Roadmap
SELinux Support
Hardy Heron
The roadmap and progress on providing SELinux support for Hardy can be found at the ["HardySELinux"] wiki page.
Hardening Wrapper
Documentation
Need to provide documentation for:
- use with pbuilder
- adjusting packaging to enable/disable hardening-wrapper
- recompiling existing packages with hardening-wrapper
Hardy Heron
Enable the [:Security/HardeningWrapper: HardeningWrapper] on select packages. Some candidates might be:
- apache2
- php5
- mysql
- bind9
- openldap2.3
- postfix
- cupsys
- openssh
- postgresql
- samba
- dovecot
- dhcpd
- dhcp3-client
These candidates were chosen because they are network daemons that are installed either through tasksel or in typical installations. Each package would need a Build-Depends on hardening-wrapper and a corresponding change to debian/rules. This will require discussion and testing, and may not be appropriate for Hardy.
Intrepid Ibex
Enable the [:Security/HardeningWrapper: HardeningWrapper] on all buildd systems so all programs are compiled with it by default.
Documentation
- The Security Team [:SecurityTeam/FAQ: FAQ] needs to be written to answer the various questions Ubuntu gets about security.
- The Security Team [:SecurityTeam/KnowledgeBase: KnowledgeBase] needs to be written. Many ideas have already been listed there.
Investigations
Several ideas for possible work come from investigating the set of packages that are installed by default.
- [:Security/Investigation/Setuid]: which programs are setuid and what may be needed to improve them.
Wishlist
This area can be used to list ideas for future security work, or link to bugs that describe "Wishlist" issues.
- non-exec stack bugs (there are still some programs that have executable stack regions)
- more profiles added to apparmor-profiles
- hardened default config (Bastille-like); check the compatibility of debian-bastille
- look into chrooted packages (as in apt-get install apache-chroot), with special attention to virtual hosting and to updating and adding packages and modules. Another option would be to develop an AppArmor profile and/or SELinux policy.
- Modify debsecan package to grab CVE reports from USN
- Extract useful ["/Grsecurity"] patches for the kernel.
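The following is an added example, not code from this wiki page or from the hardening-wrapper package. It checks the ELF-level properties that a hardening-wrapper build (hardening-wrapper is enabled by exporting DEB_BUILD_HARDENING=1 from debian/rules) should produce on the candidate daemons listed above, and that the "non-exec stack" Wishlist item refers to: PIE (e_type ET_DYN), RELRO (a PT_GNU_RELRO segment) and a non-executable stack (PT_GNU_STACK without PF_X). It only reads the ELF header and program headers of 64-bit little-endian binaries; stack-protector and BIND_NOW detection would need the symbol table and dynamic section, which it does not parse. The two sample ELF images are constructed inline so the script runs offline; pass real paths on the command line to audit installed binaries.

```python
"""Audit ELF hardening properties: PIE, RELRO and non-executable stack.

Added example. The UNHARDENED/HARDENED images below are constructed samples
(header + program headers only), not real binaries.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
PHENTSIZE = 56  # sizeof(Elf64_Phdr)


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELFCLASS64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    # Elf64_Ehdr offsets: e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)  # first two Phdr fields
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def audit(data):
    """Report the three hardening properties visible from the program headers."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        "relro": PT_GNU_RELRO in types,
        # No PT_GNU_STACK at all means the kernel falls back to an executable stack,
        # so that case is reported as not hardened too.
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
    }


def make_elf(e_type, phdrs):
    """Build a minimal constructed ELF64 image: header followed by program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,          # e_type, e_machine (x86-64), e_version
        0, 64, 0,               # e_entry, e_phoff (right after header), e_shoff
        0, 64, PHENTSIZE,       # e_flags, e_ehsize, e_phentsize
        len(phdrs), 64, 0, 0,   # e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a non-PIE binary with an executable stack and no RELRO,
# and a PIE binary with RELRO and a non-executable stack.
UNHARDENED = make_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED = make_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_RELRO, PF_R), (PT_GNU_STACK, PF_R | PF_W)])


def audit_file(path):
    with open(path, "rb") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, audit_file(path))
    else:
        print("unhardened sample", audit(UNHARDENED))
        print("hardened sample  ", audit(HARDENED))
```

Run it as `python3 audit.py /usr/sbin/sshd /usr/sbin/apache2` to check whether a rebuilt package actually picked up the wrapper's flags; a missing PT_GNU_STACK or a PF_X flag on it is exactly the executable-stack condition the Wishlist item describes.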
SecurityTeam/Roadmap (last edited 2022-01-04 22:38:06 by rodrigo-zaiden)