From Fedora Project Wiki
No edit summary |
(add some more details and flesh things out some) |
||
| Line 5: | Line 5: | ||
In this FAD we will focus on some security related projects to get them done and deployed. | In this FAD we will focus on some security related projects to get them done and deployed. | ||
* primary goal: Finish implementation and deployment of 2 factor authentication for sudo | * primary goal: Finish implementation and deployment of 2 factor authentication for sudo on all machines. | ||
* FAS Changes | |||
** Enabling 2 factor / pin setup. | |||
** Way to reset when 2 factor is lost/stolen/broken | |||
** backup codes? | |||
** figure out which backends are supported. (googleauth? yubikey?) | |||
** See if web apps can be made easily 2 factor aware. | |||
** way to enforce 2 factor for some groups? | |||
* Infrastructure setup | |||
** setup server/cgi on fas machines | |||
** setup backends | |||
** setup pam module / confirm sudo working | |||
* Extra Credit | |||
** Enable 2 factor for ssh (optional ability for packagers to use for commits) | |||
** Enable 2 factor for web apps | |||
** Enable 2 factor for hosted / nagios / misc | |||
In addition, we may attempt to complete the following '''secondary''' goals as time allows: | In addition, we may attempt to complete the following '''secondary''' goals as time allows: | ||
* secondary goal(s): | * secondary goal(s): | ||
* Revamp firewall rules to further restrict traffic between machines. | |||
* Come up with a better plan for signing servers | |||
- In puppet or out of puppet? | |||
- On demand vs always on | |||
- ssh access, console, 2factor? | |||
* Hash out a roadmap or plans around git commit signing. | |||
- See if this is something we want to do | |||
* Work on FAS security enhancements | |||
- backup email address? | |||
- security questions? | |||
- better gpg integration? | |||
- handling for 2 factor auth | |||
* Setup a simple IDS of some kind? | |||
- Notice non standard traffic in our internal nets | |||
* Finish up keys.fedoraproject.org and announce it. | |||
* Clean up selinux AVCs and move more things to enforcing. | |||
== Detailed Work Items & Final Attendees == | == Detailed Work Items & Final Attendees == | ||
[[FAD_Infrastructure_Security_2012/attendees | Attendees]] | [[FAD_Infrastructure_Security_2012/attendees | Attendees]] | ||
People needed to get primary objective done: | |||
* FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc | |||
* Sysadmins - deploy server and pam changes. skvidal, kevin, etc | |||
* Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code. | |||
== Planning Prerequisites == | == Planning Prerequisites == | ||
Revision as of 03:14, 8 August 2012
This is the main page for The Fedora Infrastructure 2012 Security FAD, which is a FAD focused on Security.
Purpose
In this FAD we will focus on some security related projects to get them done and deployed.
- primary goal: Finish implementation and deployment of 2 factor authentication for sudo on all machines.
- FAS Changes
- Enabling 2 factor / pin setup.
- Way to reset when 2 factor is lost/stolen/broken
- backup codes?
- figure out which backends are supported. (googleauth? yubikey?)
- See if web apps can be made easily 2 factor aware.
- way to enforce 2 factor for some groups?
- Infrastructure setup
- setup server/cgi on fas machines
- setup backends
- setup pam module / confirm sudo working
- Extra Credit
- Enable 2 factor for ssh (optional ability for packagers to use for commits)
- Enable 2 factor for web apps
- Enable 2 factor for hosted / nagios / misc
In addition, we may attempt to complete the following secondary goals as time allows:
- secondary goal(s):
- Revamp firewall rules to further restrict traffic between machines.
- Come up with a better plan for signing servers
- In puppet or out of puppet? - On demand vs always on - ssh access, console, 2factor?
- Hash out a roadmap or plans around git commit signing.
- See if this is something we want to do
- Work on FAS security enhancements
- backup email address? - security questions? - better gpg integration? - handling for 2 factor auth
- Setup a simple IDS of some kind?
- Notice non standard traffic in our internal nets
- Finish up keys.fedoraproject.org and announce it.
- Clean up selinux AVCs and move more things to enforcing.
Detailed Work Items & Final Attendees
People needed to get primary objective done:
- FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc
- Sysadmins - deploy server and pam changes. skvidal, kevin, etc
- Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code.
Planning Prerequisites
See the How to organize a FAD list; you can keep your to-do list here.
- Work out budget
- Decide on Dates and Location
- Arrange Facilities
- List Resources
- Arrange Lodging
- Arrange Refreshments
- Arrange a Social Event
Plan
- Location:
- Date:
- Schedule
- Participants arrive at THIS_TIME_AND_DATE
- Schedule item
- Schedule item
- Schedule item
- Participants leave at THIS_TIME_AND_DATE
- Important skills (one or more)
- skill
- skill
- skill
- Personnel (people who might fit the bill)
- Name (location, role) Confirmed? (Y/N)
- Name (location, role) Confirmed? (Y/N)
- Name (location, role) Confirmed? (Y/N)
- others?
- Other considerations
- Contributor V can offer a living room for evening social gatherings.
- Contributor W has a car and is willing to do airport pick-ups.
- Contributor X needs as much advance notice as possible.
- Contributor Y has a schedule that is better on Fridays than on Tuesdays, and prefers weekend times after 4:28 AM.
- Contributor Z is allergic to peanuts.
Logistics
Snacks/Beverages: Details go here.
Lunch: Details go here.
Dinner: Details go here.
Budget
If you want funding from Red Hat, ask the Community Architecture team. If you can find other ways to fund your FAD, that's great too!
| Contributor | Dept | Arrv | Dept | Arrv | Cost |
|---|---|---|---|---|---|
| Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
| Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
| Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
- Travel: $A for airfare, bus, train, etc. funding needed to get attendees to the FAD
- Housing: $B for hotel, etc. needed to have attendees sleep during the FAD
- link to hotel room booking website, if applicable
- Space: $C for renting space to hack in, if applicable
- address and travel details for the space
- Supplies: $D for anything else you may need
- item
- item
- item
Total budget: $A+B+C+D
