Redfish security questions

Joseph Reynolds jrey at linux.ibm.com
Thu Feb 13 08:09:07 AEDT 2020


On 2/12/20 12:18 AM, Thomaiyar, Richard Marian wrote:
> This is on next week, right? I will attend (it will be late, but I will 
> try to manage). We can discuss this and also the pam_abl issue 
> related to blocking users based on IP address.

Yes, both topics mentioned in this email are on the Wednesday 2020-02-19 
security work group agenda.  We can discuss them early in the meeting if 
you wish.

I am trying to push the conversation back out onto the email list (as a 
general principle).  I'll cut/paste the forum topic into a separate 
email thread to get it going.

I briefly looked at using pam_abl (Linux-PAM module(8) and its 
corresponding command(1)).  I am interested in using its "automatic 
black listing IP addresses" function.  It is GPL3 licensed, which I think 
OpenBMC can use.  I am also interested in rate-limiting authentication 
attempts as a complementary solution.  I'll continue that email thread 
as I have time to do so.

Thank you!

- Joseph

>
>
> regards,
>
> Richard
>
> On 2/11/2020 11:01 PM, Joseph Reynolds wrote:
>>
>> On 2/10/20 10:37 PM, Thomaiyar, Richard Marian wrote:
>>> On a different note,
>>>
>>> Let me know your thoughts on this too 
>>> https://redfishforum.com/thread/279/channel-privilege-support-direction-redfish
>>>
>>> I am trying to get the direction of the Redfish spec, whether they 
>>> want to consider channel based privilege restriction or just single 
>>> privilege.
>>
>> Richard,
>>
>> Thanks.  I've replied to your thread with questions of my own. Please 
>> reply to my questions on the Redfish forum.  I think we (OpenBMC) 
>> need to have clear requirements.  I've added your topic to the 
>> OpenBMC security working group and plan to stir up any interest.  
>> You're welcome to attend, but it is not necessary.
>>
>> OpenBMC security working group:
>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 
>>
>>
>> - Joseph
>>
>>>
>>> regards,
>>>
>>> Richard
>>>
>>> On 2/10/2020 11:05 PM, Joseph Reynolds wrote:
>>>> The Redfish spec recently changed to allow users with the Login 
>>>> privilege to enumerate all BMC users. Previously only the admin 
>>>> user could do this.  I disagree with this change and believe it is 
>>>> an unnecessary information exposure.  Details are in the Redfish 
>>>> forum post.
>>>>
>>>> https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 
>>>>
>>>>
>>>> Are we okay with this?  Do we ask Redfish to change it back? Please 
>>>> reply to this email or to the forum with your thoughts.
>>>>
>>>> Thanks,
>>>> - Joseph
>>>>
>>>> References:
>>>>
>>>> The change was made to Redfish version 2019.4 > DSP2046 > 
>>>> Redfish-1.0.4-PrivilegeRegistry > ManagerAccountCollection > GET:
>>>> https://www.dmtf.org/standards/redfish
>>>>
>>>> OpenBMC has the corresponding implementation change pending here:
>>>> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881
>>>>
>>>> This was discussed in the 2020-02-05 OpenBMC security working group 
>>>> meeting as agenda item 3.  Minutes:
>>>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 
>>>>
>>>>
>>
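
The privilege question the quoted messages raise is easiest to see by evaluating a PrivilegeRegistry-style operation map for each predefined Redfish role. The following is an added example written for this page; it is not DMTF's registry text or OpenBMC's bmcweb code. The two registry fragments are constructed to model the ManagerAccountCollection GET change being discussed (an administrative privilege before, Login after); the assumption that the earlier entry required ConfigureUsers is mine, not the thread's.

```python
"""Evaluate a Redfish PrivilegeRegistry-style operation map.

Added illustration for this thread; not DMTF registry text or bmcweb code.
The registry fragments are constructed: "before" assumes ConfigureUsers was
required to list accounts, "after" models the change to Login.
"""
from typing import Dict, Iterable, List, Set

# Per resource and HTTP method, an OperationMap entry is a list of objects.
# Every privilege inside one object is required (AND); the objects in the
# list are alternatives (OR).
OperationMap = Dict[str, List[Dict[str, List[str]]]]
Registry = Dict[str, OperationMap]

# Redfish predefined roles and their assigned privileges.
ROLES: Dict[str, Set[str]] = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers",
                      "ConfigureComponents", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureComponents", "ConfigureSelf"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}

# Constructed fragment: listing accounts needs an administrative privilege
# (assumed here to be ConfigureUsers).
REGISTRY_BEFORE: Registry = {
    "ManagerAccountCollection": {
        "GET": [{"Privilege": ["ConfigureUsers"]}],
        "POST": [{"Privilege": ["ConfigureUsers"]}],
    },
}

# Constructed fragment modelling the change the thread objects to: any
# authenticated user (Login) may list the accounts.
REGISTRY_AFTER: Registry = {
    "ManagerAccountCollection": {
        "GET": [{"Privilege": ["Login"]}],
        "POST": [{"Privilege": ["ConfigureUsers"]}],
    },
}


def is_authorized(registry: Registry, resource: str, method: str,
                  held: Iterable[str]) -> bool:
    """True if `held` satisfies at least one alternative for resource/method.
    An operation with no mapping is denied (fail closed)."""
    held_set = set(held)
    alternatives = registry.get(resource, {}).get(method, [])
    return any(held_set.issuperset(alt["Privilege"]) for alt in alternatives)


def roles_that_can(registry: Registry, resource: str, method: str) -> Set[str]:
    """Which predefined roles are granted the operation."""
    return {role for role, privs in ROLES.items()
            if is_authorized(registry, resource, method, privs)}


if __name__ == "__main__":
    for label, reg in (("before", REGISTRY_BEFORE), ("after", REGISTRY_AFTER)):
        print(label, sorted(roles_that_can(reg, "ManagerAccountCollection", "GET")))
```

Running it shows the exposure in one line: under the "before" map only Administrator can enumerate accounts; under the "after" map every role that can log in at all, including ReadOnly, gets the list of account names, which is exactly the reconnaissance a password-guessing attacker wants before trying credentials.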
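
The two complementary controls Joseph mentions above, automatically blocking a source address after repeated authentication failures (the pam_abl function) and rate-limiting attempts, can be modelled together. The following is an added example written for this page, not pam_abl's code or its exact policy; the thresholds, the Policy and AuthThrottle names and the login-event log are all constructed.

```python
"""Per-source-IP authentication throttle with automatic temporary blocking.

Added illustration, not pam_abl's code or policy. Thresholds and the sample
event log are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Policy:
    max_failures: int = 5        # failures within window_s that trigger a block
    window_s: float = 600.0      # sliding window over which failures are counted
    block_s: float = 900.0       # duration of an automatic block
    min_interval_s: float = 1.0  # rate limit: minimum spacing of attempts per source


@dataclass
class AuthThrottle:
    policy: Policy = field(default_factory=Policy)
    _failures: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    _blocked_until: Dict[str, float] = field(default_factory=dict)
    _last_attempt: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        return until is not None and now < until

    def check(self, ip: str, now: float) -> Optional[str]:
        """Decide before any credential is examined. Returns None when the
        attempt may proceed, otherwise the reason it is refused."""
        if self.is_blocked(ip, now):
            return "blocked"
        if ip in self._blocked_until:          # block has expired: start clean
            del self._blocked_until[ip]
            self._failures[ip].clear()
        last = self._last_attempt.get(ip)
        if last is not None and now - last < self.policy.min_interval_s:
            return "rate-limited"              # refused attempts do not reset the timer
        self._last_attempt[ip] = now
        return None

    def record(self, ip: str, success: bool, now: float) -> None:
        """Feed the outcome of an attempt that check() allowed."""
        q = self._failures[ip]
        if success:
            q.clear()                          # a good login clears the failure history
            return
        q.append(now)
        cutoff = now - self.policy.window_s
        while q and q[0] < cutoff:             # drop failures outside the window
            q.popleft()
        if len(q) >= self.policy.max_failures:
            self._blocked_until[ip] = now + self.policy.block_s


def replay(events: List[Tuple[float, str, bool]],
           policy: Optional[Policy] = None) -> Dict[str, List[str]]:
    """Run a list of (time, source_ip, password_ok) events through the
    throttle in time order and return, per source, what happened to each."""
    throttle = AuthThrottle(policy or Policy())
    outcomes: Dict[str, List[str]] = defaultdict(list)
    for now, ip, password_ok in sorted(events):
        refusal = throttle.check(ip, now)
        if refusal:
            outcomes[ip].append(refusal)
            continue
        throttle.record(ip, password_ok, now)
        outcomes[ip].append("success" if password_ok else "fail")
    return dict(outcomes)


# Constructed event log: one source guessing passwords, one legitimate user
# who mistypes once. Addresses are from the documentation ranges.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", False),
    (0.3, "198.51.100.7", False),     # too soon after the previous attempt
    (0.5, "203.0.113.9", False),
    (1.0, "198.51.100.7", False),
    (2.0, "198.51.100.7", False),
    (3.0, "198.51.100.7", False),
    (4.0, "198.51.100.7", False),     # fifth failure in the window: blocked
    (6.0, "203.0.113.9", True),
    (10.0, "198.51.100.7", False),    # refused without the password being checked
    (1000.0, "198.51.100.7", False),  # block expired; counting starts over
]

if __name__ == "__main__":
    for ip, seq in replay(SAMPLE_EVENTS).items():
        print(ip, seq)
```

Two caveats apply to any per-address scheme like this on a BMC. Keying on the source address alone means several administrators behind one NAT or jump host share one failure budget, so a single mistyped password can lock out colleagues; pair it with a per-account limit and make the block temporary, as here, rather than permanent. And the attempt time should come from a monotonic clock, since a BMC that has just booted or resynchronised NTP can jump its wall clock far enough to expire or extend blocks unexpectedly.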


