From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Security Working Group meeting - Wednesday August 4
Date: Tue, 3 Aug 2021 17:57:52 -0500 [thread overview]
Message-ID: <89b3524f-a1b3-513c-fc6a-1d888e479238@linux.ibm.com> (raw)
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday August 4 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
and anything else that comes up:
1. (Joseph): IBM ACF design (2FA authentication for the special IBM
service account) is in review -
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201>
2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
keeping the same cleartext password)
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214
<https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214>
3. (Joseph): Change the SSH server per-session idle timeout to an hour
(was unlimited)? (Sent idea to upstream project
yocto-security@yoctoproject.org
<mailto:yocto-security@yoctoproject.org>.) Alternatively, update
both SSH and BMCWeb to 30 minutes.
1. Guidelines:
1. NIST SP800-63B requires a timeout of 30 minutes for
"assurance level 2" (high confidence that the authentication
is still valid), or 15 minutes for "assurance level 2" (very
high confidence).
https://pages.nist.gov/800-63-3/sp800-63b.html
<https://pages.nist.gov/800-63-3/sp800-63b.html>
2. OWASP suggests idle timeouts of 15-30 minutes.
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
<https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>
2. Alternatively, use the bash shell’s TMOUT variable?
3. See Yocto discussion (representative archived email):
https://lists.yoctoproject.org/g/yocto-security/message/381
<https://lists.yoctoproject.org/g/yocto-security/message/381>
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
<https://github.com/openbmc/openbmc/wiki/Security-working-group>
- Joseph
next reply other threads:[~2021-08-03 22:58 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-03 22:57 Joseph Reynolds [this message]
2021-08-04 3:04 ` Security Working Group meeting - Wednesday August 4 Patrick Williams
2021-08-04 3:22 ` Patrick Williams
2021-08-09 14:09 ` Security Working Group meeting - Wednesday August 4 - ibm-acf repo Joseph Reynolds
2021-08-04 3:28 ` Security Working Group meeting - Wednesday August 4 Patrick Williams
2021-08-04 18:43 ` Security Working Group meeting - Wednesday August 4 - all distro owners please review Joseph Reynolds
2021-08-04 18:47 ` Security Working Group meeting - Wednesday August 4 - results Joseph Reynolds
2021-08-04 20:09 ` Patrick Williams
2021-08-04 20:39 ` Joseph Reynolds
2021-08-04 20:49 ` Patrick Williams
2021-08-04 23:23 ` Patrick Williams
2021-08-06 17:10 ` Mihm, James
2021-08-04 23:47 ` Andrew Jeffery
2021-08-04 23:57 ` Ed Tanous
2021-08-05 13:55 ` Brad Bishop
2021-08-05 13:43 ` Brad Bishop
2021-08-05 15:54 ` Brad Bishop
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=89b3524f-a1b3-513c-fc6a-1d888e479238@linux.ibm.com \
--to=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).