
Page 1: Bucks Community College Focus on Security Presentation · 2020-05-29 · Focus on Security Presentation Bucks Community College Keith Calligan, Senior Consultant RHCSA, CISSP Red

Focus on Security Presentation
Bucks Community College

Keith Calligan, Senior Consultant
RHCSA, CISSP

Red Hat
10/4/19

Page 2

The content set forth herein does not constitute in any way a binding or legal agreement or impose any legal obligation or duty on Red Hat.

This information is provided for discussion purposes only and is subject to change for any or no reason.

Page 3

AGENDA

Red Hat and Security in the Community

What we are seeing as trends in:
1. Creating secure foundations
2. Enabling hybrid cloud deployments
3. Automating security compliance

Where else to go for more information

Q&A

Page 4

RED HAT AND SECURITY?

Red Hat is not a security company, but… we build security into everything we ship and deliver security capabilities.

Page 5

DECISIONS

● There are literally THOUSANDS of packages that make up our Product Portfolio.
  ○ Product Security actively monitors over 450,000 packages.
● How does Red Hat decide what packages or features get included?

Page 6

RED HAT'S UNIQUE APPROACH
FROM COMMUNITY TO ENTERPRISE

Page 7

Upstream First! We are Community Leaders!

RED HAT SUPPLY CHAIN SECURITY
Reducing Risk and Making Open Source Consumable by the Enterprise

● Compile flags for hardening + preventing exploits
● Static code analysis
● Fedora new package review request in Bugzilla
● Tracking packages for release versions in Fedora
● All packages digitally signed (secure distribution)
● Continuous security monitoring & updates
● Extensive QA testing per release
● Selected Fedora packages make it into the Red Hat internal git repo for RHEL. Developers must sign all commits.

Page 8

SECURITY THROUGHOUT THE STACK + LIFECYCLE

TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE

RED HAT SECURITY ADVISORIES

Lifecycle phases: DESIGN, BUILD, RUN, MANAGE & AUTOMATE, ADAPT

Page 9

CERTIFICATIONS?

Page 10

● Federal Information Processing Standard (FIPS)
● US Public Sector - often required by any regulated customer
● Requires use only of approved algorithms and key sizes
● Vendor implementation independently verified and proven
● Only valid for the specific module (not downstream, not other distros)

SECURITY CERTIFICATION

● World-wide recognition of independently verified security claims
● Required by many public sector agencies
● RHEL, Certificate Server and others
● Many years of investment with aggressive re-certifications planned
● Only valid for the product certified (i.e. not downstream / not other distros)

Page 11

1. CREATING SECURE FOUNDATION
2. ENABLING HYBRID CLOUD DEPLOYMENTS
3. AUTOMATING COMPLIANCE

Page 12

CREATING SECURE FOUNDATIONS
The foundation drives the security of the rest of the stack

Preventing intrusions and attacks
● SELinux mandatory access controls to prevent breaches on bare metal, VMs and containers
● USBGuard prevents mounting of rogue / suspect USB devices
● UEFI Secure Boot for verified integrity of the boot image
● Trusted Platform Module (TPM) 2.0 support for hardware-based key storage
● Smartcard and HSM support for tamper-proof digital certificate storage

Cryptographic protection
● Wide variety of strong, peer-reviewed and FIPS-certified crypto algorithms for privacy
● Encrypted data at rest and in flight throughout the Red Hat software stack
● Deprecation of old crypto algorithms to remove attack vectors

Networking / Firewall
● nftables firewall for stateful firewalls with online policy change
● IPsec and MACsec (L2) for encrypted network communications

Page 13

1. CREATING SECURE FOUNDATION

2. ENABLING HYBRID CLOUD DEPLOYMENTS

3. AUTOMATING SECURITY COMPLIANCE

Page 14

HYBRID CLOUD PLATFORMS
Red Hat Virtualization, Red Hat OpenStack Platform and Red Hat OpenShift Container Platform*

Control
● Content scanning upon deployment to prevent non-compliant instances from running
● Signing and scanning of container images to allow verification of trust back to build time
● SELinux mount points for isolation of container block devices and file systems
● Red Hat CoreOS (minimized, immutable OS) powering OpenShift 4.x

Defend
● sVirt applies SELinux automatically to protect VMs, containers and the host from exploiting each other
● Security Context Constraints and non-root containers for limiting risk and exploits
● Automatic firewall and VPN-encrypted (MACsec L2, TLS & IPsec) communications between guests and hosts
● Automatic firewall configuration
● Isolation of users, root processes and namespaces from each other for strong protection

Extend
● Partners for PKI, identity, encryption and storage integration - extensible scanning API
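To make the image-signing bullet concrete, here is an added example (not from the presentation and not Red Hat's own tooling) of a containers policy.json that rejects unsigned images by default and trusts only images from registry.access.redhat.com signed with the Red Hat release key, shown beside the permissive default many hosts ship with. The key path is the one redhat-release installs on RHEL 8 and the registries.d remark are assumptions; the output path is a parameter so it can be tried without root.

```shell
#!/bin/sh
# Added example: weak vs. hardened containers-policy.json(5) as shell functions.
# Assumption: the Red Hat release GPG key lives at the RHEL 8 default path below.
set -eu

REDHAT_KEY="${REDHAT_KEY:-/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release}"

# The permissive default: every transport accepts any image, signed or not.
weak_policy() {
  printf '{ "default": [ { "type": "insecureAcceptAnything" } ] }\n'
}

# Hardened policy: reject by default, then allow-list one registry with a
# signedBy requirement tied to a specific public key. Signature lookup also
# needs a registries.d entry pointing at that registry's sigstore (not shown).
hardened_policy() {
  cat <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$REDHAT_KEY" }
      ]
    }
  }
}
EOF
}

# Write the hardened policy to a path (the system path is /etc/containers/policy.json).
write_policy() {
  hardened_policy > "$1"
}

# Quick check that a policy file denies unsigned images by default.
policy_rejects_by_default() {
  grep -q '"default": \[ { "type": "reject" } \]' "$1"
}
```

With the hardened file in place, `podman pull` of an unsigned image from any other registry is refused by policy rather than by operator discipline.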

Page 15

TRUSTING THE CLOUD - THE CONTAINER HEALTH INDEX

● Trusted Container Images
● Letter grades A through F
  ○ Age of image
  ○ Unapplied updates
  ○ Signed status
● Updated, maintained
● Unique, easy to use

Page 16

COREOS VULNERABILITY SCANNER - CLAIR

● Part of the CoreOS acquisition
● Integrates with the Quay container private registry
● Continuously scans your own container images
● Easily identify issues

Page 17

1. CREATING SECURE FOUNDATION
2. ENABLING HYBRID CLOUD DEPLOYMENTS
3. AUTOMATING COMPLIANCE

Page 18

AUTOMATING SECURITY COMPLIANCE
Are you sure you are running a secure system?

● OpenSCAP compliance scanning of a system
  ○ Both CVE exposure detection & security configuration validation
  ○ Automation of remediation with Ansible, per system or with Satellite
  ○ Variety of compliance standard profiles: DISA STIG, PCI-DSS, USGCB...
● Compliance at install time for RHEL
● Red Hat Insights service for proactive health & security monitoring
● Common Criteria and FIPS certification of solutions
  ○ Enterprise Linux, Certificate Server, JBoss, etc.
● Security Patch Remediation and Response
● Vulnerability API allowing you to query our database
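The OpenSCAP workflow the slide lists (configuration validation against a STIG or PCI-DSS profile, CVE exposure detection from Red Hat's OVAL feed, and Ansible remediation generation) as an added example in shell; it is not from the presentation. It assumes a RHEL 8 host with scap-security-guide installed (the data stream path is that package's default) and that the RHEL 8 OVAL feed has been downloaded, e.g. from https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 and decompressed.

```shell
#!/bin/sh
# Added example: OpenSCAP scan, CVE check and Ansible fix generation as functions.
# Assumptions: RHEL 8, scap-security-guide installed, OVAL feed already fetched.
set -eu

DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml}"

# Map the short profile names used on the slide to the XCCDF profile ids
# carried in the SSG data stream.
profile_id() {
  case "$1" in
    stig)    echo "xccdf_org.ssgproject.content_profile_stig" ;;
    pci-dss) echo "xccdf_org.ssgproject.content_profile_pci-dss" ;;
    *)       echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Security configuration validation: HTML report for people, XML results for
# tooling. oscap exits 2 when any rule fails, so a non-compliant host must not
# abort the script under set -e.
config_scan() {
  oscap xccdf eval --profile "$(profile_id "$1")" \
    --results "results-$1.xml" --report "report-$1.html" "$DS" || [ $? -eq 2 ]
}

# CVE exposure detection: evaluate installed packages against the RHSA OVAL
# definitions (path to the decompressed feed passed as $1).
cve_scan() {
  oscap oval eval --results oval-results.xml "$1"
}

# Generate an Ansible playbook that remediates the profile's failed rules;
# review it before running it per system or through Satellite.
ansible_fix() {
  oscap xccdf generate fix --fix-type ansible \
    --profile "$(profile_id "$1")" --output "remediate-$1.yml" "$DS"
}

# Count failed rules in an XCCDF results file (one <result>fail</result> per
# failed rule-result element). grep -c prints 0 and exits 1 on no match.
count_failed_rules() {
  grep -c '<result>fail</result>' "$1" || true
}
```

A typical run is `config_scan pci-dss`, `count_failed_rules results-pci-dss.xml`, then `ansible_fix pci-dss` once the failures have been reviewed.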

Page 19

Page 20

RED HAT PRODUCT SECURITY

Red Hat Product Security works constantly to ensure timely and appropriate security fixes for our supported products and services. Our security response process is carefully designed and thoroughly validated to manage vulnerabilities.

Our team ensures product and service security by:
● Investigating issues and then identifying affected products
● Evaluating the impact
● Determining any necessary remediation actions
● Communicating resolution options to ensure subscribers can protect themselves. CSAw process for significant issues.

Page 21

WHAT IS A SECURITY VULNERABILITY?

A security vulnerability is a software, hardware or firmware flaw that could allow an attacker to interact with a system in a way it is not supposed to.

There are many types of security vulnerabilities, among which the most concerning are:
● Compromise of sensitive data (keys, financial information, customer information)
● Ability to execute arbitrary code on remote systems
● Denial of availability for mission-critical services

The severity of a vulnerability is determined by:
● the complexity of the vulnerability being exploited,
● the impact to the system or asset that is exposed, and
● the value of that system or asset

Page 22

HOW A VULN REPORT TURNS INTO A PATCH

Page 23

COMMON VULNERABILITIES AND EXPOSURES

CVEs provide a transparent, vendor-agnostic way to identify and track security issues; each CVE identifies a unique vulnerability.

● Red Hat Product Security assigns CVEs to every security issue that impacts our products
● CVEs may be assigned retroactively to previous bugs that are found to be security-relevant
● All CVEs affecting Red Hat products are listed in our public database: https://access.redhat.com/security/security-updates/#/cve

Page 24

VULNERABILITY METRICS
A snapshot of Red Hat Product Security response over the years

https://www.redhat.com/security/data/metrics/

Page 25

IN CONCLUSION...

Page 26

Keith [email protected]