Agenda for this meeting

These items will be discussed at the next meeting:

  • CVE review - KeesCook

  • SELinux progress - ChadSellers

  • SELinux GUI Utils - JoeJaxx

  • Hardening Wrapper testing - KeesCook

  • Penetration Test Team Organization - emgent

  • Contributing to ubuntu-cve-tracker - what's the best way? (deferred)

  • To-Do List (Expanding our Roadmap) - JoeJaxx (deferred)

  • MOTU-SWAT membership (deferred)

  • Next meeting time


Raw Notes


Raw Log

Started logging meeting in #ubuntu-meeting
[20:00:18] <keescook> hello!
[20:00:31] <keescook> [topic] agenda review
[20:00:39] <keescook> heya folks :)
[20:00:47] * jdstrand waves
[20:00:56] <keescook> anyone new here that wants to introduce themselves?
[20:01:27] <popey> o/
[20:01:38] <popey> Hello - popey - just a bloke interested in security
[20:01:56] <keescook> :) it's a big topic area, anything in particular?
[20:02:10] <popey> keeping systems up to date
[20:02:17] <keescook> cool.
[20:02:25] <keescook> welcome :)
[20:02:26] <popey> we do hosting for LUGs, so I'm interested in best practice for making sure we don't get hacked basically :)
[20:02:46] <keescook> sounds good -- have you been using gutsy for those hosts?
[20:02:59] <popey> they're mostly debian
[20:03:07] <keescook> I'm curious if anyone has played much with doing apache isolation with apparmor in gutsy. ah, heh.
[20:03:21] <astharot> keescook: cool
[20:03:25] <astharot> will try
[20:03:27] <keescook> okay, if there are any new agenda items, please add them to the wiki agenda page:
[20:03:40] <keescook> [link] https://wiki.ubuntu.com/SecurityTeam/Meeting
[20:04:09] <keescook> as usual, we've got an hour before the server team meeting uses this room
[20:04:20] <\sh> starts now?
[20:04:22] <keescook> so, continuing into what I think will be a quick topic...
[20:04:31] <keescook> \sh: yeah, started
[20:04:32] <jdstrand> keescook: I thought about it
[20:04:44] <jdstrand> re apache/apparmor
[20:04:52] <keescook> hehe, me too! :)
[20:04:56] <keescook> [topic] cve review
[20:05:18] <keescook> anyone have any open CVE concerns? I've got nothing myself, but I like having this place holder just in case.
[20:05:53] <\sh> keescook: how do we proceed with sec fixes for issues which don't have a CVE filed
[20:05:57] <\sh> ?
[20:06:27] <jdstrand> \sh: we track these by CVE typically-- do you have a particular thing in mind?
[20:06:36] <keescook> \sh: we can follow the same processes, but generally, we should request CVE for issues that need them
[20:07:11] <keescook> [link] https://wiki.ubuntu.com/SecurityUpdateProcedures
[20:07:17] <keescook> there is a small section on requesting a CVE
[20:07:46] <keescook> err... there was.
[20:07:56] <joejaxx> lol
[20:08:14] <\sh> jdstrand: lighttpd
[20:09:00] <keescook> [action] keescook to (re?)add CVE request procedure to SUP wiki page
[20:09:21] <keescook> \sh: I opted to let lighttpd publish without the CVE (since it was ready to publish)
[20:09:49] <keescook> basically, we contact mitre and vendor-sec and ask for one.
[20:10:09] <keescook> okay, moving on...
[20:10:11] <jdstrand> \sh: does this have an LP bug?
[20:10:34] <\sh> jdstrand: jepp...sec
[20:10:40] <keescook> [topic] selinux progress
[20:10:52] <\sh> jdstrand: bug #195380
[20:10:53] <ubotu> Launchpad bug 195380 in lighttpd "lighttpd crashes in some cases and giving a remote DoS possibility" [Medium,In progress] https://launchpad.net/bugs/195380
[20:10:57] <propagandist> :o) Most packages have made it into upstream.
[20:10:59] <keescook> propagandist, jason_tang: things seem pretty cool
[20:11:12] <jason_tang> spiffy
[20:11:16] <joejaxx> :)
[20:11:18] <keescook> I installed a selinux vm. I have no idea what I'm doing in it, but "sestatus -v" seems happy ;)
[20:11:20] <propagandist> hooray ;o}
[20:11:24] <joejaxx> keescook: lol :D
[20:11:29] <propagandist> SETools 3.3.3 was released and is in the PPA now. I'll be posting it to revu this week.
[20:11:33] <jdstrand> \sh: thanks
[20:11:35] <keescook> propagandist: okay, cool
[20:11:36] <jason_tang> extra spiffy
[20:11:48] <propagandist> Some packages (refpolicy, selinux, and selinux-basics) need to be deleted from the PPA so that their version can be sync'd with upstream. If there aren't any objections I'll do that after the meeting today.
[20:11:57] <keescook> propagandist: did you catch the issues with libselinux and libsepol that got uncovered over the weekend?
[20:12:09] <propagandist> with pkg-config?
[20:12:12] <keescook> yeah
[20:12:23] <propagandist> yes, i've pulled those into bzr and posted to the ppa today
[20:12:30] <propagandist> they'll get pushed to revu as well
[20:12:41] <keescook> okay, excellent. is there hope that those changes will get into upstream?
[20:13:01] <propagandist> I would think so :o)
[20:13:01] <keescook> for note, I've already uploaded the fixed packages to the archive
[20:13:23] <keescook> propagandist: cool. is that something you can drive? I'm not sure where to send the patches
[20:13:38] <propagandist> I made some adjustments to the .pc changes though that I think will be easier to upstream (I removed the DESTDIR changes)
[20:13:54] <propagandist> keescook: yup i can submit them for us
[20:14:31] <propagandist> keescook: Any update on ubuntu-standard apparmor-utils=>security-utils?
[20:14:39] <keescook> propagandist: okay, cool -- I did think it was a bit funny-looking that way. what was your solution for handling "prefix" in the .pc file?
[20:15:09] <keescook> propagandist: now that I've got my selinux vm, I can more easily see/test the virtual package need there.
[20:15:36] <keescook> I will get that into the archive this week -- it should be a very simple fix -- I just wanted to let the new packages settle for a bit
[20:16:24] <keescook> propagandist: is it intentional to have the X login be unconfined?
[20:16:40] <propagandist> keescook: i left it as the combined DESTDIR+prefix... thats not really optimal, but removing destdir will require a bit more work due to the way its being used currently
[20:17:03] <propagandist> keescook: kk
[20:17:09] <propagandist> keescook: um... no
[20:17:09] <keescook> propagandist: well, the requirement is that the .pc file reports the correct thing. :) how that happens doesn't matter. ;)
[20:17:21] <propagandist> keescook: ;o} sounds like a bug to me
[20:17:57] <propagandist> I'm going to keep a closer eye on the lp bugs if you want to put it there
[20:18:14] <keescook> propagandist: okay, I did an alpha5 install, then dist-upgrade, apt-get purge apparmor, apt-get install selinux, reboot, reboot, login, sestatus => "unconfined"
[20:19:23] <keescook> propagandist: okay, I'll file the bug
[20:19:30] <propagandist> keescook: :o}
[20:19:39] <keescook> [action] keescook to file "unconfined" selinux bug
[20:19:58] <keescook> propagandist: beyond setools and the virtual package, is there any outstanding in your view?
[20:20:21] <propagandist> keescook: nope, everything looks like its coming together nicely
[20:21:00] * propagandist is excited to hear about the gui tools ;o}
[20:21:00] <keescook> excellent! :)
[20:21:06] <keescook> [topic] selinux gui utils
[20:21:09] <joejaxx> hi
[20:21:10] <joejaxx> :)
[20:21:12] <keescook> :)
[20:21:39] <joejaxx> setroubleshoot is almost done packaging wise i just need to fix something to be in compliance with ubuntu policy
[20:21:55] <joejaxx> there are still some redhat/fedora specific things i need to investigate
[20:22:13] <keescook> joejaxx: is there any beta in REVU or something to poke at early?
[20:22:27] <joejaxx> i should have the other gui tools done soon as well (system-config-selinux and the policycoreutils-gui)
[20:22:49] <joejaxx> keescook: nope not yet i should upload to ppa ( or revu since that sounds better)
[20:23:35] <jdstrand> joejaxx: is the system-config-selinux standalone, or does it need other redhat stuff (IIRC it is python and other libs)
[20:23:41] <jdstrand> ?
[20:23:47] <joejaxx> the latter is actually a patch on policycoreutils so i am wondering how i should go about that
[20:24:09] <keescook> joejaxx: is it a bolt on? or does it need a patch to make the -gui work?
[20:24:10] <jdstrand> by 'it' I mean 'system-config-*' tools
[20:24:18] <jdstrand> in general
[20:24:36] <joejaxx> jdstrand: standalone i believe, we already have system-config-printer
[20:24:53] <joejaxx> keescook: the patch is the gui code
[20:25:15] <joejaxx> grr i wish i would have posted it somewhere http accessible so i could show you all
[20:25:31] <keescook> joejaxx: hm... is there some way to keep it external? the feature freeze makes it hard to add a feature to a package, but easy to upload a NEW package. :)
[20:26:02] <joejaxx> keescook: yeah, i will have to look further into it
[20:26:05] <joejaxx> :)
[20:26:14] <joejaxx> i will do that before the end of this business week
[20:26:39] <keescook> joejaxx: cool, that sounds good.
[20:26:41] <joejaxx> :)
[20:27:00] <keescook> do we need to have auditd running when using any of these things?
[20:27:16] <joejaxx> for setroubleshoot yes
[20:27:37] <joejaxx> but you can have it review log files as well
[20:27:42] <keescook> okay. I think mathiaz is actually intending to get it into main for intrepid
[20:28:00] <joejaxx> ok great
[20:28:30] <keescook> anything we can help with for the gui bits?
[20:29:36] <joejaxx> keescook: yes if you are knowledgeable with the python policy it would help :D
[20:29:41] <joejaxx> i will upload it to revu later
[20:29:57] <keescook> oops. I'm a newb there. ;) we can find someone :)
[20:30:03] <joejaxx> ;)
[20:30:06] <keescook> okay, so, once on REVU, we can poke at it. :)
[20:30:11] <jdstrand> there is a good link-- getting it...
[20:30:16] <andrea-bs> joejaxx: I know python a bit well
[20:30:23] <keescook> eek, meeting half-over....
[20:30:27] <jdstrand> http://wiki.debian.org/DebianPython/NewPolicy
[20:30:31] <jdstrand> joejaxx: ^^
[20:30:34] <joejaxx> jdstrand: ok thanks
[20:30:49] <joejaxx> keescook: perhaps we should move on to the next topic for time sake?
[20:30:51] <keescook> [topic] hardening wrapper testing
[20:31:18] <keescook> so, I started trying to do some benchmarks for fun and discovered that mplayer doesn't compile with PIE
[20:31:29] <keescook> PIE will fail for applications with raw assembly...
[20:31:45] <keescook> since those are, by definition, not relocatable in most cases. :(
[20:31:45] <NthDegree> PIE seems to have issues with apps that want PIC too
[20:32:20] <crimsun_> what portion of main does that affect?
[20:32:22] <keescook> NthDegree: afaict, an executable can link with either PIC or PIE objects
[20:32:35] <keescook> (PIE is just a "lesser" PIC)
[20:32:48] <NthDegree> i've had a few errors where it's asked to recompile with -fPIC
[20:33:20] <jdstrand> keescook: when is it ok to issue FTBFS bugs against the packages, when intrepid opens?
[20:34:01] <keescook> NthDegree: right, those are .o's that are neither -fPIC nor -fPIE, from what I've been able to tell (i.e. they are not relocatable at all)
[20:34:35] <NthDegree> ah
[20:35:35] <keescook> and the things that I've found that don't get -fPIC/-fPIE during a compile (with the wrappers) are .S files
[20:35:40] <keescook> (things going through "as")
[20:36:05] <keescook> those .o files are not relocatable... and some may not be able to be defined that way... it kind of depends.
[20:36:30] <keescook> [agreed] we need to take a closer look at things like mplayer
[20:36:50] <keescook> NthDegree: what were you compiling that failed? (and did compiling with DEB_BUILD_HARDENING_PIE=0 help?)
[20:37:53] <NthDegree> keescook: err large'ish things... KDE was one of my attempts
[20:38:13] <keescook> jdstrand: we should open them now, actually, but note them with the tags from the wiki page:
[20:38:29] <keescook> https://wiki.ubuntu.com/Security/HardeningWrapper
[20:38:41] <keescook> "hardening-ftbfs"
[20:38:46] <jdstrand> cool
[20:39:12] <keescook> crimsun_: it's unclear...
[20:39:28] <keescook> but probably everything with asm in it
[20:39:41] <keescook> which is, ironically, the things I'd want to protect most with PIE. ;)
[20:39:49] * jdstrand just had a thought that we could compile select packages with hardening wrapper for hardy-- and release with it (eg tasksel server packages might be a start)
[20:40:05] <jdstrand> but I realize this is probably too late because of FF
[20:40:06] <keescook> ah, as a ppa, perhaps?
[20:40:19] <jdstrand> I was thinking for release, ideally
[20:40:25] <jdstrand> we Build-Depends on it
[20:40:56] <keescook> yeah... makes me nervous to do it this late... but perhaps should be considered more carefully
[20:41:01] <keescook> (before ruling it out)
[20:41:15] <keescook> what would people nominate for this?
[20:41:18] <jdstrand> maybe this is an #ubuntu-server topic too
[20:41:25] <keescook> i.e. what packages?
[20:41:34] <crimsun_> daemons listening on non-localhost?
[20:42:04] <keescook> openssh, while not compiled with some of the other things, is compiled with PIE.
[20:42:06] <jdstrand> my thoughts were things in main that ship on the server cd that open a port
[20:42:27] <jdstrand> cups might be another candidate
[20:42:36] <jdstrand> dhcpd
[20:42:49] <jdstrand> dhcp3-client (or whatever its called)
[20:42:54] <keescook> jdstrand: would you make a list of candidates and put them in the wiki under the roadmap?
[20:43:03] <jdstrand> keescook: I can do that
[20:43:15] <keescook> [action] jdstrand to make a list of possible candidates for early hardening in hardy
[20:43:33] <keescook> okay, moving on...
[20:43:43] <keescook> [topic] pentest team organization
[20:43:50] <astharot> hello
[20:43:55] <joejaxx> hi
[20:44:03] <astharot> I'll talk about this instead of emgent :)
[20:44:08] <keescook> https://wiki.ubuntu.com/UbuntuPentest#head-9a8d1f8d2cdf1209688c579b0b9dea5610015391
[20:44:10] <astharot> i'll be quick, 15 minutes left
[20:44:14] <keescook> [link] https://wiki.ubuntu.com/UbuntuPentest#head-9a8d1f8d2cdf1209688c579b0b9dea5610015391
[20:44:45] <astharot> all the people involved into the team are pleased to subscribe to the ML
[20:44:50] <astharot> http://lists.launchpad.net/ubuntu-pentest/
[20:45:11] <keescook> [action] pentesters subscribe to private pentest list
[20:45:15] <astharot> yep
[20:45:16] <astharot> then
[20:45:47] <astharot> keescook: emgent told me that you should know something about platforms census
[20:45:56] <keescook> I don't yet have an infrastructure machine list, IS would like to know what the plans for them are first. :)
[20:45:57] <astharot> and that you have to discuss with him via mail
[20:46:42] <astharot> uhm I think that by knowing the "volume" of the platforms, the criticism and everything related about the productivity we could start thinking a plan
[20:47:06] <astharot> otherwise, how to plan if we don't know what to do?
[20:47:32] <joejaxx> we should probably draft up policies first
[20:47:51] <astharot> yep, CoC is the next point :)
[20:47:52] <keescook> I'd like to at least have an outline. e.g. 1) check for XSS in webservices a, b, c. 2) check for ... etc
[20:47:55] <joejaxx> on how to go about things :)
[20:48:02] <joejaxx> keescook: same here
[20:48:23] <astharot> ok so we should first define the tasks that people will perform on platforms
[20:48:24] <keescook> right, CoC will get written before the week is up. jdstrand and I are face-to-face this week (server team meeting)
[20:48:34] <astharot> perfect
[20:48:48] <astharot> then
[20:48:50] <keescook> astharot: that's my thinking. I'm going to have a hard time convincing IS to help until they're comfortable with what's going to happen. :)
[20:49:09] <astharot> ok so, task definition in todo list
[20:49:43] <astharot> please add it, dunno how to do it :P
[20:49:58] <keescook> [action] pentest team to define tasks for TODO list
[20:50:09] <keescook> does that capture the task description correctly?
[20:50:14] <astharot> yep
[20:50:34] <keescook> the template looks good
[20:50:36] <astharot> then, I prepared a draft of the pentest report
[20:50:39] <astharot> https://wiki.ubuntu.com/UbuntuPentest/ptreport/template
[20:50:41] <keescook> https://wiki.ubuntu.com/UbuntuPentest/ptreport/template
[20:50:43] <keescook> heh
[20:50:43] <astharot> yes
[20:50:57] <astharot> so, approval?
[20:50:57] <keescook> (why do some links need [link]?)
[20:51:00] <keescook> [link] https://wiki.ubuntu.com/UbuntuPentest/ptreport/template
[20:51:05] <keescook> sure, looks good.
[20:51:19] <joejaxx> keescook: maybe it does not like https
[20:51:21] <joejaxx> :P
[20:51:24] <keescook> ah
[20:51:53] <astharot> then, emgent is working on "anteater" that should be something automatic to send directly the report to launchpad as bug
[20:51:56] <astharot> https://wiki.ubuntu.com/UbuntuPentest/ptreport
[20:52:04] <keescook> [link] https://wiki.ubuntu.com/UbuntuPentest/ptreport
[20:52:24] <astharot> he has to finish it then he will make a package and will update it on bazaar or ppa
[20:52:31] <keescook> okay, sounds good
[20:53:10] <keescook> are there new pentest members to approve?
[20:53:11] <astharot> last point
[20:53:39] <astharot> everything related to ubuntu-pentest should be discussed and approved by every member of the team
[20:53:57] <astharot> I don't think there will be new people involved, AFAIK
[20:54:01] <keescook> astharot: unanimous approvals may be tricky
[20:54:03] <astharot> at least, atm
[20:54:09] <jdstrand> astharot: I am assuming that the bug will be marked private as well as security?
[20:54:09] <astharot> why tricky?
[20:54:20] <astharot> jdstrand: yes that's the plan
[20:54:43] <keescook> astharot: it can just be hard to reach 100% agreement some times.
[20:55:12] <joejaxx> /win 116
[20:55:14] <joejaxx> bah
[20:55:14] <keescook> I think simple majority should work in most cases.
[20:55:20] <astharot> ye sure, I think that he wanted to say that every member should vote, not only older or "admins"
[20:55:23] <keescook> [agreed] joejaxx has too many windows
[20:55:36] <keescook> astharot: ah! okay, then I agree there.
[20:55:47] <astharot> perfect
[20:55:47] <keescook> running out of time again....
[20:55:52] <astharot> I've done :)
[20:55:56] <jdstrand> haha
[20:56:03] <astharot> hands up \o/
[20:56:06] <joejaxx> hahaha
[20:56:13] <jdstrand> re joejaxx' windows
[20:56:31] <keescook> so, should we start this meeting an hour earlier in two weeks? we seem to always run out before discussing cve-ubuntu-tracker
[20:56:35] <keescook> and the todo lists, etc
[20:56:40] <joejaxx> that sounds good
[20:56:41] <keescook> [topic] scheduling
[20:57:01] <keescook> anyone else have issues with it?
[20:57:09] <jdstrand> fine by me
[20:57:15] <propagandist> sounds good to me
[20:57:16] <keescook> joejaxx: sorry to defer the topics again. :(
[20:57:22] <andrea-bs> that's better for me
[20:57:24] <keescook> joejaxx: anything you can quickly cover about todo list ideas?
[20:57:30] <keescook> [topic] todo list
[20:57:37] <joejaxx> same
[20:57:39] <joejaxx> keescook: it is quite alright
[20:57:42] <joejaxx> keescook: we can leave that for next time :)
[20:58:02] <keescook> okay, well, I'd like to shake out the Roadmap to really outline all the kick-ass work we're doing
[20:58:08] <joejaxx> yeap
[20:58:36] <keescook> okay, next meeting: Mar 12, 1900UTC
[20:59:05] <joejaxx> thanks everyone! :)
[20:59:06] <keescook> thanks everyone for coming! we'll cover more next time around. :)
[20:59:07] <astharot> good
[20:59:14] <jdstrand> thanks keescook! :)
[20:59:16] <keescook> #endmeeting
Meeting ended.

MeetingLogs/Security/20080227 (last edited 2008-08-06 16:14:05 by localhost)