<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.ubuntu.hardened.general">
    <title>gmane.linux.ubuntu.hardened.general</title>
    <link>http://blog.gmane.org/gmane.linux.ubuntu.hardened.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/593"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/574"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/570"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/566"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/564"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/563"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/559"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/556"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/551"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/549"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/548"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/547"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/544"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/543"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/542"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/540"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/538"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/537"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/528"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/522"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/593">
    <title>authenticated NTP</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/593</link>
    <description>&lt;pre&gt;Why does Ubuntu not use authenticated NTP by default?

Unauthenticated NTP is dangerous; for example, a MITM can forge the NTP
reply, switch the date back and use old/revoked SSL certificates.


&lt;/pre&gt;</description>
    <dc:creator>proper&lt; at &gt;tormail.net</dc:creator>
    <dc:date>2012-02-19T22:26:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/574">
    <title>Add overflow protection to kref</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/574</link>
    <description>&lt;pre&gt;Hi,

We are attempting to add various grsecurity/PAX features to upstream
Ubuntu kernels.

The PAX folks added refcount overflow protection by inserting
architecture-specific code in the increment paths of atomic_t.  For
instance:

static inline void atomic_inc(atomic_t *v)
 {
asm volatile(LOCK_PREFIX "incl %0\n"

#ifdef CONFIG_PAX_REFCOUNT
     "jno 0f\n"
     LOCK_PREFIX "decl %0\n"
     "int $4\n0:\n"
     _ASM_EXTABLE(0b, 0b)
#endif

     : "+m" (v-&amp;gt;counter));
}

There are two distinct classes of users we need to consider here:
those who use atomic_t for reference counters and those who use
atomic_t for keeping track of statistics, like performance counters,
etc.; it makes little sense to overflow a performance counter, so we
shouldn't subject those users to the same protections as imposed on
actual reference counters.  The solution implemented by PAX is to
create a family of *_unchecked() functions and to patch
statistics-based users of atomic_t to use this interface.

PAX refcount overflow p&lt;/pre&gt;</description>
    <dc:creator>David Windsor</dc:creator>
    <dc:date>2012-02-16T14:02:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/570">
    <title>Sysctl for set_kernel_text_r[wo]</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/570</link>
    <description>&lt;pre&gt;Hi,

I am looking into adding a sysctl that enables toggling of
set_kernel_text_rw, set_kernel_text_ro.  It appears that the only
caller of these methods is ftrace, which can rather easily be disabled
when these methods are unavailable.

I'm afraid I'm overlooking something major here.  It seems that such a
control would have been added much earlier if it was actually as
simple as adding a guard variable, mutable via a sysctl, allowing
access to this interface.

Thanks,
David Windsor

&lt;/pre&gt;</description>
    <dc:creator>David Windsor</dc:creator>
    <dc:date>2011-09-19T01:42:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/566">
    <title>OVAL/XCCDF for Ubuntu</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/566</link>
    <description>&lt;pre&gt;howdy all,

After a brief discussion with sbeattie, kees and mdeslaur, in the
#ubuntu-hardened irc channel, I understand that there are no official
efforts to establish an OVAL and/or XCCDF for ubuntu releases. There
are an increasing amount of utilities to generate reports, or execute
tests from these file formats. One of which is openscap
(http://www.open-scap.org/). A lot of its efforts come from the
redhat community.

Question to the community, are there any groups currently working on
OVAL/XCCDF files, that would be willing to share?

mdeslaur,
you mentioned access to the USN database, that might get accessed in
an effort to generate these files. Can you provide more information on
that?

Take care,
vb

&lt;/pre&gt;</description>
    <dc:creator>Vincent Batts</dc:creator>
    <dc:date>2011-09-16T19:54:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/564">
    <title>[PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/564</link>
    <description>&lt;pre&gt;Hi,

This patch addresses a flaw in seunshare.c that allows unprivileged
users to arbitrarily modify the contents of /tmp.  This bug is further
described in CVE 2011-1011
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011):

The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat
Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a
new directory on top of /tmp without assigning root ownership and the
sticky bit to this new directory, which allows local users to replace or
delete arbitrary /tmp files, and consequently cause a denial of service or
possibly gain privileges, by running a setuid application that relies on
/tmp, as demonstrated by the ksu application

This patch preserves the mode bits, and thus permissions, and
ownership of the destination directory of the bind mount performed by
seunshare.  The permission check in verify_mount() was relaxed for
directories who originally had the &lt;/pre&gt;</description>
    <dc:creator>dave w</dc:creator>
    <dc:date>2011-09-15T17:39:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/563">
    <title>tomld: fully automatic MAC configuration solution</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/563</link>
    <description>&lt;pre&gt;
Dear Members,

I'd like to announce the availability of the first beta release of my
tomld project.

This is a daemon managing fully automatic MAC configuration without any
user interaction.

(supported platforms are: Debian 6 and up, Ubuntu 10.10 and up)

My site:
http://log69.com/tomld_en.html

FAQ:
http://log69.com/help_en.html

Screenshot:
http://log69.com/images/tomld.png

You can also find a video of a quick installation:
http://www.youtube.com/watch?v=8pfjuU94of4
http://log69.com/extras/tomld038_ubuntu1104_install.ogv

The code is in beta status, but I'm already using and testing it in
smaller production environments. Once I have a stable version, I'll get
it into Debian as a package.

Every suggestion and feedback are welcome!


Regards,

Andras Horvath
&lt;/pre&gt;</description>
    <dc:creator>Horvath Andras</dc:creator>
    <dc:date>2011-07-27T06:36:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/559">
    <title>Firewall settings: User interface review and questions</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/559</link>
    <description>&lt;pre&gt;
Hi

Part of the planned "Desktop-side networking enhancements"
&amp;lt;https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements&amp;gt;
is the addition of a graphical interface for configuring a firewall.

Mathieu Trudel-Lapierre and I have been working on a design for the
firewall settings. Here's what we have so far:
&amp;lt;https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design&amp;gt;

We'd appreciate a general sanity check for these settings, from people
who know more about security than we do. Are they missing anything
highly useful? Or is there anything there that shouldn't be?

There are also two specific questions we have:

*   Does Ubuntu have any "essential" incoming connections, which should
    be allowed in the normal case even when the firewall is turned on?
    (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
    essential.)

    -   If so, how much use is it to have a graphical setting for
        blocking even those "essen&lt;/pre&gt;</description>
    <dc:creator>Matthew Paul Thomas</dc:creator>
    <dc:date>2011-06-23T16:12:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/556">
    <title>Invitation to connect on LinkedIn</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/556</link>
    <description>&lt;pre&gt;LinkedIn
------------

   
Ubuntu,

I'd like to add you to my professional network on LinkedIn.

- Dan

Dan Guido
Security Consultant at iSEC Partners 
Greater New York City Area

Confirm that you know Dan Guido
https://www.linkedin.com/e/yyd8ze-gnju5h2z-6y/isd/2855049201/gpt-xw2N/


 
&lt;/pre&gt;</description>
    <dc:creator>Dan Guido</dc:creator>
    <dc:date>2011-05-11T05:35:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/551">
    <title>gnome-keyring utilizing a tpm?</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/551</link>
    <description>&lt;pre&gt;Hey Kees,

In a conversation with a co-worker the other day, the idea came up of having
gnome-keyring utilize the tpm on the increasing number of platforms which
support them.  Is this a ridiculous idea? ie, is there some long-ago made
design decision that keyrings MUST BE (rfc caps) exportable? IIRC, don't
kwallet and gnome-keyring use the same crypto libraries (and thus, wouldn't
kwallet benefit from something like this as well?)

Cheers,
peter
&lt;/pre&gt;</description>
    <dc:creator>Peter Moody</dc:creator>
    <dc:date>2011-04-13T02:14:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/549">
    <title>new project: tomld (tomoyo learning daemon)</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/549</link>
    <description>&lt;pre&gt;
Dear Members,

I'd like to announce my new project that I've created recently building
on Tomoyo module.

The goal is a fully automatic MAC configuration solution.

Currently supported platforms are: Debian 6 and Ubuntu 10.10

My site:
http://log69.com/tomld_en.html

Screenshot:
http://log69.com/images/tomld015.png

You can find tutorial videos too:
http://log69.com/extras/tomld_usage_demo.ogv
http://log69.com/extras/tomld_access_demo.ogv

The code is still in alpha status, but I'm already using and testing it
in smaller production environments.

Every suggestion is welcome! Help in testing is greatly appreciated.


Cheers!

Andras Horvath
&lt;/pre&gt;</description>
    <dc:creator>Horvath Andras</dc:creator>
    <dc:date>2011-03-24T15:54:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/548">
    <title>Give users "global control" over applications' outgoing internet connections</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/548</link>
    <description>&lt;pre&gt;Hi,
Quite often on the Ubuntu forums, a topic concerning application-based 
firewalls starts all over again:

TuxGuardian - application based firewall
http://ubuntuforums.org/showthread.php?t=1591340

I need an outbound GUI software firewall
http://ubuntuforums.org/showthread.php?t=1696699

I'm sure there are a few more to find, also on Ubuntu brainstorm.

Idea #26902: Give users "global control" over applications' outgoing 
internet connections
http://brainstorm.ubuntu.com/idea/26902/

Idea #26828: GUI application to manage chroot environment
http://brainstorm.ubuntu.com/idea/26828/

I wonder what the Canonical team thinks about this discussion. Could you 
give any feedback?
I'm a new Ubuntu / Linux user and as many others in my position I find 
it difficult to learn advanced security programs like Apparmor, SElinux, 
and others...
Basically all arguments were presented in those discussions.
I think you are perfectly aware that most new Ubuntu users come from MS 
windows and would like to have an easy, user friendly&lt;/pre&gt;</description>
    <dc:creator>sabayon11</dc:creator>
    <dc:date>2011-03-14T16:45:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/547">
    <title>Running SELinux on Amazon EC2</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/547</link>
    <description>&lt;pre&gt;Hey all,

I was thinking about running SELinux on my Amazon EC2 image.
The specs are Ubuntu 10.10 64 bit server with 2.6.35-24-virtual kernel
installed.
I don't see any problems installing SELinux on it but I was just wondering
if anyone has any experience with a similar setup.

I am planning on testing it by running the image locally with kvm.
If all seems good I will then install SELinux on my image on Amazon EC2.

Thank you
~Bill
&lt;/pre&gt;</description>
    <dc:creator>bill k</dc:creator>
    <dc:date>2011-03-10T21:55:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/544">
    <title>OpenVAS Vulnerability on Ubuntu Linux Server 8.04</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/544</link>
    <description>&lt;pre&gt;Hi,

Can someone please suggest/guide me about the below vulnerability. I
have run OpenVAS Scanner and it reports that vulnerability. The
affected server is Ubuntu 8.04.

Medium
OpenSSH CBC Mode Information Disclosure Vulnerability
Risk: Medium
Application: ssh
Port: 22
Protocol: tcp
ScriptID: 100153
Overview: The host is installed with OpenSSH and is prone to information
disclosure vulnerability.
Vulnerability Insight:
The flaw is caused due to the improper handling of errors within an SSH session
encrypted with a block cipher algorithm in the Cipher-Block Chaining 'CBC' mode.
Impact:
Successful exploits will allow attackers to obtain four bytes of plaintext from
an encrypted session.
Impact Level: Application
Affected Software/OS:
Versions prior to OpenSSH 5.2 are vulnerable. Various versions of SSH Tectia
are also affected.
Fix: Upgrade to higher version
http://www.openssh.com/portable.html
References:
http://www.securityfocus.com/bid/32319
CVE : CVE-2008-5161
BID : 32319

Thanks and Regards

Kaushal

&lt;/pre&gt;</description>
    <dc:creator>Kaushal Shriyan</dc:creator>
    <dc:date>2010-11-16T13:20:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/543">
    <title>grsec chroot protections</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/543</link>
    <description>&lt;pre&gt;Hey folks,

knowing that this might be a somewhat touchy subject and with my
expectations set thusly, I wanted to ask about the possibility/feasibility
of including some of (hopefully) more self-contained parts of the grsec
patch-set in the (default) ubuntu kernel. Specifically I'm looking at the
chroot protections. Is pulling something like this into the ubuntu kernel
something that would be appropriate for ubuntu-hardened or is it an all or
nothing (emphasis on nothing) sort of thing WRT the ubuntu kernel and grsec?

Cheers,
peter
&lt;/pre&gt;</description>
    <dc:creator>Peter Moody</dc:creator>
    <dc:date>2010-11-15T21:52:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/542">
    <title>why I can't use 'user_u' login?</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/542</link>
    <description>&lt;pre&gt;Hello,

I want to restrict the privileges of users. I have mapped some users to
'user_u', but when I log in it asks me to input a context. I then input
role: user_r, level: s0-s0, but it says invalid context and refuses the
login.

How can I make the default unconfined login users into strict users?

help me, thank you.

&lt;/pre&gt;</description>
    <dc:creator>Saint yeyo</dc:creator>
    <dc:date>2010-07-06T08:26:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/540">
    <title>Blueprint for a security-center in ubuntu</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/540</link>
    <description>&lt;pre&gt;Hej folks,

remember the little discussion about the idea of a security center for
ubuntu in April?

I still study the psychology of human behaviour towards security issues
in the field of IT at the University of Munich, so in my eyes this idea
I mentioned is not just an ethical responsibility of skilled hackers
towards technically less skilled users, but still a matter that is near
to my heart.
And it is obvious, that the ubuntu project per se will benefit from
realizing this idea in terms of accessibility and usability.
So I created an idea at the ubuntu brainstorm website and a blueprint on
Launchpad, aggregating the outcome of the discussion in April.

So dear hackers: I would like to invite anyone, who is interested in
this issue to join / subscribe to it.

You can find the blueprint here:
https://blueprints.launchpad.net/ubuntu/+spec/security-center
and the brainstorm idea here: http://brainstorm.ubuntu.com/idea/25135/

If you have any question, please do not hesitate to write to me!

Kind regards from&lt;/pre&gt;</description>
    <dc:creator>Nils-Christoph Fiedler</dc:creator>
    <dc:date>2010-06-14T22:29:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/538">
    <title>SELinux Policy Update for Ubuntu Lucid Lynx</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/538</link>
    <description>&lt;pre&gt;Attached are two patches to update the SELinux policy for Ubuntu Lucid
Lynx.

The first patch applies to the repolicy-ubuntu package. This updates the
policy to the latest reference policy (2.20091117) and updates the
debian/patches to fix ubuntu-specific policy issues. The majority of
the issues revolved around dbus starting various processes and ensuring
they transition to the correct domain.

The second patch applies to the selinux package. This adds two upstart
scripts to ensure that /var/run and /var/lock are relabeled once they
are mounted so they get the correct labels (var_run_t and var_lock_t
instead of tmpfs_t).

- Steve
&lt;/pre&gt;</description>
    <dc:creator>Steve Lawrence</dc:creator>
    <dc:date>2010-04-22T23:22:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/537">
    <title>want docs</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/537</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Saint yeyo</dc:creator>
    <dc:date>2010-04-19T01:13:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/528">
    <title>selinux on lucid</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/528</link>
    <description>&lt;pre&gt;Hey folks,

I've been playing with selinux on lucid recently and I'm looking for
the right place to report two issues:

  1) There seems to be an issue with the refpolicy versions.  the
policy selinux-ubuntu is based on an old version of the refpolicy
(Version: 0.2.20090730).  It's also different from selinux-policy-src
(Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
refpolicy, but it seems to conflict with selinux:

  $ apt-cache show selinux-policy-default | grep Conflicts
  Conflicts: cron (&amp;lt;&amp;lt; 3.0pl1-87.2sel), fcron (&amp;lt;&amp;lt; 2.9.3-3), logrotate
(&amp;lt;&amp;lt; 3.7.1-1), procps (&amp;lt;&amp;lt; 1:3.1.15-1), selinux,
selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted,
sysvinit (&amp;lt;&amp;lt; 2.86.ds1-1.se1)

This makes it difficult to create custom policies.

  2) according to /proc, dev is mounted as /devtmpfs, which selinux
doesn't know how to treat by default (it gets labeled as
system_u:object_r:unlabeled_t). on #selinux, I found that by adding:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs&lt;/pre&gt;</description>
    <dc:creator>Peter Moody</dc:creator>
    <dc:date>2010-04-05T19:40:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/522">
    <title>security center in ubuntu</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/522</link>
    <description>&lt;pre&gt;hi folks!
i'm not sure whether this is the right group to ask, but is there any
ambition to integrate some kind of "security-center" in ubuntu? i love
this idea, because today security is kind of a patchwork of different
software, partly even not in the repositories of ubuntu, which makes it
difficult for technically less skilled people to protect themselves
accurate and a little annoying for more skilled ones, to install and
setup those software separately. (talking about my personal experience)
with security i mean things like tor, antivirus, firewall / port-
management, user-agent-management in browsers, cryptography and things
like that. a combining and well documented gui for those tasks would be
appreciated, because many users are not familiar with the usage of the
terminal.
i know that there are some projects like tiger or secubuntu (which i
guess isnt under development any longer) or selinux out there, but
personally i dont trust selinux because of its history and read about
some issues with it, refer&lt;/pre&gt;</description>
    <dc:creator>Nils-Christoph Fiedler</dc:creator>
    <dc:date>2010-04-02T13:20:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/516">
    <title>SELinux in main/restricted</title>
    <link>http://comments.gmane.org/gmane.linux.ubuntu.hardened.general/516</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Florian Friesdorf</dc:creator>
    <dc:date>2010-02-11T19:38:39</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.ubuntu.hardened.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.ubuntu.hardened.general</link>
  </textinput>
</rdf:RDF>

