DevConf.CZ 2019 has ended


Security / IdM
Friday, January 25
 

1:00pm CET

Automated hardening of systems your way.
So you are a sysadmin responsible for a server, and you have to be sure that the system is hardened in some particular and maybe non-standard way. Then, meet your best friend - the project of the ComplianceAsCode initiative.
It features checks and hardening snippets in Ansible, Bash and SCAP-compliant formats, so you can use automation to determine the system's state and to keep the system hardened. Discover the smart way of system hardening - learn how to leverage the project:
  • Extend it - write your custom rules,
  • tailor existing rules to exactly suit your needs,
  • compose rules into your security profiles that you can use to audit your system against, and
  • test your custom content for robustness.
For the best interactive experience, bring a laptop with
  • these packages installed: git, Ansible, openscap and Python with the pytest, jinja2 and PyYAML Python packages.
  • the ComplianceAsCode/content repository cloned (or updated to its current master branch).
  • the ComplianceAsCode/demo repository cloned. Check out its README for useful tips and tricks for the workshop!
  • a libvirt-powered Fedora VM, where the root user accepts your unlocked/passwordless SSH key (this is needed only to run tests).

Speakers

Watson Sato

Software Engineer, Red Hat, Inc.
Watson Sato is a Software Engineer at Red Hat, Inc. working on the OpenSCAP project. He is involved in the development of the OpenSCAP scanner and ComplianceAsCode content.

Matěj Týč

Software Engineer, Red Hat


Friday January 25, 2019 1:00pm - 2:50pm CET
Workshop - A113
 
Saturday, January 26
 

9:00am CET

enterprise Linux crypto story
This session will go through the core crypto components of Red Hat Enterprise Linux from the kernel to OpenSSL, briefly cover the requirements set for such components, and explain how their security is evaluated through certifications and other means.

Speakers

Anderson Sasaki

Software Engineer, Red Hat



Saturday January 26, 2019 9:00am - 9:25am CET
E105

9:30am CET

Why you shouldn't write crypto functions yourself
Writing cryptographic functions is not hard; you do not even need to understand the math behind the cryptographic primitive you want to implement to be able to construct a set of functions that correctly encrypts and decrypts ciphertext.
So why do cryptographers keep saying you should not implement your own crypto?
In this talk we'll show practical examples that explain why implementing a mathematical function correctly is only the easy part of the job, and where the devil in the detail lies. We'll also show how even well-thought-through implementations can sometimes be attacked, and how they evolve over time.

A general understanding of how modern CPUs work is useful for following the more technical parts. Knowledge of a programming language is highly recommended.

Speakers

Simo Sorce

Senior Principal Software Engineer, Red Hat
I work in the RHEL Crypto Team; I like security-related topics.



Saturday January 26, 2019 9:30am - 9:55am CET
E105

10:00am CET

Russian GOST cryptography in and near OpenSSL
There is a need to provide national cryptography in various applications. The presentation describes the history, current state and future of Russian GOST support in OpenSSL and OpenSSL-based applications.

Russian GOST support in OpenSSL is divided between modifications of OpenSSL itself and the engine (https://github.com/gost-engine/engine) implementing the low-level cryptographic primitives. The presentation describes the edge cases of using externally provided algorithms, the problems of supporting national specifics in OpenSSL, and adapting applications and standards to support national cryptography.

The presentation covers the history of the universal API for asymmetric cryptography in OpenSSL and offers some ideas about possible API development to make it more flexible.



Saturday January 26, 2019 10:00am - 10:50am CET
E105

11:00am CET

Overview of the NIST Post-Quantum Algorithms
This session gives a high-level overview of the various NIST post-quantum algorithms: 1) why they are needed, 2) how the families of the various algorithms work, 3) what the broad characteristics of those families are, 4) which algorithms are in those families, 5) how some of the one-offs work, 6) where to go to play with the algorithms, and 7) what the next steps in the competition are.

Speakers

Bob Relyea

Principal Programmer, OASIS PKCS #11 co-chair, Red Hat
Bob Relyea is a principal programmer at Red Hat working on the Network Security System Library. Bob is also the co-chair for the OASIS PKCS #11 technical committee, having worked with PKCS #11 and PKCS #11 integration into NSS since 1995.



Saturday January 26, 2019 11:00am - 11:25am CET
E105

11:30am CET

TLS 1.3: what developers should know about the API
Major crypto libraries have adopted TLS 1.3 since its final publication last August. Those libraries are carefully designed so applications can switch to the new protocol with minimal code modification. However, as TLS 1.3 also brings new features, such as post-handshake authentication and 0-RTT, applications need to use new APIs to take full advantage of the protocol.

In this presentation, we will go through the new API functions added for TLS 1.3 in multiple crypto libraries, see the pros and cons of their design choices, and discuss best practices for using those new functions.

Speakers

Daiki Ueno

Engineer, Red Hat



Saturday January 26, 2019 11:30am - 11:55am CET
E105

12:00pm CET

Applications of TPM 2.0
Now that a complete TPM 2.0 infrastructure has been delivered in Linux, the focus is moving to building applications that benefit from TPM security. This session will cover the initial application of the TPM in NBDE and explore other applications that can be built with the TPM. Topics include protecting secrets with the TPM, measurement of the system and using system information to seal secrets, Trusted Boot, TPM signing of software patches, and protection of edge systems. We will also address the use of trusted processing enclaves and complete system protection using the TPM together with trusted processing enclaves. Bonus topic: TPM-secured blockchains!

Speakers

Javier Martinez Canillas

Software Engineer, Red Hat
Javier is a Software Engineer in the Desktop Hardware Enablement team at Red Hat, working on the Fedora and RHEL bootloader stack.

Russell Doty

Technology Product Manager, Red Hat
Russell Doty is a Technology Product Manager at Red Hat focusing on the requirements of Internet of Things (IoT), High Performance Computing, and AI/ML - all with a strong focus on security.



Saturday January 26, 2019 12:00pm - 12:50pm CET
E105

1:00pm CET

Minting and collecting SWID tags
What software is installed on machine X?

With new ways of distributing software, like container images or web applications in various formats, trusted packaging tools and formats like rpm, deb, or pacman no longer provide a complete answer to this simple question. That in turn makes it harder to scan for vulnerabilities, or even prevents basic software accounting.

We will look at SWID, the 2015 standard for software identification that might bring a solution. We will explore the schema, some SWID tags, tools and content, and share preliminary results of a quest for best practices for turning the standard into a useful mechanism for admins, security personnel, or software maintainers. Think of examples of convoluted deployments and come to find out whether SWID can bring some order to the chaos.

Speakers

Jan Pazdziora

Sr. Principal Software Engineer, Red Hat
As a member of the Security Engineering Special Projects group, Jan focuses on making security features seamlessly consumable by admins and users. Lately he has been working with software identities and SWID.



Saturday January 26, 2019 1:00pm - 1:25pm CET
E105

2:00pm CET

Migrating a Linux environment to IDM
As you would expect, Red Hat IT manages lots of Linux systems. This talk will discuss how we are slowly and methodically migrating them from classical LDAP and MIT Kerberos info and authentication backends to using IDM and sssd.

Benefits of the move will be shared and so will some of the lessons learned.

Speakers

Dustin Minnich

Principal Systems Administrator, Red Hat
Been in IT for over a decade. Currently work for the Identity and Access Management IT team at Red Hat as a Principal Systems Administrator. RHCA certified. Strong believer in open source technologies and methodologies. Privacy and freedom of speech advocate. In my free time I enjoy...



Saturday January 26, 2019 2:00pm - 2:25pm CET
E105

3:30pm CET

System-wide crypto policies: what and why
System-wide crypto policies are a fairly new thing in Fedora. In this talk I will introduce them and show the reasons why system-wide crypto policies are needed.
Then we look at them in more detail: which policy levels are currently provided, which core crypto components follow the policy, and how the policies are implemented.
I will also provide an overview of what is in the works and what the future plans for the system-wide crypto policies feature are.
Attendees of the talk should have some basic knowledge of cryptographic algorithms and secure protocols from the user's point of view.

Speakers

Tomáš Mráz

Principal Software Engineer, Red Hat
Tomáš Mráz is a long-time developer and package maintainer of security-related software in Fedora and Red Hat Enterprise Linux; he also participates in the upstream OpenSSL community as a member of the OpenSSL committers team.



Saturday January 26, 2019 3:30pm - 3:55pm CET
E105

4:00pm CET

Using SELinux with container runtimes
This talk will explain how SELinux works with containers. We will show how to enable/disable SELinux using multiple different container runtimes and define the default types. The two default types for running containers are container_t, a fully confined domain that eliminates any use of host files unless they are relabeled, and spc_t, the type containers run with when SELinux container separation is disabled (--privileged mode). Writing custom policy for each container that needs additional access would be very difficult and require a container policy writer. Lukas built a new standalone tool, udica, for generating SELinux policy profiles for containers based on automatically inspecting those containers. Come and see how easily you can create your own policy for a container!

Speakers

Lukas Vrabec

Senior Software engineer & SELinux technology evangelist, Red Hat
Lukas Vrabec is a Senior Software Engineer and SELinux technology evangelist at Red Hat. He is part of the Security Controls team working on SELinux projects, focusing especially on security policies. Lukas is the author of udica, the tool for generating custom SELinux profiles for containers...

Daniel Walsh

Senior Distinguished Engineer, Red Hat, Inc.
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Consulting Engineer at Red Hat. He joined Red Hat in August 2001. Dan has led the Red Hat Container Engineering team since August 2013, but has been working on container tec



Saturday January 26, 2019 4:00pm - 4:50pm CET
E105
 
Sunday, January 27
 

9:00am CET

Scale Your Auditing Events
The Linux Audit daemon is responsible for writing audit records to disk, which you can then access with ausearch and aureport. However, it turns out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original auditd configuration but shipping the records to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we combine auditd events with security-relevant logs.

Speakers

Philipp Krenn

Developer Advocate, Elastic
Philipp lives to demo interesting technology. Having worked as a web, infrastructure, and database engineer for over ten years, Philipp is now a developer advocate and community team lead in EMEA at Elastic — the company behind the Elastic Stack consisting of Elasticsearch, Kibana...



Sunday January 27, 2019 9:00am - 9:50am CET
E112