UbuntuHardenedMeeting25-10-2005
notes
Attending
Lorenzo Hernández García-Hierro Jeff Schroeder Herman Bos Andrew Mitchell
topics
- push vSecurity
- IBM Stack Smashing Protector merged in 4.1 (upstream!). Deployment?
- SELinux status and work to get done
- misc, kernel patches
- documentation
- * ip randomization, etc
- File specs for UBZ by 27 oct.
Push vSecurity
Why? * Usable * Just Works (TM) and doesn't need to be configured * VSecurity works using simple interfaces, there's no need for buggy and complicated device nodes handling. it works using sysctl and sysfs/procfs * out of the box you get everything except the fine-grained capabilities granting
One problem left
Jeff: "The end user impact is this: when you rmmod capability, modprobe capability disable=1, modprobe vsecurity, and close that terminal, you get a kernel oops. complete system freeze and a hard reboot is required"
Lerenzo is working on this.
SELinux status and work to get done
remove suid binaries in dapper?
List of Jeff's suid files in Ubuntu http://wiki.tuxedo-es.org/Suid_files
Documentation
Jeff wrote some documentation: http://wiki.tuxedo-es.org/Lowering_privilege_with_capabilities_tutorial
File Specs for UBZ
General
Mark noted in his "Road to Dapper" on the announce list. Specs should be filed in on launchpad. This all Before 27 oct! http://lists.ubuntu.com/archives/ubuntu-announce/2005-October/000045.html
Following these guidelines https://wiki.ubuntu.com/FeatureSpecifications
Ubuntu Hardened specs
* Proactive Security http://wiki.ubuntu.com/FeatureSpecifications
* SELinux
End of edit conflict