14:00:26 <LukeHinds> #startmeeting Security Group
14:00:26 <collabot> Meeting started Wed Apr 22 14:00:26 2015 UTC.  The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:26 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:00:26 <collabot> The meeting name has been set to 'security_group'
14:01:00 <jaosorior> LukeHinds: where was the agenda again?
14:01:54 <LukeHinds> #info https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:44 <LukeHinds> #info Luke is a prize idiot, reinstalled OS and has forgotten the username for gotomeeting as it was in browser cache. We will need to instead do this over IRC, sorry *
14:03:02 <jaosorior> LukeHinds: thought it was agreed before that it was gonna be from IRC now :/
14:03:03 <LukeHinds> #topic agree agena
14:03:21 <LukeHinds> It was, but would do a few with voice until the message got through
14:03:28 <LukeHinds> but I guess we can start from now :)
14:03:29 <jaosorior> oh, alright
14:03:35 <jaosorior> yeah, I'm planning to only join from IRC
14:03:41 <LukeHinds> makes sense
14:03:53 <LukeHinds> #info anyone want to add to the agenda at all?
14:04:30 <LukeHinds> any inspector stuff Juan?
14:04:31 <jaosorior> noup
14:04:33 <jaosorior> ah
14:04:35 <jaosorior> regarding that
14:04:42 <LukeHinds> yup
14:04:45 <jaosorior> we hope we get a review for that tomorrow from the TSC
14:04:53 <jaosorior> so then we get green light to start
14:04:57 <LukeHinds> sounds good!
14:05:07 <LukeHinds> I am aligning internally to see if I can help out
14:05:13 <jaosorior> We were gonna bring it up last thursday but the meeting ran out of time
14:05:24 <LukeHinds> #info Inspector will hopefully get a review for that tomorrow from the TSC
14:05:50 <LukeHinds> understood, good luck, but it sounds solid to me
14:05:54 <mwinandy> Me too (also trying to find people to help with Inspector)
14:05:58 <LukeHinds> #agree agenda
14:06:09 <jaosorior> I have several propositions which involve some good work
14:06:14 <LukeHinds> #topic last minutes? (not much there)
14:06:20 <jaosorior> will bring them up after we get green light from TSC
14:06:31 <LukeHinds> look forward to hearing them!
14:06:46 <LukeHinds> #agree last minutes
14:07:19 <LukeHinds> #topic work item updates
14:07:27 <LukeHinds> I can go first here
14:09:05 <LukeHinds> #info Jira has been updated so that we can raise security bugs, which are not public (only a member of the osvm / security group and the proj lead / lead commiter) can see. We just need to test this a bit more. I have not been pushing the guys at the linux foundation much though as they are super busy with first release stuff at the same time. But progress
14:09:05 <LukeHinds> is being made. I expect I will bring it all together next week so it can be put in front of the TSC
14:09:34 <LukeHinds> #info Need some members of the group who can read code to join to help handle ulnerbailites as and when they happen
14:09:47 <LukeHinds> #info I don't forsee it being very busy / much of a time sink
14:10:12 <LukeHinds> #info I also am working still on putting up the page to map to ETSI requirements.
14:10:51 <LukeHinds> #info we can do this with Inspector which might be nice. So for every ETSI requirement that is present in inspector we can show the relation, if that makes sense?
14:11:21 <mwinandy> Yes, sounds good.
14:11:32 <jaosorior> LukeHinds: it makes sense
14:11:54 <LukeHinds> #info good, so I will get onto that next week I hope. been a bit busy this week with other stuff on my desk.
14:12:18 <LukeHinds> Marcel, do you want to update on your work item?
14:12:32 <jaosorior> at the moment the main focus is to push for CADF, but if there are specific requirements or suggestions from ETSI, that would be taken into account
14:12:37 <mwinandy> Yes I can a little
14:12:49 <LukeHinds> #info marcel
14:12:59 <LukeHinds> juan lets come back that, its interesting
14:13:48 <jaosorior> I need to figure out if we're gonna have meetings for inspector, or if I should just push the topics in this security meeting
14:14:50 <mwinandy> #info Currently looking at the Integration projects, trying to identify policy-relevant issues. I'm compiling a document for the issues I find. Then we can discuss what to put on the Int.Sec.Policy
14:14:52 <LukeHinds> maybe could try both, use the security group for incubation, and then if topics merit your own meeting / channel then you can kick it off.
14:15:17 <jaosorior> LukeHinds: sounds like a plan
14:15:36 <mwinandy> #info also found another nice example: Apache WSS4J Security Best Practices. Lists tools-related security guidelines
14:15:59 <LukeHinds> #info Marcel, we need to work on the upstream vulnerbitlies and how deployment teams handle those (generate patches)
14:16:56 <LukeHinds> #info for example, openstack let us know 3-4 days in advance of a pending sec patch, which we will need to work with oscar (deployment projects) to have ready
14:16:58 <mwinandy> Ok, also important, I think
14:18:14 <LukeHinds> sounds good Marcel, just put anything new up on the wiki, you can add to the secure coding page I started
14:18:49 <LukeHinds> ok, i think we can do some inspector chats now?
14:19:04 <mwinandy> Ok
14:19:16 <LukeHinds> #topic inspector discussions
14:20:27 <LukeHinds> #info inspector will use sec group for incubation, until it needs its own time for a dedicated meeting / channel. that way it get the eyes of new members to the group and encourages them to get involved. Plus feedback is available each week (if its needed)
14:20:36 <jaosorior> +1
14:21:23 <LukeHinds> Juan, one point on the ETSI. I agree with mapping to CADF is priority. What I meant was, if you solve something that is a requirement in ETSI we can sing that out as a requirement map.
14:21:41 <LukeHinds> but I agree you would not wan to try to design and develop to fufill both
14:21:45 <jaosorior> I'm not that acquainted with the ETSI requirements yet
14:22:03 <jaosorior> but we should have some session to get what's missing from CADF that's a requirement in ETSI
14:22:22 <jaosorior> one main focus of inspector also will be the attestation of event records
14:22:23 <LukeHinds> I will put those up on the wiki next week. I can think of a few that inspect solves already, but need to read the etsi problem statement again
14:23:13 <LukeHinds> would event records be logged events, such as keystone successful / failed auths etc?
14:23:41 <LukeHinds> what do you foresee as some typical events?
14:23:49 <jaosorior> well, CADF defines Event Records, and there are taxonomies to what actions end up being logged
14:23:58 <jaosorior> there are taxonomies defined already in openstack
14:24:12 <LukeHinds> I see, so its bringing them together
14:24:25 <jaosorior> for instance, these ones: https://github.com/openstack/pycadf/tree/master/etc/pycadf
14:25:06 <jaosorior> so we need to evaluate of those taxonomies are exhaustive enough
14:25:14 <jaosorior> or if we need to extend them, which translate to commits to that repo
14:25:34 <LukeHinds> got you now, understand
14:25:39 <LukeHinds> #link https://github.com/openstack/pycadf/tree/master/etc/pycadf
14:26:16 <LukeHinds> #info inspector will extend openstack taxonomies (above link as examples)
14:26:22 <jaosorior> so, if some component is missing these taxonomies, we need to evaluate it, define them, and push them
14:27:15 <jaosorior> on another instance, we need to figure out a way to test that stuff is actually being audited. So we need to either extend tempest, or figure something else out
14:27:26 <jaosorior> (my main option is tempest)
14:28:08 <LukeHinds> # inspector is needs a means to audit the taxonomies, and favorite is tempest, but still being evaluated.
14:28:21 <LukeHinds> #info inspector is needs a means to audit the taxonomies, and favourite is tempest, but still being evaluated.
14:28:36 <LukeHinds> I don't know tempest, but will make sure I have a look
14:28:47 <jaosorior> I'm looking into it
14:28:48 <jaosorior> also
14:28:55 <jaosorior> ODL lacks support for auditting completely
14:29:26 <LukeHinds> odl?
14:29:33 <jaosorior> OpenDaylight
14:29:54 <LukeHinds> ok
14:30:49 <mwinandy> What about ONOS, do you know?
14:30:53 <jaosorior> but my knowledge about it is lacking, so we need support for that
14:31:16 <jaosorior> so if you guys could get some ODL people on board, would be really useful. I'm also trying on this side to get some people
14:31:49 <jaosorior> mwinandy: I'm not that acquainted with ONOS, will give it a read
14:32:33 <jaosorior> mwinandy: Are you acquainted with the project?
14:32:35 <LukeHinds> #action, try to get more ODL into the group
14:32:59 <mwinandy> Not yet, but colleagues
14:34:23 <jaosorior> mwinandy: I'm not mentioning ONOS in the scope of inspector because: 1. I'm not very acquainted with the project. 2. We are considering only the components that are already in OPNFV, which is mostly OpenStack and ODL.
14:34:50 <LukeHinds> do you need any tools yet? jira / git etc?
14:35:09 <mwinandy> But there is the ONOFW project in opnfv
14:35:11 <LukeHinds> or see if greenlight from TSC first?
14:35:11 <jaosorior> mwinandy: we could take it into account, but for that we would need people with ONOS expertice in the project
14:36:12 <jaosorior> LukeHinds: We don't need Jira or git yet. We first need to define a workflow for inspector. And that should be defined once we get green light from the TSC
14:36:29 <mwinandy> jaosorior: maybe I can find colleagues from the ONOSFW to support
14:37:58 <jaosorior> mwinandy: sure, I can see inspector easily linked with any project related to OPNFV, since auditing is a real need in the industry. So we can take the ETSI requirements. Or create CADF taxonomies for ONOSFW if we have people with experience in that. My main area is OpenStack, so at the moment that's my focus, that's why I'm asking for more ODL people to join
14:38:44 <jaosorior> a lot of the stuff coming out of inspector will be blueprints and bug reports. I guess we might need git at some point, since we might as well generate a report on the state of audit in OpenStack, in addition to the one that already exists, that was made by DMTF
14:39:52 <mwinandy> jaosorior: we have ONOS guys, so I think I can find someone to support. Then Inspector could have both ODL and ONOS. What do you think?
14:40:21 <jaosorior> mwinandy: For me it's not a problem, as long as there are people working on that
14:42:20 <LukeHinds> #info mwinandy suggested including ONOS colleagues to work on ONOS inspector based taxonomies, jaosorior agreed it would be good, as long as people working on it
14:43:40 <LukeHinds> is ONOS based on openflow protocol?
14:45:39 <mwinandy> Plugable southbound, can be OpFlow yes
14:45:52 <LukeHinds> I see, so its the hosting OS
14:46:04 <LukeHinds> k, next topic? or do we have more...
14:46:30 <LukeHinds> #topic any other biz?
14:49:00 <LukeHinds> ok, i think we are done!
14:49:38 <LukeHinds> #info reminder, sign up for the mailing list if you have not already. that way you will see gerrit review tagged alerts.
14:50:05 <LukeHinds> even if you don't contribute, it does not matter, just get in and be a part of it
14:50:36 <mwinandy> I registered, but got no confirmation
14:51:47 <LukeHinds> hmm, send a message to aricg or rpaik
14:51:58 <LukeHinds> i will send a test email, see if you get it
14:52:07 <LukeHinds> ok, thanks all
14:52:16 <mwinandy> Thanks
14:52:16 <LukeHinds> same time, same place, next week!
14:52:22 <LukeHinds> #endmeeting