This summer marked 15 years since we founded a dedicated Product Security team for Red Hat. While we often publish information in this blog about security technologies and vulnerabilities, we rarely give an introspection into the team itself. So I’d like, if I may, to take you on a little journey through those 15 years and call out some events that mean the most to me; particularly what’s changed and what’s stayed the same. In the coming weeks some other past and present members of the team...
Stability is one of the most important topics in IT. Although a system might have “five 9s” availability (up for 99.999% of time), there is still a chance of a disaster occurring. And when disaster strikes, the most important action for an IT team is to perform proper RCA (Root Cause Analysis). Luckily Red Hat Enterprise Linux created a feature to help with failed systems.
kdump is a feature of the Linux kernel used to assist with crashed systems. kdump works by booting another...
Early in my career I was responsible for maintaining build machines for multiple software engineering teams. Those build machines not only built the actual binaries for the product but they also served up critical services leveraged by engineering teams across the company. Whenever we encountered networking issues with those machines, I distinctly remember opening my email inbox and being inundated with emails from coworkers complaining about problems connecting to those services. I had to...
alternate title: disconnected customers like nice things too.
The Red Hat Content Delivery Network (henceforth known as the CDN) is the source of content for Satellite 6. Understanding
This document aims to document
What the Red Hat CDN is
How to mirror it.
How to leverage many of the tools in the Satellite 6 product to easily mirror or copy it for disconnected usage
What is the Red Hat CDN?
The Red Hat Content Delivery Network, nominally accessed via cdn.redhat.com is a...
Shipped in Red Hat Satellite 6.2.2 are a number of tools to improve the renewal experience.
Subscriptions are attached to systems.
Subscriptions grant access to content.
Without a valid subscription, a system cannot access content.
What is a renewal?
A subscription renewal, for all practical purposes, is when a subscription expires and is replaced with a new subscription. Renewals are, at their core, a financial transaction between Red Hat and the customer, where the...
At Red Hat Summit this year, we announced the Red Hat Satellite organization on GitHub as a means to provide a location to curate scripts/projects that Red Hat employees, customers, and community members have written for use with Red Hat Satellite.
We would like to leverage this organization in the following manner:
Provide a clearinghouse of well maintained, but officially unsupported tools known to work with a supported version of Satellite.
Allow users of Satellite such as yourselves to...
Every system administrator knows the feeling of having to wake up in the middle of the night because a server crashed or lost connectivity. This is where Red Hat Insights comes in. Thanks to our expansive knowledge base, the Insights team has been able to identify several critical stability issues that could cause a system outage. Don’t let these issues catch you by surprise. Check out our latest stability rules here!
The “rpmdbNextIterator” error exists in the...
Many of the various subscriptions that Red Hat offers are sold with the following spirit & terms
A subscription is purchased based upon the socket count of a hypervisor.
The subscription allows some number of guests (usually an UNLIMITED quantity, but sometimes values of 1 & 4 are used) to be instantiated on that hypervisor.
These subscriptions require virt-who, the daemon that collects & reports host/guest mapping. This document aims to provide some further insight to...
Being easy to pick up and allowing quick progress towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. However, the apparent clarity and friendliness of the language could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at...
CRC (Cyclic Redundancy Check) is a test to ensure data does not become corrupt when sent across networks or storage devices. The test begins by calculating a check value based on the contents of the data that will be sent over the network. The check value is recalculated when the data arrives at its destination, and if the recalculated check value differs from the initial check value, then the data has been corrupted.
CRC Errors and RHEL
Red Hat Enterprise Linux (RHEL) will log received CRC...
working title: of Men, Mice and Manifests
With the introduction of the newer Systems Management tools such as Satellite 6, we introduced a new concept, the Subscription Manifest (which is different from Satellite 5 Entitlement XML certificates), as the means to import subscriptions into Satellite for the purposes of synchronizing content and attaching subscriptions to systems.
What is a subscription manifest?
A subscription manifest is a digitally signed zip file containing:
Satellite 6.2 ships with the much anticipated remote execution feature, which allows you to run scripts and jobs on a group of systems and then gather and view the output in the Satellite interface.
Remote Execution by itself works fine out of the box for new machines, but already existing machines need to be bootstrapped by adding an SSH public key to root's ~/.ssh/authorized_keys.
You can use Puppet to do this - assuming you are using Puppet at all - in two distinct ways:
- you can use a full...
A typical workflow for a Satellite 5 installation involves maintaining strict control over exactly what changes are available to registered systems. This is accomplished by cloning the channels synchronized from Red Hat Network, and limiting the clones to a given subset of the 'current' state of the original channel. spacewalk-clone-by-date is a tool available as part of the Satellite 5 subscription which aims to ease the process of creating and maintaining cloned channels. However...
Red Hat is pleased to announce the general availability of Red Hat Satellite 6.2.
Red Hat Satellite 6.0 included a redesigned product architecture to manage new types of content on a wide variety of platforms, including bare-metal, private, and public clouds.
Satellite 6.2 continues to build on that release and features the following:
Increase Efficiency with Automated Workflows
Satellite 6.2 introduces remote execution, automating workflows and enabling users to take multiple actions against...
JBoss Enterprise Application Platform 7 allows the definition of Java Security Policies per application. The way it's implemented means that we'll also be able to define security policies per module, in addition to defining one per application. The ability to apply the Java Security Manager per application, or per module, in EAP 7 makes it a versatile tool for mitigating serious security issues, and useful for applications with strict security requirements.
The main difference between EAP 6...
Recent research by Chris Frohoff and Gabriel Lawrence has exposed gadget chains in various libraries that allow code to be executed during object deserialization in Java. They've done some excellent research, including publishing some code that allows anyone to serialize a malicious payload that when deserialized runs the operating system command of their choice, as the user which started the Java Virtual Machine (JVM). The vulnerabilities are not with the gadget chains themselves but with the...
As a valued customer you have access to extensive content and certain products for developer use, which help you create your applications quickly. We want to assist you wherever you may look for help. We know developers love StackOverflow. For a limited time, as a subscriber you can sign up for our StackOverflow Assistance pilot.
As part of this pilot, we will try to respond within 24 hours to your developer question on a Red Hat product within StackOverflow, if it hasn’t already been answered...
As part of the StackOverflow Pilot Program, the list of StackOverflow tags we will be monitoring include:
Red Hat Product Security has long provided various bits of machine-consumable information to customers and users via our Security Data page. Today we are pleased to announce that we have made it even easier to access and parse this data through our new Security Data API service.
While we have provided this information since January 2005, it required end users to download the content from the site, which meant you either downloaded many files and kept a local copy, or you were downloading large...
Humans have been measuring risk since the dawn of time. "I'm hungry, do I go outside my awesome cave here and forage for food? There might be something bigger, scarier, and hungrier than me out there...maybe I should wait?" Successfully navigating through life is a series of Risk/Reward calculations made each and every day. Sometimes, ideally, the choices are small ("Do I want fries with that?") while others can lead to catastrophic outcomes if the scenario isn't fully thought-through and...
Download the beta here
Review beta documentation
Open a ticket on the beta
Red Hat is pleased to announce the second beta for Satellite 6.2. Beta 2 is immediately available to all current beta customers. The list of new features in this beta can be reviewed in the Beta 1 Announcement.
Satellite 6.2 Beta - What's New
Lots of bug fixes based on your feedback
The first beta had very good adoption. Thank you for your time. Based on your feedback we have resolved many bugs. Specifically, you...
There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel.
seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the...
Quick Emulator (aka QEMU) is an open source systems emulator. It emulates various processors and their accompanying hardware peripherals such as disks, serial ports, NICs et al. A serious vulnerability of out-of-bounds r/w access through the Video Graphics Array (VGA) emulator was discovered and reported by Mr Wei Xiao and Qinghao Tang of Marvel Team at 360.cn Inc. This vulnerability is formally known as Dark Portal. In this post we'll see how Dark Portal works and its mitigation.
VGA is a hardware...