Supporting fix scripts for XCCDF content and maintaining the documents
by Sven Vermeulen, post on Fri 23 December 2011One of the features supported through OVAL (and Open-SCAP) is to generate fix scripts when a test has failed. The administrator can then verify this script (of course) and then execute it to correct wrong settings. So I decided to play around with this as well and enhanced the Gentoo …
SELinux Gentoo/Hardened state 2011-12-19
by Sven Vermeulen, post on Mon 19 December 2011On december 14th, the Gentoo Hardened project had its monthly online meeting to discuss the current state of affairs of its projects and subprojects. Amongst them, the updates on the SELinux-front were presented as well.
Since last meeting, the follow topics passed the revue.
- sec-policy/selinux-base-policy, which is the "master …
Supporting CC-BY-SA 3.0
by Sven Vermeulen, post on Tue 29 November 2011Until now, documents on the Gentoo website all had to be licensed under the Creative Commons Attribution/Share Alike license, version 2.5. Why? Because at the time of the license choice, that was probably the latest version at hand. In the XML code itself, the license tagging was done …
SELinux Gentoo/Hardened state 2011-11-17
by Sven Vermeulen, post on Thu 17 November 2011A small write-down on the Gentoo Hardened SELinux state-of-affairs, largely triggered because there was an online meeting for the Gentoo Hardened project today.
- The SELinux policies offered in the
sec-policycategory are based on the latest refpolicy release. The older policies have been removed from the Portage tree. The patches …
Gentoo Security Benchmark with OVAL and Open-SCAP
by Sven Vermeulen, post on Wed 16 November 2011A while ago, I got referred to the Open Vulnerability and Assessment Language, which seems to be an open specification (or even standard) for defining security content/information and being able to document such things in a way that tools can interpret it. Actually, it is a set of these …
Centers of Excellence
by Sven Vermeulen, post on Tue 25 October 2011When dealing with software (I'll talk about software here, but the information is applicable to most technologies, such as appliances and operating systems) many organizations want to have "centers of excellence" with respect to the software. These teams are responsible for positioning the software within the organization, supporting the software …
SELinux' 2011/07 releases now stable
by Sven Vermeulen, post on Sun 23 October 2011A few minutes ago, I stabilized both the 2.20110726 policies as well as the SELinux userspace utilities that were stable (upstream) on 20110727. With the change, I also updated the Gentoo SELinux Handbook with the changes I presented on our gentoo-hardened mailinglist. After some time, I'll remove the now …
Gentoo Hardened SELinux policies, rev 5
by Sven Vermeulen, post on Thu 13 October 2011I've pushed out selinux-base-policy version 2.20110726-r5 to the
hardened-dev
overlay. It does not hold huge changes, most of them are rewrites or
updates on pre-existing patches (on the SELinux policies) to make them
conform the refpolicy naming conventions and other guidelines. It
includes preliminary support for the XDG
Specification …
Upgrading GCC, revisited
by Sven Vermeulen, post on Thu 13 October 2011Gentoo has, since long, had a GCC Upgrading guide. A long time ago, upgrading GCC required quite a lot of side activities and was often considered a risky upgrade. But times change, and so do the GCC upgrade cycles. Improved compatibility as well as a better understood impact made GCC …
Mitigating risks, part 5 - application firewalls
by Sven Vermeulen, post on Wed 05 October 2011The last isolation-related aspect on risk mitigation is called application firewalls. Like more "regular" firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don't. But unlike these regular firewalls, application firewalls work on higher-level protocols (like HTTP, FTP) that …