<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>All,</div>
<div><br>
</div>
<div>Thank you so much for the great input and discussion! I made edits to the document based on feedback received including:</div>
<ul>
<li>Added a note indicating that the Oslo implementation path is the community desired implementation path to date.</li><li>Removed the concept of an Oslo Config option to disable log security (which would have enabled logging of some sensitive data).</li><li>Don't log URI or full request objects which could contain credential or data location information.</li><li>Added a discussion point, based on feedback, about the possibility of enabling AUDIT log setting to log some sensitive data (AUDIT would not be a recommended production setting in this form obviously).</li></ul>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div><a href="https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines">https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines</a></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Priti Desai <<a href="mailto:Priti_Desai@symantec.com">Priti_Desai@symantec.com</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, June 12, 2014 1:00 PM<br>
<span style="font-weight:bold">To: </span>"Kuvaja, Erno" <<a href="mailto:kuvaja@hp.com">kuvaja@hp.com</a>>, "Bryan D. Payne" <<a href="mailto:bdpayne@acm.org">bdpayne@acm.org</a>>, Paul Montgomery <<a href="mailto:paul.montgomery@rackspace.com">paul.montgomery@rackspace.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>" <<a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Openstack-security] Secure Logging Recommendations<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>I agree on making logs in (2) only readable by root/admin. It might be tricky to enforce it for already deployed services. </div>
<div><br>
</div>
<div>I would like to add an item on collecting DEBUG logs for a particular request. I did not find any notion of START and END of log messages in Keystone which makes it very hard to troubleshoot, also adds complexity in Monitoring and Notification of services.</div>
<div><br>
</div>
<div>Cheers</div>
<div>Priti</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span><Kuvaja>, Erno <<a href="mailto:kuvaja@hp.com">kuvaja@hp.com</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, June 12, 2014 12:37 AM<br>
<span style="font-weight:bold">To: </span>"Bryan D. Payne" <<a href="mailto:bdpayne@acm.org">bdpayne@acm.org</a>>, Paul Montgomery <<a href="mailto:paul.montgomery@rackspace.com">paul.montgomery@rackspace.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>" <<a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Openstack-security] Secure Logging Recommendations<br>
</div>
<div><br>
</div>
<div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:191722404;
mso-list-type:hybrid;
mso-list-template-ids:-1560610262 -707622094 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:?;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:?;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:?;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:?;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:?;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">I do agree with Bryan that it would be better not to log point 2 at all and I would suggest that if we provide this functionality to turn such on
we should also make those logs at that point root/admin readable only.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">I would also like to add an item to Sensitive/Confidential data list. One should never log any URI or full request object. These might contain user
sensitive information like credentials, data locations etc.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">Just a side note on the log levels. Lots of OPS are telling that currently getting anything valuable from the logs, they need to run the services
on DEBUG log level. Based on this I really like the statement that DEBUG level should still never compromise the security of the information.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">-<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><!--[endif]--><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">Erno (LP: jokke)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; "> Bryan D. Payne [<a href="mailto:bdpayne@acm.org">mailto:bdpayne@acm.org</a>]
<br>
<b>Sent:</b> 11 June 2014 17:00<br>
<b>To:</b> Paul Montgomery<br>
<b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack-security] Secure Logging Recommendations<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Paul,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I really like this. Here's a few additional thoughts:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">1) On the implementation side, doing this in Oslo seems like a good plan. At least doing as much of the security sensitive filtering stuff there. This is something we are basically asking all projects to do, so Oslo is the right answer.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">2) On this point:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"<span style="font-size: 10.5pt; color: rgb(51, 51, 51); font-family: 'Arial Unicode MS', sans-serif; ">If confidential/sensitive data MUST be logged for root cause analysis, create an Oslo Config setting that disables security features,
vividly informs the operator of this fact and make sure that the description accurately describes that this option should not be used for normal production purposes."</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: rgb(51, 51, 51); font-family: 'Arial Unicode MS', sans-serif; ">I think that it would be nice if we just didn't do this at all. But, I understand the realities and we are likely to be more successful
in our goals here if we can accommodate something like this. To that end, I could say that when the system is operating in this mode, we should prefix EVERY log line with a short string that makes it clear that this mode is for debug/test and that it shouldn't
be used for production purposes.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: rgb(51, 51, 51); font-family: 'Arial Unicode MS', sans-serif; ">3) CADF is interesting and appears to be getting some traction. I am not too familiar with this standard, though. It may be useful
to have these logging guidelines reviewed by someone who has more familiarity with CADF to make sure that everything lines up nicely.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: rgb(51, 51, 51); font-family: 'Arial Unicode MS', sans-serif; ">4) OSSG hasn't traditionally been through a process of "blessing" a document such as this. However, I would argue that it would be a
good idea for us to figure out how to do this. I think that providing guidelines such as this are a valuable "next step" towards increasing influence and interactions with the dev teams.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: rgb(51, 51, 51); font-family: 'Arial Unicode MS', sans-serif; ">Cheers,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: rgb(51, 51, 51); font-family: 'Arial Unicode MS', sans-serif; ">-bryan</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Fri, Jun 6, 2014 at 8:00 AM, Paul Montgomery <<a href="mailto:paul.montgomery@rackspace.com" target="_blank">paul.montgomery@rackspace.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; ">I created a first pass document describing some potential solutions to OpenStack sensitive data logging leaks (such as credentials or auth tokens):<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; "><a href="https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines" target="_blank">https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; ">I would appreciate reviews and discussions in order to gain approval of the OSSG and the security-minded community before making recommendations to other
projects (especially in the "Possible Implementation Options" section).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; ">Thanks!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; ">---paulmo<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10.5pt; color: black; font-family: Calibri, sans-serif; "><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</span></div>
</div>
</span>
</body>
</html>