14:08:41 <aripie> #startmeeting 2016-01-13
14:08:41 <collabot`> Meeting started Wed Jan 13 14:08:41 2016 UTC. The chair is aripie. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:08:41 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:08:41 <collabot`> The meeting name has been set to '2016_01_13'
14:08:56 <aripie> #topic agenda bashing
14:09:27 <aripie> #info I have: Security Guideline, Badges program in OPNFV
14:09:41 <aripie> something else you have in mind, Sona?
14:10:12 <sona> what does Badges program mean?
14:10:45 <aripie> that is an initiative for self-assessing open source programs for best security practice
14:10:56 <sona> ok, thanks
14:11:14 <aripie> and we would be the ones to support OPNFV projects in that
14:11:42 <sona> No I don't have, I can review the guide when you add it to gerrit
14:13:11 <aripie> ok
14:13:21 <aripie> #link https://www.coreinfrastructure.org/programs/badge-program
14:13:40 <aripie> #topic Security Guideline
14:14:11 <aripie> #info aripie suggests to have chapter on Logging and Monitoring
14:14:20 <aripie> #info that chapter would include Audit
14:15:22 <aripie> #action aripie will issue initial set of relevant audit requirements for gerrit review
14:16:26 <aripie> you want to note something on the guideline, Sona?
14:17:45 <sona> well I have some ideas about virtualization hardening but I am not good at writing them down :)
14:18:35 <aripie> no problem, just give the input and the rest of the team can review and suggest wordings
14:19:30 <sona> I have some recommendations:
- Strong guest isolation: Use SELinux to get MAC by default, MAC implements strong guest isolation
- Keep up to date with hypervisor patches
- Turn off unnecessary services to reduce the attack surface of the hypervisor
- Make sure that pre-configured virtual appliances and machine images are not misconfigured or have been tampered with before you start them.
- Turn off unnecessary services: Remove any
14:20:56 <aripie> one possibility is that we refer to another document where these aspects are described
14:21:35 <sona> these are some suggestions to the "Compute Security"/virtualization section
14:22:13 <aripie> good
14:22:31 <sona> Openstack has good doc regarding virtualization hardening: http://docs.openstack.org/security-guide/compute/hardening-the-virtualization-layers.html
14:22:45 <aripie> that at least we can point to
14:23:01 <sona> yes
14:24:29 <aripie> maybe you could write initial entry to that chapter, we can refine it then together
14:25:03 <sona> ok, I can try :)
14:26:26 <aripie> #agree Sona writes initial entry for Compute Security/virtualization for rest of the team to refine
14:27:26 <sona> Ari, is this guideline high prio activity for OPNFV security team?
14:28:25 <aripie> that is my impression, though vulnerability handling maybe is ahead of that in priority
14:29:18 <sona> what do you mean by vulnerability handling?
14:29:28 <sona> tracking CVEs?
14:29:41 <sona> in OPNFV components?
14:30:20 <aripie> yes, and especially monitoring fixes to critical CVEs
14:31:24 <sona> do you mean for all components?
14:31:30 <aripie> I think we need to have a discussion of opnfv-sec priorities and start maintaining a backlog
14:31:45 <aripie> yes, for all OPNFV components
14:31:46 <sona> yes, that sounds like a good idea
14:32:01 <sona> I can track CVEs
14:32:30 <sona> do you think we should file a bug in Jira for critical CVEs?
14:32:33 <aripie> #agree to next meeting agenda, include discussion on opnfv-sec priorities and backlog
14:33:34 <sona> I am not quite sure how OPNFV deals with security updates?
14:33:50 <sona> do you patch them in git and send security adv?
14:34:23 <aripie> I don't think there is any decision on that yet, we probably should make a recommendation
14:34:33 <sona> are you going to maintain Arno when Brahmaputra is released?
14:35:15 <aripie> I believe Arno was just once-off with no maintenance promises
14:35:24 <sona> ok
14:36:05 <sona> I will have an eye on critical CVEs in the components included in OPNFV and file a bug in Jira
14:36:12 <sona> does this sound good?
14:36:21 <aripie> it does!
14:36:33 <sona> one stupid question :)
14:36:50 <aripie> are there such?
14:36:51 <sona> what qemu version is used in Brahmaputra?
14:37:46 <aripie> I do not know
14:38:25 <sona> maybe I should ask in the list :)
14:38:28 <aripie> #agree Sona will monitor critical CVEs in OPNFV components and file in Jira
14:38:46 <sona> yes
14:38:56 <aripie> that is what the lists are for!
14:39:11 <sona> yes,
14:39:44 <aripie> thanks for volunteering!
14:40:05 <sona> you are very welcome
14:40:21 <sona> I am glad to help
14:40:50 <aripie> all hands are needed... let's make some quick notes on the Badges, then if any AOB pops in mind
14:41:22 <aripie> #topic Badges program
14:41:23 <sona> just one more question
14:41:25 <sona> is there anything (security related) we can do for Brahmaputra release?
14:41:26 <aripie> go ahead
14:41:55 <aripie> I think the CVE tracking is the top thing we can do
14:42:12 <sona> ok
14:42:13 <aripie> maybe to issue 1st rev of security guideline
14:42:35 <aripie> let us take that to the next meeting topic, too
14:42:44 <sona> ok
14:42:54 <aripie> #agree for next meeting agenda, define tasks relevant for Brahmaputra release
14:43:24 <sona> good, I don't have any more questions :)
14:43:48 <aripie> on Badges, I think we need to define tasks as well,
14:44:02 <aripie> to identify which projects would gain most
14:44:24 <aripie> and to decide the ambition level together with the respective projects
14:44:51 <aripie> as security maturity within different projects may vary a lot
14:45:45 <sona> ok
14:46:28 <aripie> I can make a suggestion for how to start with Badges
14:46:51 <aripie> #action aripie to suggest how to start introducing Badges to OPNFV projects
14:47:46 <aripie> #topic any other business
14:48:26 <aripie> I did not have any other topics in mind, have you come to think of anything, Sona?
14:48:26 <sona> no
14:48:38 <sona> thanks
14:49:21 <aripie> ok, I will stay around in irc so if something crosses your mind, just let me know
14:49:46 <aripie> #endmeeting