Ubuntu Wiki

Dumping ground for UDS Lucid ideas

KeesCook

• apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs)

• review sponsorship process and compare to security-sponsorship

• http://fedoraproject.org/wiki/Features/LowerProcessCapabilities

• figure out better "screen lock does not work" bug triage process
• filesystem capabilities
• forwarding patches to debian BTS for security updates

• protecting select() users when RLIMIT_NOFILE > 1024 http://sourceware.org/bugzilla/show_bug.cgi?id=10352

• using lxc
• process limit unlimited (LP: #391761)
• readdir_r stack smashing (LP: #392501)
• patch ssh to gain boolean to disable banner
• patch ssh to gain -Wl,-z,now
• patch samba to gain -Wl,-z,now

• upstream NX-emu patch http://www.codemonkey.org.uk/junk/linus-es.txt

• mmap_min back into procps for reset-when-wine-goes-away?

• mmap_min sysctl drop from dosemu, wine http://wiki.debian.org/mmap_min_addr

• procps warns about syncookies
• verify RO+NX kernel patch in 2.6.32+

• review https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks

• review https://wiki.canonical.com/IS/SoftwareAudit

• deroot auditd
• grub2 + TPM

• http://people.canonical.com/~kees/nx-missing into pkg on server & desktop that has translations, preferably tied to x86/x86_64 arch.

• should /proc/kallsyms and /boot/System.map be root-only ?

JamieStrandboge

• apparmor abstractions cleanup
• apparmor usability
• sort out apparmor upstream vs apparmor in ubuntu (is this still needed?)
• ufw
  • usability improvements:
    • delete by number
    • reset
    • limit command options
    • show listening
    • rsyslog
    • more reporting
  • more work on ufw/upstart/boot integration
  • what does server team need/want (eg, ebtables?)
  • requested features (eg ufw-simple-gui, nat/rdr, etc)
• libvirt/apparmor features, polishing and maintenance
  • bug fixing
  • add backing store support
  • make sure it works with newer releases
  • support features newly supported by the selinux driver
  • continue to develop test cases (eg pool-* and vol-* commands)
  • run qemu:///system VMs as non-root
• we should generalize and improve the apparmor apport hook
• update firefox profile to work better in KDE (and XFCE)
• implement a way to automatically, but temporarily, subscribe ubuntu-security to package bugs for security uploads

MarcDeslauriers

• Smartcard/USB token authentication
• Certificate on USB disk authentication

Sessions

• (kees) apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs, common security bugs, AA profiled packages, list of reasons why no hook, etc)

• (nxvl) review sponsorship process and compare to security-sponsorship

• (kees) http://fedoraproject.org/wiki/Features/LowerProcessCapabilities (foundations)

• (mdeslaur) screen lock does not work (requires Gnome screen saver folks, Riddell, QA, create "DebuggingScreenLocking", triage borked systems)

• (jdstrand) How can the Ubuntu Security Team help Debian better?" (debian folks?)

• (kees) Notification of system BIOS failures (NX bit. Needs DX.)

• (jdstrand) apparmor abstractions cleanup

• (jdstrand) apparmor usability in Ubuntu (existing profiles, userspace tools, profile creation, upgrade tunables, reporting denials)

• (kees) AppArmor upstream planning session(s)

• (mdeslaur) Catch-all
• (mdeslaur) 2-factor (Smartcard/USB token/fingerprint/Cert) authentication (soren)