so also need to think about how/when these access can be useful/
atj
yes, this is why an external log server is useful because the logs can't be erased (hopefully)
lucifer
right erasing is one part. but with root access, one could login just as the postgres user and the db access logs won't show anything.
atj
right
alastairp
but keep in mind that anything is better than nothing - we're still going in the right direction
lucifer
will need to consider this thoroughly during logging review.
atj
indeed
lucifer
yup agreed
alastairp
if we start thinking about what to log, and where to log it to
atj
perfect is the enemy of good etc
not running services as root would be good
lucifer
makes sense
alastairp
(which is next on the list)
lucifer
onto next?
atj
yep
lucifer
3. Log possible incidents irrespective of whether we determined a breached happened or not, probably in syswiki or docs?
monkey
syswiki makes sense
lucifer
so if we patch a vulnerability, i think it might be a good idea to log it somewhere. if we later detect something unusual, it'll help. also better to keep track of all of this stuff.
atj
yes I think so
lucifer
syswiki sounds good. MB team already uses it for a few purposes.
yvanzo
It’s better than nothing to start with.
atj
I think it's a good place to start, if it turns out not to be suitable then we can re-evaluate
lucifer
sounds good
do we have anything else on this topic?
alastairp
not freom me
Freso
Well, there’s also only 1 minute left, so…
lucifer
so docker capabilities next time (meeting after schema change probably) ?
mayhem
sounds like it
atj
going back to zas' question, I think we should be aiming for our security baseline to be at a level that deters an unsophisticated attacker (e.g. pop shell and install cryptominer)
lucifer
makes sense
atj
sophisticated attackers need reasons to target you, and I'm not sure that MeB has many of those
yvanzo
Just a reminder: next Monday there will be a MB database schema change.
Freso
Good reminder. :)
Quick last minute final topic: Next meeting
next Monday there will be a MB database schema change.
so no meeting.
Next meeting in 14 days. :)
And with that, thank you all for your time! Stay safe out there!
</BANG>
lucifer
thanks all!
atj
thanks
yvanzo
Thanks everyone!
monkey
Thanks !
TOPIC: MetaBrainz Community and Development channel | MusicBrainz non-development: #musicbrainz | BookBrainz: #bookbrainz | Channel is logged; see https://musicbrainz.org/doc/IRC for details | Agenda [next meeting: 2022-05-23]: Reviews, Securing MeB infrastructure - part 4
reosarevok
yvanzo: are you still available for a bit to check and merge stuff?
atj
monkey: re the start time column in the docker container table, I found a jquery timeago plugin which works quite nicely, have a look
monkey
Yep, I know the one
Should work fine
Yep, just looked again, that's great. Does it play well with datatables?
atj
yes, the sorting still works
and I set the title attribute, so the date shows when you hover over it
monkey
👍
I think that's all the boxes ticked
atj
zas: I have a small ruby app mostly implemented which will periodically login to a configured list of servers and retrieve the docker stats, then write the output to a file for use with datatables
once it's ready for consumption, we should discuss how to secure it sufficiently
I think a dedicated user with a locked down sudo configuration is the best option, but would be interested in your thoughts
yvanzo
reosarevok: I’m still testing #2496 atm.
atj
then we need to secure the web page too
reosarevok
Perfect, thanks
yvanzo
reosarevok: On #2434, the conversations look OK but your review is still requesting changes.
Do you have cats perchance? Just a hunch that you might :D
reosarevok
lucifer: ooooooh, proper sir tests
lucifer
:D
yvanzo: hi! i just saw https://github.com/metabrainz/docker-server-con... . this is creating issues while trying to start a container on gaga. one is named listenbrainz-mbid-mapping and other is named listenbrainz-mbid-mapping-writer-prod, if second is running the script refuses to start the first one. probably docker filter check needs to be refined.
i'll revert docker-server-configs locally for now on gaga to start the container
mayhem: ^ in case you need to restart the mapping containers
CatQuest
aerozol: aaawww nice doggo
yea, I had cats, but sadly they all passed away (most of them where old, but the last one was only 2 years odl and it broke my heart. I haven't got another after this :s)
what i doggos name?
is*
give them headpats from me <3
v6lur joined the channel
aerozol
He is Bean!
Awww so heart breaking. I'm sure when you've had time to heal another cat will slink their way into your heart
He got an ear scratch from you just now
Lotheric has quit
yvanzo
reosarevok: off for the day, will continue on tomorrow
