RHEL 7 STIG v1 updates for openstack-ansible-security
Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”
Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World”[1], covered a wide range of security concerns.
There were plenty of great quotes from the talk (scroll to the end for those) and I will summarize the main takeaways in this post.
People, process, and technology
Bruce hits this topic a lot and for good reason: a weak link in any of the three could lead to a breach and a loss of data. He talked about the concept of security as a product and a process. Security is part of every product we consume. Whether it’s the safety of the food that makes it into our homes or the new internet-connected thermostat on the wall, security is part of the product.
The companies that sell these products have a wide variety of strategies for managing security issues. Vulnerabilities in an internet-connected teapot are not worth much since there isn’t a lot of value there. It’s probably safe to assume that a teapot will have many more vulnerabilities than your average Apple or Android mobile device. Vulnerabilities in those devices are extremely valuable because the data we carry on those devices is valuable.
Certainty vs. uncertainty
The talk moved into incident response and how to be successful when the worst happens. Automation only works when there’s a high degree of certainty in the situation. If there are variables that can be plugged into an algorithm and a result comes out the other end, automation is fantastic.
Bruce recommended using orchestration when tackling uncertain situations, such as security incident responses. Orchestration involves people following processes and using technology where it makes sense.
He talked about going through TSA checkpoints where metal detectors and x-ray scanners essentially run the show. Humans are around when these pieces of technology detect a problem. If you put a weapon into your carry-on, the x-ray scanner will notify a human and that human can take an appropriate response to escalate the problem. If a regular passenger has a firearm in a carry-on bag, the police should be alerted. If an Air Marshal has one, then the situation is handled entirely differently - by a human.
One other aspect he noted was around the uncertainty surrounding our data. Our control over our data, and our control over the systems that hold our data, is decreasing. Bruce remarked that he has more control over what his laptop does than his thermostat.
OODA loop
Bruce raised awareness around the OODA loop and its value when dealing with security incidents. Savvy readers will remember that the OODA loop was the crux of my “Be an inspiration, not an impostor” talk about impostor syndrome.
His point was that the OODA loop is a great way to structure a response during a stressful situation. When the orchestration works well, the defenders can complete an OODA loop faster than their adversaries can. When it works really well, the defenders can find ways to disrupt the adversaries’ OODA loops and thwart the attack.
Five reasons why I’m excited about POWER9
IBM Interconnect 2017 first day keynote recap
Reflecting on 10 years of (mostly) technical blogging
OpenStack isn’t dead. It’s boring. That’s a good thing.
What I’m looking forward to at IBM Interconnect 2017
systemd-networkd on Ubuntu 16.04 LTS (Xenial)
ICC color profile for Lenovo ThinkPad X1 Carbon 4th generation
Display auditd messages with journalctl
augenrules fails with “rule exists” when loading rules into auditd
OpenPOWER Summit Europe 2016 Recap
Talk Recap: Holistic Security for OpenStack Clouds
Why should students learn to write code?
What’s Happening in OpenStack-Ansible (WHOA) – September 2016
Power 8 to the people
IBM Edge 2016: Day 2 Recap
IBM Edge 2016: Day 1 Recap
Getting ready for IBM Edge 2016
HTTP/2 for the blog and icanhazip.com
What’s Happening in OpenStack-Ansible (WHOA) – August 2016
Preventing critical services from deploying on the same OpenStack host
OpenStack instances come online with multiple network ports attached
Setting up a telnet handler for OpenStack Zuul CI jobs in GNOME 3
What’s Happening in OpenStack-Ansible (WHOA) – July 2016
Join me on Thursday to talk about OpenStack LBaaS and security hardening
Bring back two and three finger taps in Fedora 24
Talk recap: The friendship of OpenStack and Ansible
My list of must-see sessions at Red Hat Summit 2016
New SELinux shirts are available
What’s Happening in OpenStack-Ansible (WHOA) – June 2016
Automated security hardening with Ansible: May updates
Test Fedora 24 Beta in an OpenStack cloud
Troubleshooting OpenStack network connectivity
Getting started with gertty
Preventing Ubuntu 16.04 from starting daemons when a package is installed
802.1x with NetworkManager using nmcli
Talk Recap: Automated security hardening with OpenStack-Ansible
Lessons learned: Five years of colocation
OpenStack Summit in Austin is almost here!
Thunderbird opens multiple windows
Enable IPv6 privacy in NetworkManager
Automated Let’s Encrypt DNS challenges with Rackspace Cloud DNS
Mouse cursor disappears in GNOME 3
Recovering deleted Chrome bookmarks on Linux
Fight cynicism with curiosity
Segmentation faults with sphinx and pyenv
Enabling kwallet after accidentally disabling it
Tinkering with systemd’s predictable network names
Updating Dell PowerEdge BIOS from Linux
Nobody is using your software project. Now what?
supernova 2.2.0 is available
Custom keyboard shortcuts for Evolution in GNOME
Talking to college students about information security
systemd-networkd and macvlan interfaces
GRE tunnels with systemd-networkd
What I learned while securing Ubuntu
Customizing systemd’s network device names
First thoughts: Linux on the Supermicro 5028D-TN4T
systemd in Fedora 22: Failed to restart service: Access Denied
Time Warner Road Runner, Linux, and large IPv6 subnets
supernova is coming to Fedora repositories
Chronicles of SELinux: Dealing with web content in unusual directories
Impostor syndrome talk: FAQs and follow-ups
Build a high performance KVM hypervisor on Rackspace’s OnMetal servers
Build a network router and firewall with Fedora 22 and systemd-networkd
Slides from my Texas Linux Fest 2015 talk
Understanding systemd’s predictable network device names
Using systemd-networkd with bonding on Rackspace’s OnMetal servers
Research Paper: Securing Linux Containers
Fedora Flock 2015: Keynote slides
Review: JayBird BlueBuds X Sport Bluetooth Headphones
Less than a week until Fedora Flock 2015
Automated testing for Ansible CIS playbook on RHEL/CentOS 6
Live migration failures with KVM and libvirt
Very slow ssh logins on Fedora 22
Restoring wireless and Bluetooth state after reboot in Fedora 22
Making things more super with supernova 2.0
Aruba access points, EAP, and wpa_supplicant 2.4 bugs
Allow new windows to steal focus in GNOME 3
Stumbling into the world of 4K displays [UPDATED]
Fedora 22 and rotating GNOME wallpaper with systemd timers
Book Review: Linux Kernel Development
Improving LXC template security
Time for a new GPG key
Chrome 43 stuck in HiDPI mode
cups.service start operation timed out in Fedora 22
PulseAudio popping with multiple sounds in Fedora 22
Upatre and icanhazip
Adventures with GRE and IPSec on Mikrotik routers
Xen 4.5 crashes during boot on Fedora 22
You have a problem and icanhazip.com isn’t one of them
Keep old kernels with yum and dnf
Automatic package updates with dnf
Tweetdeck’s Chrome notifications stopped working
HOWTO: Mikrotik OpenVPN server
Mikrotik firewalls have been good to me over the years and they work well for multiple purposes. Creating an OpenVPN server on the device can allow you to connect into your local network when you’re on the road or protect your traffic when you’re using untrusted networks.
Although Mikrotik’s implementation isn’t terribly robust (TCP only, client cert auth is wonky), it works quite well for most users. I’ll walk you through the process from importing certificates through testing it out with a client.
Rackspace::Solve Atlanta Session Recap: “The New Normal”
This post originally appeared on the Rackspace Blog and I’ve posted it here for readers of this blog. Feel free to send over any comments you have!
Most IT professionals would agree that 2014 was a long year. Heartbleed, Shellshock, Sandworm and POODLE were just a subset of the vulnerabilities that caused many of us to stay up late and reach for more coffee. As these vulnerabilities became public, I found myself fielding questions from non-technical family members after they watched the CBS Evening News and wondered what was happening. Security is now part of the popular discussion.
Aaron Hackney and I delivered a presentation at Rackspace::Solve Atlanta called “The New Normal” where we armed the audience with security strategies that channel spending to the most effective security improvements. Our approach at Rackspace is simple and balanced: use common sense prevention strategies, invest heavily in detection, and be sure you’re ready to respond when (not if) disaster strikes. We try to help companies prioritize by focusing on a few key areas. Know when there’s a breach. Know what they touched. Know who’s responsible. Below, I’ve included five ways to put this approach into practice.
Woot! Eight years of my blog
The spring of 2015 marks eight years of this blog! I’ve learned plenty of tough lessons along the way and I’ve made some changes recently that might be handy for other people. After watching Sasha Laundy’s video from her awesome talk at PyCon 2015[1], I’m even more energized to share what I’ve learned with other people. (Seriously: Go watch that video or review the slides whether you work in IT or not. It’s worth your time.)
Let’s start from the beginning.
Run virsh and access libvirt as a regular user
Libvirt is a handy way to manage containers and virtual machines on various systems. On most distributions, you can only access the libvirt daemon via the root user by default. I’d rather use a regular non-root user to access libvirt and limit that access via groups.