey> will do
17:57:53 <chair6> action completed..
17:57:55 <chair6> #link https://wiki.openstack.org/wiki/Security/Projects/Bandit
17:58:04 <hyakuhei> :)
17:58:09 <tmcpeak> sweet
17:58:13 <tkelsey> nice !
17:59:20 <hyakuhei> Great work today, make sure you hit those actions P)
17:59:28 <hyakuhei> #endmeeting