diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/README.en.md" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/README.en.md" new file mode 100644 index 0000000000000000000000000000000000000000..c4d7c4187dd8a1f71e4eef0ae625710c1222e1b2 --- /dev/null +++ "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/README.en.md" 
@@ -0,0 +1,57 @@ +## SIG Details +### SIG target + **System security sharing technology library** + +Through continuous improvement of Linux operating system product foundation and enhancement requirements related components, tools and processes, promote security cooperation within the community, promote security knowledge sharing and exchange, reduce security development and operation and maintenance costs. + + **Exploration of frontier technology of system security** + +Research on the security features and attack means of Linux operating system, propose corresponding solutions and preventive measures, and continue to explore the application of eBPF technology in the security field and the security of AI-enabled systems. + + **System security cooperation ecosystem** + +Establish a complete open source operating system security ecosystem, influence more security vendors, developers and users to participate in the security construction of the operating system, jointly create an operating system security environment, and build a Linux system security ecosystem. + +### SIG member +Member role +Xu Zheng (Inspur Information) owner +Xu Fei (Inspur Information) maintainer +Dry Yue (Alibaba Cloud) maintainer +Tianjia Zhang (Alibaba Cloud) maintainer +Zhen Peng (Inspur Information) maintainer +Cao Peiqing (Tongxin) maintainer +### Item list + **KSecure** + +KSecure is a lightweight security defense component for the operating system. Based on the open source cloud-native runtime security software KubeArmor, KSECURE uses eBPF technology to design and develop security functions that improve the detection and defense capabilities of the operating system. While enhancing the security and compliance of the operating system, KSECURE provides the following security features: Solve the stability and performance problems caused by the traditional kernel module approach. + + **KSMSuite** + +KSMSuite, National Secret suite. 
By adapting and developing national secret algorithms of some common and important encryption libraries/middleware under Linux system, it can meet the needs of upper-layer applications for national secret algorithms. The National Secret suite initially includes cryptography, gnutls, nettle and other components. + + **KSCLM** + +KSLCM, by configuring the user shell path item in the /etc/passwd file, guides the command execution entry of the user after logging in to the operating system to the server command line management program. This program will group different users, and set different instruction/parameter lists and execution policies (black list or white list) for different groups, so as to filter risk instructions in the case of normal business operations, to ensure the purpose of operating system security. This module meets security baseline requirements related to rights management and built-in operating system security (OS). + +### Work plan and deliverables +- Open source and optimization of system security software +- Carry out the system security application scheme and reference implementation +- Communication group +- Stud discussion group + +### SIG plans to deliver results +- New open source, optimized system security software distributions (code), components +- System security solution Reference +### Target group for SIG +- Linux security research, application developers +- AnolisOS derivative publisher +- AnolisOS user +### SIG group preparatory work +- SIG member introduction and ecological construction operation +- SIG page creation +- SIG releases and publicizes +### SIG daily operations plan +- Biweekly meeting +- Meeting minutes +- Results released official announcement +- SIG project monthly/quarterly report \ No newline at end of file 
diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/README.md" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/README.md" new file mode 100644 index 0000000000000000000000000000000000000000..b727173b7ecb3e232993fe87d04e06a0d9b80e3c --- /dev/null +++ "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/README.md" @@ -0,0 +1,80 @@ +## SIG详细介绍 + +### SIG目标 + + +**系统安全共享技术库** + +通过不断完善Linux操作系统产品基础和增强要求的相关组件、工具和流程,推动社区内的安全合作,促进安全知识的共享和交流,降低安全开发运维成本。 + +**系统安全前沿技术探索** + +针对Linux操作系统的安全特性和攻击手段进行研究,提出相应的解决方案和防范措施,持续探索eBPF技术在安全领域的应用、AI赋能系统安全等。 + +**系统安全协作生态圈** + +建立完善的开源操作系统安全生态,影响更多的安全厂商、开发者和用户参与到操作系统的安全建设中来,共同打造操作系统安全环境,构建Linux系统安全生态圈。 + + +### SIG成员 + +| 成员 | 角色 | +| ---------------- | -------------- | +| 徐峥(浪潮信息) | owner | +| 徐飞(浪潮信息) | maintainer | +| 乾越(阿里云) | maintainer | +| 张天佳(阿里云) | maintainer | +| 甄鹏(浪潮信息) | maintainer | +| 曹佩庆(统信) | maintainer | + +### 项目清单 +**KSecure** + +KSecure,安全组件是一款操作系统轻量化安全防御组件,采用eBPF技术路线,在开源云原生运行时安全软件KubeArmor基础上,设计和开发了安全功能,提升了操作系统检测和防御能力,在增强操作系统安全性和合规性的同时,解决传统内核模块方式带来的系统稳定性和性能问题。 + +---------- + +**KSMSuite** + +KSMSuite,国密套件。通过对Linux系统下一些常用、重要加密库/中间件的国密算法适配开发,满足上层应用对国密算法的需求。国密套件初步包含cryptography、gnutls、nettle等组件。 + +---------- + +**KSCLM** + +KSLCM,通过配置/etc/passwd文件中的用户shell路径项,将用户登录操作系统后指令执行入口引导至服务器命令行管理程序;本程序会将不同用户进行分组,并对不同的组设置不同的指令/参数名单及执行策略(黑名单或白名单),达到在允许正常业务操作的情况下过滤风险指令,达到保证操作系统安全的目的。本模块可满足权限管理、内置操作系统安全(OS)等相关安全基线要求。 + +### 工作计划及交付物 + + - 开展系统安全软件开源与优化 + - 开展系统安全应用方案与参考实现 + +### 交流群 + +钉钉讨论群 + +“龙蜥社区系统安全SIG交流群”钉钉群号: 74890001865 + +### SIG计划输出成果 + + - 新开源、优化的系统安全软件发行版(代码)、组件 + - 系统安全解决方案参考 + +### SIG面向的目标群体 + + - 广大Linux安全研究、应用开发者 + - 龙蜥OS衍生版发行商 + - 龙蜥OS用户 + +### SIG组筹备工作 + + - SIG member 引入和生态建设运营 + - SIG页面创建 + - SIG发布、宣传 + +### SIG日常运营计划 + + - 双周会 + - 会议纪要 + - 成果发布官宣 + - SIG项目月报/季报 \ No newline at end of file 
diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/assets/\347\263\273\347\273\237\345\256\211\345\205\250SIG\351\222\211\351\222\211\347\276\244.png" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/assets/\347\263\273\347\273\237\345\256\211\345\205\250SIG\351\222\211\351\222\211\347\276\244.png" new file mode 100644 index 0000000000000000000000000000000000000000..11738015dc33a84f7e5e6c4d236319c1b2fdd0e9 Binary files /dev/null and "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/assets/\347\263\273\347\273\237\345\256\211\345\205\250SIG\351\222\211\351\222\211\347\276\244.png" differ diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/KSecure\351\241\271\347\233\256/.keep" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/KSecure\351\241\271\347\233\256/.keep" new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/Meetup/.keep" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/Meetup/.keep" new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/SIG\344\276\213\344\274\232/.keep" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/SIG\344\276\213\344\274\232/.keep" new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/SIG\344\276\213\344\274\232/SIG\344\276\213\344\274\232(202xxx-xxx-5).md" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/SIG\344\276\213\344\274\232/SIG\344\276\213\344\274\232(202xxx-xxx-5).md" new file mode 100644 index 0000000000000000000000000000000000000000..7dbba648e4e2a18e209ad331e6c36253f753b682 
--- /dev/null +++ "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/SIG\344\276\213\344\274\232/SIG\344\276\213\344\274\232(202xxx-xxx-5).md" @@ -0,0 +1,11 @@ +## 会议主题 + + +## 会议时间 + + +## 参会人 + + + +## 会议记要 diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/\347\224\250\346\210\267\346\214\207\345\215\227/.keep" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/\347\224\250\346\210\267\346\214\207\345\215\227/.keep" new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/\347\224\250\346\210\267\346\214\207\345\215\227/\346\214\207\345\215\227.md" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/content/\347\224\250\346\210\267\346\214\207\345\215\227/\346\214\207\345\215\227.md" new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git "a/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/sig-info.yaml" "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/sig-info.yaml" new file mode 100644 index 0000000000000000000000000000000000000000..b841e78edf23af109620ef4d78e1490a2010eac7 --- /dev/null +++ "b/sig/\347\263\273\347\273\237\345\256\211\345\205\250SIG/sig-info.yaml" 
@@ -0,0 +1,49 @@ +name: 系统安全 +en_name: syssecurity +home_page: https://openanolis.cn/sig/syssecurity +description: 随着数字化时代的到来,云计算、大数据、人工智能等技术的广泛应用,操作系统承载越来越多的关键业务和数据,其安全性对于信息系统的运转和发展具有至关重要的作用。因此,加强操作系统安全防护、提高安全意识和防范能力是数字化时代的重要任务之一。系统安全SIG致力于系统安全领域的深入研究,并与广大开发者一起通过各类安全工具构建安全生态。我们致力于提高系统安全性,保护用户数据和应用程序免受攻击和威胁,并推动整个安全生态的发展。 +en_description: With the advent of the digital era, cloud computing, big data, artificial intelligence and other technologies are widely used, and the operating system carries more and more key businesses and data, and its security plays a crucial role in the operation and development of information systems. Therefore, it is one of the important tasks in the digital age to strengthen the security protection of the operating system and improve the security awareness and prevention ability. System Security SIG is committed to in-depth research in the field of system security, and together with the majority of developers through various security tools to build a security ecosystem. We are committed to improving system security, protecting user data and applications from attacks and threats, and advancing the entire security ecosystem. 
+mailing_list: +maintainers: +- openanolis_id: ieixuzheng + gitee_id: + +contributors: +- openanolis_id: fei_xu + gitee_id: april1016 +- openanolis_id: qianyue123 + gitee_id: qianyue123 +- openanolis_id: uudiin + gitee_id: tj +- openanolis_id: zhang_binbj + gitee_id: zhangbin_bj +- openanolis_id: weizhw + gitee_id: weizhw +- openanolis_id: liuqinggong + gitee_id: Empty8888 +- openanolis_id: caopeiqing@uniontech.com + gitee_id: uos_caopeiqing +- openanolis_id: qinzhiben@uniontech.com + gitee_id: qinzhiben +- openanolis_id: zengwei1@uniontech.com + gitee_id: zeng-wei2000 +- openanolis_id: yuxiaojun@uniontech.com + gitee_id: slark_yuxiaojun +- openanolis_id: wangjia@uniontech.com + gitee_id: neoMX +- openanolis_id: xiaobo@uniontech.com + gitee_id: bobbyxiao +- openanolis_id: xiongyi@uniontech.com + gitee_id: bear_xiong123 +- openanolis_id: kongxinglong@uniontech.com + gitee_id: alongnice +- openanolis_id: wanhui@uniontech.com + gitee_id: gogolovefish +- openanolis_id: mawei@uniontech.com + gitee_id: movie0125 +- openanolis_id: guocanfeng@uniontech.com + gitee_id: gcf2000 + +repositories: +- repo: + - anolis/ksecure
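Review bot: In README.en.md, under "Item list", the third project is headed `**KSCLM**` but its description begins `KSLCM`, and the KSecure paragraph alternates between `KSecure` and `KSECURE`; settle on one spelling per project so the names can be searched and matched against the repository list. The same file has translation slips worth fixing before merge: `Dry Yue (Alibaba Cloud)` does not match the `qianyue123` id in sig-info.yaml, `Stud discussion group` stands where README.md has the DingTalk group, and `National Secret suite` is not how 国密 is normally rendered in English. The sentence "KSECURE provides the following security features: Solve the stability and performance problems..." promises a list that never follows. The member list has also lost the table that README.md uses, and the DingTalk group number in README.md is missing here. The file ends without a trailing newline.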
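Review bot: In README.md, under 项目清单, the heading `**KSCLM**` and the first word of its description, `KSLCM`, disagree, so one of the two is a typo that the English README then copies. The KSCLM paragraph says each group gets a 黑名单或白名单 policy but does not say which is the default or what applies to a user who belongs to no group; since the component is described as meeting security baseline requirements, please document the default and recommend the allow-list mode for restricted accounts. This commit also adds `assets/系统安全SIG钉钉群.png`, yet the 交流群 section only prints the group number and never references the image; either link it or drop the binary. The file ends without a trailing newline.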
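Review bot: In the meeting template under content/SIG例会, the last heading reads `## 会议记要` while README.md lists the same item as 会议纪要; use 纪要 in the template so generated minutes match the README. The file name `SIG例会(202xxx-xxx-5).md` is a placeholder pattern with a literal `5` at the end; consider naming it as an explicit template (for example with a `template` suffix) so it is not mistaken for real minutes.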
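Review bot: In sig-info.yaml, `maintainers:` lists only `ieixuzheng` (with an empty `gitee_id:`), while both READMEs name one owner and five maintainers; the other five appear only under `contributors:`. If this file drives review or merge permissions, the people documented as maintainers will not have them, so either move them under `maintainers:` or correct the READMEs. `mailing_list:` is also empty, which leaves no listed contact channel; fill it in or remove the key. Several `openanolis_id` values are full e-mail addresses (for example `caopeiqing@uniontech.com`) while others are usernames; confirm the field expects an account id and that publishing the addresses is intended. `repositories:` lists only `anolis/ksecure` although the READMEs describe KSMSuite and KSCLM as SIG projects as well.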