Security Catch-all

Registered by Marc Deslauriers on 2011-10-05

Implement various additional security things that don't need a full blueprint of their own. Some or all of this will be discussed in the morning roundtable discussions.

Blueprint information

Status:
Started
Approver:
Jamie Strandboge
Priority:
Medium
Drafter:
Marc Deslauriers
Direction:
Approved
Assignee:
Marc Deslauriers
Definition:
Approved
Series goal:
Accepted for precise
Implementation:
Beta Available
Milestone target:
None
Started by
Jamie Strandboge on 2011-10-25

Whiteboard

NOTE: jdstrand> wrt kubuntu, security team point of view given in various internal discussions. At this time, kubuntu TBD by TB

Work Items:
[jdstrand] discuss firewalld/network-manager changes with cyphermox (0.5): DONE
[jdstrand] ufw python3 support (2): POSTPONED
[jjohansen] add to regression tests that firewire dma is off and the old driver is blacklisted (0.5): TODO
[sbeattie] apport hook to disable bugs when people are using the Eve installer (look at automatix, verify plugin finder) (0.5): POSTPONED
[jdstrand] follow up with broder on writing a script to report -backports packages that need an update due to -security: DONE
[sbeattie] look at how to split/deactivate networking interface in auditd (maybe already handled in packaging) (1): POSTPONED
[sbeattie] auditd daemon-only package (0.5): POSTPONED
[sbeattie] create AppArmor profile for auditd (1): POSTPONED
[sbeattie] prepare MIR request for auditd (0.5): POSTPONED
[mdeslaur] remove java plugin from ubuntu-restricted-extras and verify plugin-finder service (0.5): DONE
[jdstrand] verify status of desktop-couch, if no longer used demote (bug #844995) (0.5): DONE
[tyhicks] verify status of erlang, if no longer used demote (rabbitmq needs it for build depends) (0.5): DONE
[jdstrand] review/update supported rdepends of qt4-x11 to determine if qt4-x11 needs to still be updated (medium) (0.5): DONE
[micahg] talk to desktop and upstream about direction of webkit-gtk 1.8 and go from there (high) (0.5): DONE
[micahg] triage the remaining webkit-gtk CVEs with aliases (medium) (2): POSTPONED
[micahg] file in embargoed with CVE and git commits for webkit-gtk (medium) (2): POSTPONED
[micahg] follow up with chriscoulson about getting stable ppa working for chromium: DONE
[micahg] identify what bugs in chromium we would block on and submit to team for review (high): DONE
[micahg] script screenshots of chromium (browsershots.org) (low) (1): POSTPONED
[jdstrand] add to QRT important packages to test for with webkit (0.5): DONE
[jdstrand] have script pull out assigned fields in cve alerts (0.5): DONE
[jdstrand] update wiki with meaning of work item, CVE priorities, security team policies on handling dev release (0.5): DONE
[sbeattie] see if debsums can use something better than md5 (0.5): POSTPONED
[sbeattie] if so, make sure packages in main make use of debsums at build time (2): POSTPONED
[sbeattie] investigate debsums.ubuntu.com (0.5): POSTPONED
[sbeattie] document proper use of debsums with a livecd (0.5): POSTPONED
[mdeslaur] work with mvo on package support status (mvo, mdeslaur, jdstrand) (1.5): DONE
[jdstrand] determine arm LTS status (0.5): DONE
[jdstrand] follow-up on what is happening with kubuntu (2): DONE
[mdeslaur] add overlayfs to schroot (1): DONE
[mdeslaur] verify sbuild for overlayfs (0.5): DONE
[mdeslaur] update mk-sbuild for overlayfs (0.5): DONE
[jdstrand] talk to elmo about squid3: DONE
[jdstrand] talk to server team about squid3: DONE
[tyhicks] verify selinux tools and framework (1): DONE
[mdeslaur] aide config files and UTF-8 - need to filter the final config (2): DONE
[mdeslaur] aide UTF-8 in database - need to check for UTF-8 (1): DONE
[jdstrand] file bug for rss feeds per release with usn-website (0.5): DONE
[sbeattie] fix qrt apache scripts for working with upstream testsuite (1): POSTPONED
[sbeattie] add umt compare-ppa-bin (1): POSTPONED
[sbeattie] add umt compare-ppa-log (1): POSTPONED
[micahg] Prepare ESR stable PPA for LTS releases (beta/aurora are the same for whatever the base rapid release version is) (0.5) (high): POSTPONED

UDS preparation notes:

= Roundtable topics =

Sandboxing (roundtable)
    - seccomp mode 2
        - ubuntu integration - apparmor integration? - is there anywhere we can utilize seccomp? (try and find potential proof of concept)
    - aa sandbox (maybe discuss in apparmor session)
        - chroot/aufs/overlayfs improvements/integration
    - containers

Look at Roadmap for important items (roundtable)

= Non-discussion items =
ensure that update-notifier-common is installed in the server seed so that motd gets updated information about available updates [LP: #870121]

screen locking
 - [smspillaz] implement gnome-shell style screen locking in compiz plugin: DONE - need to get into precise
 - Screen locking with autologin and passwordless users (work item)

See if anything is missing from https://wiki.ubuntu.com/UbuntuEngineering/12.04/UpstreamDevelopment/ProjectTracking
 - mentioning talking to security

crypto consolidation. (work items: (secure development wiki page) (add a mention to the MIR process))
    http://lwn.net/Articles/454491/
    http://p11-glue.freedesktop.org/doc/p11-kit/

md5 removal as a security hash in archive apps (work item (add to secure dev wiki page, add to mir process, add warnings to crypto library))

TLS 1.0/SSL 3.0 lifespan (work item)

review RBAC of other systems and see if anything we can take/get inspired by (work item: review other rbac systems)

How do we display ignored CVEs in our tracker? (ie: universe from hardy...)

= Monday roundtable notes =
Copied from http://summit.ubuntu.com/uds-p/meeting/19591/security-p-roundtable-monday/:
bug #879087: firewire. is there anything we need to do beyond our current defaults? No.
firewire:
 - the old driver with the problem is disabled (blacklisted)
 - the new driver doesn't have the problem
 - [ACTION] - add to regression tests that dma is off and the old driver is blacklisted

make sure an apport hook gets added to block bugs where users are using Eve installer (http://apticon.wordpress.com/) to install (a la automatix bug blocking)
[ACTION] apport hook to disable bugs when people are using the Eve installer
 - look at automatix hook
 - verify message pops up

[broder] write a script to report -backports packages that need an update due to -security - bring forward
[ACTION] follow up with broder on writing a script to report -backports packages that need an update due to -security - bring forward

ufw:
[ACTION] investigate firewalld for integration
[ACTION] qrt
[ACTION] daily builds

auditd in main? (maybe split it in two, a lobotomized version for main, and the full network connectivity version for universe?) (roundtable, bug #878155)
auditd in main:
 - 2 packages, one without networking and one with
 - network support isn't supported (per upstream)
 - even better just turn off networking
 - [ACTION] look at how to split/deactivate networking interface
 - [ACTION] audit daemon
 - [ACTION] create AppArmor profile
 - [ACTION] prepare MIR request

Getting ubuntu tools up to snuff for xattrs (roundtable)
 - used by file caps - security labeling
dpkg support for fscaps is no longer needed; instead, just make sure that the following tools handle xattrs:
• tar [fedora patch: http://pkgs.fedoraproject.org/gitweb/?p=tar.git;a=blob;f=tar-1.24-xattrs.patch]
• star
• ls
• rsync
• cpio
• any archiving tools
• look at configure options
• look for patches
• qrt test script for adding files and archiving
• gzip, bzip, lzma, xz, unzip (look into for individual
• bacula
• unison
• backuppc, bacula, rsnapshot (maybe add some documentation)
• [ACTION] wiki page documenting the investigations
• the attribute namespaces (security, trusted, system, user): which of these need to be backed up and restored?
∘ don't backup security
∘ do backup system (acls), trusted (fscaps?) and user (set fattr)
• reevaluate who does what after
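The namespace policy above (skip security.*, keep system.* for ACLs, trusted.* and user.*) as a small backup helper. This is an added example, not code from the original notes or from any of the tools listed; it assumes Linux (os.listxattr/os.getxattr) and adds one exception the notes leave open with "(fscaps?)": file capabilities are stored in security.capability, so a blanket skip of security.* would drop them.

```python
import errno
import os

# Namespaces the roundtable chose to back up: system.* (ACLs), trusted.* and
# user.*. security.* labels are regenerated by the target system and skipped,
# except security.capability, which is where file capabilities actually live
# (exception added in this example, not stated in the notes).
BACKUP_NAMESPACES = ("system.", "trusted.", "user.")
FSCAPS_ATTR = "security.capability"

def should_backup(name):
    """True if the xattr `name` belongs in a backup under this policy."""
    return name == FSCAPS_ATTR or name.startswith(BACKUP_NAMESPACES)

def plan_backup(names):
    """Split xattr names into (keep, skip) lists, preserving order."""
    keep = [n for n in names if should_backup(n)]
    skip = [n for n in names if not should_backup(n)]
    return keep, skip

def collect_xattrs(path):
    """Read the backup-worthy xattrs of one path into {name: bytes}.
    A filesystem without xattr support yields an empty dict; a name that
    cannot be read (trusted.* needs CAP_SYS_ADMIN) is recorded as None so
    the backup log shows it was present but not captured."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as e:
        if e.errno == errno.EOPNOTSUPP:
            return {}
        raise
    out = {}
    for name in names:
        if not should_backup(name):
            continue
        try:
            out[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError as e:
            if e.errno not in (errno.EPERM, errno.EACCES, errno.ENODATA):
                raise
            out[name] = None
    return out
```

Running collect_xattrs over a tree and diffing the result after a tar/rsync/cpio round trip is the "qrt test script for adding files and archiving" item in its simplest form.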
[ACTION] remove java plugin from ubuntu-restricted-extras
 - major security attack vector
 - usage of legitimate java plugins on web is not widespread
 - no longer restricted
[ACTION] verify plugin-finder-service
[ACTION] notify major derivatives
desktop-couch and erlang
[ACTION] verify status
[ACTION] if no longer used demote
[ACTION] rabbitmq needs it for build depends
debsums in main
 - based on md5
 - some packages in main don't ship it, so if debsums is installed afterwards the checksums are not created
 - most packages ship it
 - [ACTION] see if debsums can use something better than md5
 - when is it enabled?
 - to be continued
Also see uncompleted work items from: security-o-catch-all

= Tuesday Roundtable =
debsums in main
 - based on md5
 - some packages in main don't ship it, so if debsums is installed afterwards the checksums are not created
 - most packages ship it
 - [ACTION] see if debsums can use something better than md5
 - when is it enabled?
 - [ACTION] investigate debsums.ubuntu.com
 - [ACTION] document proper use of debsums with a livecd
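For the "see if debsums can use something better than md5" item in the Monday and Tuesday notes, an added example (not debsums' own code) of a debsums-style verifier that reads dpkg's `<hexdigest>  <path>` manifest layout and accepts either md5 or sha256 entries, so a sha256 manifest generated at build time can be checked with the same tool. The file tree, paths and contents in demo() are constructed under a temporary directory.

```python
import hashlib
import os
import tempfile

# Manifest line: "<hexdigest>  <path relative to root>", the layout of dpkg's
# <pkg>.md5sums files; the algorithm is inferred from the hex length.
DIGEST_BY_HEXLEN = {32: "md5", 64: "sha256"}

def parse_manifest(text):
    """Yield (algorithm, hexdigest, relpath) for each non-empty line."""
    for line in filter(None, text.splitlines()):
        hexdigest, _, relpath = line.partition("  ")
        algo = DIGEST_BY_HEXLEN.get(len(hexdigest))
        if algo is None or not relpath:
            raise ValueError("unrecognised manifest line: %r" % line)
        yield algo, hexdigest.lower(), relpath

def file_digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def make_manifest(root, relpaths, algo="sha256"):
    """Build-time side: emit a manifest for `relpaths` found under `root`."""
    return "".join("%s  %s\n" % (file_digest(os.path.join(root, p), algo), p)
                   for p in relpaths)

def verify(manifest, root="/"):
    """Check each entry; returns relpath -> "OK", "FAILED" or "MISSING"."""
    results = {}
    for algo, expected, relpath in parse_manifest(manifest):
        full = os.path.join(root, relpath)
        if not os.path.isfile(full):
            results[relpath] = "MISSING"
        else:
            results[relpath] = "OK" if file_digest(full, algo) == expected else "FAILED"
    return results

def demo(algo="sha256"):
    """Constructed sample tree: one file left alone, one modified, one deleted."""
    files = {"usr/bin/tool": b"#!/bin/sh\necho ok\n",
             "etc/tool.conf": b"level=1\n",
             "usr/share/doc/tool/README": b"tool\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = make_manifest(root, files, algo)
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"echo tampered\n")  # post-install modification
        os.remove(os.path.join(root, "etc/tool.conf"))
        return verify(manifest, root)
```

As the notes say, this only catches modification after the manifest was made: a package whose manifest is missing or itself tampered with verifies nothing, which is why the manifest has to be shipped by the package rather than generated on the installed system.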

mvo:
 - [ACTION] mdeslaur to work with mvo on maintenance time frame for LTS
 - [ACTION] will arm be full lts
 - [jdstrand] follow-up on what is happening with kubuntu
 - [ACTION] verify main and universe and what should be where (mvo, mdeslaur, jdstrand)

aufs is gone (doesn't compile)
[kees] add overlayfs to schroot
[ACTION] verify sbuild
[ACTION] update mk-sbuild

squid3
[jdstrand] talk to elmo about squid3
[jdstrand] talk to server team about squid3

selinux
[tyhicks] verify selinux tools and framework

aide
- two issues
 - [ACTION] config files and UTF-8 - need to filter the final config
 - [ACTION] UTF-8 in database - need to check for UTF-8

UCT rss feeds per package
- neat, but not immediately straightforward to implement
- patches welcome

usn-website
- [ACTION] file bug for rss feeds per release

updating the dev release
- pocket copies - at what point do we stop? We can do this as long as the dev release does not have a newer version. At alpha 1 we upload, merge or sync
- [micahg] ask TB or appropriate group on archive admin policy on what gets pocket copied to dev release and when so we don't lose patches (eg, -proposed has something newer and someone merges to dev, thus losing the patch)
- to be continued

= Security roundtable Wednesday =
discussed ceph a bit in preparation for the session later

discussed Ubuntu security features with potential customer

discussed chromium reduced test cases (ie, test only what we might block on)
desktop/test_printing
desktop/test_existing_profiles
files/test_office_docs: one oo.o document .doc
'images' : gif, jpg, png, pdf
pages/test_bookmarks
pages/test_redirect
pages/test_javascript_google
plugins/test_flash
plugins/test_html5
plugins (other): two files, do one as embedded and one as http
ssl/test_https
ssl/test_by_hostname: visit twice. first time, exit on warning. 2nd, accept on warning
ssl/test_by_ip: visit twice. first time, exit on warning. 2nd, accept on warning
java/test_java
java/test_java_lp728798: the color dither one

work item: fix basic and digest auth tests for chromium

= Friday Roundtable =
ecryptfs and long filenames
- stream cipher
add an entry to our FAQ on the installer hash issue
[ev] tell security team how installer hash is generated
possibly add an entry to the FAQ on the geoip
lots of talk with ted discussing the status of dbus/apparmor and its direction, as well as what he would like ("a sort of policykit for the session bus")
