Tuesday, 2014-09-02

00:14 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/118230
00:25 <openstackgerrit> Shellee Arnold proposed a change to openstack/security-doc: Grammatical errors in CH.45 - Forensics and Incident Response.  https://review.openstack.org/116545
00:58 *** jamielen- has joined #openstack-security
01:00 *** jamielennox has quit IRC
01:01 *** jamielen- is now known as jamielennox
01:04 <openstackgerrit> Shellee Arnold proposed a change to openstack/security-doc: Sentence rewording CH. 41 - Hardening the Virtualization Layers  https://review.openstack.org/118234
01:10 *** jamielennox_ has joined #openstack-security
01:11 *** jamielen- has joined #openstack-security
01:12 *** jamielen| has joined #openstack-security
01:13 *** jamielennox has quit IRC
01:15 *** jamielennox_ has quit IRC
01:15 *** jamielen- has quit IRC
01:18 *** jamielen| is now known as jamielennox
01:28 *** jamielennox_ has joined #openstack-security
01:31 *** jamielennox has quit IRC
01:40 *** jamielennox_ is now known as jamielennox
01:41 <openstackgerrit> Shellee Arnold proposed a change to openstack/security-doc: Suspicious Link in CH 9 - Continuous Systems Management.  https://review.openstack.org/118236
01:52 <openstackgerrit> Deepti Navale proposed a change to openstack/security-doc: Included info about Federated Identity  https://review.openstack.org/118237
02:10 *** jamielen- has joined #openstack-security
02:13 *** jamielennox has quit IRC
02:47 *** jamielennox has joined #openstack-security
02:48 *** jamielennox_ has joined #openstack-security
02:52 *** jamielen- has quit IRC
02:52 *** jamielennox has quit IRC
03:00 *** zz_naotokl is now known as naotok
03:01 *** jamielen- has joined #openstack-security
03:05 *** jamielennox_ has quit IRC
03:47 *** jamielennox has joined #openstack-security
03:48 *** jamielennox_ has joined #openstack-security
03:50 *** jamielen- has quit IRC
03:52 *** jamielennox has quit IRC
04:14 *** jamielennox has joined #openstack-security
04:14 *** voodookid has joined #openstack-security
04:15 *** jamielen- has joined #openstack-security
04:18 *** jamielennox_ has quit IRC
04:19 *** jamielennox has quit IRC
04:38 *** voodookid has quit IRC
04:40 *** voodookid has joined #openstack-security
04:46 *** voodookid has quit IRC
05:52 *** jamielennox has joined #openstack-security
05:54 *** jamielen- has quit IRC
06:52 *** jamielennox_ has joined #openstack-security
06:53 *** jamielen- has joined #openstack-security
06:56 *** jamielennox has quit IRC
06:57 *** jamielennox_ has quit IRC
07:02 *** openstackgerrit has quit IRC
07:11 *** jamielen- is now known as jamielennox
07:33 *** naotok is now known as zz_naotok
08:09 *** jamielennox is now known as jamielennox|away
09:30 *** IAm_thor has joined #openstack-security
09:30 *** IAm_thor has left #openstack-security
09:42 *** IAm_thor has joined #openstack-security
09:42 *** IAm_thor has left #openstack-security
09:45 *** IAm_thor has joined #openstack-security
09:45 *** IAm_thor has left #openstack-security
09:48 *** IAm_thor has joined #openstack-security
09:48 *** IAm_thor has left #openstack-security
09:53 *** IAm_thor has joined #openstack-security
09:54 *** IAm_thor has left #openstack-security
12:28 *** amrith is now known as _amrith_
12:39 *** IAm_thor has joined #openstack-security
12:40 *** IAm_thor has left #openstack-security
12:42 *** IAm_thor has joined #openstack-security
12:44 *** IAm_thor has quit IRC
13:05 *** voodookid has joined #openstack-security
13:09 *** dmccowan has joined #openstack-security
13:11 *** paulmo has joined #openstack-security
13:14 *** paulmo has quit IRC
13:14 *** paulmo has joined #openstack-security
13:21 *** paulmo has left #openstack-security
13:23 *** bknudson has joined #openstack-security
13:27 *** paulmo has joined #openstack-security
13:30 *** voodookid has quit IRC
13:49 *** _amrith_ is now known as amrith
14:05 *** openstackgerrit has joined #openstack-security
14:15 *** IAm_thor has joined #openstack-security
14:15 *** IAm_thor has left #openstack-security
14:28 *** nkinder has joined #openstack-security
14:34 *** voodookid has joined #openstack-security
14:38 *** IAm_thor has joined #openstack-security
14:38 *** IAm_thor has left #openstack-security
14:51 *** IAm_thor has joined #openstack-security
14:51 *** IAm_thor has left #openstack-security
14:58 *** dmccowan has quit IRC
15:00 *** IAm_thor has joined #openstack-security
15:00 *** IAm_thor has left #openstack-security
15:03 *** dmccowan has joined #openstack-security
16:08 *** tmcpeak has joined #openstack-security
16:44 <tmcpeak> nkinder: you around?
16:44 <nkinder> tmcpeak: yep
16:45 <tmcpeak> cool
16:45 <tmcpeak> nkinder: so for bandit: I've changed it so that each test has a decorator which marks which node type it should run against
16:45 <tmcpeak> like this:
16:45 <tmcpeak> @checks_functions
16:45 <tmcpeak> def call_wildcard_injection(context):
16:46 <tmcpeak> so we no longer need the right hand side of this:
16:46 <tmcpeak> call_wildcard_injection = test_calls
16:46 <tmcpeak> for that matter we no longer need the left hand side of it either
16:47 <tmcpeak> we can have it so that you just run bandit, it automatically scans the plugins directory, and loads all functions and runs the appropriate type of tests for each node
16:47 <tmcpeak> so now we need to define what configs should look like
16:48 <tmcpeak> should we assume for a config all tests are in unless specifically excluded, or all tests are out unless specifically included
16:48 <tmcpeak> nkinder: any thoughts?
16:49 <nkinder> tmcpeak: is there a need to have a test get run for multiple node types?
16:50 <tmcpeak> nkinder: that would be supported with the decorator
16:50 <tmcpeak> @checks_functions
16:50 <tmcpeak> @checks_imports
16:50 <tmcpeak> ...
16:50 <tmcpeak> I think that would be a fringe case, which is why I didn't write it so that you just do @checks('functions', 'imports')
16:54 <nkinder> tmcpeak: yeah, so the decorators thing sounds good
16:54 <nkinder> tmcpeak: for tests, I would assume everything is in unless explicitly excluded
16:55 <tmcpeak> cool
16:55 <tmcpeak> so regardless of data format, I'm thinking something like
16:55 <tmcpeak> profile: OpenStack
16:55 <tmcpeak> - exclude: none
16:55 <tmcpeak> profile: normal python
16:56 <tmcpeak> er
16:56 <tmcpeak> normal_python
16:56 <tmcpeak> exclude: processutils.execute
16:56 <tmcpeak> etc
16:57 <tmcpeak> where processutils.execute is the name of a test
16:57 <tmcpeak> tests are named based on filename
16:57 <tmcpeak> sounds good?
17:04 *** bdpayne has joined #openstack-security
17:11 <amrith> tmcpeak, new code for you to review! (thanks)
17:17 <openstackgerrit> Stanislaw Pitucha proposed a change to openstack/security-doc: OSSN-0023 Keystone logs tokens at INFO levels  https://review.openstack.org/114971
17:20 <tmcpeak> amrith: CL #6?
17:21 <amrith> thanks, didn't realize you'd already +1'ed it.
17:21 <tmcpeak> :)
17:21 <tmcpeak> maybe somebody else in here can give it a second look
17:22 <tmcpeak> paulmo bdpayne nkinder bknudson, etc
17:22 <bdpayne> alert all the people :-)
17:22 <bknudson> look at what?
17:22 <tmcpeak> oh crap
17:22 <tmcpeak> link :)
17:22 <tmcpeak> https://review.openstack.org/117174
17:23 <bknudson> yikes
17:23 <tmcpeak> lol
17:23 <tmcpeak> yeah, the original bug was exciting
17:30 <openstackgerrit> Andreas Jaeger proposed a change to openstack/security-doc: Add project and service names to glossary  https://review.openstack.org/118412
17:37 <tmcpeak> bknudson: thank you!
17:40 <openstackgerrit> A change was merged to openstack/security-doc: Add links/references to RFCs/NIST publications in Chapter 40 tables - Hypervisor selection  https://review.openstack.org/117612
17:43 *** nkinder has quit IRC
17:54 *** sicarie has joined #openstack-security
18:01 *** bdpayne has quit IRC
18:01 *** bdpayne has joined #openstack-security
18:01 *** sicarie has quit IRC
18:06 *** nkinder has joined #openstack-security
18:07 <tmcpeak> nkinder: is this the correct/latest repo for OSSN? https://github.com/openstack/security-doc/tree/master/security-notes
18:07 <nkinder> tmcpeak: yes
18:07 <tmcpeak> cool
18:07 <tmcpeak> any way to just grab the OSSN part, or do I just git clone the whole security doc now?
18:09 *** jamielennox|away is now known as jamielennox_
18:15 <nkinder> tmcpeak: you need to clone the entire repo
18:16 <tmcpeak> nkinder: ok, cool
18:27 <tmcpeak> what do you guys think I should list for vulnerable OpenStack components / versions for the code execution by writing to config
18:28 <tmcpeak> I'd imagine pretty much all components/versions are affected
18:28 <tmcpeak> thoughts?
18:28 <tmcpeak> nkinder: ^ ?
18:45 <nkinder> tmcpeak: which one is this?  Injection via the config files?
18:46 <nkinder> tmcpeak: IIRC, there were only certain services who were vulnerable
18:51 <tmcpeak> nkinder: yeah, that we found so far, but given that most of the processes are using processutils.execute rather than popen, my guess is that our list is not exhaustive
18:51 <tmcpeak> there are at least two services I know of: glance and trove
18:51 <tmcpeak> should I hold off until I've done a complete scan, or should we somehow say multiple services
18:54 <tmcpeak> nkinder: I guess in general we need to decide what direction we want to go with this note
18:54 <tmcpeak> do we want to say that the recommended action is to ensure all config files are locked down and validate inputs to them that do take input from untrusted users
18:55 <tmcpeak> or do we want to call attention to particular services which aren't parameterizing inputs to process calls correctly
18:55 <tmcpeak> my feeling is to go with the first, because calling out all of the ways where malicious config file tampering can cause code execution is a moving target
18:59 *** sweston_ is now known as sweston
19:12 <nkinder> tmcpeak: I wouldn't want to say that something is vulnerable if it's not, so we should call out the ones we know.
19:12 <tmcpeak> ok
19:12 <nkinder> tmcpeak: it's OK to say other services might be affected, and that you really need to protect access to config files in general
19:13 <tmcpeak> what about just 'Numerous OpenStack services / versions'
19:21 <tmcpeak> nkinder: since I fixed the one in Glance, the only one we have currently unfixed is in Trove, but I bet there's a bunch more
19:22 <tmcpeak> nkinder: maybe I should hold off on this until I add processutils.execute with shell=True scanning
19:22 <tmcpeak> I don't want to pick on Trove, I bet it's all over the place
19:22 <amrith> bknudson, tmcpeak ... took another crack at  https://review.openstack.org/117174
19:22 <amrith> tmc just saw your last comment, yes it is all over the place.
19:23 <tmcpeak> amrith: yeah
19:23 <tmcpeak> if I'm going to call out shell=True, I'll wait until I get Bandit updated so I can at least pick on projects equally
19:23 *** dmccowan has quit IRC
19:38 *** dmccowan has joined #openstack-security
19:43 *** dmccowan has quit IRC
19:43 *** dmccowan has joined #openstack-security
20:11 <tmcpeak> nkinder: getting ready to get going on Bandit config change as talked about above.  Thinking to use yml, you ok with that?
20:11 <nkinder> tmcpeak: I'm ok with YAML
20:11 <tmcpeak> cool
20:34 *** amrith is now known as _amrith_
21:23 *** sicarie has joined #openstack-security
21:32 *** dmccowan has quit IRC
21:39 *** _amrith_ is now known as amrith
21:48 *** nkinder has quit IRC
22:05 *** bknudson has quit IRC
22:31 *** bdpayne has quit IRC
22:32 *** bdpayne has joined #openstack-security
22:52 *** grom has joined #openstack-security
23:10 *** voodookid has quit IRC
23:14 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/118488
23:18 *** jamielen^ has joined #openstack-security
23:20 *** jamielennox_ has quit IRC
23:25 *** sicarie has quit IRC
23:27 *** bdpayne has quit IRC
23:32 *** jamielennox has joined #openstack-security
23:32 *** jamielen^ has left #openstack-security
23:32 *** bdpayne has joined #openstack-security
23:46 <grom> logout
23:47 <grom> quit
23:47 *** grom has quit IRC
23:55 *** bdpayne has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!