13:59:10 <LukeHinds> #startmeeting Security Group 13:59:10 <collabot> Meeting started Wed Apr 29 13:59:10 2015 UTC. The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:59:10 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic. 13:59:10 <collabot> The meeting name has been set to 'security_group' 13:59:23 <LukeHinds> Lets see how many we get :) 14:01:08 <LukeHinds> #topic Agenda (nothing fixed for this month) 14:03:39 <LukeHinds> #agreed agenda 14:03:58 <LukeHinds> #agreed last minutes 14:04:05 <LukeHinds> #topic work items 14:05:10 <LukeHinds> #info Not much of an update from me *. Aric has set up the sec group permissions and I need to get in contact with him. I have been a bit busy internally these past few days, but will get onto that tomorrow I hope. 14:05:34 <LukeHinds> #info any others want to update? 14:06:16 <mwinandy_> yep, short update 14:06:29 <LukeHinds> ok, i think this will be a short meeting this week, which is ok. 14:06:38 <LukeHinds> sorry...go for it marcel 14:07:42 <mwinandy_> #info Worked on outline of int.security policy to integrate reporting of security issues and the SecurityImpact flagging in gerrit/Jira. Needs to be polished yet. 14:08:04 <LukeHinds> sounds good thanks! 14:08:22 <mwinandy_> #info For those projects that use VM images I think this is useful to include/reference: Center for Internet Security (CIS) benchmarks http://benchmarks.cisecurity.org/downloads/benchmarks/ 14:08:33 <mwinandy_> #link http://benchmarks.cisecurity.org/downloads/benchmarks/ 14:09:24 <mwinandy_> #info CIS benchmarks gives advice how to configure, e.g., RedHat or Centos instances when using them as VM images 14:09:27 <LukeHinds> do they have specifics around VMI' handling? 14:09:35 <LukeHinds> got you :) 14:10:11 <LukeHinds> #info feel free to put these on the wiki 14:10:15 <mwinandy_> which is in principle similar to using it on a box (e.g., close unused doors) :) 14:10:58 <mwinandy_> #info current draft structure is on etherpad. Please feel free to comment 14:11:18 <mwinandy_> #link https://etherpad.opnfv.org/p/int-sec-policies 14:11:22 <mwinandy_> finish. L) 14:13:22 <LukeHinds> #info looks good (etherpad), but be mindful you have overlap with the secure coding guidelines, better to put your links in there and reference the secure coding page from the int-sec-policies 14:13:58 <mwinandy_> yes, will do (still "legacy content" there :) 14:14:07 <LukeHinds> #info General Policies for OPNFV Development Infrastructure -> https://wiki.opnfv.org/security/securecode 14:14:34 <LukeHinds> #info mwinandy_> yes, will do (still "legacy content" there :) -> understood 14:14:52 <LukeHinds> ok, I think we might be done? @jaosorior are you there? 14:15:19 <jaosorior> LikeHinds: hey 14:15:37 <LukeHinds> hey, not sure if you want to say anything, if not that's fine as well 14:15:58 <jaosorior> LukeHinds: Not much, unless you brought some ETSI people here. We talked last week about aligning with them 14:16:12 <jaosorior> in regards to audit 14:16:36 <LukeHinds> No, I was hoping ashutosh would be here, but he is not. Same for Mike Burshall. 14:16:48 <LukeHinds> Maybe next week, I will drop him an email as well. 14:16:54 <aripie> #info inspector: expecting to have a discussion tomorrow in the proposed projects agenda point 14:17:11 <LukeHinds> I will try to make sure I attend 14:17:16 <aripie> #info any comments on the proposal - any further information you would want to get included? 14:18:04 <jaosorior> aripie: Not from my side. Does anybody else think there should be something else included in the proposal? 14:18:20 <LukeHinds> it looks good to me, I think I will have more contributions and feedback as the functional design starts to get fleshed out. 14:18:55 <LukeHinds> #info I can see the gap is there, and you have a good scope to start the project off 14:18:56 <mwinandy_> yes 14:19:10 <LukeHinds> gap = need 14:19:18 <aripie> ok let's take the discussion tomorrow and see who will get on board 14:19:21 <mwinandy_> #info Is there any concern about protecting log/audit data integrity in the Inspector project? 14:20:22 <jaosorior> mwinandy_: that is already included in the project proposal 14:20:42 <mwinandy_> good! :) 14:20:57 <jaosorior> do you need the link to it? 14:21:13 <mwinandy_> if you have, would appreciat4e 14:21:31 <jaosorior> #link https://wiki.opnfv.org/requirements_projects/inspector 14:22:14 <jaosorior> mwinandy_: It's part of the scope. But before that we must tackle several problems first: 14:22:41 <LukeHinds> #info, do you have any initial plans on how the data / events will be rendered? 14:22:51 <jaosorior> 1) There is already an audit initiative in OpenStack which pushes for CADF. That is fine, but we need to make sure it meets our requirements, so we need to align with ETSI too. 14:23:20 <jaosorior> 2) Even though there is already an audit initiative, there is no way of doing system/functional tests with it, so we need to enable testing the auditing in tempest 14:23:53 <jaosorior> 3) OpenDayLight has no audit capabilities whatsoever, so we need to come up with with requirements for that, and get people actually writing those 14:24:38 <LukeHinds> #info I will make sure I start to populate this #link https://wiki.opnfv.org/security/upstream/etsi as I already have a little insight into ETSI 14:26:10 <jaosorior> 4) Ceilometer, which will eventually digest the audit logs in OpenStack, has ...some... integrity protection for the events (some of which are actually audit events). But that has proven to have serious performance problems. So we need to come up with an alternative solution that meets performance needs, and enables some integrity checks, before actually 14:26:11 <jaosorior> going into the audit log integrity, which is even more performance intensive (at least how I've envisioned it) 14:26:33 <jaosorior> So there's a lot of work coming, it's gonna be fun :P 14:27:52 <LukeHinds> sure sounds it, I will be honest, I have no idea how you would intergrity check something dynamic such as a log 14:28:41 <jaosorior> LukeHinds: If you want, one of these days I can have a session on how audit currently works in OpenStack 14:28:54 <LukeHinds> that would be very useful thanks 14:29:12 <jaosorior> LukeHinds: The current proposal is to push for the CADF framework, which is the one used in OpenStack. So hopefully we can use that too in OpenDayLight 14:30:20 <mwinandy_> LukeHinds: well, maybe instead of checking there you could be some enforcement to only append. and then checking that the enforcement works 14:30:57 <jaosorior> At least CADF would be a lot easier to push forward, since it already is accepted in OpenStack, so only thing we might need to do is extend it. And since there is no auditing in OpenDayLight, sounds to me like they would like to use something that's already supported by the rest 14:31:52 <LukeHinds> #info I just found this that looks like worth a watch #link https://www.openstack.org/summit/openstack-summit-atlanta-2014/session-videos/presentation/an-overview-of-cloud-auditing-support-for-openstack 14:32:43 <jaosorior> LukeHinds: I didn't see that in the summit, but I'll give it a look and could point you out stuff that has been outdated, and how it works now (if any) 14:33:28 <LukeHinds> sounds good. "We will finish by presenting some possible future directions such as extending the use of CADF beyond audit to facilitate event correlation and federation across multiple tiers. " 14:34:05 <jaosorior> not sure if CADF is used for anything else at the moment in OpenStack 14:34:49 <jaosorior> well... by not sure I'm pretty sure it isn't used for anything else... yet 14:36:16 <jaosorior> but I guess we need something more standard than CADF as a final format. So I'm thinking we're gonna end up writing a CADF->syslog translator or something of the sort. If someone has a hard requirement on that 14:37:49 <jaosorior> Anyway, please bring people that could have useful input, so we can all allign in this 14:38:22 <LukeHinds> agree, I will study up and try to make some input 14:38:29 <jaosorior> I think auditing is something we all need, and as much input as we can get, and even hands-on help, the better 14:40:00 <jaosorior> anyway 14:40:11 <jaosorior> any other questions? 14:40:13 <LukeHinds> what projects do you see the initial focus on..keystone / barbican / nova? 14:40:40 <LukeHinds> or which have the most interesting events 14:40:54 <jaosorior> LukeHinds: the projects that will mostly be our focus will be Ceilometer (the collector of audit events) and keystonemiddleware (the one that actually calls the CADF framework to generate audit events) 14:41:05 <jaosorior> so that's the hands-on work in OpenStack 14:41:25 <jaosorior> now, other than that, we need to make sure that all the components used in OPNFV are properly audited 14:41:40 <jaosorior> so we need to evaluate the actions that they can take, get proper requirements on what info we need 14:41:58 <jaosorior> and then, properly test that the audit events actually contain what we need (which translated to writing a test in tempest) 14:42:35 <LukeHinds> ok, I am getting a better pitcure now. i think a session from you would be very useful. do you want do that during a sec meeting? 14:42:46 <jaosorior> I can do that, sure 14:42:54 <LukeHinds> we can also send out an email to tech-discuss to encourage the other projects to join. 14:43:24 <LukeHinds> its in their interest and they could also help define the CADF values for their project 14:44:00 <LukeHinds> would next Wednesday be ok? 14:44:14 <jaosorior> that's alright with me 14:44:30 <jaosorior> right now the next step is to get the approval to start working, which hopefully will come tomorrow from the TSC 14:44:40 <jaosorior> we are in the agenda for tomorrow's meeting 14:44:47 <jaosorior> and then we can start actually writing action points 14:44:53 <jaosorior> or tasks 14:45:56 <LukeHinds> ok, so shall we hold the presentation until tomorrow 14:46:20 <jaosorior> lets do that 14:46:21 <LukeHinds> then if we get approval (which will happen) it adds weight to getting others interested 14:46:27 <jaosorior> exactly 14:46:32 <LukeHinds> sounds good 14:48:04 <LukeHinds> #agreed pending approval on inspector, jaosorior will present an overview of auditing in openstack. we will push out an email encouraging other projects to attend, as they will be candidates for auditing events using the CADF framework. 14:48:48 <LukeHinds> #agree preliminary date of 6/5 (Wednesday) 14:49:15 <LukeHinds> ashutosh has been emailing me, he had been trying to join 14:50:35 <LukeHinds> Hi, ashutosh, you made it :) 14:50:49 <LukeHinds> we are winding down now, but feel free to say anything you have in mind 14:51:06 <AShutosh> Finally, how do I get the audio, sorry, I have been trying the WebMeeting for last two weeks:) 14:51:14 <LukeHinds> we were discussing inspector, which goes forward for approval tomorrow 14:51:30 <LukeHinds> we have stopped using audio for now, and just IRC 14:51:30 <AShutosh> Where is the document? 14:51:50 <LukeHinds> #link https://wiki.opnfv.org/requirements_projects/inspector 14:51:51 <AShutosh> How do I read the document? 14:52:24 <AShutosh> OK let me look at it, I need to get used to IRC mode of communication have not used for a while, used to jabber etc 14:52:44 <AShutosh> OK, thanks for the link 14:53:13 <LukeHinds> anything new happening on the moon project? 14:56:37 <AShutosh> What else did we discuss today? 14:57:11 <AShutosh> I missed the whole meeting it looks like 14:57:59 <AShutosh> Where do we send the requirements of Inspector for the approval 14:58:17 <LukeHinds> other discussions were on the work items, one of interest to you was the etsi wiki page 14:58:41 <LukeHinds> you can make reqiurements in here, or jaosorior: do you have an etherpad? 14:58:57 <AShutosh> Any sort of collaboration hapening around ETSI/NFV spec? 14:59:34 <LukeHinds> this is where we plan to put the etsi standards and map them to opnfv projects https://wiki.opnfv.org/security/upstream/etsi 14:59:42 <jaosorior> no etherpad yet, before I wanted to get approval from the TSC 15:00:02 <LukeHinds> the inspector team are also interested in having someone from etsi see where compliance can be mapped as well 15:00:03 <jaosorior> which happens tomorrow, hopefully 15:01:20 <AShutosh> Inspector is an Ericsson proposal, I would encourage them to look at ETSI documents also, I can perhaps communicate with them 15:02:39 <jaosorior> AShutosh: Yes, the plan is to get alignment with ETSI, as was mentioned earlier 15:02:50 <aripie> AShutosh: yes, we are grateful for any input 15:03:22 <aripie> I have checked through all the ETSI public papers 15:03:40 <LukeHinds> can I hash an action here for you ashutosh to review and suggest additions? 15:03:54 <jaosorior> sure 15:04:35 <LukeHinds> #action after inspector approval, a etherpad will be put up and emailed out 15:05:01 <LukeHinds> #action ashutosh to review and suggest additions with the view from the etsi sec group (within etherpad( 15:05:05 <AShutosh> Let me review the requirement document 15:05:29 <LukeHinds> of course, but to have requirements from you as an operator with needs, is very useful! 15:05:35 <LukeHinds> we are all vendors :) 15:06:25 <LukeHinds> its a good opportunity to input requirement needs into opnfc 15:06:28 <LukeHinds> *opnfv 15:07:06 <mwinandy_> (opnfc would also be an interesting project... *g*) 15:07:33 <AShutosh> I assume this is all with respect to Inspector document, right? 15:07:39 <LukeHinds> ok, we are over an hour. I will has end the meeting, but that does not mean discussion needs to stop. we can talk when we like 24/7 15:07:44 <LukeHinds> ashutosh, yes 15:07:51 <LukeHinds> but the same for anything security related 15:08:00 <AShutosh> OK, 15:08:05 <LukeHinds> you can either email tech-discuss 15:08:09 <LukeHinds> drop in here 15:08:17 <LukeHinds> or ask for time on the next meeting 15:08:29 <AShutosh> OK, what is the mailing list? 15:09:08 <LukeHinds> just use the main one and it will place [opnfv-sec] in the subject 15:09:58 <LukeHinds> #info - not sure if everyone has done it, but they have filters set up on the mailing list system, you might need to add security 15:10:16 <LukeHinds> ok, i got to go, but feel free to keep chatting folks! 15:10:19 <LukeHinds> #endmeeting