1. 22 Sep, 2020 12 commits
  2. 21 Sep, 2020 9 commits
  3. 20 Sep, 2020 3 commits
  4. 18 Sep, 2020 1 commit
  5. 17 Sep, 2020 4 commits
  6. 16 Sep, 2020 2 commits
  7. 15 Sep, 2020 3 commits
    • Jelle van der Waa's avatar
      Add arch-devops-private to devops onboarding · 058b5657
      Jelle van der Waa authored
      Closes: #131
    • Levente Polyak's avatar
      Merge branch 'feature/kernel-sysctl-hardening' into 'master' · dd918741
      Levente Polyak authored
      kernel: further default sysctl hardening
      See merge request !81
    • Levente Polyak's avatar
      kernel: further default sysctl hardening · b2ba1877
      Levente Polyak authored
      - unprivileged bpf: we do not need this on our infra, we can assume
        bpf() calls will happen with CAP_SYS_ADMIN if required.
      - unprivileged userns: we do not need this on our infra for none of
        our services or similar. Reduce attack surface by a huge margin
        including most recent CVE-2020-14386.
      - kptr restrict: we already check for CAP_SYSLOG and real ids but we
        really do not require any specific kernel pointers to be logged.
        Settings this to 2 instead to blank out all kernel pointers to
        protect against info leak.
      - kexec: disable kexec as we do never want to kexec our running servers
        into something else. Settings this sysctl disables kexec even if its
        compiled into the kernel.
      - bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for
        the sacrifices off a bit performance for all users including
  8. 12 Sep, 2020 6 commits