Security Team Meeting 20080227
End: 21:00 UTC
Where: #ubuntu-meeting on irc.freenode.net
Chaired By: KeesCook
Agenda for this meeting
These items will be discussed at the next meeting:
- CVE review - KeesCook
- SELinux progress - ChadSellers
- SELinux GUI Utils - JoeJaxx
- Hardening Wrapper testing - KeesCook
- Penetration Test Team Organization - emgent
- Contributing to ubuntu-cve-tracker - what's the best way? (deferred)
- To-Do List (Expanding our Roadmap) - JoeJaxx (deferred)
- MOTU-SWAT membership (deferred)
- Next meeting time
Notes
IRC Log
Started logging meeting in #ubuntu-meeting
[20:00:18] <keescook> hello!
[20:00:31] <keescook> [topic] agenda review
[20:00:39] <keescook> heya folks :)
[20:00:47] * jdstrand waves
[20:00:56] <keescook> anyone new here that wants to introduce themselves?
[20:01:27] <popey> o/
[20:01:38] <popey> Hello - popey - just a bloke interested in security
[20:01:56] <keescook> :) it's a big topic area, anything in particular?
[20:02:10] <popey> keeping systems up to date
[20:02:17] <keescook> cool.
[20:02:25] <keescook> welcome :)
[20:02:26] <popey> we do hosting for LUGs, so I'm interested in best practice for making sure we don't get hacked basically :)
[20:02:46] <keescook> sounds good -- have you been using gutsy for those hosts?
[20:02:59] <popey> they're mostly debian
[20:03:07] <keescook> I'm curious if anyone has played much with doing apache isolation with apparmor in gutsy. ah, heh.
[20:03:21] <astharot> keescook: cool
[20:03:25] <astharot> will try
[20:03:27] <keescook> okay, if there are any new agenda items, please add them to the wiki agenda page:
[20:03:40] <keescook> [link] https://wiki.ubuntu.com/SecurityTeam/Meeting
[20:04:09] <keescook> as usual, we've got an hour before the server team meeting uses this room
[20:04:20] <\sh> starts now?
[20:04:22] <keescook> so, continuing into what I think will be a quick topic...
[20:04:31] <keescook> \sh: yeah, started
[20:04:32] <jdstrand> keescook: I thought about it
[20:04:44] <jdstrand> re apache/apparmor
[20:04:52] <keescook> hehe, me too! :)
[20:04:56] <keescook> [topic] cve review
[20:05:18] <keescook> anyone have any open CVE concerns? I've got nothing myself, but I like having this place holder just in case.
[20:05:53] <\sh> keescook: how do we going for sec fixes for issues which don't have a CVE filed
[20:05:57] <\sh> ?
[20:06:27] <jdstrand> \sh: we track these by CVE typically-- do you have a particular thing in mind?
[20:06:36] <keescook> \sh: we can follow the same processes, but generally, we should request CVE for issues that need them
[20:07:11] <keescook> [link] https://wiki.ubuntu.com/SecurityUpdateProcedures
[20:07:17] <keescook> there is a small section on requesting a CVE
[20:07:46] <keescook> err... there was.
[20:07:56] <joejaxx> lol
[20:08:14] <\sh> jdstrand: lighttpd
[20:09:00] <keescook> [action] keescook to (re?)add CVE request procedure to SUP wiki page
[20:09:21] <keescook> \sh: I opted to let lighttpd publish without the CVE (since it was ready to publish)
[20:09:49] <keescook> basically, we contact mitre and vendor-sec and ask for one.
[20:10:09] <keescook> okay, moving on...
[20:10:11] <jdstrand> \sh: does this have an LP bug?
[20:10:34] <\sh> jdstrand: jepp...sec
[20:10:40] <keescook> [topic] selinux progress
[20:10:52] <\sh> jdstrand: bug #195380
[20:10:53] <ubotu> Launchpad bug 195380 in lighttpd "lighttpd crashes in some cases and giving a remote DoS possibility" [Medium,In progress] https://launchpad.net/bugs/195380
[20:10:57] <propagandist> :o) Most packages have made it into upstream.
[20:10:59] <keescook> propagandist, jason_tang: things seem pretty cool
[20:11:12] <jason_tang> spiffy
[20:11:16] <joejaxx> :)
[20:11:18] <keescook> I installed a selinux vm. I have no idea what I'm doing in it, but "sestatus -v" seems happy ;)
[20:11:20] <propagandist> hooray ;o}
[20:11:24] <joejaxx> keescook: lol :D
[20:11:29] <propagandist> SETools 3.3.3 was released and is in the PPA now. I'll be posting it to revu this week.
[20:11:33] <jdstrand> \sh: thanks
[20:11:35] <keescook> propagandist: okay, cool
[20:11:36] <jason_tang> extra spiffy
[20:11:48] <propagandist> Some packages (refpolicy, selinux, and selinux-basics) need to be deleted from the PPA so that their version can be sync'd with upstream. If there aren't any objections I'll do that after the meeting today.
[20:11:57] <keescook> propagandist: did you catch the issues with libselinux and libsepol that got uncovered over the weekend?
[20:12:09] <propagandist> with pkg-config?
[20:12:12] <keescook> yeah
[20:12:23] <propagandist> yes, i've pulled those into bzr and posted to the ppa today
[20:12:30] <propagandist> they'll get pushed to revu as well
[20:12:41] <keescook> okay, excellent. is there hope that those changes will get into upstream?
[20:13:01] <propagandist> I would think so :o)
[20:13:01] <keescook> for note, I've already uploaded the fixed packages to the archive
[20:13:23] <keescook> propagandist: cool. is that something you can drive? I'm not sure where to send the patches
[20:13:38] <propagandist> I made some adjustments to the .pc changes though that I think will be easier to upstream (I removed the DESTDIR changes)
[20:13:54] <propagandist> keescook: yup i can submit them for us
[20:14:31] <propagandist> keescook: Any update on ubuntu-standard apparmor-utils=>security-utils?
[20:14:39] <keescook> propagandist: okay, cool -- I did think it was a bit funny-looking that way. what was your solution for handling "prefix" in the .pc file?
[20:15:09] <keescook> propagandist: now that I've got my selinux vm, I can more easily see/test the virtual package need there.
[20:15:36] <keescook> I will get that into the archive this week -- it should be a very simple fix -- I just wanted to let the new packages settle for a bit
[20:16:24] <keescook> propagandist: is it intentional to have the X login be unconfined?
[20:16:40] <propagandist> keescook: i left it as the combined DESTDIR+prefix... thats not really optimal, but removing destdir will require a bit more work due to the way its being used currently
[20:17:03] <propagandist> keescook: kk
[20:17:09] <propagandist> keescook: um... no
[20:17:09] <keescook> propagandist: well, the requirement is that the .pc file reports the correct thing. :) how that happens doesn't matter. ;)
[20:17:21] <propagandist> keescook: ;o} sounds like a bug to me
[20:17:57] <propagandist> I'm going to keep a closer eye on the lp bugs if you want to put it there
[20:18:14] <keescook> propagandist: okay, I did an alpha5 install, then dist-upgrade, apt-get purge apparmor, apt-get install selinux, reboot, reboot, login, sestatus => "unconfined"
[20:19:23] <keescook> propagandist: okay, I'll file the bug
[20:19:30] <propagandist> keescook: :o}
[20:19:39] <keescook> [action] keescook to file "unconfined" selinux bug
[20:19:58] <keescook> propagandist: beyond setools and the virtual package, is there anything outstanding in your view?
[20:20:21] <propagandist> keescook: nope, everything looks like its coming together nicely
[20:21:00] * propagandist is excited to hear about the gui tools ;o}
[20:21:00] <keescook> excellent! :)
[20:21:06] <keescook> [topic] selinux gui utils
[20:21:09] <joejaxx> hi
[20:21:10] <joejaxx> :)
[20:21:12] <keescook> :)
[20:21:39] <joejaxx> setroubleshoot is almost done packaging wise i just need to fix something to be in compliance with ubuntu policy
[20:21:55] <joejaxx> there are still some redhat/fedora specific things i need to investigate
[20:22:13] <keescook> joejaxx: is there any beta in REVU or something to poke at early?
[20:22:27] <joejaxx> i should have the other gui tools done soon as well (system-config-selinux and the policycoreutils-gui)
[20:22:49] <joejaxx> keescook: nope not yet i should upload to ppa ( or revu since that sounds better)
[20:23:35] <jdstrand> joejaxx: is the system-config-selinux standalone, or does it need other redhat stuff (IIRC it is python and other libs)
[20:23:41] <jdstrand> ?
[20:23:47] <joejaxx> the latter is actually a patch on policycoreutils so i am wondering how i should go about that
[20:24:09] <keescook> joejaxx: is it a bolt on? or does it need a patch to make the -gui work?
[20:24:10] <jdstrand> by 'it' I mean 'system-config-*' tools
[20:24:18] <jdstrand> in general
[20:24:36] <joejaxx> jdstrand: standalone i believe, we already have system-config-printer
[20:24:53] <joejaxx> keescook: the patch is the gui code
[20:25:15] <joejaxx> grr i wish i would have posted it somewhere http accessible so i could show you all
[20:25:31] <keescook> joejaxx: hm... is there some way to keep it external? the feature freeze makes it hard to add a feature to a package, but easy to upload a NEW package. :)
[20:26:02] <joejaxx> keescook: yeah, i will have to look further into it
[20:26:05] <joejaxx> :)
[20:26:14] <joejaxx> i will do that before the end of this business week
[20:26:39] <keescook> joejaxx: cool, that sounds good.
[20:26:41] <joejaxx> :)
[20:27:00] <keescook> do we need to have auditd running when using any of these things?
[20:27:16] <joejaxx> for setroubleshoot yes
[20:27:37] <joejaxx> but you can have it review log files as well
[20:27:42] <keescook> okay. I think mathiaz is actually intending to get it into main for intrepid
[20:28:00] <joejaxx> ok great
[20:28:30] <keescook> anything we can help with for the gui bits?
[20:29:36] <joejaxx> keescook: yes if you are knowledgeable with the python policy it would help :D
[20:29:41] <joejaxx> i will upload it to revu later
[20:29:57] <keescook> oops. I'm a newb there. ;) we can find someone :)
[20:30:03] <joejaxx> ;)
[20:30:06] <keescook> okay, so, once on REVU, we can poke at it. :)
[20:30:11] <jdstrand> there is a good link-- getting it...
[20:30:16] <andrea-bs> joejaxx: I know python a bit well
[20:30:23] <keescook> eek, meeting half-over....
[20:30:27] <jdstrand> http://wiki.debian.org/DebianPython/NewPolicy
[20:30:31] <jdstrand> joejaxx: ^^
[20:30:34] <joejaxx> jdstrand: ok thanks
[20:30:49] <joejaxx> keescook: perhaps we should move on to the next topic for time's sake?
[20:30:51] <keescook> [topic] hardening wrapper testing
[20:31:18] <keescook> so, I started trying to do some benchmarks for fun and discovered that mplayer doesn't compile with PIE
[20:31:29] <keescook> PIE will fail for applications with raw assembly...
[20:31:45] <keescook> since those are, by definition, not relocatable in most cases. :(
[20:31:45] <NthDegree> PIE seems to have issues with apps that want PIC too
[20:32:20] <crimsun_> what portion of main does that affect?
[20:32:22] <keescook> NthDegree: afaict, an executable can link with either PIC or PIE objects
[20:32:35] <keescook> (PIE is just a "lesser" PIC)
[20:32:48] <NthDegree> i've had a few errors where it's asked to recompile with -fPIC
[20:33:20] <jdstrand> keescook: when is it ok to issue FTBFS bugs against the packages, when intrepid opens?
[20:34:01] <keescook> NthDegree: right, those are .o's that are neither -fPIC nor -fPIE, from what I've been able to tell (i.e. they are not relocatable at all)
[20:34:35] <NthDegree> ah
[20:35:35] <keescook> and the things that I've found that don't get -fPIC/-fPIE during a compile (with the wrappers) are .S files
[20:35:40] <keescook> (things going through "as")
[20:36:05] <keescook> those .o files are not relocatable... and some may not be able to be defined that way... it kind of depends.
[20:36:30] <keescook> [agreed] we need to take a closer look at things like mplayer
[20:36:50] <keescook> NthDegree: what were you compiling that failed? (and did compiling with DEB_BUILD_HARDENING_PIE=0 help?)
[20:37:53] <NthDegree> keescook: err large'ish things... KDE was one of my attempts
[20:38:13] <keescook> jdstrand: we should open them now, actually, but note them with the tags from the wiki page:
[20:38:29] <keescook> https://wiki.ubuntu.com/Security/HardeningWrapper
[20:38:41] <keescook> "hardening-ftbfs"
[20:38:46] <jdstrand> cool
[20:39:12] <keescook> crimsun_: it's unclear...
[20:39:28] <keescook> but probably everything with asm in it
[20:39:41] <keescook> which is, ironically, the things I'd want to protect most with PIE. ;)
[20:39:49] * jdstrand just had a thought that we could compile select packages with hardening wrapper for hardy-- and release with it (eg tasksel server packages might be a start)
[20:40:05] <jdstrand> but I realize this is probably too late because of FF
[20:40:06] <keescook> ah, as a ppa, perhaps?
[20:40:19] <jdstrand> I was thinking for release, ideally
[20:40:25] <jdstrand> we Build-Depends on it
[20:40:56] <keescook> yeah... makes me nervous to do it this late... but perhaps should be considered more carefully
[20:41:01] <keescook> (before ruling it out)
[20:41:15] <keescook> what would people nominate for this?
[20:41:18] <jdstrand> maybe this is an #ubuntu-server topic too
[20:41:25] <keescook> i.e. what packages?
[20:41:34] <crimsun_> daemons listening on non-localhost?
[20:42:04] <keescook> openssh, while not compiled with some of the other things, is compiled with PIE.
[20:42:06] <jdstrand> my thoughts were things in main that ship on the server cd that open a port
[20:42:27] <jdstrand> cups might be another candidate
[20:42:36] <jdstrand> dhcpd
[20:42:49] <jdstrand> dhcp3-client (or whatever it's called)
[20:42:54] <keescook> jdstrand: would you make a list of candidates and put them in the wiki under the roadmap?
[20:43:03] <jdstrand> keescook: I can do that
[20:43:15] <keescook> [action] jdstrand to make a list of possible candidates for early hardening in hardy
[20:43:33] <keescook> okay, moving on...
[20:43:43] <keescook> [topic] pentest team organization
[20:43:50] <astharot> hello
[20:43:55] <joejaxx> hi
[20:44:03] <astharot> I'll talk about this instead of emgent :)
[20:44:08] <keescook> https://wiki.ubuntu.com/UbuntuPentest#head-9a8d1f8d2cdf1209688c579b0b9dea5610015391
[20:44:10] <astharot> i'll be quick, 15 minutes left
[20:44:14] <keescook> [link] https://wiki.ubuntu.com/UbuntuPentest#head-9a8d1f8d2cdf1209688c579b0b9dea5610015391
[20:44:45] <astharot> all the people involved into the team are pleased to subscribe to the ML
[20:44:50] <astharot> http://lists.launchpad.net/ubuntu-pentest/
[20:45:11] <keescook> [action] pentesters subscribe to private pentest list
[20:45:15] <astharot> yep
[20:45:16] <astharot> then
[20:45:47] <astharot> keescook: emgent told me that you should know something about platforms census
[20:45:56] <keescook> I don't yet have an infrastructure machine list, IS would like to know what the plans for them are first. :)
[20:45:57] <astharot> and that you have to discuss with him via mail
[20:46:42] <astharot> uhm I think that by knowing the "volume" of the platforms, the criticism and everything related about the productivity we could start thinking a plan
[20:47:06] <astharot> otherwise, how to plan if we don't know what to do?
[20:47:32] <joejaxx> we should probably draft up policies first
[20:47:51] <astharot> yep, CoC is the next point :)
[20:47:52] <keescook> I'd like to at least have an outline. e.g. 1) check for XSS in webservices a, b, c. 2) check for ... etc
[20:47:55] <joejaxx> on how to go about things :)
[20:48:02] <joejaxx> keescook: same here
[20:48:23] <astharot> ok so we should first define the tasks that people will perform on platforms
[20:48:24] <keescook> right, CoC will get written before the week is up. jdstrand and I are face-to-face this week (server team meeting)
[20:48:34] <astharot> perfect
[20:48:48] <astharot> then
[20:48:50] <keescook> astharot: that's my thinking. I'm going to have a hard time convincing IS to help until they're comfortable with what's going to happen. :)
[20:49:09] <astharot> ok so, task definition in todo list
[20:49:43] <astharot> please add it, dunno how to do it :P
[20:49:58] <keescook> [action] pentest team to define tasks for TODO list
[20:50:09] <keescook> does that capture the task description correctly?
[20:50:14] <astharot> yep
[20:50:34] <keescook> the template looks good
[20:50:36] <astharot> then, I prepared a draft of the pentest report
[20:50:39] <astharot> https://wiki.ubuntu.com/UbuntuPentest/ptreport/template
[20:50:41] <keescook> https://wiki.ubuntu.com/UbuntuPentest/ptreport/template
[20:50:43] <keescook> heh
[20:50:43] <astharot> yes
[20:50:57] <astharot> so, approvation?
[20:50:57] <keescook> (why do some links need [link]?)
[20:51:00] <keescook> [link] https://wiki.ubuntu.com/UbuntuPentest/ptreport/template
[20:51:05] <keescook> sure, looks good.
[20:51:19] <joejaxx> keescook: maybe it does not like https
[20:51:21] <joejaxx> :P
[20:51:24] <keescook> ah
[20:51:53] <astharot> then, emgent is working on "anteater" that should be something automatic to send directly the report to launchpad as bug
[20:51:56] <astharot> https://wiki.ubuntu.com/UbuntuPentest/ptreport
[20:52:04] <keescook> [link] https://wiki.ubuntu.com/UbuntuPentest/ptreport
[20:52:24] <astharot> he has to finish it then he will make a package and will update it on bazaar or ppa
[20:52:31] <keescook> okay, sounds good
[20:53:10] <keescook> are there new pentest members to approve?
[20:53:11] <astharot> last point
[20:53:39] <astharot> everything related to ubuntu-pentest should be discussed and approved by every member of the team
[20:53:57] <astharot> I don't think there will be new people involved, AFAIK
[20:54:01] <keescook> astharot: unanimous approvals may be tricky
[20:54:03] <astharot> at least, atm
[20:54:09] <jdstrand> astharot: I am assuming that the bug will be marked private as well as security?
[20:54:09] <astharot> why tricky?
[20:54:20] <astharot> jdstrand: yes that's the plan
[20:54:43] <keescook> astharot: it can just be hard to reach 100% agreement sometimes.
[20:55:12] <joejaxx> /win 116
[20:55:14] <joejaxx> bah
[20:55:14] <keescook> I think simple majority should work in most cases.
[20:55:20] <astharot> ye sure, I think that he wanted to say that every member should vote, not only older or "admins"
[20:55:23] <keescook> [agreed] joejaxx has too many windows
[20:55:36] <keescook> astharot: ah! okay, then I agree there.
[20:55:47] <astharot> perfect
[20:55:47] <keescook> running out of time again....
[20:55:52] <astharot> I've done :)
[20:55:56] <jdstrand> haha
[20:56:03] <astharot> hands up \o/
[20:56:06] <joejaxx> hahaha
[20:56:13] <jdstrand> re joejaxx' windows
[20:56:31] <keescook> so, should we start this meeting an hour earlier in two weeks? we seem to always run out before discussing cve-ubuntu-tracker
[20:56:35] <keescook> and the todo lists, etc
[20:56:40] <joejaxx> that sounds good
[20:56:41] <keescook> [topic] scheduling
[20:57:01] <keescook> anyone else have issues with it?
[20:57:09] <jdstrand> fine by me
[20:57:15] <propagandist> sounds good to me
[20:57:16] <keescook> joejaxx: sorry to defer the topics again. :(
[20:57:22] <andrea-bs> that's better for me
[20:57:24] <keescook> joejaxx: anything you can quickly cover about todo list ideas?
[20:57:30] <keescook> [topic] todo list
[20:57:37] <joejaxx> same
[20:57:39] <joejaxx> keescook: it is quite alright
[20:57:42] <joejaxx> keescook: we can leave that for next time :)
[20:58:02] <keescook> okay, well, I'd like to shake out the Roadmap to really outline all the kick-ass work we're doing
[20:58:08] <joejaxx> yeap
[20:58:36] <keescook> okay, next meeting: Mar 12, 1900UTC
[20:59:05] <joejaxx> thanks everyone! :)
[20:59:06] <keescook> thanks everyone for coming! we'll cover more next time around. :)
[20:59:07] <astharot> good
[20:59:14] <jdstrand> thanks keescook! :)
[20:59:16] <keescook> #endmeeting
Meeting ended.
MeetingLogs/Security/20080227 (last edited 2008-08-06 16:14:05 by localhost)