Automation

Alternatives to Bastille Linux: system hardening with Lynis

Bastille Linux is a great tool for hardening of Linux systems. With the project looking outdated (or even dead), there are new alternatives to Bastille. One example is hardening your system after...

Summary of Alternatives to Bastille Linux: system hardening with Lynis

Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats.

Read the full article…

DevOps vs Security: Can Docker make a difference?

Docker Inc. is one of the pioneers in the world DevOps, Known for its toolkit around Linux container technology. Aren't we battling the same security issues we have seen before?

Summary of DevOps vs Security: Can Docker make a difference?

One of the pioneers in the world DevOps, is the company Docker Inc. Known for its toolkit around Linux container technology, they propel the way this technology evolves and is promoted to the world. With great achievements and interest from the outside world, also comes a lot of pressure. Competing products are showing up, resulting in a battle for features, pricing and customers. Unfortunately for security professionals like us, the many security lessons from the past seems to be forgotten.

Read the full article…

Find Differences Between Two Daily Lynis Audits

It can be useful to see the differences between scans of Lynis, especially when running it daily. Learn how to do this with just a few steps

Summary of Find Differences Between Two Daily Lynis Audits

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs. Report Lynis has two important files to which is logs data:

Read the full article…

Find the alternatives: CIS-CAT auditing tool

Sometimes time or money is limited. We hunt to find great alternatives to commercial solutions. This time alternatives for the CIS auditing tool CIS-CAT.

Summary of Find the alternatives: CIS-CAT auditing tool

The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis.

Read the full article…

OpenSCAP on CentOS 7 – Installing from source

Sometimes we need to build things from source. In this article we install OpenSCAP on CentOS 7 by compiling and installing it manually.

Summary of OpenSCAP on CentOS 7 – Installing from source

Installing from source Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment. Install required components On our minimum installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files.

Read the full article…

Security Automation for Linux: Are Humans Still Needed?

Machines are smarter, quicker and make less mistakes compared to humans. They might be the ultimate resource for security automation, securing our systems.

Summary of Security Automation for Linux: Are Humans Still Needed?

The problem with humans is that they are smart yet slow at the same time. They can’t react to simultaneous events and aren’t always working. Besides that, they make mistakes, have to deal with budgets and internal company politics. Information security is impacted by these effects as well. As you might have guessed the solution is in automation. SCAP (Security Content Automation Protocol) is one of the answers. Especially the automation part is interesting, as it can improve quality, decrease time efforts and remove the “boring” work.

Read the full article…

Security Best Practices for Building Docker Images

To ensure your Docker images are properly configured, we show some of the best practices. Building secure Docker containers doesn't have to be hard.

Summary of Security Best Practices for Building Docker Images

Docker simplifies software packaging by creating small software units. It starts with a base OS image, followed by software installation and finally the configuration adjustments. For building your own images, Docker uses small build files, with the less than original name Dockerfile. Docker build files simplify the build process and help creating consistent containers, over and over. Unfortunately developers don’t always take security into account during the build process, resulting in software which is installed insecurely.

Read the full article…

Security Integration: Configuration Management and Auditing

Configuration Management and Auditing. Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid...

Summary of Security Integration: Configuration Management and Auditing

Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually.

Read the full article…

Shell scripting

From beginning to advanced users, these articles will cover your needs when it comes to creating better shell scripts. Shell-scripting is more powerful than you might think!

Summary of Shell scripting

Shell scripting is a powerful way to assist in automation of repeating tasks. While fairly easy to learn, the shell scripting language has a lot of caveats. In this area we collect tips and tricks to help you creating better shell scripts.

Tiger is History, Long Live Modern Alternatives!

The tiger tool was known for a long time to help with auditing Unix-based systems. Fortunately there are new tools that are better maintained.

Summary of Tiger is History, Long Live Modern Alternatives!

Recently I saw some tweets showing up from an old friend: Tiger. Surprised to see it being promoted, as I know the tool for years, but never seen any new releases in the last years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software. History of Tiger In its day, the tool was quite good.

Read the full article…

Using unattended-upgrades on Debian and Ubuntu

To counter the biggest threat to software packages, Debian and Ubuntu based systems can use unattended-upgrades, to install security patches automatically.

Summary of Using unattended-upgrades on Debian and Ubuntu

To counter the biggest threat to software packages, they should be updated on a regular basis. Vulnerabilities are discovered on a daily basis, which also requires we monitor daily. Software patching takes time, especially when testing and reboots are needed. Fortunately, systems running Debian and Ubuntu can use unattended-upgrades to achieve automated patch management for security updates. Installation With most software packages, unattended-upgrades has to be installed. apt install unattended-upgrades

Read the full article…

Why Linux security hardening scripts might backfire

We talk about the risks when using Linux security hardening scripts in this article. Hardening Linux with scripts might look like a nice idea, but is it?

Summary of Why Linux security hardening scripts might backfire

System administrators and engineers love to automate things. In the quest to get everything replaced by a script, automated hardening of systems is often requested. Unfortunately this automation might later backfire, resulting in a damaged trust in system hardening. Why System Hardening? The act of increasing system defenses is a good practice. It helps protecting your valuable data, so it can only be used by authorized people. System hardening itself consists of minimizing services and removing unneeded ones.

Read the full article…