  • Log Analyzer

    We are proud to introduce a new Red Hat Access Labs app: Log Analyzer. Log Analyzer is a multi-purpose log parsing web application with an emphasis on break/fix and identification of errors in your log files. Currently there are plenty of enterprise solutions in the log parsing arena, but none that work in an on-demand fashion and none that tie into Red Hat's ecosystem. This app fills that void and provides a means to parse your logs (see the info page for currently supported log types) into a...
    Posted 2014-05-09T17:37:53+00:00 - 7
  • Defeating memory comparison timing oracles

    The standard C function for comparing two strings of the same length, memcmp, can be implemented naïvely as follows: for each byte in the two strings, load the byte at the position currently under consideration from both strings and compare their values; if they are not equal, return some value matching the sign of their difference (as unsigned bytes). If no differing bytes are discovered, return 0. From time to time, there are reports that this implementation results in a timing oracle...
    Posted 2014-05-07T13:30:00+00:00 - 0
  • File System Layout Calculator

    We're proud to introduce a new Red Hat Access Labs app: File System Layout Calculator. To create file systems on multi-disk RAID arrays, you need to use the mkfs command with proper arguments. You need to carefully calculate the value for arguments like stride and stripe-width to make sure that your file systems align with the underlying RAID arrays and that you have maximized performance. This app is designed to save you the trouble of making tedious and error-prone calculations by creating...
    Posted 2014-05-05T03:30:02+00:00 - 5
  • SSL/TLS Everywhere – visions of a secure OpenStack

    As most people familiar with OpenStack are already aware, it is made up of many software components that are typically deployed in a distributed manner. The more scalable an OpenStack deployment is, the more distributed the underlying components are as the infrastructure is usually scaled out horizontally on commodity hardware. As a consequence of this distributed architecture, there are many communication channels used between all of the software components. We have users communicating...
    Posted 2014-04-23T13:42:34+00:00 - 0
  • At the Summit? Visit the Customer Experience Booth!

    At the Summit? Stop by the Customer Experience booth and do the following: Talk to Red Hat Support Engineers about your technical issues, upcoming products, or anything else you can think of! Enter our tech challenge for a chance to win a pair of Bose QC-15 noise canceling headphones. Interested in further details? Swing by the booth! Not sure where our booth is? From the main entry point to the Moscone Center South on Howard Street, simply walk in and instead of getting on the escalators,...
    Posted 2014-04-15T22:36:45+00:00 - 0
  • Moscone Center Gearing up for Red Hat Summit!

    Sitting here at the Moscone Center in San Francisco, one can sense a palpable excitement for the upcoming Red Hat Summit! Keynotes begin tonight and the customer experience booth opens at 5pm. Come on by and take our skills test to see how you do. Not in San Francisco? Don't worry, head on over to http://www.redhat.com/summit/ and live stream the keynotes tonight starting at 6:30pm PDT / 9:30pm EDT / 1:30am UTC. Too late in the evening for you? The keynotes will be recorded and those are...
    Posted 2014-04-14T20:21:07+00:00 - 0
  • New SELinux Feature: File Name Transitions

    In Red Hat Enterprise Linux 7, we have fixed one of the biggest issues with SELinux, where initial creation of content by users and administrators can sometimes get the wrong label. The new feature makes labeling files easier for users and administrators. The goal is to prevent the accidental mislabeling of file objects. Accidental Mislabeling: Users and administrators often create files or directories that do not have the same label as the parent directory, and then they forget to fix the label...
    Posted 2014-04-14T13:30:49+00:00 - 0
  • New Red Hat Enterprise Linux 7 Security Feature: systemd-journald

    A lot has already been written about systemd-journald. For example, this article describes the security benefits of the journal. I would argue that systemd-journal is not a full replacement for syslog. The syslog format is ubiquitous, and I don't see it going away. On all Red Hat Enterprise Linux 7 machines, syslog will still be on by default. This is because it's still the de facto mechanism for centralizing your logging data, and most tools that analyze log data read syslog data. The journald...
    Posted 2014-04-11T13:30:53+00:00 - 0
  • New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp

    One of the reasons I am really excited about Red Hat Enterprise Linux 7 is the amount of new security features we have added, and not all of them involve SELinux. Today, I want to talk about PrivateTmp. One of my goals over the years has been to stop system services from using /tmp. I blogged about this back in 2007. Anytime I have discovered a daemon using /tmp, I have tried to convince the packager to move the temporary content and FIFO files to the /run directory. If the content was...
    Posted 2014-04-09T13:30:19+00:00 - 0
  • New Red Hat Enterprise Linux 7 Security Feature: systemd Starting Daemons

    Why is this a security feature? In previous releases of Red Hat Enterprise Linux, system daemons would be started in one of two ways: At boot, init (sysV) launches an initrc script and then this script launches the daemon. An admin can log in and launch the init script by hand, causing the daemon to run. Let me show you what this means from an SELinux point of view. NOTE: In the code below, @ means execute, --> indicates transition, and === indicates a client/server communication. The...
    Posted 2014-04-08T13:30:52+00:00 - 0
  • Changes to the Customer Portal

    The latest release of the Customer Portal offers a few new changes with regard to content and our navigational layout that we’re really excited about. We recently introduced new product pages that serve as centralized locations for you to find all available resources in relation to a product. These pages offer direct access to our knowledge, documentation, videos, discussions, and more. We're happy to announce that we now offer pages for all of Red Hat's currently supported products. We've...
    Posted 2014-04-04T13:50:34+00:00 - 3
  • KDump Helper

    We're proud to introduce a new Red Hat Access Labs app: KDump Helper. KDump is a reliable kernel crash-dumping mechanism that captures crash dumps for troubleshooting issues like kernel crashes, hangs, and reboots. Setting up KDump usually requires a series of steps and configurations. We developed the KDump Helper app to simplify the process and reduce the effort required to set KDump up on your machines. Input a minimum amount of information and this app will generate an all-in-one script for...
    Posted 2014-04-04T03:27:36+00:00 - 1
  • Welcome to the New Customer Portal Blogs!

    With this latest site release for the Red Hat Customer Portal, we're adding a new blog feature that we're very excited about. These blogs give us the ability to provide a unique channel of information and interaction to you, our customers. You'll have the opportunity to stay up to date on our various products and services, and we encourage you to share your ideas and suggestions with our various Red Hat contributors. The initial set of Customer Portal blogs covers areas such as security,...
    Posted 2014-04-03T22:10:28+00:00 - 2
  • Java Embedded Vulnerability Detector

    Introducing a New Access Labs App: Java Embedded Vulnerability Detector. Upload your JAR (or class) files and this app will tell you if any of your files match one of the many publicly distributed files that the Red Hat Security team has identified as containing a known security flaw, or CVE. A CVE is an item in a list of known vulnerabilities in all software. It provides a common way for people from different organizations to identify a particular known vulnerability. Often when building your...
    Posted 2014-04-01T17:48:12+00:00 - 3
  • The Right Performance Tool for the Task

    As an engineer who works on performance tools at Red Hat, I often get seemingly simple questions along the lines of, "How do I get performance tool X to collect Y data?" Unfortunately, many times the answer is that "tool X does not measure Y." This leads to a discussion about the performance problem being investigated. With additional background information, it becomes much easier to suggest more promising tools and techniques to get the desired measurements. Given the number of performance...
    Posted 2014-03-31T18:04:57+00:00 - 0
  • Determining Whether an Application Has Poor Cache Performance

    Modern computer systems include cache memory to hide the higher latency and lower bandwidth of RAM memory from the processor. The cache has access latencies ranging from a few processor cycles to 10 or 20 cycles, rather than the hundreds of cycles needed to access RAM. If the processor must frequently obtain data from the RAM rather than the cache, performance will suffer. With Red Hat Enterprise Linux 6 and later distributions, the system use of cache can be measured with the perf utility...
    Posted 2014-03-26T20:39:35+00:00 - 0
  • Examining Huge Pages or Transparent Huge Pages Performance

    All modern processors use page-based mechanisms to translate the virtual addresses of user-space processes into physical addresses for RAM. The pages are commonly 4KB in size, and the processor can hold a limited number of virtual-to-physical address mappings in the Translation Lookaside Buffer (TLB). The number of TLB entries ranges from tens to hundreds of mappings. This limits a processor to a few megabytes of memory it can address without changing the TLB entries. When a virtual-to-physical...
    Posted 2014-03-26T20:35:16+00:00 - 0
  • Enhance application security with FORTIFY_SOURCE

    The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in various functions that perform operations on memory and strings. Not all types of buffer overflows can be detected with this macro, but it does provide an extra level of validation for some functions that are potentially a source of buffer overflow flaws. It protects both C and C++ code. FORTIFY_SOURCE works by computing the number of bytes that are going to be copied from a source to the destination. In...
    Posted 2014-03-26T13:30:10+00:00 - 0
  • Introducing Red Hat Access Labs!

    We are thrilled to announce Red Hat Access Labs! Red Hat Access Labs is a new way for Red Hat engineers to deliver tools to help improve performance, quickly troubleshoot issues, identify security problems, or assist with any other issue we see our customers experiencing in their IT environments. Go to the Access Labs landing page to check out the five applications we've launched so far. Here's the inaugural group: SCSI Decoder: Quickly detect, decode, and resolve SCSI error messages...
    Posted 2014-03-19T13:32:12+00:00 - 0
  • The trouble with snprintf

    At least historically, misuse of functions like strcpy, strcat, and sprintf was a common source of buffer overflow vulnerabilities. Therefore, in 1997, the Single UNIX Specification, Version 2, included a new interface for string construction that provided an explicit length of the output string: snprintf. This function can be used for string construction with explicit length checking. Originally, it could be used in the following way: /* buff is a pointer to a buffer of blen characters...
    Posted 2014-03-12T13:30:40+00:00 - 0
  • Security audits through reimplementation

    For many networking protocols and file formats, several implementations exist which interoperate with each other. A newly developed implementation of a protocol or format diverges from previous implementations in subtle ways, at least initially. Such differences can uncover previously unnoticed corner cases which are not handled properly, and sometimes reveal security vulnerabilities. For example, in the mid-90s, it was discovered that Samba's SMB client, smbclient, did not restrict user name length in the same way...
    Posted 2014-02-26T14:30:23+00:00 - 0
  • Embedded Vulnerability Detection command line tool

    The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha...
    Posted 2014-02-05T14:30:45+00:00 - 0
  • Java deserialization flaws: Part 2, XML deserialization

    All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. In the first part of this two-part series, we looked at some of the unexpected security consequences which can arise from usage of binary deserialization in Java applications. This second part of the series will focus on security issues related to XML deserialization. XML Deserialization: An alternative approach to Java's native binary serialization is...
    Posted 2014-01-23T14:30:05+00:00 - 0
  • CWE Vulnerability Assessment Report 2013

    Common Weakness Enumeration (CWE) is a list or dictionary of common software weaknesses. Red Hat has adopted CWE as a common language for describing and classifying vulnerabilities, used as a base for evaluation and prevention of weaknesses. Results of classifications are reviewed periodically and are used to direct our efforts in strengthening the security of development practices, tools, assessment services, education programs and documentation. As a part of this effort, Red Hat Customer Portal...
    Posted 2014-01-15T14:30:10+00:00 - 0