14:04:59 <LukeHinds> #startmeeting Security Group
14:04:59 <collabot> Meeting started Wed May 27 14:04:59 2015 UTC. The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:59 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:59 <collabot> The meeting name has been set to 'security_group'
14:05:15 <LukeHinds> #topic Last week's minutes
14:05:35 <LukeHinds> #info Nothing of note! As everyone was @ the summit / vacation!
14:05:50 <LukeHinds> #info just myself and Marcin caught up
14:06:02 <LukeHinds> #topic Agenda Bashing
14:06:07 <LukeHinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:06:28 <LukeHinds> #info mark yourselves down as attended
14:06:43 <jaosorior> done
14:06:49 <jaosorior> aripie, are you around?
14:06:52 <LukeHinds> #info main topics are inspector approval (yay!) and next steps how we can help
14:07:06 <MikeCamel> Is there audio?
14:07:19 <LukeHinds> #info and perhaps the ETSI SEC mapping to OPNFV projs, if we have a volunteer
14:07:22 <jaosorior> MikeCamel: No audio. We switched to IRC-only
14:07:27 <aripie> #info Ari is here, yes
14:07:39 <LukeHinds> #info any additions we wish to make / amend / adjust?
14:07:42 <MikeCamel> OK. Kapil Sood (Intel) volunteered to update that page, btw.
14:07:54 <LukeHinds> excellent!
14:08:07 <LukeHinds> let's keep it as a topic then
14:08:08 <jaosorior> MikeCamel: cool! Thanks for the info
14:08:12 <MikeCamel> np
14:08:24 <jaosorior> MikeCamel: Do you know if Kapil Sood will attend this meeting?
14:08:45 <MikeCamel> He has done in the past. He's online: I'll ping him.
14:09:19 <LukeHinds> shall we give him 2-3 mins see if he wants to join, we are not over stretched agenda / time wise?
14:09:48 <jaosorior> I guess we could
14:09:49 <aripie> sure
14:10:44 <MikeCamel> He's on vacation today, so no. Sorry.
14:10:51 <LukeHinds> np!
14:10:57 <LukeHinds> #topic Inspector
14:11:17 <jaosorior> #info Inspector has finally been approved as an official OPNFV project
14:11:45 <jaosorior> #info As I mentioned in the mail, I have already asked for a repository and a bug-tracker
14:11:52 <LukeHinds> #info the guys would like to use the security group to align / discuss inspector activities, which was agreed to be a good idea.
14:12:29 <LukeHinds> how do you want to proceed with this juan/ari? should we go next steps > project needs / where we could help?
14:12:55 <aripie> I suppose we need to sanity check the provisional task list first
14:12:57 <jaosorior> We should look into making the material that has been already created by ETSI and CSA into a concrete mapping towards the components we use in OPNFV
14:13:38 <LukeHinds> @aripie - do you have that list available?
14:13:38 <collabot> LukeHinds: Error: "aripie" is not a valid command.
14:13:48 <LukeHinds> is this list available?
14:14:00 <aripie> yes, let's see if I can find it
14:14:15 <LukeHinds> #info jaosorior: We should look into making the material that has been already created by ETSI and CSA into a concrete mapping towards the components we use in OPNFV
14:14:31 <MikeCamel> Kapil is co-rapporteur with Ashutosh Dutta (also active in OPNFV, I think) of SEC008, a work item on security monitoring and management in ETSI NFV which may well be very relevant.
14:14:35 <LukeHinds> #info aripie: provisioning list should be sanity checked
14:14:55 <MikeCamel> Though if inspector is more audit-focused, I'm not sure!
14:15:23 <jaosorior> MikeCamel: It is a possibility that we could help provisioning the data that they need
14:15:36 <LukeHinds> it could be a case that inspector is the vessel to make sure the security events are made available from the vim (openstack) or network (onf)
14:15:37 <MikeCamel> I guess you should talk. :-)
14:15:53 <jaosorior> MikeCamel: Can you help out to bring them to the next Security Group's meeting?
14:16:11 <LukeHinds> #info inspector can be used for SEC008, a work item on security monitoring and management in ETSI NFV which may well be very relevant.
14:16:27 <MikeCamel> Kapil is planning to be at the next one - he's on vacation today. Ashutosh isn't Intel - he's AT&T, I think.
14:16:40 <LukeHinds> I can contact ashutosh
14:16:50 <jaosorior> LukeHinds: Excellent
14:16:51 <MikeCamel> @LukeHinds - it may be that the SEC008 may inform the work in Inspector.
14:16:51 <collabot> MikeCamel: Error: "LukeHinds" is not a valid command.
14:17:00 <LukeHinds> #action Kapil to attend next SEC group to discuss SEC008 and inspector
14:17:19 <LukeHinds> #action Luke to contact Ashutosh to perform the same.
14:17:53 <LukeHinds> So that is some good interwork planned already.
14:18:02 <LukeHinds> Who else do we need to reach out to Juan?
14:18:19 <LukeHinds> I know someone at OPF if that helps?
14:18:21 <LukeHinds> security guy
14:18:44 <LukeHinds> and Ari too..
14:18:56 <jaosorior> OPF?
14:19:04 <LukeHinds> ONF
14:19:05 <LukeHinds> :)
14:19:18 <LukeHinds> open networking foundation
14:19:33 <aripie> yes, ONF security contact would be great to have
14:19:53 <jaosorior> Indeed
14:20:14 <jaosorior> the way I see it, there will be three main activities:
14:20:14 <LukeHinds> #action Luke to contact ONF about inspector project
14:21:35 <jaosorior> * Proactively monitor the components (such as OpenStack) to see that the relevant events in the system (such as requests taken in the services) are properly emitted (logged)
14:22:11 <aripie> #link https://etherpad.opnfv.org/p/inspector_preliminary
14:22:22 <jaosorior> * Align with relevant institutions (such as ETSI) in order to have their requirements and use-cases be mapped in a concrete way with the actual services we are using in OPNFV
14:22:34 <aripie> there is a task list among other preliminary considerations
14:23:14 <jaosorior> * Respond to bug-reports (and properly implement them in the components upstream), which will be filed when we figure out there is something missing or when our shareholders report they need more information for a certain use-case
14:23:31 <LukeHinds> #info three main activities:
14:23:42 <LukeHinds> #info Proactively monitor the components (such as OpenStack) to see that the relevant events in the system (such as requests taken in the services) are properly emitted (logged)
14:23:44 <jaosorior> but that link describes what I just wrote too :P
14:23:56 <LukeHinds> #info Align with relevant institutions (such as ETSI) in order to have their requirements and use-cases be mapped in a concrete way with the actual services we are using in OPNFV
14:24:03 <LukeHinds> #info Respond to bug-reports (and properly implement them in the components upstream), which will be filed when we figure out there is something missing or when our shareholders report they need more information for a certain use-case
14:24:19 <LukeHinds> #info all covered in the following #link https://etherpad.opnfv.org/p/inspector_preliminary
14:24:29 <LukeHinds> sorry, I got going so finished off :)
14:24:50 <aripie> so any comments on the info in the link is welcome!
14:24:54 <LukeHinds> So the first one sounds like it has the largest scope?
14:25:02 <jaosorior> Indeed
14:25:18 <jaosorior> This will be documented in the repo
14:25:36 <jaosorior> So, the idea for the repo is for it to contain mostly two things:
14:25:41 <LukeHinds> Have you defined the monitoring mechanisms / frameworks?
14:25:57 <LukeHinds> Like a common format, I guess that would be CADF?
14:26:09 <aripie> yes, CADF would be the primary
14:26:25 <aripie> we are considering translators to/from other formats
14:26:48 <jaosorior> documentation relevant to the project: e.g. what frameworks already exist in the components and what they provide; the reports that we generate on the state of the components
14:27:16 <jaosorior> and also the repo will contain tracking of the upstream fixes (or features if necessary)
14:27:49 <jaosorior> for OpenStack CADF is mostly taken into account, as it's already being used and there is support and acceptance for it already in the community
14:28:43 <LukeHinds> If CADF is not present in a project, what would the next candidate be? Perhaps log parsing, or snmp traps? that sort of thing...
14:29:14 <aripie> post-processing of the audit data for monitoring (other than potential format translation) or triggering activities is not in scope at least as of yet
14:29:44 <aripie> I suppose log handling/analysis might overlap with other projects
14:30:06 <LukeHinds> Let's do mock engagement with another project..
14:30:10 <LukeHinds> help me understand.
14:30:23 <jaosorior> Moon project is supposed to have some monitoring in scope. That's why I want to collaborate with them
14:30:35 <LukeHinds> we approach ONF to introduce audit events
14:30:45 <MikeCamel> I think that Moon is more likely to be relevant to the ETSI work item I mentioned, tbh.
14:31:08 <jaosorior> MikeCamel: That is most likely the case
14:31:09 <LukeHinds> would the expectation be that they would raise the events using CADF?
14:31:57 <jaosorior> The expectation is that, for instance, Moon would be reading events out of the event collector (which are in CADF form)
14:32:32 <jaosorior> While we make sure that the relevant events are actually emitted (which is not always the case) and that the right information is available (which is not the case and we need to fix this)
14:33:05 <aripie> From ONF components the audit events in CADF would be preferred
14:33:58 <LukeHinds> so the 'event collector'? Ceilometer, who would that be?
14:34:06 <jaosorior> LukeHinds: yes
14:34:13 <LukeHinds> ahh ok
14:34:30 <LukeHinds> I have the end2end picture now
14:35:06 <LukeHinds> but it could be another system, anyone who develops a service to accept the CADF events?
14:35:15 <aripie> absolutely
14:35:19 <jaosorior> For instance, in the identity component in OpenStack (Keystone) if a user authenticates, we know that there is relevant info in the audit event. However, if a user now tries to assign a role, information such as who was the initiator of the event is missing. This is the kind of stuff we need to fix
14:35:39 <jaosorior> LukeHinds: yes
14:35:46 <LukeHinds> understand
14:36:17 <aripie> the consumer of the audit data can be any other system that eats CADF
14:36:18 <jaosorior> So, if this type of information is missing, then the event is worthless as no proper monitoring can be done
14:36:53 <LukeHinds> i see now, thx
14:37:58 <LukeHinds> Any other candidates outside of openstack / onf?
14:38:18 <LukeHinds> kvm / qemu as an example?
14:38:21 <aripie> odl
14:38:46 <jaosorior> LukeHinds: I'm trying to get committers that will work with OpenDaylight, but since they have a release, we need to wait for things to get less hectic
14:38:48 <LukeHinds> I guess nova, instead of kvm/qemu
14:39:23 <LukeHinds> understand
14:39:33 <jaosorior> yes, one should be able to get proper information about the hypervisor from Nova. Evaluating if this is possible, and if this information is appropriate is part of the first task I mentioned
14:40:09 <jaosorior> Same goes for Neutron, one should be able to poll the underlying backends in Neutron. This could help generating a proper topology report
14:40:18 <LukeHinds> neutron as well at a guess, security groups, keys etc.
14:40:30 <LukeHinds> double send :)
14:41:02 <jaosorior> LukeHinds: Exactly
14:41:40 <LukeHinds> very useful!
14:41:51 <jaosorior> Now, hopefully we can get the people set as "contributors" to attend the next meeting, so we can map what people can do and actually start dividing tasks
14:42:36 <jaosorior> In the meantime, I'll work on getting that repo and bug-tracker (hopefully linux foundation will answer soon) and will set up a proper structure for the documentation to live in the repo
14:43:22 <LukeHinds> I will do an update at the TSC soon and re-introduce the group and inspector to all, encourage people to come along
14:43:35 <jaosorior> LukeHinds: Good idea
14:43:37 <LukeHinds> you can put me as a contributor
14:43:59 <jaosorior> LukeHinds: You're already there ;)
14:44:14 <jaosorior> #link https://wiki.opnfv.org/requirements_projects/inspector
14:44:15 <LukeHinds> and hopefully I will know my resource utilization better soon, but I guess I am already contributing by helping get discussions going.
14:44:25 <LukeHinds> ok good
14:44:52 <aripie> sure, getting the contacts is good contribution
14:45:28 <LukeHinds> so what's your target for next week's meeting? you said about task assignment, so will you start to scope out work items?
14:47:29 <jaosorior> LukeHinds: yeah. We will start focusing on specific components
14:47:49 <LukeHinds> sounds good to me.
14:48:17 <LukeHinds> #action juan/ari to start listing specific components / work items for committers / contributors
14:48:34 <jaosorior> alright! Any other questions/comments?
14:48:52 <LukeHinds> not from me now, I have a good picture.....anyone else.....
14:49:38 <jaosorior> alright. Anything else on the agenda for the sec-group meeting?
14:50:09 <LukeHinds> that's it now, we already worked out the ETSI stuff and I will get in touch with the ODL guy I know
14:50:14 <LukeHinds> we have those as actions
14:50:35 <LukeHinds> I won't end yet, will let it run to capture any late questions.
14:50:56 <aripie> ok, standing by
14:56:35 <LukeHinds> ok, I guess we are done. Thanks guys, very informative and a great project I look forward to its progress and hope to help out as much as I can.
14:56:47 <LukeHinds> #endmeeting