Simplicity is a form of art...

Gentoo Hardened on the move
by Sven Vermeulen, post on Thu 26 July 2012

Gentoo Hardened is thriving and going forward. For those that don't exactly know what Gentoo Hardened is - it is a Gentoo project dedicated to bringing Gentoo into a shape ready for highly secure, high stability production server environments. This is what we live by, and why we do what we …

Dynamic transitions in SELinux
by Sven Vermeulen, post on Sun 22 July 2012

In between talks on heap spraying techniques and visualization of data for fast analysis, I'm working on integrating the chromium SELinux policy that was offered in bug #412637 within Gentoo Hardened. If you take a look at the bug, you notice I'm not really fond of the policy because …

Hardening the Linux kernel updates
by Sven Vermeulen, post on Sat 21 July 2012

Thanks to a comment by Andy, the guide now has information about additional settings: stackprotector, read-only data, restrict access to /dev/mem, disable /proc/kcore and restrict kernel syslog (dmesg). One suggestion he made didn't make it to the guide (about CONFIG_DEBUG_STACKOVERFLOW) since I can't find any resources …

Hardening the Linux kernel
by Sven Vermeulen, post on Fri 20 July 2012

I have moved out the kernel configuration settings (and sysctl stuff) from the Hardening Gentoo Linux benchmark into its own Hardening the Linux kernel guide. It covers some common hardening-related kernel configuration entries (although I'm sure I'm missing a lot of them still) as well as grSecurity and PaX settings …

Hardening OpenSSH
by Sven Vermeulen, post on Wed 18 July 2012

A while ago I wrote about a Gentoo Security Benchmark which would talk about hardening a Gentoo Linux installation. Within that document, I was documenting how to harden specific services as well. However, I recently changed my mind and wanted to move the hardening stuff for the services in separate …

Updated Gentoo Hardened/SELinux VM image
by Sven Vermeulen, post on Mon 16 July 2012

I have updated the Gentoo Hardened/SELinux VM image, available on the mirrors under experimental/amd64/qemu-selinux.

The new image now asks for the keyboard layout, has a short DHCP timeout value (5 seconds) and provides the nano editor. If you plan on running the image using qemu, please use …

Gentoo Hardened/SELinux VM image
by Sven Vermeulen, post on Tue 10 July 2012

A few weeks ago, I pushed out a VM image (Qemu QCOW2 format) to the /experimental/amd64/qemu-selinux/ location in our mirrors. This VM image (which is about 1.6 GiB large decompressed) provides a SELinux-enabled, Gentoo Hardened (with PaX and other grSecurity security settings) base installation. Thanks to the …

Gentoo Summer of Documentation - Let's do it!
by Sven Vermeulen, post on Fri 29 June 2012

The Gentoo Wiki folks have started a great idea (and immediately set a nice milestone), namely the Gentoo Wiki Summer of Documentation. By September, they want to double the amount of articles on the wiki.

I'll surely help out and participate where I can, and perhaps we can even go …

Had to edit /etc/init.d/root
by Sven Vermeulen, post on Sun 24 June 2012

For some reason, I had to edit my /etc/init.d/root file to use "mount /dev/root -n -o remount,rw /" instead of the standard "mount -n -o remount,rw /". Without this, it failed to remount the root file system in a read-write mode, which is of course not …

Overview of SELinux changes
by Sven Vermeulen, post on Sun 24 June 2012

Most users of Gentoo hardly take a look at the (installation) documentation when their installation has finished. After all, being a rolling distribution, there is little need to take a look at the instructions again. And for most Gentoo users, changes that are needed to be reviewed by existing users …