Evaluating the zero trust hype
by Sven Vermeulen, post on Tue 05 October 2021Security vendors are touting the benefits of "zero trust" as the new way to approach security and security-conscious architecturing. But while there are principles within the zero trust mindset that came up in the last dozen years, most of the content in zero trust discussions is tied to age-old security propositions.
Authenticating with U2F
by Sven Vermeulen, post on Mon 11 September 2017In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.
Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk
about the pam_u2f setup are indeed correct that it is fairly simple. For completeness
sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.
Audit buffering and rate limiting
by Sven Vermeulen, post on Sun 10 May 2015Be it because of SELinux experiments, or through general audit experiments, sometimes you'll get in touch with a message similar to the following:
audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=44395 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded
The message shows …
Talk about SELinux on GSE Linux/Security
by Sven Vermeulen, post on Tue 25 March 2014On today's GSE Linux / GSE Security meeting (in cooperation with IMUG) I gave a small (30 minutes) presentation about what SELinux is. The slides are online and cover two aspects of SELinux: some of its design principles, and then a set of features provided by SELinux. The talk is directed …
Putting OVAL at work
by Sven Vermeulen, post on Thu 01 August 2013When we look at the SCAP security standards, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.
This is correct, but you need to remember that the standards are protocols, agreements that can be made …
Gentoo metadata support for CPE
by Sven Vermeulen, post on Fri 10 May 2013Recently, the metadata.xml file syntax definition (the DTD for those
that know a bit of XML) has been updated to support CPE definitions. A
CPE (Common Platform Enumeration) is an
identifier that
describes an
application, operating system or hardware device using its vendor,
product name, version, update, edition and …
Mitigating DDoS attacks
by Sven Vermeulen, post on Mon 22 April 2013Lately, DDoS attacks have been in the news more than I was hoping for. It seems that the botnets or other methods that are used to generate high-volume traffic to a legitimate service are becoming more and more easy to get and direct. At the time that I'm writing this …
How far reaching vulnerabilities can go
by Sven Vermeulen, post on Tue 09 April 2013If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …