FAD Infrastructure Security 2012
From FedoraProject
(add some more details and flesh things out some) |
|||
| Line 5: | Line 5: | ||
In this FAD we will focus on some security related projects to get them done and deployed. | In this FAD we will focus on some security related projects to get them done and deployed. | ||
| − | * primary goal: Finish implementation and deployment of 2 factor authentication for sudo | + | * primary goal: Finish implementation and deployment of 2 factor authentication for sudo on all machines. |
| + | |||
| + | * FAS Changes | ||
| + | |||
| + | ** Enabling 2 factor / pin setup. | ||
| + | |||
| + | ** Way to reset when 2 factor is lost/stolen/broken | ||
| + | |||
| + | ** backup codes? | ||
| + | |||
| + | ** figure out which backends are supported. (googleauth? yubikey?) | ||
| + | |||
| + | ** See if web apps can be made easily 2 factor aware. | ||
| + | |||
| + | ** way to enforce 2 factor for some groups? | ||
| + | |||
| + | * Infrastructure setup | ||
| + | |||
| + | ** setup server/cgi on fas machines | ||
| + | |||
| + | ** setup backends | ||
| + | |||
| + | ** setup pam module / confirm sudo working | ||
| + | |||
| + | * Extra Credit | ||
| + | |||
| + | ** Enable 2 factor for ssh (optional ability for packagers to use for commits) | ||
| + | |||
| + | ** Enable 2 factor for web apps | ||
| + | |||
| + | ** Enable 2 factor for hosted / nagios / misc | ||
In addition, we may attempt to complete the following '''secondary''' goals as time allows: | In addition, we may attempt to complete the following '''secondary''' goals as time allows: | ||
* secondary goal(s): | * secondary goal(s): | ||
| + | |||
| + | * Revamp firewall rules to further restrict traffic between machines. | ||
| + | |||
| + | * Come up with a better plan for signing servers | ||
| + | - In puppet or out of puppet? | ||
| + | - On demand vs always on | ||
| + | - ssh access, console, 2factor? | ||
| + | |||
| + | * Hash out a roadmap or plans around git commit signing. | ||
| + | - See if this is something we want to do | ||
| + | |||
| + | * Work on FAS security enhancements | ||
| + | - backup email address? | ||
| + | - security questions? | ||
| + | - better gpg integration? | ||
| + | - handling for 2 factor auth | ||
| + | |||
| + | * Setup a simple IDS of some kind? | ||
| + | - Notice non standard traffic in our internal nets | ||
| + | |||
| + | * Finish up keys.fedoraproject.org and announce it. | ||
| + | |||
| + | * Clean up selinux AVCs and move more things to enforcing. | ||
== Detailed Work Items & Final Attendees == | == Detailed Work Items & Final Attendees == | ||
| + | |||
[[FAD_Infrastructure_Security_2012/attendees | Attendees]] | [[FAD_Infrastructure_Security_2012/attendees | Attendees]] | ||
| + | |||
| + | People needed to get primary objective done: | ||
| + | |||
| + | * FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc | ||
| + | |||
| + | * Sysadmins - deploy server and pam changes. skvidal, kevin, etc | ||
| + | |||
| + | * Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code. | ||
== Planning Prerequisites == | == Planning Prerequisites == | ||
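Review bot: In the secondary-goals block, the sub-points under signing servers, git commit signing, FAS security enhancements and the IDS item start with "- " instead of the "**" nested-list markup this same change uses under the primary goal, so they are not list items in wiki markup; switch them to "**" so each open question stays its own bullet. The new goals also sit at the same "*" level as the existing "* secondary goal(s):" line rather than nested beneath it, so either nest them with "**" (sub-points as "***") or drop that placeholder line. Under the primary goal, "Way to reset when 2 factor is lost/stolen/broken" and "backup codes?" cover the same recovery path and would read better as one item that also says who may approve a reset.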
Revision as of 03:14, 8 August 2012
This is the main page for The Fedora Infrastructure 2012 Security FAD, which is a FAD focused on Security.
Purpose
In this FAD we will focus on some security related projects to get them done and deployed.
- primary goal: Finish implementation and deployment of 2 factor authentication for sudo on all machines.
- FAS Changes
- Enabling 2 factor / pin setup.
- Way to reset when 2 factor is lost/stolen/broken
- backup codes?
- figure out which backends are supported. (googleauth? yubikey?)
- See if web apps can be made easily 2 factor aware.
- way to enforce 2 factor for some groups?
- Infrastructure setup
- setup server/cgi on fas machines
- setup backends
- setup pam module / confirm sudo working
- Extra Credit
- Enable 2 factor for ssh (optional ability for packagers to use for commits)
- Enable 2 factor for web apps
- Enable 2 factor for hosted / nagios / misc
In addition, we may attempt to complete the following secondary goals as time allows:
- secondary goal(s):
- Revamp firewall rules to further restrict traffic between machines.
- Come up with a better plan for signing servers
- In puppet or out of puppet?
- On demand vs always on
- ssh access, console, 2factor?
- Hash out a roadmap or plans around git commit signing.
- See if this is something we want to do
- Work on FAS security enhancements
- backup email address?
- security questions?
- better gpg integration?
- handling for 2 factor auth
- Setup a simple IDS of some kind?
- Notice non standard traffic in our internal nets
- Finish up keys.fedoraproject.org and announce it.
- Clean up selinux AVCs and move more things to enforcing.
Detailed Work Items & Final Attendees
People needed to get primary objective done:
- FAS developers - code needed fas changes. toshio, relrod, ricky, mmcgrath, etc
- Sysadmins - deploy server and pam changes. skvidal, kevin, etc
- Developers - fix issues with pam or cgi parts, help integrate with backends/fas. pam devs, mricon for cgi server side, folks who know about security code.
Planning Prerequisites
See the How to organize a FAD list; you can keep your to-do list here.
- Work out budget
- Decide on Dates and Location
- Arrange Facilities
- List Resources
- Arrange Lodging
- Arrange Refreshments
- Arrange a Social Event
Plan
- Location:
- Date:
- Schedule
- Participants arrive at THIS_TIME_AND_DATE
- Schedule item
- Schedule item
- Schedule item
- Participants leave at THIS_TIME_AND_DATE
- Important skills (one or more)
- skill
- skill
- skill
- Personnel (people who might fit the bill)
- Name (location, role) Confirmed? (Y/N)
- Name (location, role) Confirmed? (Y/N)
- Name (location, role) Confirmed? (Y/N)
- others?
- Other considerations
- Contributor V can offer a living room for evening social gatherings.
- Contributor W has a car and is willing to do airport pick-ups.
- Contributor X needs as much advance notice as possible.
- Contributor Y has a schedule that is better on Fridays than on Tuesdays, and prefers weekend times after 4:28 AM.
- Contributor Z is allergic to peanuts.
Logistics
Snacks/Beverages: Details go here.
Lunch: Details go here.
Dinner: Details go here.
Budget
If you want funding from Red Hat, ask the Community Architecture team. If you can find other ways to fund your FAD, that's great too!
| Contributor | Departure (to FAD) | Arrival (to FAD) | Departure (from FAD) | Arrival (from FAD) | Cost |
|---|---|---|---|---|---|
| Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
| Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
| Name | Travel to FAD, departure | Travel to FAD, arrival | Travel from FAD, departure | Travel from FAD, arrival | Ticket cost |
- Travel: $A for airfare, bus, train, etc. funding needed to get attendees to the FAD
- Housing: $B for hotel, etc. needed to have attendees sleep during the FAD
- link to hotel room booking website, if applicable
- Space: $C for renting space to hack in, if applicable
- address and travel details for the space
- Supplies: $D for anything else you may need
- item
- item
- item
Total budget: $A+B+C+D