Security


Red Hat Identity Manager: Part 2 - Enterprise PKI Made Easy

Brian Atkisson +1

This is the second installment in a series about using Red Hat Identity Management (IdM) on Red Hat Enterprise Linux and Fedora (using the upstream FreeIPA project). As described in part 1, IdM makes it very easy to build an enterprise-grade identity management solution, including a full enterprise PKI solution providing complete x509 certificate life cycle management. Most organizations start with a simple self-signed Certificate Authority (CA) certificate, perhaps generated using OpenSSL; with a little configuration and a...


Red Hat Identity Manager: Part 1 - Overview and Getting started

Brian Atkisson

Red Hat Identity Manager (IdM) is designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and even Windows. At its core, IdM combines LDAP, Kerberos, DNS, and PKI with a rich management framework. Frequently, IdM is described as "Active Directory for Linux". Although, to be fair, Active Directory is really just a management framework around LDAP, Kerberos, DNS and PKI -- all of which were well established in the Unix community long...


Security update: SAMAS/SamSam Ransomware and JBoss

Chris Robinson

Over the last few weeks, reports of crypto-ransomware have been circulating on the Internet and in the press. While public details are sparse and victims are hesitant to share details, Red Hat is aware that older, unpatched versions of JBoss have been linked to several cases. The main flaw seen used has been CVE-2010-0738. Unsecured consoles appear to have been the main culprit in allowing attackers into internal networks using the JexBoss testing tool. Red Hat JBoss Enterprise Application...


Java and Security at Devoxx France (French)

Romain Pelisse

Between the attack suffered by Github last week and the hack of the TV5 television channel, the presentation I gave with François Le Droff on Friday 10 April at Devoxx France, on Java and Security, could not have come at a better time: Devoxx 2015-barbus-et-barbares from François Le Droff. My partner having already taken the time to publish the slides, I thought it would be relevant to add a link to them here, because, after all, if it...


Introducing a *Super* Privileged Container Concept

Daniel Walsh

Letting the containers out of containment: I have written a lot about Containing the Containers, e.g. "Are Docker containers really secure?" and "Bringing new security features to Docker". However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let's talk about removing all the security! Safely? Packaging Model: I envision a world where lots of software gets shipped in image format. In other words...


Opensource.com - Bringing new security features to Docker

Daniel Walsh

In the first of this series on Docker security, I wrote "containers do not contain." In this second article, I'll cover why and what we're doing about it. Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at security containers, I am looking to protect the host from the processes within the container, and I'm also looking to protect containers from each other. With Docker we are using the...


Opensource.com - Are Docker containers really secure?

Daniel Walsh

This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed. Containers do not contain: I hear and read about a lot of people assuming that Docker containers actually sandbox applications, meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system. I have heard people say Docker containers are...


Comparing ABIs for Compatibility with libabigail - Part 1

Dodji Seketeli

Introduction: The challenges around ABI compatibility. Ensuring the forward compatibility of application binary interfaces (ABIs) exposed by native shared libraries has been a kind of black art for quite some time, due to many factors. The scope of the term ABI is quite broad, even when it is restricted to shared software libraries. It encompasses low-level concepts like the binary format, the processor instruction set used in the binary, the calling convention of the operating system on a given processor...


Repost: Red Hat Security - POODLE SSL 3.0 vulnerability

Mike Guerette

POODLE – An SSL 3.0 Vulnerability (CVE-2014-3566). Red Hat Product Security has been made aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. To mitigate this vulnerability, it is recommended that you explicitly disable SSL 3.0 in favor of TLS 1.1 or later in all affected packages. Read the whole article via Red...


Putting OpenShift under pressure - a case study

Eric Christensen

About a year ago, Red Hat Product Security decided to move its blog, the Red Hat Security Blog, off of WordPress.com's infrastructure and onto Red Hat's OpenShift. There were some initial growing pains since this was a relatively new thing to do, but it wasn't long before the blog was in a stable environment. There were plans to put the application on a larger gear (it was hosted on a small gear) and to make it scalable (it wasn't)...


Understanding malloc behavior using Systemtap userspace probes

Siddhesh Poyarekar

The malloc family of functions is critical for almost every serious application program. Its performance characteristics often have a big impact on the performance of applications. Given that the default malloc implementation needs to have consistent performance for all general cases, it makes available a number of tunables that can help developers tweak its behavior to suit their programs. About two years ago I wrote an article on the Red Hat Customer Portal that described the high level design...


Frequently Asked Questions about the Shellshock Bash flaws | Red Hat Security

Mike Guerette

"The recent few days have been hectic for everyone who works in the Linux/Unix world. Bash security flaws have rocked the globe leaving people confused, worried, or just frustrated. Now that the storm is over and patches are available for most operating systems, here are the answers to some of the common questions we’ve been asked:" Read the whole article - from the Red Hat security engineering team: Frequently Asked Questions about the Shellshock Bash flaws | Red Hat Security...


Repost: Embedded Vulnerability Detection command line tool

Mike Guerette

by Grant Murphy "The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha...


Enhance application security with FORTIFY_SOURCE | Red Hat Security

Mike Guerette

by Siddharth "The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in various functions that perform operations on memory and strings. Not all types of buffer overflows can be detected with this macro, but it does provide an extra level of validation for some functions that are potentially a source of buffer overflow flaws. It protects both C and C++ code. FORTIFY_SOURCE works by computing the number of bytes that are going to be copied from a source...


Secure Development Practices

Langdon White

Earlier this year we held an event called Red Hat Developer Exchange, which is a one-day conference for developers who leverage any of the Red Hat products. We had a great bunch of sessions, but one of the ones I did was about "Secure Development Practices." What does that mean, you might ask? Well, it means, what can I change about my methods and techniques to make it more likely that the development that takes place in my organization...


Writing SELinux Policy – A black art.

Daniel Walsh

Dan Walsh writing a blog outside of DanWalsh.livejournal.com??? What is the world coming to? I was asked by Red Hat to start writing occasional articles for developers, so here it is. Writing SELinux Policy – A black art. I often find it comical that people think that writing SELinux policy is difficult. They imagine that the people doing it are gurus. The truth is, it is rather easy. Although, don’t tell my bosses that! There are some things that are...


Upcoming secure development sessions

Josh Bressers

I'm speaking as part of a panel on secure development practices for Red Hat Developer Exchange and the Red Hat Summit. I work on the Red Hat Product Security Team, a group whose purpose is to help Red Hat develop products as securely as possible. Quite often when people talk about software security it's an afterthought. You write your software, then you worry about security later. This can work sometimes, but it's also really expensive. Once you have a functioning...


The Security Benefits of RPM Packaging

Eric Christensen

RPM Package Manager (RPM) was created to deliver software to workstations and servers. Besides being an efficient software delivery mechanism, RPM also provides security features that assist system administrators with managing their software and trusting the code that is going into their infrastructure. What is an RPM? RPM is a package management system that bundles software source code or binaries together for easy installation on a computer. These files are tracked and allow for easy installation, upgrading, and removal. Since...


Secure Development Series: Security Mentality

Langdon White

A new video focused on the "Security Mentality" in the secure programming series has been released. Some interesting things are covered about how developers think about security and why they accidentally introduce security flaws into their systems. As a corollary to Bruce Schneier's law, Josh offers "Any developer can build an application so secure that he or she cannot exploit it." Please watch the videos for some ideas about cheating and about how to avoid the biases in your own...


Secure Development Series: Authorization

Langdon White

Authorization and Authentication are both important aspects of secure development. Come check out our latest video in the secure development series and learn about often overlooked authorization events in your applications. The video also discusses Cross-Site Request Forgeries (CSRF), what they are and how to avoid them (e.g. the OWASP CSRF Prevention Cheat Sheet).


Secure Development Series: Numeric Errors

Langdon White

The next secure development video is out! Come check out a quick video on the impact of numeric errors during your development process. The video covers such problems as Integer Overflows and Array Index Errors (like Bounds Checking and Index Checking). You can also find more information about overflows and security in general at The Open Web Application Security Project (OWASP). Please leave us your feedback or suggestions for other secure development topics you would like...


New Secure Development Video Series

Langdon White

Software Developers always know they are supposed to be paying attention to security when they program. However, developers also know that without regular reminders both of the things they know and new threats, secure development practices can suffer. As a result, you might find the new series of videos from the Red Hat Product Security Team useful. The first two videos cover that age old topic, “Input Validation” with the first video a bit of an intro and covering XSS...