UbuntuHardenedMeeting25-10-2005

Revision 7 as of 2005-10-25 18:31:40


Notes

Attending

Lorenzo Hernández García-Hierro, Jeff Schroeder, Herman Bos, Andrew Mitchell

Topics

  • push vSecurity
  • IBM Stack Smashing Protector merged in 4.1 (upstream!). Deployment?
  • SELinux status and work to get done
  • misc, kernel patches
  • documentation
  • IP randomization, etc.
  • File specs for UBZ by 27 Oct.

Push vSecurity

Why?

  • Usable
  • Just Works (TM) and doesn't need to be configured
  • vSecurity works through simple interfaces; there's no need for buggy and complicated device node handling. It works using sysctl and sysfs/procfs
  • Out of the box you get everything except the fine-grained capabilities granting

One problem left

Jeff: "The end user impact is this: when you rmmod capability, modprobe capability disable=1, modprobe vsecurity, and close that terminal, you get a kernel oops. complete system freeze and a hard reboot is required"

Lorenzo is working on this.

SELinux status and work to get done

Remove suid binaries in Dapper?

Jeff's list of suid files in Ubuntu: http://wiki.tuxedo-es.org/Suid_files

Documentation

Jeff wrote some documentation: http://wiki.tuxedo-es.org/Lowering_privilege_with_capabilities_tutorial

File Specs for UBZ

General

Mark noted in his "Road to Dapper" message on the announce list that specs should be filed on Launchpad. This must all be done before 27 Oct! http://lists.ubuntu.com/archives/ubuntu-announce/2005-October/000045.html

Follow these guidelines: https://wiki.ubuntu.com/FeatureSpecifications

Ubuntu Hardened specs

  • Proactive Security http://wiki.ubuntu.com/FeatureSpecifications
  • SELinux

