https://me.harvester.fr/tags/systems-administration/Systems AdministrationHugoBlox Kit (https://hugoblox.com)en-usSat, 25 May 2024 00:00:00 +0000https://me.harvester.fr/media/icon_hu_59c72f5082cfcb9b.pnghttps://me.harvester.fr/tags/systems-administration/https://me.harvester.fr/project/chainguard-images/Sat, 25 May 2024 00:00:00 +0000https://me.harvester.fr/project/chainguard-images/<p><strong>chainguard-images</strong> is a curated collection of secure, minimal, and production-ready container images built on top of Chainguard&rsquo;s distroless base images (Wolfi/Apko). By stripping out unnecessary tools, shells, package managers, and libraries, these images achieve an extremely small footprint and approach a <strong>Zero-CVE</strong> status by design.</p> <p>This collection packages various applications and language runtimes, ensuring secure-by-default execution in modern container orchestration stacks.</p> <h3 id="security-benefits-of-distroless">Security Benefits of Distroless</h3> <ul> <li><strong>Minimizing Attack Surface:</strong> Removing standard shell binaries (<code>/bin/sh</code>, <code>/bin/bash</code>) and diagnostic tools prevents attackers from executing arbitrary commands upon compromise.</li> <li><strong>Vulnerability reduction:</strong> Eliminating unused packages results in container images that trigger fewer CVE alerts in security scanners.</li> <li><strong>Secure Ingestion:</strong> Optimized for high-assurance and air-gapped container registries that require signed, low-overhead artifacts.</li> <li><strong>Reproducible Builds:</strong> Compiled using secure and verifiable declarative build files.</li> </ul>https://me.harvester.fr/project/openstreetmap-tile-server/Thu, 23 May 2024 00:00:00 +0000https://me.harvester.fr/project/openstreetmap-tile-server/<p><strong>openstreetmap-tile-server</strong> is a deployment configuration and guide for hosting a local, offline OpenStreetMap (OSM) tile server. Designed specifically for high-security, air-gapped, or isolated network environments, it enables applications to render mapping data without requesting external web resources.</p> <p>This stack leverages Docker to simplify deployment, package ingestion, and render pipeline orchestration.</p> <h3 id="stack-components">Stack Components</h3> <ul> <li><strong>Database:</strong> PostgreSQL with PostGIS extensions to manage geographical data.</li> <li><strong>Ingestion:</strong> Osm2pgsql for importing and styling <code>.osm.pbf</code> map files.</li> <li><strong>Renderer:</strong> Mapnik and renderd for rendering vector map data into raster tiles.</li> <li><strong>Tile Server:</strong> Apache with mod_tile to serve pre-rendered or on-the-fly map tiles.</li> <li><strong>Front-End Integration:</strong> Simple Leaflet-based templates for verifying local tile rendering.</li> </ul> <h3 id="usage-outline">Usage Outline</h3> <p>Pre-render tiles or import specific geographical datasets (e.g., country extracts from Geofabrik) to serve them locally within your network. Useful for command-and-control centers, localized flight-tracking platforms, and telemetry dashboards operating in secure perimeters.</p>https://me.harvester.fr/project/exploit-protection-policy/Wed, 22 May 2024 00:00:00 +0000https://me.harvester.fr/project/exploit-protection-policy/<p><strong>Exploit-Protection-policy</strong> provides a production-hardened Exploit Protection (EP) policy tailored for Windows 10 and Windows 11 systems. It combines multiple industry-standard security baselines with advanced restrictions to maximize security without breaking compatibility with everyday applications.</p> <p>This policy has been tested in air-gapped systems to protect endpoints from advanced threat vectors while maintaining productivity.</p> <h3 id="merged-security-baselines">Merged Security Baselines</h3> <ul> <li><strong>DISA STIG</strong> Exploit Protection v3.</li> <li><strong>Microsoft Security Baseline</strong> Exploit Protection policy (specifically aligned for enterprise systems).</li> <li><strong>milgradesec&rsquo;s</strong> custom Exploit Protection rule configurations.</li> </ul> <h3 id="key-protections-enforced">Key Protections Enforced</h3> <ul> <li><strong>System-Wide Mitigations:</strong> Enforces fundamental protections such as Control Flow Guard (CFG), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Heap Protection by default.</li> <li><strong>Advanced Payload Controls:</strong> Restricts execution vectors using Export Address Filtering (EAF/EAF+), Import Address Filtering (IAF), and Return-Oriented Programming (ROP) mitigations.</li> <li><strong>Image &amp; Code Integrity Restrictions:</strong> Blocks loading of low-integrity or remote images, preventing malicious library injection.</li> <li><strong>Application-Specific Tuning:</strong> Includes pre-configured exceptions and application rules to balance high-security containment with software compatibility.</li> </ul>https://me.harvester.fr/project/security-admx/Sun, 19 May 2024 00:00:00 +0000https://me.harvester.fr/project/security-admx/<p><strong>Security-ADMX</strong> is a collection of custom Administrative Templates (<code>.admx</code> and <code>.adml</code>) specifically designed for hardening Windows 10 and Windows 11 workstations. It allows system administrators and security engineers to configure advanced security settings via local or domain Group Policy (GPO) that are otherwise difficult or tedious to manage.</p> <p>Developed out of the need to streamline security compliance across embedded and workstation deployments, this project packages several security controls into easily manageable policies.</p>