SecurityTeam

Differences between revisions 5 and 42 (spanning 37 versions)
Revision 5 as of 2008-01-30 21:49:01
Size: 1915
Editor: c-76-105-157-155
Comment: initial outline
Revision 42 as of 2025-06-02 10:36:53
Size: 4857
Editor: 0xdsousa
Comment:
Line 1: Line 1:
[[Include(SecurityTeam/Header)]] <<Include(SecurityTeam/Header)>>
Line 3: Line 3:
||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;">'''Contents'''[[BR]][[TableOfContents]]|| ||<tablestyle="left; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 1em 1em 1em 1em; padding: 0.5em;"><<TableOfContents>>||
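Review bot: in the new tablestyle value the first declaration is a bare "left;" with no property name, where the old value had "float:right;". If the contents box is meant to sit on the left, write "float:left;"; if it should no longer float, drop the token, since browsers discard a declaration that has no property name.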
Line 5: Line 5:
== Introduction ==
Line 6: Line 7:
= Introduction = The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu and its users secure through fixing vulnerabilities and contributing to its security development. The primary teams are:
 * [[https://launchpad.net/~ubuntu-security|Ubuntu Security]]: team responsible for [[https://wiki.ubuntu.com/SecurityTeam/FAQ#Official%20Support|officially supported packages]] in Ubuntu
 * [[https://launchpad.net/~motu-swat|MOTU Swat]]: team responsible for helping to coordinate community supported updates in Ubuntu
Line 8: Line 11:
The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu secure, and contributing to its proactive hardening. == Vulnerabilities ==
A security vulnerability can be defined as ''"a mistake in software that can be directly used by a hacker to gain access to a system or network" -- [[http://cve.mitre.org/about/terminology.html|Mitre]].'' There are many different types of vulnerabilities, some of which are denial of service, gaining user or root privileges, data loss, and information disclosure. The Ubuntu Security Team and Ubuntu community work together to find and correct these mistakes through various activities.
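Review bot: the Mitre citation link in the added Vulnerabilities paragraph uses http://cve.mitre.org/about/terminology.html, while the other external links added in this revision use https://. Suggest switching it to https if the target serves it, and doing the same for the http://cve.mitre.org link in the Tracking paragraph.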
Line 10: Line 14:
= Contact = === Auditing ===
Searching for security vulnerabilities is usually referred to as auditing. The Ubuntu Security Team often performs audits on software before it is to be [[MainInclusionProcess|officially supported]]. Once vulnerabilities are found, the Security Team uses [[https://wiki.ubuntu.com/SecurityTeam/BugTriage#Private%20Bugs|responsible disclosure]] to let others know about the issue. The [[SecurityTeam/Auditing|Auditing]] page has more information.
Line 12: Line 17:
 * To report private security bugs, please use Launchpad and check the "Security" flag.
 * For other private security concerns, please email security@ubuntu.com.
 * To participate in security packaging work, please join the motu-swat team, and familiarize yourself with the SecurityUpdateProcedures.
 * To participate in auditing and penetration testing, please join the ubuntu-pentest team.
=== Tracking ===
Most flaws in software are found by security researchers and users of the software. These flaws are tracked globally in the [[http://cve.mitre.org|MITRE CVE database]], and the Security Team will track issues that affect Ubuntu in the [[https://ubuntu.com/security/cves|Ubuntu CVE Tracker]]. As new issues come in, they are evaluated, or [[SecurityTeam/BugTriage|triaged]], then added to the CVE Tracker. As issues are fixed the CVEs are updated and retired.
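Review bot: the private-reporting instructions in the removed Contact bullets (the Launchpad "Security" flag and security@ubuntu.com) have no counterpart in the added lines; the new Reporting section only links to How to File. Consider keeping one sentence on this landing page that says security reports should be filed privately and gives the contact address, so a reporter does not have to follow a link to learn that.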
Line 17: Line 20:
= How to Contribute =
 * Help with projects
 * Write documentation
  * [:SecurityTeam/Roadmap]
  * [:SecurityTeam/FAQ]
  * [DebuggingSecurity]
For security vulnerabilities that do not have a CVE yet, a [[https://wiki.ubuntu.com/DebuggingSecurity#How%20to%20File|new bug is filed]]. The bug is [[SecurityTeam/BugTriage|triaged]] and if appropriate, a CVE id will be requested by a member of the Security Team.
Line 24: Line 22:
= Projects =
To discuss any Security Team projects, send email to the ubuntu-hardened mailing list.
=== Reporting ===
If you would like to report a security bug in Ubuntu, please see [[https://wiki.ubuntu.com/DebuggingSecurity#How%20to%20File|How to File]].
Line 27: Line 25:
 * CVE handling
  * tracking: Ubuntu CVE Tracker
  * fixing: main and universe
 * Hardening
  * Mandatory Access control
   * AppArmor
   * SELinux
  * Compiler flags
 * Auditing and Penetration Testing
=== Fixing ===
After a flaw is found and assigned a CVE id, it should be [[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase#Announcements|fixed]]. Often the author of the software will provide a patch, or a patch will be created by other developers, including the Ubuntu Security Team. Details for providing security updates to Ubuntu can be found in SecurityTeam/UpdateProcedures. A new centralized way has been launched to inform users about Ubuntu Security Updates via email. The details can be found in [[https://wiki.ubuntu.com/SecurityTeam/Contacts/#usnbot|Contacts]].
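Review bot: in the added Fixing paragraph, SecurityTeam/UpdateProcedures is written as bare text while the other page references added in this revision use [[...]] link syntax; wrap it as [[SecurityTeam/UpdateProcedures]] for consistency. The sentence "A new centralized way has been launched" will also date quickly and does not say what the mechanism is; name it (the link anchor is #usnbot) or reword it without "new".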
Line 37: Line 28:
= Launchpad Membership Policy =
 * motu-swat: if you are dedicated to making a dent in the universe security updates, this team will have you.
 * ubuntu-pentest: if you are dedicated to "do not harm" while auditing and testing Ubuntu software and infrastructure, this team will have you.
 * ubuntu-security: this is a closed team for developers responsible for publishing security updates to the Ubuntu Archive.
=== Testing ===
Before making the security update available, the update needs to be tested to see if it fixes the flaw and also doesn't introduce any regressions. The Security Team uses the [[https://code.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master|QA Regression Testing]] suite when performing testing. QA Regression Testing has information on performing tests, checklists, scripts and various other information to help with testing.
Line 42: Line 31:
= Meetings =
 * For details on regular meetings (past and present), see [:SecurityTeam/Meetings].
=== Debian ===
Debian and Ubuntu share a lot of the same software and collaboration with each other is beneficial to both distributions. If you are a Debian Developer or member of the Debian security team, please see [[SecurityTeam/ForDebianDevelopers]] for how you can collaborate with Ubuntu and use Ubuntu resources for your updates.

== Development ==
The Security Team also actively develops protections to help keep Ubuntu users safe from new vulnerabilities. Some projects that the Ubuntu Security Team actively develops are:
 * [[AppArmor]] (see [[SecurityTeam/KnowledgeBase/AppArmorProfiles | AppArmorProfiles]] for existing default enforcing profiles in Ubuntu)
 * [[CompilerFlags|CompilerFlags]]
 * [[UncomplicatedFirewall]]
 * [[SecurityTeam/Specifications|Specifications]] and [[SecurityTeam/ReleaseStatus|ReleaseStatus]] for current and past development
 
== What You Can Do ==
Interested in helping? Head to the [[SecurityTeam/GettingInvolved|GettingInvolved]] page to find out how to contribute to the Security Team.
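Review bot: link markup in the added Development list is inconsistent: [[SecurityTeam/KnowledgeBase/AppArmorProfiles | AppArmorProfiles]] has spaces around the pipe, and [[CompilerFlags|CompilerFlags]] repeats the target as its label where [[CompilerFlags]] would do, as with [[AppArmor]] and [[UncomplicatedFirewall]]. The removed Meetings pointer to SecurityTeam/Meetings also has no replacement in the added lines; if meetings are still documented, keep a link.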
Line 46: Line 45:
'''Sub-pages :''' [[Navigation(children,1)]] '''Sub-pages :''' <<Navigation(children,1)>>

Introduction

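The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu and its users secure through fixing vulnerabilities and contributing to its security development. The primary teams are:

 * Ubuntu Security: team responsible for officially supported packages in Ubuntu
 * MOTU Swat: team responsible for helping to coordinate community supported updates in Ubuntu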

Vulnerabilities

A security vulnerability can be defined as "a mistake in software that can be directly used by a hacker to gain access to a system or network" -- Mitre. There are many different types of vulnerabilities, some of which are denial of service, gaining user or root privileges, data loss, and information disclosure. The Ubuntu Security Team and Ubuntu community work together to find and correct these mistakes through various activities.

Auditing

Searching for security vulnerabilities is usually referred to as auditing. The Ubuntu Security Team often performs audits on software before it is to be officially supported. Once vulnerabilities are found, the Security Team uses responsible disclosure to let others know about the issue. The Auditing page has more information.

Tracking

Most flaws in software are found by security researchers and users of the software. These flaws are tracked globally in the MITRE CVE database, and the Security Team will track issues that affect Ubuntu in the Ubuntu CVE Tracker. As new issues come in, they are evaluated, or triaged, then added to the CVE Tracker. As issues are fixed, the CVEs are updated and retired.

For security vulnerabilities that do not have a CVE yet, a new bug is filed. The bug is triaged and, if appropriate, a CVE id will be requested by a member of the Security Team.

Reporting

If you would like to report a security bug in Ubuntu, please see How to File.

Fixing

After a flaw is found and assigned a CVE id, it should be fixed. Often the author of the software will provide a patch, or a patch will be created by other developers, including the Ubuntu Security Team. Details for providing security updates to Ubuntu can be found in SecurityTeam/UpdateProcedures. A new centralized way to inform users about Ubuntu Security Updates via email has been launched; the details can be found in Contacts.

Testing

Before making the security update available, the update needs to be tested to see if it fixes the flaw and also doesn't introduce any regressions. The Security Team uses the QA Regression Testing suite when performing testing. QA Regression Testing has information on performing tests, checklists, scripts and various other information to help with testing.

Debian

Debian and Ubuntu share a lot of the same software and collaboration with each other is beneficial to both distributions. If you are a Debian Developer or member of the Debian security team, please see SecurityTeam/ForDebianDevelopers for how you can collaborate with Ubuntu and use Ubuntu resources for your updates.

Development

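The Security Team also actively develops protections to help keep Ubuntu users safe from new vulnerabilities. Some projects that the Ubuntu Security Team actively develops are:

 * AppArmor (see AppArmorProfiles for existing default enforcing profiles in Ubuntu)
 * CompilerFlags
 * UncomplicatedFirewall
 * Specifications and ReleaseStatus for current and past development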

What You Can Do

Interested in helping? Head to the GettingInvolved page to find out how to contribute to the Security Team.



CategoryUbuntuTeams

SecurityTeam (last edited 2025-06-02 10:36:53 by 0xdsousa)