security

Add encrypted ssh keys to your workflow more efficiently with gnome-keyring in the sway window manager.

Keep prying eyes away from your sites behind Traefik with basic authentication. 🛃

Store encrypted kubernetes secrets safely in your gitops repository with easy-to-use age encryption. 🔐

Tailscale provides a handy private network mesh across multiple devices but it needs security just like any other network. 🕵

Learn how to forward ports with firewalld for IPv4 and IPv6 destinations. 🕵🏻

My team at Red Hat builds a lot of kernels in OpenShift pods as part of our work with the Continuous Kernel Integration (CKI) project.

My work at Red Hat involves testing lots and lots of kernels from various sources and we use GitLab CE to manage many of our repositories and run our CI jobs.

The Home Assistant project provides a great open source way to get started with home automtion that can be entirely self-contained within your home.

Firefox has some great features, but one of my favorites is the ability to disable autoplay for videos.

Environment variables are easy to add to OpenShift deployments, but a more secure way to add these variables is by referencing a secret.

The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) was published last week.

Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month.

The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role.

I merged some initial Debian support into the openstack-ansible-security role and ran into an issue enabling AppArmor.

DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes.

Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World”¹, covered a wide range of security concerns.

There were plenty of great quotes from the talk (scroll to the end for those) and I will summarize the main takeaways in this post.

People, process, and technology #

Bruce hits this topic a lot and for good reason: a weak link in any of the three could lead to a breach and a loss of data. He talked about the concept of security as a product and a process. Security is part of every product we consume. Whether it’s the safety of the food that makes it into our homes or the new internet-connected thermostat on the wall, security is part of the product.

The companies that sell these products have a wide variety of strategies for managing security issues. Vulnerabilities in an internet-connected teapot are not worth much since there isn’t a lot of value there. It’s probably safe to assume that a teapot will have many more vulnerabilities than your average Apple or Android mobile device. Vulnerabilities in those devices are extremely valuable because the data we carry on those devices is valuable.

Certainty vs. uncertainty #

The talk moved into incident response and how to be successful when the worst happens. Automation only works when there’s a high degree of certainty in the situation. If there are variables that can be plugged into an algorithm and a result comes out the other end, automation is fantastic.

Bruce recommended using orchestration when tackling uncertain situations, such as security incident responses. Orchestration involves people following processes and using technology where it makes sense.

He talked about going through TSA checkpoints where metal detectors and x-ray scanners essentially run the show. Humans are around when these pieces of technology detect a problem. If you put a weapon into your carry on, the x-ray scanner will notify a human and that human can take an appropriate response to escalate the problem. If a regular passenger has a firearm in a carry-on bag, the police should be alerted. If an Air Marshal has one, then the situation is handled entirely differently - by a human.

One other aspect he noted was around the uncertainty surrounding our data. Our control over our data, and our control over the systems that hold our data, is decreasing. Bruce remarked that he has more control over what his laptop does than his thermostat.

OODA loop #

Bruce raised awareness around the OODA loop and its value when dealing with security incidents. Savvy readers will remember that the OODA loop was the crux of my “Be an inspiration, not an impostor” talk about impostor syndrome.

His point was that the OODA loop is a great way to structure a response during a stressful situation. When the orchestration works well, the defenders can complete an OODA loop faster than their adversaries can. When it works really well, the defenders can find ways to disrupt the adversaries’ OODA loops and thwart the attack.

IBM Interconnect 2017 is coming up next month in Las Vegas.

All systems running systemd come with a powerful tool for reviewing the system journal: journalctl.

When I came back from the holiday break, I found that the openstack-ansible-security role wasn’t passing tests any longer.

Thanks to everyone who attended my talk at the OpenStack Summit in Barcelona!

I’ve recently updated this blog and icanhazip.

If you want to learn more about load balancers and security hardening in OpenStack clouds, join me on Thursday for the Rackspace Office Hours podcast1!

With the upcoming Red Hat Summit 2016 in San Francisco almost upon us, I decided to update the old SELinux shirts with two new designs:

Lots of work has gone into the openstack-ansible-security Ansible role since I delivered a talk about it last month at the OpenStack Summit in Austin.

NOTE: This post is a work in progress.

I’ve gone on some mini-rants in other posts about starting daemons immediately after they’re installed in Ubuntu and Debian.

Authenticating to a wired or wireless network using 802.

Today is the second day of the OpenStack Summit in Austin and I offered up a talk on host security hardening in OpenStack clouds.

OpenStack comes home to Austin on Monday for the OpenStack Summit!

On most IPv6-enabled networks, network addresses are distributed via stateless address autoconfiguration (SLAAC).

Let’s Encrypt has taken the world by storm by providing free SSL certificates that can be renewed via automated methods.

Although I use GNOME 3 as my desktop environment, I prefer KDE’s kwallet service to gnome-keyring for some functions.

I was recently asked to talk to Computer Information Systems students at the University of the Incarnate Word here in San Antonio about information security in the business world.

I spent some time working with macvlan interfaces on KVM hypervisors last weekend.

The blog posts have slowed down a bit lately because I’ve been heads down on a security project at work.

Although Time Warner Cable is now Spectrum and wide-dhcpv6 is quite old, this post is still what I’m using today (in 2019)!

I’ve decided to start a series of posts called “Chronicles of SELinux” where I hope to educate more users on how to handle SELinux denials with finesse rather than simply disabling it entirely.

This post originally appeared on the Fedora Magazine blog.

It seems like there’s a new way to run containers every week.

I started working on the Ansible CIS playbook for CentOS and RHEL 6 back in 2014 and I’ve made a few changes to increase quality and make it easier to use.

I’ve been getting involved with the Fedora Security Team lately and we’re working as a group to crush security bugs that affect Fedora, CentOS (via EPEL) and Red Hat Enterprise Linux (via EPEL).

After an unfortunate death of my Yubikey NEO and a huge mistake on backups, I’ve come to realize that it’s time for a new GPG key.

I recently updated the icanhazip FAQ about the resurgence of the Upatre malware and how it’s abusing icanhazip.

I recently picked up a RB850GX2 from my favorite Mikrotik retailer, r0c-n0c.

I really enjoy operating icanhazip.

The spring of 2015 marks eight years of this blog! I’ve learned plenty of tough lessons along the way and I’ve made some changes recently that might be handy for other people. After watching Sasha Laundy’s video from her awesome talk at Pycon 2015¹, I’m even more energized to share what I’ve learned with other people. (Seriously: Go watch that video or review the slides whether you work in IT or not. It’s worth your time.)

Let’s start from the beginning.

Libvirt is a handy way to manage containers and virtual machines on various systems. On most distributions, you can only access the libvirt daemon via the root user by default. I’d rather use a regular non-root user to access libvirt and limit that access via groups.

Keeping current with the latest trends and technologies in the realm of information security is critical and there are many options to choose from.

Managing firewall rules with iptables can be tricky at times.

Xen’s latest vulnerability, XSA-108, has generated a lot of buzz over the last week.