[ubuntu-hardened] security center in ubuntu

Nils-Christoph Fiedler ncfiedler at gnome.org
Sat Apr 3 12:29:52 BST 2010


I surely meant the usage of unskilled users with SELinux. But my 
scepticism refers to the NSA history of SELinux. I simply don't trust it 
out of this circumstance. We have a little private people monitoring 
through our government here in Germany, so it's hard for me to trust a 
technology inspired or whatever by an institution like that. Has anyone 
of you verified the code of SELinux as not possibly evil?

In my eyes, besides hard techniques, human perception and a related lack 
of information is a great cause for the vulnerability of a system. 
Therefore the documentation of a "security-center" is very important. 
Today this important information that is needed for the user to see the 
necessity to take action is widely spread over the internet. (I don't know 
of a source where much information about this issue is bundled.) And 
there will always be a statistical lack of security when it is too 
uncomfortable for the user to take this action to protect him / her, 
because then it is easier to fall back to old samples of behaviour - 
that's human.

For those packages that are already part of the repositories / 
sources-list, there should be an easy way of installation via GUI. The 
possibility to install the terminal or else doesn't meet the goal of 
ease when you don't know what to install.

I guess that's it from over here for the moment. Please keep in mind 
that I am using GNOME, so that I am not aware of maybe existing Ubuntu 
specific GUIs concerning this issue in KDE.


*Here's an open list, feel free to add / modify sth. missing:*
+ Email encryption like enigmail / seahorse
+ Firewall / iptables / port management (when I install gufw today, the 
default setting is OFF.. / sudo ufw status)
+ Antivirus like clamav (especially for machines standing in a local 
network with Windows machines - I could never run clamtk for updates 
properly)
+ Usage of Bleachbit / Deborphan / wipe order (even cache and history 
data can be a vulnerability in case of local access to the machine)
+ Easy installation of Truecrypt by integration into the sources-list by 
default
+ Testing script for password strength (the documentation should recommend 
[1] alternation, different level pwds and provide information about the 
syntax of good passwords, maybe with an implementation of John & rainbow 
tables / international dictionaries or an updatable local database, that 
stores the most known weak passwords, like "password", "god" and so on)
+ Combined Webbrowser user agent and language switcher (today only 
available as a plugin for Firefox as far as I know)
+ rkhunter / chkrootkit for rootkits, backdoor, exploits
+ Check whether a keylogger is running (e.g. lkl)
+ Permission check, using information provided by apt to identify 
changes to system files
+ moblock for ip-list blocking (maybe also for blocking known insecure 
tor endnodes)
+ tripwire for integrity
+ aide for file changes
+ logcheck
+ checksecurity
+ denyhosts

*The documentation should provide information about:*
+ LVM encryption
+ [1], maybe with a little impressing mathematical example of brute force 
and social engineering. Especially using the same password in a social 
network service and as the root password is kind of stupid.
+ Installation, usage and risks of tor, privoxy, ntp
+ The risk of using popular monopolists' services
+ Maybe telling the users the risk of running sth as root via a 
self-closing popup


*Just some various links I found, related to this issue:*
http://savannah.nongnu.org/projects/tiger
http://savannah.nongnu.org/project/memberlist.php?group=tiger
http://www.nongnu.org/tiger/
http://brainstorm.ubuntu.com/idea/19648/
http://brainstorm.ubuntu.com/idea/1282/
https://help.ubuntu.com/community/MoBlock
http://www.debuntu.org/intrusion-detection-with-aide
http://packages.ubuntu.com/de/karmic/denyhosts






---

Kees Cook wrote:
> On Fri, Apr 02, 2010 at 01:20:33PM -0000, Nils-Christoph Fiedler wrote:
>   
>> this idea, because today security is kind of a patchwork of different
>> software, partly even not in the repositories of ubuntu, which makes it
>>     
>
> I have to disagree about the "not in the repositories" bit, but I can
> agree that a central UI for investigating security would be interesting.
>
>   
>> accurate and a little annoying for more skilled ones, to install and
>> setup those software separately. (talking about my personal experience)
>>     
>
> The bulk of Ubuntu's security[1] is on by default and doesn't require
> any user interaction.  For the other pieces, the way to configure them
> is very different, since they do very different things.  To that end,
> I think documentation is needed before a UI.  If we can't describe what
> to do first, we have no hope of writing a UI to help do things.  :)
>
>   
>> besides that I think there is a lack of "corporate design" or
>> centralization of software and settings management in ubuntu, because
>> you don't have one location where to individualize settings, but a
>> handful of applications for that. (maybe this is also a problem of
>> gnome)
>> what do you think about that?
>>     
>
> Sounds like a great project; I would be interested in what you come
> up with.  Just itemizing specifically which subsystems to incorporate
> would be a great first step, with consolidated documentation pointers
> to follow, I'd imagine.
>
> Thanks!
>
> -Kees
>
> [1] https://wiki.ubuntu.com/Security/Features#Matrix
>
>   
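
Added example (not part of the original message and not code from any Ubuntu tool): a sketch of the password-strength testing script proposed in the list above, combining the updatable local weak-password list, the brute-force arithmetic and the check for reusing one password across accounts. The function names, the sample list beyond "password" and "god", and the guess rate of 10^9 per second are assumptions made for illustration.

```python
import math
import string

# Constructed sample of a local weak-password list; "password" and "god" are
# the entries named in the post, the rest are made up for this example.
SAMPLE_WEAK_LIST = """\
# one entry per line, comments allowed
password
god
123456
letmein
qwerty
"""

GUESSES_PER_SECOND = 1e9  # assumed offline attacker speed, not a measured value

def load_weak_list(lines):
    """Parse an updatable list (any iterable of lines, e.g. an open file)."""
    entries = (line.strip().lower() for line in lines)
    return {e for e in entries if e and not e.startswith("#")}

def keyspace_bits(password):
    """Bits of brute-force work: length * log2(size of the character pools used)."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation + " ", 33)]
    size = sum(n for chars, n in pools if any(c in chars for c in password))
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return len(password) * math.log2(size) if size else 0.0

def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to try every candidate of this length and alphabet."""
    return 2 ** keyspace_bits(password) / rate

def audit(accounts, weak, min_seconds=365 * 24 * 3600):
    """accounts: {name: password}. Returns {name: [findings]} for weak ones."""
    findings = {}
    for name, pw in accounts.items():
        issues = []
        if pw.lower() in weak:
            issues.append("in weak-password list")
        if worst_case_seconds(pw) < min_seconds:
            issues.append("brute-forceable within a year")
        shared = sorted(n for n, p in accounts.items() if p == pw and n != name)
        if shared:
            issues.append("reused for " + ", ".join(shared))
        if issues:
            findings[name] = issues
    return findings
```

At the assumed rate an eight-letter lowercase password (26^8 candidates) is exhausted in under four minutes, which is the kind of figure the proposed documentation could show.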