#SCAP Security Guide
Openscap: Open Source Vulnerability and Compliance Scanner
Open-source security tools are not only cost-effective, they are also very powerful. OpenSCAP is a robust line of defense in achieving and maintaining system security compliance. It delivers many features for both the community and enterprise businesses. Table of contents: What is OpenSCAP? Diving Deeper into the SCAP Security Guide; Customizing OpenSCAP with Your Own Content Files; OpenSCAP…
Oracle Linux 8's first major maintenance update released
Image from Oracle
Oracle wrote in the changelog: "In Oracle Linux 8, the core operating environment and related packages for traditional Oracle Linux 8 servers are distributed by combining BaseOS and Application Streams. BaseOS provides the running user space for the operating environment. Application Streams provide a range of applications, previously distributed in Software Collections and in other products and programs, that can run in the user space."
The most notable item in Oracle Linux 8 Update 1 is the Red Hat Compatible Kernel (RHCK) package, Linux 4.18.0-147.el8, for 64-bit (x86_64) Intel and AMD platforms. This package brings numerous bug fixes, security updates and feature enhancements; it also removes support for the Btrfs and OCFS2 file systems and moves the VDO Ansible module into the Ansible package. In addition, it adds installation support for the 64-bit ARM (AArch64) platform as a developer preview.
This release also introduces Udica, which lets users exercise finer control over how containers access host system resources by creating custom security policies. Other updated components include MySQL 8.0, SELinux user-space tools 2.9 with the boltd_t SELinux type for managing Thunderbolt 3 devices and a bpf SELinux policy for controlling the Berkeley Packet Filter, SELinux policy 3.14.3, SETools 4.2.2, OpenSSH 8.0p1, OpenSCAP 1.3.1 and scap-security-guide 0.1.44.
The Cockpit web console is also updated in Oracle Linux 8 Update 1: it supports simultaneous multithreading (SMT) configuration, including the ability to disable SMT, improves the virtual machine management page, and updates the networking page with firewall settings (a new feature). The release also adds memory mode for Intel Optane DC persistent memory technology.
Those interested in running Oracle Linux 8 Update 1 on their personal computers or servers can download the ISO installation image free of charge from the Oracle Software Delivery Cloud right away, as well as official Docker images through the Oracle Container Registry and Docker Hub. Users can also download individual RPM packages from the Unbreakable Linux Network (ULN) and the Oracle Linux yum server.
from "Oracle Linux 8's first major maintenance update released" via KKNEWS
LINUX SECURITY
Security is the big issue in IT environments today, and companies are spending a lot of money on it. Linux provides high-level security to its clients, so it is used widely in large IT environments, including on the server side. Another advantage of Linux is that it is open source. These are the factors that attract the IT industry to Linux more than to other operating systems.
Organizations today are seeking to increase productivity, flexibility and innovation to deliver services faster without sacrificing security, stability and performance. As large IT infrastructure continues to expand and evolve, security in IT must be automated to scale and mitigate risks, achieve compliance and meet the needs of the business.
Why should security and compliance be automated? According to the 2017 Verizon Data Breach Report, "80% of hacking-related reports leveraged either stolen and/or weak passwords". Protection against stolen and/or weak passwords is achievable by defining and implementing strong password policies using automation. In this article by Gartner, "99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident". Automation can help enforce and ensure security and compliance, and help protect against security vulnerabilities and breaches.
Red Hat Enterprise Linux provides security technologies, certifications, and the ongoing support of the Product Security team to combat vulnerabilities, protect your data and meet regulatory compliance.
SCAP tools and content help users create standard security checklists for enterprise systems. To better meet the varied security needs of hybrid computing, Red Hat Enterprise Linux 7.5 provides enhanced software security automation to mitigate risk through the integration of OpenSCAP with Red Hat Ansible Automation. The remediations are generated in the form of Ansible playbooks, based either on profiles or on scan results.
A playbook based on a SCAP Security Guide profile contains all the rules that are needed, and the system is remediated according to the guide regardless of the state of the machine. Playbooks based on scan results, on the other hand, contain only fixes for the rules that failed during an evaluation.
CentOS 8.0 now available, includes the new features of Red Hat Enterprise Linux 8.0
A few moments ago the CentOS Development Team had the pleasure of announcing the release of CentOS 8.0. It is the latest version of a system based on Red Hat Enterprise Linux, rebuilt for general use, and it arrives with many of the most notable new features of RHEL 8, Red Hat's latest release. The main difference between the two operating systems is that CentOS is a free version of the operating system it is based on.
CentOS 8.0 has been in development for several months and is now here as the only free alternative to Red Hat, since the Scientific Linux project was discontinued in April after 14 years of activity. The announcement of the new version did not arrive alone, or rather they announced two versions in one: CentOS 8.0, which is what we have known until now, and a new option they have called CentOS Stream.
CentOS 8.0 arrives alongside the CentOS Stream version for developers
As we read on the centos.org download page, there are now two ways to consume the CentOS platform: CentOS Linux and CentOS Stream. The first is a "rebuilt" version of the freely available Red Hat Enterprise Linux source code, while the second is "a midstream distribution that provides a cleared path for participation in creating the next version of RHEL". All the information about CentOS Stream is in the project wiki, which can be reached from here.
Not all the differences between the two versions have been detailed, but they do mention that the kernel will be different: the Stream version uses a more up-to-date one than the normal version, which will use Linux 4.18. Among the packages that have been updated in CentOS 8.0 are:
abrt
anaconda
apache-commons-net
basesystem
cloud-init
cockpit
compat-glibc
dhcp
firefox
fwupdate
grub2
httpd
initial-setup
ipa
kabi-yum-plugins
kernel
kde-settings
libreport
oscap-anaconda-addon
PackageKit
pcs
plymouth
redhat-lsb
redhat-rpm-config
scap-security-guide
shim
shim-signed
sos
subscription-manager
system-config-date
system-config-kdump
thunderbird
xulrunner
yum
Those interested in installing this free version of RHEL 8 can download the new images from here.
Source: Linux Adictos https://www.linuxadictos.com/centos-8-0-ya-disponible-incluye-las-novedades-de-red-hat-enterprise-linux-8-0.html
F27 rpmdb bug, auditd and augenrules
Saw a similar rpmdb lock bug to this: https://bugzilla.redhat.com/show_bug.cgi?id=918184. Have enabled the audit log to watch out for it in the future.
[ush@gargantua ~]$ sudo dnf update
[sudo] password for ush:
warning: rpmdb: BDB2053 Freeing read locks for locker 0xc24: 12836/139735431249280
The auditd logging system is completely independent of syslog and derivatives: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ Q: is it now more integrated with journald? Panu Matilainen suggested the following in https://bugzilla.redhat.com/show_bug.cgi?id=918184#c1:
# echo "-w /var/lib/rpm/Packages -p war -k rpmdb" >> /etc/audit/audit.rules
# systemctl restart auditd.service
After that, the next time that something has misbehaved and you get those "freeing read locks ...: /" messages, you can look up rpmdb-accessing processes by their pid with
# ausearch -k rpmdb --pid
To identify the troublemaker for sure, the pid of the "freeing read locks" message needs to be matched to those of the audit logs. Taking the original message as an example:
BDB2053 Freeing read locks for locker 0x1bf4: 4981/140246004406208
Here, the pid of the naughty process who left locks behind is 4981. So to search for the process that caused it, you need to do:
# ausearch -k rpmdb --pid 4981
Instead, I have appended the new audit rule to /etc/audit/rules.d/audit.rules. A systemctl restart of auditd is no longer possible; use augenrules instead. Do I really need to disable the -a never,task rule, and what is its actual impact on performance?
[ush@gargantua ~]$ sudo auditctl -l
-a never,task
[ush@gargantua ~]$ sudo augenrules --load
No rules
[ush@gargantua ~]$ sudo auditctl -l
-a never,task
-w /var/lib/rpm/Packages -p rwa -k rpmdb
This seems to be the best reference (it is pointed to in the systemd unit): https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events Also useful: https://security.stackexchange.com/questions/4629/simple-example-auditd-configuration It seems the rules should be broken into 3 types in /etc/audit/rules.d/audit.rules (for clarity): CONTROL, FILE/DIRECTORY, SYSCALL (see man audit.rules). Syscall rules should follow the template:
-a action,list -S syscall -F field=value -k keyname
-a {always,never},{task,exit,user,exclude} -S {name or number} -S {othername or number} -F {auid,uid,euid,suid,fsuid,obj_uid,gid,egid,sgid,fsgid,obj_gid} -k $keyname-defined-by-you
Then
aureport --start this-week --key --summary
This related post is interesting in the context of how augenrules works by merging all the contents of rules.d: https://github.com/OpenSCAP/scap-security-guide/issues/551 This is a good first part of a two-part tutorial: https://www.tecmint.com/linux-system-auditing-with-auditd-tool-on-centos-rhel/
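As an added example, not part of the original post or of Panu Matilainen's comment, here is a small POSIX shell helper for the workflow above: it pulls the pid out of a BDB2053 "Freeing read locks" warning (the number before the "/", not the thread id after it), builds the matching ausearch query for the rpmdb key, and appends the watch rule to a rules.d file only when that exact line is not already there, so re-running it before augenrules --load does not pile up duplicates. The sample warning line is constructed in the format dnf/rpm print, and the rules file path is a parameter rather than a fixed path.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the rpmdb audit
# workflow. The sample warning is constructed, not captured from a real run.

# Constructed sample, in the format dnf/rpm print the warning:
SAMPLE_WARNING='warning: rpmdb: BDB2053 Freeing read locks for locker 0x1bf4: 4981/140246004406208'

# Print the pid from a BDB2053 message. The number before the "/" is the
# pid; the one after it is the thread id, which ausearch --pid does not want.
rpmdb_lock_pid() {
    printf '%s\n' "$1" |
        sed -n 's|.*BDB2053 Freeing read locks for locker 0x[0-9a-fA-F]*: \([0-9][0-9]*\)/[0-9]*.*|\1|p'
}

# Print the ausearch command that matches that pid against events logged
# under the "rpmdb" key; fails (non-zero) if the line carries no pid.
rpmdb_ausearch_cmd() {
    pid=$(rpmdb_lock_pid "$1")
    [ -n "$pid" ] || return 1
    printf 'ausearch -k rpmdb --pid %s\n' "$pid"
}

# Append the rpmdb watch rule to a rules.d file only if that exact line is
# not already present, so repeated runs before "augenrules --load" do not
# duplicate the rule. The path is a parameter, e.g. /etc/audit/rules.d/rpmdb.rules.
add_rpmdb_watch() {
    rules_file=$1
    rule='-w /var/lib/rpm/Packages -p rwa -k rpmdb'
    if [ -f "$rules_file" ] && grep -qxF -- "$rule" "$rules_file"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# Stand-alone run: show the query for the constructed sample warning.
rpmdb_ausearch_cmd "$SAMPLE_WARNING"
```

After add_rpmdb_watch has written the rule, load it with sudo augenrules --load and confirm with sudo auditctl -l, as in the session above; the ausearch query only returns hits for events recorded after the watch was loaded.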
American NIST initiatives in IoT security
*There are rather a lot. Because there are rather a lot of security problems.
https://www.nist.gov/itl/applied-cybersecurity/nist-initiatives-iot
NIST initiatives in IoT
IoT Work (initiative: more information and opportunities)
- Lightweight Encryption, NISTIR 8114: Need to identify the classes of IoT devices that cannot do full-strength cryptography.
- NCCoE IoT-Based Automated Distributed Threats, Building Block: Aims to improve the resiliency of IoT devices against distributed attacks and improve the service availability characteristics of the internet by mitigating the propagation of attacks across the network.
- Network of Things, Special Publication 800-183: Provides a model and terminology for describing IoTs; opportunity to map the model to lower-level architectures and designs.
- Vehicle-to-vehicle transportation: NIST participates in international standard development for vehicle cybersecurity; NIST consults domestically on automotive security.
- Cybersecurity for Smart Grid Systems, NISTIR 7628 revision 1: Possible explosive growth in numbers of sensors and actuators, with security requirements; exploring opportunity to map to IoT models (like SP 800-183).
- Cybersecurity for Cyber Physical Systems, Framework Document: Opportunity to map to IoT models (like SP 800-183).
- BLE Bluetooth, Special Publication 800-121: Discusses security considerations for devices that might implement Bluetooth or Bluetooth Low Energy communication protocols.
- NCCoE Wireless Medical Infusion Pumps, Building Block: Working with industry partners to develop implementation guidance for the wireless medical infusion pumps use case.
- RFID Security Guidelines, Special Publication 800-98: Information disclosure issue; impoverished version of an IoT.
- Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82: Overlay for SP 800-53 for control system environments, taking into account their specialized challenges.
- Supply Chain Risk Management, Special Publication 800-161: Supply chain risk management practices.
- Blockchain: NIST is exploring how fundamental blockchain features and resource requirements relate to IoT (e.g., "proof of work").
- Hardware Roots of Trust, Special Publication 800-147: Assured boot and state attestation.
- Galois IoT authentication & PDS Pilot, Pilot Project: Pilot deploying strong authentication for an IoT-connected smart building; enables access to IoT devices and sharing device data across organizational entities.
- GSMA Trusted Identities Pilot, Pilot Project: GSMA, NIST and San Diego Health Connect working together to enable more secure access to electronic health records for emergency first responders in the field.
- Cloud Security, Special Publication 800-144: Cloud definition.
IoT-Related Work (initiative: more information and opportunities)
- Cybersecurity Framework, Framework: Approach for managing and reducing cybersecurity risk.
- Privacy Engineering, Program: Privacy risks in IoT.
- Cybersecurity Framework Profile for Manufacturing, White Paper: Profile maps manufacturing processes to the Cybersecurity Framework; multi-laboratory effort within NIST.
- National Vulnerability Database, Database: A resource for cataloging IoT vulnerabilities.
- Security of Interactive and Automated Access Management Using Secure Shell (SSH), NISTIR 7966: Essential utility for management of distributed devices.
- Security Systems Engineering, Special Publication 800-160: Considerations for a multidisciplinary approach in the engineering of trustworthy secure systems.
- Security Content Automation Protocol (SCAP) Standards and Guidelines, Special Publication 800-126 revision 2: Specifications for representing security configuration and vulnerability information.
Potential Future NIST Efforts
- NIST Publication on The Status of International Cybersecurity Standardization for the Internet of Things (IoT)....
Master Your Security Foundation: Harden Your Systems
According to a survey conducted by Tenable in late 2016, only 50% of our customers use our configuration auditing capabilities. That’s the bad news. The good news is that those who do use it really like it. But back to the bad news; Tenable and the Center for Internet Security sponsored a separate research project that found that only 55% of organizations enforce secure configuration standards for laptops, workstations and servers. That leaves a lot of systems with potentially unnecessarily open ports and services, weak or default passwords, overly broad user rights and other configuration weaknesses.
If you’ve read my recent blog posts, you understand the importance of having only authorized devices and software on your network. The next step, according to the CIS Critical Security Controls, is to securely configure (harden) the authorized hardware and software of your mobile devices, laptops, workstations and servers. The CIS is not alone in this recommendation – other security frameworks and compliance standards echo the importance of securely configuring your systems as well.
Standard: "Securely Configure your Systems" control objective
- PCI DSS: 2.2: Develop configuration standards for all system components.
- NIST Cybersecurity Framework: PR.IP-1: Baseline configurations are created and maintained.
- ISO/IEC 27002:2013: A.14.2.8: System security testing; A.18.2.3: Technical compliance review.
- NIST 800-53 rev 4: CM-2: Baseline configuration; CM-6: Configuration settings; CM-7: Least functionality.
Even if you follow strict configuration management and provision secure “golden” images, you should still audit configurations frequently to identify the inevitable configuration drift that occurs as configurations are manually modified. Additionally, you should securely configure the entire stack, not just the operating system – especially for internet-facing servers. Don’t ignore virtualization, cloud infrastructure, container platforms, containers, web servers and database servers. Like the proverbial chain, security is only as strong as the weakest layer of the stack.
Configure the entire stack, not just the operating system
You can get started with configuration standards available from multiple sources. The CIS publishes more than three dozen Benchmarks, DISA publishes a number of Security Technical Implementation Guides (STIGs), and many vendors publish their own guidelines. You may need to tailor the standards to your organization’s specific requirements. The key is to get started!
Tenable can help
Tenable offers more than 300 configuration audit files that cover multiple versions of popular operating systems, cloud infrastructure, web servers, databases, Windows productivity apps and network devices. Additionally, SecurityCenter® 5 is fully certified against Security Content Automation Protocol (SCAP) 1.2. SCAP, a methodology used to evaluate the vulnerability management, measurement and policy compliance of security software solutions, is recommended by CIS to streamline reporting and integration. It also meets NIST and FISMA reporting requirements.
SecurityCenter offers three reporting mechanisms to address a range of requirements. Each can be scoped for specific business systems to focus results:
Reports by asset type list setting-by-setting and system-by-system audit results and identify settings requiring remediation.
Dashboards display compliance status, allowing users to drill into details as needed (see example below).
Assurance Report Cards (ARCs) communicate a compliance status overview that can be communicated to business owners and non-technical stakeholders (see example below).
The CIS Audit Summary dashboard organizes CIS Benchmark results by asset type. You can easily add and delete asset types to match your environment.
The CIS CSC: Secure Configuration Assurance Report Card evaluates policy compliance and presents pass/fail results for each policy test.
Learn more
The CIS Critical Security Controls include seven sub-controls that support Secure Configurations for Hardware and Software. A detailed discussion of these sub-controls is beyond the scope of this blog – but we can help you learn more. Tenable is hosting a webinar on June 21st when we will dive into the control details, show you how Tenable can help and answer your questions. This webinar is the third of a five-part series that will explore each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course, Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course, Implementing and Auditing the Critical Security Controls – in Depth. In addition to presenting valuable content, we will reserve time for questions and answers.
Look for future blogs where I will discuss the remaining Foundational Cyber Hygiene controls:
Continuous vulnerability assessment and remediation
Controlled use of administrative privileges
from Master Your Security Foundation: Harden Your Systems
New version of Oracle Linux 7.7 released with RHEL 7.7 features and more
Oracle Linux is a GNU/Linux distribution based on Red Hat, repackaged and distributed by Oracle, available under the GNU GPL. This Linux distribution is used in products from Oracle, the company that absorbed the Sun Microsystems business.
This week Oracle announced the release of the new version of its industrial Linux distribution, Oracle Linux 7.7, which is built on the Red Hat Enterprise Linux 7.7 package base, including the RHEL kernel package (3.10.0-1062).
This new version of Oracle Linux includes the Unbreakable Enterprise Kernel 5 (4.14.35-1902.3.2), released a few months ago. The kernel sources, including breakdowns into individual patches, are available in Oracle's public Git repository.
The kernel is positioned as an alternative to the regular kernel package provided in Red Hat Enterprise Linux and provides a number of advanced features, such as DTrace integration and improved Btrfs support. Apart from the kernel, the functionality of Oracle Linux 7.7 is similar to RHEL 7.7.
Main features of Oracle Linux 7.7
As mentioned at the start, this new Oracle Linux 7.7 version is based on RHEL 7.7, so almost all of the changes mentioned above and some of the following are also characteristic of RHEL 7.7.
In Oracle Linux 7.7, NetworkManager adds the ability to set routing rules by source address (policy routing) and support for VLAN filtering on network bridge interfaces.
For containers and images in UBI (Universal Base Image) format, support has been added for scanning content for compliance with the SCAP Security Guide.
Btrfs support has been deprecated in the RHEL kernel (to use Btrfs, you must use the UEK R4 and UEK R5 kernels). The MySQL packages, which must be downloaded from a separate yum repository, have been removed from this new version.
For the graphical installer, definitions have been added to enable simultaneous multithreading (SMT) mode on the system and to output a corresponding warning.
Support for DAX (direct access to the file system, bypassing the page cache without using the block device layer) was also added in ext4 and XFS, as well as OverlayFS support and an updated driver for QLogic qla2xxx NVMe/FC.
Among the system packages, updated versions of the NSS (Network Security Services) packages stand out, along with scap-security-guide 0.1.43, shadow-utils 4.6, gcc-library 8.3.1, linuxptp 2.0, tuned 2.11 and chrony 3.4. python3 packages with the Python 3.6 interpreter were added.
For testing on the UEK R5 kernel, experimental features are offered:
The ability to import and export containers in systemd
Some layouts for creating storage in the form of block devices and object storage for pNFS
An HMM (heterogeneous memory management) subsystem for using devices with their own memory management units
No-IOMMU mode
Cisco VIC InfiniBand and ibusnic_verbs drivers
SR-IOV (Single Root I/O Virtualization) support in the qlcnic driver
Support for TNC (Trusted Network Connect); support for input/output using multiple queues (scsi-mq, multi-queue) in SCSI
A plugin for managing storage arrays through the libStorageMgmt API.
Download Oracle Linux 7.7
Oracle Linux can be downloaded free of charge from Oracle's E-delivery service, and can be freely redistributed.
If you are interested in downloading the new version of Oracle Linux to try it on your computer or in a virtual machine,
just go to the project's official website, where you will find the download link in the downloads section, or if you prefer, I leave the link here. The link to request the download is this one.
It is important to mention that to download without restrictions you must first complete a free registration, after which you can keep accessing later releases.
The installation ISO image, 4.7 GB in size, is distributed for the x86_64 and ARM64 (aarch64) architectures.
Source: Linux Adictos https://www.linuxadictos.com/liberada-la-nueva-version-de-oracle-linux-7-7-con-caracteristicas-de-rhel-7-7-y-mas.html