
Re: another volunteer



On Wed, May 09, 2001 at 03:50:38PM +0100, Alan Cox wrote:
> > unfortunately I have subscribed this list only today.
> > Please, do not hesitate to let me know how can I contribute
> > (eg. what about the establishment of a GNU/Linux Security SIG -
> > task #27482 ?).
> > 
> 
> Umm interesting I hadn't noticed that task. How is that different from
> security-audit and/or vendor-sec ?

In my opinion, the GNU/Linux Security SIG should address only
the security issues ingrained in either the system interface
or the environment described in LSB specifications. 

It should be out of the scope of this SIG to describe how
the developers of GNU/Linux distributions must implement commands
and utilities in a "secure" and robust way (code auditing and
developing are inevitably vendors' tasks).

However, since I have not yet searched the list archive for related
threads, I am seemingly missing some goals for this SIG.

Here is a partial list of issues that may or may not be addressed
by the Security SIG. It would be nice to add other issues to it and
group its items into "must be addressed" and "must not be addressed"
lists.

In no particular order:

Item                               |Relevant Spec. Sections| Comments
-----------------------------------|-----------------------|----------
libc functions prone to security   | 10.1                  |
problems                           |                       |
-----------------------------------|-----------------------|----------
cryptographic hash functions       | chapter 13            |
supported for packages verification|                       |
-----------------------------------|-----------------------|----------
security issues in dynamic linking | chapter 7             |
-----------------------------------|-----------------------|----------
/dev/{u,}random behavior and how   |                       | more
seeds are handled at system        |                       | generally:
initialization                     |                       | PRNG
-----------------------------------|-----------------------|----------
security and environment variables |                       |
(eg. IFS, PATH, TMPDIR, etc...)    |                       |
-----------------------------------|-----------------------|----------
Posix.1e (POSIX.6)                 |                       |
-----------------------------------|-----------------------|----------
PAM or more generally              |                       |
authentication mechanisms          |                       |
-----------------------------------|-----------------------|----------
users & groups                     | Chapter 16            | already
                                   |                       | present
                                   |                       |----------
                                   |                       | DAC?
-----------------------------------|-----------------------|----------
ownerships and permissions         | 17.2                  | already
                                   |                       | present
-----------------------------------|-----------------------|----------
International Kernel Patch and its |                       |
support                            |                       |
-----------------------------------|-----------------------|----------


Thanks,
alfonso


