UbuntuHardenedMeeting25-10-2005

notes

Attending

  • Lorenzo Hernández García-Hierro
  • Jeff Schroeder
  • HermanBos

  • Andrew Mitchell

topics

  • push vSecurity
  • IBM Stack Smashing Protector merged in 4.1 (upstream!). Deployment?
  • SELinux status and work to get done
  • misc, kernel patches
  • documentation
  • * ip randomization, etc
  • File specs for UBZ by 27 oct.

Push vSecurity

Why?

  • Usable
  • Just Works (TM) and doesn't need to be configured
  • VSecurity works using simple interfaces, there's no need for buggy and complicated device nodes handling. it works using sysctl and sysfs/procfs
  • out of the box you get everything except the fine-grained capabilities granting

One problem left

Jeff: "The end user impact is this: when you rmmod capability, modprobe capability disable=1, modprobe vsecurity, and close that terminal, you get a kernel oops. complete system freeze and a hard reboot is required"

Lorenzo is working on this.

SELinux status and work to get done

remove suid binaries in dapper?

List of Jeff's suid files in Ubuntu http://wiki.tuxedo-es.org/Suid_files

Documentation

Jeff wrote some documentation: http://wiki.tuxedo-es.org/Lowering_privilege_with_capabilities_tutorial

File Spec(s) for UBZ

General

Mark noted in his "Road to Dapper" on the announce list. Specs should be filed in on launchpad. This all Before 27 oct! http://lists.ubuntu.com/archives/ubuntu-announce/2005-October/000045.html

Following these guidelines https://wiki.ubuntu.com/FeatureSpecifications

Proactive Security Spec

This spec includes vSecurity. And Andrew already filed it on launchpad for UBZ. https://launchpad.net/distros/ubuntu/+spec/proactive-security

ProactiveSecurityBOF which the spec links is still empty. We need to fill this up before UBZ

Andrew will lead the BOF on UBZ regarding this spec.

Earlier work

From UDU: ProactiveSecurityRoadmap

UbuntuHardenedMeeting25-10-2005 (last edited 2008-08-06 16:33:17 by localhost)