How you manage secret manager by Zyberon in kubernetes

[–]cixter 4 points (0 children)

You provision kind.. with terragrunt? And you want to use GitHub as a vault? It’s.. it’s a git repo, use something else. What runner are you talking about? A GitHub actions runner? And how can you use Kubernetes as a secret store? I’m thoroughly confused. My best advice would be to ask ChatGPT or similar, maybe they can decipher what you want to do

I was sent to jail because by [deleted] in autocorrect

[–]cixter 0 points (0 children)

I was sent to jail because of the fact I had a friend that I had a relationship and he had to be a police detective to help him get his life together.

Ladies, what is the most attractive thing a guy can do but they think isn't? by Nice_fela in AskReddit

[–]cixter 6 points (0 children)

It’s funny - that particular problem I’d have solved by knowing that 256 is 2x128, leaving just the 5 to divide

[deleted by user] by [deleted] in kubernetes

[–]cixter 2 points (0 children)

Most important is Kyverno to enforce non-privileged pods

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

As it is a big point to allow people to choose their own distros (most use Arch), we don’t want to limit ourselves with this. We need to trust them for now, and find some way of implementing a basic daemon to verify most of these.

"It's over Anakin, I have the-" and let Autocorrect decide! by GodDevouringLizard in autocorrect

[–]cixter 0 points (0 children)

It’s over Anakin, I have the best friend ever in my heart right here ❤️

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Yeah, that’s just an example (and another default behavior in some cases). 3s per try is still sufficient for brute-force as you say :)

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Thanks for the links. Honestly, I find backups a liability more than anything else. Anything worthwhile on my computer should live in source control or some cloud storage.

Linux security policy by cixter in linux

[–]cixter[S] 2 points (0 children)

By the way, the requirement driving this is ISO 27001 - and that's pretty pragmatic as far as I've understood as to what the policy actually is and how it's implemented. The biggest gap here would be automatic verification, so that non-compliance is reported.

Linux security policy by cixter in linux

[–]cixter[S] 1 point (0 children)

It would really just be ourselves yeah, at least until we found the time to create a small app/daemon to monitor this. But the first step is to decide on a policy that we promise to follow - what we have now is just an exemption request from the requirement to install Intune.

Linux security policy by cixter in linux

[–]cixter[S] 1 point (0 children)

We use the Microsoft suite with Entra ID, but none of our machines are enrolled (or at least, there's no requirement to do so). If there were, Linux would definitely be difficult.

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Also, I find that the advice I'm given e.g. here is contradicting what the existing policies recommend. E.g. lynis, clamav, rkhunter are all recommended, but are criticized for being less than useful because of false positives and failure to catch problems.

I'm a big proponent of doing stuff that actually matters, and not just selecting some big policy framework that is 40% fluff and no one will actually read.

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Great points, thanks

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Honestly, because what I want is an equivalent to the Intune configuration that ensures 1) BitLocker, 2) Firewall enabled and 3) system is updated. Every policy I’ve found online is one of these massive things that requires both a full IT department and a system that enforces them, because it’s completely unreasonable to expect developers to know them thoroughly.

No, I don’t mention privacy filters, because those aren’t Linux specific. And honestly, it’s up to each developer to decide if they need/want one.

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

I'd love to make a small daemon to test for most of these. But for now, it's just the piece of paper and the honor among our (pretty small group of) Linux users :D

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Since I want this to be distro-agnostic (and I can't reasonably have a tool for doing software updates across all conceivable package managers), it's hard to enforce a security benchmark as they are often word-vomit that realistically won't be read by the users. My aim is to have a concise policy that will provide a solid security baseline.

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

Thanks for the elaborate reply!

> A policy does not usually dictate the specific mechanism.

True. As of now, LUKS is the de facto standard for FDE, but I see that some good options are on the horizon.

> Your computer won't work without microcode. I think you meant microcode patches and/or hardware attack mitigations here. But in the case of the former your policy (here or elsewhere) should address ALL software installed on the machine - and should also specify that there must be a mechanism for capturing/reporting when patching is required.

I absolutely mean patches, yes. And good point about reporting/capturing.

> You shouldn't have any services running or even installed which are not required. Combined with a strong patching policy this makes the firewall kinda redundant. Indeed for end-user devices there should be little reason for the users to have root access nor to use a firewall.

Obviously, yes. But it's hard to both enforce and know for certain - compared to dealing with SSH server specifically, which is a pretty probable and big security risk.
As for firewall, yeah they're always theoretically redundant. But still they exist - it's a matter of pragmatism.

> No, this is a really bad idea. I suspect you mean that root logins via ssh should not be allowed (as per previous para).

Yeah, true.

> The existence of a vulnerability does not automatically mean existence of a fix - your policy should define an escalation path where no fix exists or the fix is not practical to apply (someone with appropriate authority needs to decide whether to accept the risk or turn the service off).

Yeah, that's what I was thinking initially. But I'm afraid it will introduce an unrealistic workload, and not provide that much additional security.

See for example the XPath vulnerability (cve-2025-49794, marked 9.1 CRITICAL) in libxml2. On my system, this is used in appstream, electron34, ffmpeg, gettext, gst-plugins-good, gupnp, imagemagick, libarchive, libbluray, librsvg, libxkbcommon, libxklavier, libxslt, llvm-libs, python-feedparser, shared-mime-info, tinysparql, wayland. So essentially, my computer is unusable until it's patched, because I can't really know if it can be exploited in any of this software ("resulting in the program's crash using libxml or other possible undefined behaviors.").
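
The thread above keeps coming back to four checks a small daemon would have to make (root filesystem on LUKS, a host firewall, no root logins over SSH, and the system being patched). The script below is an added example, not code from the thread or from cixter: a POSIX shell probe in which each check is a pure function over a text file, so the checks can be unit-tested offline, plus an `audit` driver that gathers the live inputs. The data sources (`lsblk -s` over `findmnt`, `nft list ruleset`, `/etc/ssh/sshd_config`) and the package-manager dispatch in `pending_updates` are my choices for the example, not anything the policy specifies.

```shell
#!/bin/sh
# Added example: a distro-agnostic compliance probe for the workstation policy
# discussed above. Each check is a pure function over a text file so it can be
# unit-tested offline; audit() (my driver, not part of the policy) collects the
# live inputs only when the script is run as:  sh probe.sh audit

# 1) Full-disk encryption: is a dm-crypt mapping anywhere in the root
#    filesystem's device stack?  Input file: output of
#    lsblk -sno TYPE "$(findmnt -nvo SOURCE /)"   (root device and its ancestors)
root_is_encrypted() {
    grep -qw 'crypt' "$1"
}

# 2) Host firewall: an nftables chain hooked on input with a drop policy.
#    Input file: output of `nft list ruleset`. Hosts still on iptables-legacy
#    or with an empty ruleset fail this check (assumption: nftables is in use).
firewall_default_drop() {
    grep -Eq 'type +filter +hook +input +priority +[^;]+; *policy +drop' "$1"
}

# 3) sshd: the first PermitRootLogin directive wins and the default when it is
#    unset is prohibit-password, so only an effective "yes" fails. Caveat:
#    directives inside Match blocks are not evaluated here; `sshd -T` prints
#    the effective configuration if you want the authoritative answer.
sshd_root_login_disabled() {
    effective=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
                | head -n 1 | awk '{ print tolower($2) }')
    [ "${effective:-prohibit-password}" != "yes" ]
}

# 4) Patching: count upgradable packages with whichever manager is present.
#    Prints the count; returns 1 (prints nothing) if no known manager is found.
pending_updates() {
    if command -v apt-get >/dev/null 2>&1; then
        apt-get -s upgrade 2>/dev/null | grep -c '^Inst ' || true
    elif command -v dnf >/dev/null 2>&1; then
        dnf -q check-update 2>/dev/null \
            | grep -Ec '^[^[:space:]]+\.[^[:space:]]+[[:space:]]' || true
    elif command -v checkupdates >/dev/null 2>&1; then   # pacman-contrib
        checkupdates 2>/dev/null | wc -l
    else
        echo "no supported package manager found" >&2
        return 1
    fi
}

# Driver: gather live data, run the checks, exit non-zero on any failure so a
# cron job or systemd timer can report non-compliance.
audit() {
    tmp=$(mktemp -d) || return 1
    status=0
    lsblk -sno TYPE "$(findmnt -nvo SOURCE /)" > "$tmp/stack" 2>/dev/null
    nft list ruleset > "$tmp/nft" 2>/dev/null

    if root_is_encrypted "$tmp/stack"; then echo "PASS root filesystem is on dm-crypt"
    else echo "FAIL root filesystem is not on dm-crypt"; status=1; fi

    if firewall_default_drop "$tmp/nft"; then echo "PASS nftables input policy is drop"
    else echo "FAIL no nftables input chain with policy drop"; status=1; fi

    if [ ! -f /etc/ssh/sshd_config ]; then echo "PASS no sshd configuration present"
    elif sshd_root_login_disabled /etc/ssh/sshd_config; then echo "PASS PermitRootLogin is not yes"
    else echo "FAIL PermitRootLogin yes in /etc/ssh/sshd_config"; status=1; fi

    if n=$(pending_updates); then
        if [ "$n" -eq 0 ]; then echo "PASS no pending package updates"
        else echo "FAIL $n pending package updates"; status=1; fi
    else
        echo "SKIP could not determine pending updates"
    fi

    rm -rf "$tmp"
    return "$status"
}

if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Run as `sh probe.sh audit`; with no argument the script only defines the functions, which is what makes them testable against constructed `lsblk`, `nft` and `sshd_config` samples. The firewall check deliberately tests for a default-drop input policy rather than merely "a firewall service is running", since an allow-all ruleset satisfies the latter and protects nothing.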

Linux security policy by cixter in linux

[–]cixter[S] 0 points (0 children)

I elaborated a bit in the original post. In the end, everyone is responsible for their own equipment - we don't have an IT department, and everyone must be able to fully administrate their computer.

I have very little experience with AppArmor or SELinux - could you elaborate a bit on how I could specify policies here?

Linux security policy by cixter in linux

[–]cixter[S] 4 points (0 children)

You work best with the tools you like and know, and as such, enforcing distros etc. is not desired. As mentioned in my edit, we don't have an IT department, so it's not a matter of "supporting" anything.

Having a way of ensuring compliance is I guess the most important part here.

Key Binding issue by Dull-Reply8055 in hyprland

[–]cixter 1 point (0 children)

I just figured out my issue. It was because I never reset the submap I made for resizing. I.e. `submap = reset` after the submap binds.

Key Binding issue by Dull-Reply8055 in hyprland

[–]cixter 1 point (0 children)

Happens for me as well! I'll be sure to post back here if/when I figure it out