<p><strong>Simplicity is a form of art...</strong> (<a href="https://blog.siphos.be/">https://blog.siphos.be/</a>, Thu, 05 Sep 2024 22:00:00 +0200)</p>

<p><strong><a href="https://blog.siphos.be/2024/09/diagrams-are-no-communication-channel/">Diagrams are no communication channel</a></strong></p>

<p>IT architects generally use architecture-specific languages or modeling techniques to document their thoughts and designs. <a href="https://www.opengroup.org/archimate-forum/archimate-overview">ArchiMate</a>, the framework I have the most experience with, is a specialized enterprise architecture modeling language. It is maintained by The Open Group, an organization known for its broad architecture framework titled TOGAF.</p> <p>My stance, however, is that architects should not use the diagrams from their architecture modeling framework to convey their message to every stakeholder out there...</p> <p><strong>An enterprise framework for architects</strong></p> <p>Certainly, using a single modeling language like ArchiMate is important. It gives architects a common language, a common framework, in which they can convey their ideas and designs. When collaborating on the same project, it would be unwise for architects to use different modeling techniques or design frameworks among themselves.</p> <p>By standardizing on a single framework <em>for a particular purpose</em>, a company can optimize its efforts surrounding education and documentation. If several architecture frameworks are used for the same purpose, inefficiencies arise. Supporting tooling can also be selected (such as <a href="https://www.archimatetool.com/">Archi</a>), which has specialized features to support this framework. 
The more architects are fluent in a common framework, the less likely it is that ambiguity or misunderstandings arise about what a given architecture or design intends to convey.</p> <p>Now, I highlighted "<em>for a particular purpose</em>", because the architecture framework isn't the goal, it's a means.</p> <p><strong>Domain-specific language, also in architecture</strong></p> <p>In larger companies, you'll find architects with different specializations and focus areas. A common set is to have architects at different levels or layers of the architecture:</p> <ul> <li>enterprise architects focus on the holistic and strategic level, </li> <li>domain architects manage the architecture for one or more domains (a means of splitting the complexity of a company, often tied to business domains), </li> <li>solution or system architects focus on the architecture for specific projects or solutions, </li> <li>security architects concentrate on the cyber threats and protection measures, </li> <li>network architects look at the network design, flows and flow controls, etc.</li> </ul> <p>Architecture frameworks are often not meant to support all levels. ArchiMate, for instance, is tailored to the enterprise and domain levels in general. It also supports solution or system architecture well when it focuses on applications. Sure, other architecture layers can be expressed as well, but after a while, you'll notice that the expressivity of the framework lacks the details or specifics needed for those layers.</p> <p>It is thus not uncommon that, at a certain point, architects drop one framework and start using another. Network architecture and design is expressed differently than the ICT domain architecture. Both need to 'plug into each other', because network architects need to understand the larger picture they operate in, and domain architects should be able to read a network architecture design and relate it back to the domain architecture.</p> <p>Such transitions are not unique to IT. 
Consider city planning and housing units, where architects design new community areas and housing. These designs need to be well understood by the specialized architects and engineers responsible for utilities, transportation, interior, landscaping, and more. Each of them uses a different way of designing, but makes sure the result is understandable by (and often even standardized for) the others.</p> <p><strong>Your schematic is not your presentation</strong></p> <p>I've seen architects who are very satisfied with their architectural design: they want nothing more than to share this with their (non-architect) stakeholders in all its glory. And while I do agree that lead engineers, for instance, should be able to understand architecture drawings, the schematics themselves shouldn't be the presentation material.</p> <p>And definitely not towards higher management.</p> <p>When you want to bring a design to a broader community, or to stakeholders with different backgrounds or roles, it is important to tell your story in an easy-to-understand way. Just like building architects create physical mock-ups at scale to give a better view of a building, IT architects should create representative material to expedite presentations and discussions.</p> <p>Certainly, you will lose a lot of insight compared to the architectural drawings, but you'll get much better acceptance by the community.</p>

<p><em>Sven Vermeulen, Thu, 05 Sep 2024 22:00:00 +0200. Categories: Architecture, architecture.</em></p>

<p><strong><a href="https://blog.siphos.be/2022/09/sustainability-in-IT/">Sustainability in IT</a></strong></p>

<p>For one of the projects I'm currently involved in, we want to have a better view on sustainability within IT and see what we (IT) can contribute in light of the sustainability strategy of the company. 
For IT infrastructure, one would think that selecting more power-efficient infrastructure is the way to go, as well as selecting products whose manufacturing process pays special attention to sustainability.</p> <p>There are other areas to consider as well, though. Reusability of IT infrastructure and optimal resource consumption are at least two other areas that deserve plenty of attention. But let's start at the manufacturing process...</p>

<p><em>Sven Vermeulen, Sun, 25 Sep 2022 13:00:00 +0200. Categories: Architecture, sustainability.</em></p>

<p><strong><a href="https://blog.siphos.be/2022/08/getting-lost-in-the-frameworks/">Getting lost in the frameworks</a></strong></p>

<p>The IT world is littered with frameworks, best practices, reference architectures and more. In an ever-lasting attempt to standardize IT, we often get lost in too many standards or specifications. For consultants, this is a gold mine, as they jump in to support companies - for a fee, naturally - in adopting one or more of these frameworks or specifications.</p> <p>While having references and specifications isn't a bad thing, there are always pros and cons.</p>

<p><em>Sven Vermeulen, Fri, 26 Aug 2022 13:00:00 +0200. Categories: Architecture, framework, CMMI, ISO.</em></p>

<p><strong><a href="https://blog.siphos.be/2022/05/containers-are-the-new-iaas/">Containers are the new IaaS</a></strong></p>

<p>At work, as with many other companies, we're actively investing in new platforms, including container platforms and public cloud. 
We use Kubernetes-based container platforms both on-premise and in the cloud, but are also very adamant that the container platforms should only be used for application workloads that are correctly designed for cloud-native deployments: we do not want to see vendors packaging full operating systems in a container and then shouting that they are now container-ready.</p>

<p><em>Sven Vermeulen, Sat, 21 May 2022 13:00:00 +0200. Categories: Architecture, kubernetes, container, iaas, infrastructure, virtual-machine.</em></p>

<p><strong><a href="https://blog.siphos.be/2022/02/defining-what-an-it-asset-is/">Defining what an IT asset is</a></strong></p>

<p>One of the main IT processes that a company should strive to have in place is a decent IT asset management system. It facilitates knowing what assets you own, where they are, who the owner is, and provides a foundation for numerous other IT processes.</p> <p>However, when asking "what is an IT asset", it gets kind of fuzzy...</p>

<p><em>Sven Vermeulen, Sun, 13 Feb 2022 13:00:00 +0100. Categories: Architecture, asset-management, cobit, itil.</em></p>

<p><strong><a href="https://blog.siphos.be/2022/01/an-it-conceptual-data-model/">An IT conceptual data model</a></strong></p>

<p>This time a much shorter post, as I've been asked to share this information recently and found that it, by itself, is already useful enough to publish. It is a conceptual data model for IT services.</p>

<p><em>Sven Vermeulen, Mon, 17 Jan 2022 10:00:00 +0100. Categories: Architecture, cdm, asset-management, configuration-management.</em></p>

<p><strong><a href="https://blog.siphos.be/2022/01/ownership-and-responsibilities-for-infrastructure-services/">Ownership and responsibilities for infrastructure services</a></strong></p>

<p>In a perfect world, using infrastructure or technology services would be seamless, without impact, without risks. It would auto-update, tailor to the user needs, detect when new features are necessary, adapt, etc. 
But while this is undoubtedly what vendors are saying their product delivers, the truth is way, waaaay different.</p> <p>Managing infrastructure services implies that the company or organization needs to organize itself to deal with all aspects of supporting a service. What are these aspects? Well, let's go through those that are top-of-mind for me...</p>

<p><em>Sven Vermeulen, Thu, 13 Jan 2022 09:00:00 +0100. Categories: Architecture, RACI, responsibilities.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/12/the-pleasures-of-having-DTAP/">The pleasures of having DTAP</a></strong></p>

<p>No, not Diphtheria, Tetanus, and Pertussis (vaccine), but <em>Development, Test, Acceptance, and Production (DTAP)</em>: different environments that, together with a well-working release management process, provide a way to get higher quality and reduced risks in production. DTAP is an important cornerstone for a larger infrastructure architecture as it provides environments that are tailored to the needs of many stakeholders.</p>

<p><em>Sven Vermeulen, Thu, 30 Dec 2021 12:00:00 +0100. Categories: Architecture, DTAP, environments, zoning, development, test, acceptance, production.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/11/creating-an-enterprise-open-source-policy/">Creating an enterprise open source policy</a></strong></p>

<p>Nowadays it is impossible to ignore, or even to prevent, open source from being active within the enterprise world. Even if a company only wants to use commercially backed solutions, many - if not most - of these are built with, and are using, open source software.</p> <p>However, open source is more than just a code sourcing possibility. By having a good statement within the company on how it wants to deal with open source, what it wants to support, etc., 
engineers and developers can have a better understanding of what they can do to support their business further.</p> <p>In many cases, companies will draft an <em>open source policy</em>, and in this post I want to share some practices I've learned on how to draft such a policy.</p>

<p><em>Sven Vermeulen, Sat, 20 Nov 2021 15:00:00 +0100. Categories: Architecture, opensource, enterprise, legal, compliance.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/11/hybrid-cloud-can-be-very-complex/">Hybrid cloud can be very complex</a></strong></p>

<p>I am not an advocate for hybrid cloud architectures. Or at least, not for the definition of hybrid cloud that assumes one (cloud or on-premise) environment is just an extension of another (cloud or on-premise) environment. While such architectures seem to be simple and fruitful - you can easily add some capacity in the other environment to handle burst load - they are a complex beast to tame.</p>

<p><em>Sven Vermeulen, Mon, 08 Nov 2021 20:00:00 +0100. Categories: Architecture, hybrid, cloud.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/10/transparent-encryption-is-not-a-silver-bullet/">Transparent encryption is not a silver bullet</a></strong></p>

<p>Transparent encryption is relatively easy to implement, but without understanding what it actually means or why you are implementing it, you will probably assume that it prevents the data from being accessed by unauthorized users. Nothing could be further from the truth. Once a dm-crypt or LUKS volume is unlocked, the kernel hands plaintext to any process that passes the normal file permission checks; what transparent encryption protects against is loss or theft of the storage medium itself, not misuse on the running system.</p>

<p><em>Sven Vermeulen, Tue, 19 Oct 2021 08:20:00 +0200. Categories: Architecture, encryption, transparent, luks, dm-crypt.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/10/evaluating-the-zero-trust-hype/">Evaluating the zero trust hype</a></strong></p>

<p>Security vendors are touting the benefits of "zero trust" as the new way to approach security and security-conscious architecture. 
But while some principles in the zero trust mindset only came up in the last dozen years, most of the content of zero trust discussions is tied to age-old security propositions.</p>

<p><em>Sven Vermeulen, Tue, 05 Oct 2021 00:00:00 +0200. Categories: Architecture, zero-trust, security, enterprise, network-security.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/09/scale-is-a-cloud-threat/">Scale is a cloud threat</a></strong></p>

<p>Not that long ago, a vulnerability was found in <a href="https://docs.microsoft.com/en-us/azure/cosmos-db/">Microsoft Azure Cosmos DB</a>, a NoSQL SaaS database within the Microsoft Azure cloud. The vulnerability, dubbed <a href="https://chaosdb.wiz.io/">ChaosDB</a> by the <a href="https://twitter.com/wiz_io">Wiz Research Team</a>, exploits a vulnerability or misconfiguration in the <a href="https://docs.microsoft.com/en-us/azure/cosmos-db/cosmosdb-jupyter-notebooks">Jupyter Notebook feature</a> within Cosmos DB. It allowed an attacker to gain access to other customers' Cosmos DB credentials. Not long thereafter, a second vulnerability dubbed <a href="https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure">OMIGOD</a> showed that cloud security is not as simple as some vendors would like you to believe.</p> <p>These vulnerabilities are a good example of how scale is a cloud threat: a single flaw in a shared, multi-tenant service exposes every tenant of that service at once. Companies that do not have enough experience with public cloud might not account for this in their threat models.</p>

<p><em>Sven Vermeulen, Tue, 28 Sep 2021 17:00:00 +0200. Categories: Architecture, cloud, vulnerability.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/09/naming-conventions/">Naming conventions</a></strong></p>

<p>Naming conventions. Picking the right naming convention is easy if you are all by yourself, but hard when you need to agree upon the conventions in a larger group. 
Everybody has an opinion on naming conventions, and once you decide on one, you do expect everybody to follow through on it.</p> <p>Let's consider why naming conventions are (not) important and look at a few examples to help you create a good naming convention yourself.</p>

<p><em>Sven Vermeulen, Wed, 15 Sep 2021 19:00:00 +0200. Categories: Architecture, naming.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/09/location-view-of-infrastructure/">Location view of infrastructure</a></strong></p>

<p>In this last post on the infrastructure domain, I cover the fifth and final viewpoint that is important for an infrastructure domain representation, and that is the <em>location view</em>. As mentioned in previous posts, the viewpoints I think are most representative of the infrastructure domain are:</p> <ul> <li><a href="https://blog.siphos.be/2021/09/process-view-of-infrastructure/">process view</a></li> <li><a href="https://blog.siphos.be/2021/06/an-it-services-overview/">service view</a></li> <li><a href="https://blog.siphos.be/2021/08/component-view-of-infrastructure/">component view</a></li> <li><a href="https://blog.siphos.be/2017/06/structuring-infrastructural-deployments/">zoning view</a></li> <li>location view</li> </ul> <p>Like the component view, the location view is a layered approach. While I initially wanted to call it the network view, "location" might be a broader term that matches the content better. Still, it's not a perfect name, but the name is less important than the content, not?</p>

<p><em>Sven Vermeulen, Tue, 07 Sep 2021 18:00:00 +0200. Categories: Architecture, architecture, location, network, virtualization, protocol.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/09/process-view-of-infrastructure/">Process view of infrastructure</a></strong></p>

<p>In my <a href="https://blog.siphos.be/2021/08/component-view-of-infrastructure/">previous post</a>, I started with the five different views that would support a good view of what infrastructure would be. 
I believe these views (component, location, process, service, and zoning) cover the breadth of the domain. The post also described the component view a bit more and linked to previous posts I made (one for <a href="https://blog.siphos.be/2021/06/an-it-services-overview/">services</a>, another for <a href="https://blog.siphos.be/2017/06/structuring-infrastructural-deployments/">zoning</a>).</p> <p>The one I want to tackle here is the most elaborate one, also the most enterprise-ish, and one that is always a balance of how much time and effort to put into it (as an architect), while hoping that the processes are sufficiently standardized, in a flexible manner, so that you don't need to cover everything again and again in each project.</p> <p>So, let's talk about processes...</p>

<p><em>Sven Vermeulen, Wed, 01 Sep 2021 11:20:00 +0200. Categories: Architecture, architecture, process.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/08/component-view-of-infrastructure/">Component view of infrastructure</a></strong></p>

<p>IT architects try to use views and viewpoints to convey the target architecture to the various stakeholders. Each stakeholder has their own interests in the architecture and wants to see their requirements fulfilled. A core role of the architect is to understand these requirements, make sure they are met, and balance all the different requirements.</p> <p>Architecture languages or meta-models often put significant focus on these views. ArchiMate has a large annex on <a href="https://pubs.opengroup.org/architecture/archimate3-doc/apdxc.html#_Toc10045495">Example Viewpoints</a> just for this purpose. 
However, unless the organization is widely accustomed to enterprise architecture views, it is unlikely that the views themselves are the final product: being able to translate those views into pretty slides and presentations is still an important task for architects when they need to present their findings to non-architecture roles.</p>

<p><em>Sven Vermeulen, Fri, 27 Aug 2021 21:10:00 +0200. Categories: Architecture, architecture, component, viewpoint.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/07/disaster-recovery-in-the-public-cloud/">Disaster recovery in the public cloud</a></strong></p>

<p>The public cloud is a different beast than an on-premise environment, and that also reflects itself in how we (should) look at the processes that are actively steering infrastructure designs and architecture. One of these is business continuity, severe incident handling, and the hopefully-never-to-occur disaster recovery. When building up procedures for handling disasters (<a href="https://en.wikipedia.org/wiki/Disaster_recovery">DRP = Disaster Recovery Procedure or Disaster Recovery Planning</a>), it is important to keep in mind what these are about.</p>

<p><em>Sven Vermeulen, Fri, 30 Jul 2021 20:00:00 +0200. Categories: Architecture, architecture, cloud, DRP.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/07/what-is-the-infrastructure-domain/">What is the infrastructure domain?</a></strong></p>

<p>In my job as domain architect for "infrastructure", I often come across stakeholders that have no common understanding of what infrastructure means in an enterprise architecture. Since then, I have been trying to figure out a way to easily explain it - to find a common, generic view on what infrastructure entails. 
If successful, I could use this common view to provide context on the many, many IT projects that are going on.</p>

<p><em>Sven Vermeulen, Mon, 19 Jul 2021 15:20:00 +0200. Categories: Architecture, architecture, pattern.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/07/organizing-service-documentation/">Organizing service documentation</a></strong></p>

<p>As I mentioned in <a href="https://blog.siphos.be/2021/06/an-it-services-overview/">An IT services overview</a>, I try to keep track of the architecture and designs of the IT services and solutions in a way that I feel helps me keep in touch with all the various services and solutions out there. Similar to how system administrators try to find a balance while working on documentation (which is often considered a chore), using a structure that is sufficiently simple and standard for the organization to benefit from, architects should try to keep track of architecturally relevant information as well.</p> <p>So in this post, I'm going to explain a bit more about how I approach documenting service and solution insights for architectural relevance.</p>

<p><em>Sven Vermeulen, Thu, 08 Jul 2021 09:20:00 +0200. Categories: Architecture, architecture, documentation, structure, wiki.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/06/not-sure-if-TOSCA-will-grow-further/">Not sure if TOSCA will grow further</a></strong></p>

<p>TOSCA is an OASIS open standard, and is an abbreviation for <em>Topology and Orchestration Specification for Cloud Applications</em>. It provides a domain-specific language to describe how an application should be deployed in the cloud (the topology), which and how many resources it needs, as well as tasks to run when certain events occur (the orchestration). When I initially came across this standard, I was (and still am) interested in how far this goes. 
The promise of declaring an application (and even bundling the necessary application artefacts) within a single asset and then using this asset to deploy on whatever cloud is very appealing to an architect, especially in organizations that have a multi-cloud strategy.</p>

<p><em>Sven Vermeulen, Wed, 30 Jun 2021 14:30:00 +0200. Categories: Architecture, architecture, cloud, TOSCA, OASIS, topology, orchestration, infrastructure, IaC, NFV.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/06/integrating-or-customizing-SaaS-within-your-own-cloud-environment/">Integrating or customizing SaaS within your own cloud environment</a></strong></p>

<p>Software as a Service (SaaS) solutions are often a quick way to get new capabilities into an organization’s portfolio. Smaller SaaS solutions are simple, web-based solutions which barely integrate with the organization’s other solutions, besides the identity and access management (which is often handled by federated authentication).</p> <p>More complex or intermediate solutions require more integration focus, and a whole new market of Integration Platform as a Service (iPaaS) solutions came up to facilitate cross-cloud integrations. But even without the iPaaS offerings, integrations are often a mandatory part of leveraging the benefits of the newly activated SaaS solution.</p> <p>In this post I want to bring some thoughts on the integrations that might be needed to support customizing a SaaS solution.</p>

<p><em>Sven Vermeulen, Wed, 23 Jun 2021 15:10:00 +0200. Categories: Architecture, architecture, cloud, SaaS, integration, customization.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/06/an-it-services-overview/">An IT services overview</a></strong></p>

<p>My current role within the company I work for is “domain architect”, part of the enterprise architects team. The domain I am accountable for is “infrastructure”, which can be seen as a very broad one. 
Now, I’ve been maintaining an overview of our IT services since before I reached that role, mainly out of an elaborate interest in the subject, as well as to optimize my efficiency further.</p> <p>Becoming a domain architect allows me to use the insights I’ve since gathered to try and give appropriate advice, but also now requires me to maintain a domain architecture. This structure is going to be the starting point of it, although it is not the be-all and end-all of what I would consider a domain architecture.</p>

<p><em>Sven Vermeulen, Mon, 14 Jun 2021 17:30:00 +0200. Categories: Architecture, architecture, overview, service, landscape, catalog, capability.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/06/the-three-additional-layers-in-the-OSI-model/">The three additional layers in the OSI model</a></strong></p>

<p>At my workplace, I jokingly refer to three extra layers on top of the OSI network model as a way to describe the difficulties of discussions or cases. These three additional layers are the Financial Layer, the Politics Layer and the Religion Layer, and the idea is that the higher up you go, the more challenging discussions will be.</p>

<p><em>Sven Vermeulen, Wed, 09 Jun 2021 11:10:00 +0200. Categories: Misc, OSI, meeting, humor.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/06/virtualization-vs-abstraction/">Virtualization vs abstraction</a></strong></p>

<p>When an organization has an extensively large and heterogeneous infrastructure, infrastructure architects will attempt to make it less complex and chaotic by introducing and maintaining a certain degree of standardization. 
While many might consider standardization as a rationalization (standardizing on a single database technology, a single vendor for hardware, etc.), rationalization is only one of the many ways in which standards can simplify such a degree of complexity.</p> <p>In this post, I'd like to point out two other, very common ways to standardize the IT environment, without really considering a rationalization: abstraction and virtualization.</p>

<p><em>Sven Vermeulen, Thu, 03 Jun 2021 10:10:00 +0200. Categories: Architecture, architecture, virtualization, abstraction.</em></p>

<p><strong><a href="https://blog.siphos.be/2021/01/selinux-system-administration-3rd-edition/">SELinux System Administration 3rd Edition</a></strong></p>

<p>As I mentioned previously, my latest installment of "SELinux System Administration" has recently been released by Packt Publishing. This is already the third edition of the book, after the first (2013) and second (2016) editions had reasonable success given the technical and often hard nature of full SELinux administration.</p> <p>Like the previous editions, this book remains true to its audience of system administrators, rather than SELinux policy developers. Of course, SELinux policy development is not ignored in the book.</p>

<p><em>Sven Vermeulen, Wed, 06 Jan 2021 20:00:00 +0100. Categories: SELinux, selinux, packt, book.</em></p>

<p><strong><a href="https://blog.siphos.be/2020/12/abstracting-infrastructure-complexity/">Abstracting infrastructure complexity</a></strong></p>

<p>IT is complex. Some even consider it to be more magic than reality. And with the ongoing evolutions and inventions, the complexity is not really going away. Sure, some IT areas are becoming easier to understand, but that is often offset by new areas being explored.</p> <p>Companies and organizations that have a sizeable IT footprint generally see an increase in their infrastructure, regardless of how many rationalization initiatives are started. 
Personally, I find it challenging, in a fun way, to keep up with the onslaught of new technologies and services that are onboarded in the infrastructure landscape that I'm responsible for.</p> <p>But just understanding a technology isn't enough to deal with its position in the larger environment.</p>

<p><em>Sven Vermeulen, Fri, 25 Dec 2020 23:00:00 +0100. Categories: Architecture, infrastructure, archimate.</em></p>

<p><strong><a href="https://blog.siphos.be/2020/10/working-on-infra-strategy/">Working on infra strategy</a></strong></p>

<p>After a long hiatus, I'm ready to take up blogging again on my public blog. With my day job becoming more intensive and my side job taking the remainder of the time, I've since quit my work on the Gentoo project. I am in the process of releasing a new edition of the SELinux System Administration book, so I'll probably discuss that more later.</p> <p>Today, I want to write about a task I had to do this year as brand new domain architect for infrastructure.</p>

<p><em>Sven Vermeulen, Sun, 04 Oct 2020 13:20:00 +0200. Categories: Architecture.</em></p>

<p><strong><a href="https://blog.siphos.be/2018/09/cvechecker-3.9-released/">cvechecker 3.9 released</a></strong></p>

<p>Thanks to updates from Vignesh Jayaraman, Anton Hillebrand and Rolf Eike Beer, a new release of <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker</a> is now available.</p> <p>This new release (v3.9) is a bugfix release.</p>

<p><em>Sven Vermeulen, Sun, 09 Sep 2018 13:20:00 +0200. Categories: Free-Software, cvechecker.</em></p>

<p><strong><a href="https://blog.siphos.be/2018/03/automating-compliance-checks/">Automating compliance checks</a></strong></p>

<p>With the configuration baseline for a technical service being described fully (see the <a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">first</a>, <a href="https://blog.siphos.be/2018/01/structuring-a-configuration-baseline/">second</a> and <a href="https://blog.siphos.be/2018/01/documenting-a-rule/">third</a> post in this series), it is time to consider validating the settings in an automated manner. The preferred method for this is to use the <em>Open Vulnerability and Assessment Language (OVAL)</em>, which is nowadays managed by the <a href="https://oval.cisecurity.org/">Center for Internet Security</a>, abbreviated as CISecurity. Previously, OVAL was maintained and managed by MITRE, and Google searches will often still point to the old sites. However, documentation is now maintained in CISecurity's <a href="https://github.com/OVALProject/Language/tree/5.11.2/docs">GitHub repositories</a>.</p> <p>But I digress...</p>

<p><em>Sven Vermeulen, Sat, 03 Mar 2018 13:20:00 +0100. Categories: Security, xccdf, oval, scap, baseline.</em></p>

<p><strong><a href="https://blog.siphos.be/2018/01/documenting-a-rule/">Documenting a rule</a></strong></p>

<p>In the <a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">first post</a> I talked about why configuration documentation is important. In the <a href="https://blog.siphos.be/2018/01/structuring-a-configuration-baseline/">second post</a> I looked into a good structure for configuration documentation of a technological service, and ended with an XCCDF template in which this documentation can be structured.</p> <p>The next step is to document the rules themselves, i.e. the actual content of a configuration baseline.</p>

<p><em>Sven Vermeulen, Wed, 24 Jan 2018 20:40:00 +0100. Categories: Security, xccdf, scap, baseline.</em></p>

<p><strong><a href="https://blog.siphos.be/2018/01/structuring-a-configuration-baseline/">Structuring a configuration baseline</a></strong></p>

<p>A good configuration baseline has a readable structure that allows all stakeholders to quickly see if the baseline is complete, as well as find a particular setting regardless of the technology. 
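</p>

<p>As an added illustration of the automated check that the "Automating compliance checks" post above argues for (example code written for this page; it is not code from the post, nor from the OVAL project or CISecurity): a minimal OVAL definition for one sshd setting, paired with a small Python evaluator for the single test type it uses, the independent schema's <code>textfilecontent54</code> test. The evaluator is intentionally limited to that test type, to <code>&lt;criteria&gt;</code> with the default AND operator, and to the <code>pattern match</code> and <code>equals</code> operations the definition uses; a real scanner such as OpenSCAP's <code>oscap</code> implements the full language. The <code>oval:example:...</code> identifiers are placeholders, and the sshd_config contents it is run against are constructed inline rather than read from the system.</p>

```python
import re
import xml.etree.ElementTree as ET

# OVAL definitions schema plus its "independent" component, which holds the
# textfilecontent54_* elements used for generic text files.
NS = {
    "oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Constructed sample definition (written for this page, not from the post).
# "oval:example:..." identifiers are placeholders, not a registered namespace.
OVAL_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <generator>
    <product_name>hand-written example</product_name>
    <schema_version>5.11.2</schema_version>
    <timestamp>2018-03-03T00:00:00</timestamp>
  </generator>
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <metadata>
        <title>Root login over SSH is disabled</title>
        <description>PermitRootLogin must be set to no in sshd_config.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example:tst:1" comment="PermitRootLogin is no"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:example:tst:1" version="1"
        check="all" check_existence="at_least_one_exists"
        comment="effective PermitRootLogin value">
      <ind:object object_ref="oval:example:obj:1"/>
      <ind:state state_ref="oval:example:ste:1"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:example:obj:1" version="1">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
      <ind:pattern operation="pattern match">^\s*PermitRootLogin\s+(\S+)</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
  <states>
    <ind:textfilecontent54_state id="oval:example:ste:1" version="1">
      <ind:subexpression>no</ind:subexpression>
    </ind:textfilecontent54_state>
  </states>
</oval_definitions>
"""


def _by_id(root, prefix, tag, ident):
    """Find the OVAL element with the given tag and id attribute."""
    for el in root.iter("{%s}%s" % (NS[prefix], tag)):
        if el.get("id") == ident:
            return el
    raise KeyError("%s %s not found" % (tag, ident))


def eval_textfilecontent54(test, root, files):
    """OVAL result ("true"/"false") of one textfilecontent54_test.
    `files` maps absolute paths to contents, so the check runs on constructed input."""
    obj = _by_id(root, "ind", "textfilecontent54_object",
                 test.find("ind:object", NS).get("object_ref"))
    state = _by_id(root, "ind", "textfilecontent54_state",
                   test.find("ind:state", NS).get("state_ref"))
    content = files.get(obj.find("ind:filepath", NS).text)
    if content is None:
        return "false"  # no file, so no item: fails check_existence
    # MULTILINE makes ^ and $ line anchors, which is how scanners apply the pattern.
    pattern = obj.find("ind:pattern", NS).text
    instance = int(obj.find("ind:instance", NS).text)
    matches = list(re.finditer(pattern, content, re.MULTILINE))
    if len(matches) < instance:
        return "false"  # the requested instance was not collected
    # The capture group is the item's subexpression; the state compares it with
    # the default "equals" operation. check="all" is trivial for a single item.
    expected = state.find("ind:subexpression", NS).text
    return "true" if matches[instance - 1].group(1) == expected else "false"


def evaluate(oval_xml, files):
    """Evaluate every definition; returns {definition id: "true"/"false"}."""
    root = ET.fromstring(oval_xml)
    results = {}
    for definition in root.iter("{%s}definition" % NS["oval-def"]):
        outcomes = []
        for criterion in definition.iter("{%s}criterion" % NS["oval-def"]):
            test = _by_id(root, "ind", "textfilecontent54_test",
                          criterion.get("test_ref"))
            outcomes.append(eval_textfilecontent54(test, root, files))
        # Only the default AND operator on <criteria> is implemented here.
        results[definition.get("id")] = (
            "true" if all(o == "true" for o in outcomes) else "false")
    return results


if __name__ == "__main__":
    # Constructed sshd_config samples; sshd honours the first occurrence of a
    # keyword, which is why the object asks for instance 1 of the pattern.
    for label, cfg in (("compliant", "Port 22\nPermitRootLogin no\n"),
                       ("non-compliant", "PermitRootLogin yes\n# PermitRootLogin no\n")):
        print(label, evaluate(OVAL_XML, {"/etc/ssh/sshd_config": cfg}))
```

<p>The first constructed configuration yields <code>true</code> for the definition, the second <code>false</code>: because sshd honours the first occurrence of a keyword, the object asks for instance 1 of the pattern, so a later or commented-out <code>PermitRootLogin no</code> does not mask an earlier <code>yes</code>. In the XCCDF baseline from the earlier posts, the rule would reference this definition through a <code>&lt;check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"&gt;</code> element whose <code>&lt;check-content-ref&gt;</code> names the OVAL file and the definition id; that reference is what turns a documented rule into a result a scanner can report.</p>

<p>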
In this blog post, I'll cover a possible structure for the baseline which attempts to be sufficiently complete and technology agnostic.</p> <p>If you haven't read the blog post on <a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">documenting configuration changes</a>, it might be a good idea to do so, as it declares the scope of configuration baselines and why I think XCCDF is a good match for this.</p>

<p><em>Sven Vermeulen, Wed, 17 Jan 2018 09:10:00 +0100. Categories: Security, xccdf, scap, baseline.</em></p>

<p><strong><a href="https://blog.siphos.be/2018/01/documenting-configuration-changes/">Documenting configuration changes</a></strong></p>

<p>IT teams are continuously under pressure to set up and maintain infrastructure services quickly, efficiently and securely. As an infrastructure architect, my main concerns are related to the manageability of these services and their secure setup. And within those realms, a properly documented configuration setup is in my opinion very crucial.</p> <p>In this blog post series, I'm going to look into using the <em>Extensible Configuration Checklist Description Format (XCCDF)</em> as the way to document these. This first post is an introduction to XCCDF functionally, and what I position it for.</p>

<p><em>Sven Vermeulen, Sun, 07 Jan 2018 21:20:00 +0100. Categories: Security, xccdf, scap, baseline.</em></p>

<p><strong><a href="https://blog.siphos.be/2017/11/selinux-and-extended-permissions/">SELinux and extended permissions</a></strong></p>

<p>One of the features present in the <a href="https://github.com/SELinuxProject/selinux/wiki/Releases">August release</a> of the SELinux user space is its support for ioctl xperm rules in modular policies. In the past, this was only possible in monolithic ones (and CIL). Through this, allow rules can be extended to not only cover source (domain) and target (resource) identifiers, but also the specific operation number to which they apply. 
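</p>

<p>As an added example (written for this page, not taken from the post) of what such a rule looks like in a policy module's <code>.te</code> file: <code>myapp_t</code> is a hypothetical application domain, <code>user_devpts_t</code> is the reference policy type for user pseudo-terminals, and the request numbers are the Linux terminal ioctls (<code>TCGETS</code> is <code>0x5401</code>, <code>TIOCSTI</code> is <code>0x5412</code>).</p>

```selinux
# Example policy module written for this page, not from the post.
# myapp_t is a hypothetical domain; user_devpts_t comes from the reference policy.
policy_module(myapp_xperm, 1.0)

gen_require(`
    type myapp_t;
    type user_devpts_t;
')

# The classic access vector rule. On its own it allows every ioctl request
# number on the pty; without it, the extended permission rule below never
# comes into play, because the plain ioctl permission is checked first.
allow myapp_t user_devpts_t:chr_file { read write ioctl };

# The extended permission rule narrows the ioctl permission to the listed
# request numbers: once an allowxperm rule exists for this source/target/class,
# any number not listed is denied. The two ranges cover the terminal ioctls
# (0x54xx) but leave out 0x5412 (TIOCSTI), which injects characters into the
# terminal's input queue and is a classic way to escape a sandboxed shell.
allowxperm myapp_t user_devpts_t:chr_file ioctl { 0x5401-0x5411 0x5413-0x54ff };
```

<p>Build and load it like any other module (<code>semodule -i myapp_xperm.pp</code>); the module has to be built with a toolchain of at least this release, and the kernel has to support policy version 30 or later for the xperm rules to load. Two things to keep in mind when writing such rules: the kernel matches on the low 16 bits of the request number (the driver and function bytes), not on the full 32-bit value that also encodes direction and argument size; and a denial of an unlisted number shows up in the audit log as a plain <code>ioctl</code> denial carrying an <code>ioctlcmd=</code> field, so the presence of that field is how you tell an xperm denial from a missing <code>ioctl</code> permission. <code>sesearch --allowx</code> from setools 4 lists the loaded xperm rules for a given source, target and class.</p>

<p>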
And ioctls are the first (and currently only) permission on which this is implemented.</p> <p>Note that ioctl-level permission control isn't a new feature by itself, but the fact that it can be used in modular policies is.</p> Sven VermeulenMon, 20 Nov 2017 17:00:00 +0100tag:blog.siphos.be,2017-11-20:/2017/11/selinux-and-extended-permissions/SELinuxselinuxioctlSELinux Userspace 2.7https://blog.siphos.be/2017/09/selinux-userspace-2.7/<p>A few days ago, <a href="http://blog.perfinion.com/">Jason "perfinion" Zaman</a> stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a <a href="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt">few new features</a>, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package into separate packages so that deployments can be made more specific.</p> <p>Let's take a look at all the various userspace packages again, and learn what their purpose is, so that you can decide if they're needed or not on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).</p> Sven VermeulenTue, 26 Sep 2017 14:50:00 +0200tag:blog.siphos.be,2017-09-26:/2017/09/selinux-userspace-2.7/SELinuxgentooselinuxuserspaceAuthenticating with U2Fhttps://blog.siphos.be/2017/09/authenticating-with-u2f/<p>In order to further secure access to my workstation, after the <a href="http://blog.siphos.be/2017/08/switch-to-gentoo-sources/">switch to Gentoo sources</a>, I now enabled two-factor authentication through my Yubico U2F USB device. 
Well, at least for local access: remote access through SSH requires both a userid/password and the correct SSH key, by <a href="https://lwn.net/Articles/544640/">chaining authentication methods in OpenSSH</a>.</p> <p>Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about the <code>pam_u2f</code> setup are indeed correct that it is fairly simple. For completeness' sake, I've documented what I know on the Gentoo Wiki, as the <a href="https://wiki.gentoo.org/wiki/Pam_u2f">pam_u2f article</a>.</p> Sven VermeulenMon, 11 Sep 2017 18:25:00 +0200tag:blog.siphos.be,2017-09-11:/2017/09/authenticating-with-u2f/Securitygentoosecurityyubicou2fpamUsing nVidia with SELinuxhttps://blog.siphos.be/2017/08/using-nvidia-with-selinux/<p>Yesterday I <a href="http://blog.siphos.be/2017/08/switch-to-gentoo-sources/">switched to the gentoo-sources kernel package</a> on Gentoo Linux. And with that, I also attempted (successfully) to use the proprietary nvidia drivers so that I can enjoy both a smoother 3D experience while playing minecraft, as well as use the CUDA support so I don't need to use cloud-based services for small exercises.</p> <p>The move to nvidia was quite simple, as the <a href="https://wiki.gentoo.org/wiki/NVidia/nvidia-drivers">nvidia-drivers wiki article</a> on the Gentoo wiki was quite easy to follow.</p> Sven VermeulenWed, 23 Aug 2017 19:04:00 +0200tag:blog.siphos.be,2017-08-23:/2017/08/using-nvidia-with-selinux/SELinuxgentooselinuxnvidiaSwitch to Gentoo sourceshttps://blog.siphos.be/2017/08/switch-to-gentoo-sources/<p>You might already have read it on the Gentoo news site: the <a href="https://www.gentoo.org/news/2017/08/19/hardened-sources-removal.html">Hardened Linux kernel sources are removed from the tree</a> due to the <a href="http://grsecurity.net/">grsecurity</a> change where the grsecurity Linux kernel patches are no longer provided for free. 
The decision was made due to supportability and maintainability reasons.</p> <p>That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. <a href="https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available/#utm_source=feed&amp;utm_medium=feed&amp;utm_campaign=feed">Agostino Sarubbo has started providing sys-kernel/grsecurity-sources</a> for the users who want to stick with it, as it is based on <a href="https://github.com/minipli/linux-unofficial_grsec">minipli's unofficial patchset</a>. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.</p> <p>Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).</p> Sven VermeulenTue, 22 Aug 2017 19:04:00 +0200tag:blog.siphos.be,2017-08-22:/2017/08/switch-to-gentoo-sources/GentoogentoohardenedgrsecurityselinuxProject prioritizationhttps://blog.siphos.be/2017/07/project-prioritization/<p><sub>This is a long read, skip to “Prioritizing the projects and changes” for the approach details...</sub></p> <p>Organizations and companies generally have an IT workload (dare I say, backlog?) which needs to be properly assessed, prioritized and taken up. Sometimes, the IT team(s) get an amount of budget and HR resources to "do their thing", while others need to continuously ask for approval to launch a new project or instantiate a change.</p> <p>Sizeable organizations even require engineering and development effort on IT projects which are not readily available: specialized teams exist, but they are governance-wise assigned to projects. 
And as everyone thinks their project is the top-most priority one, many will be disappointed when they hear there are no resources available for their pet project.</p> <p>So... how should organizations prioritize such projects?</p> Sven VermeulenTue, 18 Jul 2017 20:40:00 +0200tag:blog.siphos.be,2017-07-18:/2017/07/project-prioritization/ArchitecturepmostrategySAFeprioritizationprojectStructuring infrastructural deploymentshttps://blog.siphos.be/2017/06/structuring-infrastructural-deployments/<p>Many organizations struggle with the all-time increase in IP address allocation and the accompanying need for segmentation. In the past, governing the segments within the organization means keeping close control over the service deployments, firewall rules, etc.</p> <p>Lately, the idea of micro-segmentation, supported through software-defined networking solutions, seems to defy the need for a segmentation governance. However, I think that that is a very short-sighted sales proposition. Even with micro-segmentation, or even pure point-to-point / peer2peer communication flow control, you'll still be needing a high level overview of the services within your scope.</p> <p>In this blog post, I'll give some insights in how we are approaching this in the company I work for. 
In short, it starts with requirements gathering, creating labels to assign to deployments, creating groups based on one or two labels in a layered approach, and finally fixating the resulting schema and start mapping guidance documents (policies) toward the presented architecture.</p> Sven VermeulenWed, 07 Jun 2017 20:40:00 +0200tag:blog.siphos.be,2017-06-07:/2017/06/structuring-infrastructural-deployments/ArchitecturesegmentationzoningdeploymentslandscapeMatching MD5 SSH fingerprinthttps://blog.siphos.be/2017/05/matching-md5-ssh-fingerprint/<p>Today I was attempting to update a local repository, when SSH complained about a changed fingerprint, something like the following:</p> <div class="highlight"><pre><span></span><code>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:p4ZGs+YjsBAw26tn2a+HPkga1dPWWAWX+NEm4Cv4I9s. Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/user/.ssh/known_hosts:9 ECDSA host key for 192.168.56.101 has changed and you have requested strict checking. Host key verification failed. </code></pre></div> Sven VermeulenThu, 18 May 2017 18:20:00 +0200tag:blog.siphos.be,2017-05-18:/2017/05/matching-md5-ssh-fingerprint/Securityopensshfingerprintmd5Switched to Lineage OShttps://blog.siphos.be/2017/04/switched-to-lineage-os/<p>I have been a long time user of <a href="https://en.wikipedia.org/wiki/CyanogenMod">Cyanogenmod</a>, which discontinued its services end of 2016. Due to lack of (continuous) time, I was not able to switch over toward a different ROM. 
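Added example for the "Matching MD5 SSH fingerprint" entry above (not code from that post or from OpenSSH): the warning quoted there shows only the SHA256 form, and when the fingerprint you have on record is an MD5 one, the comparison requires hashing the same key blob both ways. The Python below reproduces what `ssh-keygen -lf` and `ssh-keygen -E md5 -lf` print for one key and looks the key up in known_hosts, including hashed host entries. The key bytes and the known_hosts lines are constructed for the example, not a real host key.

```python
"""Compute SHA256 and legacy MD5 fingerprints of an OpenSSH public key and
match them against known_hosts entries.

Added example for the 'Matching MD5 SSH fingerprint' entry; not code from the
blog post or from OpenSSH. It reproduces what `ssh-keygen -lf` (SHA256) and
`ssh-keygen -E md5 -lf` (MD5) print for one key, so that a fingerprint noted
down in the old format can be compared with the one a current client shows.
The key bytes and known_hosts lines below are constructed, not a real host key.
"""
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_pubkey_line(raw_key: bytes, comment: str = "example-host") -> str:
    """Assemble an 'ssh-ed25519 <base64 blob> <comment>' line from raw key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def key_blob(line: str) -> bytes:
    """Decode the key blob from a '<type> <base64> [comment]' line. Every
    fingerprint is a hash over this blob; the comment plays no part."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1])
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():  # algorithm name inside the blob
        raise ValueError("key type field does not match the key blob")
    return blob

def fingerprint_sha256(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: base64 of the raw digest, '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """Same form as `ssh-keygen -E md5 -lf`: colon-separated hex digest."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def hash_hostname(hostname: str, salt: bytes) -> str:
    """The '|1|<salt>|<hmac>' host field written with HashKnownHosts on:
    HMAC-SHA1 over the hostname, keyed with a 20-byte salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated or hashed)
    against a hostname; wildcard patterns are not handled here."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def known_host_fingerprints(known_hosts: str, hostname: str) -> dict:
    """{line number: (key type, SHA256 fp, MD5 fp)} for every entry naming hostname."""
    found = {}
    for number, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or not host_matches(fields[0], hostname):
            continue
        blob = key_blob(" ".join(fields[1:]))
        found[number] = (fields[1], fingerprint_sha256(blob), fingerprint_md5(blob))
    return found

def matches_known_host(known_hosts: str, hostname: str, fingerprint: str) -> bool:
    """True when a fingerprint in either format belongs to hostname's stored key."""
    return any(fingerprint in (sha, md5)
               for _, sha, md5 in known_host_fingerprints(known_hosts, hostname).values())

# Constructed data: placeholder key bytes and a two-entry known_hosts file.
CONSTRUCTED_KEY = bytes(range(32))
PUBKEY_LINE = build_pubkey_line(CONSTRUCTED_KEY)
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "192.168.56.101,vbox " + PUBKEY_LINE,
    hash_hostname("git.example.test", b"0123456789abcdef0123") + " " + PUBKEY_LINE,
])

if __name__ == "__main__":
    blob = key_blob(PUBKEY_LINE)
    print(fingerprint_sha256(blob), fingerprint_md5(blob), sep="\n")
    print(known_host_fingerprints(KNOWN_HOSTS, "git.example.test"))
```

With a real key, `ssh-keygen -lf key.pub` and `ssh-keygen -E md5 -lf key.pub` print the same two values (older OpenSSH releases print the MD5 form without the `MD5:` prefix), and `ssh-keygen -F host -f ~/.ssh/known_hosts` lists the stored entry the way `known_host_fingerprints` does. Once both forms agree with what you have on record, the changed-key warning was a genuine key rotation rather than something to wave through.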
Also, I wasn't sure if <a href="https://www.lineageos.org/">LineageOS</a> would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.</p> <p>Today, I made my choice and installed LineageOS.</p> Sven VermeulenSun, 09 Apr 2017 16:40:00 +0200tag:blog.siphos.be,2017-04-09:/2017/04/switched-to-lineage-os/Misccyanogenmodlineageosmobileandroidcvechecker 3.8 releasedhttps://blog.siphos.be/2017/03/cvechecker-3.8-released/<p>A new release is now available for the <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker</a> application. This is a stupid yet important bugfix release: the 3.7 release saw all newly released CVEs as being already known, so it did not take them up to the database. As a result, systems would never check for the new CVEs.</p> Sven VermeulenMon, 27 Mar 2017 19:00:00 +0200tag:blog.siphos.be,2017-03-27:/2017/03/cvechecker-3.8-released/Free-SoftwarecvecheckerHandling certificates in Gentoo Linuxhttps://blog.siphos.be/2017/03/handling-certificates-in-gentoo-linux/<p>I recently created a new article on the Gentoo Wiki titled <a href="https://wiki.gentoo.org/wiki/Certificates">Certificates</a> which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle <em>everything</em> about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of both Chromium and Firefox separately, even though they both use NSS.</p> Sven VermeulenMon, 06 Mar 2017 22:20:00 +0100tag:blog.siphos.be,2017-03-06:/2017/03/handling-certificates-in-gentoo-linux/Gentoogentoocertificatesnsscvechecker 3.7 releasedhttps://blog.siphos.be/2017/03/cvechecker-3.7-released/<p>After a long time of getting too little attention from me, I decided to make a new <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker</a> release. 
There are few changes in it, but I am planning on making a new release soon with lots of clean-ups.</p> Sven VermeulenThu, 02 Mar 2017 10:00:00 +0100tag:blog.siphos.be,2017-03-02:/2017/03/cvechecker-3.7-released/Free-SoftwarecvecheckerI missed FOSDEMhttps://blog.siphos.be/2017/02/i-missed-fosdem/<p>I sadly had to miss out on the FOSDEM event. The entire weekend was filled with me being apathetic, feverish and overall zombie-like. Yes, sickness can be cruel. It wasn't until today that I had the energy back to fire up my laptop.</p> <p>Sorry for the crew that I promised to meet at FOSDEM. I'll make it up, somehow.</p> Sven VermeulenTue, 07 Feb 2017 17:06:00 +0100tag:blog.siphos.be,2017-02-07:/2017/02/i-missed-fosdem/MiscgentoofosdemSELinux System Administration, 2nd Editionhttps://blog.siphos.be/2016/12/selinux-system-administration-2nd-edition/<p>While still working on a few other projects, one of the time consumers of the past half year (haven't you noticed? my blog was quite silent) has come to an end: the <a href="https://www.packtpub.com/networking-and-servers/selinux-system-administration-second-edition">SELinux System Administration - Second Edition</a> book is now available. With almost double the amount of pages and a serious update of the content, the book can now be bought either through Packt Publishing itself, or the various online bookstores such as <a href="https://www.amazon.com/SELinux-System-Administration-Sven-Vermeulen-ebook/dp/B01LWM02WI">Amazon</a>.</p> <p>With the holidays now approaching, I hope to be able to execute a few tasks within the Gentoo community (and of the Gentoo Foundation) and get back on track. 
Luckily, my absence was not jeopardizing the state of <a href="https://wiki.gentoo.org/wiki/SELinux">SELinux</a> in Gentoo thanks to the efforts of Jason Zaman.</p> Sven VermeulenThu, 22 Dec 2016 19:26:00 +0100tag:blog.siphos.be,2016-12-22:/2016/12/selinux-system-administration-2nd-edition/SELinuxselinuxgentoorhelredhatpacktbookpublishingGnuPG: private key suddenly missing?https://blog.siphos.be/2016/10/gnupg-private-key-suddenly-missing/<p>After updating my workstation, I noticed that keychain reported that it could not load one of the GnuPG keys I passed it on.</p> <div class="highlight"><pre><span></span><code> * keychain 2.8.1 ~ http://www.funtoo.org * Found existing ssh-agent: 2167 * Found existing gpg-agent: 2194 * Warning: can't find 0xB7BD4B0DE76AC6A4; skipping * Known ssh key: /home/swift/.ssh/id_dsa * Known ssh key: /home/swift/.ssh/id_ed25519 * Known gpg key: 0x22899E947878B0CE </code></pre></div> <p>I did not modify my key store at all, so what happened?</p> Sven VermeulenWed, 12 Oct 2016 18:56:00 +0200tag:blog.siphos.be,2016-10-12:/2016/10/gnupg-private-key-suddenly-missing/Free-SoftwaregnupgWe do not ship SELinux sandboxhttps://blog.siphos.be/2016/09/we-do-not-ship-selinux-sandbox/<p>A few days ago a vulnerability was reported in the SELinux sandbox user space utility. The utility is part of the <code>policycoreutils</code> package. 
Luckily, Gentoo's <code>sys-apps/policycoreutils</code> package is not vulnerable - and not because we were clairvoyant about this issue, but because we don't ship this utility.</p> Sven VermeulenTue, 27 Sep 2016 20:47:00 +0200tag:blog.siphos.be,2016-09-27:/2016/09/we-do-not-ship-selinux-sandbox/SELinuxselinuxsandboxgentoovulnerabilityseunshareMounting QEMU imageshttps://blog.siphos.be/2016/09/mounting-qemu-images/<p>While working on the second edition of my first book, <a href="https://www.packtpub.com/networking-and-servers/selinux-system-administration-second-edition">SELinux System Administration - Second Edition</a> I had to test out a few commands on different Linux distributions to make sure that I don't create instructions that only work on Gentoo Linux. After all, as awesome as Gentoo might be, the Linux world is a bit bigger. So I downloaded a few live systems to run in Qemu/KVM.</p> <p>Some of these systems however use <a href="https://cloudinit.readthedocs.io/en/latest/">cloud-init</a> which, while interesting to use, is not set up on my system yet. And without support for cloud-init, how can I get access to the system?</p> Sven VermeulenMon, 26 Sep 2016 19:26:00 +0200tag:blog.siphos.be,2016-09-26:/2016/09/mounting-qemu-images/Free-SoftwareqemuComparing Hadoop with mainframehttps://blog.siphos.be/2016/06/comparing-hadoop-with-mainframe/<p>At my work, I have the pleasure of being involved in a big data project that uses Hadoop as the primary platform for several services. As an architect, I try to get to know the platform's capabilities, its potential use cases, its surrounding ecosystem, etc. And although the implementation at work is not in its final form (yay agile infrastructure releases) I do start to get a grasp of where we might be going.</p> <p>For many analysts and architects, this Hadoop platform is a new kid on the block so I have some work explaining what it is and what it is capable of. 
Not for the fun of it, but to help the company make the right decisions, to support management and operations, to lift the fear of new environments. One thing I've once said is that "Hadoop is the poor man's mainframe", because I notice some high-level similarities between the two.</p> Sven VermeulenWed, 15 Jun 2016 20:55:00 +0200tag:blog.siphos.be,2016-06-15:/2016/06/comparing-hadoop-with-mainframe/HadoophadoopmainframeTemplate was specified incorrectlyhttps://blog.siphos.be/2016/03/template-was-specified-incorrectly/<p>After reorganizing my salt configuration, I received the following error:</p> <div class="highlight"><pre><span></span><code>[ERROR ] Template was specified incorrectly: False </code></pre></div> <p>Enabling some debugging on the command gave me a slight pointer why this occurred:</p> <div class="highlight"><pre><span></span><code>[DEBUG ] Could not find file from saltenv 'testing', u'salt://top.sls' [DEBUG ] No contents loaded for env: testing [DEBUG ] compile template: False [ERROR ] Template was specified incorrectly: False </code></pre></div> <p>I was using a single top file as recommended by Salt, but apparently it was still looking for top files in the other environments.</p> <p>Yet, if I split the top files across the environments, I got the following warning:</p> <div class="highlight"><pre><span></span><code>[WARNING ] Top file merge strategy set to 'merge' and multiple top files found. Top file merging order is undefined; for better results use 'same' option </code></pre></div> <p>So what's all this about?</p> Sven VermeulenSun, 27 Mar 2016 13:32:00 +0200tag:blog.siphos.be,2016-03-27:/2016/03/template-was-specified-incorrectly/Free-SoftwaresaltUsing salt-ssh with agent forwardinghttps://blog.siphos.be/2016/03/using-salt-ssh-with-agent-forwarding/<p>Part of a system's security is to reduce the attack surface. 
Following this principle, I want to see if I can switch from using regular salt minions for a saltstack managed system set towards <code>salt-ssh</code>. This would allow doing some system management over SSH instead of ZeroMQ.</p> <p>I'm not confident yet that this is a solid approach to take (as performance is also important, which is greatly reduced with <code>salt-ssh</code>), and exposing the salt minions over ZeroMQ is also not that insecure (especially not when a local firewall ensures that only connections from the salt master are allowed). But playing doesn't hurt.</p> Sven VermeulenSat, 26 Mar 2016 19:57:00 +0100tag:blog.siphos.be,2016-03-26:/2016/03/using-salt-ssh-with-agent-forwarding/Free-SoftwaresaltTrying out imapsynchttps://blog.siphos.be/2016/03/trying-out-imapsync/<p>Recently, I had to migrate mail boxes for a couple of users from one mail provider to another. Both mail providers used IMAP, so I looked into IMAP-related synchronization methods. I quickly found the <a href="https://github.com/imapsync/imapsync">imapsync</a> application, also supported through Gentoo's repository.</p> Sven VermeulenSun, 13 Mar 2016 12:57:00 +0100tag:blog.siphos.be,2016-03-13:/2016/03/trying-out-imapsync/Free-SoftwareimapsyncNew cvechecker releasehttps://blog.siphos.be/2015/11/new-cvechecker-release/<p>A short while ago I got the notification that pulling new CVE information was no longer possible. The reason was that the NVD site did not support uncompressed downloads anymore. 
The fix for cvechecker was simple, and it also gave me a reason to push out a new release (after two years) which also includes various updates by Christopher Warner.</p> <p>So <a href="https://github.com/sjvermeu/cvechecker/wiki">cvechecker 3.6</a> is now available for general consumption.</p> Sven VermeulenSat, 07 Nov 2015 11:07:00 +0100tag:blog.siphos.be,2015-11-07:/2015/11/new-cvechecker-release/Free-SoftwarecvecheckerSwitching focus at workhttps://blog.siphos.be/2015/09/switching-focus-at-work/<p>Since 2010, I was at work responsible for the infrastructure architecture of a couple of technological domains, namely databases and scheduling/workload automation. It brought me in contact with many vendors, many technologies and most importantly, many teams within the organization. The focus domain was challenging, as I had to deal with the strategy on how the organization, which is a financial institution, will deal with databases and scheduling in the long term.</p> Sven VermeulenSun, 20 Sep 2015 13:29:00 +0200tag:blog.siphos.be,2015-09-20:/2015/09/switching-focus-at-work/ArchitectureworkhadoopdockerGetting su to work in init scriptshttps://blog.siphos.be/2015/09/getting-su-to-work-in-init-scripts/<p>While developing an init script which has to switch user, I got a couple of errors from SELinux and the system itself:</p> <div class="highlight"><pre><span></span><code><span class="go">~# rc-service hadoop-namenode format</span> <span class="go">Authenticating root.</span> <span class="go"> * Formatting HDFS ...</span> <span class="go">su: Authentication service cannot retrieve authentication info</span> <span class="gp gp-VirtualEnv">(Ignored)</span> </code></pre></div> Sven VermeulenMon, 14 Sep 2015 16:37:00 +0200tag:blog.siphos.be,2015-09-14:/2015/09/getting-su-to-work-in-init-scripts/SELinuxselinuxinitrcCustom CIL SELinux policies in Gentoohttps://blog.siphos.be/2015/09/custom-cil-selinux-policies-in-gentoo/<p>In Gentoo, we have been supporting <a 
href="https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file">custom policy packages</a> for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages as default (although <a href="https://wiki.gentoo.org/wiki/Binary_package_guide">binary packages</a> are supported as well).</p> <p>A recent <a href="https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f2aa45db35bbf3a74f8db09ece9edac60e79ee4">commit</a> now also allows CIL files to be used.</p> Sven VermeulenThu, 10 Sep 2015 07:13:00 +0200tag:blog.siphos.be,2015-09-10:/2015/09/custom-cil-selinux-policies-in-gentoo/GentoogentoocilselinuxebuildeclassUsing multiple OpenSSH daemonshttps://blog.siphos.be/2015/09/using-multiple-openssh-daemons/<p>I administer a couple of systems which provide interactive access by end users, and for this interactive access I position <a href="http://www.openssh.com/">OpenSSH</a>. However, I also use this for administrative access to the system, and I tend to have harder security requirements for OpenSSH than most users do.</p> <p>For instance, on one system, end users with a userid + password use the sFTP server for publishing static websites. Other access is prohibited, so I really like this OpenSSH configuration to use chrooted users, internal sftp support, whereas a different OpenSSH is used for administrative access (which is only accessible by myself and some trusted parties).</p> Sven VermeulenSun, 06 Sep 2015 16:37:00 +0200tag:blog.siphos.be,2015-09-06:/2015/09/using-multiple-openssh-daemons/Free-Softwareopensshsshu2fselinuxMaintaining packages and backportinghttps://blog.siphos.be/2015/09/maintaining-packages-and-backporting/<p>A few days ago I committed a small update to <code>policycoreutils</code>, a SELinux related package that provides most of the management utilities for SELinux systems. 
The fix was to get two patches (which are committed upstream) into the existing release so that our users can benefit from the fixed issues without having to wait for a new release.</p> Sven VermeulenWed, 02 Sep 2015 20:33:00 +0200tag:blog.siphos.be,2015-09-02:/2015/09/maintaining-packages-and-backporting/GentoogentooebuildpatchingDoing away with interfaceshttps://blog.siphos.be/2015/08/doing-away-with-interfaces/<p>CIL is SELinux' Common Intermediate Language, which brings on a whole new set of possibilities with policy development. I hardly know CIL but am (slowly) learning. Of course, the best way to learn is to try and do lots of things with it, but real-life work and time-to-market for now forces me to stick with the M4-based refpolicy one.</p> <p>Still, I do try out some things here and there, and one of the things I wanted to look into was how CIL policies would deal with interfaces.</p> Sven VermeulenSat, 29 Aug 2015 11:30:00 +0200tag:blog.siphos.be,2015-08-29:/2015/08/doing-away-with-interfaces/SELinuxselinuxcilSlowly converting from GuideXML to HTMLhttps://blog.siphos.be/2015/08/slowly-converting-from-guidexml-to-html/<p>Gentoo has removed its support of the older GuideXML format in favor of using the <a href="https://wiki.gentoo.org">Gentoo Wiki</a> and a new content management system for the main site (or is it static pages, I don't have the faintest idea to be honest). I do still have a few GuideXML pages in my development space, which I am going to move to HTML pretty soon.</p> <p>In order to do so, I make use of the <a href="https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/xsl/guidexml2wiki.xsl?view=log">guidexml2wiki</a> stylesheet I <a href="http://blog.siphos.be/2013/02/transforming-guidexml-to-wiki/">developed</a>. 
But instead of migrating it to wiki syntax, I want to end with HTML.</p> Sven VermeulenTue, 25 Aug 2015 11:30:00 +0200tag:blog.siphos.be,2015-08-25:/2015/08/slowly-converting-from-guidexml-to-html/GentoogentooguidexmlxmlxsltrstmediawikihtmlMaking the case for multi-instance supporthttps://blog.siphos.be/2015/08/making-the-case-for-multi-instance-support/<p>With the high attention that technologies such as <a href="https://www.docker.com/">Docker</a>, <a href="https://coreos.com/blog/rocket/">Rocket</a> and the like get (I recommend to look at <a href="https://github.com/p8952/bocker">Bocker</a> by Peter Wilmott as well ;-), I still find it important that technologies are well capable of supporting a multi-instance environment.</p> <p>Being able to run multiple instances makes for great consolidation. The system can be optimized for the technology, access to the system limited to the admins of said technology while still providing isolation between instances. For some technologies, running on commodity hardware just doesn't cut it (not all software is written for such hardware platforms) and consolidation allows for reducing (hardware/licensing) costs.</p> Sven VermeulenSat, 22 Aug 2015 12:45:00 +0200tag:blog.siphos.be,2015-08-22:/2015/08/making-the-case-for-multi-instance-support/ArchitectureSwitching OpenSSH to ed25519 keyshttps://blog.siphos.be/2015/08/switching-openssh-to-ed25519-keys/<p>With Mike's <a href="http://comments.gmane.org/gmane.linux.gentoo.devel/96896">news item</a> on OpenSSH's deprecation of the <a href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm">DSA algorithm</a> for the public key authentication, I started switching the few keys I still had using DSA to the suggested <a href="http://ed25519.cr.yp.to/">ED25519</a> algorithm. 
Of course, I wouldn't be a security-interested party if I did not do some additional investigation into the DSA versus Ed25519 discussion.</p> Sven VermeulenWed, 19 Aug 2015 18:26:00 +0200tag:blog.siphos.be,2015-08-19:/2015/08/switching-openssh-to-ed25519-keys/Free-SoftwareopensshsshgentooUpdates on my Pelican adventurehttps://blog.siphos.be/2015/08/updates-on-my-pelican-adventure/<p>It's been a few weeks since I <a href="http://blog.siphos.be/2015/08/switching-to-pelican/">switched</a> my blog to <a href="http://blog.getpelican.com/">Pelican</a>, a static site generator built with Python. A number of adjustments have been made since, which I'll happily talk about.</p> Sven VermeulenSun, 16 Aug 2015 19:50:00 +0200tag:blog.siphos.be,2015-08-16:/2015/08/updates-on-my-pelican-adventure/Free-SoftwareblogpelicanwordpressFinding a good compression utilityhttps://blog.siphos.be/2015/08/finding-a-good-compression-utility/<p>I recently came across a <a href="http://catchchallenger.first-world.info//wiki/Quick_Benchmark:_Gzip_vs_Bzip2_vs_LZMA_vs_XZ_vs_LZ4_vs_LZO">wiki page</a> written by <a href="http://catchchallenger.first-world.info/wiki/User:Alpha_one_x86">Herman Brule</a> which gives a quick benchmark on a couple of compression methods / algorithms. It gave me the idea of writing a quick script that tests out a wide number of compression utilities available in Gentoo (usually through the <code>app-arch</code> category), with also a number of options (in case multiple options are possible).</p> Sven VermeulenThu, 13 Aug 2015 19:15:00 +0200tag:blog.siphos.be,2015-08-13:/2015/08/finding-a-good-compression-utility/GentoogentoocompressionWhy we do confine Firefoxhttps://blog.siphos.be/2015/08/why-we-do-confine-firefox/<p>If you follow the SELinux development community a bit, you will know <a href="http://danwalsh.livejournal.com">Dan Walsh</a>, a <a href="http://people.redhat.com/dwalsh/">Red Hat</a> security engineer. 
Today he <a href="http://danwalsh.livejournal.com/72697.html">blogged</a> about <em>CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox</em>. He should've asked why the <em>reference policy</em> or <em>Red Hat/Fedora policy</em> does not confine Firefox, because SELinux is, as I've <a href="http://blog.siphos.be/2015/08/dont-confuse-selinux-with-its-policy/">mentioned before</a>, not the same as its policy.</p> <p>In effect, Gentoo's SELinux policy <em>does</em> confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to <a href="https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy#Develop_desktop_policies">develop desktop policies</a> in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt to do this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.</p> Sven VermeulenTue, 11 Aug 2015 19:18:00 +0200tag:blog.siphos.be,2015-08-11:/2015/08/why-we-do-confine-firefox/SELinuxgentooselinuxpolicyfirefoxcvevulnerabilityxdgCan SELinux substitute DAC?https://blog.siphos.be/2015/08/can-selinux-substitute-dac/<p>A nice <a href="https://twitter.com/sjvermeu/status/630107879123623936">twitter discussion</a> with <a href="https://twitter.com/erlheldata">Erling Hellenäs</a> caught my full attention later when I was heading home: Can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not and what would be needed?</p> <p>SELinux is implemented through the <a href="https://en.wikipedia.org/wiki/Linux_Security_Modules">Linux Security Modules framework</a> which allows for different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through <em>additional</em> access checks. 
This criterion was chosen to keep LSM as minimally invasive as possible.</p> Sven VermeulenSun, 09 Aug 2015 14:48:00 +0200tag:blog.siphos.be,2015-08-09:/2015/08/can-selinux-substitute-dac/SELinuxselinuxrefpolicylinuxdaclsmFiltering network access per applicationhttps://blog.siphos.be/2015/08/filtering-network-access-per-application/<p>Iptables (and its successor nftables) is a powerful packet filtering system in the Linux kernel, able to create advanced firewall capabilities. One of the features that it <em>cannot</em> provide is per-application filtering. Together with SELinux however, it is possible to implement this on a <em>per domain</em> basis.</p> <p>SELinux does not know applications, but it knows domains. If we ensure that each application runs in its own domain, then we can leverage the firewall capabilities with SELinux to only allow those domains access that we need.</p> Sven VermeulenFri, 07 Aug 2015 03:49:00 +0200tag:blog.siphos.be,2015-08-07:/2015/08/filtering-network-access-per-application/SELinuxselinuxnetworkiptablesMy application base: Obnamhttps://blog.siphos.be/2015/08/my-application-base-obnam/<p>It is often said, yet too often forgotten: taking backups (and verifying that they work). Taking backups is not purely for companies and organizations. Individuals should also take backups to ensure that, in case of errors or calamities, the all-important files are readily recoverable.</p> <p>For backing up files and directories, I personally use <a href="http://obnam.org/">obnam</a>, after playing around with <a href="http://www.bacula.org/">Bacula</a> and <a href="https://attic-backup.org/">attic</a>. Bacula is meant more for large, distributed environments (although I also tend to use obnam for my server infrastructure) and was too complex for my taste. 
The choice between obnam and attic is even more a matter of personal preference.</p>
Sven Vermeulen | Wed, 05 Aug 2015 22:35:00 +0200 | tag:blog.siphos.be,2015-08-05:/2015/08/my-application-base-obnam/
Category: Free-Software | Tags: mab, backup, obnam

Don't confuse SELinux with its policy
https://blog.siphos.be/2015/08/dont-confuse-selinux-with-its-policy/
<p>With the increased attention that SELinux is getting thanks to its inclusion in recent <a href="https://source.android.com/devices/tech/security/selinux/">Android</a> releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators are still disabling SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.</p>
Sven Vermeulen | Mon, 03 Aug 2015 01:49:00 +0200 | tag:blog.siphos.be,2015-08-03:/2015/08/dont-confuse-selinux-with-its-policy/
Category: SELinux | Tags: selinux, policy, cil

Switching to Pelican
https://blog.siphos.be/2015/08/switching-to-pelican/
<p>Nothing beats a few hours of flying to get things moving on stuff. Being offline for a few hours with a good workstation helps to not be disturbed by external actions (air pockets notwithstanding).</p>
<p>Early this year, I expressed my <a href="http://blog.siphos.be/2015/03/trying-out-pelican-part-one/">intentions to move to Pelican</a> from WordPress. I wasn't actually unhappy with WordPress, but the security concerns I had were a bit too much for a blog as simple as mine.
Running a PHP-enabled site with a database for something that I can easily handle through a static site, well, I had to try.</p>
Sven Vermeulen | Sun, 02 Aug 2015 04:09:00 +0200 | tag:blog.siphos.be,2015-08-02:/2015/08/switching-to-pelican/
Category: Free-Software | Tags: blog, pelican, wordpress

Loading CIL modules directly
https://blog.siphos.be/2015/07/loading-cil-modules-directly/
<p>In a <a href="http://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/">previous post</a> I used the <code>secilc</code> binary to load an additional test policy. Little did I know (and that's actually embarrassing because it was one of the things I complained about) that you can just use the CIL policy as modules directly.</p>
<p>With this I mean that a …</p>
Sven Vermeulen | Wed, 15 Jul 2015 15:54:00 +0200 | tag:blog.siphos.be,2015-07-15:/2015/07/loading-cil-modules-directly/
Category: SELinux | Tags: cil, selinux

Restricting even root access to a folder
https://blog.siphos.be/2015/07/restricting-even-root-access-to-a-folder/
<p>In a <a href="http://blog.siphos.be/2014/01/private-key-handling-and-selinux-protection/comment-page-1/#comment-143323">comment</a> Robert asked how to use SELinux to prevent even root access to a directory. The trivial solution would be not to assign an administrative role to the root account (which is definitely possible, but you want some way to gain administrative access otherwise ;-)</p>
<p>Restricting root is one of the commonly cited features of a MAC (Mandatory Access Control) system. With a well-designed user management and sudo environment, it is fairly trivial - but if you need to start from the premise that a user has direct root access, it requires some thought to implement it correctly.
The main "issue" is not that it is difficult to implement policy-wise, but that most users will start from a pre-existing policy (such as the reference policy) and build on top of that.</p>
Sven Vermeulen | Sat, 11 Jul 2015 14:09:00 +0200 | tag:blog.siphos.be,2015-07-11:/2015/07/restricting-even-root-access-to-a-folder/
Category: SELinux

Intermediate policies
https://blog.siphos.be/2015/07/intermediate-policies/
<p>When developing SELinux policies for new software (or existing ones whose policies I don't agree with) it is often more difficult to finish the policies so that they are broadly usable. When dealing with personal policies, having them "just work" is often sufficient. To make the policies reusable for distributions (or for the upstream project), a number of things are necessary:</p>
<ul>
<li>Try structuring the policy using the style suggested by refpolicy or Gentoo</li>
<li>Add the role interfaces that are most likely to be used or required, or which the current draft implements differently</li>
<li>Refactor some of the policies to use refpolicy/Gentoo style interfaces</li>
<li>Remove the comments from the policies (as refpolicy does not want overly verbose policies)</li>
<li>Change or update the file context definitions for default installations (rather than the custom installations I use)</li>
</ul>
Sven Vermeulen | Sun, 05 Jul 2015 18:17:00 +0200 | tag:blog.siphos.be,2015-07-05:/2015/07/intermediate-policies/
Category: SELinux | Tags: community, contributions, policy-development, selinux

Where does CIL play in the SELinux system?
https://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/
<p>SELinux policy developers already have a number of file formats to work with. Currently, policy code is written in a set of three files:</p>
<ul>
<li>The <code>.te</code> file contains the SELinux policy code (type enforcement rules)</li>
<li>The <code>.if</code> file contains functions which turn a set of arguments into blocks of SELinux policy code (interfaces).
These functions are called by other interface files or type enforcement files</li>
<li>The <code>.fc</code> file contains mappings of file path expressions to labels (file contexts)</li>
</ul>
<p>These files are compiled into loadable modules (or a base module) which are then transformed into an active policy. But this is not a single-step approach.</p>
Sven Vermeulen | Sat, 13 Jun 2015 23:12:00 +0200 | tag:blog.siphos.be,2015-06-13:/2015/06/where-does-cil-play-in-the-selinux-system/
Category: SELinux | Tags: cil, selinux, userspace

Live SELinux userspace ebuilds
https://blog.siphos.be/2015/06/live-selinux-userspace-ebuilds/
<p>In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the <a href="https://github.com/SELinuxProject/selinux">SELinux userspace</a> so that developers and contributors can already work with in-progress code developments and see how they work on a Gentoo platform.</p>
Sven Vermeulen | Wed, 10 Jun 2015 20:07:00 +0200 | tag:blog.siphos.be,2015-06-10:/2015/06/live-selinux-userspace-ebuilds/
Category: Gentoo | Tags: cil, Gentoo, selinux, userspace

PostgreSQL with central authentication and authorization
https://blog.siphos.be/2015/05/postgresql-with-central-authentication-and-authorization/
<p>I have been running a PostgreSQL cluster for a while as the primary backend for many services. The database system is very robust, well supported by the community and very powerful.
In this post, I'm going to show how I use central authentication and authorization with PostgreSQL.</p>
Sven Vermeulen | Mon, 25 May 2015 12:07:00 +0200 | tag:blog.siphos.be,2015-05-25:/2015/05/postgresql-with-central-authentication-and-authorization/
Category: Free-Software | Tags: postgresql

Testing with permissive domains
https://blog.siphos.be/2015/05/testing-with-permissive-domains/
<p>When testing out new technologies or new setups, not having (proper) SELinux policies can be a nuisance. Not only is the number of SELinux policies that are available through the standard repositories limited, some of these policies are not even written with the same level of confinement that an administrator might expect. Or perhaps the technology to be tested is used in a completely different manner.</p>
<p>Without proper policies, any attempt to start such a daemon or application might or will cause permission violations. In many cases, developers or users then tend to disable SELinux enforcement so that they can continue playing with the new technology. And why not?
After all, policy development is to be done <em>after</em> the technology is understood.</p>
Sven Vermeulen | Mon, 18 May 2015 13:40:00 +0200 | tag:blog.siphos.be,2015-05-18:/2015/05/testing-with-permissive-domains/
Category: SELinux | Tags: permissive, policy, selinux, semanage, test

Audit buffering and rate limiting
https://blog.siphos.be/2015/05/audit-buffering-and-rate-limiting/
<p>Be it because of SELinux experiments, or through general audit experiments, sometimes you'll run into a message similar to the following:</p>
<div class="highlight"><pre><code>audit: audit_backlog=321 &gt; audit_backlog_limit=320
audit: audit_lost=44395 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded
</code></pre></div>
<p>The message shows up when certain audit events could not be …</p>
Sven Vermeulen | Sun, 10 May 2015 14:18:00 +0200 | tag:blog.siphos.be,2015-05-10:/2015/05/audit-buffering-and-rate-limiting/
Category: Free-Software | Tags: audit, kernel, security, selinux

Use change management when you are using SELinux to its fullest
https://blog.siphos.be/2015/04/use-change-management-when-you-are-using-selinux-to-its-fullest/
<p>If you are using SELinux on production systems (by which I mean systems that you offer services with towards customers or other parties beyond you, yourself and your ego), please consider proper change management if you don't already. SELinux is a very sensitive security subsystem - not in the sense …</p>
Sven Vermeulen | Thu, 30 Apr 2015 20:58:00 +0200 | tag:blog.siphos.be,2015-04-30:/2015/04/use-change-management-when-you-are-using-selinux-to-its-fullest/
Category: SELinux | Tags: change-management, policy, selinux

Moving closer to 2.4 stabilization
https://blog.siphos.be/2015/04/moving-closer-to-2-4-stabilization/
<p>The <a href="https://github.com/SELinuxProject/selinux/wiki">SELinux userspace</a> project released version 2.4 in February this year, after release candidates had been tested for half a year.
After its release, we at the <a href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Hardened</a> project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …</p>
Sven Vermeulen | Mon, 27 Apr 2015 19:18:00 +0200 | tag:blog.siphos.be,2015-04-27:/2015/04/moving-closer-to-2-4-stabilization/
Category: Gentoo | Tags: 2.4, Gentoo, hardened, selinux, userspace

Trying out Pelican, part one
https://blog.siphos.be/2015/03/trying-out-pelican-part-one/
<p>One of the goals I've set myself to do this year (not as a new year resolution though, I <em>really</em> want to accomplish this ;-) is to move my blog from WordPress to a statically built website. And <a href="http://docs.getpelican.com/en/3.5.0/">Pelican</a> looks to be a good solution to do so. It's based on …</p>
Sven Vermeulen | Fri, 06 Mar 2015 20:02:00 +0100 | tag:blog.siphos.be,2015-03-06:/2015/03/trying-out-pelican-part-one/
Category: Gentoo | Tags: blog, Gentoo, haskell, pandoc, pelican, wordpress

CIL and attributes
https://blog.siphos.be/2015/02/cil-and-attributes/
<p>I keep on struggling to remember this, so let's make a blog post out of it ;-)</p>
<p>When the SELinux policy is being built, recent userspace (2.4 and higher) will convert the policy into the CIL language, and then build the binary policy. When the policy supports type attributes, these are …</p>
Sven Vermeulen | Sun, 15 Feb 2015 15:49:00 +0100 | tag:blog.siphos.be,2015-02-15:/2015/02/cil-and-attributes/
Category: SELinux | Tags: attribute, cil, selinux

Have dhcpcd wait before backgrounding
https://blog.siphos.be/2015/02/have-dhcpcd-wait-before-backgrounding/
<p>Many of my systems use DHCP for obtaining IP addresses. Even though they all receive a static IP address, it allows me to have them moved over (migrations), use TFTP boot, cloning (in case of quick testing), etc. But one of the things that was making my efforts somewhat more …</p>
Sven Vermeulen | Sun, 08 Feb 2015 16:50:00 +0100 | tag:blog.siphos.be,2015-02-08:/2015/02/have-dhcpcd-wait-before-backgrounding/
Category: Gentoo | Tags: dhcp, dhcpcd, Gentoo

Old Gentoo system?
Not a problem...
https://blog.siphos.be/2015/01/old-gentoo-system-not-a-problem/
<p>If you have a very old Gentoo system that you want to upgrade, you might have some issues with software that is too old and a Portage that can't just upgrade to a recent state. Although many methods exist to work around it, one that I have found to be very useful is …</p>
Sven Vermeulen | Wed, 21 Jan 2015 23:05:00 +0100 | tag:blog.siphos.be,2015-01-21:/2015/01/old-gentoo-system-not-a-problem/
Category: Gentoo | Tags: Gentoo, portage, snapshot, tree

SELinux is great for enterprises (but many don't know it yet)
https://blog.siphos.be/2015/01/selinux-is-great-for-enterprises-but-many-dont-know-it-yet/
<p>Large companies that handle their own IT often have internal support teams for many of the technologies that they use. Most of the time, this is for reusable components like database technologies, web application servers, operating systems, middleware components (like file transfers, messaging infrastructure, ...) and more. All components that are …</p>
Sven Vermeulen | Sat, 03 Jan 2015 13:36:00 +0100 | tag:blog.siphos.be,2015-01-03:/2015/01/selinux-is-great-for-enterprises-but-many-dont-know-it-yet/
Category: SELinux | Tags: companies, configuration, engineering, enterprise, selinux

Gentoo Wiki is growing
https://blog.siphos.be/2015/01/gentoo-wiki-is-growing/
<p>Perhaps it is because of the winter holidays, but in the last few weeks I've noticed a lot of updates and edits on the Gentoo wiki.</p>
<p>The move to the <a href="https://wiki.gentoo.org/wiki/Project:Website/Tyrian">Tyrian</a> layout, whose purpose is to eventually become the unified layout for all Gentoo resources, happened first.
Then, three common templates (<code>Code …</code></p>
Sven Vermeulen | Sat, 03 Jan 2015 10:09:00 +0100 | tag:blog.siphos.be,2015-01-03:/2015/01/gentoo-wiki-is-growing/
Category: Documentation | Tags: documentation, Gentoo, wiki

Why does it access /etc/shadow?
https://blog.siphos.be/2014/12/why-does-it-access-etcshadow/
<p>While updating the SELinux policy for the Courier IMAP daemon, I noticed that it (well, the authdaemon that is part of Courier) wanted to access <code>/etc/shadow</code>, which is of course a big no-no. It doesn't take long to know that this is through the PAM support (more specifically, <code>pam_unix …</code></p>
Sven Vermeulen | Tue, 30 Dec 2014 22:48:00 +0100 | tag:blog.siphos.be,2014-12-30:/2014/12/why-does-it-access-etcshadow/
Category: SELinux | Tags: chkpwd, pam, selinux, shadow, unix_chkpwd

Added UEFI instructions to AMD64/x86 handbooks
https://blog.siphos.be/2014/12/added-uefi-instructions-to-amd64x86-handbooks/
<p>I just finished adding some UEFI instructions to the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">Gentoo handbooks</a> for AMD64 and x86 (I don't know how many systems are still using x86 instead of the AMD64 one, and whether those support UEFI, but the instructions are shared and they don't collide).
The entire EFI stuff can …</p>
Sven Vermeulen | Tue, 23 Dec 2014 18:08:00 +0100 | tag:blog.siphos.be,2014-12-23:/2014/12/added-uefi-instructions-to-amd64x86-handbooks/
Category: Documentation | Tags: efi, Gentoo, handbook, uefi

Handbooks moved
https://blog.siphos.be/2014/12/handbooks-moved/
<p>Yesterday the move of the Gentoo handbooks (whose most important part is the installation instructions for the various supported architectures) to the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">Gentoo Wiki</a> was concluded, with a last-minute addition being the <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page#Viewing_the_handbook">one-page views</a> so that users who want to can view the installation instructions completely within one view …</p>
Sven Vermeulen | Sun, 14 Dec 2014 14:42:00 +0100 | tag:blog.siphos.be,2014-12-14:/2014/12/handbooks-moved/
Category: Documentation | Tags: Gentoo, handbook, wiki

Gentoo Handbooks almost moved to wiki
https://blog.siphos.be/2014/12/gentoo-handbooks-almost-moved-to-wiki/
<p>Content-wise, the move is done. I've done a few checks on the content to see if the structure still holds, translations are enabled on all pages, the use of partitions is sufficiently consistent for each architecture, and so on. The result can be seen on <a href="https://wiki.gentoo.org/wiki/Handbook:Main_Page">the Gentoo handbook main page …</a></p>
Sven Vermeulen | Fri, 12 Dec 2014 17:35:00 +0100 | tag:blog.siphos.be,2014-12-12:/2014/12/gentoo-handbooks-almost-moved-to-wiki/
Category: Gentoo | Tags: Gentoo, handbook, wiki

Sometimes I forget how important communication is
https://blog.siphos.be/2014/12/sometimes-i-forget-how-important-communication-is/
<p>Free software (and documentation) developers don't always have all the time they want. Instead, they grab whatever time they have to do what they believe is the most productive - be it documentation editing, programming, updating ebuilds, SELinux policy improvements and what not.
But they often don't take the time to …</p>
Sven Vermeulen | Wed, 10 Dec 2014 20:38:00 +0100 | tag:blog.siphos.be,2014-12-10:/2014/12/sometimes-i-forget-how-important-communication-is/
Category: Gentoo | Tags: communication, developer, Gentoo, selinux, time

No more DEPENDs for SELinux policy package dependencies
https://blog.siphos.be/2014/11/no-more-depends-for-selinux-policy-package-dependencies/
<p>I just finished updating 102 packages. The change? Removing the following from the ebuilds:</p>
<div class="highlight"><pre><code>DEPEND=&quot;selinux? ( sec-policy/selinux-${packagename} )&quot;
</code></pre></div>
<p>In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …</p>
Sven Vermeulen | Sun, 02 Nov 2014 14:51:00 +0100 | tag:blog.siphos.be,2014-11-02:/2014/11/no-more-depends-for-selinux-policy-package-dependencies/
Category: Gentoo | Tags: DEPEND, ebuild, Gentoo, RDEPEND, selinux

Using multiple priorities with modules
https://blog.siphos.be/2014/10/using-multiple-priorities-with-modules/
<p>One of the new features of the 2.4 SELinux userspace is support for module priorities. The idea is that distributions and administrators can override a (pre)loaded SELinux policy module with another module without removing the previous module. This lower-version module will remain in the store, but will not …</p>
Sven Vermeulen | Fri, 31 Oct 2014 18:24:00 +0100 | tag:blog.siphos.be,2014-10-31:/2014/10/using-multiple-priorities-with-modules/
Category: SELinux | Tags: priorities, priority, selinux, semodule

Migrating to SELinux userspace 2.4 (small warning for users)
https://blog.siphos.be/2014/10/migrating-to-selinux-userspace-2-4-small-warning-for-users/
<p>In a few moments, SELinux users who have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now).
This upgrade comes with a manual step that needs to be performed …</p>
Sven Vermeulen | Thu, 30 Oct 2014 19:44:00 +0100 | tag:blog.siphos.be,2014-10-30:/2014/10/migrating-to-selinux-userspace-2-4-small-warning-for-users/
Category: Gentoo | Tags: cil, Gentoo, migrate, selinux, semanage, upgrade, userspace

Lots of new challenges ahead
https://blog.siphos.be/2014/10/lots-of-new-challenges-ahead/
<p>I've been pretty busy lately, albeit behind the corners, which leads to a lower activity within the free software communities that I'm active in. Still, I'm not planning any exit, on the contrary. Lots of ideas are just waiting for some free time to engage. So what are the challenges …</p>
Sven Vermeulen | Sun, 19 Oct 2014 16:01:00 +0200 | tag:blog.siphos.be,2014-10-19:/2014/10/lots-of-new-challenges-ahead/
Category: Misc

After SELinux System Administration, now the SELinux Cookbook
https://blog.siphos.be/2014/09/after-selinux-system-administration-now-the-selinux-cookbook/
<p>Almost an entire year ago (just a few days apart) I <a href="http://blog.siphos.be/2013/09/it-has-finally-arrived-selinux-system-administration/">announced</a> my first published book, called <a href="https://www.packtpub.com/networking-and-servers/selinux-system-administration">SELinux System Administration</a>. The book covers SELinux administration commands and focuses on Linux administrators that need to interact with SELinux-enabled systems.</p>
<p>An important part of SELinux was only covered very briefly in the …</p>
Sven Vermeulen | Wed, 24 Sep 2014 20:10:00 +0200 | tag:blog.siphos.be,2014-09-24:/2014/09/after-selinux-system-administration-now-the-selinux-cookbook/
Category: SELinux

Showing return code in PS1
https://blog.siphos.be/2014/08/showing-return-code-in-ps1/
<p>If you do daily management on Unix/Linux systems, then checking the return code of a command is something you'll do often.
If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing …</p>
Sven Vermeulen | Sun, 31 Aug 2014 01:14:00 +0200 | tag:blog.siphos.be,2014-08-31:/2014/08/showing-return-code-in-ps1/
Category: Gentoo | Tags: bash, ps1, rc, shell

Gentoo Hardened august meeting
https://blog.siphos.be/2014/08/gentoo-hardened-august-meeting/
<p>Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.</p>
<p><em>Lead elections</em></p>
<p>The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)</p>
<p><em>Toolchain</em></p>
<p>blueness (Anthony G …</p>
Sven Vermeulen | Fri, 29 Aug 2014 16:43:00 +0200 | tag:blog.siphos.be,2014-08-29:/2014/08/gentoo-hardened-august-meeting/
Category: Gentoo | Tags: Gentoo, hardened, irc, meeting