I am an OSCE OSCP OSWP I can help with some security :)

On Wed, 2012-06-13 at 02:09 +0000, infrastructure-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Send infrastructure mailing list submissions to
>     infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://admin.fedoraproject.org/mailman/listinfo/infrastructure
> or, via email, send a message with subject or body 'help' to
>     infrastructure-request@xxxxxxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
>     infrastructure-owner@xxxxxxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of infrastructure digest..."
>
>
> Today's Topics:
>
>    1. Re: Ticket #1084 Research/Updates (Kevin Fenzi)
>    2. mulling the idea of a Infrastructure Security FAD (fedora
>       activity day) (Kevin Fenzi)
>    3. Re: mulling the idea of a Infrastructure Security FAD (fedora
>       activity day) (Jayson Rowe)
>    4. Re: mulling the idea of a Infrastructure Security FAD (fedora
>       activity day) (Ricky Elrod)
>    5. Re: mulling the idea of a Infrastructure Security FAD (fedora
>       activity day) (Stephen John Smoogen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 12 Jun 2012 13:56:21 -0600
> From: Kevin Fenzi <kevin@xxxxxxxxx>
> To: infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Ticket #1084 Research/Updates
> Message-ID: <20120612135621.681a7a0d@xxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> On Mon, 11 Jun 2012 20:40:08 -0400
> Jason Taylor <fedrhino42@xxxxxxxxx> wrote:
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Everyone,
> >
> > After talking with nirik briefly about this ticket, poking around and
> > getting oriented a little it seems like starting with a high level
> > view working to a more detailed low level view is the way to go
> > updating/creating these docs.
> > With that in mind the first item I am
> > looking at is:
> >
> > http://fedoraproject.org/wiki/File:Infrastructure_Architecture_GlobalNetwork.png
> >
> > A few questions:
> > 1. How attached are we to this specific image? Can I look around for a
> > different image to put this information on?
>
> Not very. I'm happy with any image/setup that conveys how things are,
> with extra bonus for easy to add new things or change.
>
> > 2. With regard to the data on the image, do we still utilize both
> > ServerBeach locations? (I didn't run across any location
> > specifications regarding which serverbeach location in nagios or
> > puppet)
>
> Nope. All our serverbeach machines are in the same datacenter now.
>
> It's their San Antonio, TX datacenter.
>
> > 3. Are there any other locations that should be added? (e.g.
> > Internetx)
>
> Yeah, internetx is also in Germany. Berlin I think.
>
> osuosl is in Corvallis, oregon, us.
>
> bodhost is in england (not sure exactly where).
>
> kevin
>
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 836 bytes
> Desc: not available
> URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20120612/2f6ff8aa/attachment-0001.sig>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 12 Jun 2012 17:03:48 -0600
> From: Kevin Fenzi <kevin@xxxxxxxxx>
> To: Fedora Infrastructure <infrastructure@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: mulling the idea of a Infrastructure Security FAD (fedora
>     activity day)
> Message-ID: <20120612170348.16cec5a0@xxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> Greetings.
>
> I've been toying with the idea of a Fedora Infrastructure FAD (Fedora
> Activity Day) around getting our security tasks further along/mapped
> out, or just done.
> We can do all these things remotely, but sitting
> down with less distractions and getting things done or deciding on
> roadmaps may work faster/better in person.
>
> More information on FAD's:
> http://fedoraproject.org/wiki/Fedora_Activity_Day_-_FAD
>
> Some possible Goals:
>
> * Put in place our 2 factor authentication solution.
>   - Enable globally for sudo.
>   - Come up with plan/roadmap for applications 2 factor
>     authentication.
>   - enable more 2nd factors if we only have one working.
>     (yubikey, google authenticator, others?)
> * Revamp firewall rules to further restrict traffic between machines.
> * Come up with a better plan for signing servers
>   - In puppet or out of puppet?
>   - On demand vs always on
>   - ssh access, console, 2factor?
> * Hash out a roadmap or plans around git commit signing.
>   - See if this is something we want to do
> * Work on FAS security enhancements
>   - backup email address?
>   - security questions?
>   - better gpg integration?
>   - handling for 2 factor auth
> * Setup a simple IDS of some kind?
>   - Notice non standard traffic in our internal nets
> * Finish up keys.fedoraproject.org and announce it.
> * Clean up selinux AVCs and move more things to enforcing.
> * Your brilliant Fedora Infrastructure security related idea here.
>
> Possible dates:
>
> last week of Aug, First week of Sept?
>   (This puts us between the Alpha and Beta freezes, and is possibly
>   enough notice to get better airfare/etc rates).
>   somewhere in 2012-08-27 to 2012-09-10
>
> First 2 weeks in Nov?
>   (After F18 is released, before thanksgiving)
>   somewhere in 2012-11-05 to 2012-11-16
>
> Right before next Fudcon?
>   2013-01-15 to 2013-01-17?
>
> Your exciting better dates here.
>
> Possible locations:
>
> Red Hat HQ in RDU?
>   pros: can probably get a room/network and pull in other RH folks
>
> Westford, MA
>   pros: could probably get a room/network and pull in other RH
>   engr folks.
>
> Other location here:
>   must be cheap to fly to/stay at, and have a facility we could
>   meet at and use.
>
> So, this is more a 'is there enough interest in this to pursue it' type
> of email.
>
> How many folks would be interested in going to something like this?
>
> What dates or places would you prefer?
>
> Is there another topic that would be a better thing to do than
> Security? I can think of several more topics if we would prefer
> something else (Fixing our application logging could be its own FAD by
> itself).
>
> Thoughts?
>
> kevin
>
> ------------------------------
>
> Message: 3
> Date: Tue, 12 Jun 2012 20:55:00 -0400
> From: Jayson Rowe <jayson.rowe@xxxxxxxxx>
> To: Fedora Infrastructure <infrastructure@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: mulling the idea of a Infrastructure Security FAD (fedora
>     activity day)
> Message-ID:
>     <CAKNS325+dPj-Kp3j0nkQHCFMN2=kXNiNSgv9dZj1cJXK73mp4w@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I would absolutely love to come to something like this. Due to
> finances, and not having to buy a plane ticket, RDU would be best for
> me (I could drive...I'm about a 3.5hr drive away), and I'm almost sure
> I could swing it, especially if I could split a room w/ someone. Dates
> aren't as big of a deal for me. How many days of the week would it
> involve? I'd have to make sure I have extra vacation time at work to
> spare.
>
> --
> -jayson
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 12 Jun 2012 20:55:10 -0400
> From: Ricky Elrod <codeblock@xxxxxxxx>
> To: infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: mulling the idea of a Infrastructure Security FAD (fedora
>     activity day)
> Message-ID: <4FD7E4EE.3050903@xxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> So, I really like this idea. I think it would be a really fun and
> productive time.
>
> I think security is a good topic, but it'll be good to see if anyone
> else has other ideas. I think we have quite a few things we could cover
> in the security realm though, like you listed.
>
> I'd prefer to stay away from the last week of August/first week of
> September, because for me (and possibly others -- Ian?) classes will
> just have started back up. I'd vote for earlier, maybe the end of July?
> Or the first week or two of August? Beyond that us college-goers will
> probably be getting ready for the semester.
>
> I don't have a lot of preference on location, either of your ideas are
> about the same distance from me, personally.
>
> But yes, I'm very interested in this, I think it would be a lot of fun,
> and I think we could get a lot done.
>
> -re
>
> ------------------------------
>
> Message: 5
> Date: Tue, 12 Jun 2012 20:09:26 -0600
> From: Stephen John Smoogen <smooge@xxxxxxxxx>
> To: Fedora Infrastructure <infrastructure@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: mulling the idea of a Infrastructure Security FAD (fedora
>     activity day)
> Message-ID:
>     <CANnLRdisY0Wpv+mcX2Ob5s87BfMja4WnUqWUQTEQkynyeJWTkg@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252
>
> On 12 June 2012 17:03, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > Greetings.
> >
> > I've been toying with the idea of a Fedora Infrastructure FAD (Fedora
> > Activity Day) around getting our security tasks further along/mapped
> > out, or just done. We can do all these things remotely, but sitting
> > down with less distractions and getting things done or deciding on
> > roadmaps may work faster/better in person.
> >
> > More information on FAD's:
> > http://fedoraproject.org/wiki/Fedora_Activity_Day_-_FAD
> >
> > Some possible Goals:
> >
> > * Put in place our 2 factor authentication solution.
> >   - Enable globally for sudo.
> >   - Come up with plan/roadmap for applications 2 factor
> >     authentication.
> >   - enable more 2nd factors if we only have one working.
> >     (yubikey, google authenticator, others?)
>
> I think this would be a good focus. We are looking at a 2 day
> work-fest (meaning many people would block out 4 days (2 to travel,
> 2 to work)) and I think that would take up most of that 2 days. The
> next primary focus would be mapping what we have and how they talk to
> each other. Getting to know what is around and how it talks to
> everything is a time consuming task but once it is done, it makes
> figuring out what is left out in the wind, what we care about and what
> we don't much easier.