Automation
Proper automation does not only save you time, it may improve the security of your Linux systems. Learn what and how to automate using these articles.
Shell scripting
From beginnergs up to advanced users, these articles will cover your needs when it comes to creating better shell scripts.
Summary
Shell scripting is a powerful way to assist in automation of repeating tasks. While fairly easy to learn, the shell scripting language has a lot of caveats. In this area we collect tips and tricks to help you creating better shell scripts.
Tiger is History, Long Live Modern Alternatives!
The tiger tool was known for a long time to help with auditing Unix-based systems. Fortunately there are new tools that are better maintained.
Summary
Recently I saw some tweets showing up from an old friend: Tiger. Surprised to see it being promoted, as I know the tool for years, but never seen any new releases in the last years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software. History of Tiger In its day, the tool was quite good.
Find differences between two daily Lynis audits
It can be useful to see the differences between scans of Lynis, especially when running it daily. Learn how to do this with just a few steps
Summary
Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs. Report Lynis has two important files to which is logs data:
DevOps vs Security: Can Docker make a difference?
Docker Inc. is one of the pioneers in the world DevOps, Known for its toolkit around Linux container technology.
Summary
One of the pioneers in the world DevOps, is the company Docker Inc. Known for its toolkit around Linux container technology, they propel the way this technology evolves and is promoted to the world. With great achievements and interest from the outside world, also comes a lot of pressure. Competing products are showing up, resulting in a battle for features, pricing and customers. Unfortunately for security professionals like us, the many security lessons from the past seems to be forgotten.
Find the alternatives: CIS-CAT auditing tool
Sometimes time or money is limited. We hunt to find great alternatives to commercial solutions. This time alternatives for the CIS auditing tool CIS-CAT.
Summary
The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis.
Security Best Practices for Building Docker Images
To ensure your Docker images are properly configured, we show some of the best practices. Building secure Docker containers doesn't have to be hard.
Summary
Docker simplifies software packaging by creating small software units. It starts with a base OS image, followed by software installation and finally the configuration adjustments. For building your own images, Docker uses small build files, with the less than original name Dockerfile. Docker build files simplify the build process and help creating consistent containers, over and over. Unfortunately developers don’t always take security into account during the build process, resulting in software which is installed insecurely.
Security Integration: Configuration Management and Auditing
Configuration management and system auditing go hand in hand. Learn why and this combination is so powerful.
Summary
Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually.
Using unattended-upgrades on Debian and Ubuntu
To counter the biggest threat to software packages, Debian and Ubuntu based systems can use unattended-upgrades, to install security patches automatically.
Summary
To counter the biggest threat to software packages, they should be updated on a regular basis. Vulnerabilities are discovered on a daily basis, which also requires we monitor daily. Software patching takes time, especially when testing and reboots are needed. Fortunately, systems running Debian and Ubuntu can use unattended-upgrades to achieve automated patch management for security updates. Installation With most software packages, unattended-upgrades has to be installed. apt install unattended-upgrades
Why Linux security hardening scripts might backfire
We talk about the risks when using Linux security hardening scripts in this article. Hardening Linux with scripts might look like a nice idea, but is it?
Summary
System administrators and engineers love to automate things. In the quest to get everything replaced by a script, automated hardening of systems is often requested. Unfortunately this automation might later backfire, resulting in a damaged trust in system hardening. Why System Hardening? The act of increasing system defenses is a good practice. It helps protecting your valuable data, so it can only be used by authorized people. System hardening itself consists of minimizing services and removing unneeded ones.
Alternatives to Bastille Linux: system hardening with Lynis
Bastille Linux is a great tool for hardening of Linux systems. With the project looking outdated (or even dead), there are new alternatives to Bastille.
Summary
Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats.
Security Automation for Linux: Are Humans Still Needed?
Machines are smarter, quicker and make less mistakes compared to humans. They might be the ultimate resource for security automation, securing our systems.
Summary
The problem with humans is that they are smart yet slow at the same time. They can’t react to simultaneous events and aren’t always working. Besides that, they make mistakes, have to deal with budgets and internal company politics. Information security is impacted by these effects as well. As you might have guessed the solution is in automation. SCAP (Security Content Automation Protocol) is one of the answers. Especially the automation part is interesting, as it can improve quality, decrease time efforts and remove the “boring” work.
OpenSCAP on CentOS 7 – Installing from source
Sometimes we need to build things from source. In this article we install OpenSCAP on CentOS 7 by compiling and installing it manually.
Summary
Installing from source Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment. Install required components On our minimum installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files.