Any progress on hardening Ubuntu?

Magnus Therning magnus at therning.org
Mon Oct 10 04:42:12 CDT 2005


On Sun, Oct 09, 2005 at 11:50:01PM +0200, Lorenzo Hernández García-Hierro wrote:
>On dom, 2005-10-09 at 23:04 +0300, Timo Aaltonen wrote:
>>On Sun, 9 Oct 2005, Magnus Therning wrote:
>>
>>>Sorry for the cross-post but there's been *very* little action on
>>>ubuntu-hardened since May (one email, from me :) and I wanted a
>>>slightly larger audience.
>>>
>>>Has any work been done on what was written in the spec
>>>(http://pearls.tuxedo-es.org/ubuntu/ubuntu-hardened-spec-20050503.pdf)?
>>
>>maybe these pages are of interest:
>>
>>https://wiki.ubuntu.com/UbuntuHardened
>>https://wiki.ubuntu.com/ProactiveSecurity
>>https://wiki.ubuntu.com/ProactiveSecurityRoadmap
>
>I hadn't time to send anything to the list but so far, progress has
>been made regarding vSecurity. I've done packages which need some fixes
>but are mostly ready to get into Universe if Martin (pitti) feels OK
>with it.
>
>One of the reasons, among the fact that I'm quite busy with school right
>now, is that I'm finishing the implementation of CapOver-like features
>with help from a third-party, and thus, there's no point in pushing the
>packages (after fixing the little issues left) without such new
>features if we can finish and test them soon.

Any info on it anywhere? Is it part of vSecurity?

>Also, I couldn't send information about it, but gcc-4 comes now with
>IBM Stack Smashing Protector (aka ProPolice) support. It was accepted
>by upstream and thus, we don't need to work that by ourselves anymore.

Yes. This was mentioned in a FUDCON talk at LWE in London. Apparently
all FC4 packages are compiled with it.

[.. snip on SELinux and policy updates ..]

Personally I'm not very interested in SELinux, which is why I first
was quite disappointed after reading the progress page. However, after
reading the spec on tuxedo-es.org I was pleasantly surprised to see
mentions of grSecurity and PaX and some other things that interest me
more.

>I apologize, once again, for the delay on talking about the project
>status and giving out news and advice about it, but I've been certainly
>busy in these last months.

No worries. I don't think a lot of announcements and progress reports
are necessary. However it would be nice if your progress was trackable
in some way. Would it be possible for you to make all packages available
somewhere? (If it already is then there's a missing link in the Ubuntu
Wiki pages :-) It also makes it easier for someone to jump in and help
out. (In the end it's all about the source :-)

>Last but not least, Debian has been accepting changes related to
>user-land SELinux support and I'll try to come with a short summary
>explaining what's "merged" and what's left.

Sounds good, I'm eagerly awaiting a summary.

[.. snip on plea for contributors ..]

If you are willing to provide some guidance I'll be willing to
contribute.

>Best is to explain all the details in a meeting, so, I propose to
>arrange one in the IRC, either in OFTC or FreeNode network. I will be
>able to get around for this next weekend or this Tuesday night. Channel
>is #ubuntu-hardened.

Weekend is possible for me. What time? (I'm in GMT.)

/M

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

There's no such thing as a simple cache bug.
     -- Rob Pike