Blueborne – How to disable Bluetooth in Fedora

Yesterday 2017-09-13 Redhat released infomation about the mitigation of the Blueborne vulnerability in RHEL: https://access.redhat.com/security/vulnerabilities/blueborne. For Fedora the new updates are probably still in the build queue and/or being QAed by the community. For a quick fix, you can disable Bluetooth similar than in RHEL: Stopping Bluetooth related service systemctl stop bluetooth.service systemctl disable bluetooth.service systemctl mask bluetooth.service Disable the Kernel modules echo “install bnep /bin/true” >> /etc/modprobe.d/disable-bluetooth.conf echo “install bluetooth /bin/true” >> /etc/modprobe.d/disable-bluetooth.conf echo “install btusb /bin/true” >> /etc/modprobe.d/disable-bluetooth.conf ….Read More

Improve your bash shell working experience

This article shows some hints how to improve your bash shell working experience to reach higher productivity. Just simple shortcuts that are not so well known. Using the History The bash history is underestimated when it comes to usability. Here some nice stuff to do with the history. Search the history Every command is kept in the history. The simplest way to use the history is using the cursor-up/down keys. Most users are aware or [ctrl]-r. Usually you hit [ctrl]-r ….Read More

Using Ansible to automate oVirt and RHV environments

Bored of clicking in the WebUI of RHV or oVirt? Automate it with Ansible! Set up a complete virtualization environment within a few minutes. Some time ago, Ansible includes a module for orchestrating RHV environments. It allows you to automate the setup of such an environment as well as automating daily tasks. Preparation Of course, Ansible can not automate all tasks, you need to set up a few things manually. Lets assume you want your oVirt-engine or RHV-manager running outside ….Read More

Signing Linux Kernel Modules and enforce to load only signed Modules

Introduction With the enforcement of loading only signed Linux Kernel Modules you can greatly enhance the security of your Systems. There are basically two methods of enforcement: Secure (UEFI) Boot and the other is a grub parameter. When using Secure boot you can sign own (or 3rd party) Kernel modules by yourself and add your public key as a MOK (Machine Owner Key) in UEFI. When not using Secure Boot, you can not load self signed modules due to the ….Read More

Setting up a 6in4 tunnel with Fedora

Why using IPv6 Tunnels anyway? Today, most Internet access providers are IPv6 enabled. However, unfortunately the majority of them do not provide a static /64 prefix, you will get it dynamically assigned. Some providers can assign you a static prefix for a surcharge. That’s useless if you want to ensure end-to-end connectivity with your Gadgets at home. Choosing a tunnel provider Since 2004 I had my own IPv6 prefix from SixXS. Pretty sad that they are shutting down its services ….Read More

Audit your systems for security compliance with OpenSCAP

Introduction to (Open)SCAP SCAP stands for Security Content Automation Protocol. It is an open standard which defines methods for security policy compliance, vulnerability management and measurement etc. This article focuses on the operating system compliance part of SCAP. It comes originally from the US National Institute of Standards and Technology (NIST) to provide a way for US government agencies to audit its systems for regulatory compliance. OpenSCAP is a NIST validated open source implementation of SCAP. Why should I make ….Read More

Using Unbound for recursive DNS lookup

Some organizations decide to use its internal authoritative DNS servers as recursive DNS because of easiness and reverse lookup of internal RFC 1918 networks works out of the box. That should be avoided for (at least) two reasons: Cache poisoning can cause security nightmares Authoritative answers are never cached and can cause a high load on the DNS servers. Cache poisoning is a problem that can lead to severe problems, as more and more information is stored in DNS. Examples: ….Read More

Disabling NetworkManager on Servers and Workstations

Why not using NetworkManager in some cases NetworkManager is a great tool for managing connectivity on Notebooks and other mobile devices, On server or desktop machines with a complex network setup such as a combination of bonding, bridging and VLAN its probably not the best choice, at least I was not able to configure it that way. This was some time ago (approx 1y), meanwhile it may have changed. Removing NetworkManager Unfortunately on a desktop system its impossible to get ….Read More