Simplicity is a form of art...

Sustainability in IT

Sven Vermeulen — Sun, 25 Sep 2022 13:00:00 +0200

For one of the projects I'm currently involved in, we want to have a better view on sustainability within IT and see what we (IT) can contribute in light of the sustainability strategy of the company. For IT infrastructure, one would think that selecting more power-efficient infrastructure is the way to go, as well as selecting products whose manufacturing process takes special attention to sustainability.

There are other areas to consider as well, though. Reusability of IT infrastructure and optimal resource consumption are at least two other attention points that deserve plenty of attention. But let's start at the manufacturing process...

Certifications for products and companies

Eco certifications are a good start in the selection process. By selecting products with the right certification, companies can initiate their sustainable IT strategy with a good start. Such certifications look at the product and manufacturing, and see if they use proper materials, create products that can have extended lifetimes in the circular (reuse) economy, ensure the manufacturing processes use renewable energy and do not have harmful emissions, safeguard clean water, etc.

In the preliminary phase I am right now, I do not know yet which certifications make most sense to pursue and request. Sustainability is becoming big business, so plenty of certifications exist as well. From a cursory search, I'd reckon that the following certifications are worth more time:

EcoVadis provides business sustainability ratings that not only cover the ecological aspect, but also social and ethical performance.
ISO 14001 covers environmental management, looking at organizations' processes and systematic improvements contributing to sustainability.
Carbon Neutral focus on transparency in measurements and disclosure of emissions, and how the company is progressing in their strategy to reduce the impact on the environment.
TCO Certified attempts to address all stages of a manufacturing process, from material selection over social responsibility and hazardous substances up to electronic waste and circular economy.
Energy Star focuses on energy efficiency, and tries to use standardized methods for scoring appliances (including computers and servers).

Power efficiency

A second obvious part is on power efficiency. Especially in data center environments, which is the area that I'm interested in, power efficiency also influences the data center's capability of providing sufficient cooling to the servers and appliances. Roughly speaking, a 500 Watt server generates twice as much heat as a 250 Watt server. Now, that's oversimplifying, but for calculating heat dissipation in a data center, the maximum power of infrastructure is generally used for the calculations.

Now, we could start looking for servers with lower power consumption. But a 250 Watt server is most likely going to be less powerful (computing-wise) than a 500 Watt server. Hence, power efficiency should be considered in line with the purpose of the server, and thus also the workloads that it would have to process.

We can use benchmarks, like SPEC's CPU 2017 or SPEC's Cloud IaaS 2018 benchmarks, to compare the performance of systems. Knowing the server's performance for given workloads and the power consumption, allows architects to optimize the infrastructure.

Heat management (and more) in the data center

A large consumer of power in a data center environment are the environmental controls, with the cooling systems taking a big chunk out of the total power consumption. Optimizing the heat management in the data center has a significant impact on the power consumption. Such optimizations are not solely about reducing the electricity bill, but also about reusing the latent heat for other purposes. For instance, data center heat can be used to heat up nearby buildings.

A working group of the European Commission, the European Energy Efficiency Platform (E3P), publishes an annual set of best practices in the EU Code of Conduct on Data Center Energy Efficiency which covers areas such as airflow design patterns, operating temperature and humidity ranges, power management features in servers and appliances, infrastructure design aspects (like virtualization and appropriate, but no over-engineered redundancy), etc.

This practice goes much beyond the heat management alone (and is worth a complete read), covering the complete data center offering. Combining these practices with other areas of data center design (such as redundancy levels, covered by data center tiering) allows for companies that are looking at new data centers to overhaul their infrastructure and be much better prepared for sustainable IT.

Circular ecosystem

Another part that often comes up in sustainability measures is how reusable the infrastructure components are after their "first life". Infrastructure systems, which frequently renew after 4 to 5 years of activity, can be resold rather than destroyed. The same can be said for individual components.

Companies that deal with sensitive data regularly employ "Do Not Return" clauses in the purchases of storage devices. Disks are not returned if they are faulty, or just swapped for higher density disks. Instead, they are routinely destroyed to make sure no data leakage occurs.

Instead of destroying otherwise perfect disks (or disks that still have reusable components) companies could either opt for degaussing (which still renders the disk unusable, but has better recyclability than destroyed disks) or data wiping (generally through certified methods that guarantee the data cannot be retrieved).

Extended lifecycle

Systems are often working perfectly beyond their 4 to 5 year lifespans. Still, these systems are process-wise automatically renewed to get more efficient and powerful systems in place. But that might not always be necessary - beyond even the circular ecosystem remarks above (where such systems could be resold), these systems can even get extended lifecycle within the company.

If there is no need for a more powerful system, and the efficiency of the system is still high (or the efficiency can be improved through minor updates), companies can seek out ways to prolong the use of the systems. In previous projects, I advised that big data nodes can perfectly remain inside the cluster after their regular lifetime, as the platform software (Hadoop) can easily cope with failures if those would occur.

Systems can also be used to host non-production environments or support lab environments. Or they can be refurbished to ensure maximal efficiency while still being used in production. Microsoft for instance has a program called Microsoft Circular Centers which aims at a zero-waste sustainability within the data center, through reuse, repurpose and recycling.

Right-sizing the infrastructure

Right-sizing is to select and design infrastructure to deal with the workload, but not more. Having a set of systems at full capacity is better than having twice as many systems at half capacity, as this leads to power inefficiencies.

To accomplish right-sizing isn't as easy as selecting the right server for a particular workload. Workload is distributed, and systems are virtualized. Virtualization allows for much better right-sizing as you can distribute workload more optimally.

Companies with large amounts of systems can more efficiently distribute workload across their systems, making it easier to have a good consumption pattern. Smaller companies will notice that they need to design for the burst and maximum usage, whereas the average usage is far, far below that threshold.

Using cloud resources can help to deal with bursts and higher demand, while still having resources on-premise to deal with the regular workload. Such hybrid designs, however, can be complex, so make sure to address this with the right profiles (yes, I'm making a stand for architects here ;-)

Standardizing your infrastructure also makes this easier to accomplish. If the vast majority of servers are of the same architecture, and you standardize on as few operating systems, programming languages and what not, you can more easily distribute workload than when these systems have different architectures and purposes.

Automated workload and power management

Large environments will regularly have servers and infrastructure that is not continuously used at near full capacity. Workloads are frequently following a certain curve, such as higher demand during the day and lower at night. Larger platforms use this curve to schedule appropriate workload (like running heavy batch workload at night while keeping the systems available for operational workload during the day) so that the resources are more optimally used.

By addressing workload management and aligning power management, companies can improve their power usage by reducing active systems when there are less resource needs. This can be done gradually, such as putting CPUs in lower power modes (CPU power takes roughly 30% of a system's total power usage), but can expand to complete hosts being put in idle state.

We can even make designs where servers are shut down when unused. While this is frequently frowned upon, citing possible impact on hardware failures as well as reduced reactivity to sudden workload demand, proper shutdown techniques do offer significant power savings (as per a research article titled Quantifying the Impact of Shutdown Techniques for Energy-Efficient Data Centers).

Conclusion

Sustainability within IT focuses on several improvements and requirements. Certification helps in finding and addressing these, but this is not critical in any company's strategy. Companies can address sustainability easily without certification, but with proper attention and design.

Feedback? Comments? Don't hesitate to drop me an email, or join the discussion on Twitter.

Getting lost in the frameworks

Sven Vermeulen — Fri, 26 Aug 2022 13:00:00 +0200

The IT world is littered with frameworks, best practices, reference architectures and more. In an ever-lasting attempt to standardize IT, we often get lost in too many standards or specifications. For consultants, this is a gold-mine, as they jump in to support companies - for a fee, naturally - in adopting one or more of these frameworks or specifications.

While having references and specifications isn't a bad thing, there are always pros and cons.

Containers are the new IaaS

Sven Vermeulen — Sat, 21 May 2022 13:00:00 +0200

At work, as with many other companies, we're actively investing in new platforms, including container platforms and public cloud. We use Kubernetes based container platforms both on-premise and in the cloud, but are also very adamant that the container platforms should only be used for application workload that is correctly designed for cloud-native deployments: we do not want to see vendors packaging full operating systems in a container and then shouting they are now container-ready.

Defining what an IT asset is

Sven Vermeulen — Sun, 13 Feb 2022 13:00:00 +0100

One of the main IT processes that a company should strive to have in place is a decent IT asset management system. It facilitates knowing what assets you own, where they are, who the owner is, and provides a foundation for numerous other IT processes.

However, when asking "what is an IT asset", it gets kind off fuzzy...

An IT conceptual data model

Sven Vermeulen — Mon, 17 Jan 2022 10:00:00 +0100

This time a much shorter post, as I've been asked to share this information recently and found that it, by itself, is already useful enough to publish. It is a conceptual data model for IT services.

Ownership and responsibilities for infrastructure services

Sven Vermeulen — Thu, 13 Jan 2022 09:00:00 +0100

In a perfect world, using infrastructure or technology services would be seamless, without impact, without risks. It would auto-update, tailor to the user needs, detect when new features are necessary, adapt, etc. But while this is undoubtedly what vendors are saying their product delivers, the truth is way, waaaay different.

Managing infrastructure services implies that the company or organization needs to organize itself to deal with all aspects of supporting a service. What are these aspects? Well, let's go through those that are top-of-mind for me...

The pleasures of having DTAP

Sven Vermeulen — Thu, 30 Dec 2021 12:00:00 +0100

No, not Diphtheria, Tetanus, and Pertussis (vaccine), but Development, Test, Acceptance, and Production (DTAP): different environments that, together with a well-working release management process, provide a way to get higher quality and reduced risks in production. DTAP is an important cornerstone for a larger infrastructure architecture as it provides environments that are tailored to the needs of many stakeholders.

Creating an enterprise open source policy

Sven Vermeulen — Sat, 20 Nov 2021 15:00:00 +0100

Nowadays it is impossible to ignore, or even prevent open source from being active within the enterprise world. Even if a company only wants to use commercially backed solutions, many - if not most - of these are built with, and are using open source software.

However, open source is more than just a code sourcing possibility. By having a good statement within the company on how it wants to deal with open source, what it wants to support, etc. engineers and developers can have a better understanding of what they can do to support their business further.

In many cases, companies will draft up an open source policy, and in this post I want to share some practices I've learned on how to draft such a policy.

Hybrid cloud can be very complex

Sven Vermeulen — Mon, 08 Nov 2021 20:00:00 +0100

I am not an advocate for hybrid cloud architectures. Or at least, not the definition for hybrid cloud that assumes one (cloud or on premise) environment is just an extension of another (cloud or on premise) environment. While such architectures seem to be simple and fruitful - you can easily add some capacity in the other environment to handle burst load - they are a complex beast to tame.

Transparent encryption is not a silver bullet

Sven Vermeulen — Tue, 19 Oct 2021 08:20:00 +0200

Transparent encryption is relatively easy to implement, but without understanding what it actually means or why you are implementing it, you will probably make the assumption that this will prevent the data from being accessed by unauthorized users. Nothing can be further from the truth.

Evaluating the zero trust hype

Sven Vermeulen — Tue, 05 Oct 2021 00:00:00 +0200

Security vendors are touting the benefits of "zero trust" as the new way to approach security and security-conscious architecturing. But while there are principles within the zero trust mindset that came up in the last dozen years, most of the content in zero trust discussions is tied to age-old security propositions.

Scale is a cloud threat

Sven Vermeulen — Tue, 28 Sep 2021 17:00:00 +0200

Not that long ago, a vulnerability was found in Microsoft Azure Cosmos DB, a NoSQL SaaS database within the Microsoft Azure cloud. The vulnerability, which is dubbed ChaosDB by the Wiz Research Team, uses a vulnerability or misconfiguration in the Jupyter Notebook feature within Cosmos DB. This vulnerability allowed an attacker to gain access to other's Cosmos DB credentials. Not long thereafter, a second vulnerability dubbed OMIGOD showed that cloud security is not as simple as some vendors like you to believe.

These vulnerabilities are a good example of how scale is a cloud threat. Companies that do not have enough experience with public cloud might not assume this in their threat models.

Naming conventions

Sven Vermeulen — Wed, 15 Sep 2021 19:00:00 +0200

Naming conventions. Picking the right naming convention is easy if you are all by yourself, but hard when you need to agree upon the conventions in a larger group. Everybody has an opinion on naming conventions, and once you decide on it, you do expect everybody to follow through on it.

Let's consider why naming conventions are (not) important and consider a few examples to help in creating a good naming convention yourself.

Location view of infrastructure

Sven Vermeulen — Tue, 07 Sep 2021 18:00:00 +0200

In this last post on the infrastructure domain, I cover the fifth and final viewpoint that is important for an infrastructure domain representation, and that is the location view. As mentioned in previous posts, the viewpoints I think are most representative of the infrastructure domain are:

Like with the component view, the location view is a layered approach. While I initially wanted to call it the network view, "location" might be a broader term that matches the content better. Still, it's not a perfect name, but the name is less important than the content, not?

Process view of infrastructure

Sven Vermeulen — Wed, 01 Sep 2021 11:20:00 +0200

In my previous post, I started with the five different views that would support a good view of what infrastructure would be. I believe these views (component, location, process, service, and zoning) cover the breadth of the domain. The post also described the component view a bit more and linked to previous posts I made (one for services, another for zoning).

The one I want to tackle here is the most elaborate one, also the most enterprise-ish, and one that always is a balance on how much time and effort to put into it (as an architect), as well as hoping that the processes are sufficiently standardized in a flexible manner so that you don't need to cover everything again and again in each project.

So, let's talk about processes...

Component view of infrastructure

Sven Vermeulen — Fri, 27 Aug 2021 21:10:00 +0200

IT architects try to use views and viewpoints to convey the target architecture to the various stakeholders. Each stakeholder has their own interests in the architecture and wants to see their requirements fulfilled. A core role of the architect is to understand these requirements and make sure the requirements are met, and to balance all the different requirements.

Architecture languages or meta-models often put significant focus on these views. Archimate has a large annex on Example Viewpoints just for this purpose. However, unless the organization is widely accustomed to enterprise architecture views, it is unlikely that the views themselves are the final product: being able to translate those views into pretty slides and presentations is still an important task for architects when they need to present their findings to non-architecture roles.

Disaster recovery in the public cloud

Sven Vermeulen — Fri, 30 Jul 2021 20:00:00 +0200

The public cloud is a different beast than an on-premise environment, and that also reflects itself on how we (should) look at the processes that are actively steering infrastructure designs and architecture. One of these is the business continuity, severe incident handling, and the hopefully-never-to-occur disaster recovery. When building up procedures for handling disasters (DRP = Disaster Recovery Procedure or Disaster Recover Planning), it is important to keep in mind what these are about.

What is the infrastructure domain?

Sven Vermeulen — Mon, 19 Jul 2021 15:20:00 +0200

In my job as domain architect for "infrastructure", I often come across stakeholders that have no common understanding of what infrastructure means in an enterprise architecture. Since then, I am trying to figure out a way to easily explain it - to find a common, generic view on what infrastructure entails. If successful, I could use this common view to provide context on the many, many IT projects that are going around.

Organizing service documentation

Sven Vermeulen — Thu, 08 Jul 2021 09:20:00 +0200

As I mentioned in An IT services overview I try to keep track of the architecture and designs of the IT services and solutions in a way that I feel helps me keep in touch with all the various services and solutions out there. Similar to how system administrators try to find a balance while working on documentation (which is often considered a chore) and using a structure that is sufficiently simple and standard for the organization to benefit from, architects should try to keep track of architecturally relevant information as well.

So in this post, I'm going to explain a bit more on how I approach documenting service and solution insights for architectural relevance.

Not sure if TOSCA will grow further

Sven Vermeulen — Wed, 30 Jun 2021 14:30:00 +0200

TOSCA is an OASIS open standard, and is an abbreviation for Topology and Orchestration Specification for Cloud Applications. It provides a domain-specific language to describe how an application should be deployed in the cloud (the topology), which and how many resources it needs, as well as tasks to run when certain events occur (the orchestration). When I initially came across this standard, I was (and still am) interested in how far this goes. The promise of declaring an application (and even bundling the necessary application artefacts) within a single asset and then using this asset to deploy on whatever cloud is very appealing to an architect. Especially in organizations that have a multi-cloud strategy.

Integrating or customizing SaaS within your own cloud environment

Sven Vermeulen — Wed, 23 Jun 2021 15:10:00 +0200

Software as a Service (SaaS) solutions are often a quick way to get new capabilities into an organization’s portfolio. Smaller SaaS solutions are simple, web-based solutions which barely integrate with the organization’s other solutions, besides the identity and access management (which is often handled by federated authentication).

More complex or intermediate solutions require more integration focus, and a whole new market of Integration Platform as a Service (iPaaS) solutions came up to facilitate cross-cloud integrations. But even without the iPaaS offerings, integrations are often a mandatory part to leverage the benefits of the newly activated SaaS solution.

In this post I want to bring some thoughts on the integrations that might be needed to support customizing a SaaS solution.

An IT services overview

Sven Vermeulen — Mon, 14 Jun 2021 17:30:00 +0200

My current role within the company I work for is “domain architect”, part of the enterprise architects teams. The domain I am accountable for is “infrastructure”, which can be seen as a very broad one. Now, I’ve been maintaining an overview of our IT services before I reached that role, mainly from an elaborate interest in the subject, as well as to optimize my efficiency further.

Becoming a domain architect allows me to use the insights I’ve since gathered to try and give appropriate advice, but also now requires me to maintain a domain architecture. This structure is going to be the starting point of it, although it is not the true all and end all of what I would consider a domain architecture.

The three additional layers in the OSI model

Sven Vermeulen — Wed, 09 Jun 2021 11:10:00 +0200

At my workplace, I jokingly refer to the three extra layers on top of the OSI network model as a way to describe the difficulties of discussions or cases. These three additional layers are Financial Layer, Politics Layer and Religion Layer, and the idea is that the higher up you go, the more challenging discussions will be.

Virtualization vs abstraction

Sven Vermeulen — Thu, 03 Jun 2021 10:10:00 +0200

When an organization has an extensively large, and heterogeneous infrastructure, infrastructure architects will attempt to make itless complex and chaotic by introducing and maintaining a certain degree of standardization. While many might consider standardization as a rationalization (standardizing on a single database technology, single vendor for hardware, etc.), rationalization is only one of the many ways in which standards can simplify such a degree of complexity.

In this post, I'd like to point out two other, very common ways to standardize the IT environment, without really considering a rationalization: abstraction and virtualization.

SELinux System Administration 3rd Edition

Sven Vermeulen — Wed, 06 Jan 2021 20:00:00 +0100

As I mentioned previously, recently my latest installment of "SELinux System Administration" has been released by Packt Publishing. This is already the third edition of the book, after the first (2013) and second (2016) editions have gotten reasonable success given the technical and often hard nature of full SELinux administration.

Like with the previous editions, this book remains true to the public of system administrators, rather than SELinux policy developers. Of course, SELinux policy development is not ignored in the book.

Abstracting infrastructure complexity

Sven Vermeulen — Fri, 25 Dec 2020 23:00:00 +0100

IT is complex. Some even consider it to be more magic than reality. And with the ongoing evolutions and inventions, the complexity is not really going away. Sure, some IT areas are becoming easier to understand, but that is often offset with new areas being explored.

Companies and organizations that have a sizeable IT footprint generally see an increase in their infrastructure, regardless of how many rationalization initiatives that are started. Personally, I find it challenging, in a fun way, to keep up with the onslaught of new technologies and services that are onboarded in the infrastructure landscape that I'm responsible for.

But just understanding a technology isn't enough to deal with its position in the larger environment.

Working on infra strategy

Sven Vermeulen — Sun, 04 Oct 2020 13:20:00 +0200

After a long hiatus, I'm ready to take up blogging again on my public blog. With my day job becoming more intensive and my side-job taking the remainder of the time, I've since quit my work on the Gentoo project. I am in process of releasing a new edition of the SELinux System Administration book, so I'll probably discuss that more later.

Today, I want to write about a task I had to do this year as brand new domain architect for infrastructure.

cvechecker 3.9 released

Sven Vermeulen — Sun, 09 Sep 2018 13:20:00 +0200

Thanks to updates from Vignesh Jayaraman, Anton Hillebrand and Rolf Eike Beer, a new release of cvechecker is now made available.

This new release (v3.9) is a bugfix release.

Automating compliance checks

Sven Vermeulen — Sat, 03 Mar 2018 13:20:00 +0100

With the configuration baseline for a technical service being described fully (see the first, second and third post in this series), it is time to consider the validation of the settings in an automated manner. The preferred method for this is to use Open Vulnerability and Assessment Language (OVAL), which is nowadays managed by the Center for Internet Security, abbreviated as CISecurity. Previously, OVAL was maintained and managed by Mitre under NIST supervision, and Google searches will often still point to the old sites. However, documentation is now maintained on CISecurity's github repositories.

But I digress...

Documenting a rule

Sven Vermeulen — Wed, 24 Jan 2018 20:40:00 +0100

In the first post I talked about why configuration documentation is important. In the second post I looked into a good structure for configuration documentation of a technological service, and ended with an XCCDF template in which this documentation can be structured.

The next step is to document the rules themselves, i.e. the actual content of a configuration baseline.

Structuring a configuration baseline

Sven Vermeulen — Wed, 17 Jan 2018 09:10:00 +0100

A good configuration baseline has a readable structure that allows all stakeholders to quickly see if the baseline is complete, as well as find a particular setting regardless of the technology. In this blog post, I'll cover a possible structure of the baseline which attempts to be sufficiently complete and technology agnostic.

If you haven't read the blog post on documenting configuration changes, it might be a good idea to do so as it declares the scope of configuration baselines and why I think XCCDF is a good match for this.

Documenting configuration changes

Sven Vermeulen — Sun, 07 Jan 2018 21:20:00 +0100

IT teams are continuously under pressure to set up and maintain infrastructure services quickly, efficiently and securely. As an infrastructure architect, my main concerns are related to the manageability of these services and the secure setup. And within those realms, a properly documented configuration setup is in my opinion very crucial.

In this blog post series, I'm going to look into using the Extensible Configuration Checklist Description Format (XCCDF) as the way to document these. This first post is an introduction to XCCDF functionally, and what I position it for.

SELinux and extended permissions

Sven Vermeulen — Mon, 20 Nov 2017 17:00:00 +0100

One of the features present in the August release of the SELinux user space is its support for ioctl xperm rules in modular policies. In the past, this was only possible in monolithic ones (and CIL). Through this, allow rules can be extended to not only cover source (domain) and target (resource) identifiers, but also a specific number on which it applies. And ioctl's are the first (and currently only) permission on which this is implemented.

Note that ioctl-level permission controls isn't a new feature by itself, but the fact that it can be used in modular policies is.

SELinux Userspace 2.7

Sven Vermeulen — Tue, 26 Sep 2017 14:50:00 +0200

A few days ago, Jason "perfinion" Zaman stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a few new features, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package in separate packages so that deployments can be made more specific.

Let's take a look at all the various userspace packages again, learn what their purpose is, so that you can decide if they're needed or not on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).

Authenticating with U2F

Sven Vermeulen — Mon, 11 Sep 2017 18:25:00 +0200

In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.

Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about the pam_u2f setup are indeed correct that it is fairly simple. For completeness sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.

Using nVidia with SELinux

Sven Vermeulen — Wed, 23 Aug 2017 19:04:00 +0200

Yesterday I've switched to the gentoo-sources kernel package on Gentoo Linux. And with that, I also attempted (succesfully) to use the propriatary nvidia drivers so that I can enjoy both a smoother 3D experience while playing minecraft, as well as use the CUDA support so I don't need to use cloud-based services for small exercises.

The move to nvidia was quite simple, as the nvidia-drivers wiki article on the Gentoo wiki was quite easy to follow.

Switch to Gentoo sources

Sven Vermeulen — Tue, 22 Aug 2017 19:04:00 +0200

You've might already read it on the Gentoo news site, the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made due to supportability and maintainability reasons.

That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.

Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).

Project prioritization

Sven Vermeulen — Tue, 18 Jul 2017 20:40:00 +0200

_{This is a long read, skip to “Prioritizing the projects and changes” for the
approach details...}

Organizations and companies generally have an IT workload (dare I say, backlog?) which needs to be properly assessed, prioritized and taken up. Sometimes, the IT team(s) get an amount of budget and HR resources to "do their thing", while others need to continuously ask for approval to launch a new project or instantiate a change.

Sizeable organizations even require engineering and development effort on IT projects which are not readily available: specialized teams exist, but they are governance-wise assigned to projects. And as everyone thinks their project is the top-most priority one, many will be disappointed when they hear there are no resources available for their pet project.

So... how should organizations prioritize such projects?

Structuring infrastructural deployments

Sven Vermeulen — Wed, 07 Jun 2017 20:40:00 +0200

Many organizations struggle with the all-time increase in IP address allocation and the accompanying need for segmentation. In the past, governing the segments within the organization means keeping close control over the service deployments, firewall rules, etc.

Lately, the idea of micro-segmentation, supported through software-defined networking solutions, seems to defy the need for a segmentation governance. However, I think that that is a very short-sighted sales proposition. Even with micro-segmentation, or even pure point-to-point / peer2peer communication flow control, you'll still be needing a high level overview of the services within your scope.

In this blog post, I'll give some insights in how we are approaching this in the company I work for. In short, it starts with requirements gathering, creating labels to assign to deployments, creating groups based on one or two labels in a layered approach, and finally fixating the resulting schema and start mapping guidance documents (policies) toward the presented architecture.

Matching MD5 SSH fingerprint

Sven Vermeulen — Thu, 18 May 2017 18:20:00 +0200

Today I was attempting to update a local repository, when SSH complained about a changed fingerprint, something like the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:p4ZGs+YjsBAw26tn2a+HPkga1dPWWAWX+NEm4Cv4I9s.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:9
ECDSA host key for 192.168.56.101 has changed and you have requested strict checking.
Host key verification failed.

Switched to Lineage OS

Sven Vermeulen — Sun, 09 Apr 2017 16:40:00 +0200

I have been a long time user of Cyanogenmod, which discontinued its services end of 2016. Due to lack of (continuous) time, I was not able to switch over toward a different ROM. Also, I wasn't sure if LineageOS would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.

Today, I made my choice and installed LineageOS.

cvechecker 3.8 released

Sven Vermeulen — Mon, 27 Mar 2017 19:00:00 +0200

A new release is now available for the cvechecker application. This is a stupid yet important bugfix release: the 3.7 release saw all newly released CVEs as being already known, so it did not take them up to the database. As a result, systems would never check for the new CVEs.

Handling certificates in Gentoo Linux

Sven Vermeulen — Mon, 06 Mar 2017 22:20:00 +0100

I recently created a new article on the Gentoo Wiki titled Certificates which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle everything about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of both Chromium and Firefox separately, even though they both use NSS.

cvechecker 3.7 released

Sven Vermeulen — Thu, 02 Mar 2017 10:00:00 +0100

After a long time of getting too little attention from me, I decided to make a new cvechecker release. There are few changes in it, but I am planning on making a new release soon with lots of clean-ups.

I missed FOSDEM

Sven Vermeulen — Tue, 07 Feb 2017 17:06:00 +0100

I sadly had to miss out on the FOSDEM event. The entire weekend was filled with me being apathetic, feverish and overall zombie-like. Yes, sickness can be cruel. It wasn't until today that I had the energy back to fire up my laptop.

Sorry for the crew that I promised to meet at FOSDEM. I'll make it up, somehow.

SELinux System Administration, 2nd Edition

Sven Vermeulen — Thu, 22 Dec 2016 19:26:00 +0100

While still working on a few other projects, one of the time consumers of the past half year (haven't you noticed? my blog was quite silent) has come to an end: the SELinux System Administration - Second Edition book is now available. With almost double the amount of pages and a serious update of the content, the book can now be bought either through Packt Publishing itself, or the various online bookstores such as Amazon.

With the holidays now approaching, I hope to be able to execute a few tasks within the Gentoo community (and of the Gentoo Foundation) and get back on track. Luckily, my absence was not jeopardizing the state of SELinux in Gentoo thanks to the efforts of Jason Zaman.

GnuPG: private key suddenly missing?

Sven Vermeulen — Wed, 12 Oct 2016 18:56:00 +0200

After updating my workstation, I noticed that keychain reported that it could not load one of the GnuPG keys I passed it on.

 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 2167
 * Found existing gpg-agent: 2194
 * Warning: can't find 0xB7BD4B0DE76AC6A4; skipping
 * Known ssh key: /home/swift/.ssh/id_dsa
 * Known ssh key: /home/swift/.ssh/id_ed25519
 * Known gpg key: 0x22899E947878B0CE

I did not modify my key store at all, so what happened?

We do not ship SELinux sandbox

Sven Vermeulen — Tue, 27 Sep 2016 20:47:00 +0200

A few days ago a vulnerability was reported in the SELinux sandbox user space utility. The utility is part of the policycoreutils package. Luckily, Gentoo's sys-apps/policycoreutils package is not vulnerable - and not because we were clairvoyant about this issue, but because we don't ship this utility.

Mounting QEMU images

Sven Vermeulen — Mon, 26 Sep 2016 19:26:00 +0200

While working on the second edition of my first book, SELinux System Administration - Second Edition I had to test out a few commands on different Linux distributions to make sure that I don't create instructions that only work on Gentoo Linux. After all, as awesome as Gentoo might be, the Linux world is a bit bigger. So I downloaded a few live systems to run in Qemu/KVM.

Some of these systems however use cloud-init which, while interesting to use, is not set up on my system yet. And without support for cloud-init, how can I get access to the system?

Comparing Hadoop with mainframe

Sven Vermeulen — Wed, 15 Jun 2016 20:55:00 +0200

At my work, I have the pleasure of being involved in a big data project that uses Hadoop as the primary platform for several services. As an architect, I try to get to know the platform's capabilities, its potential use cases, its surrounding ecosystem, etc. And although the implementation at work is not in its final form (yay agile infrastructure releases) I do start to get a grasp of where we might be going.

For many analysts and architects, this Hadoop platform is a new kid on the block so I have some work explaining what it is and what it is capable of. Not for the fun of it, but to help the company make the right decisions, to support management and operations, to lift the fear of new environments. One thing I've once said is that "Hadoop is the poor man's mainframe", because I notice some high-level similarities between the two.

Template was specified incorrectly

Sven Vermeulen — Sun, 27 Mar 2016 13:32:00 +0200

After reorganizing my salt configuration, I received the following error:

[ERROR   ] Template was specified incorrectly: False

Enabling some debugging on the command gave me a slight pointer why this occurred:

[DEBUG   ] Could not find file from saltenv 'testing', u'salt://top.sls'
[DEBUG   ] No contents loaded for env: testing
[DEBUG   ] compile template: False
[ERROR   ] Template was specified incorrectly: False

I was using a single top file as recommended by Salt, but apparently it was still looking for top files in the other environments.

Yet, if I split the top files across the environments, I got the following warning:

[WARNING ] Top file merge strategy set to 'merge' and multiple top files found. Top file merging order is undefined; for better results use 'same' option

So what's all this about?

Using salt-ssh with agent forwarding

Sven Vermeulen — Sat, 26 Mar 2016 19:57:00 +0100

Part of a system's security is to reduce the attack surface. Following this principle, I want to see if I can switch from using regular salt minions for a saltstack managed system set towards salt-ssh. This would allow to do some system management over SSH instead of ZeroMQ.

I'm not confident yet that this is a solid approach to take (as performance is also important, which is greatly reduced with salt-ssh), and the security exposure of the salt minions over ZeroMQ is also not that insecure (especially not when a local firewall ensures that only connections from the salt master are allowed). But playing doesn't hurt.

Trying out imapsync

Sven Vermeulen — Sun, 13 Mar 2016 12:57:00 +0100

Recently, I had to migrate mail boxes for a couple of users from one mail provider to another. Both mail providers used IMAP, so I looked into IMAP related synchronization methods. I quickly found the imapsync application, also supported through Gentoo's repository.

New cvechecker release

Sven Vermeulen — Sat, 07 Nov 2015 11:07:00 +0100

A short while ago I got the notification that pulling new CVE information was no longer possible. The reason was that the NVD site did not support uncompressed downloads anymore. The fix for cvechecker was simple, and it also gave me a reason to push out a new release (after two years) which also includes various updates by Christopher Warner.

So cvechecker 3.6 is now available for general consumption.

Switching focus at work

Sven Vermeulen — Sun, 20 Sep 2015 13:29:00 +0200

Since 2010, I was at work responsible for the infrastructure architecture of a couple of technological domains, namely databases and scheduling/workload automation. It brought me in contact with many vendors, many technologies and most importantly, many teams within the organization. The focus domain was challenging, as I had to deal with the strategy on how the organization, which is a financial institution, will deal with databases and scheduling in the long term.

Getting su to work in init scripts

Sven Vermeulen — Mon, 14 Sep 2015 16:37:00 +0200

While developing an init script which has to switch user, I got a couple of errors from SELinux and the system itself:

~# rc-service hadoop-namenode format
Authenticating root.
 * Formatting HDFS ...
su: Authentication service cannot retrieve authentication info
(Ignored)

Custom CIL SELinux policies in Gentoo

Sven Vermeulen — Thu, 10 Sep 2015 07:13:00 +0200

In Gentoo, we have been supporting custom policy packages for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages as default (although binary packages are supported as well).

A recent commit now also allows CIL files to be used.

Using multiple OpenSSH daemons

Sven Vermeulen — Sun, 06 Sep 2015 16:37:00 +0200

I administer a couple of systems which provide interactive access by end users, and for this interactive access I position OpenSSH. However, I also use this for administrative access to the system, and I tend to have harder security requirements for OpenSSH than most users do.

For instance, on one system, end users with a userid + password use the sFTP server for publishing static websites. Other access is prohibited, so I really like this OpenSSH configuration to use chrooted users, internal sftp support, whereas a different OpenSSH is used for administrative access (which is only accessible by myself and some trusted parties).

Maintaining packages and backporting

Sven Vermeulen — Wed, 02 Sep 2015 20:33:00 +0200

A few days ago I committed a small update to policycoreutils, a SELinux related package that provides most of the management utilities for SELinux systems. The fix was to get two patches (which are committed upstream) into the existing release so that our users can benefit from the fixed issues without having to wait for a new release.

Doing away with interfaces

Sven Vermeulen — Sat, 29 Aug 2015 11:30:00 +0200

CIL is SELinux' Common Intermediate Language, which brings on a whole new set of possibilities with policy development. I hardly know CIL but am (slowly) learning. Of course, the best way to learn is to try and do lots of things with it, but real-life work and time-to-market for now forces me to stick with the M4-based refpolicy one.

Still, I do try out some things here and there, and one of the things I wanted to look into was how CIL policies would deal with interfaces.

Slowly converting from GuideXML to HTML

Sven Vermeulen — Tue, 25 Aug 2015 11:30:00 +0200

Gentoo has removed its support of the older GuideXML format in favor of using the Gentoo Wiki and a new content management system for the main site (or is it static pages, I don't have the faintest idea to be honest). I do still have a few GuideXML pages in my development space, which I am going to move to HTML pretty soon.

In order to do so, I make use of the guidexml2wiki stylesheet I developed. But instead of migrating it to wiki syntax, I want to end with HTML.

Making the case for multi-instance support

Sven Vermeulen — Sat, 22 Aug 2015 12:45:00 +0200

With the high attention that technologies such as Docker, Rocket and the like get (I recommend to look at Bocker by Peter Wilmott as well ;-), I still find it important that technologies are well capable of supporting a multi-instance environment.

Being able to run multiple instances makes for great consolidation. The system can be optimized for the technology, access to the system limited to the admins of said technology while still providing isolation between instances. For some technologies, running on commodity hardware just doesn't cut it (not all software is written for such hardware platforms) and consolidation allows for reducing (hardware/licensing) costs.

Switching OpenSSH to ed25519 keys

Sven Vermeulen — Wed, 19 Aug 2015 18:26:00 +0200

With Mike's news item on OpenSSH's deprecation of the DSA algorithm for the public key authentication, I started switching the few keys I still had using DSA to the suggested ED25519 algorithm. Of course, I wouldn't be a security-interested party if I did not do some additional investigation into the DSA versus Ed25519 discussion.

Updates on my Pelican adventure

Sven Vermeulen — Sun, 16 Aug 2015 19:50:00 +0200

It's been a few weeks that I switched my blog to Pelican, a static site generator build with Python. A number of adjustments have been made since, which I'll happily talk about.

Finding a good compression utility

Sven Vermeulen — Thu, 13 Aug 2015 19:15:00 +0200

I recently came across a wiki page written by Herman Brule which gives a quick benchmark on a couple of compression methods / algorithms. It gave me the idea of writing a quick script that tests out a wide number of compression utilities available in Gentoo (usually through the app-arch category), with also a number of options (in case multiple options are possible).

Why we do confine Firefox

Sven Vermeulen — Tue, 11 Aug 2015 19:18:00 +0200

If you're a bit following the SELinux development community you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox. He should've asked why the reference policy or Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've mentioned before, not the same as its policy.

In effect, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt to do this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.

Can SELinux substitute DAC?

Sven Vermeulen — Sun, 09 Aug 2015 14:48:00 +0200

A nice twitter discussion with Erling Hellenäs caught my full attention later when I was heading home: Can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not and what would be needed?

SELinux is implemented through the Linux Security Modules framework which allows for different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through additional access checks. This criteria was made to have LSM be as minimally invasive as possible.

Filtering network access per application

Sven Vermeulen — Fri, 07 Aug 2015 03:49:00 +0200

Iptables (and the successor nftables) is a powerful packet filtering system in the Linux kernel, able to create advanced firewall capabilities. One of the features that it cannot provide is per-application filtering. Together with SELinux however, it is possible to implement this on a per domain basis.

SELinux does not know applications, but it knows domains. If we ensure that each application runs in its own domain, then we can leverage the firewall capabilities with SELinux to only allow those domains access that we need.

My application base: Obnam

Sven Vermeulen — Wed, 05 Aug 2015 22:35:00 +0200

It is often said, yet too often forgotten: taking backups (and verifying that they work). Taking backups is not purely for companies and organizations. Individuals should also take backups to ensure that, in case of errors or calamities, the all important files are readily recoverable.

For backing up files and directories, I personally use obnam, after playing around with Bacula and attic. Bacula is more meant for large distributed environments (although I also tend to use obnam for my server infrastructure) and was too complex for my taste. The choice between obnam and attic is even more personally-oriented.

Don't confuse SELinux with its policy

Sven Vermeulen — Mon, 03 Aug 2015 01:49:00 +0200

With the increased attention that SELinux is getting thanks to its inclusion in recent Android releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators are still disabling SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.

Switching to Pelican

Sven Vermeulen — Sun, 02 Aug 2015 04:09:00 +0200

Nothing beats a few hours of flying to get things moving on stuff. Being offline for a few hours with a good workstation helps to not be disturbed by external actions (air pockets notwithstanding).

Early this year, I expressed my intentions to move to Pelican from WordPress. I wasn't actually unhappy with WordPress, but the security concerns I had were a bit too much for blog as simple as mine. Running a PHP-enabled site with a database for something that I can easily handle through a static site, well, I had to try.

Loading CIL modules directly

Sven Vermeulen — Wed, 15 Jul 2015 15:54:00 +0200

In a previous post I used the secilc binary to load an additional test policy. Little did I know (and that's actually embarrassing because it was one of the things I complained about) that you can just use the CIL policy as modules directly.

With this I mean that a …

Restricting even root access to a folder

Sven Vermeulen — Sat, 11 Jul 2015 14:09:00 +0200

In a comment Robert asked how to use SELinux to prevent even root access to a directory. The trivial solution would be not to assign an administrative role to the root account (which is definitely possible, but you want some way to gain administrative access otherwise ;-)

Restricting root is one of the commonly referred features of a MAC (Mandatory Access Control) system. With a well designed user management and sudo environment, it is fairly trivial - but if you need to start from the premise that a user has direct root access, it requires some thought to implement it correctly. The main "issue" is not that it is difficult to implement policy-wise, but that most users will start from a pre-existing policy (such as the reference policy) and build on top of that.

Intermediate policies

Sven Vermeulen — Sun, 05 Jul 2015 18:17:00 +0200

When developing SELinux policies for new software (or existing ones whose policies I don't agree with) it is often more difficult to finish the policies so that they are broadly usable. When dealing with personal policies, having them "just work" is often sufficient. To make the policies reusable for distributions (or for the upstream project), a number of things are necessary:

Try structuring the policy using the style as suggested by refpolicy or Gentoo
Add the role interfaces that are most likely to be used or required, or which are in the current draft implemented differently
Refactor some of the policies to use refpolicy/Gentoo style interfaces
Remove the comments from the policies (as refpolicy does not want too verbose policies)
Change or update the file context definitions for default installations (rather than the custom installations I use)

Where does CIL play in the SELinux system?

Sven Vermeulen — Sat, 13 Jun 2015 23:12:00 +0200

SELinux policy developers already have a number of file formats to work with. Currently, policy code is written in a set of three files:

The .te file contains the SELinux policy code (type enforcement rules)
The .if file contains functions which turn a set of arguments into blocks of SELinux policy code (interfaces). These functions are called by other interface files or type enforcement files
The .fc file contains mappings of file path expressions towards labels (file contexts)

These files are compiled into loadable modules (or a base module) which are then transformed to an active policy. But this is not a single-step approach.

Live SELinux userspace ebuilds

Sven Vermeulen — Wed, 10 Jun 2015 20:07:00 +0200

In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the SELinux userspace so that developers and contributors can already work with in-progress code developments as well as see how they work on a Gentoo platform.

PostgreSQL with central authentication and authorization

Sven Vermeulen — Mon, 25 May 2015 12:07:00 +0200

I have been running a PostgreSQL cluster for a while as the primary backend for many services. The database system is very robust, well supported by the community and very powerful. In this post, I'm going to show how I use central authentication and authorization with PostgreSQL.

Testing with permissive domains

Sven Vermeulen — Mon, 18 May 2015 13:40:00 +0200

When testing out new technologies or new setups, not having (proper) SELinux policies can be a nuisance. Not only are the number of SELinux policies that are available through the standard repositories limited, some of these policies are not even written with the same level of confinement that an administrator might expect. Or perhaps the technology to be tested is used in a completely different manner.

Without proper policies, any attempt to start such a daemon or application might or will cause permission violations. In many cases, developers or users tend to disable SELinux enforcing then so that they can continue playing with the new technology. And why not? After all, policy development is to be done after the technology is understood.

Audit buffering and rate limiting

Sven Vermeulen — Sun, 10 May 2015 14:18:00 +0200

Be it because of SELinux experiments, or through general audit experiments, sometimes you'll get in touch with a message similar to the following:

audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=44395 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded

The message shows …

Use change management when you are using SELinux to its fullest

Sven Vermeulen — Thu, 30 Apr 2015 20:58:00 +0200

If you are using SELinux on production systems (with which I mean systems that you offer services with towards customers or other parties beyond you, yourself and your ego), please consider proper change management if you don't do already. SELinux is a very sensitive security subsystem - not in the sense …

Moving closer to 2.4 stabilization

Sven Vermeulen — Mon, 27 Apr 2015 19:18:00 +0200

The SELinux userspace project has released version 2.4 in february this year, after release candidates have been tested for half a year. After its release, we at the Gentoo Hardened project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …

Trying out Pelican, part one

Sven Vermeulen — Fri, 06 Mar 2015 20:02:00 +0100

One of the goals I've set myself to do this year (not as a new year resolution though, I *really* want to accomplish this ;-) is to move my blog from Wordpress to a statically built website. And Pelican looks to be a good solution to do so. It's based on …

CIL and attributes

Sven Vermeulen — Sun, 15 Feb 2015 15:49:00 +0100

I keep on struggling to remember this, so let's make a blog post out of it ;-)

When the SELinux policy is being built, recent userspace (2.4 and higher) will convert the policy into CIL language, and then build the binary policy. When the policy supports type attributes, these are …

Have dhcpcd wait before backgrounding

Sven Vermeulen — Sun, 08 Feb 2015 16:50:00 +0100

Many of my systems use DHCP for obtaining IP addresses. Even though they all receive a static IP address, it allows me to have them moved over (migrations), use TFTP boot, cloning (in case of quick testing), etc. But one of the things that was making my efforts somewhat more …

Old Gentoo system? Not a problem...

Sven Vermeulen — Wed, 21 Jan 2015 23:05:00 +0100

If you have a very old Gentoo system that you want to upgrade, you might have some issues with too old software and Portage which can't just upgrade to a recent state. Although many methods exist to work around it, one that I have found to be very useful is …

SELinux is great for enterprises (but many don't know it yet)

Sven Vermeulen — Sat, 03 Jan 2015 13:36:00 +0100

Large companies that handle their own IT often have internal support teams for many of the technologies that they use. Most of the time, this is for reusable components like database technologies, web application servers, operating systems, middleware components (like file transfers, messaging infrastructure, ...) and more. All components that are …

Gentoo Wiki is growing

Sven Vermeulen — Sat, 03 Jan 2015 10:09:00 +0100

Perhaps it is because of the winter holidays, but the last weeks I've noticed a lot of updates and edits on the Gentoo wiki.

The move to the Tyrian layout, whose purpose is to eventually become the unified layout for all Gentoo resources, happened first. Then, three common templates (Code …

Why does it access /etc/shadow?

Sven Vermeulen — Tue, 30 Dec 2014 22:48:00 +0100

While updating the SELinux policy for the Courier IMAP daemon, I noticed that it (well, the authdaemon that is part of Courier) wanted to access /etc/shadow, which is of course a big no-no. It doesn't take long to know that this is through the PAM support (more specifically, pam …

Added UEFI instructions to AMD64/x86 handbooks

Sven Vermeulen — Tue, 23 Dec 2014 18:08:00 +0100

I just finished up adding some UEFI instructions to the Gentoo handbooks for AMD64 and x86 (I don't know how many systems are still using x86 instead of the AMD64 one, and if those support UEFI, but the instructions are shared and they don't collide). The entire EFI stuff can …

Handbooks moved

Sven Vermeulen — Sun, 14 Dec 2014 14:42:00 +0100

Yesterday the move of the Gentoo Wiki for the Gentoo handbooks (whose most important part are the installation instructions for the various supported architectures) has been concluded, with a last-minute addition being the one-page views so that users who want to can view the installation instructions completely within one view …

Gentoo Handbooks almost moved to wiki

Sven Vermeulen — Fri, 12 Dec 2014 17:35:00 +0100

Content-wise, the move is done. I've done a few checks on the content to see if the structure still holds, translations are enabled on all pages, the use of partitions is sufficiently consistent for each architecture, and so on. The result can be seen on the gentoo handbook main page …

Sometimes I forget how important communication is

Sven Vermeulen — Wed, 10 Dec 2014 20:38:00 +0100

Free software (and documentation) developers don't always have all the time they want. Instead, they grab whatever time they have to do what they believe is the most productive - be it documentation editing, programming, updating ebuilds, SELinux policy improvements and what not. But they often don't take the time to …

No more DEPENDs for SELinux policy package dependencies

Sven Vermeulen — Sun, 02 Nov 2014 14:51:00 +0100

I just finished updating 102 packages. The change? Removing the following from the ebuilds:

DEPEND="selinux? ( sec-policy/selinux-${packagename} )"

In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …

Using multiple priorities with modules

Sven Vermeulen — Fri, 31 Oct 2014 18:24:00 +0100

One of the new features of the 2.4 SELinux userspace is support for module priorities. The idea is that distributions and administrators can override a (pre)loaded SELinux policy module with another module without removing the previous module. This lower-version module will remain in the store, but will not …

Migrating to SELinux userspace 2.4 (small warning for users)

Sven Vermeulen — Thu, 30 Oct 2014 19:44:00 +0100

In a few moments, SELinux users which have the \~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed …

Lots of new challenges ahead

Sven Vermeulen — Sun, 19 Oct 2014 16:01:00 +0200

I've been pretty busy lately, albeit behind the corners, which leads to a lower activity within the free software communities that I'm active in. Still, I'm not planning any exit, on the contrary. Lots of ideas are just waiting for some free time to engage. So what are the challenges …

After SELinux System Administration, now the SELinux Cookbook

Sven Vermeulen — Wed, 24 Sep 2014 20:10:00 +0200

Almost an entire year ago (just a few days apart) I announced my first published book, called SELinux System Administration. The book covered SELinux administration commands and focuses on Linux administrators that need to interact with SELinux-enabled systems.

An important part of SELinux was only covered very briefly in the …

Showing return code in PS1

Sven Vermeulen — Sun, 31 Aug 2014 01:14:00 +0200

If you do daily management on Unix/Linux systems, then checking the return code of a command is something you'll do often. If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing …

Gentoo Hardened august meeting

Sven Vermeulen — Fri, 29 Aug 2014 16:43:00 +0200

Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.

Lead elections

The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)

Toolchain

blueness (Anthony G …

Switching to new laptop

Sven Vermeulen — Tue, 19 Aug 2014 22:11:00 +0200

I'm slowly but surely starting to switch to a new laptop. The old one hasn't completely died (yet) but given that I had to force its CPU frequency at the lowest Hz or the CPU would burn (and the system suddenly shut down due to heat issues), and that the …

Some changes under the hood

Sven Vermeulen — Sat, 09 Aug 2014 21:45:00 +0200

In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.

First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is \~arch). These have a few updates (mergers from upstream), and r5 also …

Gentoo Hardened July meeting

Sven Vermeulen — Fri, 01 Aug 2014 21:48:00 +0200

I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.

Toolchain

GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …

Segmentation fault when emerging packages after libpcre upgrade?

Sven Vermeulen — Wed, 09 Jul 2014 20:35:00 +0200

SELinux users might be facing failures when emerge is merging a package to the file system, with an error that looks like so:

>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault      /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8 …

Multilib in Gentoo

Sven Vermeulen — Wed, 02 Jul 2014 21:03:00 +0200

One of the areas in Gentoo that is seeing lots of active development is its ongoing effort to have proper multilib support throughout the tree. In the past, this support was provided through special emulation packages, but those have the (serious) downside that they are often outdated, sometimes even having …

D-Bus and SELinux

Sven Vermeulen — Mon, 30 Jun 2014 20:07:00 +0200

After a post about D-Bus comes the inevitable related post about SELinux with D-Bus.

Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which has the D-Bus behavior based on the SELinux policy (and might not necessarily honor the "permissive …

D-Bus, quick recap

Sven Vermeulen — Sun, 29 Jun 2014 19:16:00 +0200

I've never fully investigated the what and how of D-Bus. I know it is some sort of IPC, but higher level than the POSIX IPC methods. After some reading, I think I start to understand how it works and how administrators can work with it. So a quick write-down is …

Chroots for SELinux enabled applications

Sven Vermeulen — Sun, 22 Jun 2014 20:16:00 +0200

Today I had to prepare a chroot jail (thank you grsecurity for the neat additional chroot protection features) for a SELinux-enabled application. As a result, "just" making a chroot was insufficient: the application needed access to /sys/fs/selinux. Of course, granting access to /sys is not something I like …

Gentoo Hardened, June 2014

Sven Vermeulen — Sun, 15 Jun 2014 21:28:00 +0200

Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.

On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …

Visualizing constraints

Sven Vermeulen — Sat, 31 May 2014 03:47:00 +0200

SELinux constraints are an interesting way to implement specific, well, constraints on what SELinux allows. Most SELinux rules that users come in contact with are purely type oriented: allow something to do something against something. In fact, most of the SELinux rules applied on a system are such allow rules …

Revamped our SELinux documentation

Sven Vermeulen — Mon, 12 May 2014 22:15:00 +0200

In the move to the Gentoo wiki, I have updated and revamped most of our SELinux documentation. The end result can be seen through the main SELinux page. Most of the content is below this page (as subpages).

We start with a new introduction to SELinux article which goes over …

Dropping sesandbox support

Sven Vermeulen — Fri, 09 May 2014 21:03:00 +0200

A vulnerability in seunshare, part of policycoreutils, came to light recently (through bug 509896). The issue is within libcap-ng actually, but the specific situation in which the vulnerability can be exploited is only available in seunshare.

Now, seunshare is not built by default on Gentoo. You need to define USE …

Stepping through the build process with ebuild

Sven Vermeulen — Sun, 20 Apr 2014 11:59:00 +0200

Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don't use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …

If things are weird, check for policy.29

Sven Vermeulen — Thu, 17 Apr 2014 21:01:00 +0200

Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling audit2allow, informing us that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository …

What is that net-pf-## thingie?

Sven Vermeulen — Tue, 01 Apr 2014 19:46:00 +0200

When checking audit logs, you might come across applications that request loading of a net-pf-## module, with ## being an integer. Having requests for net-pf-10 is a more known cause (enable IPv6) but what about net-pf-34?

The answer can be found in /usr/src/linux/include/linux/socket.h:

#define AF …

Proof of concept for USE enabled policies

Sven Vermeulen — Mon, 31 Mar 2014 18:33:00 +0200

tl;dr: Some (-9999) policy ebuilds now have USE support for building in (or leaving out) SELinux policy statements.

One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …

Decoding the hex-coded path information in AVC denials

Sven Vermeulen — Sun, 30 Mar 2014 16:37:00 +0200

When investigating AVC denials, some denials show a path that isn't human readable, like so:

type=AVC msg=audit(1396189189.734:1913): avc:  denied  { execute } for  pid=17955 comm="emerge" path=2F7661722F666669737A69596157202864656C6574656429 dev="dm-3" ino=1838 scontext=staff_u:sysadm_r:portage_t tcontext=staff_u:object_r:var_t …

Managing Inter-Process Communication (IPC)

Sven Vermeulen — Sun, 30 Mar 2014 12:50:00 +0200

As a Linux administrator, you'll eventually need to concern you about Inter-Process Communication (IPC). The IPC primitives that most POSIX operating systems provide are semaphores, shared memory and message queues. On Linux, the first utility that helps you with those primitives is ipcs. Let's start with semaphores first.

Semaphores in …

Querying SELinux policy for boolean information

Sven Vermeulen — Fri, 28 Mar 2014 23:38:00 +0100

Within an SELinux policy, certain access vectors (permissions) can be conditionally granted based on the value of a SELinux boolean.

To find the list of SELinux booleans that are available on your system, you can use the getsebool -a method, or semanage boolean -l. The latter also displays the description …

Online hardened meeting of March

Sven Vermeulen — Thu, 27 Mar 2014 23:44:00 +0100

I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.

Toolchain

GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes …

Fixing the busybox build failure

Sven Vermeulen — Wed, 26 Mar 2014 14:18:00 +0100

Since a few months I have a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate /usr and LVM for everything except /boot):

* busybox: >> Compiling...
* ERROR: Failed to compile the "all" target...
* 
* -- Grepping log... --
* 
*           - busybox-1.7.4-signal-hack.patch …

Talk about SELinux on GSE Linux/Security

Sven Vermeulen — Tue, 25 Mar 2014 23:11:00 +0100

On today's GSE Linux / GSE Security meeting (in cooperation with IMUG) I gave a small (30 minutes) presentation about what SELinux is. The slides are online and cover two aspects of SELinux: some of its design principles, and then a set of features provided by SELinux. The talk is directed …

Create your own SELinux Gentoo profile

Sven Vermeulen — Mon, 24 Mar 2014 21:51:00 +0100

Or any other profile for that matter ;-)

A month or so ago we got the question how to enable SELinux on a Gentoo profile that doesn't have a <some profilename>/selinux equivalent. Because we don't create SELinux profiles for all possible profiles out there, having a way to do this …

Hidden symbols and dynamic linking

Sven Vermeulen — Mon, 24 Mar 2014 21:14:00 +0100

A few weeks ago, we introduced an error in the (\~arch) libselinux ebuild which caused the following stacktrace to occur every time the semanage command was invoked:

~ # semanage
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in 
    import seobject
  File "/usr/lib64/python2.7 …

Closing week? No, starting week...

Sven Vermeulen — Sun, 16 Mar 2014 21:36:00 +0100

I've been away for a while, and this week will (hopefully) be the last week of all the effort that is causing this. And that means I'll get back to blogging, documentation development, SELinux integration, SELinux policy development and more. To be honest, I'm eagerly awaiting this moment of getting …

Switching context depending on user code-wise

Sven Vermeulen — Sun, 12 Jan 2014 22:43:00 +0100

I blogged about how SELinux decides what the context should be for a particular Linux user; how it checks the default context(s) and tells the SELinux-aware application on what the new context should be. Let's look into the C code that does so, and how an application should behave …

Can Gentoo play a role in a RHEL-only environment?

Sven Vermeulen — Thu, 09 Jan 2014 04:13:00 +0100

Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not) how could or would Gentoo still play a role …

Linux protip: environment for a process

Sven Vermeulen — Tue, 07 Jan 2014 04:31:00 +0100

Just a quick pro-tip: if you need to know the environment variables for a process, you can see them in that process' /proc/${PID}/environ file. The file however shows the environment variables on one line, with a null character as separator. With a simple sed you can show it …

How does foo_t get this privilege?

Sven Vermeulen — Sun, 05 Jan 2014 04:14:00 +0100

Today a question was raised how the unprivileged user domain user_t was allowed to write to cgroup_t files. There is nothing obvious about that in the roles/unprivuser.te file, so what gives?

I used a simple script (which I've been using for a while already) called seshowtree …

Oh it is cron again...

Sven Vermeulen — Fri, 03 Jan 2014 21:05:00 +0100

Today I was pointed to the following error:

test fcron[6722]: fcron[6722] 3.1.2 started
test fcron[6722]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied
test fcron[6722]:  "at" reboot jobs will only be run at computer's startup.
test fcron[6722]: updating configuration from …

Private key handling and SELinux protection

Sven Vermeulen — Thu, 02 Jan 2014 04:00:00 +0100

In this post I'll give some insight in a possible SELinux policy for a script I wrote.

The script is a certificate authority handling script, in which I can generate a private key (and certificate assigned to it), sign the certificate either by itself (for the root CA key) or …

Limiting file access with SELinux alone?

Sven Vermeulen — Tue, 31 Dec 2013 21:18:00 +0100

While writing a small script to handle simple certificate authority activities using OpenSSL, I considered how to properly protect the files that OpenSSL uses for these activities. As you are probably aware, a system that hosts the necessary files for CA activities (like signing certificate requests) should be very secure …

Upgrading old Gentoo installations

Sven Vermeulen — Sun, 29 Dec 2013 14:18:00 +0100

Today I got "pinged" on bug #463240 about the difficulty of upgrading a Gentoo Linux deployment after a long time of inactivity on the system. We already have an Upgrading Gentoo article on the Gentoo wiki that describes in great detail how upgrades can be accomplished. But one of the …

Giving weights to compliance rules

Sven Vermeulen — Thu, 26 Dec 2013 04:13:00 +0100

Now that we wrote up a few OVAL statements and used those instead of SCE driven checks (where possible), let's finish up and go back to the XCCDF document and see how we can put weights in place.

The CVE (Common Vulnerability Exposure) standard allows for vulnerabilities to be given …

Doing a content check with OVAL

Sven Vermeulen — Tue, 24 Dec 2013 04:25:00 +0100

Let's create an OVAL check to see if /etc/inittab's single user definitions only refer to /sbin/sulogin or /sbin/rc single. First, the skeleton:

(XML content lost during blog conversion)

The first thing we notice is that there are several namespaces defined within OVAL. These namespaces refer to …

What is OVAL?

Sven Vermeulen — Sun, 22 Dec 2013 04:40:00 +0100

Time to discuss OVAL (Open Vulnerability Assessment Language). In all the previous posts I focused the checking of rules (does the system comply with the given rule) on scripts, through the Script Check Engine supported by openscap. The advantage of SCE is that most people can quickly provide automated checks …

December hardened meeting

Sven Vermeulen — Fri, 20 Dec 2013 10:20:00 +0100

Yesterday evening (UTC, that is) the members of the Gentoo Hardened project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.

Toolchain

A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.

And …

Remediation through SCAP

Sven Vermeulen — Fri, 20 Dec 2013 04:47:00 +0100

I promised in my previous post to give some information about remediation.

Remediation is the process where you fix a system to become compliant again after finding out there is a violation on the system. The easiest form of remediation of course is to just notify the administrator and give …

GPT or MBR in the Gentoo Handbook

Sven Vermeulen — Wed, 18 Dec 2013 12:25:00 +0100

I just committed a set of changes against the Gentoo Handbook (x86 and amd64) with the intent to have better instructions on GPT (GUID Partition Table) layout versus MBR (Master Boot Record) or MSDOS-style layout.

The part on "Preparing the Disks" saw the most changes. It starts with explaining the …

Running a bit with the XCCDF document

Sven Vermeulen — Wed, 18 Dec 2013 04:23:00 +0100

In my previous post I introduced automated checking of rules through SCE (Script Check Engine). Let's focus a bit more now on running with an XCCDF document: how to automatically check the system, read the results and find more information of those results.

To provide a usable example, you can …

Updated Linux Sea, now with viewport thingie

Sven Vermeulen — Mon, 16 Dec 2013 23:37:00 +0100

I just pushed out an update to Linux Sea (an online resource to introduce you to Linux, using Gentoo Linux as an example), including its PDF and ePub versions. The changes are pretty small (see its ChangeLog).

Together with the update, it now also includes a <meta name="viewport"...> so …

XCCDF - Documenting a bit more than just descriptions

Sven Vermeulen — Mon, 16 Dec 2013 04:58:00 +0100

In my previous post I made a skeleton XCCDF document. By now, we can create a well documented "baseline" (best practice) for our subject (say PostgreSQL). But for now I only talked about <description> whereas XCCDF allows many other tags as well.

You can add metadata information for a particular …

An XCCDF skeleton for PostgreSQL

Sven Vermeulen — Sat, 14 Dec 2013 04:00:00 +0100

In a previous post I wrote about the documentation structure I have in mind for a PostgreSQL security best practice. Considering what XCCDF can give us, the idea is to have the following structure:

Hardening PostgreSQL
+- Basic setup
+- Instance level configuration
|  +- Pre-startup configuration
|  `- PostgreSQL internal configuration
+- Database recommendations
`- User definitions …

Documenting security best practices - XCCDF introduction

Sven Vermeulen — Thu, 12 Dec 2013 16:04:00 +0100

When I have some free time, I try to work on a Gentoo Security Benchmark which not only documents security best practices (loosely based on the Gentoo Security Handbook which hasn't seen much updates in the last few years) but also uses the SCAP protocols. This set of protocols allows …

Gentoo SELinux policy release script

Sven Vermeulen — Wed, 11 Dec 2013 18:37:00 +0100

A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages. The script is on the repository itself, in the gentoo/ subdirectory, and is called release-prepare.sh.

The reason for the script is that there are a number of steps to perform …

November online hardened meeting

Sven Vermeulen — Wed, 11 Dec 2013 12:12:00 +0100

Later than usual, as I wasn't able to make the meeting myself (thus had to wait for the meeting logs in order to draft up this summary), so here it is. The next meeting is scheduled for next week, btw ;-)

Toolchain

The 4.8.2 ebuild for GCC is available …

Majority of GDP documents moved to Gentoo wiki

Sven Vermeulen — Tue, 10 Dec 2013 16:03:00 +0100

The majority of the English gentoo documents that resided in www.gentoo.org/doc/en have now been moved to the Gentoo Wiki. All those documents have been made available in the main namespace, meaning that non-developers can continue to contribute on those articles and guides, fully in the spirit …

New SELinux userspace release

Sven Vermeulen — Tue, 05 Nov 2013 00:06:00 +0100

Between now and an hour, Gentoo users using the \~arch branch will notice that new versions of the SELinux userspace applications are now available. Released on October 30th, they contain many bug fixes sent previously as well as a couple of interesting developments and enhancements (more work on sepolicy, for …

The mix of libffi with other changes

Sven Vermeulen — Sun, 03 Nov 2013 10:27:00 +0100

I once again came across libffi. Not only does the libffi approach fight with SELinux alone, it also triggers the TPE (Trusted Path Execution) protections in grSecurity. And when I tried to reinstall Portage, Portage seemed to create some sort of runtime environment in a temporary directory as well, and …

Gentoo Hardened meeting 201310

Sven Vermeulen — Thu, 24 Oct 2013 23:25:00 +0200

We gathered online again to talk about the progress, changes and other stuff related to the Gentoo Hardened project.

New Developer

We welcomed Zero_Chaos as a new addition to our team. Big welcome, with the usual IRC kick in between, ensued.

Toolchain

GCC 4.8.x is unmasked and …

In-browser encryption for online password management

Sven Vermeulen — Sun, 20 Oct 2013 21:29:00 +0200

Lately I've been trying to find a good free software project that uses PHP or cgi-bin (one of the requirements for this particular organization) that allows its users to store passwords centrally, but uses encryption on the browser level before the passwords are sent to the central server. I've found …

A bug please...

Sven Vermeulen — Mon, 30 Sep 2013 21:53:00 +0200

I know contacting me (or other developers) through IRC is often fast, but having a bug report on our bugzilla is very important to me and other developers. Allow me to explain a bit why.

First of all, IRC is ephemeral. If we are not immediately on IRC noticing it …

It has finally arrived: SELinux System Administration

Sven Vermeulen — Fri, 27 Sep 2013 15:10:00 +0200

Almost everyone has it - either physical or in their heads: a list of things you want to do or achieve before you... well, stop existing. Mine still has numerous things on it (I should get on it, I know) but one of the items on that list has recently been …

Aaaand we're back - hardened monthly meeting

Sven Vermeulen — Thu, 26 Sep 2013 22:22:00 +0200

It almost feels like we had our monthly online meeting just a week ago. Below a small write-up of the highlights. If you want to know the gory details, just wait a few hours/days until the IRC logs are sent out ;-) Now remember, the project does more than what …

Underestimated or underused: Portage (e)logging

Sven Vermeulen — Wed, 25 Sep 2013 10:09:00 +0200

Within 30 minutes of each other, two people on the #gentoo channel asked if Portage kept logs of the messages displayed during the build and installation of a package. Of course, the answer is a sounding "yes" - and depending on your needs, you can even save more of the logging …

Creating a poor man central SCAP system

Sven Vermeulen — Tue, 24 Sep 2013 13:35:00 +0200

A few weeks ago, I was asked to give some explanation about how SCAP content can be used in companies to improve their infrastructure knowledge. The focus back then was to look at benchmarks (secure states) and violations, but other functionality should not be ignored. I'm not going to talk …

Switching gpg key to 0x2EDD52403B68AF47

Sven Vermeulen — Thu, 19 Sep 2013 21:17:00 +0200

I recently switched my GnuPG key. The previous key - which is still in place for now (no revocation send out yet) - was 0x5DFAB3ECCDBA2FDB and was a 1024 bit DSA key. The new one, 0x2EDD52403B68AF47, is a 4096 bit RSA key. It also has the following preferences:

gpg> showpref
[ultimate] (1 …

cvechecker 3.3 released

Sven Vermeulen — Mon, 16 Sep 2013 16:06:00 +0200

I just uploaded a new release of cvechecker to the project files. The release is a (long overdue) bugfix release, but includes two small enhancements: support standard input for the binary list (so you can pipe the output of one command to cvechecker) and the introduction of the CVECHECKER_CONFFILE …

Gentoo Hardened progress report

Sven Vermeulen — Thu, 29 Aug 2013 20:27:00 +0200

Today, we had our monthly online meeting to discuss the progress amongst the various Gentoo Hardened projects. As usual, here is a small write-up.

Lead election

As every year, we also reviewed the current project leads. No surprises here, everybody is happy with the current leads so they are re-elected …

Umounting IPv6 NFS(v4) mounts

Sven Vermeulen — Fri, 23 Aug 2013 13:46:00 +0200

I had issues umounting my NFSv4 shares on an IPv6-only network. When trying to umount the share, it said that it couldn't find the mount in /proc/mounts:

~# umount /mnt/nfs/portage
/mnt/nfs/portage was not found in /proc/mounts

The solution: copy /proc/mounts to /etc/mtab, and …

Why our policies don't like emerge --config

Sven Vermeulen — Fri, 23 Aug 2013 11:53:00 +0200

One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages. For instance, for the dev-db/postgresql-server package we can call its pkg_config() phase to create the PostgreSQL instance and configure it so that the configuration of the database is …

Network routing based on SELinux?

Sven Vermeulen — Wed, 21 Aug 2013 19:43:00 +0200

Today we had a question on #selinux if it was possible to route traffic of a specific process using SELinux. The answer to this is "no", although it has to be explained a bit in more detail.

SELinux does not route traffic. SELinux is a local mandatory access control system …

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?

Sven Vermeulen — Fri, 16 Aug 2013 09:17:00 +0200

As you are probably aware, Gentoo uses the reference policy as its base for SELinux policies. Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use xdg_*_home_t customizable types to further restrict user application access has been sent up for …

Today was a productive day

Sven Vermeulen — Thu, 15 Aug 2013 20:58:00 +0200

Fixed 14 bugs today, with a few more pending (those for packages only get marked as FIXED if it is moved to the stable state). One of the changes is the GRUB2 support in the Gentoo Handbook (yes, finally, sorry about that). That opens up the road for the stabilization …

Some things sound more scary than they are

Sven Vermeulen — Thu, 15 Aug 2013 10:02:00 +0200

A few days ago I finally got to the next thing on my Want to do this year list: put a new android (Cyanogenmod) on my tablet, which was still running the stock Android - but hasn't seen any updates in more than a year. Considering the (in)security of Android …

And now, 31 days later...

Sven Vermeulen — Thu, 01 Aug 2013 22:43:00 +0200

... the Gentoo Hardened team had its monthly online meeting again ;-)

On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …

Putting OVAL at work

Sven Vermeulen — Thu, 01 Aug 2013 15:01:00 +0200

When we look at the SCAP security standards, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.

This is correct, but you need to remember that the standards are protocols, agreements that can be made …

Moving Gentoo docs to the wiki

Sven Vermeulen — Sun, 28 Jul 2013 11:22:00 +0200

Slowly but surely Gentoo documentation guides are being moved to the Gentoo Wiki. Thanks to the translation support provided by the infrastructure, all "reasons" not to go forward with this have been resolved. At first, I'm focusing on documentation with open bugs that have not been picked up (usually due …

Rebuilding SELinux contexts with sefcontext_compile

Sven Vermeulen — Mon, 08 Jul 2013 20:55:00 +0200

A recent update of libpcre caused the binary precompiled regular expression files of SELinux to become outdated (and even blatantly wrong). The details are in bug 471718 but that doesn't help the users that are already facing the problem, nor have we found a good place to put the fix …

Adding mcstrans to Gentoo

Sven Vermeulen — Sun, 07 Jul 2013 20:38:00 +0200

If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the mcs and mls policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …

Hardening is our business... new monthly report ;-)

Sven Vermeulen — Thu, 27 Jun 2013 23:03:00 +0200

We're back with another report on the Gentoo Hardened project. Please excuse my brevity, as you've noticed I'm not that active (yet) due to work on an external project - I'll be back mid-July though. I promise.

On the Toolchain side, GCC 4.8.1 is in the tree and has …

My application base: graphviz

Sven Vermeulen — Sun, 09 Jun 2013 03:50:00 +0200

Visualization of data is often needed in order to understand what the data means. When data needs to be visualized automatically, I often use the graphviz tools. Not that they are extremely pretty, but it works very well and is made to be automated.

Let me give a few examples …

My application base: LibreOffice

Sven Vermeulen — Sat, 08 Jun 2013 03:50:00 +0200

Of course, working with a Linux desktop eventually requires you to work with an office suite. Although I have used alternatives like AbiWord and Calligra in the past, and although I do think that Google Docs might eventually become powerful enough to use instead, I'm currently using LibreOffice.

The use …

My application base: firefox

Sven Vermeulen — Fri, 07 Jun 2013 03:50:00 +0200

Browsers are becoming application disclosure frameworks rather than the visualization tools they were in the past. More and more services, like the Draw.io one I discussed not that long ago, are using browsers are their client side while retaining the full capabilities of end clients (such as drag and …

My application base: bash and kiss tools

Sven Vermeulen — Thu, 06 Jun 2013 03:50:00 +0200

Okay, this just had to be here. I'm an automation guy - partially because of my job in which I'm responsible for the long-term strategy behind batch, scheduling and workload automation, but also because I believe proper automation makes life just that much easier. And for personal work, why not automate …

My application base: geekie

Sven Vermeulen — Wed, 05 Jun 2013 03:50:00 +0200

In the past, when I had to manage my images (pictures) I used GQview (which started back in 2008). But the application doesn't get many updates, and if an application does not get many updates, it either means it is no longer maintained or that it does its job perfectly …

My application base: freemind

Sven Vermeulen — Tue, 04 Jun 2013 03:50:00 +0200

Anyone who is even remotely busy with innovation will know what mindmaps are. They are a means to visualize information, ideas or tasks in whatever structure you like. By using graphical annotations the information is easier to look through, even when the mindmap becomes very large. In the commercial world …

My application base: draw.io

Sven Vermeulen — Mon, 03 Jun 2013 03:50:00 +0200

The next few weeks (months even) will be challenging my free time as I'm working on (too many) projects simultaneously (sadly, only a few of those are free software related, most are house renovations). But that shouldn't stop me from starting a new set of posts, being my application base …

Using extended attributes for custom information

Sven Vermeulen — Sun, 02 Jun 2013 03:50:00 +0200

One of the things I have been meaning to implement on my system is a way to properly "remove" old files from the system. Currently, I do this through frequently listing all files, going through them and deleting those I feel I no longer need (in any case, I can …

Hacking java bytecode with dhex

Sven Vermeulen — Sat, 01 Jun 2013 03:50:00 +0200

I found myself in a weird situation: a long long time ago, I wrote a java application that I didn't touch nor ran for a few years. Today, I found it on a backup and wanted to run it again (its a graphical application for generating HTML pages). However, it …

A SELinux policy for incron: finishing up

Sven Vermeulen — Fri, 31 May 2013 03:50:00 +0200

After 9 posts, it's time to wrap things up. You can review the final results online (incron.te, incron.if and incron.fc) and adapt to your own needs if you want. But we should also review what we have accomplished so far...

We built the start of an entire …

A SELinux policy for incron: using booleans

Sven Vermeulen — Thu, 30 May 2013 03:50:00 +0200

After using a default set of directories to watch, and allowing admins to mark other types as such as well, let's consider another approach for making the policy more flexible: booleans. The idea now is that a boolean called incron_notify_non_security_files enables incrond to be notified on …

A SELinux policy for incron: marking types eligible for watching

Sven Vermeulen — Wed, 29 May 2013 03:50:00 +0200

In the previous post we made incrond able to watch public_content_t and public_content_rw_t types. However, this is not scalable, so we might want to be able to update the policy more dynamically with additional types. To accomplish this, we will make types eligible for watching …

A SELinux policy for incron: default set

Sven Vermeulen — Tue, 28 May 2013 03:50:00 +0200

I finished the last post a bit with a cliffhanger as incrond is still not working properly, and we got a few denials that needed to be resolved; here they are again for your convenience:

type=AVC msg=audit(1368734110.912:28353): avc:  denied  { getattr } for  pid=9716 comm="incrond …

A SELinux policy for incron: the incrond daemon

Sven Vermeulen — Mon, 27 May 2013 03:50:00 +0200

With incrontab_t (hopefully) complete, let's look at the incrond_t domain. As this domain will also be used to execute the user (and system) commands provided through the incrontabs, we need to consider how we are going to deal with this wide range of possible permissions that it might …

A SELinux policy for incron: new types and transitions

Sven Vermeulen — Sun, 26 May 2013 03:50:00 +0200

So I've shown the iterative approach used to develop policies. Again, please be aware that this is my way of developing policies, other policy developers might have a different approach. We were working on the incrontab command, so let's continue with trying to create a new user incrontab:

$ incrontab -e …

A SELinux policy for incron: basic set for incrontab

Sven Vermeulen — Sat, 25 May 2013 03:50:00 +0200

Now that our regular user is allowed to execute incrontab, let's fire it up and look at the denials to build up the policy.

$ incrontab --help

That doesn't show much does it? Well, if you look into the audit.log (or avc.log) file, you'll notice a lot of denials …

A SELinux policy for incron: our first interface

Sven Vermeulen — Fri, 24 May 2013 03:50:00 +0200

The next step after having a basic skeleton is to get incrontab running. We know however that everything invoked from the main daemon will be running with the rights of the daemon context (unless we would patch the source code, but that is beyond the scope of this set of …

A SELinux policy for incron: the basic skeleton

Sven Vermeulen — Thu, 23 May 2013 03:50:00 +0200

So, in the previous post I talked about incron and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. So we're going to create our own policy for it.

In SELinux, policies are generally …

A SELinux policy for incron: what does it do?

Sven Vermeulen — Wed, 22 May 2013 03:50:00 +0200

In this series of posts, we'll go through the creation of a SELinux policy for incron, a simple inotify based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and give feedback when certain decisions are taken and why. At …

Why oh why does a process run in unlabeled_t?

Sven Vermeulen — Tue, 21 May 2013 03:50:00 +0200

If you notice that a process is running in the unlabeled_t domain, the first question to ask is how it got there.

Well, one way is to have a process running in a known domain, like screen_t, after which the SELinux policy module that provides this domain is …

A simple IPv6 setup

Sven Vermeulen — Mon, 20 May 2013 03:50:00 +0200

For internal communication between guests on my workstation, I use IPv6 which is set up using the Router Advertisement "feature" of IPv6. The tools I use are dnsmasq for DNS/DHCP and router advertisement support, and dhcpcd as client. It might be a total mess (grew almost organically until it …

The weird "audit_access" permission

Sven Vermeulen — Sun, 19 May 2013 03:50:00 +0200

While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the dac_override and dac_read_search capabilities, and when they are triggered. For the DAC-related capabilities, policy developers often notice that these capabilities …

Commandline SELinux policy helper functions

Sven Vermeulen — Sat, 18 May 2013 03:50:00 +0200

To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): seshowif, sefindif, seshowdef and sefinddef. The idea behind the methods is that I want to search (find) for an interface (if) or definition (def) that contains a particular method or …

Looking at the local Linux kernel privilege escalation

Sven Vermeulen — Fri, 17 May 2013 03:50:00 +0200

There has been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.

In …

Gentoo Hardened spring notes

Sven Vermeulen — Thu, 16 May 2013 22:54:00 +0200

We got back together on the #gentoo-hardened chat channel to discuss the progress of Gentoo Hardened, so it's time for another write-up of what was said.

Toolchain

GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting. There is a plugin …

Public support channels: irc

Sven Vermeulen — Thu, 16 May 2013 03:50:00 +0200

I've said it before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.

Consider the "Chat …

Overriding the default SELinux policies

Sven Vermeulen — Wed, 15 May 2013 03:50:00 +0200

Extending SELinux policies with additional rules is easy. As SELinux uses a deny by default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?

Well, sadly …

Highlevel assessment of Cdorked and Gentoo Hardened/SELinux

Sven Vermeulen — Tue, 14 May 2013 03:50:00 +0200

With all the reports surrounding Cdorked, I took a look at if SELinux and/or other Gentoo Hardened technologies could reduce the likelihood that this infection occurs on your system.

First of all, we don't know yet how the malware gets installed on the server. We do know that the …

SECMARK and SELinux

Sven Vermeulen — Mon, 13 May 2013 03:50:00 +0200

When using SECMARK, the administrator configures the iptables or netfilter rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic is completely locally defined. Consider the following command …

Peer labeling in SELinux policy

Sven Vermeulen — Sun, 12 May 2013 03:50:00 +0200

Allow me to start with an important warning: I don't have much hands-on experience with the remainder of this post. Its based on the few resources I found on the Internet and a few tests done locally which I've investigated in my attempt to understand SELinux policy writing for networking …

SELinux policy and network controls

Sven Vermeulen — Sat, 11 May 2013 03:50:00 +0200

Let's talk about how SELinux governs network streams (and how it reflects this into the policy).

When you don't do fancy stuff like SECMARK or netlabeling, then the classes that you should keep an eye on are tcp_socket and udp_socket (depending on the protocol). There used to be …

Gentoo metadata support for CPE

Sven Vermeulen — Fri, 10 May 2013 03:50:00 +0200

Recently, the metadata.xml file syntax definition (the DTD for those that know a bit of XML) has been updated to support CPE definitions. A CPE (Common Platform Enumeration) is an identifier that describes an application, operating system or hardware device using its vendor, product name, version, update, edition and …

Enabling Kernel Samepage Merging (KSM)

Sven Vermeulen — Thu, 09 May 2013 03:50:00 +0200

When using virtualization extensively, you will pretty soon hit the limits of your system (at least, the resources on it). When the virtualization is used primarily for testing (such as in my case), the limit is memory. So it makes sense to seek memory optimization strategies on such systems. The …

The Linux ".d" approach

Sven Vermeulen — Wed, 08 May 2013 03:50:00 +0200

Many services on a Linux system use a *.d directory approach to make their configuration easily configurable by other services. This is a remarkably simple yet efficient method for exposing services towards other applications. Let's look into how this .d approach works.

Take a look at the /etc/pam.d …

Added "predictable network interface" info into the handbook

Sven Vermeulen — Tue, 07 May 2013 03:50:00 +0200

Being long overdue - like many of our documentation-reported bugs :-( I worked on bug 466262 to update the Gentoo Handbook with information about Network Interface Naming. Of course, the installation instructions have also seen the necessary updates to refer to this change.

With some luck (read: time) I might be able …

Overview of Linux capabilities, part 3

Sven Vermeulen — Mon, 06 May 2013 03:50:00 +0200

In previous posts I talked about capabilities and gave an introduction to how this powerful security feature within Linux can be used (and also exploited). I also covered a few capabilities, so let's wrap this up with the remainder of them.

CAP_AUDIT_CONTROL: Enable and disable kernel auditing; change …

Overview of Linux capabilities, part 2

Sven Vermeulen — Sun, 05 May 2013 03:50:00 +0200

As I've (in a very high level) described capabilities and talked a bit on how to work with them, I started with a small overview of file-related capabilities. So next up are process-related capabilities (note, this isn't a conform terminology, more some categorization that I do myself).

CAP_IPC_LOCK …

Overview of Linux capabilities, part 1

Sven Vermeulen — Sat, 04 May 2013 03:50:00 +0200

In the previous posts, I talked about capabilities and how they can be used to allow processes to run in a privileged fashion without granting them full root access to the system. An example given was how capabilities can be leveraged to run ping without granting it setuid root rights …

Restricting and granting capabilities

Sven Vermeulen — Fri, 03 May 2013 03:50:00 +0200

As capabilities are a way for running processes with some privileges, without having the need to grant them root privileges, it is important to understand that they exist if you are a system administrator, but also as an auditor or other security-related function. Having processes run as a non-root user …

Capabilities, a short intro

Sven Vermeulen — Thu, 02 May 2013 03:50:00 +0200

Capabilities. You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …

SELinux mount options

Sven Vermeulen — Wed, 01 May 2013 03:50:00 +0200

When you read through the Gentoo Hardened SELinux handbook, you'll notice that we sometimes update /etc/fstab with some SELinux-specific settings. So, what are these settings about and are there more of them?

First of all, let's look at a particular example from the installation instructions so you see what …

Qemu-KVM monitor tips and tricks

Sven Vermeulen — Tue, 30 Apr 2013 03:50:00 +0200

When running KVM guests, the Qemu/KVM monitor is a nice interface to interact with the VM and do specific maintenance tasks on. If you run the KVM guests with VNC, then you can get to this monitor through Ctrl-Alt-2 (and Ctrl-Alt-1 to get back to the VM display). I …

photorec to the rescue

Sven Vermeulen — Mon, 29 Apr 2013 03:50:00 +0200

Once again PhotoRec has been able to save files from a corrupt FAT USB drive. The application scans the partition, looking for known files (based on the file magic) and then restores those files. The files are not named as they were though, so there is still some manual work …

Securely handling libffi

Sven Vermeulen — Sun, 28 Apr 2013 03:50:00 +0200

I've recently came across libffi again. No, not because it was mentioned during the Gentoo Hardened online meeting, but because my /var/tmp wasn't mounted correctly, and emerge (actually python) uses libffi. Most users won't notice this, because libffi works behind the scenes. But when it fails, it fails bad …

How logins get their SELinux user context

Sven Vermeulen — Sat, 27 Apr 2013 03:50:00 +0200

Sometimes, especially when users are converting their systems to be SELinux-enabled, their user context is wrong. An example would be when, after logon (in permissive mode), the user is in the system_u:system_r:local_login_t domain instead of a user domain like staff_u:staff_r:staff …

New SELinux userspace release

Sven Vermeulen — Fri, 26 Apr 2013 03:50:00 +0200

A new release of the SELinux userspace utilities was recently announced. I have made the packages for Gentoo available and they should now be in the main tree (\~arch of course). During the testing of the packages however, I made a stupid mistake of running the tests on the wrong …

Gentoo protip: using buildpkgonly

Sven Vermeulen — Thu, 25 Apr 2013 03:50:00 +0200

If you don't want to have the majority of builds run in the background while you are busy on the system, but you don't want to automatically install software in the background when you are not behind your desk, then perhaps you can settle for using binary packages. I'm not …

Using strace to troubleshoot SELinux problems

Sven Vermeulen — Wed, 24 Apr 2013 03:50:00 +0200

When SELinux is playing tricks on you, you can just "allow" whatever it wants to do, but that is not always an option: sometimes, there is no denial in sight because the problem lays within SELinux-aware applications (applications that might change their behavior based on what the policy sais or …

SLOT'ing the old swig-1

Sven Vermeulen — Tue, 23 Apr 2013 03:50:00 +0200

The SWIG tool helps developers in building interfaces/libraries that can be accessed from many other languages than the ones the library is initially written in or for. The SELinux userland utility setools uses it to provide Python and Ruby interfaces even though the application itself is written in C …

Mitigating DDoS attacks

Sven Vermeulen — Mon, 22 Apr 2013 03:50:00 +0200

Lately, DDoS attacks have been in the news more than I was hoping for. It seems that the botnets or other methods that are used to generate high-volume traffic to a legitimate service are becoming more and more easy to get and direct. At the time that I'm writing this …

Introducing selocal for small SELinux policy enhancements

Sven Vermeulen — Sun, 21 Apr 2013 03:50:00 +0200

When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …

Transforming GuideXML to DocBook

Sven Vermeulen — Sat, 20 Apr 2013 03:50:00 +0200

I recently committed an XSL stylesheet that allows us to transform the GuideXML documents (both guides and handbooks) to DocBook. This isn't part of a more elaborate move to try and push DocBook instead of GuideXML for the Gentoo Documentation though (I'd rather direct documentation development more to the Gentoo …

Comparing performance with sysbench: performance analysis

Sven Vermeulen — Fri, 19 Apr 2013 16:22:00 +0200

So in the past few posts I discussed how sysbench can be used to simulate some workloads, specific to a particular set of tasks. I used the benchmark application to look at the differences between the guest and host on my main laptop, and saw a major performance regression with …

Comparing performance with sysbench: memory, threads and mutexes

Sven Vermeulen — Fri, 19 Apr 2013 04:11:00 +0200

In the previous post, I gave some feedback on the cpu and fileio workload tests that sysbench can handle. Next on the agenda are the memory, threads and mutex workloads.

When using the memory workload, sysbench will allocate a buffer (provided through the --memory-block-size parameter, defaults to 1kbyte) and each …

Another Gentoo Hardened month has passed

Sven Vermeulen — Thu, 18 Apr 2013 23:36:00 +0200

Another month has passed, so time to mention again what we have all been doing lately ;-)

Toolchain

Version 4.8 of GCC is available in the tree, but currently masked. The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). asan support in …

Comparing performance with sysbench: cpu and fileio

Sven Vermeulen — Thu, 18 Apr 2013 21:31:00 +0200

Being busy with virtualization and additional security measures, I frequently come in contact with people asking me what the performance impact is. Now, you won't find the performance impact of SELinux here as I have no guests nor hosts that run without SELinux. But I did want to find out …

Simple drawing for I/O positioning

Sven Vermeulen — Thu, 18 Apr 2013 01:00:00 +0200

Instead of repeatedly trying to create an overview of the various layers involved with I/O operations within Linux on whatever white-board is in the vicinity, I decided to draw one up in Draw.io that I can then update as I learn more from this fascinating world. The drawing's …

What could SELinux have done to mitigate the postgresql vulnerability?

Sven Vermeulen — Tue, 16 Apr 2013 14:00:00 +0200

Gentoo is one of the various distributions which supports SELinux as a Mandatory Access Control system to, amongst other things, mitigate the results of a succesfull exploit against software. So what about the recent PostgreSQL vulnerability?

When correctly configured, the PostgreSQL daemon will run in the postgresql_t domain. In …

Integrity checking with AIDE

Sven Vermeulen — Thu, 11 Apr 2013 17:02:00 +0200

As to at least do some progress in the integrity part of Gentoo Hardened (a subproject I'd like to extend towards greater heights), I dediced to write up a small guide on how to work with AIDE. The tool is simple enough (and it allowed me to test its SELinux …

Not needing run_init for password-less service management

Sven Vermeulen — Tue, 09 Apr 2013 22:14:00 +0200

One of the things that has been bugging me was why, even with having pam_rootok.so set in /etc/pam.d/run_init, I cannot enjoy passwordless service management without using run_init directly:

# rc-service postgresql-9.2 status
Authenticating root.
Password:

# run_init rc-service postgresql-9.2 status
Authenticating root …

How far reaching vulnerabilities can go

Sven Vermeulen — Tue, 09 Apr 2013 19:39:00 +0200

If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …

Separate puppet provider for Gentoo/SELinux?

Sven Vermeulen — Sun, 07 Apr 2013 19:22:00 +0200

While slowly transitioning my playground infrastructure towards Puppet, I already am in process of creating a custom provider for things such as services. Puppet uses providers as "implementations" for the functions Puppet needs. For instance, for the service type (which handles init script services), there are providers for RedHat, Debian …

Matching packages with CVEs

Sven Vermeulen — Thu, 04 Apr 2013 21:44:00 +0200

I've come across a few posts on forums (Gentoo and elsewhere) asking why Gentoo doesn't make security-related patches on the tree. Some people think this is the case because they do not notice (m)any GLSAs, which are Gentoo's security advisories. However, it isn't that Gentoo doesn't push out security …

Linux Sea and ePub update

Sven Vermeulen — Tue, 02 Apr 2013 20:16:00 +0200

I just "published" a small update on the Linux Sea online book. Nothing major, some path updates (like the move to /etc/portage for the make.conf file). But I wouldn't put a blog post online if there wasn't anything else to say ;-)

Recently I was made aware that the …

Fiddling with puppet apply

Sven Vermeulen — Wed, 20 Mar 2013 12:31:00 +0100

As part of a larger exercise, I am switching my local VM set from a more-or-less scripted manual configuration towards a fully Puppet-powered one. Of course, it still uses a lot of custom modules and is most likely too ugly to expose to the wider internet, but it does seem …

SELinux tutorial series, update

Sven Vermeulen — Mon, 18 Mar 2013 23:22:00 +0100

Just a small update - the set of SELinux tutorials has been enhanced since my last blog post about it with information on SELinux booleans, customizable types, run-time modi (enforcing versus permissive), some bits about unconfined domains, information on policy loading, purpose of SELinux roles, SELinux users and an example on …

SELinux tutorial series

Sven Vermeulen — Fri, 15 Mar 2013 00:34:00 +0100

As we get a growing number of SELinux users within Gentoo Hardened and because the SELinux usage at the firm I work at is most likely going to grow as well, I decided to join the bunch of documents on SELinux that are "out there" and start a series of …

Gentoo Hardened progress meeting of march 2013

Sven Vermeulen — Thu, 07 Mar 2013 22:46:00 +0100

Another month has passed, so time for a new progress meeting...

Toolchain

GCC v4.7 has been unmasked, allowing a large set of users to test out the new GCC. It is also expected that GCC 4.8-rc1 will hit the tree next week. In the hardened-dev overlay, hardened support …

Uploading selinuxnode test VM

Sven Vermeulen — Mon, 25 Feb 2013 03:05:00 +0100

At the time of writing (but I'll delay the publication of this post a few hours), I'm uploading a new SELinux-enabled KVM guest image. This is not an update on the previous image though (it's a reinstalled system - after all, I use VMs for testing, so it makes sense to …

Working on a new selinuxnode VM

Sven Vermeulen — Sat, 23 Feb 2013 14:04:00 +0100

A long time ago, I made a SELinux enabled VM for people to play with, displaying a minimal Gentoo installation, including the hardening features it supports (PIE/PIC toolchain, grSecurity, PaX and SELinux). I'm currently trying to create a new one, which also includes IMA/EVM, but it looks like …

Transforming GuideXML to wiki

Sven Vermeulen — Tue, 12 Feb 2013 20:12:00 +0100

The Gentoo project has its own official wiki for some time now, and we are going to use it more and more in the next few months. For instance, in the last Gentoo Hardened meeting, we already discussed that most user-oriented documentation should be put on the wiki, and I've …

Gentoo Hardened goes onward (aka project meeting)

Sven Vermeulen — Thu, 07 Feb 2013 23:40:00 +0100

It's been a while again, so time for another Gentoo Hardened online progress meeting.

Toolchain

GCC 4.8 is on development stage 4, so the hardened patches will be worked on next week. Some help on it is needed to test the patches on ARM, PPC and MIPS though. For …

Why would paid-for support be better?

Sven Vermeulen — Mon, 31 Dec 2012 22:46:00 +0100

Last Saturday evening, I sent an e-mail to a low-volume mailinglist regarding IMA problems that I'm facing. I wasn't expecting an answer very fast of course, being holidays, weekend and a low-volume mailinglist. But hey - it is the free software world, so I should expect some slack on this, right …

IMA and EVM on Gentoo, part 2

Sven Vermeulen — Sat, 29 Dec 2012 23:42:00 +0100

I have been playing with Linux IMA/EVM on a Gentoo Hardened (with SELinux) system for a while and have been documenting what I think is interesting/necessary for Gentoo Linux users when they want to use IMA/EVM as well. Note that the documentation of the Linux IMA/EVM …

Gentoo Hardened IMA support

Sven Vermeulen — Thu, 27 Dec 2012 22:40:00 +0100

Adventurous users, contributors and developers can enable the Integrity Measurement Architecture subsystem in the Linux kernel with appraisal (since Linux kernel 3.7). In an attempt to support IMA (and EVM and other technologies) properly, the System Integrity subproject within Gentoo Hardened was launched a few months ago. And now …

Switching policy types in Gentoo/SELinux

Sven Vermeulen — Thu, 20 Dec 2012 11:31:00 +0100

When you are running Gentoo with SELinux enabled, you will be running with a particular policy type, which you can devise from either /etc/selinux/config or from the output of the sestatus command. As a user on our IRC channel had some issues converting his strict-policy system to mcs …

Another hardened month has passed...

Sven Vermeulen — Thu, 13 Dec 2012 10:02:00 +0100

... so it's time for a new update ;-)

Toolchain

GCC 4.8 is still in its stage 3 development phase, so Zorry will send out the patches to the GCC development community when this phase is done. For Gentoo hardened itself, we now support all architectures except for IA64 (which never …

Using pam_selinux to switch contexts

Sven Vermeulen — Mon, 10 Dec 2012 22:11:00 +0100

With SELinux managing the access controls of applications towards the resources on the system, a not-to-be forgotten important component on any Unix/Linux system is the authentication part. Most systems use or support PAM, the Pluggable Authentication Modules, and for SELinux this plays an important role.

Applications that are PAM-enabled …

Using stunnel for mutual authentication

Sven Vermeulen — Sat, 08 Dec 2012 14:24:00 +0100

Sometimes services do not support SSL/TLS, or if they do, they do not support using mutual authentication (i.e. requesting that the client also provides a certificate which is trusted by the service). If that is a requirement in your architecture, you can use stunnel to provide this additional …

nginx as reverse SMTP proxy

Sven Vermeulen — Thu, 06 Dec 2012 00:03:00 +0100

I've noticed that not that many resources are online telling you how you can use nginx as a reverse SMTP proxy. Using a reverse SMTP proxy makes sense even if you have just one mail server back-end, either because you can easily switch towards another one, or because you want …

Why you need the real_* thing with genkernel

Sven Vermeulen — Sun, 25 Nov 2012 21:05:00 +0100

Today it bit me. I rebooted my workstation, and all hell broke loose. Well, actually, it froze. Literally, if you consider my root file system. When the system tried to remount the root file system read-write, it gave me this:

mount: / not mounted or bad option

So I did the …

The hardened project continues going forward...

Sven Vermeulen — Sat, 17 Nov 2012 21:34:00 +0100

This wednesday, the Gentoo Hardened team held its monthly online meeting, discussing the things that have been done the last few weeks and the ideas that are being worked out for the next. As I did with the last few meetings, allow me to summarize it for all interested parties …

Local policy management script

Sven Vermeulen — Sun, 11 Nov 2012 13:37:00 +0100

I've written a small script that I call selocal which manages locally needed SELinux rules. It allows me to add or remove SELinux rules from the command line and have them loaded up without needing to edit a .te file and building the .pp file manually. If you are interested …

Gentoo Hardened progress meeting

Sven Vermeulen — Sun, 14 Oct 2012 15:00:00 +0200

Not that long ago we had our monthly Gentoo Hardened project meeting (on October 3rd to be exact). On these meetings, we discuss the progress of the project since the last meeting.

For our toolchain domain, Zorry reported that the PIE patchset is updated for GCC, fixing bug #436924. Blueness …

git patch apply

Sven Vermeulen — Thu, 27 Sep 2012 20:45:00 +0200

I recently had to merge the changes made to an upstream project with a local repository. I took out the changes as patches through git format-patch (as the local repository isn't a clone of the remote one so I couldn't just create a branch and merge) and hoped to apply …

Perimeter security testing

Sven Vermeulen — Tue, 28 Aug 2012 22:47:00 +0200

I've been asked a few times how I would do perimeter security testing. Personally, I'm not an offensive security guy, more a defensive one, meaning I'm more about security-related defensive methods rather than PEN testing of any kind. But still, even in a defensive position, having a "view" on how …

Gentoo Hardened in August

Sven Vermeulen — Sat, 25 Aug 2012 17:18:00 +0200

Last wednesday Gentoo Hardened held its monthly online meeting to discuss the progress of the various subprojects, reconfirm the current project leads, talk about potential new projects and discuss some bugs that were getting on our nerves...

For the project leads, all current leads were reconfirmed: Zorry will keep tight …

Lots of work on supporting swig-2

Sven Vermeulen — Mon, 20 Aug 2012 20:50:00 +0200

The SELinux setools package provides a few of the commands I used the most when working with SELinux: sesearch for looking through the policy and seinfo to get information on type/attribute/role/... from the currently loaded policy.

This package uses swig, the Simplified (sic) Wrapper and Interface Generator to …

Adding roles to the Gentoo Hardened SELinux policy

Sven Vermeulen — Tue, 14 Aug 2012 20:39:00 +0200

I wrote a small section on how to create additional roles to the SELinux policy offered by Gentoo Hardened. Whereas the default policy that we provide only offers a few basic roles, any policy administrator can provide additional roles for the system.

By using additional roles, you can grant users …

Kickstarting the Integrity subproject

Sven Vermeulen — Mon, 30 Jul 2012 21:34:00 +0200

Now that Gentoo Hardened has its integrity subproject, I started with writing down the concepts (draft - will move to the project site when finished!) used within the subproject: what is integrity, how does trust fit into this, what kind of technologies will we look at, etc. I'm hoping that this …

Gentoo Hardened on the move

Sven Vermeulen — Thu, 26 Jul 2012 00:41:00 +0200

Gentoo Hardened is thriving and going forward. For those that don't exactly know what Gentoo Hardened is - it is a Gentoo project dedicated to bring Gentoo in a shape ready for highly secure, high stability production server environments. This is what we live by, and why we do what we …

Dynamic transitions in SELinux

Sven Vermeulen — Sun, 22 Jul 2012 21:11:00 +0200

In between talks on heap spraying techniques and visualization of data for fast analysis, I'm working on integrating the chromium SELinux policy that was offered in bug bug #412637 within Gentoo Hardened. If you take a look at the bug, you notice I'm not really fond of the policy because …

Hardening the Linux kernel updates

Sven Vermeulen — Sat, 21 Jul 2012 21:06:00 +0200

Thanks to a comment by Andy, the guide now has information about additional settings: stackprotector, read-only data, restrict access to /dev/mem, disable /proc/kcore and restrict kernel syslog (dmesg). One suggestion he made didn't make it to the guide (about CONFIG_DEBUG_STACKOVERFLOW) since I can't find any resources …

Hardening the Linux kernel

Sven Vermeulen — Fri, 20 Jul 2012 22:05:00 +0200

I have moved out the kernel configuration settings (and sysctl stuff) from the Hardening Gentoo Linux benchmark into its own Hardening the Linux kernel guide. It covers some common hardening-related kernel configuration entries (although I'm sure I'm missing a lot of them still) as well as grSecurity and PaX settings …

Hardening OpenSSH

Sven Vermeulen — Wed, 18 Jul 2012 22:20:00 +0200

A while ago I wrote about a Gentoo Security Benchmark which would talk about hardening a Gentoo Linux installation. Within that document, I was documenting how to harden specific services as well. However, I recently changed my mind and wanted to move the hardening stuff for the services in separate …

Updated Gentoo Hardened/SELinux VM image

Sven Vermeulen — Mon, 16 Jul 2012 18:31:00 +0200

I have updated the Gentoo Hardened/SELinux VM image, available on the mirrors under experimental/amd64/qemu-selinux.

The new image now asks for the keyboard layout, has a short DHCP timeout value (5 seconds) and provides the nano editor. If you plan on running the image using qemu, please use …

Gentoo Hardened/SELinux VM image

Sven Vermeulen — Tue, 10 Jul 2012 21:27:00 +0200

A few weeks ago, I pushed out a VM image (Qemu QCOW2 format) to the /experimental/amd64/qemu-selinux/ location in our mirrors. This VM image (which is about 1.6 Gib large decompressed) provides a SELinux-enabled, Gentoo Hardened (with PaX and other grSecurity security settings) base installation. Thanks to the …

Gentoo Summer of Documentation - Let's do it!

Sven Vermeulen — Fri, 29 Jun 2012 19:16:00 +0200

The Gentoo Wiki folks have started a great idea (and immediately set a nice milestone), namely the Gentoo Wiki Summer of Documentation. By september, they want to double the amount of articles on the wiki.

I'll surely help out and participate where I can, and perhaps we can even go …

Had to edit /etc/init.d/root

Sven Vermeulen — Sun, 24 Jun 2012 15:38:00 +0200

For some reason, I had to edit my /etc/init.d/root file to use "mount /dev/root -n -o remount,rw /" instead of the standard "mount -n -o remount,rw /". Without this, it failed to remount the root file system in a read-write mode, which is of course not …

Overview of SELinux changes

Sven Vermeulen — Sun, 24 Jun 2012 14:32:00 +0200

Most users of Gentoo hardly take a look at the (installation) documentation when their installation has finished. After all, being a rolling distribution, there is little need to take a look at the instructions again. And for most Gentoo users, changes that are needed to be reviewed by existing users …

Python 3 support for SELinux userland, tests and policy rev 10

Sven Vermeulen — Sat, 26 May 2012 18:59:00 +0200

In the last few hours I pushed my local changes on the SELinux userland utilities towards the hardened-development overlay. The utilities not only include some bugfixes, but have now also seen a first set of tests towards Python 3.2. In the past, I've made a few attempts at making …

Catching up, but stuff is piling...

Sven Vermeulen — Thu, 24 May 2012 18:46:00 +0200

Those that are frequent the #gentoo-hardened chat channel know that I'm currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I'm still not there yet. I'm now hitting a weird bug which seems to come down to an incorrect free() on …

Keeping /selinux

Sven Vermeulen — Fri, 04 May 2012 22:26:00 +0200

Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version and you switch from /selinux to /sys/fs/selinux as the mountpoint for the SELinux file system, you might get into issues. Apparently, init (which is responsible for mounting the SELinux …

20120215 policies now stable

Sven Vermeulen — Sun, 29 Apr 2012 16:43:00 +0200

Today I've stabilized the sec-policy/selinux-* packages that provide the 20120215 "series" of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace …

Linux Sea now in ePub

Sven Vermeulen — Fri, 20 Apr 2012 17:31:00 +0200

On request of Matthew Marchese, I now automatically build an ePub version of Linux Sea for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its xsl-stylesheets/epub/docbook.xsl stylesheet against the DocBook sources …

Why both chroot and SELinux?

Sven Vermeulen — Sun, 15 Apr 2012 09:41:00 +0200

In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?

Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate …

Chrooted BIND for IPv6 with SELinux

Sven Vermeulen — Sat, 14 Apr 2012 23:08:00 +0200

BIND, or Berkeley Internet Name Domain, is one of the Internet's most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I'll give …

Documentation updates for initramfs needed?

Sven Vermeulen — Thu, 12 Apr 2012 17:40:00 +0200

A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file bugreports and have them block bug #407959. Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and …

Get your devtmpfs ready

Sven Vermeulen — Sat, 07 Apr 2012 22:10:00 +0200

If you are using stable profiles, you might want to verify if you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it and they currently do not fail at install time if you have …

More on initramfs and SELinux

Sven Vermeulen — Sun, 25 Mar 2012 19:44:00 +0200

With the upcoming udev version not supporting separate /usr locations unless you boot with an initramfs, we are now starting to document how to create an initramfs to boot with. After all, systems with a separate /usr are not that uncommon.

As I've blogged about before, getting an initramfs to …

Hunting fuser

Sven Vermeulen — Mon, 12 Mar 2012 21:54:00 +0100

I am able to work on Gentoo and SELinux about one hour per day. It's more in total time, but being a bit exhausted makes me act a bit more slowly which boils down to about one hour per day. And one hour per day isn't bad, you're able to …

Introducing 2.20120215 policies

Sven Vermeulen — Sun, 26 Feb 2012 18:40:00 +0100

A few weeks after being released, we now have the 20120215-based policies available for our users (and also the newer userspace utilities). The packages currently reside in the hardened-dev overlay as they will need to see sufficient testing before we merge those to the main tree. For most users, nothing …

Transitioning to MCS policies

Sven Vermeulen — Fri, 24 Feb 2012 22:12:00 +0100

Since I started maintaining the SELinux policies for Gentoo Hardened, the policy types we supported were primarily strict and targeted. About half a year ago, we also started supported mcs and offered the possibility for using mls as well (but didn't really support that one).

With the recent release of …

This months' stabilization done, more to come

Sven Vermeulen — Sun, 29 Jan 2012 13:33:00 +0100

A small notification to tell you that the SELinux policies that were pushed to the main tree 30 days (or more) ago have now been stabilized (none of them introduced problems, although some of them have other bugs still open which are either fixed in \~arch or will be fixed …

Trying out initramfs with selinux and grsec

Sven Vermeulen — Sun, 15 Jan 2012 12:58:00 +0100

I'm no fan of initramfs. All my systems boot up just fine without it, so I often see it as an additional layer of obfuscation. But there are definitely cases where initramfs is needed, and from the looks of it, we might be needing to push out some documentation and …

Unix domain sockets are files

Sven Vermeulen — Sat, 31 Dec 2011 17:48:00 +0100

Probably not a first for many seasoned Linux administrators, and probably not correct accordingly to more advanced users than myself, but I just found out that Unix domain sockets are files. Even when they're not.

I have been looking at a weird SELinux denial I had occuring on my system …

Gentoo WiKi & Knowledge Base

Sven Vermeulen — Mon, 26 Dec 2011 20:01:00 +0100

I have been playing with the Gentoo Wiki the last few days and am very impressed with the work that both the wiki teams as well as existing contributors have already done to the place. The look and feel is very slick and editing works just as expected. One of …

Supporting fix scripts for XCCDF content and maintaining the documents

Sven Vermeulen — Fri, 23 Dec 2011 16:00:00 +0100

One of the features supported through OVAL (and Open-SCAP) is to generate fix scripts when a test has failed. The administrator can then verify this script (of course) and then execute it to correct wrong settings. So I decided to play around with this as well and enhanced the Gentoo …

SELinux Gentoo/Hardened state 2011-12-19

Sven Vermeulen — Mon, 19 Dec 2011 18:04:00 +0100

On december 14th, the Gentoo Hardened project had its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux-front were presented as well.

Since last meeting, the follow topics passed the revue.

sec-policy/selinux-base-policy, which is the "master …

Supporting CC-BY-SA 3.0

Sven Vermeulen — Tue, 29 Nov 2011 21:33:00 +0100

Until now, documents on the Gentoo website all had to be licensed under the Creative Commons Attribution/Share Alike license, version 2.5. Why? Because at the time of the license choice, that was probably the latest version at hand. In the XML code itself, the license tagging was done …

SELinux Gentoo/Hardened state 2011-11-17

Sven Vermeulen — Thu, 17 Nov 2011 23:29:00 +0100

A small write-down on the Gentoo Hardened SELinux state-of-affairs, largely triggered because there was an online meeting for the Gentoo Hardened project today.

The SELinux policies offered in the sec-policy category are based on the latest refpolicy release. The older policies have been removed from the Portage tree. The patches …

Gentoo Security Benchmark with OVAL and Open-SCAP

Sven Vermeulen — Wed, 16 Nov 2011 23:09:00 +0100

A while ago, I got referred to the Open Vulnerability and Assessment Language, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can interpret it. Actually, it is a set of these …

Centers of Excellence

Sven Vermeulen — Tue, 25 Oct 2011 20:12:00 +0200

When dealing with software (I'll talk about software here, but the information is applicable to most technologies, such as appliances and operating systems) many organizations want to have "centers of excellence" with respect to the software. These teams are responsible for positioning the software within the organization, supporting the software …

SELinux' 2011/07 releases now stable

Sven Vermeulen — Sun, 23 Oct 2011 15:07:00 +0200

A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the Gentoo SELinux Handbook with the changes I presented on our gentoo-hardened mailinglist. After some time, I'll remove the now …

Gentoo Hardened SELinux policies, rev 5

Sven Vermeulen — Thu, 13 Oct 2011 18:30:00 +0200

I've pushed out selinux-base-policy version 2.20110726-r5 to the hardened-dev overlay. It does not hold huge changes, most of them are rewrites or updates on pre-existing patches (on the SELinux policies) to make them conform the refpolicy naming conventions and other guidelines. It includes preliminary support for the XDG Specification …

Upgrading GCC, revisited

Sven Vermeulen — Thu, 13 Oct 2011 18:23:00 +0200

Gentoo has, since long, had a GCC Upgrading guide. A long time ago, upgrading GCC required quite a lot of side activities and was often considered a risky upgrade. But times change, and so do the GCC upgrade cycles. Improved compatibility as well as a better understood impact made GCC …

Mitigating risks, part 5 - application firewalls

Sven Vermeulen — Wed, 05 Oct 2011 23:38:00 +0200

The last isolation-related aspect on risk mitigation is called application firewalls. Like more "regular" firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don't. But unlike these regular firewalls, application firewalls work on higher-level protocols (like HTTP, FTP) that …

Quickly setup a Gentoo system

Sven Vermeulen — Sat, 24 Sep 2011 15:34:00 +0200

In order to verify if the installation instructions in the Gentoo Handbook are still valid, and to allow me to quickly seed new Gentoo installations in a virtual environment, I wrote a very ugly (really) script to automatically "stage" a Gentoo Linux installation in a KVM guest. This is not …

Power management guide updated

Sven Vermeulen — Fri, 23 Sep 2011 21:57:00 +0200

The Gentoo Power Management Guide is now updated. It is a full rewrite, focusing currently on two main toolsets: Laptop Mode Tools and cpufreqd. I was pleasantly surprised by the number of features that the laptop mode tools package provided.

Of course, this does not mean that the guide is …

Mitigating risks, part 4 - Mandatory Access Control

Sven Vermeulen — Fri, 23 Sep 2011 20:16:00 +0200

I've talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn't help there, and system hardening can only go that far. The additional countermeasures that …

Catching up

Sven Vermeulen — Sun, 18 Sep 2011 16:51:00 +0200

As mentioned on the gentoo-doc mailinglist, all documentation bugs (that we know of) related to openrc have been fixed. It was already a week like so, but the last dependency on our "tracker" bug was an open one (asking if more needs to be done or not) from which we …

Mitigating risks, part 3 - hardening

Sven Vermeulen — Tue, 13 Sep 2011 22:46:00 +0200

While I'm writing this post, my neighbor is shouting. He's shouting so hard, that I was almost writing with CAPS on to make sure you could read me. But don't worry, he's not fighting - it is how he expresses his (positive) feelings about his religion.

Security is, for some, also …

Mitigating risks, part 2 - service isolation

Sven Vermeulen — Fri, 09 Sep 2011 23:12:00 +0200

Internet: absolute communication, absolute isolation
\~Paul Carvel

The quote might be ripped out of its context completely, since it wasn't made when talking about risks and the assurance you might need to get in order to reduce risks. But it does give a nice introduction to the second part of …

Mitigating risks, part 1

Sven Vermeulen — Mon, 05 Sep 2011 22:05:00 +0200

We are running Foobar 2.0 on Tomcat 4. We know that Tomcat 4 isn't supported, but hey - our (internal) customer is happy that the Foobar application works and would like to keep it that way. Upgrading to Tomcat 5 or higher is not possible - Foobar 2.0 only works …

Now using refpolicy 2.20110726

Sven Vermeulen — Sun, 04 Sep 2011 20:38:00 +0200

A few days ago, I committed the SELinux policy modules that are based on the 2.20110726 set released upstream. For those that are using Gentoo Hardened with SELinux, you'll find them if you use the \~arch set for the sec-policy category.

When I talk about upstream, it usually is …

Use parted for large partitions

Sven Vermeulen — Wed, 24 Aug 2011 23:46:00 +0200

A few bugs that were sitting in Gentoo's bugzilla for the documentation were related to large partitions (2 TB and higher). Previously, this wasn't as much as an issue since the number of users that have 2+ TB partitions are fairly slim. But of course time flies, hardware becomes cheaper …

Easy documentation updates thanks to the many contributions

Sven Vermeulen — Mon, 22 Aug 2011 23:01:00 +0200

As mentioned previously, I took a stab at the Gentoo Guide to OpenLDAP Authentication, updating its configuration settings as well as give an introduction to its replication mechanism. Although I am no OpenLDAP guru at all, I set up a similar architecture for testing some SELinux policy changes. This test …

Ready, set, commit!

Sven Vermeulen — Fri, 12 Aug 2011 22:35:00 +0200

Yesterday, I have entered the realms of Gentoo Development again. But as it was getting late then, I had to wait before the first commits happened. So this evening, things were done. The first couple of documentation bugs (mostly related to OpenRC) have been committed to the Gentoo CVS repository …

checksec kernel security

Sven Vermeulen — Sun, 24 Jul 2011 00:18:00 +0200

I have blogged about checksec.sh earlier before. Jono, one of the #gentoo-hardened IRC-members, kindly pointed me to its --kernel option. So I feel obliged to give its options a stab as well. So, here goes the next batch of OPE-style (One Paragraph Explanations).

~# checksec.sh --kernel
* Kernel protection information …

emerge-webrsync and gpg verification

Sven Vermeulen — Fri, 22 Jul 2011 14:33:00 +0200

Gentoo has been working on its security from very early on. One of the (many) features it supports is to allow users to validate the state of the portage tree. Ebuild signing (where developers sign the Manifest file with their key) is one of the layers offered by Gentoo, but …

Preliminary SELinux MCS support in Gentoo Hardened

Sven Vermeulen — Thu, 21 Jul 2011 22:04:00 +0200

Users tracking the hardened-dev overlay for SELinux packages will notice yet another update on the selinux-base-policy package. This time however, the change is a little more than just a policy update. With this new revision, preliminary support for Multi-Category Security (aka MCS) is added.

MCS is an update on the …

High level explanation on some binary executable security

Sven Vermeulen — Fri, 15 Jul 2011 22:01:00 +0200

One very important functionality offered by Gentoo Hardened is a specific toolchain (compiler, libraries and more) that contains patches to make the built binaries a bit more protected from certain vulnerabilities. Explaining all those in detail is too much for a simple blog post like this, but some time ago …

Some people on #selinux are ... dolphins

Sven Vermeulen — Thu, 14 Jul 2011 20:00:00 +0200

A very useful resource for anyone working on or with SELinux policies is the #selinux chat channel on irc.freenode.net. People like Dominick Grift and Dan Walsh you would first think are IRC bots (being online all the time, answering questions), but I recently read that they must be …

On the new SELinux profiles

Sven Vermeulen — Thu, 14 Jul 2011 19:31:00 +0200

Ever since Anthony put in the new SELinux profiles - which was long due - they have seen quite a few tests and the necessary, evolutionary updates. No changes that broke things, no oddities that would give a WTF to whomever is using it. The latest updates were to remove some obsolete …

Gentoo Hardened SELinux state

Sven Vermeulen — Sat, 09 Jul 2011 16:39:00 +0200

Since last post, we've been working on the further stabilization and bug fixing of the SELinux policies within Gentoo Hardened. You might have noticed that we started working on the QA of the packages, like I promised in the last post. The binaries within selinux-base-policy are now published somewhere on …

What's next after stabilization?

Sven Vermeulen — Mon, 13 Jun 2011 20:46:00 +0200

The last few weeks have shown quite a few interesting improvements on Gentoo Hardened's SELinux state. We now have improved (simplified) Gentoo profile support, supporting SELinux on no-multilib (an often requested feature, now finally in), we stabilized the 2.20101213 policies that are in the tree and are cleaning up …

Policy 25, 26

Sven Vermeulen — Wed, 01 Jun 2011 21:32:00 +0200

Recently I've seen quite a few messages on IRC pop up about policy.25 or even policy.26 so I harassed the guys in the chat channel to talk about it. Apparently, these new binary policy formats add support for filename transitions and non-process role transitions.

Currently, when you initiate …

SELinux file contexts

Sven Vermeulen — Sun, 15 May 2011 13:39:00 +0200

If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …

SELinux Gentoo profile updates

Sven Vermeulen — Tue, 03 May 2011 23:17:00 +0200

The SELinux support within Gentoo Hardened is continuing to go forward. Anthony G. Basile has been working on the new SELinux Gentoo profiles which were in dire need of updates. With the rework, we'll also support the AMD64 no-multilib environment properly. With the new profiles we'll also make USE="open …

SELinux User-Based Access Control

Sven Vermeulen — Mon, 02 May 2011 22:14:00 +0200

Within the reference policy, support is given to a feature called UBAC constraints. Here, UBAC stands for User Based Access Control. The idea behind the constraint is that any activity between two types (say foo_t and bar_t) can be prohibited if the user contexts of the resources that …

SELinux and noatsecure, or why portage complains about LD_PRELOAD and libsandbox.so

Sven Vermeulen — Fri, 22 Apr 2011 21:00:00 +0200

If you're fiddling with SELinux policies, you will eventually notice that the reference policy by default hides certain privilege requests (which are denied). One of them is noatsecure. But what is noatsecure? To describe noatsecure, I first need to describe what atsecure is. And to describe what that is, we …

cvechecker 3.0

Sven Vermeulen — Tue, 12 Apr 2011 22:47:00 +0200

I'm pleased to announce the immediate availability of cvechecker 3.0. It contains two major feature enhancements: watchlists and MySQL support.

watchlists allow cvechecker to track and report on CVEs for software that cvechecker didn't detect on the system (or perhaps even isn't installed on the system). You can use …

cvechecker updates

Sven Vermeulen — Sun, 27 Mar 2011 22:20:00 +0200

The in-svn version of cvechecker has seen quite a few changes in the last few days. I'm adding support for MySQL to it. This support will be added in three steps:

support the same features as cvechecker currently does using sqlite
streamline the database code so that duplicate code in …

Restoring configuration files on Gentoo

Sven Vermeulen — Sat, 19 Mar 2011 16:32:00 +0100

If you work with Gentoo, you're probably aware of tools like etc-update and dispatch-conf. If you use dispatch-conf, you might know that it supports rcs for version control of the changes it makes. But if you have enabled it, you might be wondering how to actually restore configuration files with …

Updates on SELinux docs, added FAQ

Sven Vermeulen — Wed, 09 Mar 2011 22:17:00 +0100

As you're probably noticing from my twitter feed and the various posts earlier in my blog, I'm helping out with the Gentoo Hardened folks to get the SELinux support state up to par. Today, the Gentoo Hardened/SELinux Handbook had a few updates, but the most important change is that …

Portage fails to build due to SELinux?

Sven Vermeulen — Thu, 03 Mar 2011 00:26:00 +0100

If you're having troubles getting Portage to build packages due to SELinux, then the reason usually is that it is unable to transition to the proper portage domains. You'll get a nice OSError back with an ugly backtrace, saying somewhere that "setexeccon" is misbehaving.

Now, the real issue (not being …

Updates on the Gentoo Hardened SELinux state

Sven Vermeulen — Wed, 02 Mar 2011 23:09:00 +0100

For those following the progress of SELinux support in Gentoo Hardened...

In the hardened-development overlay, the selinux-base-policy package has been updated, hopefully fixing a nasty issue with support for the targeted policy (up to today, I only tested strict policies so I missed that). It also fixes an issue with …

Temporary script for Gentoo Hardened SELinux users

Sven Vermeulen — Sun, 27 Feb 2011 17:37:00 +0100

If you are currently using Gentoo Hardened with SELinux, you might have noticed that we are currently lacking the proper dependencies within our Portage tree upon the SELinux policies (or, in other words, installing a package doesn't guarantee that the SELinux policy needed for that package is pulled in as …

About time...

Sven Vermeulen — Thu, 24 Feb 2011 21:44:00 +0100

I was just wondering why "UTC" stood for "Coordinated Universal Time". Apparently (okay, citing Wikipedia here, so be critical), it's of two main reasons: English and French speaking folks that were participating in that discussion wanted their language to be presented in the abbreviation (English wants "CUT - Coordinated Universal Time …

cvechecker update

Sven Vermeulen — Sat, 19 Feb 2011 16:31:00 +0100

A while ago, I got the request to enhance cvechecker with support for providing a list of installed software (or software you want to watch over with cvechecker) even if cvechecker isn't able to detect that software on your system. I've implemented this and it is currently available in the …

File System Labels in Linux Sea

Sven Vermeulen — Sat, 12 Feb 2011 20:42:00 +0100

I have added some information on file system labels in Linux Sea (PDF). If you don't know what labels are (or UUIDs), here is a quick summary.

Most, if not all file systems, assign a universally unique identifier (UUID) which looks like a random hexadecimal string to each file system …

SELinux for Gentoo Hardened

Sven Vermeulen — Sun, 06 Feb 2011 23:26:00 +0100

Recently, most of the SELinux-related ebuilds from the hardened overlay have been moved to the official Portage tree. Hopefully, this will trigger more people / organizations to try Gentoo Hardened with SELinux and help us improve the ebuilds. They're still marked as \~arch (as they should be). The draft SELinux handbook …

"Gentoo in production?" Oh no, not again...

Sven Vermeulen — Fri, 21 Jan 2011 21:59:00 +0100

I think it is that time of the year again, where people get some crazy ideas. Again I discussed the what must be the gazillion-th time I've been asked "Do you think Gentoo is ripe for use in production?". Honestly, I always tell myself to ignore those discussions but I've …

Confining user applications

Sven Vermeulen — Sun, 16 Jan 2011 16:23:00 +0100

Ever since I started using SELinux, I'm getting more and more fond of what it can do for (security) administrators. Lately, I've started confining user applications (like skype) in the idea that I do not want any application connecting to the Internet or working with content received from untrusted sources …

Why I have backups

Sven Vermeulen — Thu, 30 Dec 2010 20:06:00 +0100

You often read stories about people who have data loss and did not keep any (recent) backups, and are now fully equipped with a state-of-the-art backup mechanism. So no - no such failure story here but an example why backups are important.

Yesterday I had a vicious RAID/LVM failure. Due …

cvechecker 2.0 released

Sven Vermeulen — Wed, 01 Dec 2010 22:29:00 +0100

Okay, enough play - time for a new release. Since cvechecker 1.0 was released, a few important changes have been made to the cvechecker tools:

You can now tell cvechecker to only check newly added files, or remove a set of files from its internal database. Previously, you had to …

Helping with version detection rules in cvechecker

Sven Vermeulen — Sat, 27 Nov 2010 17:59:00 +0100

The new development snapshot, available from the cvechecker project site, contains a helper script that returns potential version detection rules for your system if the current cvechecker database doesn't detect your software. The script is currently available for Gentoo (called cverules_gentoo) but other distributions can be easily added. The …

Delta processing in cvechecker

Sven Vermeulen — Tue, 02 Nov 2010 00:30:00 +0100

The cvechecker application will support delta file processing as well as higher version matching with its next release. The functionality is currently in version control and I still have to work out quite a few things before they can go live, but the functionality is there.

Now why would these …

SELinux enforcing for console activity

Sven Vermeulen — Sat, 30 Oct 2010 21:30:00 +0200

I'm now able to boot into my system with SELinux in enforcing mode (without unconfined domains), do standard system administration tasks as root / sysadm_r (including the relevant Portage activities) and work as a regular user as long as I don't want to run in Xorg. I'm not going to …

Risk identification

Sven Vermeulen — Thu, 14 Oct 2010 20:18:00 +0200

Risk identification is a difficult subject. Analysts need it to defend mitigation strategies or to suggest investments. Yet risk identification is often a subjective method, especially in the IT industry. How do you give a number on a certain risk? When do you believe that that number exceeds a threshold …

cvechecker 1.0 released

Sven Vermeulen — Fri, 01 Oct 2010 21:34:00 +0200

With only a few small bugfixes between this release and the previous one, cvechecker 1.0 has finally been released. It runs fine on my few systems and I have not gotten any bugreports from other users anymore. It can definitely need more rules to identify installed software (those rules …

SELinux quicky

Sven Vermeulen — Tue, 14 Sep 2010 23:44:00 +0200

I've been using SELinux for a few days now (in permissive mode, just to get to know things) and have learned a few interesting commands (or other nice-to-know's) for using SELinux. Since I'm going to forget those the moment all is running well, I'll "document" them here ;-) I'm not going …

Switching to hardened

Sven Vermeulen — Sun, 12 Sep 2010 13:41:00 +0200

Yesterday (and this night) I successfully converted my system to a Gentoo Hardened system. In my case, this currently means that PaX has been enabled and I am currently running the system (which is an x86_64 laptop) with SELinux in permissive mode (so it won't enforce the policies yet …

prezi presentations

Sven Vermeulen — Fri, 10 Sep 2010 10:40:00 +0200

While doing some research on current rich internet applications / web application platforms, I discovered an online presentation site/tool called Prezi. This online application allows you to make dynamic presentations differently from the standard presentation software like OpenOffice.org's Impress. A nice example can be found online as well of …

cvechecker 0.6 released

Sven Vermeulen — Wed, 08 Sep 2010 21:41:00 +0200

This release makes me quite happy, because it resolves one major PITA I had (performance), but you know how things go. If it works fine for the developer, it's probably an abomination for the rest of the world. Anyhow, cvechecker version 0.6 is now available. It improves reporting performance …

Linux Sea last content chapter

Sven Vermeulen — Sat, 04 Sep 2010 22:42:00 +0200

The last chapter in Linux Sea focuses on Using A Shell. This seems to me like a nice last chapter, as it confronts the user with the exciting world of shell scripts. I hope that the chapters in the book are sufficiently stuffed so that beginners (who are not afraid …

devops - how hard can it/it can be

Sven Vermeulen — Sat, 04 Sep 2010 09:17:00 +0200

Dieter made a good reference to devops and the open source community and (correctly) points out that, even in a more collaborative scene such as the free software communities', there is still distinction between development and operations. And it isn't hard to see commonalities between enterprise organizations and free software …

Linux Sea: log file management and backups

Sven Vermeulen — Thu, 02 Sep 2010 14:31:00 +0200

I've added two more chapters to the Linux Sea book. The first one is about Log file management, the second one about Taking Backups. They're far from finished, but I thought that those two topics are important for day-to-day Gentoo usage and shouldn't be left out of the Linux Sea …

cvechecker 0.5 released

Sven Vermeulen — Thu, 02 Sep 2010 00:57:00 +0200

A new intermediate release of cvechecker is now released. The tool is reported to build properly on NetBSD and FreeBSD as well (although much user experience there is still welcome), introduces a cvereport command (example output), has lowered its initial dependency requirements and pullcves now only loads the CVE XML …

qemu monitor cd change

Sven Vermeulen — Mon, 30 Aug 2010 21:38:00 +0200

I've been playing around with kvm (which uses qemu) to try out other operating systems and Linux distributions. Up until now, little progress on that part (not because it is difficult, just little time) but there are a few things worth mentioning. For this post, let's start with a quicky …

Added "iw" support to Linux Sea

Sven Vermeulen — Thu, 26 Aug 2010 01:42:00 +0200

The wireless driver developers are actively working on a new wireless toolset called "iw", slowly deprecating the older wireless-tools toolset (which contains the "iwconfig" command). Kasumi_Ninja reported to me in the Gentoo Forums that it would be nice to add information on iw to Linux Sea, so I did …

cvechecker 0.4 released

Sven Vermeulen — Wed, 25 Aug 2010 23:55:00 +0200

Albeit with less updates than 0.3 had, cvechecker 0.4 brings in internal project files reorganization (more to the liking of the GNU autoconf/automake standards - I think), fixes a databaseleak (instead of memoryleak ;-) bug and introduces a teenie weenie bit more intelligent pullcves command (with multiple return code …

I remain impressed by the free software community

Sven Vermeulen — Wed, 25 Aug 2010 00:42:00 +0200

My current personal projects, Linux Sea and cvechecker, are actively being watched by the free software community. For the Linux Sea book, I get nice feedback and ideas on the Gentoo Forums and on the cvechecker application, people such as Nigel Horne are helping out in various ways - including feature …

cvechecker userguide

Sven Vermeulen — Sun, 22 Aug 2010 17:37:00 +0200

Just a quick note, I've created and uploaded the cvechecker userguide.

cvechecker 0.3 released

Sven Vermeulen — Fri, 20 Aug 2010 22:15:00 +0200

Time for a new intermediate cvechecker release, so here it is. Changes include (beyond the usual bugfixes) different CSV output (with some sort of version support) so that it can be easily used for reporting purposes, removal of debugging/verbose items and added example files for reporting.

cvechecker 0.2 released

Sven Vermeulen — Mon, 16 Aug 2010 21:35:00 +0200

I've made version 0.2 available of cvechecker. It fixes some build warnings and also supports the normal "make install" step. The pullcves command now also pulls in the latest versions.dat file. Special thanks to Per Andersson for reporting that the ./configure didn't fail if sqlite3 or libconfig wasn't …

cvechecker 0.1 released

Sven Vermeulen — Sat, 14 Aug 2010 22:03:00 +0200

cvechecker version 0.1 is out. This is the first publicly available development release, so it's still far from production-ready yet. However, it is usable so it can now be publicly analyzed to remove all icky bugs and such. I'm not planning (m)any new features (apart from the reporting …

HP webcam on Linux

Sven Vermeulen — Fri, 13 Aug 2010 18:18:00 +0200

Okay, getting the HP webcam running on Linux wasn't hard at all. Enable Video For Linux (CONFIG_VIDEO_DEV) which can be found in the Linux kernel configuration at Device Drivers, Multimedia Support. Then, select Video capture adapters and inside that menu, select V4L USB devices and then USB Video …

New laptop, time to play

Sven Vermeulen — Fri, 13 Aug 2010 01:33:00 +0200

I gave myself a nice treat and bought a new laptop. After some consideration, I decided to go with the HP Pavilion DV7 3150EB. Years ago, I didn't take an HP laptop as the reviews were not that satisfying. However, it looks as if that is past. So I first …

Linux Sea sources online, cvechecker still in development

Sven Vermeulen — Fri, 23 Jul 2010 20:59:00 +0200

First of all, I've put the sources for Linux Sea online at GitHub. Not only does that safeguard any latest changes from not hitting my backup in time before my laptop dies (it's terminal, but I can't let him go yet ;-) but it also allows people who want to help …

cvechecker in development mode

Sven Vermeulen — Mon, 12 Jul 2010 20:31:00 +0200

A while ago I had the idea to create a simple tool that checks the CVE database against my current system. It would allow me to check if my system is somewhat up to date (no pending security vulnerabilities), but also to get an automated overview of the various software …

OVAL, SCAP, CVE, CPE, ...

Sven Vermeulen — Sat, 05 Jun 2010 15:13:00 +0200

For a personal POC I wanted to see if it is possible to generate, based on the collection of CVE entries publicly available, a report informing a system administrator about possible vulnerabilities. Nothing fancy, just based upon versions.

A simple example: tool detects Perl, acquires installed Perl version, then matches …

Listing files of (not) installed software

Sven Vermeulen — Sat, 05 Jun 2010 10:54:00 +0200

Everyone that has been using Gentoo for a while now knows about tools such as qlist that show you the list of files installed by an (installed) package, or qfile that allows you to find which package provided a particular file on your system.

One thing lacking is to be …

GSE TWS BeLux 2010

Sven Vermeulen — Thu, 03 Jun 2010 23:21:00 +0200

Today, IBM generously hosted the GSE TWS BeLux 2010 conference. Although it was organized together with the GSE DB2 conference (which I would also have loved to attend) I must say I was pretty impressed with the topics given, especially those after the lunch.

For me, personally, the topic on …

Question yourself v3

Sven Vermeulen — Wed, 19 May 2010 22:11:00 +0200

Another update to Quizzer, now at version 3. But more importantly, updates to the Linux Sea related chapters are made available online - get a taste for it at the online quizzer set.

Feedback is, as always, very much appreciated.

Question yourself v2

Sven Vermeulen — Tue, 11 May 2010 20:59:00 +0200

A new version of the Quizzer webscript is available. The demo has also been updated with quick tests on the first few chapters of Linux Sea.

More exercises on the following chapters will follow soon.

Updates to the script include visual accept/reject of single-choice and multiple choice answers and …

Question yourself

Sven Vermeulen — Sun, 02 May 2010 23:58:00 +0200

Do you ever write down things in the hope you never forget them, but still think it would be better if you could somehow take a test of that subject from time to time to make sure you don't forget?

I do, and I found it quite difficult to keep …

SAI and N-O-SQL

Sven Vermeulen — Thu, 22 Apr 2010 01:02:00 +0200

Yesterday (argh, the day before yesterday) I went to a SAI conference on nosql. In Belgium, SAI is a non-profit organization for IT people which focuses on knowledge sharing.

The conference that day was on nosql. The presentation given by OuterThought was very good and offered a nice introduction to …

A dozen pages added

Sven Vermeulen — Thu, 22 Apr 2010 00:53:00 +0200

Just a quick heads-up that a dozen pages in the Linux Sea book have been added. Nothing spectacular, just a few more paragraphs on services/runlevels, a few updates on software management and on boot failure resolutions.

License support in Gentoo

Sven Vermeulen — Tue, 16 Feb 2010 00:10:00 +0100

It's a bit sad that Gentoo didn't promote this more, but Gentoo users now have support for license-based masking.

What does this mean? Well, previously, Gentoo already supported various masking reasons (like stable versus staging - the x86 versus \~x86 saga, package.mask'ing - for security reasons or critical bugs, ...). Now, a …

Executing, but only when you're home

Sven Vermeulen — Mon, 18 Jan 2010 23:48:00 +0100

Sometimes you want to execute a particular command, but only when you're at home. Examples would be running fetchmail (or fetchnews) through cron, but you don't want this to run when you're in the train, connected to the Internet through GPRS...

My idea here would be to create a script …

Switching to database architecture

Sven Vermeulen — Fri, 11 Dec 2009 00:34:00 +0100

It's finally committed: I'm going to dive into the realms of database architecture. It's with some sentiment that I'm leaving the expertise field of Apache, J(2)EE and WebSphere, but seeing the database architecture field makes it up well. I'm starting to get acquainted with Oracle DB as first …

Translations to "Linux Sea"

Sven Vermeulen — Wed, 02 Dec 2009 17:38:00 +0100

A few people have contacted me if they were allowed to translate the online book I'm writing (Linux Sea). Of course they are, the license allows it. However, I recommend to wait a bit. At this moment, I'm not going to release the docbook sources (I'm not writing it in …

Small updates on Linux Sea

Sven Vermeulen — Mon, 19 Oct 2009 21:36:00 +0200

A few updates have made it to the Linux Sea book:

Information regarding ndiswrapper
Some information about udev and the symlinks that it creates

The PDF version has been updated as well.

Online image gallery

Sven Vermeulen — Mon, 05 Oct 2009 21:48:00 +0200

If you're not up to the various free image gallery sites, you might want to try out ZenPhoto. Quite powerful, easy to use and well themeable. Requires PHP / MySQL.

Added quota information

Sven Vermeulen — Tue, 01 Sep 2009 23:19:00 +0200

I've added quota support information to the Linux Sea book as well as information about the eclean command for cleaning distfiles and packages. The part on building a Linux kernel has been moved into its own chapter, the chapter on hardware support now has a bit more information about dealing …

Draft PDF for Linux Sea

Sven Vermeulen — Mon, 10 Aug 2009 22:27:00 +0200

I've added a draft PDF version of my Linux Sea document. If you don't mind the A4 papersize and the bad typesetting of the text boxes (I still have lots of overflows to correct) it is quite usable.

Darwin Information Typing Architecture

Sven Vermeulen — Sat, 18 Apr 2009 09:59:00 +0200

Having documented a lot in LaTeX (back in the old days at the university), GuideXML (Gentoo's document markup language) and DocBook (Linux Sea) I'm now pointing my arrows at DITA, the Darwin Information Typing Architecture.

DITA "forces" the technical writer in separating the content of his document in specialized subjects …

Linux Sea is progressing slowly but surely

Sven Vermeulen — Tue, 10 Feb 2009 23:33:00 +0100

My everlasting document, Linux Sea, is progressing slowely but surely. I've started a few new chapters and also initiated a chapter on Installing Gentoo (which is more a shortlist of tasks with pointers to earlier chapters).

I also took a different CSS (docbook.css file used by the FreeBSD handbook …

Extremely simple task manager

Sven Vermeulen — Thu, 18 Dec 2008 22:46:00 +0100

At work, I am often busy with quite a few projects. Yet, at times, I have no outstanding tasks because all of my tasks can only start when an event has occurred (like a server which is made available, or a budget that is approved) or another task has finished …

hex2passwd, a password generator

Sven Vermeulen — Thu, 25 Sep 2008 19:34:00 +0200

I know that repeatable password generators are less secure than random character generators. After all, if you want a strong password, you can simply perform head -c 8 /dev/urandom | mimencode to obtain a nice, random password string.

However, in certain cases you might want to generate passwords given a …

Adding exercises and resources

Sven Vermeulen — Mon, 15 Sep 2008 22:59:00 +0200

As stated earlier, I'm now focusing on the existing content of my (work-in-progress) ebook called Linux Sea (PDF, HTML). I'm going to add more text where appropriate, add exercises to each chapter as well as references to online resources.

When that's finished, I'll probably be writing a chapter on installing …

Linux Sea - Updates on graphical environment chapter

Sven Vermeulen — Thu, 21 Aug 2008 22:08:00 +0200

I've updated the chapter on graphical environments a bit to reflect how applications, window managers, X server and widget toolkits work together. Hopefully it isn't a big lie that I wrote there ;-)

I'll probably be doing a bit of clean ups the coming days before I start out with more …

Playing with gqview

Sven Vermeulen — Mon, 18 Aug 2008 15:48:00 +0200

Some time ago I received a digital camera; however, due to diskspace shortage I need to clean up my home directory. One of the directories that eats most of my sectors is one where I store all my pictures.

I know I have a lot of duplicate pictures, pictures deduced …