From bdf97e4c7e50c6e136f0e50470e50cecf3fe7cf6 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Wed, 8 Aug 2018 15:27:54 -0700
Subject: [PATCH 01/18] Initial commit of security.rst
A document describing design choices that highlight security in Clear Linux
---
source/clear-linux/concepts/security.rst | 212 +++++++++++++++++++++++
1 file changed, 212 insertions(+)
create mode 100644 source/clear-linux/concepts/security.rst
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
new file mode 100644
index 00000000..d635d56d
--- /dev/null
+++ b/source/clear-linux/concepts/security.rst
@@ -0,0 +1,212 @@
+
+.. _security:
+
+|CL| Security
+*********************
+
+|CL|, as it is distributed and maintained upstream, aims to make
+systemic and layered security conscious decisions, which are rooted
+within the project's codebase and philosophy.
+
+Below are just some examples of how:
+
+
+.. contents:: :local:
+ :depth: 2
+
+
+
+Security in Updates
+===================
+
+The |CL| team believes in the potential benefits of
+open-source software security, incremental updates, and
+rapidly resolving known security advisories.
+
+
+
+The latest Linux codebase
+--------------------------------
+
+The |CL| Project operates around the idea of open sourcing
+ideas and innovations upstream through the Linux kernel and
+using it to take advantage of the latest and greatest features.
+This includes security-centered innovations adopted in the Linux upstream.
+
+
+
+Automated Effective Updating
+----------------------------
+
+The |CL| upstream is updated at lightning pace, releasing full
+new versions of |CL| with incremental updates multiple times a day!
+
+This `rolling release model`_ allows |CL| users to not only take
+advantage of the latest Linux upstream innovations but also consume
+the latest security fixes of software packages as soon as they are available.
+There is no waiting for major or minor releases on |CL|.
+
+But an update is not effective if it is just simply downloaded onto a system.
+It needs to be obtained *AND* ensured that the new patched copy is being
+used; not an older copy loaded in memory. |CL| will let you know when a
+service needs to be rebooted or do it for your automatically after
+a software update, if desired.
+
+
+In |CL| updates are delivered automatically,efficiently,
+and effectively.For more information see `documentation about Software Updates`_ in |CL|.
+
+
+
+
+
+Automated CVE Scanning and Remediation
+--------------------------------------
+
+The sheer number of software packages and security vulnerabilities is growing
+at an exorbitant rate. Repositories of CVEs and their fixes, if known,
+are published by :abbr:`NIST` in a National Vulnerability Database
+\ |NVD|\ and at \ |MITRE|\ .
+
+
+|CL| takes a proactive and measured approach to addressing known
+and fixable Common Vulnerabilities and Exposures (CVEs) disclosures.
+|CL| packages are scanned against CVEs at least daily, and
+software patched in accordance to the fix. This scanning is automated
+with an open source tool - `cve-check-tool`_ - and any outstanding
+vulnerabilities monitored appropriately.
+
+
+These combined practices minimize the amount of
+time |CL| systems are exposed to unnecessary security risk.
+
+
+
+
+
+Security in Software
+====================
+
+
+Minimized attack surface
+-------------------------
+
+|CL| tries to make no assumptions about the usage of software that gets
+installed on a system. It will not enable system services simply because they
+have been installed. This helps avoid the inadvertent opening of a network
+port or sensitive service starting on its own, unless it has been explicitly
+configured to be that way by the system administrator.
+
+Additionally, |CL| removes legacy, unneeded, or redundant standards and
+components as much as possible to enable the use of best known security standards.
+
+
+
+Verified trust
+--------------------------
+
+|CL| encourages the use of secure practices such as encryption
+and digital signature verification throughout the system and discourages blind
+trust. Below are some examples:
+
+* All update operations from swupd are transparently encrypted and checked
+ against the |CL| maintainers' public key for authenticity.
+ More information can be found in this blog post:
+ `blog post about swupd security`_
+
+* Before being built, packages available from |CL| verify checksums and
+ signatures provided by third party project codebases and maintainers.
+
+* |CL| features a unified certificate store, `clrtrust`_ which comes
+ ready to work with well-known Certificate Authorities out of the box.
+ `clrtrust`_ also offers an easy to use command line interface for managing
+ system-wide chains of trust, instead of ignoring foreign certificates.
+
+
+
+
+
+
+Compiled with secure options
+---------------------------------------
+
+While |CL| packages are optimized for performance on
+Intel Architecture, security conscious kernel and compiler options are
+sensibly taken advantage of. Below are some examples of how:
+
+
+* Kernels shipped with Clear Linux are signed and disallow the usage of
+ custom kernel modules to maintain verifiable system integrity.
+
+* `Address space layout randomization (ASLR)`_ and
+ `Kernel address space layout randomization (KASLR)`_ are kernel features
+ which defends against certain memory based attacks.
+ More information can be found in a `blog post about PIE executables`_
+
+* `dm-verity`_ is a kernel mechanism readily available in |CL|
+ which verifies integrity of the devices being written to, like harddisks,
+ to help ensure they have not been tampered with.
+
+
+.. note::
+ Linux security modules which restrict program capabilities,
+ such as Security-Enhanced Linux (`SELinux`_) or AppArmor, are not implemented
+ by |CL| at this time.
+
+
+
+Security in System Design
+=========================
+
+Common and simple, yet effective, techniques are used throughout the
+|CL| system design to defend against common attack vectors and enable
+good security hygiene.
+
+
+
+Some examples are below:
+
+
+* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
+ during installation
+
+* Use the PAM cracklib module to harden user login and password security:
+
+ - No default username or root password set out of the box with
+ |CL|, you will be asked to set your own password immediately.
+
+ - Simple password are schemes, which are known to be easily compromised,
+ cannot be set in |CL|.
+
+ - A password blacklist is in place, to avoid system passwords being set to
+ passwords which have been compromised in the past.
+
+* `Tallow`_, a lightweight service which monitors for suspicious SSH login
+ patterns, is included with |CL|.
+
+
+
+
+
+
+.. _`documentation about Software Updates`: https://clearlinux.org/documentation/clear-linux/concepts/swupd-about
+.. _`cve-check-tool`: https://github.com/clearlinux/cve-check-tool
+.. _`blog post about swupd security`: https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture
+.. _`rolling release model`: https://en.wikipedia.org/wiki/Rolling_release
+.. _`clrtrust`: https://github.com/clearlinux/clrtrust
+.. _`Address space layout randomization (ASLR)`: https://en.wikipedia.org/wiki/Address_space_layout_randomization
+.. _`Kernel address space layout randomization (KASLR)`: https://lwn.net/Articles/569635/
+.. _`dm-verity`: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/device-mapper/verity.txt
+.. _`SELinux`: https://github.com/SELinuxProject
+.. _`Linux Unified Key Setup`: https://gitlab.com/cryptsetup/cryptsetup/
+.. _`blog post about PIE executables`: https://clearlinux.org/blogs/recent-gnu-c-library-improvements
+.. _`Tallow`: https://github.com/clearlinux/tallow
+
+.. |NVD| raw:: html
+
+ https://nvd.nist.gov/
+
+.. |MITRE| raw:: html
+
+ https://cve.mitre.org/
+
From dd823416cec362f022040b9d501ec4bd8317f0b4 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Thu, 9 Aug 2018 14:23:13 -0700
Subject: [PATCH 02/18] Remove ambigious note and formatting fixes.
---
source/clear-linux/concepts/security.rst | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index d635d56d..7978e53c 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -148,10 +148,6 @@ sensibly taken advantage of. Below are some examples of how:
to help ensure they have not been tampered with.
-.. note::
- Linux security modules which restrict program capabilities,
- such as Security-Enhanced Linux (`SELinux`_) or AppArmor, are not implemented
- by |CL| at this time.
@@ -181,8 +177,8 @@ Some examples are below:
- A password blacklist is in place, to avoid system passwords being set to
passwords which have been compromised in the past.
-* `Tallow`_, a lightweight service which monitors for suspicious SSH login
- patterns, is included with |CL|.
+* `Tallow`_, a lightweight service which monitors and blocks suspicious SSH
+ login patterns, is installed with the :command:`openssh-server` bundle.
From 224f1c3c2493a9380e439eff00d1c582aa27599d Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Fri, 10 Aug 2018 12:56:21 -0700
Subject: [PATCH 03/18] Minor edits
---
source/clear-linux/concepts/security.rst | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 7978e53c..e46a7426 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -5,8 +5,9 @@
*********************
|CL|, as it is distributed and maintained upstream, aims to make
-systemic and layered security conscious decisions, which are rooted
-within the project's codebase and philosophy.
+systemic and layered security conscious decisions, which are both
+performant and practical. This security philosophy is rooted within
+the project's codebase and operating culture.
Below are just some examples of how:
@@ -20,7 +21,7 @@ Security in Updates
===================
The |CL| team believes in the potential benefits of
-open-source software security, incremental updates, and
+software security through open sourcing, incremental updates, and
rapidly resolving known security advisories.
@@ -41,19 +42,18 @@ Automated Effective Updating
The |CL| upstream is updated at lightning pace, releasing full
new versions of |CL| with incremental updates multiple times a day!
-This `rolling release model`_ allows |CL| users to not only take
-advantage of the latest Linux upstream innovations but also consume
-the latest security fixes of software packages as soon as they are available.
+This `rolling release model`_ allows |CL| to consume the latest security
+fixes of software packages as soon as they become available.
There is no waiting for major or minor releases on |CL|.
But an update is not effective if it is just simply downloaded onto a system.
It needs to be obtained *AND* ensured that the new patched copy is being
-used; not an older copy loaded in memory. |CL| will let you know when a
+used; not an older copy loaded into memory. |CL| will let you know when a
service needs to be rebooted or do it for your automatically after
a software update, if desired.
-In |CL| updates are delivered automatically,efficiently,
+In |CL| updates are delivered automatically, efficiently,
and effectively.For more information see `documentation about Software Updates`_ in |CL|.
@@ -132,7 +132,7 @@ Compiled with secure options
While |CL| packages are optimized for performance on
Intel Architecture, security conscious kernel and compiler options are
-sensibly taken advantage of. Below are some examples of how:
+sensibly taken advantage of. Below are some examples:
* Kernels shipped with Clear Linux are signed and disallow the usage of
@@ -156,11 +156,7 @@ Security in System Design
Common and simple, yet effective, techniques are used throughout the
|CL| system design to defend against common attack vectors and enable
-good security hygiene.
-
-
-
-Some examples are below:
+good security hygiene. Below are are some examples:
* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
From 406aa79b6c3e957fa47cb78bf6ff72d6ce4c40ca Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 21 Aug 2018 10:51:54 -0700
Subject: [PATCH 04/18] Revise minimized attack surface section
---
source/clear-linux/concepts/security.rst | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index e46a7426..0bfc24c8 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -91,15 +91,19 @@ Security in Software
Minimized attack surface
-------------------------
-|CL| tries to make no assumptions about the usage of software that gets
-installed on a system. It will not enable system services simply because they
-have been installed. This helps avoid the inadvertent opening of a network
-port or sensitive service starting on its own, unless it has been explicitly
-configured to be that way by the system administrator.
+|CL| removes legacy, unneeded, or redundant standards and
+components as much as possible to enable the use of best known security
+standards. Below are some examples:
-Additionally, |CL| removes legacy, unneeded, or redundant standards and
-components as much as possible to enable the use of best known security standards.
+* `RC4`, `SSLv3`, `3DES`, and `SHA-1` ciphers which have had known
+ vulnerabilities, have been explicitly disabled within many |CL| packages to
+ avoid their accidental usage.
+* Services and subsystems which expose sensitive system information
+ have been removed such as the `finger` and `tcpwrappers`.
+
+* `SFTP` has been disabled by default due to security
+ considerations. See the `openssh-server reference page`_ for more details.
Verified trust
@@ -183,6 +187,7 @@ good security hygiene. Below are are some examples:
.. _`documentation about Software Updates`: https://clearlinux.org/documentation/clear-linux/concepts/swupd-about
.. _`cve-check-tool`: https://github.com/clearlinux/cve-check-tool
+.. _`openssh-server reference page`: https://clearlinux.org/documentation/clear-linux/reference/bundles/openssh-server
.. _`blog post about swupd security`: https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture
.. _`rolling release model`: https://en.wikipedia.org/wiki/Rolling_release
.. _`clrtrust`: https://github.com/clearlinux/clrtrust
From ca3e88d7cc9a23242b11fb6f6f0038d049e432ca Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 21 Aug 2018 12:22:38 -0700
Subject: [PATCH 05/18] Implement some feedback from @nesiusra
---
source/clear-linux/concepts/security.rst | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 0bfc24c8..541dff84 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -39,7 +39,7 @@ This includes security-centered innovations adopted in the Linux upstream.
Automated Effective Updating
----------------------------
-The |CL| upstream is updated at lightning pace, releasing full
+The |CL| content is updated at lightning pace, releasing full
new versions of |CL| with incremental updates multiple times a day!
This `rolling release model`_ allows |CL| to consume the latest security
@@ -69,13 +69,10 @@ are published by :abbr:`NIST` in a National Vulnerability Database
\ |NVD|\ and at \ |MITRE|\ .
-|CL| takes a proactive and measured approach to addressing known
+|CL| employs a proactive and measured approach to addressing known
and fixable Common Vulnerabilities and Exposures (CVEs) disclosures.
-|CL| packages are scanned against CVEs at least daily, and
-software patched in accordance to the fix. This scanning is automated
-with an open source tool - `cve-check-tool`_ - and any outstanding
-vulnerabilities monitored appropriately.
-
+Packages are automatically scanned against CVEs at least daily, and
+security updates and patches are deployed as soon as they are available.
These combined practices minimize the amount of
time |CL| systems are exposed to unnecessary security risk.
@@ -158,7 +155,7 @@ sensibly taken advantage of. Below are some examples:
Security in System Design
=========================
-Common and simple, yet effective, techniques are used throughout the
+Simple, yet effective, techniques are used throughout the
|CL| system design to defend against common attack vectors and enable
good security hygiene. Below are are some examples:
From 15a81d1347beb0bd681750f5bd9949b1ee6f2fad Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Thu, 23 Aug 2018 08:01:32 -0700
Subject: [PATCH 06/18] Fix a couple minor typos
---
source/clear-linux/concepts/security.rst | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 541dff84..62394af5 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -54,7 +54,8 @@ a software update, if desired.
In |CL| updates are delivered automatically, efficiently,
-and effectively.For more information see `documentation about Software Updates`_ in |CL|.
+and effectively. For more information see
+`documentation about Software Updates`_ in |CL|.
@@ -157,7 +158,7 @@ Security in System Design
Simple, yet effective, techniques are used throughout the
|CL| system design to defend against common attack vectors and enable
-good security hygiene. Below are are some examples:
+good security hygiene. Below are some examples:
* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
From a6a24fc132523ab9fcaf425dd581144eb1469791 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 28 Aug 2018 14:00:09 -0700
Subject: [PATCH 07/18] Add security doc to to concept toctree
---
source/clear-linux/concepts/concepts.rst | 1 +
1 file changed, 1 insertion(+)
diff --git a/source/clear-linux/concepts/concepts.rst b/source/clear-linux/concepts/concepts.rst
index 476b5c8f..612646b1 100644
--- a/source/clear-linux/concepts/concepts.rst
+++ b/source/clear-linux/concepts/concepts.rst
@@ -14,3 +14,4 @@ details relevant to the |CL| features.
mixer-about
bundles-about
restart
+ security
From 1258c5d4f477607fc850b06246119509675ca363 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 28 Aug 2018 15:36:14 -0700
Subject: [PATCH 08/18] Implement some changes requested by @intelkevinputnam
---
source/clear-linux/concepts/security.rst | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 62394af5..7445a337 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -1,16 +1,14 @@
.. _security:
-|CL| Security
+|CL|* Security
*********************
-|CL|, as it is distributed and maintained upstream, aims to make
+|CL|*, as it is distributed and maintained upstream, aims to make
systemic and layered security conscious decisions, which are both
performant and practical. This security philosophy is rooted within
the project's codebase and operating culture.
-Below are just some examples of how:
-
.. contents:: :local:
:depth: 2
@@ -20,7 +18,7 @@ Below are just some examples of how:
Security in Updates
===================
-The |CL| team believes in the potential benefits of
+The |CL| team believes in the benefits of
software security through open sourcing, incremental updates, and
rapidly resolving known security advisories.
@@ -46,7 +44,7 @@ This `rolling release model`_ allows |CL| to consume the latest security
fixes of software packages as soon as they become available.
There is no waiting for major or minor releases on |CL|.
-But an update is not effective if it is just simply downloaded onto a system.
+An update is not effective if it is just simply downloaded onto a system.
It needs to be obtained *AND* ensured that the new patched copy is being
used; not an older copy loaded into memory. |CL| will let you know when a
service needs to be rebooted or do it for your automatically after
@@ -71,7 +69,7 @@ are published by :abbr:`NIST` in a National Vulnerability Database
|CL| employs a proactive and measured approach to addressing known
-and fixable Common Vulnerabilities and Exposures (CVEs) disclosures.
+and fixable Common Vulnerabilities and Exposures (CVEs).
Packages are automatically scanned against CVEs at least daily, and
security updates and patches are deployed as soon as they are available.
From 700f2d754bdf931b312ee2f78900e9219f10f4cd Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 28 Aug 2018 15:40:06 -0700
Subject: [PATCH 09/18] Implement some changes requested by @intelkevinputnam
---
source/clear-linux/concepts/security.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 7445a337..0800093f 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -140,11 +140,11 @@ sensibly taken advantage of. Below are some examples:
* `Address space layout randomization (ASLR)`_ and
`Kernel address space layout randomization (KASLR)`_ are kernel features
- which defends against certain memory based attacks.
+ which defend against certain memory based attacks.
More information can be found in a `blog post about PIE executables`_
* `dm-verity`_ is a kernel mechanism readily available in |CL|
- which verifies integrity of the devices being written to, like harddisks,
+ which verifies integrity of the devices being written to, like hard disks,
to help ensure they have not been tampered with.
From 0e422f47339929a6ad752aadeeae9a6c85fe9b0a Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 28 Aug 2018 15:47:36 -0700
Subject: [PATCH 10/18] Implement some changes requested by @intelkevinputnam
---
source/clear-linux/concepts/security.rst | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 0800093f..375b0ddf 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -37,8 +37,7 @@ This includes security-centered innovations adopted in the Linux upstream.
Automated Effective Updating
----------------------------
-The |CL| content is updated at lightning pace, releasing full
-new versions of |CL| with incremental updates multiple times a day!
+|CL| is incrementally updated multiple times per day.
This `rolling release model`_ allows |CL| to consume the latest security
fixes of software packages as soon as they become available.
@@ -63,7 +62,7 @@ Automated CVE Scanning and Remediation
--------------------------------------
The sheer number of software packages and security vulnerabilities is growing
-at an exorbitant rate. Repositories of CVEs and their fixes, if known,
+exponentially. Repositories of CVEs and their fixes, if known,
are published by :abbr:`NIST` in a National Vulnerability Database
\ |NVD|\ and at \ |MITRE|\ .
@@ -160,14 +159,14 @@ good security hygiene. Below are some examples:
* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
- during installation
+ during installation.
* Use the PAM cracklib module to harden user login and password security:
- No default username or root password set out of the box with
|CL|, you will be asked to set your own password immediately.
- - Simple password are schemes, which are known to be easily compromised,
+ - Simple password schemes, which are known to be easily compromised,
cannot be set in |CL|.
- A password blacklist is in place, to avoid system passwords being set to
From e3ea11ab08db7180cd468487b139325f3ea1ddcc Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 28 Aug 2018 15:51:11 -0700
Subject: [PATCH 11/18] Expand and escape first CL mentions
---
source/clear-linux/concepts/security.rst | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 375b0ddf..f5aabbfc 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -1,10 +1,10 @@
.. _security:
-|CL|* Security
-*********************
+Clear Linux\* Security
+**********************
-|CL|*, as it is distributed and maintained upstream, aims to make
+Clear Linux\*, as it is distributed and maintained upstream, aims to make
systemic and layered security conscious decisions, which are both
performant and practical. This security philosophy is rooted within
the project's codebase and operating culture.
From 6aecafbb22a64eb4272be527bba0224f18a2e4c6 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 28 Aug 2018 16:19:15 -0700
Subject: [PATCH 12/18] Revise latest Linux section
---
source/clear-linux/concepts/security.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index f5aabbfc..0a0ad393 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -27,10 +27,10 @@ rapidly resolving known security advisories.
The latest Linux codebase
--------------------------------
-The |CL| Project operates around the idea of open sourcing
-ideas and innovations upstream through the Linux kernel and
-using it to take advantage of the latest and greatest features.
-This includes security-centered innovations adopted in the Linux upstream.
+|CL| uses the newest version of the Linux kernel which allows the operating
+system to leverage the latest features from the upstream Linux kernel,
+including security fixes.
+
From 20cb86a11d55086821079f24bef6ce3e1d85f48c Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Thu, 30 Aug 2018 14:10:36 -0700
Subject: [PATCH 13/18] Add abbr to CVE and RST syntax fixes
---
source/clear-linux/concepts/security.rst | 26 ++++++++++++------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 0a0ad393..e07bc3dd 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -1,4 +1,3 @@
-
.. _security:
Clear Linux\* Security
@@ -25,7 +24,7 @@ rapidly resolving known security advisories.
The latest Linux codebase
---------------------------------
+-------------------------
|CL| uses the newest version of the Linux kernel which allows the operating
system to leverage the latest features from the upstream Linux kernel,
@@ -62,15 +61,16 @@ Automated CVE Scanning and Remediation
--------------------------------------
The sheer number of software packages and security vulnerabilities is growing
-exponentially. Repositories of CVEs and their fixes, if known,
-are published by :abbr:`NIST` in a National Vulnerability Database
-\ |NVD|\ and at \ |MITRE|\ .
+exponentially. Repositories of Common Vulnerabilities and Exposures (CVEs)
+and their fixes, if known, are published by :abbr:`NIST` in a
+National Vulnerability Database \ |NVD|\ and at \ |MITRE|\ .
-|CL| employs a proactive and measured approach to addressing known
-and fixable Common Vulnerabilities and Exposures (CVEs).
-Packages are automatically scanned against CVEs at least daily, and
-security updates and patches are deployed as soon as they are available.
+|CL| employs a proactive and measured approach to addressing known
+and fixable :abbr:`CVEs (Common Vulnerabilities and Exposures)`.
+Packages are automatically scanned against
+:abbr:`CVEs (Common Vulnerabilities and Exposures)` daily, and security
+patches are deployed as soon as they are available.
These combined practices minimize the amount of
time |CL| systems are exposed to unnecessary security risk.
@@ -102,7 +102,7 @@ standards. Below are some examples:
Verified trust
---------------------------
+--------------
|CL| encourages the use of secure practices such as encryption
and digital signature verification throughout the system and discourages blind
@@ -127,7 +127,7 @@ trust. Below are some examples:
Compiled with secure options
----------------------------------------
+----------------------------
While |CL| packages are optimized for performance on
Intel Architecture, security conscious kernel and compiler options are
@@ -140,7 +140,7 @@ sensibly taken advantage of. Below are some examples:
* `Address space layout randomization (ASLR)`_ and
`Kernel address space layout randomization (KASLR)`_ are kernel features
which defend against certain memory based attacks.
- More information can be found in a `blog post about PIE executables`_
+ More information can be found in a `blog post about PIE executables`_ .
* `dm-verity`_ is a kernel mechanism readily available in |CL|
which verifies integrity of the devices being written to, like hard disks,
@@ -161,7 +161,7 @@ good security hygiene. Below are some examples:
* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
during installation.
-* Use the PAM cracklib module to harden user login and password security:
+* Use of the PAM cracklib module to harden user login and password security:
- No default username or root password set out of the box with
|CL|, you will be asked to set your own password immediately.
From 260f5e4969a2b62e5c086a9cea3b8af7ecec4844 Mon Sep 17 00:00:00 2001
From: Kevin Putnam
Date: Thu, 6 Sep 2018 14:27:13 -0700
Subject: [PATCH 14/18] fixed wording of PAM cracklib bullet
---
source/clear-linux/concepts/security.rst | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index e07bc3dd..cf7162c7 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -161,7 +161,8 @@ good security hygiene. Below are some examples:
* Full disk encryption using `Linux Unified Key Setup`_ (LUKS) is available
during installation.
-* Use of the PAM cracklib module to harden user login and password security:
+* |CL| uses the PAM cracklib module to harden user login and password
+ security resulting in:
- No default username or root password set out of the box with
|CL|, you will be asked to set your own password immediately.
@@ -169,7 +170,7 @@ good security hygiene. Below are some examples:
- Simple password schemes, which are known to be easily compromised,
cannot be set in |CL|.
- - A password blacklist is in place, to avoid system passwords being set to
+ - A password blacklist, to avoid system passwords being set to
passwords which have been compromised in the past.
* `Tallow`_, a lightweight service which monitors and blocks suspicious SSH
From d67da866d106932de5325be39b7f3bcf045202a6 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Mon, 10 Sep 2018 16:13:33 -0700
Subject: [PATCH 15/18] Implement some changes requested by @mvincerx
---
source/clear-linux/concepts/security.rst | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index cf7162c7..75fa4cac 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -1,12 +1,11 @@
.. _security:
-Clear Linux\* Security
+Clear Linux\* OS Security
**********************
-Clear Linux\*, as it is distributed and maintained upstream, aims to make
-systemic and layered security conscious decisions, which are both
-performant and practical. This security philosophy is rooted within
-the project's codebase and operating culture.
+Clear Linux\* aims to make systemic and layered security-conscious decisions,
+that are both performant and practical. This security philosophy is rooted
+within the project's codebase and operating culture.
.. contents:: :local:
@@ -130,7 +129,7 @@ Compiled with secure options
----------------------------
While |CL| packages are optimized for performance on
-Intel Architecture, security conscious kernel and compiler options are
+Intel® Architecture, security conscious kernel and compiler options are
sensibly taken advantage of. Below are some examples:
From 28f0b5eacf8857246560880d40136b8184895606 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 11 Sep 2018 15:16:58 -0700
Subject: [PATCH 16/18] Implement changes brought up by @mvincerx
---
source/clear-linux/concepts/security.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 75fa4cac..3f81b6ed 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -3,7 +3,7 @@
Clear Linux\* OS Security
**********************
-Clear Linux\* aims to make systemic and layered security-conscious decisions,
+Clear Linux\* aims to make systemic and layered security-conscious decisions
that are both performant and practical. This security philosophy is rooted
within the project's codebase and operating culture.
@@ -129,7 +129,7 @@ Compiled with secure options
----------------------------
While |CL| packages are optimized for performance on
-Intel® Architecture, security conscious kernel and compiler options are
+Intel® architecture, security conscious kernel and compiler options are
sensibly taken advantage of. Below are some examples:
From a79bb5b7a3012890ac67688b6790b8390c29d013 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Tue, 11 Sep 2018 16:59:43 -0700
Subject: [PATCH 17/18] Fix indents
---
source/clear-linux/concepts/security.rst | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 3f81b6ed..6a6979b1 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -163,14 +163,14 @@ good security hygiene. Below are some examples:
* |CL| uses the PAM cracklib module to harden user login and password
security resulting in:
- - No default username or root password set out of the box with
- |CL|, you will be asked to set your own password immediately.
+ - No default username or root password set out of the box with
+ |CL|, you will be asked to set your own password immediately.
- - Simple password schemes, which are known to be easily compromised,
- cannot be set in |CL|.
+ - Simple password schemes, which are known to be easily compromised,
+ cannot be set in |CL|.
- - A password blacklist, to avoid system passwords being set to
- passwords which have been compromised in the past.
+ - A password blacklist, to avoid system passwords being set to
+ passwords which have been compromised in the past.
* `Tallow`_, a lightweight service which monitors and blocks suspicious SSH
login patterns, is installed with the :command:`openssh-server` bundle.
From 2a448cc41548ba5fd2a648f1e65235db767fdfe8 Mon Sep 17 00:00:00 2001
From: puneetse <22071208+puneetse@users.noreply.github.com>
Date: Wed, 12 Sep 2018 11:35:03 -0700
Subject: [PATCH 18/18] Implement fixes raised by @mvincerx
---
source/clear-linux/concepts/security.rst | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/clear-linux/concepts/security.rst b/source/clear-linux/concepts/security.rst
index 6a6979b1..9bfe90ff 100644
--- a/source/clear-linux/concepts/security.rst
+++ b/source/clear-linux/concepts/security.rst
@@ -3,7 +3,7 @@
Clear Linux\* OS Security
**********************
-Clear Linux\* aims to make systemic and layered security-conscious decisions
+Clear Linux\* OS aims to make systemic and layered security-conscious decisions
that are both performant and practical. This security philosophy is rooted
within the project's codebase and operating culture.
@@ -167,10 +167,10 @@ good security hygiene. Below are some examples:
|CL|, you will be asked to set your own password immediately.
- Simple password schemes, which are known to be easily compromised,
- cannot be set in |CL|.
+ cannot be set in |CL|.
- A password blacklist, to avoid system passwords being set to
- passwords which have been compromised in the past.
+ passwords which have been compromised in the past.
* `Tallow`_, a lightweight service which monitors and blocks suspicious SSH
login patterns, is installed with the :command:`openssh-server` bundle.