20080605

Meeting

Agenda for this meeting

These items will be discussed at the next meeting:

Notes

Log

=== ubottu changed the topic of #ubuntu-meeting to: Current meeting: Security Team | Calendar: http://fridge.ubuntu.com/event | Logs: https://wiki.ubuntu.com/MeetingLogs/ | 07 Jun 21:00 UTC: Marketing Team | 09 Jun 10:30 UTC: Michigan LoCo Bug Jam | 10 Jun 11:00 UTC: Asia and Oceania Ubuntu Membership Approval Board | 11 Jun 06:00 UTC: Platform Team | 11 Jun 17:00 UTC: QA Team
[20:50] <emgent> we can start ?
[20:50] <emgent> kees jdstrand wgrant ?
[20:52] <kees> emgent: we should wait for the actual time.  :)
[20:53] <slangasek> right, kinda defeats the purpose of publically scheduling the meetings otherwise..
[20:53] <emgent> oh true,
[20:53] <emgent> @schedule rome
[20:53] <ubottu> emgent: Schedule for Europe/Rome: Current meeting: Security Team | 07 Jun 23:00: Marketing Team | 09 Jun 12:30: Michigan LoCo Bug Jam | 10 Jun 13:00: Asia and Oceania Ubuntu Membership Approval Board | 11 Jun 08:00: Platform Team | 11 Jun 19:00: QA Team
[20:56]  * wgrant appears.
[20:57] <emgent> heya wgrant :)
[20:59] <wgrant> TOo-early morning, emgent.
[21:00] <kees> #startmeeting
[21:00] <MootBot> Meeting started at 15:01. The chair is kees.
[21:00] <MootBot> Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[21:00] <kees> [TOPIC] intros, if needed
[21:00] <MootBot> New Topic:  intros, if needed
[21:00] <kees> hello everyone!
[21:00] <kees> who's here for the Security Team Meeting?
[21:00] <CaseySchaufler> Casey Schaufler
[21:00] <emgent> me
[21:01] <kees> hiya CaseySchaufler, nice to meet you on IRC.  :)
[21:01] <CaseySchaufler> A pleasure
[21:01] <jdstrand> hi!
[21:01] <wgrant> Me!
[21:01] <wgrant> Hi CaseySchaufler.
[21:01] <CaseySchaufler> Hello wgrant
[21:02] <kees> since CaseySchaufler is new to this meeting, I thought we'd go around quickly and say who we all are and what we do on the security team at large
[21:02] <wgrant> \
[21:02] <wgrant> Oops.
[21:02] <kees> I'm Kees Cook, technical lead of the Ubuntu Security Team, and I do stable package updates and try to work on proactive security in development releases.
[21:03] <kees> I work at Canonical with jdstrand, and that's it for me.  :)
[21:03] <jdstrand> I'm Jamie Strandboge, Canonical employee, and work on the security with Kees
[21:04] <wgrant> I'm William Grant, a MOTU. I pretend to do universe security updates and try to keep ubuntu-cve-tracker, when uni doesn't waste so much time.
[21:04] <CaseySchaufler> I'm Casey Schaufler, and I wrote Smack, a really simple MAC scheme based on 20 years experiance with MLS Unix systems.
[21:04] <wgrant> *ubuntu-cve-tracker updated
[21:04] <wgrant> It is too early.
[21:04] <kees> wgrant: heh
[21:04] <kees> emgent: you're up.
[21:05] <emgent> I'm Emanuele Gentili, part of Security Team (community): Ubuntu Whitehat Leader and Motu Swat member. I work on auditing/pentest and I work in universe security updates.
[21:05] <kees> (wasn't ajmitch going to come this morning?)
[21:05] <kees> CaseySchaufler: for some background where it relates to MAC systems, I did the initial integration work for AppArmor (along with mathiaz (server team)) and jdstrand did many profiles that went into main packages.
[21:06] <kees> okay, our agenda for this meeting:
[21:06] <kees> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[21:06] <MootBot> LINK received:  https://wiki.ubuntu.com/SecurityTeam/Meeting
[21:06] <kees> if anyone has stuff to add, please add it to the wiki and let us know that we need to reload the page.  :)
[21:07] <emgent> ok cool :)
[21:07] <kees> I've got another thing I've got to leave for at about :40 after, so if things are still rolling, jdstrand is going to take over for me as chair.  (Though I have no idea how mootboot will deal with that...)
[21:07] <kees> [TOPIC] CVE review
[21:07] <MootBot> New Topic:  CVE review
[21:08] <jdstrand> we should go quickly though-- I don't have much time after that :)
[21:08] <kees> I was hoping we'd have ajmitch here since he was interested in the ubuntu-cve-tracker work
[21:08] <kees> anything you need merged for the tracker, wgrant?
[21:08] <kees> anything people are working on that they need help/direction on?
[21:09] <kees> (I'm personally testing stable kernel updates at the moment, which is a mess of outstanding CVEs...)
[21:09] <wgrant> kees: I've got a couple of smallish changes in my branch, but I've got a big exam in a little over a week so won't be doing much for a while.
[21:09] <emgent> for me not now
[21:09] <kees> wgrant: okay, no problem.  I'll pull the changes and just ping me when you've got more.  :)
[21:09] <kees> I was thinking about adding either per-release or per-package RSS feeds to the CVE tracker's HTML output directories.
[21:10] <kees> that way people interested in a specific package (like the partner repo folks) could track individual package's CVEs
[21:10] <emgent> sounds good
[21:10] <emgent> now i use RSS to for manage CVEs
[21:10] <kees> should be an easy addition to the "make" process.
[21:10] <emgent> s/to/too/
[21:11] <kees> emgent: cool, which RSS feed do you pull from now?
[21:11] <emgent> just a moment
[21:11] <emgent> [LINK] http://nvd.nist.gov/download/nvd-rss.xml
[21:11] <MootBot> LINK received:  http://nvd.nist.gov/download/nvd-rss.xml
[21:11] <emgent> and..
[21:12] <emgent> [LINK] http://nvd.nist.gov/download/nvd-rss-analyzed.xml
[21:12] <MootBot> LINK received:  http://nvd.nist.gov/download/nvd-rss-analyzed.xml
[21:12] <kees> cool, I wonder if we can build that into the check-cves process.  it's kind of pain to pull down so much XML each day.  :)
[21:12] <kees> okay, well, in the interests of time, let's forge ahead
[21:12] <kees> [TOPIC] UDS review
[21:12] <MootBot> New Topic:  UDS review
[21:13] <kees> sounds like every one had a good time at the conference -- anything outstanding people want to discuss?
[21:13] <kees> I was happy with how things worked out, but we're still a bit behind on the compiler hardening bits... it's coming though
=== nijaba` is now known as nijaba
[21:14] <emgent> soyuz for manage universe-update is in progress true?
[21:14] <kees> either doko or I need to fix a few toolchain tests, but the patches are now in a form that doko is happy with.
[21:14] <kees> emgent: right, it's coming along.  "private" PPAs are being developed now to support it.
[21:14] <emgent> ok cool.
[21:15] <kees> I don't have an ETA from them -- wish I did, so I could track the progress a little better.
[21:15] <kees> okay, moving on quickly...
[21:15] <jdstrand> I haven't done anything yet with ufw, other than upload a small bug fix in hardy-proposed
[21:15] <kees> [TOPIC] Smack
[21:15] <MootBot> New Topic:  Smack
[21:15] <kees> CaseySchaufler: what do we need to do to get Smack working happily in Ubuntu?
[21:15] <CaseySchaufler> Turn off SELinux. ...
[21:15] <emgent> lol :)
[21:16] <kees> I read http://schaufler-ca.com/ briefly, and was hoping to have something like https://help.ubuntu.com/community/AppArmor to follow
[21:16] <kees> CaseySchaufler: hah.  well, the MAC system is selectable at boot time.
[21:16] <emgent> [link] (22:15) ( CaseySchaufler) Turn off SELinux. ...
[21:16] <MootBot> LINK received:  (22:15) ( CaseySchaufler) Turn off SELinux. ...
[21:16] <kees> by default AppArmor is in used, but the SELinux integration work was done so that installing "selinux" would do all the magic needed to make it the default, set up policies, etc.
[21:16] <emgent> opss..
[21:16] <kees> having something like that for Smack would be great for people that wanted to use it.
[21:17] <CaseySchaufler> Really, there are a few things to do, sshd, login, cron, but the changes are much less than SELinux of AppArmor requires.
[21:17] <CaseySchaufler> There are no "application profiles" required.
[21:17] <CaseySchaufler> Smack looks at processes, not programs.
[21:17] <emgent> uhm..
[21:18] <kees> CaseySchaufler: well, step 1 is to make it usable.  step 2 would be to make all the profiles (what's Smack's term for this?) on par with the existing AppArmor ones.  steps after that would be evaluating our MACs to decide if we should switch our default.
[21:18] <kees> CaseySchaufler: what would be the steps as you see them to get Smack on par with the existing AppArmor protections?
[21:18] <CaseySchaufler> Step 1 is easy because of the Smack mindset that if the labels match, you're golden,
[21:19] <kees> how does Smack store its labels?
[21:19]  * wgrant saw something about xattrs.
[21:20] <CaseySchaufler> Step 2 is tough, the process label determines the access, not an attribute of the program.
[21:20] <CaseySchaufler> Labels are xattrs.
[21:20] <CaseySchaufler> So a profile is a user thing, not a program thing.
[21:20] <wgrant> To me, a combination of AppArmor and Smack sounds optimal, but I suppose that doesn't work.
[21:20] <kees> but there must be a way to define and write out the xattrs from some text file?
[21:20] <kees> wgrant: unfortunately, stacked LSM isn't very happy
[21:21] <emgent> gobby ?
[21:21] <CaseySchaufler> Smack supports file system default labels.
[21:21] <CaseySchaufler> Unless the xattr (SMACK64) is there, the fs default is used.
[21:21] <kees> do you mean DAC, or do you mean SELinux labels?
[21:22] <CaseySchaufler> This makes it easy to support xattr-less fs
[21:22] <kees> was Smack in 2.6.24 ?
[21:22] <CaseySchaufler> Smack in new to 2.6.25
[21:22] <kees> okay, dang.  so we'll have to wait for the first intrepid kernel upload before anyone can really play with it.
[21:23] <emgent> true
[21:23] <kees> well, I'm all for seeing something similar to what the SELinux folks did.  would you be interested in getting packages prepared to configure a Smack environment?
[21:23] <CaseySchaufler> SELinux uses labels of its own name, Smack uses labels too, but different ones
[21:23] <CaseySchaufler> There is no need to pre-label the file system.
[21:24] <kees> that's a plus.  :)
[21:24] <CaseySchaufler> If you want to, it's easy enough, but all files that come with the distro ought to be labeled with the floor label ("_").
[21:25] <CaseySchaufler> And because that's the default default, it's simple.
[21:25] <CaseySchaufler> Home directories and user files should get labeled.
[21:25] <kees> CaseySchaufler: for the next security meeting, could you prepare an example set of labels for replicating the cupsys AppArmor protections?
[21:25] <CaseySchaufler> I'm working on a busybox adduser to do that.
[21:26] <kees> that would let us compare things more easily
[21:26] <kees> also, I note that Smack doesn't hook file_mmap.  any reason for that?
[21:26] <CaseySchaufler> cupsys. Ok, I can do that .
[21:27] <CaseySchaufler> wrt file_mmap - you need to open the file to mmap it, so the MAC check is done.
[21:27] <kees> [ACTION] CaseySchaufler to write up example labels for cupsys + Smack
[21:27] <MootBot> ACTION received:  CaseySchaufler to write up example labels for cupsys + Smack
[21:27] <CaseySchaufler> Unlike SELinux, Smack processes rarely change their labels.
[21:27] <kees> what about MAP_FIXED handling, where no fd is involved?
[21:28] <CaseySchaufler> No quick answer to MAP_FIXED.
[21:29] <kees> okay, cool.   I'm mostly fishing due to a hiccup we encountered late in the release with AppArmor which used file_mmap, but didn't implement the default kernel's mmap_min_addr check (selinux had duplicated it, but our version of AppArmor didn't have it yet)
[21:29] <kees> anyway, I'm very interested in getting another MAC available, so I'm very happy you came to our meeting.
[21:29] <jdstrand> yes, thanks CaseySchaufler :)
[21:29] <CaseySchaufler> Because Smack uses simple interfaces and textstrings there are few ...
[21:30] <CaseySchaufler> libraries and helper apps required.
[21:30] <kees> yeah, it sounds very small :)
[21:30] <emgent> :)
[21:30] <CaseySchaufler> So it can fit in my brain.
[21:31] <kees> hheheh
[21:31] <emgent> lol
[21:31] <kees> alright, well, we're a little blocked waiting for the intrepid kernel, but after that, for next meeting maybe, we can start playing with it.
[21:31] <CaseySchaufler> Really, with SELinux or even AppArmor, it's very hard to tell if an access will succeed in advance and if not, why.
[21:32] <kees> CaseySchaufler: generally we meet every two weeks.  (UDS moved things a bit recently, though)
[21:32] <CaseySchaufler> OK. 2 weeks then?
[21:32] <kees> well, AIUI, that's not true with SELinux, which has extensive analysis tools, but I've never used them.
[21:32] <emgent> me too :\
[21:33] <kees> CaseySchaufler: I say "generally" because we schedule it at the end of the meeting, but we've got another topic coming.  stick around?
[21:33] <CaseySchaufler> Yes, it is true. The proof is that you need those extensive tools!
[21:33] <CaseySchaufler> Sure.
[21:33] <kees> CaseySchaufler: sure -- I'm a fan of "KISS"
[21:33] <kees> but my primary goal is to have admins able to make their own choices about the MAC they want.
[21:33] <CaseySchaufler> Didn't they break up?
[21:33] <wgrant> It's a lot harder to leave a gaping hole if you follow KISS.
[21:34] <CaseySchaufler> I agree.
[21:34] <kees> heh.  this KISS: http://en.wikipedia.org/wiki/KISS_principle
[21:34] <CaseySchaufler> Yes, I just couldn't resist.
[21:34] <kees> I couldn't tell -- don't know your sarcasm style yet.  :)
[21:34] <kees> moving forward...
[21:34] <emgent> :)
[21:34] <kees> [TOPIC] White hat group Schedule Penetration Test date and packages to Auditing
[21:34] <MootBot> New Topic:  White hat group Schedule Penetration Test date and packages to Auditing
[21:35] <emgent> so, anteater (report tool) beta is out
[21:35] <emgent> [link] https://code.edge.launchpad.net/~ubuntu-whitehat/ubuntu-whitehat-project/uwht
[21:35] <MootBot> LINK received:  https://code.edge.launchpad.net/~ubuntu-whitehat/ubuntu-whitehat-project/uwht
[21:35] <emgent> i think that next week we can start to work
[21:36] <emgent> kees: do you know in what infra we can start security tests ?
[21:36] <kees> cool, hooked up to the python-launchpad-bugs
[21:36] <emgent> heya python-launchpad-bugs now is supported
[21:36] <emgent> s/heay/yeah/
[21:36] <kees> emgent: before anything happens they want a specific test plan -- what ports, services, etc.
[21:37] <kees> emgent: so, probably best to discuss that on the -hardened mailing list.
[21:37] <kees> can you do that this week?
[21:37] <emgent> sure, i will do
[21:37] <kees> [ACTION] emgent to discuss whitehat testing plans on -hardened mailing list
[21:37] <MootBot> ACTION received:  emgent to discuss whitehat testing plans on -hardened mailing list
[21:37] <emgent> anyway for example for test launchpad i talked with stevea
[21:37] <emgent> and him say to me to work on staging.launchpad.net
[21:38] <emgent> so, i will send mail for define method and infra to test.
[21:38] <kees> emgent: right.  that, for example, would be part of the tesing plan.  "Test LP for .... NOTE: use staging.lp..." etc
[21:38] <kees> emgent: what you want is input on the plan, ideas, etc.
[21:38] <emgent> yep
[21:39] <kees> emgent: get it narrowed down to specific things that infra can look at and say "yeah, we're comfortable with those tests"
[21:39] <emgent> i think so
[21:40] <kees> emgent: and for non-LP things, giving some idea of the methods and tests is a start.
[21:40] <kees> emgent: once that's documented, we'll have plan we can work from.
[21:40]  * kees looks around for crimsun.... he wanted to do this for software too.
[21:40] <emgent> ok i understand, i will draft it
[21:40] <emgent> hehehe :)
[21:41] <kees> great.
[21:41] <kees> okay...
[21:41] <emgent> about auditing, I'm thinking to write a list of packages (CMS) used by loco
[21:41] <kees> good idea.  a lot of this can be discussed on the mailing list too.  (no need to wait 2 weeks between reports...)
[21:41] <emgent> ok cool. :)
[21:42] <kees> [TOPIC] next meeting
[21:42] <MootBot> New Topic:  next meeting
[21:42] <kees> 2 weeks, same time?
[21:42] <emgent> +1 for me
[21:42] <CaseySchaufler> OK by me.
[21:42] <kees> wgrant: did this work out for you, other than being brutally early?
[21:42] <emgent> thanks kees :)
[21:42] <kees> I'll try to get crimsun and ajmitch to come to the next meeting (\sh too, but he usually tries to make it)
[21:42] <jdstrand> thanks kees!
[21:43] <emgent> \sh: will read the logs
[21:43] <kees> cool, 2 weeks it is.  :)  thanks everyone, and thanks CaseySchaufler for coming -- glad to have you helping us with Smack.  :)
[21:43] <kees> #endmeeting
[21:43] <MootBot> Meeting finished at 15:45.

MeetingLogs/Security/20080605 (last edited 2008-08-06 16:31:56 by localhost)