Red Hat Security Blog: April 2014 archives

  • SSL/TLS Everywhere – visions of a secure OpenStack

    As most people familiar with OpenStack are already aware, it is made up of many software components that are typically deployed in a distributed manner. The more scalable an OpenStack deployment is, the more distributed the underlying components are as the infrastructure is usually scaled out horizontally on commodity hardware. As a consequence of this distributed architecture, there are many communication channels used between all of the software components. We have users communicating...
    Posted 2014-04-23T13:42:34+00:00
  • New SELinux Feature: File Name Transitions

    In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux where initial creation of content by users and administrators can sometimes get the wrong label. The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects. Accidental Mislabeling: Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label...
    Posted 2014-04-14T13:30:49+00:00
  • New Red Hat Enterprise Linux 7 Security Feature: systemd-journald

    A lot has already been written about systemd-journald. For example, this article describes the security benefits of the journal. I would argue that systemd-journal is not a full replacement for syslog. The syslog format is ubiquitous, and I don't see it going away. On all Red Hat Enterprise Linux 7 machines, syslog will still be on by default. This is because it's still the de facto mechanism for centralizing your logging data, and most tools that analyze log data read syslog data. The journald...
    Posted 2014-04-11T13:30:53+00:00
  • New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp

    One of the reasons I am really excited about Red Hat Enterprise Linux 7 is the amount of new security features we have added, and not all of them involve SELinux. Today, I want to talk about PrivateTmp. One of my goals over the years has been to stop system services from using /tmp. I blogged about this back in 2007. Anytime I have discovered a daemon using /tmp, I have tried to convince the packager to move the temporary content and FIFO files to the /run directory. If the content was...
    Posted 2014-04-09T13:30:19+00:00
  • New Red Hat Enterprise Linux 7 Security Feature: systemd Starting Daemons

    Why is this a security feature? In previous releases of Red Hat Enterprise Linux, system daemons would be started in one of two ways: At boot, init (sysV) launches an initrc script and then this script launches the daemon. An admin can log in and launch the init script by hand, causing the daemon to run. Let me show you what this means from an SELinux point of view. NOTE: In the code below, @ means execute, --> indicates transition, and === indicates a client/server communication. The...
    Posted 2014-04-08T13:30:52+00:00