Simplicity is a form of art...

File System Labels in Linux Sea
by Sven Vermeulen, post on Sat 12 February 2011

I have added some information on file system labels in Linux Sea (PDF). If you don't know what labels are (or UUIDs), here is a quick summary.

Most, if not all, file systems assign a universally unique identifier (UUID), which looks like a random hexadecimal string, to each file system …

SELinux for Gentoo Hardened
by Sven Vermeulen, post on Sun 06 February 2011

Recently, most of the SELinux-related ebuilds from the hardened overlay have been moved to the official Portage tree. Hopefully, this will trigger more people / organizations to try Gentoo Hardened with SELinux and help us improve the ebuilds. They're still marked as ~arch (as they should be). The draft SELinux handbook …

"Gentoo in production?" Oh no, not again...
by Sven Vermeulen, post on Fri 21 January 2011

I think it is that time of the year again, where people get some crazy ideas. Again I discussed what must be the gazillion-th time I've been asked "Do you think Gentoo is ripe for use in production?". Honestly, I always tell myself to ignore those discussions but I've …

Confining user applications
by Sven Vermeulen, post on Sun 16 January 2011

Ever since I started using SELinux, I'm getting more and more fond of what it can do for (security) administrators. Lately, I've started confining user applications (like skype) in the idea that I do not want any application connecting to the Internet or working with content received from untrusted sources …

Why I have backups
by Sven Vermeulen, post on Thu 30 December 2010

You often read stories about people who have data loss and did not keep any (recent) backups, and are now fully equipped with a state-of-the-art backup mechanism. So no - no such failure story here but an example why backups are important.

Yesterday I had a vicious RAID/LVM failure. Due …

cvechecker 2.0 released
by Sven Vermeulen, post on Wed 01 December 2010

Okay, enough play - time for a new release. Since cvechecker 1.0 was released, a few important changes have been made to the cvechecker tools:

  • You can now tell cvechecker to only check newly added files, or remove a set of files from its internal database. Previously, you had to …

Helping with version detection rules in cvechecker
by Sven Vermeulen, post on Sat 27 November 2010

The new development snapshot, available from the cvechecker project site, contains a helper script that returns potential version detection rules for your system if the current cvechecker database doesn't detect your software. The script is currently available for Gentoo (called cverules_gentoo) but other distributions can be easily added. The …

Delta processing in cvechecker
by Sven Vermeulen, post on Tue 02 November 2010

The cvechecker application will support delta file processing as well as higher version matching with its next release. The functionality is currently in version control and I still have to work out quite a few things before they can go live, but the functionality is there.

Now why would these …

SELinux enforcing for console activity
by Sven Vermeulen, post on Sat 30 October 2010

I'm now able to boot into my system with SELinux in enforcing mode (without unconfined domains), do standard system administration tasks as root / sysadm_r (including the relevant Portage activities) and work as a regular user as long as I don't want to run in Xorg. I'm not going to …

Risk identification
by Sven Vermeulen, post on Thu 14 October 2010

Risk identification is a difficult subject. Analysts need it to defend mitigation strategies or to suggest investments. Yet risk identification is often a subjective method, especially in the IT industry. How do you give a number on a certain risk? When do you believe that that number exceeds a threshold …