From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc@lists.ozlabs.org
Subject: Re: Security Working Group meeting - Wednesday August 4 - results
Date: Wed, 4 Aug 2021 13:47:31 -0500
Message-ID: <638695c3-c0ac-1249-d3d1-fe2cf439432e@linux.ibm.com>
In-Reply-To: <89b3524f-a1b3-513c-fc6a-1d888e479238@linux.ibm.com>

On 8/3/21 5:57 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 4 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
> 1. (Joseph): IBM ACF design (2FA authentication for the special IBM
>   service account) is in review -
>   https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201

DISCUSSION: Joseph gave a brief overview with Q&A.


> 2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
>   keeping the same cleartext password)
>   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214

DISCUSSION: Joseph gave a brief overview and mentioned the prerequisite 
patch https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45614.  Please 
review!

(Note there is a related email thread for this.)

> 3. (Joseph): Change the SSH server per-session idle timeout to an hour
>   (was unlimited)?  (Sent idea to upstream project
>   yocto-security@yoctoproject.org.)  Alternatively, update
>   both SSH and BMCWeb to 30 minutes.
>    1. Guidelines:
>        1. NIST SP800-63B requires a timeout of 30 minutes for
>           "assurance level 2" (high confidence that the authentication
>           is still valid), or 15 minutes for "assurance level 2" (very
>           high confidence).
>           https://pages.nist.gov/800-63-3/sp800-63b.html
>        2. OWASP suggests idle timeouts of 15-30 minutes.
>           https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
>    2. Alternatively, use the bash shell’s TMOUT variable?
>    3. See Yocto discussion (representative archived email):
>       https://lists.yoctoproject.org/g/yocto-security/message/381

DISCUSSION:

There was general agreement that OpenBMC should set a default idle timeout:

  * Must be able to configure each interface separately: SSH port 22
    (BMC command shell), SSH port 2200 (host console).

  * 30 minutes was suggested for the command shell.

  * The BMC admin should be able to configure the timeout.  Need to
    check if there is a Redfish API or property for this.

  * The technology to have a timeout may be present in the SSH server,
    the underlying application (command shell, host console, etc.), or
    provided by an intervening program such as “screen”.

Joseph to follow up via email.

We also discussed the risks of allowing SSH at all.


Bonus topics:

4. Surya set up a bugzilla within Intel and will administer it.  Demo’d 
the database.  We briefly examined the database fields and agreed it 
looks like a good start.

Who has access?: The security response team (see Joseph as admin).  Also 
the bug submitter and the bug fixer will have access to each of their bugs.


https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md 

Side discussion: Can we add a security responder from Nvidia?  Yes: first 
review 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md#team-composition-and-email-maintenance 
and then petition the TSC via email: 
https://github.com/openbmc/openbmc#technical-steering-committee.


5. How to escalate bugs reported to the security response team?

DISCUSSION: We briefly discussed this as the meeting time was past the 
end.  It is hard to make people fix bugs.  Ideas: keep sending reminder 
emails, and try to get someone to fix the bug.



>
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
>
> - Joseph
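Shell illustration of the layered idle-timeout point from item 3, added here and not taken from the meeting or from the OpenBMC project: the session ends when the first layer fires, so the effective idle timeout is the smallest non-zero value across the SSH server, the login shell and any intervening program, and that value is what should be compared with the 30-minute guideline. It assumes a dropbear-style server option string carrying `-I <seconds>` (hypothetical sample) and a bash login shell honouring TMOUT; the profile and option string are constructed inputs.

```sh
#!/bin/sh
# Added example, not OpenBMC project code: audit an SSH session's idle timeout
# against the 30-minute guideline (OWASP 15-30 min; NIST SP800-63B AAL2 30 min).
# Assumptions: dropbear-style server options carry "-I <seconds>" (hypothetical
# sample string), and the login shell is bash, which honours TMOUT.
MAX_IDLE=1800   # 30 minutes, in seconds

# Print the TMOUT value set in a bash profile (file argument or stdin); the last
# assignment wins, as it would in the shell. 0 means no shell-level timeout.
tmout_from_profile() {
    awk -F= '/^[[:space:]]*(export[[:space:]]+)?TMOUT=/ { gsub(/[^0-9].*/, "", $2); v = $2 }
             END { print (v == "" ? 0 : v) }' "$@"
}

# Print the idle timeout from a dropbear-style option string ("-I 1800" or "-I1800").
# 0 means the server imposes no idle timeout.
dropbear_idle_from_args() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) {
            if ($i == "-I" && i < NF) v = $(i + 1)
            if (substr($i, 1, 2) == "-I" && length($i) > 2) v = substr($i, 3) } }
        END { print (v == "" ? 0 : v) }'
}

# Combine per-layer timeouts (SSH server, shell, screen, ...): the session ends
# when the first layer fires, so the effective timeout is the smallest non-zero.
effective_idle_timeout() {
    best=0
    for t in "$@"; do
        [ "$t" -gt 0 ] 2>/dev/null || continue
        if [ "$best" -eq 0 ] || [ "$t" -lt "$best" ]; then best=$t; fi
    done
    echo "$best"
}

# NONE = unlimited (the state the meeting wants to change); TOO_LONG = over 30 min.
judge_idle_timeout() {
    if [ "$1" -eq 0 ]; then echo NONE
    elif [ "$1" -gt "$MAX_IDLE" ]; then echo TOO_LONG
    else echo OK; fi
}

# Constructed sample inputs (no real BMC configuration was read).
profile=$(mktemp)
printf 'PS1="bmc> "\nexport TMOUT=3600   # one hour\n' > "$profile"
shell_t=$(tmout_from_profile "$profile")
server_t=$(dropbear_idle_from_args "-I 1800 -p 22")
eff=$(effective_idle_timeout "$server_t" "$shell_t")
echo "shell=${shell_t}s server=${server_t}s effective=${eff}s -> $(judge_idle_timeout "$eff")"
rm -f "$profile"
```

With both layers set as in the sample, the server's 1800 seconds is what ends the session, so a TMOUT of one hour alone would not have met the 30-minute target.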