* Security Working Group - Wednesday April 29
@ 2020-04-28 16:12 Joseph Reynolds
From: Joseph Reynolds @ 2020-04-28 16:12 UTC (permalink / raw)
  To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday April 29 at 10:00am PDT.

We'll discuss current development items, and anything else that comes up.

The current topics:

1. Skip May 13 meeting due to OCP Summit?

2. IPMI over DTLS.

3. Requirements for security audit logs.  Access, deleting, APIs.

4. Using mTLS for HTTPS access to BMCWeb.

5. Rate-limit BMCWeb authentication failures.

6. Review Dropbear (SSH server) settings.

7. OWASP dependency checker.


Access, agenda, and notes are in the wiki:

https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph


* Re: Security Working Group - Wednesday April 29 - results
@ 2020-04-30 20:05 ` Joseph Reynolds
From: Joseph Reynolds @ 2020-04-30 20:05 UTC (permalink / raw)
  To: openbmc

On 4/28/20 11:12 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday April 29 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> The current topics:
>
> 1. Skip May 13 meeting due to OCP Summit?

We'll decide later.

>
> 2. IPMI over DTLS.

See discussion happening in the email list.

>
> 3. Requirements for security audit logs.  Access, deleting, APIs.

There was general support for the idea that the BMC should have a 
dedicated security audit log that could not be deleted or cleared. This 
log would have only security-relevant events.

>
> 4. Using mTLS for HTTPS access to BMCWeb.

TODO: Joseph to ask for docs from the developers who created the patch.

>
> 5. Rate-limit BMCWeb authentication failures.

The concept was favorably received, with lots of questions about 
details. TODO: Joseph will push a BMCWeb patch with a proof of concept.

>
> 6. Review Dropbear (SSH server) settings.

Yep.

>
> 7. OWASP dependency checker.

See next item.


Item 8 added during the meeting:

8. How do we run dynamic scan tools that are privately licensed and the 
output of which is copyrighted, which means it cannot be shared with the 
OpenBMC community?

We shared our current practices, which do allow pushing the fixes back 
into the project.  TODO: Joseph will document this practice and add it 
to the security working group wiki.

Then we discussed if we can use tools because we are a Linux Foundation 
project.   TODO: Joseph to follow up with Kurt.

- Joseph

>
>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph


* Public security scan tools (was: Security Working Group)
@ 2020-04-30 20:28   ` Joseph Reynolds
From: Joseph Reynolds @ 2020-04-30 20:28 UTC (permalink / raw)
  To: openbmc, krtaylor

On 4/30/20 3:05 PM, Joseph Reynolds wrote:
> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday April 29 at 10:00am PDT.
>
...snip...
>>
> Item 8 added during the meeting:
> 8. How do we run dynamic scan tools that are privately licensed and 
> the output of which is copyrighted, which means it cannot be shared 
> with the OpenBMC community?
> We shared our current practices, which do allow pushing the fixes 
> back into the project.  TODO: Joseph will document this practice and 
> add it to the security working group wiki.
> Then we discussed if we can use tools because we are a Linux Foundation 
> project.   TODO: Joseph to follow up with Kurt.
>
> - Joseph

Kurt (as OpenBMC Community Manager),

Does being a Linux Foundation Project help?  Can we get access to 
security scan tools that normally require a license to use?
See 
https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools

Is there some way we can open up the process of dynamic scan testing to 
the community?  What are the best practices?

- Joseph


* Authentication failure rate limiting (was: Security Working Group)
@ 2020-05-01  1:52   ` Joseph Reynolds
From: Joseph Reynolds @ 2020-05-01  1:52 UTC (permalink / raw)
  To: openbmc

On 4/30/20 3:05 PM, Joseph Reynolds wrote:
> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>> 5. Rate-limit BMCWeb authentication failures.
>
> The concept was favorably received, with lots of questions about 
> details. TODO: Joseph will push a BMCWeb patch with a proof of concept.

Done.  See https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/31841

- Joseph
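The rate-limiting concept from the meeting notes above, as an added C++ example written for this thread; it is not BMCWeb's code and not the Gerrit change linked above. It keeps a per-client-address failure counter with a sliding window and a lockout period, and reports when a failure crosses the threshold so the caller can record that as a security event. The class name, the policy values and the client addresses (from the 192.0.2.0/24 documentation range) are all assumptions.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Hypothetical authentication-failure rate limiter (added example, not
// BMCWeb code). Policy: once a client address has accumulated `maxFailures`
// failed logins within `windowSec` seconds, further attempts from that
// address are refused until `lockoutSec` seconds have elapsed since its
// last failure. Time is passed in explicitly (seconds) so the logic is
// deterministic and testable.
class AuthFailureLimiter
{
  public:
    AuthFailureLimiter(unsigned maxFailures, std::int64_t windowSec,
                       std::int64_t lockoutSec) :
        maxFailures_(maxFailures), windowSec_(windowSec), lockoutSec_(lockoutSec)
    {}

    // True if a login attempt from `client` may be processed at time `now`.
    bool allowAttempt(const std::string& client, std::int64_t now) const
    {
        auto it = state_.find(client);
        if (it == state_.end())
        {
            return true; // no failures on record (or cleared by a success)
        }
        const Entry& e = it->second;
        bool lockedOut = e.failures >= maxFailures_ &&
                         (now - e.lastFailure) < lockoutSec_;
        return !lockedOut;
    }

    // Record a failed login from `client` at time `now`. Returns true when
    // this failure reached the threshold, i.e. the event a caller would
    // write to the security audit log.
    bool recordFailure(const std::string& client, std::int64_t now)
    {
        Entry& e = state_[client];
        if (e.failures > 0 && (now - e.lastFailure) >= windowSec_)
        {
            e.failures = 0; // earlier failures fell outside the window
        }
        ++e.failures;
        e.lastFailure = now;
        return e.failures >= maxFailures_;
    }

    // A successful login clears the client's failure history.
    void recordSuccess(const std::string& client)
    {
        state_.erase(client);
    }

    unsigned failureCount(const std::string& client) const
    {
        auto it = state_.find(client);
        return it == state_.end() ? 0u : it->second.failures;
    }

  private:
    struct Entry
    {
        unsigned failures = 0;
        std::int64_t lastFailure = 0;
    };
    unsigned maxFailures_;
    std::int64_t windowSec_;
    std::int64_t lockoutSec_;
    std::map<std::string, Entry> state_;
};

// Stand-alone demonstration over a constructed sequence of failed attempts.
int main()
{
    AuthFailureLimiter limiter(3, 60, 300); // 3 failures in 60 s -> 300 s lockout
    const std::string client = "192.0.2.10"; // constructed sample address
    for (std::int64_t t = 0; t < 4; ++t)
    {
        if (!limiter.allowAttempt(client, t))
        {
            std::cout << "t=" << t << " attempt refused (locked out)\n";
            continue;
        }
        bool locked = limiter.recordFailure(client, t);
        std::cout << "t=" << t << " failure recorded, lockout triggered="
                  << locked << "\n";
    }
    return 0;
}
```

Two design choices are worth noting. The counter is keyed on the client address rather than the account, so that an attacker guessing the administrator's password cannot lock the administrator out; the cost is that limiting by address does not slow down attempts spread over many sources. The `state_` table also grows with every distinct address that fails, so a real implementation needs an upper bound (or expiry of idle entries) to avoid memory exhaustion from spoofed or rotating sources.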


* Re: Public security scan tools
@ 2020-05-02  1:01     ` krtaylor
From: krtaylor @ 2020-05-02  1:01 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc

On 4/30/20 3:28 PM, Joseph Reynolds wrote:
> On 4/30/20 3:05 PM, Joseph Reynolds wrote:
>> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting 
>>> scheduled for this Wednesday April 29 at 10:00am PDT.
>>
> ...snip...
>>>
>> Item 8 added during the meeting:
>> 8. How do we run dynamic scan tools that are privately licensed and 
>> the output of which is copyrighted, which means it cannot be shared 
>> with the OpenBMC community?
>> We shared our current practices, which do allow pushing the fixes 
>> back into the project.  TODO: Joseph will document this practice and 
>> add it to the security working group wiki.
>> Then we discussed if we can use tools because we are a Linux Foundation 
>> project.   TODO: Joseph to follow up with Kurt.
>>
>> - Joseph
> 
> Kurt (as OpenBMC Community Manager),
> 
> Does being a Linux Foundation Project help?  Can we get access to 
> security scan tools that normally require a license to use?
> See 
> https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools 

Next time, please address me specifically on the email; it is purely 
coincidence that I actually saw this message :)

No, we do not automatically get access to any LF services except what is 
already called out in our charter. :-( It never hurts to ask, maybe it 
will be free?

If not, I would recommend that the individual companies that use these 
services as a part of their product testing would hopefully push any 
security fixes upstream.

  - Kurt Taylor (krtaylor)


> Is there some way we can open up the process of dynamic scan testing to 
> the community?  What are the best practices?
> 
> - Joseph
> 

