[Security Review] Flatcar #1066

Closed
14 of 15 tasks
miao0miao opened this issue Apr 25, 2023 · 31 comments
Labels: assessment (project security assessments, one issue per project), triage-required (Requires triage)

Comments

@miao0miao (Contributor) commented Apr 25, 2023

Per the discussion regarding Flatcar due diligence on 19 April 2023 with @mauilion and @nikhita, I opened this security review request.

Project Name: Flatcar

GitHub URL: https://github.com/flatcar/Flatcar

CNCF project stage and issue (NA if not applicable): cncf/toc#991 (applying for incubation)

Security Provider: no

  • Identify team
  • Slack channel: #sec-assess-flatcar
  • Project lead provides draft document
  • "Naive question phase" Lead Security Reviewer asks clarifying questions
  • Assign issue to security reviewers
  • Initial review
  • Presentation & discussion
  • Share draft findings with project
  • Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • CNCF TOC presentation (if requested by TOC)
@miao0miao miao0miao added the triage-required Requires triage label Apr 25, 2023
@anvega anvega added the assessment project security assessments (one issue per project) label May 5, 2023
@ragashreeshekar (Contributor)

I'd like to join as a reviewer.
No conflicts from my end.

@sublimino (Member)

Thanks for the discussion today @miao0miao and team!

We look forward to your initial 30m presentation including the topics in the meeting notes to feed into Q&A and find further areas for discussion.

From there we'll identify what the TOC want from an OS-level review, and find the most effective way to generate a lightweight threat model to deliver the highest impact and value for users and your team 🙏

@JustinCappos (Collaborator)

Looking forward to getting this started. We need a few more folks to get this going. We will recruit more reviewers in the TAG Security meeting.

Do you have a self assessment document or similar for us to start on?

@t-lo commented Jun 8, 2023

Hello Folks,

Please pardon the long delay. In the TAG Security call on May 10th we discussed items we should cover in a security-focused overview presentation on Flatcar to TAG security. We have now finished our presentation and we're planning to present at the TAG Security meeting on the 14th of June.

Please pardon again the delay; creating the presentation took us much longer than expected.

@JustinCappos are there templates / examples for self assessments we could build on? We're a fairly mature project so any rough structure to fill in our details would be very welcome.

@JustinCappos (Collaborator)

There are two ways you could go here. One would be to go through the full process, which requires you to do a self assessment (see these guides: https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md and https://docs.google.com/document/d/1L6AAbzkVHkd2ODGv31Y-UJVKOjq2a0qxdZ5IIOQBcYo/edit#). The other would be to do the lightweight threat modeling process (#903).

@sublimino should probably weigh in about what is more appropriate for your group. However, if you look at the self assessment and have not already done much of this work, and your project's security is not important in the broader ecosystem, you may be able to get by with the lighter process.

@t-lo commented Jun 9, 2023

@JustinCappos Thank you for the pointers! Very helpful indeed. The security assessment book specifically is an awesome resource! I'll review both the self assessment and the threat modelling process in preparation for our presentation on June 14th. Let's briefly align after the presentation on how to proceed.

@t-lo commented Jun 14, 2023

Intermediate update: We moved the Flatcar technical overview / security presentation to the June 21st meeting as it did not fit into today's (June 14th) meeting.

@sublimino (Member)

Thanks for adding the note to the meeting agenda, to confirm it's in the EMEA timezone on June 21st at 1pm London. Looking forward to it!

@krishnakv (Contributor)

I would like to volunteer for this review, please. I have no soft or hard conflicts to report.

@t-lo commented Jun 22, 2023

Thank you everybody for your help and support!
As discussed in the TAG Security meeting, our WiP self-assessment doc is here.
It's currently in draft and we're still working on the doc.
We'll get back to you as soon as we're done to get initial feedback, and will convert it to Markdown and file a PR when it is ready.

@JustinCappos (Collaborator)

Adding myself as lead security reviewer. I do not have a conflict.

@mnm678 (Collaborator) commented Jun 22, 2023

I would like to volunteer to participate as a reviewer. I have no hard or soft conflicts.

@sublimino (Member)

Adding my name as a reviewer.

Soft conflicts: I know some of the team and have used the project since CoreOS in 2015, no current usage.

I have no hard conflicts.

@JustinCappos (Collaborator)

I'm signing off that there are no conflicts by any of the reviewers and that all have posted their statements.

@JustinCappos (Collaborator)

@t-lo I took a look at your assessment document and it's a good start. Please let us know when it is done. We have the preliminary team for this assessment all set up. You have a little time as we work with the Pixie team on their review, but we will be blocking on this being completed in two weeks or so.

@t-lo commented Jun 26, 2023

Thank you for the feedback @JustinCappos ! I expect to finish the doc later this week so there will even be a little headroom for reviewers to have a first pass before the TAG Security meeting on July 5th.
I will make sure to keep you posted.

@lcostea commented Jun 28, 2023

Is there space for an additional observer? I watched the YouTube presentation of Flatcar (the 21st June meeting) and I also read the security assessment book, so I'm looking forward to observing it.

@JustinCappos (Collaborator)

> Is there space for an additional observer? I watched the YouTube presentation of Flatcar (the 21st June meeting) and I also read the security assessment book, so I'm looking forward to observing it.

Yes. Please indicate your conflicts of interest.

@lcostea commented Jun 28, 2023

Sure, no conflicts on my end. Thanks

@t-lo commented Jul 3, 2023

Hello folks,

We've completed the self-assessment, please have a look at your convenience. Questions and feedback are very welcome!
The doc is on Google Docs for now to ease the feedback cycle. As soon as we're all happy with the doc I'll file a PR with the markdown version.

Doc: https://docs.google.com/document/d/1rj9HpBLskgc1FUt1LEeXmMGXdHVEY6qeQt1yocBLmi8/edit

We'll be at Wednesday's TAG Security meeting for Q&A re: our Flatcar presentation two weeks ago and to discuss the self-assessment.

Thank you everybody for helping with this process!

@JustinCappos (Collaborator)

@t-lo I've gone through the naïve questions phase and made a bunch of comments. The document is a very good start (I like the threat model section especially), but is missing a lot of detail that will be needed by reviewers. Can you make a pass and integrate answers to my comments in the text? (Feel free to close the comment if you know you've addressed it, or reply in the comment to ask if you are unsure.)

Also, please take a fresh look over the document for similar comments / issues I didn't flag. I am sure I have missed some as I was going through (especially later in the document).

@t-lo commented Jul 6, 2023

Thank you for the review @JustinCappos ! My plate is pretty full today but I've reserved some time tomorrow to go through the feedback and address the comments.

@ahrkrak commented Jul 14, 2023

@miao0miao I think "naive questions phase" and "assign issue to security reviewers" are complete (? please confirm) -- if so, maybe you could check off the list?

@t-lo commented Jul 14, 2023

@ahrkrak We're still in the naive question phase until I've addressed at least Justin's feedback 😅 I'm about 2/3 done and am planning to wrap it up today.

@ahrkrak commented Jul 14, 2023 via email

@t-lo commented Jul 14, 2023

@JustinCappos I've rewritten most parts of the self assessment and extended the first sections in particular, addressing all your feedback. Could you please give the doc another go?
(Note that I'll be unavailable Mo-Wed next week; travelling / attending a conference. I'll be back to address new feedback starting Thursday).
Link to doc (unchanged): https://docs.google.com/document/d/1rj9HpBLskgc1FUt1LEeXmMGXdHVEY6qeQt1yocBLmi8/edit

@t-lo commented Jul 14, 2023

And thank you for the elaborate and detailed feedback! It's been extremely helpful to improve the document. Thank you for all the time and effort you're putting into this.

@JustinCappos (Collaborator)

Alright, we've completed the naive questions phase! Reviewers ( @ragashreeshekar @sublimino @mnm678 ) and observers ( @krishnakv @lcostea ), it is time to take your notes about the project!

@t-lo commented Jul 31, 2023

Please note that I'll be off for the next 3 weeks but @miao0miao and @vbatts will stick around as points of contact for this time.

@JustinCappos (Collaborator)

Addressed via #1219 and #1220

@JustinCappos (Collaborator)

Thanks to the Flatcar team for all the hard work! @t-lo @miao0miao

10 participants