Red Hat Enterprise Linux provides strong security features that align with the defense in depth philosophy. These include hardening the operating system, applying security patches, using SELinux for mandatory access control, and implementing strong authentication methods. Proper authorization and profiling of users is also important to only grant necessary privileges.
Remote security with Red Hat Enterprise Linux
1. Remote security with
Red Hat Enterprise Linux
Giuseppe “Gippa” Paternò
Red Hat - Solution Architect & EMEA Security Prod. Expert
Visiting Researcher – Trinity College Dublin
gpaterno@redhat.com
paternog@cs.tcd.ie
2. Who am I
Currently Solution Architect and EMEA Security Expert in
Red Hat
Visiting Researcher at Trinity College Dublin
Previously Security Solution Architect in Sun and also in
IBM
Red Hat Certified Security Specialist (RHCSS), RH
Architect (RHCA) and Cisco Certified Network Professional
(CCNP)
Part of the Italian security community sikurezza.org
Forensic analysis for local governments
More on:
● http://www.gpaterno.com/
● http://www.scss.tcd.ie/Giuseppe.Paterno/
● http://www.linkedin.com/in/gpaterno
3. Agenda
The “Defense in Depth” philosophy
Advantages of OSS on Security
Statistics about Linux vulnerabilities
Security of the Operating System
● Kernel security and other features
● The importance of patching
● Hardening, minimization and how Linux is positioned
MAC systems: SELinux
Authentication and authorization
● Integration with Linux and with applications
● Smart Cards and Biometric authentication
● Authorization and profiling, i.e. assigning roles
Application protection
● Be aware of the “default” installation
● Use of the application-layer firewalls
4. “ The only truly secure system is one that is
powered off, cast in a block of concrete and sealed
in a lead-lined room with armed guards - and even
then I have my doubts. ”
Eugene H. Spafford, director of the Purdue Center for Education and Research in
Information Assurance and Security.
5. The “Defense in Depth” philosophy
Any system, configuration, application and even software
development has to be designed with security in mind
It uses several security layers to secure systems and data.
● Use of multiple computer security techniques to help
mitigate the risk of one defence being compromised
or circumvented
● Ex: using antivirus on both workstations and file/mail
servers
This concept should be applied to every system,
especially those that hold sensitive data or wherever
security is highly required
6. The “Defense in Depth” philosophy
This translates into:
● Secure the OS
● Secure access to the network
● Use a common/central authentication and authorization
● Secure the applications
● Think and develop applications in a secure way
Red Hat Enterprise Linux is the only OS that
respects the “Defense in Depth” philosophy
7. Advantages of OSS on Security
Open Source means that the code is publicly available
A great number of people (the community) can evaluate
the code of the project and:
● Find memory leaks in the code (programming error)
● Find a weak algorithm/protocol (design error)
● Have a peer review (from expert people)
As a result we will (and a given vendor will):
● Have the best code and algorithm
● Have a quick fix for the problem (even on day 0)
● Most of the “white-hats” produce both an exploit
and a patch for the program
Most projects reuse standard algorithms/code
(libraries), thus eliminating common problems.
8. Linux (RHEL) default install vulnerabilities
[Bar chart; y-axis: Number of vulnerabilities (0 to 180). Values as read from the chart, by severity:]
● Low: 82 (23%)
● Moderate: 117 (32%)
● Important: 160 (44%)
● Critical: 3 (1%)
9. Security of the OS:
hardening/minimization
Out of the box, nearly all operating systems are
configured insecurely. Hardening is minimizing a
computer's exposure to current and future threats.
How it works:
● Remove unnecessary users/groups
● Disable unused services
● Configure securely all used applications
● Configure the strongest authentication possible
● Use and configure firewalls/IDS/IPS/MAC systems...
Fewer software components on a server means fewer
security holes to detect and fill
Minimizing the number of OS modules installed
on a server can greatly improve overall system
security by reducing the number of
vulnerabilities.
10. Security of the OS: how is Linux
Most Linux distributions are hardened and secured by
default (at least RHEL and Fedora are ;)
● Only SSH open, and other services on loopback only
● No insecure/unencrypted services (telnet/ftp/r*)
● Firewall and Mandatory Access Control (MAC) systems
enabled by default
● All unnecessary users/groups set to nologin
● Default package set kept to a minimum (minimization)
● The admin installs only what is strictly necessary to run
the server
● Minimal systems are usually supported!!
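The two hardening checks slides 9 and 10 describe (no shell-capable service accounts, nothing but SSH reachable from outside, no cleartext telnet/ftp/r* services) can be turned into a small audit. The script below is an added example written for this page, not code from the slides or from Red Hat; the `/etc/passwd` excerpt and the `ss -Hltn` style listener table are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example: a minimal hardening audit over constructed sample data,
# so it runs without root and without a real RHEL host. On a live system
# feed it real output instead, for example:
#   audit_shell_accounts "$(cat /etc/passwd)"
#   audit_listeners "$(ss -Hltn)"

# Constructed /etc/passwd excerpt (sample data, not from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
games:x:12:100:games:/usr/games:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed listener table in `ss -Hltn` layout (sample data):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 50 0.0.0.0:21 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*'

# System accounts (UID below 1000, excluding root) whose login shell is not
# nologin/false. Each one is a candidate for "set to nologin" (slide 10).
audit_shell_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Listening sockets bound to something other than loopback, one "addr:port"
# per line. Slide 10 rule: only SSH should be reachable, the rest loopback only.
audit_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
            print addr
        }'
}

# Among the exposed listeners, name the cleartext services the slide bans.
flag_cleartext_services() {
    audit_listeners "$1" | awk -F: '
        { port = $NF }
        port == 21 { print "ftp"; next }
        port == 23 { print "telnet"; next }
        port == 512 || port == 513 || port == 514 { print "r-services"; next }'
}

# Run the audit on the constructed samples when executed directly.
echo "system accounts with a login shell:"
audit_shell_accounts "$SAMPLE_PASSWD"
echo "listeners exposed beyond loopback:"
audit_listeners "$SAMPLE_LISTENERS"
echo "cleartext services exposed:"
flag_cleartext_services "$SAMPLE_LISTENERS"
```

On the sample data the audit reports `ftp` and `games` as system accounts with a real shell, three sockets exposed beyond loopback (22, 21 and 23), and ftp and telnet as cleartext services that should not be there. The UID cut-off of 1000 is an assumption matching RHEL's default `UID_MIN`; adjust it if `/etc/login.defs` says otherwise.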
11. Security of the OS: kernel
Buffer overflow:
● Injects arbitrary code (usually a shell) into the
program's data area and executes it
● The attacker gains the access and privileges of the
exploited program
How to prevent it:
● No-Execute and Exec-shield technology
● Software emulation of the no-execute bit for
the data area
● Flag data memory as non-executable and
program memory as non-writeable
● PIE (Position Independent Executable)
● Randomization of the application address
in the stack
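The NX and PIE protections above only help a program that was built to use them, so a defender wants a way to check a given binary. The following is an added example, not code from the slides: it reads the ELF header and the `GNU_STACK` program header as printed by `readelf -hl` (binutils) and reports whether the file is position-independent and whether its stack is marked non-executable. The two `readelf` excerpts are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify a binary's NX/PIE status from `readelf -hl` text.
# Live usage (assumes binutils is installed):
#   elf_hardening_report "$(readelf -hl /usr/sbin/sshd)"

# Constructed excerpt for a PIE binary with a non-executable stack.
SAMPLE_READELF_GOOD='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10'

# Constructed excerpt for a non-PIE binary whose stack is executable.
SAMPLE_READELF_BAD='ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    0x10'

# "pie" when the ELF type is DYN (PIE executables and shared objects both use
# it), "no-pie" for a fixed-address EXEC image, "unknown" otherwise.
elf_pie_status() {
    printf '%s\n' "$1" | awk '
        /^ *Type: +DYN/  { print "pie";    found = 1; exit }
        /^ *Type: +EXEC/ { print "no-pie"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# "nx-stack" when the GNU_STACK flags are RW, "exec-stack" when they are RWE.
# readelf prints the flags either on the GNU_STACK line (32-bit layout) or on
# the following line (64-bit layout), so both lines are inspected.
elf_stack_status() {
    printf '%s\n' "$1" | awk '
        /GNU_STACK/ { look = 2 }
        look > 0 {
            for (i = 1; i <= NF; i++) {
                if ($i == "RWE") { print "exec-stack"; done = 1; exit }
                if ($i == "RW")  { print "nx-stack";   done = 1; exit }
            }
            look--
        }
        END { if (!done) print "unknown" }'
}

# One-line summary: "<pie|no-pie> <nx-stack|exec-stack>".
elf_hardening_report() {
    printf '%s %s\n' "$(elf_pie_status "$1")" "$(elf_stack_status "$1")"
}

echo "good sample: $(elf_hardening_report "$SAMPLE_READELF_GOOD")"
echo "bad sample:  $(elf_hardening_report "$SAMPLE_READELF_BAD")"
```

A `no-pie` result means the randomization the slide describes cannot apply to that image, and `exec-stack` means the kernel will honour a request for an executable stack regardless of NX support; both are findings to raise against the package, not something to fix on the running host.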
12. Security of the OS: other features
Restricted memory access
● Restricts how kernel memory (/dev/mem, /dev/kmem) can be written.
This prevents several rootkits from functioning, resulting in a safer
and more secure system.
Kernel module signing (ksign)
● Kernel modules are signed, so that only modules signed with a trusted
GPG key can be loaded
● Avoids rootkits that hide themselves as kernel modules
Secure application compilation (FORTIFY_SOURCE and Stack-Smashing Protector)
● "FORTIFY_SOURCE" is a gcc/glibc option that detects and stops a subset
of buffer overflows (calls whose destination buffer size is known at
compile time) before they can do damage; the Stack-Smashing Protector
places a canary value on the stack and aborts the program when an
overflow has overwritten it
ELF (Executable and Linkable Format) data hardening (e.g. read-only
relocations, RELRO)
RPM signing
● Each package/application is signed by the vendor, so any change to
its files can be detected (same effect as Tripwire)
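Whether a given binary actually carries the protections slides 11 and 12 describe (NX stack, PIE, RELRO, stack protector, FORTIFY_SOURCE) can be read from readelf. The script below is an added example, not from the deck or from Red Hat: it parses readelf output with awk. The two readelf excerpts are constructed samples, one for a hardened build and one for a weak one, embedded so the checks run offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the deck: check whether an ELF binary carries the
# protections discussed on slides 11 and 12 by parsing readelf output. The two
# samples are constructed; on a live host run e.g.
#   elf_hardening_report "$(readelf -hldW /usr/sbin/sshd; readelf -sW /usr/sbin/sshd)"

# Constructed excerpt for a hardened build (-fPIE -pie -Wl,-z,relro,-z,now
# -fstack-protector-strong -D_FORTIFY_SOURCE=2).
HARDENED='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000c58 0x000c58 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
Dynamic section at offset 0x2da0 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)'

# Constructed excerpt for a build with none of the protections.
WEAK='ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000c58 0x000c58 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
Dynamic section at offset 0x2da0 contains 20 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)'

# PIE: readelf reports a position-independent executable as type DYN
# (shared libraries are DYN too, so apply this check to executables only).
elf_pie() {
  printf '%s\n' "$1" | awk '
    $1 == "Type:" { r = ($0 ~ /DYN/) ? "yes" : "no" }
    END { if (r == "") r = "unknown"; print r }'
}

# NX: the PT_GNU_STACK flags must not contain E. A missing PT_GNU_STACK
# header is treated as executable, which is what old kernels assumed.
elf_nx() {
  printf '%s\n' "$1" | awk '
    $1 == "GNU_STACK" { r = ($(NF-1) ~ /E/) ? "no" : "yes" }
    END { if (r == "") r = "no"; print r }'
}

# RELRO: a PT_GNU_RELRO segment makes the GOT read-only after relocation
# ("partial"); BIND_NOW on top resolves every symbol at load time ("full").
elf_relro() {
  printf '%s\n' "$1" | awk '
    $1 == "GNU_RELRO" { seg = 1 }
    /BIND_NOW/ || /FLAGS_1.*NOW/ { now = 1 }
    END { r = "none"; if (seg) r = "partial"; if (seg && now) r = "full"; print r }'
}

# Stack-Smashing Protector: instrumented functions call __stack_chk_fail when
# the canary is corrupted, so the symbol appears in the dynamic symbol table.
elf_canary() {
  printf '%s\n' "$1" | awk '
    /__stack_chk_fail/ { r = "yes" }
    END { if (r == "") r = "no"; print r }'
}

# FORTIFY_SOURCE: calls with a known destination size are rewritten to the
# *_chk variants (__memcpy_chk, __printf_chk, ...). "no" only means no
# evidence: a binary that never calls a fortifiable function shows none.
elf_fortify() {
  printf '%s\n' "$1" | awk '
    /__[a-z_]+_chk/ && !/__stack_chk_fail/ { r = "yes" }
    END { if (r == "") r = "no"; print r }'
}

elf_hardening_report() {
  printf 'PIE: %s\nNX stack: %s\nRELRO: %s\nStack protector: %s\nFORTIFY_SOURCE: %s\n' \
    "$(elf_pie "$1")" "$(elf_nx "$1")" "$(elf_relro "$1")" \
    "$(elf_canary "$1")" "$(elf_fortify "$1")"
}

echo "--- hardened sample ---"; elf_hardening_report "$HARDENED"
echo "--- weak sample ---";     elf_hardening_report "$WEAK"
```

The distribution's own packages should all report yes/full; a locally compiled daemon that reports EXEC, an executable stack or no canary is exactly the kind of component the hardening talk is about, and a rebuild with the flags in the comment fixes it.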
13. Security in the OS: MAC and SELinux
Mandatory Access Control (MAC) is a kind of access control
defined by the Trusted Computer System Evaluation Criteria:
● "[...] restricting access to objects based on the sensitivity
of the information contained in the objects and the formal
authorization (i.e., clearance) of subjects to access
information of such sensitivity" (from Wikipedia)
The most used MAC system in Linux is Security Enhanced
Linux (SELinux)
● Developed initially by the NSA (National Security Agency)
● Several contributors, such as Red Hat, Tresys, IBM, ...
● Common Criteria certified (EAL4+) and used by the military
● When used in "strict" mode it is even more secure
● Based on policies that confine user programs and system
services to the minimum amount of privilege they require
to do their jobs
14. SELinux: overview
By default, anything not explicitly permitted is denied
Rules are called "policies"
Two pre-defined policies in RHEL/Fedora:
● targeted: only common daemons are confined (typically the
ones started from init.d/*), leaving the others "unconfined"
● strict: every process in the system is confined
Both RHEL and Fedora ship in "targeted" mode by default: daemons
with remote access (apache, mysql, ...) are protected by the
SELinux "shield", while interactive users stay unconfined
15. SELinux security context
All files and processes have a security context
The context has several elements, for example:
user:role:type:sensitivity:category
User: the SELinux user, distinct from the Linux account: e.g. root,
user_u or unconfined_u for logins; system_u for system processes
Role: files -> object_r; processes -> system_r (or unconfined_r)
Type: used by Type Enforcement to specify the nature of the data
(for files) or the domain a process runs in
$ ps -ZC bash,sshd
LABEL                                                   PID TTY      TIME     CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023                1709 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32019 pts/0    00:00:00 bash
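Reading contexts by eye does not scale; the useful question under the targeted policy of slide 14 is which daemons are running with no confinement at all. The script below is an added example, not from the deck: it splits a context into its fields (the level part may itself contain a colon, which is why it is "field 4 to the end") and scans `ps -eZ` output for services in the unconfined domains. The `ps -eZ` listing is a constructed sample; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the deck: work with the security contexts shown on
# slides 14 and 15. The `ps -eZ` output below is constructed; on a live host
# use "$(ps -eZ)" (and `ls -Z` for files).

SAMPLE_PS='LABEL                                           PID TTY      TIME     CMD
system_u:system_r:init_t:s0                       1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023        1709 ?        00:00:00 sshd
system_u:system_r:httpd_t:s0                   2201 ?        00:00:03 httpd
system_u:system_r:unconfined_service_t:s0      2310 ?        00:00:00 custom-agent
system_u:system_r:initrc_t:s0                  2400 ?        00:00:00 legacy-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32019 pts/0 00:00:00 bash'

# A context is user:role:type:level; the level itself may contain a colon
# (sensitivity range plus categories), so it is "field 4 to the end".
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# The targeted policy only confines daemons that have a policy module. A
# service running as unconfined_t, unconfined_service_t or initrc_t has no
# SELinux "shield" at all: it needs a policy module (or a supported package
# that ships one). Interactive sessions (those with a tty) are expected to
# be unconfined under targeted and are skipped.
unconfined_daemons() {
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                  # header line
    $3 != "?" { next }                # has a controlling tty: a login session, not a daemon
    { split($1, c, ":") }
    c[3] == "unconfined_t" || c[3] == "unconfined_service_t" || c[3] == "initrc_t" {
      print $NF, "(" c[3] ")"
    }'
}

echo "sshd domain: $(ctx_type system_u:system_r:sshd_t:s0-s0:c0.c1023)"
echo "daemons running outside any confined domain:"
unconfined_daemons "$SAMPLE_PS"
```

On the sample, sshd and httpd are confined (sshd_t, httpd_t) while custom-agent and legacy-daemon are reported: those two would run with full privileges if exploited, exactly what the policy is meant to prevent.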
16. SELinux: an Italian success
We are protecting the Italian government
employees' payslips and tax declarations
(around 4M users)
17. Security in the OS: patching
PATCHING IS IMPORTANT!!!
Always keep the system's security patches up to date
A management system that applies all patches seamlessly and
avoids human error is essential
● After buffer overflows and "zero days", the major security
concern is human error in configuration files
That is:
● Apply patches automatically and roll back if necessary
● Compare the installed software between machines (ex: a cluster)
● Use a standard, proven configuration file for common services
(ssh, authentication, ...) and distribute it
● An example is Red Hat Network Satellite
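Two of the checks above (comparing software between cluster members, and using the vendor signature on slide 12 to detect changed files) are simple enough to do with rpm and awk. The script below is an added example, not part of the deck and not how Satellite does it: the package lists are in the format `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` produces, and the `rpm -Va` lines follow rpm's verify format; all of it is constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the deck: two checks behind slides 12 and 17. The
# package lists (rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n') and the
# `rpm -Va` output are constructed; on real hosts feed the live output instead.

HOST_A='openssh-server 7.4p1-21.el7
openssl 1.0.2k-19.el7
httpd 2.4.6-93.el7
telnet-server 0.17-65.el7'

HOST_B='openssh-server 7.4p1-21.el7
openssl 1.0.2k-22.el7_9
httpd 2.4.6-93.el7
mod_security 2.7.3-5.el7'

# rpm -Va: nine attribute flags (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities), an optional file type
# (c = config file), then the path. "missing" replaces the flags.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/ping
S.5....T.    /usr/sbin/sshd
missing     /usr/lib64/libfoo.so'

# Packages present on the first host but not on the second (cluster drift).
pkg_only_in_first() {
  {
    printf '%s\n' "$1" | awk '{ print "A", $1 }'
    printf '%s\n' "$2" | awk '{ print "B", $1 }'
  } | awk '
    $1 == "A" { a[$2] = 1; next }
    { seen[$2] = 1 }
    END { for (p in a) if (!(p in seen)) print p }' | sort
}

# Packages installed on both hosts at different versions: one of them has
# missed (or rolled back) an update.
pkg_version_drift() {
  {
    printf '%s\n' "$1" | awk '{ print "A", $1, $2 }'
    printf '%s\n' "$2" | awk '{ print "B", $1, $2 }'
  } | awk '
    $1 == "A" { va[$2] = $3; next }
    ($2 in va) && va[$2] != $3 { print $2, va[$2], "->", $3 }' | sort
}

# Files whose content no longer matches the signed package. Config files
# (type c) are expected to change; a binary with a changed digest, or a
# missing library, is not, and deserves the same attention as a Tripwire hit.
suspicious_rpm_verify() {
  printf '%s\n' "$1" | awk '
    NF == 3 && $2 == "c" { next }
    $1 == "missing" || $1 ~ /5/ { print $NF }'
}

echo "only on A:";               pkg_only_in_first "$HOST_A" "$HOST_B"
echo "only on B:";               pkg_only_in_first "$HOST_B" "$HOST_A"
echo "version drift A -> B:";    pkg_version_drift "$HOST_A" "$HOST_B"
echo "unexpected changes on A:"; suspicious_rpm_verify "$SAMPLE_RPM_VA"
```

On the samples the drift check finds telnet-server only on A (which slide 10 says should not be there at all), mod_security only on B, and openssl at two different releases; the verify check reports a modified /usr/sbin/sshd and a missing library while ignoring the edited sshd_config.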
18. Authentication and authorization
Just to be clear on terms:
● Authentication is proving who you claim to be (who you are);
it deals with identifying the users
● It can be:
● Username/password (and variants such as Kerberos)
● One-time passwords (OTP)
● Two-factor (key based: smart cards, biometrics)
● Authorization is giving permission to users (what you can do).
Sometimes referred to as "profiling"
● After the authentication phase, the user is profiled
● The application (ex: login shell, web application, ...) grants
the appropriate rights based upon certain parameters
● The parameters are usually stored in LDAP, but also in databases
19. Strong authentication: smart cards/biometrics/OTP
Authentication is usually based on username and password
● Passwords can easily be eavesdropped
● Kerberos and cryptography help to protect passwords in transit,
but ...
● ... they don't prevent users from giving away their passwords or
having them copied (keyloggers, post-its, social engineering, ...)
The best way is the famous "something you have" plus
"something you know"
● Smart cards cover "something you have"; biometrics add
"something you are"
● PINs or pass-phrases are usually "something you know"
● The only way in is stealing the smart card (and that is not
possible for biometrics, apart from kidnapping ;)
● Smart cards hold the private keys of a PKI, and the PIN or
fingerprint unlocks the keyring
● A card's certificate can be revoked at any time
20. Authorization and profiling (roles)
Every user should be granted the least privilege needed to do
the job
Profiles and roles should be stored in a central repository
● Each application should be designed to use profiling
● The advantage is that authorization is shared across all
systems/applications
● They are usually stored in LDAP
● OpenLDAP and Fedora Directory Server (RHDS) are the most
famous in the OSS world
● Java applications should use the JAAS APIs
● PHP/C/C++/Python applications should perform look-ups in LDAP directly
Examples (in infrastructure software):
● Apache with mod_authz_ldap
● AllowUsers in SSH
● sudo with LDAP
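The "standard, proven configuration file for ssh" of slide 17, the key-based authentication of slide 19 and the AllowUsers restriction of slide 20 all live in sshd_config. The script below is an added example, not from the deck, that lints such a file: it respects two sshd rules that are easy to get wrong, namely that the first occurrence of a keyword wins and that everything after the first Match line is conditional rather than global. The weak and hardened configurations are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the deck: lint an sshd_config against the points on
# slides 17, 19 and 20 (distribute one proven configuration, prefer keys over
# passwords, restrict who may log in with AllowUsers/AllowGroups). The two
# configurations are constructed; on a live host pass "$(cat /etc/ssh/sshd_config)".

WEAK_SSHD='# looks like a stock configuration
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes'

HARDENED_SSHD='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowGroups sshusers wheel
Match User backup
    PasswordAuthentication yes'

# Effective global value of a keyword. Two sshd rules matter here: the FIRST
# occurrence of a keyword wins, and anything after the first Match line is
# conditional, not global. Prints nothing when the keyword is not set.
sshd_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '
    NF == 0 || $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }'
}

# One line per finding, nothing when the configuration passes.
sshd_findings() {
  cfg=$1
  v=$(sshd_setting "$cfg" PermitRootLogin)
  case "$v" in
    no|prohibit-password|without-password) ;;
    *) echo "PermitRootLogin=${v:-unset}: set it to no (older sshd defaults to yes)" ;;
  esac
  v=$(sshd_setting "$cfg" PasswordAuthentication)
  [ "$v" = no ] || echo "PasswordAuthentication=${v:-unset}: use keys/Kerberos/OTP and set it to no"
  v=$(sshd_setting "$cfg" PermitEmptyPasswords)
  [ "$v" != yes ] || echo "PermitEmptyPasswords=yes: set it to no"
  v=$(sshd_setting "$cfg" Protocol)
  case "$v" in
    *1*) echo "Protocol=$v: SSH protocol 1 is broken, use Protocol 2" ;;
  esac
  [ -n "$(sshd_setting "$cfg" AllowUsers)$(sshd_setting "$cfg" AllowGroups)" ] ||
    echo "neither AllowUsers nor AllowGroups is set: any account with a shell may try to log in"
}

sshd_finding_count() { sshd_findings "$1" | awk 'END { print NR }'; }

echo "weak configuration: $(sshd_finding_count "$WEAK_SSHD") finding(s)"
sshd_findings "$WEAK_SSHD"
echo "hardened configuration: $(sshd_finding_count "$HARDENED_SSHD") finding(s)"
```

The weak sample yields four findings; the hardened one yields none, and its Match block (password login for one backup account) is correctly ignored when the global PasswordAuthentication value is read.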
21. Application security
Each application should be configured securely!!!
● This statement can't be stressed enough
● Most "default installations" are wide open
● Hardening should involve the whole platform, not only the OS
● Configuration depends on the application itself
● Well known for "infrastructure" software such as JBoss
● Contact your vendor or the OSS mailing lists for more information
22. Application security
Use application-layer firewalls
● In the "Defense in Depth" philosophy they provide the edge
protection layer
● Nearly everything is now encapsulated in port 80/443 (and 25),
so a packet filter alone cannot tell good traffic from bad !!!
● The most valuable example in OSS is ModSecurity
● Web Application Firewall
● Real-time monitoring and attack detection
● Attack prevention and just-in-time patching
Other examples: SpamAssassin, ClamAV, Squid + DansGuardian,
SIP Express Router (SER), ...
23. Questions?
Thank you!
Giuseppe “Gippa” Paternò
Red Hat - Solution Architect & EMEA Security Prod. Expert
Visiting Researcher – Trinity College Dublin
gpaterno@redhat.com
paternog@cs.tcd.ie