20080508
Meeting
End: 20:00 UTC
Where: #ubuntu-meeting on irc.freenode.net
Chaired By: KeesCook
Agenda for this meeting
These items will be discussed at the next meeting:
- CVE review
  - Open CVE lists, graphs - KeesCook
- SELinux status - ChadSellers
- Hardy review
- Intrepid planning
  - Hardened compiler options
- UDS
- <topic> - <name>
- Next meeting time
Notes
Log
20:00 -!- ubottu changed the topic of #ubuntu-meeting to: Current meeting: Ubuntu Security Team meeting | Calendar: http://fridge.ubuntu.com/event | Logs: https://wiki.ubuntu.com/MeetingLogs/ | 09 May 04:00 UTC: MOTU | 14 May 06:00 UTC: Platform Team | 14 May 21:00 UTC: Server Team | 15 May 13:00 UTC: Desktop Team
20:01 < kees> #startmeeting
20:01 -!- mdz [n=mdz@217.207.76.231] has quit [Read error: 110 (Connection timed out)]
20:01 < kees> err
20:01 < kees> no mootbot?
20:01 < kees> well, I can paste logs manually. :)
20:01 < mra> heh
20:02 < kees> so, who all is here for the security team meeting?
20:02 < propagandist> heyya ;o]
20:02 < mra> I am
20:02 < jdstrand> o/
20:02 < kees> alright, let's get started. Current Agenda is here:
20:03 < kees> https://wiki.ubuntu.com/SecurityTeam/Meeting
20:03 < kees> I don't see emgent, so I'll dropped the whitehat topic for now.
20:03 < kees> [topic] CVE review
20:03 -!- SEJeff [n=jeff@66.151.59.138] has joined #ubuntu-meeting
20:04 < kees> we've got a bunch of things cooking
20:04 < kees> any CVEs anyone is interested in working on?
20:05 < jdstrand> I might suggest https://bugs.launchpad.net/ubuntu/+source/speex/+bug/218652
20:05 < ubottu> Launchpad bug 218652 in xine-lib "CVE-2008-1686: Multiple speex implementations insufficient boundary checks" [Undecided,In progress]
20:05 < jdstrand> I am handling xine-lib, gstreamer, speex and vorbis-tools, but there are a lot of universe packages that need it
20:06 < kees> yeah, it's a pretty long list.
20:06 < jdstrand> it's an easy patch
20:06 < jdstrand> but a lot of packages
20:06 -!- RoAkSoAx [n=roaksoax@190.42.82.9] has quit [Remote closed the connection]
20:07 < kees> also on the horizon is a kernel update, probably early next week. it's being built currently.
20:07 < kees> in an effort to increase CVE visibility, jdstrand and I have built a web area that is exported regularly from the ubuntu-cve-tracker bzr tree:
20:07 < kees> http://people.ubuntu.com/~ubuntu-security/cve/open.html
20:08 -!- juliux [n=juliux@ubuntu/member/juliux] has quit [Read error: 104 (Connection reset by peer)]
20:08 < jdstrand> kees: do you want to advertise that link, since it's a symlink?
20:08 < kees> (and some graphs as well: http://people.ubuntu.com/~ubuntu-security/cve/open-cves.png)
20:08 < jdstrand> (I don't care, but I thought since it isn't official yet, we could use the real one)
20:09 < kees> jdstrand: an index.html needs to be built up, but it's a reasonable starting point for the moment.
20:09 < jdstrand> fair enough
20:09 -!- juliux [n=juliux@ubuntu/member/juliux] has joined #ubuntu-meeting
20:09 < mra> it looks good so far
20:10 < kees> any help with open CVEs (especially testing) is, of course, greatly appreciated. :)
20:10 < jdstrand> absolutely!
20:11 < jdstrand> :)
20:11 < kees> okay, moving on...
20:11 < kees> [topic] SELinux status
20:12 < kees> propagandist: how goes selinux in the final hardy release? I haven't seen many complaints.
20:12 < propagandist> kees: other than a few bugs, its going well
20:13 < mra> is there any way to see how many people have switched over to it?
20:13 < propagandist> That would be interesting to know...
20:14 < jdstrand> popularity-contest could give a relative idea
20:14 < jdstrand> but I don't know how many people use that
20:14 < kees> http://popcon.ubuntu.com/
20:14 < kees> I'm not sure how to examine just hardy, though
20:15 -!- juliux [n=juliux@ubuntu/member/juliux] has quit [Remote closed the connection]
20:16 < kees> 42 people are using it says popcon. :)
20:16 < kees> so, I suspect that's not a useful number.
20:16 -!- Keybuk [n=scott@82.153.206.3] has joined #ubuntu-meeting
20:16 < mra> that's pretty good for how new it is
20:16 < kees> propagandist: any specific plans for intrepid?
20:17 < propagandist> kees: some additional policies for maybe apache and xguest (just suggestions) and some work to sync up with debian as much as possible
20:18 < kees> propagandist: sounds good.
20:18 < propagandist> I'm open to suggestions as well
20:18 < jdstrand> propagandist: I'm surious as to what you'll come up with to contain apache, especially wrt virtual hosts, php and perl
20:18 < jdstrand> s/surious/curious/
20:18 -!- RoAkSoAx [n=roaksoax@190.42.82.9] has joined #ubuntu-meeting
20:19 < kirkland> kees: sorry, missed the roll call, belated, "here"
20:19 < kees> propagandist: btw, is anyone from tresys coming to UDS?
20:19 < kees> heya kirkland, no worries. :)
20:19 < propagandist> jdstrand: ;o] me too... I'll be using the current refpol as a starting point, but after that we'll see
20:19 -!- qwertyu [n=qwertyu@84.76.94.4] has joined #ubuntu-meeting
20:19 -!- awen_ [n=andreas@0x50a061ae.glnqu1.broadband.tele.dk] has joined #ubuntu-meeting
20:19 < propagandist> jdstrand: I'll try to keep everyone updated on the plan for that
20:20 < propagandist> kees: I don't think so. It's in Prague yes?
20:20 -!- Keybuk__ [n=scott@82.153.206.3] has joined #ubuntu-meeting
20:20 < jdstrand> propagandist: I mention that, because I was hoping at some point to do the equivalent with apparmor, but the way apache is packaged now doesn't really help with profiling :?
20:20 < jdstrand> mathiaz and I started a conversation on it, but we may talk about it more at UDS
20:21 < kees> propagandist: yea, prague
20:21 < jdstrand> propagandist: it might be a several release process to get apache in shape-- especially since we would want to get Debian involved
20:21 < propagandist> jdstrand: true true
20:21 -!- Keybuk__ [n=scott@82.153.206.3] has quit [Read error: 104 (Connection reset by peer)]
20:22 < kees> okay, moving on...
20:23 < kees> [topic] hardy review
20:23 < kees> while CVEs should really cover stuff in hardy, is there anything people wanted to talk about relating to the release?
20:23 < kees> anything to do better/different for intrepid, etc?
20:23 < SEJeff> Blog about the proactive security work
20:24 < SEJeff> We have smack and we also have capabilities support in the kernel
20:24 < SEJeff> Why not work on cutting down on suid root binaries?
20:24 < mra> that one can be tough because you can quickly cause usability problems
20:24 < kees> SEJeff: I've tended to blob about the things I'm directly involved in. are those other two areas ones you could blog about?
20:24 < SEJeff> I started work on this awhile back: https://wiki.ubuntu.com/Security/Investigation/Setuid
20:25 -!- Keybuk [n=scott@82.153.206.3] has quit [Read error: 104 (Connection reset by peer)]
20:25 < kees> SEJeff: it looks like a pretty short list so far, which is good.
20:25 < SEJeff> kees, If we start writing patches to make some of those utilities only check the caps instead of the uid, would the patches get accepted into ubuntu if it takes awhile for upstream to adopt?
20:26 < kees> SEJeff: yup -- as long as there was no loss in functionality, I'd be happy to see them in Ubuntu.
20:26 < jdstrand> SEJeff: seeing that list, cupsys shouldn't be as big of a concern-- it is protected via apparmor by default (pitti purposely dropped the extensive derooting patch IIRC because of the use of apparmor)
20:26 < SEJeff> Here's the email about this I initially sent: https://lists.ubuntu.com/archives/ubuntu-hardened/2007-October/000227.html
20:26 < kees> I'd prefer they get passed up through Debian and upstream too, of course.
20:26 < SEJeff> Of course
20:27 < SEJeff> THats the goal, but gnu utilities maintainers are notorious for taking a LONG time for stuff like that.
It took ages for the selinux folks to get the -Z options into upstream
20:28 < kees> yeah, understood, but having a LP bug linked to the upstream bug with the patch will go a long way towards being able to show where things stand for each package.
20:28 < kees> (and those LP bugs could be linked to from the wiki page)
20:28 < SEJeff> I also still owe you guys a version of ubuntu-cve-tracker that supports tablesorting. tablekit was just too heavyweight because of prototype.js
20:28 < SEJeff> I got it working and didn't like it so dropped it
20:28 < kees> heh
20:29 < jdstrand> SEJeff: oh yea-- I reworked the table slightly-- shouldn't affect too much based on what I saw of your previous work
20:29 < kees> I think we've gotten into intrepid so...
20:29 < kees> [topic] intrepid
20:29 < jdstrand> s/yea/yeah/
20:30 < kees> besides working on what interests people from the roadmap (and/or adding more things to the roadmap), there's at least one area I'd like to cover here: hardened compiler options
20:30 < kees> the testing done with the hardening-wrapper was a success, and as a result, the majority of its features were put directly into the gcc defaults
20:31 < kees> due to the need for a central place to document this, I wrote up: https://wiki.ubuntu.com/CompilerFlags
20:31 < jdstrand> \o/
20:31 < jdstrand> *awesome* work and tenacity kees! :)
20:31 < kees> *whew* thanks. I have to thank infinity and doko as well. :)
20:31 < kees> and of course, everyone else who did testing of the wrapper
20:32 < SEJeff> Thats a huge win
20:32 < jdstrand> yea infinity and doko !
20:32 < kees> -D_FORTIFY_SOURCE=2 is by far going to be the biggest glitch-causer, but the result will be better code overall
20:32 < kees> now, as far as PIE, there were many good concerns raised, so we'll discuss it further at UDS. I'm pushing for PIE-by-default on amd64.
20:33 < jdstrand> it's for the mergers to fix right?
;P
20:33 < SEJeff> Ubuntu needs a page just like this: http://fedoraproject.org/wiki/Security/Features that is "marketed"
20:33 < kees> jdstrand: heh. well, and anyone else watching the automated import build failures...
20:33 < kees> SEJeff: absolutely. I actually have something a little like it, but it was rather ... bare ... until recently.
20:33 < jdstrand> SEJeff: http://www.ubuntu.com/products/whatisubuntu/serveredition/features/security
20:34 -!- knightlust [n=radio@ubuntu/member/knightlust] has joined #ubuntu-meeting
20:34 < kees> the URL from jdstrand is a result of some of that "marketing" work
20:34 < kees> I want a matrix, though, too.
20:34 < jdstrand> nijaba wrote a lot of that
20:34 * jdstrand nods
20:35 < kees> another area of work I'd like to see is on getting PIE-by-default for various daemon's builds. it's the same list that was put together before, but the goal here would be to make it part of the build system, and to avoid the need for a wrapper.
20:36 < kees> specifically: https://wiki.ubuntu.com/Security/HardeningWrapper#targets
20:36 < jdstrand> kees: you mean debian/rules?
20:36 < kees> jdstrand: yeah.
20:36 < kees> there is some example of how to do this in openssh, and is rather painful.
20:36 < jdstrand> a lot of those are already quite different from Debian, so that shouldn't be a big deal
20:37 < kees> while the wrapper is an easy way to test that the build and execution would work, I'd like to get a common "configure" macro or something to do it.
20:37 < jdstrand> (just the act of carrying the diff that is)
20:37 * kees nods
20:37 < jdstrand> kees: what about dh_hardening
20:37 < jdstrand> ?
20:37 < kees> hunh. probably more of a makefile include, but yeah, that's a great idea.
20:38 < kees> while not hugely popular yet, 10 debian source packages are using the hardening wrapper -- including quagga.
20:40 < jdstrand> IIRC, there seems to be quite a bit of interest though
20:40 < kees> yeah, even those few packages really put it through its paces.
20:41 < kees> wrung out a few odd-ball bugs
20:41 < kees> anyway...
20:41 < jdstrand> my main focus in terms of intrepid development is more work on ufw
20:41 < kees> we'll have more of an idea about the 'official' focus on security work after UDS.
20:41 < jdstrand> specifically package integration-- which is one of the topics at UDS
20:42 < SEJeff> Zelut has been working on ufw support for kickseed
20:42 < kees> I'm excited about that. It should be very interesting. :)
20:42 < SEJeff> indeed
20:42 < SEJeff> But for it to get into debian, that will probably have to use iptables
20:42 < jdstrand> SEJeff: yep-- been talking to him a bit about it
20:42 -!- nand [n=nand@48.150-226-89.dsl.completel.net] has quit ["Bye!"]
20:42 < jdstrand> SEJeff: ? ufw is just a front-end for iptables
20:42 < SEJeff> We'll work more on kickseed later on.
20:43 < jdstrand> oh, the kickseed part
20:43 < SEJeff> jdstrand, yes, and kickseed is in debian-installer
20:43 < SEJeff> but is ufw in debian by default? not so much
20:43 * jdstrand doesn't think it's in Debian at *all* yet...
20:43 < kees> jdstrand: couldn't hurt to find a DD (*cough*) to sponsor it...
20:44 < jdstrand> heh
20:44 < jdstrand> it's on my todo list
20:44 < kees> :)
20:45 < jdstrand> I think I'd like to separate out debian/ from the bzr branch, but need to think about it some more
20:45 < kees> anything else to cover? anything to bring up at UDS that isn't already in the roadmap?
20:45 < jdstrand> (I could look at what lamont does with bind9 for inspiration)
20:45 < SEJeff> kees, Focus on proactive security more. You've been doing a heck of a job so far. Don't stop
20:46 < kees> thanks; I'd like to do more.
:)
20:46 < jdstrand> SEJeff: that's another thing I hope to do-- add some more default enforcing apparmor profiles
20:47 < kees> [topic] next meeting
20:47 < kees> two weeks would be UDS.
20:47 < SEJeff> kees, Speaking of that. 1 last thing from me
20:48 < kees> how about we push to the 29th, so we can review UDS discussions?
20:48 < kees> SEJeff: sure
20:48 < SEJeff> Seeing as how Apparmor getting upstream still is stalled... and Smack is a MAC framework "aligning with Ubuntu's use cases"
20:48 < SEJeff> Why not look into migrating to SMACK
20:48 < SEJeff> It might seem radical, but you don't get the weird errors with things like the btrfs bug I sent to the list
20:48 < jdstrand> I'm on vacation on the 29th
20:49 < jdstrand> (that whole week actually)
20:49 < kees> SEJeff: true, it's worth looking into. the main benefit with AA currently is the help we're getting from AA upstream with bugs, etc.
20:49 < SEJeff> Sure, because you are 1 of 2 users
20:49 * kees nods
20:50 < SEJeff> SMACK upstream would have similar responses /me thinks
20:50 < kees> agreed. there's a price to switching, but intrepid would certainly be a good time to examine that.
20:50 < SEJeff> ANd smack is upstream, so it causes less problems than anything out of tree
20:50 < mra> Casey is pretty good, the only real drawback is there is only one of him
20:51 < SEJeff> mra, and Crispin Cowan works for Microsoft now.
20:51 < mra> yes, but he hasn't been the one pushing patches for a while now
20:51 < kees> SuSE still has developers on AA, so I'm not freaking out just yet.
20:51 < mra> I'm just saying AA has less to worry about from freak bus accidents
20:52 < SEJeff> kees, They have commercial support contracts in place. Of course they will support it
20:52 < kees> but I'm quite glad to have the tresys folks working with Ubuntu too. :)
20:52 < propagandist> What about SELinux (perhaps stating the obvious here)?
20:52 < propagandist> kees: :o)
20:53 < kees> propagandist: yup, that would be on the list too. I've personally been more interested in "choice", but obviously we needed to pick something originally to run with.
20:53 < SEJeff> If I ever get time (maybe maybe not) I'll work on setroubleshootd
20:53 < jdstrand> propagandist: I am super excited about the selinux work that's happened so far
20:53 < propagandist> SEJeff: that would be awsome, I think joejaxx had a working/almost working package of it
20:53 < jdstrand> :)
20:54 < SEJeff> noted
20:54 < SEJeff> What about polgen-gui?
20:54 < SEJeff> ANyone working on that?
20:54 -!- mbudde [n=michael@87.61.168.49] has quit [Remote closed the connection]
20:54 < kees> okay, so proposed meeting time: 2000 UTC, here, June 5th.
20:54 < SEJeff> You give them that and people can't say SELinux is hard anymore
20:54 < jdstrand> kees: wfm
20:54 < propagandist> kees: sounds good to me
20:55 < propagandist> SEJeff: ;o]
20:55 -!- OgMaciel [n=omaciel@foresight/developer/OgMaciel] has quit ["Ex-Chat"]
20:55 < mra> kees: that works
20:55 < propagandist> SEJeff: I don't think anyones started on that (maybe joejaxx though)
20:56 < kees> alright. thanks everyone!
20:56 < kees> #endmeeting
20:56 < jdstrand> thanks kees!
20:56 < propagandist> thanks ;o]
MeetingLogs/Security/20080508 (last edited 2008-08-06 16:23:05 by localhost)