SSH is a great tool for accessing systems remotely to perform system management tasks. It can also be a security risk if it is not configured properly. Many administrators start with the best intentions. Password complexity rules are put in place that require long passwords with a robust mixture of uppercase, lowercase, numbers and special characters. Alternatively, a policy of using SSH public keys is implemented. In most cases this is a great setup. However, there are times when a single method of authentication does not fit well.

It is easier today than ever before to maintain the security posture of your servers thanks to the SCAP Security Guide, an open source project that creates and provides SCAP security policies (such as PCI-DSS, STIG and USGCB) for various platforms, namely Red Hat Enterprise Linux 6 and 7, Fedora, Firefox, and others.

In this post, I will show how the SCAP Security Guide can be used to automate the application of a security policy on Red Hat Enterprise Linux (RHEL) and then validate the result against the official DoD STIG configuration that the Defense Information Systems Agency (DISA) publishes.

This is a blog that I did for work. Enjoy.

When I was still doing IT Operations work, I dreamt of a day when a system could be secured, reliably, during the installation process. Sure, I had scripts and other tools at my disposal, but the problem with them was that there was no consensus that the actions I was taking to secure the server were actually correct. Additionally, what happened if the checks and remediation steps that I was performing changed? How long, if ever, would it take me to change my scripts?

With the advent of SCAP and the associated tools, achieving compliance during installation has never been easier. Long gone are the worries that I used to have, and I can now be sure that the systems I am installing are secure from the first time that they touch the network.

One of the strengths of OpenStack is that it exposes a very rich API that can be used to control every aspect of your cloud. Likewise, one of the more intriguing ways of interacting with an OpenStack cloud is programmatically. There is a Ruby Gem named Fog that allows such interaction. Details on the API methods that Fog supports can be found at the website for Fog: The Ruby Cloud Services Library.

I was recently asked to show an example of how Windows Server 2012 running Internet Information Services (IIS) 8 can scale out in an OpenStack environment. I accepted the challenge and this post is the result. To accomplish the task, I did a default install of an evaluation version of Windows Server 2012 and installed/configured IIS 8 along with support. I then created a very simple web page that uses server variables and the current date and time to create some dynamic content. Lastly, I installed the CloudBase Cloud-Init service so that Windows Server could talk to the OpenStack metadata service. I hope you enjoy the video.

After a long delay (I was moving into a new house and work keeps me very busy), here is the second part of my post on creating scale-out workloads in OpenStack using Heat and Ceilometer. In part one, we broke down the different parts of the Heat template that we will be using in this part of the post. We also covered how I had images and software repos configured to support the WordPress website the template will be deploying. In this part, we will deploy the application, or stack as it is called in OpenStack lingo, and look at different ways to monitor the application to see what is going on.

Recently, I have been spending a fair amount of time tinkering with Red Hat Enterprise Linux OpenStack Platform 5 (RHEL-OSP 5), which is Red Hat's Icehouse-based offering of OpenStack. My goal was to learn how to get OpenStack to scale workloads up and down as needed. Elasticity like this is one of the essential characteristics of cloud computing as defined by the National Institute of Standards and Technology (NIST), and is one of the capabilities that OpenStack has that traditional data center virtualization systems typically don't possess.

A lot of people are probably looking at all of the OpenStack offerings that are out there today and wondering "Which one should I use?" or "What feature makes one company's OpenStack better than the others?" One feature that causes Red Hat's offering to stand out among the others is the inclusion of sVirt. In the simplest terms, sVirt is SELinux for virtualization. It implements Mandatory Access Control to provide protection from potential attacks that could result in hosts or virtual machine instances being compromised. Other Red Hat products take advantage of sVirt as well, including the stand-alone KVM hypervisor that comes with Red Hat Enterprise Linux and Red Hat Enterprise Virtualization.

SCAP and Remediation

Posted: September 8, 2013 in Security

Chances are, if you are a security-conscious server administrator, that you have had to endure the hardship of locking down a server. A lot of the time the lockdown process consists of following a checklist and completing several hours of configuration changes, scans and more configuration changes. You have probably also noticed that even with a detailed checklist, scans often reveal that no two servers are configured in the same manner. Fortunately, the work being done on the Security Content Automation Protocol (SCAP) and the SCAP Security Guide (SSG) is going to make your life easier.

The National Institute of Standards and Technology (NIST) is spearheading the use of SCAP and says it is "a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality."

In this post I am going to demonstrate how to install and use the OpenSCAP scanner along with content from the SCAP Security Guide (SSG) website to scan and secure a Red Hat Enterprise Linux 6 server. If you decide to try this, do it on a test server, since the configuration changes could affect your ability to access the server.