== Meeting ==
 * '''When''': Wed Feb 13 2008
 * '''Start''': 20:00
 * '''End''': 21:00
 * '''Timezone''': [[http://www.timeanddate.com/worldclock/fixedtime.html?month=02&day=13&year=2008&hour=20&min=0&sec=0&p1=0|UTC]]
 * '''Where''': #ubuntu-meeting on irc.freenode.net
 * '''Chaired By''': KeesCook

== Agenda for this meeting ==
These items will be discussed at the next meeting:
 * CVE status - KeesCook
 * AppArmor progress - KeesCook
 * SELinux progress - ChadSellers
 * SELinux GUI Utils - JoeJaxx (postponed)
 * Hardening Wrapper testing - KeesCook
 * Organized penetration testing - [[emgent]]
  * Define working tools docs and PT draft report
  * Define working method and '''Ubuntu Pentest day''' date
  * Membership approval
 * Contributing to ubuntu-cve-tracker - what's the best way? (postponed)
 * To-Do List (Expanding our Roadmap) - JoeJaxx
 * MOTU-SWAT membership (postponed)
 * Next meeting time

== Notes ==
[[http://kryten.incognitus.net/mootbot/meetings/ubuntu-meeting.20080213_2000.html|Raw Notes]]

== IRC Log ==
[[http://kryten.incognitus.net/mootbot/meetings/ubuntu-meeting.log.20080213_2000.html|Raw Log]]
{{{
Started logging meeting in #ubuntu-meeting
[20:00:15] hi everyone!
[20:00:26] 'night keescook!
[20:00:30] hi keescook!
[20:00:32] ;o} hey!
[20:00:40] I figure I'll wait a few moments to let anyone else show up, and then we can get started.
[20:00:51] Sure.
[20:00:53] [TOPIC] review agenda
[20:01:06] [link] https://wiki.ubuntu.com/SecurityTeam/Meeting
[20:01:52] okay, so, anyone new to the meeting this week?
[20:02:08] I have never been to one of these before
[20:02:31] cool, well, this is just the 2nd of its kind, so we're new to it too. :)
[20:02:33] me too
[20:02:40] me neither :)
[20:02:52] mra, nijaba: do you want to give a quick introduction about yourselves?
[20:03:12] o/
[20:03:19] introductions from last week are near the top of the IRC log:
[20:03:23] [link] https://wiki.ubuntu.com/MeetingLogs/Security/20080130
[20:03:47] lobo, nxvl_work: you too, if you feel up to it.
[20:03:49] ok, I am the Ubuntu Server PM -> Nick Barcet IRL
[20:03:55] I'm interested in security work in Ubuntu, and also ia64 related issues
[20:04:03] PM == Project Manager, yes?
[20:04:18] mra: do you mean ia64 or amd64?
[20:04:24] nope, product manager, but you do know that, keith ;)
[20:04:33] keith!
[20:04:53] right, I used the wrong word there.
[20:04:57] i'm a contributor to ubuntu, not yet even ubuntu member, i'm a student of system engineering in Lima - Perú
[20:05:01] heh
[20:05:01] I'm interested in all kinds, but not a lot of people watch ia64 so I try to pay closer attention there
[20:05:03] that was for project :)
[20:05:07] mra: what kinds of security work interests you?
[20:05:27] i'm working for 3 years as network and security consultant, most of the time doing sysadmining
[20:05:37] I am part of the HP team that brought SuSE and RH through their CAPP/LSPP evaluations
[20:06:12] mra: cool. did you find that to be tricky?
[20:06:17] so I'm interested in all kinds of security, but I'm more interested in what Ubuntu wants to do with security
[20:06:19] yes.
[20:06:28] but worthwhile
[20:06:41] nxvl_work: cool
[20:06:47] okay, welcome everyone. :)
[20:07:09] any other agenda items anyone wants to add at the last minute, go ahead and update the wiki, I'll reload it when we get near the end. :)
[20:07:18] I'm 26 years old, live in the southern part of germany. work for about 4 years as network administrator for a mid size company. i'm interested in network security monitoring, computer networks in general and i'm also very interested in linux security. i run a couple of grsecurity hardened servers.
[20:07:55] lobo: excellent. I'd be curious to hear which grsec options you have enabled.
I'd like to get some of those features broken out and put into the mainline kernel.
[20:08:30] okay, forging ahead -- we only have an hour :)
[20:08:36] [topic] CVE status
[20:08:56] * siretart waves into the round :)
[20:09:02] I was on holiday last week, so I think I'll lean on jdstrand and anyone from motu-swat for this one. :)
[20:09:05] heya siretart
[20:09:06] keescook: ok, maybe we can have a talk in ubuntu-hardened later about grsec ;-)
[20:09:14] lobo: sounds good
[20:09:17] keescook: I'm actually thinking about updating the Wiki with grsecurity. I was wondering if it's a possibility for Ubuntu and its downsides (incompatibility with other software, wine for example)
[20:09:50] umm-- not sure what to say here that wasn't in USNs...
[20:09:59] gouki: yes please! I'd love to see some feature details. Perhaps use SecurityTeam/Roadmap/GRSecurity and outline the details (and link to it from the Roadmap page?)
[20:10:18] keescook: Sure thing
[20:10:29] (I'd be happy to talk a length-- just want to stay on topic)
[20:10:37] at length
[20:10:39] jdstrand: agreed. maybe this agenda item is redundant.
[20:10:44] what is USN?
[20:10:53] I will say that people were wondering about clamav
[20:10:55] mra: Ubuntu Security Notice:
[20:11:02] [link] http://ubuntu.com/usn/
[20:11:18] it was pushed out today for gutsy and feisty, but there is a buildd issue that isn't resolved yet causing a problem with dapper
[20:11:47] (something about translations-- should be fixed soon)
[20:12:25] I'll also mention for anyone who doesn't know that the local root exploit from slashdot et al was patched yesterday
[20:12:39] cool. I think I put this on the agenda just to have a place to talk about CVEs in general. Perhaps for next meeting, people can call out specific CVE issues they want to talk about. And if the list is empty, we can skip it.
:)
[20:12:50] * keescook hugs jdstrand for those fixes :)
[20:13:02] <\emgent> sorry for away
[20:13:07] * jdstrand high fives keescook while he hugs him
[20:13:08] <\emgent> my adsl sux.
[20:13:21] \emgent: heh, no problem. logs should be available from Mootbot
[20:13:24] (however that is actually done, is up to your imagination)
[20:13:29] <\emgent> cool
[20:13:32] okay, moving on
[20:13:41] [topic] AppArmor progress
[20:13:45] * jdstrand wonders why he can't type
[20:13:58] I haven't heard anything new from upstream, but will ping them today
[20:14:04] jdstrand: irssi via ssh?
[20:14:13] [action] keescook to ping AA upstream for anything to sneak in before FF
[20:14:31] nxvl_work: ?
[20:14:32] mathiaz, jdstrand: you were both working on more profiles
[20:14:39] keescook: yes
[20:14:50] jdstrand: are you having trouble typing using irssi via ssh connection?
[20:14:52] I am getting the packaging together for slapd, named and mysqld
[20:15:07] nxvl_work: oh, heh, no-- just not too good today
[20:15:16] jdstrand: oh ok
[20:15:22] keescook: kind of. dendrobates added an abstraction for likewise.
[20:15:26] the profiles are tested with our qa-regression-tests, and seem in good shape
[20:15:58] keescook: It's a good way to figure out the workflow needed to get new profiles added.
[20:16:07] will be taking usr.sbin.named and usr.sbin.mysqld out of apparmor-profiles and adding them to their respective packages
[20:16:23] jdstrand: could you document how this should be done ?
[20:16:43] jdstrand: especially from a packaging POV (like Replaces etc...)
[20:16:47] mathiaz: I sure will when it's all tested ;)
[20:16:49] jdstrand: would these regression tests be useful for selinux testing?
[20:16:50] [link] https://launchpad.net/qa-regression-testing
[20:17:26] propagandist: sure-- they exercise various parts of the application-- especially the default installation
[20:17:31] jdstrand: the goal is to run them enabled?
That might be the distinction: if it's in "complain" they stay in apparmor-profiles, and in "enforce" they go into the target package?
[20:17:34] they aren't apparmor specific by any means
[20:17:47] keescook: yes. That is the plan.
[20:17:52] keescook: oh yes-- full-on enabled
[20:17:59] mathiaz: heh. yay :)
[20:18:12] complete with note in README.Debian to go to DebuggingApparmor ;)
[20:18:19] hehe
[20:18:30] (which I wrote last week)
[20:18:54] https://wiki.ubuntu.com/DebuggingApparmor
[20:19:09] [link] https://wiki.ubuntu.com/DebuggingApparmor
[20:19:23] propagandist: https://code.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master
[20:19:35] jdstrand: nice ;o) I will take a look at those and see how SELinux fares
[20:19:52] propagandist: more tests are always welcome. ;)
[20:20:05] okay, good time to transition to...
[20:20:06] absolutely!
[20:20:12] [topic] SELinux progress
[20:20:24] Packages all pbuild successfully and are available from the Hardened PPA:
[20:20:24] [LINK] https://launchpad.net/~ubuntu-hardened/+archive/
[20:20:24] They are also on revu.
[20:20:30] Sources are available from:
[20:20:30] [LINK] https://code.launchpad.net/~calebcase/+junk/selinux-support
[20:20:30] Hardy server and desktop boot successfully SELinux enabled and enforcing.
[20:20:46] I'm a slacker and haven't managed to get through all the package reviews, but I have been working through the TODO list propagandist sent via email.
[20:21:19] External Package Status:
[20:21:19] grub [bug 189173, submitted]
[20:21:19] openssh [bug 188136, submitted]
[20:21:19] pam [bug 187822, merged]
[20:21:19] shadow [bug 191326, submitted]
[20:21:21] ustr [new package, ?]
[20:21:23] Launchpad bug 189173 in grub "trigger for update-grub" [Undecided,New] https://launchpad.net/bugs/189173
[20:21:24] ubuntu-standard [change apparmor-utils recommend to meta, keescook?]
[20:21:24] Launchpad bug 188136 in openssh "package openssh-4.7p1 configure.ac improperly fails to recognize getseuserbyname and get_default_context_with_level" [Undecided,Fix released] https://launchpad.net/bugs/188136
[20:21:26] Launchpad bug 187822 in pam "package pam-0.99.7.1 pam_selinux.so doesn't support seusers" [Undecided,Fix released] https://launchpad.net/bugs/187822
[20:21:27] Launchpad bug 191326 in shadow "package shadow-4.0.18.2-1 enable pam_selinux in login.pam" [Undecided,New] https://launchpad.net/bugs/191326
[20:21:35] keescook: ;o} vacations are so rough!
[20:21:47] <\emgent> :)
[20:22:09] pam is done, openssh just hit the archive (building now)
[20:22:16] As keescook says, the packages are in need of reviewing and merging. I am available to fix any problems with the packages (Freeze is tomorrow right!?) Please let me know what needs to be done!
[20:22:25] keescook: oh nice!
[20:22:42] ustr is accepted in Debian.
[20:22:54] I'll file a sync for it in Ubuntu right now...
[20:23:05] I've been helping joejaxx with reviewing the selinux source packages, but I'm traveling this week, so further progress will (unfortunately) be by proxy
[20:24:10] propagandist: what would help me is a checklist of the packages to review. I can browse your PPA, but it'd be handy to have a wiki to take notes on.
[20:24:40] keescook: kk, I will put them up
[20:24:53] okay, ustr import requested.
[20:25:12] <\emgent> cool
[20:25:19] ;o}
[20:25:38] it sounds like things are in good shape. I'm going to poke at grub too. I think shadow should be trivial as well.
[20:26:14] we'll make FF, and if not, it shouldn't be hard to get an exception since selinux doesn't work correctly currently, so new uploads can't really regress. :)
[20:26:26] ;o}
[20:26:31] heh
[20:26:52] <\emgent> :>
[20:26:57] Breaking your package just before FF is the surest way to get to upload updates later.
[20:27:02] heh
[20:27:09] ScottK: shh, this is publicly logged
[20:27:11] Are we using /[TASK] to assign these or just remember? ;o}
[20:27:16] * jdstrand makes a note of that
[20:28:19] propagandist: I think our [action] list would get long. I think just making the TODO list in the wiki should be fine. I've been able to see which things need sponsoring so far, so we're good.
[20:28:32] keescook: kk sounds good
[20:28:46] we're skipping joejaxx's selinux UI stuff for this meeting since he hadn't slept in 36 hours. :)
[20:28:57] heheh
[20:28:59] true, true
[20:29:05] but, based on screenshots he posted a while back, it looks like it's very cool
[20:29:16] <\emgent> :)
[20:29:16] [topic] hardening wrapper testing
[20:29:26] keescook: Are these screenshots publicly available?
[20:29:29] anyone get a chance to do more hardened builds with the wrapper?
[20:29:36] gouki: yeah, but I don't have the link handy
[20:29:51] keescook: No problem. We'll talk about it on -hardened.
[20:30:18] keescook, are there links to those screenshots?
[20:30:22] crimsun: did you get the pbuilder bits documented?
[20:30:25] keescook: yes. I have a document that's sitting in $employer's prepublication review queue (due to my doing it on work time); I'll get those bits posted onto the Ubuntu wiki upon their approval.
[20:30:27] mra: see above (no)
[20:30:46] mra: Yes, but he doesn't have them handy. We'll talk about it on #ubuntu-hardened.
[20:31:11] crimsun: cool. were you able to do any builds?
[20:31:37] keescook: as a test, I built the entire audio stack from alsa-driver->alsa-lib->pulseaudio->gstreamer->bmpx
[20:32:08] keescook: things were considerably easier than using hooks. pbuilder provides bootstrap-time options for it.
[20:32:14] nice! how did it do?
[20:32:17] ah, good
[20:32:19] went fine.
[20:32:22] \o/
[20:32:35] <\emgent> :)
[20:32:51] can anyone else make some time to do rebuild tests? packages you're interested in, etc?
[20:32:59] general use of the wrapper is documented here:
[20:33:33] [link] https://wiki.ubuntu.com/Security/HardeningWrapper
[20:34:12] it would be good to run the qa-regression-tests scripts on packages compiled with HardeningWrapper
[20:34:21] yeah, good idea
[20:34:27] indeed, that's queued on my list
[20:34:43] we do need behavioral tests instead of just compile tests. :)
[20:35:01] I'd also like to see some benchmarks. Some suggestions were made on the Debian mailing lists.
[20:35:32] [action] keescook to find debian benchmark mailing list post link
[20:36:08] [topic] ubuntu-pentest
[20:36:13] * keescook turns it over to emgent
[20:36:18] <\emgent> heya :)
[20:36:27] <\emgent> well, ubuntu pentest team wiki page is up
[20:36:31] <\emgent> [link] https://wiki.ubuntu.com/UbuntuPentest
[20:36:57] <\emgent> now we can define "working tools docs" and PT draft report
[20:37:04] I'm waiting to get the mailing list up (I sent an RT for it)
[20:37:17] <\emgent> ok cool
[20:37:36] <\emgent> I think that it's important to write a draft report for monitoring all works
[20:37:36] also we need to check the applications for membership to the team
[20:37:59] <\emgent> nxvl_work, later see agenda: https://wiki.ubuntu.com/SecurityTeam/Meeting
[20:38:20] <\emgent> [action] emgent to write report draft
[20:38:47] \emgent: i mean to avoid this -> https://lists.ubuntu.com/archives/ubuntu-hardened/2008-February/000294.html
[20:38:55] <\emgent> someone interested to write some docs about working tools for new members?
[20:39:16] nxvl_work: There is a topic for that on the Wiki
[20:39:33] \emgent: first we need to decide which tools we are going to use
[20:39:35] some "process guidelines" would be good too (i.e. keep vulns private until fixed, etc)
[20:39:43] gouki: yep, but read the link i have just posted
[20:39:56] <\emgent> nxvl_work, we can talk about it in ml, if it's ok for all.
[20:40:01] and people can be team members if they agree to abide by those guidelines, CoC, etc.
[20:40:17] nxvl_work: I'm aware of that. I followed the discussion. But we will get to it.
[20:40:45] <\emgent> well about working method
[20:40:46] [action] emgent to write report draft
[20:40:56] also we need to have standards and policies about the tools used (i.e: not to use dangerous tests, which tools to use, etc..)
[20:41:24] keescook: can we get them to sign something separate for the CoC, or is that enough?
[20:41:24] <\emgent> i think that it's good to decide on 1-2 days per month for pentest-sessions
[20:41:28] not to touch anything if you gain access
[20:41:32] not to break anything
[20:41:38] that can include upstream contacts, where/when to test live services (i.e. staging.launchpad.net)
[20:41:44] <\emgent> we can talk with infra people and work on services.
[20:42:01] jdstrand: I'm not sure there is a general way to do "sign this thing", so we just have to take people at their word.
[20:42:21] 1/2 days couldn't be enough
[20:42:25] <\emgent> it's important to see "draft report" and write a new one with all tests
[20:42:35] keescook, you could ask them to gpg sign something
[20:42:51] it's a way to register that you agreed to it
[20:42:56] keescook: maybe if they gpg signed the contents of an email message and sent it to the mlist?
[20:43:07] keescook: we can make a Contract of Confidentiality and everyone on the team must sign it
[20:43:12] <\emgent> astharot, what do you propose ?
[20:43:12] those contents would be the 'policy'
[20:43:13] mra: right, and post it on their own wiki page
[20:43:15] mra: true, we could look into it -- but I think an email confirming should be good enough. yeah, sure, sign the email. cool.
[20:43:17] astharot: for specific components of the infra, I don't see why it wouldn't.
[20:43:37] it depends on how many platforms you want to test per month
[20:43:47] keescook: I think it's important from a mindset point of view, as well as potentially legal
[20:43:49] <\emgent> keescook, can you talk with infra people about the number of pt sessions ?
[20:43:55] Other than that, we could also take into account contributions done by that person.
[20:44:05] (people will take it more seriously if they sign it)
[20:44:13] first there should be a census of the platforms to be checked
[20:44:19] then start thinking of a "schedule"
[20:44:29] \emgent: I'm unclear what you mean? I think we'll need to coordinate infra-poking on a case-by-case basis with the infrastructure folks
[20:44:34] <\emgent> astharot, +1
[20:44:43] <\emgent> keescook, ok
[20:44:46] * jdstrand feels they *must* sign the email
[20:44:54] \emgent: i.e. we can make a list of things we want to test, and then bring it to them, and schedule times to do it.
[20:45:12] <\emgent> ok cool.
[20:45:14] jdstrand: I agree -- it's not a very high barrier. :)
[20:45:26] moreover, you should decide how many times per year/month/week you want to test each platform
[20:45:36] or on a "new releases" basis
[20:45:46] <\emgent> astharot, yep later, now we should write the report draft
[20:45:58] nothing like having the laptop die 15 minutes before the meeting...
[20:46:31] nxvl_work: would you be willing to go through this IRC log and pull out all the method/guideline ideas we had?
[20:46:48] mm
[20:46:52] if they got recorded in the wiki, it'd be a great starting point for more details
[20:47:01] <\emgent> about Ubuntu Pentest day i think that first it is good to complete the other docs (draft report, working tools docs etc..)
[20:47:06] i'm kind of out of time this week, but if you can wait until the weekend there is no problem
[20:47:17] <\emgent> i think that we can decide the date in ml or next meeting
[20:47:39] <\emgent> and write a calendar
[20:47:55] first the census, then the schedule
[20:47:57] * jdstrand wants to go on record that we need to have our CoC in place, signed, and our policies defined before any pentesting
[20:47:58] <\emgent> [link] https://wiki.ubuntu.com/UbuntuPentest/PentestDayCalendar
[20:48:08] nxvl_work: yeah, weekend should be fine.
[20:48:21] <\emgent> me too, weekend +1
[20:48:39] [action] nxvl_work to prepare rough draft of pentest guidelines in Wiki, including ideas from this IRC log
[20:49:02] <\emgent> well, according to astharot it is good to do first the census and later the schedule
[20:49:02] jdstrand: I think that's fine.
[20:49:32] <\emgent> keescook, when pt private meilinglist is ready we can use it for coordination
[20:49:45] <\emgent> s/meilinglist/mailinglist/
[20:50:00] <\emgent> it's ok for all ?
[20:50:08] yup, sounds good.
[20:50:10] Sure
[20:50:33] <\emgent> ok, now candidature
[20:50:34] we can use bug reports on LP team as mailing list
[20:50:41] we used to use it on DCT :P
[20:50:45] (10 minutes left, let's trying to be quick...)
[20:51:02] s/ing//
[20:51:03] <\emgent> andrea-bs, nxvl_work online ?
[20:51:06] \emgent: please, proceed. It's important to define that.
[20:51:09] o/
[20:51:15] \emgent: I'm here :)
[20:51:30] Maybe it would be good for Zelut to be around
[20:51:38] <\emgent> about bugreports we can use launchpad np
[20:51:38] He's the listadmin and owner of the hardened team.
[20:51:55] I'll send a meeting-minutes note to the hardened ml
[20:51:59] <\emgent> gouki, i know.
[20:52:11] I'll talk to him.
[20:52:25] <\emgent> ok
[20:52:37] <\emgent> can we proceed to membership approval ?
[20:52:44] please do :)
[20:52:46] I believe so
[20:53:05] <\emgent> cool
[20:53:17] <\emgent> andrea-bs
[20:53:21] I think if applicants understand they need to be careful and use responsible disclosure (private bugs, etc) that should be good. :)
[20:53:35] I'm a developer who uses Python as main programming language, but I know C/C++
[20:53:35] and ASM on x86 (AT&T syntax) too. I'm interested in bugs and of course in
[20:53:35] security issues in Linux and especially in Ubuntu. I work with Ubuntu
[20:53:35] BugControl and I'd like to join PenTest to help out better.
[20:53:53] <\emgent> i saw his wiki page and launchpad page
[20:53:55] <\emgent> for me +1
[20:54:05] +1 too :)
[20:54:09] * jdstrand knows he is harping on the same thing, but if we have all our policies, etc figured out, this will fall into place
[20:54:23] I also read it, and if I have anything to say, +1
[20:54:24] <\emgent> jdstrand, please vote :)
[20:54:37] <\emgent> astharot, please vote too.
[20:54:53] +1 ? :)
[20:55:03] <\emgent> heheh :P
[20:55:05] <\emgent> jdstrand, ?
[20:55:13] +1 (but wants something signed by all of us)
[20:55:19] (oops, I need to do the mootbot voting)
[20:55:20] (am I obsessing?)
[20:55:32] * jdstrand thinks you are jdstrand
[20:55:37] <\emgent> hehe
[20:55:38] [agreed] we'll retroactively make sure all pentest members sign the pentest CoC
[20:55:51] welcome andrea-bs :)
[20:55:51] <\emgent> crimsun, please vote
[20:55:58] thanks everybody! :)
[20:56:06] heh, getting ahead of myself, but 4 minutes left!
[20:56:11] <\emgent> ok :D
[20:56:14] quick quick, on to nxvl_work :)
[20:56:14] +1 here
[20:56:19] <\emgent> ok
[20:56:25] https://wiki.ubuntu.com/Nxvl
[20:56:29] <\emgent> welcome andrea-bs
[20:56:30] https://edge.launchpad.net/~nvalcarcel
[20:56:31] <\emgent> nxvl_work, go
[20:56:33] (we might also define who gets a vote, etc)
[20:56:34] as i said before
[20:56:38] \emgent: thank you
[20:56:41] i'm a 23 year old student
[20:56:47] <\emgent> jdstrand, https://wiki.ubuntu.com/UbuntuPentest/Members
[20:56:48] [action] \emgent to define who votes for pentest membership
[20:56:59] <\emgent> keescook, all members.
[20:56:59] and i have 3 years of experience working as network and security consultant
[20:57:12] * jdstrand thinks this is sounding like a Council
[20:57:13] most of my work has been sysadmining and pentesting
[20:57:16] As webmaster of PUU, I believe nxvl_work would be good. He has made several good and informative posts fetched by PUU.
[20:57:21] based on discussions, i'm +1
[20:57:27] <\emgent> +1
[20:57:33] also +1
[20:57:37] my area of specialization is security, cause i love it
[20:57:38] :D
[20:57:40] hehe
[20:57:43] <\emgent> astharot, jenda
[20:57:44] +1
[20:57:53] <\emgent> astharot, ?
[20:57:56] +1
[20:58:02] <\emgent> ok welcome nxvl_work
[20:58:03] * astharot is automatic +1 :)
[20:58:06] welcome nxvl_work :)
[20:58:11] 2 min!
[20:58:13] thanks to all
[20:58:13] 2 minutes left! :S
[20:58:22] <\emgent> keescook, switch topic
[20:58:23] [topic] Contributing to ubuntu-cve-tracker - what's the best way?
[20:58:42] everyone please review the README in the ubuntu-cve-tracker and prepare questions about it for next meeting!
[20:58:49] [topic] todo list
[20:58:54] gouki: what's puu?
[20:58:56] everyone please fill in our roadmap wiki page. :)
[20:59:06] [topic] next meeting
[20:59:07] nxvl_work: ubuntuweblogs.org
[20:59:11] ah yes
[20:59:12] :D
[20:59:14] I'll defer motu-swat membership
[20:59:17] I put that there for thinking about bzr branches, etc.
so we should be thinking of that too
[20:59:24] next meeting, in two weeks, same time/place?
[20:59:30] sounds fine
[20:59:34] +1
[20:59:39] <\emgent> +1
[20:59:41] Sure
[20:59:46] +1 from me (if I can vote :D)
[20:59:47] the ayes have it. done! :)
[20:59:51] #endmeeting Meeting ended.
}}}