* Security Working Group - Wednesday April 29
From: Joseph Reynolds @ 2020-04-28 16:12 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday April 29 at 10:00am PDT.
We'll discuss current development items, and anything else that comes up.
The current topics:
1. Skip May 13 meeting due to OCP Summit?
2. IPMI over DTLS.
3. Requirements for security audit logs. Access, deleting, APIs.
4. Using mTLS for HTTPS access to BMCWeb.
5. Rate-limit BMCWeb authentication failures.
6. Review Dropbear (SSH server) settings.
7. OWASP dependency checker.
Access, agenda, and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph
* Re: Security Working Group - Wednesday April 29 - results
From: Joseph Reynolds @ 2020-04-30 20:05 UTC (permalink / raw)
To: openbmc
On 4/28/20 11:12 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 29 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> The current topics:
>
> 1. Skip May 13 meeting due to OCP Summit?
We'll decide later.
>
> 2. IPMI over DTLS.
See discussion happening in the email list.
>
> 3. Requirements for security audit logs. Access, deleting, APIs.
There was general support for the idea that the BMC should have a
dedicated security audit log that could not be deleted or cleared. This
log would have only security-relevant events.
>
> 4. Using mTLS for HTTPS access to BMCWeb.
TODO: Joseph to ask for docs from the developers who created the patch.
>
> 5. Rate-limit BMCWeb authentication failures.
The concept was favorably received, with lots of questions about
details. TODO: Joseph will push a BMCWeb patch with a proof of concept.
>
> 6. Review Dropbear (SSH server) settings.
Yep.
>
> 7. OWASP dependency checker.
See next item.
Item 8 added during the meeting:
8. How do we run dynamic scan tools that are privately licensed and the
output of which is copyrighted which means it cannot be shared with the
OpenBMC community?
We shared our current practices, which do allow pushing the fixes back
into the project. TODO: Joseph will document this practice and add it
to the security working group wiki.
Then we discussed if we can use tools because we are a Linux Foundation
project. TODO: Joseph to follow up with Kurt.
- Joseph
>
>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
* Public security scan tools (was: Security Working Group)
From: Joseph Reynolds @ 2020-04-30 20:28 UTC (permalink / raw)
To: openbmc, krtaylor
On 4/30/20 3:05 PM, Joseph Reynolds wrote:
> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday April 29 at 10:00am PDT.
>
...snip...
>>
> Item 8 added during the meeting:
> 8. How do we run dynamic scan tools that are privately licensed and
> the output of which is copyrighted which means it cannot be shared
> with the OpenBMC community?
> We shared our current practices, which do allow pushing the fixes
> back into the project. TODO: Joseph will document this practice and
> add it to the security working group wiki.
> Then we discussed if we can use tools because we are a Linux Foundation
> project. TODO: Joseph to follow up with Kurt.
>
> - Joseph
Kurt (as OpenBMC Community Manager),
Does being a Linux Foundation Project help? Can we get access to
security scan tools that normally require a license to use?
See
https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools
Is there some way we can open up the process of dynamic scan testing to
the community? What are the best practices?
- Joseph
* Authentication failure rate limiting (was: Security Working Group)
From: Joseph Reynolds @ 2020-05-01 1:52 UTC (permalink / raw)
To: openbmc
On 4/30/20 3:05 PM, Joseph Reynolds wrote:
> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>> 5. Rate-limit BMCWeb authentication failures.
>
> The concept was favorably received, with lots of questions about
> details. TODO: Joseph will push a BMCWeb patch with a proof of concept.
Done. See https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/31841
- Joseph
* Re: Public security scan tools
From: krtaylor @ 2020-05-02 1:01 UTC (permalink / raw)
To: Joseph Reynolds, openbmc
On 4/30/20 3:28 PM, Joseph Reynolds wrote:
> On 4/30/20 3:05 PM, Joseph Reynolds wrote:
>> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting
>>> scheduled for this Wednesday April 29 at 10:00am PDT.
>>
> ...snip...
>>>
>> Item 8 added during the meeting:
>> 8. How do we run dynamic scan tools that are privately licensed and
>> the output of which is copyrighted which means it cannot be shared
>> with the OpenBMC community?
>> We shared our current practices, which do allow pushing the fixes
>> back into the project. TODO: Joseph will document this practice and
>> add it to the security working group wiki.
>> Then we discussed if we can use tools because we are a Linux Foundation
>> project. TODO: Joseph to follow up with Kurt.
>>
>> - Joseph
>
> Kurt (as OpenBMC Community Manager),
>
> Does being a Linux Foundation Project help? Can we get access to
> security scan tools that normally require a license to use?
> See
> https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools
Next time, please address me specifically on the email; it is pure
coincidence that I actually saw this message :)
No, we do not automatically get access to any LF services except what is
already called out in our charter. :-( It never hurts to ask, maybe it
will be free?
If not, I would recommend that the individual companies that use these
services as a part of their product testing push any security fixes
upstream, and hopefully they will.
- Kurt Taylor (krtaylor)
> Is there some way we can open up the process of dynamic scan testing to
> the community? What are the best practices?
>
> - Joseph
>