[openstack-dev] [OSSN-0060] Glance configuration option can lead to privilege escalation

2016-01-25 Thread McPeak, Travis
Glance configuration option can lead to privilege escalation --- ### Summary ### Glance exposes a configuration option called `use_user_token` in the configuration file `glance-api.conf`. It should be noted that the default setting (`True`) is se

Re: [openstack-dev] [keystone][security] New BP for anti brute force in keystone

2016-01-12 Thread McPeak, Travis
One issue to be aware of is the use of this as a Denial of Service vector. Basically an attacker can use this to lock out key accounts by continuously sending invalid passwords. Doing this might have unexpected and undesirable results, particularly in automated tasks. I think this feature has so

Re: [openstack-dev] [openstack-ansible][security] Next steps: openstack-ansible-security

2015-11-07 Thread McPeak, Travis
Hey Major, This sounds like a great next step. It might also be cool to set up Vagrant to pull Ubuntu 14.04, grab Ansible, and run the scripts on it. I'll carve out a few hours early next week and have a crack at it. -Travis On 11/6/15, 10:59 PM, Major Hayden wrote: >Hello there, > >At this

Re: [openstack-dev] [oslo][bandit] Handling bandit configuration files in Oslo

2015-11-03 Thread McPeak, Travis
Hi Cyril, This is a really cool idea. It should be fairly easy to implement and can only help make Bandit more usable. To be honest enhancing the way we're using the 'bandit.yaml' file has been on our list for a while. A tool like this seems like it would be a nice intermediate solution until w

Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-10-29 Thread McPeak, Travis
This does seem to make a lot of sense. Basically what we will get is an improved lowest common denominator when it comes to intra-node TLS. This probably also fits in nicely with work others in OpenStack Security have recently discussed regarding the creation of a super-lightweight CA. The only p

[openstack-dev] [Security] (moved post from OpenStack-ML) Re: Security concern VMs isolation (Damedeu Eric)

2015-08-14 Thread McPeak, Travis
Hi Eric, First off welcome to OpenStack! Generally for security related questions we use the OpenStack-dev mailing list and preface the subject with a [Security] tag. One of the functions of a hypervisor is to ensure proper isolation of tenant VMs. That being said I highly recommend deploying s

[openstack-dev] Bandit 0.13.0 released

2015-08-05 Thread McPeak, Travis
Today we released Bandit version 0.13.0 which includes the following features and enhancements: Plugins now registered as entry points Improved Bandit run speed Added a confidence filter option Added timestamp to JSON report New plugin to detect Try, Except, Pass Improved detection for hardcoded /

Re: [openstack-dev] [Security] Would people see a value in the cve-check-tool? (Reshetova, Elena)

2015-08-05 Thread McPeak, Travis
(Merging thread from security ML) Bandit probably isn't the correct integration point for this - cve-check has its own analysis procedures while Bandit uses Python AST. Also I see the use workflows being different. For Bandit a developer/gate wants to check a specific code snippet whereas for cve

[openstack-dev] [Security] Nominating Michael McCune for Security CoreSec

2015-06-15 Thread McPeak, Travis
I'd like to propose Michael McCune for CoreSec membership. I've worked with Michael (elmiko) on numerous security tasks and bugs, and he has a great grasp on security concepts and is very active in the OpenStack security community. I think he would be a natural choice for CoreSec.

[openstack-dev] [sec] [ossg] Introducing Bandit code security analyzer

2014-11-25 Thread McPeak, Travis
Hi all - Bandit is a Python AST-based static analyzer from the OpenStack Security Group. Unlike other static code analysis tools in the OpenStack ecosystem such as hacking and flake8, Bandit was purpose-built to help find security vulnerabilities. Bandit has a wiki page at: https://wiki.opens