
The impact of Microsoft's security updates on Red Hat Enterprise Linux



In the previous article, we outlined how cultural dissonance can cause issues when cultures collide. In this article, we talk about what makes up cultural identity, and perhaps help you become more aware of your own cultural assumptions.


On the contrary, in collectivist cultures, the emphasis is more on belonging to part of a group. Collective responsibility and solidarity with others are valued, and when relationships are damaged, grudges can be held for a very long time. There is a strong focus on harmony over conflict, and "fitting in."




Red Hat to collide with Microsoft



In the business world, negotiation style is a key indicator of this dimension. If arguments are settled in an adversarial manner, with ideas being put to the test and challenged to see if they hold out, the culture is more masculine. More feminine cultures are focused on negotiation, by characterizing a shared problem, and collaborating as a group to get to a solution.


Cultures with a high uncertainty avoidance index typically have a strong focus on law and order, are heavily regulated, and have strong faith-based societies. In low uncertainty avoidance cultures, people are open to change and innovation, are more comfortable with taking risks for future gains, and in general favor less regulation and a greater focus on citizen participation in politics.


Finally (and much later than the others), Hofstede describes an axis based on the cultural emphasis on self-restraint. This is correlated with long-term vs short-term orientation, but is slightly different.


I am brand-new to RHEL, coming from a Windows-driven environment. I'm first looking to deploy a WordPress-enabled intranet site for our company with MS AD-integrated permissions, and so am looking to set up my first RHEL server to use AD logons. I've set up my RHEL server as an AD member via the SSSD configuration (no problem there), and have the settings placed to read GID/UID info from AD.


So I'm using PowerShell to script this management. Three parts:
1. Group GIDs. Read all existing GIDs, get the maximum GID present. Then add GIDs to groups without them, incrementing from the current max GID.
2. User UIDs. Read all existing UIDs, get the maximum UID present. Then add UIDs to users without them, incrementing from the current max UID.
3. Read user accounts again, getting their Primary Group and its GID, and setting each user account's GID to be their Primary Group's GID.
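The three steps above as an added example, written here in Python rather than the poster's PowerShell and not taken from their script: it works on the attribute values that an LDAP search or Get-ADGroup/Get-ADUser would return and only computes the writes, so nothing in the directory is touched. The DNs, domain SID, ID values and the floor values used when no ID exists yet are constructed assumptions; the duplicate-ID check is a caveat worth keeping, because two AD objects sharing a uidNumber or gidNumber become one identity on the RHEL side.

```python
# Added example (not the poster's script): the three steps as pure logic over the
# attribute values that Get-ADGroup/Get-ADUser or an LDAP search would return.
# Every DN, SID and number below is constructed.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"

GROUPS = [  # objectSid's last component is the RID; "Domain Users" is RID 513
    {"dn": "CN=Domain Users,CN=Users,DC=corp,DC=test", "objectSid": DOMAIN_SID + "-513", "gidNumber": 10001},
    {"dn": "CN=linux-admins,OU=Groups,DC=corp,DC=test", "objectSid": DOMAIN_SID + "-1105", "gidNumber": None},
]
USERS = [  # primaryGroupID stores the primary group's RID, not its DN
    {"dn": "CN=alice,CN=Users,DC=corp,DC=test", "primaryGroupID": 513, "uidNumber": 20001, "gidNumber": None},
    {"dn": "CN=bob,CN=Users,DC=corp,DC=test", "primaryGroupID": 1105, "uidNumber": None, "gidNumber": 10001},
]

def _allocate(objs, attr, floor):
    """Steps 1 and 2: continue numbering from the current maximum of attr."""
    present = [o[attr] for o in objs if o[attr] is not None]
    if len(present) != len(set(present)):  # two AD objects sharing one uid/gid would
        raise ValueError(f"duplicate {attr} values in AD")  # collapse into one Linux identity
    nxt = max(present, default=floor - 1)  # floor: assumed start when nothing is numbered yet
    new = {}
    for o in objs:
        if o[attr] is None:
            nxt += 1
            new[o["dn"]] = nxt
    return new

def plan_posix_ids(groups, users, gid_floor=10000, uid_floor=20000):
    """Return {dn: {attribute: value}} describing every write the script would make."""
    changes = {}
    new_gids = _allocate(groups, "gidNumber", gid_floor)
    for dn, gid in new_gids.items():
        changes.setdefault(dn, {})["gidNumber"] = gid
    for dn, uid in _allocate(users, "uidNumber", uid_floor).items():
        changes.setdefault(dn, {})["uidNumber"] = uid
    # Step 3: resolve each user's primaryGroupID (a RID) to the group whose SID ends
    # in that RID, then make the user's gidNumber match that group's (possibly new) gidNumber.
    gid_by_rid = {int(g["objectSid"].rsplit("-", 1)[1]): new_gids.get(g["dn"], g["gidNumber"])
                  for g in groups}
    for u in users:
        want = gid_by_rid.get(u["primaryGroupID"])
        if want is None:
            raise LookupError(f"{u['dn']}: primary group RID {u['primaryGroupID']} not found")
        if u["gidNumber"] != want:
            changes.setdefault(u["dn"], {})["gidNumber"] = want
    return changes
```

Feeding the returned plan to Set-ADGroup/Set-ADUser -Replace (or ldapmodify) is the only step left, and reviewing it first shows exactly which accounts change before SSSD picks the values up.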


I prefer to implement with the attributes stored in AD so it is the single point of truth. When you are using calculated/generated UID/GID on the RHEL side it makes querying the values from systems outside the Linux servers more difficult (i.e. not a basic LDAP call).


kexec is a fast-boot mechanism that boots a Linux kernel from the context of an already running kernel without going through the BIOS. Since BIOS checks at startup can be very time consuming (especially on big servers with numerous peripherals), kexec can save a lot of time for developers who need to reboot a machine often for testing purposes. Using kexec to reboot into a normal kernel is simple, but outside the scope of this article; see the kexec(1) man page.


kdump is a reliable kernel crash-dumping mechanism built on kexec. The crash dump is captured from the context of a freshly booted kernel, not from the context of the crashed kernel: whenever the system crashes, kdump uses kexec to boot into a second kernel. This second kernel, often called the capture kernel, boots with very little memory and captures the dump image.


Red Hat provides the KDump Helper tool to help you set up kdump in RHEL 5 and later. You enter a minimum amount of information and the tool generates an all-in-one script that sets up kdump with a very basic configuration, or you can generate a script that sets up kdump with extended configurations for a number of particular scenarios (such as a system hang, a process stuck in D state, or soft lockups). Running the generated script determines the correct crashkernel= parameter and adds it to the currently active grub menu line. You can refer to the KDump Helper blog post for more information, and leave any feedback at the KDump Helper App Info.


In more recent RHEL versions, and with the default compression level discarding pages not related to kernel memory, the average size of a vmcore is relatively small (when compared to total system RAM). You can refer to the latest user statistics in order to estimate the amount of free space to reserve for the dump target.


Cluster nodes can be fenced/rebooted before kdump has time to complete. In clustered environments it is generally necessary to configure additional time for kdump to complete before fencing. Please refer to the following for more information on clusters running the Red Hat High Availability or Resilient Storage Add-Ons, RHEL Advanced Platform Cluster, or Red Hat Cluster Suite: How do I configure kdump for use with the RHEL High Availability Add-On?


Kdump on a Xen server seems not to work with makedumpfile standard args ... It has been demonstrated that the -E option added and the removal of any other flags is necessary for kdump to succeed. This is not documented and was found by our TAM in a non-published doc - Steve Vik


For a System with 64 GB Memory, do I need to go beyond crashkernel=128@16M ? Is it possible to do a crash analysis on a Fedora machine, or do I have to use RHEL to get the debug kernel RPMS installed?


New Stack founder and editor-in-chief Alex Williams sat down with Lauren Cooney, founder and CEO of Spark Labs; Tyler Jewell, CEO of WSO2; and Chris Aniszczyk, CTO and COO of the Cloud Native Computing Foundation, to discuss the repercussions of this acquisition.


The core points discussed included the impact on the market, the impact on the open source contributions made by Red Hat, the impact on the culture within Red Hat, and the possible clash between the product teams of both companies fighting over the same clients. When companies bring two different cultures together, things can go wrong.


Aniszczyk agreed. As someone who has worked with both companies in the past, he could clearly see the cultural difference. He said that many people at Red Hat who came to the company from IBM are concerned about the acquisition.


Today we see more and more attacks on operating systems that take advantage of various technologies, including obsolete cryptographic algorithms and protocols. It is therefore important for an operating system not only to carefully evaluate the new technologies that get introduced, but also to provide a process for phasing out technologies that are no longer relevant. Technologies with no practical use today increase the attack surface of the operating system; in the cryptography field specifically, they introduce risks such as untrustworthy communication channels when algorithms and protocols are used after their useful lifetime.


That risk is not confined to the users of the obsolete technologies: as DROWN and other cross-protocol attacks have demonstrated, it is sufficient for a server to merely enable a legacy protocol alongside the latest one for all of its users to be vulnerable. Furthermore, the recent cryptanalytic advances against the SHA-1 algorithm used for digital signatures demonstrate the need for algorithm agility in modern infrastructures. SHA-1 has been an integral part of the Internet and private public key infrastructures; despite that, we must envision a not so distant future with systems that no longer rely on SHA-1 for any cryptographic purpose.


To address the challenges above, with the release of Red Hat Enterprise Linux (RHEL) 7.4 beta we are introducing several cryptographic updates to RHEL, along with a multitude of new features and enhancements. We continue and extend the protocol deprecation effort started in RHEL 6.9, improve access to the kernel-provided PRNG with the getrandom system call, and ensure that the technologies HTTP/2 depends on, ALPN in TLS and DTLS 1.2, are supported universally in our operating system. Python applications are also made secure by default by enabling certificate verification in TLS sessions. We are also proud to bring the OpenSC smart card drivers into RHEL 7.4, incorporating our in-house developed drivers and merging our work with the OpenSC project community efforts. At the same time, the crypto changes introduced ensure that RHEL 7.4 meets the rigorous security certification requirements for FIPS 140-2 cryptographic modules.


Note also that through our review of the legacy hashes accepted in the operating system, we discovered that the OpenSSL component enables obsolete hashes for digital signatures, such as SHA-0, MD5, and MD4. Since these hashes have no practical use today, and to reduce the risk of relying on legacy algorithms, we have decided to deviate from upstream OpenSSL settings and disable these hashes by default for all OpenSSL applications. That change is reversible (see the release notes). This issue was discussed with the upstream OpenSSL developers; although that behavior is known to them, it is kept for backwards compatibility.


SHA-1 was published in 1993 and is still in use today in a variety of applications, including but not limited to the web PKI. In particular, its primary use case is digital signatures on data, certificates, and OCSP responses. However, there are several known weaknesses in this hash, and a collision attack was recently demonstrated; combined with the experience of the MD5 hash attacks, this is an indication that a forged certificate attack may not be far in the future. For that reason, we have ensured that all our cryptographic tools[1] which deal with digital signatures will no longer use SHA-1 as the default hash function, but instead switch to SHA2-256, which provides maximum compatibility with older clients.


We do not yet plan to disable SHA-1 system-wide in RHEL 7, as a significant amount of infrastructure still depends on it and disabling it would severely disrupt operations. Nonetheless, we recommend that software engineers working on RHEL no longer rely on SHA-1 for cryptographic purposes, and that system administrators verify that they no longer use certificates, OCSP stapled responses, or any other cryptographic structure with SHA-1 based signatures.
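One way to carry out the administrator check recommended above, as an added example that is not part of the Red Hat post: it reads the outer signatureAlgorithm OID of a DER or PEM certificate with a minimal ASN.1 walk (standard library only) and flags the MD4, MD5 and SHA-1 signature algorithms the article discusses. The OIDs are the standard PKCS#1 and X9.62 ones; the embedded certificate bytes are a constructed stand-in with the correct outer layout, not a real certificate.

```python
import base64

# Signature-algorithm OIDs: name and whether the article treats the hash as
# legacy (MD4/MD5 disabled in RHEL 7.4 OpenSSL, SHA-1 no longer the default).
SIG_ALGS = {
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10040.4.3": ("dsaWithSHA1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_str(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def cert_signature_algorithm(der):
    """Return (oid, name, is_legacy) for the outer signatureAlgorithm of a DER X.509 cert."""
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { ... }
    _, _, tbs_end = _tlv(der, pos)          # tbsCertificate: skipped as a whole
    tag2, pos, _ = _tlv(der, tbs_end)       # signatureAlgorithm ::= SEQUENCE
    tag3, start, end = _tlv(der, pos)       # first element: OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 certificate")
    oid = _oid_to_str(der[start:end])
    name, legacy = SIG_ALGS.get(oid, ("unknown", True))  # unknown OID: treat as needing review
    return oid, name, legacy

# Constructed stand-in, not a real certificate: SEQUENCE { tbs = SEQUENCE { INTEGER 2 },
# AlgorithmIdentifier { sha1WithRSAEncryption, NULL }, BIT STRING }. Only the outer
# layout matters to the parser, and a real certificate has the same one.
SAMPLE_SHA1_DER = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d0101050500" "030200ff")
```

For a deployed service, run cert_signature_algorithm(pem_to_der(open(path).read())) over every certificate in the chain it presents, not only the leaf, since an intermediate signed with SHA-1 carries the same risk.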

