Security Working Group meeting - Wednesday Feb 5 - summary results

Joseph Reynolds jrey at linux.ibm.com
Thu Feb 20 10:51:11 AEDT 2020


On 2/5/20 10:06 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday Feb 5 at 10:00am PDT.

These are the notes from the previous meeting that was held on 
2020-02-05 -- 2 weeks ago.


>
> We'll discuss current development items, and anything else that comes 
> up.  The current topics:
>
> 1. Moving forward with security assurance work at the OpenBMC project 
> level.  ("How do we know what is most important to work on?")  Review 
> steps forward.

There was general agreement that the list of assurance schemes in the 
security working group wiki is a good start.

>
> 2. BMCWeb intermediate site identity certificates.

https://lists.ozlabs.org/pipermail/openbmc/2020-January/020321.html
After looking at the code, we figured BMCWeb had no way to present 
intermediate site identity certificates, but support could be added.
The next steps are to complete the investigation, push up an enhancement 
if needed, and document how users can provision the BMC with their 
intermediate certs. Created https://github.com/openbmc/bmcweb/issues/116
>
> 3. BMCWeb account management privilege changes (following the latest 
> Redfish spec) allow account enumeration.

This was pursued (see the minutes).  After the meeting, the outcome was 
learned: Redfish did not intend this.  A non admin user will get only 
their own account.  A Redfish spec change will clarify this.

>
> 4. BMCWeb address CWE-307 (unlimited password guessing) via 
> rate-limiting authentication attempts.

The project currently has no such protection, so this seems like a good 
approach.

Have we considered blocking by IP address?  Considered progressively 
longer timeouts? Considered the pam_abl module or PAM modules that 
require MFA?

If an LDAP server is used, it may not allow enumeration of its users, 
which would make this a non-issue for this use case.  Does this apply 
only to local users? (ANSWER: Yes).

There are various disparate use cases including: rate-limiting (as 
proposed here), account lockouts (traditional pam_tally2 solution), 
password reset required, and notifying the admin … just to name a few 
use cases.  I (Joseph) am going for a default least-common-denominator 
solution into the project that the BMC can provide without requiring 
additional elements such as 2FA servers.


This was re-discussed in more depth in the 2020-02-19 meeting.

>
> 5. Discuss progress in setting up an alternate meeting time.

Joseph will follow up in the email list.  I (Joseph) think an early 
morning (like 2am CDT) would work for Australia, China, India, and 
Europe.  (See subsequent emails.) The next step is to identify core 
individuals and set up a meeting time.

>
> Access, agenda, and notes are in the wiki:
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Jose 

- Joseph
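As an added illustration of the "progressively longer timeouts" option raised under item 4 (example code, not BMCWeb's or the OpenBMC project's own; the class name, the delay parameters and the integer-seconds clock are assumptions):

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <string>

// Added example (not BMCWeb code): progressively longer delays between failed
// login attempts on a local account, one CWE-307 mitigation discussed above.
class AuthRateLimiter {
  public:
    using Seconds = std::int64_t;
    // After freeAttempts failures, each further failure doubles the wait,
    // starting at baseDelay and capped at maxDelay (all values are assumptions).
    AuthRateLimiter(Seconds baseDelay, Seconds maxDelay, unsigned freeAttempts)
        : base_(baseDelay), max_(maxDelay), free_(freeAttempts) {}

    // Seconds the account must still wait before another attempt; 0 = allowed.
    Seconds retryAfter(const std::string& user, Seconds now) const {
        auto it = state_.find(user);
        if (it == state_.end() || now >= it->second.unlockAt) {
            return 0;
        }
        return it->second.unlockAt - now;
    }

    // Record an attempt's outcome. Success clears the account's failure history;
    // a failure past the free attempts schedules an exponentially longer wait.
    void record(const std::string& user, bool success, Seconds now) {
        if (success) {
            state_.erase(user);
            return;
        }
        State& s = state_[user];
        ++s.failures;
        if (s.failures > free_) {
            unsigned exponent = s.failures - free_ - 1;  // 0 on the first penalised failure
            Seconds delay = exponent >= 20 ? max_ : std::min(max_, base_ << exponent);
            s.unlockAt = now + delay;
        }
    }

  private:
    struct State {
        unsigned failures = 0;  // consecutive failures since the last success
        Seconds unlockAt = 0;   // earliest time another attempt is accepted
    };
    Seconds base_, max_;
    unsigned free_;
    std::map<std::string, State> state_;
};
```

The login handler would call retryAfter() before invoking PAM and record() with the result. Because the key is the account name, anyone who knows a local user name can keep that account delayed, which is the usual argument for bounded delays like these over indefinite lockouts.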
