L
|
Size: 1470
Comment:
|
Size: 3860
Comment: page was renamed from SecurityTeam/UDS
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| ## page was renamed from SecurityTeam/UDS | |
| Line 30: | Line 31: |
| * apparmor abstractions cleanup * apparmor usability * sort out apparmor upstream vs apparmor in ubuntu (is this still needed?) * ufw * usability improvements: * delete by number * reset * limit command options * show listening * rsyslog * more reporting * more work on ufw/upstart/boot integration * what does server team need/want (eg, ebtables?) * requested features (eg ufw-simple-gui, nat/rdr, etc) * libvirt/apparmor features, polishing and maintenance * bug fixing * add backing store support * make sure it works with newer releases * support features newly supported by the selinux driver * continue to develop test cases (eg pool-* and vol-* commands) * run qemu:///system VMs as non-root * we should generalize and improve the apparmor apport hook * update firefox profile to work better in KDE (and XFCE) * implement a way to automatically, but temporarily, subscribe ubuntu-security to package bugs for security uploads |
|
| Line 32: | Line 57: |
| * Smartcard/USB token authentication * Certificate on USB disk authentication == Sessions == * (kees) apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs, common security bugs, AA profiled packages, list of reasons why no hook, etc) * (nxvl) review sponsorship process and compare to security-sponsorship * (kees) http://fedoraproject.org/wiki/Features/LowerProcessCapabilities (foundations) * (mdeslaur) screen lock does not work (requires Gnome screen saver folks, Riddell, QA, create "DebuggingScreenLocking", triage borked systems) * (jdstrand) [[https://blueprints.edge.launchpad.net/ubuntu/+spec/security-lucid-ubuntu-and-debian"|How can the Ubuntu Security Team help Debian better?"]] (debian folks?) * (kees) Notification of system BIOS failures (NX bit. Needs DX.) * (jdstrand) [[https://blueprints.edge.launchpad.net/ubuntu/+spec/security-lucid-apparmor-abstractions|apparmor abstractions cleanup]] * (jdstrand) [[https://blueprints.edge.launchpad.net/ubuntu/+spec/security-lucid-apparmor-usability|apparmor usability in Ubuntu]] (existing profiles, userspace tools, profile creation, upgrade tunables, reporting denials) * (kees) AppArmor upstream planning session(s) * (mdeslaur) Catch-all * (mdeslaur) 2-factor (Smartcard/USB token/fingerprint/Cert) authentication (soren) |
Dumping ground for UDS ideas
KeesCook
apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs)
- review sponsorship process and compare to security-sponsorship
http://fedoraproject.org/wiki/Features/LowerProcessCapabilities
- figure out better "screen lock does not work" bug triage process
- filesystem capabilities
- forwarding patches to debian BTS for security updates
protecting select() users when RLIMIT_NOFILE > 1024 http://sourceware.org/bugzilla/show_bug.cgi?id=10352
- using lxc
- process limit unlimited (LP: #391761)
- readdir_r stack smashing (LP: #392501)
- patch ssh to gain boolean to disable banner
- patch ssh to gain -Wl,-z,now
- patch samba to gain -Wl,-z,now
upstream NX-emu patch http://www.codemonkey.org.uk/junk/linus-es.txt
- mmap_min back into procps for reset-when-wine-goes-away?
mmap_min sysctl drop from dosemu, wine http://wiki.debian.org/mmap_min_addr
- procps warns about syncookies
- verify RO+NX kernel patch in 2.6.32+
review https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
- deroot auditd
- grub2 + TPM
http://people.canonical.com/~kees/nx-missing into pkg on server & desktop that has translations, preferably tied to x86/x86_64 arch.
- should /proc/kallsyms and /boot/System.map be root-only ?
JamieStrandboge
- apparmor abstractions cleanup
- apparmor usability
- sort out apparmor upstream vs apparmor in ubuntu (is this still needed?)
- ufw
- usability improvements:
- delete by number
- reset
- limit command options
- show listening
- rsyslog
- more reporting
- more work on ufw/upstart/boot integration
- what does server team need/want (eg, ebtables?)
- requested features (eg ufw-simple-gui, nat/rdr, etc)
- usability improvements:
- libvirt/apparmor features, polishing and maintenance
- bug fixing
- add backing store support
- make sure it works with newer releases
- support features newly supported by the selinux driver
- continue to develop test cases (eg pool-* and vol-* commands)
- run qemu:///system VMs as non-root
- we should generalize and improve the apparmor apport hook
- update firefox profile to work better in KDE (and XFCE)
- implement a way to automatically, but temporarily, subscribe ubuntu-security to package bugs for security uploads
MarcDeslauriers
- Smartcard/USB token authentication
- Certificate on USB disk authentication
Sessions
(kees) apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs, common security bugs, AA profiled packages, list of reasons why no hook, etc)
- (nxvl) review sponsorship process and compare to security-sponsorship
(kees) http://fedoraproject.org/wiki/Features/LowerProcessCapabilities (foundations)
(mdeslaur) screen lock does not work (requires Gnome screen saver folks, Riddell, QA, create "DebuggingScreenLocking", triage borked systems)
(jdstrand) How can the Ubuntu Security Team help Debian better?" (debian folks?)
- (kees) Notification of system BIOS failures (NX bit. Needs DX.)
(jdstrand) apparmor abstractions cleanup
(jdstrand) apparmor usability in Ubuntu (existing profiles, userspace tools, profile creation, upgrade tunables, reporting denials)
(kees) AppArmor upstream planning session(s)
- (mdeslaur) Catch-all
- (mdeslaur) 2-factor (Smartcard/USB token/fingerprint/Cert) authentication (soren)
SecurityTeam/UDS/L (last edited 2010-04-26 17:52:01 by pool-71-114-231-221)