Signing Linux Kernel Modules and enforce to load only signed Modules

Introduction With the enforcement of loading only signed Linux Kernel Modules you can greatly enhance the security of your Systems. There are basically two methods of enforcement: Secure (UEFI) Boot and the other is a grub parameter. When using Secure boot you can sign own (or 3rd party) Kernel modules by yourself and add your public key as a MOK (Machine Owner Key) in UEFI. When not using Secure Boot, you can not load self signed modules due to the ….Read More

Audit your systems for security compliance with OpenSCAP

Introduction to (Open)SCAP SCAP stands for Security Content Automation Protocol. It is an open standard which defines methods for security policy compliance, vulnerability management and measurement etc. This article focuses on the operating system compliance part of SCAP. It comes originally from the US National Institute of Standards and Technology (NIST) to provide a way for US government agencies to audit its systems for regulatory compliance. OpenSCAP is a NIST validated open source implementation of SCAP. Why should I make ….Read More

Using Unbound for recursive DNS lookup

Some organizations decide to use its internal authoritative DNS servers as recursive DNS because of easiness and reverse lookup of internal RFC 1918 networks works out of the box. That should be avoided for (at least) two reasons: Cache poisoning can cause security nightmares Authoritative answers are never cached and can cause a high load on the DNS servers. Cache poisoning is a problem that can lead to severe problems, as more and more information is stored in DNS. Examples: ….Read More

Disabling NetworkManager on Servers and Workstations

Why not using NetworkManager in some cases NetworkManager is a great tool for managing connectivity on Notebooks and other mobile devices, On server or desktop machines with a complex network setup such as a combination of bonding, bridging and VLAN its probably not the best choice, at least I was not able to configure it that way. This was some time ago (approx 1y), meanwhile it may have changed. Removing NetworkManager Unfortunately on a desktop system its impossible to get ….Read More

Configure SSSD to work on IPv6-only Hosts

SSSD is used for the client side of IPA and other centralized Identity Management Services. Unfortunately it does not behave as it should. The default is to look up first IPv4 addresses and if that fails IPv6 should be used. Well, if IPv4 fails, the whole request fails and you got weird error messages when joining an IPA domain. As the pool for IPv4 addresses is depleted, IPv6 is getting more and more important. Thus, IPv6-only hosts are on the ….Read More

Secure your system with SELinux

Introduction to SELinux SELinux is well known as the most sophisticated Linux Mandatory Access Control (MAC) System. If you install any Fedora or Redhat operating System it is enabled by default and running in enforcing mode. So far so good. Its available for many years and its not rocket science to use it. This article is supposed to give you some hints how to make your system even more secure and how to solve some troubles SELinux may have on your system. DAC ….Read More

Install and configure DKIM with Postfix on RHEL7

Introduction DKIM (Domain Keys Identified Mail) is a measure against email spoofing, Phishing and SPAM mails. Its easy to implement as you will learn in this article. DKIM signs emails on the outgoing SMTP server, the receiving SMTP can verify the signature by looking up the mail._domainkey TXT DNS record of the respective domain to check if the email originates from that domain or if it is forged. This howto can be used to implement DKIM on a SMTP server ….Read More

Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO

Dovecot can make use of Kerberos authentication and enjoying Single-Sign-On when checking emails via IMAP. This post shows you how you enable this feature. With IPA its rather simple to do so. First enroll your mail server to the IPA domain with ipa-client-install as described in various previously posted articles. Creating a Kerberos Service Priciple Ensure you have a Kerberos ticket as admin user ipa1:~# kinit admin Password for admin@EXAMPLE.COM: ipa1:~# ipa1:~# ipa service-add imap/mail.example.com ——————————————— Added service “imap/mail.example.com@EXAMPLE.COM” ——————————————— ….Read More