Security professional Michael Boelen writes about Linux security, system hardening, and related subjects. He worked as a consultant for multinational companies before he started CISOfy. Michael is involved with open source software and created several projects. Among them are Rootkit Hunter (rkhunter), a malware scanner for Linux and other platforms. He is also the creator and lead developer of Lynis, a tool that helps with hardening Linux systems. You can find more information about Michael on his website https://michaelboelen.com or via Twitter.

Tuning auditd: high-performance Linux Auditing

The Linux Audit framework is a powerful tool to audit system events. From running executables up to system calls, everything can be logged. However, all this audit logging comes at the price of decreased system performance. Let’s have a look at how we can optimize our audit rules. Performance tips Good auditd performance will reduce stress on the Linux kernel and lower its impact. Before changing anything to your system, we suggest benchmarking your system performance before and after. This […]

Read more

Protecting the browser: Web of Trust

Protecting the web browser Usually we focus on the blog on the server side of things, helping to protect the data of users, customers and ourselves. What we commonly overlook is the end of the connection, the web browser of the user. In the upcoming posts we will look at alternative measures we can take, to protect data there as well. Malware, spam, scam? As we all know, the web is full of good things. But unfortunately it happens also […]

Read more

Lock Down Strategies for Linux Servers

Locking Down Linux: Strategies Most of the security defenses on Linux, are based on the earlier performed hardening activities. By locking down components on the system, the chance of a full compromise is lowered. This step-by-step locking down is a time consuming process. Time to review some of the strategies which can be applied when you want to secure your systems. Strategy 1: Locking down processes The first area to lock down are system processes. After all, each system needs […]

Read more

Find the alternatives: CIS-CAT auditing tool

Alternatives to the CIS-CAT auditing tool The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing […]

Read more

Viewing available test categories in Lynis

Test categories in Lynis When auditing a server, it may be useful to only run a particular category of tests, like firewall related tests. In that case the –tests-category parameter can be used, together with the category name. Available categories To determine what categories are available, Lynis has a built-in parameter –view-categories which lists all available files. Most of the names are self-explanatory on what of tests they include. For more information about the included tests, have a look in […]

Read more

Security Best Practices for Building Docker Images

Security Best Practices: Building Docker Images Docker simplifies software packaging by creating small software units. It starts with a base OS image, followed by software installation and finally the configuration adjustments. For building your own images, Docker uses small build files, with the less than original name Dockerfile. Docker build files simplify the build process and help creating consistent containers, over and over. Unfortunately developers don’t always take security into account during the build process, resulting in software which is installed insecurely. […]

Read more

Security Integration: Configuration Management and Auditing

Configuration Management and Auditing Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually. […]

Read more

Using SSH keys instead of passwords

Using SSH keys instead of passwords Linux systems are usually managed remotely with SSH (secure shell). Still many administrators are using passwords, instead of keys. Keys not only boost security, it also makes managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will be wondering why you ever used password based authentication before. Creating the key Depending on your desktop platform, […]

Read more

Optimize SSL/TLS for Maximum Security and Speed

Optimize SSL/TLS for Maximum Security and Speed High Goal Setting Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, still we have some sensitive areas. The ordering section and downloads, and additional our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all. Additionally, we believe that we doing everything we can on our website, practicing security […]

Read more

Using unattended-upgrades on Debian and Ubuntu

Using unattended-upgrades on Debian and Ubuntu To counter the biggest threat to software packages, they should be updated on a regular basis. Vulnerabilities are discovered on a daily basis, which also requires we monitor daily. Software patching takes time, especially when testing and reboots are needed. Fortunately, systems running Debian and Ubuntu can use unattended-upgrades to achieve automated patch management for security updates. Installation With most software packages, unattended-upgrades has to be installed. root@system:~# apt-get install unattended-upgrades If you are […]

Read more

Securing nginx configurations: implementing OCSP stapling

Securing nginx configurations Implementing OCSP stapling in nginx OCSP stapling is a logical follow-up on Online Certificate Status Protocol. OCSP itselfs just checks if certificate is still valid by determining if it is on a revocation list. The original OCSP protocol forces the client to check for the status of a certificate. This results in a lot of traffic for the CA behind the certificate. OCSP stapling moves the check to the owner of the certificate. On a regular basis […]

Read more

5 Basic Principles of Linux System Security

5 Basic Principles of Linux System Security It is still common that people do not know where to start when it comes to information security. With 5 basic principles we can improve the Linux system security and question ourselves if we have done enough.   1. Know your system(s) The first principle is about knowing what your system is supposed to do. What is its primary role, what software packages does it need and who needs access? By knowing the […]

Read more

Using ClamAV for Linux PCI DSS requirement 5: Malware

PCI DSS requirement 5: Malware and Anti-Virus An important part in the PCI DSS compliance, is checking for malicious software, or malware. By using anti-virus software like ClamAV, malware threats can be detected, and in most cases prevented. In this article we focus mainly on Linux environments, but of course most of these tips will apply to other platforms like Mac OS. 5.1. Verify presence of software 5.1 For a sample of system components including all operating system types commonly […]

Read more

Password Security with Linux /etc/shadow file

Password Security on Linux Using the /etc/shadow file Linux systems use a password file to store accounts, commonly available as /etc/passwd. For additional safety measures, a shadow copy of this file is used which includes the passwords of your users. Or actually hashed password, for maximum security. An example of a password entry in /etc/shadow may look like this: user1:$6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tKXiOGNCfWBsrTGY7wtC6Cep6co9eVNkRFrpK6koXs1NU3AZQF8v/:16092:0:99999:7::: For proper display, let’s split this up in several fields: user1 $6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tK<truncated> 16092 0 99999 7 <nothing> <nothing> Field explanations […]

Read more

Updating all OpenBSD packages with pkg_add

Using pkg_add Keeping your systems stable and secure Every system needs to stay up-to-date with its packages, including OpenBSD. Most OpenBSD users already use pkg_add for the installation of packages. This utility can also be used for package upgrades. Option 1: Use /etc/installurl Newer OpenBSD versions use the file /etc/installurl to select the mirror for pkg_add. Option 2: PKG_PATH The first thing to do is defining your PKG_PATH. This will usually be the address of a FTP or HTTP server, which […]

Read more
167891015