14:03:16 <lhinds> #startmeeting OPNFV Security Group 02/12/2015
14:03:17 <collabot> Meeting started Wed Dec 2 14:03:16 2015 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:17 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:03:17 <collabot> The meeting name has been set to 'opnfv_security_group_02_12_2015'
14:03:40 <lhinds> so agenda.. I have the following
14:03:53 <lhinds> #topic agenda
14:04:01 <lhinds> 1. OPNFV Security Guide
14:04:08 <lhinds> 2. CI Badge Program
14:04:15 <lhinds> 3. Inspector
14:04:21 <lhinds> 4. Any other business
14:04:30 <lhinds> Anyone have any additions?
14:05:11 <Sona> I have been looking at containers
14:05:16 <aripie> did we conclude something on Moon earlier, I remember there was some discussion but have forgotten...
14:05:54 <lhinds> yes, we agreed to not merge inspector, as inspector was upstream, and it might end up being just a vehicle for moon to get things done upstream
14:06:26 <lhinds> so we keep it separate, and of course moon would be welcome to use inspector as a project to get audit changes happening upstream
14:06:33 <aripie> right, now I recall
14:06:40 <lhinds> moon is mainly all in its own repo now
14:06:55 <aripie> ok, no need for an agenda item on that
14:07:15 <lhinds> #info agreed agenda
14:07:27 <lhinds> #topic OPNFV Security Guide
14:08:24 <lhinds> ok, so I have a lot of stuff to push up to gerrit, so more content.
14:08:57 <lhinds> Sona is getting set up well, and so things are progressing there. I have been on IRC to help Sona get set up, so I can do the same for you aripie if you prefer
14:09:28 <lhinds> Also we got some good input from iben which I will go through
14:09:35 <Sona> Thanks Luke
14:09:37 <aripie> I have it cloned and sphinx works for me
14:09:42 <lhinds> ah good!
14:10:15 <Sona> sphinx works for me too
14:10:44 <lhinds> so I know you have an interest in working on networking Sona. Could I recommend you draw up details of what you would like to cover?
14:11:13 <lhinds> you can use etherpad.opnfv.org/p/security-guide
14:11:31 <lhinds> and aripie, have you thought about what topics you would like to work on?
14:11:53 <aripie> logging, monitoring, audit to start with
14:11:57 <Sona> well I have looked at compute security :)
14:12:15 <lhinds> fine aripie, sounds good
14:12:17 <Sona> have been looking at hypervisor vs containers security/performance
14:12:29 <Sona> what part do you need most help with?
14:12:54 <lhinds> Sona, with you at enea, compute would be a good math
14:13:02 <lhinds> /s/math/match
14:13:09 <Sona> I am not very good at writing, but I can review and give some input
14:13:14 <lhinds> that's ok!
14:13:30 <lhinds> what would you mean by performance?
14:14:14 <lhinds> #agreed aripie> logging, monitoring, audit to start with
14:14:47 <Sona> containers are faster, easier than hypervisors ...
14:15:38 <lhinds> I would hold fire on that just for now, as containers are not in opnfv at the moment.
14:16:06 <lhinds> good topics for compute are how to harden the hypervisor.
14:16:06 <Sona> ok
14:16:21 <Sona> yes, that is also good to look at
14:16:41 <Sona> how to make the hypervisor secure
14:16:48 <lhinds> so it's good to frame everything under 'I am a customer, I have deployed this OPNFV platform, ahhhh! how do I make this platform secure'
14:16:53 <lhinds> Sona, yep
14:17:22 <lhinds> So SELinux (MAC / DAC) controls, patching, good Linux OS security - that sort of deal.
14:17:42 <Sona> ok, I will focus only on hardening the hypervisor to start with
14:17:43 <lhinds> Or AppArmor, so the ubuntu peeps don't get upset as well :)
14:18:03 <lhinds> sure, I can help a lot there as well, as I have been focused on that area for a while.
14:18:14 <lhinds> we also have some very good stuff around.
14:18:40 <aripie> introspection is a nicely controversial topic, too
14:18:53 <lhinds> what would also be good is to chat with the KVM team, and see if there is anything new that OPNFV brings into KVM that needs security consideration
14:19:09 <lhinds> agree, aripie, but can anyone do that yet?
14:19:27 <aripie> not properly as far as I know
14:19:48 <lhinds> certainly can have a mention though, that could be under an 'if compromised'
14:20:02 <lhinds> #info lhinds> what would also be good, is to chat with the KVM team, and see if there is anything new, that OPNFV brings into KVM that needs security consideration
14:20:24 <lhinds> when I say KVM team, I mean the OPNFV KVM project
14:20:40 <lhinds> I think there might be someone from enea on there as well?
14:21:17 <Sona> I will check
14:22:07 <lhinds> sounds cool, so just keep in mind, we are going for pragmatic advice that ops can pick up and use, more than thought leadership / cutting edge
14:22:52 <lhinds> ok..
14:23:02 <lhinds> #topic Badge Program
14:23:26 <lhinds> so I spoke with the TSC yesterday, and they agreed to go for the linux foundation security badge program
14:23:43 <lhinds> #link https://www.coreinfrastructure.org/programs/badge-program
14:23:52 <lhinds> I spoke about this last week.
14:24:13 <lhinds> will be looking for volunteers here, as we will be driving this in the security group
14:24:27 <lhinds> have a read on what it's about and I will send out an email shortly.
14:24:31 <aripie> I am interested
14:24:46 <lhinds> if you already have any questions, do please ask away.
14:25:33 <aripie> I understood from LF CII that they also solicit input for the badges initiative, so if we feel something is weird or missing, we should indicate
14:26:05 <lhinds> yes, very much... it's an opensource project, so we can push to them as well.
14:26:49 <aripie> was there any ambition level statement on badges in TSC?
14:27:22 <aripie> thinking in terms of which projects come first etc
14:28:11 <lhinds> it will be an overall badge for the whole of opnfv
14:28:28 <aripie> understood
14:28:31 <lhinds> so projects will align, based on us putting the criteria into place
14:29:11 <aripie> we are not that many so cannot simultaneously support many projects
14:29:20 <aripie> so makes sense to focus on the criteria
14:29:57 <lhinds> yep, and Aric will help as well, for implementing some of the CI stuff (like code scanning), release changes etc
14:30:15 <lhinds> #topic inspector
14:30:36 <lhinds> quick note, I have to leave a little earlier again, but will be back online as well shortly
14:30:43 <lhinds> so I put myself as acting for now
14:31:08 <aripie> thanks
14:31:08 <lhinds> I also rebuilt a ceilometer based devstack instance, so I will try and get those two jira issues closed.
14:31:40 <lhinds> I will then work out what can be done next, I just need to align internally, as we have IPR checks and stuff, as I expect all of you do as well.
14:32:09 <aripie> yes
14:32:26 <lhinds> I think maybe we start to look at opendaylight again
14:32:34 <lhinds> let's see, I should know more soon
14:33:21 <lhinds> and of course it's very open for anyone to raise a jira issue, as acting PTL I won't try to gatekeep or reject (unless it's something insanely out of scope, like 'replace keystone')
14:33:42 <aripie> mmm... nice idea
14:33:46 <Sona> what should we specifically look at in opendaylight?
14:34:03 <lhinds> Sona, check out the inspector wiki page.
14:34:11 <lhinds> it's about audit contributions upstrea
14:34:14 <lhinds> *m
14:34:22 <aripie> it is the gaps in auditability we are most interested in at this stage
14:34:25 <lhinds> ok, I just need to pop out..
14:34:36 <lhinds> I won't hash the meeting as ended yet
14:34:41 <aripie> ok
14:34:47 <lhinds> so feel free to keep going, or raise new topics.
14:35:01 <lhinds> I will be about 25 mins (got to get my daughter from school)
14:35:11 <aripie> right
14:35:20 <Sona> ok, I need to go soon as well
14:36:37 <Sona> Ari, can you explain a little about audit contributions?
14:36:39 <aripie> Sona: you can check this
14:36:43 <aripie> #link https://etherpad.opnfv.org/p/inspector_preliminary
14:37:25 <aripie> and
14:37:29 <aripie> #link https://wiki.opnfv.org/requirements_projects/inspector
14:38:30 <Sona> Thanks Ari, I will need these
14:38:50 <aripie> we aim to bridge the gap in upstream projects regarding audit capabilities by identifying the gaps
14:39:07 <aripie> and then possibly contributing with code to bridge the gaps
14:39:40 <aripie> also
14:39:44 <aripie> #link https://jira.opnfv.org/secure/Dashboard.jspa
14:40:09 <aripie> and
14:40:13 <aripie> #link https://gerrit.opnfv.org/gerrit/inspector
14:41:09 <Sona> I will read these, thanks
14:43:11 <Sona> Ari, I need to go, I will look at hypervisor security until next week
14:44:08 <aripie> OK, I will stay if Luke has something more when back
14:44:11 <aripie> bye now
14:44:20 <Sona> bye
15:16:02 <lhinds> ok, back now!
15:16:08 <lhinds> #endmeeting