Simplicity is a form of art..., 09 Sep 2018 13:20:00 +0200

cvechecker 3.9 released
<p>Thanks to updates from Vignesh Jayaraman, Anton Hillebrand and Rolf Eike Beer, a new release of <a href="">cvechecker</a> is now available.</p> <p>This new release (v3.9) is a bugfix release.</p>
Sven Vermeulen, Sun, 09 Sep 2018 13:20:00 (2018-09-09:/2018/09/cvechecker-3.9-released/); tags: cvechecker

Automating compliance checks
<p>With the configuration baseline for a technical service fully described (see the <a href="">first</a>, <a href="">second</a> and <a href="">third</a> post in this series), it is time to consider validating the settings in an automated manner. The preferred method for this is to use the <em>Open Vulnerability and Assessment Language (OVAL)</em>, which is nowadays managed by the <a href="">Center for Internet Security</a>, abbreviated as CISecurity. Previously, OVAL was maintained and managed by Mitre under NIST supervision, and Google searches will often still point to the old sites. However, documentation is now maintained in CISecurity's <a href="">github repositories</a>.</p> <p>But I digress...</p>
Sven Vermeulen, Sat, 03 Mar 2018 13:20:00 (2018-03-03:/2018/03/automating-compliance-checks/); tags: xccdf, oval, scap, baseline

Documenting a rule
<p>In the <a href="">first post</a> I talked about why configuration documentation is important. In the <a href="">second post</a> I looked into a good structure for configuration documentation of a technological service, and ended with an XCCDF template in which this documentation can be structured.</p> <p>The next step is to document the rules themselves, i.e. 
the actual content of a configuration baseline.</p>
Sven Vermeulen, Wed, 24 Jan 2018 20:40:00 (2018-01-24:/2018/01/documenting-a-rule/); tags: xccdf, scap, baseline

Structuring a configuration baseline
<p>A good configuration baseline has a readable structure that allows all stakeholders to quickly see whether the baseline is complete, as well as to find a particular setting regardless of the technology. In this blog post, I'll cover a possible structure for the baseline which attempts to be sufficiently complete and technology agnostic.</p> <p>If you haven't read the blog post on <a href="">documenting configuration changes</a>, it might be a good idea to do so, as it declares the scope of configuration baselines and why I think XCCDF is a good match for this.</p>
Sven Vermeulen, Wed, 17 Jan 2018 09:10:00 (2018-01-17:/2018/01/structuring-a-configuration-baseline/); tags: xccdf, scap, baseline

Documenting configuration changes
<p>IT teams are continuously under pressure to set up and maintain infrastructure services quickly, efficiently and securely. As an infrastructure architect, my main concerns are the manageability of these services and their secure setup. And within those realms, a properly documented configuration is in my opinion crucial.</p> <p>In this blog post series, I'm going to look into using the <em>Extensible Configuration Checklist Description Format (XCCDF)</em> as the way to document these. This first post is a functional introduction to XCCDF, and to what I position it for.</p>
Sven Vermeulen, Sun, 07 Jan 2018 21:20:00 (2018-01-07:/2018/01/documenting-configuration-changes/); tags: xccdf, scap, baseline

SELinux and extended permissions
<p>One of the features present in the <a href="">August release</a> of the SELinux user space is its support for ioctl xperm rules in modular policies. In the past, this was only possible in monolithic ones (and CIL). 
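</p>
<p>As an added illustration (mine, not the post's), the following reference policy module fragment shows what such a rule looks like. The domain <code>myapp_t</code> and the device type <code>myserial_device_t</code> are assumptions; the two request numbers are the real Linux termios ioctls TCGETS and TIOCGWINSZ.</p>

```selinux
# Added example (not from the post): a reference policy module granting a
# hypothetical domain myapp_t two ioctls on a serial device.  The type names
# are assumptions; the request numbers are the real Linux termios values
# TCGETS (0x5401) and TIOCGWINSZ (0x5413).
policy_module(myapp, 1.0)

gen_require(`
	type myserial_device_t;
')

type myapp_t;
domain_type(myapp_t)

# The ordinary rule still has to grant the ioctl permission as a whole ...
allow myapp_t myserial_device_t:chr_file { open read write ioctl };

# ... and the xperm rule narrows it to the listed request numbers.  Ranges
# (0x5400-0x54ff) and the dontauditxperm / neverallowxperm variants use the
# same syntax.  Every other request, TCSETS (0x5402) for instance, is now
# denied and logged with an ioctlcmd= field that audit2allow understands.
allowxperm myapp_t myserial_device_t:chr_file ioctl { 0x5401 0x5413 };
```

<p>Once a single <code>allowxperm</code> rule exists for a source/target/class triple, every ioctl on that triple must match one of the listed numbers (only the low 16 bits of the request are compared); the plain <code>ioctl</code> permission alone no longer suffices, so add the xperm rule only after collecting the complete set of requests the application really issues. The rule needs policy version 30 or later (Linux 4.3 and up), which is also why it fails to build on older kernels and policy compilers.</p>
<p>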
With extended permissions, allow rules cover not only the source (domain) and target (resource) identifiers, but also the specific operation number to which they apply. And ioctls are the first (and currently only) permission for which this is implemented.</p> <p>Note that ioctl-level permission control isn't a new feature by itself, but the fact that it can be used in modular policies is.</p>
Sven Vermeulen, Mon, 20 Nov 2017 17:00:00 (2017-11-20:/2017/11/selinux-and-extended-permissions/); tags: selinux, ioctl

SELinux Userspace 2.7
<p>A few days ago, <a href="">Jason "perfinion" Zaman</a> stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a <a href="">few new features</a>, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package into separate packages so that deployments can be made more specific.</p> <p>Let's take a look at all the various userspace packages again and learn what their purpose is, so that you can decide whether they're needed on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).</p>
Sven Vermeulen, Tue, 26 Sep 2017 14:50:00 (2017-09-26:/2017/09/selinux-userspace-2.7/); tags: gentoo, selinux, userspace

Authenticating with U2F
<p>In order to further secure access to my workstation, after the <a href="">switch to Gentoo sources</a>, I have now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password and the correct SSH key, by <a href="">chaining authentication methods in OpenSSH</a>.</p> <p>Enabling U2F on (Gentoo) Linux is fairly easy. 
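</p>
<p>As an added example (mine, not the post's or the Gentoo wiki article's configuration), this is the PAM stanza that makes the token a required second factor for console login on Gentoo. The file name follows Gentoo's PAM layout; the mapping file path <code>/etc/u2f_mappings</code> and the host name <code>workstation</code> are assumptions.</p>

```pam
# /etc/pam.d/system-local-login: the stack that console login and the
# display managers include on Gentoo.  Only the auth section changes.
#
# cue       prints "Please touch the device." so the user knows why the
#           login is waiting on the token
# authfile  a root-owned, central mapping file instead of the default
#           ~/.config/Yubico/u2f_keys, which a compromised session could
#           rewrite to enrol an attacker's token
# origin/   default to pam://<hostname>; pin them, because renaming the
# appid     host otherwise invalidates every registration
# nouserok  (deliberately not set) would let users without a mapping line
#           in with a password only; handy while enrolling, remove it after
auth      required  pam_u2f.so  authfile=/etc/u2f_mappings cue origin=pam://workstation appid=pam://workstation
auth      include   system-login

account   include   system-login
password  include   system-login
session   include   system-login
```

<p>The mapping lines are produced with <code>pamu2fcfg -u &lt;user&gt; -o pam://workstation -i pam://workstation</code> while the token is plugged in, and appended to <code>/etc/u2f_mappings</code> by root. Because the module is <code>required</code> and listed first, a missing or failing token still lets the password prompt run but fails the stack at the end, so a failed login does not reveal which factor was wrong. Before logging out, verify from a second TTY (or with <code>pamtester system-local-login &lt;user&gt; authenticate</code>) that password plus touch succeeds and that the password alone does not.</p>
<p>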
The various guides online which talk about the <code>pam_u2f</code> setup are indeed correct that it is fairly simple. For completeness' sake, I've documented what I know on the Gentoo Wiki, in the <a href="">pam_u2f article</a>.</p>
Sven Vermeulen, Mon, 11 Sep 2017 18:25:00 (2017-09-11:/2017/09/authenticating-with-u2f/); tags: gentoo, security, yubico, u2f, pam

Using nVidia with SELinux
<p>Yesterday I <a href="">switched to the gentoo-sources kernel package</a> on Gentoo Linux. And with that, I also attempted (successfully) to use the proprietary nvidia drivers so that I can enjoy both a smoother 3D experience while playing minecraft, and the CUDA support so I don't need to use cloud-based services for small exercises.</p> <p>The move to nvidia was quite simple, as the <a href="">nvidia-drivers wiki article</a> on the Gentoo wiki was quite easy to follow.</p>
Sven Vermeulen, Wed, 23 Aug 2017 19:04:00 (2017-08-23:/2017/08/using-nvidia-with-selinux/); tags: gentoo, selinux, nvidia

Switch to Gentoo sources
<p>You might already have read it on the Gentoo news site: the <a href="">Hardened Linux kernel sources have been removed from the tree</a> due to the <a href="">grsecurity</a> change whereby the grsecurity Linux kernel patches are no longer provided for free. The decision was made for supportability and maintainability reasons.</p> <p>That doesn't mean that users who want to stick with the grsecurity related hardening features are left on their own. <a href="">Agostino Sarubbo has started providing sys-kernel/grsecurity-sources</a> for the users who want to stick with it, based on <a href="">minipli's unofficial patchset</a>. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.</p> <p>Personally though, I'm switching to the Gentoo sources, and sticking with SELinux as one of the protection measures. 
And with that, I might even start using my NVidia graphics card a bit more, as it hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).</p>
Sven Vermeulen, Tue, 22 Aug 2017 19:04:00 (2017-08-22:/2017/08/switch-to-gentoo-sources/); tags: gentoo, hardened, grsecurity, selinux

Project prioritization
<p><sub>This is a long read, skip to “Prioritizing the projects and changes” for the approach details...</sub></p> <p>Organizations and companies generally have an IT workload (dare I say, backlog?) which needs to be properly assessed, prioritized and taken up. Sometimes the IT team(s) get an amount of budget and HR resources to "do their thing", while others need to continuously ask for approval to launch a new project or instantiate a change.</p> <p>Sizeable organizations even require engineering and development effort on IT projects which is not readily available: specialized teams exist, but governance-wise they are assigned to projects. And as everyone thinks their project is the top priority, many will be disappointed when they hear there are no resources available for their pet project.</p> <p>So... how should organizations prioritize such projects?</p>
Sven Vermeulen, Tue, 18 Jul 2017 20:40:00 (2017-07-18:/2017/07/project-prioritization/); tags: pmo, strategy, SAFe, prioritization, project

Structuring infrastructural deployments
<p>Many organizations struggle with the ever-increasing allocation of IP addresses and the accompanying need for segmentation. In the past, governing the segments within the organization meant keeping close control over the service deployments, firewall rules, etc.</p> <p>Lately, the idea of micro-segmentation, supported through software-defined networking solutions, seems to defy the need for segmentation governance. 
However, I think that is a very short-sighted sales proposition. Even with micro-segmentation, or even pure point-to-point / peer-to-peer communication flow control, you will still need a high-level overview of the services within your scope.</p> <p>In this blog post, I'll give some insights into how we are approaching this in the company I work for. In short, it starts with requirements gathering, creating labels to assign to deployments, creating groups based on one or two labels in a layered approach, and finally fixing the resulting schema and map guidance documents (policies) onto the presented architecture.</p>
Sven Vermeulen, Wed, 07 Jun 2017 20:40:00 (2017-06-07:/2017/06/structuring-infrastructural-deployments/); tags: segmentation, zoning, deployments, landscape

Matching MD5 SSH fingerprint
<p>Today I was attempting to update a local repository, when SSH complained about a changed fingerprint, something like the following:</p>
<div class="highlight"><pre>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:p4ZGs+YjsBAw26tn2a+HPkga1dPWWAWX+NEm4Cv4I9s.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:9
ECDSA host key for has changed and you have requested strict checking.
Host key verification failed.
</pre></div>
Sven Vermeulen, Thu, 18 May 2017 18:20:00 (2017-05-18:/2017/05/matching-md5-ssh-fingerprint/); tags: openssh, fingerprint, md5

Switched to Lineage OS
<p>I have been a long time user of <a href="">Cyanogenmod</a>, which discontinued its services at the end of 2016. 
Due to a lack of (continuous) time, I was not able to switch over to a different ROM. Also, I wasn't sure whether <a href="">LineageOS</a> would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.</p> <p>Today, I made my choice and installed LineageOS.</p>
Sven Vermeulen, Sun, 09 Apr 2017 16:40:00 (2017-04-09:/2017/04/switched-to-lineage-os/); tags: cyanogenmod, lineageos, mobile, android

cvechecker 3.8 released
<p>A new release is now available for the <a href="">cvechecker</a> application. This is a stupid yet important bugfix release: the 3.7 release saw all newly released CVEs as already known, so it did not take them up into the database. As a result, systems would never check for the new CVEs.</p>
Sven Vermeulen, Mon, 27 Mar 2017 19:00:00 (2017-03-27:/2017/03/cvechecker-3.8-released/); tags: cvechecker

Handling certificates in Gentoo Linux
<p>I recently created a new article on the Gentoo Wiki titled <a href="">Certificates</a>, which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle <em>everything</em> about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of Chromium and Firefox separately, even though they both use NSS.</p>
Sven Vermeulen, Mon, 06 Mar 2017 22:20:00 (2017-03-06:/2017/03/handling-certificates-in-gentoo-linux/); tags: gentoo, certificates, nss

cvechecker 3.7 released
<p>After a long time of getting too little attention from me, I decided to make a new <a href="">cvechecker</a> release. There are few changes in it, but I am planning to make a new release soon with lots of clean-ups.</p>
Sven Vermeulen, Thu, 02 Mar 2017 10:00:00 (2017-03-02:/2017/03/cvechecker-3.7-released/); tags: cvechecker

I missed FOSDEM
<p>I sadly had to miss out on the FOSDEM event. The entire weekend was filled with me being apathetic, feverish and overall zombie-like. 
Yes, sickness can be cruel. It wasn't until today that I had the energy back to fire up my laptop.</p> <p>Sorry to the crew that I promised to meet at FOSDEM. I'll make it up, somehow.</p>
Sven Vermeulen, Tue, 07 Feb 2017 17:06:00 (2017-02-07:/2017/02/i-missed-fosdem/); tags: gentoo, fosdem

SELinux System Administration, 2nd Edition
<p>While still working on a few other projects, one of the time consumers of the past half year (haven't you noticed? my blog was quite silent) has come to an end: the <a href="">SELinux System Administration - Second Edition</a> book is now available. With almost double the number of pages and a serious update of the content, the book can now be bought either through Packt Publishing itself or through the various online bookstores such as <a href="">Amazon</a>.</p> <p>With the holidays now approaching, I hope to be able to execute a few tasks within the Gentoo community (and the Gentoo Foundation) and get back on track. Luckily, my absence did not jeopardize the state of <a href="">SELinux</a> in Gentoo, thanks to the efforts of Jason Zaman.</p>
Sven Vermeulen, Thu, 22 Dec 2016 19:26:00 (2016-12-22:/2016/12/selinux-system-administration-2nd-edition/); tags: selinux, gentoo, rhel, redhat, packt, book, publishing

GnuPG: private key suddenly missing?
<p>After updating my workstation, I noticed that keychain reported that it could not load one of the GnuPG keys I passed to it.</p>
<div class="highlight"><pre> * keychain 2.8.1 ~
 * Found existing ssh-agent: 2167
 * Found existing gpg-agent: 2194
 * Warning: can&#39;t find 0xB7BD4B0DE76AC6A4; skipping
 * Known ssh key: /home/swift/.ssh/id_dsa
 * Known ssh key: /home/swift/.ssh/id_ed25519
 * Known gpg key: 0x22899E947878B0CE
</pre></div>
<p>I did not modify my key store at all, so what happened?</p>
Sven Vermeulen, Wed, 12 Oct 2016 18:56:00 (2016-10-12:/2016/10/gnupg-private-key-suddenly-missing/); tags: gnupg

We do not ship SELinux sandbox
<p>A few days ago a vulnerability was reported in the SELinux sandbox user space utility. 
The utility is part of the <code>policycoreutils</code> package. Luckily, Gentoo's <code>sys-apps/policycoreutils</code> package is not vulnerable - and not because we were clairvoyant about this issue, but because we don't ship this utility.</p>
Sven Vermeulen, Tue, 27 Sep 2016 20:47:00 (2016-09-27:/2016/09/we-do-not-ship-selinux-sandbox/); tags: selinux, sandbox, gentoo, vulnerability, seunshare

Mounting QEMU images
<p>While working on the second edition of my first book, <a href="">SELinux System Administration - Second Edition</a>, I had to test out a few commands on different Linux distributions to make sure that I don't create instructions that only work on Gentoo Linux. After all, as awesome as Gentoo might be, the Linux world is a bit bigger. So I downloaded a few live systems to run in Qemu/KVM.</p> <p>Some of these systems however use <a href="">cloud-init</a> which, while interesting to use, is not set up on my system yet. And without support for cloud-init, how can I get access to the system?</p>
Sven Vermeulen, Mon, 26 Sep 2016 19:26:00 (2016-09-26:/2016/09/mounting-qemu-images/); tags: qemu

Comparing Hadoop with mainframe
<p>At my work, I have the pleasure of being involved in a big data project that uses Hadoop as the primary platform for several services. As an architect, I try to get to know the platform's capabilities, its potential use cases, its surrounding ecosystem, etc. And although the implementation at work is not in its final form (yay agile infrastructure releases), I am starting to get a grasp of where we might be going.</p> <p>For many analysts and architects, this Hadoop platform is the new kid on the block, so I have some work to do explaining what it is and what it is capable of. Not for the fun of it, but to help the company make the right decisions, to support management and operations, and to lift the fear of new environments. 
One thing I once said is that "Hadoop is the poor man's mainframe", because I notice some high-level similarities between the two.</p>
Sven Vermeulen, Wed, 15 Jun 2016 20:55:00 (2016-06-15:/2016/06/comparing-hadoop-with-mainframe/); tags: hadoop, mainframe

Template was specified incorrectly
<p>After reorganizing my salt configuration, I received the following error:</p>
<div class="highlight"><pre>[ERROR ] Template was specified incorrectly: False
</pre></div>
<p>Enabling some debugging on the command gave me a slight pointer as to why this occurred:</p>
<div class="highlight"><pre>[DEBUG ] Could not find file from saltenv &#39;testing&#39;, u&#39;salt://top.sls&#39;
[DEBUG ] No contents loaded for env: testing
[DEBUG ] compile template: False
[ERROR ] Template was specified incorrectly: False
</pre></div>
<p>I was using a single top file as recommended by Salt, but apparently it was still looking for top files in the other environments.</p> <p>Yet, if I split the top files across the environments, I got the following warning:</p>
<div class="highlight"><pre>[WARNING ] Top file merge strategy set to &#39;merge&#39; and multiple top files found. Top file merging order is undefined; for better results use &#39;same&#39; option
</pre></div>
<p>So what's all this about?</p>
Sven Vermeulen, Sun, 27 Mar 2016 13:32:00 (2016-03-27:/2016/03/template-was-specified-incorrectly/); tags: salt

Using salt-ssh with agent forwarding
<p>Part of a system's security is reducing its attack surface. Following this principle, I want to see if I can switch a saltstack-managed set of systems from regular salt minions to <code>salt-ssh</code>. 
This would allow some of the system management to be done over SSH instead of ZeroMQ.</p> <p>I'm not confident yet that this is a solid approach to take (performance is also important, and it is greatly reduced with <code>salt-ssh</code>), and the exposure of the salt minions over ZeroMQ is not that insecure either (especially not when a local firewall ensures that only connections from the salt master are allowed). But playing doesn't hurt.</p>
Sven Vermeulen, Sat, 26 Mar 2016 19:57:00 (2016-03-26:/2016/03/using-salt-ssh-with-agent-forwarding/); tags: salt

Trying out imapsync
<p>Recently, I had to migrate mail boxes for a couple of users from one mail provider to another. Both mail providers used IMAP, so I looked into IMAP related synchronization methods. I quickly found the <a href="">imapsync</a> application, which is also available through Gentoo's repository.</p>
Sven Vermeulen, Sun, 13 Mar 2016 12:57:00 (2016-03-13:/2016/03/trying-out-imapsync/); tags: imapsync

New cvechecker release
<p>A short while ago I got the notification that pulling new CVE information was no longer possible. The reason was that the NVD site no longer supported uncompressed downloads. The fix for cvechecker was simple, and it also gave me a reason to push out a new release (after two years) which also includes various updates by Christopher Warner.</p> <p>So <a href="">cvechecker 3.6</a> is now available for general consumption.</p>
Sven Vermeulen, Sat, 07 Nov 2015 11:07:00 (2015-11-07:/2015/11/new-cvechecker-release/); tags: cvechecker

Switching focus at work
<p>Since 2010, I have been responsible at work for the infrastructure architecture of a couple of technological domains, namely databases and scheduling/workload automation. It brought me in contact with many vendors, many technologies and, most importantly, many teams within the organization. 
The focus domain was challenging, as I had to deal with the strategy on how the organization, which is a financial institution, will deal with databases and scheduling in the long term.</p>
Sven Vermeulen, Sun, 20 Sep 2015 13:29:00 (2015-09-20:/2015/09/switching-focus-at-work/); tags: work, hadoop, docker

Getting su to work in init scripts
<p>While developing an init script which has to switch user, I got a couple of errors from SELinux and the system itself:</p>
<div class="highlight"><pre><span class="go">~# rc-service hadoop-namenode format</span>
<span class="go">Authenticating root.</span>
<span class="go"> * Formatting HDFS ...</span>
<span class="go">su: Authentication service cannot retrieve authentication info</span>
<span class="go">(Ignored)</span>
</pre></div>
Sven Vermeulen, Mon, 14 Sep 2015 16:37:00 (2015-09-14:/2015/09/getting-su-to-work-in-init-scripts/); tags: selinux, initrc

Custom CIL SELinux policies in Gentoo
<p>In Gentoo, we have been supporting <a href="">custom policy packages</a> for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages by default (although <a href="">binary packages</a> are supported as well).</p> <p>A recent <a href="">commit</a> now also allows CIL files to be used.</p>
Sven Vermeulen, Thu, 10 Sep 2015 07:13:00 (2015-09-10:/2015/09/custom-cil-selinux-policies-in-gentoo/); tags: gentoo, cil, selinux, ebuild, eclass

Using multiple OpenSSH daemons
<p>I administer a couple of systems which provide interactive access to end users, and for this interactive access I use <a href="">OpenSSH</a>. However, I also use it for administrative access to the system, and I tend to have stricter security requirements for OpenSSH than most users do.</p> <p>For instance, on one system, end users with a userid + password use the sFTP server for publishing static websites. 
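</p>
<p>As an added example (mine, not the configuration from the post), this is what the SFTP-only instance can look like. The group name, port, paths and umask are assumptions.</p>

```sshd_config
# Added example: /etc/ssh/sshd_config.sftp, a second sshd instance that only
# serves chrooted SFTP to members of the "webpub" group.  Start it next to
# the normal daemon with
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.sftp
# and keep the administrative instance on its own port and config file.
Port 2222
ListenAddress 0.0.0.0
PidFile /run/sshd-sftp.pid
HostKey /etc/ssh/ssh_host_ed25519_key

# Password logins only, only for this group, never root.
PermitRootLogin no
AllowGroups webpub
PasswordAuthentication yes
PubkeyAuthentication no
ChallengeResponseAuthentication no

# Nothing but SFTP: no shell, no forwarding, no agent, no X11.
Subsystem sftp internal-sftp

# Match blocks must come last; everything below applies only to webpub.
Match Group webpub
    # Every path component must be owned by root and not group/world
    # writable, or sshd refuses the login; give each user a writable
    # subdirectory (e.g. htdocs) inside the chroot instead.
    ChrootDirectory /srv/www/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

<p>Check the file with <code>sshd -t -f /etc/ssh/sshd_config.sftp</code> before starting it. The two instances need their own <code>Port</code> and <code>PidFile</code> but can share host keys, so clients see a single identity for the machine; what they must not share is the user population, which is what <code>AllowGroups</code> on each side enforces.</p>
<p>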
Other access is prohibited, so for that population I want an OpenSSH configuration with chrooted users and internal sftp support, whereas a different OpenSSH instance is used for administrative access (which is only accessible to myself and some trusted parties).</p>
Sven Vermeulen, Sun, 06 Sep 2015 16:37:00 (2015-09-06:/2015/09/using-multiple-openssh-daemons/); tags: openssh, ssh, u2f, selinux

Maintaining packages and backporting
<p>A few days ago I committed a small update to <code>policycoreutils</code>, a SELinux related package that provides most of the management utilities for SELinux systems. The fix was to get two patches (which are committed upstream) into the existing release so that our users can benefit from the fixed issues without having to wait for a new release.</p>
Sven Vermeulen, Wed, 02 Sep 2015 20:33:00 (2015-09-02:/2015/09/maintaining-packages-and-backporting/); tags: gentoo, ebuild, patching

Doing away with interfaces
<p>CIL is SELinux's Common Intermediate Language, which brings a whole new set of possibilities for policy development. I hardly know CIL but am (slowly) learning. Of course, the best way to learn is to try and do lots of things with it, but real-life work and time-to-market for now force me to stick with the M4-based refpolicy one.</p> <p>Still, I do try out some things here and there, and one of the things I wanted to look into was how CIL policies would deal with interfaces.</p>
Sven Vermeulen, Sat, 29 Aug 2015 11:30:00 (2015-08-29:/2015/08/doing-away-with-interfaces/); tags: selinux, cil

Slowly converting from GuideXML to HTML
<p>Gentoo has removed its support for the older GuideXML format in favor of using the <a href="">Gentoo Wiki</a> and a new content management system for the main site (or is it static pages? I don't have the faintest idea, to be honest). I do still have a few GuideXML pages in my development space, which I am going to move to HTML pretty soon.</p> <p>In order to do so, I make use of the <a href="">guidexml2wiki</a> stylesheet I <a href="">developed</a>. 
But instead of migrating them to wiki syntax, I want to end up with HTML.</p>
Sven Vermeulen, Tue, 25 Aug 2015 11:30:00 (2015-08-25:/2015/08/slowly-converting-from-guidexml-to-html/); tags: gentoo, guidexml, xml, xslt, rst, mediawiki, html

Making the case for multi-instance support
<p>With the high attention that technologies such as <a href="">Docker</a>, <a href="">Rocket</a> and the like get (I recommend looking at <a href="">Bocker</a> by Peter Wilmott as well ;-), I still find it important that technologies are well capable of supporting a multi-instance environment.</p> <p>Being able to run multiple instances makes for great consolidation. The system can be optimized for the technology and access to the system limited to the admins of said technology, while still providing isolation between instances. For some technologies, running on commodity hardware just doesn't cut it (not all software is written for such hardware platforms), and consolidation allows for reducing (hardware/licensing) costs.</p>
Sven Vermeulen, Sat, 22 Aug 2015 12:45:00 (2015-08-22:/2015/08/making-the-case-for-multi-instance-support/)

Switching OpenSSH to ed25519 keys
<p>With Mike's <a href="">news item</a> on OpenSSH's deprecation of the <a href="">DSA algorithm</a> for public key authentication, I started switching the few keys I still had using DSA to the suggested <a href="">ED25519</a> algorithm. Of course, I wouldn't be a security-interested party if I did not do some additional investigation into the DSA versus Ed25519 discussion.</p>
Sven Vermeulen, Wed, 19 Aug 2015 18:26:00 (2015-08-19:/2015/08/switching-openssh-to-ed25519-keys/); tags: openssh, ssh, gentoo

Updates on my Pelican adventure
<p>It's been a few weeks since I <a href="">switched</a> my blog to <a href="">Pelican</a>, a static site generator built with Python. 
A number of adjustments have been made since, which I'll happily talk about.</p>
Sven Vermeulen, Sun, 16 Aug 2015 19:50:00 (2015-08-16:/2015/08/updates-on-my-pelican-adventure/); tags: blog, pelican, wordpress

Finding a good compression utility
<p>I recently came across a <a href="">wiki page</a> written by <a href="">Herman Brule</a> which gives a quick benchmark of a couple of compression methods / algorithms. It gave me the idea of writing a quick script that tests out a wide number of compression utilities available in Gentoo (usually through the <code>app-arch</code> category), with a number of options as well (in case multiple options are possible).</p>
Sven Vermeulen, Thu, 13 Aug 2015 19:15:00 (2015-08-13:/2015/08/finding-a-good-compression-utility/); tags: gentoo, compression

Why we do confine Firefox
<p>If you follow the SELinux development community a bit, you will know <a href="">Dan Walsh</a>, a <a href="">Red Hat</a> security engineer. Today he <a href="">blogged</a> about <em>CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox</em>. He should have asked why the <em>reference policy</em> or the <em>Red Hat/Fedora policy</em> does not confine Firefox, because SELinux is, as I've <a href="">mentioned before</a>, not the same as its policy.</p> <p>In effect, Gentoo's SELinux policy <em>does</em> confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to <a href="">develop desktop policies</a> in order to reduce exposure and information leakage of user documents. 
We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.</p>
Sven Vermeulen, Tue, 11 Aug 2015 19:18:00 (2015-08-11:/2015/08/why-we-do-confine-firefox/); tags: gentoo, selinux, policy, firefox, cve, vulnerability, xdg

Can SELinux substitute DAC?
<p>A nice <a href="">twitter discussion</a> with <a href="">Erling Hellenäs</a> caught my full attention later when I was heading home: can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not, and what would be needed?</p> <p>SELinux is implemented through the <a href="">Linux Security Modules framework</a>, which allows different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through <em>additional</em> access checks. This criterion was chosen to keep LSM as minimally invasive as possible.</p>
Sven Vermeulen, Sun, 09 Aug 2015 14:48:00 (2015-08-09:/2015/08/can-selinux-substitute-dac/); tags: selinux, refpolicy, linux, dac, lsm

Filtering network access per application
<p>Iptables (and its successor nftables) is a powerful packet filtering system in the Linux kernel, able to create advanced firewall capabilities. One of the features that it <em>cannot</em> provide is per-application filtering. Together with SELinux however, it is possible to implement this on a <em>per domain</em> basis.</p> <p>SELinux does not know applications, but it knows domains. 
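</p>
<p>As an added example (mine, not the post's), the mechanism that ties the two together is SECMARK: the firewall stamps a label on packets, and the policy decides which domain may send or receive packets carrying that label. The domain <code>myapp_t</code>, the packet type <code>myapp_https_packet_t</code> and the firewall rules are assumptions, and <code>corenet_packet</code> and <code>kernel_sendrecv_unlabeled_packets</code> are the reference policy interfaces I assume for this.</p>

```selinux
# Added example (not from the post): restricting outbound HTTPS to a single
# domain with SECMARK.  myapp_t and myapp_https_packet_t are assumed names.
policy_module(myapp_net, 1.0)

########################################
# Declarations

type myapp_t;
domain_type(myapp_t)

# A packet type: the label the firewall stamps on matching packets.
type myapp_https_packet_t;
corenet_packet(myapp_https_packet_t)

########################################
# Policy

# Only myapp_t may send or receive packets carrying the label.  Any other
# domain that tries gets an AVC denial on the packet class, whichever
# user runs it, so the restriction does not depend on DAC.
allow myapp_t myapp_https_packet_t:packet { send recv };

# Labelling is switched on by the firewall (assumed rules, applied as root):
#   iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
#   iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
#   iptables -t mangle -A OUTPUT -p tcp --dport 443 -m state --state NEW \
#       -j SECMARK --selctx system_u:object_r:myapp_https_packet_t:s0
#   iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
# CONNSECMARK copies the label onto the connection, so replies arriving on
# INPUT carry it too and the 'recv' check above applies to them as well.

# Everything the rules above do not match is unlabeled_t.  A domain that
# still needs the network, sshd_t for example, must be allowed that
# explicitly or it loses connectivity the moment the rules are loaded.
gen_require(`
	type sshd_t;
')
kernel_sendrecv_unlabeled_packets(sshd_t)
```

<p>The first SECMARK rule switches labelling on for all traffic, not just the matched flows: every packet no rule matched is <code>unlabeled_t</code>, so each domain that should keep talking to the network needs the <code>unlabeled_t</code> send/recv permission, otherwise the change breaks far more than the one application. Load the rules in permissive mode first and look for <code>tclass=packet</code> AVC denials to find the domains that were missed.</p>
<p>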
If we ensure that each application runs in its own domain, then we can combine the firewall capabilities with SELinux to allow network access only to those domains that need it.</p>
Sven Vermeulen, Fri, 07 Aug 2015 03:49:00 (2015-08-07:/2015/08/filtering-network-access-per-application/); tags: selinux, network, iptables

My application base: Obnam
<p>It is often said, yet too often forgotten: take backups (and verify that they work). Taking backups is not purely for companies and organizations. Individuals should also take backups to ensure that, in case of errors or calamities, the all-important files are readily recoverable.</p> <p>For backing up files and directories, I personally use <a href="">obnam</a>, after playing around with <a href="">Bacula</a> and <a href="">attic</a>. Bacula is more intended for large distributed environments (although I also tend to use obnam for my server infrastructure) and was too complex for my taste. The choice between obnam and attic is even more a matter of personal preference.</p>
Sven Vermeulen, Wed, 05 Aug 2015 22:35:00 (2015-08-05:/2015/08/my-application-base-obnam/); tags: mab, backup, obnam

Don't confuse SELinux with its policy
<p>With the increased attention that SELinux is getting thanks to its inclusion in recent <a href="">Android</a> releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators are still disabling SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.</p>
Sven Vermeulen, Mon, 03 Aug 2015 01:49:00 (2015-08-03:/2015/08/dont-confuse-selinux-with-its-policy/); tags: selinux, policy, cil

Switching to Pelican
<p>Nothing beats a few hours of flying to get things moving. 
Being offline for a few hours with a good workstation helps to not be disturbed by external actions (air pockets notwithstanding).</p> <p>Early this year, I expressed my <a href="">intentions to move to Pelican</a> from WordPress. I wasn't actually unhappy with WordPress, but the security concerns I had were a bit too much for a blog as simple as mine. Running a PHP-enabled site with a database for something that I can easily handle through a static site, well, I had to try.</p>
Sven Vermeulen, Sun, 02 Aug 2015 04:09:00 (2015-08-02:/2015/08/switching-to-pelican/); tags: blog, pelican, wordpress

Loading CIL modules directly
<p>In a <a href="">previous post</a> I used the <code>secilc</code> binary to load an additional test policy. Little did I know (and that's actually embarrassing, because it was one of the things I complained about) that you can just use the CIL policy as modules directly.</p> <p>With this I mean that a …</p>
Sven Vermeulen, Wed, 15 Jul 2015 15:54:00 (2015-07-15:/2015/07/loading-cil-modules-directly/); tags: cil, selinux

Restricting even root access to a folder
<p>In a <a href="">comment</a> Robert asked how to use SELinux to prevent even root from accessing a directory. The trivial solution would be not to assign an administrative role to the root account (which is definitely possible, but you want some way to gain administrative access otherwise ;-)</p> <p>Restricting root is one of the commonly cited features of a MAC (Mandatory Access Control) system. With a well designed user management and sudo environment, it is fairly trivial - but if you need to start from the premise that a user has direct root access, it requires some thought to implement it correctly. 
The main "issue" is not that it is difficult to implement policy-wise, but that most users will start from a pre-existing policy (such as the reference policy) and build on top of that.</p> Sven VermeulenSat, 11 Jul 2015 14:09:00,2015-07-11:/2015/07/restricting-even-root-access-to-a-folder/Intermediate policies<p>When developing SELinux policies for new software (or existing ones whose policies I don't agree with) it is often more difficult to finish the policies so that they are broadly usable. When dealing with personal policies, having them "just work" is often sufficient. To make the policies reusable for distributions (or for the upstream project), a number of things are necessary:</p> <ul> <li>Try structuring the policy using the style as suggested by refpolicy or Gentoo</li> <li>Add the role interfaces that are most likely to be used or required, or which are in the current draft implemented differently</li> <li>Refactor some of the policies to use refpolicy/Gentoo style interfaces</li> <li>Remove the comments from the policies (as refpolicy does not want too verbose policies)</li> <li>Change or update the file context definitions for default installations (rather than the custom installations I use)</li> </ul> Sven VermeulenSun, 05 Jul 2015 18:17:00,2015-07-05:/2015/07/intermediate-policies/communitycontributionspolicy developmentselinuxWhere does CIL play in the SELinux system?<p>SELinux policy developers already have a number of file formats to work with. Currently, policy code is written in a set of three files:</p> <ul> <li>The <code>.te</code> file contains the SELinux policy code (type enforcement rules)</li> <li>The <code>.if</code> file contains functions which turn a set of arguments into blocks of SELinux policy code (interfaces). 
These functions are called by other interface files or type enforcement files</li> <li>The <code>.fc</code> file contains mappings of file path expressions towards labels (file contexts)</li> </ul> <p>These files are compiled into loadable modules (or a base module) which are then transformed to an active policy. But this is not a single-step approach.</p> Sven VermeulenSat, 13 Jun 2015 23:12:00,2015-06-13:/2015/06/where-does-cil-play-in-the-selinux-system/cilselinuxuserspaceLive SELinux userspace ebuilds<p>In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the <a href="">SELinux userspace</a> so that developers and contributors can already work with in-progress code developments as well as see how they work on a Gentoo platform.</p> Sven VermeulenWed, 10 Jun 2015 20:07:00,2015-06-10:/2015/06/live-selinux-userspace-ebuilds/cilGentooselinuxuserspacePostgreSQL with central authentication and authorization<p>I have been running a PostgreSQL cluster for a while as the primary backend for many services. The database system is very robust, well supported by the community and very powerful. In this post, I'm going to show how I use central authentication and authorization with PostgreSQL.</p> Sven VermeulenMon, 25 May 2015 12:07:00,2015-05-25:/2015/05/postgresql-with-central-authentication-and-authorization/postgresqlTesting with permissive domains<p>When testing out new technologies or new setups, not having (proper) SELinux policies can be a nuisance. Not only are the number of SELinux policies that are available through the standard repositories limited, some of these policies are not even written with the same level of confinement that an administrator might expect. 
Or perhaps the technology to be tested is used in a completely different manner.</p> <p>Without proper policies, any attempt to start such a daemon or application might or will cause permission violations. In many cases, developers or users tend to disable SELinux enforcing then so that they can continue playing with the new technology. And why not? After all, policy development is to be done <em>after</em> the technology is understood.</p> Sven VermeulenMon, 18 May 2015 13:40:00,2015-05-18:/2015/05/testing-with-permissive-domains/permissivepolicyselinuxsemanagetestAudit buffering and rate limiting<p>Be it because of SELinux experiments, or through general audit experiments, sometimes you'll get in touch with a message similar to the following:</p> <div class="highlight"><pre><span></span>audit: audit_backlog=321 &gt; audit_backlog_limit=320 audit: audit_lost=44395 audit_rate_limit=0 audit_backlog_limit=320 audit: backlog limit exceeded </pre></div> <p>The message shows up when certain audit events could not be …</p>Sven VermeulenSun, 10 May 2015 14:18:00,2015-05-10:/2015/05/audit-buffering-and-rate-limiting/auditkernelsecurityselinuxUse change management when you are using SELinux to its fullest<p>If you are using SELinux on production systems (with which I mean systems that you offer services with towards customers or other parties beyond you, yourself and your ego), please consider proper change management if you don't already. SELinux is a very sensitive security subsystem - not in the sense …</p>Sven VermeulenThu, 30 Apr 2015 20:58:00,2015-04-30:/2015/04/use-change-management-when-you-are-using-selinux-to-its-fullest/change managementpolicyselinuxMoving closer to 2.4 stabilization<p>The <a href="">SELinux userspace</a> project has released version 2.4 in February this year, after release candidates had been tested for half a year. 
After its release, we at the <a href="">Gentoo Hardened</a> project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …</p>Sven VermeulenMon, 27 Apr 2015 19:18:00,2015-04-27:/2015/04/moving-closer-to-2-4-stabilization/2.4GentoohardenedselinuxuserspaceTrying out Pelican, part one<p>One of the goals I've set myself to do this year (not as a new year resolution though, I *really* want to accomplish this ;-) is to move my blog from Wordpress to a statically built website. And <a href="">Pelican</a> looks to be a good solution to do so. It's based on …</p>Sven VermeulenFri, 06 Mar 2015 20:02:00,2015-03-06:/2015/03/trying-out-pelican-part-one/blogGentoohaskellpandocpelicanwordpressCIL and attributes<p>I keep on struggling to remember this, so let's make a blog post out of it ;-)</p> <p>When the SELinux policy is being built, recent userspace (2.4 and higher) will convert the policy into CIL language, and then build the binary policy. When the policy supports type attributes, these are …</p>Sven VermeulenSun, 15 Feb 2015 15:49:00,2015-02-15:/2015/02/cil-and-attributes/attributecilselinuxHave dhcpcd wait before backgrounding<p>Many of my systems use DHCP for obtaining IP addresses. Even though they all receive a static IP address, it allows me to have them moved over (migrations), use TFTP boot, cloning (in case of quick testing), etc. But one of the things that was making my efforts somewhat more …</p>Sven VermeulenSun, 08 Feb 2015 16:50:00,2015-02-08:/2015/02/have-dhcpcd-wait-before-backgrounding/dhcpdhcpcdGentooOld Gentoo system? Not a problem...<p>If you have a very old Gentoo system that you want to upgrade, you might have some issues with too old software and Portage which can't just upgrade to a recent state. 
Although many methods exist to work around it, one that I have found to be very useful is …</p>Sven VermeulenWed, 21 Jan 2015 23:05:00,2015-01-21:/2015/01/old-gentoo-system-not-a-problem/GentooportagesnapshottreeSELinux is great for enterprises (but many don't know it yet)<p>Large companies that handle their own IT often have internal support teams for many of the technologies that they use. Most of the time, this is for reusable components like database technologies, web application servers, operating systems, middleware components (like file transfers, messaging infrastructure, ...) and more. All components that are …</p>Sven VermeulenSat, 03 Jan 2015 13:36:00,2015-01-03:/2015/01/selinux-is-great-for-enterprises-but-many-dont-know-it-yet/companiesconfigurationengineeringenterpriseselinuxGentoo Wiki is growing<p>Perhaps it is because of the winter holidays, but the last weeks I've noticed a lot of updates and edits on the Gentoo wiki.</p> <p>The move to the <a href="">Tyrian</a> layout, whose purpose is to eventually become the unified layout for all Gentoo resources, happened first. Then, three common templates (<code>Code …</code></p>Sven VermeulenSat, 03 Jan 2015 10:09:00,2015-01-03:/2015/01/gentoo-wiki-is-growing/documentationGentoowikiWhy does it access /etc/shadow?<p>While updating the SELinux policy for the Courier IMAP daemon, I noticed that it (well, the authdaemon that is part of Courier) wanted to access <code>/etc/shadow</code>, which is of course a big no-no. 
It doesn't take long to know that this is through the PAM support (more specifically, <code>pam_unix …</code></p>Sven VermeulenTue, 30 Dec 2014 22:48:00,2014-12-30:/2014/12/why-does-it-access-etcshadow/chkpwdpamselinuxshadowunix_chkpwdAdded UEFI instructions to AMD64/x86 handbooks<p>I just finished up adding some UEFI instructions to the <a href="">Gentoo handbooks</a> for AMD64 and x86 (I don't know how many systems are still using x86 instead of the AMD64 one, and if those support UEFI, but the instructions are shared and they don't collide). The entire EFI stuff can …</p>Sven VermeulenTue, 23 Dec 2014 18:08:00,2014-12-23:/2014/12/added-uefi-instructions-to-amd64x86-handbooks/efiGentoohandbookuefiHandbooks moved<p>Yesterday the move of the <a href="">Gentoo Wiki</a> for the Gentoo handbooks (whose most important part are the installation instructions for the various supported architectures) has been concluded, with a last-minute addition being the <a href="">one-page views</a> so that users who want to can view the installation instructions completely within one view …</p>Sven VermeulenSun, 14 Dec 2014 14:42:00,2014-12-14:/2014/12/handbooks-moved/GentoohandbookwikiGentoo Handbooks almost moved to wiki<p>Content-wise, the move is done. I've done a few checks on the content to see if the structure still holds, translations are enabled on all pages, the use of partitions is sufficiently consistent for each architecture, and so on. The result can be seen on <a href="">the gentoo handbook main page …</a></p>Sven VermeulenFri, 12 Dec 2014 17:35:00,2014-12-12:/2014/12/gentoo-handbooks-almost-moved-to-wiki/GentoohandbookwikiSometimes I forget how important communication is<p>Free software (and documentation) developers don't always have all the time they want. Instead, they grab whatever time they have to do what they believe is the most productive - be it documentation editing, programming, updating ebuilds, SELinux policy improvements and what not. 
But they often don't take the time to …</p>Sven VermeulenWed, 10 Dec 2014 20:38:00,2014-12-10:/2014/12/sometimes-i-forget-how-important-communication-is/communicationdeveloperGentooselinuxtimeNo more DEPENDs for SELinux policy package dependencies<p>I just finished updating 102 packages. The change? Removing the following from the ebuilds:</p> <div class="highlight"><pre><span></span>DEPEND=&quot;selinux? ( sec-policy/selinux-${packagename} )&quot; </pre></div> <p>In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …</p>Sven VermeulenSun, 02 Nov 2014 14:51:00,2014-11-02:/2014/11/no-more-depends-for-selinux-policy-package-dependencies/DEPENDebuildGentooRDEPENDselinuxUsing multiple priorities with modules<p>One of the new features of the 2.4 SELinux userspace is support for module priorities. The idea is that distributions and administrators can override a (pre)loaded SELinux policy module with another module without removing the previous module. This lower-version module will remain in the store, but will not …</p>Sven VermeulenFri, 31 Oct 2014 18:24:00,2014-10-31:/2014/10/using-multiple-priorities-with-modules/prioritiespriorityselinuxsemoduleMigrating to SELinux userspace 2.4 (small warning for users)<p>In a few moments, SELinux users which have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed …</p>Sven VermeulenThu, 30 Oct 2014 19:44:00,2014-10-30:/2014/10/migrating-to-selinux-userspace-2-4-small-warning-for-users/cilGentoomigrateselinuxsemanageupgradeuserspaceLots of new challenges ahead<p>I've been pretty busy lately, albeit behind the corners, which leads to a lower activity within the free software communities that I'm active in. 
Still, I'm not planning any exit, on the contrary. Lots of ideas are just waiting for some free time to engage. So what are the challenges …</p>Sven VermeulenSun, 19 Oct 2014 16:01:00,2014-10-19:/2014/10/lots-of-new-challenges-ahead/After SELinux System Administration, now the SELinux Cookbook<p>Almost an entire year ago (just a few days apart) I <a href="">announced</a> my first published book, called <a href="">SELinux System Administration</a>. The book covered SELinux administration commands and focuses on Linux administrators that need to interact with SELinux-enabled systems.</p> <p>An important part of SELinux was only covered very briefly in the …</p>Sven VermeulenWed, 24 Sep 2014 20:10:00,2014-09-24:/2014/09/after-selinux-system-administration-now-the-selinux-cookbook/Showing return code in PS1<p>If you do daily management on Unix/Linux systems, then checking the return code of a command is something you'll do often. If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing …</p>Sven VermeulenSun, 31 Aug 2014 01:14:00,2014-08-31:/2014/08/showing-return-code-in-ps1/bashps1rcshellGentoo Hardened august meeting<p>Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.</p> <p><em>Lead elections</em></p> <p>The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)</p> <p><em>Toolchain</em></p> <p>blueness (Anthony G …</p>Sven VermeulenFri, 29 Aug 2014 16:43:00,2014-08-29:/2014/08/gentoo-hardened-august-meeting/GentoohardenedircmeetingSwitching to new laptop<p>I'm slowly but surely starting to switch to a new laptop. 
The old one hasn't completely died (yet) but given that I had to force its CPU frequency at the lowest Hz or the CPU would burn (and the system suddenly shut down due to heat issues), and that the …</p>Sven VermeulenTue, 19 Aug 2014 22:11:00,2014-08-19:/2014/08/switching-to-new-laptop/efiGentoolaptopSome changes under the hood<p>In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.</p> <p>First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is ~arch). These have a few updates (mergers from upstream), and r5 also …</p>Sven VermeulenSat, 09 Aug 2014 21:45:00,2014-08-09:/2014/08/some-changes-under-the-hood/eclassGentoogithardenedrefpolicyselinuxGentoo Hardened July meeting<p>I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.</p> <p><em>Toolchain</em></p> <p>GCC 4.9 gives some issues with kernel compilations and other components. 
Lately, breakage has been reported with …</p>Sven VermeulenFri, 01 Aug 2014 21:48:00,2014-08-01:/2014/08/gentoo-hardened-july-meeting/GentoohardenedircmeetingSegmentation fault when emerging packages after libpcre upgrade?<p>SELinux users might be facing failures when emerge is merging a package to the file system, with an error that looks like so:</p> <div class="highlight"><pre><span></span>&gt;&gt;&gt; Setting SELinux security labels /usr/lib64/portage/bin/ line 1112: 23719 Segmentation fault /usr/sbin/setfiles &quot;${file_contexts_path}&quot; -r &quot;${D}&quot; &quot;${D}&quot; * ERROR: dev-libs/libpcre-8.35::gentoo …</pre></div>Sven VermeulenWed, 09 Jul 2014 20:35:00,2014-07-09:/2014/07/segmentation-fault-when-emerging-packages-after-libpcre-upgrade/file_contextsfixGentoolibselinuxpcreMultilib in Gentoo<p>One of the areas in Gentoo that is seeing lots of active development is its ongoing effort to have proper <a href="">multilib support</a> throughout the tree. In the past, this support was provided through special emulation packages, but those have the (serious) downside that they are often outdated, sometimes even having …</p>Sven VermeulenWed, 02 Jul 2014 21:03:00,2014-07-02:/2014/07/multilib-in-gentoo/D-Bus and SELinux<p>After a <a href="">post about D-Bus</a> comes the inevitable related post about SELinux with D-Bus.</p> <p>Some users might not know that D-Bus is an SELinux-aware application. That means it has SELinux-specific code in it, which has the D-Bus behavior based on the SELinux policy (and might not necessarily honor the "permissive …</p>Sven VermeulenMon, 30 Jun 2014 20:07:00,2014-06-30:/2014/06/d-bus-and-selinux/busconfigd-busdbuslinuxpolicyselinuxD-Bus, quick recap<p>I've never fully investigated the what and how of D-Bus. I know it is some sort of IPC, but higher level than the POSIX IPC methods. After some reading, I think I start to understand how it works and how administrators can work with it. 
So a quick write-down is …</p>Sven VermeulenSun, 29 Jun 2014 19:16:00,2014-06-29:/2014/06/d-bus-quick-recap/dbuslinuxChroots for SELinux enabled applications<p>Today I had to prepare a chroot jail (thank you grsecurity for the neat additional chroot protection features) for a SELinux-enabled application. As a result, "just" making a chroot was insufficient: the application needed access to <code>/sys/fs/selinux</code>. Of course, granting access to <code>/sys</code> is not something I like …</p>Sven VermeulenSun, 22 Jun 2014 20:16:00,2014-06-22:/2014/06/chroots-for-selinux-enabled-applications/bind-mountbindmountmountread-onlyroselinuxGentoo Hardened, June 2014<p>Friday the <a href="">Gentoo Hardened</a> project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.</p> <p>On the <strong>toolchain</strong> part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …</p>Sven VermeulenSun, 15 Jun 2014 21:28:00,2014-06-15:/2014/06/gentoo-hardened-june-2014/GentoohardenedircmeetingVisualizing constraints<p>SELinux constraints are an interesting way to implement specific, well, constraints on what SELinux allows. Most SELinux rules that users come in contact with are purely type oriented: allow something to do something against something. In fact, most of the SELinux rules applied on a system are such <code>allow</code> rules …</p>Sven VermeulenSat, 31 May 2014 03:47:00,2014-05-31:/2014/05/visualizing-constraints/constrainconstraintsdotgraphvizseinfoselinuxRevamped our SELinux documentation<p>In the move to the <a href="">Gentoo wiki</a>, I have updated and revamped most of our SELinux documentation. The end result can be seen through the <a href="">main SELinux page</a>. 
Most of the content is below this page (as subpages).</p> <p>We start with a new <a href="">introduction to SELinux</a> article which goes over …</p>Sven VermeulenMon, 12 May 2014 22:15:00,2014-05-12:/2014/05/revamped-our-selinux-documentation/documentationGentooselinuxwikiDropping sesandbox support<p>A <a href="">vulnerability in seunshare</a>, part of <code>policycoreutils</code>, came to light recently (through <a href="">bug 509896</a>). The issue is within <code>libcap-ng</code> actually, but the specific situation in which the vulnerability can be exploited is only available in <code>seunshare</code>.</p> <p>Now, <code>seunshare</code> is not built by default on Gentoo. You need to define <code>USE …</code></p>Sven VermeulenFri, 09 May 2014 21:03:00,2014-05-09:/2014/05/dropping-sesandbox-support/GentoohardenedpolicycoreutilsselinuxseunsharevulnerabilityStepping through the build process with ebuild<p>Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don't use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …</p>Sven VermeulenSun, 20 Apr 2014 11:59:00,2014-04-20:/2014/04/stepping-through-the-build-process-with-ebuild/ebuildphaseportageIf things are weird, check for policy.29<p>Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling <strong>audit2allow</strong>, informing us that <code>sysadm_t</code> had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository but …</p>Sven VermeulenThu, 17 Apr 2014 21:01:00,2014-04-17:/2014/04/if-things-are-weird-check-for-policy-29/load_policypolicyselinuxsemanageWhat is that net-pf-## thingie?<p>When checking audit logs, you might come across applications that request loading of a <code>net-pf-##</code> module, with <code>##</code> being an integer. 
Having requests for <code>net-pf-10</code> is a more known cause (enable IPv6) but what about <code>net-pf-34</code>?</p> <p>The answer can be found in <code>/usr/src/linux/include/linux/socket.h</code>:</p> <div class="highlight"><pre><span></span>#define AF_ATMPVC …</pre></div>Sven VermeulenTue, 01 Apr 2014 19:46:00,2014-04-01:/2014/04/what-is-that-net-pf-thingie/linuxmodule_requestnet-pfProof of concept for USE enabled policies<p><em>tl;dr:</em> Some (<code>-9999</code>) policy ebuilds now have <code>USE</code> support for building in (or leaving out) SELinux policy statements.</p> <p>One of the "problems" I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a "least privilege" policy that …</p>Sven VermeulenMon, 31 Mar 2014 18:33:00,2014-03-31:/2014/03/proof-of-concept-for-use-enabled-policies/alsapolicyselinuxDecoding the hex-coded path information in AVC denials<p>When investigating AVC denials, some denials show a path that isn't human readable, like so:</p> <div class="highlight"><pre><span></span>type=AVC msg=audit(1396189189.734:1913): avc: denied { execute } for pid=17955 comm=&quot;emerge&quot; path=2F7661722F666669737A69596157202864656C6574656429 dev=&quot;dm-3&quot; ino=1838 scontext=staff_u:sysadm_r:portage_t tcontext=staff_u:object_r:var_t tclass=file </pre></div> <p>To know what this …</p>Sven VermeulenSun, 30 Mar 2014 16:37:00,2014-03-30:/2014/03/decoding-the-hex-coded-path-information-in-avc-denials/avcdecodepathselinuxManaging Inter-Process Communication (IPC)<p>As a Linux administrator, you'll eventually need to concern yourself with <em>Inter-Process Communication (IPC)</em>. The IPC primitives that most POSIX operating systems provide are semaphores, shared memory and message queues. On Linux, the first utility that helps you with those primitives is <strong>ipcs</strong>. 
Let's start with semaphores first.</p> <p>Semaphores in …</p>Sven VermeulenSun, 30 Mar 2014 12:50:00,2014-03-30:/2014/03/managing-inter-process-communication-ipc/ipcipcrmipcslinuxmsgsemshmemQuerying SELinux policy for boolean information<p>Within an SELinux policy, certain access vectors (permissions) can be conditionally granted based on the value of a <em>SELinux boolean</em>.</p> <p>To find the list of SELinux booleans that are available on your system, you can use the <strong>getsebool -a</strong> method, or <strong>semanage boolean -l</strong>. The latter also displays the description …</p>Sven VermeulenFri, 28 Mar 2014 23:38:00,2014-03-28:/2014/03/querying-selinux-policy-for-boolean-information/booleanqueryselinuxsesearchOnline hardened meeting of March<p>I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.</p> <p><em>Toolchain</em></p> <p>GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the <a href="">changes …</a></p>Sven VermeulenThu, 27 Mar 2014 23:44:00,2014-03-27:/2014/03/online-hardened-meeting-of-march/GentoohardenedircmeetingFixing the busybox build failure<p>Since a few months I have a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate <code>/usr</code> and LVM for everything except <code>/boot</code>):</p> <div class="highlight"><pre><span></span>* busybox: &gt;&gt; Compiling... * ERROR: Failed to compile the &quot;all&quot; target... * * -- Grepping log... -- * * - busybox-1.7.4-signal-hack.patch …</pre></div>Sven VermeulenWed, 26 Mar 2014 14:18:00,2014-03-26:/2014/03/fixing-the-busybox-build-failure/busyboxgenkernelGentooinitramfsinitrdnoexectmpTalk about SELinux on GSE Linux/Security<p>On today's <a href="">GSE Linux / GSE Security</a> meeting (in cooperation with <a href="">IMUG</a>) I gave a small (30 minutes) presentation about what SELinux is. 
The <a href="">slides are online</a> and cover two aspects of SELinux: some of its design principles, and then a set of features provided by SELinux. The talk is directed …</p>Sven VermeulenTue, 25 Mar 2014 23:11:00,2014-03-25:/2014/03/talk-about-selinux-on-gse-linuxsecurity/gsemainframes390xsecurityselinuxzenterpriseCreate your own SELinux Gentoo profile<p>Or any other profile for that matter ;-)</p> <p>A month or so ago we got the question how to enable SELinux on a Gentoo profile that doesn't have a <code>&lt;some profilename&gt;/selinux</code> equivalent. Because we don't create SELinux profiles for all possible profiles out there, having a way to do this …</p>Sven VermeulenMon, 24 Mar 2014 21:51:00,2014-03-24:/2014/03/create-your-own-selinux-gentoo-profile/GentooprofileHidden symbols and dynamic linking<p>A few weeks ago, we introduced an error in the (\~arch) <code>libselinux</code> ebuild which caused the following stacktrace to occur every time the <strong>semanage</strong> command was invoked:</p> <div class="highlight"><pre><span></span>~ # semanage Traceback (most recent call last): File &quot;/usr/lib/python-exec/python2.7/semanage&quot;, line 27, in import seobject File &quot;/usr/lib64/python2.7 …</pre></div>Sven VermeulenMon, 24 Mar 2014 21:14:00,2014-03-24:/2014/03/hidden-symbols-and-dynamic-linking/elfhiddenselinuxsymbolsClosing week? No, starting week...<p>I've been away for a while, and this week will (hopefully) be the last week of all the effort that is causing this. And that means I'll get back to blogging, documentation development, SELinux integration, SELinux policy development and more. 
To be honest, I'm eagerly awaiting this moment of getting …</p>Sven VermeulenSun, 16 Mar 2014 21:36:00,2014-03-16:/2014/03/closing-week-no-starting-week/Switching context depending on user code-wise<p>I blogged about how SELinux decides what the context should be for a particular Linux user; how it checks the default context(s) and tells the SELinux-aware application on what the new context should be. Let's look into the C code that does so, and how an application should behave …</p>Sven VermeulenSun, 12 Jan 2014 22:43:00,2014-01-12:/2014/01/switching-context-depending-on-user-code-wise/default_contextdomainlibselinuxselinuxselinux-awaretransitionCan Gentoo play a role in a RHEL-only environment?<p>Sounds like a stupid question, as the answer is already in the title. If a company has only RedHat Enterprise Linux as allowed / supported Linux platform (be it for a support model requirement, ISV certification, management tooling support or what not) how could or would Gentoo still play a role …</p>Sven VermeulenThu, 09 Jan 2014 04:13:00,2014-01-09:/2014/01/can-gentoo-play-a-role-in-a-rhel-only-environment/Gentoolinuxvappliancevirtual applianceLinux protip: environment for a process<p>Just a quick pro-tip: if you need to know the environment variables for a process, you can see them in that process' <code>/proc/${PID}/environ</code> file. The file however shows the environment variables on one line, with a null character as separator. With a simple <strong>sed</strong> you can show it …</p>Sven VermeulenTue, 07 Jan 2014 04:31:00,2014-01-07:/2014/01/linux-protip-environment-for-a-process/environlinuxprotipHow does foo_t get this privilege?<p>Today a question was raised how the unprivileged user domain <code>user_t</code> was allowed to write to <code>cgroup_t</code> files. 
There is nothing obvious about that in the <code>roles/unprivuser.te</code> file, so what gives?</p> <p>I used a simple script (which I've been using for a while already) called <strong>seshowtree</strong> which presents …</p>Sven VermeulenSun, 05 Jan 2014 04:14:00,2014-01-05:/2014/01/how-does-foo_t-get-this-privilege/policyselinuxseshowtreeOh it is cron again...<p>Today I was pointed to the following error:</p> <div class="highlight"><pre><span></span>test fcron[6722]: fcron[6722] 3.1.2 started test fcron[6722]: Cannot bind socket to &#39;/var/run/fcron.fifo&#39;: Permission denied test fcron[6722]: &quot;at&quot; reboot jobs will only be run at computer&#39;s startup. test fcron[6722]: updating configuration from …</pre></div>Sven VermeulenFri, 03 Jan 2014 21:05:00,2014-01-03:/2014/01/oh-it-is-cron-again/cronselinuxPrivate key handling and SELinux protection<p>In this post I'll give some insight in a <em>possible</em> SELinux policy for a script I wrote.</p> <p>The script is a certificate authority handling script, in which I can generate a private key (and certificate assigned to it), sign the certificate either by itself (for the root CA key) or …</p>Sven VermeulenThu, 02 Jan 2014 04:00:00,2014-01-02:/2014/01/private-key-handling-and-selinux-protection/cacertclipolicyselinuxLimiting file access with SELinux alone?<p>While writing a small script to handle simple certificate authority activities using OpenSSL, I considered how to properly protect the files that OpenSSL uses for these activities. As you are probably aware, a system that hosts the necessary files for CA activities (like signing certificate requests) should be very secure …</p>Sven VermeulenTue, 31 Dec 2013 21:18:00,2013-12-31:/2013/12/limiting-file-access-with-selinux-alone/accessaclfile accessGentooselinuxUpgrading old Gentoo installations<p>Today I got "pinged" on <a href="">bug #463240</a> about the difficulty of upgrading a Gentoo Linux deployment after a long time of inactivity on the system. 
We already have an <a href="">Upgrading Gentoo</a> article on the Gentoo wiki that describes in great detail how upgrades can be accomplished. But one of the …</p>Sven VermeulenSun, 29 Dec 2013 14:18:00,2013-12-29:/2013/12/upgrading-old-gentoo-installations/GentooportagesnapshotupgradeGiving weights to compliance rules<p>Now that we wrote up a few OVAL statements and used those instead of SCE driven checks (where possible), let's finish up and go back to the XCCDF document and see how we can put weights in place.</p> <p>The <strong>CVE (Common Vulnerability Exposure)</strong> standard allows for vulnerabilities to be given …</p>Sven VermeulenThu, 26 Dec 2013 04:13:00,2013-12-26:/2013/12/giving-weights-to-compliance-rules/ccsscvssscapxccdfDoing a content check with OVAL<p>Let's create an OVAL check to see if <code>/etc/inittab</code>'s single user definitions only refer to <code>/sbin/sulogin</code> or <code>/sbin/rc single</code>. First, the skeleton:</p> <p>(XML content lost during blog conversion)</p> <p>The first thing we notice is that there are several namespaces defined within OVAL. These namespaces refer to …</p>Sven VermeulenTue, 24 Dec 2013 04:25:00,2013-12-24:/2013/12/doing-a-content-check-with-oval/openscapovalscapxccdfWhat is OVAL?<p>Time to discuss <strong>OVAL (Open Vulnerability Assessment Language)</strong>. In all the <a href="">previous posts</a> I focused the checking of rules (does the system comply with the given rule) on scripts, through the Script Check Engine supported by openscap. 
The advantage of SCE is that most people can quickly provide automated checks …</p>Sven VermeulenSun, 22 Dec 2013 04:40:00,2013-12-22:/2013/12/what-is-oval/openscapovalscapscexccdfDecember hardened meeting<p>Yesterday evening (UTC, that is) the members of the <a href="">Gentoo Hardened</a> project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.</p> <p><em>Toolchain</em></p> <p>A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.</p> <p>And …</p>Sven VermeulenFri, 20 Dec 2013 10:20:00,2013-12-20:/2013/12/december-hardened-meeting/GentoohardenedircmeetingonlineRemediation through SCAP<p>I promised in my <a href="">previous post</a> to give some information about remediation.</p> <p>Remediation is the process where you fix a system to become compliant again after finding out there is a violation on the system. The easiest form of remediation of course is to just notify the administrator and give …</p>Sven VermeulenFri, 20 Dec 2013 04:47:00,2013-12-20:/2013/12/remediation-through-scap/openscapremediationscapxccdfGPT or MBR in the Gentoo Handbook<p>I just committed a set of changes against the Gentoo Handbook (x86 and amd64) with the intent to have better instructions on GPT (GUID Partition Table) layout versus MBR (Master Boot Record) or MSDOS-style layout.</p> <p>The part on "Preparing the Disks" saw the most changes. It starts with explaining the …</p>Sven VermeulenWed, 18 Dec 2013 12:25:00,2013-12-18:/2013/12/gpt-or-mbr-in-the-gentoo-handbook/documentationfdiskgdpGentoogpthandbookmbrpartedRunning a bit with the XCCDF document<p>In my <a href="">previous post</a> I introduced automated checking of rules through <em>SCE (Script Check Engine)</em>. 
Let's focus a bit more now on running with an XCCDF document: how to automatically check the system, read the results and find more information about those results.</p> <p>To provide a usable example, you can …</p>Sven VermeulenWed, 18 Dec 2013 04:23:00,2013-12-18:/2013/12/running-a-bit-with-the-xccdf-document/openscapscapscexccdfUpdated Linux Sea, now with viewport thingie<p>I just pushed out an update to <a href="">Linux Sea</a> (an online resource to introduce you to Linux, using Gentoo Linux as an example), including its PDF and ePub versions. The changes are pretty small (see its <a href="">ChangeLog</a>).</p> <p>Together with the update, it now also includes a <code>&lt;meta name="viewport"...&gt;</code> so …</p>Sven VermeulenMon, 16 Dec 2013 23:37:00,2013-12-16:/2013/12/updated-linux-sea-now-with-viewport-thingie/cssdocumentationGentoolinux seamobileXCCDF - Documenting a bit more than just descriptions<p>In my <a href="">previous post</a> I made a skeleton XCCDF document. By now, we can create a well documented "baseline" (best practice) for our subject (say PostgreSQL). But for now I only talked about <code>&lt;description&gt;</code> whereas XCCDF allows many other tags as well.</p> <p>You can add <em>metadata</em> information for a particular …</p>Sven VermeulenMon, 16 Dec 2013 04:58:00,2013-12-16:/2013/12/xccdf-documenting-a-bit-more-than-just-descriptions/openscapscapscexccdfAn XCCDF skeleton for PostgreSQL<p>In a <a href="">previous post</a> I wrote about the documentation structure I have in mind for a PostgreSQL security best practice.
Considering what XCCDF can give us, the idea is to have the following structure:</p> <div class="highlight"><pre><span></span>Hardening PostgreSQL
+- Basic setup
+- Instance level configuration
|  +- Pre-startup configuration
|  `- PostgreSQL internal configuration
+- Database recommendations
`- User definitions …</pre></div>Sven VermeulenSat, 14 Dec 2013 04:00:00,2013-12-14:/2013/12/an-xccdf-skeleton-for-postgresql/postgresqlscapxccdfDocumenting security best practices - XCCDF introduction<p>When I have some free time, I try to work on a <a href="">Gentoo Security Benchmark</a> which not only documents security best practices (loosely based on the <a href="">Gentoo Security Handbook</a> which hasn't seen many updates in the last few years) but also uses the SCAP protocols. This set of protocols allows …</p>Sven VermeulenThu, 12 Dec 2013 16:04:00,2013-12-12:/2013/12/documenting-security-best-practices-xccdf-introduction/postgresqlscapxccdfGentoo SELinux policy release script<p>A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages. The script is on the <a href=";a=summary">repository</a> itself, in the <code>gentoo/</code> subdirectory, and is called <code></code>.</p> <p>The reason for the script is that there are a number of steps to perform …</p>Sven VermeulenWed, 11 Dec 2013 18:37:00,2013-12-11:/2013/12/gentoo-selinux-policy-release-script/GentoohardenedpolicyreleaseselinuxNovember online hardened meeting<p>Later than usual, as I wasn't able to make the meeting myself (thus had to wait for the meeting logs in order to draft up this summary), so here it is.
The next meeting is scheduled for next week, btw ;-)</p> <p><em>Toolchain</em></p> <p>The 4.8.2 ebuild for GCC is available …</p>Sven VermeulenWed, 11 Dec 2013 12:12:00,2013-12-11:/2013/12/november-online-hardened-meeting/GentoohardenedircmeetingonlineMajority of GDP documents moved to Gentoo wiki<p>The majority of the English Gentoo documents that resided in <a href=""></a> have now been moved to the <a href="">Gentoo Wiki</a>. All those documents have been made available in the main namespace, meaning that non-developers can continue to contribute on those articles and guides, fully in the spirit …</p>Sven VermeulenTue, 10 Dec 2013 16:03:00,2013-12-10:/2013/12/majority-of-gdp-documents-moved-to-gentoo-wiki/documentationdocumentsgdpGentoowikiNew SELinux userspace release<p>Within the hour, Gentoo users using the ~arch branch will notice that new versions of the <a href="">SELinux userspace applications</a> are now available. Released on October 30th, they contain many bug fixes sent previously as well as a couple of interesting developments and enhancements (more work on sepolicy, for …</p>Sven VermeulenTue, 05 Nov 2013 00:06:00,2013-11-05:/2013/11/new-selinux-userspace-release-2/The mix of libffi with other changes<p>I <a href="">once again</a> came across libffi. Not only does the libffi approach fight with SELinux alone, it also triggers the TPE (Trusted Path Execution) protections in grSecurity. And when I tried to reinstall Portage, Portage seemed to create some sort of runtime environment in a temporary directory as well, and …</p>Sven VermeulenSun, 03 Nov 2013 10:27:00,2013-11-03:/2013/11/the-mix-of-libffi-with-other-changes/GentoohardenedlibffiportageselinuxGentoo Hardened meeting 201310<p>We gathered online again to talk about the progress, changes and other stuff related to the <a href="">Gentoo Hardened</a> project.</p> <p><em>New Developer</em></p> <p>We welcomed Zero_Chaos as a new addition to our team.
Big welcome, with the usual IRC kick in between, ensued.</p> <p><em>Toolchain</em></p> <p>GCC 4.8.x is unmasked and ready …</p>Sven VermeulenThu, 24 Oct 2013 23:25:00,2013-10-24:/2013/10/gentoo-hardened-meeting-201310/GentoohardenedircmeetingonlineIn-browser encryption for online password management<p>Lately I've been trying to find a good free software project that uses PHP or cgi-bin (one of the requirements for this particular organization) that allows its users to store passwords centrally, but uses encryption on the browser level before the passwords are sent to the central server. I've found …</p>Sven VermeulenSun, 20 Oct 2013 21:29:00,2013-10-20:/2013/10/in-browser-encryption-for-online-password-management/aesencryptionjavascriptpasswordpasswordmanagementA bug please...<p>I know contacting me (or other developers) through IRC is often fast, but having a bug report on our <a href="">bugzilla</a> is very important to me and other developers. Allow me to explain a bit why.</p> <p>First of all, <em>IRC is ephemeral</em>. If we are not immediately on IRC noticing it …</p>Sven VermeulenMon, 30 Sep 2013 21:53:00,2013-09-30:/2013/09/a-bug-please/bugreportbugsbugzillaGentooIt has finally arrived: SELinux System Administration<p>Almost everyone has it - either physical or in their heads: a list of things you want to do or achieve before you... well, stop existing. Mine still has numerous things on it (I should get on it, I know) but one of the items on that list has recently been …</p>Sven VermeulenFri, 27 Sep 2013 15:10:00,2013-09-27:/2013/09/it-has-finally-arrived-selinux-system-administration/administrationbookfedoraGentoopacktpacktpubselinuxsystemAaaand we're back - hardened monthly meeting<p>It almost feels like we had our monthly online meeting just a week ago. Below a small write-up of the highlights. 
If you want to know the gory details, just wait a few hours/days until the IRC logs are sent out ;-) Now remember, the project does more than what …</p>Sven VermeulenThu, 26 Sep 2013 22:22:00,2013-09-26:/2013/09/aaaand-were-back-hardened-monthly-meeting/hardenedircmeetingUnderestimated or underused: Portage (e)logging<p>Within 30 minutes of each other, two people on the <code>#gentoo</code> channel asked if Portage kept logs of the messages displayed during the build and installation of a package. Of course, the answer is a resounding "yes" - and depending on your needs, you can even save more of the logging …</p>Sven VermeulenWed, 25 Sep 2013 10:09:00,2013-09-25:/2013/09/underestimated-or-underused-portage-elogging/elogGentoologgingportageCreating a poor man central SCAP system<p>A few weeks ago, I was asked to give some explanation about how SCAP content can be used in companies to improve their infrastructure knowledge. The focus back then was to look at benchmarks (secure states) and violations, but other functionality should not be ignored. I'm not going to talk …</p>Sven VermeulenTue, 24 Sep 2013 13:35:00,2013-09-24:/2013/09/creating-a-poor-man-central-scap-system/Switching gpg key to 0x2EDD52403B68AF47<p>I recently switched my GnuPG key. The previous key - which is still in place for now (no revocation sent out yet) - was 0x5DFAB3ECCDBA2FDB and was a 1024 bit DSA key. The new one, 0x2EDD52403B68AF47, is a 4096 bit RSA key. It also has the following preferences:</p> <div class="highlight"><pre><span></span>gpg&gt; showpref
[ultimate] (1 …</pre></div>Sven VermeulenThu, 19 Sep 2013 21:17:00,2013-09-19:/2013/09/switching-gpg-key-to-0x2edd52403b68af47/gpgkeycvechecker 3.3 released<p>I just uploaded a new release of <a href="">cvechecker</a> to the project files.
The release is a (long overdue) bugfix release, but includes two small enhancements: support for standard input for the binary list (so you can pipe the output of one command to cvechecker) and the introduction of the <code>CVECHECKER_CONFFILE</code> variable …</p>Sven VermeulenMon, 16 Sep 2013 16:06:00,2013-09-16:/2013/09/cvechecker-3-3-released/cvecheckerreleaseGentoo Hardened progress report<p>Today, we had our monthly online meeting to discuss the progress amongst the various Gentoo Hardened projects. As usual, here is a small write-up.</p> <p><em>Lead election</em></p> <p>As every year, we also reviewed the current project leads. No surprises here, everybody is happy with the current leads so they are re-elected …</p>Sven VermeulenThu, 29 Aug 2013 20:27:00,2013-08-29:/2013/08/gentoo-hardened-progress-report/Gentoohardenedircmeetingminutesprogress_reportreportUmounting IPv6 NFS(v4) mounts<p>I had issues umounting my NFSv4 shares on an IPv6-only network. When trying to umount the share, it said that it couldn't find the mount in <code>/proc/mounts</code>:</p> <div class="highlight"><pre><span></span>~# umount /mnt/nfs/portage
/mnt/nfs/portage was not found in /proc/mounts </pre></div> <p>The solution: copy <code>/proc/mounts</code> to <code>/etc/mtab</code>, and …</p>Sven VermeulenFri, 23 Aug 2013 13:46:00,2013-08-23:/2013/08/umounting-ipv6-nfsv4-mounts/ip6ipv6linuxnfs4nfsv4umountWhy our policies don't like emerge --config<p>One of the features that Portage provides is to have post-processing done on request of the administrator for certain packages.
For instance, for the <code>dev-db/postgresql-server</code> package we can call its <code>pkg_config()</code> phase to create the PostgreSQL instance and configure it so that the configuration of the database is stored …</p>Sven VermeulenFri, 23 Aug 2013 11:53:00,2013-08-23:/2013/08/why-our-policies-dont-like-emerge-config/Gentoopkg_configportageselinuxNetwork routing based on SELinux?<p>Today we had a question on #selinux if it was possible to route traffic of a specific process using SELinux. The answer to this is "no", although it has to be explained in a bit more detail.</p> <p>SELinux does not route traffic. SELinux is a local mandatory access control system …</p>Sven VermeulenWed, 21 Aug 2013 19:43:00,2013-08-21:/2013/08/network-routing-based-on-selinux/ipsecnetlabelnetworkingsecmarkselinuxUsing CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?<p>As you are probably aware, Gentoo uses the <a href="">reference policy</a> as its base for SELinux policies. Yes, we do customize it and not everything is already pushed upstream (for instance, our approach to use <code>xdg_*_home_t</code> customizable types to further restrict user application access has been sent up for comments …</p>Sven VermeulenFri, 16 Aug 2013 09:17:00,2013-08-16:/2013/08/using-custom_buildopt-in-refpolicy-for-use-flag-alike-functionality/booleanGentoopolicyselinuxuseuseflagToday was a productive day<p>Fixed 14 bugs today, with a few more pending (those for packages only get marked as FIXED once the package is moved to the stable state). One of the changes is the <a href=";chap=10#grub2">GRUB2</a> support in the Gentoo Handbook (yes, finally, sorry about that).
That opens up the road for the stabilization …</p>Sven VermeulenThu, 15 Aug 2013 20:58:00,2013-08-15:/2013/08/today-was-a-productive-day/gimptabletwacomSome things sound more scary than they are<p>A few days ago I finally got to the next thing on my <em>Want to do this year</em> list: put a new android (<a href="">Cyanogenmod</a>) on my tablet, which was still running the stock Android - but hasn't seen any updates in more than a year. Considering the (in)security of Android …</p>Sven VermeulenThu, 15 Aug 2013 10:02:00,2013-08-15:/2013/08/some-things-sound-more-scary-than-they-are/androidgrsecuritypaxselinuxtabletAnd now, 31 days later...<p>... the <a href="">Gentoo Hardened</a> team had its monthly online meeting again ;-)</p> <p>On the agenda were the usual suspects, such as the <em>toolchain</em>. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the <code>hardenedno*</code> and vanilla <code>gcc-config</code> options which will be added to the tree …</p>Sven VermeulenThu, 01 Aug 2013 22:43:00,2013-08-01:/2013/08/and-now-31-days-later/GentoogrsecurityhardenedircirlmeetingminutespaxprojectselinuxtoolchainPutting OVAL at work<p>When we look at the <a href="">SCAP security standards</a>, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.</p> <p>This is correct, but you need to remember that the standards are protocols, agreements that can be made …</p>Sven VermeulenThu, 01 Aug 2013 15:01:00,2013-08-01:/2013/08/putting-oval-at-work/baselinebenchmarkovalsecurityxccdfMoving Gentoo docs to the wiki<p>Slowly but surely Gentoo documentation guides are being moved to the <a href="">Gentoo Wiki</a>. Thanks to the translation support provided by the infrastructure, all "reasons" not to go forward with this have been resolved. 
At first, I'm focusing on documentation with open bugs that have not been picked up (usually due …</p>Sven VermeulenSun, 28 Jul 2013 11:22:00,2013-07-28:/2013/07/moving-gentoo-docs-to-the-wiki/docsdocumentationgdpGentoowikiRebuilding SELinux contexts with sefcontext_compile<p>A recent update of <em>libpcre</em> caused the binary precompiled regular expression files of SELinux to become outdated (and even blatantly wrong). The details are in bug <a href="">471718</a> but that doesn't help the users that are already facing the problem, nor have we found a good place to put the fix …</p>Sven VermeulenMon, 08 Jul 2013 20:55:00,2013-07-08:/2013/07/rebuilding-selinux-contexts-with-sefcontext_compile/hardenedpcreselinuxAdding mcstrans to Gentoo<p>If you use SELinux, you might be using an MLS-enabled policy. These are policies that support sensitivity labels on resources and domains. In Gentoo, these are supported in the <code>mcs</code> and <code>mls</code> policy stores. Now sensitivity ranges are fun to work with, but the moment you have several sensitivity levels …</p>Sven VermeulenSun, 07 Jul 2013 20:38:00,2013-07-07:/2013/07/adding-mcstrans-to-gentoo/categoriesmcsmcstransmlsselinuxsensitivityHardening is our business... new monthly report ;-)<p>We're back with another report on the <a href="">Gentoo Hardened</a> project. Please excuse my brevity, as you've noticed I'm not that active (yet) due to work on an external project - I'll be back mid-July though. I promise.</p> <p>On the <em>Toolchain</em> side, GCC 4.8.1 is in the tree and has …</p>Sven VermeulenThu, 27 Jun 2013 23:03:00,2013-06-27:/2013/06/hardening-is-our-business-new-monthly-report/GentoohardenedircmeetingprogressMy application base: graphviz<p>Visualization of data is often needed in order to understand what the data means. When data needs to be visualized automatically, I often use the <a href="">graphviz</a> tools. 
Not that they are extremely pretty, but they work very well and are made to be automated.</p> <p>Let me give a few examples …</p>Sven VermeulenSun, 09 Jun 2013 03:50:00,2013-06-09:/2013/06/my-application-base-graphviz/dependenciesdotgraphvizmabneatoschedulingvisualizationvisualizeMy application base: LibreOffice<p>Of course, working with a Linux desktop eventually requires you to work with an office suite. Although I have used alternatives like AbiWord and Calligra in the past, and although I do think that Google Docs might eventually become powerful enough to use instead, I'm currently using <a href="">LibreOffice</a>.</p> <p>The use …</p>Sven VermeulenSat, 08 Jun 2013 03:50:00,2013-06-08:/2013/06/my-application-base-libreoffice/excellibreofficemabopenofficewordMy application base: firefox<p>Browsers are becoming application disclosure frameworks rather than the visualization tools they were in the past. More and more services, like the <a href=""></a> one I discussed not that long ago, are using browsers as their client side while retaining the full capabilities of end clients (such as drag and …</p>Sven VermeulenFri, 07 Jun 2013 03:50:00,2013-06-07:/2013/06/my-application-base-firefox/browserfirefoxmabMy application base: bash and kiss tools<p>Okay, this just had to be here. I'm an automation guy - partially because of my job in which I'm responsible for the long-term strategy behind batch, scheduling and workload automation, but also because I believe proper automation makes life just that much easier. And for personal work, why not automate …</p>Sven VermeulenThu, 06 Jun 2013 03:50:00,2013-06-06:/2013/06/my-application-base-bash-and-kiss-tools/bashdashmabscriptingMy application base: geekie<p>In the past, when I had to manage my images (pictures) I used <a href="">GQview</a> (which started back in <a href="">2008</a>).
But the application doesn't get many updates, and if an application does not get many updates, it either means it is no longer maintained or that it does its job perfectly …</p>Sven VermeulenWed, 05 Jun 2013 03:50:00,2013-06-05:/2013/06/my-application-base-geekie/geeqiegimpgqviewimagesmabMy application base: freemind<p>Anyone who is even remotely busy with innovation will know what mindmaps are. They are a means to visualize information, ideas or tasks in whatever structure you like. By using graphical annotations the information is easier to look through, even when the mindmap becomes very large. In the commercial world …</p>Sven VermeulenTue, 04 Jun 2013 03:50:00,2013-06-04:/2013/06/my-application-base-freemind/freemindjavamabmindmanagermindmapstructurexmindMy application base: draw.io<p>The next few weeks (months even) will be challenging my free time as I'm working on (too many) projects simultaneously (sadly, only a few of those are free software related, most are house renovations). But that shouldn't stop me from starting a new set of posts, being <em>my application base …</em></p>Sven VermeulenMon, 03 Jun 2013 03:50:00,2013-06-03:/2013/06/my-application-base-draw-io/appbasearchitecturingdiadrawdraw.iomabvisioUsing extended attributes for custom information<p>One of the things I have been meaning to implement on my system is a way to properly "remove" old files from the system. Currently, I do this through frequently listing all files, going through them and deleting those I feel I no longer need (in any case, I can …</p>Sven VermeulenSun, 02 Jun 2013 03:50:00,2013-06-02:/2013/06/using-extended-attributes-for-custom-information/attributesexpirationextended attributeslinuxxattrHacking java bytecode with dhex<p>I found myself in a weird situation: a long long time ago, I wrote a java application that I didn't touch or run for a few years. Today, I found it on a backup and wanted to run it again (it's a graphical application for generating HTML pages).
However, it …</p>Sven VermeulenSat, 01 Jun 2013 03:50:00,2013-06-01:/2013/06/hacking-java-bytecode-with-dhex/bytecodedhexjavaA SELinux policy for incron: finishing up<p>After 9 posts, it's time to wrap things up. You can review the final results online (<a href="">incron.te</a>, <a href="">incron.if</a> and <a href="">incron.fc</a>) and adapt to your own needs if you want. But we should also review what we have accomplished so far...</p> <p>We built the start of an entire …</p>Sven VermeulenFri, 31 May 2013 03:50:00,2013-05-31:/2013/05/a-selinux-policy-for-incron-finishing-up/incronpolicyselinuxA SELinux policy for incron: using booleans<p>After using a default set of directories to watch, and <a href="">allowing admins to mark other types</a> as such as well, let's consider another approach for making the policy more flexible: booleans. The idea now is that a boolean called <em>incron_notify_non_security_files</em> enables <strong>incrond</strong> to be notified on changes on all possible …</p>Sven VermeulenThu, 30 May 2013 03:50:00,2013-05-30:/2013/05/a-selinux-policy-for-incron-using-booleans/booleanincronpolicyselinuxA SELinux policy for incron: marking types eligible for watching<p>In the <a href="">previous post</a> we made <strong>incrond</strong> able to watch <code>public_content_t</code> and <code>public_content_rw_t</code> types. However, this is not scalable, so we might want to be able to update the policy more dynamically with additional types.
To accomplish this, we will make types eligible for watching through an attribute.</p> <p>So how …</p>Sven VermeulenWed, 29 May 2013 03:50:00,2013-05-29:/2013/05/a-selinux-policy-for-incron-marking-types-eligible-for-watching/attributeincrondselinuxwatchA SELinux policy for incron: default set<p>I finished the last post a bit with a <a href="">cliffhanger</a> as <strong>incrond</strong> is still not working properly, and we got a few denials that needed to be resolved; here they are again for your convenience:</p> <div class="highlight"><pre><span></span>type=AVC msg=audit(1368734110.912:28353): avc: denied { getattr } for pid=9716 comm=&quot;incrond …</pre></div>Sven VermeulenTue, 28 May 2013 03:50:00,2013-05-28:/2013/05/a-selinux-policy-for-incron-default-set/booleansincrondpolicyselinuxA SELinux policy for incron: the incrond daemon<p>With <code>incrontab_t</code> (hopefully) complete, let's look at the <code>incrond_t</code> domain. As this domain will also be used to execute the user (and system) commands provided through the incrontabs, we need to consider how we are going to deal with this wide range of possible permissions that it might take. One …</p>Sven VermeulenMon, 27 May 2013 03:50:00,2013-05-27:/2013/05/a-selinux-policy-for-incron-the-incrond-daemon/incrondselinuxA SELinux policy for incron: new types and transitions<p>So I've shown the <a href="">iterative approach used</a> to develop policies. Again, please be aware that this is my way of developing policies, other policy developers might have a different approach. 
We were working on the <strong>incrontab</strong> command, so let's continue with trying to create a new user incrontab:</p> <div class="highlight"><pre><span></span>$ incrontab -e …</pre></div>Sven VermeulenSun, 26 May 2013 03:50:00,2013-05-26:/2013/05/a-selinux-policy-for-incron-new-types-and-transitions/incronpolicyselinuxA SELinux policy for incron: basic set for incrontab<p>Now that our <a href="">regular user is allowed</a> to execute <strong>incrontab</strong>, let's fire it up and look at the denials to build up the policy.</p> <div class="highlight"><pre><span></span>$ incrontab --help </pre></div> <p>That doesn't show much does it? Well, if you look into the <code>audit.log</code> (or <code>avc.log</code>) file, you'll notice a lot of denials …</p>Sven VermeulenSat, 25 May 2013 03:50:00,2013-05-25:/2013/05/a-selinux-policy-for-incron-basic-set-for-incrontab/incronincrontabpolicyselinuxA SELinux policy for incron: our first interface<p>The next step after having <a href="">a basic skeleton</a> is to get <strong>incrontab</strong> running. We know however that everything invoked from the main daemon will be running with the rights of the daemon context (unless we would patch the source code, but that is beyond the scope of this set of …</p>Sven VermeulenFri, 24 May 2013 03:50:00,2013-05-24:/2013/05/a-selinux-policy-for-incron-our-first-interface/incroninterfacepolicyA SELinux policy for incron: the basic skeleton<p>So, in the <a href="">previous post</a> I talked about <em>incron</em> and why I think moving it into the existing cron policy would not be a good idea. It works, somewhat, but is probably not that future-proof. 
So we're going to create our own policy for it.</p> <p>In SELinux, policies are generally …</p>Sven VermeulenThu, 23 May 2013 03:50:00,2013-05-23:/2013/05/a-selinux-policy-for-incron-the-basic-skeleton/fcincronpolicyselinuxskeletonteA SELinux policy for incron: what does it do?<p>In this series of posts, we'll go through the creation of a SELinux policy for <a href=";page=doc&amp;lang=en">incron</a>, a simple inotify based cron-like application. I will talk about the various steps that I would take in the creation of this policy, and give feedback when certain decisions are taken and why. At …</p>Sven VermeulenWed, 22 May 2013 03:50:00,2013-05-22:/2013/05/a-selinux-policy-for-incron-what-does-it-do/incronpolicyselinuxWhy oh why does a process run in unlabeled_t?<p>If you notice that a process is running in the <code>unlabeled_t</code> domain, the first question to ask is how it got there.</p> <p>Well, one way is to have a process running in a known domain, like <code>screen_t</code>, after which the SELinux policy module that provides this domain is removed from …</p>Sven VermeulenTue, 21 May 2013 03:50:00,2013-05-21:/2013/05/why-oh-why-does-a-process-run-in-unlabeled_t/policyselinuxunlabeledA simple IPv6 setup<p>For internal communication between guests on my workstation, I use IPv6 which is set up using the <em>Router Advertisement</em> "feature" of IPv6. The tools I use are <a href="">dnsmasq</a> for DNS/DHCP and router advertisement support, and <a href="">dhcpcd</a> as client. It might be a total mess (grew almost organically until it …</p>Sven VermeulenMon, 20 May 2013 03:50:00,2013-05-20:/2013/05/a-simple-ipv6-setup/dhcpcddnsmasqip6ipv6raThe weird "audit_access" permission<p>While writing up the posts on capabilities, one thing I had in my mind was to give some additional information on frequently occurring denials, such as the <em>dac_override</em> and <em>dac_read_search</em> capabilities, and when they are triggered.
For the DAC-related capabilities, policy developers often notice that these capabilities are triggered without …</p>Sven VermeulenSun, 19 May 2013 03:50:00,2013-05-19:/2013/05/the-weird-audit_access-permission/accessauditaudit_accessselinuxCommandline SELinux policy helper functions<p>To work on SELinux policies, I use a couple of functions that I can call on the shell (command line): <strong>seshowif</strong>, <strong>sefindif</strong>, <strong>seshowdef</strong> and <strong>sefinddef</strong>. The idea behind the methods is that I want to search (<em>find</em>) for an interface (<em>if</em>) or definition (<em>def</em>) that contains a particular method or …</p>Sven VermeulenSat, 18 May 2013 03:50:00,2013-05-18:/2013/05/commandline-selinux-policy-helper-functions/bashdefinitionfunctionsinterfacepolicyselinuxsupportLooking at the local Linux kernel privilege escalation<p>There have been a few posts already on the local Linux kernel privilege escalation, which has received the <a href="">CVE-2013-2094</a> ID. <a href="">arstechnica</a> has a write-up with links to good resources on the Internet, but I definitely want to point readers to the <a href="">explanation</a> that Brad Spengler made on the vulnerability.</p> <p>In …</p>Sven VermeulenFri, 17 May 2013 03:50:00,2013-05-17:/2013/05/looking-at-the-local-linux-kernel-privilege-escalation/eventgrsecuritykernexeclinuxpaxperfselinuxuderefvulnerabilityGentoo Hardened spring notes<p>We got back together on the <code>#gentoo-hardened</code> chat channel to discuss the progress of <a href="">Gentoo Hardened</a>, so it's time for another write-up of what was said.</p> <p><em>Toolchain</em></p> <p>GCC 4.8.1 will be out soon, although nothing major has occurred with it since the last meeting.
There is a plugin …</p>Sven VermeulenThu, 16 May 2013 22:54:00,2013-05-16:/2013/05/gentoo-hardened-spring-notes/GentoohardenedircmeetingmonthlyonlinePublic support channels: irc<p>I've <a href="">said it</a> before - support channels for free software are often (imo) superior to the commercial support that you might get with vendors. And although those vendors often try to use "modern" techniques, I fail to see why the old, but proven/stable methods would be wrong.</p> <p>Consider the "Chat …</p>Sven VermeulenThu, 16 May 2013 03:50:00,2013-05-16:/2013/05/public-support-channels-irc/chatircsupportOverriding the default SELinux policies<p>Extending SELinux policies with additional rules is easy. As SELinux uses a <em>deny by default</em> approach, all you need to do is to <a href="">create a policy module</a> that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?</p> <p>Well, sadly …</p>Sven VermeulenWed, 15 May 2013 03:50:00,2013-05-15:/2013/05/overriding-the-default-selinux-policies/ebuildepatch_userGentoooverridepatchpolicyselinuxHighlevel assessment of Cdorked and Gentoo Hardened/SELinux<p>With all the <a href="">reports</a> surrounding <a href="">Cdorked</a>, I took a look at whether SELinux and/or other Gentoo Hardened technologies could reduce the likelihood that this infection occurs on your system.</p> <p>First of all, we don't know yet how the malware gets installed on the server. We do know that the …</p>Sven VermeulenTue, 14 May 2013 03:50:00,2013-05-14:/2013/05/highlevel-assessment-of-cdorked-and-gentoo-hardenedselinux/apachecdorkedGentoohardenedimaselinuxSECMARK and SELinux<p>When using SECMARK, the administrator configures the <strong>iptables</strong> or <strong>netfilter</strong> rules to add a label to the packet data structure (on the host itself) that can be governed through SELinux policies. Unlike peer labeling, here the labels assigned to the network traffic are completely locally defined.
Consider the following command …</p>Sven VermeulenMon, 13 May 2013 03:50:00,2013-05-13:/2013/05/secmark-and-selinux/policysecmarkselinuxPeer labeling in SELinux policy<p>Allow me to start with an important warning: I don't have much hands-on experience with the remainder of this post. It's based on the few resources I found on the Internet and a few tests done locally which I've investigated in my attempt to understand SELinux policy writing for networking …</p>Sven VermeulenSun, 12 May 2013 03:50:00,2013-05-12:/2013/05/peer-labeling-in-selinux-policy/cipsoipsecpeerpolicyselinuxSELinux policy and network controls<p>Let's talk about how SELinux governs network streams (and how it reflects this into the policy).</p> <p>When you don't do fancy stuff like SECMARK or netlabeling, then the classes that you should keep an eye on are <em>tcp_socket</em> and <em>udp_socket</em> (depending on the protocol). There used to be <em>node</em> and …</p>Sven VermeulenSat, 11 May 2013 03:50:00,2013-05-11:/2013/05/selinux-policy-and-network-controls/networkingpolicyselinuxGentoo metadata support for CPE<p>Recently, the <code>metadata.xml</code> file syntax definition (the DTD for those that know a bit of XML) has been updated to support CPE definitions. A <a href="">CPE</a> (Common Platform Enumeration) is an identifier that <a href="">describes</a> an application, operating system or hardware device using its vendor, product name, version, update, edition and …</p>Sven VermeulenFri, 10 May 2013 03:50:00,2013-05-10:/2013/05/gentoo-metadata-support-for-cpe/cpecveGentoometadatasecurityEnabling Kernel Samepage Merging (KSM)<p>When using virtualization extensively, you will pretty soon hit the limits of your system (at least, the resources on it). When the virtualization is used primarily for testing (such as in my case), the limit is memory. So it makes sense to seek memory optimization strategies on such systems.
The …</p>Sven VermeulenThu, 09 May 2013 03:50:00,2013-05-09:/2013/05/enabling-kernel-samepage-merging-ksm/cowksmkvmlinuxvirtualizationThe Linux ".d" approach<p>Many services on a Linux system use a <code>*.d</code> directory approach to make their configuration easily configurable by other services. This is a remarkably simple yet efficient method for exposing services towards other applications. Let's look into how this <code>.d</code> approach works.</p> <p>Take a look at the <code>/etc/pam.d …</code></p>Sven VermeulenWed, 08 May 2013 03:50:00,2013-05-08:/2013/05/the-linux-d-approach/Added "predictable network interface" info into the handbook<p>Being long overdue - like many of our documentation-reported bugs :-( I worked on <a href="">bug 466262</a> to update the <a href="">Gentoo Handbook</a> with information about <a href=";chap=2#doc_chap4">Network Interface Naming</a>. Of course, the installation instructions have also seen the necessary updates to refer to this change.</p> <p>With some luck (read: time) I might be able …</p>Sven VermeulenTue, 07 May 2013 03:50:00,2013-05-07:/2013/05/added-predictable-network-interface-info-into-the-handbook/documentationgdpGentooudevOverview of Linux capabilities, part 3<p>In <a href="">previous</a> <a href="">posts</a> <a href="">I</a> <a href="">talked</a> about capabilities and gave an introduction to how this powerful security feature within Linux can be used (and also exploited). 
I also covered a few capabilities, so let's wrap this up with the remainder of them.</p> <dl> <dt>CAP_AUDIT_CONTROL</dt> <dd>Enable and disable kernel auditing; change auditing filter …</dd></dl>Sven VermeulenMon, 06 May 2013 03:50:00,2013-05-06:/2013/05/overview-of-linux-capabilities-part-3/capabilitiescapshlibcaplinuxOverview of Linux capabilities, part 2<p>As I've (in a very high level) <a href="">described capabilities</a> and talked a bit on how to <a href="">work with them</a>, I started with a small overview of <a href="">file-related</a> capabilities. So next up are process-related capabilities (note, this isn't a conform terminology, more some categorization that I do myself).</p> <dl> <dt>CAP_IPC_LOCK</dt> <dd>Allow the …</dd></dl>Sven VermeulenSun, 05 May 2013 03:50:00,2013-05-05:/2013/05/overview-of-linux-capabilities-part-2/capabilitiesgrsecuritylinuxnosuidselinuxtpeOverview of Linux capabilities, part 1<p>In the <a href="">previous</a> <a href="">posts</a>, I talked about capabilities and how they can be used to allow processes to run in a privileged fashion without granting them full root access to the system. An example given was how capabilities can be leveraged to run <strong>ping</strong> without granting it setuid root rights …</p>Sven VermeulenSat, 04 May 2013 03:50:00,2013-05-04:/2013/05/overview-of-linux-capabilities-part-1/capabilitieslinuxRestricting and granting capabilities<p>As <a href="">capabilities</a> are a way for running processes with some privileges, without having the need to grant them root privileges, it is important to understand that they exist if you are a system administrator, but also as an auditor or other security-related function. Having processes run as a non-root user …</p>Sven VermeulenFri, 03 May 2013 03:50:00,2013-05-03:/2013/05/restricting-and-granting-capabilities/capabilitieslinuxCapabilities, a short intro<p>Capabilities. 
You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …</p>Sven VermeulenThu, 02 May 2013 03:50:00,2013-05-02:/2013/05/capabilities-a-short-intro/capabilitieslinuxpingselinuxSELinux mount options<p>When you read through the <a href="">Gentoo Hardened SELinux handbook</a>, you'll notice that we sometimes update <code>/etc/fstab</code> with some SELinux-specific settings. So, what are these settings about and are there more of them?</p> <p>First of all, let's look at a particular example from the installation instructions so you see what …</p>Sven VermeulenWed, 01 May 2013 03:50:00,2013-05-01:/2013/05/selinux-mount-options/mountselinuxQemu-KVM monitor tips and tricks<p>When running KVM guests, the <a href="">Qemu/KVM monitor</a> is a nice interface to interact with the VM and do specific maintenance tasks on. If you run the KVM guests with VNC, then you can get to this monitor through <code>Ctrl-Alt-2</code> (and <code>Ctrl-Alt-1</code> to get back to the VM display). I …</p>Sven VermeulenTue, 30 Apr 2013 03:50:00,2013-04-30:/2013/04/qemu-kvm-monitor-tips-and-tricks/kvmmonitorqemuphotorec to the rescue<p>Once again <a href="">PhotoRec</a> has been able to save files from a corrupt FAT USB drive. The application scans the partition, looking for known files (based on the file magic) and then restores those files. The files are not named as they were though, so there is still some manual work …</p>Sven VermeulenMon, 29 Apr 2013 03:50:00,2013-04-29:/2013/04/photorec-to-the-rescue/corruptionphotorecrecoveryshredSecurely handling libffi<p>I've recently came across <a href="">libffi</a> again. 
No, not because it was mentioned during the <a href="">Gentoo Hardened</a> online meeting, but because my <code>/var/tmp</code> wasn't mounted correctly, and <strong>emerge</strong> (actually python) uses libffi. Most users won't notice this, because libffi works behind the scenes. But when it fails, it fails bad …</p>Sven VermeulenSun, 28 Apr 2013 03:50:00,2013-04-28:/2013/04/securely-handling-libffi/libffiselinuxstraceHow logins get their SELinux user context<p>Sometimes, especially when users are converting their systems to be SELinux-enabled, their user context is wrong. An example would be when, after logon (in permissive mode), the user is in the <code>system_u:system_r:local_login_t</code> domain instead of a user domain like <code>staff_u:staff_r:staff_t</code>.<br> So, how does a login get …</p>Sven VermeulenSat, 27 Apr 2013 03:50:00,2013-04-27:/2013/04/how-logins-get-their-selinux-user-context/contextselinuxuserNew SELinux userspace release<p>A new <a href="">release</a> of the SELinux userspace utilities was recently announced. I have made the packages for Gentoo available and they should now be in the main tree (\~arch of course). During the testing of the packages however, I made a stupid mistake of running the tests on the wrong …</p>Sven VermeulenFri, 26 Apr 2013 03:50:00,2013-04-26:/2013/04/new-selinux-userspace-release/automationregressionreleaseselinuxtesttestinguserspaceGentoo protip: using buildpkgonly<p>If you don't want to have the majority of builds run in the background while you are busy on the system, but you don't want to automatically install software in the background when you are not behind your desk, then perhaps you can settle for using <a href="">binary packages</a>. 
I'm not …</p>Sven VermeulenThu, 25 Apr 2013 03:50:00,2013-04-25:/2013/04/gentoo-protip-using-buildpkgonly/binpkgemergeGentooprotipUsing strace to troubleshoot SELinux problems<p>When SELinux is playing tricks on you, you can just "allow" whatever it wants to do, but that is not always an option: sometimes, there is no denial in sight because the problem lays within SELinux-aware applications (applications that might change their behavior based on what the policy sais or …</p>Sven VermeulenWed, 24 Apr 2013 03:50:00,2013-04-24:/2013/04/using-strace-to-troubleshoot-selinux-problems/debugselinuxstraceSLOT'ing the old swig-1<p>The <a href="">SWIG</a> tool helps developers in building interfaces/libraries that can be accessed from many other languages than the ones the library is initially written in or for. The SELinux userland utility <a href="">setools</a> uses it to provide Python and Ruby interfaces even though the application itself is written in C …</p>Sven VermeulenTue, 23 Apr 2013 03:50:00,2013-04-23:/2013/04/sloting-the-old-swig-1/GentooselinuxsetoolsslotswigMitigating DDoS attacks<p>Lately, DDoS attacks have been in the news more than I was hoping for. It seems that the botnets or other methods that are used to generate high-volume traffic to a legitimate service are becoming more and more easy to get and direct. At the time that I'm writing this …</p>Sven VermeulenMon, 22 Apr 2013 03:50:00,2013-04-22:/2013/04/mitigating-ddos-attacks/ddosdnsmitigationsecurityIntroducing selocal for small SELinux policy enhancements<p>When working with a SELinux-enabled system, administrators will eventually need to make small updates to the existing policy. 
Instead of building their own full policy (always an option, but most likely not maintainable in the long term) one or more SELinux policy modules are created (most distributions use a modular …</p>Sven VermeulenSun, 21 Apr 2013 03:50:00,2013-04-21:/2013/04/introducing-selocal-for-small-selinux-policy-enhancements/GentoopolicyselinuxselocalTransforming GuideXML to DocBook<p>I recently <a href=";view=log">committed</a> an XSL stylesheet that allows us to transform the GuideXML documents (both guides and handbooks) to DocBook. This isn't part of a more elaborate move to try and push DocBook instead of GuideXML for the Gentoo Documentation though (I'd rather direct documentation development more to the Gentoo …</p>Sven VermeulenSat, 20 Apr 2013 03:50:00,2013-04-20:/2013/04/transforming-guidexml-to-docbook/docbookGentooguidexmlpdfxslComparing performance with sysbench: performance analysis<p>So in the past few posts I discussed how <strong>sysbench</strong> can be used to simulate some workloads, specific to a particular set of tasks. I used the benchmark application to look at the differences between the guest and host on my main laptop, and saw a major performance regression with …</p>Sven VermeulenFri, 19 Apr 2013 16:22:00,2013-04-19:/2013/04/comparing-performance-with-sysbench-part-3/performancesysbenchComparing performance with sysbench: memory, threads and mutexes<p>In the previous post, I gave some feedback on the cpu and fileio workload tests that <a href="">sysbench</a> can handle. 
Next on the agenda are the <em>memory</em>, <em>threads</em> and <em>mutex</em> workloads.</p> <p>When using the <em>memory</em> workload, <strong>sysbench</strong> will allocate a buffer (provided through the <em>--memory-block-size</em> parameter, defaults to 1kbyte) and each …</p>Sven VermeulenFri, 19 Apr 2013 04:11:00,2013-04-19:/2013/04/comparing-performance-with-sysbench-part-2/memorymutexperformancesysbenchthreadingthreadsAnother Gentoo Hardened month has passed<p>Another month has passed, so time to mention again what we have all been doing lately ;-)</p> <p><em>Toolchain</em></p> <p>Version 4.8 of GCC is available in the tree, but currently masked. The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). <a href="">asan</a> support in …</p>Sven VermeulenThu, 18 Apr 2013 23:36:00,2013-04-18:/2013/04/another-gentoo-hardened-month-has-passed/asangccGentoogrsecurityhardenedintegrityircmeetingpaxselinuxuderefComparing performance with sysbench: cpu and fileio<p>Being busy with virtualization and additional security measures, I frequently come in contact with people asking me what the performance impact is. Now, you won't find the performance impact of SELinux here as I have no guests nor hosts that run without SELinux. But I did want to find out …</p>Sven VermeulenThu, 18 Apr 2013 21:31:00,2013-04-18:/2013/04/comparing-performance-with-sysbench/cpuhypervisoriokvmperformancesysbenchSimple drawing for I/O positioning<p>Instead of repeatedly trying to create an overview of the various layers involved with I/O operations within Linux on whatever white-board is in the vicinity, I decided to draw one up in <a href=""></a> that I can then update as I learn more from this fascinating world. 
The drawing's …</p>Sven VermeulenThu, 18 Apr 2013 01:00:00,2013-04-18:/2013/04/simple-drawing-for-io-positionin/iolinuxWhat could SELinux have done to mitigate the postgresql vulnerability?<p><a href="">Gentoo</a> is one of the various distributions which supports <a href="">SELinux</a> as a <em>Mandatory Access Control</em> system to, amongst other things, mitigate the results of a succesfull exploit against software. So what about the recent <a href="">PostgreSQL vulnerability</a>?</p> <p>When correctly configured, the PostgreSQL daemon will run in the <code>postgresql_t</code> domain. In SELinux-speak …</p>Sven VermeulenTue, 16 Apr 2013 14:00:00,2013-04-16:/2013/04/what-could-selinux-have-done-to-mitigate-the-postgresql-vulnerability/postgresqlselinuxvulnerabilityIntegrity checking with AIDE<p>As to at least do some progress in the integrity part of Gentoo Hardened (a subproject I'd like to extend towards greater heights), I dediced to write up a <a href="">small guide</a> on how to work with <a href="">AIDE</a>. The tool is simple enough (and it allowed me to test its SELinux …</p>Sven VermeulenThu, 11 Apr 2013 17:02:00,2013-04-11:/2013/04/integrity-checking-with-aide/aideintegrityNot needing run_init for password-less service management<p>One of the things that has been bugging me was why, even with having <code></code> set in <code>/etc/pam.d/run_init</code>, I cannot enjoy passwordless service management without using <strong>run_init</strong> directly:</p> <div class="highlight"><pre><span></span># rc-service postgresql-9.2 status Authenticating root. Password: # run_init rc-service postgresql-9.2 status Authenticating root. 
* status: started </pre></div> <p>So I …</p>Sven VermeulenTue, 09 Apr 2013 22:14:00,2013-04-09:/2013/04/not-needing-run_init-for-password-less-service-management/Gentoohardenedpamrootokrun_initselinuxHow far reaching vulnerabilities can go<p>If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …</p>Sven VermeulenTue, 09 Apr 2013 19:39:00,2013-04-09:/2013/04/how-far-reaching-vulnerabilities-can-go/firewallpatchingpostgresqlsecuritySeparate puppet provider for Gentoo/SELinux?<p>While slowly transitioning my playground infrastructure towards Puppet, I already am in process of creating a custom provider for things such as services. Puppet uses providers as "implementations" for the functions Puppet needs. For instance, for the <em>service</em> type (which handles init script services), there are providers for RedHat, Debian …</p>Sven VermeulenSun, 07 Apr 2013 19:22:00,2013-04-07:/2013/04/separate-puppet-provider-for-gentooselinux/GentooopenrcproviderpuppetselinuxMatching packages with CVEs<p>I've come across a few posts on forums (Gentoo and elsewhere) asking why Gentoo doesn't make security-related patches on the tree. Some people think this is the case because they do not notice (m)any GLSAs, which are Gentoo's security advisories. However, it isn't that Gentoo doesn't push out security …</p>Sven VermeulenThu, 04 Apr 2013 21:44:00,2013-04-04:/2013/04/matching-packages-with-cves/Linux Sea and ePub update<p>I just "published" a small update on the <a href="">Linux Sea</a> online book. Nothing major, some path updates (like the move to /etc/portage for the make.conf file). 
But I wouldn't put a blog post online if there wasn't anything else to say ;-)</p> <p>Recently I was made aware that the …</p>Sven VermeulenTue, 02 Apr 2013 20:16:00,2013-04-02:/2013/04/linux-sea-and-epub-update/epublinux sealinux_seaFiddling with puppet apply<p>As part of a larger exercise, I am switching my local VM set from a more-or-less scripted manual configuration towards a fully Puppet-powered one. Of course, it still uses a lot of custom modules and is most likely too ugly to expose to the wider internet, but it does seem …</p>Sven VermeulenWed, 20 Mar 2013 12:31:00,2013-03-20:/2013/03/fiddling-with-puppet-apply/providerpuppetselinuxserviceSELinux tutorial series, update<p>Just a small update - the <a href="">set of SELinux tutorials</a> has been enhanced since my last blog post about it with information on SELinux booleans, customizable types, run-time modi (enforcing versus permissive), some bits about unconfined domains, information on policy loading, purpose of SELinux roles, SELinux users and an example on …</p>Sven VermeulenMon, 18 Mar 2013 23:22:00,2013-03-18:/2013/03/selinux-tutorial-series-update/SELinux tutorial series<p>As we get a growing number of SELinux users within Gentoo Hardened and because the SELinux usage at the firm I work at is most likely going to grow as well, I decided to join the bunch of documents on SELinux that are "out there" and start a series of …</p>Sven VermeulenFri, 15 Mar 2013 00:34:00,2013-03-15:/2013/03/selinux-tutorial-series/articlesdocumentationGentoohardenedselinuxtutorialswikiGentoo Hardened progress meeting of march 2013<p>Another month has passed, so time for a new progress meeting...</p> <p><strong>Toolchain</strong></p> <p>GCC v4.7 has been unmasked, allowing a large set of users to test out the new GCC. It is also expected that GCC 4.8-rc1 will hit the tree next week. 
In the hardened-dev overlay, hardened support …</p>Sven VermeulenThu, 07 Mar 2013 22:46:00,2013-03-07:/2013/03/gentoo-hardened-progress-meeting-of-march-2013/GentoogrsecurityhardenedkernelpaxprofilesselinuxtoolchainUploading selinuxnode test VM<p>At the time of writing (but I'll delay the publication of this post a few hours), I'm uploading a new SELinux-enabled KVM guest image. This is not an update on the previous image though (it's a reinstalled system - after all, I use VMs for testing, so it makes sense to …</p>Sven VermeulenMon, 25 Feb 2013 03:05:00,2013-02-25:/2013/02/uploading-selinuxnode-test-vm/evmGentoogrsecurityhardenedimakvmselinuxvirtualWorking on a new selinuxnode VM<p>A long time ago, I made a <a href="">SELinux enabled VM</a> for people to play with, displaying a minimal Gentoo installation, including the hardening features it supports (PIE/PIC toolchain, grSecurity, PaX and SELinux). I'm currently trying to create a new one, which also includes IMA/EVM, but it looks like …</p>Sven VermeulenSat, 23 Feb 2013 14:04:00,2013-02-23:/2013/02/working-on-a-new-selinuxnode-vm/evmGentoohardenedimaselinuxselinuxnodevmTransforming GuideXML to wiki<p>The <a href="">Gentoo project</a> has its own <a href="">official wiki</a> for some time now, and we are going to use it more and more in the next few months. For instance, in the last Gentoo Hardened meeting, we already discussed that most user-oriented documentation should be put on the wiki, and I've …</p>Sven VermeulenTue, 12 Feb 2013 20:12:00,2013-02-12:/2013/02/transforming-guidexml-to-wiki/GentooguidexmlstylesheetwikixmlxslGentoo Hardened goes onward (aka project meeting)<p>It's been a while again, so time for another Gentoo Hardened online progress meeting.</p> <p><em>Toolchain</em></p> <p>GCC 4.8 is on development stage 4, so the hardened patches will be worked on next week. Some help on it is needed to test the patches on ARM, PPC and MIPS though. 
For …</p>Sven VermeulenThu, 07 Feb 2013 23:40:00,2013-02-07:/2013/02/gentoo-hardened-goes-onward-aka-project-meeting/GentoogrsecurityhardenedkernelmeetingminutesonlinepaxprofilesselinuxWhy would paid-for support be better?<p>Last Saturday evening, I sent an e-mail to a low-volume mailinglist regarding IMA problems that I'm facing. I wasn't expecting an answer very fast of course, being holidays, weekend and a low-volume mailinglist. But hey - it is the free software world, so I should expect some slack on this, right …</p>Sven VermeulenMon, 31 Dec 2012 22:46:00,2012-12-31:/2012/12/why-would-paid-for-support-be-better/IMA and EVM on Gentoo, part 2<p>I have been playing with <a href="">Linux IMA/EVM</a> on a Gentoo Hardened (with SELinux) system for a while and have been documenting what I think is interesting/necessary for Gentoo Linux users when they want to use IMA/EVM as well. Note that the documentation of the Linux IMA/EVM …</p>Sven VermeulenSat, 29 Dec 2012 23:42:00,2012-12-29:/2012/12/ima-and-evm-on-gentoo-part-2/Gentoo Hardened IMA support<p>Adventurous users, contributors and developers can enable the <em>Integrity Measurement Architecture</em> subsystem in the Linux kernel with appraisal (since Linux kernel 3.7). In an attempt to support IMA (and EVM and other technologies) properly, the <a href="">System Integrity</a> subproject within <a href="">Gentoo Hardened</a> was launched a few months ago. And now …</p>Sven VermeulenThu, 27 Dec 2012 22:40:00,2012-12-27:/2012/12/gentoo-hardened-ima-support/Switching policy types in Gentoo/SELinux<p>When you are running Gentoo with SELinux enabled, you will be running with a particular policy type, which you can devise from either <code>/etc/selinux/config</code> or from the output of the <strong>sestatus</strong> command. 
As a user on our IRC channel had some issues converting his strict-policy system to mcs …</p>Sven VermeulenThu, 20 Dec 2012 11:31:00,2012-12-20:/2012/12/switching-policy-types-in-gentooselinux/Another hardened month has passed...<p>... so it's time for a new update ;-)</p> <p><em>Toolchain</em></p> <p>GCC 4.8 is still in its stage 3 development phase, so Zorry will send out the patches to the GCC development community when this phase is done. For Gentoo hardened itself, we now support all architectures except for IA64 (which never …</p>Sven VermeulenThu, 13 Dec 2012 10:02:00,2012-12-13:/2012/12/another-hardened-month-has-passed/Using pam_selinux to switch contexts<p>With SELinux managing the access controls of applications towards the resources on the system, a not-to-be forgotten important component on any Unix/Linux system is the authentication part. Most systems use or support PAM, the <em>Pluggable Authentication Modules</em>, and for SELinux this plays an important role.</p> <p>Applications that are PAM-enabled …</p>Sven VermeulenMon, 10 Dec 2012 22:11:00,2012-12-10:/2012/12/using-pam_selinux-to-switch-contexts/Using stunnel for mutual authentication<p>Sometimes services do not support SSL/TLS, or if they do, they do not support using mutual authentication (i.e. requesting that the client also provides a certificate which is trusted by the service). If that is a requirement in your architecture, you can use <strong>stunnel</strong> to provide this additional …</p>Sven VermeulenSat, 08 Dec 2012 14:24:00,2012-12-08:/2012/12/using-stunnel-for-mutual-authentication/nginx as reverse SMTP proxy<p>I've noticed that not that many resources are online telling you how you can use nginx as a reverse SMTP proxy. 
Using a reverse SMTP proxy makes sense even if you have just one mail server back-end, either because you can easily switch towards another one, or because you want …</p>Sven VermeulenThu, 06 Dec 2012 00:03:00,2012-12-06:/2012/12/nginx-as-reverse-smtp-proxy/Why you need the real_* thing with genkernel<p>Today it bit me. I rebooted my workstation, and all hell broke loose. Well, actually, it froze. Literally, if you consider my root file system. When the system tried to remount the root file system read-write, it gave me this:</p> <div class="highlight"><pre><span></span>mount: / not mounted or bad option </pre></div> <p>So I did the …</p>Sven VermeulenSun, 25 Nov 2012 21:05:00,2012-11-25:/2012/11/why-you-need-the-real_-thing-with-genkernel/The hardened project continues going forward...<p>This wednesday, the <a href="">Gentoo Hardened</a> team held its monthly online meeting, discussing the things that have been done the last few weeks and the ideas that are being worked out for the next. As I did with the last few meetings, allow me to summarize it for all interested parties …</p>Sven VermeulenSat, 17 Nov 2012 21:34:00,2012-11-17:/2012/11/the-hardened-project-continues-going-forward/Local policy management script<p>I've written a small script that I call <strong>selocal</strong> which manages locally needed SELinux rules. It allows me to add or remove SELinux rules from the command line and have them loaded up without needing to edit a .te file and building the .pp file manually. If you are interested …</p>Sven VermeulenSun, 11 Nov 2012 13:37:00,2012-11-11:/2012/11/local-policy-management-script/Gentoo Hardened progress meeting<p>Not that long ago we had our monthly Gentoo Hardened project meeting (on October 3rd to be exact). On these meetings, we discuss the progress of the project since the last meeting.</p> <p>For our <em>toolchain</em> domain, Zorry reported that the PIE patchset is updated for GCC, fixing bug <a href="">#436924</a>. 
Blueness …</p>Sven VermeulenSun, 14 Oct 2012 15:00:00,2012-10-14:/2012/10/gentoo-hardened-progress-meeting/git patch apply<p>I recently had to merge the changes made to an upstream project with a local repository. I took out the changes as patches through <strong><code>git format-patch</code></strong> (as the local repository isn't a clone of the remote one so I couldn't just create a branch and merge) and hoped to apply …</p>Sven VermeulenThu, 27 Sep 2012 20:45:00,2012-09-27:/2012/09/git-patch-apply/Perimeter security testing<p>I've been asked a few times how I would do perimeter security testing. Personally, I'm not an offensive security guy, more a defensive one, meaning I'm more about security-related defensive methods rather than PEN testing of any kind. But still, even in a defensive position, having a "view" on how …</p>Sven VermeulenTue, 28 Aug 2012 22:47:00,2012-08-28:/2012/08/perimeter-security-testing/Gentoo Hardened in August<p>Last wednesday <a href="">Gentoo Hardened</a> held its monthly online meeting to discuss the progress of the various subprojects, reconfirm the current project leads, talk about potential new projects and discuss some bugs that were getting on our nerves...</p> <p>For the project leads, all current leads were reconfirmed: Zorry will keep tight …</p>Sven VermeulenSat, 25 Aug 2012 17:18:00,2012-08-25:/2012/08/gentoo-hardened-in-august/Lots of work on supporting swig-2<p>The SELinux <a href="">setools</a> <a href="">package</a> provides a few of the commands I used the most when working with SELinux: <strong>sesearch</strong> for looking through the policy and <strong>seinfo</strong> to get information on type/attribute/role/... 
from the currently loaded policy.</p> <p>This package uses <a href="">swig</a>, the Simplified (sic) Wrapper and Interface Generator to …</p>Sven VermeulenMon, 20 Aug 2012 20:50:00,2012-08-20:/2012/08/lots-of-work-on-supporting-swig-2/Adding roles to the Gentoo Hardened SELinux policy<p>I <a href=";chap=5#doc_chap4">wrote a small section</a> on how to create additional roles to the SELinux policy offered by Gentoo Hardened. Whereas the default policy that we provide only offers a few basic roles, any policy administrator can provide additional roles for the system.</p> <p>By using additional roles, you can grant users …</p>Sven VermeulenTue, 14 Aug 2012 20:39:00,2012-08-14:/2012/08/adding-roles-to-the-gentoo-hardened-selinux-policy/Kickstarting the Integrity subproject<p>Now that Gentoo Hardened has its <a href="">integrity</a> subproject, I started with writing down the <a href="">concepts</a> (draft - will move to the project site when finished!) used within the subproject: what is integrity, how does trust fit into this, what kind of technologies will we look at, etc. I'm hoping that this …</p>Sven VermeulenMon, 30 Jul 2012 21:34:00,2012-07-30:/2012/07/kickstarting-the-integrity-subproject/Gentoo Hardened on the move<p>Gentoo Hardened is thriving and going forward. For those that don't exactly know what <a href="">Gentoo Hardened</a> is - it is a Gentoo project dedicated to bring Gentoo in a shape ready for highly secure, high stability production server environments. This is what we live by, and why we do what we …</p>Sven VermeulenThu, 26 Jul 2012 00:41:00,2012-07-26:/2012/07/gentoo-hardened-on-the-move/Dynamic transitions in SELinux<p>In between talks on heap spraying techniques and visualization of data for fast analysis, I'm working on integrating the chromium SELinux policy that was offered in bug <a href="">bug #412637</a> within Gentoo Hardened. 
If you take a look at the bug, you notice I'm not really fond of the policy because …</p>Sven VermeulenSun, 22 Jul 2012 21:11:00,2012-07-22:/2012/07/dynamic-transitions-in-selinux/Hardening the Linux kernel updates<p>Thanks to a comment by Andy, the <a href="">guide</a> now has information about additional settings: stackprotector, read-only data, restrict access to /dev/mem, disable /proc/kcore and restrict kernel syslog (dmesg). One suggestion he made didn't make it to the guide (about CONFIG_DEBUG_STACKOVERFLOW) since I can't find any resources about the …</p>Sven VermeulenSat, 21 Jul 2012 21:06:00,2012-07-21:/2012/07/hardening-the-linux-kernel-updates/Hardening the Linux kernel<p>I have moved out the kernel configuration settings (and <strong>sysctl</strong> stuff) from the <a href="">Hardening Gentoo Linux benchmark</a> into its own <a href="">Hardening the Linux kernel</a> guide. It covers some common hardening-related kernel configuration entries (although I'm sure I'm missing a lot of them still) as well as grSecurity and PaX settings …</p>Sven VermeulenFri, 20 Jul 2012 22:05:00,2012-07-20:/2012/07/hardening-the-linux-kernel/Hardening OpenSSH<p>A while ago I wrote about a <a href="">Gentoo Security Benchmark</a> which would talk about hardening a Gentoo Linux installation. Within that document, I was documenting how to harden specific services as well. However, I recently changed my mind and wanted to move the hardening stuff for the services in separate …</p>Sven VermeulenWed, 18 Jul 2012 22:20:00,2012-07-18:/2012/07/hardening-openssh/Updated Gentoo Hardened/SELinux VM image<p>I have updated the Gentoo Hardened/SELinux VM image, available on the mirrors under <code>experimental/amd64/qemu-selinux</code>.</p> <p>The new image now asks for the keyboard layout, has a short DHCP timeout value (5 seconds) and provides the nano editor. 
If you plan on running the image using qemu, please use …</p>Sven VermeulenMon, 16 Jul 2012 18:31:00,2012-07-16:/2012/07/updated-gentoo-hardenedselinux-vm-image/Gentoo Hardened/SELinux VM image<p>A few weeks ago, I pushed out a VM image (Qemu QCOW2 format) to the <code>/experimental/amd64/qemu-selinux/</code> location in our mirrors. This VM image (which is about 1.6 Gib large decompressed) provides a SELinux-enabled, Gentoo Hardened (with PaX and other grSecurity security settings) base installation. Thanks to the …</p>Sven VermeulenTue, 10 Jul 2012 21:27:00,2012-07-10:/2012/07/gentoo-hardenedselinux-vm-image/Gentoo Summer of Documentation - Let's do it!<p>The <a href="">Gentoo Wiki folks</a> have started a great idea (and immediately set a nice milestone), namely the <a href="">Gentoo Wiki Summer of Documentation</a>. By september, they want to double the amount of articles on the wiki.</p> <p>I'll surely help out and participate where I can, and perhaps we can even go …</p>Sven VermeulenFri, 29 Jun 2012 19:16:00,2012-06-29:/2012/06/gentoo-summer-of-documentation-lets-do-it/Had to edit /etc/init.d/root<p>For some reason, I had to edit my /etc/init.d/root file to use "mount /dev/root -n -o remount,rw /" instead of the standard "mount -n -o remount,rw /". Without this, it failed to remount the root file system in a read-write mode, which is of course not …</p>Sven VermeulenSun, 24 Jun 2012 15:38:00,2012-06-24:/2012/06/had-to-edit-etcinit-droot/Overview of SELinux changes<p>Most users of Gentoo hardly take a look at the (installation) documentation when their installation has finished. After all, being a rolling distribution, there is little need to take a look at the instructions again. 
And for most Gentoo users, changes that are needed to be reviewed by existing users …</p>Sven VermeulenSun, 24 Jun 2012 14:32:00,2012-06-24:/2012/06/overview-of-selinux-changes/Python 3 support for SELinux userland, tests and policy rev 10<p>In the last few hours I pushed my local changes on the SELinux userland utilities towards the <a href=";a=tree">hardened-development</a> overlay. The utilities not only include some bugfixes, but have now also seen a first set of tests towards Python 3.2. In the past, I've made a few attempts at making …</p>Sven VermeulenSat, 26 May 2012 18:59:00,2012-05-26:/2012/05/python-3-support-for-selinux-userland-tests-and-policy-rev-10/Catching up, but stuff is piling...<p>Those that are frequent the #gentoo-hardened chat channel know that I'm currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I'm still not there yet. I'm now hitting a weird <a href="">bug</a> which seems to come down to an incorrect free() on …</p>Sven VermeulenThu, 24 May 2012 18:46:00,2012-05-24:/2012/05/catching-up-but-stuff-is-piling/Keeping /selinux<p>Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version <em>and</em> you switch from <code>/selinux</code> to <code>/sys/fs/selinux</code> as the mountpoint for the SELinux file system, you might get into issues. Apparently, <strong>init</strong> (which is responsible for mounting the SELinux …</p>Sven VermeulenFri, 04 May 2012 22:26:00,2012-05-04:/2012/05/keeping-selinux/20120215 policies now stable<p>Today I've stabilized the <code>sec-policy/selinux-*</code> packages that provide the 20120215 "series" of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. 
I will be dropping the older policies and userspace …</p>
<p><em>Sven Vermeulen, Sun, 29 Apr 2012 16:43:00, /2012/04/20120215-policies-now-stable/</em></p>

<h2>Linux Sea now in ePub</h2>
<p>At the request of Matthew Marchese, I now automatically build an <a href="">ePub version</a> of <a href="">Linux Sea</a> for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its <code>xsl-stylesheets/epub/docbook.xsl</code> stylesheet against the DocBook sources …</p>
<p><em>Sven Vermeulen, Fri, 20 Apr 2012 17:31:00, /2012/04/linux-sea-now-in-epub/</em></p>

<h2>Why both chroot and SELinux?</h2>
<p>In my <a href="">previous post</a>, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?</p> <p>Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate …</p>
<p><em>Sven Vermeulen, Sun, 15 Apr 2012 09:41:00, /2012/04/why-both-chroot-and-selinux/</em></p>

<h2>Chrooted BIND for IPv6 with SELinux</h2>
<p>BIND, or Berkeley Internet Name Domain, is one of the Internet's most popular domain name service (DNS) software packages. It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I'll give …</p>
<p><em>Sven Vermeulen, Sat, 14 Apr 2012 23:08:00, /2012/04/chrooted-bind-for-ipv6-with-selinux/</em></p>

<h2>Documentation updates for initramfs needed?</h2>
<p>A quick help request from the community: if you know of any Gentoo documents that need updates in order for end users to know when and how to use initramfs, please file <a href="">bugreports</a> and have them <a href="">block bug #407959</a>.
Currently, we have updated the Gentoo Handbook, Gentoo Quickinstall guides and …</p>
<p><em>Sven Vermeulen, Thu, 12 Apr 2012 17:40:00, /2012/04/documentation-updates-for-initramfs-needed/</em></p>

<h2>Get your devtmpfs ready</h2>
<p>If you are using stable profiles, you might want to verify if you are already running a kernel with devtmpfs support enabled. Why? Well, currently you might not need it, but the upcoming openrc/udev packages require it and they currently do not fail at install time if you have …</p>
<p><em>Sven Vermeulen, Sat, 07 Apr 2012 22:10:00, /2012/04/get-your-devtmpfs-ready/</em></p>

<h2>More on initramfs and SELinux</h2>
<p>With the upcoming udev version <em>not</em> supporting separate <code>/usr</code> locations unless you boot with an initramfs, we are <a href="">now</a> <a href="">starting</a> <a href="">to</a> document how to create an initramfs to boot with. After all, systems with a separate <code>/usr</code> are not that uncommon.</p> <p>As I've blogged about <a href="">before</a>, getting an initramfs to …</p>
<p><em>Sven Vermeulen, Sun, 25 Mar 2012 19:44:00, /2012/03/more-on-initramfs-and-selinux/</em></p>

<h2>Hunting fuser</h2>
<p>I am able to work on Gentoo and SELinux about one hour per day. It's more in total time, but being a bit exhausted makes me act a bit more slowly, which boils down to about one hour per day. And one hour per day isn't bad, you're able to …</p>
<p><em>Sven Vermeulen, Mon, 12 Mar 2012 21:54:00, /2012/03/hunting-fuser/</em></p>

<h2>Introducing 2.20120215 policies</h2>
<p>A few weeks after being <a href="">released</a>, we now have the 20120215-based policies available for our users (and also the newer userspace utilities). The packages currently reside in the hardened-dev overlay as they will need to see sufficient testing before we merge those to the main tree.
For most users, nothing …</p>
<p><em>Sven Vermeulen, Sun, 26 Feb 2012 18:40:00, /2012/02/introducing-2-20120215-policies/</em></p>

<h2>Transitioning to MCS policies</h2>
<p>Since I started maintaining the <a href="">SELinux policies</a> for <a href="">Gentoo Hardened</a>, the policy types we supported were primarily <code>strict</code> and <code>targeted</code>. About half a year ago, we also started supporting <code>mcs</code> and offered the possibility of using <code>mls</code> as well (but didn't really support that one).</p> <p>With the recent release of …</p>
<p><em>Sven Vermeulen, Fri, 24 Feb 2012 22:12:00, /2012/02/transitioning-to-mcs-policies/</em></p>

<h2>This month's stabilization done, more to come</h2>
<p>A small notification to tell you that the SELinux policies that were pushed to the main tree 30 days (or more) ago have now been stabilized (none of them introduced problems, although some of them have other bugs still open which are either fixed in <code>~arch</code> or will be fixed …</p>
<p><em>Sven Vermeulen, Sun, 29 Jan 2012 13:33:00, /2012/01/this-months-stabilization-done-more-to-come/</em></p>

<h2>Trying out initramfs with selinux and grsec</h2>
<p>I'm no fan of initramfs. All my systems boot up just fine without it, so I often see it as an additional layer of obfuscation. But there are definitely cases where initramfs is needed, and from the <a href="">looks of it</a>, we might be needing to push out some documentation and …</p>
<p><em>Sven Vermeulen, Sun, 15 Jan 2012 12:58:00, /2012/01/trying-out-initramfs-with-selinux-and-grsec/</em></p>

<h2>Unix domain sockets are files</h2>
<p>Probably not a first for many seasoned Linux administrators, and probably not correct according to more advanced users than myself, but I just found out that Unix domain sockets are files.
Even when they're not.</p> <p>I have been looking at a weird SELinux denial I had occurring on my system …</p>
<p><em>Sven Vermeulen, Sat, 31 Dec 2011 17:48:00, /2011/12/unix-domain-sockets-are-files/</em></p>

<h2>Gentoo Wiki &amp; Knowledge Base</h2>
<p>I have been playing with the <a href="">Gentoo Wiki</a> the last few days and am very impressed with the work that both the wiki teams as well as existing contributors have already done to the place. The look and feel is very slick and editing works just as expected. One of …</p>
<p><em>Sven Vermeulen, Mon, 26 Dec 2011 20:01:00, /2011/12/gentoo-wiki-knowledge-base/</em></p>

<h2>Supporting fix scripts for XCCDF content and maintaining the documents</h2>
<p>One of the features supported through XCCDF (and implemented by Open-SCAP) is to generate fix scripts when a rule's test has failed. The administrator can then verify this script (of course) and then execute it to correct wrong settings. So I decided to play around with this as well and enhanced the <a href="">Gentoo …</a></p>
<p><em>Sven Vermeulen, Fri, 23 Dec 2011 16:00:00, /2011/12/supporting-fix-scripts-for-xccdf-content-and-maintaining-the-documents/</em></p>

<h2>SELinux Gentoo/Hardened state 2011-12-19</h2>
<p>On December 14th, the <a href="">Gentoo Hardened</a> project had its monthly <a href="">online meeting</a> to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux front were presented as well.</p> <p>Since the last meeting, the following topics passed the revue.</p> <ul> <li><a href="">sec-policy/selinux-base-policy</a>, which is the "master …</li></ul>
<p><em>Sven Vermeulen, Mon, 19 Dec 2011 18:04:00, /2011/12/selinux-gentoohardened-state-2011-12-19/</em></p>

<h2>Supporting CC-BY-SA 3.0</h2>
<p>Until now, documents on the <a href="">Gentoo website</a> all had to be licensed under the <a href="">Creative Commons Attribution/Share Alike</a> license, version 2.5. Why? Because at the time of the license choice, that was probably the latest version at hand.
In the XML code itself, the license tagging was done …</p>
<p><em>Sven Vermeulen, Tue, 29 Nov 2011 21:33:00, /2011/11/supporting-cc-by-sa-3-0/</em></p>

<h2>SELinux Gentoo/Hardened state 2011-11-17</h2>
<p>A small write-down on the <a href="">Gentoo Hardened SELinux</a> state of affairs, largely triggered because there was an online meeting for the <a href="">Gentoo Hardened</a> project today.</p> <ul> <li>The SELinux policies offered in the <code>sec-policy</code> category are based on the latest refpolicy release. The older policies have been removed from the Portage tree. The patches …</li></ul>
<p><em>Sven Vermeulen, Thu, 17 Nov 2011 23:29:00, /2011/11/selinux-gentoohardened-state-2011-11-17/</em></p>

<h2>Gentoo Security Benchmark with OVAL and Open-SCAP</h2>
<p>A while ago, I got referred to the <a href="">Open Vulnerability and Assessment Language</a>, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can interpret it. Actually, it is a set of these …</p>
<p><em>Sven Vermeulen, Wed, 16 Nov 2011 23:09:00, /2011/11/gentoo-security-benchmark-with-oval-and-open-scap/</em></p>

<h2>Centers of Excellence</h2>
<p>When dealing with software (I'll talk about software here, but the information is applicable to most technologies, such as appliances and operating systems) many organizations want to have "centers of excellence" with respect to the software. These teams are responsible for positioning the software within the organization, supporting the software …</p>
<p><em>Sven Vermeulen, Tue, 25 Oct 2011 20:12:00, /2011/10/centers-of-excellence/</em></p>

<h2>SELinux' 2011/07 releases now stable</h2>
<p>A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the <a href="">Gentoo SELinux Handbook</a> with the changes I presented on our <a href="">gentoo-hardened</a> mailinglist.
After some time, I'll remove the now …</p>
<p><em>Sven Vermeulen, Sun, 23 Oct 2011 15:07:00, /2011/10/selinux-201107-releases-now-stable/</em></p>

<h2>Gentoo Hardened SELinux policies, rev 5</h2>
<p>I've pushed out <code>selinux-base-policy</code> version 2.20110726-r5 to the <a href=";a=summary">hardened-dev</a> overlay. It does not hold huge changes; most of them are rewrites or updates of pre-existing patches (on the SELinux policies) to make them conform to the refpolicy naming conventions and other guidelines. It includes preliminary support for the <a href="">XDG Specification …</a></p>
<p><em>Sven Vermeulen, Thu, 13 Oct 2011 18:30:00, /2011/10/gentoo-hardened-selinux-policies-rev-5/</em></p>

<h2>Upgrading GCC, revisited</h2>
<p>Gentoo has long had a GCC Upgrading guide. A long time ago, upgrading GCC required quite a lot of side activities and was often considered a risky upgrade. But times change, and so do the GCC upgrade cycles. Improved compatibility as well as a better understood impact made GCC …</p>
<p><em>Sven Vermeulen, Thu, 13 Oct 2011 18:23:00, /2011/10/upgrading-gcc-revisited/</em></p>

<h2>Mitigating risks, part 5 - application firewalls</h2>
<p>The last <em>isolation-related</em> aspect of risk mitigation is called <strong>application firewalls</strong>. Like more "regular" firewalls, their purpose is to be put in front of a service, controlling which data/connections get through and which don't. But unlike these regular firewalls, <a href="">application firewalls</a> work on higher-level protocols (like HTTP, FTP) that …</p>
<p><em>Sven Vermeulen, Wed, 05 Oct 2011 23:38:00, /2011/10/mitigating-risks-part-5-application-firewalls/</em></p>

<h2>Quickly setup a Gentoo system</h2>
<p>In order to verify if the installation instructions in the Gentoo Handbook are still valid, and to allow me to quickly seed new Gentoo installations in a virtual environment, I wrote a <em>very ugly</em> (really) script to automatically "stage" a Gentoo Linux installation in a KVM guest.
This is <strong>not …</strong></p>
<p><em>Sven Vermeulen, Sat, 24 Sep 2011 15:34:00, /2011/09/quickly-setup-a-gentoo-system/</em></p>

<h2>Power management guide updated</h2>
<p>The <a href="">Gentoo Power Management Guide</a> is now updated. It is a full rewrite, focusing currently on two main toolsets: <a href="">Laptop Mode Tools</a> and <a href="">cpufreqd</a>. I was pleasantly surprised by the number of features that the laptop mode tools package provided.</p> <p>Of course, this does not mean that the guide is …</p>
<p><em>Sven Vermeulen, Fri, 23 Sep 2011 21:57:00, /2011/09/power-management-guide-updated/</em></p>

<h2>Mitigating risks, part 4 - Mandatory Access Control</h2>
<p>I've talked about <a href="">service isolation</a> earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn't help there, and system hardening can only go that far. The additional countermeasures that …</p>
<p><em>Sven Vermeulen, Fri, 23 Sep 2011 20:16:00, /2011/09/mitigating-risks-part-4-mandatory-access-control/</em></p>

<h2>Catching up</h2>
<p>As <a href="">mentioned</a> on the gentoo-doc mailinglist, all documentation bugs (that we know of) related to openrc have been fixed. It had already been that way for a week, but the last dependency on our "tracker" bug was an open one (asking if more needs to be done or not) from which we …</p>
<p><em>Sven Vermeulen, Sun, 18 Sep 2011 16:51:00, /2011/09/catching-up/</em></p>

<h2>Mitigating risks, part 3 - hardening</h2>
<p>While I'm writing this post, my neighbor is shouting. He's shouting so hard that I was almost writing with CAPS on to make sure you could read me.
But don't worry, he's not fighting - it is how he expresses his (positive) feelings about his religion.</p> <p>Security is, for some, also …</p>
<p><em>Sven Vermeulen, Tue, 13 Sep 2011 22:46:00, /2011/09/mitigating-risks-part-3-hardening/</em></p>

<h2>Mitigating risks, part 2 - service isolation</h2>
<blockquote> <p>Internet: absolute communication, absolute isolation<br> ~Paul Carvel</p> </blockquote> <p>The quote might be ripped out of its context completely, since it wasn't made when talking about risks and the assurance you might need to get in order to reduce risks. But it does give a nice introduction to the second part of …</p>
<p><em>Sven Vermeulen, Fri, 09 Sep 2011 23:12:00, /2011/09/mitigating-risks-part-2-service-isolation/</em></p>

<h2>Mitigating risks, part 1</h2>
<blockquote> <p>We are running Foobar 2.0 on Tomcat 4. We know that Tomcat 4 isn't supported, but hey - our (internal) customer is happy that the Foobar application works and would like to keep it that way. Upgrading to Tomcat 5 or higher is not possible - Foobar 2.0 only works …</p></blockquote>
<p><em>Sven Vermeulen, Mon, 05 Sep 2011 22:05:00, /2011/09/mitigating-risks-part-1/</em></p>

<h2>Now using refpolicy 2.20110726</h2>
<p>A few days ago, I committed the SELinux policy modules that are based on the 2.20110726 set released upstream. For those that are using Gentoo Hardened with SELinux, you'll find them if you use the <code>~arch</code> set for the <code>sec-policy</code> category.</p> <p>When I talk about upstream, it usually is …</p>
<p><em>Sven Vermeulen, Sun, 04 Sep 2011 20:38:00, /2011/09/now-using-refpolicy-2-20110726/</em></p>

<h2>Use parted for large partitions</h2>
<p>A few bugs that were sitting in Gentoo's bugzilla for the documentation were related to large partitions (2 TB and higher). Previously, this wasn't as much of an issue since the number of users that have 2+ TB partitions was fairly slim.
But of course time flies, hardware becomes cheaper …</p>
<p><em>Sven Vermeulen, Wed, 24 Aug 2011 23:46:00, /2011/08/use-parted-for-large-partitions/</em></p>

<h2>Easy documentation updates thanks to the many contributions</h2>
<p>As mentioned previously, I took a stab at the <a href="">Gentoo Guide to OpenLDAP Authentication</a>, updating its configuration settings as well as giving an introduction to its replication mechanism. Although I am no OpenLDAP guru at all, I set up a similar architecture for testing some SELinux policy changes. This test …</p>
<p><em>Sven Vermeulen, Mon, 22 Aug 2011 23:01:00, /2011/08/easy-documentation-updates-thanks-to-the-many-contributions/</em></p>

<h2>Ready, set, commit!</h2>
<p>Yesterday, I entered the realms of Gentoo development again. But as it was getting late then, I had to wait before the first commits happened. So this evening, things were done. The first couple of documentation bugs (mostly related to OpenRC) have been committed to the Gentoo CVS repository …</p>
<p><em>Sven Vermeulen, Fri, 12 Aug 2011 22:35:00, /2011/08/ready-set-commit/</em></p>

<h2>checksec kernel security</h2>
<p>I have <a href="">blogged</a> about <a href="">checksec</a> before. Jono, one of the #gentoo-hardened IRC members, kindly pointed me to its <code>--kernel</code> option. So I feel obliged to give its options a stab as well. So, here goes the next batch of OPE-style (One Paragraph Explanations).</p> <div class="highlight"><pre><span></span>~# --kernel * Kernel protection information …</pre></div>
<p><em>Sven Vermeulen, Sun, 24 Jul 2011 00:18:00, /2011/07/checksec-kernel-security/</em></p>

<h2>emerge-webrsync and gpg verification</h2>
<p>Gentoo has been working on its <a href="">security</a> from very early on. One of the (many) features it supports is to allow users to validate the state of the portage tree.
Ebuild signing (where developers sign the Manifest file with their key) is one of the layers offered by Gentoo, but …</p>
<p><em>Sven Vermeulen, Fri, 22 Jul 2011 14:33:00, /2011/07/emerge-webrsync-and-gpg-verification/</em></p>

<h2>Preliminary SELinux MCS support in Gentoo Hardened</h2>
<p>Users tracking the <a href="">hardened-dev</a> overlay for SELinux packages will notice yet another update on the <code>selinux-base-policy</code> package. This time however, the change is <a href="">a little more</a> than just a policy update. With this new revision, preliminary support for <em>Multi-Category Security</em> (aka MCS) is added.</p> <p>MCS is an update on the …</p>
<p><em>Sven Vermeulen, Thu, 21 Jul 2011 22:04:00, /2011/07/preliminary-selinux-mcs-support-in-gentoo-hardened/</em></p>

<h2>High level explanation on some binary executable security</h2>
<p>One very important functionality offered by <a href="">Gentoo Hardened</a> is a specific toolchain (compiler, libraries and more) that contains patches to make the built binaries a bit more protected from certain vulnerabilities. Explaining all those in detail is too much for a simple blog post like this, but some time ago …</p>
<p><em>Sven Vermeulen, Fri, 15 Jul 2011 22:01:00, /2011/07/high-level-explanation-on-some-binary-executable-security/</em></p>

<h2>Some people on #selinux are ... dolphins</h2>
<p>A very useful resource for anyone working on or with SELinux policies is the #selinux chat channel. People like Dominick Grift and Dan Walsh you would first think are IRC bots (being online all the time, answering questions), but I recently read that they must be …</p>
<p><em>Sven Vermeulen, Thu, 14 Jul 2011 20:00:00, /2011/07/some-people-on-selinux-are-dolphins/</em></p>

<h2>On the new SELinux profiles</h2>
<p>Ever since Anthony put in the <a href="">new SELinux profiles</a> - which was long due - they have seen quite a few tests and the necessary, evolutionary updates. No changes that broke things, no oddities that would give a WTF to whomever is using it.
The latest updates were to remove some obsolete …</p>
<p><em>Sven Vermeulen, Thu, 14 Jul 2011 19:31:00, /2011/07/on-the-new-selinux-profiles/</em></p>

<h2>Gentoo Hardened SELinux state</h2>
<p>Since the last post, we've been working on the further stabilization and bug fixing of the SELinux policies within Gentoo Hardened. You might have noticed that we started working on the QA of the packages, like I promised in the last post. The binaries within <code>selinux-base-policy</code> are now published somewhere on …</p>
<p><em>Sven Vermeulen, Sat, 09 Jul 2011 16:39:00, /2011/07/gentoo-hardened-selinux-state/</em></p>

<h2>What's next after stabilization?</h2>
<p>The last few weeks have shown quite a few interesting improvements on Gentoo Hardened's SELinux state. We now have improved (simplified) Gentoo profile support, supporting SELinux on no-multilib (an often requested feature, now finally in), we stabilized the 2.20101213 policies that are in the tree and are cleaning up …</p>
<p><em>Sven Vermeulen, Mon, 13 Jun 2011 20:46:00, /2011/06/whats-next-after-stabilization/</em></p>

<h2>Policy 25, 26</h2>
<p>Recently I've seen quite a few messages on IRC pop up about <code>policy.25</code> or even <code>policy.26</code>, so I harassed the guys in the chat channel to talk about it. Apparently, these new binary policy formats add support for filename transitions and non-process role transitions.</p> <p>Currently, when you initiate …</p>
<p><em>Sven Vermeulen, Wed, 01 Jun 2011 21:32:00, /2011/06/policy-25-26/</em></p>

<h2>SELinux file contexts</h2>
<p>If you have been working with SELinux for a while, you know that file contexts are an important part of the policy and its enforcement. File contexts are used to inform the SELinux tools which type a file, directory, socket, ... should have. These types are then used to manage the …</p>
<p><em>Sven Vermeulen, Sun, 15 May 2011 13:39:00, /2011/05/selinux-file-contexts/</em></p>

<h2>SELinux Gentoo profile updates</h2>
<p>The SELinux support within Gentoo Hardened is continuing to go forward. Anthony G.
Basile has been working on the new SELinux Gentoo profiles, which were in dire need of updates. With the rework, we'll also support the AMD64 no-multilib environment properly. With the new profiles we'll also make <em>USE="open_perms …</em></p>
<p><em>Sven Vermeulen, Tue, 03 May 2011 23:17:00, /2011/05/selinux-gentoo-profile-updates/</em></p>

<h2>SELinux User-Based Access Control</h2>
<p>Within the reference policy, support is given to a feature called <em>UBAC constraints</em>. Here, UBAC stands for <em>User Based Access Control</em>. The idea behind the constraint is that any activity between two types (say <code>foo_t</code> and <code>bar_t</code>) can be prohibited if the user contexts of the resources that are using …</p>
<p><em>Sven Vermeulen, Mon, 02 May 2011 22:14:00, /2011/05/selinux-user-based-access-control/</em></p>

<h2>SELinux and noatsecure, or why portage complains about LD_PRELOAD and libsandbox.so</h2>
<p>If you're fiddling with SELinux policies, you will eventually notice that the reference policy by default hides certain privilege requests (which are denied). One of them is <code>noatsecure</code>. But what is noatsecure? To describe noatsecure, I first need to describe what atsecure is. And to describe what that is, we …</p>
<p><em>Sven Vermeulen, Fri, 22 Apr 2011 21:00:00, /2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/</em></p>

<h2>cvechecker 3.0</h2>
<p>I'm pleased to announce the immediate availability of <a href="">cvechecker 3.0</a>. It contains two major feature enhancements: watchlists and MySQL support.</p> <p><em>watchlists</em> allow cvechecker to track and report on CVEs for software that cvechecker didn't detect on the system (or perhaps even isn't installed on the system). You can use …</p>
<p><em>Sven Vermeulen, Tue, 12 Apr 2011 22:47:00, /2011/04/cvechecker-3-0/</em></p>

<h2>cvechecker updates</h2>
<p>The in-svn version of cvechecker has seen quite a few changes in the last few days. I'm adding support for MySQL to it.
This support will be added in three steps:</p> <ol> <li>support the same features as cvechecker currently does using sqlite</li> <li>streamline the database code so that duplicate code in …</li></ol>
<p><em>Sven Vermeulen, Sun, 27 Mar 2011 22:20:00, /2011/03/cvechecker-updates/</em></p>

<h2>Restoring configuration files on Gentoo</h2>
<p>If you work with Gentoo, you're probably aware of tools like <strong>etc-update</strong> and <strong>dispatch-conf</strong>. If you use <strong>dispatch-conf</strong>, you might know that it supports <strong>rcs</strong> for version control of the changes it makes. But if you have enabled it, you might be wondering how to actually restore configuration files with …</p>
<p><em>Sven Vermeulen, Sat, 19 Mar 2011 16:32:00, /2011/03/restoring-configuration-files-on-gentoo/</em></p>

<h2>Updates on SELinux docs, added FAQ</h2>
<p>As you're probably noticing from my <a href="!/sjvermeu">twitter feed</a> and the various posts earlier in my blog, I'm helping out with the Gentoo Hardened folks to get the SELinux support state up to par. Today, the <a href="">Gentoo Hardened/SELinux Handbook</a> had a few updates, but the most important change is that …</p>
<p><em>Sven Vermeulen, Wed, 09 Mar 2011 22:17:00, /2011/03/updates-on-selinux-docs-added-faq/</em></p>

<h2>Portage fails to build due to SELinux?</h2>
<p>If you're having troubles getting Portage to build packages due to SELinux, then the reason usually is that it is unable to transition to the proper portage domains.
You'll get a nice <code>OSError</code> back with an ugly backtrace, saying somewhere that <code>setexeccon</code> is misbehaving.</p> <p>Now, the real issue (not being …</p>
<p><em>Sven Vermeulen, Thu, 03 Mar 2011 00:26:00, /2011/03/portage-fails-to-build-due-to-selinux/</em></p>

<h2>Updates on the Gentoo Hardened SELinux state</h2>
<p>For those following the progress of SELinux support in Gentoo Hardened...</p> <p>In the <em>hardened-development</em> overlay, the <code>selinux-base-policy</code> package has been updated, hopefully fixing a nasty issue with support for the targeted policy (up to today, I only tested strict policies so I missed that). It also fixes an issue with …</p>
<p><em>Sven Vermeulen, Wed, 02 Mar 2011 23:09:00, /2011/03/updates-on-the-gentoo-hardened-selinux-state/</em></p>

<h2>Temporary script for Gentoo Hardened SELinux users</h2>
<p>If you are currently using Gentoo Hardened with SELinux, you might have noticed that we are currently lacking the proper dependencies within our Portage tree upon the SELinux policies (or, in other words, installing a package doesn't guarantee that the SELinux policy needed for that package is pulled in as …</p>
<p><em>Sven Vermeulen, Sun, 27 Feb 2011 17:37:00, /2011/02/temporary-script-for-gentoo-hardened-selinux-users/</em></p>

<h2>About time...</h2>
<p>I was just wondering why "UTC" stood for "Coordinated Universal Time". Apparently (okay, citing <a href="">Wikipedia</a> here, so be critical), it's for two main reasons: English and French speaking folks that were participating in that discussion wanted their language to be presented in the abbreviation (English wants "CUT - Coordinated Universal Time …</p>
<p><em>Sven Vermeulen, Thu, 24 Feb 2011 21:44:00, /2011/02/about-time/</em></p>

<h2>cvechecker update</h2>
<p>A while ago, I got the request to enhance <a href="">cvechecker</a> with support for providing a list of installed software (or software you want to watch over with cvechecker) even if cvechecker isn't able to detect that software on your system.
I've implemented this and it is currently available in the …</p>
<p><em>Sven Vermeulen, Sat, 19 Feb 2011 16:31:00, /2011/02/cvechecker-update/</em></p>

<h2>File System Labels in Linux Sea</h2>
<p>I have added some information on file system labels in <a href="">Linux Sea</a> (<a href="">PDF</a>). If you don't know what labels are (or UUIDs), here is a quick summary.</p> <p>Most, if not all, file systems assign a universally unique identifier (UUID), which looks like a random hexadecimal string, to each file system …</p>
<p><em>Sven Vermeulen, Sat, 12 Feb 2011 20:42:00, /2011/02/file-system-labels-in-linux-sea/</em></p>

<h2>SELinux for Gentoo Hardened</h2>
<p>Recently, most of the SELinux-related ebuilds from the hardened overlay have been moved to the official Portage tree. Hopefully, this will trigger more people / organizations to try Gentoo Hardened with SELinux and help us improve the ebuilds. They're still marked as <code>~arch</code> (as they should be). The draft <a href="">SELinux handbook …</a></p>
<p><em>Sven Vermeulen, Sun, 06 Feb 2011 23:26:00, /2011/02/selinux-for-gentoo-hardened/</em></p>

<h2>"Gentoo in production?" Oh no, not again...</h2>
<p>I think it is that time of the year again, where people get some crazy ideas. Again I discussed, for what must be the gazillionth time, the question "Do you think Gentoo is ripe for use in production?". Honestly, I always tell myself to ignore those discussions but I've …</p>
<p><em>Sven Vermeulen, Fri, 21 Jan 2011 21:59:00, /2011/01/gentoo-in-production-oh-no-not-again/</em></p>

<h2>Confining user applications</h2>
<p>Ever since I started using SELinux, I'm getting more and more fond of what it can do for (security) administrators.
Lately, I've started confining user applications (like <strong>skype</strong>) with the idea that I do not want any application connecting to the Internet or working with content received from untrusted sources …</p>
<p><em>Sven Vermeulen, Sun, 16 Jan 2011 16:23:00, /2011/01/confining-user-applications/</em></p>

<h2>Why I have backups</h2>
<p>You often read stories about people who have data loss and did not keep any (recent) backups, and are now fully equipped with a state-of-the-art backup mechanism. So no - no such failure story here, but an example of why backups are important.</p> <p>Yesterday I had a vicious RAID/LVM failure. Due …</p>
<p><em>Sven Vermeulen, Thu, 30 Dec 2010 20:06:00, /2010/12/why-i-have-backups/</em></p>

<h2>cvechecker 2.0 released</h2>
<p>Okay, enough play - time for a new release. Since <strong>cvechecker 1.0</strong> was released, a few important changes have been made to the <a href="">cvechecker tools</a>:</p> <ul> <li>You can now tell cvechecker to only check newly added files, or remove a set of files from its internal database. Previously, you had to …</li></ul>
<p><em>Sven Vermeulen, Wed, 01 Dec 2010 22:29:00, /2010/12/cvechecker-2-0-released/</em></p>

<h2>Helping with version detection rules in cvechecker</h2>
<p>The new development snapshot, available from the <a href="">cvechecker project site</a>, contains a helper script that returns potential version detection rules for your system if the current cvechecker database doesn't detect your software. The script is currently available for Gentoo (called <strong>cverules_gentoo</strong>) but other distributions can be easily added. The actual …</p>
<p><em>Sven Vermeulen, Sat, 27 Nov 2010 17:59:00, /2010/11/helping-with-version-detection-rules-in-cvechecker/</em></p>

<h2>Delta processing in cvechecker</h2>
<p>The <a href="">cvechecker</a> application will support delta file processing as well as higher version matching with its next release.
The functionality is currently in version control and I still have to work out quite a few things before it can go live, but the functionality is there.</p> <p>Now why would these …</p>
<p><em>Sven Vermeulen, Tue, 02 Nov 2010 00:30:00, /2010/11/delta-processing-in-cvechecker/</em></p>

<h2>SELinux enforcing for console activity</h2>
<p>I'm now able to boot into my system with SELinux in enforcing mode (without unconfined domains), do standard system administration tasks as root / <code>sysadm_r</code> (including the relevant Portage activities) and work as a regular user as long as I don't want to run in Xorg. I'm not going to focus …</p>
<p><em>Sven Vermeulen, Sat, 30 Oct 2010 21:30:00, /2010/10/selinux-enforcing-for-console-activity/</em></p>

<h2>Risk identification</h2>
<p>Risk identification is a difficult subject. Analysts need it to defend mitigation strategies or to suggest investments. Yet risk identification is often a subjective method, especially in the IT industry. How do you put a number on a certain risk? When do you believe that that number exceeds a threshold …</p>
<p><em>Sven Vermeulen, Thu, 14 Oct 2010 20:18:00, /2010/10/risk-identification/</em></p>

<h2>cvechecker 1.0 released</h2>
<p>With only a few small bugfixes between this release and the previous one, <a href="">cvechecker 1.0</a> has finally been released. It runs fine on my few systems and I have not gotten any bugreports from other users anymore. It could definitely use more rules to identify installed software (those rules …</p>
<p><em>Sven Vermeulen, Fri, 01 Oct 2010 21:34:00, /2010/10/cvechecker-1-0-released/</em></p>

<h2>SELinux quicky</h2>
<p>I've been using SELinux for a few days now (in permissive mode, just to get to know things) and have learned a few interesting commands (or other nice-to-know's) for using SELinux.
Since I'm going to forget those the moment all is running well, I'll "document" them here ;-) I'm not going …</p>
<p><em>Sven Vermeulen, Tue, 14 Sep 2010 23:44:00, /2010/09/selinux-quicky/</em></p>

<h2>Switching to hardened</h2>
<p>Yesterday (and this night) I successfully converted my system to a <a href="">Gentoo Hardened</a> system. In my case, this currently means that <a href="">PaX</a> has been enabled and I am currently running the system (which is an x86_64 laptop) with <a href="">SELinux</a> in permissive mode (so it won't enforce the policies yet, but …</p>
<p><em>Sven Vermeulen, Sun, 12 Sep 2010 13:41:00, /2010/09/switching-to-hardened/</em></p>

<h2>prezi presentations</h2>
<p>While doing some research on current rich internet applications / web application platforms, I discovered an online presentation site/tool called <a href="">Prezi</a>. This online application allows you to make dynamic presentations differently from the standard presentation software like <a href="">'s Impress</a>. A nice example can be found <a href="">online</a> as well of …</p>
<p><em>Sven Vermeulen, Fri, 10 Sep 2010 10:40:00, /2010/09/prezi-presentations/</em></p>

<h2>cvechecker 0.6 released</h2>
<p>This release makes me quite happy, because it resolves one major PITA I had (performance), but you know how things go. If it works fine for the developer, it's probably an abomination for the rest of the world. Anyhow, <a href="">cvechecker</a> version 0.6 is now available. It improves reporting performance …</p>
<p><em>Sven Vermeulen, Wed, 08 Sep 2010 21:41:00, /2010/09/cvechecker-0-6-released/</em></p>

<h2>Linux Sea last content chapter</h2>
<p>The last chapter in <a href="">Linux Sea</a> focuses on <a href="">Using A Shell</a>. This seems to me like a nice last chapter, as it confronts the user with the exciting world of shell scripts.
I hope that the chapters in the book are sufficiently stuffed so that beginners (who are not afraid …</p>Sven VermeulenSat, 04 Sep 2010 22:42:00,2010-09-04:/2010/09/linux-sea-last-content-chapter/devops - how hard can it/it can be<p>Dieter made a good reference to <a href="">devops and the open source community</a> and (correctly) points out that, even in a more collaborative scene such as the free software communities', there is still distinction between development and operations. And it isn't hard to see commonalities between enterprise organizations and free software …</p>Sven VermeulenSat, 04 Sep 2010 09:17:00,2010-09-04:/2010/09/devops-how-hard-can-itit-can-be/Linux Sea: log file management and backups<p>I've added two more chapters to the <a href="">Linux Sea</a> book. The first one is about <a href="">Log file management</a>, the second one about <a href="">Taking Backups</a>. They're far from finished, but I thought that those two topics are important for day-to-day Gentoo usage and shouldn't be left out of the Linux Sea …</p>Sven VermeulenThu, 02 Sep 2010 14:31:00,2010-09-02:/2010/09/linux-sea-log-file-management-and-backups/cvechecker 0.5 released<p>A new intermediate release of <a href="">cvechecker</a> is now released. The tool is reported to build properly on NetBSD and FreeBSD as well (although much user experience there is still welcome), introduces a <strong>cvereport</strong> command (<a href="">example output</a>), has lowered its initial dependency requirements and <strong>pullcves</strong> now only loads the CVE XML …</p>Sven VermeulenThu, 02 Sep 2010 00:57:00,2010-09-02:/2010/09/cvechecker-0-5-released/qemu monitor cd change<p>I've been playing around with kvm (which uses qemu) to try out other operating systems and Linux distributions. Up until now, little progress on that part (not because it is difficult, just little time) but there are a few things worth mentioning. 
For this post, let's start with a quicky …</p>Sven VermeulenMon, 30 Aug 2010 21:38:00,2010-08-30:/2010/08/qemu-monitor-cd-change/Added "iw" support to Linux Sea<p>The wireless driver developers are actively working on a <a href="">new wireless toolset called "iw"</a>, slowly deprecating the older wireless-tools toolset (which contains the "iwconfig" command). Kasumi_Ninja reported to me in the <a href="">Gentoo Forums</a> that it would be nice to add information on iw to <a href="">Linux Sea</a>, so I did. I …</p>Sven VermeulenThu, 26 Aug 2010 01:42:00,2010-08-26:/2010/08/added-iw-support-to-linux-sea/cvechecker 0.4 released<p>Albeit with fewer updates than 0.3 had, <a href="">cvechecker 0.4</a> brings in internal project files reorganization (more to the liking of the GNU autoconf/automake standards - I think), fixes a database leak (instead of memory leak ;-) bug and introduces a teeny weeny bit more intelligent pullcves command (with multiple return code …</p>Sven VermeulenWed, 25 Aug 2010 23:55:00,2010-08-25:/2010/08/cvechecker-0-4-released/I remain impressed by the free software community<p>My current personal projects, <a href="">Linux Sea</a> and <a href="">cvechecker</a>, are actively being watched by the free software community. For the Linux Sea book, I get nice feedback and ideas on the <a href="">Gentoo Forums</a> and on the cvechecker application, people such as Nigel Horne are helping out in various ways - including <a href="">feature …</a></p>Sven VermeulenWed, 25 Aug 2010 00:42:00,2010-08-25:/2010/08/i-remain-impressed-by-the-free-software-community/cvechecker userguide<p>Just a quick note, I've created and uploaded the <a href="">cvechecker userguide</a>.</p>Sven VermeulenSun, 22 Aug 2010 17:37:00,2010-08-22:/2010/08/cvechecker-userguide/cvechecker 0.3 released<p>Time for a new intermediate <a href="">cvechecker</a> release, so here it is. 
Changes include (beyond the usual bugfixes) different CSV output (with some sort of version support) so that it can be easily used for reporting purposes, removal of debugging/verbose items and added example files for reporting.</p>Sven VermeulenFri, 20 Aug 2010 22:15:00,2010-08-20:/2010/08/cvechecker-0-3-released/cvechecker 0.2 released<p>I've made version 0.2 available of <a href="">cvechecker</a>. It fixes some build warnings and also supports the normal "make install" step. The <strong>pullcves</strong> command now also pulls in the latest <code>versions.dat</code> file. Special thanks to Per Andersson for reporting that the <code>./configure</code> didn't fail if sqlite3 or libconfig wasn't …</p>Sven VermeulenMon, 16 Aug 2010 21:35:00,2010-08-16:/2010/08/cvechecker-0-2-released/cvechecker 0.1 released<p>cvechecker <a href="">version 0.1</a> is out. This is the first publicly available development release, so it's still far from production-ready yet. However, it is usable so it can now be publicly analyzed to remove all icky bugs and such. I'm not planning (m)any new features (apart from the reporting …</p>Sven VermeulenSat, 14 Aug 2010 22:03:00,2010-08-14:/2010/08/cvechecker-0-1-released/HP webcam on Linux<p>Okay, getting the HP webcam running on Linux wasn't hard at all. Enable Video For Linux (CONFIG_VIDEO_DEV) which can be found in the Linux kernel configuration at Device Drivers, Multimedia Support. Then, select Video capture adapters and inside that menu, select V4L USB devices and then USB Video Class (UVC …</p>Sven VermeulenFri, 13 Aug 2010 18:18:00,2010-08-13:/2010/08/hp-webcam-on-linux/New laptop, time to play<p>I gave myself a nice treat and bought a new laptop. After some consideration, I decided to go with the HP Pavilion DV7 3150EB. Years ago, I didn't take an HP laptop as the reviews were not that satisfying. However, it looks as if that is past. 
So I first …</p>Sven VermeulenFri, 13 Aug 2010 01:33:00,2010-08-13:/2010/08/new-laptop-time-to-play/Linux Sea sources online, cvechecker still in development<p>First of all, I've put the sources for <a href="">Linux Sea</a> online at <a href="">GitHub</a>. Not only does that keep the latest changes from missing my backup before my laptop dies (it's terminal, but I can't let him go yet ;-) but it also allows people who want to help …</p>Sven VermeulenFri, 23 Jul 2010 20:59:00,2010-07-23:/2010/07/linux-sea-sources-online-cvechecker-still-in-development/cvechecker in development mode<p>A while ago I had the idea to create a simple tool that checks the CVE database against my current system. It would allow me to check if my system is somewhat up to date (no pending security vulnerabilities), but also to get an automated overview of the various software …</p>Sven VermeulenMon, 12 Jul 2010 20:31:00,2010-07-12:/2010/07/cvechecker-in-development-mode/OVAL, SCAP, CVE, CPE, ...<p>For a personal <abbr title="Proof Of Concept">POC</abbr> I wanted to see if it is possible to generate, based on the collection of CVE entries publicly available, a report informing a system administrator about possible vulnerabilities. 
Nothing fancy, just based upon versions.</p> <p>A simple example: tool detects Perl, acquires installed Perl version, then matches …</p>Sven VermeulenSat, 05 Jun 2010 15:13:00,2010-06-05:/2010/06/oval-scap-cve-cpe/Listing files of (not) installed software<p>Everyone that has been using Gentoo for a while now knows about tools such as <strong>qlist</strong> that show you the list of files installed by an (installed) package, or <strong>qfile</strong> that allows you to find which package provided a particular file on your system.</p> <p>One thing lacking is to be …</p>Sven VermeulenSat, 05 Jun 2010 10:54:00,2010-06-05:/2010/06/listing-files-of-not-installed-software/gentooGSE TWS BeLux 2010<p>Today, IBM generously hosted the <a href="">GSE TWS BeLux 2010 conference</a>. Although it was organized together with the GSE DB2 conference (which I would also have loved to attend) I must say I was pretty impressed with the topics given, especially those after the lunch.</p> <p>For me, personally, the topic on …</p>Sven VermeulenThu, 03 Jun 2010 23:21:00,2010-06-03:/2010/06/gse-tws-belux-2010/gseTWSQuestion yourself v3<p>Another update to <a href="">Quizzer</a>, now at version 3. But more importantly, updates to the <a href="">Linux Sea</a> related chapters are made available online - get a taste for it at the <a href="">online quizzer set</a>.</p> <p>Feedback is, as always, very much appreciated.</p>Sven VermeulenWed, 19 May 2010 22:11:00,2010-05-19:/2010/05/question-yourself-v3/Question yourself v2<p>A new version of the <a href="">Quizzer</a> webscript is available. 
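<p>The version-based matching sketched in the "OVAL, SCAP, CVE, CPE" post above (detect a product, read its installed version, compare it with the versions a CVE entry claims to affect), written out as an added example. This is not cvechecker's own code and not the NVD feed format; the CPE 2.3 strings, the <code>CVE-EXAMPLE-*</code> identifiers and the version ranges are constructed sample data, and the <code>start_incl</code>/<code>end_excl</code> style bounds are an assumption modelled on the way CPE match data expresses ranges.</p>

```python
"""Version-based CVE matching (added example, constructed data, not real CVEs)."""
import re
from typing import Iterable, Optional

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> list:
    """Split '5.10.1rc1' into comparable parts: digits as ints, letters as
    strings. Letter parts rank below digit parts, so once padded a
    pre-release such as 5.10.1rc1 sorts before the final 5.10.1."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in _TOKEN.findall(version)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a three-way compare."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))  # pad: '5.10' == '5.10.0', 'rc' < padding
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_cpe23(cpe: str) -> dict:
    """Parse a CPE 2.3 formatted string into named fields (no escape handling)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    names = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(names, fields[2:]))


def version_in_range(version: str, start_incl: Optional[str] = None,
                     start_excl: Optional[str] = None,
                     end_incl: Optional[str] = None,
                     end_excl: Optional[str] = None) -> bool:
    """True when version lies inside the (optionally open-ended) range."""
    if start_incl and compare_versions(version, start_incl) < 0:
        return False
    if start_excl and compare_versions(version, start_excl) <= 0:
        return False
    if end_incl and compare_versions(version, end_incl) > 0:
        return False
    if end_excl and compare_versions(version, end_excl) >= 0:
        return False
    return True


def cve_matches(entry: dict, installed_cpe: str) -> bool:
    """Product must match exactly; version either equals the entry's fixed
    version or, when the entry says '*', falls inside its range bounds."""
    want, have = parse_cpe23(entry["cpe"]), parse_cpe23(installed_cpe)
    for field in ("part", "vendor", "product"):
        if want[field] != "*" and want[field] != have[field]:
            return False
    if want["version"] not in ("*", "-"):
        return compare_versions(have["version"], want["version"]) == 0
    return version_in_range(have["version"], entry.get("start_incl"),
                            entry.get("start_excl"), entry.get("end_incl"),
                            entry.get("end_excl"))


def report(feed: Iterable[dict], inventory: Iterable[str]) -> dict:
    """Map each installed CPE to the sorted IDs of the entries that match it."""
    feed = list(feed)
    result = {}
    for cpe in inventory:
        hits = sorted(e["id"] for e in feed if cve_matches(e, cpe))
        if hits:
            result[cpe] = hits
    return result


# Constructed sample data: placeholder IDs and made-up ranges, not real advisories.
SAMPLE_FEED = [
    {"id": "CVE-EXAMPLE-0001", "cpe": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
     "start_incl": "5.8.0", "end_excl": "5.10.1"},
    {"id": "CVE-EXAMPLE-0002", "cpe": "cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*"},
    {"id": "CVE-EXAMPLE-0003", "cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
     "end_incl": "0.9.8"},
    {"id": "CVE-EXAMPLE-0004", "cpe": "cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*",
     "start_incl": "3.0", "end_excl": "4.0"},
]
SAMPLE_INVENTORY = [  # what a detection step would produce for one host
    "cpe:2.3:a:perl:perl:5.10.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:perl:perl:5.10.1rc1:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:4.1:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for cpe, ids in report(SAMPLE_FEED, SAMPLE_INVENTORY).items():
        print(cpe, "->", ", ".join(ids))
```

<p>The caveat a practitioner hits immediately is the one the post hints at with "just based upon versions": a bare version compare does not know that OpenSSL's <code>0.9.8k</code> is newer than <code>0.9.8</code> while Perl's <code>5.10.1rc1</code> is older than <code>5.10.1</code>, so a real checker needs per-product version rules (which is what cvechecker's rule files are for) and should treat an unknown installed version as "cannot decide" rather than "not affected".</p>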
The <a href="">demo</a> has also been updated with quick tests on the first few chapters of Linux Sea.</p> <p>More exercises on the following chapters will follow soon.</p> <p>Updates to the script include visual accept/reject of single-choice and multiple choice answers and …</p>Sven VermeulenTue, 11 May 2010 20:59:00,2010-05-11:/2010/05/question-yourself-v2/Question yourself<p>Do you ever write down things in the hope you never forget them, but still think it would be better if you could somehow take a test of that subject from time to time to make sure you don't forget?</p> <p>I do, and I found it quite difficult to keep …</p>Sven VermeulenSun, 02 May 2010 23:58:00,2010-05-02:/2010/05/question-yourself/SAI and N-O-SQL<p>Yesterday (argh, the day before yesterday) I went to a <a href="">SAI</a> conference on nosql. In Belgium, SAI is a non-profit organization for IT people which focuses on knowledge sharing.</p> <p>The conference that day was on nosql. The presentation given by <a href="">OuterThought</a> was very good and offered a nice introduction to …</p>Sven VermeulenThu, 22 Apr 2010 01:02:00,2010-04-22:/2010/04/sai-and-n-o-sql/Databasesenterprise architecturenosqlA dozen pages added<p>Just a quick heads-up that a dozen pages in the <a href="">Linux Sea</a> book have been added. Nothing spectacular, just a few more paragraphs on services/runlevels, a few updates on software management and on boot failure resolutions.</p>Sven VermeulenThu, 22 Apr 2010 00:53:00,2010-04-22:/2010/04/a-dozen-pages-added/License support in Gentoo<p>It's a bit sad that Gentoo didn't promote this more, but Gentoo users now have support for license-based masking.</p> <p>What does this mean? Well, previously, Gentoo already supported various masking reasons (like stable versus staging - the x86 versus \~x86 saga, package.mask'ing - for security reasons or critical bugs, ...). 
Now, a …</p>Sven VermeulenTue, 16 Feb 2010 00:10:00,2010-02-16:/2010/02/license-support-in-gentoo/Executing, but only when you're home<p>Sometimes you want to execute a particular command, but only when you're at home. Examples would be running fetchmail (or fetchnews) through cron, but you don't want this to run when you're in the train, connected to the Internet through GPRS...</p> <p>My idea here would be to create a script …</p>Sven VermeulenMon, 18 Jan 2010 23:48:00,2010-01-18:/2010/01/executing-but-only-when-youre-home/Switching to database architecture<p>It's finally committed: I'm going to dive into the realms of database architecture. It's with some sentiment that I'm leaving the expertise field of Apache, J(2)EE and WebSphere, but seeing the database architecture field makes up for it well. I'm starting to get acquainted with Oracle DB as first …</p>Sven VermeulenFri, 11 Dec 2009 00:34:00,2009-12-11:/2009/12/switching-to-database-architecture/Translations to "Linux Sea"<p>A few people have contacted me asking whether they were allowed to translate the online book I'm writing (<a href="">Linux Sea</a>). Of course they are, the license allows it. However, I recommend waiting a bit. At this moment, I'm not going to release the docbook sources (I'm not writing it in …</p>Sven VermeulenWed, 02 Dec 2009 17:38:00,2009-12-02:/2009/12/translations-to-linux-sea/Small updates on Linux Sea<p>A few updates have made it to the <a href="" title="Linux Sea (HTML)">Linux Sea</a> book:</p> <ul> <li>Information regarding ndiswrapper</li> <li>Some information about udev and the symlinks that it creates</li> </ul> <p>The <a href="" title="Linux Sea (PDF)">PDF</a> version has been updated as well.</p>Sven VermeulenMon, 19 Oct 2009 21:36:00,2009-10-19:/2009/10/small-updates-on-linux-sea/Online image gallery<p>If you're not up to the various free image gallery sites, you might want to try out <a href="">ZenPhoto</a>. Quite powerful, easy to use and well themeable. 
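<p>One way to build the "only when you're at home" gate from the "Executing, but only when you're home" post above, as an added example and not the post's own script. The assumption here (mine, not the post's) is that "home" means the default gateway has the IP address <em>and</em> the MAC address you recorded earlier; the script parses the text output of <code>ip route</code> and <code>ip neigh</code>, and the sample outputs, the <code>192.168.1.1</code> gateway and the <code>00:11:22:33:44:55</code> MAC are constructed placeholders.</p>

```python
"""Run a command only when the default gateway is a known (IP, MAC) pair.
Added example; sample outputs below are constructed, not captured."""
import re
import subprocess
from typing import Dict, List, Optional

# Neighbour states in which the kernel has actually resolved the address.
_RESOLVED = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


def default_gateway(route_output: str) -> Optional[str]:
    """Extract the gateway IP from the 'default via ...' line of `ip route`."""
    m = re.search(r"^default via (\S+)", route_output, re.MULTILINE)
    return m.group(1) if m else None


def neighbour_mac(neigh_output: str, ip: str) -> Optional[str]:
    """Return the MAC `ip neigh` holds for ip, or None when there is no
    resolved entry (FAILED/INCOMPLETE entries carry no usable lladdr)."""
    for line in neigh_output.splitlines():
        fields = line.split()
        if fields and fields[0] == ip and "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            if fields[-1] in _RESOLVED:
                return mac
    return None


def at_home(route_output: str, neigh_output: str,
            trusted_gateways: Dict[str, str]) -> bool:
    """True only when the default gateway's IP and MAC both match a record."""
    gw = default_gateway(route_output)
    if gw is None:
        return False  # no default route at all (e.g. offline)
    mac = neighbour_mac(neigh_output, gw)
    return mac is not None and trusted_gateways.get(gw) == mac


def run_if_home(cmd: List[str], trusted_gateways: Dict[str, str]) -> bool:
    """Cron entry point: returns True when cmd was run, False when skipped."""
    route = subprocess.run(["ip", "route"], capture_output=True,
                           text=True, check=True).stdout
    neigh = subprocess.run(["ip", "neigh"], capture_output=True,
                           text=True, check=True).stdout
    if not at_home(route, neigh, trusted_gateways):
        return False
    subprocess.run(cmd, check=True)
    return True


# Recorded once at home with `ip route` and `ip neigh` (placeholder values).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}

# Constructed sample outputs for the cases the post mentions.
ROUTE_HOME = ("default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
              "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23\n")
NEIGH_HOME = ("192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE\n"
              "192.168.1.42 dev wlan0 lladdr aa:bb:cc:dd:ee:ff STALE\n")
# Coffee shop reusing the same gateway IP, but a different router.
NEIGH_CAFE = "192.168.1.1 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE\n"
# Gateway not answering ARP yet: no lladdr, state FAILED.
NEIGH_FAILED = "192.168.1.1 dev wlan0 FAILED\n"
# On the train over GPRS: point-to-point link, different gateway, no neighbours.
ROUTE_TRAIN = "default via 10.64.0.1 dev ppp0 proto static metric 50\n"

if __name__ == "__main__":
    print("home:", at_home(ROUTE_HOME, NEIGH_HOME, TRUSTED))
    print("cafe:", at_home(ROUTE_HOME, NEIGH_CAFE, TRUSTED))
    print("train:", at_home(ROUTE_TRAIN, "", TRUSTED))
    # As a cron job: run_if_home(["fetchmail"], TRUSTED)
```

<p>Checking the gateway's MAC as well as its IP keeps the common case (another network that also hands out 192.168.1.x) from triggering the job, but both values are trivially spoofable by anyone on the same link, so this is a convenience gate to avoid burning a GPRS connection, not an authentication boundary: the command it launches still has to protect its own credentials (TLS for fetchmail and the like).</p>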
Requires PHP / MySQL.</p>Sven VermeulenMon, 05 Oct 2009 21:48:00,2009-10-05:/2009/10/online-image-gallery/Added quota information<p>I've added quota support information to the <a href="">Linux Sea</a> book as well as information about the eclean command for cleaning distfiles and packages. The part on building a Linux kernel has been moved into its own <a href="">chapter</a>, the chapter on <a href="">hardware support</a> now has a bit more information about dealing …</p>Sven VermeulenTue, 01 Sep 2009 23:19:00,2009-09-01:/2009/09/added-quota-information/Draft PDF for Linux Sea<p>I've added a draft <a href="">PDF</a> version of my Linux Sea document. If you don't mind the A4 paper size and the bad typesetting of the text boxes (I still have lots of overflows to correct) it is quite usable.</p>Sven VermeulenMon, 10 Aug 2009 22:27:00,2009-08-10:/2009/08/draft-pdf-for-linux-sea/Darwin Information Typing Architecture<p>Having documented a lot in LaTeX (back in the old days at the university), <a href="">GuideXML</a> (Gentoo's document markup language) and DocBook (<a href="">Linux Sea</a>) I'm now pointing my arrows at DITA, the <a href="">Darwin Information Typing Architecture</a>.</p> <p>DITA "forces" the technical writer into separating the content of his document into specialized subjects …</p>Sven VermeulenSat, 18 Apr 2009 09:59:00,2009-04-18:/2009/04/darwin-information-typing-architecture/Linux Sea is progressing slowly but surely<p>My everlasting document, <a href="">Linux Sea</a>, is progressing slowly but surely. I've started a few new chapters and also initiated a chapter on <a href="">Installing Gentoo</a> (which is more a shortlist of tasks with pointers to earlier chapters).</p> <p>I also took a different CSS (docbook.css file used by the FreeBSD handbook …</p>Sven VermeulenTue, 10 Feb 2009 23:33:00,2009-02-10:/2009/02/linux-sea-is-progressing-slowly-but-surely/Extremely simple task manager<p>At work, I am often busy with quite a few projects. 
Yet, at times, I have no outstanding tasks because all of my tasks can only start when an event has occurred (like a server which is made available, or a budget that is approved) or another task has finished …</p>Sven VermeulenThu, 18 Dec 2008 22:46:00,2008-12-18:/2008/12/extremely-simple-task-manager/hex2passwd, a password generator<p>I know that repeatable password generators are less secure than random character generators. After all, if you want a strong password, you can simply perform <strong>head -c 8 /dev/urandom | mimencode</strong> to obtain a nice, random password string.</p> <p>However, in certain cases you might want to generate passwords given a …</p>Sven VermeulenThu, 25 Sep 2008 19:34:00,2008-09-25:/2008/09/hex2passwd-a-password-generator/Adding exercises and resources<p>As stated earlier, I'm now focusing on the existing content of my (work-in-progress) ebook called Linux Sea (<a href="">PDF</a>, <a href="">HTML</a>). I'm going to add more text where appropriate, add exercises to each chapter as well as references to online resources.</p> <p>When that's finished, I'll probably be writing a chapter on installing …</p>Sven VermeulenMon, 15 Sep 2008 22:59:00,2008-09-15:/2008/09/adding-exercises-and-resources/Linux Sea - Updates on graphical environment chapter<p>I've updated the chapter on <a href="">graphical environments</a> a bit to reflect how applications, window managers, X server and widget toolkits work together. Hopefully it isn't a big lie that I wrote there ;-)</p> <p>I'll probably be doing a bit of clean ups the coming days before I start out with more …</p>Sven VermeulenThu, 21 Aug 2008 22:08:00,2008-08-21:/2008/08/linux-sea-updates-on-graphical-environment-chapter/Playing with gqview<p>Some time ago I received a digital camera; however, due to diskspace shortage I need to clean up my home directory. 
One of the directories that eats most of my sectors is one where I store all my pictures.</p> <p>I know I have a lot of duplicate pictures, pictures deduced …</p>Sven VermeulenMon, 18 Aug 2008 15:48:00,2008-08-18:/2008/08/playing-with-gqview/