Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id DE142782C00 for ; Tue, 8 Jun 2021 08:45:52 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id 231AD5BDE0; Tue, 8 Jun 2021 10:45:52 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at disroot.org Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scDSd2oyrpwF; Tue, 8 Jun 2021 10:45:50 +0200 (CEST) Date: Tue, 8 Jun 2021 08:45:41 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1623141949; bh=KJsY8/dIoQOKTuKfUrRs0EWp7sgEkyG1MgtMi2geFr8=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=OAMbKL6ZAJaCDOgyXxFgWXgZoXguyZyPeXapMGKYgOoItkymjQwZMZZ5eqYuOAzi6 dDQ25NKupeTAy43tmcSnHDB4bUKfakjOGKk133+3/T4f2g9iU+7LpvwumHeeEhx1Ki EdKtgIGI5asWHWEkdrMdcZH9HKtwmyDrNFt3qiy1CjzY6DqoolqeaBslBsow75z5DH CRB+T7bo5Ajf69OR1kZLyCrIsG6IlmyuwuMkr4VIDWuQgI8txiplnFIV1H2iwGfZvv 8oqwe56ThUJh+uT/udwUNVymdRz3XoDEToiYCNAN89Zc7mc/+NX6DonbadLrSVFUdo RqBfm3jpmR1EQ== From: Daniel Gray To: "Minkovich, Michael" Cc: alpine-user@lists.alpinelinux.org Subject: Re: FW: Security Best Practices Message-ID: <20210608084504.tlyl5men4bvxqngu@disroot.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: Autocrypt: addr=dng@disroot.org; prefer-encrypt=mutual; keydata= mDMEXc5cehYJKwYBBAHaRw8BAQdAN11rjEF22MjXDIwS8UeVsJBC9XWjfRXF7DXrGi4voV60K0R hbmllbCBOYXRoYW4gR3JheSA8ZG5ncmF5QHByaXZhY3l0b29scy5pbz6IlgQTFgoAPgIbAwULCQ gHAwUVCgkICwUWAgMBAAIeAQIXgBYhBFiPbk6r6Me1UtAPpkGRH3IrD5rjBQJdzmIvBQkEAbSwA AoJEEGRH3IrD5rjhjoBAOnQwHCfhdwrxP9kiir3TBokNiRFs0pflqojB56722BOAP4xUiIKoy6Y BLtH7wry7miemDmaCn3H/9WpBcI3F0P1ArQkRGFuaWVsIE5hdGhhbiBHcmF5IDxkbmdAZGlzcm9 vdC5vcmc+iJkEExYKAEECGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFCQQBtLAWIQRYj25Oq+ jHtVLQD6ZBkR9yKw+a4wUCXc5izgIZAQAKCRBBkR9yKw+a47p8AQDjyKazzC5wPND0gwYShv6fK g8yiorn0KA1+306UCbpTwD/YjKJLq0UqCcRPrNHX5pXItEmrBpTdmCUg6CxB6snBQO4OARdzlx6 EgorBgEEAZdVAQUBAQdAKJZAe1cb9U+1Vf/6Ae1wCVUUd8OMSKGMEbmd8BqkZhwDAQgHiHgEGBY KACAWIQRYj25Oq+jHtVLQD6ZBkR9yKw+a4wUCXc5cegIbDAAKCRBBkR9yKw+a46/PAP9qqQv4Jm PiEqPn9sKxbxL54Y3IsqCs4aMOmZXzHmrnkAD7B6Awq/ddG6uw/imWjsNso21I7ju/PJpm7dsbU BHtyws= On 21/06/03 06:15PM, Minkovich, Michael wrote: >I was wondering if there is a document you can share pertaining to >Alpine Linux security best practices/configuration? These guides generally have problems with scope as one size does not fit all. Some of the advice mentioned in general places like the Arch Wiki[1][2] can also be applied to Alpine Linux or at least get you to think about what you might need for your threat model. [1] https://wiki.archlinux.org/title/security [2] https://wiki.archlinux.org/title/Sysctl Products like Docker, LXD, KVM, etc generally recommend the use of Mandatory Access Control[4][5][6] for example. [3] https://docs.docker.com/engine/security/ [4] https://lxd.readthedocs.io/en/latest/security/ [5] https://www.redhat.com/sysadmin/apparmor-selinux-isolation And of course Redhat[6] has some useful documents for a top-level view on the topic. [6] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/overview-of-security-hardening-security-hardening -- Daniel Gray (dng) 0x41911F722B0F9AE3 https://social.privacytools.io/@dngray