Marcus Meissner
msmeissn
- ibs-maintenance-team 2 tasks
- maintenance-opensuse.org 3 tasks
- proactive-security 0 tasks
- qam-openqa 7 tasks
- reactive-security 0 tasks
- security-team 30 tasks
Involved Projects and Packages
NOTE: Automatically created during Factory devel project migration by admin.
Cosign aims to make signatures invisible infrastructure.
Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in
NOTE: Automatically created during Factory devel project migration by admin.
NOTE: Automatically created during Factory devel project migration by admin.
FIPSCheck is a library for integrity verification of FIPS validated
modules. The package also provides helper binaries for creation and
verification of the HMAC-SHA256 checksum files.
The haveged daemon feeds the linux entropy pool with random
numbers generated from hidden processor state.
For more information see http://www.issihosts.com/haveged/
The hmaccalc package contains tools which can calculate HMAC (hash-based
message authentication code) values for files. The names and interfaces are
meant to mimic the sha*sum tools provided by the coreutils package.
Tools for EVM enrolling of the Integrity Measurement Architecture EVM Tools.
SINIT AC modules for trusted boot on Intel(R) Trusted Execution Technology(INTER(R) TXT) ssystems
NOTE: Automatically created during Factory devel project migration by admin.
libkcapi allows user-space to access the Linux kernel crypto API.
libkcapi uses this Netlink interface and exports easy to use APIs so that a developer does not need to consider the low-level Netlink interface handling.
The library does not implement any cipher algorithms. All consumer requests are sent to the kernel for processing. Results from the kernel crypto API are returned to the consumer via the library API.
The kernel interface and therefore this library can be used by unprivileged processes.
The focus during the development of this library is put on speed. This library does not perform any memcpy for processing the cryptographic data! The library uses scatter / gather lists to eliminate the need for moving data around in memory.
libkcapi allows user-space to access the Linux kernel crypto API.
libkcapi uses this Netlink interface and exports easy to use APIs so that a developer does not need to consider the low-level Netlink interface handling.
The library does not implement any cipher algorithms. All consumer requests are sent to the kernel for processing. Results from the kernel crypto API are returned to the consumer via the library API.
The kernel interface and therefore this library can be used by unprivileged processes.
The focus during the development of this library is put on speed. This library does not perform any memcpy for processing the cryptographic data! The library uses scatter / gather lists to eliminate the need for moving data around in memory.
A library providing TPM functionality for VMs. Targeted for integration
into Qemu.
Lynis is a security and system auditing tool. It scans a system on the most interesting parts useful for audits, like:
- Security enhancements
- Logging and auditing options
- Banner identification
- Software availability
Lynis is released as a GPL licensed project and free for everyone to use.
See http://www.rootkit.nl for a full description and documentation.
OpenSCAP is a set of open source libraries providing an easier path for integration of the SCAP line of standards.
SCAP is a line of standards managed by NIST with the goal of providing a standard language for the expression of Computer Network Defense related information.
More information about SCAP can be found at nvd.nist.gov.
openscap report generator
Control physical access to a linux computer by locking all of its virtual
terminals / consoles.
physlock is an alternative to vlock, it is equivalent to `vlock -an'. It is
written because vlock blocks some linux kernel mechanisms like hibernate and
suspend and can therefore only be used with some limitations. physlock is
designed to be more lightweight, it does not have a plugin interface and it is
not started using a shell script wrapper.
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website
The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.
Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.
Package built based on https://github.com/ComplianceAsCode/content
scrub overwrites hard disks, files, and other devices with repeating
patterns intended to make recovering data from these devices more
difficult. Although physical destruction is unarguably the most reliable
method of destroying sensitive data, it is inconvenient and costly. For
certain classes of data, organizations may be willing to do the next
best thing which is scribble on all the bytes until retrieval would
require heroic efforts in a lab.
scrub implements several different algorithms for this:
nnsa - U.S. NNSA Policy Letter NAP-14.1-C
dod - U.S. DoD 5220.22-M
usarmy - U.S. Army AR380-19
bsi - German Center of Security in Information Technologies
gutmann - 35-pass algorithm from Peter Gutmann's 1996 paper
schneier - algorithm described in Bruce Schneier's Applied Cryptography (1996)
pfitzner7 - Roy Pfitzner's 7-random-pass method
pfitzner33 - Roy Pfitzner's 33-random-pass method
The SWTPM package provides TPM emulators with different front-end interfaces
to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux
CUSE interface for the creation of multiple native /dev/vtpm* devices.
Those can be the targets of multiple QEMU cuse-tpm instances.
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured and verified launch of an OS kernel/VMM.
Tomoyo userland tools.