Feature #15981

Define security policy for access that gives arbitrary code execution on the Tails infrastructure

Added by intrigeri 3 months ago. Updated 22 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: Continuous Integration
Target version:
Start date: 09/26/2018
Due date:
% Done: 50%
QA Check:
Feature Branch:
Type of work: Communicate
Blueprint:
Starter:
Affected tool:

Description

We have no security policy defined for access to the Jenkins web UI and for sending branches to Jenkins. Do we need one? If yes, what shall it be?


Related issues

Related to Tails - Feature #15798: Jenkins access for new FT members Resolved 09/26/2018
Blocks Tails - Feature #13284: Core work 2017Q2→2019Q2: Sysadmin (Adapt our infrastructure) Confirmed 06/30/2017

History

#1 Updated by intrigeri 3 months ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to groente
  • % Done changed from 0 to 30
  • QA Check set to Ready for QA

For #15798 I've analyzed potential consequences of the attacker taking control over Jenkins or one of its worker VMs. And then I did some work to make lateral movement harder for such an attacker. IMO the result is good enough to give FT members access to Jenkins without any specific security policy.

#2 Updated by intrigeri 3 months ago

  • Subject changed from Define security policy for access to Jenkins to Define security policy for access that give arbitrary code exec on a lizard VM
  • Assignee changed from groente to intrigeri
  • QA Check changed from Ready for QA to Dev Needed

Actually, some service admins already have SSH access to a lizard VM => let's generalize this ticket.

#3 Updated by intrigeri 3 months ago

  • Blocks Feature #13284: Core work 2017Q2→2019Q2: Sysadmin (Adapt our infrastructure) added

#4 Updated by intrigeri 3 months ago

  • Subject changed from Define security policy for access that give arbitrary code exec on a lizard VM to Define security policy for access that give arbitrary code execution on the Tails infrastructure

#5 Updated by intrigeri 3 months ago

  • Subject changed from Define security policy for access that give arbitrary code execution on the Tails infrastructure to Define security policy for access that gives arbitrary code execution on the Tails infrastructure

#6 Updated by intrigeri 3 months ago

  • % Done changed from 30 to 50
  • QA Check deleted (Dev Needed)

We've designed (thanks groente!) and drafted a security policy in sysadmin.git. I'll now send it to everyone who already has such access and we'll see what comes out from it. If those who are waiting in line for Jenkins access satisfy that policy, I'll give them access.

#8 Updated by intrigeri 3 months ago

  • Type of work changed from Sysadmin to Communicate

#9 Updated by intrigeri 2 months ago

  • Target version changed from Tails_3.10.1 to Tails_3.11

2 weeks later, I've pinged everyone who did not reply yet. I'll come back to it in ~2 more weeks.

#10 Updated by intrigeri 25 days ago

  • Assignee changed from intrigeri to groente
  • QA Check set to Info Needed

I've pinged people twice already. I don't want to nag people endlessly and a security policy is only useful if we enforce it consistently so I would like to set a deadline.

Here's a proposal for one last email ping to the people who never answered:

Hi!

Here's one third and last ping.

Worst case, we'll disable any access that's in scope for this security policy
3 months after the initial announcement, i.e. not before December 26.

But we certainly hope we won't have to do that! If you take a few minutes
today to check your compliance with this security policy, it'll save
everyone involved quite some time :)

I'll also make the same deadline clear to those who did answer but have not achieved compliance yet.

#11 Updated by groente 25 days ago

  • Assignee changed from groente to intrigeri
  • QA Check deleted (Info Needed)

christmas presents from the bofh, i like it :)

jokes aside, that sounds completely reasonable, go for it!

#12 Updated by intrigeri 25 days ago

> christmas presents from the bofh, i like it :)

ah ah :)

Now, if we indeed have to cut access to people in the end, the work needed to do so and possibly dealing with negative feedback might be a rather poisoned kind of gift, but well.

> jokes aside, that sounds completely reasonable, go for it!

OK!

#13 Updated by intrigeri 23 days ago

  • Target version changed from Tails_3.11 to Tails_3.12

intrigeri wrote:

> Here's a proposal for one last email ping to the people who never answered:
>
> [...]
>
> I'll also make the same deadline clear to those who did answer but have not achieved compliance yet.

Done both. I'll come back to it after the deadline.

#14 Updated by intrigeri 22 days ago

Remaining: emmapeel, spriver.

#15 Updated by intrigeri 22 days ago

  • Parent task deleted (#15798)

#16 Updated by intrigeri 22 days ago
