Security

Fedora logo
Article

ABI change analysis of Fedora packages

Dodji Seketeli

In 2016, many improvements happened in the ABI static analysis framework that is Libabigail . In this article we'll present how fedabipkgdiff , a new Libabigail tool can help Fedora users, developers and others to analyze ABI changes of libraries carried by packages of the distribution. Introduction As many of you already know, the engine used to build RPM packages in the Fedora build system is named Koji . Thus, one can get Fedora RPMs from Koji using a web...

Ruby logo
Article

Towards Faster Ruby Hash Tables

Vladimir Makarov

Hash tables are an important part of dynamic programming languages. They are widely used because of their flexibility, and their performance is important for the overall performance of numerous programs. Ruby is not an exception. In brief, Ruby hash tables provide the following API: insert an element with given key if it is not yet on the table or update the element value if it is on the table delete an element with given key from the table get the...

GNU C library
Article

Adding buffer overflow detection to string functions

Florian Weimer

This article describes the steps required to add buffer overflow protection to string functions. As a real-world example, we use the strlcpy function, which is implemented in the libbsd library on some GNU/Linux systems. This kind of buffer overflow protection uses a GNU Compiler Collection (GCC) feature for array size tracking (“source fortification”), accessed through the __builtin_object_size GCC built-in function. In general, these checks are added in a size-checking wrapper function around the original (wrapped) function, which is strlcpy in...

A Practical Introduction to Docker Container Terminology
Article

Container Images Compliance - what we built at ManageIQ to remove a security pain point - part 2

Mooli Tayer

Part 2 of 2 In part one of this blog post, we mentioned a pain point in Container based environments. We introduced SCAP as a means to measure compliance in computer systems and introduced ManageIQ as a means of automating Cloud & Container based workflows. Tutorial: Using the OpenSCAP integration in ManageIQ In ManageIQ we have been working on leveraging OpenSCAP to show container images that infringe known vulnerabilities based on the latest CVE content distributed by Red Hat. Integrating...

A Practical Introduction to Docker Container Terminology
Article

Container Images Compliance - what we built at ManageIQ to remove a security pain point - part 1

Mooli Tayer

Part 1 of 2 "Docker is about running random crap from the Internet as root on your host" - Dan Walsh Do you trust your containers? In container-based development flows, a developer will create an image to be the base for an application. Images are stateless, read only, and they are built in layers. These layers represent everything in an application's runtime environment but the kernel, which will be “borrowed” from the hosting machine. Such layers include distribution, packages, environment...

Using API keys securely in your OpenShift microservices and applications
Article

End To End Encryption With OpenShift Part 1: Two-Way SSL

Ron Sengupta

This is the first part of a 2 part article, part 2 (End To End Encryption With OpenShift Part 2: Re-encryption) will be authored by Matyas Danter, Sr Consultant with Red Hat, it will be published soon. This article aims to demonstrate use cases for Openshift routes to achieve end-to-end encryption. This is a desirable and sometimes mandated configuration for many verticals, which deal with strict regulations. For example, financial sectors often are extremely careful about their application security standards...

Migrating my iptables setup to nftables
Article

Migrating my iptables setup to nftables

Phil Sutter

Wanting to become familiar with nftables, I decided to jump in at the deep end and just use it on my local workstation. The goal was to replace the existing iptables setup, ideally without any drawbacks. The following essay will guide you through what I have done in order to achieve that. In order to be able to follow, you should already be familiar with iptables and at least have a rough idea of what nftables are. I don't see...

Article Thumbnail
Article

Securing Fuse 6.3 Fabric Cluster Management Console with SSL/TLS

Elvadas Nono

Introduction Enabling SSL/TLS in a Fabric is slightly more complex than securing a jetty in a standalone Karaf container. In the following article, we are providing feedback on the overall process. For clarity and simplification, the article will be divided into two parts. Part1: The Management Console Part2: Securing Web Service:including gateway-http For the purpose of this PoC, the following environment will be used. Environment Host fabric1.example.com (192.168.56.1), localhost MacOS Host fabric2.example.com (192.168.56.101), RHEL 7.2 Virtual Box VM Host fabric3.example.com...

Mobile security
Article

What is mobile security? What is the mobile security ecosystem?

Javier Perez

I was recently introduced to a published draft by the National Institute of Standards and Technology (NIST) from the U.S. Department of Commerce which talks about assessing the threats to mobile devices & infrastructure. The document discusses the Mobile Threat Catalogue which describes, identifies and structures the threats posed to mobile information systems. This blog summarizes the 50-page document with added context and commentary based on my experience in the mobile industry helping organizations building mobile apps. More than ever...

Article Thumbnail
Article

What comes after 'iptables'? Its successor, of course: `nftables`

Florian Westphal

Nftables is a new packet classification framework that aims to replace the existing iptables, ip6tables, arptables and ebtables facilities. It aims to resolve a lot of limitations that exist in the venerable ip/ip6tables tools. The most notable capabilities that nftables offers over the old iptables are: Performance: Support for lookup tables - no linear rule evaluation required No longer enforces overhead of implicit rule counters and address/interface matching Usability: Transactional rule updates - all rules are applied atomically Applications can...

Using API keys securely in your OpenShift microservices and applications
Article

Understanding OpenShift Security Context Constraints

Alessandro Arrichiello

OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. Security context constraints allow administrators to control permissions for pods using the CLI. SCCs allow an administrator to control the following: Running of privileged containers. Capabilities a container can request to be added. Use of host directories as volumes. The SELinux context of the container. The user ID. The use of host namespaces and networking. Allocating an 'FSGroup' that...

Article Thumbnail
Article

How Red Hat re-designed its Single Sign On (SSO) architecture, and why.

Brian Atkisson

Red Hat, Inc. recently released the Red Hat SSO product, which is an enterprise application designed to provide federated authentication for web and mobile applications. In the SAML world, RH SSO is known as an Identity Provider (IdP), meaning its role in life is to authenticate and authorize users for use in a federated identity management system. For example, it can be used to authenticate internal users against a corporate LDAP instance such that they can then access the corporate...

Article Thumbnail
Article

Using the operating system to authenticate users on Red Hat JBoss Enterprise Application Platform (EAP) ?

Siddhartha De

Recently, I was searching for a solution to configure the security domain of Red Hat JBoss Enterprise Application Platform with the local operating system based user registry so that the application could directly authenticate its users with local operating system users. I understood that it would be difficult to implement a generic solution, as authentication mechanisms are strikingly different between Windows and Unix/Linux. After checking several blogs and forums, I decided to implement this using JPAM for Unix/Linux and Waffle...

Article Thumbnail
Article

CI Security on Red Hat Enterprise Linux from a Windows Perspective

Andrew Male

The sheer number of tasks involved in building out automation infrastructure for a new organization never ceases to amaze me. One of the most often overlooked groups of tasks, however, is security. Though I am in no way a security expert, I know there are some basic steps we should take to protect ourselves and our precious systems. I also know that not everyone who administers RHEL systems has an extensive background working with Linux. If, like me, you’re normally...

Article Thumbnail
Article

Summit Live Blog: Middleware security: Authentication, authorization, and auditing services

Brian Atkisson

As you would expect, security is a key focus for Red Hat. Secure by default is more than a goal, it is a guiding principle across all product lines. Middleware is no exception and there are some amazing things going on in this space. Divya Mehra and Vikas Kumar of Red Hat walked us through some of the recent innovations, including the recently released Red Hat SSO, product built upon KeyCloak . Derek Walker of SWIFT also spoke about how...

Article Thumbnail
Article

DevNation Blog: End-to-end OpenSCAP for automated compliance

Brian Atkisson

OpenSCAP is a security framework for determining the compliance of a system to some defined set of standards. Jeffrey Blank of the National Security Agency and Shawn Wells of Red Hat gave their talk on automated compliance. We, as an industry, needed standardized formats for automated checklists. Specifically, we needed: Standardized inputs Standardized outputs Provide product independence SCAP is the standard and its checklist language is called XCCDF. Check instructions are detailed in OVAL or OCIL languages, which are open...

Article Thumbnail
Article

DevNation Live Blog: Cryptography: What every application developer needs to know

Brian Atkisson

Cryptography is something that technical folks either get excited over or completely tune out. There does not seem to be much of a middle ground. That said, cryptography is such an essential component of modern life that without it, the Internet and many, many companies would crumble. To make matters more complicated, cryptography is an area that is always changing. Today's modern crypto primitives might be broken before you drink your coffee tomorrow morning. Look at how quickly POODLE changed...

Article Thumbnail
Article

DevNation Live Blog: You've got microservices... Let's secure them

Brian Atkisson

KeyCloak is the upstream project for the newly released Red Hat Single Sign On (SSO) product. The project and product goes well beyond a traditional SAML Identity Provider, supporting federation protocols such as OAuth 2.0 and OpenID Connect. While it is built upon JBoss EAP 7, both KeyCloak and RH-SSO are designed to be standalone systems for providing website authentication and authorization services. In fact, Red Hat believes in RH-SSO so much, that we just switched the authentication system for...

Article Thumbnail
Article

Red Hat Identity Manager: Part 2 - Enterprise PKI Made Easy

Brian Atkisson +1

This is the second installment in a series about using Red Hat Identity Management (IdM) on Red Hat Enterprise Linux and Fedora (using the upstream FreeIPA project). As described in part 1 , IdM makes it very easy to build an enterprise-grade identity management solution, including a full enterprise PKI solution providing complete x509 certificate life cycle management. Most organizations start with a simple self-signed Certificate Authority (CA) certificate, perhaps generated using OpenSSL ; with a little configuration and a...

Article Thumbnail
Article

Red Hat Identity Manager: Part 1 - Overview and Getting started

Brian Atkisson

Red Hat Identity Manager (IdM), is designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and even Windows. At its core, IdM combines LDAP, Kerberos, DNS, and PKI with a rich management framework. Frequently, IdM is described as "Active Directory for Linux". Although, to be fair, Active Directory is really just a management framework around LDAP, Kerberos, DNS and PKI -- all of which were well established in the unix community long...

Article Thumbnail
Article

Security update: SAMAS/SamSam Ransomware and JBoss

Chris Robinson

Over the last few weeks reports of crypto-ransomware have been circulated on the Internet and in the Press. While public details are sparse and victims are hesitant to share details, Red Hat is aware that older, un-patched versions of JBoss have been linked to several cases. The main flaw seen used has been CVE-2010-0738 . Unsecured consoles appear to have been the main culprit of allowing attackers into internal networks using the JexBoss testing tool. Red Hat JBoss Enterprise Application...

Article Thumbnail
Article

Java and Sécurité à Devoxx France (French)

Romain Pelisse

Entre l'attaque subie par Github la semaine dernière , et le hack de la chaîne TV5 , la présentation que j'ai faite avec François Le Droff vendredi 10 avril, à Devoxx France , sur la Java et la Sécurité ne pouvait tomber plus à point nommée: Devoxx 2015-barbus-et-barbares from François Le Droff Mon comparse ayant déjà pris le temps de publier les slides, j'ai pensé qu'il serait pertinent d'ajouter un lien ici vers ces derniers, car, après tout, si il...

Docker Logo
Article

Introducing a *Super* Privileged Container Concept

Daniel Walsh

Letting the containers out of containment I have written a lot about *Containing the Containers*, e.g. * Are Docker containers really secure? * and * Bringing new security features to Docker *. However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let's talk about removing all the security! Safely? Packaging Model I envision a world where lots of software gets shipped in image format. In other words...

Docker Logo
Article

Opensource.com - Bringing new security features to Docker

Daniel Walsh

In the first of this series on Docker security , I wrote "containers do not contain." In this second article, I'll cover why and what we're doing about it. Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at security containers, I am looking to protect the host from the processes within the container, and I'm also looking to protect containers from each other. With Docker we are using the...