#Security
9 posts
Django Advanced #7: Deployment security — settings split, ALLOWED_HOSTS, CSRF, secret management
Settings split patterns, django-environ, DEBUG/ALLOWED_HOSTS/CSRF/HSTS, SECRET_KEY management, and manage.py check --deploy — what to verify before putting Django into production.
AWS Advanced #6: Secrets Manager / Parameter Store
How Secrets Manager and SSM Parameter Store differ, automatic rotation, fetching from code (boto3 / caching / Powertools), ECS and Lambda integration, IaC wiring, cost comparison — AWS secret / configuration management.
RHEL Advanced #5: Security Hardening — auditd, OpenSCAP, FIPS
The three pillars of operational security stacked on top of SELinux: auditd for recording every change to the system and reviewing it with ausearch/aureport, OpenSCAP for automated checking and remediation against CIS, STIG, and PCI-DSS, and FIPS mode as required by government and financial certifications — all in one cycle.
RHEL Advanced #4: SELinux Advanced — Writing Policy and audit2allow
Going one level higher than the intermediate post: the structure of .te/.fc/.if policy files, the flow and limits of generating modules with audit2allow, the procedure to compile and install with checkmodule / semodule_package / semodule by hand, plus booleans and interfaces — all in one cycle. The goal is to follow an AVC denial all the way through to a permanent policy module.
Docker Advanced #3: Image Security — non-root, distroless, Trivy Scans
A practical toolkit for container security. Dropping to a non-root USER, read-only root with tmpfs, dropping capabilities, narrowing the attack surface with distroless, scanning known CVEs with Trivy/Grype, and linting Dockerfiles with hadolint.
AWS Basics #6: Security Basics — MFA, Key Rotation, Least Privilege
Enforcing MFA on root and IAM users, automating access-key rotation, auditing permissions with IAM Access Analyzer, least-privilege patterns, and the incidents you actually see in production.
RHEL Intermediate #1: Intro to SELinux — Enforcing/Permissive, Labels, Troubleshooting
A beginner-friendly introduction to SELinux, RHEL's last security layer. Covers the three modes Enforcing/Permissive/Disabled, the shape of labels (context) attached to every file and process, viewing them with ls -Z / ps -Z, fixing labels with chcon/restorecon, making permanent changes via semanage fcontext, toggling booleans, and troubleshooting AVC denials with audit2allow and sealert.
RHEL Basics #7: Basic Security — firewalld, SSH Hardening
RHEL's firewall abstraction firewalld and its zone model, the firewall-cmd command set (permanent vs runtime), and the four standard SSH hardening steps — disable password auth in favour of key-based auth, lock down root login, change the port, split sshd_config.d. The final post of the series.
AWS Basics #2: IAM — Users, Groups, Roles, Policies
The four elements of IAM — Users, Groups, Roles, Policies. JSON policy syntax, the essence of AssumeRole, and permission design patterns that hold up in production.