Quickly setup a Gentoo system
by Sven Vermeulen, post on Sat 24 September 2011In order to verify if the installation instructions in the Gentoo Handbook are still valid, and to allow me to quickly seed new Gentoo installations in a virtual environment, I wrote a very ugly (really) script to automatically "stage" a Gentoo Linux installation in a KVM guest. This is not …
Power management guide updated
by Sven Vermeulen, post on Fri 23 September 2011The Gentoo Power Management Guide is now updated. It is a full rewrite, focusing currently on two main toolsets: Laptop Mode Tools and cpufreqd. I was pleasantly surprised by the number of features that the laptop mode tools package provided.
Of course, this does not mean that the guide is …
Mitigating risks, part 4 - Mandatory Access Control
by Sven Vermeulen, post on Fri 23 September 2011I've talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn't help there, and system hardening can only go that far. The additional countermeasures that …
Catching up
by Sven Vermeulen, post on Sun 18 September 2011As mentioned on the gentoo-doc mailinglist, all documentation bugs (that we know of) related to openrc have been fixed. It was already a week like so, but the last dependency on our "tracker" bug was an open one (asking if more needs to be done or not) from which we …
Mitigating risks, part 3 - hardening
by Sven Vermeulen, post on Tue 13 September 2011While I'm writing this post, my neighbor is shouting. He's shouting so hard, that I was almost writing with CAPS on to make sure you could read me. But don't worry, he's not fighting - it is how he expresses his (positive) feelings about his religion.
Security is, for some, also …
Mitigating risks, part 2 - service isolation
by Sven Vermeulen, post on Fri 09 September 2011Internet: absolute communication, absolute isolation
\~Paul Carvel
The quote might be ripped out of its context completely, since it wasn't made when talking about risks and the assurance you might need to get in order to reduce risks. But it does give a nice introduction to the second part of …
Mitigating risks, part 1
by Sven Vermeulen, post on Mon 05 September 2011We are running Foobar 2.0 on Tomcat 4. We know that Tomcat 4 isn't supported, but hey - our (internal) customer is happy that the Foobar application works and would like to keep it that way. Upgrading to Tomcat 5 or higher is not possible - Foobar 2.0 only works …
Now using refpolicy 2.20110726
by Sven Vermeulen, post on Sun 04 September 2011A few days ago, I committed the SELinux policy modules that are based on
the 2.20110726 set released upstream. For those that are using Gentoo
Hardened with SELinux, you'll find them if you use the \~arch set for
the sec-policy category.
When I talk about upstream, it usually is …
Use parted for large partitions
by Sven Vermeulen, post on Wed 24 August 2011A few bugs that were sitting in Gentoo's bugzilla for the documentation were related to large partitions (2 TB and higher). Previously, this wasn't as much as an issue since the number of users that have 2+ TB partitions are fairly slim. But of course time flies, hardware becomes cheaper …
Easy documentation updates thanks to the many contributions
by Sven Vermeulen, post on Mon 22 August 2011As mentioned previously, I took a stab at the Gentoo Guide to OpenLDAP Authentication, updating its configuration settings as well as give an introduction to its replication mechanism. Although I am no OpenLDAP guru at all, I set up a similar architecture for testing some SELinux policy changes. This test …