| mharley[m] | Test. | 15:35 |
|---|---|---|
| fungi | mharley[m]: whatcha testin'? | 15:39 |
| mharley[m] | My IRC client. :-) | 15:45 |
| mharley[m] | fungi: leveraging you're here, what's the process to join this team: https://security.openstack.org/vmt.html? | 15:47 |
| fungi | mharley[m]: generally, a deep understanding of upstream openstack development processes as well as some familiarity with details of the software in our overseen repositories, and helping out with public security bugs in openstack projects for a while | 15:48 |
| fungi | also an interest in vulnerability management (obviously), attention to detail, and available time to perform the tasks we do | 15:49 |
| mharley[m] | Thank you, fungi . Will check that. | 15:51 |
| fungi | mharley[m]: https://security.openstack.org/vmt-process.html is our basic process document, and https://security.openstack.org/repos-overseen.html is the current list of repositories for which we oversee reports of suspected vulnerabilities (though that can expand over time, and we do also assist on a best-effort basis with other official openstack deliverables not listed there) | 15:53 |
| mharley[m] | The first link is familiar. The second one is new to me. | 15:58 |
| fungi | the first one includes a link to the second | 15:59 |
| fungi | but it's easy to overlook, yes | 15:59 |
| mharley[m] | Great. My bad to not have read the whole page yet. How is the current situation of using OpenSCAP with OpenStack? | 16:00 |
| mharley[m] | I see a mention to it here: https://docs.openstack.org/security-guide/management/integrity-life-cycle.html. | 16:00 |
| fungi | that would probably be a question for someone who deploys and operates openstack. i don't, nor have i ever used openscap in other contexts. i see it mentioned in the security guide as an example of a system you might want to use for applying security controls, but it looks like the details are an exercise for the reader | 16:06 |
| JayF | There was some measured boot work done in Ironic + other openstack projects, but I've not heard anything about OpenSCAP specifically. | 16:07 |
| JayF | attested boot, that's the word, attested :D | 16:07 |
| fungi | also be aware that the openstack security guide is long in the tooth. in my (failing) capacity as security sig chair i've tried to find people with time and interest to update it, but most of the content in there is about 5 years old or older | 16:07 |
| fungi | JayF: yeah, boot attestation and trusted computing is sort of orthogonal i guess (though you could probably use something like openscap for managing bits of it, i think?) | 16:09 |
| JayF | I'm not sure I fully understand the difference, but that's fine | 16:10 |
| JayF | like, I know boot attestation, I know confidential containers | 16:10 |
| JayF | "trusted computing" is a term I've used heard to describe everything from DRM to TLS to etc etc | 16:10 |
| JayF | I'm sure it means a specific thing, just I don't know it | 16:10 |
| fungi | scap is a bit more general: https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3 | 16:11 |
| fungi | "The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along with its annex (NIST Special Publication 800-126A) and a set of schemas, collectively define the technical composition of SCAP | 16:12 |
| fungi | version 1.3 in terms of its component specifications, their interrelationships and interoperation, and the requirements for SCAP content." | 16:12 |
| mharley[m] | Yes, OpenSCAP is more general. It's a tool that checks a sequence of verification items and applies them to make your software compliant with such items. | 16:13 |
| fungi | another thing to keep in mind when we talk about schemes line scap, fips, et cetera is that openstack is a global project, so while meeting standards/recommendations expected by some specific national government may be worthwhile effort for some contributors whose employers need to meet those, they're not generally applicable worldwide | 16:15 |
| fungi | though there is certainly overlap between expectations of different national governments, so to the extent to which we can help ease that burden for the majority of stakeholders, such investment may still be worthwhile to the project as a whole | 16:16 |
| fungi | but at the same time, there are definitely cases where the information security interests of some nations are directly conflicting, so it can be hard to satisfy everyone | 16:20 |
| mharley[m] | Absolutely important, but I was more asking about the tool itself than some specificity. 🙂 | 16:21 |
| mharley[m] | Just making an absurd comparison, take a look of something that exists for AWS clouds: https://github.com/prowler-cloud/prowler. I was looking for something like this when found out about OpenSCAP. | 16:23 |
| mharley[m] | It started with AWS only, created by one of my ex-colleagues, and grew up to encompass other clouds. | 16:24 |
| mharley[m] | It began as a "simple" compliance scanner. | 16:24 |
| fungi | mharley[m]: probably worth raising the question on the openstack-discuss mailing list with [ops][security-sig] tags in the subject, see if anyone downstream is doing things with openscap for openstack and has sample policies they're willing to share | 16:31 |
| mharley[m] | OK, cool. | 16:34 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!