Apport hook review/creation for security-oriented packages

Registered by Kees Cook on 2009-11-09

This session will review various packages that relate to the Ubuntu Security Team with an eye towards creating, improving, or justifying the lack of apport hooks.

Blueprint information

Status:
Complete
Approver:
Robbie Williamson
Priority:
Medium
Drafter:
Kees Cook
Direction:
Approved
Assignee:
Marc Deslauriers
Definition:
Approved
Series goal:
Accepted for lucid
Implementation:
Implemented
Milestone target:
None
Started by
Kees Cook on 2010-01-14
Completed by
Marc Deslauriers on 2010-03-05

Whiteboard

Work items:
create apport security symptom: DONE
push apparmor rejection collection into apport's hook-utils: POSTPONED
modify apport hooks to automatically add apparmor tag if a denial is found: POSTPONED
add apport hook to sudo to attach /etc/sudoers (after prompting user): DONE
add apport hook to shadow to attach /etc/login.defs: DONE
subscribe ubuntu-security to clamav, hardening-wrapper, ufw: DONE
review https://wiki.ubuntu.com/QATeam/MainPackagesWithoutBugSubscribers: DONE

Gobby notes:
Brian suggests an apport security symptom so that common questions, such
as why homedir permissions are set the way they are, can be answered,
hopefully reducing the number of bug reports about them.
  - /usr/share/apport/symptoms
  - sounds like a good ("brilliant") idea

Evince and firefox have them due to apparmor being used.
  - apparmor rejection collection should be pushed into apport's hook-utils

Some things require root access and so aren't included when run as a user.
pitti did add something in karmic that the apparmor hook should make
use of. ("apport.hookutils.root_command_output()")

= Potential Package Targets =
 * (anything carrying an AppArmor profile)
  * automatically add 'apparmor' tag (tags.append()) if there is a denial
  * possibly add 'apparmor' tag when a profile from apparmor-profiles is in
    enforcing mode
 * apparmor package -- move denial collection etc. into apport, then clean up so
   only the apparmor-package-specific stuff is left in the bug
   * ps auwwxZ
 * sudo
  * ask to attach /etc/sudoers if non-default
 * shadow
  * login: /etc/login.defs (attach if non-default)
 * selinux, refpolicy-ubuntu
  * no idea, enforcing mode, grub? maybe audit messages?
 * pam
  * non-default /etc/pam.d/ files?
 * prelink, libelf
  * execstack: interactive "which file caused it to break?"
 * policykit-1 (ubuntu-security needs to subscribe to this -- it moved)
  * ck-list-sessions (privacy issues?)
  * configuration files if changed?
 * openssl
 * openssh
  * note if config is non-default
 * libselinux
  * if selinux enabled, report stuff
 * libgcrypt11
 * gnutls*
 * gnupg*
 * ufw (detect if files are different and add in bug?)

Does apport have a method to attach a file if changed from install? If not, then
it should. [It does not!] (Maybe have the attaching optional and just indicate if the file has changed.)

Might want to look at attach_conffiles()

On sensitive files, don't attach but note if file is changed in the bug. Could also go interactive in the event that file is different. (Dependent on the above feature being added to apport.)
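
As an added illustration (not code from this blueprint, nor the hook that was later shipped for sudo), a hypothetical apport hook along the lines described above: it compares each conffile against the md5sum dpkg recorded at install time, records which ones changed in the report, and for a sensitive file such as /etc/sudoers attaches the contents only after asking through the hook UI. `add_info`, `demo`, the `ModifiedConffiles` key and the fake UI object are assumptions; `demo()` uses a constructed sudoers copy so it runs without dpkg or apport installed.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

SENSITIVE = {"/etc/sudoers"}  # record a change, but only attach after the user agrees

def dpkg_conffiles(package):
    """Shipped conffile md5sums as 'dpkg-query -W -f=${Conffiles}' prints them (needs dpkg)."""
    return subprocess.run(["dpkg-query", "-W", "-f=${Conffiles}", package],
                          capture_output=True, text=True, check=True).stdout

def parse_conffiles(conffiles_output):
    """Map each conffile path to its shipped md5; lines look like ' /etc/sudoers <md5>'."""
    fields = (line.split() for line in conffiles_output.splitlines())
    return {f[0]: f[1] for f in fields if len(f) >= 2}

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def changed_conffiles(conffiles_output):
    """Conffiles whose on-disk md5 differs from the shipped one; a missing file counts as changed."""
    return [p for p, shipped in parse_conffiles(conffiles_output).items()
            if not Path(p).exists() or md5_of(p) != shipped]

def add_info(report, ui=None, conffiles_output=None, sensitive=SENSITIVE):
    """apport hook entry point (hypothetical hook, not the one that shipped in Ubuntu)."""
    output = conffiles_output if conffiles_output is not None else dpkg_conffiles("sudo")
    changed = changed_conffiles(output)
    report["ModifiedConffiles"] = " ".join(changed) or "none"
    for path in changed:
        if path in sensitive and (ui is None or not ui.yesno(
                "%s differs from the packaged version. Attach it to the bug report?" % path)):
            continue  # sensitive and not approved: the report only records that it changed
        if Path(path).exists():  # apport report keys may not contain '/'
            report[path.lstrip("/").replace("/", ".")] = Path(path).read_text()
    return changed

def demo(attach=False):
    """Constructed run: a copy of a 'shipped' sudoers is edited locally, then the hook runs."""
    path = Path(tempfile.mkdtemp()) / "sudoers"
    path.write_text("root ALL=(ALL:ALL) ALL\n")
    shipped = " %s %s\n" % (path, md5_of(path))  # what dpkg-query would have printed
    path.write_text(path.read_text() + "alice ALL=(ALL:ALL) ALL\n")  # local edit
    ui = type("FakeUI", (), {"yesno": lambda self, text: attach})()  # stands in for apport's UI
    report = {}
    changed = add_info(report, ui, shipped, sensitive={str(path)})
    return report, changed
```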

netstat needs a -Z option! :)

= What New Packages Should Ubuntu Security Subscribe To =
 * clamav
 * hardening-wrapper
 * ufw

ACTION: review https://wiki.ubuntu.com/QATeam/MainPackagesWithoutBugSubscribers for packages to subscribe to and actually subscribe to them (whole team)

(?)
