Simplicity is a form of art...

Transforming GuideXML to wiki
by Sven Vermeulen, post on Tue 12 February 2013

The Gentoo project has its own official wiki for some time now, and we are going to use it more and more in the next few months. For instance, in the last Gentoo Hardened meeting, we already discussed that most user-oriented documentation should be put on the wiki, and I've …

Gentoo Hardened goes onward (aka project meeting)
by Sven Vermeulen, post on Thu 07 February 2013

It's been a while again, so time for another Gentoo Hardened online progress meeting.

Toolchain

GCC 4.8 is on development stage 4, so the hardened patches will be worked on next week. Some help on it is needed to test the patches on ARM, PPC and MIPS though. For …

Why would paid-for support be better?
by Sven Vermeulen, post on Mon 31 December 2012

Last Saturday evening, I sent an e-mail to a low-volume mailinglist regarding IMA problems that I'm facing. I wasn't expecting an answer very fast of course, being holidays, weekend and a low-volume mailinglist. But hey - it is the free software world, so I should expect some slack on this, right …

IMA and EVM on Gentoo, part 2
by Sven Vermeulen, post on Sat 29 December 2012

I have been playing with Linux IMA/EVM on a Gentoo Hardened (with SELinux) system for a while and have been documenting what I think is interesting/necessary for Gentoo Linux users when they want to use IMA/EVM as well. Note that the documentation of the Linux IMA/EVM …

Gentoo Hardened IMA support
by Sven Vermeulen, post on Thu 27 December 2012

Adventurous users, contributors and developers can enable the Integrity Measurement Architecture subsystem in the Linux kernel with appraisal (since Linux kernel 3.7). In an attempt to support IMA (and EVM and other technologies) properly, the System Integrity subproject within Gentoo Hardened was launched a few months ago. And now …

Switching policy types in Gentoo/SELinux
by Sven Vermeulen, post on Thu 20 December 2012

When you are running Gentoo with SELinux enabled, you will be running with a particular policy type, which you can devise from either /etc/selinux/config or from the output of the sestatus command. As a user on our IRC channel had some issues converting his strict-policy system to mcs …

Another hardened month has passed...
by Sven Vermeulen, post on Thu 13 December 2012

... so it's time for a new update ;-)

Toolchain

GCC 4.8 is still in its stage 3 development phase, so Zorry will send out the patches to the GCC development community when this phase is done. For Gentoo hardened itself, we now support all architectures except for IA64 (which never …

Using pam_selinux to switch contexts
by Sven Vermeulen, post on Mon 10 December 2012

With SELinux managing the access controls of applications towards the resources on the system, a not-to-be forgotten important component on any Unix/Linux system is the authentication part. Most systems use or support PAM, the Pluggable Authentication Modules, and for SELinux this plays an important role.

Applications that are PAM-enabled …

Using stunnel for mutual authentication
by Sven Vermeulen, post on Sat 08 December 2012

Sometimes services do not support SSL/TLS, or if they do, they do not support using mutual authentication (i.e. requesting that the client also provides a certificate which is trusted by the service). If that is a requirement in your architecture, you can use stunnel to provide this additional …

nginx as reverse SMTP proxy
by Sven Vermeulen, post on Thu 06 December 2012

I've noticed that not that many resources are online telling you how you can use nginx as a reverse SMTP proxy. Using a reverse SMTP proxy makes sense even if you have just one mail server back-end, either because you can easily switch towards another one, or because you want …