On Thu, 14 Feb 2008, Jeff Schroeder wrote:
> it is good to FINALLY see some proactive security work from the Ubuntu

I think (hope) that Ubuntu has been proactively working on security a bit
longer than that.  Even the first versions had a few simple things done
differently;  the "no open ports" policy, removing setuid and daemons from
running as root---even sysklogd was replaced by a copy of 'dd'!

Ubuntu even took a different direction with the splash system;  Ubuntu was
shipping a system entirely based in userspace. ---No JPEG decoders in the
kernel there... ;-)

However, there is more to be done because when the improvements can be done
hand-in-hand with keeping a "Just Works" philosophy.  One of those
improvements could be ensuring that good patches (such as the /dev/mem
restrictions) don't get dropped at the point they no longer easily apply but
which haven't yet made it into the main kernel tree.

