* Security Working Group meeting today
From: Joseph Reynolds @ 2020-11-11 13:58 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday November 11 at 10:00am PDT.
Apologies if this is a duplicate email.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
and anything else that comes up:
1. Is OpenBMC ready to move from root to an admin account? See
   <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/33847>
2. The PAM_ABL module <https://github.com/deksai/pam_abl> is no longer
   supported. We had discussed using PAM_ABL to help prevent DoS.
3. The CSIS <https://www.cloudsecurityindustrysummit.org/#documents>
   published a paper “A Case for a Trustworthy BMC
   <https://cloudsecurityindustrysummit.s3.us-east-2.amazonaws.com/a-case-for-a-trustworthy-bmc.pdf>”
   that gives recommendations for security. A section analyzes how
   well the OpenBMC project meets these recommendations
   <https://cloudsecurityindustrysummit.s3.us-east-2.amazonaws.com/a-case-for-a-trustworthy-bmc.pdf#h.h0igu5dbvaun>.
   I’ve added this to the OpenBMC security wiki.
Access, agenda and notes are in the wiki:
<https://github.com/openbmc/openbmc/wiki/Security-working-group>
* Re: Security Working Group meeting today
From: Joseph Reynolds @ 2020-11-11 19:24 UTC (permalink / raw)
To: openbmc
On 11/11/20 7:58 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday November 11 at 10:00am PDT.
> Apologies if this is a duplicate email.
Here are the summary meeting notes.
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
> 1. Is OpenBMC ready to move from root to an admin account? See
> <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/33847>
Please add an image feature for an admin account. It should work and
play nicely with the existing phosphor-user-manager support and with the
sudo package.
>
> 2. The PAM_ABL module <https://github.com/deksai/pam_abl> is no longer
> supported. We had discussed using PAM_ABL to help prevent DoS.
No discussion.
> 3. The CSIS
> <https://www.cloudsecurityindustrysummit.org/#documents> published a
> paper “A Case for a Trustworthy BMC
> <https://cloudsecurityindustrysummit.s3.us-east-2.amazonaws.com/a-case-for-a-trustworthy-bmc.pdf>”
> that gives recommendations for security. A section analyzes how
> well the OpenBMC project meets these recommendations
> <https://cloudsecurityindustrysummit.s3.us-east-2.amazonaws.com/a-case-for-a-trustworthy-bmc.pdf#h.h0igu5dbvaun>.
>
> I’ve added this to the OpenBMC security wiki.
No discussion. Plans are to track OpenBMC’s efforts in the security wiki.
Bonus item 4: Anton’s progress in running daemon processes as a non-root
user. ANSWER:
Success making a sandbox that launched multiple daemons (BMCWeb and
ipmi-network) using less-privileged “namespace’d users” and using Linux
groups to carry authority. These daemons communicate with the rest of
the system via D-Bus.
We also discussed if this daemon work has any tie-ins or complications
with the work to log in with a non-root admin or operator account. We
also discussed what model / low-level design to use when a network user
successfully authenticates: how to drop root authority.
>
> Access, agenda and notes are in the wiki:
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
>