HardyServerSecurity

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

This is a meta-spec to promote discussion of various security protections that could lead to further specs. The goal is to create a list of possible future projects, and have them prioritized based on input from possible implementers.

Release Note

Many new security features are included in Hardy. They include:

  • x86_64 kernel stack protection
  • password strength indicator during installation and user creation
  • kernel VDSO randomization support
  • kernel heap/exec memory location randomization support
  • lower 64k memory protection
  • ...

Rationale

There are many areas of work possible in the field of proactive security, and collecting a list to work from can help clarify a roadmap.

Use Cases

  • Eve wants to see a certain security feature implemented in Ubuntu. It is small and does not require much discussion. She adds it to the roadmap, finds people to help develop and test the feature, and gets it rolled out for inclusion in Hardy.

Assumptions

  • New security features will be balanced against usability and freedom.
  • Features that introduce possible interference with certain use-cases need to be well documented so that affected users can understand how to safely work around or disable the new feature.

BoF agenda and discussion

This is a meta-spec: discussion leading to more specs, possibly covering smaller items that don't need a full spec.

We already have specs for this UDS on:

Need to do some work for:

  • Compile-time hardening: http://wiki.debian.org/Hardening
  • kernel compile-time hardening (CC_STACKPROTECTOR)
  • password strength indicators (ubiquity, d-i?)
  • hunt/fix lack of VDSO randomization
  • verify heap/exec randomization is working (should be in 2.6.23)
  • block lower 64k memory from being mmapped
  • tool to set password strength using auth-client-config
  • inotify-based super-tripwire (the default per-user limit on inotify watches is 8192; see /proc/sys/fs/inotify/max_user_watches)
    • middle ground: self-protecting binaries that verify their own contents have not changed
  • forensics
  • moving auditd from universe to main
  • event correlation between audit/logs. Look into Snare and OSSEC: http://www.intersectalliance.com/projects/Snare/ and http://www.ossec.net/
  • repository of best-practice configurations, processes
  • server certification process
  • anti-PTRACE - turn off ptrace by default - e.g. limit access via new capabilities
  • grsecurity patch break-out
    • analyze possible broken applications
  • examine NIST 800-53 and 800-26, and the NIST Automated Security Self-Evaluation Tool (ASSET)
    • apt-get install nist-policy ....
    • RHEL "clip" software handles NIST policy system changes
  • examine use of SSLv2 in clients (need to make SSLv3 the default)
    • see Ubuntu Answer 14407
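As an added check for three of the items above (the VDSO randomization hunt, verifying heap/exec randomization, and blocking the lower 64k from mmap), here is an example script that is not part of the spec or of Ubuntu: it samples /proc/self/maps from freshly spawned processes and compares where [vdso], [heap] and [stack] land, and reads the vm.mmap_min_addr sysctl. The function names, the sample size and the 64k threshold are assumptions; it is Linux only.

```python
"""Verify kernel address-space randomization and the lower-64k mmap block.
Added example, not from the spec: samples /proc/self/maps in fresh child
processes; a region that sits at the same address in every child is not
being randomized."""
import re
import subprocess
import sys

REGIONS = ("[vdso]", "[heap]", "[stack]")
# address-range perms offset dev inode [pathname]  (one /proc/PID/maps line)
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def region_starts(maps_text):
    """Return {region name: start address} for the regions of interest."""
    starts = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3).strip() in REGIONS:
            starts[m.group(3).strip()] = int(m.group(1), 16)
    return starts


def randomized_regions(samples):
    """Given maps dumps from separate processes, report which regions moved.
    Needs randomize_va_space=2 for [heap] (brk) randomization on 2.6.2x kernels."""
    result = {}
    for name in REGIONS:
        addrs = {region_starts(s).get(name) for s in samples}
        addrs.discard(None)  # region absent in a dump is not evidence either way
        result[name] = len(addrs) > 1
    return result


def sample_maps(n=5):
    """Spawn n child interpreters that each print their own /proc/self/maps."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    return [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(n)]


def mmap_min_addr_ok(path="/proc/sys/vm/mmap_min_addr", minimum=65536):
    """True when the kernel refuses mappings below the lower 64k (assumed threshold)."""
    try:
        return int(open(path).read()) >= minimum
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    for name, moved in randomized_regions(sample_maps()).items():
        print(f"{name:8} randomized: {moved}")
    print(f"lower 64k blocked: {mmap_min_addr_ok()}")
```

A region reported as not randomized across five children is the "lack of VDSO randomization" case the roadmap item wants hunted down; a False from mmap_min_addr_ok means NULL-page mappings are still allowed.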

HardyServerSecurity (last edited 2008-08-06 16:20:54 by localhost)