so also need to think about how/when these access can be useful/
2022-05-09 12917, 2022
atj
yes, this is why an external log server is useful because the logs can't be erased (hopefully)
2022-05-09 12901, 2022
lucifer
right erasing is one part. but with root access, one could login just as the postgres user and the db access logs won't show anything.
2022-05-09 12911, 2022
atj
right
2022-05-09 12904, 2022
alastairp
but keep in mind that anything is better than nothing - we're still going in the right direction
2022-05-09 12907, 2022
lucifer
will need to consider this thoroughly during logging review.
2022-05-09 12911, 2022
atj
indeed
2022-05-09 12913, 2022
lucifer
yup agreed
2022-05-09 12915, 2022
alastairp
if we start thinking about what to log, and where to log it to
2022-05-09 12916, 2022
atj
perfect is the enemy of good etc
2022-05-09 12938, 2022
atj
not running services as root would be good
2022-05-09 12956, 2022
lucifer
makes sense
2022-05-09 12901, 2022
alastairp
(which is next on the list)
2022-05-09 12924, 2022
lucifer
onto next?
2022-05-09 12927, 2022
atj
yep
2022-05-09 12930, 2022
lucifer
3. Log possible incidents irrespective of whether we determined a breach happened or not, probably in syswiki or docs?
2022-05-09 12931, 2022
monkey
syswiki makes sense
2022-05-09 12939, 2022
lucifer
so if we patch a vulnerability, i think it might be a good idea to log it somewhere. if we later detect something unusual, it'll help. also better to keep track of all of this stuff.
2022-05-09 12943, 2022
atj
yes I think so
2022-05-09 12911, 2022
lucifer
syswiki sounds good. MB team already uses it for a few purposes.
2022-05-09 12927, 2022
yvanzo
It’s better than nothing to start with.
2022-05-09 12955, 2022
atj
I think it's a good place to start, if it turns out not to be suitable then we can re-evaluate
2022-05-09 12917, 2022
lucifer
sounds good
2022-05-09 12927, 2022
lucifer
do we have anything else on this topic?
2022-05-09 12932, 2022
alastairp
not from me
2022-05-09 12957, 2022
Freso
Well, there’s also only 1 minute left, so…
2022-05-09 12905, 2022
lucifer
so docker capabilities next time (meeting after schema change probably) ?
2022-05-09 12914, 2022
mayhem
sounds like it
2022-05-09 12915, 2022
atj
going back to zas' question, I think we should be aiming for our security baseline to be at a level that deters an unsophisticated attacker (e.g. pop shell and install cryptominer)
2022-05-09 12944, 2022
lucifer
makes sense
2022-05-09 12957, 2022
atj
sophisticated attackers need reasons to target you, and I'm not sure that MeB has many of those
2022-05-09 12916, 2022
yvanzo
Just a reminder: next Monday there will be a MB database schema change.
2022-05-09 12926, 2022
Freso
Good reminder. :)
2022-05-09 12935, 2022
Freso
Quick last minute final topic: Next meeting
2022-05-09 12947, 2022
Freso
next Monday there will be a MB database schema change.
2022-05-09 12951, 2022
Freso
so no meeting.
2022-05-09 12955, 2022
Freso
Next meeting in 14 days. :)
2022-05-09 12915, 2022
Freso
And with that, thank you all for your time! Stay safe out there!
2022-05-09 12918, 2022
Freso
</BANG>
2022-05-09 12921, 2022
lucifer
thanks all!
2022-05-09 12923, 2022
atj
thanks
2022-05-09 12924, 2022
yvanzo
Thanks everyone!
2022-05-09 12929, 2022
monkey
Thanks !
2022-05-09 12958, 2022
TOPIC: MetaBrainz Community and Development channel | MusicBrainz non-development: #musicbrainz | BookBrainz: #bookbrainz | Channel is logged; see https://musicbrainz.org/doc/IRC for details | Agenda [next meeting: 2022-05-23]: Reviews, Securing MeB infrastructure - part 4
2022-05-09 12902, 2022
reosarevok
yvanzo: are you still available for a bit to check and merge stuff?
2022-05-09 12914, 2022
atj
monkey: re the start time column in the docker container table, I found a jquery timeago plugin which works quite nicely, have a look
2022-05-09 12957, 2022
monkey
Yep, I know the one
2022-05-09 12900, 2022
monkey
Should work fine
2022-05-09 12903, 2022
monkey
Yep, just looked again, that's great. Does it play well with datatables?
2022-05-09 12911, 2022
atj
yes, the sorting still works
2022-05-09 12936, 2022
atj
and I set the title attribute, so the date shows when you hover over it
2022-05-09 12947, 2022
monkey
👍
2022-05-09 12900, 2022
monkey
I think that's all the boxes ticked
2022-05-09 12945, 2022
atj
zas: I have a small ruby app mostly implemented which will periodically login to a configured list of servers and retrieve the docker stats, then write the output to a file for use with datatables
2022-05-09 12956, 2022
atj
once it's ready for consumption, we should discuss how to secure it sufficiently
2022-05-09 12905, 2022
atj
I think a dedicated user with a locked down sudo configuration is the best option, but would be interested in your thoughts
2022-05-09 12927, 2022
yvanzo
reosarevok: I’m still testing #2496 atm.
2022-05-09 12933, 2022
atj
then we need to secure the web page too
2022-05-09 12933, 2022
reosarevok
Perfect, thanks
2022-05-09 12901, 2022
yvanzo
reosarevok: On #2434, the conversations look OK but your review is still requesting changes.
Do you have cats perchance? Just a hunch that you might :D
2022-05-09 12957, 2022
reosarevok
lucifer: ooooooh, proper sir tests
2022-05-09 12910, 2022
lucifer
:D
2022-05-09 12908, 2022
lucifer
yvanzo: hi! i just saw https://github.com/metabrainz/docker-server-confi… . this is creating issues while trying to start a container on gaga. one is named listenbrainz-mbid-mapping and other is named listenbrainz-mbid-mapping-writer-prod, if second is running the script refuses to start the first one. probably docker filter check needs to be refined.
2022-05-09 12941, 2022
lucifer
i'll revert docker-server-configs locally for now on gaga to start the container
2022-05-09 12926, 2022
lucifer
mayhem: ^ in case you need to restart the mapping containers
2022-05-09 12954, 2022
CatQuest
aerozol: aaawww nice doggo
2022-05-09 12935, 2022
CatQuest
yea, I had cats, but sadly they all passed away (most of them were old, but the last one was only 2 years old and it broke my heart. I haven't got another after this :s)
2022-05-09 12901, 2022
CatQuest
what i doggos name?
2022-05-09 12904, 2022
CatQuest
is*
2022-05-09 12947, 2022
CatQuest
give them headpats from me <3
2022-05-09 12925, 2022
v6lur joined the channel
2022-05-09 12950, 2022
aerozol
He is Bean!
2022-05-09 12924, 2022
aerozol
Awww so heart breaking. I'm sure when you've had time to heal another cat will slink their way into your heart
2022-05-09 12950, 2022
aerozol
He got an ear scratch from you just now
2022-05-09 12955, 2022
Lotheric has quit
2022-05-09 12906, 2022
yvanzo
reosarevok: off for the day, will continue on tomorrow