Security Working Group - Wednesday April 29 - results

Joseph Reynolds jrey at
Fri May 1 06:05:54 AEST 2020

On 4/28/20 11:12 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday April 29 at 10:00am PDT.
> We'll discuss current development items, and anything else that comes up.
> The current topics:
> 1. Skip May 13 meeting due to OCP Summit?

We'll decide later.

> 2. IPMI over DTLS.

See discussion happening in the email list.

> 3. Requirements for security audit logs.  Access, deleting, APIs.

There was general support for the ideas that the BMC should have 
dedicated security audit log that could not be deleted or cleared. This 
log would have only security-relevant events.

> 4. Using mTLS for HTTPS access to BMCWeb.

TODO: Joseph to ask for docs from the developers who created the patch.

> 5. Rate-limit BMCWeb authentication failures.

The concept was favorably received, with lots of questions about 
details. TODO: Joseph will push a BMCWeb patch with a proof of concept.

> 6. Review Dropbear (SSH server) settings.

> 7. OWASP dependency checker.

See next item.

Item 8 added during the meeting:
8. How do we run dynamic scan tools that are privately licensed and the 
output of which is copyrighted which means it cannot be shared with the 
OpenBMC community?
We shared our current practices, which do allow pushing the fixes back 
into the project.  TODO: Joseph will document this practice and add it 
to the security working group wiki.
Then we discussed whether we can use these tools because we are a Linux 
Foundation project.  TODO: Joseph to follow up with Kurt.

- Joseph

> Access, agenda, and notes are in the wiki:
> - Joseph
