Security Working Group - Wednesday March 4
Joseph Reynolds
jrey at linux.ibm.com
Thu Mar 5 11:08:57 AEDT 2020
On 3/2/20 6:05 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday March 4 at 10:00am PDT.
>
> We'll discuss current development items, and anything else that comes up.
>
> The current topics:
>
> 1. Proposal to add new Redfish roles for ServiceRep & OemRep.
> 2. Implement the Redfish PasswordChangeRequired property.
> 3. Proposal to delete BMCWeb sessions after some kinds of account changes.
>
> 4. Intel hackathon (pen test, code reviews, etc) results.
> 5. Security issue: BMCWEB_ENABLE_DBUS_REST=ON enables information leak
>
> 6. Discuss making contributions toward
> https://github.com/openbmc/openbmc/wiki/Security-working-group#security-end-of-release-checklist
> for the May 2020 OpenBMC release based on Yocto 3.1.
>
> Access, agenda, and notes are in the wiki:
Here is a summary of the discussion. More details are in the minutes
linked below.
1. We agreed that ServiceRep and ManufacturingRep Privileges are useful
to articulate. We found two use cases: Admin same as service agent and
manufacturer, and Admin/Service/manufacturer are different roles. Joseph
will pursue getting these roles and privileges defined in Redfish. We
also discussed the problem of how to prevent the admin from escalating
to the Service role given they control User management. (With possible
solutions discussed), and some alternate designs.
The next step is: Joseph will send an email to the openbmc list with
updated details and proposal.
2. Joseph is working on a new D-Bus property for UserPasswordExpired
that is needed for BMCWeb.
3. Terminating BMCWeb sessions when there are severe account changes
sounds like a good idea.
Nobody signed up to work on it. :)
4. James asked about how to report security vulnerabilities. The plan
is to follow
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
and make a judgment call, sending some to the email list (thus
disclosing them) and some to the OpenBMC security response team.
The response team can then sort out which issues can be disclosed, and
which we want to fix.
That will be a good stress test.
5. We want definite plans and a timeline for changing the default to
BMCWEB_ENABLE_DBUS_REST=OFF.
6. Joseph will propose an OpenBMC-customized dynamic-security-scan tool
via email.
- Joseph
>
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>
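To make items 2 and 3 of the summary concrete, the following is an added illustration written for this page; it is not bmcweb code and not part of the meeting notes. It models a session store in which a session for an account with an expired password is flagged PasswordChangeRequired and may only be used to change that password, and in which the account changes treated here as "severe" (deletion, lock, role change, a password reset by someone else) terminate the affected user's sessions. The class and method names, the Redfish account path, and the choice of which changes count as severe are all assumptions.

```python
# Added illustration (not bmcweb code): a minimal session store showing how
# a PasswordChangeRequired flag and "terminate sessions on severe account
# changes" can interact. All names and the account path are assumptions.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ACCOUNTS_COLLECTION = "/redfish/v1/AccountService/Accounts"  # assumed path


@dataclass
class Account:
    name: str
    role: str
    password_expired: bool = False
    locked: bool = False


@dataclass
class Session:
    token: str
    user: str
    password_change_required: bool


class SessionStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def add_account(self, name: str, role: str, password_expired: bool = False) -> None:
        self.accounts[name] = Account(name, role, password_expired)

    def login(self, name: str) -> Optional[str]:
        """Create a session. An expired password still logs in, but the
        session is flagged so it can only be used to change that password."""
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, name, acct.password_expired)
        return token

    def authorize(self, token: str, method: str, target: str) -> bool:
        """Allow a request unless the session is flagged PasswordChangeRequired,
        in which case only a PATCH of the caller's own account is permitted."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if sess.password_change_required:
            return method == "PATCH" and target == f"{ACCOUNTS_COLLECTION}/{sess.user}"
        return True

    def _terminate(self, user: str, keep: Optional[str] = None) -> int:
        """Drop every session belonging to `user` except `keep`; return the count."""
        doomed = [t for t, s in self.sessions.items() if s.user == user and t != keep]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)

    # Each "severe" change below invalidates the user's live sessions so that
    # no session keeps privileges or access the account no longer has.
    def delete_account(self, name: str) -> int:
        self.accounts.pop(name, None)
        return self._terminate(name)

    def lock_account(self, name: str) -> int:
        self.accounts[name].locked = True
        return self._terminate(name)

    def set_role(self, name: str, role: str) -> int:
        # A role change must not leave sessions carrying the old privileges.
        self.accounts[name].role = role
        return self._terminate(name)

    def change_password(self, name: str, by_token: str) -> int:
        """Clear the expired flag. If the user changed their own password,
        keep that session (now unrestricted) and drop the rest; if someone
        else reset it, drop all of the target user's sessions."""
        acct = self.accounts[name]
        acct.password_expired = False
        caller = self.sessions.get(by_token)
        if caller is not None and caller.user == name:
            caller.password_change_required = False
            return self._terminate(name, keep=by_token)
        return self._terminate(name)
```

The one deliberate exception is a user changing their own expired password: that session is kept and unflagged, because forcing a re-login there gains nothing, while every other session for the same user is still dropped.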