Archives for Simplicity is a form of art...

Working on infra strategy

cvechecker 3.9 released

Automating compliance checks

Documenting a rule

Structuring a configuration baseline

Documenting configuration changes

SELinux and extended permissions

SELinux Userspace 2.7

Authenticating with U2F

Using nVidia with SELinux

Switch to Gentoo sources

Project prioritization

Structuring infrastructural deployments

Matching MD5 SSH fingerprint

Switched to Lineage OS

cvechecker 3.8 released

Handling certificates in Gentoo Linux

cvechecker 3.7 released

I missed FOSDEM

SELinux System Administration, 2nd Edition

GnuPG: private key suddenly missing?

We do not ship SELinux sandbox

Mounting QEMU images

Comparing Hadoop with mainframe

Template was specified incorrectly

Using salt-ssh with agent forwarding

Trying out imapsync

New cvechecker release

Switching focus at work

Getting su to work in init scripts

Custom CIL SELinux policies in Gentoo

Using multiple OpenSSH daemons

Maintaining packages and backporting

Doing away with interfaces

Slowly converting from GuideXML to HTML

Making the case for multi-instance support

Switching OpenSSH to ed25519 keys

Updates on my Pelican adventure

Finding a good compression utility

Why we do confine Firefox

Can SELinux substitute DAC?

Filtering network access per application

My application base: Obnam

Don't confuse SELinux with its policy

Switching to Pelican

Loading CIL modules directly

Restricting even root access to a folder

Intermediate policies

Where does CIL play in the SELinux system?

Live SELinux userspace ebuilds

PostgreSQL with central authentication and authorization

Testing with permissive domains

Audit buffering and rate limiting

Use change management when you are using SELinux to its fullest

Moving closer to 2.4 stabilization

Trying out Pelican, part one

CIL and attributes

Have dhcpcd wait before backgrounding

Old Gentoo system? Not a problem...

SELinux is great for enterprises (but many don't know it yet)

Gentoo Wiki is growing

Why does it access /etc/shadow?

Added UEFI instructions to AMD64/x86 handbooks

Handbooks moved

Gentoo Handbooks almost moved to wiki

Sometimes I forget how important communication is

No more DEPENDs for SELinux policy package dependencies

Using multiple priorities with modules

Migrating to SELinux userspace 2.4 (small warning for users)

Lots of new challenges ahead

After SELinux System Administration, now the SELinux Cookbook

Showing return code in PS1

Gentoo Hardened august meeting

Switching to new laptop

Some changes under the hood

Gentoo Hardened July meeting

Segmentation fault when emerging packages after libpcre upgrade?

Multilib in Gentoo

D-Bus and SELinux

D-Bus, quick recap

Chroots for SELinux enabled applications

Gentoo Hardened, June 2014

Visualizing constraints

Revamped our SELinux documentation

Dropping sesandbox support

Stepping through the build process with ebuild

If things are weird, check for policy.29

What is that net-pf-## thingie?

Proof of concept for USE enabled policies

Decoding the hex-coded path information in AVC denials

Managing Inter-Process Communication (IPC)

Querying SELinux policy for boolean information

Online hardened meeting of March

Fixing the busybox build failure

Talk about SELinux on GSE Linux/Security

Create your own SELinux Gentoo profile

Hidden symbols and dynamic linking

Closing week? No, starting week...

Switching context depending on user code-wise

Can Gentoo play a role in a RHEL-only environment?

Linux protip: environment for a process

How does foo_t get this privilege?

Oh it is cron again...

Private key handling and SELinux protection

Limiting file access with SELinux alone?

Upgrading old Gentoo installations

Giving weights to compliance rules

Doing a content check with OVAL

What is OVAL?

December hardened meeting

Remediation through SCAP

GPT or MBR in the Gentoo Handbook

Running a bit with the XCCDF document

Updated Linux Sea, now with viewport thingie

XCCDF - Documenting a bit more than just descriptions

An XCCDF skeleton for PostgreSQL

Documenting security best practices - XCCDF introduction

Gentoo SELinux policy release script

November online hardened meeting

Majority of GDP documents moved to Gentoo wiki

New SELinux userspace release

The mix of libffi with other changes

Gentoo Hardened meeting 201310

In-browser encryption for online password management

A bug please...

It has finally arrived: SELinux System Administration

Aaaand we're back - hardened monthly meeting

Underestimated or underused: Portage (e)logging

Creating a poor man central SCAP system

Switching gpg key to 0x2EDD52403B68AF47

cvechecker 3.3 released

Gentoo Hardened progress report

Umounting IPv6 NFS(v4) mounts

Why our policies don't like emerge --config

Network routing based on SELinux?

Using CUSTOM_BUILDOPT in refpolicy for USE flag-alike functionality?

Today was a productive day

Some things sound more scary than they are

And now, 31 days later...

Putting OVAL at work

Moving Gentoo docs to the wiki

Rebuilding SELinux contexts with sefcontext_compile

Adding mcstrans to Gentoo

Hardening is our business... new monthly report ;-)

My application base: graphviz

My application base: LibreOffice

My application base: firefox

My application base: bash and kiss tools

My application base: geekie

My application base: freemind

My application base:

Using extended attributes for custom information

Hacking java bytecode with dhex

A SELinux policy for incron: finishing up

A SELinux policy for incron: using booleans

A SELinux policy for incron: marking types eligible for watching

A SELinux policy for incron: default set

A SELinux policy for incron: the incrond daemon

A SELinux policy for incron: new types and transitions

A SELinux policy for incron: basic set for incrontab

A SELinux policy for incron: our first interface

A SELinux policy for incron: the basic skeleton

A SELinux policy for incron: what does it do?

Why oh why does a process run in unlabeled_t?

A simple IPv6 setup

The weird "audit_access" permission

Commandline SELinux policy helper functions

Looking at the local Linux kernel privilege escalation

Gentoo Hardened spring notes

Public support channels: irc

Overriding the default SELinux policies

Highlevel assessment of Cdorked and Gentoo Hardened/SELinux
Peer labeling in SELinux policy

SELinux policy and network controls

Gentoo metadata support for CPE

Enabling Kernel Samepage Merging (KSM)

The Linux ".d" approach

Added "predictable network interface" info into the handbook

Overview of Linux capabilities, part 3

Overview of Linux capabilities, part 2

Overview of Linux capabilities, part 1

Restricting and granting capabilities

Capabilities, a short intro

SELinux mount options

Qemu-KVM monitor tips and tricks

photorec to the rescue

Securely handling libffi

How logins get their SELinux user context

New SELinux userspace release

Gentoo protip: using buildpkgonly

Using strace to troubleshoot SELinux problems

SLOT'ing the old swig-1

Mitigating DDoS attacks

Introducing selocal for small SELinux policy enhancements

Transforming GuideXML to DocBook

Comparing performance with sysbench: performance analysis

Comparing performance with sysbench: memory, threads and mutexes

Another Gentoo Hardened month has passed

Comparing performance with sysbench: cpu and fileio

Simple drawing for I/O positioning

What could SELinux have done to mitigate the postgresql vulnerability?

Integrity checking with AIDE

Not needing run_init for password-less service management

How far reaching vulnerabilities can go

Separate puppet provider for Gentoo/SELinux?

Matching packages with CVEs

Linux Sea and ePub update

Fiddling with puppet apply

SELinux tutorial series, update

SELinux tutorial series

Gentoo Hardened progress meeting of march 2013

Uploading selinuxnode test VM

Working on a new selinuxnode VM

Transforming GuideXML to wiki

Gentoo Hardened goes onward (aka project meeting)

Why would paid-for support be better?

IMA and EVM on Gentoo, part 2

Gentoo Hardened IMA support

Switching policy types in Gentoo/SELinux

Another hardened month has passed...

Using pam_selinux to switch contexts

Using stunnel for mutual authentication

nginx as reverse SMTP proxy

Why you need the real_* thing with genkernel

The hardened project continues going forward...

Local policy management script

Gentoo Hardened progress meeting

git patch apply

Perimeter security testing

Gentoo Hardened in August

Lots of work on supporting swig-2

Adding roles to the Gentoo Hardened SELinux policy

Kickstarting the Integrity subproject

Gentoo Hardened on the move

Dynamic transitions in SELinux

Hardening the Linux kernel updates

Hardening the Linux kernel

Hardening OpenSSH

Updated Gentoo Hardened/SELinux VM image

Gentoo Hardened/SELinux VM image

Gentoo Summer of Documentation - Let's do it!

Had to edit /etc/init.d/root

Overview of SELinux changes

Python 3 support for SELinux userland, tests and policy rev 10

Catching up, but stuff is piling...

Keeping /selinux

20120215 policies now stable

Linux Sea now in ePub

Why both chroot and SELinux?

Chrooted BIND for IPv6 with SELinux

Documentation updates for initramfs needed?

Get your devtmpfs ready

More on initramfs and SELinux

Hunting fuser

Introducing 2.20120215 policies

Transitioning to MCS policies

This months' stabilization done, more to come

Trying out initramfs with selinux and grsec

Unix domain sockets are files

Gentoo WiKi & Knowledge Base

Supporting fix scripts for XCCDF content and maintaining the documents

SELinux Gentoo/Hardened state 2011-12-19

Supporting CC-BY-SA 3.0

SELinux Gentoo/Hardened state 2011-11-17

Gentoo Security Benchmark with OVAL and Open-SCAP

Centers of Excellence

SELinux' 2011/07 releases now stable

Gentoo Hardened SELinux policies, rev 5

Upgrading GCC, revisited

Mitigating risks, part 5 - application firewalls

Quickly setup a Gentoo system

Power management guide updated

Mitigating risks, part 4 - Mandatory Access Control

Catching up

Mitigating risks, part 3 - hardening

Mitigating risks, part 2 - service isolation

Mitigating risks, part 1

Now using refpolicy 2.20110726

Use parted for large partitions

Easy documentation updates thanks to the many contributions

Ready, set, commit!

checksec kernel security

emerge-webrsync and gpg verification

Preliminary SELinux MCS support in Gentoo Hardened

High level explanation on some binary executable security

Some people on #selinux are ... dolphins

On the new SELinux profiles

Gentoo Hardened SELinux state

What's next after stabilization?

Policy 25, 26

SELinux file contexts

SELinux Gentoo profile updates

SELinux User-Based Access Control

SELinux and noatsecure, or why portage complains about LD_PRELOAD and

cvechecker 3.0

cvechecker updates

Restoring configuration files on Gentoo

Updates on SELinux docs, added FAQ

Portage fails to build due to SELinux?

Updates on the Gentoo Hardened SELinux state

Temporary script for Gentoo Hardened SELinux users

About time...

cvechecker update

File System Labels in Linux Sea

SELinux for Gentoo Hardened

"Gentoo in production?" Oh no, not again...

Confining user applications

Why I have backups

cvechecker 2.0 released

Helping with version detection rules in cvechecker

Delta processing in cvechecker

SELinux enforcing for console activity

Risk identification

cvechecker 1.0 released

SELinux quicky

Switching to hardened

prezi presentations

cvechecker 0.6 released

Linux Sea last content chapter

devops - how hard can it/it can be

Linux Sea: log file management and backups

cvechecker 0.5 released

qemu monitor cd change

Added "iw" support to Linux Sea

cvechecker 0.4 released

I remain impressed by the free software community

cvechecker userguide

cvechecker 0.3 released

cvechecker 0.2 released

cvechecker 0.1 released

HP webcam on Linux

New laptop, time to play

Linux Sea sources online, cvechecker still in development

cvechecker in development mode
Listing files of (not) installed software

GSE TWS BeLux 2010

Question yourself v3

Question yourself v2

Question yourself
A dozen pages added

License support in Gentoo

Executing, but only when you're home

Switching to database architecture

Translations to "Linux Sea"

Small updates on Linux Sea

Online image gallery

Added quota information

Draft PDF for Linux Sea

Darwin Information Typing Architecture

Linux Sea is progressing slowly but surely

Extremely simple task manager

hex2passwd, a password generator

Adding exercises and resources

Linux Sea - Updates on graphical environment chapter

Playing with gqview