Security Working Group meeting - Wednesday August 4 - results

Joseph Reynolds jrey at linux.ibm.com
Thu Aug 5 04:47:31 AEST 2021


On 8/3/21 5:57 PM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting 
> scheduled for this Wednesday August 4 at 10:00am PDT.
>
> We'll discuss the following items on the agenda 
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
> and anything else that comes up:
>
> 1. (Joseph): IBM ACF design (2FA authentication for the special IBM
>   service account) is in review -
>   https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201

DISCUSSION: Joseph gave a brief overview with Q&A.


> 2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
>   keeping the same cleartext password)
>   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214

DISCUSSION: Joseph gave a brief overview and mentioned the prerequisite 
patch https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45614.  Please 
review!

(Note there is a related email thread for this.)

> 3. (Joseph): Change the SSH server per-session idle timeout to an hour
>   (was unlimited)?  (Sent idea to upstream project
>   yocto-security at yoctoproject.org.)  Alternatively, update
>   both SSH and BMCWeb to 30 minutes.
>    1. Guidelines:
>        1. NIST SP800-63B requires a timeout of 30 minutes for
>           "assurance level 2" (high confidence that the authentication
>           is still valid), or 15 minutes for "assurance level 2" (very
>           high confidence).
>           https://pages.nist.gov/800-63-3/sp800-63b.html
>        2. OWASP suggests idle timeouts of 15-30 minutes.
> https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
>    2. Alternatively, use the bash shell’s TMOUT variable?
>    3. See Yocto discussion (representative archived email):
>       https://lists.yoctoproject.org/g/yocto-security/message/381

DISCUSSION:

There was general agreement that OpenBMC should set a default idle timeout:

  * Must be able to configure each interface separately: SSH port 22
    (BMC command shell), SSH port 2200 (host console).

  * 30 minutes was suggested for the command shell.

  * The BMC admin should be able to configure the timeout.  Need to
    check if there is a Redfish API or property for this.

  * The technology to have a timeout may be present in the SSH server,
    the underlying application (command shell, host console, etc.), or
    provided by an intervening program such as "screen".

Joseph to follow up via email.

We also discussed the risks of allowing SSH at all.
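As an added example (not the meeting's or OpenBMC's own code) of the point above that the timeout may live in the SSH server or in the underlying shell: a small audit script that reads both settings and checks them against the 30-minute suggestion. It assumes the BMC's SSH server is Dropbear (its `-I <seconds>` idle-timeout option) and that the command shell is bash (its TMOUT variable); the "before" and "after" configuration strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the meeting or OpenBMC: audit the two places an
# SSH idle timeout could live on a BMC, the SSH server (assumed Dropbear, whose
# "-I <seconds>" option drops an idle session) and bash's TMOUT idle logout.

GUIDELINE_SECONDS=1800   # the 30 minutes suggested for the command shell

# Print the idle timeout from a Dropbear argument string; 0 means unlimited.
dropbear_idle_timeout() {
    set -- $1            # word-split the argument string into "$@"
    timeout=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -I)  timeout=${2:-0}; [ $# -gt 1 ] && shift ;;
            -I*) timeout=${1#-I} ;;
        esac
        shift
    done
    printf '%s\n' "$timeout"
}

# Print the last TMOUT value assigned in a profile fragment; 0 means none set.
profile_tmout() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}TMOUT=\([0-9]\{1,\}\).*/\2/p' |
        tail -n 1 | grep . || echo 0
}

# Succeed only when a timeout is set and does not exceed the guideline.
check_idle_timeout() { [ "$1" -gt 0 ] && [ "$1" -le "$GUIDELINE_SECONDS" ]; }
# Constructed "before" (unlimited) and "after" settings, not real BMC config.
BEFORE_DROPBEAR_ARGS="-p 22"
AFTER_DROPBEAR_ARGS="-p 22 -I 1800"
BEFORE_PROFILE='export PATH=/usr/sbin:/usr/bin:/sbin:/bin'
AFTER_PROFILE='export PATH=/usr/sbin:/usr/bin:/sbin:/bin
export TMOUT=1800'

report() {   # one line per setting; 0 means no idle timeout at all
    for args in "$BEFORE_DROPBEAR_ARGS" "$AFTER_DROPBEAR_ARGS"; do
        t=$(dropbear_idle_timeout "$args")
        check_idle_timeout "$t" && echo "dropbear '$args': ${t}s OK" ||
            echo "dropbear '$args': ${t}s misses the ${GUIDELINE_SECONDS}s guideline"
    done
    for p in "$BEFORE_PROFILE" "$AFTER_PROFILE"; do
        t=$(profile_tmout "$p")
        check_idle_timeout "$t" && echo "shell TMOUT=$t OK" || echo "shell TMOUT=$t misses guideline"
    done
}
report
```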


Bonus topics:

4 Surya set up a bugzilla within Intel and will administer it.  Demo’d 
the database. We briefly examined the database fields and agreed it 
looks like a good start.

Who has access?: The security response team (see Joseph as admin).  Also 
the bug submitter and the bug fixer will have access to each of their bugs.


https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md 

Side discussion: Can we add a security responder from Nvidia?  Yes, 
first review 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md#team-composition-and-email-maintenance 
and then petition the TSC via email: 
https://github.com/openbmc/openbmc#technical-steering-committee.


5 How to escalate bugs reported to the security response team?

DISCUSSION: We briefly discussed this as the meeting time was past the 
end.  It is hard to make people fix bugs.  Ideas: keep sending reminder 
emails, and try to get someone to fix the bug.


> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group 
>
> - Joseph
