Changes in RHEL 7 Security Technical Implementation Guide Version 1, Release 3

The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) was published last week. This release is Version 1, Release 3, and it contains four main changes:

V-77819 - Multifactor authentication is required for graphical logins
V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
V-77823 - Single user mode must require user authentication
V-77825 - Address space layout randomization (ASLR) must be enabled

Deep dive

Let’s break down this list to understand what each one means....

2017-11-02 · 3 min · Major Hayden

systemd-networkd on Ubuntu 16.04 LTS (Xenial)

My OpenStack cloud depends on Ubuntu, and the latest release of OpenStack-Ansible (what I use to deploy OpenStack) requires Ubuntu 16.04 at a minimum. I tried upgrading the servers in place from Ubuntu 14.04 to 16.04, but that didn’t work so well. Those servers wouldn’t boot and the only recourse was a re-install. Once I finished re-installing them (and wrestling with several installer bugs in Ubuntu 16.04), it was time to set up networking....

2017-01-15 · 3 min · Major Hayden

Display auditd messages with journalctl

All systems running systemd come with a powerful tool for reviewing the system journal: journalctl. It allows you to get a quick look at the system journal while also allowing you to heavily customize your view of the log. I logged into a server recently that was having a problem and I found that the audit logs weren’t going into syslog. That’s no problem - they’re in the system journal. The system journal was filled with tons of other messages, so I decided to limit the output only to messages from the auditd unit:...

2017-01-05 · 3 min · Major Hayden

Automated security hardening with Ansible: May updates

Lots of work has gone into the openstack-ansible-security Ansible role since I delivered a talk about it last month at the OpenStack Summit in Austin. Attendees asked for quite a few new features and I’ve seen quite a few bug reports (and that’s a good thing). Here’s a list of the newest additions since the Summit:

New features

Ubuntu 16.04 LTS (Xenial) support

The role now works with Ubuntu 16.04 and its newest features, including systemd....

2016-05-27 · 3 min · Major Hayden

Preventing Ubuntu 16.04 from starting daemons when a package is installed

I’ve gone on some mini-rants in other posts about starting daemons immediately after they’re installed in Ubuntu and Debian. Things are a little different in Ubuntu 16.04 and I thought it might be helpful to share some tips for that release. Before we do that, let’s go over something. I still don’t understand why this is a common practice within Ubuntu and Debian. Take a look at the postinst-systemd-start script within the init-systems-helpers package (source link):...

2016-05-05 · 2 min · Major Hayden

Talk Recap: Automated security hardening with OpenStack-Ansible

Today is the second day of the OpenStack Summit in Austin and I offered up a talk on host security hardening in OpenStack clouds. You can download the slides or watch the video here: Here’s a quick recap of the talk and the conversations afterward:

Security tug-of-war

Information security is a challenging task, mainly because it is more than just a technical problem. Technology is a big part of it, but communication, culture, and compromise are also critical....

2016-04-26 · 3 min · Major Hayden

Updating Dell PowerEdge BIOS from Linux

Updating Dell PowerEdge firmware from Linux is quite easy, but it isn’t documented very well. I ended up with a set of PowerEdge R710s at work for a lab environment and the BIOS versions were different on each server.

Downloading the latest firmware

Start by heading over to Dell’s support site and enter your system’s service tag. You can use lshw to find your service tag:

    # lshw | head
    lab05
        description: Rack Mount Chassis
        product: PowerEdge R710 ()
        vendor: Dell Inc....

2016-01-18 · 3 min · Major Hayden

What I learned while securing Ubuntu

The blog posts have slowed down a bit lately because I’ve been heads down on a security project at work. I’m working with people in the OpenStack community to create a new Ansible role called openstack-ansible-security. The role aims to improve host security by using hardening standards to improve the configuration of various parts of the operating system. This means applying security hardening to Ubuntu 14.04 systems since that’s the only host operating system supported by openstack-ansible at the moment....

2015-10-14 · 7 min · Major Hayden

Improving LXC template security

I’ve been getting involved with the Fedora Security Team lately and we’re working as a group to crush security bugs that affect Fedora, CentOS (via EPEL) and Red Hat Enterprise Linux (via EPEL). During some of this work, I stumbled upon a group of Red Hat Bugzilla tickets talking about LXC template security. The gist of the problem is that there’s a wide variance in how users and user credentials are handled by the different LXC templates....

2015-06-18 · 2 min · Major Hayden

Install sysstat on Fedora 21

One of the first tools I learned about after working with Red Hat was sysstat. It can write down historical records about your server at regular intervals. This can help you diagnose CPU usage, RAM usage, or network usage problems. In addition, sysstat also provides some handy command line utilities like vmstat, iostat, and pidstat that give you a live view of what your system is doing. On Debian-based systems (including Ubuntu), you install the sysstat package and enable it with a quick edit to /etc/default/sysstat and the cron job takes it from there....

2014-12-12 · 2 min · Major Hayden