August 2018 - Arch-devops - lists.archlinux.org

[arch-devops] Shutting down dragon (backup server)
by Florian Pritz 31 Aug '18

31 Aug '18

Hi, I'll turn off dragon.archlinux.org in 2 weeks unless someone objects. It used to host our backups, but these have since moved to vostok.archlinux.org. Evangelos and me checked if there are any important files left on there, but we couldn't find any. If someone else wants to check, you'll have two weeks to speak up. Otherwise I'll null the disks and cancel the contract. Florian

1 1

[arch-devops] Github Domain Verification
by Giancarlo Razzolini 10 Aug '18

10 Aug '18

Hi All, I have added verification for our organization's domain on github [0]. This is an extra security feature that shows a "verified" badge [1] on our organization's profile. This is to help avoid impersonations to both our users and to our developers. Make sure you're always seeing the verified badge when using it. Regards, Giancarlo Razzolini [0] https://help.github.com/articles/verifying-your-organization-s-domain/ [1] https://paste.xinu.at/CgBNjk/

1 0

[arch-devops] Hetzner 2FA and CAA added to domains
by Giancarlo Razzolini 07 Aug '18

07 Aug '18

Hi All, I have enabled Certificate Authority Authorization (RFC 6844) on both our main domains, archlinux.org and pkgbuild.com. Since we only use letsencrypt to issue certificates, I have added a CAA record only allowing it to issue SSL certificates. We can easily change it if needed in the future. I have also enabled 2FA for hetzner. Since it allows more than one token, the idea is for each one of us in the devops team to have a separate token. I'm going to send you all an encrypted email with the recovery key. This key should only be used in the unlikely event that we have any of our 2FA compromised or we need to login to the account in and emergency. If we use this recovery key, a new one should be issued and emailed to all the members again. I have created a token for myself, and I'm going to add another "master" token that I'll add to the ansible vault. You guys can use this token to login and create another for yourself. Please add your ansible username to the description, like I have done for my token. Aaron, since you don't have root access to the ansible repository, I can either give you access or, if you don't want to handle ansible stuff, I can email separately to you both the recovery key and the "master" token seed so you can create your own. Cheers, Giancarlo Razzolini

1 0

[arch-devops] [RFC] Better security through Content Security Policy and other headers.
by Jelle van der Waa 04 Aug '18

04 Aug '18

Hi All, Below is a proposal to increase our websecurity for *.archlinux.org # Goal Better security through Content Security Policy and other headers. # How Either sending CSP headers via nginx or modifying the web application to send the correct headers. Configuring via nginx is probably the easiest way to distribute these changes. # Which sites bugs.archlinux.org bbs.archlinux.org wiki.archlinux.org git.archlinux.org pkgbuild.com pkgbuild.com/~* mailman.archlinux.org kanboard.archlinux.org planet.archlinux.org archlinux.org (django) aur.archlinux.org Excluded is security.archlinux.org, which already includes all of the below headers via flask-talisman. # Which headers ## X-XSS-Protection The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. This is mostly superseded by CSP, but still is not harmfull to add. add_header X-Xss-Protection "1; mode=block" always; ## X-Content-Type-Options The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. Check bugtracker/archweb if this breaks attachments or other files which are download. add_header X-Content-Type-Options "nosniff" always; ## X-Frame-Options The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. I don't believe we want to allow embedding our websites. add_header X-Frame-Options "SAMEORIGIN" always; ## Content-Security-Policy The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS). This might differ a bit per site, Archweb for example requires unsafe-inline / unsafe-eval for JavaScript and CSS. But all our loaded content should be from the same origin and restricted. An example policy would be: add_header Content-Security-Policy "default-src 'self'; style-src 'self'; font-src 'self'; form-action 'self';" # Challenges * inline JavaScript => archweb/aurweb => use a nonce or rewrite. * inline CSS => archweb/aurweb => use a nonce or rewrite. * unsafe-eval => this should never be allowed and should be fixed # Verifying The following website nicely shows the enabled security headers. https://securityheaders.com/ More information about these headers can be found here. https://scotthelme.co.uk/hardening-your-http-response-headers/ -- Jelle van der Waa

2 1