System Administration

Alternative for netstat: ss tool

Newer distributions no longer use netstat, in favor of other tools like ss. This alternative tool can show in-depth information about socket statistics.

Summary of Alternative for netstat: ss tool

The ss tool helps system administrators and security professionals to display information about network connected applications. Learn how to maximize its potential and get everything out of this nifty tool.

Alternatives to Bastille Linux: system hardening with Lynis

Bastille Linux is a great tool for hardening of Linux systems. With the project looking outdated (or even dead), there are new alternatives to Bastille. One example is hardening your system after...

Summary of Alternatives to Bastille Linux: system hardening with Lynis

Many people used Bastille Linux to harden their Linux systems. Unfortunately, the website of Bastille seems very outdated, as does the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, which is more powerful. Security automation is hot, so forget Bastille and do it the right way.

Automatic hardening makes sense

Most system administrators can’t keep up with the new technologies and security threats.

Read the full article…

AppArmor

AppArmor is a profile-based security framework available on many Debian-based distributions. In this article we look at the basics of this security framework, its purpose and features.

Summary of AppArmor

AppArmor is a profile-based security framework available on many Debian-based distributions. In this article we look at the basics of this security framework, its purpose and features.

History

AppArmor was developed by Canonical Ltd. and therefore included in their own Ubuntu distribution.

Included in Ubuntu and other Debian-based distributions

What is AppArmor?

AppArmor is a profile-based MAC framework. As the name implies, profiles are used that focus on simplifying security management.

Read the full article…

Auditing systemd: solving failed units with systemctl

Sometimes systemd units like services and timers may fail. Learn how to troubleshoot such issues and resolve them more easily.

Summary of Auditing systemd: solving failed units with systemctl

Solving failed units with systemctl

Systemd is an alternative service manager to the more traditional init system. To ensure the system is healthy, failed units should be investigated on a regular basis. Sooner or later a unit might fail and show up in the systemctl listing. In this article we have a look at how to solve it.

Why do services fail?

During the start of the system, enabled services are started and queued to be executed.

Read the full article…

Automatic Security Updates with DNF

The dnf package manager and dnf-automatic tool can be used for automated security patching on Linux systems. It requires only a few steps to set it up.

Summary of Automatic Security Updates with DNF

The Dandified YUM tool, DNF, has become a powerful package manager for systems running Fedora. As it looks now, it will also become the default package manager for CentOS 8 and RHEL 8. One of the benefits of dnf is the option to retrieve security information very easily. This allows us to use it for automatic security patching of our Linux systems. Let’s explore the options and see how dnf-automatic can help us with fully automated patching.

Read the full article…

AWK Cheat Sheet

When it comes to powerful tools on Linux, AWK is definitely one to know. This cheat sheet explains the basics and shows many useful one-liners.

Summary of AWK Cheat Sheet

When it comes to powerful tools on Linux, AWK is definitely one to know. This cheat sheet explains the basics and shows many useful one-liners.

Configure the time zone (TZ) on Linux systems

Having the right time zone on Linux systems helps with troubleshooting. Learn how to see and configure the right time zone on most Linux distributions.

Summary of Configure the time zone (TZ) on Linux systems

Having the right time set on a Linux system is important for data synchronization, forensics, and troubleshooting. The next step is to configure the correct time zone. This article will help you:

See the current time configuration
Learn how to configure the time zone

Time zone information

We will have a look at how to check and configure the time zone on Linux systems.

Show current time zone

Most new Linux distributions use systemd now.

Read the full article…

Determine Processes Which Need a Restart with checkrestart/needrestart

Just patching software packages is not enough. We cover a few utilities which help you to determine which processes need a restart to complete software patch management.

Summary of Determine Processes Which Need a Restart with checkrestart/needrestart

Proper software patch management helps reduce weaknesses on your systems. But even if you patched an outdated system, old processes and libraries can continue to run in memory. For example, when a library is updated, an active program might still use the old version. To really finish the process of software patching, we have to do more. This includes preparation, performing the update, and finally checking whether we need a restart of software components.

Read the full article…

Discover to which package a file belongs to

With the right Linux software tools, it is easy to find to which package a file belongs. Or the opposite, what files are part of an installed package.

Summary of Discover to which package a file belongs to

Sometimes you want to know the related package of a file, before installation, or when it is already there. This is of great help during system hardening or general system cleanups. In this article we have a look at several ways to determine the relationships between files and the package they belong to. We have gathered this information for multiple Linux distributions. Most options used in this article also have a long format option.

Read the full article…

Find Differences Between Two Daily Lynis Audits

It can be useful to see the differences between scans of Lynis, especially when running it daily. Learn how to do this with just a few steps.

Summary of Find Differences Between Two Daily Lynis Audits

Lately I saw a great feature request for Lynis, to detect differences between two runs of Lynis. Wouldn’t it be great to run Lynis daily and then see if anything changes and act upon those differences? While our auditing tool doesn’t have such an option itself, it is very easy to implement something and fine-tune it to your needs.

Report

Lynis has two important files to which it logs data:

Read the full article…

Finding boot logs in systemd journals

This article shows how to find boot logs in the systemd journal. Learn the commands to query all relevant information.

Summary of Finding boot logs in systemd journals

Systemd uses a binary log to store information about specific events. These events include the boot sequence and the related output. In this article we have a look at finding our boot logs in systemd journals.

Binary logging

When using systemd, boot data is stored in journals, a binary format. There is a big benefit to saving boot data in a binary format: log information of each boot can be stored separately, linked to other pieces of information, and queried more easily and quickly.

Read the full article…

How to change file permissions

Learn how to change the file permissions of files and directories on a Linux system. Follow the examples and make your system more secure.

Summary of How to change file permissions

Changing file permissions: chmod

The primary command to change file permissions on a Linux system is chmod. It’s a basic system administration utility and pre-installed on the system. To make changes to an existing directory or file, it is good to first look up the existing permissions. This can be done using the ls -l command, which lists them in the long format.

    ls -l /etc/hosts
    -rw-r--r-- 1 root root 241 Feb 2 19:10 /etc/hosts

There are two syntax styles to tell chmod what the new value should be.

Read the full article…

How to check if your Arch Linux system needs a reboot

Want to check if a reboot of the system is needed on Arch Linux? Here is how that can be done including the relevant commands.

Summary of How to check if your Arch Linux system needs a reboot

By default Arch will install the kernel in /boot with the name vmlinuz-linux. To determine if the system is running the latest kernel, we can compare the running kernel and the one on disk.

Running kernel

One way to determine the running kernel is with the uname command. It is installed by default, and with the -r parameter it will provide the kernel release version.

    # uname -r
    3.17.4-1-ARCH

Kernel on disk

Checking the latest kernel on disk is almost as easy.

Read the full article…

How to clear the ARP cache on Linux?

Clearing the ARP cache on Linux is easy with the arp or ip utility. This blog post will help you to clear the cache with examples for both utilities.

Summary of How to clear the ARP cache on Linux?

There are several reasons why you might need to clear your ARP cache. There are two common ways to do this on Linux systems, typically using the arp or ip utility. Depending on your Linux distribution and the availability, we suggest using the ip tool.

Clearing cache with ip

Newer Linux distributions have the ip utility. The ip tool has a more advanced way to clear out the full ARP cache.

    ip -s -s neigh flush all

Read the full article…

How to Disable “System program problem detected”

This article shows how to deal with the message “System program problem detected”.

Summary of How to Disable “System program problem detected”

Sometimes programs crash, usually for a variety of different reasons. While it is good to do research and find the underlying cause, sometimes you simply want to disable any reporting.

Clean up /var/crash

The first thing to do is check your /var/crash directory and see if there are any “crash” files. These are just normal text files and include details about a process. If you have a process crashing regularly, you most likely want to report it, so the vendor can implement a fix.

Read the full article…

How to see all virtual hosts in nginx

Want to see all configured virtual hosts on a server running nginx? Here is a method to achieve this quickly by using a default configuration option.

Summary of How to see all virtual hosts in nginx

How to display the configured hosts by filtering out the server_name entries

How to see the version of Oracle Linux

Oracle Linux is based on Red Hat Enterprise Linux. At first, it may be confusing to determine what specific Oracle version of the operating system is used.

Summary of How to see the version of Oracle Linux

Determine Oracle Linux version

Oracle Linux is based on Red Hat Enterprise Linux. At first, it may be confusing to determine what specific operating system is running. This is because both have the /etc/redhat-release file. If that file exists, use the cat command to display the contents. The next step is to determine if there is a /etc/oracle-release file as well. If so, then you can be sure that Oracle Linux is running.

Read the full article…

How to solve an expired key (KEYEXPIRED) with apt

Software updates and package management are easy, until you get a KEYEXPIRED message. In this article we show how it happens and the way to solve it.

Summary of How to solve an expired key (KEYEXPIRED) with apt

Software updates and package management are easy with systems based on Debian or Ubuntu. Just apt-get update (or apt update) and run an upgrade. But sometimes you may encounter the following situation: a KEYEXPIRED message.

KEYEXPIRED message

    # apt-get update && apt-get upgrade
    Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
    Hit:2 http://nl.archive.ubuntu.com/ubuntu xenial InRelease
    Get:3 http://nl.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB]
    Hit:4 http://nl.archive.ubuntu.com/ubuntu xenial-backports InRelease
    Hit:5 https://packages.cisofy.com/community/lynis/deb stable InRelease
    Get:6 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [373 kB]
    Ign:7 http://nginx.

Read the full article…

How to solve Shellshock on Debian and Ubuntu

Debian and Ubuntu are also vulnerable to the Shellshock vulnerability in Bash. That's why it is important to run apt update and perform an upgrade of Bash.

Summary of How to solve Shellshock on Debian and Ubuntu

Protect against Shellshock

Shellshock is a serious software weakness, or vulnerability, in Bash. This shell is used on almost all Unix based systems, including Debian and Ubuntu. As it can be used to exploit systems remotely and without much effort, it has a maximum vulnerability score according to CVSS.

Upgrade Bash

First update the software repository with apt-get, using the update parameter.

    apt-get update && apt-get install --only-upgrade bash

Your system should now have a newer version of bash.

Read the full article…

How to use grep (with examples)

Grep is a powerful utility on Linux. Want to get more out of the tool? This article will show you how to use it including many practical examples.

Summary of How to use grep (with examples)

The grep command is one of the oldest tools for Linux and other platforms. Actually, it is older than Linux itself. It was written by Ken Thompson more than 45 years ago! The name grep stands for “globally regular expression print”. This name comes from its predecessor ed and the specific mode in which you would globally search, using a regular expression, and print the output. The related command was “g/re/p”.

Read the full article…

Installation of Lynis on Arch Linux systems

Lynis is available as a package for Arch Linux and installation is just a few steps. We look at the options to install Lynis on your favorite Linux distro.

Summary of Installation of Lynis on Arch Linux systems

Tutorial for Lynis installation on Arch Linux

Pacman

Arch Linux is getting more popular, due to its great community support and the way it is organized. Being a “rolling release” system, it is continuously up-to-date. Of course you want to make sure your security defenses are equally up-to-date, so that’s where Lynis comes in. Normally pacman is used for installing new packages. Unfortunately, the lynis package does not show up.

Read the full article…

Installing ClamAV on CentOS 7 and Using Freshclam

By default, a ClamAV installation on CentOS 7 does not work. In this blog post we reconfigure the required systemd and configuration files for freshclam and clamd.

Summary of Installing ClamAV on CentOS 7 and Using Freshclam

Including the usage of Freshclam

To get ClamAV installed on CentOS, we have to use the EPEL repository (Extra Packages for Enterprise Linux). Fortunately, the Fedora project provides this with an easy installation. Unfortunately, the default configuration does not work properly. In this post we collect some of the issues and required changes. Let’s start with installing the EPEL support.

    yum install epel-release

The next step is installing all ClamAV components.

Read the full article…

Introduction in Linux file permissions

Learn the basics of how a Linux system applies file permissions. We look into examples, to demystify what the file permissions mean and how to troubleshoot common issues.

Summary of Introduction in Linux file permissions

Every file that is stored has a set of file permissions stored within the filesystem. This data about the actual data is called metadata. Let’s have a look at how file permissions work on Linux systems and how to read and understand them.

Read, Write, and Execute

Linux file permissions are divided into three main categories:

Read (r): Allows users to view the contents of a file or directory
Write (w): Grants users the ability to modify the contents of a file or directory
Execute (x): Enables users to execute a file or access the contents of a directory

User, Group, and Others

These permissions are each assigned to three entities:

Read the full article…

Kill a process that won't respond to CTRL+C

Got a process that won't respond to CTRL+C? With this tip you can kill almost all processes without having to open a second terminal.

Summary of Kill a process that won't respond to CTRL+C

Sometimes a process gets stuck and no matter how often you try, it won’t respond to the combination of CTRL+C. One option is to open a second shell, then perform a kill.

    kill 1234

Pushing a job to the background

While this works, there is usually a much easier way. This involves pushing a running process into the background by pressing CTRL+Z.

    [1]+ Stopped ./runserver

Kill the process

To get it back to the foreground, we would normally run fg.

Read the full article…

Linux Audit Framework 101 – Basic Rules for Configuration

The Linux audit framework is a very powerful tool to monitor files, directories and system calls. It helps with troubleshooting, accounting and intrusion detection.

Summary of Linux Audit Framework 101 – Basic Rules for Configuration

Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.

Main Configuration

By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.

Read the full article…

Linux capabilities 101

Introduction guide and tutorial about the inner workings of Linux capabilities and how these capabilities are applied when running Linux processes.

Summary of Linux capabilities 101

Security of Linux systems and applications can be greatly improved by using hardening measures. One of these measures is called Linux capabilities. Capabilities have been supported by the kernel for some time now. Using capabilities we can strengthen applications and containers. Unfortunately, this powerful tool is still underutilized. Time to change that! This article helps to understand and apply them.

What are Linux capabilities?

Normally the root user (or any ID with UID of 0) gets special treatment when running processes.

Read the full article…

Linux Capabilities: Hardening Linux binaries by removing setuid

Setuid binaries may be a risk for the system. We will investigate how to remove the setuid bit and use Linux capabilities instead, to reduce the risks.

Summary of Linux Capabilities: Hardening Linux binaries by removing setuid

Hardening Linux binaries by removing setuid

Normally Unix based systems use two kinds of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets.

Root permissions

The command ping is a great example of why even small programs need root permissions. At first glance you might consider this tool to be simple: send a packet to a host and see if it responds.

Read the full article…

Linux file permissions

Learn the basics of file permissions on Linux systems and common filesystems such as ext4, XFS, and ZFS. Guided by examples, everyone is able to learn how they work.

Summary of Linux file permissions

File permissions are stored together with the data on a disk. The Linux kernel uses them to decide which users and processes can access what file. This page can be considered as a good cheat sheet, while the underlying articles explain how to use this information.

Main permissions

Read (r): Allows users to view the contents of a file or directory
Write (w): Grants users the ability to modify the contents of a file or directory
Execute (x): Enables users to execute a file or access the contents of a directory

Permission  Abbreviation  Octal value
Read        r             4
Write       w             2
Execute     x             1

Possible combinations:

Read the full article…

Linux Filesystems

All articles about the purpose of a filesystem and how it works. Learn how to become a specialist to further secure your system.

Summary of Linux Filesystems

Linux systems use a filesystem to store and process data. In this section we have a look at what a filesystem is, with supporting articles to learn more about it.

Purpose of a Filesystem

At its core, a filesystem is the method by which data is organized and stored on a storage device. The storage device is typically a hard drive or solid-state drive (SSD), but it can also be memory. It provides the framework for managing files, directories, and other data structures.

Read the full article…

Linux Security for DevOps

With security getting more and more attention, we focus on Linux security for DevOps. DevOps will also need hardening, auditing and dealing with compliance.

Summary of Linux Security for DevOps

During the last years the role of DevOps evolved. This person could be described as the hybrid: a system administrator with development skills, or the developer who is also infrastructure savvy. With Linux and so much available tooling, it is becoming easier for people to learn both development and managing infrastructures. We are especially interested in Linux security for DevOps and what they can apply.

Automation is key

Repeating work is not only boring, but also a waste of time.

Read the full article…

Linux security frameworks

Linux security frameworks restrict unauthorized access by defining a policy and a set of predefined rules. In this article we look at their purpose and how they work.

Summary of Linux security frameworks

Linux security frameworks restrict unauthorized access by defining a policy and a set of predefined rules. In this article we look at their purpose and how they work.

Purpose of security frameworks

Linux security frameworks aim to enforce mandatory access controls (MAC). In other words, they restrict the actions that processes and users can perform on the system. Unlike discretionary access controls (DAC), which rely on the discretion of users and processes, MAC frameworks enforce policies defined by the system administrator.

Read the full article…

Linux security guide: the extended version

Feeling overwhelmed with the options available to secure your Linux system? With this guide, we walk step-by-step through the options, tools, and resources.

Summary of Linux security guide: the extended version

Feeling overwhelmed with the resources available to secure your Linux system? With this Linux security guide, we walk step-by-step through the options, tools, and resources. After reading this article, you will be able to make educated decisions about what Linux security defenses to implement for your systems. You will be introduced to the right tools that help you automate and test your improvements. Instead, related articles and resources will be available in the text.

Read the full article…

Linux tools to bulk rename files

Want to rename files in bulk, but looking for a good tool that can be used on Linux? This article has you covered, with several options.

Summary of Linux tools to bulk rename files

Rnr

The first tool to cover is called rnr and is written in Rust. It can be downloaded on GitHub, where some good examples can also be found on how to use the tool. Let’s try it out on a directory that we have with Markdown files. Due to a conversion, the file names include a date. As this is no longer needed, we want to strip out the date and only get the bit after the third hyphen.

Read the full article…

Missing Packages: Don’t Trust External Repositories!

Should you trust external repositories or not? In this article we look at why trusting external repositories might be a bad thing.

Summary of Missing Packages: Don’t Trust External Repositories!

If you are in the business of system administration, you know the big dilemma when it comes to installing software: missing packages. Yes, a lot of packages are available in the repositories of your Linux distribution, but not the one you need. Or when it is, it is horribly outdated. So you reach out to external resources, like community maintained repositories, right? With Lynis, we face this same issue. While most of the distributions have Lynis in the repository, it is often outdated.

Read the full article…

Monitor file access by Linux processes

Linux is powerful with the help of small utilities like lsof and strace. They help with monitoring disk and file activity, of new and running processes.

Summary of Monitor file access by Linux processes

Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests, or monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occurring in a process, including disk and file activity.

Read the full article…

Mosh, the SSH Alternative Option for System Administration

Learn about Mosh, an alternative for SSH. Let's dive into the reasons why it makes sense to learn about Mosh.

Summary of Mosh, the SSH Alternative Option for System Administration

Mosh, or mobile shell, is the ideal tool for remote system administration. While SSH is great, Mosh beats it in several areas. Let’s dive into the reasons why it makes sense to learn about Mosh.

Pros

Session Resumption

Remember the last time your connection was interrupted? It is frustrating and sometimes even leads to losing some of your work. The stable TCP connection is not always a blessing. Mosh comes to the rescue, especially for less stable connections.

Read the full article…

OpenSCAP on CentOS 7 – Installing from source

Sometimes we need to build things from source. In this article we install OpenSCAP on CentOS 7 by compiling and installing it manually.

Summary of OpenSCAP on CentOS 7 – Installing from source

Installing from source

Security automation is hot and we love it. One way is using the OpenSCAP toolkit. Unfortunately it is not mature enough, so you might want to build and install it from source. We share our findings while creating our test environment.

Install required components

On our minimally installed CentOS 7 system, we need to install a few components. Most are related to compiling C++ and parsing XML files.

Read the full article…

Optimize SSL/TLS for Maximum Security and Speed

Everyone loves secure websites, as long as they are quick. Let's configure our website for maximum security and performance, at the same time.

Summary of Optimize SSL/TLS for Maximum Security and Speed

High Goal Setting

Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, but we still have some sensitive areas: the ordering section and downloads, and additionally our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all. Additionally, we believe in doing everything we can on our website, practicing security hardening ourselves.

Read the full article…

Perform NetBSD security audit with pkg_admin

NetBSD can perform a security audit on its packages with the pkg_admin tool. With the check and audit parameters it can perform a security check in seconds.

Summary of Perform NetBSD security audit with pkg_admin

Security audit of NetBSD software packages with pkg_admin

NetBSD is especially known for the diverse platforms it can run on. What is less known is the ability to audit the installed packages. In this article we have a look at how to audit NetBSD and ensure the file integrity of your packages. Performing a security audit is easy, as long as you use the right tool!

Packages

When using packages, their metadata will be installed in a directory within /var/db/pkg.

Read the full article…

Processes

This section provides tips and tricks to deal with processes on Linux systems. Got another tip? Let us know!

Summary of Processes

A Linux system without processes is not possible. So we collect tips to deal with processes and improve your skills.

Protect Linux systems against SSLv3 Poodle vulnerability

The Poodle vulnerability was discovered in October 2014, putting all systems using SSL 3.0 at risk. We share steps to mitigate this vulnerability on Linux based systems.

Summary of Protect Linux systems against SSLv3 Poodle vulnerability

What is the Poodle vulnerability?

The “Poodle” vulnerability is basically an attack on the SSL 3.0 protocol. It was discovered in October 2014. The flaw is in the protocol itself (not the implementation), which makes the issue applicable to all products using SSL 3.0. TLS 1.0 and later are considered safe against the attack.

How does the attack work?

While we won’t go into too much depth of encryption and ciphers, we will share some basics.

Read the full article…

SELinux

SELinux is a well-known security framework on Linux systems like Red Hat Enterprise Linux. Let's have a look at the basics of this framework, such as its purpose and features.

Summary of SELinux

SELinux is a well-known security framework on Linux systems like Red Hat Enterprise Linux. Let’s have a look at the basics of this framework, such as its purpose and features.

History

SELinux was developed by the National Security Agency (NSA) and integrated into many Linux distributions, including Red Hat Enterprise Linux (RHEL) and CentOS.

Purpose

SELinux is a MAC framework that enforces fine-grained access controls. SELinux achieves this by labeling files, processes, and network ports with security contexts.

Read the full article…

Shell scripting

From beginning to advanced users, these articles will cover your needs when it comes to creating better shell scripts. Shell-scripting is more powerful than you might think!

Summary of Shell scripting

Shell scripting is a powerful way to assist in automation of repeating tasks. While fairly easy to learn, the shell scripting language has a lot of caveats. In this area we collect tips and tricks to help you create better shell scripts.

Software Patch Management for Maximum Linux Security

Linux systems have a lot of software packages, resulting in regular upgrades and updates. Proper software patch management is key and we share how to do it.

Summary of Software Patch Management for Maximum Linux Security

Maximum Linux security with proper software patch management

Software upgrades are almost as old as the first lines of software code. Still companies struggle to properly update software, also when it comes to security patching. In this article we have a look at the reason behind patching and some methods to keep your systems humming, with fresh packages.

Why Update?

To most of us, it instantly makes sense to keep the software on your systems up-to-date.

Read the full article…

Tlsdate: The Secure Alternative for ntpd, ntpdate and rdate

Normal NTP can be difficult to set-up, especially for desktop systems which don't need a very accurate time. The tool tlsdate might be a great alternative.

Summary of tlsdate: The Secure Alternative for ntpd, ntpdate and rdate

The Secure Alternative for ntpd, ntpdate and rdate

The common protocol to synchronize the time is named Network Time Protocol, or NTP. While this protocol works great for synchronizing systems to one or more time sources, it is not always easy to set up. One alternative is using tlsdate, a secure replacement to keep your systems in sync.

About the Project

The software was written in 2012 by Jacob Appelbaum and can be found at GitHub: tlsdate.

Read the full article…

Troubleshooting a full /boot partition on Ubuntu

Is your /boot partition full and apt can no longer install updates? Learn how to fix this issue and what you can do to prevent it.

Summary of Troubleshooting a full /boot partition on Ubuntu

A regular issue with systems running Ubuntu is that the /boot partition may fill up. You might have discovered it when running apt, which refused to work. That is unfortunate, as you also need apt to resolve the issue. After trying several options, we found a way to resolve this catch-22, with just three steps. As opposed to other solutions, you don’t need to move files or do other tricky things on your system.

Read the full article…

Troubleshooting Linux Time Synchronization with NTP

Time synchronization is an important system administration task for Linux systems. This guide explains how to configure, and also troubleshoot time issues.

Summary of Troubleshooting Linux Time Synchronization with NTP

Time Synchronization The network time protocol helps computer systems to synchronize their time. We know this protocol by its shorter name NTP. In the past, it was not really a big issue if your system was a few minutes off. This changed with the interconnected world we are now living in. One of the better examples is networks relying on the authentication protocol Kerberos. If your system time is not correct, you may not be able to authenticate.

Read the full article…

Ubuntu system hardening guide for desktops and servers

Step by step guide to secure any Ubuntu desktop or server. Harden your Ubuntu during installation and afterwards with the available security tips.

Summary of Ubuntu system hardening guide for desktops and servers

The hardening process of a system is critical during and after installation. It helps the system to perform its duties properly. This blog post shows you several tips for Ubuntu system hardening. It will dive into the most critical steps to take first. Then more specific hardening steps can be added on top of these. As most security guides only tell you what to do, we will also go into more detail on why a specific security measure is important.

Read the full article…

Understanding what runs on your Linux system (and why)

Linux systems have a lot of processes running by default. Let's dive into how programs are started and how you can see all details of each running process.

Summary of Understanding what runs on your Linux system (and why)

Linux processes and daemons Each Linux system has a bunch of processes running. Most of these processes might be familiar to you if you regularly use a command like ps or top to display them. Processes may look like just an item in a list. They are actually complicated pieces of code that are tamed by a memory manager. To truly understand how your system is running, knowledge of process (or memory) management is of great help.

Read the full article…

Updating all OpenBSD packages with pkg_add

To ensure your system is secure and stable, package management is an important task. To achieve that, use pkg_add to update your installed OpenBSD packages.

Summary of Updating all OpenBSD packages with pkg_add

Using pkg_add Keeping your systems stable and secure Every system needs to stay up-to-date with its packages, including OpenBSD. Most OpenBSD users already use pkg_add for the installation of packages. This utility can also be used for package upgrades. Option 1: Use /etc/installurl Newer OpenBSD versions use the file /etc/installurl to select the mirror for pkg_add. Option 2: PKG_PATH The first thing to do is to define your PKG_PATH. This will usually be the address of an FTP or HTTP server, which has the latest packages available.

Read the full article…

Using SSH keys instead of passwords

Linux systems are usually managed remotely with SSH, with many system administrators still using passwords. Time to switch over to SSH keys and here is how to do that.

Summary of Using SSH keys instead of passwords

Linux systems are usually managed remotely with SSH (secure shell). Still, many administrators are using passwords instead of keys. Keys not only boost security, they also make managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will be wondering why you ever used password-based authentication before. Generating the SSH key Depending on your desktop platform, we first have to create a key pair.

Read the full article…

Using unattended-upgrades on Debian and Ubuntu

To counter the biggest threat to software packages, Debian and Ubuntu based systems can use unattended-upgrades, to install security patches automatically.

Summary of Using unattended-upgrades on Debian and Ubuntu

To counter the biggest threat to software packages, they should be updated on a regular basis. Vulnerabilities are discovered on a daily basis, which also requires that we monitor daily. Software patching takes time, especially when testing and reboots are needed. Fortunately, systems running Debian and Ubuntu can use unattended-upgrades to achieve automated patch management for security updates. Installation Like most software packages, unattended-upgrades has to be installed. apt install unattended-upgrades

Read the full article…

Yum plugins: Available plugins and built-in security support

To determine the available yum plugins, we analyze them for our goal: discovering if security support is in the yum plugins themselves or built-in by default.

Summary of Yum plugins: Available plugins and built-in security support

Enhancing yum Determine available plugins and built-in security support To enhance the support in our auditing tool Lynis, we wanted to know if yum supports security-related functions by using a plugin or having it as built-in functionality. Yum Yum, or Yellowdog Updater Modified, is a software management tool for Linux-based systems. Usually it is used on systems running SuSE or Red Hat based distributions (like RHEL, Fedora or CentOS). Plugins extend yum to improve its functionality.

Read the full article…