Simplicity is a form of art... (https://blog.siphos.be/), Sun, 12 Jan 2025 22:12:00 +0100

Digital Operational Resilience Act (https://blog.siphos.be/2025/01/digital-operational-resilience-act/)

<p>One of the topics that most financial institutions are (still) currently working on is their compliance with a European legislation called <a href="https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng">DORA</a>. DORA, which stands for "Digital Operational Resilience Act", is a European regulation. European regulations apply automatically and uniformly across all EU countries. This is unlike another recent piece of legislation called <a href="https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng">NIS2</a>, the "Network and Information Security" directive. As an EU directive, NIS2 requires the EU countries to transpose the directive into local law. As a result, different EU countries can have a slightly different implementation.</p> <p>The DORA regulation applies to the EU financial sector, and has some strict requirements in it that affect companies' IT stakeholders. It doesn't often sugar-coat things like some frameworks do. This has the advantage that its "interpretation flexibility" is quite reduced - but not zero, of course. Yet that advantage is also a disadvantage: financial entities might have had different strategies covering their resiliency, and now need to adjust their strategy.</p> <p><strong>History of DORA</strong></p> <p>Officially called Regulation (EU) 2022/2554, DORA was proposed as a new regulatory framework in September 2020. It aimed to further strengthen the digital operational resilience of the financial sector. "Operational resilience" here focuses strongly on cyber threat resilience and operational risks like IT disasters. 
On January 16th 2023, the main DORA regulation <a href="https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora">entered into force</a>, and it will apply as of January 17th 2025. Yes, that's about now.</p> <p>Alongside the main DORA text, additional standards are being developed too. These are <a href="https://www.eba.europa.eu/regulation-and-policy/operational-resilience">Regulatory Technical Standards</a> (RTS) that detail the requirements of one or more articles within DORA. The one I currently come into contact with the most is the <a href="https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/regulatory-technical-standards-ict-risk-management-framework-and-simplified-ict-risk-management">RTS on ICT risk management framework</a>. This RTS elaborates on various requirements close to my own expertise. However, other RTS documents are also on my radar to read through, such as the technical standard on <a href="https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/regulatory-technical-standards-policy-ict-services-supporting-critical-or-important-functions">ICT services supporting critical or important functions provided by ICT third-party service providers</a> and the one on <a href="https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-regulatory-technical-subcontracting">subcontracting ICT services</a>.</p> <p>During the development of the DORA regulation and these technical standards, various stakeholders were consulted. The European Supervisory Authorities (ESAs) were of course primary stakeholders here, but other stakeholders could also provide their feedback. 
This feedback, and the answers or reactions to it from the legislative branch, help in understanding parts of the regulation ("am I reading this right?") as well as conveying the understanding of the regulatory branch about what is stated ("does the regulator understand what they are asking?").</p> <p>DORA is not a first, of course. The moment you start reading the regulation, you notice that it amends previous regulations. These are its predecessors, so they should also be seen as part of the "history" of DORA:</p> <ul> <li><a href="https://eur-lex.europa.eu/eli/reg/2009/1060/oj/eng">Regulation (EC) No 1060/2009</a>, which regulates the credit rating agencies.</li> <li><a href="https://eur-lex.europa.eu/eli/reg/2012/648/oj/eng">Regulation (EU) No 648/2012</a>, covering regulation on derivatives, central counterparties, and trade repositories.</li> <li><a href="https://eur-lex.europa.eu/eli/reg/2014/600/oj/eng">Regulation (EU) No 600/2014</a>, regulating the markets in financial instruments.</li> <li><a href="https://eur-lex.europa.eu/eli/reg/2014/909/oj/eng">Regulation (EU) No 909/2014</a>, which focuses on securities settlement and central securities depositories.</li> <li><a href="https://eur-lex.europa.eu/eli/reg/2016/1011/oj/eng">Regulation (EU) 2016/1011</a>, focusing on benchmarks in financial instruments and financial contracts, and on measuring the performance of investment funds.</li> </ul> <p>Now, these are all market-oriented regulations, and while many of them do sporadically refer to an operational resilience aspect, they require a significant understanding of that financial market to begin with, which isn't the case for DORA. But DORA wasn't the first to be more IT oriented.</p> <p>The first part of the DORA regulation provides context for the actual legislative articles (which only start one-third into the document). It provides references to previous publications or legislation that are more IT (or cyber threat) oriented. 
This first part is called the "preamble" in EU legislation.</p> <p>In this preamble, paragraph 15 references <a href="https://eur-lex.europa.eu/eli/dir/2016/1148/oj/eng">Directive (EU) 2016/1148</a> as the first broad cybersecurity framework enacted at EU level. It covers a high common level of security of network and information systems. Yes, that's the "NIS" directive that recently got a new iteration: <a href="https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng">Directive (EU) 2022/2555</a>, aka NIS2. Plenty of other references exist as well. Sometimes these refer to the legislation that covers certain markets, as listed before. Other references focus on the supervisory bodies. Many references are to other legislation that provides definitions for the terms used.</p> <p><strong>Structure of DORA</strong></p> <p>The main DORA legislation (so excluding the regulatory technical standards) covers 64 articles, divided into 9 chapters. But as mentioned earlier, it has quite a sizeable preamble that covers context, motivation and interpretation details for the legislative text. This allows for improved interpretation of the articles themselves.</p> <p>More specifically, such a preamble covers the legal basis of the legislation, and the objectives for which the legislation came to be. I found <a href="https://fabianbohnenberger.com/2024/04/10/how-to-read-eu-law/comment-page-1/">How to read EU law</a> by Fabian Bohnenberger to be a very good and quick-to-read overview of how an EU legislative text is structured. 
The DORA preamble already covers 106 paragraphs, and those aren't even the actual legislative articles.</p> <p>So, how are the legislative articles themselves structured?</p> <ul> <li> <p><em>Chapter I - General provisions</em> defines what the purpose of the legislation is and its structure (art 1), where the legislation applies (art 2), 65 definitions used throughout the legislation (art 3) and the notion that proportionality applies (art 4).</p> </li> <li> <p><em>Chapter II - ICT risk management</em> tells the in-scope markets and institutions how to govern and organize themselves to cover risk management (art 5), what the risk management framework should do (art 6), that they need to have fit-for-purpose tooling and procedures to cover risk management (art 7), that they need to properly identify risks towards their assets (art 8), need to take sufficient measures to protect themselves against various threats (art 9), be able to detect anomalous activities (art 10), have a response and recovery process in place (art 11), have backup/restore processes in place (art 12), learn from incidents and keep employee knowledge up to date (art 13), be able to communicate properly (art 14) and follow regulatory technical standards for ICT risk management (art 15). In the end, art 16 covers the simplified requirements for smaller financial institutions (as DORA differentiates requirements based on the impact, size and some other criteria).</p> </li> <li> <p><em>Chapter III - ICT-related incident management, classification and reporting</em> describes how to handle ICT incidents (art 17), how to classify these incidents and threats (art 18), what reporting expectations exist (art 19), and the standardization of the reporting (art 20). 
The reported incidents are centralized (art 21), supervisors will provide feedback on the reports (art 22), and art 23 extends these requirements to operational or security payment-related incidents.</p> </li> <li> <p><em>Chapter IV - Digital operational resilience testing</em> covers the testing of the operational resilience. First, general requirements are provided (art 24), after which DORA covers the testing of tools and systems (art 25), advanced testing by means of threat-led penetration testing (TLPT) for the financial entities that the competent authorities identify for it (art 26), and the requirements for the testers who carry out these tests (art 27).</p> </li> <li> <p><em>Chapter V - Managing of ICT third-party risk</em> goes deeper into managing the risks related to outsourcing and the use of third parties. Art 28 covers the general principles, whereas art 29 covers the potential concentration risk (aka "if everyone depends on this third party, then..."). Contractual expectations are covered in art 30. Further, this chapter covers the introduction of an oversight framework for large, critical third-party service providers. Art 31 designates when a third-party service provider is deemed critical, art 32 covers the oversight structure, art 33 introduces the role of the Lead Overseer(s), their operational coordination (art 34), their powers (art 35), and what their capabilities are outside of the EU (art 36). 
Art 37 covers how the overseer can request information, if and how investigations take place (art 38), how inspections are handled (art 39), how ongoing oversight is organized (art 40), how the conduct of oversight activities is harmonized (art 41), how competent authorities follow up on overseer activities (art 42), who pays for the oversight activities (art 43) and the international cooperation amongst regulatory/supervisory bodies (art 44).</p> </li> <li> <p><em>Chapter VI - Information-sharing arrangements</em> has a single article, art 45, on threat/intelligence information sharing amongst financial institutions.</p> </li> <li> <p><em>Chapter VII - Competent authorities</em> assigns the appropriate authorities to the various financial institutions (art 46), describes how these authorities cooperate with others (art 47), and how they cooperate amongst themselves (art 48). Cross-sector exercises are covered in art 49, and the penalties and remedial measures are covered in art 50. Art 51 covers how and when administrative penalties and measures are imposed, and art 52 covers criminal penalties. Art 53 requires EU member states to notify the EU institutions about related legislation/provisions, and art 54 documents how administrative penalties are published. Art 55 confirms the professional secrecy of the authorities, and art 56 covers the data protection provisions for the authorities.</p> </li> <li> <p><em>Chapter VIII - Delegated acts</em> has one article (art 57) covering how the power to adopt delegated acts is exercised (the roles of the Commission, Parliament, etc.).</p> </li> <li> <p><em>Chapter IX - Transitional and final provisions</em> is a "the rest" chapter. It covers a review of the law and its implementation by January 17th 2028 (art 58), and then many amendments to existing regulations to make them aligned and consistent with the DORA legislation (art 59 - 63). 
The last article, art 64, describes when DORA enters into force and when it applies.</p> </li> </ul> <p>For me, chapters II (risk management), IV (resilience testing) and V (third-party risk) are the most interesting, as they cover expectations for many IT processes or controls.</p> <p><strong>Regulatory Technical Standards</strong></p> <p>Within the DORA legislation, references are made to regulatory technical standards that need to be drafted. The intention of the regulatory technical standards is to further elaborate on the expectations and requirements of DORA. These RTS documents also have legislative power (hence the "regulatory" in the name) and are important to track too.</p> <p>The RTS that covers the ICT risk management framework from article 15 is one with a strong IT orientation. Like the EU legislative texts, it holds a lot of context to begin with. The draft publications also cover the feedback received and the answers/results from that feedback. It is unlikely that these will be found in the final published RTSs, though.</p> <p>The current <a href="https://www.eba.europa.eu/sites/default/files/2024-01/bf5a2976-1a48-44f3-b5a7-56acd23ba55c/JC%202023%2086%20-%20Final%20report%20on%20draft%20RTS%20on%20ICT%20Risk%20Management%20Framework%20and%20on%20simplified%20ICT%20Risk%20Management%20Framework.pdf">JC 2023 86 - Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework</a> has the actual technical standard between pages 45 and 89. It too uses chapters to split the text up a bit. After art 1, covering the overall risk profile and complexity, we have:</p> <ul> <li> <p><em>Chapter I - ICT security policies, procedures, protocols, and tools</em> contains significant input for various IT processes and domains. It is further subdivided into sections:</p> <ul> <li><em>Section I</em> covers what should be in the ICT security policies (art 2),</li> <li><em>Section II</em> describes the details of the ICT risk management framework (art 3),</li> <li><em>Section III - ICT Asset Management</em> covers the ICT asset management expectations (art 4) and the ICT asset management process (art 5),</li> <li><em>Section IV - Encryption and cryptography</em> covers cryptography expectations (art 6 and 7),</li> <li><em>Section V - ICT Operations Security</em> handles the ICT operations policies (art 8), capacity and performance management (art 9), vulnerability and patch management (art 10), data and system security (art 11), and logging expectations (art 12),</li> <li><em>Section VI - Network security</em> is about the network security expectations (art 13) and in-transit data protection measures (art 14),</li> <li><em>Section VII - ICT project and change management</em> covers ICT project management (art 15), ICT development and maintenance activities (art 16), and change management (art 17),</li> <li><em>Section VIII</em> handles physical security measures (art 18).</li> </ul> </li> <li> <p><em>Chapter II - Human Resources Policy and Access Control</em> handles HR policies (art 19), identity management (art 20) and access control (art 21).</p> </li> <li> <p><em>Chapter III - ICT-related incident detection and response</em> covers incident management (art 22), anomalous activity detection and response (art 23), business continuity (art 24 and 25) and ICT response and recovery (art 26).</p> </li> </ul> <p>As you can read from the titles, these are more specific. Don't think "Oh, it is just a single article" about a subject. Some articles span more than a full page. 
For instance, Article 13 on network security has 13 sub-paragraphs.</p> <p><strong>DORA for architects</strong></p> <p>I think that the DORA legislation is a crucial authority to consider when you are developing internal policies for EU-based financial institutions. I've mentioned the use of <a href="https://blog.siphos.be/2022/08/getting-lost-in-the-frameworks/">frameworks</a> in the past, which can inspire companies in the development of their own policies. Companies should never blindly copy these frameworks (or legislative requirements) into a policy, because then your policy becomes a mess of overlapping or sometimes even contradictory requirements. Instead, policies should refer to these authorities when relevant, allowing readers to understand which requirements are triggered by which source.</p> <p>When you're not involved in the development of policies, having a read through some of the DORA texts might still be sensible, as it gives a grasp on what requirements are pushed to your company. And while we're at it, do the same for the NIS2 documents, because even if your company is in scope of DORA, NIS2 still applies (DORA is a specialized law, so it takes precedence over what NIS2 asks, but if DORA doesn't cover a topic and NIS2 does, then you still have to follow NIS2).</p> <p>Feedback? Comments? Don't hesitate to get in touch on <a href="https://discuss.systems/@infrainsight">Mastodon</a>.</p>

Sven Vermeulen, Sun, 12 Jan 2025 22:12:00 +0100 (Regulation, dora)

Diagrams are no communication channel (https://blog.siphos.be/2024/09/diagrams-are-no-communication-channel/)

<p>IT architects generally use architecture-specific languages or modeling techniques to document their thoughts and designs. <a href="https://www.opengroup.org/archimate-forum/archimate-overview">ArchiMate</a>, the framework I have the most experience with, is a specialized enterprise architecture modeling language. 
It is maintained by The Open Group, an organization known for its broad architecture framework titled TOGAF.</p> <p>My stance, however, is that architects should not use the diagrams from their architecture modeling framework to convey their message to every stakeholder out there...</p>

Sven Vermeulen, Thu, 05 Sep 2024 22:00:00 +0200 (Architecture, architecture)

Sustainability in IT (https://blog.siphos.be/2022/09/sustainability-in-IT/)

<p>For one of the projects I'm currently involved in, we want to have a better view on sustainability within IT and see what we (IT) can contribute in light of the sustainability strategy of the company. For IT infrastructure, one would think that selecting more power-efficient infrastructure is the way to go, as well as selecting products whose manufacturing process pays special attention to sustainability.</p> <p>There are other areas to consider as well, though. Reusability of IT infrastructure and optimal resource consumption are at least two other attention points that deserve plenty of attention. But let's start at the manufacturing process...</p>

Sven Vermeulen, Sun, 25 Sep 2022 13:00:00 +0200 (Architecture, sustainability)

Getting lost in the frameworks (https://blog.siphos.be/2022/08/getting-lost-in-the-frameworks/)

<p>The IT world is littered with frameworks, best practices, reference architectures and more. In an ever-lasting attempt to standardize IT, we often get lost in too many standards or specifications. 
For consultants, this is a gold mine, as they jump in to support companies - for a fee, naturally - in adopting one or more of these frameworks or specifications.</p> <p>While having references and specifications isn't a bad thing, there are always pros and cons.</p>

Sven Vermeulen, Fri, 26 Aug 2022 13:00:00 +0200 (Architecture, framework, CMMI, ISO)

Containers are the new IaaS (https://blog.siphos.be/2022/05/containers-are-the-new-iaas/)

<p>At work, as with many other companies, we're actively investing in new platforms, including container platforms and public cloud. We use Kubernetes-based container platforms both on-premise and in the cloud, but are also very adamant that the container platforms should only be used for application workloads that are correctly designed for cloud-native deployments: we do not want to see vendors packaging full operating systems in a container and then shouting that they are now container-ready.</p>

Sven Vermeulen, Sat, 21 May 2022 13:00:00 +0200 (Architecture, kubernetes, container, iaas, infrastructure, virtual-machine)

Defining what an IT asset is (https://blog.siphos.be/2022/02/defining-what-an-it-asset-is/)

<p>One of the main IT processes that a company should strive to have in place is a decent IT asset management system. It facilitates knowing what assets you own, where they are, who the owner is, and provides a foundation for numerous other IT processes.</p> <p>However, when asking "what is an IT asset", it gets kind of fuzzy...</p>

Sven Vermeulen, Sun, 13 Feb 2022 13:00:00 +0100 (Architecture, asset-management, cobit, itil)

An IT conceptual data model (https://blog.siphos.be/2022/01/an-it-conceptual-data-model/)

<p>This time a much shorter post, as I've been asked to share this information recently and found that it, by itself, is already useful enough to publish. 
It is a conceptual data model for IT services.</p>

Sven Vermeulen, Mon, 17 Jan 2022 10:00:00 +0100 (Architecture, cdm, asset-management, configuration-management)

Ownership and responsibilities for infrastructure services (https://blog.siphos.be/2022/01/ownership-and-responsibilities-for-infrastructure-services/)

<p>In a perfect world, using infrastructure or technology services would be seamless, without impact, without risks. It would auto-update, tailor itself to the user's needs, detect when new features are necessary, adapt, etc. But while this is undoubtedly what vendors are saying their product delivers, the truth is way, waaaay different.</p> <p>Managing infrastructure services implies that the company or organization needs to organize itself to deal with all aspects of supporting a service. What are these aspects? Well, let's go through those that are top-of-mind for me...</p>

Sven Vermeulen, Thu, 13 Jan 2022 09:00:00 +0100 (Architecture, RACI, responsibilities)

The pleasures of having DTAP (https://blog.siphos.be/2021/12/the-pleasures-of-having-DTAP/)

<p>No, not Diphtheria, Tetanus, and Pertussis (vaccine), but <em>Development, Test, Acceptance, and Production (DTAP)</em>: different environments that, together with a well-working release management process, provide a way to get higher quality and reduced risks in production. 
DTAP is an important cornerstone for a larger infrastructure architecture, as it provides environments that are tailored to the needs of many stakeholders.</p>

Sven Vermeulen, Thu, 30 Dec 2021 12:00:00 +0100 (Architecture, DTAP, environments, zoning, development, test, acceptance, production)

Creating an enterprise open source policy (https://blog.siphos.be/2021/11/creating-an-enterprise-open-source-policy/)

<p>Nowadays it is impossible to ignore, or even prevent, open source from being active within the enterprise world. Even if a company only wants to use commercially backed solutions, many - if not most - of these are built with, and are using, open source software.</p> <p>However, open source is more than just a code sourcing possibility. By having a good statement within the company on how it wants to deal with open source, what it wants to support, etc., engineers and developers can have a better understanding of what they can do to support their business further.</p> <p>In many cases, companies will draft an <em>open source policy</em>, and in this post I want to share some practices I've learned on how to draft such a policy.</p>

Sven Vermeulen, Sat, 20 Nov 2021 15:00:00 +0100 (Architecture, opensource, enterprise, legal, compliance)

Hybrid cloud can be very complex (https://blog.siphos.be/2021/11/hybrid-cloud-can-be-very-complex/)

<p>I am not an advocate for hybrid cloud architectures. Or at least, not the definition of hybrid cloud that assumes one (cloud or on-premise) environment is just an extension of another (cloud or on-premise) environment. 
While such architectures seem to be simple and fruitful - you can easily add some capacity in the other environment to handle burst load - they are a complex beast to tame.</p>

Sven Vermeulen, Mon, 08 Nov 2021 20:00:00 +0100 (Architecture, hybrid, cloud)

Transparent encryption is not a silver bullet (https://blog.siphos.be/2021/10/transparent-encryption-is-not-a-silver-bullet/)

<p>Transparent encryption is relatively easy to implement, but without understanding what it actually means or why you are implementing it, you will probably make the assumption that it will prevent the data from being accessed by unauthorized users. Nothing could be further from the truth: disk-level encryption such as LUKS/dm-crypt only protects the data while the volume is not unlocked, and once the system is running, every process that the operating system lets read the file system sees plaintext.</p>

Sven Vermeulen, Tue, 19 Oct 2021 08:20:00 +0200 (Architecture, encryption, transparent, luks, dm-crypt)

Evaluating the zero trust hype (https://blog.siphos.be/2021/10/evaluating-the-zero-trust-hype/)

<p>Security vendors are touting the benefits of "zero trust" as the new way to approach security and security-conscious architecting. But while there are principles within the zero trust mindset that came up in the last dozen years, most of the content in zero trust discussions is tied to age-old security propositions.</p>

Sven Vermeulen, Tue, 05 Oct 2021 00:00:00 +0200 (Architecture, zero-trust, security, enterprise, network-security)

Scale is a cloud threat (https://blog.siphos.be/2021/09/scale-is-a-cloud-threat/)

<p>Not that long ago, a vulnerability was found in <a href="https://docs.microsoft.com/en-us/azure/cosmos-db/">Microsoft Azure Cosmos DB</a>, a NoSQL SaaS database within the Microsoft Azure cloud. 
The vulnerability, which was dubbed <a href="https://chaosdb.wiz.io/">ChaosDB</a> by the <a href="https://twitter.com/wiz_io">Wiz Research Team</a>, exploits a vulnerability or misconfiguration in the <a href="https://docs.microsoft.com/en-us/azure/cosmos-db/cosmosdb-jupyter-notebooks">Jupyter Notebook feature</a> within Cosmos DB. This vulnerability allowed an attacker to gain access to other customers' Cosmos DB credentials. Not long thereafter, a second vulnerability dubbed <a href="https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure">OMIGOD</a> showed that cloud security is not as simple as some vendors would like you to believe.</p> <p>These vulnerabilities are a good example of how scale is a cloud threat: a single flaw in a shared, multi-tenant service can expose every tenant that uses it at once. Companies that do not have enough experience with public cloud might not account for this in their threat models.</p>

Sven Vermeulen, Tue, 28 Sep 2021 17:00:00 +0200 (Architecture, cloud, vulnerability)

Naming conventions (https://blog.siphos.be/2021/09/naming-conventions/)

<p>Naming conventions. Picking the right naming convention is easy if you are all by yourself, but hard when you need to agree upon the conventions in a larger group. Everybody has an opinion on naming conventions, and once you decide on them, you do expect everybody to follow through on them.</p> <p>Let's consider why naming conventions are (not) important and look at a few examples to help in creating a good naming convention yourself.</p>

Sven Vermeulen, Wed, 15 Sep 2021 19:00:00 +0200 (Architecture, naming)

Location view of infrastructure (https://blog.siphos.be/2021/09/location-view-of-infrastructure/)

<p>In this last post on the infrastructure domain, I cover the fifth and final viewpoint that is important for an infrastructure domain representation, and that is the <em>location view</em>. 
As mentioned in previous posts, the viewpoints I think are most representative of the infrastructure domain are:</p> <ul> <li><a href="https://blog.siphos.be/2021/09/process-view-of-infrastructure/">process view</a></li> <li><a href="https://blog.siphos.be/2021/06/an-it-services-overview/">service view</a></li> <li><a href="https://blog.siphos.be/2021/08/component-view-of-infrastructure/">component view</a></li> <li><a href="https://blog.siphos.be/2017/06/structuring-infrastructural-deployments/">zoning view</a></li> <li>location view</li> </ul> <p>Like the component view, the location view is a layered approach. While I initially wanted to call it the network view, "location" might be a broader term that matches the content better. Still, it's not a perfect name, but the name is less important than the content, isn't it?</p>

Sven Vermeulen, Tue, 07 Sep 2021 18:00:00 +0200 (Architecture, architecture, location, network, virtualization, protocol)

Process view of infrastructure (https://blog.siphos.be/2021/09/process-view-of-infrastructure/)

<p>In my <a href="https://blog.siphos.be/2021/08/component-view-of-infrastructure/">previous post</a>, I started with the five different views that would support a good view of what infrastructure would be. I believe these views (component, location, process, service, and zoning) cover the breadth of the domain. 
The post also described the component view a bit more and linked to previous posts I made (one for <a href="https://blog.siphos.be/2021/06/an-it-services-overview/">services</a>, another for <a href="https://blog.siphos.be/2017/06/structuring-infrastructural-deployments/">zoning</a>).</p> <p>The one I want to tackle here is the most elaborate one, also the most enterprise-ish, and one that is always a balance on how much time and effort to put into it (as an architect), while hoping that the processes are sufficiently standardized in a flexible manner so that you don't need to cover everything again and again in each project.</p> <p>So, let's talk about processes...</p>

Sven Vermeulen, Wed, 01 Sep 2021 11:20:00 +0200 (Architecture, architecture, process)

Component view of infrastructure (https://blog.siphos.be/2021/08/component-view-of-infrastructure/)

<p>IT architects try to use views and viewpoints to convey the target architecture to the various stakeholders. Each stakeholder has their own interests in the architecture and wants to see their requirements fulfilled. A core role of the architect is to understand these requirements, make sure they are met, and balance all the different requirements.</p> <p>Architecture languages or meta-models often put significant focus on these views. ArchiMate has a large annex on <a href="https://pubs.opengroup.org/architecture/archimate3-doc/apdxc.html#_Toc10045495">Example Viewpoints</a> just for this purpose. 
However, unless the organization is widely accustomed to enterprise architecture views, it is unlikely that the views themselves are the final product: being able to translate those views into pretty slides and presentations is still an important task for architects when they need to present their findings to non-architecture roles.</p>

Sven Vermeulen, Fri, 27 Aug 2021 21:10:00 +0200 (Architecture, architecture, component, viewpoint)

Disaster recovery in the public cloud (https://blog.siphos.be/2021/07/disaster-recovery-in-the-public-cloud/)

<p>The public cloud is a different beast than an on-premise environment, and that also reflects itself in how we (should) look at the processes that are actively steering infrastructure designs and architecture. One of these is business continuity, severe incident handling, and the hopefully-never-to-occur disaster recovery. When building up procedures for handling disasters (<a href="https://en.wikipedia.org/wiki/Disaster_recovery">DRP = Disaster Recovery Procedure or Disaster Recovery Planning</a>), it is important to keep in mind what these are about.</p>

Sven Vermeulen, Fri, 30 Jul 2021 20:00:00 +0200 (Architecture, architecture, cloud, DRP)

What is the infrastructure domain? (https://blog.siphos.be/2021/07/what-is-the-infrastructure-domain/)

<p>In my job as domain architect for "infrastructure", I often come across stakeholders that have no common understanding of what infrastructure means in an enterprise architecture. Since then, I have been trying to figure out a way to easily explain it - to find a common, generic view on what infrastructure entails. 
If successful, I could use this common view to provide context on the many, many IT projects that are going around.</p> Sven VermeulenMon, 19 Jul 2021 15:20:00 +0200tag:blog.siphos.be,2021-07-19:/2021/07/what-is-the-infrastructure-domain/ArchitecturearchitecturepatternOrganizing service documentationhttps://blog.siphos.be/2021/07/organizing-service-documentation/<p>As I mentioned in <a href="https://blog.siphos.be/2021/06/an-it-services-overview/">An IT services overview</a>, I try to keep track of the architecture and designs of the IT services and solutions in a way that I feel helps me keep in touch with all the various services and solutions out there. Similar to how system administrators try to find a balance while working on documentation (which is often considered a chore) and using a structure that is sufficiently simple and standard for the organization to benefit from, architects should try to keep track of architecturally relevant information as well.</p> <p>So in this post, I'm going to explain a bit more about how I approach documenting service and solution insights for architectural relevance.</p> Sven VermeulenThu, 08 Jul 2021 09:20:00 +0200tag:blog.siphos.be,2021-07-08:/2021/07/organizing-service-documentation/ArchitecturearchitecturedocumentationstructurewikiNot sure if TOSCA will grow furtherhttps://blog.siphos.be/2021/06/not-sure-if-TOSCA-will-grow-further/<p>TOSCA is an OASIS open standard, and is an abbreviation for <em>Topology and Orchestration Specification for Cloud Applications</em>. It provides a domain-specific language to describe how an application should be deployed in the cloud (the topology), which and how many resources it needs, as well as tasks to run when certain events occur (the orchestration). When I initially came across this standard, I was (and still am) interested in how far this goes. 
The promise of declaring an application (and even bundling the necessary application artefacts) within a single asset and then using this asset to deploy on whatever cloud is very appealing to an architect, especially in organizations that have a multi-cloud strategy.</p> Sven VermeulenWed, 30 Jun 2021 14:30:00 +0200tag:blog.siphos.be,2021-06-30:/2021/06/not-sure-if-TOSCA-will-grow-further/ArchitecturearchitecturecloudTOSCAOASIStopologyorchestrationinfrastructureIaCNFVIntegrating or customizing SaaS within your own cloud environmenthttps://blog.siphos.be/2021/06/integrating-or-customizing-SaaS-within-your-own-cloud-environment/<p>Software as a Service (SaaS) solutions are often a quick way to get new capabilities into an organization’s portfolio. Smaller SaaS solutions are simple, web-based solutions which barely integrate with the organization’s other solutions, besides the identity and access management (which is often handled by federated authentication).</p> <p>More complex or intermediate solutions require more integration focus, and a whole new market of Integration Platform as a Service (iPaaS) solutions came up to facilitate cross-cloud integrations. But even without the iPaaS offerings, integrations are often a mandatory part of leveraging the benefits of the newly activated SaaS solution.</p> <p>In this post I want to bring some thoughts on the integrations that might be needed to support customizing a SaaS solution.</p> Sven VermeulenWed, 23 Jun 2021 15:10:00 +0200tag:blog.siphos.be,2021-06-23:/2021/06/integrating-or-customizing-SaaS-within-your-own-cloud-environment/ArchitecturearchitecturecloudSaaSintegrationcustomizationAn IT services overviewhttps://blog.siphos.be/2021/06/an-it-services-overview/<p>My current role within the company I work for is “domain architect”, part of the enterprise architects teams. The domain I am accountable for is “infrastructure”, which can be seen as a very broad one. 
Now, I’ve been maintaining an overview of our IT services since before I reached that role, mainly from an elaborate interest in the subject, as well as to optimize my efficiency further.</p> <p>Becoming a domain architect allows me to use the insights I’ve since gathered to try and give appropriate advice, but also now requires me to maintain a domain architecture. This structure is going to be the starting point of it, although it is not the be-all and end-all of what I would consider a domain architecture.</p> Sven VermeulenMon, 14 Jun 2021 17:30:00 +0200tag:blog.siphos.be,2021-06-14:/2021/06/an-it-services-overview/ArchitecturearchitectureoverviewservicelandscapecatalogcapabilityThe three additional layers in the OSI modelhttps://blog.siphos.be/2021/06/the-three-additional-layers-in-the-OSI-model/<p>At my workplace, I jokingly refer to the three extra layers on top of the OSI network model as a way to describe the difficulties of discussions or cases. These three additional layers are the Financial Layer, Politics Layer and Religion Layer, and the idea is that the higher up you go, the more challenging discussions will be.</p> Sven VermeulenWed, 09 Jun 2021 11:10:00 +0200tag:blog.siphos.be,2021-06-09:/2021/06/the-three-additional-layers-in-the-OSI-model/MiscOSImeetinghumorVirtualization vs abstractionhttps://blog.siphos.be/2021/06/virtualization-vs-abstraction/<p>When an organization has an extensively large and heterogeneous infrastructure, infrastructure architects will attempt to make it less complex and chaotic by introducing and maintaining a certain degree of standardization. 
While many might consider standardization as a rationalization (standardizing on a single database technology, single vendor for hardware, etc.), rationalization is only one of the many ways in which standards can simplify such a degree of complexity.</p> <p>In this post, I'd like to point out two other, very common ways to standardize the IT environment, without really considering a rationalization: abstraction and virtualization.</p> Sven VermeulenThu, 03 Jun 2021 10:10:00 +0200tag:blog.siphos.be,2021-06-03:/2021/06/virtualization-vs-abstraction/ArchitecturearchitecturevirtualizationabstractionSELinux System Administration 3rd Editionhttps://blog.siphos.be/2021/01/selinux-system-administration-3rd-edition/<p>As I mentioned previously, recently my latest installment of "SELinux System Administration" has been released by Packt Publishing. This is already the third edition of the book, after the first (2013) and second (2016) editions achieved reasonable success given the technical and often hard nature of full SELinux administration.</p> <p>Like with the previous editions, this book remains true to the audience of system administrators, rather than SELinux policy developers. Of course, SELinux policy development is not ignored in the book.</p> Sven VermeulenWed, 06 Jan 2021 20:00:00 +0100tag:blog.siphos.be,2021-01-06:/2021/01/selinux-system-administration-3rd-edition/SELinuxselinuxpacktbookAbstracting infrastructure complexityhttps://blog.siphos.be/2020/12/abstracting-infrastructure-complexity/<p>IT is complex. Some even consider it to be more magic than reality. And with the ongoing evolutions and inventions, the complexity is not really going away. Sure, some IT areas are becoming easier to understand, but that is often offset by new areas being explored.</p> <p>Companies and organizations that have a sizeable IT footprint generally see an increase in their infrastructure, regardless of how many rationalization initiatives are started. 
Personally, I find it challenging, in a fun way, to keep up with the onslaught of new technologies and services that are onboarded in the infrastructure landscape that I'm responsible for.</p> <p>But just understanding a technology isn't enough to deal with its position in the larger environment.</p> Sven VermeulenFri, 25 Dec 2020 23:00:00 +0100tag:blog.siphos.be,2020-12-25:/2020/12/abstracting-infrastructure-complexity/ArchitectureinfrastructurearchimateWorking on infra strategyhttps://blog.siphos.be/2020/10/working-on-infra-strategy/<p>After a long hiatus, I'm ready to take up blogging again on my public blog. With my day job becoming more intensive and my side-job taking the remainder of the time, I've since quit my work on the Gentoo project. I am in the process of releasing a new edition of the SELinux System Administration book, so I'll probably discuss that more later.</p> <p>Today, I want to write about a task I had to do this year as a brand new domain architect for infrastructure.</p> Sven VermeulenSun, 04 Oct 2020 13:20:00 +0200tag:blog.siphos.be,2020-10-04:/2020/10/working-on-infra-strategy/Architecturecvechecker 3.9 releasedhttps://blog.siphos.be/2018/09/cvechecker-3.9-released/<p>Thanks to updates from Vignesh Jayaraman, Anton Hillebrand and Rolf Eike Beer, a new release of <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker</a> is now available.</p> <p>This new release (v3.9) is a bugfix release.</p> Sven VermeulenSun, 09 Sep 2018 13:20:00 +0200tag:blog.siphos.be,2018-09-09:/2018/09/cvechecker-3.9-released/Free-SoftwarecvecheckerAutomating compliance checkshttps://blog.siphos.be/2018/03/automating-compliance-checks/<p>With the configuration baseline for a technical service being described fully (see the <a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">first</a>, <a href="https://blog.siphos.be/2018/01/structuring-a-configuration-baseline/">second</a> and <a 
href="https://blog.siphos.be/2018/01/documenting-a-rule/">third</a> post in this series), it is time to consider the validation of the settings in an automated manner. The preferred method for this is to use <em>Open Vulnerability and Assessment Language (OVAL)</em>, which is nowadays managed by the <a href="https://oval.cisecurity.org/">Center for Internet Security</a>, abbreviated as CISecurity. Previously, OVAL was maintained and managed by Mitre under NIST supervision, and Google searches will often still point to the old sites. However, documentation is now maintained on CISecurity's <a href="https://github.com/OVALProject/Language/tree/5.11.2/docs">github repositories</a>.</p> <p>But I digress...</p> Sven VermeulenSat, 03 Mar 2018 13:20:00 +0100tag:blog.siphos.be,2018-03-03:/2018/03/automating-compliance-checks/SecurityxccdfovalscapbaselineDocumenting a rulehttps://blog.siphos.be/2018/01/documenting-a-rule/<p>In the <a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">first post</a> I talked about why configuration documentation is important. In the <a href="https://blog.siphos.be/2018/01/structuring-a-configuration-baseline/">second post</a> I looked into a good structure for configuration documentation of a technological service, and ended with an XCCDF template in which this documentation can be structured.</p> <p>The next step is to document the rules themselves, i.e. the actual content of a configuration baseline.</p> Sven VermeulenWed, 24 Jan 2018 20:40:00 +0100tag:blog.siphos.be,2018-01-24:/2018/01/documenting-a-rule/SecurityxccdfscapbaselineStructuring a configuration baselinehttps://blog.siphos.be/2018/01/structuring-a-configuration-baseline/<p>A good configuration baseline has a readable structure that allows all stakeholders to quickly see if the baseline is complete, as well as find a particular setting regardless of the technology. 
In this blog post, I'll cover a possible structure of the baseline which attempts to be sufficiently complete and technology agnostic.</p> <p>If you haven't read the blog post on <a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">documenting configuration changes</a>, it might be a good idea to do so as it declares the scope of configuration baselines and why I think XCCDF is a good match for this.</p> Sven VermeulenWed, 17 Jan 2018 09:10:00 +0100tag:blog.siphos.be,2018-01-17:/2018/01/structuring-a-configuration-baseline/SecurityxccdfscapbaselineDocumenting configuration changeshttps://blog.siphos.be/2018/01/documenting-configuration-changes/<p>IT teams are continuously under pressure to set up and maintain infrastructure services quickly, efficiently and securely. As an infrastructure architect, my main concerns are related to the manageability of these services and their secure setup. And within those realms, a properly documented configuration setup is in my opinion crucial.</p> <p>In this blog post series, I'm going to look into using the <em>Extensible Configuration Checklist Description Format (XCCDF)</em> as the way to document these. This first post is a functional introduction to XCCDF and what I position it for.</p> Sven VermeulenSun, 07 Jan 2018 21:20:00 +0100tag:blog.siphos.be,2018-01-07:/2018/01/documenting-configuration-changes/SecurityxccdfscapbaselineSELinux and extended permissionshttps://blog.siphos.be/2017/11/selinux-and-extended-permissions/<p>One of the features present in the <a href="https://github.com/SELinuxProject/selinux/wiki/Releases">August release</a> of the SELinux user space is its support for ioctl xperm rules in modular policies. In the past, this was only possible in monolithic ones (and CIL). Through this, allow rules can be extended to not only cover source (domain) and target (resource) identifiers, but also a specific number on which they apply. 
And ioctls are the first (and currently only) permission on which this is implemented.</p> <p>Note that ioctl-level permission controls aren't a new feature by themselves, but the fact that they can be used in modular policies is.</p> Sven VermeulenMon, 20 Nov 2017 17:00:00 +0100tag:blog.siphos.be,2017-11-20:/2017/11/selinux-and-extended-permissions/SELinuxselinuxioctlSELinux Userspace 2.7https://blog.siphos.be/2017/09/selinux-userspace-2.7/<p>A few days ago, <a href="http://blog.perfinion.com/">Jason "perfinion" Zaman</a> stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a <a href="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt">few new features</a>, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package into separate packages so that deployments can be made more specific.</p> <p>Let's take a look at all the various userspace packages again and learn what their purpose is, so that you can decide if they're needed or not on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).</p> Sven VermeulenTue, 26 Sep 2017 14:50:00 +0200tag:blog.siphos.be,2017-09-26:/2017/09/selinux-userspace-2.7/SELinuxgentooselinuxuserspaceAuthenticating with U2Fhttps://blog.siphos.be/2017/09/authenticating-with-u2f/<p>In order to further secure access to my workstation, after the <a href="http://blog.siphos.be/2017/08/switch-to-gentoo-sources/">switch to Gentoo sources</a>, I now enabled two-factor authentication through my Yubico U2F USB device. 
Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by <a href="https://lwn.net/Articles/544640/">chaining authentication methods in OpenSSH</a>.</p> <p>Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about the <code>pam_u2f</code> setup are indeed correct that it is fairly simple. For completeness' sake, I've documented what I know on the Gentoo Wiki, as the <a href="https://wiki.gentoo.org/wiki/Pam_u2f">pam_u2f article</a>.</p> Sven VermeulenMon, 11 Sep 2017 18:25:00 +0200tag:blog.siphos.be,2017-09-11:/2017/09/authenticating-with-u2f/Securitygentoosecurityyubicou2fpamUsing nVidia with SELinuxhttps://blog.siphos.be/2017/08/using-nvidia-with-selinux/<p>Yesterday I <a href="http://blog.siphos.be/2017/08/switch-to-gentoo-sources/">switched to the gentoo-sources kernel package</a> on Gentoo Linux. And with that, I also attempted (successfully) to use the proprietary nvidia drivers so that I can enjoy both a smoother 3D experience while playing minecraft, as well as use the CUDA support so I don't need to use cloud-based services for small exercises.</p> <p>The move to nvidia was quite simple, as the <a href="https://wiki.gentoo.org/wiki/NVidia/nvidia-drivers">nvidia-drivers wiki article</a> on the Gentoo wiki was quite easy to follow.</p> Sven VermeulenWed, 23 Aug 2017 19:04:00 +0200tag:blog.siphos.be,2017-08-23:/2017/08/using-nvidia-with-selinux/SELinuxgentooselinuxnvidiaSwitch to Gentoo sourceshttps://blog.siphos.be/2017/08/switch-to-gentoo-sources/<p>You might already have read it on the Gentoo news site: the <a href="https://www.gentoo.org/news/2017/08/19/hardened-sources-removal.html">Hardened Linux kernel sources are removed from the tree</a> due to the <a href="http://grsecurity.net/">grsecurity</a> change where the grsecurity Linux kernel patches are no longer provided for free. 
The decision was made for supportability and maintainability reasons.</p> <p>That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. <a href="https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Agostino Sarubbo has started providing sys-kernel/grsecurity-sources</a> for the users who want to stick with it, as it is based on <a href="https://github.com/minipli/linux-unofficial_grsec">minipli's unofficial patchset</a>. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.</p> <p>Personally though, I'm switching to the Gentoo sources, and sticking with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).</p> Sven VermeulenTue, 22 Aug 2017 19:04:00 +0200tag:blog.siphos.be,2017-08-22:/2017/08/switch-to-gentoo-sources/GentoogentoohardenedgrsecurityselinuxProject prioritizationhttps://blog.siphos.be/2017/07/project-prioritization/<p><sub>This is a long read, skip to “Prioritizing the projects and changes” for the approach details...</sub></p> <p>Organizations and companies generally have an IT workload (dare I say, backlog?) which needs to be properly assessed, prioritized and taken up. Sometimes, the IT team(s) get an amount of budget and HR resources to "do their thing", while others need to continuously ask for approval to launch a new project or instantiate a change.</p> <p>Sizeable organizations even require engineering and development effort on IT projects which are not readily available: specialized teams exist, but they are governance-wise assigned to projects. 
And as everyone thinks their project is the top-most priority one, many will be disappointed when they hear there are no resources available for their pet project.</p> <p>So... how should organizations prioritize such projects?</p> Sven VermeulenTue, 18 Jul 2017 20:40:00 +0200tag:blog.siphos.be,2017-07-18:/2017/07/project-prioritization/ArchitecturepmostrategySAFeprioritizationprojectStructuring infrastructural deploymentshttps://blog.siphos.be/2017/06/structuring-infrastructural-deployments/<p>Many organizations struggle with the all-time increase in IP address allocation and the accompanying need for segmentation. In the past, governing the segments within the organization meant keeping close control over the service deployments, firewall rules, etc.</p> <p>Lately, the idea of micro-segmentation, supported through software-defined networking solutions, seems to defy the need for segmentation governance. However, I think that that is a very short-sighted sales proposition. Even with micro-segmentation, or even pure point-to-point / peer2peer communication flow control, you'll still need a high-level overview of the services within your scope.</p> <p>In this blog post, I'll give some insights into how we are approaching this in the company I work for. 
In short, it starts with requirements gathering, creating labels to assign to deployments, creating groups based on one or two labels in a layered approach, and finally fixing the resulting schema and starting to map guidance documents (policies) onto the presented architecture.</p> Sven VermeulenWed, 07 Jun 2017 20:40:00 +0200tag:blog.siphos.be,2017-06-07:/2017/06/structuring-infrastructural-deployments/ArchitecturesegmentationzoningdeploymentslandscapeMatching MD5 SSH fingerprinthttps://blog.siphos.be/2017/05/matching-md5-ssh-fingerprint/<p>Today I was attempting to update a local repository, when SSH complained about a changed fingerprint, something like the following:</p> <div class="highlight"><pre><span></span><code>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:p4ZGs+YjsBAw26tn2a+HPkga1dPWWAWX+NEm4Cv4I9s.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:9
ECDSA host key for 192.168.56.101 has changed and you have requested strict checking.
Host key verification failed.
</code></pre></div> Sven VermeulenThu, 18 May 2017 18:20:00 +0200tag:blog.siphos.be,2017-05-18:/2017/05/matching-md5-ssh-fingerprint/Securityopensshfingerprintmd5Switched to Lineage OShttps://blog.siphos.be/2017/04/switched-to-lineage-os/<p>I have been a long time user of <a href="https://en.wikipedia.org/wiki/CyanogenMod">CyanogenMod</a>, which discontinued its services at the end of 2016. Due to lack of (continuous) time, I was not able to switch over toward a different ROM. 
Also, I wasn't sure if <a href="https://www.lineageos.org/">LineageOS</a> would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.</p> <p>Today, I made my choice and installed LineageOS.</p> Sven VermeulenSun, 09 Apr 2017 16:40:00 +0200tag:blog.siphos.be,2017-04-09:/2017/04/switched-to-lineage-os/Misccyanogenmodlineageosmobileandroidcvechecker 3.8 releasedhttps://blog.siphos.be/2017/03/cvechecker-3.8-released/<p>A new release is now available for the <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker</a> application. This is a stupid yet important bugfix release: the 3.7 release saw all newly released CVEs as being already known, so it did not take them up into the database. As a result, systems would never check for the new CVEs.</p> Sven VermeulenMon, 27 Mar 2017 19:00:00 +0200tag:blog.siphos.be,2017-03-27:/2017/03/cvechecker-3.8-released/Free-SoftwarecvecheckerHandling certificates in Gentoo Linuxhttps://blog.siphos.be/2017/03/handling-certificates-in-gentoo-linux/<p>I recently created a new article on the Gentoo Wiki titled <a href="https://wiki.gentoo.org/wiki/Certificates">Certificates</a> which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle <em>everything</em> about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of both Chromium and Firefox separately, even though they both use NSS.</p> Sven VermeulenMon, 06 Mar 2017 22:20:00 +0100tag:blog.siphos.be,2017-03-06:/2017/03/handling-certificates-in-gentoo-linux/Gentoogentoocertificatesnsscvechecker 3.7 releasedhttps://blog.siphos.be/2017/03/cvechecker-3.7-released/<p>After a long time of getting too little attention from me, I decided to make a new <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker</a> release. 
There are few changes in it, but I am planning on making a new release soon with lots of clean-ups.</p> Sven VermeulenThu, 02 Mar 2017 10:00:00 +0100tag:blog.siphos.be,2017-03-02:/2017/03/cvechecker-3.7-released/Free-SoftwarecvecheckerI missed FOSDEMhttps://blog.siphos.be/2017/02/i-missed-fosdem/<p>I sadly had to miss out on the FOSDEM event. The entire weekend was filled with me being apathetic, feverish and overall zombie-like. Yes, sickness can be cruel. It wasn't until today that I had the energy back to fire up my laptop.</p> <p>Sorry to the crew that I promised to meet at FOSDEM. I'll make it up, somehow.</p> Sven VermeulenTue, 07 Feb 2017 17:06:00 +0100tag:blog.siphos.be,2017-02-07:/2017/02/i-missed-fosdem/MiscgentoofosdemSELinux System Administration, 2nd Editionhttps://blog.siphos.be/2016/12/selinux-system-administration-2nd-edition/<p>While still working on a few other projects, one of the time consumers of the past half year (haven't you noticed? my blog was quite silent) has come to an end: the <a href="https://www.packtpub.com/networking-and-servers/selinux-system-administration-second-edition">SELinux System Administration - Second Edition</a> book is now available. With almost double the number of pages and a serious update of the content, the book can now be bought either through Packt Publishing itself, or the various online bookstores such as <a href="https://www.amazon.com/SELinux-System-Administration-Sven-Vermeulen-ebook/dp/B01LWM02WI">Amazon</a>.</p> <p>With the holidays now approaching, I hope to be able to execute a few tasks within the Gentoo community (and of the Gentoo Foundation) and get back on track. 
Luckily, my absence was not jeopardizing the state of <a href="https://wiki.gentoo.org/wiki/SELinux">SELinux</a> in Gentoo thanks to the efforts of Jason Zaman.</p> Sven VermeulenThu, 22 Dec 2016 19:26:00 +0100tag:blog.siphos.be,2016-12-22:/2016/12/selinux-system-administration-2nd-edition/SELinuxselinuxgentoorhelredhatpacktbookpublishingGnuPG: private key suddenly missing?https://blog.siphos.be/2016/10/gnupg-private-key-suddenly-missing/<p>After updating my workstation, I noticed that keychain reported that it could not load one of the GnuPG keys I passed to it.</p> <div class="highlight"><pre><span></span><code> * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 2167
 * Found existing gpg-agent: 2194
 * Warning: can't find 0xB7BD4B0DE76AC6A4; skipping
 * Known ssh key: /home/swift/.ssh/id_dsa
 * Known ssh key: /home/swift/.ssh/id_ed25519
 * Known gpg key: 0x22899E947878B0CE
</code></pre></div> <p>I did not modify my key store at all, so what happened?</p> Sven VermeulenWed, 12 Oct 2016 18:56:00 +0200tag:blog.siphos.be,2016-10-12:/2016/10/gnupg-private-key-suddenly-missing/Free-SoftwaregnupgWe do not ship SELinux sandboxhttps://blog.siphos.be/2016/09/we-do-not-ship-selinux-sandbox/<p>A few days ago a vulnerability was reported in the SELinux sandbox user space utility. The utility is part of the <code>policycoreutils</code> package. 
Luckily, Gentoo's <code>sys-apps/policycoreutils</code> package is not vulnerable - and not because we were clairvoyant about this issue, but because we don't ship this utility.</p> Sven VermeulenTue, 27 Sep 2016 20:47:00 +0200tag:blog.siphos.be,2016-09-27:/2016/09/we-do-not-ship-selinux-sandbox/SELinuxselinuxsandboxgentoovulnerabilityseunshareMounting QEMU imageshttps://blog.siphos.be/2016/09/mounting-qemu-images/<p>While working on the second edition of my first book, <a href="https://www.packtpub.com/networking-and-servers/selinux-system-administration-second-edition">SELinux System Administration - Second Edition</a> I had to test out a few commands on different Linux distributions to make sure that I don't create instructions that only work on Gentoo Linux. After all, as awesome as Gentoo might be, the Linux world is a bit bigger. So I downloaded a few live systems to run in Qemu/KVM.</p> <p>Some of these systems however use <a href="https://cloudinit.readthedocs.io/en/latest/">cloud-init</a> which, while interesting to use, is not set up on my system yet. And without support for cloud-init, how can I get access to the system?</p> Sven VermeulenMon, 26 Sep 2016 19:26:00 +0200tag:blog.siphos.be,2016-09-26:/2016/09/mounting-qemu-images/Free-SoftwareqemuComparing Hadoop with mainframehttps://blog.siphos.be/2016/06/comparing-hadoop-with-mainframe/<p>At my work, I have the pleasure of being involved in a big data project that uses Hadoop as the primary platform for several services. As an architect, I try to get to know the platform's capabilities, its potential use cases, its surrounding ecosystem, etc. And although the implementation at work is not in its final form (yay agile infrastructure releases) I do start to get a grasp of where we might be going.</p> <p>For many analysts and architects, this Hadoop platform is a new kid on the block so I have some work explaining what it is and what it is capable of. 
Not for the fun of it, but to help the company make the right decisions, to support management and operations, to lift the fear of new environments. One thing I once said is that "Hadoop is the poor man's mainframe", because I notice some high-level similarities between the two.</p> Sven VermeulenWed, 15 Jun 2016 20:55:00 +0200tag:blog.siphos.be,2016-06-15:/2016/06/comparing-hadoop-with-mainframe/HadoophadoopmainframeTemplate was specified incorrectlyhttps://blog.siphos.be/2016/03/template-was-specified-incorrectly/<p>After reorganizing my salt configuration, I received the following error:</p> <div class="highlight"><pre><span></span><code>[ERROR ] Template was specified incorrectly: False
</code></pre></div> <p>Enabling some debugging on the command gave me a slight pointer why this occurred:</p> <div class="highlight"><pre><span></span><code>[DEBUG ] Could not find file from saltenv 'testing', u'salt://top.sls'
[DEBUG ] No contents loaded for env: testing
[DEBUG ] compile template: False
[ERROR ] Template was specified incorrectly: False
</code></pre></div> <p>I was using a single top file as recommended by Salt, but apparently it was still looking for top files in the other environments.</p> <p>Yet, if I split the top files across the environments, I got the following warning:</p> <div class="highlight"><pre><span></span><code>[WARNING ] Top file merge strategy set to 'merge' and multiple top files found. Top file merging order is undefined; for better results use 'same' option
</code></pre></div> <p>So what's all this about?</p> Sven VermeulenSun, 27 Mar 2016 13:32:00 +0200tag:blog.siphos.be,2016-03-27:/2016/03/template-was-specified-incorrectly/Free-SoftwaresaltUsing salt-ssh with agent forwardinghttps://blog.siphos.be/2016/03/using-salt-ssh-with-agent-forwarding/<p>Part of a system's security is to reduce the attack surface. 
Following this principle, I want to see if I can switch from using regular salt minions for a saltstack managed system set towards <code>salt-ssh</code>. This would allow doing some system management over SSH instead of ZeroMQ.</p> <p>I'm not confident yet that this is a solid approach to take (as performance is also important, and it is greatly reduced with <code>salt-ssh</code>), and the security exposure of the salt minions over ZeroMQ is also not that severe (especially not when a local firewall ensures that only connections from the salt master are allowed). But playing doesn't hurt.</p> Sven VermeulenSat, 26 Mar 2016 19:57:00 +0100tag:blog.siphos.be,2016-03-26:/2016/03/using-salt-ssh-with-agent-forwarding/Free-SoftwaresaltTrying out imapsynchttps://blog.siphos.be/2016/03/trying-out-imapsync/<p>Recently, I had to migrate mail boxes for a couple of users from one mail provider to another. Both mail providers used IMAP, so I looked into IMAP related synchronization methods. I quickly found the <a href="https://github.com/imapsync/imapsync">imapsync</a> application, also supported through Gentoo's repository.</p> Sven VermeulenSun, 13 Mar 2016 12:57:00 +0100tag:blog.siphos.be,2016-03-13:/2016/03/trying-out-imapsync/Free-SoftwareimapsyncNew cvechecker releasehttps://blog.siphos.be/2015/11/new-cvechecker-release/<p>A short while ago I got the notification that pulling new CVE information was no longer possible. The reason was that the NVD site did not support uncompressed downloads anymore. 
The fix for cvechecker was simple, and it also gave me a reason to push out a new release (after two years) which also includes various updates by Christopher Warner.</p> <p>So <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker 3.6</a> is now available for general consumption.</p> <p><em>Sven Vermeulen, Sat, 07 Nov 2015 11:07:00 +0100 (Free-Software; tags: cvechecker)</em></p> <p><strong><a href="https://blog.siphos.be/2015/09/switching-focus-at-work/">Switching focus at work</a></strong></p> <p>Since 2010, I was responsible at work for the infrastructure architecture of a couple of technological domains, namely databases and scheduling/workload automation. It brought me in contact with many vendors, many technologies and, most importantly, many teams within the organization. The focus domain was challenging, as I had to deal with the strategy on how the organization, a financial institution, will deal with databases and scheduling in the long term.</p> <p><em>Sven Vermeulen, Sun, 20 Sep 2015 13:29:00 +0200 (Architecture; tags: work, hadoop, docker)</em></p> <p><strong><a href="https://blog.siphos.be/2015/09/getting-su-to-work-in-init-scripts/">Getting su to work in init scripts</a></strong></p> <p>While developing an init script which has to switch user, I got a couple of errors from SELinux and the system itself:</p> <div class="highlight"><pre><code>~# rc-service hadoop-namenode format
Authenticating root.
 * Formatting HDFS ...
su: Authentication service cannot retrieve authentication info
(Ignored)</code></pre></div> <p><em>Sven Vermeulen, Mon, 14 Sep 2015 16:37:00 +0200 (SELinux; tags: selinux, init, rc)</em></p> <p><strong><a href="https://blog.siphos.be/2015/09/custom-cil-selinux-policies-in-gentoo/">Custom CIL SELinux policies in Gentoo</a></strong></p> <p>In Gentoo, we have been supporting <a href="https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file">custom policy packages</a> for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages by default (although <a href="https://wiki.gentoo.org/wiki/Binary_package_guide">binary packages</a> are supported as well).</p> <p>A recent <a href="https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f2aa45db35bbf3a74f8db09ece9edac60e79ee4">commit</a> now also allows CIL files to be used.</p> <p><em>Sven Vermeulen, Thu, 10 Sep 2015 07:13:00 +0200 (Gentoo; tags: gentoo, cil, selinux, ebuild, eclass)</em></p> <p><strong><a href="https://blog.siphos.be/2015/09/using-multiple-openssh-daemons/">Using multiple OpenSSH daemons</a></strong></p> <p>I administer a couple of systems which provide interactive access to end users, and for this interactive access I use <a href="http://www.openssh.com/">OpenSSH</a>. However, I also use it for administrative access to the system, and I tend to have stricter security requirements for OpenSSH than most users do.</p> <p>For instance, on one system, end users with a userid + password use the sFTP server for publishing static websites. Other access is prohibited, so I really like this OpenSSH configuration to use chrooted users and internal sftp support, whereas a different OpenSSH instance is used for administrative access (which is only accessible by myself and some trusted parties).</p> <p><em>Sven Vermeulen, Sun, 06 Sep 2015 16:37:00 +0200 (Free-Software; tags: openssh, ssh, u2f, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/09/maintaining-packages-and-backporting/">Maintaining packages and backporting</a></strong></p> <p>A few days ago I committed a small update to <code>policycoreutils</code>, a SELinux-related package that provides most of the management utilities for SELinux systems. 
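</p> <p>Two <code>sshd_config</code> files for the setup described under "Using multiple OpenSSH daemons" above, as an added example that is not from the original post: one instance for chrooted, sftp-only publishing users and a separate, stricter instance for administrative access. The ports, group name, chroot path, user name and address are assumptions. Each instance is started with its own configuration (e.g. <code>sshd -f /etc/ssh/sshd_config.admin</code>, or a second init script) and needs its own <code>PidFile</code> so the two do not clash.</p>

```sshd_config
# /etc/ssh/sshd_config.sftp  (added example; public-facing publishing instance)
Port 22
PidFile /run/sshd-sftp.pid
HostKey /etc/ssh/ssh_host_ed25519_key
Subsystem sftp internal-sftp
# Publishing users authenticate with a password and get nothing but sftp.
PasswordAuthentication yes
PubkeyAuthentication no
PermitRootLogin no
AllowGroups sftpusers
Match Group sftpusers
    ChrootDirectory /srv/www/%u
    ForceCommand internal-sftp -u 022
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# /etc/ssh/sshd_config.admin  (added example; administrative instance)
Port 2222
ListenAddress 192.0.2.10
PidFile /run/sshd-admin.pid
HostKey /etc/ssh/ssh_host_ed25519_key
# Keys only, no passwords, and only the named administrators.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers sven
LoginGraceTime 20
MaxAuthTries 3
```

<p>The chroot target (<code>/srv/www/%u</code>) must be owned by root and not writable by anyone else, or sshd refuses the chroot; the publishing user writes into a subdirectory below it. Because the two instances load different configuration files, a relaxed setting needed by the publishing users never leaks into the administrative instance, which is the point of running two daemons instead of one with many <code>Match</code> blocks.</p> <p>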
The fix was to get two patches (which are committed upstream) into the existing release, so that our users can benefit from the fixes without having to wait for a new release.</p> <p><em>Sven Vermeulen, Wed, 02 Sep 2015 20:33:00 +0200 (Gentoo; tags: gentoo, ebuild, patching)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/doing-away-with-interfaces/">Doing away with interfaces</a></strong></p> <p>CIL is SELinux' Common Intermediate Language, which brings a whole new set of possibilities to policy development. I hardly know CIL but am (slowly) learning. Of course, the best way to learn is to try and do lots of things with it, but real-life work and time-to-market for now force me to stick with the M4-based refpolicy one.</p> <p>Still, I do try out some things here and there, and one of the things I wanted to look into was how CIL policies would deal with interfaces.</p> <p><em>Sven Vermeulen, Sat, 29 Aug 2015 11:30:00 +0200 (SELinux; tags: selinux, cil)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/slowly-converting-from-guidexml-to-html/">Slowly converting from GuideXML to HTML</a></strong></p> <p>Gentoo has removed its support for the older GuideXML format in favor of the <a href="https://wiki.gentoo.org">Gentoo Wiki</a> and a new content management system for the main site (or is it static pages? I don't have the faintest idea, to be honest). I still have a few GuideXML pages in my development space, which I am going to move to HTML pretty soon.</p> <p>In order to do so, I make use of the <a href="https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/xsl/guidexml2wiki.xsl?view=log">guidexml2wiki</a> stylesheet I <a href="http://blog.siphos.be/2013/02/transforming-guidexml-to-wiki/">developed</a>. 
But instead of migrating it to wiki syntax, I want to end up with HTML.</p> <p><em>Sven Vermeulen, Tue, 25 Aug 2015 11:30:00 +0200 (Gentoo; tags: gentoo, guidexml, xml, xslt, rst, mediawiki, html)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/making-the-case-for-multi-instance-support/">Making the case for multi-instance support</a></strong></p> <p>With the high attention that technologies such as <a href="https://www.docker.com/">Docker</a>, <a href="https://coreos.com/blog/rocket/">Rocket</a> and the like get (I recommend looking at <a href="https://github.com/p8952/bocker">Bocker</a> by Peter Wilmott as well ;-), I still find it important that technologies are fully capable of supporting a multi-instance environment.</p> <p>Being able to run multiple instances makes for great consolidation. The system can be optimized for the technology, and access to the system limited to the admins of that technology, while still providing isolation between instances. For some technologies, running on commodity hardware just doesn't cut it (not all software is written for such hardware platforms), and consolidation allows for reducing (hardware/licensing) costs.</p> <p><em>Sven Vermeulen, Sat, 22 Aug 2015 12:45:00 +0200 (Architecture)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/switching-openssh-to-ed25519-keys/">Switching OpenSSH to ed25519 keys</a></strong></p> <p>With Mike's <a href="http://comments.gmane.org/gmane.linux.gentoo.devel/96896">news item</a> on OpenSSH's deprecation of the <a href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA algorithm</a> for public key authentication, I started switching the few keys I still had using DSA to the suggested <a href="http://ed25519.cr.yp.to/">Ed25519</a> algorithm. 
Of course, I wouldn't be a security-interested party if I did not do some additional investigation into the DSA versus Ed25519 discussion.</p> <p><em>Sven Vermeulen, Wed, 19 Aug 2015 18:26:00 +0200 (Free-Software; tags: openssh, ssh, gentoo)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/updates-on-my-pelican-adventure/">Updates on my Pelican adventure</a></strong></p> <p>It's been a few weeks since I <a href="http://blog.siphos.be/2015/08/switching-to-pelican/">switched</a> my blog to <a href="http://blog.getpelican.com/">Pelican</a>, a static site generator built with Python. A number of adjustments have been made since, which I'll happily talk about.</p> <p><em>Sven Vermeulen, Sun, 16 Aug 2015 19:50:00 +0200 (Free-Software; tags: blog, pelican, wordpress)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/finding-a-good-compression-utility/">Finding a good compression utility</a></strong></p> <p>I recently came across a <a href="http://catchchallenger.first-world.info//wiki/Quick_Benchmark:_Gzip_vs_Bzip2_vs_LZMA_vs_XZ_vs_LZ4_vs_LZO">wiki page</a> written by <a href="http://catchchallenger.first-world.info/wiki/User:Alpha_one_x86">Herman Brule</a> which gives a quick benchmark of a couple of compression methods / algorithms. It gave me the idea of writing a quick script that tests a wide number of compression utilities available in Gentoo (usually through the <code>app-arch</code> category), with a number of options as well (in case multiple options are possible).</p> <p><em>Sven Vermeulen, Thu, 13 Aug 2015 19:15:00 +0200 (Gentoo; tags: gentoo, compression)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/why-we-do-confine-firefox/">Why we do confine Firefox</a></strong></p> <p>If you follow the SELinux development community a bit, you will know <a href="http://danwalsh.livejournal.com">Dan Walsh</a>, a <a href="http://people.redhat.com/dwalsh/">Red Hat</a> security engineer. 
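</p> <p>A check that goes with "Switching OpenSSH to ed25519 keys" above, as an added example that is not from the original post: before and after replacing keys, audit the <code>authorized_keys</code> files for entries that still carry the deprecated <code>ssh-dss</code> type, including lines that start with an options field such as <code>command="..."</code>, and generate the Ed25519 replacement with <code>ssh-keygen</code>. The sample <code>authorized_keys</code> content and the key material in it are constructed; the file paths are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original post: audit an authorized_keys file for
# keys that still use the deprecated DSA type (ssh-dss) and show the Ed25519
# replacement step. The sample authorized_keys content below is constructed.

# Print "<type> <count>" for every key type in the file, ignoring comments,
# blank lines and any leading options field (e.g. command="...",no-pty).
key_type_counts() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                    count[$i]++; break
                }
            }
        }
        END { for (t in count) print t, count[t] }
    ' "$1" | sort
}

# Print the line number and comment of every ssh-dss key. Always exits 0 so
# callers can capture the output under "set -e".
list_dsa_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") { print NR ": " $(i + 2); break } else if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) break
            }
        }
    ' "$1"
}

# Exit 0 when the file holds no DSA keys, 1 otherwise (usable as a gate in a
# deployment script or a nightly cron job).
no_dsa_keys() {
    [ -z "$(list_dsa_keys "$1")" ]
}

# Generate the Ed25519 replacement; ssh-keygen is the real tool, the default
# path and comment are just the conventional ones. -a 100 raises the KDF
# rounds protecting the private key's passphrase.
generate_ed25519() {
    ssh-keygen -t ed25519 -a 100 -f "${1:-$HOME/.ssh/id_ed25519}" -C "${2:-$(whoami)@$(hostname)}"
}

# Constructed sample: one DSA key with an options field, one RSA, one Ed25519.
# The base64 blobs are placeholders, not real keys.
make_sample_authorized_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# legacy key, still DSA
command="/usr/bin/rsync --server",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE backup@oldhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE sven@laptop

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE sven@desktop
EOF
    echo "$f"
}
```

<p>Run <code>list_dsa_keys ~/.ssh/authorized_keys</code> on each host you log in to, replace the reported keys with the public half of <code>generate_ed25519</code>, and only then remove the DSA private keys client-side; <code>no_dsa_keys</code> makes the same check scriptable.</p> <p>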
Today he <a href="http://danwalsh.livejournal.com/72697.html">blogged</a> about <em>CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox</em>. He should have asked why the <em>reference policy</em> or the <em>Red Hat/Fedora policy</em> does not confine Firefox, because SELinux is, as I've <a href="http://blog.siphos.be/2015/08/dont-confuse-selinux-with-its-policy/">mentioned before</a>, not the same as its policy.</p> <p>In effect, Gentoo's SELinux policy <em>does</em> confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to <a href="https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy#Develop_desktop_policies">develop desktop policies</a> in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to run a mandatory access control system on.</p> <p><em>Sven Vermeulen, Tue, 11 Aug 2015 19:18:00 +0200 (SELinux; tags: gentoo, selinux, policy, firefox, cve, vulnerability, xdg)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/can-selinux-substitute-dac/">Can SELinux substitute DAC?</a></strong></p> <p>A nice <a href="https://twitter.com/sjvermeu/status/630107879123623936">twitter discussion</a> with <a href="https://twitter.com/erlheldata">Erling Hellenäs</a> caught my full attention later when I was heading home: can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not, and what would be needed?</p> <p>SELinux is implemented through the <a href="https://en.wikipedia.org/wiki/Linux_Security_Modules">Linux Security Modules framework</a>, which allows different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through <em>additional</em> access checks. 
This criterion, that an LSM hook can only add restrictions on top of the existing DAC checks and never grant access the DAC checks denied, was chosen to keep LSM as minimally invasive as possible.</p> <p><em>Sven Vermeulen, Sun, 09 Aug 2015 14:48:00 +0200 (SELinux; tags: selinux, refpolicy, linux, dac, lsm)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/filtering-network-access-per-application/">Filtering network access per application</a></strong></p> <p>Iptables (and its successor nftables) is a powerful packet filtering system in the Linux kernel, able to provide advanced firewall capabilities. One of the features that it <em>cannot</em> provide is per-application filtering. Together with SELinux however, it is possible to implement this on a <em>per domain</em> basis.</p> <p>SELinux does not know applications, but it knows domains. If we ensure that each application runs in its own domain, then we can combine the firewall capabilities with SELinux to only allow those domains the access that they need.</p> <p><em>Sven Vermeulen, Fri, 07 Aug 2015 03:49:00 +0200 (SELinux; tags: selinux, network, iptables)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/my-application-base-obnam/">My application base: Obnam</a></strong></p> <p>It is often said, yet too often forgotten: take backups (and verify that they work). Taking backups is not purely for companies and organizations. Individuals should also take backups to ensure that, in case of errors or calamities, the all-important files are readily recoverable.</p> <p>For backing up files and directories, I personally use <a href="http://obnam.org/">obnam</a>, after playing around with <a href="http://www.bacula.org/">Bacula</a> and <a href="https://attic-backup.org/">attic</a>. Bacula is more meant for large distributed environments (although I also tend to use obnam for my server infrastructure) and was too complex for my taste. 
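</p> <p>How the per-domain filtering from "Filtering network access per application" works in practice, as an added example that is not from the original post: iptables' SECMARK target labels packets with a SELinux context, CONNSECMARK copies that label to and from the connection tracking entry so replies get it too, and the policy then decides which domains may <code>send</code> and <code>recv</code> packets carrying that label. The domain <code>myapp_t</code>, the packet type <code>myapp_client_packet_t</code>, the destination address and the Makefile path are assumptions; the policy is written in refpolicy style, with the iptables rules and build commands as comments.</p>

```m4
# --- myapp_secmark.te (added example, refpolicy style) ---
policy_module(myapp_secmark, 1.0)

gen_require(`
    type myapp_t;
')

# A packet type that only the application's domain may use.
type myapp_client_packet_t;
corenet_packet(myapp_client_packet_t)

# myapp_t may send and receive packets carrying this label. No other domain
# gets such a rule, so the labelled flow is only usable from this domain.
allow myapp_t myapp_client_packet_t:packet { send recv };

# --- iptables rules (run as root; assumed backend 203.0.113.5:443) ---
# Label the outbound HTTPS connection to the backend with the packet type:
#   iptables -t mangle -A OUTPUT -p tcp --dport 443 -d 203.0.113.5 \
#       -j SECMARK --selctx system_u:object_r:myapp_client_packet_t:s0
# Carry the label across the connection so replies are labelled as well:
#   iptables -t mangle -A OUTPUT -j CONNSECMARK --save
#   iptables -t mangle -A INPUT  -j CONNSECMARK --restore
#
# Build, load and verify (Makefile path is the Gentoo strict one, assumed):
#   make -f /usr/share/selinux/strict/include/Makefile myapp_secmark.pp
#   semodule -i myapp_secmark.pp
#   ausearch -m AVC -ts recent | grep packet
```

<p>Once any SECMARK rule is loaded, the kernel starts enforcing the <code>packet</code> class for every packet, not just the labelled ones: traffic that matches no rule keeps the default <code>unlabeled_t</code> label, and a domain that is not allowed to send or receive <code>unlabeled_t</code> packets loses network access. Check <code>ausearch -m AVC</code> for unexpected <code>packet</code> denials on other domains before relying on the filter, and add the missing <code>send</code>/<code>recv</code> rules rather than removing the SECMARK rule.</p> <p>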
The choice between obnam and attic is even more personally oriented.</p> <p><em>Sven Vermeulen, Wed, 05 Aug 2015 22:35:00 +0200 (Free-Software; tags: mab, backup, obnam)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/dont-confuse-selinux-with-its-policy/">Don't confuse SELinux with its policy</a></strong></p> <p>With the increased attention that SELinux is getting thanks to its inclusion in recent <a href="https://source.android.com/devices/tech/security/selinux/">Android</a> releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators still disable SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.</p> <p><em>Sven Vermeulen, Mon, 03 Aug 2015 01:49:00 +0200 (SELinux; tags: selinux, policy, cil)</em></p> <p><strong><a href="https://blog.siphos.be/2015/08/switching-to-pelican/">Switching to Pelican</a></strong></p> <p>Nothing beats a few hours of flying to get things moving. Being offline for a few hours with a good workstation helps to not be disturbed by external actions (air pockets notwithstanding).</p> <p>Early this year, I expressed my <a href="http://blog.siphos.be/2015/03/trying-out-pelican-part-one/">intention to move to Pelican</a> from WordPress. I wasn't actually unhappy with WordPress, but the security concerns I had were a bit too much for a blog as simple as mine. 
Running a PHP-enabled site with a database for something that I can easily handle through a static site, well, I had to try.</p> <p><em>Sven Vermeulen, Sun, 02 Aug 2015 04:09:00 +0200 (Free-Software; tags: blog, pelican, wordpress)</em></p> <p><strong><a href="https://blog.siphos.be/2015/07/loading-cil-modules-directly/">Loading CIL modules directly</a></strong></p> <p>In a <a href="http://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/">previous post</a> I used the <code>secilc</code> binary to load an additional test policy. Little did I know (and that's actually embarrassing, because it was one of the things I complained about) that you can just use the CIL policy as modules directly.</p> <p>With this I mean that a …</p> <p><em>Sven Vermeulen, Wed, 15 Jul 2015 15:54:00 +0200 (SELinux; tags: cil, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/07/restricting-even-root-access-to-a-folder/">Restricting even root access to a folder</a></strong></p> <p>In a <a href="http://blog.siphos.be/2014/01/private-key-handling-and-selinux-protection/comment-page-1/#comment-143323">comment</a>, Robert asked how to use SELinux to prevent even root access to a directory. The trivial solution would be not to assign an administrative role to the root account (which is definitely possible, but you want some way to gain administrative access otherwise ;-)</p> <p>Restricting root is one of the commonly cited features of a MAC (Mandatory Access Control) system. With a well-designed user management and sudo environment, it is fairly trivial, but if you need to start from the premise that a user has direct root access, it requires some thought to implement it correctly. 
The main "issue" is not that it is difficult to implement policy-wise, but that most users will start from a pre-existing policy (such as the reference policy) and build on top of that.</p> <p><em>Sven Vermeulen, Sat, 11 Jul 2015 14:09:00 +0200 (SELinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/07/intermediate-policies/">Intermediate policies</a></strong></p> <p>When developing SELinux policies for new software (or existing software whose policies I don't agree with), it is often more difficult to finish the policies so that they are broadly usable. When dealing with personal policies, having them "just work" is often sufficient. To make the policies reusable for distributions (or for the upstream project), a number of things are necessary:</p> <ul> <li>Structure the policy using the style suggested by refpolicy or Gentoo</li> <li>Add the role interfaces that are most likely to be used or required, or which are implemented differently in the current draft</li> <li>Refactor some of the policies to use refpolicy/Gentoo-style interfaces</li> <li>Remove the comments from the policies (as refpolicy does not want too verbose policies)</li> <li>Change or update the file context definitions for default installations (rather than the custom installations I use)</li> </ul> <p><em>Sven Vermeulen, Sun, 05 Jul 2015 18:17:00 +0200 (SELinux; tags: community, contributions, policy-development, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/">Where does CIL play in the SELinux system?</a></strong></p> <p>SELinux policy developers already have a number of file formats to work with. Currently, policy code is written in a set of three files:</p> <ul> <li>The <code>.te</code> file contains the SELinux policy code (type enforcement rules)</li> <li>The <code>.if</code> file contains functions which turn a set of arguments into blocks of SELinux policy code (interfaces). 
These functions are called by other interface files or type enforcement files</li> <li>The <code>.fc</code> file contains mappings of file path expressions to labels (file contexts)</li> </ul> <p>These files are compiled into loadable modules (or a base module), which are then transformed into an active policy. But this is not a single-step approach.</p> <p><em>Sven Vermeulen, Sat, 13 Jun 2015 23:12:00 +0200 (SELinux; tags: cil, selinux, userspace)</em></p> <p><strong><a href="https://blog.siphos.be/2015/06/live-selinux-userspace-ebuilds/">Live SELinux userspace ebuilds</a></strong></p> <p>In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the <a href="https://github.com/SELinuxProject/selinux">SELinux userspace</a>, so that developers and contributors can already work with in-progress code developments and see how they behave on a Gentoo platform.</p> <p><em>Sven Vermeulen, Wed, 10 Jun 2015 20:07:00 +0200 (Gentoo; tags: cil, Gentoo, selinux, userspace)</em></p> <p><strong><a href="https://blog.siphos.be/2015/05/postgresql-with-central-authentication-and-authorization/">PostgreSQL with central authentication and authorization</a></strong></p> <p>I have been running a PostgreSQL cluster for a while as the primary backend for many services. The database system is very robust, well supported by the community and very powerful. 
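</p> <p>A small CIL module, as an added example that is not from any of the posts above; it ties together "Custom CIL SELinux policies in Gentoo", "Doing away with interfaces", "Loading CIL modules directly" and "Where does CIL play in the SELinux system?": in CIL the <code>.te</code>, <code>.if</code> and <code>.fc</code> content lives in one file, an interface becomes a <code>macro</code>, and the file is loaded as-is with <code>semodule -i</code>, with no <code>.pp</code> build step. The type and path names are assumptions; <code>domain</code>, <code>file_type</code>, <code>object_r</code> and <code>system_u</code> are taken from the loaded base policy.</p>

```cil
;; mysvc.cil (added example): everything a .te/.if/.fc trio holds, in one file
;; load:   semodule -i mysvc.cil
;; remove: semodule -r mysvc

;; --- .te part: types and attribute membership ---
(type mysvc_t)
(type mysvc_conf_t)
(roletype object_r mysvc_conf_t)
;; join attributes declared by the base policy instead of redeclaring them
(typeattributeset domain (mysvc_t))
(typeattributeset file_type (mysvc_conf_t))

;; --- .if part: a macro takes the place of an M4 interface ---
(macro mysvc_read_conf ((type caller))
    (allow caller mysvc_conf_t (dir (search getattr open read)))
    (allow caller mysvc_conf_t (file (getattr open read))))

;; the daemon domain gets read access through the same macro that another
;; module would use as (call mysvc_read_conf (other_domain_t))
(call mysvc_read_conf (mysvc_t))

;; --- .fc part: file contexts live in the same file ---
;; the ((s0) (s0)) range is for MLS/MCS policies; drop it on a plain policy
(context mysvc_conf_ctx (system_u object_r mysvc_conf_t ((s0) (s0))))
(filecon "/etc/mysvc(/.*)?" any mysvc_conf_ctx)

;; afterwards:
;;   restorecon -Rv /etc/mysvc
;;   sesearch -A -s mysvc_t -t mysvc_conf_t -c file
```

<p>Compared with the M4 flow, the only build step left is the one <code>semodule</code> performs itself when it recompiles the policy store; the module is stored under its CIL name and shows up in <code>semodule -l</code> like any other.</p> <p>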
In this post, I'm going to show how I use central authentication and authorization with PostgreSQL.</p> <p><em>Sven Vermeulen, Mon, 25 May 2015 12:07:00 +0200 (Free-Software; tags: postgresql)</em></p> <p><strong><a href="https://blog.siphos.be/2015/05/testing-with-permissive-domains/">Testing with permissive domains</a></strong></p> <p>When testing out new technologies or new setups, not having (proper) SELinux policies can be a nuisance. Not only is the number of SELinux policies available through the standard repositories limited, some of these policies are not even written with the level of confinement that an administrator might expect. Or perhaps the technology to be tested is used in a completely different manner.</p> <p>Without proper policies, any attempt to start such a daemon or application might (or will) cause permission violations. In many cases, developers or users then tend to disable SELinux enforcing so that they can continue playing with the new technology. And why not? 
After all, policy development is to be done <em>after</em> the technology is understood.</p> <p><em>Sven Vermeulen, Mon, 18 May 2015 13:40:00 +0200 (SELinux; tags: permissive, policy, selinux, semanage, test)</em></p> <p><strong><a href="https://blog.siphos.be/2015/05/audit-buffering-and-rate-limiting/">Audit buffering and rate limiting</a></strong></p> <p>Be it because of SELinux experiments, or through general audit experiments, sometimes you'll come across a message similar to the following:</p> <div class="highlight"><pre><code>audit: audit_backlog=321 &gt; audit_backlog_limit=320
audit: audit_lost=44395 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded</code></pre></div> <p>The message shows up when certain audit events could not be …</p> <p><em>Sven Vermeulen, Sun, 10 May 2015 14:18:00 +0200 (Free-Software; tags: audit, kernel, security, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/04/use-change-management-when-you-are-using-selinux-to-its-fullest/">Use change management when you are using SELinux to its fullest</a></strong></p> <p>If you are using SELinux on production systems (by which I mean systems that you offer services with towards customers or other parties beyond you, yourself and your ego), please consider proper change management if you don't do so already. SELinux is a very sensitive security subsystem - not in the sense …</p> <p><em>Sven Vermeulen, Thu, 30 Apr 2015 20:58:00 +0200 (SELinux; tags: change-management, policy, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/04/moving-closer-to-2-4-stabilization/">Moving closer to 2.4 stabilization</a></strong></p> <p>The <a href="https://github.com/SELinuxProject/selinux/wiki">SELinux userspace</a> project released version 2.4 in February this year, after release candidates had been tested for half a year. 
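</p> <p>What to do with the backlog messages quoted under "Audit buffering and rate limiting", as an added example that is not from the original post: the three kernel lines carry the queue depth that was reached (<code>audit_backlog</code>), the configured ceiling (<code>audit_backlog_limit</code>) and the running count of dropped records (<code>audit_lost</code>). The script below pulls those numbers out of kernel log text, picks a larger limit with headroom, and applies it with <code>auditctl</code>. The log sample is constructed around the lines quoted above; the timestamps and the second burst are made up.</p>

```shell
#!/bin/sh
# Added example, not from the original post: pull the numbers out of the
# kernel's audit backlog messages and turn them into the auditctl settings
# that stop the loss. The log sample below is constructed around the lines
# quoted in the post.

# Print "backlog=<max seen> limit=<backlog limit> lost=<max audit_lost>"
# from kernel log text on stdin (e.g. dmesg | audit_backlog_status).
audit_backlog_status() {
    awk '
        /audit: / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "audit_backlog" && kv[2] + 0 > backlog) backlog = kv[2] + 0
                if (kv[1] == "audit_backlog_limit") limit = kv[2] + 0
                if (kv[1] == "audit_lost" && kv[2] + 0 > lost) lost = kv[2] + 0
            }
        }
        END { printf "backlog=%d limit=%d lost=%d\n", backlog, limit, lost }
    '
}

# Pick a new backlog limit: keep doubling the current one until it holds
# twice the backlog that was actually observed (headroom for bursts).
suggest_backlog_limit() {
    current=$1; observed=$2
    limit=$current
    while [ "$limit" -lt $((observed * 2)) ]; do
        limit=$((limit * 2))
    done
    echo "$limit"
}

# Apply: a bigger queue, no rate limit, and failure mode 1 (printk, do not
# panic) so a flood degrades to lost events instead of a halted system.
# Persist the same settings as "-b N", "-r 0" and "-f 1" lines in
# /etc/audit/audit.rules, or as audit_backlog_limit=N on the kernel command
# line for events logged before auditd starts.
apply_backlog_limit() {
    auditctl -b "$1" -r 0 -f 1
}

# Constructed sample, containing the lines quoted in the post plus a second
# burst that reached a deeper backlog.
sample_kernel_log() {
    cat <<'EOF'
[  421.003871] audit: audit_backlog=321 > audit_backlog_limit=320
[  421.003880] audit: audit_lost=44395 audit_rate_limit=0 audit_backlog_limit=320
[  421.003882] audit: backlog limit exceeded
[  421.210512] audit: audit_backlog=512 > audit_backlog_limit=320
[  421.210519] audit: audit_lost=44501 audit_rate_limit=0 audit_backlog_limit=320
EOF
}
```

<p>Typical use is <code>dmesg | audit_backlog_status</code> to see how far over the limit the system went, then <code>apply_backlog_limit "$(suggest_backlog_limit 320 512)"</code>; note that <code>audit_lost</code> is cumulative since boot, so a value that keeps rising after the change means the new limit is still too small or the rate limit is being hit.</p> <p>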
After its release, we at the <a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened</a> project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …</p> <p><em>Sven Vermeulen, Mon, 27 Apr 2015 19:18:00 +0200 (Gentoo; tags: 2.4, Gentoo, hardened, selinux, userspace)</em></p> <p><strong><a href="https://blog.siphos.be/2015/03/trying-out-pelican-part-one/">Trying out Pelican, part one</a></strong></p> <p>One of the goals I've set myself this year (not as a new year's resolution though, I *really* want to accomplish this ;-) is to move my blog from Wordpress to a statically built website. And <a href="http://docs.getpelican.com/en/3.5.0/">Pelican</a> looks to be a good solution to do so. It's based on …</p> <p><em>Sven Vermeulen, Fri, 06 Mar 2015 20:02:00 +0100 (Gentoo; tags: blog, Gentoo, haskell, pandoc, pelican, wordpress)</em></p> <p><strong><a href="https://blog.siphos.be/2015/02/cil-and-attributes/">CIL and attributes</a></strong></p> <p>I keep on struggling to remember this, so let's make a blog post out of it ;-)</p> <p>When the SELinux policy is being built, recent userspace (2.4 and higher) will convert the policy into the CIL language and then build the binary policy. When the policy supports type attributes, these are …</p> <p><em>Sven Vermeulen, Sun, 15 Feb 2015 15:49:00 +0100 (SELinux; tags: attribute, cil, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/02/have-dhcpcd-wait-before-backgrounding/">Have dhcpcd wait before backgrounding</a></strong></p> <p>Many of my systems use DHCP for obtaining IP addresses. Even though they all receive a static IP address, it allows me to have them moved over (migrations), use TFTP boot, cloning (in case of quick testing), etc. But one of the things that was making my efforts somewhat more …</p> <p><em>Sven Vermeulen, Sun, 08 Feb 2015 16:50:00 +0100 (Gentoo; tags: dhcp, dhcpcd, Gentoo)</em></p> <p><strong><a href="https://blog.siphos.be/2015/01/old-gentoo-system-not-a-problem/">Old Gentoo system? Not a problem...</a></strong></p> <p>If you have a very old Gentoo system that you want to upgrade, you might have some issues with software that is too old and a Portage which can't just upgrade to a recent state. Although many methods exist to work around it, one that I have found to be very useful is …</p> <p><em>Sven Vermeulen, Wed, 21 Jan 2015 23:05:00 +0100 (Gentoo; tags: Gentoo, portage, snapshot, tree)</em></p> <p><strong><a href="https://blog.siphos.be/2015/01/selinux-is-great-for-enterprises-but-many-dont-know-it-yet/">SELinux is great for enterprises (but many don't know it yet)</a></strong></p> <p>Large companies that handle their own IT often have internal support teams for many of the technologies that they use. Most of the time, this is for reusable components like database technologies, web application servers, operating systems, middleware components (like file transfers, messaging infrastructure, ...) and more. All components that are …</p> <p><em>Sven Vermeulen, Sat, 03 Jan 2015 13:36:00 +0100 (SELinux; tags: companies, configuration, engineering, enterprise, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2015/01/gentoo-wiki-is-growing/">Gentoo Wiki is growing</a></strong></p> <p>Perhaps it is because of the winter holidays, but the last few weeks I've noticed a lot of updates and edits on the Gentoo wiki.</p> <p>The move to the <a href="https://wiki.gentoo.org/wiki/Project:Website/Tyrian">Tyrian</a> layout, whose purpose is to eventually become the unified layout for all Gentoo resources, happened first. 
Then, three common templates (<code>Code …</code></p> <p><em>Sven Vermeulen, Sat, 03 Jan 2015 10:09:00 +0100 (Documentation; tags: documentation, Gentoo, wiki)</em></p> <p><strong><a href="https://blog.siphos.be/2014/12/why-does-it-access-etcshadow/">Why does it access /etc/shadow?</a></strong></p> <p>While updating the SELinux policy for the Courier IMAP daemon, I noticed that it (well, the authdaemon that is part of Courier) wanted to access <code>/etc/shadow</code>, which is of course a big no-no. It doesn't take long to figure out that this is through the PAM support (more specifically, <code>pam_unix …</code></p> <p><em>Sven Vermeulen, Tue, 30 Dec 2014 22:48:00 +0100 (SELinux; tags: chkpwd, pam, selinux, shadow, unix_chkpwd)</em></p> <p><strong><a href="https://blog.siphos.be/2014/12/added-uefi-instructions-to-amd64x86-handbooks/">Added UEFI instructions to AMD64/x86 handbooks</a></strong></p> <p>I just finished adding some UEFI instructions to the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">Gentoo handbooks</a> for AMD64 and x86 (I don't know how many systems still use x86 instead of AMD64, and whether those support UEFI, but the instructions are shared and they don't collide). 
The entire EFI stuff can …</p> <p><em>Sven Vermeulen, Tue, 23 Dec 2014 18:08:00 +0100 (Documentation; tags: efi, Gentoo, handbook, uefi)</em></p> <p><strong><a href="https://blog.siphos.be/2014/12/handbooks-moved/">Handbooks moved</a></strong></p> <p>Yesterday the move of the Gentoo handbooks (whose most important part is the installation instructions for the various supported architectures) to the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">Gentoo Wiki</a> was concluded, with a last-minute addition being the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page#Viewing_the_handbook">one-page views</a>, so that users who want to can view the installation instructions completely within one view …</p> <p><em>Sven Vermeulen, Sun, 14 Dec 2014 14:42:00 +0100 (Documentation; tags: Gentoo, handbook, wiki)</em></p> <p><strong><a href="https://blog.siphos.be/2014/12/gentoo-handbooks-almost-moved-to-wiki/">Gentoo Handbooks almost moved to wiki</a></strong></p> <p>Content-wise, the move is done. I've done a few checks on the content to see if the structure still holds, translations are enabled on all pages, the use of partitions is sufficiently consistent for each architecture, and so on. The result can be seen on <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">the Gentoo handbook main page …</a></p> <p><em>Sven Vermeulen, Fri, 12 Dec 2014 17:35:00 +0100 (Gentoo; tags: Gentoo, handbook, wiki)</em></p> <p><strong><a href="https://blog.siphos.be/2014/12/sometimes-i-forget-how-important-communication-is/">Sometimes I forget how important communication is</a></strong></p> <p>Free software (and documentation) developers don't always have all the time they want. Instead, they grab whatever time they have to do what they believe is the most productive - be it documentation editing, programming, updating ebuilds, SELinux policy improvements and what not. 
But they often don't take the time to …</p> <p><em>Sven Vermeulen, Wed, 10 Dec 2014 20:38:00 +0100 (Gentoo; tags: communication, developer, Gentoo, selinux, time)</em></p> <p><strong><a href="https://blog.siphos.be/2014/11/no-more-depends-for-selinux-policy-package-dependencies/">No more DEPENDs for SELinux policy package dependencies</a></strong></p> <p>I just finished updating 102 packages. The change? Removing the following from the ebuilds:</p> <div class="highlight"><pre><code>DEPEND=&quot;selinux? ( sec-policy/selinux-${packagename} )&quot;</code></pre></div> <p>In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …</p> <p><em>Sven Vermeulen, Sun, 02 Nov 2014 14:51:00 +0100 (Gentoo; tags: DEPEND, ebuild, Gentoo, RDEPEND, selinux)</em></p> <p><strong><a href="https://blog.siphos.be/2014/10/using-multiple-priorities-with-modules/">Using multiple priorities with modules</a></strong></p> <p>One of the new features of the 2.4 SELinux userspace is support for module priorities. The idea is that distributions and administrators can override a (pre)loaded SELinux policy module with another module without removing the previous module. This lower-priority module will remain in the store, but will not …</p> <p><em>Sven Vermeulen, Fri, 31 Oct 2014 18:24:00 +0100 (SELinux; tags: priorities, priority, selinux, semodule)</em></p> <p><strong><a href="https://blog.siphos.be/2014/10/migrating-to-selinux-userspace-2-4-small-warning-for-users/">Migrating to SELinux userspace 2.4 (small warning for users)</a></strong></p> <p>In a few moments, SELinux users who have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). 
This upgrade comes with a manual step that needs to be performed …</p> <p><em>Sven Vermeulen, Thu, 30 Oct 2014 19:44:00 +0100 (Gentoo; tags: cil, Gentoo, migrate, selinux, semanage, upgrade, userspace)</em></p> <p><strong><a href="https://blog.siphos.be/2014/10/lots-of-new-challenges-ahead/">Lots of new challenges ahead</a></strong></p> <p>I've been pretty busy lately, albeit behind the scenes, which leads to lower activity within the free software communities that I'm active in. Still, I'm not planning any exit, on the contrary. Lots of ideas are just waiting for some free time to engage. So what are the challenges …</p> <p><em>Sven Vermeulen, Sun, 19 Oct 2014 16:01:00 +0200 (Misc)</em></p> <p><strong><a href="https://blog.siphos.be/2014/09/after-selinux-system-administration-now-the-selinux-cookbook/">After SELinux System Administration, now the SELinux Cookbook</a></strong></p> <p>Almost an entire year ago (just a few days apart) I <a href="http://blog.siphos.be/2013/09/it-has-finally-arrived-selinux-system-administration/">announced</a> my first published book, called <a href="https://www.packtpub.com/networking-and-servers/selinux-system-administration">SELinux System Administration</a>. The book covers SELinux administration commands and focuses on Linux administrators who need to interact with SELinux-enabled systems.</p> <p>An important part of SELinux was only covered very briefly in the …</p> <p><em>Sven Vermeulen, Wed, 24 Sep 2014 20:10:00 +0200 (SELinux)</em></p> <p><strong><a href="https://blog.siphos.be/2014/08/showing-return-code-in-ps1/">Showing return code in PS1</a></strong></p> <p>If you do daily management on Unix/Linux systems, then checking the return code of a command is something you'll do often. 
If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing …</p> <p><em>Sven Vermeulen, Sun, 31 Aug 2014 01:14:00 +0200 (Gentoo; tags: bash, ps1, rc, shell)</em></p>
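<p>One way to get the return code into the prompt, as an added example that is not from the original post: capture <code>$?</code> first thing in a <code>PROMPT_COMMAND</code> function, before anything else in the prompt can overwrite it, and show it only when it is non-zero, with signal deaths (codes above 128) decoded. The prompt layout, colours and the <code>set_prompt</code>/<code>rc_prompt_prefix</code> names are assumptions; the functions are written for bash.</p>

```shell
#!/bin/sh
# Added example, not from the original post: put the previous command's
# return code in the prompt so a silent failure (for instance output
# swallowed by an SELinux denial) is still visible. Written for bash.

# Build the prompt prefix for a return code: empty for success, the code
# in red brackets otherwise. The colour escapes are wrapped in \[ \] so
# bash does not count them when computing the prompt width.
rc_prompt_prefix() {
    rc=$1
    red=$(printf '\033[1;31m')
    reset=$(printf '\033[0m')
    if [ "$rc" -eq 0 ]; then
        printf ''
    elif [ "$rc" -gt 128 ]; then
        # 128+N means the command was killed by signal N
        printf '\\[%s\\][rc=%d, signal %d]\\[%s\\] ' "$red" "$rc" $((rc - 128)) "$reset"
    else
        printf '\\[%s\\][rc=%d]\\[%s\\] ' "$red" "$rc" "$reset"
    fi
}

# Installed via PROMPT_COMMAND; captures $? before running anything else.
# An explicit code may be passed instead (used for testing the prompt).
# The rest of the prompt is the conventional user@host:cwd form.
set_prompt() {
    last_rc=${1:-$?}
    PS1="$(rc_prompt_prefix "$last_rc")"'\u@\h:\w\$ '
}

# Return the prompt that a given exit code would produce, without touching
# the live PS1 (handy for checking the format).
prompt_for_rc() {
    printf '%s' "$(rc_prompt_prefix "$1")"'\u@\h:\w\$ '
}

# To enable in an interactive bash session, add to ~/.bashrc:
#   PROMPT_COMMAND=set_prompt
```

<p>Because <code>set_prompt</code> reads <code>$?</code> on its first line, it must be the only thing in <code>PROMPT_COMMAND</code>, or at least the first; anything that runs before it (a directory listing, a git status helper) replaces the exit code you wanted to see.</p>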