Redirect local ports with firewalld
·645 words·4 mins
Redirecting local ports with iptables directly isn’t too difficult,
but can we use firewalld to get the same result? 🧱
Security
2024
2023
Launch a watchtower container via podman quadlets
·648 words·4 mins
Podman’s new quadlet feature lets you specify container launch configuration via
simple systemd-like unit files. 📦
1Password quick access in Sway
·238 words·2 mins
1Password has a handy quick access launcher and you can bring it on screen for fast
access to passwords and two factor codes in Sway. 🔐
Migrating to AWS CloudFront
·2326 words·11 mins
New experiences bring joy! After working with fun AWS CloudFront hacks at work this week,
I decided to migrate this blog to AWS S3 and CloudFront. ⛅
Automatic container updates with watchtower
·481 words·3 mins
Watchtower keeps an eye on your running containers and updates them when new containers appear upstream. 📦
2022
Connect 1Password's CLI and app in i3 with lxpolkit
·610 words·3 mins
1Password’s CLI tool connects via PolicyKit to the 1Password application for authentication, but this isn’t the easiest in i3. 🔑
Use GNOME Keyring with Sway
·1060 words·5 mins
Add encrypted ssh keys to your workflow more efficiently with gnome-keyring in the sway window manager.
Basic authentication with Traefik on kubernetes
·873 words·5 mins
Keep prying eyes away from your sites behind Traefik with basic authentication. 🛃
Encrypted gitops secrets with flux and age
·1628 words·8 mins
Store encrypted kubernetes secrets safely in your gitops repository with easy-to-use age encryption. 🔐
2021
Secure Tailscale networks with firewalld
·645 words·4 mins
Tailscale provides a handy private network mesh across multiple devices but it needs security just like any other network. 🕵
Forwarding ports with firewalld
·726 words·4 mins
Learn how to forward ports with firewalld for IPv4 and IPv6 destinations. 🕵🏻
2019
Inspecting OpenShift cgroups from inside the pod
·1052 words·5 mins
My team at Red Hat builds a lot of kernels in OpenShift pods as part of our work with the Continuous Kernel Integration (CKI) project.
Running Ansible in OpenShift with arbitrary UIDs
·590 words·3 mins
My work at Red Hat involves testing lots and lots of kernels from various sources and we use GitLab CE to manage many of our repositories and run our CI jobs.
Running Home Assistant in a Docker container with a Z-Wave USB stick
·645 words·4 mins
The Home Assistant project provides a great open source way to get started with home automtion that can be entirely self-contained within your home.
2018
Disable autoplay for videos in Firefox 65
·142 words·1 min
Firefox has some great features, but one of my favorites is the ability to disable autoplay for videos.
Use a secret as an environment variable in OpenShift deployments
·304 words·2 mins
Environment variables are easy to add to OpenShift deployments, but a more secure way to add these variables is by referencing a secret.
2017
Changes in RHEL 7 Security Technical Implementation Guide Version 1, Release 3
·501 words·3 mins
The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) was published last week.
Apply the STIG to even more operating systems with ansible-hardening
·215 words·2 mins
Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month.
Old role, new name: ansible-hardening
·164 words·1 min
The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role.
Enable AppArmor on a Debian Jessie cloud image
·472 words·3 mins
I merged some initial Debian support into the openstack-ansible-security role and ran into an issue enabling AppArmor.
RHEL 7 STIG v1 updates for openstack-ansible-security
·204 words·1 min
DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes.
Display auditd messages with journalctl
·525 words·3 mins
All systems running systemd come with a powerful tool for reviewing the system journal: journalctl.
augenrules fails with “rule exists” when loading rules into auditd
·425 words·2 mins
When I came back from the holiday break, I found that the openstack-ansible-security role wasn’t passing tests any longer.
2016
Talk Recap: Holistic Security for OpenStack Clouds
·541 words·3 mins
Thanks to everyone who attended my talk at the OpenStack Summit in Barcelona!
Automated security hardening with Ansible: May updates
·434 words·3 mins
Lots of work has gone into the openstack-ansible-security Ansible role since I delivered a talk about it last month at the OpenStack Summit in Austin.
Troubleshooting OpenStack network connectivity
·1140 words·6 mins
NOTE: This post is a work in progress.
Preventing Ubuntu 16.04 from starting daemons when a package is installed
·359 words·2 mins
I’ve gone on some mini-rants in other posts about starting daemons immediately after they’re installed in Ubuntu and Debian.
802.1x with NetworkManager using nmcli
·263 words·2 mins
Authenticating to a wired or wireless network using 802.
Talk Recap: Automated security hardening with OpenStack-Ansible
·597 words·3 mins
Today is the second day of the OpenStack Summit in Austin and I offered up a talk on host security hardening in OpenStack clouds.
Enable IPv6 privacy in NetworkManager
·480 words·3 mins
On most IPv6-enabled networks, network addresses are distributed via stateless address autoconfiguration (SLAAC).
Automated Let’s Encrypt DNS challenges with Rackspace Cloud DNS
·693 words·4 mins
Let’s Encrypt has taken the world by storm by providing free SSL certificates that can be renewed via automated methods.
Enabling kwallet after accidentally disabling it
·242 words·2 mins
Although I use GNOME 3 as my desktop environment, I prefer KDE’s kwallet service to gnome-keyring for some functions.
2015
Talking to college students about information security
·1430 words·7 mins
I was recently asked to talk to Computer Information Systems students at the University of the Incarnate Word here in San Antonio about information security in the business world.
systemd-networkd and macvlan interfaces
·562 words·3 mins
I spent some time working with macvlan interfaces on KVM hypervisors last weekend.
What I learned while securing Ubuntu
·1308 words·7 mins
The blog posts have slowed down a bit lately because I’ve been heads down on a security project at work.
Time Warner Road Runner, Linux, and large IPv6 subnets
·802 words·4 mins
Although Time Warner Cable is now Spectrum and wide-dhcpv6 is quite old, this post is still what I’m using today (in 2019)!
Chronicles of SELinux: Dealing with web content in unusual directories
·1343 words·7 mins
I’ve decided to start a series of posts called “Chronicles of SELinux” where I hope to educate more users on how to handle SELinux denials with finesse rather than simply disabling it entirely.
Build a network router and firewall with Fedora 22 and systemd-networkd
·926 words·5 mins
This post originally appeared on the Fedora Magazine blog.
Research Paper: Securing Linux Containers
·456 words·3 mins
It seems like there’s a new way to run containers every week.
Automated testing for Ansible CIS playbook on RHEL/CentOS 6
·127 words·1 min
I started working on the Ansible CIS playbook for CentOS and RHEL 6 back in 2014 and I’ve made a few changes to increase quality and make it easier to use.
Improving LXC template security
·312 words·2 mins
I’ve been getting involved with the Fedora Security Team lately and we’re working as a group to crush security bugs that affect Fedora, CentOS (via EPEL) and Red Hat Enterprise Linux (via EPEL).
Time for a new GPG key
·254 words·2 mins
After an unfortunate death of my Yubikey NEO and a huge mistake on backups, I’ve come to realize that it’s time for a new GPG key.
Adventures with GRE and IPSec on Mikrotik routers
·1696 words·8 mins
I recently picked up a RB850GX2 from my favorite Mikrotik retailer, r0c-n0c.
You have a problem and icanhazip.com isn’t one of them
·432 words·3 mins
I really enjoy operating icanhazip.
Run virsh and access libvirt as a regular user
·194 words·1 min
Libvirt is a handy way to manage containers and virtual machines on various systems. On most distributions, you can only access the libvirt daemon via the root user by default. I’d rather use a regular non-root user to access libvirt and limit that access via groups.
2014
Trust an IP address with firewalld’s rich rules
·308 words·2 mins
Managing firewall rules with iptables can be tricky at times.
Apache’s mod_proxy, mod_ssl, and BitTorrent Sync
·337 words·2 mins
BitTorrent Sync allows you to keep files synchronized between multiple computers or mobile devices.
Etsy reminds us that information security is an active process
·83 words·1 min
I’m always impressed with the content published by folks at Etsy and Ben Hughes’ presentation from DevOpsDays Minneapolis 2014 is no exception.
AVC: denied dyntransition from sshd
·163 words·1 min
I’ve been working with some Fedora environments in chroots and I ran into a peculiar SELinux AVC denial a short while ago: