Project MySelf (a project by cschum): The goal of Project MySelf is to build a system to collect data about yourself in a safe and private way, so that you control your data and you can decide what happens with it.
updating rpms in docker containers (a project by jordimassaguerpla): The Docker way of updating containers is to build a new image with the updated binaries and files, which creates a security concern. The Docker way is no longer running "zypper update" in the containment but to update the whole image in the image registry (Docker Hub if we are talking about a public registry) and then pull the image update from there, stop the outdated containments and replace them by starting new containments based on the new image.
zypper-docker with multiple backends and an API (a project by mssola): During the last CSM workshop I started to refactor zypper-docker in a way that:
- The CLI code and the "library" part got split.
Diving into Qubes OS (a project by thardeck): What is Qubes OS? Qubes OS is an operating system based on Linux with security in mind.
Do something useful with the TPM (an idea by mwilck): Almost all our laptops, and many servers, feature a TPM today. The TPM doesn't have the best reputation in the community because it could be used to lock down platforms or do nasty things with DRM. Under normal conditions on PCs, the TPM is controlled by the system owner and could actually be useful for almost anything involving crypto. Unfortunately the integration of the TPM in the OS is essentially non-existent. The introduction of the TPM 2.0 standard complicates matters, because we now have two different devices with different APIs. The goal of this project would be to identify reasonable use cases for the TPM, evaluate existing projects, and create ways to integrate it into various workflows in openSUSE.
Analyze the security of Linux HTTPS connections and monitor the traffic of "smart" devices (an invention by thardeck): I have a Raspberry Pi with WLAN and an additional network module which can be run as a WIFI access point.
Securing a CMS by using a hidden CMS and exporting static html to a web server (a project by johannes_p): Small non-profit organisations or activist groups need a web presence that is easy to maintain by several authors. When using a CMS they do not have the resources to secure the CMS from the various possible attacks most CMSes are notorious for. Defacement or placing malicious content can damage the reputation of such non-profit organisations. The solution would be to combine an off-the-shelf CMS with a static web server that is hosted on a different IP address. The authors would access the CMS through a kind of remote access gateway (e.g. OpenVPN) where access can be well secured with certificates or even hardware tokens.
Generate CVRF (an invention by msmeissn): CVRF is a standard where security advisories are encoded in an XML format. We are currently not generating such a format, but it seems to be getting more attention.
Improve supply-chain security in the build service (an idea by kbabioch): In the past I've worked on a set of scripts to identify potential for improvement of the supply chain within our build service. For now RPM files can be scanned for unused signature files that are available upstream and look for potentially unused
Improving the Security of OpenPGP USB Token with a Secure Chip (a project by biergaizi): OpenPGP Card is an ISO/IEC 7816-4 compatible smartcard that is integrated with many OpenPGP functions, including signature, encryption, and authentication. It provides a trusted computing environment isolated from the host computer, to guard one's private keys from attacks and exposures. ZetiControl in Germany is the first manufacturer of OpenPGP Card based on the BasicCard platform. Since then, compatible USB tokens have also been manufactured, such as Yubikey and Nitrokey. Currently for compatible USB tokens, there are two approaches of OpenPGP Card implementation:
libpathrs (a project by cyphar): The plan is to implement a safe path resolution library for Linux to avoid the plentiful numbers of security vulnerabilities that have been seen in the wild related to path resolution race conditions and various other attacks. I've been working on kernel-space solutions but even if they were merged, it is difficult to use them safely directly. So this library intends to provide simple wrappers that everyone can use. https://github.com/openSUSE/libpathrs
Kanidm: A safe and modern IDM system (an invention by firstyear): This hackweek I'll be working on Kanidm, an IDM system written in Rust for modern systems authentication. The GitHub repo has a detailed "getting started" in the readme. Kanidm GitHub
Kanidm - A modern opensource IDM (a project by firstyear): Project Description: Kanidm is a modern, fast, opensource IDM aiming to be an alternative to projects like 389-ds, FreeIPA, Samba 4 and others. Inspired by many identity-as-a-service offerings, many features of this project aim to advance the state of what is possible with opensource security and IDM today.
Dawnscanner: revive the project and create an RPM package (a project by pperego): Project Description: Dawnscanner was a Ruby code security static analyzer I created in 2013 and led until a couple of years ago. Unfortunately in my last two jobs, my focus was less on Ruby code, so the project lost some traction.
Kanidm - Modern Opensource Identity Management (an invention by firstyear): Project Description: Kanidm is an identity management system (a store of accounts, groups and more) that supports authentication to openSUSE, web sites, networks, and more. The project has a focus on respect of humans, correctness, simplicity and performance. In previous hackweeks we have implemented cryptographic authentication (WebAuthn), a wasm-based web UI and more.
FIDO2 emulation (a project by mkoutny): Project Description: FIDO2 is a set of specifications for multi-factor authentication. It is based on asymmetric cryptography with secrets stored in a HW token. The token must support the protocol to be usable.
Learn more about Application Security (AppSec) Open Source Tools and Testing Techniques (an idea by heidi.bronson): Project Description: Application security (AppSec) is a threat that all organizations are facing. While we have QA engineers and security teams to help avoid these threats, true AppSec can only be obtained by giving developers the tools to find and fix vulnerabilities before their code is pushed into the deployment pipeline. As a software engineer, I want to make sure that my applications are secure. During this hackweek, I want to study the OWASP Top 10 vulnerabilities, related testing techniques, and open source tools that can be used to test our applications and keep them safe from malicious actors.
Project Verifree: internal key server(s) (a project by mcaj): Project description: The project Verifree is about a GPG key server. The goal is to build a key server where users are able to
Poking technologies for enrolling customer key to kernel trusted keyring (a project by joeyli): Project Description: The keys in db or mok can be used to verify the boot loader and kernel binary for booting. But the upstream kernel doesn't trust them for enrolling to the trusted keyring because they are enrolled outside the boundaries of the kernel. This means that IMA cannot use db/mok keys for verification.
Model checking the BPF verifier (a project by shunghsiyu): Project Description: The BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier have led to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).
rust security reviews and cargo-crev (a project by jzerebecki): Project Description: Look into things that make security/code reviews of Rust code easier and play with cargo-crev.
Explore Crev as collaborative code audit (a project by pperego): Project Description: Crev [1] is a collaborative code audit idea. Since it's common that several security engineers work on the same projects, or a different person may audit a piece of code after some time, there is the need to keep track of the code audit notes in a non-repudiable way.
Rancher Token Revoker (an invention by mbolot): Project Description: The token revoker aims to scan git repos for exposed Rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn/disable/delete the exposed token automatically.
Run sandboxed Firefox with image and sound inside a container (an invention by nguyens): Project Description: Running a web browser from your PC can cause all sorts of security or anonymity issues; e.g. content downloaded could be run automatically on your PC, resulting in disk encryption or other unpleasant events. It would be great if we could run most of this in a container so that we have as much of the web browser sandboxed as possible, and limit the PC's exposure to security events.
Sandboxed USB Inspection (an invention by nguyens): Project Description: USB devices can be dangerous to read directly from your PC. There are countless stories of PCs being infected (e.g. filesystem encrypted) because a USB device was read without first checking the USB content. But how do you check the device content without having a look at it first?!
Create tool for managing RPM package signing keys (an invention by dheidler): Project description: IIRC there was some article in tech news some years ago that criticized the way RPM keys are handled in the SUSE distribution.
Predefined app security policy template for NeuVector (an idea by feih): Project Description: The idea is to predefine a set of security policies for popular container applications, for example MySQL, Nginx, etc. With these predefined security policies, users can just download and unpack them to use. No need to worry too much about detailed security settings/configurations for this application container. The policies could be any policies that Kubernetes and/or NeuVector support.
Port NeuVector zero-trust security functions to host/VM (an idea by feih): Project Description: Today, NeuVector only supports container environments. It does a lot of security functions and many of those are technically not limited to protecting only containers. Sometimes we are seeing requests/asks about providing similar functions to protect servers & VMs. So, it is technically possible. Some of the zero-trust security protections are still pretty unique if we port them over to the host/VM side. Welcome if you are interested to help and give it a try!
Kanidm: A safe and modern IDM system (an idea by firstyear): Kanidm is an IDM system written in Rust for modern systems authentication. The GitHub repo has a detailed "getting started" in the readme. Kanidm GitHub