Security Working Group meeting - Wednesday January 5 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Jan 6 09:29:28 AEDT 2022
On 1/5/22 11:42 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday January 5 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attendance: Joseph R, James M, Dick W, Ratan G, Dhananjay P
1 We discussed some current topics:
1a email thread subject: meta-phosphor: enable `allow-root-login`
We discussed the prospect of moving away from root logins and creating a
new “admin” userid and then how that admin user would get the root
access they needed to run commands like busctl and systemctl. We
discussed solutions including Restricted bash and sudo.
Note that all processes run as root, and work for “daemon privilege
separation” needs help, see
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49100 and related
code reviews.
1b gerrit review “Disallow no-access user login” (the NoAccess role)
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49295 and
https://github.com/openbmc/bmcweb/issues/227
A NoAccess user can log in but cannot log out. There seem to be two ways
to fix this.
2 The OpenBMC security response team wants to use the github security
tabs, and is looking for best practices.
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/50115
How can the OpenBMC SRT get authority to publish security advisories on
github? What are the best practices? What repo should be used?
openbmc/openbmc? openbmc/security-response? A new repo
openbmc/security-advisories?
See
https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization
3 The OpenBMC security response team is working to become a Mitre CNA
(see minutes from 2021-12-22 meeting) so they can have better control
over CVEs for the OpenBMC project.
James to follow up questions with Mitre.
See CVSS scoring example doc https://www.first.org/cvss/v3.1/examples
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph