DevConf.cz 2021 has ended
Security / IdM
Friday, February 19
 

9:45am CET

Container security automation with Ansible
Docker containers are the new way developers package applications. Due to their ease of use and deployment, more and more applications are being deployed in containers for production use. With so many moving parts, it becomes imperative that we have the capability to continuously scan Docker containers for security issues. We will explore the following points in our discussion:
- Understanding continuous security concepts
- Automating vulnerability assessments of Docker containers using Ansible
- Scheduled scans using Ansible Tower for Docker security
- Scheduled scans using Ansible Tower for operating systems and kernel security
- Scheduled scans for file integrity checks, host level monitoring using Ansible for various compliance initiatives

Speakers

Sumit Jaiswal

Principal Software Engineer, Red Hat


Friday February 19, 2021 9:45am - 10:25am CET
Session Room 2

12:30pm CET

What's new in USBGuard 1.0?
As technology advances, there are USB devices that may destroy your computer, and even official enterprise USB devices can be infected with malware. With that in mind, have you ever felt uneasy about your system's security? That is why USBGuard was created: to prevent such attacks. Furthermore, it is being enhanced and maintained on a regular basis.
USBGuard is a software framework that protects your system against rogue USB devices (a.k.a. BadUSB) by implementing basic allowlisting and blocklisting capabilities. It's a great addition to anyone needing to protect a Linux system.

In this session you will be presented with a brief overview of USBGuard focusing on latest usability enhancements.

Speakers

Attila Lakatos

Associate Software Engineer, Red Hat
I am an Associate Software Engineer at Red Hat, part of the Special Projects Team focused on productization and development of security technologies such as usbguard, sudo, aide and rsyslog. An enthusiastic open source contributor to Linux packages with a Master's degree focused...

Zoltan Fridrich

Intern, Red Hat
Red Hat intern in the Special Projects team and a master's student at MUNI FI. Focused on software development and engineering.



Friday February 19, 2021 12:30pm - 12:55pm CET
Session Room 6

1:00pm CET

DSP - custom SELinux policy modules done right
Decentralized SELinux policy project (DSP) is here to help developers ship custom SELinux policies together with their components. This allows for each package to be tested and delivered to users together with tailor-made security policy (as opposed to waiting for a new release of distribution policy).
In this talk I will show you what this process entails, list pros and cons, and explain how it influences the rest of the system. The newest addition to DSP is a test suite aimed at secure policy writing and proper packaging practices.

Speakers

Vít Mojžíš

Software Engineer, Red Hat
SELinux userspace maintainer



Friday February 19, 2021 1:00pm - 1:25pm CET
Session Room 6

2:45pm CET

Security Scanning - Past/Present/Future
How can you be sure your bare metal, virtual machines or containers are secure and do not contain any known vulnerabilities? How much can you trust your security scanner? How has the security scanning landscape changed over the years and what is next? What are the proverbial pits that security scanners often fall into? Those are some of the questions that we will try to answer in this talk. These answers largely depend on what security metadata is available for the software you are using, so we will cover common security metadata formats and sources and how to use them effectively. We will focus on standard formats such as OVAL and CVRF and several vendor sources.

Speakers

Stanislav Ochotnický

Software Engineer, Red Hat Product Security DevOps, Red Hat
Stanislav has been at Red Hat for almost 11 years at this point. Starting as a maintainer within Red Hat Enterprise Linux engineering, spending a few years as a business analyst and finally returning to the engineering side by joining internal tooling DevOps teams. He is currently working...

Martin Prpič

Software Engineer, Red Hat
I like people, places, and things. Talk to me about anything!



Friday February 19, 2021 2:45pm - 3:25pm CET
Session Room 6

3:30pm CET

Making heads or tails of TLS certificate errors
The ecosystem of TLS certificates is rather complicated. Just OpenSSL has over 75 different possible errors only related to certificate validation, some of them somewhat cryptic. Furthermore, other libraries have incompatible error sets, complicating knowledge transfer.
Usable X.509 Errors (https://x509errors.org) is a project attempting to improve the situation. It compares errors from commonly used libraries (OpenSSL, GnuTLS, Botan, mbedTLS), consolidating the corresponding documentation from all those libraries in a single place. It tries to explain what the validation errors mean by devising better documentation and providing ready-to-use sample certificates for testing.
The presented research is a part of the academic cooperation of Red Hat Czech and Masaryk University.

Speakers

Martin Ukrop

researcher, teacher, Masaryk University
Passionate about usable security, user experience, teaching and experiential learning. Actively organizing educational events in the community "Instruktoři Brno". Ceaselessly fascinated by the world.

Pavol Žáčik

Student, Masaryk University
Student, beginner security researcher at CRoCS - Masaryk University.



Friday February 19, 2021 3:30pm - 3:55pm CET
Session Room 6

4:30pm CET

Rekor - Cryptographic software release ledger
This will be a talk about a new project called 'rekor'. Rekor is a project to provide a cryptographic, immutable, append-only software release ledger using Merkle trees. Rekor is being developed in collaboration between Red Hat OCTO and Google.

Speakers

Luke Hinds

Senior Principal Software Engineer, Red Hat
Luke Hinds works within the Emerging Technologies group in Red Hat's CTO office, where he leads a team working on open source security. Luke started the project sigstore, alongside many other OSS security projects. He has held numerous OSS community leadership roles, such as the Kubernetes...


Friday February 19, 2021 4:30pm - 5:10pm CET
Session Room 6

5:30pm CET

Lattice Based Cryptography Primer
Of all the new post-quantum algorithms we are looking at to replace our traditional RSA and Elliptic Curve systems, lattice-based algorithms are both the most promising and the most opaque. NIST is almost certain to choose a lattice-based scheme as one of the algorithms it plans to standardize in 2021. This talk will help users who have a general feel for how RSA and ECC work get that same familiarity with lattice functions.

Speakers

Bob Relyea

Principal Programmer, OASIS PKCS #11 co-chair, Red Hat
Bob Relyea is a principal programmer at Red Hat working on the Network Security System Library. Bob is also the co-chair for the OASIS PKCS #11 technical committee, having worked with PKCS #11 and PKCS #11 integration into NSS since 1995.



Friday February 19, 2021 5:30pm - 6:10pm CET
Session Room 6
 
Saturday, February 20
 

9:45am CET

Ansible deployment and management updates for IdM
The talk will show the additions and enhancements for the deployment and management of IdM-based solutions using Ansible with the ansible-freeipa project. This includes Ansible roles and modules to automate functions related to deployment and configuration as well as maintenance of IdM. The talk will provide an overview of new modules and roles in ansible-freeipa, for example DNS and RBAC modules and also backup and restore roles. A demo will show the deployment of an IdM cluster with server, replicas and clients and also the use of several management modules.

Speakers

Thomas Woerner

Principal Software Engineer, Red Hat



Saturday February 20, 2021 9:45am - 10:25am CET
Session Room 3

10:30am CET

Life Amongst the Authentica-ceans 🦀
Authentication and IDM technologies are at the core of our system and network security. Whether it's logging into our personal laptop or a corporate website, authentication is how we define roles and privileges for our users and ourselves. Open source has a number of IDM offerings, as do corporate vendors. In this talk, we'll explore some of the history of these projects and what they offer, and the direction that authentication and security are moving in. We'll also introduce Kanidm, a new open source IDM system that has been created to adapt to these changes in IDM and security, and talk about what it has achieved in a short space of time and what the future holds for it.

Speakers

William Brown

Senior Software Engineer, SUSE
Identity Management, LDAP, Security, Rust


Saturday February 20, 2021 10:30am - 10:55am CET
Session Room 3

11:30am CET

Enarx for Confidential Computing
Enarx is an open source project to allow you to deploy sensitive workloads on untrusted hosts in the public cloud, private cloud, Edge, IoT - wherever! We use TEEs (Trusted Execution Environments) such as Intel's SGX and AMD's SEV to deploy into "Keeps", confidentiality and integrity protected WebAssembly run-times. In this talk, we'll give a demo of the latest state, and discuss architecture and some of the more tricky implementation details. A knowledge of systems programming, Rust, micro-kernels, syscalls, WebAssembly, trust management or distributed client-server architecture might be helpful, but we don't expect you to be an expert in all (or any!) of them.

Speakers

Mike Bursell

Executive Director, Confidential Computing Consortium
Mike Bursell is the Executive Director of the Confidential Computing Consortium. He is one of the co-founders of the Enarx project (https://enarx.dev), and was CEO and co-founder of Profian, a start-up based on Enarx. After training in software engineering, he specialised in distributed...

Nathaniel McCallum

Senior Principal Software Engineer, Red Hat, Inc.
Nathaniel is a Principal Software Engineer for Red Hat's Security and Identity group. By day, he tackles tough security problems. By night, he tackles his five children. He is the author of a variety of security related technologies, including: 2FA for Fr


Saturday February 20, 2021 11:30am - 12:10pm CET
Session Room 3

12:15pm CET

Security benefits of using FreeIPA/IDM
In the presentation we will cover:
1. What is FreeIPA
2. What are use-cases [Integrations]
3. Security benefits of FreeIPA, i.e. how IPA can be used to build security within an environment
4. Future scope of FreeIPA moving forward

Speakers

Hemant Khot

STSE, Red Hat
Working as a TSE for IDM at Red Hat for the last 3 years.


Saturday February 20, 2021 12:15pm - 12:40pm CET
Session Room 3

12:45pm CET

Using RHEL built-in Security Technologies daily
In this session we are going to show you how easy it can be to raise the security of your system using readily available technologies. We will guide you through it via a presentation and demos which will enable you to set up an environment capable of allowing users to perform certain administrative actions, rejecting unwanted USB devices or allowing only trusted applications to be executed, automatically unlocking encrypted drives at boot time under specific conditions, or collecting system logs centrally over a secure channel. We are also going to shed some light on the efforts we devote to keeping and even improving the level of quality RHEL is known for.

Speakers

Sergio Correia

Sr. Software Engineer, Red Hat, Inc.
Sergio Correia is a Software Engineer with the Special Projects team, at Red Hat's Linux Security group.

Dalibor Pospisil

quality engineer, Red Hat



Saturday February 20, 2021 12:45pm - 1:25pm CET
Session Room 3

2:00pm CET

Closing gaps in strong auth: FIDO2 device support
Over the past few years, major websites started offering a 2-factor authentication option based on hardware devices. The latest effort in this area is FIDO2, which comprises two closely related standards: WebAuthn for communicating between websites and a client (web browser), and CTAP2 (Client To Authenticator Protocol) for interacting with authenticator devices.

On the client side, however, there is still room for improvement. Although major web browsers have already adopted the CTAP2 protocol, they currently require direct access to the devices through a low-level transport such as USB HID. This can be problematic when authentication is required inside an isolated environment, such as a sandbox or container: the application provider would have to request full access to USB, whereas its usage is solely for user authentication.

To mitigate this situation, we have implemented a proxy service that allows applications to access CTAP2 authenticator devices in a secure manner. With this service, the host has fine grained access control over authenticator devices, while the applications can take advantage of the device discovery mechanism provided by the host. In this talk, we will look at the design of the proxy service considering potential use-cases and challenges in terms of security. If time allows, we will show a demonstration using the current state of implementation.

The slides can be built at: https://gitlab.com/npocs/presentation-devconf-2021

Speakers

Daiki Ueno

Principal Software Engineer, Red Hat
Daiki Ueno works as a software engineer in the RHEL Crypto team at Red Hat, where he leads the development of low-level cryptographic libraries, such as GnuTLS and p11-kit, while helping a variety of security related projects.

Norbert Pócs

Associate, Red Hat
Red Hat Crypto Team member, Student at FIT BUT



Saturday February 20, 2021 2:00pm - 2:25pm CET
Session Room 3
 