[Security_sig] 10/27 Conf. call minutes

Chris Wright chrisw at osdl.org
Thu Oct 27 16:09:05 PDT 2005

	Mary Edie Meredith (OSDL)
	Emily Ratliff (IBM)
	Dennis Wells (Unisys)
	Chris Wright (OSDL)


	- DCL security gap list



Mary: TPM vs. Intrusion Detection

Emily: We call it integrity

Mary: Ge had file integrity as separate, does TPM support this?

Emily: It can, needs more code.  See trousers.sf.net for details on
what's done.

Mary: What's left for IDS w/out TPM

Chris: IDS is there w/out TPM.  It's not a gap in that sense.  TPM is
both hardware and software, so all legacy systems have no TPM, and
there's functional IDS.

Emily:  It's also not a gap in the sense of feature comparison w/ other
OS.  We have an opportunity to be a leader.

Mary: Are there gaps in IDS?

Chris: Not really.

Emily: I don't think so.  Linux is pretty solid in that area, some of it
is morphing to intrusion reaction, 

Mary: Static analysis tools under access control...

Chris: It's not about access control, it's about producing secure code
with fewer security bugs.

Emily: Vulnerability mitigation

Mary: Priority (1-10)?

Chris: It's hard to place too high because it has a holy grail element.

Mary: It's OK

Emily: I'd say it's high priority.  Esp. w.r.t. patch management.

Mary: Speaking of patch management...what's the priority of this one?

Chris: It's a distro issue, but it's pretty important for communication
between distro and customer.

Emily: I wonder if there's going to be distro participation in better
granularity risk assessment with patch management, such as the one Cisco
is adopting.

Chris: Could you send link?

Mary: Run rootless, priority?

Chris: Can be done already, but maybe not in a way that's competitive
with other OS's methods.

Emily: More of an ISV issue with app that runs w/out root on one OS, and
requires root on Linux.

Chris: Is this just smth. as simple as an fs permissions issue?  Can't
read/write to some area?

Emily: More like needing to be root to bind to low-numbered port.

Chris: Ah, so more like capabilities than using smth like SELinux policy
to manage.

Emily: Yes for environments that don't use SELinux.

Mary: Capabilities good enough, so low priority?

Chris: They don't quite do the job, but I agree the priority is lower.

Emily: Open source participation, Nessus, etc... is there risk with
community participation?  Similarly, Russell Coker just posted something
along those lines on LSPP list.  Might be interesting to survey important
projects and health of their communities?
