Simplicity is a form of art...

Limiting file access with SELinux alone?
by Sven Vermeulen, post on Tue 31 December 2013

While writing a small script to handle simple certificate authority activities using OpenSSL, I considered how to properly protect the files that OpenSSL uses for these activities. As you are probably aware, a system that hosts the necessary files for CA activities (like signing certificate requests) should be very secure …

Upgrading old Gentoo installations
by Sven Vermeulen, post on Sun 29 December 2013

Today I got "pinged" on bug #463240 about the difficulty of upgrading a Gentoo Linux deployment after a long time of inactivity on the system. We already have an Upgrading Gentoo article on the Gentoo wiki that describes in great detail how upgrades can be accomplished. But one of the …

Giving weights to compliance rules
by Sven Vermeulen, post on Thu 26 December 2013

Now that we wrote up a few OVAL statements and used those instead of SCE-driven checks (where possible), let's finish up and go back to the XCCDF document and see how we can put weights in place.

The CVE (Common Vulnerability Exposure) standard allows for vulnerabilities to be given …

Doing a content check with OVAL
by Sven Vermeulen, post on Tue 24 December 2013

Let's create an OVAL check to see if /etc/inittab's single user definitions only refer to /sbin/sulogin or /sbin/rc single. First, the skeleton:

(XML content lost during blog conversion)

The first thing we notice is that there are several namespaces defined within OVAL. These namespaces refer to …

What is OVAL?
by Sven Vermeulen, post on Sun 22 December 2013

Time to discuss OVAL (Open Vulnerability Assessment Language). In all the previous posts I focused the checking of rules (does the system comply with the given rule) on scripts, through the Script Check Engine supported by openscap. The advantage of SCE is that most people can quickly provide automated checks …

December hardened meeting
by Sven Vermeulen, post on Fri 20 December 2013

Yesterday evening (UTC, that is) the members of the Gentoo Hardened project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.

Toolchain

A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.

And …

Remediation through SCAP
by Sven Vermeulen, post on Fri 20 December 2013

I promised in my previous post to give some information about remediation.

Remediation is the process where you fix a system to become compliant again after finding out there is a violation on the system. The easiest form of remediation of course is to just notify the administrator and give …

GPT or MBR in the Gentoo Handbook
by Sven Vermeulen, post on Wed 18 December 2013

I just committed a set of changes against the Gentoo Handbook (x86 and amd64) with the intent to have better instructions on GPT (GUID Partition Table) layout versus MBR (Master Boot Record) or MSDOS-style layout.

The part on "Preparing the Disks" saw the most changes. It starts with explaining the …

Running a bit with the XCCDF document
by Sven Vermeulen, post on Wed 18 December 2013

In my previous post I introduced automated checking of rules through SCE (Script Check Engine). Let's focus a bit more now on running with an XCCDF document: how to automatically check the system, read the results and find more information about those results.

To provide a usable example, you can …

Updated Linux Sea, now with viewport thingie
by Sven Vermeulen, post on Mon 16 December 2013

I just pushed out an update to Linux Sea (an online resource to introduce you to Linux, using Gentoo Linux as an example), including its PDF and ePub versions. The changes are pretty small (see its ChangeLog).

Together with the update, it now also includes a <meta name="viewport"...> so …