security/wiki
8
0
Fork 1
generated from sig_core/wiki-template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Deployed 0480992 with MkDocs version: 1.5.3

Browse Source
This commit is contained in:
2023-12-28 15:26:16 +00:00
parent 8d74e84714
commit 33b5e8c9ce
15 changed files with 71 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
404.html
View File

@ -14,7 +14,7 @@
<link rel="icon" href="/assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
index.html
View File

@ -18,7 +18,7 @@
<link rel="icon" href="assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
issues/CVE-2023-23583/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
issues/CVE-2023-4911/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

15
news/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">
@ -322,6 +322,15 @@
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#december-27-2023" class="md-nav__link">
<span class="md-ellipsis">
December 27, 2023
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#december-18-2023" class="md-nav__link">
<span class="md-ellipsis">
@ -745,6 +754,8 @@
<h1 id="news">News<a class="headerlink" href="#news" title="Permanent link">&para;</a></h1>
<p>These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.</p>
<h2 id="december-27-2023">December 27, 2023<a class="headerlink" href="#december-27-2023" title="Permanent link">&para;</a></h2>
<p><a href="../packages/control/">control</a> <code>0.8.0-5</code> can now manage user password hashing scheme and password policy in use by PAM-aware programs.</p>
<h2 id="december-18-2023">December 18, 2023<a class="headerlink" href="#december-18-2023" title="Permanent link">&para;</a></h2>
<p>This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.</p>
<p><a href="../packages/control/">control</a> <code>0.8.0-4</code> can now manage 3 privileged programs from <code>util-linux</code> (and <code>util-linux-core</code>): <code>mount</code>, <code>umount</code> (one "facility" for both), and <code>write</code>. Its wiki page has been reworked.</p>
@ -791,7 +802,7 @@ A typical facility is a SUID/SGID/setcap program or a configuration setting of a
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 18, 2023</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 27, 2023</span>
</span>

39
packages/control/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">
@ -560,6 +560,15 @@
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#control-pam" class="md-nav__link">
<span class="md-ellipsis">
control-pam
</span>
</a>
</li>
</ul>
@ -749,7 +758,7 @@
<h1 id="extra-package-control">Extra package: control<a class="headerlink" href="#extra-package-control" title="Permanent link">&para;</a></h1>
<h2 id="el9">EL9<a class="headerlink" href="#el9" title="Permanent link">&para;</a></h2>
<ul>
<li>Version <code>0.8.0-4.el9_3.security</code></li>
<li>Version <code>0.8.0-5.el9_3.security</code></li>
</ul>
<h3 id="package-summary">Package summary<a class="headerlink" href="#package-summary" title="Permanent link">&para;</a></h3>
<p><code>control</code> provides a common interface to register and control (what it calls) system facilities.
@ -759,15 +768,28 @@ We manage permissions on SUID/SGID/setcap programs because those programs pose r
<p><code>control</code> originates in Owl and is actively maintained in ALT Linux.</p>
<h3 id="usage-in-rocky-linux">Usage in Rocky Linux<a class="headerlink" href="#usage-in-rocky-linux" title="Permanent link">&para;</a></h3>
<p>While the original <code>control</code> package in Owl and ALT Linux merely provides the common interface mentioned above for other packages to register their facilities with (and many packages in those distros do), it's been adapted in Rocky Linux to provide its own sub-packages with facility specifications and RPM trigger scripts for other packages coming from EL. This way, we can <code>control</code> those facilities and have custom settings persist (be automatically saved and restored) over package upgrades without us having to maintain forks of those other packages.</p>
<p>The available facilities, their current settings, and lists of possible settings can be queried by running the <code>control</code> command without parameters. With all currently available sub-packages installed, its output may be:</p>
<p>The available facilities, their current settings, and lists of possible settings can be queried by running the <code>control</code> command without parameters. With all currently available sub-packages installed and upstream default settings, its output is:</p>
<div class="highlight"><pre><span></span><code>chage public (public restricted)
gpasswd public (public wheelonly restricted)
mount public (public wheelonly unprivileged restricted)
newgidmap public (public wheelonly restricted)
newgrp public (public wheelonly restricted)
newuidmap public (public wheelonly restricted)
password-hash sha512crypt (sha512crypt yescrypt)
password-policy pwquality (pwquality passwdqc)
write public (public restricted)
</code></pre></div>
<p>With maximum security hardening, it changes to:</p>
<div class="highlight"><pre><span></span><code>chage restricted (public restricted)
gpasswd restricted (public wheelonly restricted)
mount restricted (public wheelonly unprivileged restricted)
newgidmap restricted (public wheelonly restricted)
newgrp restricted (public wheelonly restricted)
newuidmap restricted (public wheelonly restricted)
password-hash yescrypt (sha512crypt yescrypt)
password-policy passwdqc (pwquality passwdqc)
write restricted (public restricted)
</code></pre></div>
<p>The default settings (typically <code>public</code>) correspond to EL packages' defaults (and are typically the most relaxed security-wise).</p>
<p>Please refer to <code>control(8)</code> man page for command-line usage syntax.</p>
<h3 id="sub-packages">Sub-packages<a class="headerlink" href="#sub-packages" title="Permanent link">&para;</a></h3>
@ -778,8 +800,15 @@ write public (public restricted)
<p>Facility specifications corresponding to the <code>shadow-utils</code> package. Currently, these allow to <code>control</code> access to 5 privileged programs - 3 of them (<code>chage</code>, <code>gpasswd</code>, and <code>newgrp</code>) are by default SUID root and 2 (<code>newuidmap</code> and <code>newgidmap</code>) are <code>cap_setuid=ep</code>.</p>
<h4 id="control-util-linux">control-util-linux<a class="headerlink" href="#control-util-linux" title="Permanent link">&para;</a></h4>
<p>Facility specifications corresponding to the <code>util-linux</code> and <code>util-linux-core</code> packages. Currently, these allow to <code>control</code> access to 3 privileged programs - 2 of them (<code>mount</code> and <code>umount</code>) are by default SUID root and 1 (<code>write</code>) SGID <code>tty</code>.</p>
<h4 id="control-pam">control-pam<a class="headerlink" href="#control-pam" title="Permanent link">&para;</a></h4>
<p>Facility specifications corresponding to the <code>pam</code> package. Currently, these allow to <code>control</code> user password hashing scheme and password policy in use by PAM-aware programs.</p>
<h3 id="change-log">Change log<a class="headerlink" href="#change-log" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code>* Mon Dec 18 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-4
<div class="highlight"><pre><span></span><code>* Wed Dec 27 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-5
- Install control(8) mode 755 since some of its features work as non-root
- Add sub-package with facilities and triggers for pam password hashing and
password policy
* Mon Dec 18 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-4
- Add sub-package with facilities and triggers for util-linux
* Mon Dec 18 2023 Solar Designer &lt;solar@openwall.com&gt; 0.8.0-3
@ -819,7 +848,7 @@ write public (public restricted)
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 18, 2023</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 27, 2023</span>
</span>

2
packages/glibc/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
packages/hardened_malloc/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
packages/lkrg/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
packages/microcode_ctl/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

2
packages/openssh/index.html
View File

@ -20,7 +20,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">

6
packages/passwdqc/index.html
View File

@ -18,7 +18,7 @@
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.2">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.3">
@ -771,7 +771,7 @@
<p>There are 5 sub-packages:</p>
<h4 id="pam_passwdqc">pam_passwdqc<a class="headerlink" href="#pam_passwdqc" title="Permanent link">&para;</a></h4>
<p><code>pam_passwdqc</code> is a PAM module that is normally invoked on password changes by programs such as <code>passwd(1)</code>. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.</p>
<p>Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, please edit PAM configuration files e.g. like <a href="https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371">shown here</a>.</p>
<p>Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, on EL9 use our <a href="../control/">control</a>, or on either EL8 or EL9 you may edit PAM configuration files manually e.g. like <a href="https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371">shown here</a>.</p>
<h4 id="passwdqc-utils">passwdqc-utils<a class="headerlink" href="#passwdqc-utils" title="Permanent link">&para;</a></h4>
<p><code>pwqcheck</code> and <code>pwqgen</code> are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts.</p>
<p>The <code>pwqfilter</code> program searches, creates, or updates binary passphrase filter files, which can also be used with <code>pwqcheck</code> and <code>pam_passwdqc</code>. This can be used for checking of user-provided passwords against existing data breaches, which is recommended in the current NIST guidance, specifically in publication 800-63B sections 5.1.1.2 and A.3. Paid pre-generated filter files are available from Openwall at the project homepage above, but with this tool you can also generate your own.</p>
@ -801,7 +801,7 @@
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 25, 2023</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 27, 2023</span>
</span>

2
search/search_index.json
View File

File diff suppressed because one or more lines are too long

22
sitemap.xml
View File

@ -2,57 +2,57 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://sig-security.rocky.page/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/news/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/issues/CVE-2023-23583/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/issues/CVE-2023-4911/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/control/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/glibc/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/hardened_malloc/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/lkrg/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/microcode_ctl/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/openssh/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://sig-security.rocky.page/packages/passwdqc/</loc>
<lastmod>2023-12-18</lastmod>
<lastmod>2023-12-28</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>

BIN
sitemap.xml.gz
View File

Binary file not shown.