Simplicity is a form of art...

Mitigating risks, part 2 - service isolation
by Sven Vermeulen, post on Fri 09 September 2011

Internet: absolute communication, absolute isolation
\~Paul Carvel

The quote might be ripped out of its context completely, since it wasn't made when talking about risks and the assurance you might need to get in order to reduce risks. But it does give a nice introduction to the second part of …

Mitigating risks, part 1
by Sven Vermeulen, post on Mon 05 September 2011

We are running Foobar 2.0 on Tomcat 4. We know that Tomcat 4 isn't supported, but hey - our (internal) customer is happy that the Foobar application works and would like to keep it that way. Upgrading to Tomcat 5 or higher is not possible - Foobar 2.0 only works …

checksec kernel security
by Sven Vermeulen, post on Sun 24 July 2011

I have blogged about checksec.sh earlier before. Jono, one of the #gentoo-hardened IRC-members, kindly pointed me to its --kernel option. So I feel obliged to give its options a stab as well. So, here goes the next batch of OPE-style (One Paragraph Explanations).

~# checksec.sh --kernel
* Kernel protection information …

High level explanation on some binary executable security
by Sven Vermeulen, post on Fri 15 July 2011

One very important functionality offered by Gentoo Hardened is a specific toolchain (compiler, libraries and more) that contains patches to make the built binaries a bit more protected from certain vulnerabilities. Explaining all those in detail is too much for a simple blog post like this, but some time ago …

cvechecker 3.0
by Sven Vermeulen, post on Tue 12 April 2011

I'm pleased to announce the immediate availability of cvechecker 3.0. It contains two major feature enhancements: watchlists and MySQL support.

watchlists allow cvechecker to track and report on CVEs for software that cvechecker didn't detect on the system (or perhaps even isn't installed on the system). You can use …

cvechecker updates
by Sven Vermeulen, post on Sun 27 March 2011

The in-svn version of cvechecker has seen quite a few changes in the last few days. I'm adding support for MySQL to it. This support will be added in three steps:

  1. support the same features as cvechecker currently does using sqlite
  2. streamline the database code so that duplicate code in …

cvechecker update
by Sven Vermeulen, post on Sat 19 February 2011

A while ago, I got the request to enhance cvechecker with support for providing a list of installed software (or software you want to watch over with cvechecker) even if cvechecker isn't able to detect that software on your system. I've implemented this and it is currently available in the …

cvechecker 2.0 released
by Sven Vermeulen, post on Wed 01 December 2010

Okay, enough play - time for a new release. Since cvechecker 1.0 was released, a few important changes have been made to the cvechecker tools:

  • You can now tell cvechecker to only check newly added files, or remove a set of files from its internal database. Previously, you had to …

Helping with version detection rules in cvechecker
by Sven Vermeulen, post on Sat 27 November 2010

The new development snapshot, available from the cvechecker project site, contains a helper script that returns potential version detection rules for your system if the current cvechecker database doesn't detect your software. The script is currently available for Gentoo (called cverules_gentoo) but other distributions can be easily added. The actual …

Delta processing in cvechecker
by Sven Vermeulen, post on Tue 02 November 2010

The cvechecker application will support delta file processing as well as higher version matching with its next release. The functionality is currently in version control and I still have to work out quite a few things before they can go live, but the functionality is there.

Now why would these …