14:04:59 <LukeHinds> #startmeeting Security Group
14:04:59 <collabot> Meeting started Wed May 27 14:04:59 2015 UTC.  The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:59 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:59 <collabot> The meeting name has been set to 'security_group'
14:05:15 <LukeHinds> #topic Last week's minutes
14:05:35 <LukeHinds> #info Nothing of note! As everyone was @ the summit / vacation!
14:05:50 <LukeHinds> #info just myself and Marcin caught up
14:06:02 <LukeHinds> #topic Agenda Bashing
14:06:07 <LukeHinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:06:28 <LukeHinds> #info mark yourselves down as attended
14:06:43 <jaosorior> done
14:06:49 <jaosorior> aripie, are you around?
14:06:52 <LukeHinds> #info main topics are inspector approval (yay!) and next steps how we can help
14:07:06 <MikeCamel> Is there audio?
14:07:19 <LukeHinds> #info and perhaps the ETSI SEC mapping to OPNFV projs, if we have a volunteer
14:07:22 <jaosorior> MikeCamel: No audio. We switched to IRC-only
14:07:27 <aripie> #info Ari is here, yes
14:07:39 <LukeHinds> #info any additions we wish to make  / amend / adjust?
14:07:42 <MikeCamel> OK.  Kapil Sood (Intel) volunteered to update that page, btw.
14:07:54 <LukeHinds> excellent!
14:08:07 <LukeHinds> let's keep it as a topic then
14:08:08 <jaosorior> MikeCamel: cool! Thanks for the info
14:08:12 <MikeCamel> np
14:08:24 <jaosorior> MikeCamel: Do you know if Kapil Sood will attend this meeting?
14:08:45 <MikeCamel> He has done in the past.  He's online: I'll ping him.
14:09:19 <LukeHinds> shall we give him 2-3 mins see if he wants to join, we are not over stretched agenda / time wise?
14:09:48 <jaosorior> I guess we could
14:09:49 <aripie> sure
14:10:44 <MikeCamel> He's on vacation today, so no.  Sorry.
14:10:51 <LukeHinds> np!
14:10:57 <LukeHinds> #topic Inspector
14:11:17 <jaosorior> #info Inspector has finally been approved as an official OPNFV project
14:11:45 <jaosorior> #info As I mentioned in the mail, I have already asked for a repository and a bug-tracker
14:11:52 <LukeHinds> #info the guys would like to use the security group to align / discuss inspector activities, which was agreed to be a good idea.
14:12:29 <LukeHinds> how do you want to proceed with this juan/ari? should we go next steps > project needs / where we could help?
14:12:55 <aripie> I suppose we need to sanity check the provisional task list first
14:12:57 <jaosorior> We should look into making the material that has been already created by ETSI and CSA into a concrete mapping towards the components we use in OPNFV
14:13:38 <LukeHinds> @aripie - do you have that list available?
14:13:38 <collabot> LukeHinds: Error: "aripie" is not a valid command.
14:13:48 <LukeHinds> is this list available?
14:14:00 <aripie> yes, let's see if I can find it
14:14:15 <LukeHinds> #info jaosorior: We should look into making the material that has been already created by ETSI and CSA into a concrete mapping towards the components we use in OPNFV
14:14:31 <MikeCamel> Kapil is co-rapporteur with Ashutosh Dutta (also active in OPNFV, I think) of SEC008, a work item on security monitoring and management in ETSI NFV which may well be very relevant.
14:14:35 <LukeHinds> #info aripie: provisioning list should be sanity checked
14:14:55 <MikeCamel> Though if inspector is more audit-focused, I'm not sure!
14:15:23 <jaosorior> MikeCamel: It is a possibility that we could help provisioning the data that they need
14:15:36 <LukeHinds> it could be a case that inspector is the vessel to make sure the security events are made available from the vim (openstack) or network (onf)
14:15:37 <MikeCamel> I guess you should talk.  :-)
14:15:53 <jaosorior> MikeCamel: Can you help out to bring them to the next Security Group's meeting?
14:16:11 <LukeHinds> #info inspector can be used for SEC008, a work item on security monitoring and management in ETSI NFV which may well be very relevant.
14:16:27 <MikeCamel> Kapil is planning to be at the next one - he's on vacation today.  Ashutosh isn't Intel - he's AT&T, I think.
14:16:40 <LukeHinds> I can contact ashutosh
14:16:50 <jaosorior> LukeHinds: Excellent
14:16:51 <MikeCamel> @LukeHinds - it may be that the SEC008 may inform the work in Inspector.
14:16:51 <collabot> MikeCamel: Error: "LukeHinds" is not a valid command.
14:17:00 <LukeHinds> #action Kapil to attend next SEC group to discuss SEC008 and inspector
14:17:19 <LukeHinds> #action Luke to contact Ashutosh to perform the same.
14:17:53 <LukeHinds> So that is some good interwork planned already.
14:18:02 <LukeHinds> Who else do we need to reach out to Juan?
14:18:19 <LukeHinds> I know someone at OPF if that helps?
14:18:21 <LukeHinds> security guy
14:18:44 <LukeHinds> and Ari too..
14:18:56 <jaosorior> OPF?
14:19:04 <LukeHinds> ONF
14:19:05 <LukeHinds> :)
14:19:18 <LukeHinds> open networking foundation
14:19:33 <aripie> yes, ONF security contact would be great to have
14:19:53 <jaosorior> Indeed
14:20:14 <jaosorior> the way I see it, there will be three main activities:
14:20:14 <LukeHinds> #action Luke to contact ONF about inspector project
14:21:35 <jaosorior> * Proactively monitor the components (such as OpenStack) to see that the relevant events in the system (such as requests taken in the services) are properly emitted (logged)
14:22:11 <aripie> #link https://etherpad.opnfv.org/p/inspector_preliminary
14:22:22 <jaosorior> * Align with relevant institutions (such as ETSI) in order to have their requirements and use-cases be mapped in a concrete way with the actual services we are using in OPNFV
14:22:34 <aripie> there is a task list among other preliminary considerations
14:23:14 <jaosorior> * Respond to bug-reports (and properly implement them in the components upstream), which will be filed when we figure out there is something missing or when our shareholders report they need more information for a certain use-case
14:23:31 <LukeHinds> #info three main activities:
14:23:42 <LukeHinds> #info Proactively monitor the components (such as OpenStack) to see that the relevant events in the system (such as requests taken in the services) are properly emitted (logged)
14:23:44 <jaosorior> but that link describes what I just wrote too :P
14:23:56 <LukeHinds> #info Align with relevant institutions (such as ETSI) in order to have their requirements and use-cases be mapped in a concrete way with the actual services we are using in OPNFV
14:24:03 <LukeHinds> #info Respond to bug-reports (and properly implement them in the components upstream), which will be filed when we figure out there is something missing or when our shareholders report they need more information for a certain use-case
14:24:19 <LukeHinds> #info all covered in the following #link https://etherpad.opnfv.org/p/inspector_preliminary
14:24:29 <LukeHinds> sorry, I got going so finished off :)
14:24:50 <aripie> so any comments on the info in the link is welcome!
14:24:54 <LukeHinds> So the first one sounds like it has the largest scope?
14:25:02 <jaosorior> Indeed
14:25:18 <jaosorior> This will be documented in the repo
14:25:36 <jaosorior> So, the idea for the repo is for it to contain mostly two things:
14:25:41 <LukeHinds> Have you defined the monitoring mechanisms / frameworks?
14:25:57 <LukeHinds> Like a common format, I guess that would be CADF?
14:26:09 <aripie> yes, CADF would be the primary
14:26:25 <aripie> we are considering translators to/from other formats
14:26:48 <jaosorior> documentation relevant to the project: e.g. what frameworks already exist in the components and what they provide; the reports that we generate on the state of the components
14:27:16 <jaosorior> and also the repo will contain tracking of the upstream fixes (or features if necessary)
14:27:49 <jaosorior> for OpenStack CADF is mostly taken into account, as it's already being used and there is support and acceptance for it already in the community
14:28:43 <LukeHinds> If CADF is not present in a project, what would the next candidate be? Perhaps log parsing, or snmp traps? that sort of thing...
14:29:14 <aripie> post-processing of the audit data for monitoring  (other than potential format translation) or triggering activities is not in scope at least as of yet
14:29:44 <aripie> I suppose log handling/analysis might overlap with other projects
14:30:06 <LukeHinds> Let's do mock engagement with another project..
14:30:10 <LukeHinds> help me understand.
14:30:23 <jaosorior> Moon project is supposed to have some monitoring in scope. That's why I want to collaborate with them
14:30:35 <LukeHinds> we approach ONF to introduce audit events
14:30:45 <MikeCamel> I think that Moon is more likely to be relevant to the ETSI work item I mentioned, tbh.
14:31:08 <jaosorior> MikeCamel: That is most likely the case
14:31:09 <LukeHinds> would the expectation be that they would raise the events using CADF?
14:31:57 <jaosorior> The expectation is that, for instance, Moon would be reading events out of the event collector (which are in CADF form)
14:32:32 <jaosorior> While we make sure that the relevant events are actually emitted (which is not always the case) and that the right information is available (which is not the case and we need to fix this)
14:33:05 <aripie> From ONF components the audit events in CADF would be preferred
14:33:58 <LukeHinds> so the 'event collector'? Ceilometer, who would that be?
14:34:06 <jaosorior> LukeHinds: yes
14:34:13 <LukeHinds> ahh ok
14:34:30 <LukeHinds> I have the end2end picture now
14:35:06 <LukeHinds> but it could be another system, anyone who develops a service to accept the CADF events?
14:35:15 <aripie> absolutely
14:35:19 <jaosorior> For instance, in the identity component in OpenStack (Keystone) if a user authenticates, we know that there is relevant info in the audit event. However, if a user now tries to assign a role, information such as who was the initiator of the event is missing. This is the kind of stuff we need to fix
14:35:39 <jaosorior> LukeHinds: yes
14:35:46 <LukeHinds> understand
14:36:17 <aripie> the consumer of the audit data can be any other system that eats CADF
14:36:18 <jaosorior> So, if this type of information is missing, then the event is worthless as no proper monitoring can be done
14:36:53 <LukeHinds> i see now, thx
14:37:58 <LukeHinds> Any other candidates outside of openstack / onf?
14:38:18 <LukeHinds> kvm / qemu as an example?
14:38:21 <aripie> odl
14:38:46 <jaosorior> LukeHinds: I'm trying to get committers that will work with OpenDaylight, but since they have a release, we need to wait for things to get less hectic
14:38:48 <LukeHinds> I guess nova, instead of kvm/qemu
14:39:23 <LukeHinds> understand
14:39:33 <jaosorior> yes, one should be able to get proper information about the hypervisor from Nova. Evaluating if this is possible, and if this information is appropriate is part of the first task I mentioned
14:40:09 <jaosorior> Same goes for Neutron, one should be able to poll the underlying backends in Neutron. This could help generating a proper topology report
14:40:18 <LukeHinds> neutron as well at a guess, security groups, keys etc.
14:40:30 <LukeHinds> double send :)
14:41:02 <jaosorior> LukeHinds: Exactly
14:41:40 <LukeHinds> very useful!
14:41:51 <jaosorior> Now, hopefully we can get the people set as "contributors" to attend the next meeting, so we can map what people can do and actually start dividing tasks
14:42:36 <jaosorior> In the meantime, I'll work on getting that repo and bug-tracker (hopefully linux foundation will answer soon) and will set up a proper structure for the documentation to live in the repo
14:43:22 <LukeHinds> I will do an update at the TSC soon and re-introduce the group and inspector to all, encourage people to come along
14:43:35 <jaosorior> LukeHinds: Good idea
14:43:37 <LukeHinds> you can put me as a contributor
14:43:59 <jaosorior> LukeHinds: You're already there ;)
14:44:14 <jaosorior> #link https://wiki.opnfv.org/requirements_projects/inspector
14:44:15 <LukeHinds> and hopefully I will know my resource utilization better soon, but I guess I am already contributing by helping get discussions going.
14:44:25 <LukeHinds> ok good
14:44:52 <aripie> sure, getting the contacts is good contribution
14:45:28 <LukeHinds> so what's your target for next week's meeting? you said about task assignment, so will you start to scope out work items?
14:47:29 <jaosorior> LukeHinds: yeah. We will start focusing on specific components
14:47:49 <LukeHinds> sounds good to me.
14:48:17 <LukeHinds> #action juan/ari to start listing specific components / work items for committers / contributors
14:48:34 <jaosorior> alright! Any other questions/comments?
14:48:52 <LukeHinds> not from me now, I have a good picture.....anyone else.....
14:49:38 <jaosorior> alright. Anything else on the agenda for the sec-group meeting?
14:50:09 <LukeHinds> that's it now, we already worked out the ETSI stuff and I will get in touch with the ODL guy I know
14:50:14 <LukeHinds> we have those as actions
14:50:35 <LukeHinds> I won't end yet, will let it run to capture any late questions.
14:50:56 <aripie> ok, standing by
14:56:35 <LukeHinds> ok, I guess we are done. Thanks guys, very informative and a great project I look forward to its progress and hope to help out as much as I can.
14:56:47 <LukeHinds> #endmeeting