openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/118230 | 00:14 |
openstackgerrit | Shellee Arnold proposed a change to openstack/security-doc: Grammatical errors in CH.45 - Forensics and Incident Response. https://review.openstack.org/116545 | 00:25 |
*** jamielen- has joined #openstack-security | 00:58 | |
*** jamielennox has quit IRC | 01:00 | |
*** jamielen- is now known as jamielennox | 01:01 | |
openstackgerrit | Shellee Arnold proposed a change to openstack/security-doc: Sentence rewording CH. 41 - Hardening the Virtualization Layers https://review.openstack.org/118234 | 01:04 |
*** jamielennox_ has joined #openstack-security | 01:10 | |
*** jamielen- has joined #openstack-security | 01:11 | |
*** jamielen| has joined #openstack-security | 01:12 | |
*** jamielennox has quit IRC | 01:13 | |
*** jamielennox_ has quit IRC | 01:15 | |
*** jamielen- has quit IRC | 01:15 | |
*** jamielen| is now known as jamielennox | 01:18 | |
*** jamielennox_ has joined #openstack-security | 01:28 | |
*** jamielennox has quit IRC | 01:31 | |
*** jamielennox_ is now known as jamielennox | 01:40 | |
openstackgerrit | Shellee Arnold proposed a change to openstack/security-doc: Suspicious Link in CH 9 - Continuous Systems Management. https://review.openstack.org/118236 | 01:41 |
openstackgerrit | Deepti Navale proposed a change to openstack/security-doc: Included info about Federated Identity https://review.openstack.org/118237 | 01:52 |
*** jamielen- has joined #openstack-security | 02:10 | |
*** jamielennox has quit IRC | 02:13 | |
*** jamielennox has joined #openstack-security | 02:47 | |
*** jamielennox_ has joined #openstack-security | 02:48 | |
*** jamielen- has quit IRC | 02:52 | |
*** jamielennox has quit IRC | 02:52 | |
*** zz_naotokl is now known as naotok | 03:00 | |
*** jamielen- has joined #openstack-security | 03:01 | |
*** jamielennox_ has quit IRC | 03:05 | |
*** jamielennox has joined #openstack-security | 03:47 | |
*** jamielennox_ has joined #openstack-security | 03:48 | |
*** jamielen- has quit IRC | 03:50 | |
*** jamielennox has quit IRC | 03:52 | |
*** jamielennox has joined #openstack-security | 04:14 | |
*** voodookid has joined #openstack-security | 04:14 | |
*** jamielen- has joined #openstack-security | 04:15 | |
*** jamielennox_ has quit IRC | 04:18 | |
*** jamielennox has quit IRC | 04:19 | |
*** voodookid has quit IRC | 04:38 | |
*** voodookid has joined #openstack-security | 04:40 | |
*** voodookid has quit IRC | 04:46 | |
*** jamielennox has joined #openstack-security | 05:52 | |
*** jamielen- has quit IRC | 05:54 | |
*** jamielennox_ has joined #openstack-security | 06:52 | |
*** jamielen- has joined #openstack-security | 06:53 | |
*** jamielennox has quit IRC | 06:56 | |
*** jamielennox_ has quit IRC | 06:57 | |
*** openstackgerrit has quit IRC | 07:02 | |
*** jamielen- is now known as jamielennox | 07:11 | |
*** naotok is now known as zz_naotok | 07:33 | |
*** jamielennox is now known as jamielennox|away | 08:09 | |
*** IAm_thor has joined #openstack-security | 09:30 | |
*** IAm_thor has left #openstack-security | 09:30 | |
*** IAm_thor has joined #openstack-security | 09:42 | |
*** IAm_thor has left #openstack-security | 09:42 | |
*** IAm_thor has joined #openstack-security | 09:45 | |
*** IAm_thor has left #openstack-security | 09:45 | |
*** IAm_thor has joined #openstack-security | 09:48 | |
*** IAm_thor has left #openstack-security | 09:48 | |
*** IAm_thor has joined #openstack-security | 09:53 | |
*** IAm_thor has left #openstack-security | 09:54 | |
*** amrith is now known as _amrith_ | 12:28 | |
*** IAm_thor has joined #openstack-security | 12:39 | |
*** IAm_thor has left #openstack-security | 12:40 | |
*** IAm_thor has joined #openstack-security | 12:42 | |
*** IAm_thor has quit IRC | 12:44 | |
*** voodookid has joined #openstack-security | 13:05 | |
*** dmccowan has joined #openstack-security | 13:09 | |
*** paulmo has joined #openstack-security | 13:11 | |
*** paulmo has quit IRC | 13:14 | |
*** paulmo has joined #openstack-security | 13:14 | |
*** paulmo has left #openstack-security | 13:21 | |
*** bknudson has joined #openstack-security | 13:23 | |
*** paulmo has joined #openstack-security | 13:27 | |
*** voodookid has quit IRC | 13:30 | |
*** _amrith_ is now known as amrith | 13:49 | |
*** openstackgerrit has joined #openstack-security | 14:05 | |
*** IAm_thor has joined #openstack-security | 14:15 | |
*** IAm_thor has left #openstack-security | 14:15 | |
*** nkinder has joined #openstack-security | 14:28 | |
*** voodookid has joined #openstack-security | 14:34 | |
*** IAm_thor has joined #openstack-security | 14:38 | |
*** IAm_thor has left #openstack-security | 14:38 | |
*** IAm_thor has joined #openstack-security | 14:51 | |
*** IAm_thor has left #openstack-security | 14:51 | |
*** dmccowan has quit IRC | 14:58 | |
*** IAm_thor has joined #openstack-security | 15:00 | |
*** IAm_thor has left #openstack-security | 15:00 | |
*** dmccowan has joined #openstack-security | 15:03 | |
*** tmcpeak has joined #openstack-security | 16:08 | |
tmcpeak | nkinder: you around? | 16:44 |
nkinder | tmcpeak: yep | 16:44 |
tmcpeak | cool | 16:45 |
tmcpeak | nkinder: so for bandit: I've changed it so that each test has a decorator which marks which node type it should run against | 16:45 |
tmcpeak | like this: | 16:45 |
tmcpeak | @checks_functions | 16:45 |
tmcpeak | def call_wildcard_injection(context): | 16:45 |
tmcpeak | so we no longer need the right hand side of this: | 16:46 |
tmcpeak | call_wildcard_injection = test_calls | 16:46 |
tmcpeak | for that matter we no longer need the left hand side of it either | 16:46 |
tmcpeak | we can have it so that you just run bandit, it automatically scans the plugins directory, and loads all functions and runs the appropriate type of tests for each node | 16:47 |
tmcpeak | so now we need to define what configs should look like | 16:47 |
tmcpeak | should we assume for a config all tests are in unless specifically excluded, or all tests are out unless specifically included | 16:48 |
tmcpeak | nkinder: any thoughts? | 16:48 |
nkinder | tmcpeak: is there a need to have a test get run for multiple node types? | 16:49 |
tmcpeak | nkinder: that would be supported with the decorator | 16:50 |
tmcpeak | @checks_functions | 16:50 |
tmcpeak | @checks_imports | 16:50 |
tmcpeak | ... | 16:50 |
tmcpeak | I think that would be a fringe case, which is why I didn't write it so that you just do @checks('functions', 'imports') | 16:50 |
nkinder | tmcpeak: yeah, so the decorators thing sounds good | 16:54 |
nkinder | tmcpeak: for tests, I would assume everything is in unless explicitly excluded | 16:54 |
tmcpeak | cool | 16:55 |
tmcpeak | so regardless of data format, I'm thinking something like | 16:55 |
tmcpeak | profile: OpenStack | 16:55 |
tmcpeak | - exclude: none | 16:55 |
tmcpeak | profile: normal python | 16:55 |
tmcpeak | er | 16:56 |
tmcpeak | normal_python | 16:56 |
tmcpeak | exclude: processutils.execute | 16:56 |
tmcpeak | etc | 16:56 |
tmcpeak | where processutils.execute is the name of a test | 16:57 |
tmcpeak | tests are named based on filename | 16:57 |
tmcpeak | sounds good? | 16:57 |
*** bdpayne has joined #openstack-security | 17:04 | |
amrith | tmcpeak, new code for you to review! (thanks) | 17:11 |
openstackgerrit | Stanislaw Pitucha proposed a change to openstack/security-doc: OSSN-0023 Keystone logs tokens at INFO levels https://review.openstack.org/114971 | 17:17 |
tmcpeak | amrith: CL #6? | 17:20 |
amrith | thanks, didn't realize you'd already +1'ed it. | 17:21 |
tmcpeak | :) | 17:21 |
tmcpeak | maybe somebody else in here can give it a second look | 17:21 |
tmcpeak | paulmo bdpayne nkinder bknudson, etc | 17:22 |
bdpayne | alert all the people :-) | 17:22 |
bknudson | look at what? | 17:22 |
tmcpeak | oh crap | 17:22 |
tmcpeak | link :) | 17:22 |
tmcpeak | https://review.openstack.org/117174 | 17:22 |
bknudson | yikes | 17:23 |
tmcpeak | lol | 17:23 |
tmcpeak | yeah, the original bug was exciting | 17:23 |
openstackgerrit | Andreas Jaeger proposed a change to openstack/security-doc: Add project and service names to glossary https://review.openstack.org/118412 | 17:30 |
tmcpeak | bknudson: thank you! | 17:37 |
openstackgerrit | A change was merged to openstack/security-doc: Add links/references to RFCs/NIST publications in Chapter 40 tables - Hypervisor selection https://review.openstack.org/117612 | 17:40 |
*** nkinder has quit IRC | 17:43 | |
*** sicarie has joined #openstack-security | 17:54 | |
*** bdpayne has quit IRC | 18:01 | |
*** bdpayne has joined #openstack-security | 18:01 | |
*** sicarie has quit IRC | 18:01 | |
*** nkinder has joined #openstack-security | 18:06 | |
tmcpeak | nkinder: is this the correct/latest repo for OSSN? https://github.com/openstack/security-doc/tree/master/security-notes | 18:07 |
nkinder | tmcpeak: yes | 18:07 |
tmcpeak | cool | 18:07 |
tmcpeak | any way to just grab the OSSN part, or do I just git clone the whole security doc now? | 18:07 |
*** jamielennox|away is now known as jamielennox_ | 18:09 | |
nkinder | tmcpeak: you need to clone the entire repo | 18:15 |
tmcpeak | nkinder: ok, cool | 18:16 |
tmcpeak | what do you guys think I should list for vulnerable OpenStack components / versions for the code execution by writing to config | 18:27 |
tmcpeak | I'd imagine pretty much all components/versions are affected | 18:28 |
tmcpeak | thoughts? | 18:28 |
tmcpeak | nkinder: ^ ? | 18:28 |
nkinder | tmcpeak: which one is this? Injection via the config files? | 18:45 |
nkinder | tmcpeak: IIRC, there were only certain services who were vulnerable | 18:46 |
tmcpeak | nkinder: yeah, that we found so far, but given that most of the processes are using processutils.execute rather than popen, my guess is that our list is not exhaustive | 18:51 |
tmcpeak | there are at least two services I know of: glance and trove | 18:51 |
tmcpeak | should I hold off until I've done a complete scan, or should we somehow say multiple services | 18:51 |
tmcpeak | nkinder: I guess in general we need to decide what direction we want to go with this note | 18:54 |
tmcpeak | do we want to say that the recommended action is to ensure all config files are locked down and validate inputs to them that do take input from untrusted users | 18:54 |
tmcpeak | or do we want to call attention to particular services which aren't parameterizing inputs to process calls correctly | 18:55 |
tmcpeak | my feeling is to go with the first, because calling out all of the ways where malicious config file tampering can cause code execution is a moving target | 18:55 |
*** sweston_ is now known as sweston | 18:59 | |
nkinder | tmcpeak: I wouldn't want to say that something is vulnerable if it's not, so we should call out the ones we know. | 19:12 |
tmcpeak | ok | 19:12 |
nkinder | tmcpeak: it's OK to say other services might be affected, and that you really need to protect access to config files in general | 19:12 |
tmcpeak | what about just 'Numerous OpenStack services / versions' | 19:13 |
tmcpeak | nkinder: since I fixed the one in Glance, the only one we have currently unfixed is in Trove, but I bet there's a bunch more | 19:21 |
tmcpeak | nkinder: maybe I should hold off on this until I add processutils.execute with shell=True scanning | 19:22 |
tmcpeak | I don't want to pick on Trove, I bet it's all over the place | 19:22 |
amrith | bknudson, tmcpeak ... took another crack at https://review.openstack.org/117174 | 19:22 |
amrith | tmc just saw your last comment, yes it is all over the place. | 19:22 |
tmcpeak | amrith: yeah | 19:23 |
tmcpeak | if I'm going to call out shell=True, I'll wait until I get Bandit updated so I can at least pick on projects equally | 19:23 |
*** dmccowan has quit IRC | 19:23 | |
*** dmccowan has joined #openstack-security | 19:38 | |
*** dmccowan has quit IRC | 19:43 | |
*** dmccowan has joined #openstack-security | 19:43 | |
tmcpeak | nkinder: getting ready to get going on Bandit config change as talked about above. Thinking to use yml, you ok with that? | 20:11 |
nkinder | tmcpeak: I'm ok with YAML | 20:11 |
tmcpeak | cool | 20:11 |
*** amrith is now known as _amrith_ | 20:34 | |
*** sicarie has joined #openstack-security | 21:23 | |
*** dmccowan has quit IRC | 21:32 | |
*** _amrith_ is now known as amrith | 21:39 | |
*** nkinder has quit IRC | 21:48 | |
*** bknudson has quit IRC | 22:05 | |
*** bdpayne has quit IRC | 22:31 | |
*** bdpayne has joined #openstack-security | 22:32 | |
*** grom has joined #openstack-security | 22:52 | |
*** voodookid has quit IRC | 23:10 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/118488 | 23:14 |
*** jamielen^ has joined #openstack-security | 23:18 | |
*** jamielennox_ has quit IRC | 23:20 | |
*** sicarie has quit IRC | 23:25 | |
*** bdpayne has quit IRC | 23:27 | |
*** jamielennox has joined #openstack-security | 23:32 | |
*** jamielen^ has left #openstack-security | 23:32 | |
*** bdpayne has joined #openstack-security | 23:32 | |
grom | logout | 23:46 |
grom | quit | 23:47 |
*** grom has quit IRC | 23:47 | |
*** bdpayne has quit IRC | 23:55 | |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!