[Security_sig] Security Gaps

Mary Edie Meredith maryedie at osdl.org
Thu Oct 27 15:49:18 PDT 2005


Same question for Emily's list.

Which should be DCL's focus?

On Thu, 2005-10-13 at 13:53 -0500, Emily Ratliff wrote:
> In no particular order, here are some Linux security gaps/wishlist:
> 
> Highly accurate open source static analysis tools (and all open source
> projects making use of them)
> Capability to run w/o root in a traditional DAC environment
> ala Solaris Process Rights Management
> Linux project: Olaf Dietsche's File system capabilities patch not
> integrated
> Integrated cryptographic framework - single point of FIPS
> certification
> Secure virtualized containment (not SELinux) ala Solaris
> Zones/containers or HPUX Secure Resource Partitions
> this often gets punted to Xen, but there is an advantage for having
> both types of virtualized containment available
> Linux project: vserver not integrated
> Easy to use RBAC tools (not talking about RBACPP)
> Encrypted file system with per file encryption
> Linux project: eCryptfs + others not integrated
> Whole disk encryption
> Patch risk assessment
> MLOSPP compliance may become an issue in the near future
> Kernel crypto api improvements - asynchronous work underway,
> asymmetric algorithms, GCM mode
> 
> I'd like to see IPSec be easier to set up and a centralized repository
> that collects whether Linux IPSec and interoperate with various vendor
> VPNs and the settings required for the VPNs that it can interoperate
> with (ala monitor settings database or CDDB).
> A tiny feature that I would like to see added to logcheck (may be
> there in the latest release) is the ability to switch after a certain
> threshold from telling me about attempts (for example, ssh login
> attempts) from a certain address to successes from that address. The
> attempts become uninteresting and the successes are very, very
> interesting.
> 
> I haven't found anyone who cares but NIS+ is not available on Linux.
> 
> Other requests that we have received - default umask 037, no world
> writeable directories (/tmp) on filesystems/partitions with
> setuid/setgid binaries and log files.
> 
> A key Linux weakness that affects other areas as well as security is a
> lack of integration between components.
> 
> Ed, want to comment on I & A gaps?
> 
> Emily
> 
> Emily Ratliff
> IBM Linux Technology Center, Security
> CISSP #51839
> 512-838-0409 (T/L 678-0409)
> emilyr at us.ibm.com
> 
> _______________________________________________
> security_sig mailing list
> security_sig at lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/security_sig
-- 
Mary Edie Meredith
Initiative Manager
Open Source Development Labs
maryedie at osdl.org
503-906-1942




More information about the security_sig mailing list