When: Wed Jan 30 2008
Where: #ubuntu-meeting on irc.freenode.net
Chaired By: KeesCook
Agenda for this meeting
These items will be discussed at the next meeting:
- CVE status
- SELinux progress
- Hardening Wrapper testing
- Organized penetration testing
- Other topics
- Next meeting time
- CVE status
- In active use. Soon to publish states in a central place.
- IDEA: finish changelog scanner to mark closed CVEs
- Going well, a few more tweaks are pending.
- SELinux progress
- Going well, still needs initial upload and more testing.
- ACTION: keescook to review selinux packaging work
- ACTION: crimsum to review selinux packaging work
- ACTION: propagandist to post selinux packaging to REVU
- ACTION: keescook to investigate virtual package for security utils (apparmor/selinux agnostic) to not conflict with ubuntu-standard
- Hardening Wrapper testing
- Needs more testing, archive rebuilds, and more comments
- ACTION: crimsun to add pbuilder notes to wiki
- ACTION: keescook to add sbuild notes to wiki
- Organized penetration testing and auditing
- Next meeting
- Same place/time, in two weeks.
- Other topics
- ACTION: keescook to poke irc ops to get #ubuntu-security
Started logging meeting in #ubuntu-meeting [20:01:14] <emgent> ok :) [20:01:33] <keescook> so who all is here for the security team meeting? So far I know emgent and jdstrand are listening. :) [20:01:42] <propagandist> me [20:01:48] <keescook> hi propagandist! [20:01:48] * propagandist waves [20:01:55] <dendrobates> \o/ [20:01:59] * zul is lurking [20:02:05] <keescook> I've started the initial outline for the security team wiki area [20:02:09] <keescook> [URL] https://wiki.ubuntu.com/SecurityTeam [20:02:18] <keescook> it's nearly empty except for the agenda [20:02:28] <jdstrand> heh [20:02:34] <emgent> :) [20:02:40] <keescook> [URL] https://wiki.ubuntu.com/SecurityTeam/Meeting [20:03:55] <keescook> well, given it's our first meeting, I figure we should all give a quick intro about ourselves. [20:04:44] <keescook> I'm part of the "main" security team (and a Canonical employee). With jdstrand, I'm responsible for keep packages in main for all the supported releases free of CVEs. :) [20:05:03] <keescook> additionally, I do some coordination of proactive security development work in the devel release of Ubuntu. [20:05:14] <keescook> who wants to go next? :) [20:05:30] <jdstrand> o/ [20:05:42] <crimsun> ('lo, sorry about the tardiness) [20:05:45] <keescook> neversfelde, jason_tang, crimsun: all here for the security team meeting? [20:05:49] * Mithrandir lurks [20:05:52] <keescook> np, we're just getting started [20:05:53] <crimsun> keescook: aye. [20:05:58] <jdstrand> as keescook said, I am a part of the 'main' security team and a Canonical employee [20:06:03] <emgent> :) [20:06:09] <jason_tang> jason_tang -> email@example.com [20:06:19] <propagandist> I'm an employee of Tresys Technology and work generally with the upstream SELinux. My current project is to supply Hardy with SELinux support ;o) [20:06:22] <keescook> neversfelde, jason_tang, crimsun: agenda is here https://wiki.ubuntu.com/SecurityTeam/Meeting [20:07:03] <emgent> I'm a member of Motu-swat, and i'm in MOTU mentoring. [20:07:37] <emgent> keescook, sorry i should reset router. see u 2 mins. [20:07:43] <keescook> [LINK] https://wiki.ubuntu.com/SecurityTeam [20:07:48] <keescook> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting [20:07:56] <keescook> (was using the wrong command...) [20:08:03] <keescook> emgent: okay [20:08:23] <keescook> cool, thanks, anyone else want to introduce themselves? [20:09:12] <dendrobates> oooo me [20:09:33] <crimsun> sure. dan chen, crimsun at ubuntu dot com. [20:10:08] <dendrobates> I am also a Canonical employee. I manage the server and security team , of which, jdstrand and keescook are a part. [20:10:46] <keescook> crimsun: what things are you generally interested in from a security perspective? everyone else so far, I can guess at. :) [20:11:29] <crimsun> keescook: development processes, IDS/IPS, auditing generally. [20:12:59] <keescook> emgent: you're up. can you give people a quick overview about what you're interested in? [20:13:06] <keescook> _emgent: ^^ [20:13:12] <_emgent> back. [20:14:24] <emgent> sure [20:14:41] <emgent> My main interest are: auditing generally and penetration tests [20:15:13] <keescook> okay, cool. Let's move to the first item on the agenda [20:15:20] <keescook> [TOPIC] CVE status [20:16:00] <keescook> one of the things jdstrand, Fujitsu, and I have been working on is getting the Ubuntu CVE tracker looking good [20:16:32] <keescook> at present, the tracker is in bzr, and we're doing well keeping up with things. [20:16:51] <keescook> there's always more work to do, but for anyone interested in issue tracking, check it out: [20:17:03] <keescook> [LINK] https://launchpad.net/ubuntu-cve-tracker/ [20:17:34] <keescook> pretty soon we should have the finishing touches on an HTML export of the data (jdstrand has done some great work on this) [20:17:40] <emgent> cool [20:17:44] <jdstrand> I'd like to mention that the ubuntu-cve-tracker covers all packages, not just main [20:17:54] <keescook> yes, very good point. [20:18:19] <keescook> some of it is a bit out of date -- one tool that needs to be (re)written is a changelog-scanner that can see when CVEs are fixed on upload. [20:18:39] <keescook> [IDEA[ finish changelog scanner to mark closed CVEs [20:18:42] <keescook> [IDEA] finish changelog scanner to mark closed CVEs [20:18:50] <emgent> +1 [20:18:55] <keescook> :) [20:18:58] <joejaxx> :) [20:19:49] <keescook> that's all I wanted to mention about the tracker. it basically drives the security update work, so it's a good place to look for things or check on stuff. [20:20:15] <keescook> (and I want to start moving a little more quickly, since we've got a hard-stop at 21:00) [20:20:21] <keescook> moving on... [20:20:29] <keescook> [TOPIC] AppArmor progress [20:20:45] <keescook> this is a bit redundant with the server team status possibly, but I thought I'd mention it quickly here too. [20:21:35] <keescook> as it stands, the AppArmor infrastructure is stable and working in Hardy. There are a few tweaks pending in the next kernel upload, but other than that, we should now match what SuSE will ship next. [20:21:56] <keescook> profile creation work continues -- I will defer to the Server Team meeting for that discussion. [20:22:07] <keescook> any questions or thoughts on AppArmor? [20:22:23] <emgent> nope, https://wiki.ubuntu.com/AppArmor is ok :) [20:22:28] <keescook> sounds good. [20:22:28] <joejaxx> i am glad we are matching up with SuSE :) [20:22:34] <keescook> [TOPIC] SELinux progress [20:22:49] <keescook> we've got 2 tresys folks here, so I'll let them discuss this one. :) [20:23:00] <propagandist> ;o} [20:23:02] <propagandist> We've updated the packages for most of selinux upstream. I've put them here: [20:23:05] <propagandist> [LINK] https://code.launchpad.net/~calebcase/+junk/selinux-support [20:23:08] <propagandist> The blueprint for selinux support is available at: [20:23:10] <propagandist> [LINK] https://blueprints.launchpad.net/ubuntu/+spec/selinux-support [20:23:24] <propagandist> The wiki was updated today with some more infomration about our direction here: [20:23:27] <propagandist> [LINK] https://wiki.ubuntu.com/HardySELinux [20:24:08] <keescook> are these packages patched versions of what's in Debian, or total replacements? [20:24:28] <propagandist> They are total replacements. [20:24:59] <propagandist> The debian maintainer is somewhat mia at the moment. [20:25:12] <keescook> okay. (I see the changelog builds on the Debian package -- that's good) [20:25:19] <emgent> :) [20:25:22] <keescook> [LINK] http://codebrowse.launchpad.net/~calebcase/+junk/selinux-support/annotate/calebcase%40gmail.com-20080129123710-usfimgmeob938hj5?file_id=changelog-20080128164716-qc9exv0y4qt0xf39-216 [20:26:10] <keescook> I'm on holiday next week, but I'll get these reviewed (and in theory uploaded) before feature freeze [20:26:24] <keescook> [ACTION] keescook to review selinux packaging work [20:26:38] <keescook> I'd happily welcome other eyes on it too. :) [20:26:51] <propagandist> Up till recently the focus was to get all the packages updated to upstream. That seems to be mostly done now, and we've moved to creating the 'selinux' package and testing them out. We're also updating the security policy. [20:26:59] <keescook> propagandist: have you posted any of the package builds to REVU? That might be handy too. [20:27:12] <crimsun> I'm happy to look over them, too, since my work is directly related. [20:27:18] <propagandist> keescook: will do [20:27:27] <joejaxx> :) [20:27:33] <keescook> [ACTION] crimsum to review selinux packaging work [20:27:36] <propagandist> the more eyes the better [20:27:47] <keescook> [ACTION] propagandist to post selinux packaging to REVU [20:27:47] <keescook> agreed [20:28:00] <emgent> cool [20:28:04] <keescook> great job! I'm really happy to see this moving forward at a fast clip. :) [20:28:08] <joejaxx> :D [20:28:12] * joejaxx is too :) [20:28:16] <propagandist> ;o} [20:28:50] <propagandist> There is one issue with ubuntu-standard [20:29:04] <keescook> propagandist: once things are uploaded, would you be able to write a "here's how to use/test SELinux" email for ubuntu-devel and ubuntu-hardened? [20:29:13] <keescook> propagandist: what's the issue? [20:29:16] <joejaxx> keescook: i was just about to ask that [20:29:18] <joejaxx> :) [20:29:22] <propagandist> it is recommending apparmor-utils, which if you try to install a conflicting package with apparmor attempts to uninstall standard [20:30:01] <propagandist> It may be better for it to recommend security-utils and have apparmor-utils provide it [20:30:02] <keescook> propagandist: right, I remember this bit now -- I like the meta-package solution that was proposed [20:30:13] <propagandist> kk [20:30:31] <propagandist> sure thing on the email [20:30:45] <crimsun> oh, meaning virtual package? Sorry, I was looking for a security-meta. [20:30:48] <propagandist> although there is a short quick and dirty on the wiki [20:31:14] <keescook> crimsun: sorry, yes, virtual package; my bad. :) [20:31:50] <propagandist> yes a meta package for linux-security would be ideal for handling the switching [20:31:52] <keescook> propagandist: between an PPA and REVU, it should be possible to make item 1 on the "Quick and Dirty" list very easy for people. [20:32:19] <keescook> [ACTION] keescook to investigate virtual package for security utils (apparmor/selinux agnostic) to not conflict with ubuntu-standard [20:32:26] <propagandist> keescook: kk, i've been working on putting things into my PPA [20:32:36] <keescook> great! :) [20:32:55] <keescook> any other notes on SELinux? (/me rushes forward in the agenda...) [20:33:17] <propagandist> i think thats it for now [20:33:26] <keescook> [TOPIC] Hardening wrapper testing [20:33:32] <jdstrand> thanks for your good work on this propagandist [20:33:53] <keescook> okay, I sent an email about the new compile-time hardening options wrapper [20:33:56] <propagandist> jdstrand: thanks ;o) [20:34:31] <keescook> [LINK] https://lists.ubuntu.com/archives/ubuntu-devel/2008-January/024958.html [20:34:59] <keescook> and I've been coordinating with Debian as well (Moritz announced the cousin project for hardening in Debian this week) [20:35:20] <keescook> I'd really love it if people doing builds could test the wrapper (and obviously the resulting builds) [20:35:56] <keescook> does anyone have any ideas about ways we can motivate its use, and/or track its progress? [20:36:31] <crimsun> one way could be to have it hook into pbuilder. [20:37:25] <keescook> crimsun: in what way? hooking it to dpkg-buildpackage had been discussed, but no one wanted it to be a hard Depends or anything. [20:38:45] <keescook> I'd love to see about getting a full archive rebuild done with it enabled. This was done in Debian which was very educational. [20:39:04] <jdstrand> keescook: IIRC this is going to be turned on by default in hardy+1, correct? [20:39:20] <crimsun> keescook: assuming hardening-wrapper is promoted into main, have the pbuilder package depend on it, create a separate hooks subdirectory. This would allow people to enable it for testing by passing the pbuilder hook* options. [20:39:27] <keescook> jdstrand: assuming it doesn't melt all the builds, yes. Part of getting it tested in Hardy is to make doko happy [20:39:59] <jdstrand> oh, so we are turning it on for hardy builds, at least for a while? [20:40:04] <keescook> crimsun: interesting -- I don't use pbuilder so I'm unfamiliar with the hook options. [20:40:13] <keescook> jdstrand: no, I mean, the package is available for people to test with [20:40:18] <crimsun> keescook: since a lot of people should^Ware using pbuilder, it would be a fairly unintrusive method of selectively enabling it. [20:40:25] <jdstrand> ah, that's what I thought [20:40:28] <crimsun> should be*/are [20:40:55] <keescook> crimsun: can you write a few notes about that to the wiki page for it? [20:41:00] <keescook> [LINK] https://wiki.ubuntu.com/Security/HardeningWrapper [20:41:09] <crimsun> keescook: sure [20:41:20] <keescook> cool, I'll add some notes about it for sbuild [20:41:39] <keescook> [ACTION] crimsun to add pbuilder notes to wiki, keescook to add sbuild notes to wiki [20:42:09] <emgent> good. :) [20:42:17] <keescook> has anyone actually used the wrapper yet besides me? :) [20:42:58] <keescook> if you haven't, please pick you favorite app and give it a try. :) inkscape builds/runs fine for me. :) [20:43:14] * jdstrand is ashamed to say he has not yet [20:43:20] <keescook> hehe [20:43:22] <jdstrand> (but will) [20:43:24] <keescook> okay, moving on [20:43:30] <emgent> hhaha me too. [20:43:30] <emgent> :) [20:43:38] <keescook> [TOPIC] organized penetration testing and auditing [20:44:21] <keescook> emgent has been doing some great work poking at the edges of various ubuntu services, and proposed a formalized team to do this kind of work into the future [20:45:25] <keescook> emgent: what sort of plans do you have? I have a few notes about it, but figured we should hear from you first. [20:45:33] <\sh> grmpf...I'm late...but I'm there at least [20:45:45] <emgent> well, i created a wiki page and launchpad group [20:45:57] <keescook> \sh: hi! [20:46:02] <joejaxx> emgent: do you have a link to that? :) [20:46:04] <emgent> but i dont know if name is good and if it's good add to MOTU-SWAT branch. [20:46:08] <\sh> keescook, evening...sorry for being late :) [20:46:17] <emgent> [LINK] https://wiki.ubuntu.com/UbuntuHackersTeam [20:46:18] <keescook> \sh: no problem -- that's what IRC logs are for. :) [20:46:28] <emgent> [LINK] https://launchpad.net/~ubuntu-hackers [20:46:43] <keescook> emgent: so, one of the things that came up on MOTU was people not wanting to confuse the term "hackers". [20:47:13] <emgent> i select this name because i see GNU structure [20:47:14] <keescook> I don't have any strong opinion myself, but in the interests of clarity, what do you think about calling the subteam "ubuntu-pentest" or something like that? [20:47:17] <joejaxx> perhaps use PenTest ? [20:47:24] <joejaxx> keescook: yeap :D [20:47:28] <keescook> joejaxx: we are of one mind! :) [20:47:32] <joejaxx> keescook: :D [20:47:32] <crimsun> right, "hackers" is far too overloaded. [20:47:35] <emgent> and GNU have Hackers Team, but the name it'snt important [20:47:57] <Mithrandir> ubuntu-pokers. [20:47:59] <keescook> I've never tried -- can LP team names be changed? [20:48:02] <keescook> Mithrandir: heheh [20:48:06] <joejaxx> keescook: yes i believe so [20:48:07] <emgent> Mithrandir, lol [20:48:18] <joejaxx> lol [20:48:20] <Mithrandir> suitably ambigious. :-) [20:48:21] <keescook> Mithrandir: then we'll need to buy chips and deal cards. [20:48:22] <keescook> hehe [20:48:58] <joejaxx> lol :P [20:49:05] <keescook> another topic was auditing as an area of work for the pentest team. [20:49:26] <emgent> What would be the best name, and who is interested in contributing? [20:49:35] <keescook> I tend to view successfully audit work as "grey boxing" -- looking at both source and behavior. if you're looking at behavior, you're a pentester. [20:49:53] <keescook> emgent: I'd vote for "ubuntu-pentest". I'm highly interested, but low on time. [20:50:09] <emgent> ubuntu-pentest or ubuntu-fox ? :-) [20:50:11] <joejaxx> yeah i would put my vote -pentest as well [20:50:48] * Mithrandir votes for -pokers [20:50:53] <keescook> let's go with ubuntu-pentest for now? emgent can you adjust it? [20:51:00] <emgent> keescook, sure. [20:51:06] <emgent> but i'd like Mithrandir idea :P [20:51:26] <keescook> [ACTION] emgent to rename ubuntu-hackers team to ubuntu-pentest [20:51:43] <keescook> another area of concern is making sure we attract the _right_ kind of people for the pentest work. [20:52:07] <joejaxx> keescook: yeah that is the other thing :( [20:52:15] <joejaxx> we do not want to attract the wrong crowd [20:52:19] <keescook> emgent has done a great job with private disclosure, and I think making sure this remains the focus, it will be sucessful [20:52:40] <emgent> https://edge.launchpad.net/~ubuntu-pentest is online. [20:52:42] <emgent> :) [20:52:56] <keescook> so, making sure the language is unambigious on the wiki page will be good. [20:53:05] <joejaxx> yeap [20:53:19] <emgent> keescook, just a moment :) [20:53:42] <keescook> also, the LP team has asked that poking at LP be done via staging.launchpad.net just in case something would break production services. [20:54:21] <keescook> equally so, anything that may have bad effects should be run past the #is staff first [20:54:25] <jdstrand> ok good [20:54:41] <emgent> ok cool. [20:54:54] <Mithrandir> keescook: ITYM #canonical-sysadmin? [20:54:57] <crimsun> literally #is, or #canonical-sysadmins? [20:55:14] <jdstrand> I would like to say that the language should be *very* clear [20:55:19] <keescook> Mithrandir: right, sorry. #canonical-sysadmins is right [20:55:22] <\sh> keescook, what about a general "you are allowed to break stuff on a commercial website", for the members of the team? thinking of the legal view of all those penetration tests [20:55:29] <jdstrand> this isn't a honeynet challenge or anything [20:55:35] <keescook> \sh: yeah, agreed. [20:56:16] <\sh> keescook, regarding all the nifty lawyers out there, it's necessary to address those issues first for non-canonical members :) [20:56:26] <joejaxx> :) [20:56:26] <keescook> let's get some language proposed, and we can approve it for the next meeting? [20:56:35] * mathiaz waves at keescook and sits at the back for the first security team meeting :D [20:56:37] <jdstrand> if the members of the team are allowed to break stuff, then that needs to by a moderated team-- is it? [20:56:39] <joejaxx> sounds good [20:56:39] <emgent> keescook, +1 [20:56:51] <keescook> okay, 5 minutes left... [20:56:51] <\sh> jdstrand, hopefully yes... [20:56:55] <joejaxx> jdstrand: the team is restricted at the moment [20:57:00] <joejaxx> i just looked [20:57:02] <emgent> keescook, i open this ? or restricted ? [20:57:09] <jdstrand> ok [20:57:21] <crimsun> (I was thinking to have emgent and Canonical employees be admins.) [20:57:23] <keescook> emgent: leave it restricted -- we want to make sure people understand the "do no harm" ideals [20:57:33] <keescook> [TOPIC] next meeting [20:57:38] <emgent> keescook, ok. [20:57:46] <keescook> what do people think of same time/place in two weeks? [20:57:52] <crimsun> WFM. [20:57:58] <joejaxx> keescook: sounds good to me :) [20:58:04] <jdstrand> time is good for me [20:58:04] <\sh> keescook, around 20 UTC is a good time :) so yes :) [20:58:13] <emgent> +1 [20:58:15] <propagandist> good for me too [20:58:17] <keescook> \o/ that's set. [20:58:37] <keescook> okay, everyone please feel free to add agenda items to the wiki page (and fill out missing sections of the wiki) [20:58:40] <\sh> crimsun, you add something for sbuild how to enable the wrapper? :) [20:58:52] <crimsun> \sh: kees will; I'll work on pbuilder. [20:59:01] <\sh> crimsun, ok...other way around :) [20:59:05] <emgent> keescook, two questions: [20:59:14] <keescook> emgent: sure [20:59:23] <crimsun> thanks, everyone! [20:59:24] <emgent> 1) it's possible drop and register #ubuntu-security? [20:59:38] <keescook> emgent: yes, I think we should do this, and probably start a mailing list too [20:59:52] <keescook> [ACTION] keescook to poke irc ops to get #ubuntu-security online [21:00:02] <emgent> 2) it's possible add firstname.lastname@example.org ? [21:00:10] <mathiaz> keescook: couldn't ubuntu-hardened be used for that ? [21:00:25] <keescook> mathiaz: possibly... good point [21:00:38] <keescook> emgent: is that okay with you? the channel is pretty low-volume at the moment [21:00:41] <emgent> ubuntu-security it's ok, we can add all security project this. [21:00:47] <jdstrand> #ubuntu-hardened needs some life ;) [21:00:51] <keescook> #endmeeting Meeting ended.