Author Archives: swift
SELinux’ 2011/07 releases now stable
A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the Gentoo SELinux Handbook with the changes I presented on our … Continue reading
Posted in Hardened, SELinux
Gentoo Hardened SELinux policies, rev 5
I’ve pushed out selinux-base-policy version 2.20110726-r5 to the hardened-dev overlay. It does not hold huge changes; most of them are rewrites or updates on pre-existing patches (on the SELinux policies) to make them conform to the refpolicy naming conventions and other … Continue reading
Posted in Hardened, SELinux
Upgrading GCC, revisited
Gentoo has long had a GCC Upgrading guide. A long time ago, upgrading GCC required quite a lot of side activities and was often considered a risky upgrade. But times change, and so do the GCC upgrade cycles. Improved … Continue reading
Posted in Gentoo
7 Comments
Mitigating risks, part 5 – application firewalls
The last isolation-related aspect on risk mitigation is called application firewalls. Like more “regular” firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don’t. But unlike these regular firewalls, application … Continue reading
Posted in Architecture, Security
Quickly setup a Gentoo system
In order to verify if the installation instructions in the Gentoo Handbook are still valid, and to allow me to quickly seed new Gentoo installations in a virtual environment, I wrote a very ugly (really) script to automatically “stage” a … Continue reading
Posted in Gentoo, Hardened
7 Comments
Power management guide updated
The Gentoo Power Management Guide is now updated. It is a full rewrite, focusing currently on two main toolsets: Laptop Mode Tools and cpufreqd. I was pleasantly surprised by the number of features that the laptop mode tools package provided. … Continue reading
Mitigating risks, part 4 – Mandatory Access Control
I’ve talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn’t help there, and system … Continue reading
Posted in Architecture, Hardened, Security, SELinux
1 Comment
Catching up
As mentioned on the gentoo-doc mailinglist, all documentation bugs (that we know of) related to openrc have been fixed. It was already a week like so, but the last dependency on our “tracker” bug was an open one (asking if … Continue reading
Mitigating risks, part 3 – hardening
While I’m writing this post, my neighbor is shouting. He’s shouting so hard, that I was almost writing with CAPS on to make sure you could read me. But don’t worry, he’s not fighting – it is how he expresses … Continue reading
Posted in Architecture, Security
Mitigating risks, part 2 – service isolation
Internet: absolute communication, absolute isolation ~Paul Carvel The quote might be ripped out of its context completely, since it wasn’t made when talking about risks and the assurance you might need to get in order to reduce risks. But it … Continue reading
Posted in Architecture, Security