[Security_sig] 01/20 Conf. call minutes
Chris Wright
chrisw at osdl.org
Thu Jan 20 10:12:05 PST 2005
Attendees:
----------
Ge Weijers (Sun)
Emily Ratliff (IBM)
Serge Hallyn (IBM)
Joseph Cihula (Intel)
Slav Inger
Andy Murren
Matt Anderson (HP)
John Cherry (OSDL)
Chris Wright (OSDL)
Agenda:
-------
- DCL doc review needs more input (and upcoming F2F).
- DTL doc status
- CGL spec review, hoping it'll be posted soon (and upcoming F2F).
Actions:
--------
Mary/Lynn: DCL document to list
Phil/Slav: DTL document to list
Ge/Chris: CGL review
Minutes:
--------
Emily: DCL doc, securing one server in the data center. DTL doc puts
requirements on the data center. Do we need another doc, fall through
cracks, DTL doc as environmental.
Slav: Did my reply on list clarify?
Chris: I think we should place these as envrionmental assumptions in the
DTL doc. Let's
Chris: Remote authorization done by which projects?
Emily: Access Manager from Tivoli
Slav: Active Directory
Ge: NFSv4
Slav: CIFS shares, local uses local engine, if GPO in effect, all goes
to server.
Emily: Do we have a volunteer to get the envirnomental pieces into the
DTL doc?
Ge: Integration between client and server should mirror on both sides.
Slav: Client piece of TLS, certificate revocation on server side, etc.
Andy: Recommendations for securely coding the applications? Dialog box
that can take shell commands because it's not securely written, for
example.
Chris: Mostly pointers to existing docs.
Ge: How do I justify openSSL by itself? IPSec, same.
Chris: Start with network being hostile.
Ge: But it's requirement on the application. It's not making the OS
more secure.
Chris: Take ssh vs. telnet. Authentication tokens in the clear could
break system security.
Andy: Audit logs off the box.
Chris: Infrastrucutre library. Makes sense for OS to provide it.
Joe: I like the application tools requirements. This security part is
just one part
Ge: Audit requirements don't currently have any justification. Auditing
doesn't keep the box more secure.
Joe: Auditing is called for in O.DETECT-SOPHISTICATED, etc.
Ge: Containment is a new requirement.
Chris: I look at it like, physical separation, then chroot/jail/namespace,
then MAC based ala SELinux.
Ge: Pushes burden onto customer. And full, secure configuration is
still very non-trivial.
Joe: It does shift the burden. But it's a chicken and egg issue, where
if it's never provided by the OS, the problem will never be solved.
John: Containment seems reasonable since it could be done via chroot-ish
way or SELinux, and since we don't know what the complexity of the
application looks like, we can't make assumptions about the solution.
Joe: Perhaps we can break it down into pieces. Simple vs. complex
containment.
Ge: Is it OK to have objectives with no requirements?
ran out of time...
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
More information about the security_sig
mailing list