Chapter 1.  Managing Security and Risk

Abstract

Goal

Define and implement strategies to manage security on Red Hat Enterprise Linux systems.

Sections
  • Managing Security and Risk (and Quiz)

  • Managing RHEL Security with Red Hat Errata (and Guided Exercise)

  • Reviewing Recommended Security Practices (and Guided Exercise)

Lab
  • Managing Security and Risk

Managing Security and Risk

Objectives

  • Describe fundamental concepts of security management for Red Hat Enterprise Linux servers and how to approach the security management process.

Risk Management

A risk is any event that presents the possibility of loss, such as financial loss, productivity loss, or service delays. Continuous risk management is the process of taking a proactive approach to discover potential risk, assess facts, and act based on the facts to resolve those risks. Monitoring risk indicators and the actions that are taken to resolve them are important for effective risk management. Communicating to stakeholders what those risk indicators are, the actions that are taken to resolve them, and the results, all promote confidence and stability in the process.

The following diagram illustrates a process for continuously managing security risks by maintaining constant attention to potential security vulnerabilities and taking a proactive approach to maintaining a secure computing environment.

Figure 1.1: Continuous risk management lifecycle

Managing Security

Managing security in your computing environments is a collection of continuous activities. Red Hat offers solutions that enable security in each phase of the continuous security lifecycle. The following diagram illustrates a continuous security lifecycle that incorporates the risk management lifecycle.

Figure 1.2: Continuous security and risk management lifecycle

Continuous Security

Security must be both proactive and reactive. It must be considered at every stage of your application and infrastructure lifecycle. You must integrate security experts into your application, deployment, and infrastructure teams.

Design

Develop security requirements, design security processes and procedures, and communicate so that all team members take these considerations into account when designing applications and infrastructure for continuous security and compliance. Collaboratively develop and communicate your security policy and procedures.

In this stage, you might consider what security policies you must comply with, and implement the controls and technologies to maintain compliance.

Red Hat consultants and partners are available to help customers design security into their applications and infrastructure as well as into their application development lifecycle and operations management process.

Build

Build security features into your applications and your infrastructure.

  • Automate and integrate security testing into your continuous integration and continuous deployment process. Use test outcomes to trigger appropriate action: deploy or prevent deployment.

  • Define security profiles and automate the configuration of those profiles whenever new systems are deployed.

You implement your designs and build your applications, and determine how to deploy them to production in a repeatable, reliable, and secure way. In this stage, you could also deploy and provision the infrastructure to support these servers, by using tools such as Kickstart, Red Hat Satellite, and Red Hat Ansible Automation Platform.

Red Hat provides stable and safe development platforms and middleware to design and create your applications.

Run

Run on trusted platforms with built-in security features, such as SELinux.

You can take advantage of the tools that Red Hat provides to help operate your systems with full support. Red Hat helps to secure your systems by providing tools such as SELinux, which help to protect your systems from hackers who exploit security-related issues.

Manage

Maintain an up-to-date catalog of assets, and monitor access and usage. Deploy a management solution that provides a single management interface across your footprints: physical, virtual, and private and public cloud. You can actively manage users and access.

Red Hat Satellite can help you to track systems that are deployed in your environment and to keep them up-to-date with errata. You can use other management tools, such as Red Hat Ansible Automation Platform, to remediate configuration drift and to ensure that your servers and applications are correctly configured and deployed.

Using these solutions, you can automatically apply, audit, and remediate security and regulatory compliance policies across workloads, whether deployed to bare-metal or virtual servers, with a container, on premise, or in a public, private, or hybrid cloud.

Adapt

Use analytics and automation to adapt, revise, update, and remediate as the landscape changes. You must update access settings when roles and responsibilities change.

You can use tools such as Red Hat Insights to proactively adapt to emerging issues such as common misconfigurations or new security issues that Red Hat identifies.

As you adapt to the ever-changing security landscape, you can revisit the design stage, and start the cycle over again.

How Red Hat Can Help You Manage Security

Securing computing infrastructures has changed significantly in recent years. Keeping your operating systems updated with the latest security patches is no longer sufficient. Operating system providers must be more proactive in combating security problems.

The Red Hat Product Security team analyzes threats and vulnerabilities against all products, and provides relevant advice and updates through the Red Hat Customer Portal. Red Hat provides patches to supported versions of Red Hat products, often on the same day that the vulnerability is first published. These patches minimize disruption, because enterprises can continue to work safely with current versions, and upgrade to later versions when the business is ready.

The Red Hat Product Security team provides the needed guidance, stability, and security to deploy enterprise solutions.

  • Help to protect customers from security concerns when using Red Hat products and services.

  • Investigate, track, and explain security issues that might affect users of Red Hat supported products and services.

  • Be the point of contact for customers, users, and researchers who find security issues in Red Hat products and services, and publish the procedures for resolving those issues.

  • Ensure timely security fixes, and help customers to find, obtain, and publish security advisories and updates.

  • Help customers keep their systems updated to minimize the risk of security issues and to provide automated analysis of security practices.

  • Work with other Linux vendors and open source software to reduce the risk of security issues through information sharing and peer review.

Red Hat Security Reporting

Red Hat takes security seriously, and aims to take immediate action to address security-related problems that involve Red Hat products and services.

Red Hat Security Response

The Red Hat Product Security team is a point of contact for security issues with Red Hat products. This team investigates and verifies the issues. The team analyzes the affected products, identifies the impact, and provides the required corrective action. When a security update is released, the team also publishes a public notification in a Red Hat Security Advisory (RHSA).

Report any suspected security vulnerability for a Red Hat product or service to Red Hat Product Security at secalert@redhat.com. Only members of the Red Hat Product Security team, which is a restricted and carefully chosen group of Red Hat employees, have access to material that is sent to the secalert@redhat.com email address.

Email that is sent to secalert@redhat.com is read and acknowledged by a team member within three working days. For complex issues that require significant attention, Red Hat opens an investigation and provides you with a mechanism to check the status of the team's progress at any time. Any information that you share with Red Hat about security issues that are not public knowledge is kept confidential within Red Hat. This information is not provided to any third parties without your permission.

Communicating Risk Information

Red Hat Product Security provides objective information about security risks that affect you, regardless of possible media hype. Red Hat uses the following workflow to communicate accurate information about how these vulnerabilities affect you, so that you can make informed decisions.

Figure 1.3: Security risk awareness workflow

Red Hat Security Severity Ratings

The Red Hat Product Security team rates the impact of security issues in Red Hat products by using a 4-point scale (Critical, Important, Moderate, and Low), as well as Common Vulnerability Scoring System (CVSS) scores.

These ratings provide a prioritized risk assessment to help you to understand and schedule upgrades to your systems, so that you can make informed decisions about the risk that each issue poses to your unique environment.

The ratings consider the potential risk based on a technical analysis of the exact flaw and its type, but not the current threat level. A given rating might not change if an exploit or worm is released later for a flaw, or if details of the flaw become publicly available before a fix is released.

Table 1.1. Issue Severity Classification (columns: Severity rating, Description)

Critical impact
  This rating is given to flaws that a remote unauthenticated attacker could exploit, and that could compromise the system (arbitrary code execution) without requiring user interaction.
  Worms could exploit these types of vulnerabilities. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.

Important impact
  This rating is given to flaws that can compromise the confidentiality, integrity, or availability of resources.
  These are the types of vulnerabilities that allow local users to gain privileges, or that allow unauthenticated remote users to view resources, execute arbitrary code, or cause a denial of service.

Moderate impact
  This rating is given to flaws that might be more difficult to exploit, but could lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances.
  These types of vulnerabilities could have a Critical or Important impact, but are less easily exploited based on a technical evaluation of the flaw, or they affect unlikely configurations.

Low impact
  This rating is given to all other issues that have a security impact.
  These types of vulnerabilities are believed to require unlikely circumstances to be exploited, or are cases where a successful exploit would have minimal consequences.


A Red Hat security advisory can contain fixes for several vulnerabilities, and for packages for several products. Each issue in an advisory has an impact rating for each product. The overall severity of an advisory is the highest severity out of all the individual issues, across all the products that the advisory targets. For simplicity, advisories show only the overall severity (except for kernel advisories, which list the severity of each issue). The advisories contain links to the relevant entries in Red Hat's bug-tracking system, where you can examine individual impacts and additional commentary.
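The aggregation rule above (an advisory's overall severity is the highest rating across all its issues and all targeted products, while kernel advisories also list each issue's rating) is easy to get wrong when scripting patch triage from advisory data. The following is an added example, not Red Hat's own code; the advisory records and the issue identifiers in them are constructed placeholders.

```python
"""Derive advisory severity from per-issue, per-product impact ratings."""
from typing import Dict, List

# Red Hat's 4-point impact scale, ordered from lowest to highest.
SEVERITY_ORDER = ["Low", "Moderate", "Important", "Critical"]


def severity_rank(rating: str) -> int:
    """Map a rating to a comparable integer; reject anything off the scale."""
    if rating not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity rating: {rating!r}")
    return SEVERITY_ORDER.index(rating)


def per_issue_severity(issues: List[Dict]) -> Dict[str, str]:
    """Per-issue breakdown (what a kernel advisory lists): each issue's
    highest rating across the products it is rated for."""
    return {
        issue["id"]: SEVERITY_ORDER[max(severity_rank(r) for r in issue["ratings"].values())]
        for issue in issues
    }


def overall_severity(issues: List[Dict]) -> str:
    """Overall advisory severity: the highest rating across all issues and products."""
    if not issues:
        raise ValueError("advisory has no issues")
    return SEVERITY_ORDER[max(severity_rank(r) for r in per_issue_severity(issues).values())]


def triage_order(advisories: List[Dict]) -> List[str]:
    """Advisory ids ordered for patch scheduling, highest overall severity first."""
    ranked = sorted(advisories, key=lambda a: severity_rank(overall_severity(a["issues"])), reverse=True)
    return [a["id"] for a in ranked]


# Constructed sample data: two advisories, each with per-product ratings per issue.
SAMPLE_ADVISORIES = [
    {"id": "RHSA-EXAMPLE-1", "issues": [
        {"id": "CVE-EXAMPLE-0001", "ratings": {"RHEL 8": "Moderate", "RHEL 9": "Important"}},
        {"id": "CVE-EXAMPLE-0002", "ratings": {"RHEL 8": "Low", "RHEL 9": "Low"}},
    ]},
    {"id": "RHSA-EXAMPLE-2", "issues": [
        {"id": "CVE-EXAMPLE-0003", "ratings": {"RHEL 9": "Critical"}},
    ]},
]

if __name__ == "__main__":
    for adv in SAMPLE_ADVISORIES:
        print(adv["id"], overall_severity(adv["issues"]), per_issue_severity(adv["issues"]))
    print("patch order:", triage_order(SAMPLE_ADVISORIES))
```

Note that a single Moderate rating on one product does not lower the advisory's overall severity; only the highest rating anywhere in the advisory counts.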

When a technology is enabled by default that blocks the exploitation of a vulnerability across all architectures, Red Hat adjusts the severity level of that vulnerability. When a technology reduces the risk of a vulnerability, Red Hat adjusts the severity level and explains the decision in the bug-tracking entry.

Revision: rh415-9.2-a821299