1. 18 Sep, 2020 1 commit
  2. 17 Sep, 2020 4 commits
  3. 16 Sep, 2020 2 commits
  4. 15 Sep, 2020 3 commits
    • Add arch-devops-private to devops onboarding · 058b5657
      Jelle van der Waa authored
      Closes: #131
    • Merge branch 'feature/kernel-sysctl-hardening' into 'master' · dd918741
      Levente Polyak authored
      kernel: further default sysctl hardening
      
      See merge request !81
    • kernel: further default sysctl hardening · b2ba1877
      Levente Polyak authored
      - unprivileged bpf: we do not need this on our infra, we can assume
        bpf() calls will happen with CAP_SYS_ADMIN if required.
      
      - unprivileged userns: we do not need this on our infra for any of
        our services or similar. Reduce attack surface by a huge margin
        including most recent CVE-2020-14386.
      
      - kptr restrict: we already check for CAP_SYSLOG and real ids but we
        really do not require any specific kernel pointers to be logged.
        Setting this to 2 instead to blank out all kernel pointers to
        protect against info leak.
      
      - kexec: disable kexec as we never want to kexec our running servers
        into something else. Setting this sysctl disables kexec even if it's
        compiled into the kernel.
      
      - bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying at
        the sacrifice of a bit of performance for all users including
        privileged.
  5. 12 Sep, 2020 9 commits
  6. 10 Sep, 2020 3 commits
  7. 09 Sep, 2020 7 commits
  8. 08 Sep, 2020 7 commits
  9. 07 Sep, 2020 1 commit
  10. 06 Sep, 2020 3 commits