Simplicity is a form of art...

SELinux Gentoo/Hardened state 2011-11-17
by Sven Vermeulen, post on Thu 17 November 2011

A small write-down on the Gentoo Hardened SELinux state-of-affairs, largely triggered because there was an online meeting for the Gentoo Hardened project today.

  • The SELinux policies offered in the sec-policy category are based on the latest refpolicy release. The older policies have been removed from the Portage tree. The patches …

Gentoo Security Benchmark with OVAL and Open-SCAP
by Sven Vermeulen, post on Wed 16 November 2011

A while ago, I got referred to the Open Vulnerability and Assessment Language, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can interpret it. Actually, it is a set of these …

Centers of Excellence
by Sven Vermeulen, post on Tue 25 October 2011

When dealing with software (I'll talk about software here, but the information is applicable to most technologies, such as appliances and operating systems) many organizations want to have "centers of excellence" with respect to the software. These teams are responsible for positioning the software within the organization, supporting the software …

SELinux' 2011/07 releases now stable
by Sven Vermeulen, post on Sun 23 October 2011

A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the Gentoo SELinux Handbook with the changes I presented on our gentoo-hardened mailing list. After some time, I'll remove the now …

Gentoo Hardened SELinux policies, rev 5
by Sven Vermeulen, post on Thu 13 October 2011

I've pushed out selinux-base-policy version 2.20110726-r5 to the hardened-dev overlay. It does not hold huge changes; most of them are rewrites or updates on pre-existing patches (on the SELinux policies) to make them conform to the refpolicy naming conventions and other guidelines. It includes preliminary support for the XDG Specification …

Upgrading GCC, revisited
by Sven Vermeulen, post on Thu 13 October 2011

Gentoo has long had a GCC Upgrading guide. A long time ago, upgrading GCC required quite a lot of side activities and was often considered a risky upgrade. But times change, and so do the GCC upgrade cycles. Improved compatibility as well as a better understood impact made GCC …

Mitigating risks, part 5 - application firewalls
by Sven Vermeulen, post on Wed 05 October 2011

The last isolation-related aspect on risk mitigation is called application firewalls. Like more "regular" firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don't. But unlike these regular firewalls, application firewalls work on higher-level protocols (like HTTP, FTP) that …

Quickly setup a Gentoo system
by Sven Vermeulen, post on Sat 24 September 2011

In order to verify if the installation instructions in the Gentoo Handbook are still valid, and to allow me to quickly seed new Gentoo installations in a virtual environment, I wrote a very ugly (really) script to automatically "stage" a Gentoo Linux installation in a KVM guest. This is not …

Power management guide updated
by Sven Vermeulen, post on Fri 23 September 2011

The Gentoo Power Management Guide is now updated. It is a full rewrite, focusing currently on two main toolsets: Laptop Mode Tools and cpufreqd. I was pleasantly surprised by the number of features that the laptop mode tools package provided.

Of course, this does not mean that the guide is …

Mitigating risks, part 4 - Mandatory Access Control
by Sven Vermeulen, post on Fri 23 September 2011

I've talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn't help there, and system hardening can only go so far. The additional countermeasures that …