<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<small><font face="Arial">I surely meant the usage of unskilled users
with SELinux. But my scepticism refers to the NSA history of SELinux. I
simply don't trust it out of this circumstance. We have a little private
people monitoring through our government here in Germany, so it's hard
for me to trust a technology inspired or whatever by an institution like
that. Has anyone of you verified the code of SELinux as not possibly
evil?<br>
<br>
In my eyes, besides hard techniques, human perception and a related
lack of information is a great cause for the vulnerability of a system.
Therefore the documentation of a "security-center" is very important.
Today this important information that is needed for the user to see
the necessity to take action is widely spread over the internet. (I don't
know of a source, where much information about this issue is bundled.)
And there will always be a statistical lack of security, when it is too
uncomfortable for the user to take this action to protect him / her,
because then it is easier to fall back to old samples of behaviour -
that's human.<br>
<br>
For those packages, that are already part of the repositories /
sources-list, there should be an easy way of installation via GUI. The
possibility to install the terminal or else doesn't meet the goal of
ease, when you don't know, what to install.<br>
<br>
I guess that's it from over here for the moment. Please keep in mind,
that I am using GNOME, so that I am not aware of maybe existing Ubuntu
specific GUIs concerning this issue in KDE.<br>
<br>
<br>
<b>Here's an open list, feel free to add / modify something missing:</b><br>
+ Email encryption like enigmail / seahorse<br>
+ Firewall / iptables / port management (when I install gufw today, the
default setting is OFF.. / sudo ufw status)<br>
+ Antivirus like clamav (especially for machines standing in a local
network with Windows machines - I could never run clamtk for updates
properly)<br>
+ Usage of Bleachbit / Deborphan / wipe order (even cache and history
data can be a vulnerability in case of local access to the machine)<br>
+ Easy installation of Truecrypt by integration into the sources-list
by default<br>
+ Test script for password strength (the documentation should
recommend [1] alternation, different level pwds and provide information
about the syntax of good passwords, maybe with an implementation of
John &amp; rainbow tables / international dictionaries or an updatable
local database, that stores the most known weak passwords, like
"password", "god" and so on)<br>
+ Combined web browser user agent and language switcher (today only
available as a plugin for Firefox as far as I know)<br>
+ rkhunter / chkrootkit for rootkits, backdoors, exploits<br>
+ Check whether a keylogger is running (e.g. lkl)<br>
+ Permission check, using information provided by apt to identify
changes to system files<br>
+ moblock for IP list blocking (maybe also for blocking known insecure
Tor end nodes)<br>
+ tripwire for integrity<br>
+ aide for file changes<br>
+ logcheck<br>
+ checksecurity<br>
+ denyhosts<br>
<br>
<b><br>
The documentation should provide information about:</b><br>
+ LVM encryption<br>
+ [1], maybe with a little impressing mathematical example of brute
force and social engineering. Especially using the same password in a
social network service and as the root password is kind of stupid.<br>
+ Installation, usage and risks of Tor, privoxy, ntp<br>
+ The risk of using popular monopolists' services<br>
+ Maybe telling the users the risk of running something as root via a
self-closing popup<br>
<br>
<br>
<b>Just some various links I found, related to this issue:</b><br>
<a class="moz-txt-link-freetext" href="http://savannah.nongnu.org/projects/tiger">http://savannah.nongnu.org/projects/tiger</a><br>
<a class="moz-txt-link-freetext" href="http://savannah.nongnu.org/project/memberlist.php?group=tiger">http://savannah.nongnu.org/project/memberlist.php?group=tiger</a><br>
<a class="moz-txt-link-freetext" href="http://www.nongnu.org/tiger/">http://www.nongnu.org/tiger/</a><br>
<a class="moz-txt-link-freetext" href="http://brainstorm.ubuntu.com/idea/19648/">http://brainstorm.ubuntu.com/idea/19648/</a><br>
<a class="moz-txt-link-freetext" href="http://brainstorm.ubuntu.com/idea/1282/">http://brainstorm.ubuntu.com/idea/1282/</a><br>
<a class="moz-txt-link-freetext" href="https://help.ubuntu.com/community/MoBlock">https://help.ubuntu.com/community/MoBlock</a><br>
<a class="moz-txt-link-freetext" href="http://www.debuntu.org/intrusion-detection-with-aide">http://www.debuntu.org/intrusion-detection-with-aide</a><br>
<a class="moz-txt-link-freetext" href="http://packages.ubuntu.com/de/karmic/denyhosts">http://packages.ubuntu.com/de/karmic/denyhosts</a><br>
<br>
</font></small><br>
<br>
<br>
<br>
<br>
---<br>
<br>
Kees Cook wrote:
<blockquote cite="mid:20100402173348.GY4078@outflux.net" type="cite">
<pre wrap="">On Fri, Apr 02, 2010 at 01:20:33PM -0000, Nils-Christoph Fiedler wrote:
</pre>
<blockquote type="cite">
<pre wrap="">this idea, because today security is kind of a patchwork of different
software, partly even not in the repositories of ubuntu, which makes it
</pre>
</blockquote>
<pre wrap=""><!---->
I have to disagree about the "not in the repositories" bit, but I can
agree that a central UI for investigating security would be interesting.
</pre>
<blockquote type="cite">
<pre wrap="">accurate and a little annoying for more skilled ones, to install and
setup those software separately. (talking about my personal experience)
</pre>
</blockquote>
<pre wrap=""><!---->
The bulk of Ubuntu's security[1] is on by default and doesn't require
any user interaction. For the other pieces, the way to configure them
is very different, since they do very different things. To that end,
I think documentation is needed before a UI. If we can't describe what
to do first, we have no hope of writing a UI to help do things. :)
</pre>
<blockquote type="cite">
<pre wrap="">besides that I think there is a lack of "corporate design" or
centralization of software and settings management in ubuntu, because
you don't have one location where to individualize settings, but a
handful of applications for that. (maybe this is also a problem of
gnome)
what do you think about that?
</pre>
</blockquote>
<pre wrap=""><!---->
Sounds like a great project; I would be interested in what you come
up with. Just itemizing specifically which subsystems to incorporate
would be a great first step, with consolidated documentation pointers
to follow, I'd imagine.
Thanks!
-Kees
[1] <a class="moz-txt-link-freetext" href="https://wiki.ubuntu.com/Security/Features#Matrix">https://wiki.ubuntu.com/Security/Features#Matrix</a>
</pre>
</blockquote>
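<br>
Added example (not part of the original message or of any Ubuntu tool): a minimal Python sketch of the password-strength test script and the brute-force arithmetic proposed in the list above, including the reuse check for "different level" passwords. The weak-password set, the guess rate of 10^9 per second and the 12-character / 60-bit thresholds are assumptions chosen for illustration.<br>
<pre>
```python
import math
import string

# Constructed stand-in for the "updatable local database" of known weak
# passwords; "password" and "god" are the two examples named in the post.
WEAK_PASSWORDS = {"password", "god", "123456", "qwerty", "letmein"}

# Assumption: an offline attacker testing 1e9 candidates per second.
GUESSES_PER_SECOND = 1e9

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(pw):
    """Size of the alphabet a brute-force attacker must cover for pw."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    # Characters outside the four ASCII classes: count a nominal 32 extra.
    if any(ch not in "".join(CLASSES) for ch in pw):
        size += 32
    return size


def brute_force_seconds(pw):
    """Worst-case time to enumerate every string of this length/alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def check_password(pw, used_elsewhere=()):
    """Return a list of findings; an empty list means no check failed."""
    findings = []
    if pw.lower() in WEAK_PASSWORDS:
        findings.append("listed in weak-password database")
    if pw in used_elsewhere:  # e.g. the same password on a social network
        findings.append("reused from another account")
    if 12 > len(pw):
        findings.append("shorter than 12 characters")
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0
    if 60 > bits:
        findings.append("search space below 60 bits (%.1f)" % bits)
    return findings


if __name__ == "__main__":
    for candidate in ("god", "Tr0ub4dor", "correct horse battery staple"):
        days = brute_force_seconds(candidate) / 86400
        print(repr(candidate), "%.3g days" % days, check_password(candidate))
```
</pre>
The time estimate covers exhaustive brute force only; a dictionary or rainbow-table check, as the list item suggests, would reject many passwords that pass the length and search-space tests.<br>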
</body>
</html>