[gull] security

catseyechandra catseyechandra at proton.me
Fri May 19 20:28:32 CEST 2023


A few links about computer security:

Intel Management Engine, more precisely the Converged Security and Management Engine:

https://en.wikipedia.org/wiki/Intel_Management_Engine
https://www.intel.com/content/www/us/en/download/19392/intel-converged-security-and-management-engine-version-detection-tool-intel-csmevdt.html

AMD Platform Security Processors:

https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor

(There is a nice collection of links in the references on these two Wikipedia pages.)

Géopolitis, "Tous espionnés":

https://pages.rts.ch/emissions/geopolitis/13761978-tous-espionnes.html

Documentary "Pegasus, un espion dans votre poche":

https://www.youtube.com/watch?v=-pIAM6ZH3IA

(My hypothesis is that the next big ones of this kind will involve toolkits taken out of the security world by corrupt or extremist cops...)

Kernel Self Protection Project:

http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

A script to apply these settings to a pre-existing kernel config:

--8<--
#!/usr/bin/env python3

import argparse
import re
from pprint import pprint

# An enabled option: CONFIG_X=y|m|<int>|<hex int>|"<string>"
# (the trailing part is optional so a last line without a newline still parses)
reEn = re.compile(r'^(CONFIG[_A-Za-z0-9]+)\s*=\s*(y|m|-?[0-9]+|0x[0-9a-fA-F]+|".*")(?:\s(.*))?$')
# A disabled option, normally written "# CONFIG_X is not set"
reDis = re.compile(r'^#\s*(CONFIG[_A-Za-z0-9]+)\s(.*)$')
# Any other comment line
reComment = re.compile(r'^#\s*(.*)$')


def cf_parse(line):
    if (m := reEn.match(line)):
        return ('config', m.group(1), m.group(2))
    elif (m := reDis.match(line)):
        return ('config', m.group(1), 'n')
    elif (m := reComment.match(line)):
        return ('comment', m.group(1))
    elif line.strip() == '':
        return ('blank',)
    else:
        raise ValueError("unparsable config line: {!r}".format(line))


def cf_write(cf_line):
    # if blank return an empty string (print adds the newline)
    if (cf_line[0] == 'blank'):
        return ''
    # a comment, write it cleanly
    elif (cf_line[0] == 'comment'):
        if (cf_line[1] == ''):
            return '#'
        else:
            return "# {}".format(cf_line[1])
    elif (cf_line[0] == 'config'):
        # a disabled config
        if (cf_line[2] == 'n'):
            return "# {} is not set".format(cf_line[1])
        # a yes/module/int/hex int/string config line
        else:
            return "{}={}".format(cf_line[1], cf_line[2])


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=
        """ Linux kernel configuration files blending, using one base file
        and a probably smaller set of configurations which must take
        precedence over the base config. """)
    ap.add_argument('base_config', nargs='?', default='.config')
    ap.add_argument('precedence_config')
    app = ap.parse_args()

    print('# Blended linux kernel configuration using kconf-precedence.py')
    print("# Base configuration file :", app.base_config)
    print("# Precedence configuration file :", app.precedence_config)

    # parse precedence config
    precedences = {}
    with open(app.precedence_config) as fhp:
        for line in fhp.readlines():
            cf = cf_parse(line)
            if cf[0] == 'config':
                # first in precedence val is a ref counter
                precedences[cf[1]] = [0, cf[2]]

    # parse and modify base config
    # (only config lines are written out; base comments and blanks are dropped)
    with open(app.base_config) as fhb:
        for line in fhb.readlines():
            cf = cf_parse(line)
            if cf[0] == 'config':
                try:
                    # increment traversed counter in precedence
                    precedences[cf[1]][0] += 1
                    # output precedence to stdout
                    print(cf_write(('config', cf[1], precedences[cf[1]][1])))
                except KeyError:
                    print(cf_write(cf))

    # Output the precedences which are not in the base config set
    print("# Now for the config statements remaining after base config iteration...")
    # pprint(precedences)
    for k in precedences.keys():
        if precedences[k][0] == 0:  # not traversed before
            print(cf_write(('config', k, precedences[k][1])))

    print("# end of configuration")
--8<--

A very good security guide for Linux system administration:

https://vez.mrsk.me/linux-hardening.html
https://news.ycombinator.com/item?id=33373021

I am looking for a 13th-generation Intel laptop with wireless that can be disabled in hardware (hardware RF kill switch) and a HAP mode in the UEFI for the IME/CSME, not too expensive; your recommendations are welcome.
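
A follow-up check for the script in this message, as an added example that is not part of the original post: the kernel's own config tooling (for instance `make olddefconfig`) re-resolves dependencies, so a value merged into a .config can be changed or dropped before the build. The function names and the sample data are assumptions made for this illustration.

```python
import re

# Same two line shapes the script above handles: "CONFIG_X=value" and
# "# CONFIG_X is not set" (read as value 'n').
SET_RE = re.compile(r'^(CONFIG_[A-Za-z0-9_]+)=(.*)$')
UNSET_RE = re.compile(r'^# (CONFIG_[A-Za-z0-9_]+) is not set$')

def parse_kconfig(text):
    """Return {symbol: value} for .config-style text; unset symbols map to 'n'."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SET_RE.match(line)):
            values[m.group(1)] = m.group(2)
        elif (m := UNSET_RE.match(line)):
            values[m.group(1)] = 'n'
    return values

def check_required(required_text, final_text):
    """List (symbol, wanted, found) for each required setting the final config misses.

    A symbol absent from the final config counts as 'n': Kconfig does not write
    symbols whose dependencies are unmet, so a wanted 'y' that vanished is a
    failure, while a wanted 'n' that is absent is satisfied.
    """
    final = parse_kconfig(final_text)
    failures = []
    for symbol, wanted in parse_kconfig(required_text).items():
        found = final.get(symbol, 'n')
        if found != wanted:
            failures.append((symbol, wanted, found))
    return failures

# Constructed sample data (not copied from the KSPP page or a real build).
REQUIRED = """\
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_DEVMEM is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_KEXEC is not set
"""
FINAL = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_DEVMEM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
"""

if __name__ == "__main__":
    for symbol, wanted, found in check_required(REQUIRED, FINAL):
        print(f"{symbol}: wanted {wanted}, found {found}")
```
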