mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-11-17 03:51:35 -05:00
Rearrange Content
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
e5756f2f4e
commit
fc005e7b31
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: "Docker and OCI Hardening"
|
title: "Docker and OCI Hardening"
|
||||||
date: 2022-03-30T21:23:12Z
|
date: 2022-03-30T21:23:12Z
|
||||||
tags: ['Operating Systems', 'Linux', 'Container', 'Security']
|
tags: ['Applications', 'Linux', 'Container', 'Security']
|
||||||
author: Wonderfall
|
author: Wonderfall
|
||||||
canonicalURL: https://wonderfall.dev/docker-hardening/
|
canonicalURL: https://wonderfall.dev/docker-hardening/
|
||||||
ShowCanonicalLink: true
|
ShowCanonicalLink: true
|
||||||
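Review bot: the tag change in this front matter (`'Operating Systems'` to `'Applications'`) is only durable because the sync script in the last hunk is updated in the same commit; that script does `rm -rf` followed by `curl` on this file on every run and then rewrites the `tags:` line with `sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/"`, so any later change to these tags must be made in the script rather than in this file, or it will be overwritten on the next fetch.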
@ -255,4 +255,4 @@ Still not convinced? What if I told you a container can leverage the same techno
|
|||||||
|
|
||||||
If you're running untrusted workloads, I highly suggest you consider gVisor instead of a traditional container runtime. Your definition of "untrusted" may vary: for me, almost everything should be considered untrusted. That is how modern security works, and how mobile operating systems work. It's quite simple, security should be simple, and gVisor simply offers native security.
|
If you're running untrusted workloads, I highly suggest you consider gVisor instead of a traditional container runtime. Your definition of "untrusted" may vary: for me, almost everything should be considered untrusted. That is how modern security works, and how mobile operating systems work. It's quite simple, security should be simple, and gVisor simply offers native security.
|
||||||
|
|
||||||
Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of.
|
Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of.
|
@ -80,7 +80,7 @@ allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
|
|||||||
|
|
||||||
This is a mere sample of the [SELinux exceptions](https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-12.0.0_r21/private) that have to be made on older API levels so that you can understand why it matters.
|
This is a mere sample of the [SELinux exceptions](https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-12.0.0_r21/private) that have to be made on older API levels so that you can understand why it matters.
|
||||||
|
|
||||||
It turns out the official F-Droid client doesn't care much about this since it lags behind quite a bit, **[targeting the API level 25](https://gitlab.com/fdroid/fdroidclient/-/blob/2a8b16683a2dbee16d624a58e7dd3ea1da772fbd/app/build.gradle#L33)** (Android 7.1) of which some SELinux exceptions were shown above. As a workaround, some users recommended third-party clients such as [Foxy Droid](https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/) or [Aurora Droid](https://f-droid.org/en/packages/com.aurora.adroid/). While these clients might be technically better, they're poorly maintained for some, and they also introduce yet another party to the mix. [Droid-ify](https://github.com/Iamlooker/Droid-ify) (recently rebreanded to Neo-Store) seems to be a better option than the official client in most aspects.
|
It turns out the official F-Droid client doesn't care much about this since it lags behind quite a bit, **[targeting the API level 25](https://gitlab.com/fdroid/fdroidclient/-/blob/2a8b16683a2dbee16d624a58e7dd3ea1da772fbd/app/build.gradle#L33)** (Android 7.1) of which some SELinux exceptions were shown above. As a workaround, some users recommended third-party clients such as [Foxy Droid](https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/) or [Aurora Droid](https://f-droid.org/en/packages/com.aurora.adroid/). While these clients might be technically better, they're poorly maintained for some, and they also introduce yet another party to the mix. [Droid-ify](https://github.com/Iamlooker/Droid-ify) (recently rebranded to Neo-Store) seems to be a better option than the official client in most aspects.
|
||||||
|
|
||||||
Furthermore, F-Droid **doesn't enforce a minimum target SDK** for the official repository. Play Store [does that quite aggressively](https://developer.android.com/google/play/requirements/target-sdk) for new apps and app updates:
|
Furthermore, F-Droid **doesn't enforce a minimum target SDK** for the official repository. Play Store [does that quite aggressively](https://developer.android.com/google/play/requirements/target-sdk) for new apps and app updates:
|
||||||
|
|
||||||
|
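Review bot: the `rebreanded` to `rebranded` spelling fix is applied to a file that the sync script regenerates from upstream (the context line of the last hunk shows `sed -i '/^tags:.*/a author: Wonderfall' './content/apps/F-Droid Security Analysi…'`, i.e. this post is fetched and rewritten in the same way as the Docker post), so the fix will be lost on the next run unless it is also sent upstream or added to the script as its own `sed` substitution.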
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: "Using Lokinet on Qubes OS"
|
title: "Using Lokinet on Qubes OS"
|
||||||
date: 2022-07-27
|
date: 2022-07-27
|
||||||
tags: ['Operating Systems', 'Qubes OS', 'Anonymity', 'Privacy']
|
tags: ['Applications', 'Qubes OS', 'Anonymity', 'Privacy']
|
||||||
author: Tommy
|
author: Tommy
|
||||||
---
|
---
|
||||||
|
|
@ -72,4 +72,4 @@ Restart the `sshd` service and try to connect to your server using your key hand
|
|||||||
## That's cool, right?
|
## That's cool, right?
|
||||||
If you don't have a security key, you can buy one from [YubiKey](https://www.yubico.com/fr/store/) (I'm very happy with my 5C NFC by the way), [Nitrokey](https://www.nitrokey.com/), [SoloKeys](https://solokeys.com/) or [OnlyKey](https://onlykey.io/) (to name a few). If you have an Android device with a hardware security module (HSM), such as the Google Pixels equipped with Titan M (Pixel 3+), you could even use them as bluetooth security keys.
|
If you don't have a security key, you can buy one from [YubiKey](https://www.yubico.com/fr/store/) (I'm very happy with my 5C NFC by the way), [Nitrokey](https://www.nitrokey.com/), [SoloKeys](https://solokeys.com/) or [OnlyKey](https://onlykey.io/) (to name a few). If you have an Android device with a hardware security module (HSM), such as the Google Pixels equipped with Titan M (Pixel 3+), you could even use them as bluetooth security keys.
|
||||||
|
|
||||||
*No reason to miss out on the party if you can afford it!*
|
*No reason to miss out on the party if you can afford it!*
|
@ -14,14 +14,14 @@ sed -i '/^tags:.*/a author: Wonderfall' './content/apps/F-Droid Security Analysi
|
|||||||
|
|
||||||
#Docker and OCI Hardening
|
#Docker and OCI Hardening
|
||||||
echo "Fetching and Modifying the Docker and OCI Hardening post"
|
echo "Fetching and Modifying the Docker and OCI Hardening post"
|
||||||
rm -rf './content/os/Docker and OCI Hardening.md'
|
rm -rf './content/apps/Docker and OCI Hardening.md'
|
||||||
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/os/Docker and OCI Hardening.md'
|
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/apps/Docker and OCI Hardening.md'
|
||||||
sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/os/Docker and OCI Hardening.md'
|
sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/apps/Docker and OCI Hardening.md'
|
||||||
sed -i '/draft:.*/d' './content/os/Docker and OCI Hardening.md'
|
sed -i '/draft:.*/d' './content/apps/Docker and OCI Hardening.md'
|
||||||
sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Container', 'Security']/" './content/os/Docker and OCI Hardening.md'
|
sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/apps/Docker and OCI Hardening.md'
|
||||||
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/os/Docker and OCI Hardening.md'
|
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/Docker and OCI Hardening.md'
|
||||||
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/os/Docker and OCI Hardening.md'
|
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/apps/Docker and OCI Hardening.md'
|
||||||
sed -i '/^tags:.*/a author: Wonderfall' './content/os/Docker and OCI Hardening.md'
|
sed -i '/^tags:.*/a author: Wonderfall' './content/apps/Docker and OCI Hardening.md'
|
||||||
|
|
||||||
#Securing OpenSSH with FIDO2
|
#Securing OpenSSH with FIDO2
|
||||||
echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
|
echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
|
||||||
|
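Review bot: the `curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o …` line has no `--fail` (`-f`), so on an HTTP error curl writes the error body into `./content/apps/Docker and OCI Hardening.md` with a zero exit status and the following `sed -i` lines happily "fix up" that garbage and publish it; suggest `curl -fsSL … -o …` together with `set -e` at the top of the script so a failed fetch aborts the run. Two smaller points in the same hunk: the file is pulled from the `main` branch rather than a pinned commit, which means whatever is on that branch at sync time is published as site content with no review step, so pinning the URL to a commit SHA (and bumping it deliberately) would make the supply chain reviewable; and `rm -rf` on a single markdown file only needs `rm -f`, since the recursive flag buys nothing here and is unsafe if the path is ever turned into a variable.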