Improving security in z/OS Open Tools

[IgorTodorovskiIBM]

• Should we enable 2-factor authentication as a requirement?

When you require use of two-factor authentication for your organization, members, outside collaborators, and billing managers (including bot accounts) who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable two-factor authentication for their personal account within three months of their removal from your organization.

• Should our tooling be enhanced to detect vulnerabilities for installed software?
  • Covered in https://github.com/orgs/ZOSOpenTools/discussions/214
• Should we enable CodeQL github actions for code scanning: https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
• Enabling Dependabot alerts to be generated when a new vulnerable dependency or malware is found in one of your repositories - https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
• Enabling secret scanning - Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally. https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts

Any thoughts or other ideas?

[ccw-1]

I am using 2FA to acccess git, you can't possibly know though. How can you enforce that?

[IgorTodorovskiIBM]

This is in reference to https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization . It would remove those who don't have two factor authentication enabled from our organization.

[ccw-1]

You can certainly enable those github.com scannings. How about requiring commits to be signed?

[IgorTodorovskiIBM]

Yep, we can explore setting commit signing as an requirement, maybe once we port gpg and its dependencies.

[perry-ca]

Can we open a separate issue/topic for the 2nd bullet. I feel these are independent topics. Both important.

[IgorTodorovskiIBM]

Moved it to https://github.com/orgs/ZOSOpenTools/discussions/214

[v1gnesh]

@IgorTodorovskiIBM

Should we enable 2-factor authentication as a requirement?

Yes, and also please consider FIDO or FIDO2 security for SSH.
People may moan but this is the only phishing-resistant MFA.
OpenSSH added support for this a couple of years ago.
https://developers.yubico.com/SSH/

Enabling secret scanning - Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally. https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-partner-alerts

Chezmoi will help; I'll try to port it soon.
I'm pretty sure it will be a productivity booster in general.

[v1gnesh]

@IgorTodorovskiIBM @MikeFultonDev
Let's apply for https://github.com/1Password/1password-teams-open-source 😄

[v1gnesh]

I've submitted a PR (per their process) - 1Password/for-open-source#744
Also invited Igor & Mike (to start off).
Do let me know if the invites should be to your personal IDs (instead of IBM IDs).
Because this is open source work, and upstreaming is happening, this project (and its contributors) should qualify to what 1Password offers.

[IgorTodorovskiIBM]

Nice find! Some organizations like IBM already have a 1Password account set up. I see that 1Password Teams secures up to 10 members - https://1password.com/teams/ - does that apply here as well?

[v1gnesh]

I hope not (on the limit); can ask about that when 1pw writes back.

Generally nice to know that IBM uses a pw manager, and that too a user-friendly one 😁

[perry-ca]

I assume the client would need to be ported to z/OS as well.

[v1gnesh]

Hi Sean, if it's for SSH and git workflows (commit signing, pull/push), porting is not required.
SSH IdentityAgent forwarding can be setup, and I've done just that.
https://developer.1password.com/docs/ssh

For secrets (like API token etc.), I still have to look up if we can use something.
1pw CLI works for this, but I think that works only for secrets use on local machine.
There's also a 1pw connect server which may help, but I'll have to read up.

[v1gnesh]

1Password for Teams Open Source

Happy to report that the ZOSOpenTools org now has 1Password Teams --> https://zosopentools.1password.com/.
Currently, @MikeFultonDev & myself are the owners, but I'll probably leave as the owner if someone else wants to step in.

Because I already have a 1Password personal account, I don't need a seat.
And because IBMers may also have 1Password, you may prefer using that account.
However, there is now the option of using this, for non-IBM contributors.
Of course, IBMers are free to join with their personal mail address, for this open source work :)

I've asked if the same 10-person limit applies.
EDIT:

Oh I forgot to ask @jodyheavener, does the same 10 person limit apply?
@v1gnesh Nope, you shouldn't encounter a limit when adding people. 😄

1Password/for-open-source#754

A quick question for everyone - @MikeFultonDev @IgorTodorovskiIBM @perry-ca @HarithaIBM @AnthonyGiorgio -
How many of youse (lol) use 1pw's new SSH capability - https://blog.1password.com/1password-ssh-agent/
With SSH agent forwarding setup on the local machine, pointing to 1pw's IdentityAgent, SSH keys don't need to go on any server.

[lbdyck]

That looks awesome for use on a system where 1Password runs (i.e. Windows) but sadly it won't work where I do 99.999% of my git work which is on z/OS under OMVS. Someday perhaps :)

[v1gnesh]

Hi @lbdyck, when I git push from z/OS, I get a prompt from 1pw on my local machine to auth to git, and to sign commit :)

From the workstation's ~/.ssh/config:

Host zopen
     User userme
     HostName ip-address
     ForwardAgent yes
     ServerAliveInterval 30
     IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

[lbdyck]

interesting - thanks

[MikeFultonDev]

@AnthonyGiorgio I believe you wrote a blog on this?

[v1gnesh]

@MikeFultonDev - you will like this - https://crashoverride.com/blog/chalk-is-now-officially-open-source

[AnthonyGiorgio]

Interesting to see Omkhar Arasaratnam's name in the quotes. I worked with him at IBM many years ago.