[ubuntu-hardened] Ideas outside the SELinux box

Me And You education.kills at gmail.com
Thu Feb 14 21:39:14 GMT 2008

As this is a ubuntu-hardened list, and not just a Ubuntu SELinux list,
I thought I would throw out some ideas on what I would like to see in
Ubuntu as far as security goes, and see what people think. I don't
claim expertise in any areas, but I think the things here would be
very useful.

-Running high risk desktop applications as another user.
 Namely Firefox. In the last few months (and before that), we've seen
a slew of vulns for ff. Most of them could be negated with the
NoScript extension, but not everyone is going to use that. So I
suggest running ff as a user other than the default desktop user. The
reason for this is simple: the typical desktop user has everything of
value to them under that user. If someone exploits Firefox and is able
to read/modify everything that the default user owns, well, that's damn
near everything that's important. We could make a shared "download"
directory or some such for accessing files and so forth. I don't think
this will be default, but having the option (something like apt-get
install ff-secure) would be nice.

-Jailed server packages
 I don't know about anyone else, but I think jailing applications is a
pain in the ass. Yeah, it's great to know how to do it, but I want
computers to work for *me*, not the other way around. In my sad little
Ubuntu server dreams I'm imagining something like this: apt-get install
lamp-jailed. Wouldn't that be great?

-Firewall setup during install
 I think I read this is planned for Hardy, but if it isn't, it needs to
be. We've got iptables sitting there doing nothing on a default install;
that's just bad planning and design.

-Tightening the system up
 Maybe something like a Bastille config by default? I don't know, but
things like the default user (first user) being able to read all the
log files and such just don't sit well with me. Maybe I'm
over-paranoid, but I like my shiny hat, thank you.
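The first idea above (a separate browser user plus a shared "download" directory) in sh, as an added example that is not from the original post: the sandbox user name "ffsecure" and group "ffshare" are placeholders, and the launch wrapper assumes sudo and an X display (xhost's localuser form is used to grant the sandbox user access to the session's display).

```sh
#!/bin/sh
# Added example: privilege separation for a high-risk desktop app.
# "ffsecure" (dedicated user) and "ffshare" (shared group) are constructed
# placeholder names; the desktop user is added to ffshare so both accounts
# can exchange files through one directory and nothing else.

# Create the shared download directory: group-owned, setgid so files created
# by either account inherit the group, and no access at all for "other".
make_shared_download_dir() {
    dir="$1"; group="$2"
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1     # drwxrws---
}

# Octal mode of a path (GNU/busybox stat), e.g. "2770".
mode_of() {
    stat -c '%a' "$1"
}

# Command line that runs the browser as the sandbox user with the sandbox
# user's own HOME (-H). The browser then cannot read or modify the desktop
# user's files; only the shared directory is reachable by both.
ff_secure_cmd() {
    user="$1"; display="$2"
    printf 'sudo -u %s -H env DISPLAY=%s firefox\n' "$user" "$display"
}

# One-time setup, root only: create the accounts and the shared directory.
# The xhost line is per-login and grants only that local user display access.
ff_secure_setup() {
    desktop_user="$1"
    groupadd ffshare
    useradd -m -G ffshare -s /usr/sbin/nologin ffsecure
    usermod -a -G ffshare "$desktop_user"
    make_shared_download_dir /srv/download ffshare
    echo 'xhost +si:localuser:ffsecure   # run in the desktop session'
}

if [ "$(id -u)" -eq 0 ] && [ -n "$1" ]; then
    ff_secure_setup "$1"
fi
```

Running the script as root with the desktop user name performs the setup; unprivileged, it only defines the functions so the wrapper command can be inspected.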