How to check if your Arch Linux system needs a reboot

Arch Linux reboots How to check if a reboot is needed By default Arch will install the kernel in /boot with the name vmlinuz-linux. To determine if the system is running the latest kernel, we can compare the running kernel and the one on disk. Running kernel One way to determine the running kernel is with the uname command. It is installed by default, and with the -r parameter it provides the kernel release version. [root@archlinux ~]# uname -r 3.17.4-1-ARCH Kernel […]


Exporting nftables rules and configuration

Exporting nftables rules The usage of nftables will slowly grow in the upcoming years, with the goal to become the successor of iptables. Where iptables rules are harder to parse, nftables comes by default with an exporting facility. Export formats include JSON and XML. Command syntax When using the command line utility nft for the first time, it looks a little bit unfriendly to the user. No suggestions on what to do, nor clear help on often used commands. To […]


Linux Capabilities 101

Linux Capabilities 101 Tutorial about how capabilities work in Linux Even seasoned Linux administrators may not see capabilities a lot in their daily duties, but they are still used all the time. This feature was added to Linux 2.2 and gave us new possibilities regarding security. In this guide we have an in-depth look at how we can leverage them to increase security. The problem It is good to know why capabilities were implemented in the first place. Let’s assume we […]


Protect against ptrace of processes: kernel.yama.ptrace_scope

Protect against the usage of Ptrace Hardening the kernel with kernel.yama.ptrace_scope Ptrace is a great troubleshooting tool for developers to determine how a process functions. It can be used to find programming flaws, like memory leakage. On the other hand, the tool can also be used by people with malicious intent, for example to debug a process as a non-privileged user and find the contents of application memory. Yama Linux has the ability to include Linux Security Modules, to provide additional […]


PCI DSS (v3) Linux: No write access to shared system binaries (A.1.2.c)

No write access to shared system binaries A.1.2.c Verify that an entity’s users do not have write access to shared system binaries Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared system binaries. The only exception is of course the root user, so software upgrades are still possible. Paths for system binaries Depending on the distribution used there are several directories which […]


Alternatives to Bastille Linux: system hardening with Lynis

System hardening with Lynis Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats. […]


Linux Security Scanning for Dummies

Linux Security Scanning for Dummies Every system needs some level of protection. Still, many people simply forget to do it, or cannot find the time to properly do it. To be as efficient and effective as possible, let’s look at a structured way of security scanning your Linux machines. The 5 dummy steps are: 1. Focus on risk Just as not every company is a bank, our systems are not all part of a top secret mission. We have to […]


Check for a required reboot on Debian and Ubuntu systems

Required restart required? Administrators of Debian-based systems know they have to reboot their systems, just like any other Linux distribution. However, why is the reboot needed? Could we monitor which systems need an actual reboot? Required reboot Software can contain issues, which we call bugs. Most bugs are just annoying if you encounter them and can be fixed by upgrading to a newer version of the software. Other bugs are special in the way that they may leak sensitive […]
