Michael AM Felt


Recent Posts

  • Why I Stay Away From Using gcc (on AIX)
    10/03/2017
  • SUDO-RBAC Phase 1
    09/27/2017
  • Sweet32 Birthday! Your First Thoughts?
    09/11/2017
  • Security Isn’t Just Technology
    09/04/2017
  • What OpenSSH Are You Using?
    08/17/2017

    SENDMAIL SSL efix: a Painless ifix

    There is a good chance you are not using sendmail at all (on AIX) to receive mail. However, if you are, you should be using sendmail plus ssl. If you are using sendmail and ssl you have probably applied the fix supplied last August (First Issued: Fri Aug  7 15:15:59 CDT 2015 | Updated: Tue Aug 18 09:19:51 CDT 2015).


    Posted: May 12, 2016 |

    Using AIXPERT to Generate Compliance Reports

    AIXPERT is an easy-to-use interface to both harden a system and verify compliance with one or more standards. A standard can be one published by a third party (e.g., CIS), one from core AIX, one from PowerSC, or one of these copied and customised for your situation. The format is XML.


    Posted: April 12, 2016 |

    Getting Ready for Tomorrow's Cryptography Demands

    A comment from a reader (thanks again) reminded me about the compile/build option of no OpenSSL or LibreSSL. And as he comments, this does simplify the maintenance of OpenSSH - one less library to support.


    Posted: September 28, 2015 |

    OpenSSL, Sendmail and the LOGJAM Vulnerability

    In my last blog, I wrote about keeping OpenSSL current via the webpacks. In part, that's because OpenSSL is something to blog about. Please note that there are really important CVEs to be patched - but if you look at the recent Java patches - patches are also needed to fix the following OpenSSL related CVEs:


    Posted: August 12, 2015 |

    How to Keep OpenSSL Up-to-Date

    Keeping OpenSSL up-to-date is becoming a chore. And waiting for an update in a service pack may not be the best way to do this - for many reasons.
     
     


    Posted: August 03, 2015 |

    OpenSSH-6.8p1 With LibreSSL (LibreSSH) Is Now!

    OpenSSH with LibreSSL is now available. I have tested LibreSSH on AIX 5.3 TL7, AIX 6.1 TL7 and AIX 7.1 TL3 and it works on all of them. The starting point in each case is that openssl.base and openssh.base were also installed. The special behavior is that aixtools.libressl.openssh copies the config files and keys from /etc/ssh to /var/openssh/etc and "downgrades" the ciphers and Key Exchange Algorithms (KexAlgorithms) so that they are equivalent (more on that later). This is to be sure you have connectivity with your current clients after installation. Note: the SRC subsystem for sshd is also modified to start "LibreSSH".


    Posted: July 06, 2015 |

    Updating to the Latest AIX Technology Level

    How about an update on the latest Technology Level on AIX? Why bother updating to the latest TL? Well, hopefully you’re already using aixpert for your basic hardening. If you’re not, I recommend using -- as a starting point -- the CIS benchmark for AIX 6.1 or 7.1. 


    Posted: June 24, 2015 |

    OpenSSH Built on LibreSSL

    Last year, OpenSSL got a lot of bad press – and, some felt, very deserved bad press. The problems were addressed by the OpenSSL developers and we have newer versions that have patched these “concerns.”

    Another group of developers (OpenBSD) is much more critical of the current state of OpenSSL – even after the patches – because they feel there are inherent problems with the way OpenSSL has developed. They took the course of “putting their money where their mouth is” and started their own branch of OpenSSL – naming it “LibreSSL.”


    Posted: April 26, 2015 |

    Please Answer This

    What is your primary concern when you think about IT security?


    Posted: April 02, 2015 |

    SSL – You Have a Choice Very Soon!

    First thing: What’s in a name? We generally speak and write SSL, but what we really should mean is TLS. For this blog, I shall continue this convention of SSL but soon I shall speak TLS only!


    Posted: February 17, 2015 |

    Displaying results 11-20 (of 42)