032009
Revision 4 as of 2009-03-27 20:42:33
Thank you for your interest in Securing Ubuntu !
BodhiZazen will be running two Q&A sessions on irc to discuss security and security issues.
Please review these threads & bring your questions :
logs for 19/03 and 26/03
19/03/2009
1 [00:00] <bodhi_zazen> Probably one at a time for guests
2 [00:00] <Rocket2DMn> ack im fighting with someone
3 [00:00] <Nano_ext3> we are all fighting lolz
4 [00:00] <Nano_ext3> can I type something everyone?
5 [00:00] <Nano_ext3> :)
6 [00:01] <bodhi_zazen> I can see everyone has hit the wall :)
7 [00:01] <Rocket2DMn> i should customize my terminal like bodhi_zazen has
8 [00:01] <Rocket2DMn> is that a bash thing?
9 [00:01] <jimi_hendrix> bodhi_zazen, what programs are those
10 [00:01] <bodhi_zazen> OK, lets get this show on the wall
11 [00:01] <bodhi_zazen> :)
12 [00:01] <Nano_ext3> haha
13 [00:01] <WastePotato> \o/
14 [00:01] <bodhi_zazen> First , thank you everyone for coming to this session
15 [00:01] <rraj_be> bodhi_zazen: sorry for interrupting, when i tried it , its giving like "Enter passphrase for key '/home/raj/.ssh/ufbt-guest':"
16 [00:02] <Snova> rraj_be: "padawan"
17 [00:02] <jimi_hendrix> bodhi_zazen, whats tha shell
18 [00:02] <bodhi_zazen> Let me assure you , the beginners team put me up to this
19 [00:02] <rraj_be> k Snova
20 [00:02] <jimi_hendrix> ive heard zsh but not jailzsh
21 [00:02] <Snova> jimi_hendrix: A jailed Zsh. :)
22 [00:02] <jimi_hendrix> which is?
23 [00:02] <bodhi_zazen> it is a shell I make for apparmor jimi_hendrix
24 [00:02] <bodhi_zazen> it is zsh
25 [00:02] <Snova> Zsh, in a restricted environment.
26 [00:02] <jimi_hendrix> ahh
27 [00:02] <jimi_hendrix> did you edit it or something
28 [00:02] <jimi_hendrix> edit the source*
29 [00:02] <WastePotato> :(
30 [00:03] <Snova> No, that's what AppArmor is for.
31 [00:03] <bodhi_zazen> The intention is to raise awareness of security and so here we are :)
32 [00:03] <jimi_hendrix> ok
33 [00:03] * jimi_hendrix raises hand
34 [00:03] <bodhi_zazen> What do people want me to cover, what questions do you have ?
35 [00:03] * jimi_hendrix raises hand
36 [00:03] <rraj_be> Snova: Enter passphrase for key '/home/raj/.ssh/ufbt-guest':
37 [00:03] <bodhi_zazen> go jimi_hendrix :)
38 [00:03] <rraj_be> Permission denied (publickey).
39 [00:03] <Nano_ext3> show how to implement profiles
40 [00:03] <bodhi_zazen> rraj_be: padawan
41 [00:03] <Nano_ext3> http://paste.ubuntu.com/133993/
42 [00:03] <jimi_hendrix> bodhi_zazen, i dual boot windows and ubuntu
43 [00:03] <jimi_hendrix> do i need an antivirus on ubuntu
44 [00:03] <rraj_be> ok bodhi_zazen
45 [00:04] <Nano_ext3> jimi_hendrix: hahah no
46 [00:04] <Nano_ext3> this is for user control
47 [00:04] <Nano_ext3> security on a server if you may
48 [00:04] <bodhi_zazen> someone help rraj_be in a private window or on ##beginenrs-help
49 [00:04] <bodhi_zazen> OK, antivirus first then :)
50 [00:04] <bodhi_zazen> you will get varied opinions
51 [00:04] * jimi_hendrix uses AVG on windows
52 [00:05] <bodhi_zazen> IMO antivirus is best used on your windows boxes
53 [00:05] <Nano_ext3> Agreed
54 [00:05] <bodhi_zazen> IMO Linux antivirus is best on file or mail servers
55 [00:05] <Nano_ext3> things that need the security
56 [00:05] <bodhi_zazen> IMO scanning your Linux desktop with antivirus will yield lots of false positives
57 [00:05] <jimi_hendrix> what about a webserver
58 [00:05] <Nano_ext3> for desktop , not an issue really
59 [00:05] * jimi_hendrix is thinking of setting up a webserver
60 [00:05] <Nano_ext3> yes on a webserver I would say
61 [00:05] <Rocket2DMn> bodhi_zazen, if you need a place to start the discussion, why dont you briefly explain some of the tools you use to enhance security in linux (apparmor, iptables, ossec, snort, etc). e.g. in one sentence each, what do they do?
62 [00:06] <Nano_ext3> anything that deals with heavy user traffic
63 [00:06] <bodhi_zazen> good idea Rocket2DMn :)
64 [00:06] <Nano_ext3> yea
65 [00:06] <bodhi_zazen> The linux tools are a bit different
66 [00:06] <bodhi_zazen> and linux is modular ...
67 [00:06] <bodhi_zazen> The first line of defense is, of course, permissions
68 [00:06] <bodhi_zazen> sudo vs su ?
69 [00:06] <Nano_ext3> yea
70 [00:07] <jimi_hendrix> sudo runs one command su changes your user
71 [00:07] <bodhi_zazen> su gives all or none root access
72 [00:07] <Rocket2DMn> (or other user access)
73 [00:07] <bodhi_zazen> sudo allows finer control
74 [00:07] <bodhi_zazen> sudo -i for a root shell
75 [00:07] <bodhi_zazen> Next a firewall
76 [00:07] <bodhi_zazen> firewall are also full of opinions
77 [00:08] <bodhi_zazen> In general, you should use a router as a router has a firewall built in
78 [00:08] <Nano_ext3> thats how I do it
79 [00:08] <bodhi_zazen> a default install of ubuntu has no servers listening, so the default settings behind a router are just fine
80 [00:08] <Nano_ext3> Not versed in linux firewalls yet
81 [00:09] <bodhi_zazen> If you wish to use a firewall, to set up your own router (NAT) or limit connections, the firewall is iptables
82 [00:09] <jimi_hendrix> what about firestarter?
83 [00:09] <bodhi_zazen> iptables can be configured with commands, a script, ufw, or a gui tool such as GUFW, Guarddog, firestarter, shorewall, etc
84 [00:10] <bodhi_zazen> guarddog has very nice built in help
85 [00:10] <bodhi_zazen> the gui tools are not the firewall, only config tools
86 [00:10] <bodhi_zazen> Open them, config iptables, close them
87 [00:10] <Nano_ext3> think router access list , but on the OS itself via iptables
88 [00:10] <bodhi_zazen> I advise you NOT use Firestarter to monitor your network traffic
89 [00:11] <bodhi_zazen> Next , everyone know the terms HIDS / NIDS ?
90 [00:11] <Nano_ext3> no
91 [00:11] <bodhi_zazen> http://en.wikipedia.org/wiki/Intrusion-detection_system
92 [00:11] <bodhi_zazen> http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
93 [00:12] <bodhi_zazen> http://en.wikipedia.org/wiki/Network_intrusion_detection_system
94 [00:12] <bodhi_zazen> OK, HIDS, most new users are familiar with say Windows antivirus scanners
95 [00:12] <bodhi_zazen> This is a HIDS
96 [00:12] <Nano_ext3> k
97 [00:12] <bodhi_zazen> so is rkhunter and chkrootkit
98 [00:12] <bodhi_zazen> as is OSSEC, tripwire, etc
99 [00:13] <bodhi_zazen> use these tools to monitor your system for unauthorized changes
100 [00:13] <bodhi_zazen> rkhunter and chkrootkit have a bunch of false positives, learn what they are
101 [00:13] <duanedesign> do you recommend running chkrootkit from a usb device
102 [00:13] <bodhi_zazen> and what a "normal" system is
103 [00:14] <bodhi_zazen> duanedesign: I do not think it matters really
104 [00:14] <bodhi_zazen> The point is, you can not monitor your system for changes if you do not know what normal is
105 [00:14] <bodhi_zazen> You will get alerts when you say install new software as well, or change a config file
106 [00:15] <bodhi_zazen> Next NIDS
107 [00:15] <bodhi_zazen> NIDS is sophisticated and even the geekiest will find this hard
108 [00:16] <bodhi_zazen> You need to understand basic networking protocols, tcp, udp, ping, etc
109 [00:16] <bodhi_zazen> Tools include snort and wireshark
110 [00:16] * jimi_hendrix tried wireshark once to sniff some packets i was sending
111 [00:16] <Nano_ext3> ive take Cisco CCNA, and Id still have enormous trouble with that
112 [00:16] <Nano_ext3> wireshark I have used
113 [00:16] * jimi_hendrix 's head blew up
114 [00:16] <bodhi_zazen> these tools are "packet sniffers" and will monitor your network traffic
115 [00:17] <Nano_ext3> I recommend wireshark
116 [00:17] <bodhi_zazen> snort will use a set of rules to identify potentially problematic activity, although lots of false positives
117 [00:17] <bodhi_zazen> wireshark will monitor the raw packets
118 [00:17] <bodhi_zazen> in a nut shell
119 [00:18] <bodhi_zazen> Next line of defense - SELinux / Apparmor
120 [00:18] <Nano_ext3> :)
121 [00:18] <jimi_hendrix> SELinux != distro right
122 [00:18] <Snova> No, it's a security framework built into the kernel.
123 [00:18] <Nano_ext3> no
124 [00:18] <Nano_ext3> to jimi
125 [00:18] <Nano_ext3> security monitor
126 [00:18] <bodhi_zazen> These are very powerful tools and these are the first tools that can protect you against unknown exploits and Zero day exploits
127 [00:18] <bodhi_zazen> These tools can limit even root
128 [00:18] <Nano_ext3> zero day?
129 [00:19] <Snova> Security exploits, on the day they are found, before they are patched.
130 [00:19] <bodhi_zazen> http://en.wikipedia.org/wiki/Zero-Day_Attack
131 [00:19] <bodhi_zazen> Ubuntu uses Apparmor, but it needs to be configured
132 [00:19] <bodhi_zazen> Most people find apparmor easy to understand
133 [00:20] <bodhi_zazen> The point, IMO, of apparmor is to "confine" any network applications
134 [00:20] <bodhi_zazen> such as firefox, thunderbird, etc
135 [00:20] <bodhi_zazen> you limit what they can do on your os
136 [00:20] <bodhi_zazen> you can also limit a users shell, as I will show you on the shared ssh session
137 [00:20] <Nano_ext3> cool
138 [00:20] <lovinglinux> can be used with torrent applications?
139 [00:21] <Snova> Anything.
140 [00:21] <bodhi_zazen> IMO SELINUX and Apparmor are mis characterized as "overkill"
141 [00:21] <bodhi_zazen> lovinglinux: yes
142 [00:21] <bodhi_zazen> I am collecting apparmor profiles here : http://bodhizazen.net/aa-profiles/
143 [00:21] <lovinglinux> So if someone exploits a vulnerability on my torrent client, then Apparmor can prevent it from achieving success?
144 [00:21] <bodhi_zazen> I have a profile for rtorrent
145 [00:22] <Snova> lovinglinux: AppArmor can prevent it from accomplishing anything by restricting access to the filesystem, which is mostly the same thing.
146 [00:22] <bodhi_zazen> If anyone is willing to contribute, send me your profiles ( bodhi.zazen @ ubuntu.com)
147 [00:22] <bodhi_zazen> and I will post them as well
148 [00:22] <Nano_ext3> i will have time this weekend to learn it bodhi
149 [00:22] <lovinglinux> do you know a good tutorial for apparmor?
150 [00:22] <Nano_ext3> bodhi link him your thread
151 [00:22] <Nano_ext3> :)
152 [00:22] <bodhi_zazen> /end long winded security drive by
153 [00:23] * jimi_hendrix puts away machine gun
154 [00:23] <bodhi_zazen> Links are here : http://paste.ubuntu.com/133993/
155 [00:23] <lovinglinux> thanks
156 [00:23] <Snova> AppArmor introduction: http://ubuntuforums.org/showthread.php?t=1008906
157 [00:23] <bodhi_zazen> OK , with that background, questions please ?
158 [00:23] <Snova> Oh, didn't notice the links at the bottom of that..
159 [00:23] <bodhi_zazen> Or do you want to see what the shared session can do ?
160 [00:23] <bodhi_zazen> ie live demo ?
161 [00:24] * jimi_hendrix raises hand
162 [00:24] <bodhi_zazen> go jimi_hendrix :)
163 [00:24] <jimi_hendrix> if i am running a webserver (linux of course...well maybe a *BSD)...and its just pages with html, what am i at risk for
164 [00:25] <bodhi_zazen> apache attacks, php attacks, and DOS are the major ones
165 [00:25] <bodhi_zazen> The damage depends on the attack
166 [00:26] <bodhi_zazen> I have seen php code that takes your cookies for example (think passwords for web sites)
167 [00:26] <bodhi_zazen> If a crack allows "arbitrary code" think an intruder then has root access
168 [00:26] <lovinglinux> Do I need to create apparmor profiles for all applications that connect to network or just for those that listen to ports?
169 [00:26] <bodhi_zazen> many attacks then use your box to attack others, send spam, spoof ip, what have you
170 [00:27] <bodhi_zazen> IMO lovinglinux all apps that access the internet
171 [00:27] <jimi_hendrix> bodhi_zazen, i said just html, no php
172 [00:27] <bodhi_zazen> although as you can see I do not yet have profiles for all apps yet
173 [00:28] <bodhi_zazen> jimi_hendrix: LAMP == Linux apache Mysql and PHP so I included it in the broader discussion
174 [00:28] <jimi_hendrix> ok
175 [00:28] <bodhi_zazen> Want to see a demo ?
176 [00:28] <jimi_hendrix> yes
177 [00:28] <bodhi_zazen> On the ssh session ?
178 [00:28] <Nano_ext3> yeps
179 [00:28] <bodhi_zazen> OK
180 [00:29] <bodhi_zazen> anyone need assistance connecting via ssh ?
181 [00:29] <bodhi_zazen> ok, the guru account has root access
182 [00:29] <bodhi_zazen> as you can see
183 [00:30] <bodhi_zazen> the guru account can install applications
184 [00:30] <Traveler15164> yeah, i keep getting the Permission denied (publickey) error
185 [00:30] <bodhi_zazen> :)
186 [00:30] <bodhi_zazen> someone help Traveler15164 please :)
187 [00:30] <lovinglinux> sorry, I know how to use ssh, but don't know which server I'm supposed to connect
188 [00:30] <bodhi_zazen> I will wait and answer questions
189 [00:31] <bodhi_zazen> you need the key
190 [00:31] <bodhi_zazen> then ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
191 [00:31] <bodhi_zazen> pw = padawan
192 [00:31] <Nano_ext3> http://paste.ubuntu.com/133993/
193 [00:31] <Nano_ext3> follow exactly
194 [00:31] <Nano_ext3> verbatim
195 [00:31] <bodhi_zazen> http://paste.ubuntu.com/133993/
196 [00:31] <Nano_ext3> via terminal
197 [00:31] <bodhi_zazen> for keys
198 [00:31] <Nano_ext3> beat you to it :)
199 [00:31] <bodhi_zazen> any other questions while we are waiting
200 [00:31] <bodhi_zazen> ?
201 [00:32] <bodhi_zazen> chickens, all questions are welcome :)
202 [00:33] <bodhi_zazen> you in Traveler15164 ?
203 [00:33] <bodhi_zazen> lovinglinux: ?
204 [00:33] <Traveler15164> nope
205 [00:33] <bodhi_zazen> Traveler15164: what do you need help with ?
206 [00:33] <bodhi_zazen> do you have the key ?
207 [00:33] <lovinglinux> just a second
208 [00:33] <Traveler15164> yes
209 [00:33] <bodhi_zazen> do you know how to use it ?
210 [00:34] <Traveler15164> i got it and placed it in a new empty file?
211 [00:34] <Traveler15164> named ufbt-guest and chmod 400 on that
212 [00:34] <Snova> Stick it in ~/.ssh
213 [00:34] <Traveler15164> it is
214 [00:34] <bodhi_zazen> ok
215 [00:34] <Snova> ssh guest@bodhizazen.net -i ~/.ssh/ufbt-guest
216 [00:34] <Nano_ext3> you have to place that text in ~/.ssh/ufbt-guest
217 [00:34] <Nano_ext3> and then chmod 400 on that file
218 [00:35] <Nano_ext3> its all in the paste link
219 [00:35] <Nano_ext3> http://paste.ubuntu.com/133993/
220 [00:35] <lovinglinux> The authenticity of host xxxxxxxxxxx can't be established.
221 [00:35] <Traveler15164> i'll redo it all to make sure
222 [00:35] <bodhi_zazen> lol lovinglinux
223 [00:35] <Snova> lovinglinux: That's normal, just confirm it.
224 [00:35] <bodhi_zazen> say yes :)
225 [00:36] <bodhi_zazen> Traveler15164: cd .ssh
226 [00:36] <lovinglinux> lol, stupid me
227 [00:36] <bodhi_zazen> rm ufbt-guest
228 [00:36] <bodhi_zazen> wget http://bodhizazen.net/beginners/ufbt-guest
229 [00:36] <bodhi_zazen> chmod 400 ufbt
230 [00:36] <Rocket2DMn> you may have to "ssh bodhizazen.net" first and accept the fingerprint
231 [00:36] <bodhi_zazen> ssh guest@bodhizazen.net -i ./ufbt-guest
232 [00:36] <Rocket2DMn> then just ctrl-c without doing any authentication
233 [00:37] <Rocket2DMn> then do the ssh command above to use the key
234 [00:37] <lovinglinux> Connection closed by xxxxxxxxx
235 [00:37] <Rocket2DMn> i found if you use the key without having the fingerprint cached, it doesnt give you the option to store it and it aborts
236 [00:38] <bodhi_zazen> thanks Rocket2DMn
237 [00:38] <bodhi_zazen> Traveler15164: you in ?
238 [00:38] <Traveler15164> redoing it worked
239 [00:38] <bodhi_zazen> lovinglinux: ?
240 [00:38] <Traveler15164> strange
241 [00:38] <bodhi_zazen> OK, so ...
242 [00:38] <bodhi_zazen> as you can see we are root :)
243 [00:38] <lovinglinux> OK, I am in
244 [00:38] <Nano_ext3> yay!
245 [00:38] <bodhi_zazen> as you can see, we started a new shell
246 [00:39] * Nano_ext3 runs around in circles with streamers
247 [00:39] <bodhi_zazen> guru was jailzsh
248 [00:39] <bodhi_zazen> root is bash
249 [00:39] <bodhi_zazen> but the apparmor confinement follows us
250 [00:39] <bodhi_zazen> so ...
251 [00:39] <bodhi_zazen> First I am limiting root with iptables ...
252 [00:40] <bodhi_zazen> sorry for the typo :(
253 [00:40] <bodhi_zazen> as you can see, root can ping google , but not my lan
254 [00:40] <jimi_hendrix> back
255 [00:40] <bodhi_zazen> so lets stop iptables :)
256 [00:41] <bodhi_zazen> OH NO
257 [00:41] <bodhi_zazen> Permission denied
258 [00:41] <jimi_hendrix> sudo it!
259 [00:41] <Halow> He's root....
260 [00:41] <jimi_hendrix> (i know)
261 [00:41] <Rocket2DMn> tab complete fail
262 [00:41] <bodhi_zazen> ok ..
263 [00:42] <bodhi_zazen> lets mess with the settings a little
264 [00:42] <bodhi_zazen> foiled again :)
265 [00:42] <bodhi_zazen> Lets try this ::)
266 [00:43] <bodhi_zazen> :)
267 [00:44] <Halow> :O
268 [00:44] <Snova> Ok, so the AppArmor restrictions followed you from jailzsh to root's Bash?
269 [00:44] <bodhi_zazen> so you can see, although root can install apps, access to critical system files is restricted
270 [00:44] <jimi_hendrix> r00t has uber fail?
271 [00:44] <bodhi_zazen> yes Snova
272 [00:44] <bodhi_zazen> We can start a new shell if we wish
273 [00:45] <Rocket2DMn> My head just exploded.
274 [00:45] <Nano_ext3> ugh gotta run, sorry guys
275 [00:45] <bodhi_zazen> so ..
276 [00:45] <Nano_ext3> have to head home for work tomorrow :(
277 [00:45] <Rocket2DMn> now bodhi_zazen , do these restrictions apply only when using sudo to access root? What if you had a try root login, like "su -" ?
278 [00:45] <Snova> Bye Nano_ext3.
279 [00:45] <Nano_ext3> laters :(
280 [00:45] <bodhi_zazen> any process you start is confined by apparmor
281 [00:45] <bodhi_zazen> the restrictions follow you
282 [00:45] <Nano_ext3> ill read more on aa this weekend
283 [00:46] <Nano_ext3> def
284 [00:46] <Nano_ext3> laters
285 [00:46] <bodhi_zazen> no Rocket, watch
286 [00:46] <bodhi_zazen> see, we are now guru again ?
287 [00:46] <bodhi_zazen> guru is given jailzsh as a default shell
288 [00:47] <bodhi_zazen> jailzsh in an apparmor profile and I think I can show it to you
289 [00:47] <bodhi_zazen> There it is ...
290 [00:47] <lovinglinux> That's it? Looks simple.
291 [00:47] <bodhi_zazen> that was jail bash
292 [00:48] <bodhi_zazen> jailbash is from jdong
293 [00:48] <bodhi_zazen> posted here :
294 [00:48] <bodhi_zazen> http://bodhizazen.net/aa-profiles/jdong/ubuntu-8.04/usr.local.bin.jailbash
295 [00:48] <bodhi_zazen> and yes, it is simple
296 [00:49] <lovinglinux> I'm gonna try this
297 [00:49] <bodhi_zazen> I am restricting access to jailzsh as it is a fair amount more permissive than jailbash
298 [00:49] <bodhi_zazen> anything else you want to see in the shared session ?
299 [00:50] <bodhi_zazen> please, other security questions ?
300 [00:50] <jimi_hendrix> bodhi_zazen, is it possible to secure a windows server?
301 [00:50] <bodhi_zazen> yes, of course
302 [00:51] <Rocket2DMn> ahh hardened windows servers :)
303 [00:51] <lovinglinux> I have one stupid question at http://ubuntuforums.org/showthread.php?t=1100778
304 [00:51] <bodhi_zazen> Again, I am collecting aa profiles here : http://bodhizazen.net/aa-profiles/
305 [00:51] <bodhi_zazen> download them, try them out, and if you wish send me your modifications and I will post them for others
306 [00:52] <bodhi_zazen> lovinglinux: in a nut shell, no your router is not ipv6
307 [00:52] <bodhi_zazen> most people disable ipv6
308 [00:53] <jimi_hendrix> Rocket2DMn, is it possible then?
309 [00:53] <bodhi_zazen> ip providers hate ipv6 because ipv6 makes them obsolete as an ip provider
310 [00:53] <bodhi_zazen> they would need to provide the physical layer however
311 [00:53] <Rocket2DMn> yes jimi_hendrix you can lock down windows servers
312 [00:53] <lovinglinux> bodhi_zazen: so just leave ipv6 alone right? No need for iptables rules?
313 [00:53] <bodhi_zazen> yes, or you can disable it if you wish
314 [00:53] <lovinglinux> bodhi_zazen: thanks
315 [00:54] <bodhi_zazen> some people think their box runs faster if they disable it
316 [00:54] <bodhi_zazen> np
317 [00:54] <bodhi_zazen> please, I have been ranting, questions, questions :)
318 [00:54] <jimi_hendrix> what is the average airspeed of a swallow
319 [00:54] <lovinglinux> is there an alternative for intrusion detection without using MySQL?
320 [00:55] <bodhi_zazen> yes lovinglinux
321 [00:55] <bodhi_zazen> you can use snort + barnyard
322 [00:56] <lovinglinux> I will look into that. Thanks
323 [00:56] <bodhi_zazen> lovinglinux: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1255683_tax307468,00.html
324 [00:57] <bodhi_zazen> although that may use mysql, and if so, my mistake
325 [00:57] <ds305> quit Thanks bodhi
326 [00:57] <jgoguen> lol :)
327 [00:58] <lovinglinux> I have another question. Please wait because I have an inflamed finger, so I need time to type.
328 [00:58] <bodhi_zazen> go lovinglinux
329 [00:58] <bodhi_zazen> Well, we are close to the hour
330 [00:59] <bodhi_zazen> Watch, if I close the screen session you all are disconnected :)
331 [00:59] <bodhi_zazen> >:)
332 [00:59] <Snova> Oh, like that? ;)
333 [00:59] <bodhi_zazen> Just like that
334 [00:59] <lovinglinux> I have an iptables rule to accept established connection. If I have a client listening to a port, but no other ports opened, is it possible for someone already connected to my client to establish connections on other ports?
335 [00:59] <bodhi_zazen> The guest account can not connect without a session running
336 [00:59] <bodhi_zazen> if you try you will be blacklisted after a few attempts
337 [01:00] <bodhi_zazen> hard to follow lovinglinux
338 [01:00] <lovinglinux> bodhi_zazen: maybe is just my paranoia
339 [01:01] <bodhi_zazen> If your client is cracked and you are dropping new connections I do not think normally the client could establish a new connection on a new port
340 [01:01] <bodhi_zazen> I guess they could use the established connection and leverage additional exploits
341 [01:02] <lovinglinux> bodhi_zazen: through the same port?
342 [01:02] <bodhi_zazen> Well, thank you everyone, it is 7 so we are "officially" over, although I will be available for say 10-15 minutes
343 [01:02] <bodhi_zazen> then I have to go to my family
344 [01:02] <duanedesign> aawesome!!! thank you
345 [01:02] <bodhi_zazen> in theory lovinglinux
346 [01:02] <Halow> Yes, thank you!
347 [01:03] <bodhi_zazen> since the connection is established ...
348 [01:03] <lovinglinux> Thank you very much. Really nice experience, specially the shared ssh session.
349 [01:03] <bodhi_zazen> you are most welcome everyone
350 [01:03] <duanedesign> applause
351 [01:03] <bodhi_zazen> the beginners team is going to run additional sessions
352 [01:03] <bodhi_zazen> and the shared ssh session is available to anyone willing to teach
353 [01:04] <bodhi_zazen> I have found the shared ssh session is a very effective demo for apparmor and iptables , lol
354 [01:05] <bodhi_zazen> wb k0001 :)
355 [01:05] <lovinglinux> bodhi_zazen: what do you think about UPnP?
356 [01:05] <bodhi_zazen> Not a lot
357 [01:05] <bodhi_zazen> Again, we all like convenience
358 [01:05] <k0001> bodhi_zazen: hello
359 [01:05] <bodhi_zazen> but we all hate it when we are cracked, lol
360 [01:05] <lovinglinux> lol
361 [01:06] <bodhi_zazen> so it is nice (off UPnP) for our flash drives to auto mount
362 [01:06] <bodhi_zazen> but not so nice when a malignant code the uses this to automatically start it's evil work ;)
363 [01:07] <bodhi_zazen> security and convenience == yin and yang and we must bring balance to the force
364 [01:08] <bodhi_zazen> it is just that the balance point is dependent on sphincter tone, :p
365 [01:08] <lovinglinux> lol
366 [01:08] <bodhi_zazen> If anyone is interested in topics or teaching sessions, please let me know
367 [01:08] <lovinglinux> do I need to keep your key for further sessions?
368 [01:09] <bodhi_zazen> I shall try to run a session every other week at this time with varied topics
369 [01:09] <bodhi_zazen> I am sorry to have such limited times, I wish I could vary it more, but I have a family so this works best
370 [01:09] <duanedesign> that is much appreciated
371 [01:09] <bodhi_zazen> yes lovinglinux
372 [01:10] <duanedesign> :)
373 [01:10] <lovinglinux> what time is there right now and what time it starts?
374 [01:10] <bodhi_zazen> I hope that the sessions are logged and posted in classroom
375 [01:10] <bodhi_zazen> It is just past 7 PM local time for me
376 [01:10] <bodhi_zazen> Sessions will start at 6 pm local time
377 [01:11] <lovinglinux> Ok, great
378 [01:11] <bodhi_zazen> and if anyone has a topic, add it to the list
379 [01:11] <bodhi_zazen> I think we do another security session in 2 weeks
380 === k00011 is now known as k0001
381 [01:11] <bodhi_zazen> and after that I have been asked to cover permissions
382 [01:11] <lovinglinux> permissions will be nice
383 [01:12] <linuxwarrior> is the session on 26th will be the same as this one ?
384 [01:12] <bodhi_zazen> Add your topic here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
385 [01:12] <bodhi_zazen> put my name in as the instructor
386 [01:13] <bodhi_zazen> and I will add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
387 [01:13] <bodhi_zazen> linuxwarrior: same topic
388 [01:13] <bodhi_zazen> Hopefully different questions :)
389 [01:13] <bodhi_zazen> I hope people will try iptables, apparmor, etc and bring questions
390 [01:13] <Snova> Hmm... I could probably help with a few of those.
391 [01:14] <linuxwarrior> ok ;)
392 [01:14] <bodhi_zazen> http://bodhizazen.net/Tutorials/iptables/
393 [01:14] <bodhi_zazen> I posted a number of links here : http://paste.ubuntu.com/133993/
394 [01:14] <Traveler15164> what i don't get is i can genprof firefox and play around with it, then do the scan and it doesn't really add that much to the profile
395 [01:14] <bodhi_zazen> no Traveler15164
396 [01:15] <bodhi_zazen> That is the problem with apparmor, you will need to emulate a profile or make your own
397 [01:15] <bodhi_zazen> firefox is not the best to start because it is large
398 [01:15] <bodhi_zazen> Start with say xchat
399 [01:15] <bodhi_zazen> or your irc client
400 [01:15] <bodhi_zazen> and then go to firefox
401 [01:15] <bodhi_zazen> sudo aa-enforce xchat
402 [01:15] <bodhi_zazen> then
403 [01:15] <lovinglinux> Is there a requirement for classes to be related with system configuration or can they be about how to use a specific kind of program, like multimedia for example?
404 [01:16] <bodhi_zazen> tail -F /var/log/messages
405 [01:16] <bodhi_zazen> open xchat and watch and resolve errors
406 [01:16] <bodhi_zazen> lovinglinux: topics are open
407 [01:17] <bodhi_zazen> we (the beginners team) is here to educate and we really want to grow this service and cover topics of interest to the community
408 [01:17] <bodhi_zazen> We hope to add things like Moodle
409 [01:17] <bodhi_zazen> http://fmc.isgreat.org/Ubuntu_Classroom/index.html
410 [01:17] <bodhi_zazen> so we can develop more formal content
411 [01:17] <bodhi_zazen> but ...
412 [01:17] <Traveler15164> if you put just enough in the firefox profile to allow firefox to start up, then it lets you view or change anything in that session but the settings or cache isn't saved, correct?
413 [01:17] <bodhi_zazen> we are in the beginning phases
414 [01:17] <Traveler15164> sorta like a sandboxing app
415 [01:18] <bodhi_zazen> yes, I think Traveler15164
416 [01:18] <lovinglinux> So maybe I could help with some stuff, like how to organize image collections using IPTC, EXIF and so on. I will think about it.
417 [01:18] <bodhi_zazen> If you change (edit) the profile, you need to restart both apparmor and firefox for the effects to take place
418 [01:18] <Traveler15164> ok
419 [01:18] <bodhi_zazen> not always firefox, but it does not hurt
420 [01:19] <bodhi_zazen> Sometimes you also need to clear your cache on firefox as well
421 [01:19] <bodhi_zazen> lovinglinux: any help you can offer would be awesome
422 [01:19] <bodhi_zazen> some team members help with content
423 [01:19] <bodhi_zazen> others teach
424 [01:19] <bodhi_zazen> some do nothing
425 [01:19] <bodhi_zazen> :)
426 [01:19] <lovinglinux> lol
427 [01:19] <bodhi_zazen> it is a team effort and we are all volunteers
428 [01:20] <bodhi_zazen> the main limiting factor , of course, is my time
429 [01:20] <bodhi_zazen> I rely on the focus groups to help
430 [01:20] <bodhi_zazen> OK, I gotta go
431 [01:20] <bodhi_zazen> really, thank you all for coming
432 [01:20] <bodhi_zazen> and lets see if we can continue and extend these sessions
433 [01:21] <Halow> Thanks again. :)
434 [01:21] <bodhi_zazen> we need both helpers and an audience :)
435 [01:21] <lovinglinux> bodhi_zazen: thanks again
436 [01:21] <bodhi_zazen> PM me on the forums or come on by #ubuntuforums-beginners :)
26/03/2009
1 [00:00] <bodhi_zazen> 'lo everyone :)
2 [00:01] * Hobbsee is here & watching
3 [00:01] <bodhi_zazen> I am hoping this session can be more interactive than the last ;)
4 [00:01] <bodhi_zazen> Otherwise I was going to discuss a little on encryption
5 [00:02] <HymnToLife> sounds like fun
6 [00:02] <bodhi_zazen> Here is the pastebin from 2 weeks ago
7 [00:02] <bodhi_zazen> http://paste.ubuntu.com/133993/
8 [00:02] <bodhi_zazen> we covered some of the basics and I demoed apparmor in a shared ssh session
9 [00:02] <Snova> bodhi_zazen: I tried to log in just now, got errors regarding screen profiles.
10 [00:02] <bodhi_zazen> which I can do again if you wish
11 [00:03] <bodhi_zazen> yes Snova , the shared screen session is kaput at the moment, but I can fix it if you wish
12 [00:03] <bodhi_zazen> I think ;)
13 [00:04] <bodhi_zazen> I updated the system for ecryptfs, and it borked the shared screen session
14 [00:08] <bodhi_zazen> OK, try to join the shared session Snova ;)
15 [00:08] <bodhi_zazen> sorry this was not working
16 [00:09] <DasEi> bodhi_zazen: do you have the link of the last session ( I missed ?)
17 [00:09] <bodhi_zazen> Let me ask if anyone has any questions then ?
18 [00:10] <bodhi_zazen> DasEi: I do not know off the top of my head where the logs are
19 [00:10] <bodhi_zazen> I can find them
20 [00:10] <bodhi_zazen> cprofitt: do you know ?
21 [00:10] <Snova> Still broken.
22 [00:10] <bodhi_zazen> :(
23 [00:10] <bodhi_zazen> too bad
24 [00:11] <cprofitt> know what?
25 [00:11] <bodhi_zazen> I can try one more thing ..
26 [00:11] <bodhi_zazen> cprofitt: where logs of these sessions are posted ?
27 [00:11] <cprofitt> the logs should be on the wiki page
28 [00:12] <cprofitt> https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Events
29 [00:12] <cprofitt> I did not get any for your last session though bodhi_zazen
30 [00:12] <bodhi_zazen> oic, lol
31 [00:12] <HymnToLife> bodhi_zazen: I have a question
32 [00:12] <bodhi_zazen> please HymnToLife :)
33 [00:12] <HymnToLife> should I use DSA or RSA for my SSH keys? *evil grin*
34 [00:13] <bodhi_zazen> lol
35 [00:13] <bodhi_zazen> to be honest I am not sure it matters
36 [00:13] <bodhi_zazen> That is like asking DROP or REJECT with iptables
37 [00:14] <bodhi_zazen> If you use RSA (I think) use 1024 bits (which is now default)
38 [00:14] <bodhi_zazen> do you have a preference ?
39 [00:15] <bodhi_zazen> try again Snova ;)
40 [00:15] <bodhi_zazen> Lets talk a bit about encryption then ;)
41 [00:16] <bodhi_zazen> do people know encryption options on Ubuntu ?
42 [00:16] <Snova> bodhi_zazen: Looks like the same thing again.
43 [00:16] <bodhi_zazen> kk Snova :(
44 [00:16] <bodhi_zazen> thanks
45 [00:16] <HymnToLife> bodhi_zazen: I prefer RSA
46 [00:16] <bodhi_zazen> yes, in general I do too
47 [00:16] <HymnToLife> DSA has been developed by the NSA, and they have had shady practices
48 [00:16] <bodhi_zazen> it seems 70% prefer RSA
49 [00:17] <HymnToLife> also, since SSH-2 uses DSA only for host keys encryption
50 [00:17] <bodhi_zazen> Encryption options on Ubuntu are LUKS and ecryptfs
51 [00:17] <HymnToLife> using is also for user keys is kind of putting all your eggs in the same basket
52 [00:18] <HymnToLife> using it*
53 [00:18] <bodhi_zazen> One can use truecrypt and other tools such as encryptfs and gpg
54 [00:18] <bodhi_zazen> To install an encrypted system, meaning / and swap are encrypted , use the Alternate CD
55 [00:19] <bodhi_zazen> By default this will give you a /boot partition, and LVM + LUKS
56 [00:19] <bodhi_zazen> Post install or during the install, if you wish, you can use ecryptfs to encrypt your /home/user directory, swap, or a private (or other) directories
57 [00:20] <bodhi_zazen> I posted a how to on ecryptfs here : http://bodhizazen.net/Tutorials/Ecryptfs/
58 [00:20] <bodhi_zazen> It still needs a bit of work, but the basic information is there
59 [00:21] <bodhi_zazen> encryption is used basically to protect your personal data if your laptop or hard drive is stolen
60 [00:21] <bodhi_zazen> IMO things like password protecting your BIOS and GRUB is a minor deterrent if someone has physical access
61 [00:22] <bodhi_zazen> Some people like those tools, and yes it may stop a casual intruder, but they are easily defeated
62 [00:22] <HymnToLife> also, if it comes down to it, some encryption tools can make encryption plausibly deniable
63 [00:22] <bodhi_zazen> The disadvantage of encryption is there is a, IMO, minor performance hit
64 [00:23] <bodhi_zazen> +1 HymnToLife
65 [00:23] <HymnToLife> meaning that the police, government, etc. cannot *prove* you have encrypted stuff
66 [00:23] <bodhi_zazen> he he he ...
67 [00:23] <bodhi_zazen> Encryption can be defeated by a $ hammer applied to the solar plexus >:)
68 [00:23] <bodhi_zazen> * $10
69 [00:24] <bodhi_zazen> Sometimes you need to apply the hammer a few times for it to work
70 [00:24] <bodhi_zazen> lol
71 [00:24] <bodhi_zazen> The other disadvantage of encryption would be if you lost your password or wanted to re-install preserving /home for example
72 [00:25] <bodhi_zazen> It can be done, but none of the installers will preserve /home automatically , even if it is on a separate partition and so you would need to take care to configure the encryption manually post install
73 [00:26] <bodhi_zazen> Frankly, IMO, it is easier to back up your data, re-install with the defaults, and then restore your data
74 [00:26] <bodhi_zazen> /end rant on encryption
75 [00:26] <bodhi_zazen> :)
76 [00:26] <DasEi> also a more complicated access in case of harddrive-trouble can be added to the disadvantages
77 [00:27] <Hobbsee> actually, if you set a partition as /home, the installer won't try to auto-format it
78 [00:27] <Hobbsee> or at least, not on recent ubuntu releases.
79 [00:27] <bodhi_zazen> Oh, one more thing, you can use keys with some encryption tools to automate decryption
80 [00:27] <bodhi_zazen> No it will not Hobbsee , but I will not set up LUKS or encryptfs either
81 [00:27] <Hobbsee> that's true
82 [00:27] <bodhi_zazen> so post install you may not be able to decrypt it
83 [00:28] <bodhi_zazen> :(
84 [00:28] <Hobbsee> that may not still be true for jaunty, btw.
85 [00:28] <bodhi_zazen> You need to take care with encryptfs if you encrypted /home/user_name because the information was stored on the root partition
86 [00:28] <maxb> Isn't all the "setup" for ecryptfs contained within the homedir anyway?
87 [00:29] <bodhi_zazen> maxb: It depends on how you setup encryptfs
88 [00:29] <Snova> Is encryption only to protect if somebody gets physical access to the HD?
89 [00:29] <bodhi_zazen> If you used encryptfs-setup-private you will be OK
90 [00:29] <maxb> bodhi_zazen: Are you talking about ecryptfs? If so, spell it's name right to avoid confusing us!
91 [00:29] <maxb> oops. I fail at apostrophe usage
92 [00:29] <bodhi_zazen> If you encrypted your home directory during installation, no , the key is on the root partition and linked back to $HOME
93 [00:30] <HymnToLife> Snova: in the case of ecryptfs, yes
94 [00:30] <bodhi_zazen> so you will lose the config info if you install over the top of root
95 [00:30] <HymnToLife> however, there are other kinds of encryption
96 [00:30] <bodhi_zazen> sorry, yes ecryptfs
97 [00:30] <bodhi_zazen> :p
98 [00:30] <HymnToLife> Snova: for example, you can encrypt files using GnuPG to send them by email
99 [00:31] <HymnToLife> (or to store them for later use)
100 [00:31] <maxb> Ah, right, I'm only using ecryptfs in private-subdir setup, because I disagree that encrypting the entire homedir makes sense
101 [00:31] <bodhi_zazen> If your data is sensitive enough to encrypt -
102 [00:31] <Snova> I am fairly familiar with encryption in general, just wondering if there is any point to an encrypted *hard drive* (should have mentioned that previously) beyond physical access.
103 [00:31] <bodhi_zazen> 1. Know that if the data is decrypted, ie you mounted your Private directory or LUKS partition, or truecrypt
104 [00:32] <bodhi_zazen> the data is available to the root user
105 [00:32] <HymnToLife> Snova: that's the only one I can think of right now, but it's a pretty big one
106 [00:32] <bodhi_zazen> or any other users allowed by your permissions
107 [00:32] <HymnToLife> especially nowadays when laptops are getting smaller and smaller, thus easier to lose/steal
108 [00:32] <bodhi_zazen> and 2. you should take care to encrypt your back ups as well :p
109 [00:33] <bodhi_zazen> Snova: Only the paranoid would encrypt the entire installation
110 [00:33] <Snova> bodhi_zazen: Any amount of it, really.
111 [00:33] <bodhi_zazen> This would be to prevent someone from say installing a rootkit from a live CD
112 [00:33] <HymnToLife> bodhi_zazen: there are many good reasons to be paranoid nowadays
113 [00:34] <bodhi_zazen> The two potential vulnerabilities with encryption are :
114 [00:34] <DasEi> and even then you'll need extra partitions or containers to avoid online-access
115 [00:34] <bodhi_zazen> 1. Someone , in theory, could recover the key from RAM
116 [00:34] <bodhi_zazen> 2. Your /boot partition is not encrypted so someone could replace your kernel
117 [00:34] <bodhi_zazen> +1 HymnToLife re paranoia
118 [00:35] <bodhi_zazen> Snova: for others , encrypting your private directory in /home , or a data partition, or removable device may be sufficient
119 [00:36] <bodhi_zazen> I guess my point is to raise awareness of the vulnerabilities of physical access and encryption as the best solution, IMO
120 [00:36] <HymnToLife> s/best/only/
121 [00:37] <HymnToLife> encryption is based on math, math never cheats ;)
122 [00:37] <bodhi_zazen> Well, you could wipe the drive or smash it very fast as they are breaking down your door ;)
123 [00:37] <bodhi_zazen> melt it
124 [00:37] <bodhi_zazen> questions on encryption ?
125 [00:38] <bodhi_zazen> hint - this is your chance to ask questions
126 [00:38] <bodhi_zazen> It sounds as if we have a few people here now who use encryption
127 [00:39] <HymnToLife> no, I don't!
128 [00:39] <HymnToLife> you can't prove anything!
129 [00:39] <bodhi_zazen> Guilty by association
130 [00:39] <bodhi_zazen> Off with his head
131 [00:40] <DasEi> I just wonder how f.e. us-gpg needs a backdoor for nsa-related stuff, it is on ubuntu ?
132 [00:40] <bodhi_zazen> We could talk a bit about iptables, root kits, antivirus
133 [00:41] <bodhi_zazen> I know antivirus is boring to some, but it is a FAQ on the forums
134 [00:41] <bodhi_zazen> Did anybody take a look at AppArmor ?
135 [00:42] <DasEi> too less, let's talk
136 [00:42] <HymnToLife> DasEi: if I understand your question, it's because the NSA doesn't like it when people use encryption they can't break :p
137 [00:42] <bodhi_zazen> too less ?
138 [00:43] <HymnToLife> well, they won't admit it, of course, but there's strong suspicion that the NSA-approved cryptosystems are the ones they can break
139 [00:43] <DasEi> I recognized apparmor f.e. restricts file access of an apache, but am not familiar with it
140 [00:44] <HymnToLife> (hence why I don't use DSA for my SSH keys)
141 [00:44] <DasEi> HymnToLife: pm ? don't stop bod..
142 [00:44] <bodhi_zazen> no, this is an open discussion
143 [00:44] <HymnToLife> well, you asked the question here, so I answer here :p
144 [00:44] <bodhi_zazen> Or at least I hope so
145 [00:45] <bodhi_zazen> DasEi: Apparmor can be used , and is most often used to "confine" network aware applications
146 [00:45] <HymnToLife> or really any application
147 [00:45] <DasEi> k, what I saw when mentioning harddrive encryption were different solutions ( I'm german), and from the same app, there are different releases, some of them are not legal in us
148 [00:45] <bodhi_zazen> It has not been as popular as it *should* be , IMO
149 [00:46] <bodhi_zazen> I posted a how to here : http://ubuntuforums.org/showthread.php?t=1008906
150 [00:46] <HymnToLife> but the network-related ones are the one it makes most sense confining
151 [00:46] <HymnToLife> since they basically process untrusted data all the time
152 [00:46] <bodhi_zazen> and I am starting to post some example profiles here : http://bodhizazen.net/aa-profiles/
153 [00:46] <bodhi_zazen> Looking for contributions in face
154 [00:46] <bodhi_zazen> *fact
155 [00:47] <bodhi_zazen> Apparmor vs SElinux is another issue sometimes debated
156 [00:47] <bodhi_zazen> Apparmor is easier to learn, but IMO takes more time to maintain
157 [00:48] <bodhi_zazen> For example , you need to revise your profile when firefox is updated from 3.0.6 to 3.0.7
158 [00:48] <bodhi_zazen> ;)
159 [00:48] <bodhi_zazen> You have to keep an eye on apparmor, and there are no GUI tools in Ubuntu, although SUSE has some
160 [00:50] <bodhi_zazen> Any questions / comments please jump in >:)
161 [00:50] <bodhi_zazen> Shifting gears a little ...
162 [00:50] <bodhi_zazen> Antivirus
163 [00:50] <bodhi_zazen> IMO the biggest problem with antivirus is the sheer numbers of false positives
164 [00:50] <bodhi_zazen> If you use antivirus and you do not want to simply delete detected files, you will have to do a fair amount of detective work
165 [00:51] <bodhi_zazen> Example : http://ubuntuforums.org/showthread.php?t=1106160
166 [00:51] <bodhi_zazen> Snova: can you try to connect again please ?
167 [00:51] <Snova> Ok. :)
168 [00:52] <bodhi_zazen> nvr mind, it is still borked
169 [00:52] <Snova> bodhi_zazen: Yep. :)
170 [00:52] <bodhi_zazen> I had to update for ecryptfs , but it broke screen
171 [00:53] <HymnToLife> well, you can always experiment with AA by yourself in a virtual machine (so you don't get locked off your real system)
172 [00:53] <HymnToLife> the basic concepts are really not hard to grasp
173 [00:54] <HymnToLife> Novell advertises it as requiring only 1-2 days of training, I don't think they're very far from the truth
174 [00:54] <bodhi_zazen> I agree with that
175 [00:54] <bodhi_zazen> I would say I am still learning, but it took me about 4 hours to become comfortable with it
176 [00:55] <bodhi_zazen> The advantage of apparmor, it has the potential to stop zero day exploits
177 [00:55] <bodhi_zazen> We have 5 minutes left in this session ;)
178 [00:56] <bodhi_zazen> I will run a session on this channel, same time, every 1-2 weeks depending on interest
179 [00:56] <bodhi_zazen> From last week there was the suggestion we discuss permissions
180 [00:56] <bodhi_zazen> Now I know most of you know basic permissions, but we can review sticky bits and if you wish acl
181 [00:58] <DasEi> I've got a question to the initialization of apparmor
182 [00:58] <HymnToLife> basic SSH configuration might be a good topic too
183 [00:59] <HymnToLife> I'm thinking about Issues like that: http://ubuntuforums.org/showthread.php?t=1107057
184 [00:59] <DasEi> what does this 'connecting to repository' mean ? isn't this a local mechanism ?
185 [00:59] <HymnToLife> for those who want a bit more control than basic usernames/passwords
186 [00:59] <HymnToLife> DasEi: it means downloading a few pre-made profiles for common applications, IIRC
187 [01:00] <bodhi_zazen> DasEi: and HymnToLife we could have sessions on apparmor or ssh in more depth
188 [01:00] <bodhi_zazen> I happen to like ssh ;)
189 [01:01] <DasEi> HymnToLife: and it does for every app again ?
190 [01:01] <bodhi_zazen> DasEi: AppArmor was developed by Novell
191 [01:01] <HymnToLife> but now they fired all the aa devs :p
192 [01:01] <bodhi_zazen> And I think the idea was to have a central repository for profiles
193 [01:01] <DasEi> deeper sessions.. gotta get caffeine.. great
194 [01:01] <HymnToLife> I heard some of them were working for Microsoft now
195 [01:01] <bodhi_zazen> for things such as say apache or what not
196 [01:02] <bodhi_zazen> I do not think it has been developed, but it still comes up when you generate a profile
197 [01:02] <bodhi_zazen> aa was then added to Ubuntu and we will need to see how much it is used / developed
198 [01:03] <bodhi_zazen> Otherwise we will be back to SELinux :p
199 [01:03] <HymnToLife> Mandriva uses AA too
200 [01:03] <DasEi> sry when being annoying; apparmor follows a given app in the initial , then asks additional quests and then creates the profile, which can be altered manually again, so no need for external request..
201 [01:03] <HymnToLife> I think that's all
202 [01:03] <bodhi_zazen> no DasEi
203 [01:03] <bodhi_zazen> Most profiles need to be personalized anyways
204 [01:03] <bodhi_zazen> PCLinuxOS ?
205 [01:04] <bodhi_zazen> I have not tried that lately, but I thought they were Mandriva based.
206 [01:04] <HymnToLife> I think so too, but I don't go in the RPM world often
207 [01:05] <bodhi_zazen> OK, I will stay for a while if there are additional questions, otherwise 2 weeks
208 [01:05] <bodhi_zazen> Any interest in having weekly sessions ?
209 [01:05] <DasEi> k, reading shall heal me for now, many thanks, bodhi_zazen and all the others
210 [01:05] <bodhi_zazen> topics : add them here : https://wiki.ubuntu.com/BeginnersTeam/FocusGroups/Education/Proposals
211 [01:06] <bodhi_zazen> put my name by the topic and I will try to announce and cover them as we go
212 [01:06] <DasEi> bodhi_zazen: nothing bad, nice would be to follow up missed ons at http://irclogs.ubuntu.com/
213 [01:06] <DasEi> *ones
214 [01:07] <bodhi_zazen> In the long run the Beginners Team is hoping to do continued and more focused in depth sessions, perhaps using something such as Moodle
215 [01:07] <bodhi_zazen> yes DasEi I thought ubuntu-classroom was going to post sessions, I will look into that
216 [01:07] <bodhi_zazen> I do not have a way right now to log sessions
217 [01:07] <bodhi_zazen> as I am @ work and accessing over mibbit
218 [01:08] <DasEi> bodhi_zazen: they do, but last isn't there by now
219 [01:08] <bodhi_zazen> We shall look into it then DasEi
220 [01:08] <bodhi_zazen> but yes the intention is to post logs
221 [01:08] <bodhi_zazen> and grow these sessions
222 [01:09] <bodhi_zazen> I am hoping to spread the word and get some discussion and education going.
223 [01:09] <DasEi> date -u was the greatest tip on UTC, writes this bold, lol
224 [01:09] <bodhi_zazen> lol
225 [01:09] <bodhi_zazen> Thank you everyone for coming
226 [01:10] <DasEi> thank you for rowing
227 [01:10] <bodhi_zazen> I shall spam channels with future meetings, but this time works out for most people, although not all
228 [01:10] <bodhi_zazen> I hope these sessions help educate people ;)
229 [01:11] <bodhi_zazen> we should learn from each other, some people know very much
230 [01:11] <bodhi_zazen> we are planning to do sessions on wiki and development (packaging)