cvechecker update

A while ago, I got the request to enhance cvechecker with support for providing a list of installed software (or software you want to watch over with cvechecker) even if cvechecker isn't able to detect that software on your system. I've implemented this and it is currently available in the …

more ...

File System Labels in Linux Sea

I have added some information on file system labels in Linux Sea (PDF). If you don't know what labels are (or UUIDs), here is a quick summary.

Most, if not all file systems, assign a universally unique identifier (UUID) which looks like a random hexadecimal string to each file system …

more ...

SELinux for Gentoo Hardened

Recently, most of the SELinux-related ebuilds from the hardened overlay have been moved to the official Portage tree. Hopefully, this will trigger more people / organizations to try Gentoo Hardened with SELinux and help us improve the ebuilds. They're still marked as \~arch (as they should be). The draft SELinux handbook …

more ...

"Gentoo in production?" Oh no, not again...

I think it is that time of the year again, where people get some crazy ideas. Again I discussed the what must be the gazillion-th time I've been asked "Do you think Gentoo is ripe for use in production?". Honestly, I always tell myself to ignore those discussions but I've …

more ...

Confining user applications

Ever since I started using SELinux, I'm getting more and more fond of what it can do for (security) administrators. Lately, I've started confining user applications (like skype) in the idea that I do not want any application connecting to the Internet or working with content received from untrusted sources …

more ...

Why I have backups

You often read stories about people who have data loss and did not keep any (recent) backups, and are now fully equipped with a state-of-the-art backup mechanism. So no - no such failure story here but an example why backups are important.

Yesterday I had a vicious RAID/LVM failure. Due …

more ...

cvechecker 2.0 released

Okay, enough play - time for a new release. Since cvechecker 1.0 was released, a few important changes have been made to the cvechecker tools:

  • You can now tell cvechecker to only check newly added files, or remove a set of files from its internal database. Previously, you had to …
more ...


Delta processing in cvechecker

The cvechecker application will support delta file processing as well as higher version matching with its next release. The functionality is currently in version control and I still have to work out quite a few things before they can go live, but the functionality is there.

Now why would these …

more ...

SELinux enforcing for console activity

I'm now able to boot into my system with SELinux in enforcing mode (without unconfined domains), do standard system administration tasks as root / sysadm_r (including the relevant Portage activities) and work as a regular user as long as I don't want to run in Xorg. I'm not going to focus …

more ...