Category Archives: Security

Trying out initramfs with selinux and grsec

Posted on January 15, 2012 by swift

I’m no fan of initramfs. All my systems boot up just fine without it, so I often see it as an additional layer of obfuscation. But there are definitely cases where initramfs is needed, and from the looks of it, … Continue reading →

Posted in Hardened, SELinux | 9 Comments

Unix domain sockets are files

Posted on December 31, 2011 by swift

Probably not a first for many seasoned Linux administrators, and probably not correct accordingly to more advanced users than myself, but I just found out that Unix domain sockets are files. Even when they’re not. I have been looking at … Continue reading →

Posted in SELinux | Leave a comment

SELinux Gentoo/Hardened state 2011-12-19

Posted on December 19, 2011 by swift

On december 14th, the Gentoo Hardened project had its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux-front were presented as well. Since last meeting, the follow … Continue reading →

Posted in Hardened, SELinux | 2 Comments

Gentoo Security Benchmark with OVAL and Open-SCAP

Posted on November 16, 2011 by swift

A while ago, I got referred to the Open Vulnerability and Assessment Language, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can … Continue reading →

Posted in Gentoo, Hardened, Security | Leave a comment

SELinux’ 2011/07 releases now stable

Posted on October 23, 2011 by swift

A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the Gentoo SELinux Handbook with the changes I presented on our … Continue reading →

Posted in Hardened, SELinux | Leave a comment

Gentoo Hardened SELinux policies, rev 5

Posted on October 13, 2011 by swift

I’ve pushed out selinux-base-policy version 2.20110726-r5 to the hardened-dev overlay. It does not hold huge changes, most of them are rewrites or updates on pre-existing patches (on the SELinux policies) to make them conform the refpolicy naming conventions and other … Continue reading →

Posted in Hardened, SELinux | Leave a comment

Mitigating risks, part 5 – application firewalls

Posted on October 5, 2011 by swift

The last isolation-related aspect on risk mitigation is called application firewalls. Like more “regular” firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don’t. But unlike these regular firewalls, application … Continue reading →

Posted in Architecture, Security | Leave a comment

Mitigating risks, part 4 – Mandatory Access Control

Posted on September 23, 2011 by swift

I’ve talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn’t help there, and system … Continue reading →

Posted in Architecture, Hardened, Security, SELinux | 1 Comment

Mitigating risks, part 3 – hardening

Posted on September 13, 2011 by swift

While I’m writing this post, my neighbor is shouting. He’s shouting so hard, that I was almost writing with CAPS on to make sure you could read me. But don’t worry, he’s not fighting – it is how he expresses … Continue reading →

Posted in Architecture, Security | Leave a comment

Mitigating risks, part 2 – service isolation

Posted on September 9, 2011 by swift

Internet: absolute communication, absolute isolation ~Paul Carvel The quote might be ripped out of its context completely, since it wasn’t made when talking about risks and the assurance you might need to get in order to reduce risks. But it … Continue reading →

Posted in Architecture, Security | Leave a comment

Category Archives: Security

Archives

Meta