proper | 19 Feb 23:26

authenticated NTP

Why does Ubuntu not use authenticated NTP by default?

Unauthenticated NTP is dangerous; for example, a MITM can forge the NTP
reply, switch the date back and use old/revoked SSL certificates.

David Windsor | 16 Feb 15:02

Add overflow protection to kref

Hi,

We are attempting to add various grsecurity/PAX features to upstream
Ubuntu kernels.

The PAX folks added refcount overflow protection by inserting
architecture-specific code in the increment paths of atomic_t.  For
instance:

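static inline void atomic_inc(atomic_t *v)
{
	asm volatile(LOCK_PREFIX "incl %0\n"

#ifdef CONFIG_PAX_REFCOUNT
		     /* no signed overflow: skip to label 0 */
		     "jno 0f\n"
		     /* overflow: undo the increment, then raise the overflow exception */
		     LOCK_PREFIX "decl %0\n"
		     "int $4\n0:\n"
		     _ASM_EXTABLE(0b, 0b)
#endif

		     : "+m" (v->counter));
}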

There are two distinct classes of users we need to consider here:
those who use atomic_t for reference counters and those who use
atomic_t for keeping track of statistics, like performance counters,
etc.; it makes little sense to overflow a performance counter, so we
shouldn't subject those users to the same protections as imposed on
actual reference counters.  The solution implemented by PAX is to
create a family of *_unchecked() functions and to patch
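
The checked/unchecked split described in the post above, as an added user-space example that is not part of the original message and is not PaX or kernel code. The type and function names (`demo_atomic_t`, `demo_inc_checked`, `demo_inc_unchecked`) are hypothetical, and C11 atomics stand in for the inline assembly.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical user-space counter type; not the kernel's atomic_t. */
typedef struct { atomic_int counter; } demo_atomic_t;

/* Reference-counter path: detect the wrap, undo it, report it.
 * Same shape as incl / jno / decl / int $4 in the quoted code. */
static int demo_inc_checked(demo_atomic_t *v)
{
    /* C11 atomic arithmetic on signed types wraps silently (no UB). */
    int old = atomic_fetch_add(&v->counter, 1);
    if (old == INT_MAX) {                  /* increment overflowed */
        atomic_fetch_sub(&v->counter, 1);  /* undo: counter stays at INT_MAX */
        return -1;                         /* stands in for the trap */
    }
    return 0;
}

/* Statistics path: a wrapped performance counter is harmless,
 * so this variant performs no check at all. */
static void demo_inc_unchecked(demo_atomic_t *v)
{
    atomic_fetch_add(&v->counter, 1);
}

int main(void)
{
    demo_atomic_t ref, hits;
    atomic_init(&ref.counter, INT_MAX);   /* constructed worst case */
    atomic_init(&hits.counter, INT_MAX);

    int rc = demo_inc_checked(&ref);
    demo_inc_unchecked(&hits);

    printf("checked:   rc=%d counter=%d\n", rc, atomic_load(&ref.counter));
    printf("unchecked: counter=%d\n", atomic_load(&hits.counter));
    return 0;
}
```

A reference counter that wraps through negative values back to zero lets the object be freed while references remain, which is why only the reference-counting callers get the checked variant.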

David Windsor | 19 Sep 03:42

Sysctl for set_kernel_text_r[wo]

Hi,

I am looking into adding a sysctl that enables toggling of
set_kernel_text_rw, set_kernel_text_ro.  It appears that the only
caller of these methods is ftrace, which can rather easily be disabled
when these methods are unavailable.

I'm afraid I'm overlooking something major here.  It seems that such a
control would have been added much earlier if it was actually as
simple as adding a guard variable, mutable via a sysctl, allowing
access to this interface.

Thanks,
David Windsor

-- 
PGP: 6141 5FFD 11AE 9844 153E  F268 7C98 7268 6B19 6CC9

-- 
ubuntu-hardened mailing list
ubuntu-hardened <at> lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Vincent Batts | 16 Sep 21:54

OVAL/XCCDF for Ubuntu

howdy all,

After a brief discussion with sbeattie, kees and mdeslaur, in the
#ubuntu-hardened irc channel, I understand that there are no official
efforts to establish an OVAL and/or XCCDF for Ubuntu releases. There
are an increasing number of utilities to generate reports, or execute
tests from these file formats. One of which is openscap
(http://www.open-scap.org/). A lot of its efforts come from the
Red Hat community.

Question to the community, are there any groups currently working on
OVAL/XCCDF files, that would be willing to share?

mdeslaur,
you mentioned access to the USN database, that might get accessed in
an effort to generate these files. Can you provide more information on
that?

Take care,
vb

dave w | 15 Sep 19:39

[PATCH] policycoreutils: preserve mode bits and ownership of /tmp in seunshare

Hi,

This patch addresses a flaw in seunshare.c that allows unprivileged
users to arbitrarily modify the contents of /tmp.  This bug is further
described in CVE-2011-1011
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1011):

The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat
Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a
new directory on top of /tmp without assigning root ownership and the
sticky bit to this new directory, which allows local users to replace or
delete arbitrary /tmp files, and consequently cause a denial of service or
possibly gain privileges, by running a setuid application that relies on
/tmp, as demonstrated by the ksu application

This patch preserves the mode bits, and thus permissions, and
ownership of the destination directory of the bind mount performed by
seunshare.  The permission check in verify_mount() was relaxed for
directories that originally had the sticky bit set, as root ownership
is required for these to ensure that unprivileged users cannot unlink
arbitrary files in the newly bind mounted directory.

Thanks,
David

 policycoreutils/sandbox/seunshare.c |   23 ++++++++++++++++++++++-
 1 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/policycoreutils/sandbox/seunshare.c
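
The property the message above says the patch preserves, written as a stand-alone check (an added example, not the patch itself and not code from policycoreutils). `overlay_regressions`, `make_dir_stat` and the `LOST_*` flags are hypothetical names, and the `struct stat` values are constructed samples rather than output from a real mount.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef S_ISVTX
#define S_ISVTX 01000      /* sticky bit, if strict ISO mode hides it */
#endif
#ifndef S_IFDIR
#define S_IFDIR 0040000
#endif
#define MODE_BITS 07777    /* permission bits plus setuid/setgid/sticky */

enum { LOST_OWNER = 1 << 0, LOST_MODE = 1 << 1, LOST_STICKY = 1 << 2 };

/* Compare the destination directory before the bind mount with what is
 * visible at the same path afterwards. Returns 0 when ownership and
 * mode bits were preserved, otherwise a bitmask of what changed. */
static int overlay_regressions(const struct stat *before,
                               const struct stat *after)
{
    int lost = 0;
    if (before->st_uid != after->st_uid || before->st_gid != after->st_gid)
        lost |= LOST_OWNER;
    if ((before->st_mode & MODE_BITS) != (after->st_mode & MODE_BITS))
        lost |= LOST_MODE;
    /* Without the sticky bit, any user with write access to the
     * directory can unlink files that belong to other users. */
    if ((before->st_mode & S_ISVTX) && !(after->st_mode & S_ISVTX))
        lost |= LOST_STICKY;
    return lost;
}

/* Build a constructed directory stat record for the demonstration. */
static struct stat make_dir_stat(uid_t uid, gid_t gid, mode_t perms)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid = uid;
    st.st_gid = gid;
    st.st_mode = S_IFDIR | perms;
    return st;
}

int main(void)
{
    struct stat tmp = make_dir_stat(0, 0, 01777);          /* usual /tmp */
    struct stat user_dir = make_dir_stat(1000, 1000, 0700);
    printf("regressions: %d\n", overlay_regressions(&tmp, &user_dir));
    return 0;
}
```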

Horvath Andras | 27 Jul 08:36

tomld: fully automatic MAC configuration solution


Dear Members,

I'd like to announce the availability of the first beta release of my
tomld project.

This is a daemon managing fully automatic MAC configuration without any
user interaction.

(supported platforms are: Debian 6 and up, Ubuntu 10.10 and up)

My site:
http://log69.com/tomld_en.html

FAQ:
http://log69.com/help_en.html

Screenshot:
http://log69.com/images/tomld.png

You can also find a video of a quick installation:
http://www.youtube.com/watch?v=8pfjuU94of4
http://log69.com/extras/tomld038_ubuntu1104_install.ogv

The code is in beta status, but I'm already using and testing it in
smaller production environments. Once I have a stable version, I'll get
it into Debian as a package.

Every suggestion and feedback are welcome!


Matthew Paul Thomas | 23 Jun 18:12

Firewall settings: User interface review and questions


Hi

Part of the planned "Desktop-side networking enhancements"
<https://launchpad.net/ubuntu/+spec/desktop-o-desktop-network-enhancements>
is the addition of a graphical interface for configuring a firewall.

Mathieu Trudel-Lapierre and I have been working on a design for the
firewall settings. Here's what we have so far:
<https://wiki.ubuntu.com/OneiricDesktopNetworkEnhancementsSpec#Design>

We'd appreciate a general sanity check for these settings, from people
who know more about security than we do. Are they missing anything
highly useful? Or is there anything there that shouldn't be?

There are also two specific questions we have:

*   Does Ubuntu have any "essential" incoming connections, which should
    be allowed in the normal case even when the firewall is turned on?
    (As a comparison, Mac OS X identifies "DHCP, Bonjour, and IPSec" as
    essential.)

    -   If so, how much use is it to have a graphical setting for
        blocking even those "essential" connection types?

*   Does Ubuntu have any "essential" outgoing connections? Web
    browsing? E-mail? Avahi?

Thanks

Peter Moody | 13 Apr 04:14

gnome-keyring utilizing a tpm?

Hey Kees,


In a conversation with a co-worker the other day, the idea came up of having gnome-keyring utilize the tpm on the increasing number of platforms which support them.  Is this a ridiculous idea? i.e., is there some long-ago made design decision that keyrings MUST BE (rfc caps) exportable? IIRC, don't kwallet and gnome-keyring use the same crypto libraries (and thus, wouldn't kwallet benefit from something like this as well?)

Cheers,
peter

Horvath Andras | 24 Mar 16:54

new project: tomld (tomoyo learning daemon)


Dear Members,

I'd like to announce my new project that I've created recently building
on the Tomoyo module.

The goal is a fully automatic MAC configuration solution.

Currently supported platforms are: Debian 6 and Ubuntu 10.10

My site:
http://log69.com/tomld_en.html

Screenshot:
http://log69.com/images/tomld015.png

You can find tutorial videos too:
http://log69.com/extras/tomld_usage_demo.ogv
http://log69.com/extras/tomld_access_demo.ogv

The code is still in alpha status, but I'm already using and testing it
in smaller production environments.

Every suggestion is welcome! Help in testing is greatly appreciated.

Cheers!

Andras Horvath

sabayon11 | 14 Mar 17:45

Give users "global control" over applications' outgoing internet connections

Hi,
Quite often on the Ubuntu forums, a topic concerning application-based 
firewalls starts all over again:

TuxGuardian - application based firewall
http://ubuntuforums.org/showthread.php?t=1591340

I need an outbound GUI software firewall
http://ubuntuforums.org/showthread.php?t=1696699

I'm sure there are a few more to find, also on Ubuntu brainstorm.

Idea #26902: Give users "global control" over applications' outgoing 
internet connections
http://brainstorm.ubuntu.com/idea/26902/

Idea #26828: GUI application to manage chroot environment
http://brainstorm.ubuntu.com/idea/26828/

I wonder what the Canonical team thinks about this discussion. Could you 
give any feedback?
I'm a new Ubuntu / Linux user and, like many others in my position, I find 
it difficult to learn advanced security programs like AppArmor, SELinux, 
and others...
Basically all arguments were presented in those discussions.
I think you are perfectly aware that most new Ubuntu users come from MS 
Windows and would like to have an easy, user-friendly application to 
control various aspects of internet security. Besides, there are other 
interesting, new security solutions like this on Chrome OS, or the not 
yet developed Qubes OS, based on Xen virtualisation, sandboxes.

bill k | 10 Mar 22:55

Running SELinux on Amazon EC2

Hey all,

I was thinking about running SELinux on my Amazon EC2 image.
The specs are Ubuntu 10.10 64 bit server with 2.6.35-24-virtual kernel installed.
I don't see any problems installing SELinux on it but I was just wondering if
anyone has any experience with a similar setup.

I am planning on testing it by running the image locally with kvm.
If all seems good I will then install SELinux on my image on Amazon EC2.

Thank you
~Bill

