[ubuntu-hardened] Re: Any progress on hardening Ubuntu?

Magnus Therning magnus at therning.org
Mon Oct 10 16:57:56 CDT 2005


I'm bringing this over to ubuntu-hardened.

> On lun, 2005-10-10 at 10:42 +0100, Magnus Therning wrote:
>> Any info on it anywhere? Is it part of vSecurity?
>
> http://pearls.tuxedo-es.org/vsecurity/
> http://www.randombit.net/projects/cap_over/
>
> We already have worked out most of the stuff. Need to re-base to latest
> vsecurity cvs.

Thanks. Both are really interesting indeed. Also new to me, seems I
haven't been keeping up with what's happening :(

>> [.. snip on SELinux and policy updates ..]
>>
>> Personally I'm not very interested in SELinux, which is why I first
>> was quite disappointed after reading the progress page. However, after
>> reading the spec on tuxedo-es.org I was pleasantly surprised to see
>> mentions of grSecurity and PaX and some other things that interest me
>> more.
>
> Well, I recommend you to check out these slides I presented in Dijon
> (France) in the Libre Software Meeting 2005:
> http://pearls.tuxedo-es.org/papers/linuxsec-lsm2005-slides.pdf

Cool. Good presentation indeed.

> No offense at all, but I'm used to hear bad opinions and inaccurate
> comments about it, and they usually come from people who have never used
> SELinux in their life and know near to nothing about it. My scope covers
> all the technologies, and I know well the advantages and disadvantages
> of each one of them. I use grSecurity, but I also use SELinux
> extensively, I use PaX but also deployed Exec Shield in some scenarios.
>
> It's a matter of having no bias when it comes to technical stuff. Here
> we have facts, we either probe them or we just shut up, but there's no
> room for noise.
>
> Side-note: Is it really that bad that a US government or
> law-enforcement organization supports the development of an open source
> (or Free Software, with free as in freedom) project? It's pretty sad
> while "the community" keeps asking for government support for the
> development of Free Software. Now that they put an eye on it, we reject
> them! (...)

Hmmm, looks like I provoked a standard response there :-) The reason why
I'm not so interested in SELinux is simply that I'm not very interested in
MAC at all. Not at the moment at least. PaX, CapOver, pam_tcb and the
sorts is where I'd like to start (from a personal POV).

IMHO the MAC stuff (SELinux, grsecurity, RSBAC, etc) is the next step.

>> [.. snip on plea for contributors ..]
>>
>> If you are willing to provide some guidance I'll be willing to
>> contribute.
>
> Sure, I'll explain what needs to be done and how it is supposed to be done.
> Time to arrange a meeting. I propose two sessions, tomorrow at night
> (CEST, 20:00) and this next weekend Friday night (again CEST, 20:00).
>
> I hope that's OK.
>
>> Weekend is possible for me. What time? (I'm in GMT.)
>
> I'm on CEST (CET for winter). Located in Spain.

I should be able to be there tomorrow evening for a discussion (which BTW
will be the first time ever I take part in an IRC meeting :-).

/M

(If you're wondering why some of my emails are signed and others aren't
it's ultimately due to my clumsiness. My laptop is being repaired and I
can only send signed messages from work. This I'm writing using my wife's
WindowsXP notebook.)

-- 
Magnus



