Remediation through SCAP
by Sven Vermeulen, post on Fri 20 December 2013I promised in my previous post to give some information about remediation.
Remediation is the process where you fix a system to become compliant again after finding out there is a violation on the system. The easiest form of remediation of course is to just notify the administrator and give …
Running a bit with the XCCDF document
by Sven Vermeulen, post on Wed 18 December 2013In my previous post I introduced automated checking of rules through SCE (Script Check Engine). Let's focus a bit more now on running with an XCCDF document: how to automatically check the system, read the results and find more information of those results.
To provide a usable example, you can …
XCCDF - Documenting a bit more than just descriptions
by Sven Vermeulen, post on Mon 16 December 2013In my previous
post I
made a skeleton XCCDF document. By now, we can create a well documented
"baseline" (best practice) for our subject (say PostgreSQL). But for now
I only talked about <description>
whereas XCCDF allows many other tags
as well.
You can add metadata information for a particular …
An XCCDF skeleton for PostgreSQL
by Sven Vermeulen, post on Sat 14 December 2013In a previous post I wrote about the documentation structure I have in mind for a PostgreSQL security best practice. Considering what XCCDF can give us, the idea is to have the following structure:
Hardening PostgreSQL
+- Basic setup
+- Instance level configuration
| +- Pre-startup configuration
| `- PostgreSQL internal configuration
+- Database recommendations
`- User definitions …
Documenting security best practices - XCCDF introduction
by Sven Vermeulen, post on Thu 12 December 2013When I have some free time, I try to work on a Gentoo Security Benchmark which not only documents security best practices (loosely based on the Gentoo Security Handbook which hasn't seen much updates in the last few years) but also uses the SCAP protocols. This set of protocols allows …
The mix of libffi with other changes
by Sven Vermeulen, post on Sun 03 November 2013I once again came across libffi. Not only does the libffi approach fight with SELinux alone, it also triggers the TPE (Trusted Path Execution) protections in grSecurity. And when I tried to reinstall Portage, Portage seemed to create some sort of runtime environment in a temporary directory as well, and …
In-browser encryption for online password management
by Sven Vermeulen, post on Sun 20 October 2013Lately I've been trying to find a good free software project that uses PHP or cgi-bin (one of the requirements for this particular organization) that allows its users to store passwords centrally, but uses encryption on the browser level before the passwords are sent to the central server. I've found …
Switching gpg key to 0x2EDD52403B68AF47
by Sven Vermeulen, post on Thu 19 September 2013I recently switched my GnuPG key. The previous key - which is still in place for now (no revocation send out yet) - was 0x5DFAB3ECCDBA2FDB and was a 1024 bit DSA key. The new one, 0x2EDD52403B68AF47, is a 4096 bit RSA key. It also has the following preferences:
gpg> showpref
[ultimate] (1 …
cvechecker 3.3 released
by Sven Vermeulen, post on Mon 16 September 2013I just uploaded a new release of cvechecker
to the project files. The release is a (long overdue) bugfix release,
but includes two small enhancements: support standard input for the
binary list (so you can pipe the output of one command to cvechecker)
and the introduction of the CVECHECKER_CONFFILE
variable …
Putting OVAL at work
by Sven Vermeulen, post on Thu 01 August 2013When we look at the SCAP security standards, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.
This is correct, but you need to remember that the standards are protocols, agreements that can be made …