Ubuntu Wiki

Jaunty

Hardened Compiler Flags

• Continue building more of the archive with the new CompilerFlags, as originally detailed in the HardeningWrapper documentation.

Blueprints

• https://blueprints.launchpad.net/ubuntu/+spec/jaunty-security-defaults

  • SHA512
  • SYN-flood protection

  • Dovecot AppArmor profile

• https://blueprints.launchpad.net/ubuntu/+spec/use-pae-when-possible

  • have installer choose -server when hardware is PAE-capable (perhaps rename -server kernel to something that doesn't seem strange to desktop users).

• https://blueprints.launchpad.net/ubuntu/+spec/64bit-pie-by-default

Documentation

• The Security Team FAQ needs to be filled with answers to the various questions Ubuntu gets about security.

• The Security Team KnowledgeBase need more to be written. Many ideas have already been listed there.

Investigations

Several ideas for possible work come from investigating existing the installed set of packages.

• setuid: which programs are setuid and what may be needed to improve them.

• possibly other good ideas from brainstorm see : http://brainstorm.ubuntu.com/category/16

Unscheduled Wishlist Items

This area can be used to list ideas for future security work, or link to bugs that describe "Wishlist" issues.

• investigate soft nx patch (last remaining execshield feature not in mainline yet)

  • http://cvs.fedora.redhat.com/viewcvs/devel/kernel/linux-2.6-execshield.patch?root=extras&view=log

• non-exec stack bugs (there are still some programs that have executable stack regions). doing this is only useful when either softnx or PAE-nx are used on 32bit, since 64bit already defaults to a non-exec stack.

  • https://bugs.launchpad.net/ubuntu/+bugs?field.tag=execstack

  • "readelf -l $BIN" shows GNU_STACK with "E".

  • Gentoo write-up of what to do: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

  • Get Fedora patches upstream where they belong

    • http://cvs.fedoraproject.org/viewcvs/devel/bogl/bogl-0.1.18-noexecstack.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/gdk-pixbuf/gtk+-2.2.2-noexecstack.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/libdv/libdv-0.104-no-exec-stack.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/lightning/lightning-1.2-execstack.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/net-tools/net-tools-1.60-execshield.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/net-tools/netplug-1.2.9-execshield.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/ocaml/ocaml-3.11-dev12-no-executable-stack.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/qimageblitz/qimageblitz-0.0.4-noexecstack.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/zip/exec-shield.patch?view=markup

    • http://cvs.fedoraproject.org/viewcvs/devel/mlton/mlton-20070826-no-execmem.patch?view=markup

• more profiles added to apparmor-profiles
• hardened default config (Bastille-like). Check the compatibility of debian-bastille
• look into chrooted-packages (as in apt-get install apache-chroot). Special attention on virtual hosting, updating and adding packages and modules. Another option would be to develop an apparmor profile and/or selinux policy.
• Modify debsecan package to grab CVE reports from USN

• Extract useful /Grsecurity patches for the kernel.

• Modify apt-listbugs package to check package CVE's from USN.

• Implement more useful SAK that does not kill a running X server/session (Secure Attention Key: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-hardy.git;a=blob;f=Documentation/SAK.txt;hb=HEAD). The current SAK implementation closes everything that has /dev/console open, including entire tty7 (graphical display), while the Windows implementation is more useful because there is an option to require Ctrl-Alt-Del prior to entering any log on password (initial log on, re-log on after returning from screensaver, etc.).

• Improved use of cryptography integrated well with Ubuntu
  • Encrypted swap by default on all installations
  • eCryptfs + SELinux/AppArmor integration, to protect encrypted data from root
• Sweeping, static analysis of all of main (then universe)

  • something like bogosec (http://bogosec.sourceforge.net/) to provide numeric source code quality metrics, track over time, use for code review

• Anti-virus

  • ClamavSpamassassinInMain

  • If Ubuntu continues to gain popularity, it will garner more attention from virus writers

  • Would be nice not to make some of the mistakes Windows makes with its anti-virus software

• Security Certification / Documentation
  • IBM presentation on work it did certifying RHEL/SLES, stresses open sourced efforts:

    • http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/os-ltc-standards/LWE-Boston-06.pdf

    • http://www-128.ibm.com/developerworks/linux/library/os-ltc-security/

  • RHEL High Level Design document, rewrite for Ubuntu?

    • http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/os-ltc-security/RHEL-4-HL-V2.13.pdf

CategorySecurityTeam