*** voodookid has joined #openstack-security | 00:34 | |
*** ved_lad has quit IRC | 00:38 | |
nkinder_ | voodookid: hey, I checked out the service users on my RDO Icehouse install | 00:44 |
nkinder_ | voodookid: they're all set to /sbin/nologin | 00:44 |
nkinder_ | voodookid: so typical service/daemon users | 00:44 |
voodookid | okay, I am writing a quick python thing to see what happens with Shell=True with an account with /bin/nologin, /bin/false, etc | 00:44 |
voodookid | mainly for my own edification | 00:45 |
voodookid | thank you, very much | 00:45 |
voodookid | I want to help out, but I feel like I am going to ask some simple questions that are going to elicit some eye rolls | 00:45 |
voodookid | this is a pre-emptive "thank you" for helping out | 00:48 |
voodookid | ah, shoot, okay, even if shell=True, the subprocess module will execute anything in args | 00:52 |
voodookid | and the user's shell is /bin/false | 00:52 |
voodookid | so that is not a great protection anyway | 00:55 |
nkinder_ | voodookid: yeah, it doesn't help | 00:57 |
voodookid | same with nologin as a shell as well. Well, the more you know | 00:58 |
voodookid | nkinder_: I am still looking to help. If you have underserved areas of development and visibility, please point me at them. | 00:59 |
nkinder_ | voodookid: according to the Popen python docs, "On Unix with shell=True, the shell defaults to /bin/sh" | 00:59 |
*** bdpayne has quit IRC | 00:59 | |
nkinder_ | voodookid: so it's not consulting /etc/passwd | 00:59 |
nkinder_ | voodookid: so what are your interests and goals around OpenStack? | 01:00 |
nkinder_ | voodookid: are you just trying to learn more about it? Looking to do development on a core project? Something else? | 01:00 |
nkinder_ | voodookid: given you're on this channel and you were looking at the CA code in Nova, I take it you are interested in security | 01:01 |
voodookid | I am a security engineer who is starting to work with OpenStack, both professionally, as well as in my own projects. I tend to notice the same mistakes in multiple open source projects in regards to a SDLC and security handling in general, so I would like to help out as early as possible. Bugs get more expensive the older they get, so I would like to help catch and fix them as soon as possible as well as offer some helpful s | 01:03 |
nkinder_ | voodookid: There is a lot of interesting work and areas to get involved. Finding something that you are truly interested in will make it enjoyable/rewarding. | 01:03 |
nkinder_ | voodookid: Ok, well there are a few efforts we have going on in the security group that you might find interesting...hreat modelling | 01:04 |
nkinder_ | make that thread modeling... | 01:04 |
nkinder_ | it's been a long day and my fingers have checked out... threat modeling | 01:04 |
nkinder_ | there's been a pass at Keystone, but we want it to cover the other projects | 01:05 |
nkinder_ | voodookid: there's some info here - https://wiki.openstack.org/wiki/Security/Threat_Analysis | 01:05 |
nkinder_ | voodookid: there is also a code-level auditing if you're more of a developer | 01:05 |
*** voodookid1 has joined #openstack-security | 01:06 | |
nkinder_ | voodookid1: whoops, must have lost you. What was the last thing you saw from me? | 01:06 |
voodookid1 | nkinder_: no worries, my wireless is also checked out | 01:06 |
voodookid1 | the pass at KEystone | 01:06 |
voodookid1 | Keystone | 01:06 |
nkinder_ | voodookid: there's some info here - https://wiki.openstack.org/wiki/Security/Threat_Analysis | 01:06 |
nkinder_ | voodookid: there is also a code-level auditing if you're more of a developer type | 01:06 |
voodookid1 | I know that is the imaging service, do you mean, where would I attack if I wanted to get at something? | 01:07 |
nkinder_ | voodookid: keystone is the authorization service. It stores users, handles authentication, and maps the users to roles on a given project | 01:07 |
voodookid1 | nkinder_: reading the doc | 01:07 |
nkinder_ | it then gives the user an authorization token | 01:07 |
voodookid1 | ah, gotcha, sorry, still learning the names of various projects | 01:07 |
nkinder_ | voodookid: no worries. There are a bunch of them, and it takes a bit to wrap your head around which is which | 01:08 |
nkinder_ | voodookid: the goal of the security audit effort is to analyze code and produce a summary of security related info. Here's an example from an audit I did of keystone - https://wiki.openstack.org/wiki/Security/Juno/Keystone | 01:09 |
nkinder_ | voodookid: tmcpeak is working on doing that type of audit of Glance | 01:09 |
*** voodookid has quit IRC | 01:09 | |
nkinder_ | voodookid: the real goals for that effort are to not just provide a summary of security info for compliance, but to identify areas of weakness that can be improved by the development teams | 01:10 |
*** voodookid1 is now known as voodookid | 01:11 | |
voodookid | okay, I am reading up on it now as well as checking out latest Keystone | 01:11 |
voodookid | "Keystone doesn't have an home-brewed encryption implementations, everything is used from Python Standard libraries or third party libraries." <---awesome. First thing I look for "I rolled my own hash algo" | 01:12 |
voodookid | "My own version of MD5" | 01:12 |
voodookid | etc | 01:12 |
nkinder_ | voodookid: yeah, absolutely. | 01:13 |
nkinder_ | voodookid: in my view, OpenStack has grown rather organically with no real coordination around security | 01:13 |
nkinder_ | voodookid: so for example, every project has their own SSL/TLS client side code instead of a single shared implementation | 01:14 |
nkinder_ | voodookid: so if a bug hits, it may require 10+ patches that are all slightly different instead of 1 patch in a centralized module that handles SSL/TLS | 01:15 |
voodookid | such is the way of most projects. You can drag a horse to water, but you cannot make it drink. Same with devs, I think identifying those areas, putting security people on it who have dev skills (or want to develop those, such as myself) you will still get the gains. I have yet to meet a developer who was good at security if they were not already "in" to security. Most of them are security folks who develop. Not the other wa | 01:16 |
nkinder_ | that particular issue is starting to get addressed now | 01:16 |
voodookid | and yeah, I was noticing that too. I am noticing some repeat code | 01:16 |
voodookid | not boiler plate, but same basic functionality | 01:16 |
nkinder_ | voodookid: one of the grand visions is to eventually have established security guidelines/standards that each project needs to follow | 01:17 |
nkinder_ | voodookid: but we need to see where we're at currently and start a cleanup effort (which is slow-going) | 01:17 |
nkinder_ | voodookid: if you're interested in the auditing effort, I've summed it up here - http://www.youtube.com/watch?v=-UPRlbPwV10 | 01:18 |
* voodookid is watching nkinder_ 's video | 01:18 | |
nkinder_ | voodookid: when you're done, this shows the current projects that are/aren't covered - https://wiki.openstack.org/wiki/Security/Juno | 01:25 |
voodookid | nkinder_: "Integrated Projects" and "Incubated" are covered? | 01:29 |
nkinder_ | voodookid: the more the merrier | 01:29 |
nkinder_ | voodookid: integrated are the core projects | 01:29 |
voodookid | ah, okay, and incubated are a work in progress? | 01:30 |
nkinder_ | incubated are on their way to integrated (hopefully) | 01:30 |
nkinder_ | exactly | 01:30 |
nkinder_ | incubated have to be improved for incubation, so they're in a "trial period" so to speak | 01:30 |
voodookid | ah, okay, and there are other projects out there that are not even listed? This is just what the security team has and what they are working on | 01:30 |
nkinder_ | boy... s/improved/approved/ | 01:30 |
nkinder_ | stackforge is anything goes, which is where most projects start | 01:31 |
nkinder_ | they're not really a part of OpenStack, but they are OpenStack related projects | 01:31 |
voodookid | ah, okay | 01:31 |
nkinder_ | integrated is what OpenStack really is, and incubated are on their way to being an official part of OpenStack | 01:31 |
nkinder_ | voodookid: I'd recommend seeing what catches your interest from the integrated list, as those are most important to cover | 01:33 |
voodookid | gotcha, that is what I am looking at now | 01:33 |
nkinder_ | voodookid: nova and neutron are pretty complex areas | 01:33 |
voodookid | I have looked at nova, but just barely | 01:34 |
nkinder_ | cinder might be a good one to start with | 01:34 |
voodookid | I am looking at keystone right now, mainly because authN/Z stuff is where I get stoked on | 01:34 |
nkinder_ | heh, that's my area of interest too | 01:34 |
voodookid | bcrypt, scrypt, PBKPF2, OpenLDAP/Kerberos, SAML (blegh), etc | 01:35 |
nkinder_ | I come from an LDAP server developer background | 01:35 |
voodookid | so many cool things | 01:35 |
voodookid | *PBKDF2, my fingers lurv to write that wrong | 01:36 |
nkinder_ | heh... they basically needed a whole new acronym when it's really multiple rounds of SHA | 01:37 |
*** voodookid has quit IRC | 02:34 | |
*** voodookid has joined #openstack-security | 02:54 | |
*** voodookid has quit IRC | 03:01 | |
*** bdpayne has joined #openstack-security | 05:33 | |
*** bdpayne has quit IRC | 05:52 | |
*** jkraj has joined #openstack-security | 08:40 | |
*** jkraj has quit IRC | 12:55 | |
*** nkinder_ has quit IRC | 13:08 | |
*** nkinder_ has joined #openstack-security | 13:56 | |
*** paulmo has joined #openstack-security | 14:04 | |
*** jkraj has joined #openstack-security | 14:31 | |
*** voodookid has joined #openstack-security | 14:40 | |
openstackgerrit | Christian Berendt proposed a change to openstack/security-doc: Fixed wrong usage of links https://review.openstack.org/104219 | 15:13 |
*** tmcpeak has joined #openstack-security | 15:30 | |
paulmo | tmcpeak: Did you get the () line continuation stuff worked out yesterday btw? | 15:40 |
tmcpeak | paulmo: yeah, I just shortened the variable name :) | 15:41 |
paulmo | haha that works. If you want an example of what to do I'm happy to show you btw. | 15:42 |
tmcpeak | ok, just for giggles | 15:42 |
tmcpeak | how would you wrap this line with parenthesis | 15:42 |
tmcpeak | paulmo: if 'shell=True' in line_no_sp and 'subprocess' in line_no_sp: | 15:43 |
paulmo | I'll assume indentation is causing that to go past 79 chars | 15:43 |
tmcpeak | the old variable name, instead of line_no_sp was | 15:44 |
paulmo | Ok, I went overboard just to show: | 15:45 |
paulmo | if ('shell=True' in | 15:45 |
paulmo | line_no_sp and | 15:45 |
paulmo | 'subprocess' in | 15:45 |
paulmo | line_no_sp): | 15:45 |
paulmo | That is an easy one. :) | 15:46 |
tmcpeak | ahh ok, so wrap the whole thing in parens and then you can put line breaks wherever you want? | 15:46 |
paulmo | It isn't always quite so easy but for the most part, that can work. | 15:46 |
paulmo | (like breaking up a 500 character single string for example) | 15:47 |
tmcpeak | oh yeah, how does that work? | 15:48 |
tmcpeak | I saw examples on stackforge about that | 15:48 |
tmcpeak | string = "bla bla" | 15:48 |
tmcpeak | string += "bla bla" | 15:48 |
paulmo | Let me write up a quick example :) | 15:48 |
tmcpeak | cool | 15:48 |
paulmo | You can do something like this (just make the strings longer to show the wrapping issue): | 15:50 |
paulmo | my_text = ("0123456789012345678901234567890" | 15:50 |
paulmo | "abcdefghijklmnopqrstuvwxyz") | 15:50 |
paulmo | (ugh the indentation is off but I lined up both strings) | 15:50 |
tmcpeak | ohhh | 15:50 |
tmcpeak | that's cool | 15:51 |
paulmo | Once you see a few examples, it is really easy eh? | 15:51 |
paulmo | :) | 15:51 |
tmcpeak | yeah, good stuff | 15:51 |
tmcpeak | paulmo: thanks! | 15:51 |
paulmo | Anytime! | 15:51 |
tmcpeak | btw, why the holy war against \ | 15:51 |
paulmo | That is an OpenStack religious issue I guess… it isn't a PEP8 requirement. I'm not sure what the history is. | 15:51 |
tmcpeak | ahh, well good to know so I can play along | 15:52 |
paulmo | Most HACKING.rst's will explicitly call that out. | 15:52 |
tmcpeak | yeah, that's actually how I know I had to shorten the line :) | 15:52 |
tmcpeak | running hacking against my own hacking rule | 15:53 |
paulmo | Hack the hacking rule! haha | 15:53 |
*** bdpayne has joined #openstack-security | 15:58 | |
*** bdpayne has quit IRC | 16:05 | |
*** bdpayne has joined #openstack-security | 16:35 | |
*** ved_lad has joined #openstack-security | 17:25 | |
*** openstackgerrit has quit IRC | 17:49 | |
*** openstackgerrit has joined #openstack-security | 17:49 | |
openstackgerrit | A change was merged to openstack/security-doc: Renamed bk-openstack-sec-guide.xml to bk-openstack-security-guide.xml https://review.openstack.org/103985 | 18:27 |
*** ved_lad has quit IRC | 18:33 | |
*** nkinder_ has quit IRC | 19:14 | |
openstackgerrit | Christian Berendt proposed a change to openstack/security-doc: Update to clouddocs-maven-plugin 2.1.1 https://review.openstack.org/104326 | 19:51 |
openstackgerrit | A change was merged to openstack/security-doc: Further translation setup https://review.openstack.org/103748 | 19:54 |
openstackgerrit | Andreas Jaeger proposed a change to openstack/security-doc: Fix buildlang https://review.openstack.org/104327 | 19:58 |
*** ved_lad has joined #openstack-security | 20:03 | |
openstackgerrit | A change was merged to openstack/security-doc: Fix buildlang https://review.openstack.org/104327 | 20:11 |
*** ved_lad has quit IRC | 20:15 | |
*** jkraj has quit IRC | 20:46 | |
*** nkinder_ has joined #openstack-security | 20:50 | |
bdpayne | So who wants to port this to OpenStack? https://github.com/Netflix/security_monkey | 21:59 |
*** ved_lad has joined #openstack-security | 22:01 | |
*** paulmo has quit IRC | 22:05 | |
voodookid | bdpayne: I saw this, freaking rad. What do you think it would take? | 22:08 |
bdpayne | probably quite a bit of work | 22:10 |
tmcpeak | woah, this looks pretty cool | 22:42 |
*** tmcpeak has quit IRC | 23:08 | |
*** voodookid has quit IRC | 23:25 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from global requirements https://review.openstack.org/104392 | 23:59 |