* Security Working Group Meeting - Wed 14 October
From: Parth Shukla @ 2020-10-13 19:06 UTC
To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting scheduled for this Wednesday October 14 at 10:00am PDT.

We'll discuss the following items on the agenda <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, and anything else that comes up:

1. (Joseph): Follow up from 2020-8-19: Gerrit code review: BMCWeb webUI login change: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/35457
   Question: What are the security risks of using the proposed config flag BMCWEB_INSECURE_ENABLE_UNAUTHENTICATED_ASSETS=YES?
   1. Fingerprinting (leak information about the BMC's manufacturer and version).
   2. Attackers have an easier time getting the code to find and exploit security bugs.
   3. May make DoS easier.
   4. More?

2. (Joseph): Per https://lists.ozlabs.org/pipermail/openbmc/2020-October/023530.html do we agree on the approach? What security categories seem most important?

Access, agenda and notes are in the wiki: https://github.com/openbmc/openbmc/wiki/Security-working-group

Regards,
Parth
* Re: Security Working Group Meeting - Wed 14 October - results
From: Joseph Reynolds @ 2020-10-15 14:14 UTC
To: openbmc

On 10/13/20 2:06 PM, Parth Shukla wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday October 14 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
> and anything else that comes up:
>
> 1. (Joseph): Follow up from 2020-8-19: Gerrit code review: BMCWeb
> webUI login change:
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/35457
> Question: What are the security risks of using the proposed config
> flag BMCWEB_INSECURE_ENABLE_UNAUTHENTICATED_ASSETS=YES?
> 1. Fingerprinting (leak information about the BMC's manufacturer
> and version).
> 2. Attackers have an easier time getting the code to find and
> exploit security bugs.
> 3. May make DoS easier.
> 4. More?

Yes, those are the main risks we talked about. And it seems reasonable for some environments to accept these risks.

We discussed fingerprinting, and the desire to minimize this surface going forward.

We discussed how the Redfish standard requires unauthenticated access to static files while the OpenBMC project has use cases that don't want to allow that, for example, discussion in https://redfishforum.com/thread/375/mtls-enforcement-openbmcs-redfish-implementation

> 2. (Joseph): Per
> https://lists.ozlabs.org/pipermail/openbmc/2020-October/023530.html do
> we agree on the approach? What security categories seem most important?

The Microsoft, IBM, and Common Criteria schemes each have topics that seem appropriate. No other high-level scheme was proposed, so we'll go with these for now. In particular, will someone please articulate topics from Microsoft Security Development Lifecycle (SDL), and we'll add them to the list. TODO

It was agreed that the list of topics has information that can be leveraged by various security development processes. For example, a team that uses OpenBMC in their project and wants to follow a security scheme/process/evaluation should be able to use these topics to find what they need in the OpenBMC project documentation.

We agreed in principle to organize OpenBMC security work to a subset of the topics listed.

Two subtopics were discussed:

2A. We reviewed the security reporting and bug fixing process. Specifically:

* The OpenBMC security response team: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md

* This is what github advocates using: https://github.com/openbmc/openbmc/security/advisories

* What tools do we use to:
  * Identify which open source pkgs are used in an openbmc build,
  * Identify security bugs in those packages, and
  * Ensure that we pull in fixes or otherwise mitigate the problem.

2B. Given that OpenBMC is a Linux Foundation project, what resources does the Linux Foundation offer? Specifically, we want a private secure bug tracker for the OpenBMC security response team to use.

The following topic was added:

3. Anton update on privilege separation work
ANSWER: Progress on ipmi-net & bmcweb -- working on dbus config, sockets; which areas to sandbox. To make the migration work (changing from root user to another user), we will need to migrate the process's environment, for example: bmcweb uses files in /home/root and it won't have permission afterward.

We discussed how to do the source bump to help CI go more smoothly.

> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> Regards,
> Parth
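The three tooling questions under 2A in the meeting notes above (which packages are in a build, which of them carry known CVEs, and whether each one has been fixed or otherwise mitigated) map onto the per-package CVE report that the Yocto build system used by OpenBMC can emit when its cve-check class is enabled. The script below is an added example, not OpenBMC project code or a tool the working group adopted. It assumes the JSON shape that cve-check writes to its summary file (a "package" list whose entries carry "name", "version" and an "issue" list with "id", "status" and "scorev3"); if your release of the class differs, adjust the key names. The embedded report is constructed for the example, its CVE ids are placeholders rather than real vulnerabilities, and the ACCEPTED table stands in for whatever record the security response team keeps of accepted or externally mitigated issues.

```python
"""Triage a Yocto cve-check style summary for an OpenBMC image build.

Added example, not OpenBMC code. It assumes the cve-check summary JSON
shape ("package" -> "issue" -> "id"/"status"/"scorev3"). The report
below is constructed and its CVE ids are placeholders.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample report in the assumed cve-check shape.
# Placeholder ids only: CVE-0000-xxxx is not a real identifier.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "version": "1.1.1g", "layer": "meta",
         "issue": [
             {"id": "CVE-0000-0001", "status": "Unpatched", "scorev3": "9.8",
              "summary": "placeholder: remote code execution"},
             {"id": "CVE-0000-0002", "status": "Patched", "scorev3": "7.5",
              "summary": "placeholder: fix already backported"},
         ]},
        {"name": "dropbear", "version": "2020.80", "layer": "meta",
         "issue": [
             {"id": "CVE-0000-0003", "status": "Unpatched", "scorev3": "5.3",
              "summary": "placeholder: information disclosure"},
         ]},
        {"name": "bmcweb", "version": "1.0+git", "layer": "meta-phosphor",
         "issue": []},
    ],
})

# Hypothetical record of issues the response team accepted or mitigated
# outside the package (for example, the affected feature is compiled out).
ACCEPTED: Dict[str, str] = {
    "CVE-0000-0003": "dropbear: affected option disabled in this build",
}


def load_report(text: str) -> dict:
    """Parse the report and sanity-check the top-level shape."""
    report = json.loads(text)
    if not isinstance(report.get("package"), list):
        raise ValueError("unexpected cve-check report: no 'package' list")
    return report


def installed_packages(report: dict) -> List[str]:
    """Question 1 from the notes: which open source packages are in the build."""
    return sorted(f"{p['name']} {p['version']}" for p in report["package"])


def unpatched(report: dict, min_score: float = 0.0) -> List[Dict[str, object]]:
    """Question 2: unpatched CVEs scoring at least min_score, highest first."""
    hits = []
    for pkg in report["package"]:
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            score = float(issue.get("scorev3") or 0.0)
            if score >= min_score:
                hits.append({"package": pkg["name"], "version": pkg["version"],
                             "id": issue["id"], "score": score})
    return sorted(hits, key=lambda h: (-h["score"], h["id"]))


def needs_action(report: dict, accepted: Dict[str, str],
                 min_score: float = 7.0) -> Tuple[list, list, list]:
    """Question 3: what still needs a fix or a mitigation decision.

    Returns (must_fix, accepted_hits, deferred): unpatched issues with no
    recorded decision at or above min_score, issues covered by an accepted
    mitigation, and lower-scored issues with no decision yet. A CI gate can
    fail on must_fix and only log the other two, so nothing is silently lost.
    """
    must_fix, accepted_hits, deferred = [], [], []
    for hit in unpatched(report):
        if hit["id"] in accepted:
            accepted_hits.append(hit)
        elif hit["score"] >= min_score:
            must_fix.append(hit)
        else:
            deferred.append(hit)
    return must_fix, accepted_hits, deferred


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print("packages:", ", ".join(installed_packages(rep)))
    fix, ok, later = needs_action(rep, ACCEPTED)
    for h in fix:
        print(f"MUST FIX {h['id']} {h['package']} {h['version']} CVSSv3 {h['score']}")
    for h in ok:
        print(f"accepted {h['id']}: {ACCEPTED[h['id']]}")
    for h in later:
        print(f"deferred {h['id']} {h['package']} CVSSv3 {h['score']}")
    raise SystemExit(1 if fix else 0)
```

Run against a real summary by replacing SAMPLE_REPORT with the file contents; the non-zero exit on must_fix is what lets the check sit in CI, while the accepted list keeps the response team's decisions visible in the build log instead of buried in a filter.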
* Re: Security Working Group Meeting - Wed 14 October - request for security bug tracker
From: Joseph Reynolds @ 2020-10-15 14:22 UTC
To: openbmc, krtaylor

On 10/15/20 9:14 AM, Joseph Reynolds wrote:
> On 10/13/20 2:06 PM, Parth Shukla wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday October 14 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>> and anything else that comes up:
>> ...snip...
>
> Two subtopics were discussed:
>
> 2A. We reviewed the security reporting and bug fixing process.
> Specifically:
>
> * The OpenBMC security response team:
> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
>
> * This is what github advocates using:
> https://github.com/openbmc/openbmc/security/advisories
>
> * What tools do we use to:
>   * Identify which open source pkgs are used in an openbmc build,
>   * Identify security bugs in those packages, and
>   * Ensure that we pull in fixes or otherwise mitigate the problem.
>
> 2B. Given that OpenBMC is a Linux Foundation project, what resources
> does the Linux Foundation offer? Specifically, we want a private
> secure bug tracker for the OpenBMC security response team to use.

Kurt,

The OpenBMC security response team could benefit from a bug tracker to track security vulnerabilities that were reported to the project and not yet disclosed. This is to support [1] and would have to be private and secure.

What is commonly used for this? Can we do it at the project level? Can LF help?

- Joseph

[1]: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md

...snip...
>> Access, agenda and notes are in the wiki:
>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>
>> Regards,
>> Parth
* Re: Security Working Group Meeting - Wed 14 October - request for security bug tracker
From: krtaylor @ 2020-10-15 15:53 UTC
To: Joseph Reynolds, openbmc

On 10/15/20 9:22 AM, Joseph Reynolds wrote:
> On 10/15/20 9:14 AM, Joseph Reynolds wrote:
>> On 10/13/20 2:06 PM, Parth Shukla wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting
>>> scheduled for this Wednesday October 14 at 10:00am PDT.
>>>
>>> We'll discuss the following items on the agenda
>>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>,
>>> and anything else that comes up:
>>>
> ...snip...
>>
>> Two subtopics were discussed:
>>
>> 2A. We reviewed the security reporting and bug fixing process.
>> Specifically:
>>
>> * The OpenBMC security response team:
>> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
>>
>> * This is what github advocates using:
>> https://github.com/openbmc/openbmc/security/advisories
>>
>> * What tools do we use to:
>>   * Identify which open source pkgs are used in an openbmc build,
>>   * Identify security bugs in those packages, and
>>   * Ensure that we pull in fixes or otherwise mitigate the problem.
>>
>> 2B. Given that OpenBMC is a Linux Foundation project, what resources
>> does the Linux Foundation offer? Specifically, we want a private
>> secure bug tracker for the OpenBMC security response team to use.
>
> Kurt,

Again, PLEASE cc me directly, I don't read every email on the list. It was another happy coincidence that I read this and saw my name. :)

> The OpenBMC security response team could benefit from a bug tracker to
> track security vulnerabilities that were reported to the project and not
> yet disclosed. This is to support [1] and would have to be private and
> secure.
> What is commonly used for this? Can we do it at the project level? Can
> LF help?

Just brainstorming here...

What about a github repo like openbmc/security_tracking or similar with its own team? We'd have to experiment with that and make sure it was private. Otherwise, we could do something with hosting with the LF (bugzilla instance?), but it would surely cost $$$. Another reason for project owned, independent assets, but I digress.

Let's see what we can do with the tools we have now (github) especially since we may be moving that way anyway.

Kurt Taylor (krtaylor)

> - Joseph
>
> [1]:
> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
>
> ...snip...
>>> Access, agenda and notes are in the wiki:
>>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>>
>>> Regards,
>>> Parth