* Security Working Group meeting - Wednesday January 5
@ 2022-01-05 17:42 Joseph Reynolds
2022-01-05 22:29 ` Security Working Group meeting - Wednesday January 5 - results Joseph Reynolds
0 siblings, 1 reply; 3+ messages in thread
From: Joseph Reynolds @ 2022-01-05 17:42 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday January 5 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
and anything else that comes up:
1.
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph
* Re: Security Working Group meeting - Wednesday January 5 - results
From: Joseph Reynolds @ 2022-01-05 22:29 UTC (permalink / raw)
To: openbmc
On 1/5/22 11:42 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday January 5 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attendance: Joseph R, James M, Dick W, Ratan G, Dhananjay P
1 We discussed some current topics:
1a email thread subject: meta-phosphor: enable `allow-root-login`
We discussed the prospect of moving away from root logins and creating a
new “admin” userid and then how that admin user would get the root
access they needed to run commands like busctl and systemctl. We
discussed solutions including Restricted bash and sudo.
Note that all processes run as root, and work for “daemon privilege
separation” needs help, see
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49100 and related
code reviews.
1b gerrit review “Disallow no-access user login” (the NoAccess role)
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49295 and
https://github.com/openbmc/bmcweb/issues/227
A NoAccess user can login but cannot logout. There seem to be two ways
to fix this.
2 The OpenBMC security response team wants to use the github security
tabs, and is looking for best practices.
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/50115
How can the OpenBMC SRT get authority to publish security advisories on
github? What are the best practices? What repo should be used?
openbmc/openbmc? openbmc/security-response? A new repo
openbmc/security-advisories?
See
https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization
3 The OpenBMC security response team is working to become a Mitre CNA
(see minutes from 2021-12-22 meeting) so they can have better control
over CVEs for the OpenBMC project.
James to follow up on the questions with Mitre.
See CVSS scoring example doc https://www.first.org/cvss/v3.1/examples
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
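As an added illustration of the sudo option raised under item 1a (this is not code from the thread or from OpenBMC): a POSIX shell script that generates a sudoers drop-in restricting a hypothetical non-root `admin` account to an allowlist of `systemctl` and `busctl` invocations, and syntax-checks the result with `visudo` where that tool is available. The user name, the binary paths and the `phosphor-*` unit-name prefix are assumptions to be adjusted for the actual image.

```shell
#!/bin/sh
# Added example (not OpenBMC code): generate and check a sudoers drop-in
# that lets a non-root "admin" account reach root only for an explicit
# allowlist of service-management commands. Binary paths, the unit-name
# prefix and the default user name are assumptions.

# Print a sudoers fragment for $1 (default "admin").
bmc_admin_sudoers() {
    user="${1:-admin}"
    cat <<EOF
# sudoers drop-in for ${user}; install as /etc/sudoers.d/${user} (mode 0440)
Defaults:${user} env_reset
Cmnd_Alias BMC_UNITS = /bin/systemctl status *, \\
                       /bin/systemctl is-active *, \\
                       /bin/systemctl restart phosphor-*
Cmnd_Alias BMC_BUS   = /usr/bin/busctl list, \\
                       /usr/bin/busctl tree *, \\
                       /usr/bin/busctl introspect *
# A password is required here: the account re-authenticates before escalating.
${user} ALL=(root) BMC_UNITS, BMC_BUS
EOF
}

# Write the fragment for $1 to $2 (default: a temp file) with the mode sudo
# expects, then syntax-check it with visudo if the tool is installed.
check_sudoers_fragment() {
    user="${1:-admin}"
    out="${2:-$(mktemp)}"
    bmc_admin_sudoers "$user" > "$out"
    chmod 0440 "$out"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$out"
    else
        echo "visudo not found; wrote unchecked fragment to $out" >&2
    fi
}

# Usage: ./bmc-sudoers.sh generate [user]
#        ./bmc-sudoers.sh check [user] [path]
case "${1:-}" in
    generate) bmc_admin_sudoers "${2:-admin}" ;;
    check)    check_sudoers_fragment "${2:-admin}" "${3:-}" ;;
esac
```

The allowlist is the whole point: an unrestricted `busctl` or `systemctl` run as root is equivalent to a root shell, since `busctl` can call any privileged D-Bus method and `systemctl` can start arbitrary units, and sudoers wildcards also match whitespace, so each argument pattern should be as narrow as the operator's task allows. A restricted shell such as rbash is a weaker control than a sudo allowlist and is not usually relied on as a security boundary on its own; it also does nothing for the daemon privilege-separation work the minutes point to, since that concerns which uid the services themselves run as.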
* Re: Security Working Group meeting - Wednesday January 5 - results
From: Dhananjay Phadke @ 2022-01-06 18:27 UTC (permalink / raw)
To: Joseph Reynolds, Mihm, James, openbmc
On 1/5/2022 2:29 PM, Joseph Reynolds wrote:
> 2 The OpenBMC security response team wants to use the github security
> tabs, and is looking for best practices.
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/50115
>
> How can the OpenBMC SRT get authority to publish security advisories on
> github? What are the best practices? What repo should be used?
> openbmc/openbmc? openbmc/security-response? A new repo
> openbmc/security-advisories?
>
> See
> https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization
>
GitHub advisories documentation:
https://docs.github.com/en/code-security/security-advisories
Regards,
Dhananjay