14:02:54 <lhinds> #startmeeting Security Group 31/08
14:02:54 <collabot> Meeting started Wed Aug 31 14:02:54 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:54 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:54 <collabot> The meeting name has been set to 'security_group_31_08'
14:03:08 <Sona> hi
14:03:21 <lhinds> #topic agenda
14:03:27 <lhinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:03:38 <lhinds> anyone like to add to the agenda?
14:04:07 <Sona> it is ok
14:04:16 <lhinds> #topic Security Scanning
14:05:05 <lhinds> Not a lot to report, as waiting to see how I should branch for D-release, as C-release is frozen.
14:05:13 <lhinds> only a small bug to close https://jira.opnfv.org/browse/SECSCAN-18
14:05:52 <lhinds> and another closed last week...
14:05:55 <serverascode> I'm wondering what the next steps I should pursue are, in terms of https://jira.opnfv.org/browse/SECSCAN-7
14:06:15 <serverascode> as in how to determine the health of the 14.04 oscap content
14:06:50 <lhinds> just looking serverascode
14:07:09 <lhinds> ok, first off..good work!
14:07:19 <lhinds> you got the scanner issues fixed?
14:08:00 <serverascode> yeah it will run and so does the govready stuff, but I'm not sure how to ascertain the health of the actual rules
14:09:04 <lhinds> one sec...just reading
14:09:24 <lhinds> well this looks healthy to me.
14:09:27 <lhinds> "This includes insuring that the content available can be run by the tool and reports are valid and sound (not full of gibberish, but instead human readable)"
14:09:47 <lhinds> so by gibberish, I meant correctly formatted and readable
14:10:12 <lhinds> not lots of incorrect formatting e.g. '(*#~2!!'@@) etc
14:10:53 <serverascode> yeah it does seem to output properly
14:11:07 <lhinds> SCAP is often prone to encoding issues
14:11:12 <lhinds> and this looks good to me.
14:11:36 <lhinds> The results are not for us to be concerned with (such as the hardening status / health)
14:11:51 <lhinds> more the health of the report being generated cleanly
14:11:57 <lhinds> does that make sense?
14:12:00 <serverascode> yup
14:12:08 <lhinds> good work mate!
14:12:27 <serverascode> cool thanks :)
14:12:29 <lhinds> next steps will be writing the code so it's part of Fuel's CI build
14:12:55 <lhinds> That will be on me, so I expect will start that over the next fortnight.
14:13:04 <serverascode> ok
14:13:07 <lhinds> BTW, did you get your fixes pushed upstream ?
14:13:17 <lhinds> I think others would benefit from this work too
14:13:53 <serverascode> there weren't really any fixes, just a realization that 1) the SWIG errors weren't a big deal and 2) make check is not tested on ubuntu
14:14:36 <lhinds> I am just thinking we could create a DEB file from your work and make it available in Ubuntu / Debian repos?
14:15:02 <lhinds> your work == dealing with compiling issues as you describe
14:15:25 <serverascode> 14.04 has an openscap package it's just older
14:15:27 <lhinds> how do you fancy being a package maintainer :) ?
14:15:44 <lhinds> https://jira.opnfv.org/browse/SECSCAN-9
14:16:14 <lhinds> so maybe we could look into if the maintainer still looks after updating the packages?
14:16:58 <serverascode> I could work on getting a new package for 14.04 for sure, just not sure they would take it
14:17:52 <lhinds> If you don't mind doing that, go for it..I will back you up on any mailing lists etc, not that I think you will need it.
14:18:02 <serverascode> ok sure I can take that on
14:18:45 <lhinds> thanks mate, any lifting you need me to do, just let me know. I know a guy who is a Debian package maintainer who I am sure will help if we need advice.
14:18:52 <serverascode> ok
14:19:20 <lhinds> cool!
14:19:26 <lhinds> ok..
14:19:35 <lhinds> #topic security audit
14:20:13 <lhinds> so been busy here, currently I have completed code checks on Apex, Fuel, and just now..release engineering.
14:20:29 <Sona> Thanks Luke, you have done a lot
14:20:41 <lhinds> Found quite a few things, but won't list here, as kind of in embargo.
14:20:59 <Sona> I feel guilty :(
14:21:08 <lhinds> don't worry!
14:21:22 <lhinds> you can test my tool out if you want to help
14:21:34 <lhinds> we now have some readthedocs auto builds going on
14:21:36 <lhinds> http://anteater.readthedocs.io/en/latest/index.html
14:21:45 <Sona> do you know if Jira can handle privacy
14:21:45 <lhinds> and the tool itself:
14:21:47 <lhinds> https://github.com/lukehinds/anteater
14:21:58 <lhinds> Sona, waiting to hear back from Aric
14:22:36 <lhinds> quick demo:
14:22:36 <Sona> Do you think it would help if I attend TSC meeting next week
14:22:38 <lhinds> https://asciinema.org/a/5juc3lxf8p4dene8h8y8r68le
14:23:21 <Sona> nice demo
14:23:53 <lhinds> I have not had time to add the bad crypto checks, but will do.
14:23:59 <lhinds> I have just been using grep for now
14:24:12 <serverascode> interesting, guess opnfv will have to deal with a lot more languages than openstack
14:24:13 <Sona> it is a good start
14:24:26 <lhinds> but will try to get something programmatic going in anteater
14:24:51 <lhinds> seems like ashlee is getting busy too now, so all good
14:26:01 <lhinds> ok, any questions on security audits?
14:26:34 <lhinds> Sona: "Do you think it would help if I attend TSC" - Not sure, do we have a slot organised?
14:26:44 <Sona> I just don't know how to contribute ?
14:26:58 <Sona> with sec-audit
14:27:00 <lhinds> serverascode: yep, we have C, Python, and Java
14:27:38 <lhinds> Sona: Try to install the tool and see if you can get it to run, and then try to break it...that will help loads.
14:27:53 <Sona> ok
14:27:55 <lhinds> You can then make suggestions on how it could be improved, etc.
14:28:14 <lhinds> just ping me on irc if you get stuck with anything
14:28:27 <Sona> about TSC meeting: I wonder if it helps to bring up Jira issue in TSC meeting?
14:28:48 <Sona> or should I discuss it directly with Aric
14:28:55 <Sona> or Ray?
14:29:30 <lhinds> Just keep reminding them over email, or IM aric in #opnfv-meeting
14:29:40 <Sona> ok
14:29:43 <lhinds> TSC tends to have pre-scheduled topics.
14:30:03 <Sona> I see
14:30:22 <lhinds> ok..
14:30:31 <lhinds> #topic badge program
14:30:36 <lhinds> over to you Sona
14:31:12 <Sona> I helped Jill with some questions
14:31:38 <Sona> I hope they can make official announcement/white paper
14:31:58 <Sona> how was my blog? did you like it?
14:32:40 <Sona> I think it is good that we (Security Group) write blogs once in a while
14:32:51 <lhinds> Sona: looked good, Ashlee added some answers as well, so I guess it could be a multi interview panel thing
14:33:14 <Sona> that would be good
14:33:36 <serverascode> I read it, good stuff :)
14:33:50 <Sona> I will soon clean up the Jira
14:34:28 <Sona> and start planning of maintenance of Badge
14:34:35 <Sona> and improving it
14:35:09 <lhinds> thanks Sona
14:35:28 <Sona> you are welcome :)
14:35:34 <lhinds> ok, so I think it's now AOB
14:35:42 <lhinds> #topic AOB
14:35:48 <lhinds> (any other business)
14:35:52 <lhinds> anyone...?
14:35:55 <serverascode> none
14:36:00 <Sona> I don't have anything more to bring up
14:36:10 <lhinds> serverascode ?
14:36:17 <serverascode> nope nothing
14:36:31 <lhinds> ok, good meeting today, appreciate the work / efforts all.
14:36:36 <lhinds> #endmeeting