2020 personal security checkup (sprint 240 and 241)

This thread is for discussion relating to the 2020 security audit, which will be a self-guided checkup on your own security practices.

Ticket to log time: your assigned ticket titled “personal security checkup”. A subset have been scheduled for sprint 240, to allow iterating on the form before everyone completes it.


[off topic]
@samuel Could this go in the public forum? I know this is about security, but there shouldn’t be anything in this thread that would be an issue to communicate about publicly? And if there were, that could go in a specific private thread when/if needed.
[/off topic]

Oh of course, sorry I didn’t even realize we had public and private versions of the forum topics.

How public is ‘public’ by the way? I can’t view this if I log out.


@swalladge Thanks! :slight_smile:

For the details about this, see Opening up the forum - the categories marked as “public” aren’t yet public, to give time to everyone to review it.


Very nice security checklist, thanks!

Your GitHub personal access token used for logging in to Vault is stored securely (eg. in your password manager).

This seemed strange to me, as I have never had to “store” this token anywhere. When it expires, I just create a new one in GitHub’s UI, then enter it directly into Vault, and never have to think about it again until it expires a couple months later, in which case I need to generate a new one anyways.

Oh that’s interesting. I often get logged out of Vault and need to enter the token again - that’s why I’ve been treating that token as a password and storing it in my password manager. You’re right that it would be more secure to not store the token anywhere locally. Do you think the checklist should be updated?

Hmm, I get logged out about every two months and I assume (or maybe the message says) that it’s because the token is expired, so I regenerate a new one then. If that’s what you’re talking about, maybe I could be saving myself some work and re-using the tokens. But if you mean that you get logged out much more often than that, I’m surprised because I usually stay logged in for about two months at a time.

I just completed it myself, and discovered some issues with my own setup (which was surprising, since I wrote the list :stuck_out_tongue: ).

  • I’d forgotten to set up a firewall on my new desktop install, so I set up ufw.
  • Found a couple of GitHub, GitLab and AWS personal tokens that were no longer used - deleted.
  • A couple of weak passwords from years ago (for personal services, not OC related; I checked them all while I was there). Updated them.

I think when Vault says that, it’s referring to the generated auth token that’s stored in cookies or localStorage, not the GitHub token. GitHub tokens don’t expire as far as I know.

Oh :man_facepalming:. I knew GitHub tokens never expire so I always wondered why Vault kept telling me the token expired. I just assumed that Vault had some sort of security policy requiring you to get a new token from GitHub every so often. That makes way more sense. Well I’m glad I talked to you! Turns out I should have been saving the token in my password manager :stuck_out_tongue:


It is also worth adding that SSH keys must be generated with a passphrase.

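A small self-check for that item, added here as an example and not part of the thread or the checklist: it inspects a private key file and reports whether it is passphrase-protected, by reading the cipher name in the openssh-key-v1 header (cipher `none` means unencrypted) or the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys. The two OpenSSH sample keys are constructed headers only (not real keys), and `audit_ssh_dir` is a hypothetical helper name.

```python
import base64
import os
import struct

MAGIC = b"openssh-key-v1\x00"

def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b

def _openssh_header(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the openssh-key-v1 header, no real key material."""
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"

UNPROTECTED_KEY = _openssh_header(b"none", b"none")          # ssh-keygen with empty passphrase
PROTECTED_KEY = _openssh_header(b"aes256-ctr", b"bcrypt")   # ssh-keygen with a passphrase
LEGACY_PEM_PROTECTED = (  # constructed legacy PEM layout (ssh-keygen -m PEM), body is a placeholder
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

def key_has_passphrase(pem_text: str) -> bool:
    """Return True if the private key is encrypted (passphrase-protected)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:  # PKCS#8 encrypted form
        return True
    # Legacy PEM (RSA/EC/DSA): encrypted only if the Proc-Type header says so
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def audit_ssh_dir(path: str = os.path.expanduser("~/.ssh")) -> list:
    """List private key files under `path` that have no passphrase."""
    unprotected = []
    for name in sorted(os.listdir(path)) if os.path.isdir(path) else []:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "r", errors="ignore") as fh:
            head = fh.read(4096)
        if "PRIVATE KEY-----" in head and not key_has_passphrase(head):
            unprotected.append(full)
    return unprotected
```

Keys it reports can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.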

Haha, you were not the only one :smiley: I assumed exactly the same and when Vault told me the token expired I always just went to GitHub to regenerate it.


Good point, added. :+1:

When browsing the documentation/handbook, feel free to open any tickets related to typos, outdated information and so on. This will help us assign newcomer-friendly tickets to our newcomers and keep our documentation updated. Example: we don’t use KeePass anymore (to the best of my knowledge), hence I opened an issue which will result in a newcomer-friendly ticket. :innocent: