17:00:32 #startmeeting openstack security group
17:00:33 Meeting started Thu Sep 18 17:00:32 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:34 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:36 The meeting name has been set to 'openstack_security_group'
17:00:42 roll call - hi guys :)
17:00:48 \o/
17:00:49 hi
17:00:52 hi
17:01:14 o/
17:01:40 hey chair6 - welcome
17:01:51 hai
17:01:53 ok, Agenda for today...
17:02:07 OSSN status
17:02:24 I'd like tkelsey to talk about RPC security when he joins
17:02:33 +1
17:02:42 Recap of the actions from last meeting
17:02:42 hi
17:02:47 hey all, sorry I'm late
17:02:48 hey bknudson tkelsey
17:03:45 No nkinder or bdpayne
17:03:51 ok, let's take a look at the OSSN
17:03:52 yeah nkinder said he'd be gone
17:04:09 so we've got a few out since last week
17:04:17 OSSN-0020, OSSN-0026
17:04:21 I have an OSSN I think is almost ready
17:04:26 from Priti and Tim
17:04:36 https://bugs.launchpad.net/ossn - still got three listed as New
17:04:36 OSSN-27 I think
17:04:47 +2'd 27 a few minutes ago iirc
17:05:04 oh, 27?
17:05:08 sorry, 26 was mine
17:05:08 OSSN-0025 --> https://review.openstack.org/#/c/117928/
17:05:30 shohel02: did yours get published?
17:05:34 yeah OSSN27 has merged and Rob just +2 OSSN29
17:05:40 I think mine, OSSN-0024, is almost ready
17:06:14 ok, let's go sequentially to make sure we aren't missing any
17:06:50 link https://wiki.openstack.org/wiki/Security_Notes
17:07:03 I guess they're all done except those mentioned
17:07:08 so shohel02: what do you need?
17:07:10 reviews?
17:07:27 it has gone through quite a lot of review
17:07:43 ok: 24 is here: https://review.openstack.org/#/c/114460/
17:07:45 feedback welcome
17:07:58 shohel02: it's probably mostly done
17:08:05 should be
17:08:11 #action tkelsey and sicarie please review OSSN-024
17:08:31 ok will do
17:08:33 25: sicarie
17:08:34 https://review.openstack.org/#/c/117928/
17:09:24 I'm guessing 28 is nkinder's
17:09:34 29 is tkelsey's new one
17:09:37 that's almost done too
17:09:52 Yeah Tim's is looking good
17:10:13 hyakuhei: yeah, that should be ready
17:10:17 it got +1 from me and +2 from you
17:10:35 Mr. Payne
17:10:46 Great, we'll get bdp or nk to have a look
17:10:51 cool
17:11:01 how's the backlog looking?
17:11:29 https://bugs.launchpad.net/ossn
17:11:34 3 marked as 'new' - should be assigned to people
17:11:36 looks like there are 3 if anybody wants to pick some up
17:11:49 hey guys, sorry I'm late
17:11:51 :-)
17:12:03 wootles! welcome!
17:13:09 all right
17:13:10 ok great so next on the agenda? bdpayne I see I'm still getting spammed with doc changes!
17:13:29 chair6: Bandit update?
17:14:09 yep, doc is moving along
17:14:36 still plenty of tickets to address, if people want to help out :-)
17:14:41 bandit.. neeaaarly a stackforge project
17:14:46 actually, already is at this point
17:14:56 chair6: congratulations!
17:15:03 waiting on https://bugs.launchpad.net/openstack-ci/+bug/1370204 now so we can actually +2 changes through gerrit
17:15:04 Launchpad bug 1370204 in openstack-ci "Initial Gerrit group member for stackforge/bandit" [Wishlist,In progress]
17:15:19 but we're there..
17:15:21 #link https://github.com/stackforge/bandit
17:15:34 nice!
17:15:40 do we have an example report?
17:16:14 bknudson: I'll put one up on pastebin
17:16:36 they're very easily generated, depending on what you want it for
17:16:54 #link http://git.openstack.org/cgit/stackforge/bandit/ - congrats :D
17:17:18 So you're using gerrit etc from now on?
17:17:44 yup, that's the plan
17:17:51 Hooray!
17:18:02 Well done chair6 tmcpeak
17:18:13 I'm going to make me, tmcpeak, and nkinder the initial bandit-core members with +2 rights
17:18:26 tmcpeak: I noticed a few vuln reports from you recently - any from bandit?
17:18:26 thank you!
17:18:34 hyakuhei: yeah, all from Bandit
17:18:58 I'm hoping to get a CVE out of at least one of them
17:19:07 Superb.
17:19:36 https://review.openstack.org/#/q/status:open+project:stackforge/bandit,n,z
17:19:42 there's already a review
17:19:43 great tmcpeak and chair6
17:20:14 This really is a cool tool
17:20:26 Great thing to come out of the OSSG
17:20:29 yep bknudson, that's the last step in getting it all gerrit-enabled
17:20:42 now we just gotta keep it somewhat stable, and build more tests :)
17:21:02 is there a quick summary of what it checks for already?
17:21:24 Should have a wiki page
17:21:27 Would be nice
17:21:34 yeah, we're way behind on documentation for it
17:21:38 seventh:plugins finnigaj$ grep 'def ' *
17:21:38 blacklist_calls.py:def blacklist_functions(context, config):
17:21:38 blacklist_calls.py:def _get_tuple_for_item(blacklist_object):
17:21:38 blacklist_imports.py:def blacklist_imports(context, config):
17:21:38 blacklist_imports.py:def _get_tuple_for_item(blacklist_object):
17:21:40 crypto_random.py:def random_lib_calls(context):
17:21:43 crypto_random.py:def random_lib_imports(context):
17:21:45 crypto_request_no_cert_validation.py:def request_with_no_cert_validation(context):
17:21:47 I'd think the generated docs would have a page for each of the plugins / tests.
17:21:48 general_bad_file_permissions.py:def set_bad_file_permissions(context):
17:21:51 general_bind_all_interfaces.py:def hardcoded_bind_all_interfaces(context):
17:21:54 general_hardcoded_password.py:def hardcoded_password(context, config):
17:21:58 general_hardcoded_tmp.py:def hardcoded_tmp_directory(context):
17:22:00 injection_shell.py:def subprocess_popen_with_shell_equals_true(context):
17:22:03 injection_shell.py:def any_other_function_with_shell_equals_true(context):
17:22:06 injection_sql.py:def hardcoded_sql_expressions(context):
17:22:09 injection_wildcard.py:def linux_commands_wildcard_injection(context):
17:22:12 ^ those are the tests we currently have defined
17:22:14 documentation definitely needs work, auto-gen would be very nice to have
17:22:36 Nice set, does that cover all the ones we came up with at the meet?
17:22:52 hyakuhei: mostly
17:23:06 X Flag use of shell=True - have a working prototype of this
17:23:07 X Flag overly generous file permissions (rxwrxwrxw,777 etc) - have a working prototype of this
17:23:07 X Flag use of poor crypto primitives - we need to identify what are "poor" crypto primitives
17:23:07 X Flag use of potentially dangerous libraries / trusted interactions cPickle etc - Pickle would be a good start, the issue is determining whether input has been sanitized/is trusted
17:23:07 Flag direct use of SQL statements (SQLAlchemy should be)
17:23:10 I hope there's a check for using eval()
17:23:19 bknudson: there is
17:23:25 I found a few eval bugs and filed them with bandit
17:23:37 #action chair6 to create wiki page for bandit
17:25:57 http://pastebin.com/5YSmNW6W
17:26:25 there's a sample output from running against cinder
17:26:31 lots of hits!
17:26:48 yea
17:26:51 so we have profiles
17:26:57 "Chmod setting a permissive mask 0666 on file (path)." !!! ??
17:27:02 if you aren't interested in seeing certain types of tests, you can exclude those
17:27:05 Would be good, when working through results, to work out some idea of the number of false positives
17:27:13 you can also group by the type of issue
17:27:20 rather than the file/line number where the issue was found
17:27:31 For a whole project that's actually not many results
17:27:32 hyakuhei: yeah, so I haven't seen many false positives
17:27:38 :D
17:27:40 we just ran a code scan using Yasca or RATS or something.
17:27:50 depends on how you define 'false positive', I guess :)
17:27:51 what we see are a lot of hits in "test"
17:27:57 and this output looks pretty similar
17:28:10 We also need a way to track what's been submitted perhaps - I can see _lots_ of repeated bug reports in the coming months
17:28:12 bknudson: how so?
17:28:28 hyakuhei: yeah, good point
17:28:38 tmcpeak: so one example is "Random library should not be used for any security or cryptographic purposes" -- RATS also complains about that.
17:28:42 LP does a reasonable job of deduping
17:28:45 trying to consider that when setting the severity level for each test ..
if the test is likely to generate false positives, it should probably flag issues as INFO or WARN
17:28:53 bknudson: ahhh
17:29:25 I assume we'll want to flag whatever it complains about as "safe" with some explanation
17:29:34 yeah: you can't see it in the paste, but there are levels of these
17:29:38 which are color coded
17:29:52 in the actual output blue is info, yellow is warning, red is error
17:29:54 and you can filter
17:30:04 so if you want to run a scan and only show errors, there is a command line option for that
17:30:13 the readme at https://github.com/stackforge/bandit is a little outdated but does address some of this, worth a quick read
17:32:41 bknudson: that chmod 0o666 one I filed :)
17:32:57 I went through and ran against all projects and shotgun filed a bunch of bugs a few days ago
17:33:01 I'm on a quest for a CVE
17:33:03 and I'm lazy
17:33:07 hence Bandit
17:33:29 let's get the easy ones out of the way.
17:33:41 yarp
17:33:59 so even with Bandit
17:34:05 some analysis has to be done afterwards
17:34:21 no way to automate that yet
17:34:27 but it does make it easier to know where to look
17:34:34 For sure
17:34:44 if we've got unsafe libraries, maybe we develop safe versions of them
17:35:02 for example, if subprocess is unsafe, we develop a subprocess that doesn't allow unsafe stuff
17:35:13 not sure if that's possible
17:35:28 bknudson: yeah, in that case it's mostly just the shell injection problem
17:35:35 running with shell=True
17:35:50 parameterize the input and you're usually ok
17:36:02 and rootwrap if used correctly can help
17:36:26 I still find rootwrap quite scary
17:36:43 it's better than inline sudo
17:36:59 at least you have the option to filter
17:37:43 all right so yeah
17:37:51 everybody please give Bandit a spin if you have the chance
17:37:57 hopefully we'll be in Stackforge soon
17:38:05 new tests are definitely needed
17:38:17 and if you have any thoughts on how to make it better please drop me a line
17:38:26 Or a CR :)
17:38:37 or that ;)
17:38:57 that's probably enough on Bandit for today
17:39:31 tmcpeak: do you have scan results for each project somewhere?
17:39:45 shohel02: no, that would be a good idea to have
17:40:26 ok, what's next to talk about?
17:40:41 once it's in infra we should be able to do a check experimental to generate it
17:40:55 I can talk about threat analysis
17:41:17 please do :)
17:41:23 ls
17:41:27 haha oops
17:42:10 we have a skeleton doc / folder for Gerrit review
17:42:19 https://review.openstack.org/#/c/121034/
17:42:59 I think it's best to go with markdown format at this stage
17:43:05 http://docs-draft.openstack.org/34/121034/1/check/gate-security-doc-tox-doc-publish-checkbuild/d9f278e/publish-docs/security-guide/content/index.html
17:43:30 MD is easy enough I think
17:43:57 yes .. it's easy to review and modify ... not much additional syntax
17:44:14 I am looking for review..
17:44:53 if successfully done, we can start towards adding analysis reports
17:44:54 So Andreas left some comments
17:45:12 yes.. mainly style issues
17:46:21 content review is something we are looking for
17:46:43 Ok, I can take a look at that
17:46:48 thanks :)
17:47:17 #action hyakuhei to review https://review.openstack.org/#/c/121034/
17:47:45 that's all for now
17:50:00 Great, any more for any more?
17:50:05 tkelsey
17:50:21 Ah yes - what's going on with RPC // Kite tkelsey ?
17:50:48 hey, so I can talk about Kite/Secure RPC
17:50:55 Please do :)
17:51:41 there is a review in progress for a plugin framework for oslo.messaging that allows message level security
17:51:52 and a plugin for using kite to implement that
17:51:59 I'll dig up the link
17:52:48 https://review.openstack.org/#/c/109806/
17:53:00 any input on that would be awesome of course :-)
17:54:01 So I saw some discussion of moving where encryption happens?
17:54:19 oh, in kite?
17:54:26 I think so
17:54:36 humm, I must have missed that, was that on dev?
17:54:51 Upshot was Jamie is away for a month and more input from Simmo required
17:55:12 Ok I'll forward you the mail that's confusing me
17:55:18 I think that's everything
17:56:07 ah yeah that stuff, sorry, yeah so Jamie has been working from the kite side of things. I am coming from the messaging side and we meet in the middle at python-kiteclient
17:57:01 Jamie is out for a month or so, as you say, but I can still push on with the message side. Would love to hear from Simmo of course
17:57:15 Ok great! Keep us posted please :)
17:57:20 will do
17:57:53 action completed..
17:57:55 #link https://wiki.openstack.org/wiki/Security/Projects/Bandit
17:58:04 :)
17:58:09 sweet
17:58:13 nice !
17:59:20 Great work today, make sure you hit those actions P)
17:59:28 #endmeeting