Security

Easily secure your Spring Boot applications with Keycloak

Sebastien Blanc

What is Keycloak? Although security is a crucial aspect of any application, its implementation can be difficult. Worse, it is often neglected, poorly implemented, and intrusive in the code. Lately, however, security servers have appeared that allow all the authentication and authorization aspects to be outsourced and delegated. Of these servers, one of the most promising is Keycloak: open source, flexible, and agnostic of any technology, it is easily deployed and adapted to your own infrastructure. Moreover, Keycloak is more than just an authentication...

WannaCry Ransomware: Who It Affected and Why It Matters

Samantha Donaldson

Technology is an ever-expanding market full of opportunity and dedicated to making our lives more convenient and advanced in the process. Countless companies across the world have recognized the power in embracing technology to survive and prosper and, with this being said, the world has never been more advanced than it is today — with a future as bright as the people creating it. Furthermore, although many people believe that the modern generation is completely out of their minds and...

Blueprint for Modern Application Architecture

Brian Atkisson

... with APIs, OpenID, and Microservices, Daria Mayorova and Mark Cheshire from Red Hat 3Scale shared their presentation on how to construct microservice-based applications with the benefits of API management. Some general characteristics of microservices include: componentization via services; organization around business capabilities; smart endpoints; design for failure; and decoupling of components. Typically, microservices are divided into two general architectural buckets. Inner Architecture: any service communication with other microservices within a larger service boundary (think intra-application communication). Outer Architecture: border...

Enabling LDAP Security for DataGrid Cache

Kamesh Sampath

Expanding on Tristan's blog, where he spoke of enabling security for JBoss Data Grid caches, in this post we will cover how to add LDAP-based security to the JDG caches. The principles and techniques remain as Tristan defined them, but there are some minor changes that I will be highlighting in this blog for a successfully working configuration of JDG with LDAP security enabled. Before we jump into configuring JDG for security, I would like to brush up...

Using Snyk, NSP and Retire.JS to Identify and Fix Vulnerable Dependencies in your Node.js Applications

Tom Jackman

Introduction Dependency management isn’t anything new; however, it has become more of an issue in recent times due to the popularity of frameworks and languages that have large numbers of third-party plugins and modules. With Node.js, keeping dependencies secure is an ongoing and time-consuming task because the majority of Node.js projects rely on publicly available modules or libraries to add functionality. Instead of writing code themselves, developers end up adding a large number of libraries to their applications. The...

Benchmarking nftables

Phil Sutter

Since I learned about nftables, I have heard numerous times that it would provide better performance than its designated predecessor, iptables. Yet I have never seen actual figures from performance comparisons between the two, so I decided to do a little side-by-side comparison. Basically, my idea was to find out how much certain firewall setups affect performance. In order to do that, I simply did a TCP stream test between two network namespaces on the same system and then added...

Diagnosing Function Pointer Security Flaws with a GCC plugin

Aldy Hernandez and one co-author

A few months ago, I had to write some internal GCC passes to perform static analysis on the GNU C Library (glibc). I figured I might as well write them as plugins, since they were unlikely to see the light of day outside of my little sandbox. Being a long-time GCC contributor but having no experience writing plugins, I thought it'd be a good way to eat our own dog food, and perhaps write about my experience. Unfortunately, I...

Wearable Tech: A Developer’s Security Nightmare

Samantha Donaldson

Web developers and IT professionals are the foundation of any quality business’s data security. However, with technology constantly changing and evolving, as well as becoming more consumer-friendly, this data’s vulnerability only increases, and it can often be hard to even notice how this new technology can actually affect your company until it does. Despite this, ignorance of modern hacking techniques does not diminish their ability to transform even the smallest of devices into a weapon with which to infect or...

The Year of Data Breaches: Why Encryption and Reformatting SSD’s is Not Enough

Samantha Donaldson

2016 was certainly an interesting year and, although we could probably discuss the election alone for an hour, there is one particular epidemic that has plagued the developer community in more ways than we probably care to mention. It seems as though even the best data encryption and reformatting of SSDs is slowly becoming not enough in the face of the continuous evolution of the hacker community, and this is a pretty unsettling situation. In fact, in the first six...

ABI change analysis of Fedora packages

Dodji Seketeli

In 2016, many improvements happened in Libabigail, the ABI static analysis framework. In this article we'll present how fedabipkgdiff, a new Libabigail tool, can help Fedora users, developers and others analyze ABI changes in libraries carried by packages of the distribution. Introduction As many of you already know, the engine used to build RPM packages in the Fedora build system is named Koji. Thus, one can get Fedora RPMs from Koji using a web browser. In that...

Towards Faster Ruby Hash Tables

Vladimir Makarov

Hash tables are an important part of dynamic programming languages. They are widely used because of their flexibility, and their performance is important for the overall performance of numerous programs. Ruby is not an exception. In brief, Ruby hash tables provide the following API: insert an element with a given key if it is not yet in the table, or update the element's value if it is; delete an element with a given key from the table; get the...

Adding buffer overflow detection to string functions

Florian Weimer

This article describes the steps required to add buffer overflow protection to string functions. As a real-world example, we use the strlcpy function, which is implemented in the libbsd library on some GNU/Linux systems. This kind of buffer overflow protection uses a GNU Compiler Collection (GCC) feature for array size tracking (“source fortification”), accessed through the __builtin_object_size GCC built-in function. In general, these checks are added in a size-checking wrapper function around the original (wrapped) function, which is strlcpy in...

Container Images Compliance - what we built at ManageIQ to remove a security pain point - part 2

Mooli Tayer

Part 2 of 2 In part one of this blog post, we mentioned a pain point in container-based environments. We introduced SCAP as a means to measure compliance in computer systems and introduced ManageIQ as a means of automating cloud and container-based workflows. Tutorial: Using the OpenSCAP integration in ManageIQ In ManageIQ we have been working on leveraging OpenSCAP to show container images that are affected by known vulnerabilities, based on the latest CVE content distributed by Red Hat. Integrating...

Container Images Compliance - what we built at ManageIQ to remove a security pain point - part 1

Mooli Tayer

Part 1 of 2 "Docker is about running random crap from the Internet as root on your host" - Dan Walsh Do you trust your containers? In container-based development flows, a developer will create an image to be the base for an application. Images are stateless and read-only, and they are built in layers. These layers represent everything in an application's runtime environment but the kernel, which will be “borrowed” from the hosting machine. Such layers include distribution, packages, environment...

End To End Encryption With OpenShift Part 1: Two-Way SSL

Ron Sengupta

This is the first part of a two-part article; part 2 (End To End Encryption With OpenShift Part 2: Re-encryption) will be authored by Matyas Danter, Sr. Consultant with Red Hat, and will be published soon. This article aims to demonstrate use cases for OpenShift routes to achieve end-to-end encryption. This is a desirable and sometimes mandated configuration for many verticals that deal with strict regulations. For example, the financial sector is often extremely careful about its application security standards...

Migrating my iptables setup to nftables

Phil Sutter

Wanting to become familiar with nftables, I decided to jump in at the deep end and just use it on my local workstation. The goal was to replace the existing iptables setup, ideally without any drawbacks. The following essay will guide you through what I have done in order to achieve that. In order to be able to follow, you should already be familiar with iptables and at least have a rough idea of what nftables is. I don't see...

Securing Fuse 6.3 Fabric Cluster Management Console with SSL/TLS

Elvadas Nono

Introduction Enabling SSL/TLS in a Fabric is slightly more complex than securing Jetty in a standalone Karaf container. In the following article, we describe the overall process. For clarity and simplification, the article will be divided into two parts. Part 1: The Management Console. Part 2: Securing Web Services, including gateway-http. For the purpose of this PoC, the following environment will be used: host fabric1.example.com (192.168.56.1), localhost, MacOS; host fabric2.example.com (192.168.56.101), RHEL 7.2 VirtualBox VM; host fabric3.example.com...

What is mobile security? What is the mobile security ecosystem?

Javier Perez

I was recently introduced to a published draft by the National Institute of Standards and Technology (NIST) from the U.S. Department of Commerce which talks about assessing the threats to mobile devices and infrastructure. The document discusses the Mobile Threat Catalogue, which describes, identifies and structures the threats posed to mobile information systems. This blog summarizes the 50-page document with added context and commentary based on my experience in the mobile industry helping organizations build mobile apps. More than ever...

What comes after 'iptables'? Its successor, of course: `nftables`

Florian Westphal

nftables is a new packet classification framework that aims to replace the existing iptables, ip6tables, arptables and ebtables facilities. It aims to resolve a lot of limitations that exist in the venerable ip/ip6tables tools. The most notable capabilities that nftables offers over the old iptables are, for performance: support for lookup tables, so no linear rule evaluation is required, and no longer enforcing the overhead of implicit rule counters and address/interface matching; for usability: transactional rule updates, with all rules applied atomically, and applications can...

Understanding OpenShift Security Context Constraints

Alessandro Arrichiello

OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. Security context constraints allow administrators to control permissions for pods using the CLI. SCCs allow an administrator to control the following: running of privileged containers; capabilities a container can request to be added; use of host directories as volumes; the SELinux context of the container; the user ID; the use of host namespaces and networking; allocating an 'FSGroup' that...

How Red Hat re-designed its Single Sign On (SSO) architecture, and why.

Brian Atkisson

Red Hat, Inc. recently released the Red Hat SSO product, which is an enterprise application designed to provide federated authentication for web and mobile applications. In the SAML world, RH SSO is known as an Identity Provider (IdP), meaning its role in life is to authenticate and authorize users for use in a federated identity management system. For example, it can be used to authenticate internal users against a corporate LDAP instance such that they can then access the corporate...

Using the operating system to authenticate users on Red Hat JBoss Enterprise Application Platform (EAP)?

Siddhartha De

Recently, I was searching for a solution to configure the security domain of Red Hat JBoss Enterprise Application Platform with a user registry based on the local operating system, so that the application could directly authenticate its users against local operating system users. I understood that it would be difficult to implement a generic solution, as authentication mechanisms are strikingly different between Windows and Unix/Linux. After checking several blogs and forums, I decided to implement this using JPAM for Unix/Linux and Waffle...

CI Security on Red Hat Enterprise Linux from a Windows Perspective

Andrew Male

The sheer number of tasks involved in building out automation infrastructure for a new organization never ceases to amaze me. One of the most often overlooked groups of tasks, however, is security. Though I am in no way a security expert, I know there are some basic steps we should take to protect ourselves and our precious systems. I also know that not everyone who administers RHEL systems has an extensive background working with Linux. If, like me, you’re normally...

Summit Live Blog: Middleware security: Authentication, authorization, and auditing services

Brian Atkisson

As you would expect, security is a key focus for Red Hat. Secure by default is more than a goal; it is a guiding principle across all product lines. Middleware is no exception, and there are some amazing things going on in this space. Divya Mehra and Vikas Kumar of Red Hat walked us through some of the recent innovations, including the recently released Red Hat SSO, a product built upon Keycloak. Derek Walker of SWIFT also spoke about how the...

DevNation Blog: End-to-end OpenSCAP for automated compliance

Brian Atkisson

OpenSCAP is a security framework for determining the compliance of a system with some defined set of standards. Jeffrey Blank of the National Security Agency and Shawn Wells of Red Hat gave their talk on automated compliance. We, as an industry, needed standardized formats for automated checklists. Specifically, we needed standardized inputs, standardized outputs, and product independence. SCAP is the standard, and its checklist language is called XCCDF. Check instructions are detailed in the OVAL or OCIL languages, which are open...