Changes in RHEL 7 Security Technical Implementation Guide Version 1, Release 3

The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) was published last week. This release is Version 1, Release 3, and it contains four main changes:

- V-77819 - Multifactor authentication is required for graphical logins
- V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
- V-77823 - Single user mode must require user authentication
- V-77825 - Address space layout randomization (ASLR) must be enabled

Deep dive

Let’s break down this list to understand what each one means.
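As an added example (not part of the original post and not the STIG's own check content), here is a small POSIX shell script that checks a RHEL 7 host against the four new findings. Each check takes its input (a sysctl value or file contents) as an argument so it can be tested against constructed strings; the file paths at the bottom are the standard RHEL 7 locations and are assumed to be where the settings live on the host being checked.

```shell
#!/bin/sh
# Added example for this post, not the STIG's own check scripts: each function
# implements the check for one of the four new V1R3 findings. The functions take
# the relevant value or file contents as an argument so they can run against
# constructed input; live_checks feeds them the real files when present.

# V-77825 (ASLR): /proc/sys/kernel/randomize_va_space must be 2.
# A value of 1 randomises stacks and mmap but not the brk heap, so it fails.
aslr_enabled() {
    [ "$1" = "2" ]
}

# V-77821 (DCCP): a modprobe "install" override must point the module at
# /bin/true. A plain "blacklist dccp" line is not enough: blacklist only stops
# loading by alias, and an explicit "modprobe dccp" still loads the module.
# $1 is the concatenated contents of /etc/modprobe.d/*.conf.
dccp_disabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/true'
}

# V-77823 (single-user mode): rescue.service must run sulogin, which asks for
# the root password before handing over a shell. $1 is the unit file contents.
rescue_requires_auth() {
    printf '%s\n' "$1" | grep -Eq '^ExecStart=.*sulogin'
}

# V-77819 (MFA for graphical logins): GDM must have smart-card authentication
# enabled in the dconf system database. $1 is the concatenated contents of
# /etc/dconf/db/local.d/*.
gdm_smartcard_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*enable-smartcard-authentication[[:space:]]*=[[:space:]]*true'
}

# Print PASS or FAIL for a check name and its argument.
report() {
    if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; fi
}

# Run every check against the live system, skipping inputs that do not exist.
live_checks() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        report aslr_enabled "$(cat /proc/sys/kernel/randomize_va_space)"
    fi
    if [ -d /etc/modprobe.d ]; then
        report dccp_disabled "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
    fi
    if [ -r /usr/lib/systemd/system/rescue.service ]; then
        report rescue_requires_auth "$(cat /usr/lib/systemd/system/rescue.service)"
    fi
    if [ -d /etc/dconf/db/local.d ]; then
        report gdm_smartcard_enabled "$(cat /etc/dconf/db/local.d/* 2>/dev/null)"
    fi
    return 0
}

live_checks
```

Run it as root on the host; each line reports one finding. The DCCP check deliberately rejects a bare `blacklist` line, because that is the most common way this finding is "fixed" without actually preventing the module from loading.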
Read more →

systemd-networkd on Ubuntu 16.04 LTS (Xenial)

My OpenStack cloud depends on Ubuntu, and the latest release of OpenStack-Ansible (what I use to deploy OpenStack) requires Ubuntu 16.04 at a minimum. I tried upgrading the servers in place from Ubuntu 14.04 to 16.04, but that didn’t work so well. Those servers wouldn’t boot and the only recourse was a re-install. Once I finished re-installing them (and wrestling with several installer bugs in Ubuntu 16.04), it was time to set up networking.
Read more →

Display auditd messages with journalctl

All systems running systemd come with a powerful tool for reviewing the system journal: journalctl. It allows you to get a quick look at the system journal while also allowing you to heavily customize your view of the log. I logged into a server recently that was having a problem and I found that the audit logs weren’t going into syslog. That’s no problem - they’re in the system journal. The system journal was filled with tons of other messages, so I decided to limit the output only to messages from the auditd unit:
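As an added example (not code from the original post), the script below shows the journalctl matches for pulling audit records out of the journal and a small awk summary that counts records by audit type. The `+` operator that ORs two match expressions and the `_TRANSPORT=audit` field are documented journalctl and journald behaviour; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this post, not code from the original. audit_journal shows
# the journalctl matches; audit_summary counts audit records by type from
# journal output on stdin; sample_journal supplies constructed lines so the
# summary can be run offline.

# Select audit-related entries. "_SYSTEMD_UNIT=auditd.service" is what
# "journalctl -u auditd" matches: messages logged by the auditd daemon itself.
# Records journald reads straight from the kernel audit socket are tagged
# _TRANSPORT=audit instead (see systemd.journal-fields(7)); "+" ORs the two
# expressions. Extra options such as --since are passed through.
audit_journal() {
    journalctl --no-pager -o short-iso "$@" \
        _SYSTEMD_UNIT=auditd.service + _TRANSPORT=audit
}

# Count records per audit type and how many of them ended in res=failed.
# journald renders kernel audit records as "audit[<pid>]: <TYPE> key=value ...".
audit_summary() {
    awk '
        function bump(type) {
            count[type]++
            if ($0 ~ /res=failed/) failed[type]++
        }
        /audit\[[0-9]+\]: [A-Z_]+/ {
            type = $0
            sub(/.*audit\[[0-9]+\]: /, "", type)
            sub(/[^A-Z_].*/, "", type)
            bump(type)
        }
        END {
            for (type in count)
                printf "%d %s (failed: %d)\n", count[type], type, failed[type] + 0
        }
    ' | sort -rn
}

# Constructed sample in journalctl short-iso format (not from a real host).
sample_journal() {
    cat <<'EOF'
2017-06-01T12:00:01+0000 web1 systemd[1]: Started Security Auditing Service.
2017-06-01T12:00:01+0000 web1 auditd[1180]: Init complete, auditd 2.7.6 listening for events (startup state enable)
2017-06-01T12:00:05+0000 web1 audit[2201]: USER_LOGIN pid=2201 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=success'
2017-06-01T12:00:09+0000 web1 audit[2210]: USER_LOGIN pid=2210 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.77 addr=10.0.0.77 terminal=ssh res=failed'
2017-06-01T12:00:12+0000 web1 audit[2201]: USER_LOGIN pid=2201 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=success'
2017-06-01T12:00:15+0000 web1 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
2017-06-01T12:00:20+0000 web1 audit[2230]: USER_AUTH pid=2230 uid=1000 auid=1000 ses=5 msg='op=PAM:authentication acct="root" exe="/usr/bin/su" hostname=web1 addr=? terminal=pts/0 res=failed'
EOF
}

sample_journal | audit_summary
```

On a live host, `audit_journal --since today | audit_summary` gives the same breakdown for the current day. The `_TRANSPORT=audit` match matters in practice: a plain `-u auditd` shows what the daemon logs about itself, while the kernel's own audit records carry no unit field and would be missed.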
Read more →

Automated security hardening with Ansible: May updates

Lots of work has gone into the openstack-ansible-security Ansible role since I delivered a talk about it last month at the OpenStack Summit in Austin. Attendees asked for quite a few new features and I’ve seen quite a few bug reports (and that’s a good thing). Here’s a list of the newest additions since the Summit:

New features

Ubuntu 16.04 LTS (Xenial) support

The role now works with Ubuntu 16.04 and its newest features, including systemd.
Read more →

Preventing Ubuntu 16.04 from starting daemons when a package is installed

I’ve gone on some mini-rants in other posts about starting daemons immediately after they’re installed in Ubuntu and Debian. Things are a little different in Ubuntu 16.04 and I thought it might be helpful to share some tips for that release. Before we do that, let’s go over something. I still don’t understand why this is a common practice within Ubuntu and Debian. Take a look at the postinst-systemd-start script within the init-system-helpers package:
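As an added example (not the script quoted above, and not from the original post), here is the standard way to keep a package's postinst from starting its service on Debian and Ubuntu, including 16.04: a `/usr/sbin/policy-rc.d` hook that returns exit status 101. Both `invoke-rc.d` and init-system-helpers' `deb-systemd-invoke` consult that hook before starting a service, so it covers sysvinit and systemd packages alike. The optional root-directory argument is my addition so the functions can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example for this post; it is not the postinst script discussed above.
# Installs the policy-rc.d hook that invoke-rc.d and deb-systemd-invoke check
# before starting a service from a maintainer script: exit status 101 means
# "action forbidden", so the postinst's "start" is skipped while the unit is
# still enabled for the next boot. The root argument exists only so the
# functions can be exercised against a temporary directory.

# Write /usr/sbin/policy-rc.d under $1 (default "/") that forbids every action.
deny_service_starts() {
    root="${1:-/}"
    mkdir -p "$root/usr/sbin"
    cat > "$root/usr/sbin/policy-rc.d" <<'EOF'
#!/bin/sh
# Installed temporarily: refuse all service actions requested by package scripts.
exit 101
EOF
    chmod 755 "$root/usr/sbin/policy-rc.d"
}

# Remove the hook again. Forgetting this leaves later upgrades unable to
# restart their services.
allow_service_starts() {
    root="${1:-/}"
    rm -f "$root/usr/sbin/policy-rc.d"
}

# Return 0 when the hook under $1 forbids starts, 1 otherwise. The hook is
# called the way invoke-rc.d calls it: <initscript id> <action>.
starts_are_denied() {
    hook="${1:-/}/usr/sbin/policy-rc.d"
    [ -x "$hook" ] || return 1
    status=0
    "$hook" example start || status=$?
    [ "$status" -eq 101 ]
}

# Typical use on a live host (needs root and apt, so not run here):
#   deny_service_starts
#   apt-get install -y nginx
#   allow_service_starts
#   systemctl mask nginx    # only if it must never start, even on reboot
```

The hook blocks starts triggered by package scripts only; it does not stop `systemctl start` typed by an administrator, and it does not unenable the unit, so the daemon still comes up on the next boot unless you mask it.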
Read more →