An easier way to manage disk decryption at boot with Red Hat Enterprise Linux 7.5 using NBDE

How many times have you had to staff the server room during the graveyard shift just to enter a password to unlock encrypted disks at boot time? Has this requirement kept you away from securing your data? What are your options?

Red Hat has included disk encryption for years with Linux Unified Key Setup-on-disk-format (LUKS). This solution is easy to implement and configure for your encryption needs, but


Ultimate Guide to Red Hat Summit 2018 Labs: Hands-on with RHEL

This year you’ve got a lot of decisions to make before you get to Red Hat Summit in San Francisco, CA from 8-10 May 2018.

There are breakout sessions, birds-of-a-feather sessions, mini sessions, panels, workshops, and instructor-led labs that you’re trying to juggle into your daily schedule. To help with these plans, let’s try to provide an overview of the labs in this series.

In this article let’s examine a track focusing only on Red Hat Enterprise Linux (RHEL). It’s a selection of labs where you’ll get hands-on with package management, OS security, dig into RHEL internals, build a RHEL image for the cloud and more.

The following hands-on labs are on the agenda, so let’s look at the details of each one.


Segregating RHV Networks for the Slightly Paranoid

I recently had the pleasure of linking up with one of my favorite Red Hat colleagues (David “Pinky” Pinkerton) from Australia while we were both in Southeast Asia for a Red Hat event. We both have a propensity for KVM and Red Hat Virtualization (RHV) in particular, and he brought up a fantastic topic: truly segregated networks to support other security requirements. The topic came up because he had a “high security” client that needed to keep different traffic types separated within RHV, as the VMs were used to scan live malware. And that is why I made the comment about the (justifiably) paranoid.

Let’s take a look.


Built-in protection against USB security attacks with USBGuard

Most people don’t consider their average USB memory stick to be a security threat. In fact, in a social engineering experiment conducted in 2016 at the University of Illinois and detailed in this research paper, a group of researchers dropped 297 USB sticks outside in the parking lot, in hallways, and in classrooms. Of the 297 USB sticks dropped,


Red Hat talks security at the 2017 RSA Conference in San Francisco

Watch out San Francisco, and get ready to make your datacenter more secure with Red Hat!

Love (for IT security) will definitely be in the air this Valentine’s week at RSA, where Red Hat will be presenting not only breakout sessions, but also a Birds-of-a-Feather and Peer2Peer Session. To learn more about Red Hat’s sessions at RSA, have a look at the details below.


Container Tidbits: Adding Capabilities to a Container

A few weeks ago, I wrote a blog on removing capabilities from a container. But what if you want to add capabilities?

While I recommend that people remove capabilities, in certain situations users need to add capabilities in order to get their container to run.

One example is when you have an app that needs a single capability, like a Network Time Protocol (NTP) daemon container that resets the system time on a machine. So if you wanted to run a container for an NTP daemon, you would need to do a --cap-add SYS_TIME. Sadly, many users don’t think this through, or understand what it means to add a capability.


Secure Your Containers with this One Weird Trick

Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.

The Day After is Too Late

There’s an unfortunate tendency in IT to think about security too late. People only buy a security system the day after they have been broken into.

Dropping capabilities can be low hanging fruit when it comes to improving container security.

What are Linux Capabilities?

According to the capabilities man page, capabilities are distinct units of privilege that can be independently enabled or disabled.

The way I describe it is that most people think of root as being all powerful. This isn’t the whole picture: the root user with all capabilities is all powerful. Capabilities were added to the kernel around 15 years ago to try to divide up the power of root.


IoT in Enterprise: Scaling from Proof of Concept to Deployment

The Internet of Things (IoT) is gaining steam as businesses across various industries launch projects that instrument, gather, and analyze data to extract value from various connected devices. While the general vision for IoT may be the same, each company is pursuing its own unique approach on how to go about it. The adoption of standards and the emergence of industry leaders will help tame the “wild west” situation we’re in, but it is still unknown how long it will take to get there. How should businesses implement their IoT solutions in a way that will allow them flexibility and control no matter what the eventual IoT landscape looks like?

It is relatively easy to put together an IoT solution using
