## page was renamed from SecurityTeam/UDS Dumping ground for UDS Lucid ideas == KeesCook == * apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs) * review sponsorship process and compare to security-sponsorship * http://fedoraproject.org/wiki/Features/LowerProcessCapabilities * figure out better "screen lock does not work" bug triage process * filesystem capabilities * forwarding patches to debian BTS for security updates * protecting select() users when RLIMIT_NOFILE > 1024 http://sourceware.org/bugzilla/show_bug.cgi?id=10352 * using lxc * process limit unlimited (LP: #391761) * readdir_r stack smashing (LP: #392501) * patch ssh to gain boolean to disable banner * patch ssh to gain -Wl,-z,now * patch samba to gain -Wl,-z,now * upstream NX-emu patch http://www.codemonkey.org.uk/junk/linus-es.txt * mmap_min back into procps for reset-when-wine-goes-away? * mmap_min sysctl drop from dosemu, wine http://wiki.debian.org/mmap_min_addr * procps warns about syncookies * verify RO+NX kernel patch in 2.6.32+ * review https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks * review https://wiki.canonical.com/IS/SoftwareAudit * deroot auditd * grub2 + TPM * http://people.canonical.com/~kees/nx-missing into pkg on server & desktop that has translations, preferably tied to x86/x86_64 arch. * should /proc/kallsyms and /boot/System.map be root-only ? == JamieStrandboge == * apparmor abstractions cleanup * apparmor usability * sort out apparmor upstream vs apparmor in ubuntu (is this still needed?) * ufw * usability improvements: * delete by number * reset * limit command options * show listening * rsyslog * more reporting * more work on ufw/upstart/boot integration * what does server team need/want (eg, ebtables?) * requested features (eg ufw-simple-gui, nat/rdr, etc) * libvirt/apparmor features, polishing and maintenance * bug fixing * add backing store support * make sure it works with newer releases * support features newly supported by the selinux driver * continue to develop test cases (eg pool-* and vol-* commands) * run qemu:///system VMs as non-root * we should generalize and improve the apparmor apport hook * update firefox profile to work better in KDE (and XFCE) * implement a way to automatically, but temporarily, subscribe ubuntu-security to package bugs for security uploads == MarcDeslauriers == * Smartcard/USB token authentication * Certificate on USB disk authentication == Sessions == * (kees) apport hooks (vs https://bugs.edge.launchpad.net/~ubuntu-security/+packagebugs, common security bugs, AA profiled packages, list of reasons why no hook, etc) * (nxvl) review sponsorship process and compare to security-sponsorship * (kees) http://fedoraproject.org/wiki/Features/LowerProcessCapabilities (foundations) * (mdeslaur) screen lock does not work (requires Gnome screen saver folks, Riddell, QA, create "DebuggingScreenLocking", triage borked systems) * (jdstrand) [[https://blueprints.edge.launchpad.net/ubuntu/+spec/security-lucid-ubuntu-and-debian"|How can the Ubuntu Security Team help Debian better?"]] (debian folks?) * (kees) Notification of system BIOS failures (NX bit. Needs DX.) * (jdstrand) [[https://blueprints.edge.launchpad.net/ubuntu/+spec/security-lucid-apparmor-abstractions|apparmor abstractions cleanup]] * (jdstrand) [[https://blueprints.edge.launchpad.net/ubuntu/+spec/security-lucid-apparmor-usability|apparmor usability in Ubuntu]] (existing profiles, userspace tools, profile creation, upgrade tunables, reporting denials) * (kees) AppArmor upstream planning session(s) * (mdeslaur) Catch-all * (mdeslaur) 2-factor (Smartcard/USB token/fingerprint/Cert) authentication (soren)