diff --git a/content/os/Docker and OCI Hardening.md b/content/apps/Docker and OCI Hardening.md similarity index 99% rename from content/os/Docker and OCI Hardening.md rename to content/apps/Docker and OCI Hardening.md index fb55e73..e647e93 100644 --- a/content/os/Docker and OCI Hardening.md +++ b/content/apps/Docker and OCI Hardening.md @@ -1,7 +1,7 @@ --- title: "Docker and OCI Hardening" date: 2022-03-30T21:23:12Z -tags: ['Operating Systems', 'Linux', 'Container', 'Security'] +tags: ['Applications', 'Linux', 'Container', 'Security'] author: Wonderfall canonicalURL: https://wonderfall.dev/docker-hardening/ ShowCanonicalLink: true @@ -255,4 +255,4 @@ Still not convinced? What if I told you a container can leverage the same techno If you're running untrusted workloads, I highly suggest you consider gVisor instead of a traditional container runtime. Your definition of "untrusted" may vary: for me, almost everything should be considered untrusted. That is how modern security works, and how mobile operating systems work. It's quite simple, security should be simple, and gVisor simply offers native security. -Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of. +Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of. \ No newline at end of file diff --git a/content/apps/F-Droid Security Analysis.md b/content/apps/F-Droid Security Analysis.md index 297f0ab..52ee420 100644 --- a/content/apps/F-Droid Security Analysis.md +++ b/content/apps/F-Droid Security Analysis.md 
@@ -80,7 +80,7 @@ allow untrusted_app_25 proc_tty_drivers:file r_file_perms; This is a mere sample of the [SELinux exceptions](https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-12.0.0_r21/private) that have to be made on older API levels so that you can understand why it matters. -It turns out the official F-Droid client doesn't care much about this since it lags behind quite a bit, **[targeting the API level 25](https://gitlab.com/fdroid/fdroidclient/-/blob/2a8b16683a2dbee16d624a58e7dd3ea1da772fbd/app/build.gradle#L33)** (Android 7.1) of which some SELinux exceptions were shown above. As a workaround, some users recommended third-party clients such as [Foxy Droid](https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/) or [Aurora Droid](https://f-droid.org/en/packages/com.aurora.adroid/). While these clients might be technically better, they're poorly maintained for some, and they also introduce yet another party to the mix. [Droid-ify](https://github.com/Iamlooker/Droid-ify) (recently rebreanded to Neo-Store) seems to be a better option than the official client in most aspects. +It turns out the official F-Droid client doesn't care much about this since it lags behind quite a bit, **[targeting the API level 25](https://gitlab.com/fdroid/fdroidclient/-/blob/2a8b16683a2dbee16d624a58e7dd3ea1da772fbd/app/build.gradle#L33)** (Android 7.1) of which some SELinux exceptions were shown above. As a workaround, some users recommended third-party clients such as [Foxy Droid](https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/) or [Aurora Droid](https://f-droid.org/en/packages/com.aurora.adroid/). While these clients might be technically better, they're poorly maintained for some, and they also introduce yet another party to the mix. [Droid-ify](https://github.com/Iamlooker/Droid-ify) (recently rebranded to Neo-Store) seems to be a better option than the official client in most aspects. 
Furthermore, F-Droid **doesn't enforce a minimum target SDK** for the official repository. Play Store [does that quite aggressively](https://developer.android.com/google/play/requirements/target-sdk) for new apps and app updates: diff --git a/content/os/Using Lokinet on Qubes OS.md b/content/apps/Using Lokinet on Qubes OS.md similarity index 98% rename from content/os/Using Lokinet on Qubes OS.md rename to content/apps/Using Lokinet on Qubes OS.md index 5f31bf5..571ea30 100644 --- a/content/os/Using Lokinet on Qubes OS.md +++ b/content/apps/Using Lokinet on Qubes OS.md @@ -1,7 +1,7 @@ --- title: "Using Lokinet on Qubes OS" date: 2022-07-27 -tags: ['Operating Systems', 'Qubes OS', 'Anonymity', 'Privacy'] +tags: ['Applications', 'Qubes OS', 'Anonymity', 'Privacy'] author: Tommy --- diff --git a/content/os/Securing OpenSSH with FIDO2.md b/content/os/Securing OpenSSH with FIDO2.md index 038e93e..266577c 100644 --- a/content/os/Securing OpenSSH with FIDO2.md +++ b/content/os/Securing OpenSSH with FIDO2.md @@ -72,4 +72,4 @@ Restart the `sshd` service and try to connect to your server using your key hand ## That's cool, right? If you don't have a security key, you can buy one from [YubiKey](https://www.yubico.com/fr/store/) (I'm very happy with my 5C NFC by the way), [Nitrokey](https://www.nitrokey.com/), [SoloKeys](https://solokeys.com/) or [OnlyKey](https://onlykey.io/) (to name a few). If you have an Android device with a hardware security module (HSM), such as the Google Pixels equipped with Titan M (Pixel 3+), you could even use them as bluetooth security keys. -*No reason to miss out on the party if you can afford it!* +*No reason to miss out on the party if you can afford it!* \ No newline at end of file diff --git a/external-blogs.sh b/external-blogs.sh index d3f1af5..9522ad6 100755 --- a/external-blogs.sh +++ b/external-blogs.sh 
@@ -14,14 +14,14 @@ sed -i '/^tags:.*/a author: Wonderfall' './content/apps/F-Droid Security Analysi #Docker and OCI Hardening echo "Fetching and Modifying the Docker and OCI Hardening post" -rm -rf './content/os/Docker and OCI Hardening.md' -curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/os/Docker and OCI Hardening.md' -sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/os/Docker and OCI Hardening.md' -sed -i '/draft:.*/d' './content/os/Docker and OCI Hardening.md' -sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Container', 'Security']/" './content/os/Docker and OCI Hardening.md' -sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/os/Docker and OCI Hardening.md' -sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/os/Docker and OCI Hardening.md' -sed -i '/^tags:.*/a author: Wonderfall' './content/os/Docker and OCI Hardening.md' +rm -rf './content/apps/Docker and OCI Hardening.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/apps/Docker and OCI Hardening.md' +sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/apps/Docker and OCI Hardening.md' +sed -i '/draft:.*/d' './content/apps/Docker and OCI Hardening.md' +sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/apps/Docker and OCI Hardening.md' +sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/Docker and OCI Hardening.md' +sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/apps/Docker and OCI Hardening.md' +sed -i '/^tags:.*/a author: Wonderfall' './content/apps/Docker and OCI Hardening.md' #Securing OpenSSH with FIDO2 echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
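Review bot: In the Docker and OCI Hardening hunk, the rewritten closing paragraph is byte-identical to the old one except that it drops the file's trailing newline (the new side carries "\ No newline at end of file"); restore the newline, since this file is regenerated by external-blogs.sh from the upstream post and only the tag swap is a real change. The typo "loose the sight" survives on both sides of the hunk; because the fetched copy is overwritten on every run of the script, that fix belongs upstream (the post is pulled from Wonderfall's repository) or in a `sed` step in external-blogs.sh, not in a hand edit of the generated file.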
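Review bot: The "rebreanded" to "rebranded" correction in the F-Droid Security Analysis hunk will not persist, because external-blogs.sh fetches and rewrites './content/apps/F-Droid Security Analysis.md' (see the `sed -i '/^tags:.*/a author: Wonderfall'` context line in the script hunk); either fix the spelling in the upstream post or add a `sed -i 's/rebreanded/rebranded/'` line to the script so the next fetch does not reintroduce it.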
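Review bot: The Securing OpenSSH with FIDO2 hunk changes no content at all; its only effect is to strip the final newline (new side: "\ No newline at end of file"). That reads as an editor artifact rather than an intended change, so the hunk should be dropped from the patch or the trailing newline restored.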
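Review bot: In the external-blogs.sh hunk the `curl` invocation has no `--fail`/`-f`, so a 404 or rate-limit response from raw.githubusercontent.com is written into './content/apps/Docker and OCI Hardening.md' as if it were the post, and the following `sed` steps then "fix up" that error page; use `curl -fsSL <url> -o <file>` together with `set -e` (or an explicit exit-status check) so the build stops instead of publishing garbage. Related: the `title:.*`, `draft:.*` and `tags:.*` patterns are unanchored, so `sed -i '/draft:.*/d'` deletes any body line containing "draft:", not just the front-matter key; anchor them with `^` as the `/^tags:.*/a` lines already do, and `rm -rf` on a single regular file should be `rm -f`. Finally, fetching from the `main` branch means the published content changes whenever the upstream post does, with no review step in between; pinning the URL to a commit SHA and bumping it deliberately would make the build reproducible.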