Add two new ideas: audit support for IP firewalls (and other kernel

subsystems other than system calls), security regression tests.
svn path=/www/; revision=29575
2007-02-16 11:40:46 +00:00 · 2007-02-16 11:40:46 +00:00 · e7ab7f96ac · 2020-12-08 03:00:23 +00:00
commit e7ab7f96ac
parent 5ba6d7a85b
1 changed files with 51 additions and 1 deletions
--- a/en/projects/ideas/index.sgml
+++ b/en/projects/ideas/index.sgml
@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//FreeBSD//DTD HTML 4.01 Transitional-Based Extension//EN" [
 <!ENTITY base CDATA "../..">
-<!ENTITY date "$FreeBSD: www/en/projects/ideas/index.sgml,v 1.81 2007/02/14 17:12:44 joel Exp $">
+<!ENTITY date "$FreeBSD: www/en/projects/ideas/index.sgml,v 1.82 2007/02/16 11:23:34 rwatson Exp $">
 <!ENTITY title "FreeBSD list of projects and ideas for volunteers">
 <!ENTITY % navinclude.developers "INCLUDE">
 <!ENTITY % developers SYSTEM "../../developers.sgml"> %developers;
@ -115,6 +115,8 @@
 <h3>Security</h3>
 <ul>
  <li><a href="#p-distribaudit">Distributed audit daemon</a></li>
+  <li><a href="#p-auditkernel">Audit kernel event sources</a></li>
+  <li><a href="#p-securityregression">Security regression tests</a></li>
 </ul>

 <h3>Userland / Installation Tools</h3>
@ -1193,6 +1195,54 @@
  <li>Knowledge of the audit subsystem.</li>
 </ul>

+<a name="#p-auditkernel"></a>
+<h2>Audit kernel event sources</h2>
+<p><strong>Technical contact</strong>: <a
+  href="mailto:rwatson@FreeBSD.org">&a.rwatson;</a></p>
+<p>
+A number of kernel security subsystems, such as IPFW and pf, generate
+security log data.  This task involves identifying potential sources of
+security event information in the kernel and modifying kernel subsystems to
+log that information using the kernel security event auditing system.
+User and programmer documentation of audit may be found on the <a
+href="http://www.trustedbsd.org/docs.html">TrustedBSD Documentation Page</a>.
+There are also extensive manual pages relating to audit in FreeBSD.  This
+project will require careful security analysis and kernel programming, and
+will likely need some re-working of the kernel audit framework (which is
+currently entirely focused on gathering user and kernel system call audit
+data).
+</p>
+<ul>
+  <li>Strong C programming skills.</li>
+  <li>Familiarity with concurrent programming techniques.</li>
+  <li>General understanding of TCP/IP firewalls.</li>
+  <li>Willingness to read the CC/CAPP specification.</li>
+</ul>
+
+<a name="#p-securityregression"></a>
+<h2>Security regression tests</h2>
+<p><strong>Technical contact</strong>: <a
+  href="mailto:rwatson@FreeBSD.org">&a.rwatson;</a></p>
+<p>
+FreeBSD is undergoing constant and active improvement to all of its critical
+subsystems, from file systems to the network stack.  With any change, there
+is a risk of introducing bugs or regressions.  The goal of this task is to
+produce a security regression test suite, which encapsulates requirements
+regarding system security properties and tests that they (still) hold.  Areas
+to test include file system access control, privilege, authentication,
+cryptography, process containment, and more.  There are some current tests
+along these lines in the <a
+href="http://www.freebsd.org/cgi/cvsweb.cgi/src/tools/regression/">FreeBSD
+regression test tree</a>, but they are both incomplete and and inadequate.
+New tests must be created; existing tests must be completed and updated.
+</p>
+<ul>
+  <li>Strong C programming skills.</li>
+  <li>High tolerance for writing test code.</li>
+  <li>High tolerance for reading API specifications.</li>
+  <li>Rigorous and devious mindset.</li>
+</ul>
+
 <hr>

 <!------------------------------------------------------------------>