Any progress on hardening Ubuntu?

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Mon Oct 10 15:44:11 CDT 2005


On lun, 2005-10-10 at 10:42 +0100, Magnus Therning wrote:
> Any info on it anywhere? Is it part of vSecurity?

http://pearls.tuxedo-es.org/vsecurity/
http://www.randombit.net/projects/cap_over/

We already have worked out most of the stuff. Need to re-base to latest
vsecurity cvs.

> Yes. This was mentioned in a FUDCON talk at LWE in London. Apparently
> all FC4 packages are compiled with it.

At least the network-exposed ones AFAIK.

> [.. snip on SELinux and policy updates ..]
> 
> Personally I'm not very interested in SELinux, which is why I first
> was quite disappointed after reading the progress page. However, after
> reading the spec on tuxedo-es.org I was pleasantly surprised to see
> mentions of grSecurity and PaX and some other things that interest me
> more.

Well, I recommend you to check out these slides I presented in Dijon
(France) in the Libre Software Meeting 2005:
http://pearls.tuxedo-es.org/papers/linuxsec-lsm2005-slides.pdf

No offense at all, but I'm used to hearing bad opinions and inaccurate
comments about it, and they usually come from people who have never used
SELinux in their life and know near to nothing about it. My scope covers
all the technologies, and I know well the advantages and disadvantages
of each one of them. I use grSecurity, but I also use SELinux
extensively, I use PaX but also deployed Exec Shield in some scenarios.

It's a matter of having no bias when it comes to technical stuff. Here
we have facts, we either probe them or we just shut up, but there's no
room for noise.

Side-note: Is it really that bad that a US government or
law-enforcement organization supports the development of an open source
(or Free Software, with free as in freedom) project? It's pretty sad
while "the community" keeps asking for government support for the
development of Free Software. Now that they put an eye on it, we reject
them! (...)

> No worries. I don't think a lot of announcements and progress reports
> are necessary. However it would be nice if your progress was trackable
> in some way. Would it be possible for you to make all packages available
> somewhere? (If it already is then there's a missing link in the Ubuntu
> Wiki pages :-) It also makes it easier for someone to jump in and help
> out. (In the end it's all about the source :-)

There are a few packages out there, but we need a package tracking
engine, that is, we should be able to say: F has FOO and XYZ already
implemented, O has XYZ implemented, etc. Then URLs to the announcement
or package location if it's still unofficial. A wiki could do the trick,
but I was thinking about doing BTS on bugs.tuxedo-es.org and then
keeping announcements and the like on debian-hardened.org and its wiki
namespace on wiki.tuxedo-es.org.

There we need help: people willing to maintain bug reports, tracking
packages, posting announcements, reviewing, etc. As well as in the
development side: packaging, *testing*, giving out ideas...

> Sounds good, I'm eagerly awaiting a summary

Coming soon ;).

> [.. snip on plea for contributors ..]
> 
> If you are willing to provide some guidance I'll be willing to
> contribute.

Sure, I'll explain what needs to be done and how it is supposed to be done.
Time to arrange a meeting. I propose two sessions, tomorrow at night
(CEST, 20:00) and this next weekend Friday night (again CEST, 20:00).

I hope that's OK.

> Weekend is possible for me. What time? (I'm in GMT.)

I'm on CEST (CET for winter). Located in Spain.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]