14:00:26 <LukeHinds> #startmeeting Security Group
14:00:26 <collabot> Meeting started Wed Apr 22 14:00:26 2015 UTC. The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:26 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:00:26 <collabot> The meeting name has been set to 'security_group'
14:01:00 <jaosorior> LukeHinds: where was the agenda again?
14:01:54 <LukeHinds> #info https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:44 <LukeHinds> #info Luke is a prize idiot, reinstalled OS and has forgotten the username for gotomeeting as it was in browser cache. We will need to instead do this over IRC, sorry *
14:03:02 <jaosorior> LukeHinds: thought it was agreed before that it was gonna be from IRC now :/
14:03:03 <LukeHinds> #topic agree agenda
14:03:21 <LukeHinds> It was, but would do a few with voice until the message got through
14:03:28 <LukeHinds> but I guess we can start from now :)
14:03:29 <jaosorior> oh, alright
14:03:35 <jaosorior> yeah, I'm planning to only join from IRC
14:03:41 <LukeHinds> makes sense
14:03:53 <LukeHinds> #info anyone want to add to the agenda at all?
14:04:30 <LukeHinds> any inspector stuff Juan?
14:04:31 <jaosorior> noup
14:04:33 <jaosorior> ah
14:04:35 <jaosorior> regarding that
14:04:42 <LukeHinds> yup
14:04:45 <jaosorior> we hope we get a review for that tomorrow from the TSC
14:04:53 <jaosorior> so then we get green light to start
14:04:57 <LukeHinds> sounds good!
14:05:07 <LukeHinds> I am aligning internally to see if I can help out
14:05:13 <jaosorior> We were gonna bring it up last Thursday but the meeting ran out of time
14:05:24 <LukeHinds> #info Inspector will hopefully get a review for that tomorrow from the TSC
14:05:50 <LukeHinds> understood, good luck, but it sounds solid to me
14:05:54 <mwinandy> Me too (also trying to find people to help with Inspector)
14:05:58 <LukeHinds> #agree agenda
14:06:09 <jaosorior> I have several propositions which involve some good work
14:06:14 <LukeHinds> #topic last minutes? (not much there)
14:06:20 <jaosorior> will bring them up after we get green light from TSC
14:06:31 <LukeHinds> look forward to hearing them!
14:06:46 <LukeHinds> #agree last minutes
14:07:19 <LukeHinds> #topic work item updates
14:07:27 <LukeHinds> I can go first here
14:09:05 <LukeHinds> #info Jira has been updated so that we can raise security bugs, which are not public (only a member of the osvm / security group and the proj lead / lead committer can see). We just need to test this a bit more. I have not been pushing the guys at the Linux Foundation much though as they are super busy with first release stuff at the same time. But progress
14:09:05 <LukeHinds> is being made. I expect I will bring it all together next week so it can be put in front of the TSC
14:09:34 <LukeHinds> #info Need some members of the group who can read code to join to help handle vulnerabilities as and when they happen
14:09:47 <LukeHinds> #info I don't foresee it being very busy / much of a time sink
14:10:12 <LukeHinds> #info I also am working still on putting up the page to map to ETSI requirements.
14:10:51 <LukeHinds> #info we can do this with Inspector which might be nice. So for every ETSI requirement that is present in Inspector we can show the relation, if that makes sense?
14:11:21 <mwinandy> Yes, sounds good.
14:11:32 <jaosorior> LukeHinds: it makes sense
14:11:54 <LukeHinds> #info good, so I will get onto that next week I hope. Been a bit busy this week with other stuff on my desk.
14:12:18 <LukeHinds> Marcel, do you want to update on your work item?
14:12:32 <jaosorior> at the moment the main focus is to push for CADF, but if there are specific requirements or suggestions from ETSI, that would be taken into account
14:12:37 <mwinandy> Yes I can a little
14:12:49 <LukeHinds> #info marcel
14:12:59 <LukeHinds> Juan, let's come back to that, it's interesting
14:13:48 <jaosorior> I need to figure out if we're gonna have meetings for Inspector, or if I should just push the topics in this security meeting
14:14:50 <mwinandy> #info Currently looking at the Integration projects, trying to identify policy-relevant issues. I'm compiling a document for the issues I find. Then we can discuss what to put on the Int.Sec.Policy
14:14:52 <LukeHinds> maybe could try both, use the security group for incubation, and then if topics merit your own meeting / channel then you can kick it off.
14:15:17 <jaosorior> LukeHinds: sounds like a plan
14:15:36 <mwinandy> #info also found another nice example: Apache WSS4J Security Best Practices. Lists tools-related security guidelines
14:15:59 <LukeHinds> #info Marcel, we need to work on the upstream vulnerabilities and how deployment teams handle those (generate patches)
14:16:56 <LukeHinds> #info for example, OpenStack lets us know 3-4 days in advance of a pending sec patch, which we will need to work with Oscar (deployment projects) to have ready
14:16:58 <mwinandy> Ok, also important, I think
14:18:14 <LukeHinds> sounds good Marcel, just put anything new up on the wiki, you can add to the secure coding page I started
14:18:49 <LukeHinds> ok, I think we can do some Inspector chats now?
14:19:04 <mwinandy> Ok
14:19:16 <LukeHinds> #topic inspector discussions
14:20:27 <LukeHinds> #info Inspector will use the sec group for incubation, until it needs its own time for a dedicated meeting / channel. That way it gets the eyes of new members to the group and encourages them to get involved. Plus feedback is available each week (if it's needed)
14:20:36 <jaosorior> +1
14:21:23 <LukeHinds> Juan, one point on the ETSI. I agree with mapping to CADF is priority. What I meant was, if you solve something that is a requirement in ETSI we can sing that out as a requirement map.
14:21:41 <LukeHinds> but I agree you would not want to try to design and develop to fulfill both
14:21:45 <jaosorior> I'm not that acquainted with the ETSI requirements yet
14:22:03 <jaosorior> but we should have some session to get what's missing from CADF that's a requirement in ETSI
14:22:22 <jaosorior> one main focus of Inspector also will be the attestation of event records
14:22:23 <LukeHinds> I will put those up on the wiki next week. I can think of a few that Inspector solves already, but need to read the ETSI problem statement again
14:23:13 <LukeHinds> would event records be logged events, such as Keystone successful / failed auths etc?
14:23:41 <LukeHinds> what do you foresee as some typical events?
14:23:49 <jaosorior> well, CADF defines Event Records, and there are taxonomies to what actions end up being logged
14:23:58 <jaosorior> there are taxonomies defined already in OpenStack
14:24:12 <LukeHinds> I see, so it's bringing them together
14:24:25 <jaosorior> for instance, these ones: https://github.com/openstack/pycadf/tree/master/etc/pycadf
14:25:06 <jaosorior> so we need to evaluate if those taxonomies are exhaustive enough
14:25:14 <jaosorior> or if we need to extend them, which translates to commits to that repo
14:25:34 <LukeHinds> got you now, understand
14:25:39 <LukeHinds> #link https://github.com/openstack/pycadf/tree/master/etc/pycadf
14:26:16 <LukeHinds> #info Inspector will extend OpenStack taxonomies (above link as examples)
14:26:22 <jaosorior> so, if some component is missing these taxonomies, we need to evaluate it, define them, and push them
14:27:15 <jaosorior> on another instance, we need to figure out a way to test that stuff is actually being audited. So we need to either extend Tempest, or figure something else out
14:27:26 <jaosorior> (my main option is Tempest)
14:28:08 <LukeHinds> # Inspector needs a means to audit the taxonomies, and favorite is Tempest, but still being evaluated.
14:28:21 <LukeHinds> #info Inspector needs a means to audit the taxonomies, and favourite is Tempest, but still being evaluated.
14:28:36 <LukeHinds> I don't know Tempest, but will make sure I have a look
14:28:47 <jaosorior> I'm looking into it
14:28:48 <jaosorior> also
14:28:55 <jaosorior> ODL lacks support for auditing completely
14:29:26 <LukeHinds> odl?
14:29:33 <jaosorior> OpenDaylight
14:29:54 <LukeHinds> ok
14:30:49 <mwinandy> What about ONOS, do you know?
14:30:53 <jaosorior> but my knowledge about it is lacking, so we need support for that
14:31:16 <jaosorior> so if you guys could get some ODL people on board, would be really useful.
I'm also trying on this side to get some people
14:31:49 <jaosorior> mwinandy: I'm not that acquainted with ONOS, will give it a read
14:32:33 <jaosorior> mwinandy: Are you acquainted with the project?
14:32:35 <LukeHinds> #action, try to get more ODL into the group
14:32:59 <mwinandy> Not yet, but colleagues
14:34:23 <jaosorior> mwinandy: I'm not mentioning ONOS in the scope of Inspector because: 1. I'm not very acquainted with the project. 2. We are considering only the components that are already in OPNFV, which is mostly OpenStack and ODL.
14:34:50 <LukeHinds> do you need any tools yet? Jira / git etc?
14:35:09 <mwinandy> But there is the ONOSFW project in OPNFV
14:35:11 <LukeHinds> or see if green light from TSC first?
14:35:11 <jaosorior> mwinandy: we could take it into account, but for that we would need people with ONOS expertise in the project
14:36:12 <jaosorior> LukeHinds: We don't need Jira or git yet. We first need to define a workflow for Inspector. And that should be defined once we get green light from the TSC
14:36:29 <mwinandy> jaosorior: maybe I can find colleagues from the ONOSFW to support
14:37:58 <jaosorior> mwinandy: sure, I can see Inspector easily linked with any project related to OPNFV, since auditing is a real need in the industry. So we can take the ETSI requirements. Or create CADF taxonomies for ONOSFW if we have people with experience in that. My main area is OpenStack, so at the moment that's my focus, that's why I'm asking for more ODL people to join
14:38:44 <jaosorior> a lot of the stuff coming out of Inspector will be blueprints and bug reports. I guess we might need git at some point, since we might as well generate a report on the state of audit in OpenStack, in addition to the one that already exists, that was made by DMTF
14:39:52 <mwinandy> jaosorior: we have ONOS guys, so I think I can find someone to support. Then Inspector could have both ODL and ONOS. What do you think?
14:40:21 <jaosorior> mwinandy: For me it's not a problem, as long as there are people working on that
14:42:20 <LukeHinds> #info mwinandy suggested including ONOS colleagues to work on ONOS Inspector-based taxonomies, jaosorior agreed it would be good, as long as people are working on it
14:43:40 <LukeHinds> is ONOS based on the OpenFlow protocol?
14:45:39 <mwinandy> Pluggable southbound, can be OpenFlow yes
14:45:52 <LukeHinds> I see, so it's the hosting OS
14:46:04 <LukeHinds> k, next topic? or do we have more...
14:46:30 <LukeHinds> #topic any other biz?
14:49:00 <LukeHinds> ok, I think we are done!
14:49:38 <LukeHinds> #info reminder, sign up for the mailing list if you have not already. That way you will see Gerrit review tagged alerts.
14:50:05 <LukeHinds> even if you don't contribute, it does not matter, just get in and be a part of it
14:50:36 <mwinandy> I registered, but got no confirmation
14:51:47 <LukeHinds> hmm, send a message to aricg or rpaik
14:51:58 <LukeHinds> I will send a test email, see if you get it
14:52:07 <LukeHinds> ok, thanks all
14:52:16 <mwinandy> Thanks
14:52:16 <LukeHinds> same time, same place, next week!
14:52:22 <LukeHinds> #endmeeting