(add some more details and flesh things out some) |
(Update a bit more) |
||
Line 40: | Line 40: | ||
* secondary goal(s): | * secondary goal(s): | ||
* Redo koji ssl certs in a better way. | |||
* Revamp firewall rules to further restrict traffic between machines. | * Revamp firewall rules to further restrict traffic between machines. | ||
Line 72: | Line 74: | ||
* FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc | * FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc | ||
* Sysadmins - deploy server and pam changes. skvidal, kevin, etc | * Sysadmins - deploy server and pam changes. skvidal, kevin, smooge, relrod etc | ||
* Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code. | * Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code. | ||
People good to have to get other secondary objectives done: | |||
* Rel-eng - signing server security, cert rework. dgilmore. | |||
* Other folks who know IDSes, git commit signing, etc. | |||
== Planning Prerequisites == | == Planning Prerequisites == | ||
Line 89: | Line 97: | ||
== Plan == | == Plan == | ||
TBD | |||
# '''Location:''' | # '''Location:''' | ||
# '''Date:''' | # '''Date:''' |
Revision as of 22:12, 8 August 2012
This is the main page for The Fedora Infrastructure 2012 Security FAD, which is a FAD focused on Security.
Purpose
In this FAD we will focus on some security related projects to get them done and deployed.
- primary goal: Finish implementation and deployment of 2 factor authentication for sudo on all machines.
- FAS Changes
- Enabling 2 factor / pin setup.
- Way to reset when 2 factor is lost/stolen/broken
- backup codes?
- figure out which backends are supported. (googleauth? yubikey?)
- See if web apps can be made easily 2 factor aware.
- way to enforce 2 factor for some groups?
- Infrastructure setup
- setup server/cgi on fas machines
- setup backends
- setup pam module / confirm sudo working
- Extra Credit
- Enable 2 factor for ssh (optional ability for packagers to use for commits)
- Enable 2 factor for web apps
- Enable 2 factor for hosted / nagios / misc
In addition, we may attempt to complete the following secondary goals as time allows:
- secondary goal(s):
- Redo koji ssl certs in a better way.
- Revamp firewall rules to further restrict traffic between machines.
- Come up with a better plan for signing servers
- In puppet or out of puppet? - On demand vs always on - ssh access, console, 2factor?
- Hash out a roadmap or plans around git commit signing.
- See if this is something we want to do
- Work on FAS security enhancements
- backup email address? - security questions? - better gpg integration? - handling for 2 factor auth
- Setup a simple IDS of some kind?
- Notice non standard traffic in our internal nets
- Finish up keys.fedoraproject.org and announce it.
- Clean up selinux AVCs and move more things to enforcing.
Detailed Work Items & Final Attendees
People needed to get primary objective done:
- FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc
- Sysadmins - deploy server and pam changes. skvidal, kevin, smooge, relrod etc
- Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code.
People good to have to get other secondary objectives done:
- Rel-eng - signing server security, cert rework. dgilmore.
- Other folks who know IDSes, git commit signing, etc.
Planning Prerequisites
See the How to organize a FAD list; you can keep your to-do list here.
- Work out budget
- Decide on Dates and Location
- Arrange Facilities
- List Resources
- Arrange Lodging
- Arrange Refreshments
- Arrange a Social Event
Plan
TBD
- Location:
- Date:
- Schedule
- Participants arrive at THIS_TIME_AND_DATE
- Schedule item
- Schedule item
- Schedule item
- Participants leave at THIS_TIME_AND_DATE
- Important skills (one or more)
- skill
- skill
- skill
- Personnel (people who might fit the bill)
- Name (location, role) Confirmed? (Y/N)
- Name (location, role) Confirmed? (Y/N)
- Name (location, role) Confirmed? (Y/N)
- others?
- Other considerations
- Contributor V can offer a living room for evening social gatherings.
- Contributor W has a car and is willing to do airport pick-ups.
- Contributor X needs as much advance notice as possible.
- Contributor Y has a schedule that is better on Fridays than on Tuesdays, and prefers weekend times after 4:28 AM.
- Contributor Z is allergic to peanuts.
Logistics
Snacks/Beverages: Details go here.
Lunch: Details go here.
Dinner: Details go here.
Budget
If you want funding from Red Hat, ask the Community Architecture team. If you can find other ways to fund your FAD, that's great too!
Contributor | Dept | Arrv | Dept | Arrv | Cost |
---|---|---|---|---|---|
Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
- Travel: $A for airfare, bus, train, etc. funding needed to get attendees to the FAD
- Housing: $B for hotel, etc. needed to have attendees sleep during the FAD
- link to hotel room booking website, if applicable
- Space: $C for renting space to hack in, if applicable
- address and travel details for the space
- Supplies: $D for anything else you may need
- item
- item
- item
Total budget: $A+B+C+D