Catching up
by Sven Vermeulen, post on Sun 18 September 2011As mentioned on the gentoo-doc mailinglist, all documentation bugs (that we know of) related to openrc have been fixed. It was already a week like so, but the last dependency on our "tracker" bug was an open one (asking if more needs to be done or not) from which we …
Mitigating risks, part 3 - hardening
by Sven Vermeulen, post on Tue 13 September 2011While I'm writing this post, my neighbor is shouting. He's shouting so hard, that I was almost writing with CAPS on to make sure you could read me. But don't worry, he's not fighting - it is how he expresses his (positive) feelings about his religion.
Security is, for some, also …
Mitigating risks, part 2 - service isolation
by Sven Vermeulen, post on Fri 09 September 2011Internet: absolute communication, absolute isolation
\~Paul Carvel
The quote might be ripped out of its context completely, since it wasn't made when talking about risks and the assurance you might need to get in order to reduce risks. But it does give a nice introduction to the second part of …
Mitigating risks, part 1
by Sven Vermeulen, post on Mon 05 September 2011We are running Foobar 2.0 on Tomcat 4. We know that Tomcat 4 isn't supported, but hey - our (internal) customer is happy that the Foobar application works and would like to keep it that way. Upgrading to Tomcat 5 or higher is not possible - Foobar 2.0 only works …
Now using refpolicy 2.20110726
by Sven Vermeulen, post on Sun 04 September 2011A few days ago, I committed the SELinux policy modules that are based on
the 2.20110726 set released upstream. For those that are using Gentoo
Hardened with SELinux, you'll find them if you use the \~arch set for
the sec-policy category.
When I talk about upstream, it usually is …
Use parted for large partitions
by Sven Vermeulen, post on Wed 24 August 2011A few bugs that were sitting in Gentoo's bugzilla for the documentation were related to large partitions (2 TB and higher). Previously, this wasn't as much as an issue since the number of users that have 2+ TB partitions are fairly slim. But of course time flies, hardware becomes cheaper …
Easy documentation updates thanks to the many contributions
by Sven Vermeulen, post on Mon 22 August 2011As mentioned previously, I took a stab at the Gentoo Guide to OpenLDAP Authentication, updating its configuration settings as well as give an introduction to its replication mechanism. Although I am no OpenLDAP guru at all, I set up a similar architecture for testing some SELinux policy changes. This test …
Ready, set, commit!
by Sven Vermeulen, post on Fri 12 August 2011Yesterday, I have entered the realms of Gentoo Development again. But as it was getting late then, I had to wait before the first commits happened. So this evening, things were done. The first couple of documentation bugs (mostly related to OpenRC) have been committed to the Gentoo CVS repository …
checksec kernel security
by Sven Vermeulen, post on Sun 24 July 2011I have
blogged
about checksec.sh earlier
before. Jono, one of the #gentoo-hardened IRC-members, kindly pointed
me to its --kernel option. So I feel obliged to give its options a
stab as well. So, here goes the next batch of OPE-style (One Paragraph
Explanations).
~# checksec.sh --kernel
* Kernel protection information …emerge-webrsync and gpg verification
by Sven Vermeulen, post on Fri 22 July 2011Gentoo has been working on its security from very early on. One of the (many) features it supports is to allow users to validate the state of the portage tree. Ebuild signing (where developers sign the Manifest file with their key) is one of the layers offered by Gentoo, but …