Roadmap

Differences between revisions 121 and 122
Revision 121 as of 2010-02-07 02:35:59
Size: 13293
Editor: 145
Comment: added a blueprint to smbd, nmbd and winbindd so that I can make their profiles and track my progress in doing so :)
Revision 122 as of 2010-02-16 18:39:51
Size: 12260
Editor: modemcable144
Comment:
Line 87: Line 87:
  * https://bugs.launchpad.net/bugs/283315 (KDE)
  * https://bugs.launchpad.net/bugs/291712 (KDE)
  * https://bugs.launchpad.net/bugs/296085 (KDE)
  * https://bugs.launchpad.net/bugs/326721 (KDE)
  * https://bugs.launchpad.net/bugs/349427 (KDE)
Line 92: Line 89:
  * https://bugs.launchpad.net/bugs/317995 (Gnome)
  * https://bugs.launchpad.net/bugs/344803 (Gnome)
  * https://bugs.launchpad.net/bugs/338057 (Gnome)
  * https://bugs.launchpad.net/bugs/345026 (Gnome)
Line 97: Line 90:
  * https://bugs.launchpad.net/bugs/355027 (Gnome)
Line 99: Line 91:
  * https://bugs.launchpad.net/bugs/371388 (Gnome)
Line 102: Line 93:
  * https://bugs.launchpad.net/bugs/393166 (Gnome)
Line 104: Line 94:
  * https://bugs.launchpad.net/bugs/408011 (Gnome)
  * https://bugs.launchpad.net/bugs/411350 (Gnome)
  * https://bugs.launchpad.net/bugs/426808 (Gnome)
  * https://bugs.launchpad.net/bugs/440814 (Gnome)
  * https://bugs.launchpad.net/bugs/484603 (Gnome)
  * https://bugs.launchpad.net/bugs/484072 (Gnome)
  * https://bugs.launchpad.net/bugs/485695 (Gnome)
Line 112: Line 95:
  * https://bugs.launchpad.net/bugs/440814 (Compiz)
Line 114: Line 96:
  * https://bugs.launchpad.net/bugs/349427 (XFCE)
  * https://bugs.launchpad.net/bugs/397892 (XFCE)

Karmic

Blueprints

Documentation

  • The Security Team FAQ needs to be filled with answers to the various questions Ubuntu gets about security.

  • The Security Team KnowledgeBase needs more to be written. Many ideas have already been listed there.

Investigations

Several ideas for possible work come from investigating the set of packages that is actually installed by default.

  • setuid: which programs are setuid and what may be needed to improve them.

  • measure how many bits of randomness are actually being used in kernel ASLR, compared to other ASLR implementations.
  • review ideas from brainstorm.
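
As an added illustration of the setuid and ASLR investigation items above (example code written for this page, not a Security Team tool), the following Python script walks the installed system for setuid binaries, maps each to its owning package with dpkg, and estimates how many address bits the kernel actually randomises by spawning fresh processes and recording where a named mapping lands. The helper names, the pruned pseudo-filesystem list and the sample size are assumptions of the example.

```python
"""Added example for the 'setuid' and 'ASLR' investigation items.

Hypothetical helper script, not Security Team code.  Assumes a Linux host
with /proc mounted, dpkg available, and Python 3 on PATH.
"""
import os
import stat
import subprocess
import sys

# Pseudo-filesystems skipped by the setuid walk (assumption: nothing of
# interest is setuid there, and walking them is slow and noisy).
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def setuid_files(root="/"):
    """Return the sorted paths under `root` of regular files with the setuid
    bit set.  lstat() is used so symlinks are neither followed nor counted."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def owning_package(path):
    """Ask dpkg which package ships `path`; None when unowned or dpkg absent."""
    try:
        r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    if r.returncode != 0:
        return None
    return r.stdout.split(":")[0]  # "sudo: /usr/bin/sudo" -> "sudo"


def varying_bits(addresses):
    """Return (mask, count): the OR of each sample XORed with the first, and
    the number of set bits in that mask.  A set bit is a position the kernel
    actually randomised over the samples; the count is a lower bound on the
    entropy, since a small sample may not flip every randomised bit."""
    if not addresses:
        return 0, 0
    base = addresses[0]
    mask = 0
    for a in addresses[1:]:
        mask |= a ^ base
    return mask, bin(mask).count("1")


def sample_mapping_start(tag, n=200):
    """Spawn n fresh processes and record where the mapping labelled `tag`
    (e.g. '[stack]', '[heap]') starts in each.  Fresh exec()s are required:
    a fork without exec inherits the parent's layout and shows no variation.
    /proc/PID/maps is page-granular, so sub-page stack randomisation is
    invisible here and the result is a lower bound."""
    code = ("for line in open('/proc/self/maps'):\n"
            "    if line.rstrip().endswith(%r):\n"
            "        print(int(line.split('-')[0], 16)); break\n" % tag)
    samples = []
    for _ in range(n):
        r = subprocess.run([sys.executable, "-c", code],
                           capture_output=True, text=True, check=True)
        if r.stdout.strip():  # mapping absent in this process: skip sample
            samples.append(int(r.stdout.strip()))
    return samples


if __name__ == "__main__":
    for path in setuid_files("/"):
        print("%-40s %s" % (path, owning_package(path) or "(no package)"))
    for tag in ("[stack]", "[heap]"):
        mask, bits = varying_bits(sample_mapping_start(tag))
        print("%s: %d randomised bits (mask 0x%x)" % (tag, bits, mask))
```

Run it as root, otherwise directories the invoking user cannot read are silently skipped and the setuid list is incomplete. The randomised-bit count should be compared with what the kernel documents for the architecture; a count well below that is the kind of gap the investigation item is looking for.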

AppArmor Confinement

The following profiles have been identified and prioritized as targets for AppArmor confinement. A number of profiles already exist and are not included in this list. Please note that a high priority does not indicate a commitment to develop the profile during the current development cycle.

  • Top priority
  • Secondary priority
    • nmbd (see blueprint)

    • winbind (see blueprint)

    • smbd (example profile which is opt-in only and disabled by default) (see blueprint)

    • spamassassin (spamd)
    • acroread (likely not possible due to constraints of agreement with Adobe)
  • Tertiary priority
    • dnsmasq (exists in apparmor-profiles)
    • squid (possibly P2 (talk to elmo)) (contributed profile in LP: #497790)

    • awstats
    • analog (in progress)

    • mailman
    • asterisk (universe)
    • exim4
    • nagios/nrpe
    • openssh-server (not easy, as users can spawn anything)
    • pidgin
    • empathy
    • mail clients (thunderbird, kmail, evolution) -- difficult
    • eog
    • totem
    • skype WONT FIX (likely not possible due to constraints of agreement. People can use the profile shipped in /usr/share/apparmor-profiles/extras)

    • ekiga
    • rhythmbox
  • Unspecified priority
    • portmap (low-effort)
    • rpc.statd (low-effort)
    • scripts that people tend to give sudo access. For example: apache2ctl, initscripts
    • munin
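
As an added example (not part of this page and not Ubuntu tooling), the following Python reports which of the targets listed above are actually confined on a running host: it parses the kernel's list of loaded profiles under securityfs and reads the confinement label of every running process, since a freshly loaded profile does not apply to a daemon that was already running. The mapping from roadmap entry to binary path and the sample of the profiles listing are constructed assumptions of the example.

```python
"""Added example: report AppArmor coverage of the roadmap targets above.

Hypothetical script, not Ubuntu code.  Assumes Linux with securityfs mounted
at /sys/kernel/security and AppArmor enabled.
"""
import os

# Roadmap entry -> executable path.  The paths are assumptions of this
# example; Ubuntu profiles are named by their attachment path.
ROADMAP_TARGETS = {
    "nmbd": "/usr/sbin/nmbd",
    "winbind": "/usr/sbin/winbindd",
    "smbd": "/usr/sbin/smbd",
    "spamd": "/usr/sbin/spamd",
    "dnsmasq": "/usr/sbin/dnsmasq",
    "squid": "/usr/sbin/squid",
    "openssh-server": "/usr/sbin/sshd",
    "portmap": "/sbin/portmap",
}

PROFILES_FILE = "/sys/kernel/security/apparmor/profiles"

# Constructed sample in the format of PROFILES_FILE: "<name> (<mode>)".
SAMPLE_PROFILES = """\
/usr/sbin/cupsd (enforce)
/usr/sbin/dnsmasq (complain)
/usr/sbin/smbd (enforce)
lxc-container-default (enforce)
"""


def parse_profiles(text):
    """Map profile name -> mode ('enforce' or 'complain') from the text of
    the kernel's profiles listing.  rpartition is used because profile names
    may themselves contain spaces or parentheses."""
    modes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, mode = line.rpartition(" (")
        if sep:
            modes[name] = mode.rstrip(")")
    return modes


def coverage(targets, modes):
    """For each roadmap entry, return the loaded profile's mode, or
    'unconfined' when no profile is attached to its binary."""
    return {entry: modes.get(path, "unconfined") for entry, path in targets.items()}


def running_confinement():
    """Map exe path -> set of confinement labels of the processes running it,
    read from /proc/PID/attr/current ('unconfined' or '<profile> (<mode>)').
    A profile only applies to processes exec()ed after it was loaded, so this
    catches daemons that predate the profile and still run unconfined."""
    labels = {}
    try:
        pids = os.listdir("/proc")
    except OSError:
        return labels  # no /proc: nothing to report
    for pid in pids:
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink("/proc/%s/exe" % pid)
            with open("/proc/%s/attr/current" % pid) as f:
                label = f.read().strip("\x00\n")
        except OSError:
            continue  # kernel thread, already exited, or not our process
        labels.setdefault(exe, set()).add(label)
    return labels


def load_system_profiles(path=PROFILES_FILE):
    """Read the live profile list; empty when AppArmor is unavailable."""
    try:
        with open(path) as f:
            return parse_profiles(f.read())
    except OSError:
        return {}


if __name__ == "__main__":
    modes = load_system_profiles()
    live = running_confinement()
    for entry, mode in sorted(coverage(ROADMAP_TARGETS, modes).items()):
        path = ROADMAP_TARGETS[entry]
        running = ", ".join(sorted(live.get(path, ()))) or "not running"
        print("%-16s profile: %-10s running as: %s" % (entry, mode, running))
```

Reading other users' /proc/PID/attr/current needs root; run it that way when checking system daemons. A target that shows a loaded profile but a live label of "unconfined" was started before the profile was loaded and needs a restart before the confinement counts.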

Unscheduled Wishlist Items

This area can be used to list ideas for future security work, or link to bugs that describe "Wishlist" issues.

Not Interested

  • hardened default config (Bastille-like). Check the compatibility of debian-bastille. Status: reviewed. What can be done in a default install is already being done.

Community Participation

These are some ideas that came out during the community growth meeting at UDSKarmic:

  • for the SecurityTeam

    • more IRC workshops
    • blog more
    • always participate in Ubuntu Developer Week
    • participate with Hall of Fame or 5-a-day
    • work even more closely with Debian
  • Encourage community involvement:
    • perhaps a "Universe packages of the week?" (only if you are also available (we'll be in #ubuntu-security on ...))
    • some focused event like suspend/resume with kernel team or maybe hug days. This could be done with apparmor profiles ('Apparmor Week')
    • participate with security documentation
    • testing
      • automated test cases could be created for each release (AutoHotkey for Windows allows replaying GUI actions for testing a PoC)
      • perhaps look into applications to replay actions
    • have a ppa to pull profiles from profile repositories and make them available
    • make testing very easy
      • make-test-tarball is a start, but also need to create VMs easily. vm-tools is a start, but needs to be even easier (maybe grab an image from somewhere...)
    • talk to server team about a survey about features. many of these will likely be security features
  • Disseminating information
    • communicating the security team's needs can be handled (in part) by the community team
    • communication about needed apparmor profiles could be improved
    • maybe talk about what our needs are (eg universe, apparmor profiles, etc)
    • have harvest better integrate with security fixes (talk to dholbach and jorge)

    • focus and ask what is keeping people from adopting Ubuntu
      • we should also identify several areas where we become experts and give all the information-- eg if a salesperson is in front of a potential client and is asked 'tell me about all your logging software' or 'tell me all the ways you handle user credentials and authentication'
  • look into USN-C (community USN) and a way to attach the name of the committer/uploader as a way to increase involvement (through better reputation)


CategorySecurityTeam

SecurityTeam/Roadmap (last edited 2022-01-04 22:38:06 by rodrigo-zaiden)