[report] (24-03) Ubuntu Hardened work tracking

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Thu Mar 24 17:32:55 CST 2005


The following issues are reported to the Bugzilla and being worked on,
finished or re-worked:

#1: Linux Security Modules framework networking hooks

Current linux-image-2.6.10* packages lack support for network
LSM hooks, which leads to several problems when developing
LSM-related work that relies on them, and forces those who need them
to recompile the kernel sources every time they get updated.

This should be fixed soon if it hasn't already been fixed.

#2: Hardened Debian patches for GCC 3.3 and 3.4 (security related)

Currently, gcc-3.4 sources come with the patches, but they are not
enabled nor used in the binary packages.
After studying the case, after looking at an alternative gcc-ssp package
(which would lead to unnecessary maintenance overhead and conflicts), we
have decided that having SSP/ProPolice enabled in the default toolchain
is the way to go, but not making it *functionally* enabled, which means,
users would need to explicitly set the needed flags (-fstack-protector*,
PIE related flags...).

New libssp packages are being made available, also, the kernel patch for
kernel-level helpers might be submitted for inclusion:


#3: PT_PAX_FLAGS marking support on binutils.

As of the on-going effort for deploying PaX, made among the proper
Ubuntu Hardened team, by Martin Pitt, fine-grained marking for
executables is needed in order to provide softmode support, etc.

The impact of the inclusion of the PT_PAX_FLAGS marking support into the
toolchain, more concretely into binutils, is known *not* to be
negative, aside from the little overhead of having another dpatch to
maintain or check.

#4: Upgrade to Linux-PAM 0.77 with Security-Enhanced Linux support

Currently, and as a Hoary+1 goal, some user-land packages will need to
be modified in order to support SELinux which is being actively deployed
within the Ubuntu Linux distribution.

One of them is PAM, which will give us the possibility of supporting
also the KDE desktop engine, and other things (those that rely on PAM and
its modules for authenticating and so on).

The patches for SELinux support usually come from Fedora repositories,
thus, these are well tested and known to work *quite well*, as upstream
(www.nsa.gov) no longer maintains userland patches.

#5: enh: Ubuntu Security Center

John Richard Moser proposed a worthy enhancement to the user's final
experience, which should be subject of study and further looking, as
its deployment could help more than just the Ubuntu Linux users, being
a key tool for desktop users and making user-friendly the deployment of
the security technologies at issue.

#6: Consider setting more restrictive default ulimits

We all know about the latest noise coming from a (maybe sensationalist,
at least more than needed ...) article published on SecurityFocus
(http://www.securityfocus.com/columnists/308), fork bombs being subject
of discussion, when a simple ":(){ :|:;}:" can make people blame
even the kernel security...

Anyways, enforcement of process execution, memory, priority and open
file descriptors limits should be studied and subject of further look in
order to ensure that such issues don't fill our bug tracking /SCM

At this point, profile-based solutions come to mind, so, we could talk
about a desktop, server and normal profile, each one of them could make use
of the different security technologies and configurations, depending on
the needs of the user, sysadmin or fooman at issue :)


And that's all folks (at least for this month).

Regarding the SELinux deployment, we need to discuss a few things:

	* dpkg changes: we can't rely on postinst rules, we should look
			for better solutions before falling in the 
			current one.
	* policy:	provide separate policy packages for each binary
			package (foo and selinux-policy-foo), improve
			the current package (the configuration method
			is weird :( )...
	* user-land:	file bug reports for the bugzilla (or malone if
			it changes) on each package which should be
			modified for SELinux support and get Fedora's
			patches from their repositories.
	* kernel:	fabbione, keep up the good work ;D

Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
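
Added example, not part of the original message or of any Ubuntu package: one way to check the limits named in #6 (process count, memory, priority, open file descriptors) against a per-profile policy, by auditing pam_limits-style "domain type item value" lines. The profile bounds, the sample file and the function names are assumptions made for illustration.

```python
# Audit pam_limits-style lines against a profile (added illustration).
# Bounds below are hypothetical, not Ubuntu defaults. nproc/nofile/as are
# ceilings; priority is a floor (negative values boost a process).
PROFILES = {
    "desktop": {"nproc": 1024, "nofile": 4096, "as": 4194304, "priority": 0},
    "normal":  {"nproc": 2048, "nofile": 8192, "as": 8388608, "priority": 0},
    "server":  {"nproc": 4096, "nofile": 65536, "as": 16777216, "priority": 0},
}
# pam_limits treats these as "no limit" for every item except priority/nice.
UNLIMITED = {"unlimited", "infinity", "-1"}

# Constructed sample input, not a shipped configuration file.
SAMPLE = """\
*       soft    nproc     512      # soft limits can be raised by the user
*       hard    nproc     8192
*       hard    nofile    unlimited
*       -       priority  -5
@admin  hard    as        1048576
"""

def parse_hard_limits(text):
    """Return {(domain, item): value} for entries that set a hard limit."""
    hard = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue                      # blank, comment or malformed line
        domain, ltype, item, value = fields
        if ltype in ("hard", "-"):        # "-" sets both soft and hard
            hard[(domain, item)] = value
    return hard

def audit(text, profile, domain="*"):
    """List every way the config fails the profile for the given domain."""
    hard, findings = parse_hard_limits(text), []
    for item, bound in PROFILES[profile].items():
        value = hard.get((domain, item))
        if value is None:
            findings.append(f"{item}: no hard limit for {domain}")
        elif item == "priority":
            if int(value) < bound:
                findings.append(f"{item}: {value} is below floor {bound}")
        elif value in UNLIMITED:
            findings.append(f"{item}: unlimited for {domain}")
        elif int(value) > bound:
            findings.append(f"{item}: {value} exceeds ceiling {bound}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "desktop"):
        print(finding)
```
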