13:59:10 <LukeHinds> #startmeeting Security Group
13:59:10 <collabot> Meeting started Wed Apr 29 13:59:10 2015 UTC.  The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:59:10 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:59:10 <collabot> The meeting name has been set to 'security_group'
13:59:23 <LukeHinds> Let's see how many we get :)
14:01:08 <LukeHinds> #topic Agenda (nothing fixed for this month)
14:03:39 <LukeHinds> #agreed agenda
14:03:58 <LukeHinds> #agreed last minutes
14:04:05 <LukeHinds> #topic work items
14:05:10 <LukeHinds> #info Not much of an update from me *. Aric has set up the sec group permissions and I need to get in contact with him. I have been a bit busy internally these past few days, but will get onto that tomorrow I hope.
14:05:34 <LukeHinds> #info any others want to update?
14:06:16 <mwinandy_> yep, short update
14:06:29 <LukeHinds> ok, I think this will be a short meeting this week, which is ok.
14:06:38 <LukeHinds> sorry...go for it marcel
14:07:42 <mwinandy_> #info Worked on outline of int.security policy to integrate reporting of security issues and the SecurityImpact flagging in gerrit/Jira. Needs to be polished yet.
14:08:04 <LukeHinds> sounds good thanks!
14:08:22 <mwinandy_> #info For those projects that use VM images I think this is useful to include/reference: Center for Internet Security (CIS) benchmarks http://benchmarks.cisecurity.org/downloads/benchmarks/
14:08:33 <mwinandy_> #link http://benchmarks.cisecurity.org/downloads/benchmarks/
14:09:24 <mwinandy_> #info CIS benchmarks give advice on how to configure, e.g., RedHat or CentOS instances when using them as VM images
14:09:27 <LukeHinds> do they have specifics around VMI' handling?
14:09:35 <LukeHinds> got you :)
14:10:11 <LukeHinds> #info feel free to put these on the wiki
14:10:15 <mwinandy_> which is in principle similar to using it on a box (e.g., close unused doors) :)
14:10:58 <mwinandy_> #info current draft structure is on etherpad. Please feel free to comment
14:11:18 <mwinandy_> #link https://etherpad.opnfv.org/p/int-sec-policies
14:11:22 <mwinandy_> finish. L)
14:13:22 <LukeHinds> #info looks good (etherpad), but be mindful you have overlap with the secure coding guidelines, better to put your links in there and reference the secure coding page from the int-sec-policies
14:13:58 <mwinandy_> yes, will do (still "legacy content" there :)
14:14:07 <LukeHinds> #info General Policies for OPNFV Development Infrastructure -> https://wiki.opnfv.org/security/securecode
14:14:34 <LukeHinds> #info mwinandy_> yes, will do (still "legacy content" there :)   -> understood
14:14:52 <LukeHinds> ok, I think we might be done? @jaosorior are you there?
14:15:19 <jaosorior> LukeHinds: hey
14:15:37 <LukeHinds> hey, not sure if you want to say anything, if not that's fine as well
14:15:58 <jaosorior> LukeHinds: Not much, unless you brought some ETSI people here. We talked last week about aligning with them
14:16:12 <jaosorior> in regards to audit
14:16:36 <LukeHinds> No, I was hoping ashutosh would be here, but he is not. Same for Mike Burshall.
14:16:48 <LukeHinds> Maybe next week, I will drop him an email as well.
14:16:54 <aripie> #info inspector: expecting to have a discussion tomorrow in the proposed projects agenda point
14:17:11 <LukeHinds> I will try to make sure I attend
14:17:16 <aripie> #info any comments on the proposal - any further information you would want to get included?
14:18:04 <jaosorior> aripie: Not from my side. Does anybody else think there should be something else included in the proposal?
14:18:20 <LukeHinds> it looks good to me, I think I will have more contributions and feedback as the functional design starts to get fleshed out.
14:18:55 <LukeHinds> #info I can see the gap is there, and you have a good scope to start the project off
14:18:56 <mwinandy_> yes
14:19:10 <LukeHinds> gap = need
14:19:18 <aripie> ok let's take the discussion tomorrow and see who will get on board
14:19:21 <mwinandy_> #info Is there any concern about protecting log/audit data integrity in the Inspector project?
14:20:22 <jaosorior> mwinandy_: that is already included in the project proposal
14:20:42 <mwinandy_> good! :)
14:20:57 <jaosorior> do you need the link to it?
14:21:13 <mwinandy_> if you have, would appreciate
14:21:31 <jaosorior> #link https://wiki.opnfv.org/requirements_projects/inspector
14:22:14 <jaosorior> mwinandy_: It's part of the scope. But before that we must tackle several problems first:
14:22:41 <LukeHinds> #info do you have any initial plans on how the data / events will be rendered?
14:22:51 <jaosorior> 1) There is already an audit initiative in OpenStack which pushes for CADF. That is fine, but we need to make sure it meets our requirements, so we need to align with ETSI too.
14:23:20 <jaosorior> 2) Even though there is already an audit initiative, there is no way of doing system/functional tests with it, so we need to enable testing the auditing in tempest
14:23:53 <jaosorior> 3) OpenDayLight has no audit capabilities whatsoever, so we need to come up with requirements for that, and get people actually writing those
14:24:38 <LukeHinds> #info I will make sure I start to populate this #link https://wiki.opnfv.org/security/upstream/etsi as I already have a little insight into ETSI
14:26:10 <jaosorior> 4) Ceilometer, which will eventually digest the audit logs in OpenStack, has ...some... integrity protection for the events (some of which are actually audit events). But that has proven to have serious performance problems. So we need to come up with an alternative solution that meets performance needs, and enables some integrity checks, before actually
14:26:11 <jaosorior> going into the audit log integrity, which is even more performance intensive (at least how I've envisioned it)
14:26:33 <jaosorior> So there's a lot of work coming, it's gonna be fun :P
14:27:52 <LukeHinds> sure sounds it, I will be honest, I have no idea how you would integrity check something dynamic such as a log
14:28:41 <jaosorior> LukeHinds: If you want, one of these days I can have a session on how audit currently works in OpenStack
14:28:54 <LukeHinds> that would be very useful thanks
14:29:12 <jaosorior> LukeHinds: The current proposal is to push for the CADF framework, which is the one used in OpenStack. So hopefully we can use that too in OpenDayLight
14:30:20 <mwinandy_> LukeHinds: well, maybe instead of checking there could be some enforcement to only append, and then checking that the enforcement works
14:30:57 <jaosorior> At least CADF would be a lot easier to push forward, since it already is accepted in OpenStack, so only thing we might need to do is extend it. And since there is no auditing in OpenDayLight, sounds to me like they would like to use something that's already supported by the rest
14:31:52 <LukeHinds> #info I just found this that looks like worth a watch #link https://www.openstack.org/summit/openstack-summit-atlanta-2014/session-videos/presentation/an-overview-of-cloud-auditing-support-for-openstack
14:32:43 <jaosorior> LukeHinds: I didn't see that in the summit, but I'll give it a look and could point you out stuff that has been outdated, and how it works now (if any)
14:33:28 <LukeHinds> sounds good. "We will finish by presenting some possible future directions such as extending the use of CADF beyond audit to facilitate event correlation and federation across multiple tiers. "
14:34:05 <jaosorior> not sure if CADF is used for anything else at the moment in OpenStack
14:34:49 <jaosorior> well... by not sure I'm pretty sure it isn't used for anything else... yet
14:36:16 <jaosorior> but I guess we need something more standard than CADF as a final format. So I'm thinking we're gonna end up writing a CADF->syslog translator or something of the sort. If someone has a hard requirement on that
14:37:49 <jaosorior> Anyway, please bring people that could have useful input, so we can all align on this
14:38:22 <LukeHinds> agree, I will study up and try to make some input
14:38:29 <jaosorior> I think auditing is something we all need, and as much input as we can get, and even hands-on help, the better
14:40:00 <jaosorior> anyway
14:40:11 <jaosorior> any other questions?
14:40:13 <LukeHinds> what projects do you see the initial focus on..keystone / barbican / nova?
14:40:40 <LukeHinds> or which have the most interesting events
14:40:54 <jaosorior> LukeHinds: the projects that will mostly be our focus will be Ceilometer (the collector of audit events) and keystonemiddleware (the one that actually calls the CADF framework to generate audit events)
14:41:05 <jaosorior> so that's the hands-on work in OpenStack
14:41:25 <jaosorior> now, other than that, we need to make sure that all the components used in OPNFV are properly audited
14:41:40 <jaosorior> so we need to evaluate the actions that they can take, get proper requirements on what info we need
14:41:58 <jaosorior> and then, properly test that the audit events actually contain what we need (which translated to writing a test in tempest)
14:42:35 <LukeHinds> ok, I am getting a better picture now. I think a session from you would be very useful. do you want to do that during a sec meeting?
14:42:46 <jaosorior> I can do that, sure
14:42:54 <LukeHinds> we can also send out an email to tech-discuss to encourage the other projects to join.
14:43:24 <LukeHinds> it's in their interest and they could also help define the CADF values for their project
14:44:00 <LukeHinds> would next Wednesday be ok?
14:44:14 <jaosorior> that's alright with me
14:44:30 <jaosorior> right now the next step is to get the approval to start working, which hopefully will come tomorrow from the TSC
14:44:40 <jaosorior> we are in the agenda for tomorrow's meeting
14:44:47 <jaosorior> and then we can start actually writing action points
14:44:53 <jaosorior> or tasks
14:45:56 <LukeHinds> ok, so shall we hold the presentation until tomorrow
14:46:20 <jaosorior> lets do that
14:46:21 <LukeHinds> then if we get approval (which will happen) it adds weight to getting others interested
14:46:27 <jaosorior> exactly
14:46:32 <LukeHinds> sounds good
14:48:04 <LukeHinds> #agreed pending approval on inspector, jaosorior will present an overview of auditing in openstack. we will push out an email encouraging other projects to attend, as they will be candidates for auditing events using the CADF framework.
14:48:48 <LukeHinds> #agree preliminary date of 6/5 (Wednesday)
14:49:15 <LukeHinds> ashutosh has been emailing me, he had been trying to join
14:50:35 <LukeHinds> Hi, ashutosh, you made it :)
14:50:49 <LukeHinds> we are winding down now, but feel free to say anything you have in mind
14:51:06 <AShutosh> Finally, how do I get the audio, sorry, I have been trying the WebMeeting for last two weeks:)
14:51:14 <LukeHinds> we were discussing inspector, which goes forward for approval tomorrow
14:51:30 <LukeHinds> we have stopped using audio for now, and just IRC
14:51:30 <AShutosh> Where is the document?
14:51:50 <LukeHinds> #link https://wiki.opnfv.org/requirements_projects/inspector
14:51:51 <AShutosh> How do I read the document?
14:52:24 <AShutosh> OK let me look at it, I need to get used to IRC mode of communication have not used for a while, used to jabber etc
14:52:44 <AShutosh> OK, thanks for the link
14:53:13 <LukeHinds> anything new happening on the moon project?
14:56:37 <AShutosh> What else did we discuss today?
14:57:11 <AShutosh> I missed the whole meeting it looks like
14:57:59 <AShutosh> Where do we send the requirements of Inspector for the approval
14:58:17 <LukeHinds> other discussions were on the work items, one of interest to you was the etsi wiki page
14:58:41 <LukeHinds> you can make requirements in here, or jaosorior: do you have an etherpad?
14:58:57 <AShutosh> Any sort of collaboration happening around ETSI/NFV spec?
14:59:34 <LukeHinds> this is where we plan to put the etsi standards and map them to opnfv projects https://wiki.opnfv.org/security/upstream/etsi
14:59:42 <jaosorior> no etherpad yet, before I wanted to get approval from the TSC
15:00:02 <LukeHinds> the inspector team are also interested in having someone from etsi see where compliance can be mapped as well
15:00:03 <jaosorior> which happens tomorrow, hopefully
15:01:20 <AShutosh> Inspector is an Ericsson proposal, I would encourage them to look at ETSI documents also, I can perhaps communicate with them
15:02:39 <jaosorior> AShutosh: Yes, the plan is to get alignment with ETSI, as was mentioned earlier
15:02:50 <aripie> AShutosh: yes, we are grateful for any input
15:03:22 <aripie> I have checked through all the ETSI public papers
15:03:40 <LukeHinds> can I hash an action here for you ashutosh to review and suggest additions?
15:03:54 <jaosorior> sure
15:04:35 <LukeHinds> #action after inspector approval, a etherpad will be put up and emailed out
15:05:01 <LukeHinds> #action ashutosh to review and suggest additions with the view from the etsi sec group (within etherpad)
15:05:05 <AShutosh> Let me review the requirement document
15:05:29 <LukeHinds> of course, but to have requirements from you as an operator with needs, is very useful!
15:05:35 <LukeHinds> we are all vendors :)
15:06:25 <LukeHinds> it's a good opportunity to input requirement needs into opnfc
15:06:28 <LukeHinds> *opnfv
15:07:06 <mwinandy_> (opnfc would also be an interesting project... *g*)
15:07:33 <AShutosh> I assume this is all with respect to Inspector document, right?
15:07:39 <LukeHinds> ok, we are over an hour. I will hash end the meeting, but that does not mean discussion needs to stop. we can talk when we like 24/7
15:07:44 <LukeHinds> ashutosh, yes
15:07:51 <LukeHinds> but the same for anything security related
15:08:00 <AShutosh> OK,
15:08:05 <LukeHinds> you can either email tech-discuss
15:08:09 <LukeHinds> drop in here
15:08:17 <LukeHinds> or ask for time on the next meeting
15:08:29 <AShutosh> OK, what is the mailing list?
15:09:08 <LukeHinds> just use the main one and it will place [opnfv-sec] in the subject
15:09:58 <LukeHinds> #info - not sure if everyone has done it, but they have filters set up on the mailing list system, you might need to add security
15:10:16 <LukeHinds> ok, I got to go, but feel free to keep chatting folks!
15:10:19 <LukeHinds> #endmeeting