I read quite often about how a minimal operating system, with all things unnecessary for its expected functionality removed, is "more secure" because of the minimal attack surface. While there is definitely something to be said for reducing the attack surface, having a minimal OS is not necessarily a good security practice. "But Matt, if I … Continue reading Reduced footprint vs minimal footprint
I've recently been playing with OpenWRT, and decided to see if I could use Ansible to manage it. From a basic install of OpenWRT, here is what needs to be done to be able to manage it with Ansible:
- Use the WebUI to upload your SSH public key
- Install a few packages, either via the WebUI … Continue reading Using Ansible with OpenWRT
I've found myself with a lot of nerve-wracking thumb-twiddling time in the hospital over the past few weeks. So, needing to secure my internet access across an open public WiFi and needing a project to distract myself a bit, I decided I wanted a device or collection of devices that perform the following roles: - … Continue reading A personal mobile LAN
I've spent a few hours banging my head against something that - in retrospect - is pretty obvious: "delegate_to" does not respect the "ansible_user" inventory variable.
Challenge
delegate_to is used to execute a task on a host other than the one targeted for playbook execution. Compare these three tasks:
- command: echo Hello World
- command: … Continue reading Ansible quirks: Delegating a task with a unique remote user
The recent high-profile “Meltdown” and “Spectre” security event did more than expose newly-discovered problems in processor architectures dating back decades. It also exposed gaps in the Security Lifecycle Program for many organizations, possibly even in your own.
The details of this security event are already well-documented (see the original security notification in Red Hat’s Portal or this 3-minute video providing a high-level overview). So, what can your IT organization do to be better prepared for the next security event? Here are four practical actions you can take now to improve your Security Lifecycle Program.
If you are in I.T., you've heard about Meltdown and Spectre by now. So - what are you going to do about it? Don't panic, follow your existing High Priority Security Patching processes. Start assessing, in your test environment, the performance impact of patches against your performance-sensitive workloads, especially those with heavy disk I/O or … Continue reading How to approach KPTI remediation
If you are trying to create an HBAC rule in FreeIPA to allow users to log on to Fedora 27 workstations via GDM, you will need to do the following:
- Create a new HBAC service in FreeIPA, called "systemd-user"
- Create an HBAC rule that includes "gdm", "gdm-password", and "systemd-user", granting access to your … Continue reading Managing access to Fedora 27 workstation with FreeIPA and HBAC