#openstack-meeting-alt log

17:00:14 <tmcpeak> #startmeeting security
17:00:14 <openstack> Meeting started Thu May 19 17:00:14 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:15 <tmcpeak> o/
17:00:18 <openstack> The meeting name has been set to 'security'
17:00:21 <tmcpeak> #chair hyakuhei
17:00:22 <openstack> Current chairs: hyakuhei tmcpeak
17:00:24 <gmurphy_> o/
17:00:28 <tkelsey> o/
17:00:34 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:01:04 <elmiko> o/
17:01:05 <mdong> o/
17:01:14 <michaelxin> o/
17:01:56 <diazjf1> o/
17:02:02 <tmcpeak> hi everybody
17:02:10 <tmcpeak> please have a look at the agenda and add anything if you want
17:02:12 <tmcpeak> otherwise we'
17:02:16 <tmcpeak> we'll get rolling in a minute or two
17:02:17 <hyakuhei> o/
17:02:23 <lhinds> hi everyone
17:02:32 <hyakuhei> I’m about 50% here. Will be 100% here in a few minutes.
17:02:35 <tmcpeak> hey lhinds
17:02:39 <lhinds> hey tmcpeak
17:03:42 <tmcpeak> I pinged nkinder, if we can get him to join I'll move the OSSN to match his schedule
17:03:58 <tmcpeak> meanwhile, let's roll it
17:04:01 <tmcpeak> #topic Anchor
17:04:09 <tmcpeak> tkelsey: you might be the one today
17:04:16 <tmcpeak> don't see Mr. Chivers
17:04:26 <tkelsey> humm, well i got nothing on my radar
17:04:40 <ccneill> o/
17:04:49 <tmcpeak> easy enough
17:04:52 <tmcpeak> #topic Bandit
17:04:59 <tmcpeak> probably not much here either, huh?
17:05:02 <dg___> o/
17:05:08 <tmcpeak> ahh, Chivers
17:05:13 <tmcpeak> you have anything you want to say on Anchor or no?
17:05:14 <tkelsey> nope, quiet times
17:05:23 <tkelsey> bandit ^
17:05:32 <dg___> ditto, not touched anchor this week. soon
17:05:32 <tmcpeak> cool easy enough
17:05:37 <tmcpeak> I'll tell you where there aren't quiet times
17:05:40 <tmcpeak> #topic Syntribos
17:06:01 <tmcpeak> nkinder: thank you for joining
17:06:09 <nkinder> tmcpeak: sure
17:06:13 <tmcpeak> we'll have the Syntribos team do an update and OSSN is next up
17:06:15 <michaelxin> mdong: go ahead
17:06:42 <mdong> so this past week we’ve done a deep dive into improving our tests
17:07:20 <mdong> we’ve taken a second pass on our current security test cases, mostly to streamline them and reduce false positives
17:07:57 <mdong> rahulunair and vinaypotluri have also been working on creating new test cases
17:08:07 <tmcpeak> awesome
17:08:14 <tmcpeak> I see tons of activity in the channel
17:08:16 <ccneill> we'll be doing another design session soon to tackle some architectural changes we're contemplating, including removing OpenCAFE and changing the way we detect "failures"
17:08:34 <ccneill> i.e. making it easier to write further test cases
17:09:28 <ccneill> thanks to elmiko I think we have a pretty good idea of what a transition to oslo.logging and oslo.config will look like from CAFE components
17:09:30 <michaelxin> We are using the broken API that we talked before as our test bed.
17:09:54 <michaelxin> The running against the broken API should start this week.
17:09:56 <ccneill> yes, we should be running all our basic tests against that API by next week
17:10:05 <ccneill> but yeah, we'll start today/tomorrow
17:10:17 <tmcpeak> how are you guys running it, just manually?
17:10:25 <rhallisey> hello.  Sorry I'm late
17:10:27 <ccneill> yeah, local environment
17:10:42 <tmcpeak> you guys have tox or something to pull down broken API and run Syntribos against it?
17:10:54 <tmcpeak> that would be cool, kind of like Syntribos functional tests
17:10:59 <ccneill> yeah we might do that
17:11:06 <ccneill> probably better than bundling it into the repo itself
17:11:09 <michaelxin> That would be cool.
17:11:11 <ccneill> haven't gotten to that point just yet
17:11:15 <ccneill> but it's doable
17:11:25 <tmcpeak> would make a cool demo
17:11:28 <michaelxin> Currently, the broken api is running use docker tool
17:11:40 <michaelxin> locally
17:11:42 <tmcpeak> I've found running against our bandit examples directory to be the best way to quickly show somebody its value
17:12:03 <tmcpeak> would be really cool to get something similar for Syntribos
17:12:08 <ccneill> yep, we're using the vAPI as our sort of "proof" that we can detect X vulnerabilities
17:12:15 <tmcpeak> very cool
17:12:29 <ccneill> I think there will be a good synergy between syntribos + bandit too
17:12:33 <tmcpeak> yeah
17:12:40 <tmcpeak> I've shown some of the IBM guys and they're really interested
17:12:44 <ccneill> nice
17:12:51 <ccneill> in Syntribos? or bandit?
17:12:55 <tmcpeak> Syntribos
17:13:05 <ccneill> sweet
17:13:18 <ccneill> well hopefully we have something to show off very soon :)
17:13:28 <tmcpeak> awesome, great work guys
17:13:40 <ccneill> I think that's about it for now
17:13:42 <tmcpeak> cool
17:13:44 <tmcpeak> #topic OSSN
17:13:49 <tmcpeak> nkinder: around? :)
17:14:02 <tmcpeak> hyakuhei:
17:14:08 <hyakuhei> Hey
17:14:13 <tmcpeak> got nkinder to join
17:14:19 <nkinder> tmcpeak: yep, I'm here
17:14:20 <tmcpeak> I assume it was you that put you wanted his input on the etherpad, yeah?
17:14:34 <hyakuhei> So we’ve spoken a few times about converting or otherwising magicing OSSNs into a more machine-readable / searchable format
17:15:00 <tmcpeak> yeah talked a bit at the summit about it too
17:15:10 <nkinder> Yeah, we specifically looked at YAML ni the past
17:15:15 <hyakuhei> As much as we’d like to fix things with parsing / scripts - I was going to suggest that we have a manual sprint at the summit to change the OSSNs out
17:15:16 <nkinder> though SCAP would be interesting too
17:15:29 <hyakuhei> SCAP gets pretty vendo specific I think
17:15:53 <hyakuhei> Though some tool that takes OSSN from YAML -> SCAP (with additional content from the person doing the conversion) could be interesting
17:16:15 <hyakuhei> So my proposal would be to agree a YAML schema/format  before the mid-cycle
17:16:34 <nkinder> If we agree on a format, I think the conversion won't be too bad
17:16:40 <lhinds> Guesses are that currently people are manually cherry picking from the notes or the security guide
17:16:51 <nkinder> I have a tool that was converting to YAML, but we didn't have an exact format that we ever agreed on
17:17:26 <tmcpeak> I think the original format of OSSN took us pretty far and we've been hesitant to move forward with YAML out of concern for preserving legacy, yeah?
17:17:56 <hyakuhei> Sounds about right. I think the time is right to move onto something more usable overall
17:18:02 <tmcpeak> +1
17:18:05 <nkinder> Partially that, but we also had a concern that less people would volunteer to write them in YAML (it's more of a barrier to entry)
17:18:07 <hyakuhei> Search being particularly interesting
17:18:21 <michaelxin> +1 for searching
17:18:22 <nkinder> but a parseable format would be nice
17:18:27 <tmcpeak> there's also an issue for how to handle things like code snippets nicely
17:18:39 <hyakuhei> Yup that was a concern but nominally it’s either developers or established peoples who are happy to write YAML now.
17:18:43 <hyakuhei> tmcpeak: Interesting
17:19:07 <nkinder> yeah, there are a few things that become tough in YAML
17:20:14 <hyakuhei> Hmmm. Do the VMT ever run into this problem? gmurphy_ ?
17:20:21 <nkinder> I have some YAML tools here - https://github.com/nkinder/ossn-tools
17:20:22 <hyakuhei> I’m open to other formats
17:20:39 <nkinder> There was some other standard in this area that I looked into at one point
17:20:47 <hyakuhei> So nkinder. Are you in favor of the move in principle?
17:21:09 <gmurphy_> sorry only half watching..
17:21:10 <gmurphy_> what now?
17:21:26 <tmcpeak> gmurphy_: does VMT run into issues with code snippets in YAML for OSSA?
17:21:32 <hyakuhei> Do you run into problems with YAML when describing vulns, code snippets etc
17:21:32 <tmcpeak> and if so, how is it solved?
17:21:37 <gmurphy_> we don't include code snippets..
17:21:50 <hyakuhei> good lot of use you are gmurphy_ ….
17:21:53 <gmurphy_> or haven't historically.
17:21:55 <nkinder> hyakuhei: yeah, I'm fine with it.  I think there are big benefits if we add a scanning tool
17:22:13 <tmcpeak> yeah, pain for dealing with code snippets in some cases is less than benefit for creating a searchable format
17:22:21 <ccneill> one way to solve for code snippets: link out to github commits?
17:22:36 <nkinder> ...by scanning tool, I mean that a deployer can create a simple config file that says things about their deployment (versions, services used, etc.), then the tool can find all relevant notes
17:22:42 <tmcpeak> ccneill: that could definitely work in a lot of cases
17:22:53 <tmcpeak> nkinder: +1
17:22:53 <hyakuhei> That being the case nkinder, how involved in the work do you want to be? I’m happy for you to lead the charge or to let it happen, up to you …
17:23:08 <nkinder> We could link to a published note on the wiki with code snippets
17:23:08 <hyakuhei> ccneill: Code snippets tend to be around config changes etc
17:23:19 <hyakuhei> YAML needs a “”” type thing from python :D
17:23:23 * hyakuhei hides.
17:23:43 <nkinder> hyakuhei: I'm happy to be involved, but my time is a bit thin as of late
17:24:09 <ccneill> hyakuhei: we could just gzip/b64 any text blobs in the YAML?
17:24:17 <ccneill> ugly as all hell, but if linking out isn't an option, it's something
17:24:29 <hyakuhei> Righto, so what’s the best way to manage this? Should we start by smashing things into an etherpad? Do we want a security spec to work through the YAML format?
17:24:33 <ccneill> or maybe link out to a textfile hosted in the same location as the OSSNs
17:24:34 <nkinder> CVRF was the format I looked into previously
17:24:40 <hyakuhei> ccneill: I’d like the YAML to be true YAML i.e human readable.
17:24:42 <tmcpeak> ccneill: text file link could work
17:24:48 <tmcpeak> I'd prefer that over B64
17:25:06 <ccneill> B64 definitely makes review/human reading (without a tool) harder
17:25:10 <hyakuhei> Basically I’d like it if it was all native YAML and then we can have tools for cross publishing, making things searchable etc.
17:25:42 <tmcpeak> well code snippets are pretty central to a fair amount of notes so whatever we get has to address that well
17:25:46 <hyakuhei> Hmmm, I imagine Ansible may have fixed this, aren’t there playbooks YAML? They must have to do smart things with code.
17:26:03 <lhinds> hyakuhei, major is doing a lot there
17:26:03 <tmcpeak> hyakuhei: not fixed
17:26:09 <hyakuhei> lol
17:26:11 <lhinds> we can use the remediation snippets
17:26:19 <lhinds> as examples
17:26:22 <tmcpeak> I've had a hard time with getting unedited code in yaml
17:26:32 <lhinds> there is also a lot of the OSSN stuff in SCAP already
17:26:38 <lhinds> we borrow back :)
17:26:52 <tmcpeak> lhinds: link?
17:26:58 <nkinder> Here's a YAML converted OSSN - http://paste.openstack.org/show/497764/
17:27:12 <tmcpeak> this one is easy bc no snippets
17:27:22 <nkinder> let me find one with snippets...
17:27:43 <lhinds> https://github.com/OpenSCAP/scap-security-guide/tree/master/OpenStack/RHEL-OSP/7/input/oval
17:27:59 <tmcpeak> oh yeah, XML
17:28:15 <nkinder> Here's one with an example snippet - http://paste.openstack.org/show/497765/
17:28:16 <tmcpeak> I despise XML but it does tend to handle snippets pretty well
17:28:50 <lhinds> https://github.com/rackerlabs/openstack-ansible-security
17:29:02 <nkinder> SCAP is a bit different, because it can deal with actual scanning and remediation with some tools
17:29:25 <tmcpeak> nkinder: the snippet here isn't awful
17:29:27 <nkinder> ...but it needs knowledge about the platform, so it is vendor/platform specific
17:29:31 <hyakuhei> SCAP gets quite distro specific quite quickly I think
17:29:31 <tmcpeak> not great but isn't awful either
17:29:42 <gmurphy_> what about sticking with the markdown and embedding metadata somehow (maybe like this - https://pythonhosted.org/Markdown/extensions/meta_data.html)
17:30:00 <nkinder> so the YAML my utility produces was designed to be able to spit back out the text form we're been publishing
17:30:11 <nkinder> Maybe that should not be a goal...
17:30:24 <tmcpeak> nkinder: yeah I think we can relax that constraint
17:30:35 <nkinder> I had thought we'd want a human readable form like now, but a YAML form that can be used for parsing
17:30:38 <tmcpeak> gmurphy_: MD is nice but most of the note would end up being metadata anyway, huh?
17:30:44 <hyakuhei> nkinder: +1
17:30:56 <nkinder> so some things can be simplified in the YAML if we change the goals
17:31:27 <tmcpeak> yep yep
17:31:30 <nkinder> For example, you can see that I have a separate item for each paragraph in the "description" section
17:31:34 <michaelxin> What's the goals here again?
17:31:41 <tmcpeak> goal is easily parseable yet also human readable
17:31:53 <hyakuhei> Yup
17:31:53 <ccneill> hmmm..
17:32:06 <ccneill> maybe bad idea, but what if we just make a pretty web UI that generates markdown in a VERY specific way
17:32:18 <ccneill> and build our own parser for the MD we generate
17:32:19 <hyakuhei> Though actually being directly human readable is a weak requirement if we have something from which a human readable version can easily be derived
17:32:24 <nkinder> The direction I was going with this in the past was that YAML would be the canonical format that we commit to the repo
17:32:28 <gmurphy_> tmcpeak: but isn't the point to have some way of linking the note to an actual version of openstack deployed. you would only need to a small set of metadata to achieve this. e.g. the whole document wouldn't necessarily need to be machine parseable…
17:32:37 <hyakuhei> nkinder: +1
17:32:43 <nkinder> ...and we can convert to a human readable form to publish on the wiki
17:33:02 <nkinder> I didn't focus on making the YAML the readable format
17:33:17 <tmcpeak> ok so one question is, do we want to maintain multiple copies of one note or not
17:33:18 <hyakuhei> We want _all_ the info. In _one_ place. With tools that take that info and make a searchable OSSN DB, a human readable OSSN etc
17:33:30 <tmcpeak> I would say no
17:33:59 <tmcpeak> one shot is either human readable or easily converted to human readable AND contains all the data needed to enable our searches
17:34:11 <hyakuhei> So no, the OSSN doesn’t have to be strictly human readable in YAML but I would like it to be self contained so that the published OSSN and various other tooling can all use the same YAML.
17:34:22 <nkinder> hyakuhei: +1
17:34:33 <tmcpeak> cool
17:34:48 <hyakuhei> which I guess potentially puts B64 back on the table as an easy way to encode messy stuff
17:34:57 <tmcpeak> yeah
17:35:02 <hyakuhei> Although it’s ugly from a git POV
17:35:05 <gmurphy_> yeah that makes sense. i was just trying to think of a way around the code snippets etc.
17:35:06 <hyakuhei> reviewing OSSNs etc
17:35:23 <tmcpeak> not that bad, just have a tox env or something that converts
17:35:29 <michaelxin> sound like a good plan
17:35:29 <tmcpeak> hrmm, yeah
17:35:32 <tmcpeak> not great actually
17:35:48 <ccneill> BSON
17:35:50 <ccneill> :D
17:35:59 <ccneill> (jk)
17:36:06 <elmiko> lol
17:36:13 <lhinds> What's the issue with parsing out the values from MD to YAML? I missed the gotcha?
17:36:36 <hyakuhei> lhinds: The MD is weakly enforced. No particularly solid schema
17:37:02 <ccneill> that's why I was thinking maybe we enforce that by making a tool that you build an OSSN in
17:37:11 <ccneill> and it spits out MD in a format we can easily parse
17:37:18 <ccneill> even if that doesn't map to an existing standard
17:37:21 <ccneill> ¯\_(ツ)_/¯
17:37:23 <hyakuhei> A tool to write a doc?
17:37:25 <ccneill> definitely a bit of work to make it happen
17:37:29 <tmcpeak> that's a lot of engineering work
17:37:33 <ccneill> yep
17:37:38 <hyakuhei> We’d be better off having a WSDL
17:37:44 <ccneill> haha
17:37:45 <nkinder> That's sort of what I developed...
17:37:55 <tmcpeak> might be over-engineering this
17:38:01 <hyakuhei> +1
17:38:02 <nkinder> You can write in the plain text form, then convert to YAML (or vice-versa)
17:38:11 <tmcpeak> ok so we like YAML, only problem is how to handle the base64 snippet for review?
17:38:13 <michaelxin> build on nkinder's current tools is better
17:38:15 <hyakuhei> Ask a room full of engineers to write a document.
17:38:20 <ccneill> haha
17:38:49 <hyakuhei> So potentially we could have a gate job extract, decode and show/add the b64 if that’s the route we went
17:38:54 <hyakuhei> ok, lets all have a think about this
17:39:23 <hyakuhei> and talk more next week?
17:39:24 <tmcpeak> rathole deferred until next week? same time?
17:39:29 <hyakuhei> ++
17:39:30 <nkinder> It would probably be useful if someone looked more closely at the tools I wrote
17:39:39 <hyakuhei> I’ll try to stab at it
17:39:42 <nkinder> ..then can give some feedback
17:39:49 <tmcpeak> sounds good
17:39:58 <nkinder> The one problem with code snippets in it right now is that you lose line feeds
17:40:15 <michaelxin> how often do we have code snippet?
17:40:19 <nkinder> pretty often
17:40:21 <ccneill> nkinder: looks pretty reasonable to me
17:40:26 <ccneill> from a quick skim
17:40:31 <nkinder> ..but it's usually for configuration file snippets
17:40:37 <ccneill> if the MD format is enforced consistently enough
17:40:41 <nkinder> we rarely show actual code
17:40:47 <hyakuhei> Yeah it’s more configs
17:41:26 <ccneill> hmmm... is there some way we could abstract that away?
17:41:32 <ccneill> like have a schema for various config changes?
17:41:39 <ccneill> sorry, I keep trying to make this as complicated as possible :P
17:41:44 <hyakuhei> No way
17:41:59 <ccneill> fair enough
17:42:05 <hyakuhei> Some configs are pure python, many are custom logic, some are strange magic
17:42:37 <michaelxin> can we use Block literals for it?
17:42:52 <nkinder> michaelxin: I think we'll have to do something like that
17:42:55 <ccneill> ...what if we just wrote OSSNs as a Python class with a to_yaml method? O_o
17:42:56 <tmcpeak> michaelxin: that would be the easiest
17:43:12 <ccneill> somewhat similar to setup.py
17:43:18 <tmcpeak> I don't know how well it works for code snippets though
17:43:18 <lhinds> There is a echo=FALSE in MD - we could put in our own tags
17:43:55 <tmcpeak> allright guys, glad we're having this discussion
17:43:58 <michaelxin> can we try it for a couple of existing ones?
17:44:02 <tmcpeak> seems like we've got buy in to do OSSN v 2
17:44:04 <lhinds> is it not more stuff like file perm octals, key / values though?
17:44:09 <tmcpeak> maybe have some plays and come back next week with ideas?
17:44:19 <tmcpeak> do want to have some time to chat midcycle
17:44:27 <hyakuhei> Yup, lets get through the rest of the agenda.
17:45:07 <diazjf1> tmcpeak, hyakuhei, so I started an etherpad here: https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:45:15 <tmcpeak> #topic Midcycle
17:45:47 <diazjf1> Having the security midcycle with the barbican midcycle worked out last year and I wanted to see everyones opinion on having both sessions together
17:45:59 <diazjf1> I am also working on getting space at IBM@Austin
17:46:17 <diazjf1> I wanted to get opinions as well as a list of potential attendees
17:46:36 <hyakuhei> I’m very much in favor of an overlapping midcycle again
17:46:39 <diazjf1> #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:46:40 <tmcpeak> +1
17:46:51 <michaelxin> +1
17:46:56 <hyakuhei> diazjf1: ping me a mail if you need support for IBM@Austin
17:47:00 <elmiko> +tacos
17:47:03 <nkinder> I think overlapping would work nicely
17:47:18 <hyakuhei> I assumed Rack when I saw Austin
17:47:28 <nkinder> hyakuhei: Especially if we want to proceed more on the certmonger/anchor documentation we talked about at the Summit
17:47:42 <michaelxin> doug and I talked about this.
17:47:43 <hyakuhei> Definitely
17:47:49 <michaelxin> Let IBM try it first
17:47:54 <hyakuhei> Righto
17:47:55 <michaelxin> we can serve as backup
17:48:05 <diazjf1> cool, yeah I'll keep you guys posted.
17:48:29 <michaelxin> diazjf1: +1
17:48:33 <hyakuhei> Righto, let me know if I can help
17:49:21 <hyakuhei> Anything else on the agenda for today?
17:49:23 <diazjf1> Please add your info to the etherpad
17:49:44 <sicarie> blog post review: https://github.com/openstack-security/openstack-security.github.io/pull/24
17:50:54 <hyakuhei> Thanks sicarie
17:52:24 <hyakuhei> Cool, anything else ?
17:53:06 <tmcpeak> should be a wrap
17:53:46 <hyakuhei> Excellent. Thanks everyone!
17:53:50 <michaelxin> thanks
17:53:51 <tmcpeak> thanks everybody!
17:53:53 <tmcpeak> #endmeeting