Today is the second day of the OpenStack Summit in Austin and I offered up a talk on host security hardening in OpenStack clouds. You can download the slides or watch the video here:
Here’s a quick recap of the talk and the conversations afterward:
Security tug-of-war
Information security is a challenging task, mainly because it is more than just a technical problem. Technology is a big part of it, but communication, culture, and compromise are also critical.
Updating Dell PowerEdge firmware from Linux is quite easy, but it isn’t documented very well. I ended up with a set of PowerEdge R710s at work for a lab environment and the BIOS versions were different on each server.
Downloading the latest firmware
Start by heading over to Dell’s support site and entering your system’s service tag. You can use lshw to find your service tag:
lshw | head
lab05
    description: Rack Mount Chassis
    product: PowerEdge R710 ()
    vendor: Dell Inc.
The blog posts have slowed down a bit lately because I’ve been heads down on a security project at work. I’m working with people in the OpenStack community to create a new Ansible role called openstack-ansible-security. The role aims to improve host security by applying hardening standards to the configuration of various parts of the operating system.
This means applying security hardening to Ubuntu 14.04 systems since that’s the only host operating system supported by openstack-ansible at the moment.
I’ve been getting involved with the Fedora Security Team lately and we’re working as a group to crush security bugs that affect Fedora, CentOS (via EPEL) and Red Hat Enterprise Linux (via EPEL). During some of this work, I stumbled upon a group of Red Hat Bugzilla tickets talking about LXC template security.
The gist of the problem is that there’s a wide variance in how users and user credentials are handled by the different LXC templates.
One of the first tools I learned about after working with Red Hat was sysstat. It can write down historical records about your server at regular intervals. This can help you diagnose CPU usage, RAM usage, or network usage problems. In addition, sysstat also provides some handy command line utilities like vmstat, iostat, and pidstat that give you a live view of what your system is doing.
On Debian-based systems (including Ubuntu), you install the sysstat package and enable it with a quick edit to /etc/default/sysstat; the cron job takes it from there.