Exploring the age-old question of "who watches the watchers". Or more accurately for IT professionals - how do we provide governance for security platforms?

Who watches the watchers?

Understanding Red Hat Advanced Cluster Security for Kubernetes (RHACS) admission control can be challenging. This article takes a closer look at admission control, and the different configuration settings.

Demystifying RHACS Admission Control

Red Hat Advanced Cluster Security for Kubernetes 4.6 has landed, with one of the mostly hotly requested features - policy-as-code!

Getting started with RHACS Policy-as-Code

Learning Kubernetes network policy can be challenging for new platform engineers. Generative AI provides an excellent way to help generate and understand network policy, and in this article, I look at how we can teach an AI model to create network policy using InstructLab.

Teaching AI models about Kubernetes network policy

In this article I look at some approaches to "tame" OpenShift audit and event data, and show how you can use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to create immediate alerts from OpenShift audit events.

Taming OpenShift Audit with RHACS

InstructLab is an open source framework for adding skills and knowledge to generative AI models, and I want to make it "go fast" on WSL.

Making InstructLab 'go fast' on WSL

AWS IAM Roles Anywhere allows you to grant secure, temporary access to AWS services, for workloads anywhere. In this article I'm going to take a look at how you can use IAM Roles Anywhere together with Ansible.

Ansible and AWS IAM Roles Anywhere

GPUs are the tools-of-the-trade for artificial intelligence and machine learning. In this article I look at how to use NVIDIA GPUs on OpenShift, and expose GPUs to both containers and virtual machines.

Get to grips with NVIDIA GPUs and OpenShift

Recently I've been involved in a project to run a healthcare data service on OpenShift. It's been really interesting learning about FHIR, SNOMED CT, and all manner of health-related application protocols and frameworks.

Ontoserver on OpenShift

Red Hat Advanced Cluster Security for Kubernetes (RHACS) v4.4 introduces a new container image scanning capability, Scanner V4. This article takes a closer look at Scanner V4 and how it compares with the existing RHACS scanning capability.

Getting started with RHACS Scanner V4

Phishing-resistant multi-factor authentication is a critical security control in 2024, and this article takes you through configuring it for OpenShift with Keycloak

Phishing-resistant MFA for OpenShift

A detailed look at my OpenShift Virtualization lab build.

OpenShift Virtualization Lab Build

Can you install OpenShift and OpenShift Virtualization in your home lab? The answer is a definitive *yes*

OpenShift on an R620

Over the last few months I have been busily building out the Kacti open source project. This is an intro to the project, its goals and roadmap, and a quick-start tutorial.

Introducing Kacti

This article looks at how you can build a screensaver for your video calls. It works across all video calling platforms and the best part is - it's all open source!

Building a screensaver for your video calls with open source

The Center for Internet Security (CIS) Benchmarks provide a system hardening profile for servers and applications. What parts of the benchmark apply to containers? And how do we use them?

Exploring the CIS benchmarks and containers

Core to any DevSecOps program is measurement and metrics. How many releases did we perform this week? How did that compare with last week? What was the lead time for changes? In this article I want to introduce a new metric for DevSecOps adoption, and how we can start to measure this throughout the cloud-native application lifecycle.

A new metric for DevSecOps adoption

A deep dive into Red Hat Advanced Cluster Security for Kubernetes (RHACS), Red Hat Security Advisories (RHSAs), and Common Vulnerabilities and Exposures (CVEs). No mention of lions, tigers, or bears.

RHSAs, CVEs, and RHACS (oh my)

A couple of months ago I wrote an article on StackRox and another open source project, GTFOBins. The first article looked at identifying GTFOBins components during development, and this article looks at identifying GTFOBins execution inside containers at runtime.

GTFOBins and StackRox - part II

Recently I picked up a QMK-compatible keyboard, and wanted to see how I could modify my OpenShift development workflows to suit.

Hacking OpenShift Productivity with QMK

The OpenShift release image is a critical component of the software supply-chain for OpenShift. In this article I want to take a closer look at the release image, and how it's verified.

Demystifying the OpenShift release image

A few weeks I wrote an article on 'Living off the Land' and containers. GTFOBins is an open source project tracking binaries that could be used to support a 'Living off the Land' strategy, and this article explores integrations with StackRox.

GTFOBins and StackRox

Sigstore and StackRox are open source projects helping to address security challenges. Sigstore looks at the software supply chain, and StackRox at Kubernetes-native security models - what do they look like together?

Sigstore and StackRox

A recent Microsoft threat intelligence report called attention to "living off the land" techniques. I thought it would be interesting to see how containers and containerised applications inherently help to mitigate these techniques.

Living off the land and containers

Keycloak can support some interesting authentication and authorisation flows, one of which is creating users and assigning roles ahead of upstream identity provider authentication.

Pre-creating users and roles in Keycloak

Sigstore is an open source project enabling anyone to sign and validate software releases, including container images. This article takes a closer look at Sigstore and some of the innovation happening around the project.

Sigstore - Signature Sorcery

A recent FortiOS vulnerability is being actively exploited. Ansible can be used to implement a mitigation.

Automating Fortinet FortiGate devices with Ansible

Did you know that you can create Ansible playbooks with ChatGPT?

Creating Ansible playbooks with ChatGPT

In the last article I looked at automating some of the tests available for Windows servers and desktops in the ACSC Essential Eight assessment guide. This article looks at how we can measure assessment activity - how often are we assessing systems, and are they passing the tests?

Measuring Essential Eight Assessment Activity

Recently the Australian Cyber Security Centre released an Essential Eight assessment guide. This article looks at automating some of the tests in the guide with Ansible.

Automating the Essential Eight Assessment Guide

Ansible provides a way to automate functional verification tests. This article looks at an improved approach to automating functional verification tests that I introduced in an earlier article.

Improved Functional Verification Testing with Ansible

Functional verification provides a way that we can attest to the configuration of a device or system, and verify compliance controls. This article looks at a functional verification approach using Ansible.

Functional Verification Testing with Ansible

What do you do when you need to give away swag, but don't have a wheel? You build one on OpenShift!

The Red Hat Swag Wheel at Gartner

A quick look at the File Access Policy Analyzer, an open source tool simplifying application control implementation

Up and running with the File Access Policy Analyzer

RSA Conference 2022 again highlighted that many data breaches are due to unpatched systems. In this article I look at some of the technologies available to help organisations ensure that updates are applied across their hybrid cloud environments

Automated security patching with Ansible

Application control is a critical security control, allowing you to specifically authorise applications, processes and shared libraries. This blog introduces some ofthe resources you can use to learn more about application control, and get hands-on.

Hands-on with Application Control for Linux

Many organisations take the same approach to securing virtual machines, which I call 'Access & Agents'. While effective for virtual machines and other legacy infrastructure, this approach doesn't translate across to containers and Kubernetes, and this article looks at why.

Access & Agents

Did you know that you can scan the internal OpenShift registry for security issues? Read on to find out how.

Scanning the OpenShift Internal Registry

A quick guide on how to integrate a Kubernetes-native security platform with quay.io private repositories

Scanning Quay.io private repositories for CVEs

Automation allows organisations to scale security workflows across hybrid cloud environments. In this article I take a closer look at automating application control, and how you can use Ansible roles to create reusable automation content.

Automating application control

What's the difference between institutional and industry knowledge, and what can you do to bring these into balance?

Maintaining a knowledge balance

What does it mean to be "Kubernetes-native"? And what does Kubernetes-native security look like?

Kubernetes-native security and least surprise

Injecting integrity checks to application control processes is a winning security combination. Application control allows you to specify that only certain processes can execute on a system - but how do you know they are the right processes? How can you ensure that the code that you want to execute is the code that actually executes?

Application control and integrity checks

Application control seems to be one of those elusive security controls that organisations spend years chasing. How can we validate which processes are authorised to run on a system, and then enforce this?

Application control for everyone

How do you protect your threat intelligence sharing platform from compromise? Read on to learn how SELinux and podman can support a containerised MISP deployment.

Open source threat intelligence and SELinux

Compliance evokes images of checking boxes. The real purpose of IT system compliance is risk migitation, and it probably just needs a better name

All Posts

Who watches the watchers?

Demystifying RHACS Admission Control

Getting started with RHACS Policy-as-Code

Teaching AI models about Kubernetes network policy

Taming OpenShift Audit with RHACS