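<!DOCTYPE html><html lang="fr"><head><meta charset="utf-8"><title>et si on sécurisait nos PC ?</title>
<!-- The slide text is French, so the document language is declared as "fr" for screen readers and spell-checkers. -->
<meta content="yes" name="apple-mobile-web-app-capable"><meta content="black-translucent" name="apple-mobile-web-app-status-bar-style"><meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui" name="viewport"><link href="reveal.js/css/reveal.css" rel="stylesheet"><link rel="stylesheet" href="reveal.js/css/theme/solarized.css" id="theme"><style>/* Stylesheet for CodeRay to match GitHub theme | MIT License | http://foundation.zurb.com */
/*pre.CodeRay {background-color:#f7f7f8;}*/
.CodeRay .line-numbers{border-right:1px solid #d8d8d8;padding:0 0.5em 0 .25em}
.CodeRay span.line-numbers{display:inline-block;margin-right:.5em;color:rgba(0,0,0,.3)}
.CodeRay .line-numbers strong{color:rgba(0,0,0,.4)}
table.CodeRay{border-collapse:separate;border-spacing:0;margin-bottom:0;border:0;background:none}
table.CodeRay td{vertical-align: top;line-height:1.45}
table.CodeRay td.line-numbers{text-align:right}
table.CodeRay td.line-numbers>pre{padding:0;color:rgba(0,0,0,.3)}
table.CodeRay td.code{padding:0 0 0 .5em}
table.CodeRay td.code>pre{padding:0}
.CodeRay .debug{color:#fff !important;background:#000080 !important}
.CodeRay .annotation{color:#007}
.CodeRay .attribute-name{color:#000080}
.CodeRay .attribute-value{color:#700}
.CodeRay .binary{color:#509}
.CodeRay .comment{color:#998;font-style:italic}
.CodeRay .char{color:#04d}
.CodeRay .char .content{color:#04d}
.CodeRay .char .delimiter{color:#039}
.CodeRay .class{color:#458;font-weight:bold}
.CodeRay .complex{color:#a08}
.CodeRay .constant,.CodeRay .predefined-constant{color:#008080}
.CodeRay .color{color:#099}
.CodeRay .class-variable{color:#369}
.CodeRay .decorator{color:#b0b}
.CodeRay .definition{color:#099}
.CodeRay .delimiter{color:#000}
.CodeRay .doc{color:#970}
.CodeRay .doctype{color:#34b}
.CodeRay .doc-string{color:#d42}
.CodeRay .escape{color:#666}
.CodeRay .entity{color:#800}
.CodeRay .error{color:#808}
.CodeRay .exception{color:inherit}
.CodeRay .filename{color:#099}
.CodeRay .function{color:#900;font-weight:bold}
.CodeRay .global-variable{color:#008080}
.CodeRay .hex{color:#058}
.CodeRay .integer,.CodeRay .float{color:#099}
.CodeRay .include{color:#555}
.CodeRay .inline{color:#000}
.CodeRay .inline .inline{background:#ccc}
.CodeRay .inline .inline .inline{background:#bbb}
.CodeRay .inline .inline-delimiter{color:#d14}
.CodeRay .inline-delimiter{color:#d14}
.CodeRay .important{color:#555;font-weight:bold}
.CodeRay .interpreted{color:#b2b}
.CodeRay .instance-variable{color:#008080}
.CodeRay .label{color:#970}
.CodeRay .local-variable{color:#963}
.CodeRay .octal{color:#40e}
.CodeRay .predefined{color:#369}
.CodeRay .preprocessor{color:#579}
.CodeRay .pseudo-class{color:#555}
.CodeRay .directive{font-weight:bold}
.CodeRay .type{font-weight:bold}
.CodeRay .predefined-type{color:inherit}
.CodeRay .reserved,.CodeRay .keyword {color:#000;font-weight:bold}
.CodeRay .key{color:#808}
.CodeRay .key .delimiter{color:#606}
.CodeRay .key .char{color:#80f}
.CodeRay .value{color:#088}
.CodeRay .regexp .delimiter{color:#808}
.CodeRay .regexp .content{color:#808}
.CodeRay .regexp .modifier{color:#808}
.CodeRay .regexp .char{color:#d14}
.CodeRay .regexp .function{color:#404;font-weight:bold}
.CodeRay .string{color:#d20}
.CodeRay .string .string .string{background:#ffd0d0}
.CodeRay .string .content{color:#d14}
.CodeRay .string .char{color:#d14}
.CodeRay .string .delimiter{color:#d14}
.CodeRay .shell{color:#d14}
.CodeRay .shell .delimiter{color:#d14}
.CodeRay .symbol{color:#990073}
.CodeRay .symbol .content{color:#a60}
.CodeRay .symbol .delimiter{color:#630}
.CodeRay .tag{color:#008080}
.CodeRay .tag-special{color:#d70}
.CodeRay .variable{color:#036}
.CodeRay .insert{background:#afa}
.CodeRay .delete{background:#faa}
.CodeRay .change{color:#aaf;background:#007}
.CodeRay .head{color:#f8f;background:#505}
.CodeRay .insert .insert{color:#080}
.CodeRay .delete .delete{color:#800}
.CodeRay .change .change{color:#66f}
.CodeRay .head .head{color:#f4f}</style><link href="reveal.js/lib/css/zenburn.css" rel="stylesheet">
<!-- Print stylesheet selection: the query string is only tested against /print-pdf/ to pick between two fixed
     file names; no part of the URL is concatenated into the markup that document.write emits. -->
<script>document.write( '<link rel="stylesheet" href="reveal.js/css/print/' + ( window.location.search.match( /print-pdf/gi ) ? 'pdf' : 'paper' ) + '.css" type="text/css" media="print">' );</script></head><body><div class="reveal"><div class="slides"><section class="title"><h1>et si on sécurisait nos PC ?</h1><div class="preamble"><div class="paragraph"><p><span class="image"><img src="img/secure.gif" alt="pas très secure"></span></p></div>
<div class="paragraph"><p>(et Romain travaillerait sa concentration)</p></div></div></section>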
<section id="_pourquoi">
  <!-- Motivation slide: three reasons, revealed one fragment at a time. -->
  <h2>pourquoi ?</h2>
  <div class="ulist">
    <ul>
      <li class="fragment"><p>parce qu’on peut/doit</p></li>
      <li class="fragment"><p>parce que l’attaque se fera sur le maillon faible</p></li>
      <li class="fragment"><p>parce que la majeure partie du piratage vient de l’intérieur
        <span class="image"><img src="img/thief.gif" alt="thief"></span></p></li>
    </ul>
  </div>
</section>
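<section><section id="__quel_point"><h2>à quel point ?</h2><div class="paragraph"><p>La sécurisation d’un ordinateur nécessite l’évaluation de la menace et du risque, et l’établissement d’une solution mesurée.</p></div><div class="paragraph"><p><span class="image"><img src="img/trust.gif" alt="trust"></span></p></div></section>
<!-- Lost-laptop scenario. Each question maps to a control covered later in the deck: disk encryption,
     the SSH key passphrase, second-factor authentication on the VPN. Reviewer note: whatever the answers,
     the response to a lost machine includes revoking its SSH public keys and VPN credentials on the
     platforms it could reach. -->
<section id="_difficile_d_valuer_la_menace_et_le_risque"><h2>Difficile d’évaluer la menace et le risque</h2><div class="paragraph"><p>Un employé oublie son ordinateur portable dans le tram…​</p></div>
<div class="ulist"><ul><li class="fragment"><p>Son disque était-il chiffré ?</p></li><li class="fragment"><p>Si non, ses clefs SSH sont disponibles ?</p></li><li class="fragment"><p>Son script d’accès au VPN (sans double authentification) ?</p></li><li class="fragment"><p>À quelle plateforme a-t-il accès ?</p></li><li class="fragment"><p>Ne vient-il pas de donner un accès libre à toutes nos plateformes client et à notre SI ?</p></li></ul></div></section><section id="_alors_que_le_cot"><h2>Alors que le coût…​</h2><div class="paragraph"><p>Ce n’est pas si difficile que ça, une étape à la fois.</p></div>
<div class="paragraph"><p><span class="image"><img src="img/clap.gif" alt="clap"></span></p></div></section></section>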
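<section><section id="_comment"><h2>comment ?</h2></section><section id="_rendre_illisible"><h2>rendre illisible</h2><div class="ulist"><ul><li><p>chiffrer les données stockées</p></li><li><p>chiffrer les données transmises</p></li></ul></div></section><section id="_rduire_la_surface_d_attaque"><h2>réduire la surface d’attaque</h2><div class="paragraph"><p>Plus on laisse de portes ouvertes…​</p></div>
<div class="paragraph"><p><span class="image"><img src="img/open.gif" alt="open"></span></p></div></section>
<!-- Exposure check on two workstations. Both listings report TCP ports only, so UDP listeners are not
     covered by these results. Reviewer note: on the machine itself, `ss -tulpn` lists TCP and UDP
     listening sockets together with the owning process, which tells you what to stop or bind to
     localhost. The heading typo is fixed; the section id is left as generated so existing links keep working. -->
<section id="_n_exposer_que_le_ncssaire"><h2>n’exposer que le nécessaire</h2><div class="listingblock"><div class="content"><pre class="CodeRay"><code>nmap -p 1-65535 10.33.1.62
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-05 01:24 CET
Nmap scan report for 10.33.1.62
Host is up (0.000043s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds</code></pre></div></div></section><section id="_exhibitionniste"><h2>exhibitionniste</h2><div class="listingblock"><div class="content"><pre class="CodeRay"><code>nmap -p 1-65535 10.33.1.38
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-06 09:53 CET
Nmap scan report for 10.33.1.38
Host is up (0.00077s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
3000/tcp open ppp
4713/tcp open pulseaudio
6660/tcp open unknown
17500/tcp open db-lsp
35323/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds</code></pre></div></div></section></section>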
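<section><section id="_mot_de_passe_something_you_know"><h2>mot de passe (something you know)</h2><div class="paragraph"><p>La première chose que l’on rencontre quand on veut se connecter à un PC ou un site web</p></div><div class="paragraph"><p><span class="image"><img src="img/pass.gif" alt="pass"></span></p></div></section><section id="_choix"><h2>choix</h2><div class="paragraph"><p><span class="image"><a class="image" href="https://xkcd.com/936/"><img src="img/xkcd.png" alt="password strength"></a></span></p></div></section><section id="_stockage_des_mots_de_passe"><h2>stockage des mots de passe</h2><div class="paragraph"><p>On écarte la solution du post-it sur le côté de l’écran.
<span class="image"><img src="img/postit.jpg" alt="password post-it"></span></p></div>
<!-- Password-manager links. The KeePass entry now uses https like the others: the audience is sent there
     to download the program that will hold every other secret, so the download page should not be
     fetched over plain http. -->
<div class="ulist"><ul><li class="fragment"><p><a href="https://keepass.info/" class="bare">https://keepass.info/</a></p></li><li class="fragment"><p><a href="https://www.lastpass.com/fr" class="bare">https://www.lastpass.com/fr</a></p></li><li class="fragment"><p><a href="https://lesspass.com/" class="bare">https://lesspass.com/</a></p></li><li class="fragment"><p><a href="https://www.passwordstore.org/" class="bare">https://www.passwordstore.org/</a></p></li><li class="fragment"><p><a href="https://products.office.com/fr-fr/excel" class="bare">https://products.office.com/fr-fr/excel</a></p></li></ul></div></section><section id="_une_clef_par_porte"><h2>Une clef par porte</h2><div class="paragraph"><p>Un mot de passe qui n’accède qu’à une chose, c’est moins dangereux quand c’est compromis.</p></div>
<div class="paragraph"><p><span class="image"><img src="img/ouch.gif" alt="ouch"></span></p></div></section><section id="_sauvegarde"><h2>sauvegarde</h2><div class="paragraph"><p>Pour les solutions locales, il FAUT sauvegarder</p></div>
<div class="paragraph"><p>D’une manière générale, il faut sauvegarder</p></div>
<div class="paragraph"><p>(et sécuriser les sauvegardes)</p></div></section></section>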
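<section><section id="_stockage"><h2>stockage</h2></section>
<!-- "Usual" multi-partition layout, shown as the contrast to the single encrypted volume that follows. -->
<section id="_prparation_habituelle_d_un_disque"><h2>préparation habituelle d’un disque</h2><div class="listingblock"><div class="content"><pre class="CodeRay"><code>parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100M
parted -s /dev/sda mkpart extended 101M 100%
parted -s /dev/sda mkpart logical 0 100M
parted -s /dev/sda mkpart logical 101 2048M
parted -s /dev/sda mkpart logical 2049 4196M
...
mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/sda2
mkfs.ext4 /dev/sda3
mkfs.ext4 /dev/sda4
mount /dev/sda3 /
mount /dev/sda1 /boot
mount /dev/sda2 /tmp
mount /dev/sda4 /var
...</code></pre></div></div></section><section id="_one_file_system_to_store_them_all"><h2>one file system to store them all</h2><div class="paragraph"><p>Un PC n’est pas un serveur.</p></div>
<div class="paragraph"><p><span class="image"><img src="img/heavy.gif" alt="heavy"></span></p></div></section>
<!-- One partition, LUKS-formatted, with the filesystem on the mapped device. No cipher is named, so
     cryptsetup's default applies; with an XTS-mode default, -s 512 is split into two 256-bit keys.
     /boot lives inside the encrypted volume, which is why the grub slide enables GRUB_ENABLE_CRYPTODISK. -->
<section id="_luks"><h2>luks</h2><div class="listingblock"><div class="content"><pre class="CodeRay"><code>parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100%
cryptsetup -s 512 -h sha512 luksFormat /dev/sda1
cryptsetup open /dev/sda1 hdd
mkfs.ext4 /dev/mapper/hdd
mount /dev/mapper/hdd /mnt</code></pre></div></div></section>
<!-- Swap as a file inside the encrypted filesystem, so swapped-out pages and the hibernation image are
     encrypted with everything else. Fix: the fstab line was missing the filesystem-type field ("swap");
     without it "defaults" is read as the type and the swapfile is not activated at boot. -->
<section id="_swap"><h2>swap</h2><div class="paragraph"><p>Swapfile.</p></div>
<div class="listingblock"><div class="content"><pre class="CodeRay"><code>fallocate -l 8G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo -e "/swapfile\tnone\tswap\tdefaults\t0 0" >> /etc/fstab</code></pre></div></div></section>
<!-- Wiping a previously used disk. This targets the whole device, so it has to run before the
     partitioning and luksFormat steps of the luks slide. Reviewer note: zero-filling removes the old
     plaintext, but afterwards the regions the encrypted volume has written stand out from the
     untouched zeros; filling with random data instead hides how much of the disk is in use. -->
<section id="_dd_avant_luks"><h2>dd avant luks</h2><div class="paragraph"><p>Avant de chiffrer un disque pas neuf, il faut l’écraser :</p></div>
<div class="literalblock"><div class="content"><pre>dd if=/dev/zero of=/dev/sda bs=10M</pre></div></div></section>
<!-- Key slots. Fix: a LUKS1 header has 8 key slots, numbered 0 to 7 (LUKS2 allows more); the slide said 7.
     NOTE(review): "key file on the LUKS partition" presumably refers to a key file stored inside the
     encrypted volume so the passphrase typed at GRUB is not asked a second time; the slide does not show
     that setup. If so, the key file and any initramfs image embedding it must be readable by root only. -->
<section id="_fichier_clef"><h2>fichier clef</h2><div class="ulist"><ul><li><p>8 slots (0 à 7) par luks</p></li><li><p>peuvent être une passphrase, mais aussi un fichier</p></li><li><p>fichier clef sur clef usb ? non.</p></li><li><p>fichier clef sur la partition luks ? oui.</p></li></ul></div></section>
<!-- GRUB settings for an encrypted /boot plus resume from the swapfile. The UUID is a placeholder.
     resume_offset is looked up with filefrag: presumably the physical offset of the swapfile's first
     extent, so 102400 is specific to the machine it was read on. -->
<section id="_grub"><h2>grub</h2><div class="paragraph"><p>Deux lignes ajoutées :</p></div>
<div class="listingblock"><div class="content"><pre class="CodeRay"><code>GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/12345678-90ab-cdef-1234-567890abcdef:hdd resume=/dev/mapper/hdd resume_offset=102400"</code></pre></div></div>
<div class="paragraph"><p>102400 ?</p></div>
<div class="listingblock"><div class="content"><pre class="CodeRay"><code>filefrag -v /swapfile</code></pre></div></div></section><section id="_permissions_umask_ou_les_limites_du_least_privilege"><h2>permissions, umask ou les limites du least privilege</h2><div class="listingblock"><div class="content"><pre class="CodeRay"><code>umask 077</code></pre></div></div>
<div class="paragraph"><p>mauvaise idée.</p></div>
<div class="paragraph"><p><span class="image"><img src="img/badperm.gif" alt="bad idea"></span></p></div></section></section>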
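<section><section id="_environnement_graphique"><h2>environnement graphique</h2></section><section id="_un_bon_pc_est_un_pc_lock"><h2>Un bon PC est un PC locké.</h2><div class="ulist"><ul><li><p>xscreensaver</p></li><li><p>xautolock</p></li></ul></div></section>
<!-- Power states. Spelling fixed ("éteint", "éteindre"); the section id is left as generated.
     Why hibernate or power off rather than suspend: a suspended machine keeps RAM powered, so the
     unlocked disk-encryption key stays in memory, whereas hibernation writes the image to the encrypted
     swapfile and the passphrase is needed again at boot. -->
<section id="_un_bon_pc_est_un_pc_teind"><h2>Un bon PC est un PC éteint.</h2><div class="paragraph"><p>hiberner, éteindre, ne pas suspendre</p></div>
<div class="paragraph"><p><span class="image"><img src="img/sleep.gif" alt="sleep"></span></p></div></section><section id="_ne_traitez_pas_votre_linux_comme_un_windows"><h2>ne traitez pas votre Linux comme un Windows</h2><div class="ulist"><ul><li><p>Limitez le nombre de paquets installés</p></li><li><p>Connaissez-les</p></li></ul></div>
<div class="videoblock stretch"><video src="img/toomuch.mp4" width="100%" height="100%" data-autoplay controls loop>Your browser does not support the video tag.</video></div></section></section>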
<section><section id="_rseau"><h2>réseau</h2></section><section id="_ipv6_or_not_ipv6"><h2>IPv6 or not IPv6 ?</h2><div class="paragraph"><p>not.</p></div><!-- IPv6 is switched off in two places further down: disable_ipv6=1 in the kernel settings and "AddressFamily inet" for sshd. Reviewer note: the firewall excerpt only shows IPv4-style rules, so a machine that keeps IPv6 enabled needs an equivalent IPv6 ruleset. -->
<div class="videoblock stretch"><video src="img/shut.mp4" width="100%" height="100%" data-autoplay controls loop>Your browser does not support the video tag.</video></div></section><section id="_ssh"><h2>ssh</h2><div class="ulist"><ul><li><p>Pas de connexion en root ? Non</p></li><li><p>Pas de connexion par mot de passe ? Si</p></li><li><p>Pas de connexion du tout ? Si</p></li></ul></div><!-- NOTE(review): the listing below only sets AddressFamily and PermitRootLogin. Password logins are governed by the PasswordAuthentication directive, which is not shown here, so the excerpt alone does not establish whether password authentication is on or off. -->
<div class="listingblock"><div class="content"><pre class="CodeRay"><code>AddressFamily inet
PermitRootLogin no</code></pre></div></div></section><section id="_pam_ssh"><h2>pam_ssh</h2><div class="paragraph"><p>Ou comment avoir une passphrase sans la taper</p></div>
<div class="paragraph"><p>Configuration dans /etc/pam.d/login :</p></div><!-- pam_ssh is declared "optional" for both auth and session, so its result does not decide whether the login succeeds. try_first_pass makes it try the password already typed at login as the key passphrase; presumably the "no typing" effect therefore relies on the SSH key passphrase being the same as the login password, which makes the key exactly as strong as that password. Confirm against the pam_ssh man page of the installed version. -->
<div class="listingblock"><div class="content"><pre class="CodeRay"><code>auth optional pam_ssh.so try_first_pass
session optional pam_ssh.so</code></pre></div></div></section><section id="_configuration_noyau"><h2>configuration noyau</h2><!-- Kernel network settings. NOTE(review): net.ipv4.conf.all.forwarding=1 and net.ipv4.ip_forward=1 turn the workstation into an IPv4 router, which widens what it does on the network rather than narrowing it; this is only needed when the machine routes for something (virtual machines or containers, for example; the slide does not say). Otherwise 0 is the hardened value. The remaining lines log martian packets, enable SYN cookies and reverse-path filtering, ignore broadcast pings and bogus ICMP errors, and stop the host from sending ICMP redirects. --><div class="listingblock"><div class="content"><pre class="CodeRay"><code>net.ipv6.conf.all.disable_ipv6=1
net.ipv4.conf.all.forwarding=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_timestamps=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.send_redirects=0</code></pre></div></div></section><section id="_firewall"><h2>firewall</h2><div class="paragraph"><p>(extrait)</p></div><!-- Excerpt of the port-scan throttling rules built on the "recent" match. The two INPUT rules at the bottom record the source address in the TCP-PORTSCAN or UDP-PORTSCAN list and reject the packet; the two rules inserted at the top of the TCP and UDP chains reject anything from a source seen on that list within the last 60 seconds. Presumably the accept rules for wanted traffic sit between them in the complete file linked below. NOTE(review): "-A INPUT -p icmp -j DROP" discards every ICMP type that reaches it, including the errors used for path-MTU discovery, unless an earlier rule not shown in this excerpt accepts related traffic. -->
<div class="listingblock"><div class="content"><pre class="CodeRay"><code>-I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
-I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
-A INPUT -p icmp -j DROP
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst</code></pre></div></div>
<div class="paragraph"><p>(complet)</p></div>
<div class="paragraph"><p><a href="https://github.com/n0vember-/ansible-role-network/blob/master/files/etc/iptables/iptables.rules" class="bare">https://github.com/n0vember-/ansible-role-network/blob/master/files/etc/iptables/iptables.rules</a></p></div></section><section id="_dns"><h2>DNS</h2><div class="paragraph"><p><a href="https://freedns.zone/en/" class="bare">https://freedns.zone/en/</a></p></div></section></section>
<section>
  <section id="_autre_chose">
    <h2>autre chose ?</h2>
  </section>
  <section id="_modules">
    <!-- Kernel-module slide: keeps the FireWire core driver from being auto-loaded. FireWire is a
         DMA-capable external bus. NOTE(review): a modprobe "blacklist" entry only suppresses automatic
         loading by alias; the module can still be loaded by name or pulled in as a dependency. -->
    <h2>modules</h2>
    <div class="listingblock"><div class="content"><pre class="CodeRay"><code>blacklist firewire_core</code></pre></div></div>
    <div class="paragraph"><p>Désactiver l’USB ?</p></div>
  </section>
</section>
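<!-- Firmware settings: without them, booting another system from USB bypasses the installed OS
     (the encrypted disk still protects the data at rest). Accent fixed in "Désactivation". -->
<section id="_et_le_bios"><h2>et le bios ?</h2><div class="ulist"><ul><li><p>Mot de passe</p></li><li><p>Désactivation du boot sur USB</p></li><li><p>Mot de passe pour changer l’ordre de boot</p></li></ul></div></section>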
<section>
  <section id="_et_le_boot_loader">
    <h2>et le boot loader ?</h2>
    <div class="paragraph"><p>Vous avez un TPM, utilisez Trusted Grub.</p></div>
  </section>
  <section id="_sans_trusted_grub">
    <!-- PCR dump taken without TrustedGRUB: PCR-00 to PCR-07 hold values, PCR-08 to PCR-16 read as
         all zeros, i.e. the registers the next slide assigns to the boot loader are empty. -->
    <h2>sans trusted grub</h2>
    <div class="listingblock"><div class="content"><pre class="CodeRay"><code> # cat /sys/devices/pnp0/00:09/pcrs
PCR-00: A8 5A 84 B7 38 FC C0 CF 3A 44 7A 5A A7 03 83 0B BE E7 BD D9
PCR-01: 11 40 C1 7D 0D 25 51 9E 28 53 A5 22 B7 1F 12 24 47 91 15 CB
PCR-02: A3 82 9A 64 61 85 2C C1 43 ED 75 83 48 35 90 4F 07 A9 D5 2C
PCR-03: B2 A8 3B 0E BF 2F 83 78 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-04: 78 93 CF 58 0E E1 A3 8F DA 6F E0 3B C9 53 76 28 12 93 EF 82
PCR-05: 72 A7 A9 6C 96 39 38 52 D5 9B D9 12 39 75 86 44 3E 20 10 2F
PCR-06: 92 20 EB AC 21 CE BA 8A C0 AB 92 0E D0 27 E4 F8 91 C9 03 EE
PCR-07: B2 A8 3B 04 BF 2F 83 74 29 9A 5B 4B DF C3 1E A9 55 AD 72 36
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</code></pre></div></div>
  </section>
  <section id="_avec_trusted_grub">
    <!-- What each register records once TrustedGRUB2 takes part in the measured boot. -->
    <h2>avec trusted grub</h2>
    <div class="ulist">
      <ul>
        <li><p>PCR 0-7 Measured by BIOS</p></li>
        <li><p>PCR 8 First sector of TrustedGRUB2 kernel (diskboot.img)</p></li>
        <li><p>PCR 9 TrustedGRUB2 kernel (core.img)</p></li>
        <li><p>PCR 10 Loader measurements - currently linux-kernel, initrd, ntldr, chainloader, multiboot, module</p></li>
        <li><p>PCR 11 Contains all commandline arguments from scripts (e.g. grub.cfg) and those entered in the shell</p></li>
        <li><p>PCR 12 LUKS-header</p></li>
        <li><p>PCR 13 Parts of GRUB2 that are loaded from disk like GRUB2-modules</p></li>
      </ul>
    </div>
    <div class="paragraph"><p>(PCR = Platform Configuration Registers)</p></div>
  </section>
</section>
<section id="_automatisation">
  <!-- Automation slide: the hardening is applied by tooling so it is repeatable and under control. -->
  <h2>automatisation</h2>
  <div class="ulist">
    <ul>
      <li><p>Reproductible</p></li>
      <li><p>Maitrisé</p></li>
    </ul>
  </div>
  <div class="paragraph"><p><span class="image"><img src="img/maitrise.gif" alt="maitrise"></span></p></div>
</section>
<section id="_sauvegarde_2">
  <!-- Backup slide: copies of the data get the same encryption at rest as the workstation itself. -->
  <h2>sauvegarde</h2>
  <div class="ulist">
    <ul>
      <li><p>sur un disque chiffré bien sûr</p></li>
      <li><p>ou dans un fichier chiffré</p></li>
    </ul>
  </div>
</section>
<section id="_rolling_release_on_the_river">
  <!-- Rolling-release slide: a quotation followed by an illustration. -->
  <h2>rolling (release) on the river</h2>
  <div class="paragraph"><p>"Je me maintiens au dernier niveau de bug connu."
    ©2003 Frank D.</p></div>
  <div class="paragraph"><p><span class="image"><img src="img/bug.gif" alt="bug"></span></p></div>
</section>
<section id="_antivirus_hahaha">
  <!-- Title-only slide; it carries no body content. -->
  <h2>antivirus (hahaha)</h2>
</section>
<section>
  <section id="_audit">
    <h2>audit</h2>
    <div class="ulist">
      <ul>
        <li><p>axes de sécurisation</p></li>
        <li><p>patches de sécurité</p></li>
      </ul>
    </div>
    <div class="paragraph"><p><span class="image"><img src="img/patch.gif" alt="patch"></span></p></div>
  </section>
  <section id="_lynis">
    <h2>lynis</h2>
    <div class="paragraph"><p><span class="image"><img src="img/lynis.png" alt="lynis"></span></p></div>
  </section>
  <section id="_arch_audit">
    <!-- Sample arch-audit run: one line per installed package with known CVEs, ending either in a
         risk rating or, where a fixed build exists, in the version to update to. -->
    <h2>arch-audit</h2>
    <div class="listingblock"><div class="content"><pre class="CodeRay"><code>$ arch-audit
Package bzip2 is affected by ["CVE-2016-3189"]. Medium risk!
Package curl is affected by ["CVE-2016-9594", "CVE-2016-9586"]. Update to 7.52.1-1!
Package gst-plugins-bad is affected by ["CVE-2016-9447", "CVE-2016-9446", "CVE-2016-9445"]. High risk!
Package jasper is affected by ["CVE-2016-8886"]. Medium risk!
Package libimobiledevice is affected by ["CVE-2016-5104"]. Low risk!
Package libtiff is affected by ["CVE-2015-7554"]. Critical risk!
Package libusbmuxd is affected by ["CVE-2016-5104"]. Low risk!
Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. High risk!
Package openssl is affected by ["CVE-2016-7055"]. Low risk!</code></pre></div></div>
  </section>
</section>
<section id="_et_donc">
  <h2>et donc ?</h2>
  <div class="paragraph"><p>Pas de solution sans prise de conscience</p></div>
</section>
</div>
</div>
<script src="reveal.js/lib/js/head.min.js"></script>
<script src="reveal.js/js/reveal.js"></script>
<script>
  // Deck start-up. Option reference: https://github.com/hakimel/reveal.js#configuration
  Reveal.initialize({
    // Navigation arrows in the bottom right corner
    controls: true,
    // Progress bar for the presentation
    progress: true,
    // No page number on the current slide
    slideNumber: false,
    // Slide changes are not pushed to the browser history
    history: false,
    // Keyboard shortcuts for navigation
    keyboard: true,
    // Slide overview mode
    overview: true,
    // Slides are centred vertically
    center: true,
    // Touch navigation on devices with touch input
    touch: true,
    // The presentation does not loop
    loop: false,
    // Left-to-right presentation direction
    rtl: false,
    // Fragments are enabled globally
    fragments: true,
    // Not embedded, i.e. not confined to a limited portion of the screen
    embedded: false,
    // Milliseconds before automatically moving to the next slide; 0 disables it.
    // A data-autoslide attribute on a slide can override this value.
    autoSlide: 0,
    // User input stops auto-sliding
    autoSlideStoppable: true,
    // No slide navigation via the mouse wheel
    mouseWheel: false,
    // Hide the address bar on mobile devices
    hideAddressBar: true,
    // Links are not opened in an iframe preview overlay
    previewLinks: false,
    // Theme (e.g., beige, black, league, night, serif, simple, sky, solarized, white)
    // NOTE setting the theme in the config no longer works in reveal.js 3.x
    //theme: Reveal.getQueryHash().theme || 'solarized',
    // Transition style (e.g., none, fade, slide, convex, concave, zoom); the URL query may override it
    transition: Reveal.getQueryHash().transition || 'slide',
    // Transition speed (e.g., default, fast, slow)
    transitionSpeed: 'default',
    // Transition style for full page slide backgrounds (e.g., none, fade, slide, convex, concave, zoom)
    backgroundTransition: 'fade',
    // How many slides away from the current one remain visible
    viewDistance: 3,
    // Parallax background image (e.g., "'https://s3.amazonaws.com/hakim-static/reveal-js/reveal-parallax-1.jpg'")
    parallaxBackgroundImage: '',
    // Parallax background size in CSS syntax (e.g., "2100px 900px")
    parallaxBackgroundSize: '',
    // Nominal size of the presentation; the aspect ratio is preserved when the deck is
    // scaled to other resolutions. Percentage units are also accepted.
    width: 960,
    height: 700,
    // Fraction of the display left empty around the content
    margin: 0.1,
    // Smallest and largest scale that may be applied to the content
    minScale: 0.2,
    maxScale: 1.5,
    // Optional libraries, each loaded only when its condition holds
    dependencies: [
      {
        src: 'reveal.js/lib/js/classList.js',
        condition: function() { return !document.body.classList; }
      },
      {
        src: 'reveal.js/plugin/markdown/marked.js',
        condition: function() { return !!document.querySelector( '[data-markdown]' ); }
      },
      {
        src: 'reveal.js/plugin/markdown/markdown.js',
        condition: function() { return !!document.querySelector( '[data-markdown]' ); }
      },
      {
        src: 'reveal.js/plugin/zoom-js/zoom.js',
        async: true,
        condition: function() { return !!document.body.classList; }
      },
      {
        src: 'reveal.js/plugin/notes/notes.js',
        async: true,
        condition: function() { return !!document.body.classList; }
      }
    ]
  });
</script>
</body>
</html>