Security Working Group - Wednesday April 29 - results
jrey at linux.ibm.com
Fri May 1 06:05:54 AEST 2020
On 4/28/20 11:12 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 29 at 10:00am PDT.
> We'll discuss current development items, and anything else that comes up.
> The current topics:
> 1. Skip May 13 meeting due to OCP Summit?
We'll decide later.
> 2. IPMI over DTLS.
See discussion happening in the email list.
> 3. Requirements for security audit logs. Access, deleting, APIs.
There was general support for the ideas that the BMC should have a
dedicated security audit log that could not be deleted or cleared. This
log would have only security-relevant events.
> 4. Using mTLS for HTTPS access to BMCWeb.
TODO: Joseph to ask for docs from the developers who created the patch.
> 5. Rate-limit BMCWeb authentication failures.
The concept was favorably received, with lots of questions about
details. TODO: Joseph will push a BMCWeb patch with a proof of concept.
> 6. Review Dropbear (SSH server) settings.
> 7. OWASP dependency checker.
See next item.
Item 8 added during the meeting:
8. How do we run dynamic scan tools that are privately licensed and the
output of which is copyrighted which means it cannot be shared with the
We shared our current practices, which do allow pushing the fixes back
into the project. TODO: Joseph will document this practice and add it
to the security working group wiki.
Then we discussed if we can use tools because we are a Linux Foundation
project. TODO: Joseph to follow up with Kurt.
> Access, agenda, and notes are in the wiki:
> - Joseph