Security

This is the first part of a 2 part article, part 2 (End To End Encryption With OpenShift Part 2: Re-encryption) will be authored by Matyas Danter, Sr Consultant with Red Hat, it will be published soon. This article aims to demonstrate use cases for Openshift routes to achieve end-to-end encryption. This is a desirable and sometimes mandated configuration for many verticals, which deal with strict regulations. For example, financial sectors often are extremely careful about their application security standards...

Wanting to become familiar with nftables, I decided to jump in at the deep end and just use it on my local workstation. The goal was to replace the existing iptables setup, ideally without any drawbacks. The following essay will guide you through what I have done in order to achieve that. In order to be able to follow, you should already be familiar with iptables and at least have a rough idea of what nftables are. I don't see...

Introduction Enabling SSL/TLS in a Fabric is slightly more complex than securing a jetty in a standalone Karaf container. In the following article, we are providing feedback on the overall process. For clarity and simplification, the article will be divided into two parts. Part1: The Management Console Part2: Securing Web Service:including gateway-http For the purpose of this PoC, the following environment will be used. Environment Host fabric1.example.com (192.168.56.1), localhost MacOS Host fabric2.example.com (192.168.56.101), RHEL 7.2 Virtual Box VM Host fabric3.example.com...

I was recently introduced to a published draft by the National Institute of Standards and Technology (NIST) from the U.S. Department of Commerce which talks about assessing the threats to mobile devices & infrastructure. The document discusses the Mobile Threat Catalogue which describes, identifies and structures the threats posed to mobile information systems. This blog summarizes the 50-page document with added context and commentary based on my experience in the mobile industry helping organizations building mobile apps. More than ever...

Nftables is a new packet classification framework that aims to replace the existing iptables, ip6tables, arptables and ebtables facilities. It aims to resolve a lot of limitations that exist in the venerable ip/ip6tables tools. The most notable capabilities that nftables offers over the old iptables are: Performance: Support for lookup tables - no linear rule evaluation required No longer enforces overhead of implicit rule counters and address/interface matching Usability: Transactional rule updates - all rules are applied atomically Applications can...

OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. Security context constraints allow administrators to control permissions for pods using the CLI. SCCs allow an administrator to control the following: Running of privileged containers. Capabilities a container can request to be added. Use of host directories as volumes. The SELinux context of the container. The user ID. The use of host namespaces and networking. Allocating an 'FSGroup' that...

Red Hat, Inc. recently released the Red Hat SSO product, which is an enterprise application designed to provide federated authentication for web and mobile applications. In the SAML world, RH SSO is known as an Identity Provider (IdP), meaning its role in life is to authenticate and authorize users for use in a federated identity management system. For example, it can be used to authenticate internal users against a corporate LDAP instance such that they can then access the corporate...

Recently, I was searching for a solution to configure the security domain of Red Hat JBoss Enterprise Application Platform with the local operating system based user registry so that the application could directly authenticate its users with local operating system users. I understood that it would be difficult to implement a generic solution, as authentication mechanisms are strikingly different between Windows and Unix/Linux. After checking several blogs and forums, I decided to implement this using JPAM for Unix/Linux and Waffle...

The sheer number of tasks involved in building out automation infrastructure for a new organization never ceases to amaze me. One of the most often overlooked groups of tasks, however, is security. Though I am in no way a security expert, I know there are some basic steps we should take to protect ourselves and our precious systems. I also know that not everyone who administers RHEL systems has an extensive background working with Linux. If, like me, you’re normally...

As you would expect, security is a key focus for Red Hat. Secure by default is more than a goal, it is a guiding principle across all product lines. Middleware is no exception and there are some amazing things going on in this space. Divya Mehra and Vikas Kumar of Red Hat walked us through some of the recent innovations, including the recently released Red Hat SSO, product built upon KeyCloak. Derek Walker of SWIFT also spoke about how the...

OpenSCAP is a security framework for determining the compliance of a system to some defined set of standards. Jeffrey Blank of the National Security Agency and Shawn Wells of Red Hat gave their talk on automated compliance. We, as an industry, needed standardized formats for automated checklists. Specifically, we needed: Standardized inputs Standardized outputs Provide product independence SCAP is the standard and its checklist language is called XCCDF. Check instructions are detailed in OVAL or OCIL languages, which are open...

Cryptography is something that technical folks either get excited over or completely tune out. There does not seem to be much of a middle ground. That said, cryptography is such an essential component of modern life that without it, the Internet and many, many companies would crumble. To make matters more complicated, cryptography is an area that is always changing. Today's modern crypto primitives might be broken before you drink your coffee tomorrow morning. Look at how quickly POODLE changed...

KeyCloak is the upstream project for the newly released Red Hat Single Sign On (SSO) product. The project and product goes well beyond a traditional SAML Identity Provider, supporting federation protocols such as OAuth 2.0 and OpenID Connect. While it is built upon JBoss EAP 7, both KeyCloak and RH-SSO are designed to be standalone systems for providing website authentication and authorization services. In fact, Red Hat believes in RH-SSO so much, that we just switched the authentication system for...

This is the second installment in a series about using Red Hat Identity Management (IdM) on Red Hat Enterprise Linux and Fedora (using the upstream FreeIPA project). As described in part 1, IdM makes it very easy to build an enterprise-grade identity management solution, including a full enterprise PKI solution providing complete x509 certificate life cycle management. Most organizations start with a simple self-signed Certificate Authority (CA) certificate, perhaps generated using OpenSSL; with a little configuration and a few commands...

Red Hat Identity Manager (IdM), is designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and even Windows. At its core, IdM combines LDAP, Kerberos, DNS, and PKI with a rich management framework. Frequently, IdM is described as "Active Directory for Linux". Although, to be fair, Active Directory is really just a management framework around LDAP, Kerberos, DNS and PKI -- all of which were well established in the unix community long...

Over the last few weeks reports of crypto-ransomware have been circulated on the Internet and in the Press. While public details are sparse and victims are hesitant to share details, Red Hat is aware that older, un-patched versions of JBoss have been linked to several cases. The main flaw seen used has been CVE-2010-0738. Unsecured consoles appear to have been the main culprit of allowing attackers into internal networks using the JexBoss testing tool. Red Hat JBoss Enterprise Application Platform...

Entre l'attaque subie par Github la semaine dernière, et le hack de la chaîne TV5, la présentation que j'ai faite avec François Le Droff vendredi 10 avril, à Devoxx France, sur la Java et la Sécurité ne pouvait tomber plus à point nommée: Devoxx 2015-barbus-et-barbares from François Le Droff Mon comparse ayant déjà pris le temps de publier les slides, j'ai pensé qu'il serait pertinent d'ajouter un lien ici vers ces derniers, car, après tout, si il y a bien...

Letting the containers out of containment I have written a lot about *Containing the Containers*, e.g. * Are Docker containers really secure?* and * Bringing new security features to Docker*. However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let's talk about removing all the security! Safely? Packaging Model I envision a world where lots of software gets shipped in image format. In other words, the application...

In the first of this series on Docker security, I wrote "containers do not contain." In this second article, I'll cover why and what we're doing about it. Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at security containers, I am looking to protect the host from the processes within the container, and I'm also looking to protect containers from each other. With Docker we are using the layered...

This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed. Containers do not contain I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system. I have heard people say Docker containers are...

Introduction: The challenges around ABI compatibility Ensuring the forward compatibility of application binary interfaces (ABIs) exposed by native shared libraries has been a kind of black art for quite some time, due to many factors. The scope of the term ABI is quite broad, even when it is restricted to shared software libraries. It encompasses low-level concepts like the binary format, the processor instructions set used in the binary, the calling convention of the operating system on a given processor...

POODLE – An SSL 3.0 Vulnerability (CVE-2014-3566) Red Hat Product Security has been made aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. To mitigate this vulnerability, it is recommended that you explicitly disable SSL 3.0 in favor of TLS 1.1 or later in all affected packages. Read the whole article via Red...

About a year ago, Red Hat Product Security decided to move its blog, the Red Hat Security Blog, off of WordPress.com's infrastructure and onto Red Hat's OpenShift. There were some initial growing pains since this was a relatively new thing to do, but it wasn't long before the blog was in a stable environment. There were plans to put the application on a larger gear (it was hosted on a small gear) and to make it scalable (it wasn't), but...

The malloc family of functions are critical for almost every serious application program. Its performance characteristics often have a big impact on the performance of applications. Given that the default malloc implementation needs to have consistent performance for all general cases, it makes available a number of tunables that can help developers tweak its behavior to suit their programs. About two years ago I had written an article on the Red Hat Customer Portal that described the high level design...