Severity analysis of vulnerabilities by experts from the information security industry is rarely based on real code review. In the ‘Badlock’ case, most read our CVE descriptions and built up a score representing a risk this CVE poses to a user. There is nothing wrong with this approach if it is done correctly. CVEs are analyzed in isolation; as if no other issue exists. In the case of a ‘Badlock‘ there were eight CVEs. The difference is the fact that one of them was in a foundational component used by most of the code affected by the remaining seven CVEs. That very specific CVE was
Continue reading “How Badlock Was Discovered and Fixed”
Hello again! I have not had time to blog in awhile. What happened? I picked up some additional responsibilities and these consumed a lot of my time. But now… I am back and will be blogging once again.
Time goes on and there are (many) new topics that are worth sharing with you. The first subject that I want to cover is the new Identity Management (IdM) features in Red Hat Enterprise Linux 7.2. While the release happened nearly three months ago – it’s still worth me providing an overview of new features and functionality. Another subject that people often ask about nowadays is the conversion from 3rd party vendor solutions to the IdM offering from Red Hat. We see a lot of interest in this area and I want to share some hints for when it is a good idea to use what we offer and when it might not be. Finally, there are also some emerging technologies
Continue reading “Back to Blogging: New Identity Management Features in RHEL 7.2”
Six years ago, we worked closely with Microsoft to deliver on a significant and widespread customer request: the ability for our respective operating systems to function as guests on each other’s hypervisor. This was then codified by the certification of Hyper-V as a supported hypervisor for use with Red Hat Enterprise Linux and the certification of Red Hat products as supported hypervisors for use with Windows which both companies have maintained for the past six years.
More than half a decade later, customers are now asking Red Hat and Microsoft to have Red Hat Enterprise Linux as a supported guest in the Azure Cloud. We both heard you! Thanks to a deep commitment by both companies, this day has arrived and, together, we are responding to another important customer ask with full support.
As the game show host says, “But wait! there’s more!” In March 2014, we announced that we were bringing Microsoft .NET capabilities to OpenShift Origin. We now expect that Microsoft .NET capabilities will grow past OpenShift Origin to include
Continue reading “Red Hat Enterprise Linux on Azure? .NET as an RPM and Container from Red Hat? Sweet!”
In my last post I reviewed some of my observations from the RSA Security Conference. As mentioned, I enjoyed the opportunity to speak with conference attendees about Red Hat’s Identity Management (IdM) offerings. That said, I was quick to note that whether I’m out-and-about staffing an event or “back home” answering e-mails – one of the most frequently asked questions I receive goes something like this: “…I’m roughly familiar with both direct and indirect integration options… and I’ve read some of the respective ‘pros’ and ‘cons’… but I’m still not sure which approach to use… what should I do?” If you’ve ever asked a similar question – I have some good news – today’s post will help you to determine which option aligns best with your current (and future) needs.
Continue reading “Direct, or Indirect, that is the Question…”
As many specialists in the security world know – the RSA Security Conference is one of the biggest security conferences in North America. This year it was once again held in San Francisco at the Moscone Center. Every year the conference gets bigger and bigger, bringing in more and more people and companies from all over the world.
If you attended – you may have noticed that Red Hat had a booth this year. Located in the corner of the main expo floor (not far from some of the “big guys” like: IBM, Microsoft, EMC, CA Technologies, and Oracle) we were in a great location – receiving no shortage of traffic. In fact, despite staffing the booth with six Red Hatters we didn’t have any “down time” – everyone seemed to be interested in what Red Hat has to offer in security.
Over the course of the conference I made a few interesting observations…
Continue reading “RSA Security Conference 2015 in Review: Three Observations”
Over the last 18 months, especially since the general availability of Red Hat Enterprise Linux 7, “containers” have emerged as a hot topic. With the more recent introduction of Red Hat Enterprise Linux Atomic Host, an operating system optimized for running the next generation of applications with Linux containers, one might wonder… what about virtualization? In that the benefits of containerization seem to overlap those of traditional virtualization, how do organizations know when to pick one approach over the other?
Continue reading “Virtual Machines or Containers? Maybe Both?”
This post is dedicated to the new SSSD features in Red Hat Enterprise Linux 7.1 that have significance when SSSD is used by itself (i.e. without IdM integration) – for example, when connecting directly to Active Directory (AD) or some other Directory Server.
Control Access to Linux Machines with Active Directory GPO
A common use case for managing computer-based access control in an Active Directory environment is through the use of GPO policy settings related to Windows Logon Rights. The Administrator who maintains a heterogeneous AD and Red Hat Enterprise Linux network without an IdM server has traditionally had to face the challenging task of centrally controlling access to the Linux machines without being able to update the SSSD configuration on each and every client machine.
In Red Hat Enterprise Linux 7.1, the Administrator is (now) able to
Continue reading “New SSSD Features in Red Hat Enterprise Linux 7.1”
As mentioned in my previous post there are multiple ways to connect a Linux system to Active Directory (AD) directly. With this in mind, let us review the following list of options…
- The legacy integration option: this is a solution where (likely older) native Linux tools are used to connect to an LDAP server of your choice (e.g. AD).
- The traditional integration option: this is a solution based on Samba winbind.
- The third-party integration option: this is a solution based on (proprietary) commercial software.
- The contemporary integration option: this is a solution based on SSSD.
Legacy Integration Option
In the case of the legacy integration option (see figure above), a Linux system is connected to AD using LDAP for identity lookup and LDAP or Kerberos for authentication. It pretty much solves the problem of basic user authentication. That said, such a solution has the following significant limitations:
Continue reading “Overview of Direct Integration Options”
Have you ever purchased a new dishwasher? For those of you who have, you know that the dishes don’t get washed until your “purchase” is picked-up/delivered, the old dishwasher is removed, and the new unit is hooked-up. In fact, until the new dishwasher is hooked-up, it simply doesn’t work. The dishwasher can be smart, stylish, noiseless, and/or energy-efficient… but none of this matters if it’s not properly connected. At the end of the day, if you want to enjoy the luxury of automatic dish washing, one thing is clear: your new dishwasher needs to be hooked-up.
The act of hooking-up a dishwasher is not unlike adding a Linux system to an existing enterprise IT environment. When you deploy a Linux system, it too needs to be “hooked-up”. As the data that flows through your environment consists of different kinds of objects (e.g. users, groups, hosts, and services) the associated identity information is not unlike the water in your dishwasher. Without this identity information
Continue reading “An Introduction to Interoperability Challenges in the Modern Enterprise”