14:00:23 <Sparks> #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings 14:00:23 <zodbot> Meeting started Thu Nov 20 14:00:23 2014 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:23 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:00:26 <Sparks> #meetingname Fedora Security Team 14:00:26 <zodbot> The meeting name has been set to 'fedora_security_team' 14:00:29 <Sparks> #topic Roll Call 14:00:31 * Sparks 14:01:04 <D-Caf> Here 14:01:12 * jrusnack here 14:01:41 <mhayden> howdy 14:02:34 * Sparks welcomes everyone 14:02:41 <bvincent> here 14:03:14 <pjp> H, 14:03:15 <pjp> Hi 14:04:48 <Sparks> Okay, lets get started. 14:04:55 <Sparks> #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" 14:05:08 <Sparks> #topic Follow up on last week's action items 14:05:21 <Sparks> #action Sparks to follow up with fenrus02 (via the security list) on checksec and checksec2. 14:05:27 <Sparks> One day I'll do this. Maybe today. 14:05:34 <Sparks> #topic Next week's meeting 14:05:39 <Sparks> #info US Holiday next Thursday 14:06:05 <Sparks> So, I'm thinking that we should just cancel next week's meeting. I'll be on the road and likely not in front of a computer this time next week. 14:06:35 <jrusnack> sure, np with me 14:07:07 <pjp> Does everyone have holiday next Thursday? 14:07:07 <D-Caf> Understood, I'll be busy with family 14:07:16 * mhayden is out next thursday 14:07:55 <Sparks> pjp: It's US Thanksgiving. 14:07:58 <jrusnack> pjp: Sparks said its US holiday, so no 14:08:10 <pjp> Sparks: jrusnack Right, 14:08:59 <Sparks> #agreed Cancel next week's meeting. 14:09:02 <pjp> I was wondering if we should have the meeting if there are folks who don't have holiday. But it seems majority of the participants have holidays. 14:09:22 <Sparks> I mean, you guys can meet if you like. I have no problem with that. 14:10:18 <pjp> Sparks: yes, that's what, just that someone else would have to conduct it. Which would have been manageable, if there were participants. 14:10:37 <Sparks> pjp: You want to run in so that folks can come if they are available? 14:10:43 <Sparks> #undo 14:10:43 <zodbot> Removing item from minutes: AGREED by Sparks at 14:08:59 : Cancel next week's meeting. 14:11:13 <Sparks> FWIW, I have no problem if other people want to run the meetings. :) 14:11:42 <pjp> Sparks: Sure, okay 14:12:09 <Sparks> #agreed pjp will run next week's meeting 14:12:10 <Sparks> :) 14:12:34 <Sparks> Okay, that's simple enough. 14:12:39 <Sparks> Now lets do the numbers. 14:12:43 <Sparks> #topic Outstanding BZ Tickets 14:12:49 <Sparks> #info Wednesday's numbers: Critical 1, Important 47, Moderate 391, Low 161, Total 600, Trend +33 14:12:55 <Sparks> #info Current tickets owned: 196 (~33%) 14:13:00 <Sparks> #info Tickets closed: 168 14:13:10 <Sparks> So, just a word regarding the trends. 14:13:24 <Sparks> There has been an influx of cases the past two weeks. 14:13:42 <Sparks> Most of these have been in the moderate category. 14:13:51 <pjp> Sparks: these 168 closed are counted in the total 600? 14:13:59 <Sparks> The team continues to pick up the cases, just not as fast as they are coming in. 14:14:05 <Sparks> pjp: No 14:14:15 <Sparks> pjp: That's a cumulative number 14:14:22 <pjp> Sparks: Okay, 600 open tickets? 14:14:28 <Sparks> Yes 14:14:51 <D-Caf> I have to apologize, I've been in active last few weeks due to work load and family, holding to pick it up some this weekend. 14:15:05 * Sparks notes those aren't Wednesday's numbers but rather they are Thursday's numbers. 14:15:32 <Sparks> D-Caf: No worries. I haven't been able to grab as many as I would have liked. 14:15:59 <pjp> Sparks: I'm writing a tool to automate non-responsive maintainer policy, so was looking at total Fedora trackers with keywords: Security, SecurityTracking, it showed up to be about 300. 14:16:28 <Sparks> pjp: Yeah, that's not surprising. 14:16:38 <Sparks> Sad, but not surprising. 14:17:11 <pjp> Sparks: no, so the total 600 is surprising, 14:17:25 <jrusnack> Sparks: could we push for faster "irresponsible maintainer " policy ? 14:17:47 <jrusnack> one thing is maintainer who doesn`t care to update, another is leaving package vulnerable 14:17:54 <jrusnack> we should make it super quick 14:18:18 <Sparks> jrusnack: For critical and Important, I'd agree with that. Moderate and lows... maybe not. 14:18:41 <jrusnack> Sparks: why ? 14:19:16 <pjp> jrusnack: Sparks so the tool currently would automatically ping bugs that are unattended for > 90 days, that no activity on a bug for 3 months 14:19:40 * jsmith joins late, due to a work meeting 14:20:04 <pjp> After 2 such ping notifications, in the 3rd week one of us would have to take a look or invite folks to pick those 14:20:06 <Sparks> jrusnack: Moderate and lows are... well, very much less important. I suspect upstream hasn't been looking at them very closely. If we get to the point of only having moderate and lows then yeah, lets grab a shovel and dig in. :) 14:20:24 <Sparks> jsmith: Welcome 14:20:40 <pjp> jsmith: Hi, 14:20:50 <jrusnack> Sparks: I mean, that policy applies when problem is on packagers side, not upstream`s 14:21:02 <Sparks> jrusnack: I'm not saying that we shouldn't be pinging on these tickets. 14:21:37 <Sparks> jrusnack: Yes, if there is an update available from upstream we should definitely be harping on the maintainer to do the fix. 14:22:04 <pjp> jrusnack: true, I recently pushed updates to one of the python package, for which maintainer did not bother to push an update. 14:22:26 * pjp had to request co-maintainership of the package, 14:22:49 <Sparks> pjp: jsmith can probably do that for you as a super packager 14:23:07 <pjp> Sparks: Yes, today I too became one :) 14:23:11 <jrusnack> pjp: that is sad, and probably does not scale - would we co-maintain everything after some time ? 14:23:38 <pjp> jrusnack: nope, that is where super packager play a role, 14:24:05 <Sparks> pjp: Woot! 14:24:28 <pjp> Maybe I can add all super packager's email in the list who would be requested to look at pending security bugs 14:27:08 <Sparks> pjp: I really think releng needs to look at the packages we're having to apply bandages to. We can't keep doing the packager's work for them. 14:27:37 <pjp> Sparks true, in the long run I hope to hand over the tool to releng 14:27:40 <jrusnack> Sparks: +1 14:28:18 <Sparks> pjp: Maybe give them a list of packages we're having to do the work on. 14:29:17 <pjp> Sparks: yes, we'll regularly publish a list of pending security bugs that are > 90 days old. 14:30:02 <jrusnack> I like that idea - publish cumulative days of exposure for each packager 14:30:54 * Sparks counts 58 Critical and Important bugs that are older than 90 days 14:30:55 <pjp> We'll publish a report about the ones which were fixed too. 14:31:29 <pjp> Boy, 58 critical!! 14:31:54 <Sparks> pjp: Well, there's only one critical. 14:32:28 <pjp> Oh okay, together with important, still...boy! ;) 14:32:32 <Sparks> Yes 14:35:33 <Sparks> Okay, I'm going to start a couple non-responsive maintainer issues today. I'll try to get some of these things in process. 14:36:26 <Sparks> Anything else on the discussion of the bugs? 14:36:34 <pjp> Sparks: to confirm, you are looking at the same bugs list that is linked from the security team wiki page, right? 14:36:53 <Sparks> pjp: Yes 14:37:10 <pjp> Sparks: Okay. 14:37:23 <Sparks> pjp: I just modified the search for just bugs older than 90 days 14:37:36 <pjp> Sparks: right, 14:37:42 <Sparks> #topic Open floor discussion/questions/comments 14:37:50 <Sparks> Okay, does anyone have anything? 14:39:08 <jtaylor90> all set here 14:39:26 <Sparks> Okay... well, if there is nothing else... 14:39:36 <pjp> Does it make sense for us to look at default Fedora configurations, like not allowing remote root login via ssh? 14:39:55 <pjp> currently sshd allows it, 14:40:35 <bvincent> pjp: Really? 14:40:42 <pjp> bvincent: yes, 14:40:56 <Sparks> Yeah, this has bothered me for a while but I understand the rationale. 14:40:57 <bvincent> pjp: I've been using lsh a little too long. 14:41:05 <Southern_Gentlem> pjp you are looking at something 10% of the install might use 14:41:23 <pjp> Southern_Gentlem: 10% of install? 14:41:29 <Southern_Gentlem> installs 14:41:44 <pjp> Southern_Gentlem: all Fedora installs would have it, no? 14:42:00 <Southern_Gentlem> most installs are done with lives nowadays so ssh is blocked by default on those installs 14:42:03 <Sparks> You know, I'd like to have a hardening script that went through and helped you setup proper authentication and fixed your fw and all that when you do the install. 14:42:08 <pjp> bvincent: you need to set PermitRootLogin=no in sshd_config 14:42:28 <bvincent> pjp: I know. It's just I'm not use to installing a daemon, and not checking the settings. 14:42:29 <pjp> Southern_Gentlem: I see 14:42:34 <bvincent> Well in all fairness, the installer reminds you to set a strong root password. 14:42:40 <jrusnack> Sparks: that should be default imo 14:42:57 <bvincent> The ability to log in as root only becomes a problem when your password is weak. 14:43:06 <Sparks> jrusnack: What if you're doing a remote install and don't have access any other way? 14:43:09 <bvincent> A weak user password + sudo is no better. 14:43:28 <Southern_Gentlem> i really hope there is a wiki page telling do this to harden your install 14:43:30 <bvincent> Thus, wouldn't logic dictate the use of keys only? 14:44:10 <Sparks> keys++ 14:44:22 <jrusnack> Sparks: I meant hardened config should be default, not opt in. You can configure during install time otherwise 14:44:33 <D-Caf> I've done many an install remote that required root access to begin with 14:44:38 <Sparks> jrusnack: Well, you might be able to. 14:44:38 <pjp> Southern_Gentlem: that's the idea, to come up with such configurations which eventually could become default in the long run 14:44:47 <Southern_Gentlem> bvincent, most people are not going to use keys in their local network (homes) yes i can see that in a production environment 14:45:19 <pjp> +1 14:45:20 <Sparks> jrusnack: Bring it up on devel@ and see what people say. I'd be all for it but I think there are some use cases that is causing us to not fix it. 14:45:25 <D-Caf> It is disabled soon after the initial install, once a user account is. Created. 14:45:27 <bvincent> Southern_Gentlem: I'm not saying that this should be default. I'm just saying that a weak user password plus sudo access is worse then leaving root access enabled. 14:46:08 <jrusnack> Sparks: I think pjp is expressing the same thing more clearly than I am :) 14:46:11 <D-Caf> But I don't think for server installs we can assume a user account account is always setup. 14:46:27 <bvincent> D-Caf: True. I've seen environments where the only local account is root. 14:47:23 <pjp> bvincent: same here, lot of folks use computer as root users, 14:47:51 <Sparks> that's just crazy talk 14:47:57 * pjp thinks not allowing remote root would encourage non-root user usage 14:47:58 <bvincent> Perhaps, one should look at the OpenSSH hardening portion of the NSA guide for RHEL 5. 14:47:59 <Sparks> that doesn't really actually happen... right? 14:48:03 <bvincent> #link https://www.nsa.gov/ia/_files/os/redhat/nsa_rhel_5_guide_v4.2.pdf 14:48:09 <D-Caf> bvincent: yes, often in my work that a how it goes 14:48:25 <pjp> Sparks: it does 14:48:42 * Sparks curls up in a ball and lays on the floor. 14:48:48 <pjp> Heh..:) 14:49:09 <jrusnack> bvincent: that is somewhat old. I believe openscap rules are based on it, but updated 14:49:36 <bvincent> jrusnack: Do you have a link to the openscap rules? 14:49:46 <D-Caf> root is usually saved for emergency use only, but enables with keys or insane passwords. 14:49:46 <jrusnack> google does, a sec 14:50:23 <bvincent> jrusnack: The version of OpenSSH shipped with RHEL has a lot of older ciphers, so an updated resource would be appreciated. 14:51:51 <jrusnack> bvincent: http://scap-securityguide.rhcloud.com/RHEL6/output/table-rhel6-nistrefs-common.html 14:51:59 <jrusnack> seems like general description of rules 14:52:15 <jrusnack> I`m pretty sure they are packaged in RPM, so you can install and view them locally 14:52:30 <jrusnack> I`m also pretty sure there`s a GUI you can use 14:53:09 <bvincent> jrusnack: I hate to say this, but there must be a reason that RHEL doesn't install out of the box like this. 14:54:07 <jrusnack> bvincent: there was work on anaconda installer to enable scap scanning prior to system being installed 14:54:19 <bvincent> jrusnack: Some of these settings can be a little extreme for a home system, but RHEL is for enterprise usage. 14:54:22 <jrusnack> not sure if its done yet 14:54:23 <Sparks> jrusnack: Yeah, I was excited by that feature 14:54:31 <Sparks> jrusnack: But it was rejected for Fedora 14:54:45 <jrusnack> Sparks: on what merit ? 14:55:01 <bvincent> I use to set all these things manually... The tool is nice. 14:55:18 <Sparks> jrusnack: Well, the discussion went sideways with folks not actually understanding what was being asked. Once the train was off the tracks there was no getting it back upright. 14:55:45 <jrusnack> Sparks: seems like another long-term action item for us 14:56:30 <pjp> We need to audit default configurations of other services/programs too. 14:57:49 <Sparks> Okay, we are running out of time. 14:57:57 <Sparks> jrusnack: Care to move this discussion to the list? 14:58:27 <jrusnack> Sparks: I`ll let pjp do that if he agrees, I was bad at explaining this anyway 14:58:41 <pjp> jrusnack: Sparks okay 14:59:00 <Sparks> Okay,anything else? 14:59:13 <Sparks> Going once 14:59:16 <Sparks> Goine twice 14:59:17 <Sparks> ... 14:59:18 <Sparks> .. 14:59:19 <Sparks> . 14:59:24 <Sparks> #endmeeting