[ubuntu-hardened] security center in ubuntu
ncfiedler at gnome.org
Sat Apr 3 12:29:52 BST 2010
I surely meant the usage of unskilled users with selinux. But my
scepticism refers to the nsa history of selinux. I simply dont trust it
out of this circumstance. We have a little private people monitoring
through our government here in Germany, so its hard for me to trust a
technology inspired or whatever by an instituion like that. Has anyone
of you verified the code of selinux as not possibly evil?
In my eyes, besides hard techniques, human perception and a related lack
of information is a great cause for the vulnerability of a system.
Therefor the documentation of a "security-center" is very important.
Today these important information that is needed for the user to see the
necessity to take action is wide spread over the internet. (I dont know
of a source, where much information about this issue is bundled.) And
there will always be a statistical lack of security, when it is too
uncomfortable for the user to take this action to protect him / her,
because then it is easier to fall back to old samples of behaviour -
For those packages, that are already part of the repositories /
sources-list, there should be an easy way of installation via gui. The
possibility to install the terminal or else doesnt meet the goal of
ease, when you dont know, what to install.
I guess thats it from over here for the moment. Please keep in mind,
that I am using GNOME, so that I am not aware of maybe existing ubuntu
specific guis concerning this issue in KDE.
*Here's an open list, feel free to add / modify sth. missing:*
+ Email encryption like enigmail / seahorse
+ Firewall / iptables / port management (when I install gufw today, the
default setting is OFF.. / sudo ufw status)
+ Antivirus like clamav (especially for machines standing in a local
network with Windows maschines - I could never run clamtk for updates
+ Usage of Bleachbit / Deborphan / wipe order (even cache and history
data can be a vulnerability in case of local access to the maschine)
+ Easy installation of Truecrypt by integration into the sources-list by
+ Testingscript for passwordstrength (the documentation should recommend
 alternation, different level pwds and provide information about the
syntax of good passwords, maybe with an implementation of John & rainbow
tables / international dictionaries or an updatable local database, that
stores the most known weak passwords, like "password", "god" and so on)
+ Combined Webbrowser user agent and language switcher (today only
available as a plugin for Firefox as far as I know)
+ rkhunter / chkrootkit for rootkits, backdoor, exploits
+ Check whether a keylogger is running (e.g. lkl)
+ Permission check, using information provided by apt to identify
changes to system files
+ moblock for ip-list blocking (maybe also for blocking known insecure
+ tripwire for integrity
+ aide for file changes
The documentation should provide information about:*
+ LVM encryption
+ , maybe with a little impressing mathmatical example of brute force
and social engineering. Especially using the same password in a social
network service and as the root password is kind of stupid.
+ Installation, usage and risks of tor, privoxy, ntp
+ The risk of using popular monopolists services
+ Maybe telling the users the risk of running sth as root via a
*Just some various links I found, related to this issue:*
Kees Cook schrieb:
> On Fri, Apr 02, 2010 at 01:20:33PM -0000, Nils-Christoph Fiedler wrote:
>> this idea, because today security is kind of a patchwork of different
>> software, partly even not in the repositories of ubuntu, which makes it
> I have to disagree about the "not in the repositories" bit, but I can
> agree that a central UI for investigating security would be interesting.
>> accurate and a little annoying for more skilled ones, to install and
>> setup those software separately. (talking about my personal experience)
> The bulk of Ubuntu's security is on by default and doesn't require
> any user interaction. For the other pieces, the way to configure them
> is very different, since they do very different things. To that end,
> I think documentation is needed before a UI. If we can't describe what
> to do first, we have no hope of writing a UI to help do things. :)
>> besides that i think there is a lack of "corporate design" or
>> centralization of software and settings management in ubuntu, because
>> you dont have one location where to individualize settings, but a
>> handful of applications for that. (maybe this is also a problem of
>> what do you think about that?
> Sounds like a great project; I would be interested in what you come
> up with. Just itemizing specifically which subsystems to incorporate
> would be a great first step, with consolidated documentation pointers
> to follow, I'd imagine.
>  https://wiki.ubuntu.com/Security/Features#Matrix
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ubuntu-hardened