14:05:52 <lhinds> #startmeeting Sec Group 29/06
14:05:52 <collabot`> Meeting started Wed Jun 29 14:05:52 2016 UTC.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:52 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:05:52 <collabot`> The meeting name has been set to 'sec_group_29_06'
14:06:05 <lhinds> ok, not sure where Sona is.
14:06:13 <lhinds> #topic Agenda
14:06:22 <lhinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:06:36 <lhinds> rough agenda, please make additions should you wish to.
14:07:06 <aripie> I am ok with the agenda
14:07:48 <lhinds> k, pinged Sona on google hangouts
14:08:17 <lhinds> #topic Security Scanning
14:08:34 <lhinds> So at the summit, we did a demo and a presentation.
14:08:48 <lhinds> there was some good follow up, and others showed an interest in getting involved.
14:09:18 <lhinds> I met with functest, and we discussed getting its own repo and possible new scenarios.
14:09:54 <lhinds> Since then I have the email out on tech-discuss about getting a repo, but most are of the mind, we should be able to just go ahead,
14:10:13 <lhinds> I also need to answer some valid Q's from Daniel @ E ///
14:10:41 <lhinds> So that's a quick round up. The topic that I had was around SCAP authors.
14:11:34 <B_Smith> just a quick comment, irc is incorrect on meeting page
14:11:57 <lhinds> Now that we will be moving towards covering other installers (Ubuntu based) and possibly OpenDaylight or any given Application, we need help with authoring the upstream SCAP content or maintaining it.
14:12:06 <lhinds> B_Smith: will take a look thx!
14:13:37 <lhinds> To author SCAP content, you don't need to code. It's about putting hardening checks into XML format
14:14:02 <lhinds> So interested in volunteers if anyone has free cycles to take it on.
14:14:47 <serverascode> not a huge fan of xml :), but I'm interested in helping out there
14:15:10 <lhinds> thanks serverascode, are you familiar with SCAP?
14:15:20 <lhinds> (not that you need to be, it's learnable)
14:15:31 <serverascode> only at a high level, would need to do some research
14:16:45 <lhinds> cool. so at the moment, for openstack checks and CentOS checks, the content is in good shape. There is also some Debian content which I heard is good, but could likely use clarification
14:17:03 <lhinds> (with the view that Debian will be applicable to Ubuntu, in most cases)
14:17:07 <lhinds> https://github.com/OpenSCAP/scap-security-guide/tree/master/Debian/8
14:17:56 <lhinds> so it might just be a case of installing a VM, running the SCAP scan, and seeing if the packaging is present.
14:18:12 <lhinds> I will help of course 100%, but will be busy with the coding parts
14:18:40 <serverascode> ok, yup sounds good
14:19:10 <serverascode> is it in terms of openstack + debian, or debian in general?
14:19:27 <lhinds> serverascode: ultimately both.
14:19:34 <serverascode> ok
14:19:44 <lhinds> So for the OS, as you can see it's already there.
14:20:10 <lhinds> For openstack, we have SCAP already present for CentOS / RHEL versions of openstack.
14:20:24 <lhinds> but the difference between the two is very small
14:20:34 <lhinds> perhaps paths / variables.
14:20:49 <lhinds> but must use upstream openstack, with the main difference being the installers
14:21:26 <lhinds> But the good news is that Major Hayden (a rackspace guy) has developed openstack security ansible playbooks that we can use.
14:21:35 <lhinds> so it's all out there, just needs collating.
14:22:11 <serverascode> ok, interesting, yeah I'm aware of Mr. Hayden, openstack-ansible, nice
14:22:19 <lhinds> serverascode: do you have a Linux foundation account (read as do you have a jira account)?
14:22:26 <serverascode> yeah I do
14:22:43 <lhinds> cool, how would I find you.. is it the same as your IRC nick?
14:22:56 <serverascode> yup
14:23:50 <lhinds> Curtis?
14:24:31 <serverascode> curtis collicutt yup
14:24:44 <lhinds> excellent, got you now.
14:24:53 <lhinds> I am Luke, and we also have Ari here too.
14:25:22 <lhinds> great to have you involved
14:25:27 <serverascode> hi :) thanks
14:25:53 <aripie> hi
14:26:20 <lhinds> so I will assign some jira tasks to you, but understand you might want to have a read up and that first.
14:26:34 <lhinds> We are in between releases right now, so no big rush
14:26:41 <serverascode> ok
14:27:44 <lhinds> #action lhinds set up jira task for serverascode to look / research into SCAP authorship
14:28:14 <lhinds> there is a talk on YouTube where I demo'ed the scanning tool if you want to check it out.
14:28:55 <lhinds> #link https://www.youtube.com/watch?v=SFkwbUAoHfo
14:29:06 <serverascode> ok will watch that, thanks
14:29:43 <serverascode> I was at the summit but missed that one
14:29:54 <lhinds> oh, you missed the best one :P
14:30:02 <lhinds> just kidding
14:30:18 <serverascode> :)
14:30:43 <lhinds> ok, so that's good. I have a lot to do on cleaning up the wiki etc, but that will contain more info
14:31:18 <lhinds> this is the project proposal that gives some info as well:
14:31:32 <lhinds> #link https://wiki.opnfv.org/pages/viewpage.action?pageId=6824812
14:32:05 <lhinds> ok, the next topic is Badge Programme.
14:32:17 <lhinds> But Sona is missing, so I guess we might be skipping that one this week.
14:32:20 <lhinds> so...
14:32:25 <lhinds> #topic AOB
14:32:31 <lhinds> Any other business?
14:32:44 <aripie> not for today
14:33:33 <lhinds> serverascode ?
14:33:55 <serverascode> nothing from me, nope
14:34:13 <lhinds> ok, well good to have you join serverascode and nice to catch up with you aripie
14:34:25 <lhinds> see you next week, also I am on here all the time
14:34:34 <serverascode> great, thanks kindly
14:34:42 <lhinds> so any follow up questions, just type my name and I will get pinged
14:34:46 <aripie> ok, good with the summit outcome, cu next week
14:34:57 <lhinds> #endmeeting