How many times have you had to staff the server room during the graveyard shift just to enter a password to unlock encrypted disks at boot time? Has this requirement kept you away from securing your data? What are your options?
Red Hat has included disk encryption for years with Linux Unified Key Setup-on-disk-format (LUKS). This solution is easy to implement and configure for your encryption needs, but
Continue reading “An easier way to manage disk decryption at boot with Red Hat Enterprise Linux 7.5 using NBDE”
This year you’ve got a lot of decisions to make before you go to Red Hat Summit in San Francisco, CA from 8-10 May 2018.
There are breakout sessions, birds-of-a-feather sessions, mini sessions, panels, workshops, and instructor-led labs that you’re trying to juggle into your daily schedule. To help with these plans, let’s try to provide an overview of the labs in this series.
In this article let’s examine a track focusing only on Red Hat Enterprise Linux (RHEL). It’s a selection of labs where you’ll get hands-on with package management, OS security, dig into RHEL internals, build a RHEL image for the cloud and more.
The following hands-on labs are on the agenda, so let’s look at the details of each one.
Continue reading “Ultimate Guide to Red Hat Summit 2018 Labs: Hands-on with RHEL”
I recently had the pleasure of linking up with one of my favorite Red Hat colleagues (David “Pinky” Pinkerton) from Australia while we were both in Southeast Asia for a Red Hat event. We both have a propensity for KVM and Red Hat Virtualization (RHV) in particular, and he brought up a fantastic topic – truly segregated networks to support other security requirements. The reason came up because he had a “high security” client that needed to keep different traffic types separated within RHV, as the VMs were used to scan live malware. And that is why I made the comment about the (justifiably) paranoid.
Let’s take a look.
Continue reading “Segregating RHV Networks for the Slightly Paranoid”
Red Hat Product Security was made aware of a vulnerability affecting the Linux kernel’s implementation of the Bluetooth L2CAP protocol. The vulnerability was named BlueBorne and was assigned an ID – CVE-2017-1000251.
A vulnerable system would need to have Bluetooth (hardware + service) enabled and an attacking device would need to be within
Continue reading “BlueBorne – An Analysis”
Most people don’t consider their average USB memory stick to be a security threat. In fact, in a social engineering experiment conducted in 2016 at the University of Illinois and detailed in this research paper, a group of researchers dropped 297 USB sticks outside in the parking lot, in the hallway, and classrooms. Of the 297 USB sticks dropped,
Continue reading “Built-in protection against USB security attacks with USBGuard”
Watch out San Francisco, and get ready to make your datacenter more secure with Red Hat!
Love (for IT security) will definitely be in the air this Valentine’s week at RSA, where Red Hat will be presenting not only breakout sessions, but also a Birds-of-a-Feather and Peer2Peer Session. To learn more about Red Hat’s sessions at RSA, have a look at the details below.
Continue reading “Red Hat talks security at the 2017 RSA Conference in San Francisco”
A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?
While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.
One example is when you have an app that needs a single capability, like a Network Time Protocol (NTP) daemon container that resets the system time on a machine. So if you wanted to run a container for an ntp daemon, you would need to do a --cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.
Continue reading “Container Tidbits: Adding Capabilities to a Container”
Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.
The Day After is Too Late
There’s an unfortunate tendency in IT to think about security too late. People only buy a security system the day after they have been broken into.
Dropping capabilities can be low hanging fruit when it comes to improving container security.
What are Linux Capabilities?
According to the capabilities man page,
capabilities are distinct units of privilege that can be independently enabled or disabled.
The way I describe it is that most people think of root as being all powerful. This isn’t the whole picture: the root user with all capabilities is all powerful. Capabilities were added to the kernel around 15 or so years ago to try to divide up the power of root.
Continue reading “Secure Your Containers with this One Weird Trick”
We often compare the security of containers to virtual machines and ask ourselves “…which is more secure?” I have argued for a while now that comparing containers to virtual machines is really a false premise – we should instead be comparing containers to
Continue reading “Container Tidbits: The Tenancy Scale”
The Internet of Things (IoT) is gaining steam as businesses across various industries launch projects that instrument, gather, and analyze data to extract value from various connected devices. While the general vision for IoT may be the same, each company is pursuing its own unique approach on how to go about it. The adoption of standards and the emergence of industry leaders will help the “wild west” situation we’re in, but it is still unknown how long it will take to get there. How should businesses implement their IoT solutions in a way that will allow them flexibility and control no matter what the eventual IoT landscape looks like?
It is relatively easy to put together an IoT solution using
Continue reading “IoT in Enterprise: Scaling from Proof of Concept to Deployment”