Archive for the ‘Security’ Category

SSH is a great tool for accessing systems remotely to perform system management tasks. It can also be a security risk if it is not configured properly. Many administrators start with the best intentions. Password complexity rules are put in place that require long passwords with a robust mixture of uppercase, lowercase, numbers and special characters. Alternatively, a policy of using SSH public keys is implemented. In most cases, this is a great setup. However, there are times when a single method for authentication does not fit well. (more…)

It is easier today than ever before to maintain the security posture of your servers thanks to the SCAP Security Guide, an open source project creating and providing SCAP security policies (such as PCI-DSS, STIG and USGCB) for various platforms – namely Red Hat Enterprise Linux 6 and 7, Fedora, Firefox, and others.

In this post, I will show how the SCAP Security Guide can be used to automate the application of a security policy on Red Hat Enterprise Linux (RHEL) and then validated with the official DoD STIG configuration that the Defense Information Systems Agency (DISA) publishes. (more…)

When I was still doing IT Operations work, I dreamt of a day when a system could be secured and done so reliably during the installation process. Sure, I had scripts and other tools at my disposal, but the problem with them was that there was no consensus that the actions I was taking to secure the server were actually correct. Additionally, what happened if the checks and remediation steps that I was performing changed? How long, if ever, would it take me to change my scripts?

With the advent of SCAP and the associated tools, achieving compliance during installation has never been easier.  Long gone are the worries that I used to have and I can now be sure that the systems I am installing are secure from the first time that they touch the network. (more…)

A lot of people are probably looking at all of the OpenStack offerings that are out there today and wondering “Which one should I use?” or “What feature makes one company’s OpenStack better than the others?” One feature that causes Red Hat’s offering to stand out among the others is the inclusion of sVirt. In the simplest terms, sVirt is SELinux for virtualization. It implements Mandatory Access Controls to provide protection from potential attacks that could result in hosts or virtual machine instances being compromised. Other Red Hat products take advantage of sVirt as well, including the standalone KVM hypervisor that comes with Red Hat Enterprise Linux and Red Hat Enterprise Virtualization. (more…)

SCAP and Remediation

Posted: September 8, 2013 in Security

Chances are that if you are a security-conscious server administrator, you have had to endure the hardship of locking down a server. A lot of times the lockdown process consists of following a checklist and completing several hours of configuration changes, scans and more configuration changes. You have probably also noticed that even with a detailed checklist, scans often reveal that no two servers are configured in the same manner. Fortunately, the work being done on the Security Configuration Automation Protocol (SCAP) and the SCAP Security Guide (SSG) is going to make your life easier.

The National Institute of Standards and Technology (NIST) is spearheading the use of SCAP and says it is “a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.”

In this post I am going to demonstrate how to install and use the OpenSCAP scanner along with content from the SCAP Security Guide (SSG) website to scan and secure a Red Hat Enterprise Linux 6 server.  If you decide to try this, do it on a test server since the configuration changes could affect your ability to access the server. (more…)