Personal Blog

DISA Updated the RHEL7 STIG! What changed between V1R1 –> V1R2?

This week DISA released an update to their RHEL7 STIG content, incrementing their release from V1R1 to V1R2. This update was unexpected; updates were not coordinated with DoD, NSA, NIST, or Red Hat — so what exactly changed?

RNGD and “Weak Cryptography” for Virtual Machines

There was recently a great post on Red Hat’s gov-sec mailing list that asked about random number generation inside virtual machines, what constitutes “weak cryptography,” how to increase performance, and generally how to make things better while staying inside Federal guidelines. Let’s take this opportunity to trace through RHEL’s FIPS certifications to make a risk decision on what tools+techniques […]

Tackling compliance with OpenControl

Placing information systems on government networks requires system owners to follow the NIST Risk Management Framework, or an agency-specific tailored variant of it. Following this framework requires extensive documentation — even the government-provided “Guide for Applying the Risk Management Framework to Federal Information Systems” is 102 pages long! The OpenControl project was created to […]

Quick review of SPAWAR SCC 4.2 Beta 1 with OpenSCAP/SCAP Security Guide

Earlier today (Fri 3-FEB-2017), SPAWAR released a beta edition of their SCAP Compliance Checker 4.2 Beta 1, also known as SPAWAR SCC. Their tool works across multiple operating systems and their latest release “adds NIST 800-53 mappings to reports when CCE/CCI references are included in the content.” The inclusion of NIST and CCE metadata is extremely helpful […]

Draft NIST 800-171 baseline for RHEL7

Initial guidance on configuring RHEL7 against NIST 800-171/CUI has been developed. Below is a short(ish) background on NIST 800-171/Controlled Unclassified Information, sample security compliance guides and reports, and how you can give feedback (or participate!) on this work.

Save the Date: Defense in Depth 2016

The Defense in Depth Workshop brings Red Hat Security Engineering leads to McLean, VA for a day of collaboration and networking. It’s a chance for you to learn about the latest developments (upstream and enterprise) directly from the developers, and for Red Hat engineering to hear directly from you and better understand the challenges you’re […]

Announcing the RHEL7 FBI CJIS Profile!

Over the past 1-2 years we’ve been working across Public Sector to open source the security baselines used within our defense, intelligence, and civilian communities. These baselines ultimately end up shipping natively in RHEL (and its derivatives, such as CentOS), which greatly reduces the time it takes to get Red Hat-based systems accredited on government networks. Today […]

Our Wedding!

Some teaser pictures from our wedding!

Save the Date: Defense in Depth 2015

In 2013, a few Red Hatters wanted to host a security-focused technology day. After running the idea past our DoD/IC/Civilian communities, we hosted the first “Defense in Depth” day in June 2013. Over 2 years, Defense in Depth has become the largest technical event of Red Hat Public Sector — second to the Red […]