OpenStack - User contributions [en]

Security/How To Contribute

2016-11-03T17:24:13Z

Dg:

== How to contribute to the OpenStack Security project ==

=== Initial Steps for Everyone ===
# Join the OSSG launchpad group: https://launchpad.net/~openstack-ossg
# Join the OpenStack Security mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
# Introduce yourself at the weekly OSSG meeting on IRC: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
# Read the sections below for specific ways that someone with your skills can help improve the security of OpenStack.

=== Developers, New to OpenStack ===
* Set yourself up to contribute to OpenStack (see the “If you’re a developer” section): https://wiki.openstack.org/wiki/How_To_Contribute
* Review code reviews tagged as SecurityImpact
:* Notifications come to the openstack-security mailing list
:* https://review.openstack.org/#/q/message:SecurityImpact+is:open,n,z
* Identify open bugs that you can work on to learn a project (we recommend starting with just one project before branching out too much)
:* Compute (Nova): https://bugs.launchpad.net/nova
:* Object Storage (Swift): https://bugs.launchpad.net/swift/
:* Image Service (Glance): https://bugs.launchpad.net/glance
:* Identity (Keystone): https://bugs.launchpad.net/keystone
:* Dashboard (Horizon): https://bugs.launchpad.net/horizon
:* Networking (Neutron): https://bugs.launchpad.net/neutron
:* Block Storage (Cinder): https://bugs.launchpad.net/cinder
:* Common Code (Oslo): https://bugs.launchpad.net/oslo
* Review code to learn a project and find security issues (we recommend starting with just one project before branching out too much)
:* Compute (Nova): https://github.com/openstack/nova
:* Object Storage (Swift): https://github.com/openstack/swift
:* Image Service (Glance): https://github.com/openstack/glance
:* Identity (Keystone): https://github.com/openstack/keystone
:* Dashboard (Horizon): https://github.com/openstack/horizon
:* Networking (Neutron): https://github.com/openstack/neutron
:* Block Storage (Cinder): https://github.com/openstack/cinder
:* Common Code (Oslo): https://github.com/openstack/oslo-incubator

=== Developers, Experienced with OpenStack ===
* Security leadership on specific OpenStack project
:* OSSG needs people with both a strong security background and a strong OpenStack background to work as core developers on projects. These people would help serve as the link between OSSG and the OpenStack project by:
::* Identifying areas where the code should be improved
::* Writing blueprints for security features related to that project
::* Ensuring relevant reviews are marked with SecurityImpact tags
::* Leveraging OSSG members to help solve security problems
::* Become a trusted security resource among the core developers
:* This is a position that one grows into by demonstrating good work over time. This is not something where you are simply appointed. If you are interested, OSSG can help get you started.
* Identify security-relevant code reviews and tag as SecurityImpact
* Review code reviews tagged as SecurityImpact
:* Notifications come to the openstack-security mailing list
:* https://review.openstack.org/#/q/message:SecurityImpact+is:open,n,z
* Review blueprints
:* Compute (Nova): https://blueprints.launchpad.net/nova
:* Object Storage (Swift): https://blueprints.launchpad.net/swift
:* Image Service (Glance): https://blueprints.launchpad.net/glance
:* Identity (Keystone): https://blueprints.launchpad.net/keystone
:* Dashboard (Horizon): https://blueprints.launchpad.net/horizon
:* Networking (Neutron): https://blueprints.launchpad.net/neutron
:* Block Storage (Cinder): https://blueprints.launchpad.net/cinder
:* Common Code (Oslo): https://blueprints.launchpad.net/oslo
* Write security-relevant blueprints

=== Security Architects ===
* Review / edit / add to the OpenStack Security Guide
:* Webpage: http://docs.openstack.org/sec/
:* DocBook Source: https://github.com/openstack/security-doc/tree/master/security-guide
* Review / edit / create OSSNs
:* https://wiki.openstack.org/wiki/Security/Security_Note_Process
:* https://launchpad.net/ossn
* Review blueprints (see links in developer section above)
* Write security-relevant blueprints

=== Writers / Editors ===
* Initial setup instructions can be found at the Documentation First Timer's How To page: https://wiki.openstack.org/wiki/Documentation/HowTo/FirstTimers
* Once those steps are complete, you can help review / edit the OpenStack Security Guide
:* Webpage: http://docs.openstack.org/sec/
:* DocBook Source: https://github.com/openstack/security-doc/tree/master/security-guide
:* List of Enhancements / Bugs: https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide
:* Open a new Enhancement / Bug: File a bug on https://bugs.launchpad.net/openstack-manuals/+filebug and tag it with "sec-guide". Option for tags is available under "Extra options".

* Review / edit OSSNs
:* https://wiki.openstack.org/wiki/Security/Security_Note_Process
:* https://launchpad.net/ossn

=== QA / Automation / Software Development Engineer in Test (SDET) ===
* Add security testing to current test suites
* Add security tests to OS projects
* Learn to identify and file Security Bugs
* Identify open bugs and/or report security bugs that you can work on to learn a project (we recommend starting with just one project before branching out too much)
:* Compute (Nova): https://bugs.launchpad.net/nova
:* Object Storage (Swift): https://bugs.launchpad.net/swift/
:* Image Service (Glance): https://bugs.launchpad.net/glance
:* Identity (Keystone): https://bugs.launchpad.net/keystone
:* Dashboard (Horizon): https://bugs.launchpad.net/horizon
:* Networking (Neutron): https://bugs.launchpad.net/neutron
:* Block Storage (Cinder): https://bugs.launchpad.net/cinder
:* Common Code (Oslo): https://bugs.launchpad.net/oslo

=== Other Tasks ===
* Create / update common OSSG presentation slides

Security/How To Contribute

2016-11-03T17:23:13Z

Dg:

== How to contribute to the OpenStack Security project ==

=== Initial Steps for Everyone ===
# Join the OSSG launchpad group: https://launchpad.net/~openstack-ossg
# Join the OpenStack Security mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
# Introduce yourself at the weekly OSSG meeting on IRC: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
# Read the sections below for specific ways that someone with your skills can help improve the security of OpenStack.

=== Developers, New to OpenStack ===
* Set yourself up to contribute to OpenStack (see the “If you’re a developer” section): https://wiki.openstack.org/wiki/How_To_Contribute
* Review code reviews tagged as SecurityImpact
:* Notifications come to the openstack-security mailing list
:* https://review.openstack.org/#/q/message:SecurityImpact+is:open,n,z
* Identify open bugs that you can work on to learn a project (we recommend starting with just one project before branching out too much)
:* Compute (Nova): https://bugs.launchpad.net/nova
:* Object Storage (Swift): https://bugs.launchpad.net/swift/
:* Image Service (Glance): https://bugs.launchpad.net/glance
:* Identity (Keystone): https://bugs.launchpad.net/keystone
:* Dashboard (Horizon): https://bugs.launchpad.net/horizon
:* Networking (Neutron): https://bugs.launchpad.net/neutron
:* Block Storage (Cinder): https://bugs.launchpad.net/cinder
:* Common Code (Oslo): https://bugs.launchpad.net/oslo
* Review code to learn a project and find security issues (we recommend starting with just one project before branching out too much)
:* Compute (Nova): https://github.com/openstack/nova
:* Object Storage (Swift): https://github.com/openstack/swift
:* Image Service (Glance): https://github.com/openstack/glance
:* Identity (Keystone): https://github.com/openstack/keystone
:* Dashboard (Horizon): https://github.com/openstack/horizon
:* Networking (Neutron): https://github.com/openstack/neutron
:* Block Storage (Cinder): https://github.com/openstack/cinder
:* Common Code (Oslo): https://github.com/openstack/oslo-incubator

=== Developers, Experienced with OpenStack ===
* Security leadership on specific OpenStack project
:* OSSG needs people with both a strong security background and a strong OpenStack background to work as core developers on projects. These people would help serve as the link between OSSG and the OpenStack project by:
::* Identifying areas where the code should be improved
::* Writing blueprints for security features related to that project
::* Ensuring relevant reviews are marked with SecurityImpact tags
::* Leveraging OSSG members to help solve security problems
::* Become a trusted security resource among the core developers
:* This is a position that one grows into by demonstrating good work over time. This is not something where you are simply appointed. If you are interested, OSSG can help get you started.
* Identify security-relevant code reviews and tag as SecurityImpact
* Review code reviews tagged as SecurityImpact
:* Notifications come to the openstack-security mailing list
:* https://review.openstack.org/#/q/message:SecurityImpact+is:open,n,z
* Review blueprints
:* Compute (Nova): https://blueprints.launchpad.net/nova
:* Object Storage (Swift): https://blueprints.launchpad.net/swift
:* Image Service (Glance): https://blueprints.launchpad.net/glance
:* Identity (Keystone): https://blueprints.launchpad.net/keystone
:* Dashboard (Horizon): https://blueprints.launchpad.net/horizon
:* Networking (Neutron): https://blueprints.launchpad.net/neutron
:* Block Storage (Cinder): https://blueprints.launchpad.net/cinder
:* Common Code (Oslo): https://blueprints.launchpad.net/oslo
* Write security-relevant blueprints

=== Security Architects ===
* Review / edit / add to the OpenStack Security Guide
:* Webpage: http://docs.openstack.org/sec/
:* DocBook Source: https://github.com/openstack/security-doc/tree/master/security-guide
* Review / edit / create OSSNs
:* https://launchpad.net/ossn
* Review blueprints (see links in developer section above)
* Write security-relevant blueprints

=== Writers / Editors ===
* Initial setup instructions can be found at the Documentation First Timer's How To page: https://wiki.openstack.org/wiki/Documentation/HowTo/FirstTimers
* Once those steps are complete, you can help review / edit the OpenStack Security Guide
:* Webpage: http://docs.openstack.org/sec/
:* DocBook Source: https://github.com/openstack/security-doc/tree/master/security-guide
:* List of Enhancements / Bugs: https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide
:* Open a new Enhancement / Bug: File a bug on https://bugs.launchpad.net/openstack-manuals/+filebug and tag it with "sec-guide". Option for tags is available under "Extra options".

* Review / edit OSSNs
:* https://wiki.openstack.org/wiki/Security/Security_Note_Process
:* https://launchpad.net/ossn

=== QA / Automation / Software Development Engineer in Test (SDET) ===
* Add security testing to current test suites
* Add security tests to OS projects
* Learn to identify and file Security Bugs
* Identify open bugs and/or report security bugs that you can work on to learn a project (we recommend starting with just one project before branching out too much)
:* Compute (Nova): https://bugs.launchpad.net/nova
:* Object Storage (Swift): https://bugs.launchpad.net/swift/
:* Image Service (Glance): https://bugs.launchpad.net/glance
:* Identity (Keystone): https://bugs.launchpad.net/keystone
:* Dashboard (Horizon): https://bugs.launchpad.net/horizon
:* Networking (Neutron): https://bugs.launchpad.net/neutron
:* Block Storage (Cinder): https://bugs.launchpad.net/cinder
:* Common Code (Oslo): https://bugs.launchpad.net/oslo

=== Other Tasks ===
* Create / update common OSSG presentation slides

Security/Security Note Process

2016-08-17T19:23:36Z

Dg: /* Number Assignment */

This page describes the process that should be followed for writing and publishing an OpenStack Security Note (OSSN). This page is intended to be used by members of the OpenStack Security Group.
== Writing ==
When writing a new Security Note, you should ensure that the target audience will be able to clearly answer the following questions once they have read the Security Note:

* What is the issue?
* Is my deployment affected?
* What are the ramifications if my deployment is affected?
* What can I do to correct or avoid the issue?

To ensure that the Security Note is technically correct, you should reach out to the developers involved if any clarification is needed. Much of the required technical information is usually in the Launchpad bug already, but additional information is often needed to produce a thorough Security Note.

You should also check the new Security Note for the following issues:

* Correct spelling
* Proper grammar
* Avoid using acronyms (or define them when first used in the Security Note)

=== Number Assignment ===
When you begin to write a new Security Note, the first thing you should do is assign the next available OSSN number to your note. This is done in the [[Security_Notes|Security Note publishing area]] on the wiki. Add a placeholder with the proposed title of your new Security Note using the next available number and append '''(work in progress)''' to it. This should look similar to the following example:

* OSSN-1234 - My new Security Note '''(work in progress)'''

Save the page, then click the link you just added, to create a new page. Paste in the title of the OSSN and a link to the launchpad bug, then save the page.

=== Templates ===
The OpenStack Security Notes are kept in the [http://git.openstack.org/cgit/openstack/security-doc/ Security Docs repository], which contains a template to aid in the creation of new Security Notes.

The template is in the format used for publishing to the OpenStack mailing lists. The line length should be limited to 72 characters with the exception of example snippets of configuration files or long links in the '''Contacts / References''' section. This will prevent problems with line wrapping messing up the formatting that can occur with popular PGP mail client software. The template format is also what we use for the Security Notes that we push to the git repository.

== Testing ==
If the new Security Note is documenting a workaround, it is important that it is actually tested to ensure it works. If you need help in testing, you can reach out to the developers in the original Launchpad bug as well as other members of the OpenStack Security Group.

== Reviewing ==
The Gerrit review system is used to review new Security Notes. It is recommended that you read over the [http://docs.openstack.org/infra/manual/developers.html#development-workflow Development Workflow] if you are not already familiar with it. Do not hesitate to reach out to authors of released notes if you want to be guided through the process.

In order to link the review to the associated Lauchpad bug, you should use the '''Closes-bug''' tag in your commit message. The details on using this tag are described on the [[GitCommitMessages|Git commit messages]] page.

The OpenStack Security Notes source repository is available at http://git.openstack.org/cgit/openstack/security-doc/

A Security Note will need to be reviewed by two members of the OpenStack Security Note Core group to be merged. It is also a good idea to add the PTL from any projects related to the Security Note as a reviewer.

== Publishing ==
Once a Security Note has been approved by the appropriate reviewers, it is ready to be published. Security Notes are published to the OpenStack wiki and the OpenStack mailing lists.
=== Wiki ===
Before publishing a Security Note to the mailing lists, it should be published on the OpenStack wiki. This allows the e-mail version of the Security Note to contain a link to the wiki that is immediately accessible. Each Security Note gets it's own wiki page, which is then linked to from the [[Security_Notes | Security Notes]] wiki page. The new Security Note wiki page location should be '''OSSN/OSSN-''number'''''. The numbering scheme is simply a 4 digit integer that we increment when a new OSSN is published. You can look at the previously posted Security Notes to see what the next free number is.

When publishing a Security Note to the OpenStack wiki, you should use proper wiki markup to improve formatting and aid readability. It is recommended that you look at the previously published Security Notes to see examples of how markup is used for formatting.

=== Mailing Lists ===
Once a Security Note has been published on the wiki, it should be sent to the following mailing lists:

* openstack-dev@lists.openstack.org
* openstack@lists.openstack.org

The e-mails should be signed, and the subject should be in the form of '''[OSSN ''number''] ''Title'''''. The body of the e-mail should use the format from the template above.

== Post-mortem Tasks ==
Once a Security Note has been published, it is a good idea to see if the OpenStack Security Guide or Security Guidelines could be improved to help prevent issues similar to the issue form the Security Note.

Security-SIG

2016-04-22T14:39:39Z

Dg: /* Security Blog */

Security issues, tooling, innovations and education within OpenStack are the responsibility of the Security project. The Security project is a horizontal effort within OpenStack that is comprised of what was previously referred to as the OpenStack Security Group and the Vulnerability Management Team. The Security project undertakes both technical and governance activities within OpenStack, aiming to provide guidance, information and code that enhances the overall security of the OpenStack ecosystem.

[[File:SecurityProjectPillars.png|center|820px|A diagram showing the pillars of the Security project]]

== Organization and Contribution ==
The security group is built up primarily of two groups of people; those who write OpenStack code and those who try to secure OpenStack code! We have contributors from over 30 different companies involved in OpenStack. If you're interested in helping to make OpenStack more secure, either through writing better code, writing documentation or inventing cool new features and tooling - we want to hear from you!

=== Organization ===
The Security project was recently incorporated into OpenStack under the big-tent model for collaboration. That means we're recognised by the OpenStack foundation and we govern ourselves in the same way that every other official project does. We have a Project Technical Lead (PTL), Cores and Regular members just like other projects do. The PTL is elected every six months, we meet up at each OpenStack Summit and hold our own mid-cycle meet-ups too. More regularly we meet on IRC each week to discuss progress on multiple activities. We use the [Security] tag on the standard [[https://wiki.openstack.org/wiki/Mailing_Lists#Future_Development|OpenStack developer mailing list]] when things warrant wider discussion.

* [[https://wiki.openstack.org/wiki/Mailing_Lists#Future_Development|OpenStack developer mailing list]]

==== IRC ====
The security group has an IRC room (#openstack-security) on irc.freenode.net that's used for general communications, chat and the occasional user query. The security project meets weekly to discuss progress on individual activities. We encourage new contributors to say hello during our weekly meetings.

* [http://eavesdrop.openstack.org/#Security_meeting Weekly meeting IRC information]
* [http://eavesdrop.openstack.org/meetings/security/ Weekly meeting logs]
* [http://eavesdrop.openstack.org/irclogs/%23openstack-security/ Logs from the #openstack-security room]
* [https://webchat.freenode.net/?randomnick=1&channels=%23openstack-meeting%2C%23openstack-meeting-alt%2C%23openstack-meeting-3%2C%23openstack-meeting-4&prompt=1&uio=d4 IRC WebChat Client]

=== Contribution ===
The process of becoming a member of the group is described on the OSSG [https://launchpad.net/~openstack-ossg Launchpad page].
At the moment of writing, there is no defined "procedure" to get involved into the OSSG and a suggested set of steps
follows. Each described steps might or not be relevant depending on the individual member's background and familiarity with the OpenStack project.

Some steps to get started are:
*Read the OpenStack documentation and understand the most common deployment scenarios.
*Go through the [http://docs.openstack.org/trunk/openstack-compute/install/yum/content/ OpenStack installation guide] and create a deployment (either a native one or in a virtualized environment), in order to get a basic understanding of the interaction of the different OpenStack services. Some installation scripts such as [http://devstack.org/ Devstack] and [http://openstack.redhat.com/Quickstart Packstack] are readily available. However, you should not underestimate the educational benefits of spending some quality time to install OpenStack manually.
*Read the newly released [http://docs.openstack.org/trunk/openstack-security/content/index.html OpenStack security guide] in order to dive into the security aspects of setting up and running an OpenStack deployment.
*Getting acquainted to some degree with the rest of the OpenStack manuals is highly encouraged.
*The next step is to choose one of the OpenStack components in order to become closely familiarized with it and eventually be able to use the combined expertise of the OSSG in order to make thoughtful contributions to the component (code reviews, direct code contribution, architectural aspects) and improve its security. It is of course important to chose a component that would closely match your interests; given the size of OpenStack, becoming closely familiar with the chosen component's code base, deployment and administration practices might require significant time investments. Once you have chosen a component, send an email on the OSSG email list to let others know about your intentions.

See https://wiki.openstack.org/wiki/Security/How_To_Contribute for more details on how you can improve OpenStack security.

== Software Activities ==
The OpenStack Security Project has a number of ongoing activities that aim to enhance security of the OpenStack cloud ecosystem. These predominantly break down into three groups; Advisory, Guidance and Software.

=== Anchor - Ephemeral PKI ===
Anchor is a lightweight, open source, Public Key Infrastructure (PKI), which uses automated provisioning of short-term certificates to enable cryptographic trust in OpenStack services. Certificates are typically valid for 12-24 hours and are issued based on the result from a policy enforcing decision engine. Short term certificates enable passive revocation, to bypass the issues with the traditional revocation mechanisms used in most PKI deployments.

* [https://git.openstack.org/cgit/openstack/anchor Anchor Git Repository]
* [https://review.openstack.org/#/q/anchor,n,z Anchor Gerrit]
* [https://bugs.launchpad.net/anchor Anchor Launchpad]
* [https://www.youtube.com/watch?v=jf_YOzW7I3s Summit Announcement Video]
* [https://www.youtube.com/watch?v=Q_ZhrQq-_YM Summit Followup Video]

=== Bandit - Python Security Linter ===
Bandit is a security linter for Python source code, utilizing the ast module from the Python standard library. The ast module is used to convert source code into a parsed tree of Python syntax nodes. Bandit allows users to define custom tests that are performed against those nodes. At the completion of testing, a report is generated that lists security issues identified within the target source code.

Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. Although early in development it is already adding value to the OpenStack code base with several projects leveraging it in their CI gate tests. As the project matures the desire is to see widespread adoption of Bandit in the OpenStack community.

Bandit can be obtained by cloning the repository. The README.rst file contains documentation regarding installation, usage, and configuration.

* [https://git.openstack.org/cgit/openstack/bandit Bandit Git Repository]
* [https://review.openstack.org/#/q/bandit,n,z Bandit Gerrit]
* [https://bugs.launchpad.net/bandit Bandit Launchpad]

== Advisory Activities ==
The Security project issues Security Advisories (OSSA) and Security Notes (OSSN) both are targeted at OpenStack Users and Vendors who either run or package OpenStack for use by downstream consumers.

=== Security Advisories - OSSA ===
[[File:VMTprocess.png|800px|thumbnail|center]]

Within the Security project exists the Vulnerability Management Team. The VMT is a small group of experienced developers who receive, triage and release fixes for vulnerabilities in OpenStack. The final stage of fixing a vulnerability is to release a Security Advisory for the community. The OSSA details the nature of the vulnerability and any workaround or patches required to mitigate it.

* Read more about the VMT process on [https://security.openstack.org/vmt-process.html their dedicated webpage]
* View the [https://security.openstack.org/ossalist.html issued OSSA list]

=== Security Notes - OSSN ===
Security Notes are designed to complement the Security Advisories issued by the Vulnerability Management Team. Security notes can be issued for almost anything affecting the security of potential OpenStack deployments. In many cases a vulnerability may be reported that cannot be fixed immediately because the fix might break the API or otherwise cause service-breaking issues for downstream consumers. Often the Security project will write notes that will guide deployers in how to best mitigate the issues when an OSSA cannot be provided. OSSNs are also issued for significant vulnerabilities in third party applications that would affect OpenStack deployments.

* [https://wiki.openstack.org/wiki/Security/Security_Note_Process OpenStack Security Note Process]
* [https://wiki.openstack.org/wiki/Security_Notes Issued Security Notes]

== Guidance Activities ==
Most of the documentation we produce, be it the security guide or security advisories are focussed on downstream consumers of OpenStack technology. We are also actively working on guidance and tooling for *developers* in the hope that we can help stop vulnerabilities making it into code in the first place.

See the [https://security.openstack.org/#secure-development-guidelines Developer Guideline] section of https://security.openstack.org for more info

=== Security Guide ===
[[File:Openstack-security-guide.jpg|frameless|center]]
This [http://docs.openstack.org/sec/ book] was written by a close community of security experts from the OpenStack Security Project in a short, intense week-long effort at an undisclosed location. One of the goals for this book is to bring together interested members to capture their collective knowledge and give it back to the OpenStack community.

See http://docs.openstack.org/sec/

=== Security Blog ===
We now have a blog, take a look to see the latest of what has been happening in the OpenStack Security world: https://openstack-security.github.io/

== Vulnerability Management Team ==
The OpenStack Vulnerability Management team is the first point of contact for OpenStack security issues. They are responsible for the vulnerability handling and disclosure process.

See http://wiki.openstack.org/VulnerabilityManagement

Design Summit/Planning

2016-04-01T20:58:55Z

Dg: /* Topic proposal, discussion and selection */

== Topic proposal, discussion and selection ==

* Barbican - https://etherpad.openstack.org/p/barbican-L-design-sessions
* Ceilometer - https://docs.google.com/spreadsheets/d/1vlEe75uZc5faytpvIMPrQdViOOsRLnfeThk_Rp_lIvI/edit#gid=0
* Cinder - https://etherpad.openstack.org/p/cinder-liberty-proposed-sessions
* Congress - https://etherpad.openstack.org/p/congress-liberty-design-session
* Cross-project track - [https://docs.google.com/spreadsheets/d/1vCTZBJKCMZ2xBhglnuK3ciKo3E8UMFo5S5lmIAYMCSE/edit?usp=sharing Current suggestions] -- Submit your own suggestion using [http://goo.gl/forms/S69HM6XEeb the form here]
* Fuel - https://etherpad.openstack.org/p/fuel-newton-summit-planning
* Glance - https://etherpad.openstack.org/p/liberty-glance-summit-topics
* Heat - https://etherpad.openstack.org/p/liberty-heat-sessions
* Horizon - https://etherpad.openstack.org/p/horizon-liberty-summit
* Infra - https://etherpad.openstack.org/p/infra-liberty-summit-planning
* Ironic - https://etherpad.openstack.org/p/liberty-ironic-design-summit-ideas
* Keystone - https://etherpad.openstack.org/p/keystone-newton-summit-brainstorm
* Manila - https://etherpad.openstack.org/p/manila-liberty-proposed-sessions
* Neutron - https://etherpad.openstack.org/p/liberty-neutron-summit-topics
* Nova - https://etherpad.openstack.org/p/liberty-nova-summit-ideas
* OpenStackClient - https://etherpad.openstack.org/p/osc-liberty-summit-planning
* Oslo - https://etherpad.openstack.org/p/liberty-oslo-summit-planning
* QA - https://etherpad.openstack.org/p/liberty-qa-summit-topics
* Release Cycle Management - https://etherpad.openstack.org/p/liberty-relmgt-summit-topics
* Sahara - https://etherpad.openstack.org/p/sahara-liberty-proposed-sessions
* Security Project - https://etherpad.openstack.org/p/security-newton-summit-brainstorm
* Swift - https://etherpad.openstack.org/p/liberty-swift-summit-topics
* TripleO - https://etherpad.openstack.org/p/tripleo-liberty-proposed-sessions
* Trove - https://etherpad.openstack.org/p/trove-liberty-proposed-sessions

Security/Projects/Anchor

2015-07-14T17:03:04Z

Dg:

= Anchor =
== What is it ==
Anchor is an ephemeral PKI system built to enable cryptographic trust in OpenStack services in a way that doesn't rely on broken provisioning and revocation mechanisms that undermine most PKI deployments.

More content to follow, this page is a place holder.

* Stackforge: <nowiki>git clone https://review.openstack.org/openstack/anchor</nowiki> or git://git.openstack.org/openstack/anchor
* Gerrit: https://review.openstack.org/#/admin/projects/openstack/anchor
* Launchpad: https://launchpad.net/anchor

While we get around to adding more content, you may find this presentation from the Paris summit on Ephemeral PKI: http://youtu.be/jf_YOzW7I3s

== Next Steps ==
Recently Anchor underwent several large changes. [https://review.openstack.org/#/c/142470/ Firstly] it moved away from using the unmaintained M2Crypto library and [https://review.openstack.org/#/c/142486/ secondly] its project configuration was altered to better match standard boilerplate for OpenStack projects. Because of the size of and disruptive nature of these changes the project has entered a period of feature freeze while we work on creating an extensive test suite.

The Anchor Roadmap is maintained here: https://etherpad.openstack.org/p/Anchor_Project_Roadmap

== Contributing ==
We are a friendly bunch and would be more than happy to welcome anyone interested in contributing to Anchor. Since we are in a feature freeze period we would encourage anyone looking to get involved to focus their efforts on helping to enhance and improve our test suite. The Anchor project is discussed during the [https://wiki.openstack.org/wiki/Security_Teams OSSG] weekly meetings in and in the #openstack-security IRC room, feel free to drop in and say hello.

[[Category: stackforge]]

Security/Projects/Anchor

2015-07-14T16:57:57Z

Dg:

= Anchor =
== What is it ==
Anchor is an ephemeral PKI system built to enable cryptographic trust in OpenStack services in a way that doesn't rely on broken provisioning and revocation mechanisms that undermine most PKI deployments.

More content to follow, this page is a place holder.

* Stackforge: <nowiki>git clone https://review.openstack.org/openstack/anchor</nowiki> or git://git.openstack.org/openstack/anchor
* Gerrit: https://review.openstack.org/#/admin/projects/openstack/anchor
* Launchpad: https://launchpad.net/anchor

While we get around to adding more content, you may find this presentation from the Paris summit on Ephemeral PKI: http://youtu.be/jf_YOzW7I3s

== Next Steps ==
Recently Anchor underwent several large changes. [https://review.openstack.org/#/c/142470/ Firstly] it moved away from using the unmaintained M2Crypto library and [https://review.openstack.org/#/c/142486/ secondly] its project configuration was altered to better match standard boilerplate for OpenStack projects. Because of the size of and disruptive nature of these changes the project has entered a period of feature freeze while we work on creating an extensive test suite.

== Contributing ==
We are a friendly bunch and would be more than happy to welcome anyone interested in contributing to Anchor. Since we are in a feature freeze period we would encourage anyone looking to get involved to focus their efforts on helping to enhance and improve our test suite. The Anchor project is discussed during the [https://wiki.openstack.org/wiki/Security_Teams OSSG] weekly meetings in and in the #openstack-security IRC room, feel free to drop in and say hello.

[[Category: stackforge]]

Security Notes

2015-01-28T11:19:39Z

Dg:

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution ("work in progress")
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] -Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0022

2014-07-17T11:07:20Z

Dg: Created page with "== Soft reboot of instance does not ensure iptables rules are present == Holding for https://bugs.launchpad.net/ossn/+bug/1316822"

== Soft reboot of instance does not ensure iptables rules are present ==

Holding for https://bugs.launchpad.net/ossn/+bug/1316822

Security Notes

2014-07-16T13:42:49Z

Dg: /* Published Security Notes */

Security Notes

2014-07-16T13:41:02Z

Dg: /* Published Security Notes */

Security Notes

2014-06-03T11:21:32Z

Dg:

Security Notes

2014-06-03T11:21:03Z

Dg:

OSSN/OSSN-0016

2014-06-03T11:19:52Z

Dg: /* Contacts / References */

__NOTOC__
== Cinder wipe fails in an insecure manner on Grizzly ==

=== Summary ===
A configuration error can prevent the secure erase of volumes in Cinder on
Grizzly, potentially allowing a user to recover another user’s data.

=== Affected Services / Software ===
Cinder, Grizzly

=== Discussion ===
In Cinder on Grizzly, a configurable method to perform a secure erase of
volumes was added. In the event of a misconfiguration no secure erase will
be performed.

The default code path in Cinder’s clear_volume() method, which is taken
in the event of a configuration error, results in no wiping of the volume -
even in the event that the user had flagged the volume for wiping.

This is the same behaviour as if the volume_clear = ‘none’ option was
selected. This could let an attacker recover data from a volume that was
intended to be securely erased. Examples of possible incorrect
configuration options include values that would appear to result in a
secure erase, for example “volume_clear = true” or “volume_clear =
yes”.

In the event of a misconfiguration resulting in this issue, the message
“Error unrecognized volume_clear option” should be present in log
files.

=== Recommended Actions ===
- Create and clear a volume (cinder create --display_name erasetest 10;
cinder delete erasetest)
- Review log files for the above error message (grep “Error unrecognized
volume_clear option” <logfile>)
- Review configuration files to ensure that the valid options ‘zero’ or
‘shred’ are specified.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0016
* Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1322766
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

OSSN/OSSN-0016

2014-06-03T11:19:05Z

Dg:

__NOTOC__
== Cinder wipe fails in an insecure manner on Grizzly ==

=== Summary ===
A configuration error can prevent the secure erase of volumes in Cinder on
Grizzly, potentially allowing a user to recover another user’s data.

=== Affected Services / Software ===
Cinder, Grizzly

=== Discussion ===
In Cinder on Grizzly, a configurable method to perform a secure erase of
volumes was added. In the event of a misconfiguration no secure erase will
be performed.

The default code path in Cinder’s clear_volume() method, which is taken
in the event of a configuration error, results in no wiping of the volume -
even in the event that the user had flagged the volume for wiping.

This is the same behaviour as if the volume_clear = ‘none’ option was
selected. This could let an attacker recover data from a volume that was
intended to be securely erased. Examples of possible incorrect
configuration options include values that would appear to result in a
secure erase, for example “volume_clear = true” or “volume_clear =
yes”.

In the event of a misconfiguration resulting in this issue, the message
“Error unrecognized volume_clear option” should be present in log
files.

=== Recommended Actions ===
- Create and clear a volume (cinder create --display_name erasetest 10;
cinder delete erasetest)
- Review log files for the above error message (grep “Error unrecognized
volume_clear option” <logfile>)
- Review configuration files to ensure that the valid options ‘zero’ or
‘shred’ are specified.

=== Contacts / References ===
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0016
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1322766
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

OSSN/OSSN-0016

2014-05-30T16:03:22Z

Dg: Created page with "Cinder wipe fails open on Grizzly see https://bugs.launchpad.net/ossn/+bug/1322766"

Cinder wipe fails open on Grizzly

see https://bugs.launchpad.net/ossn/+bug/1322766

OSSN/OSSN-0015

2014-05-30T15:52:22Z

Dg: Created page with "See: https://bugs.launchpad.net/ossn/+bug/1322766"

See:
https://bugs.launchpad.net/ossn/+bug/1322766

Security Notes

2014-05-30T15:52:05Z

Dg: /* Published Security Notes */