Linux

Show directory contents sorted by modification date and time

Systemd uses different types of units. One of them is the timer unit, which can be used to schedule a periodic task. This timer unit is linked to an existing service unit and will activate the service according to the defined schedule. The timer unit can be defined using the information about systemd timers. Timers use one or more OnCalendar definitions to specify when execution of the timer should happen. As systemd timers are very versatile and provide good monitoring options, they are a good replacement of cronjobs.

Systemd is nowadays a common system and service manager for Linux systems. But how do you know for sure that it is being active? The easiest way is to have a look at PID number 1. This is the first process started after the kernel itself. With the help of ps we can determine the underlying command behind this initial process. ps -p 1 -o comm= This command defines what columns should be part of the output, where only shows the actual command.

When the SSH agent is running, the ssh-add command can be used to load a SSH key. The SSH agent then will request a password when needed, and load the key details in memory. Adding the SSH key just requires the path to the private key. ssh-add ~/.ssh/id_ed25519 When the key is loaded, use the -l or -L option to show the identities that the SSH agent has. ssh-add -l

The systemctl command show active unit. To see only services that are enabled, we need to filter the output. This can be achieved using the list-unit-files subcommand and combined with the --state= option. As we are interested in enabled services only, set the value to enabled. Want to parse the output with a script? Consider adding --legend=false to remove the header and footer text (X unit files listed.). Usage systemctl list-unit-files --type=service --state=enabled UNIT FILE STATE VENDOR PRESET apparmor.

Introduction This is a hardening profile to help securing nginx by using systemd unit configuration. It’s goal is to restrict what nginx can do and make it harder for any possible vulnerability to be misused. The rationale for the selected settings is based on the analysis as part of the article Hardening nginx with systemd security features.

Why and when to use SocketBindAllow The setting SocketBindAllow is used together with SocketBindDeny and defines restrictions on the usage of the system call bind on a network socket. Settings Both SocketBindAllow and SocketBindDeny use a bind-rule. See SocketBindDeny for the details. Generic advice This setting is useful in combination with SocketBindDeny to create an allow-list. Examples Allow binding on TCP port 80 [Service] SocketBindDeny=any SocketBindAllow=tcp:80 Allow binding on port 443 (IPv4/IPv6, TCP/UDP)

Why and when to use SocketBindDeny The setting SocketBindDeny can be used alone or together with SocketBindAllow to set restrictions on the usage of the system call bind on a network socket. Settings If the SocketBindDeny list is used alone, then it is a deny-list. Everything except the defined ports/protocols will be allowed. By defining the value ‘any’, all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.

Why and when to use DevicePolicy The setting DevicePolicy aims to reduce access to devices in /dev. By default, there is no limitation to access devices. Settings The value strict is the most strict, as the name implies. This is suitable for services that do not need any access, like custom shell scripts. Unless output is being redirect to /dev/null, then access could be granted with DeviceAllow=/dev/null. Generic advice Aim for using ‘strict’ when possible and define entries that should be allowed.

Why and when to use DeviceAllow The setting DeviceAllow aims to reduce access or its level to devices in /dev. By default, there is no limitation to access devices. Settings Define DeviceAllow with the path and access level. DeviceAllow=/dev/sda3 r General advice For most services it might be easier to use ProtectDevices=yes to reduce the devices that can be access.

Introduction Linux uses capabilities to split privileged actions from the actual root user, making it possible that some processes perform them, often as a non-privileged user. If you are new to this subject, have a look at the Linux capabilities 101.

Discover the reasons why a systemd unit went into a failed state

Systemd stores the configuration for units, like services, in individual unit files. When changes are made to these units, a reload might be needed. This is where systemctl daemon-reload comes into play. But what exactly does the daemon-reload subcommand really do? In short: rerun generators, reload units files, recreate the dependency tree. Let’s have a look at the more detailed answer. Running generators Generators are helper scripts to convert non-native scripts to unit files that are usuable by systemd.

Systemd may need to reload a part of the unit configuration if changes were made. To find out if the related systemctl daemon-reload command is needed, the state of the individual units can be tested. This is done by querying the property using the --property=NeedDaemonReload option. Testing a single service like nginx, can be done this way: # systemctl show --property=NeedDaemonReload --value nginx.service yes This output will return a ‘yes’ or ’no’ value.

Systemd can restrict services from using particular syscalls with the help of the unit setting SystemCallFilter. Instead of mentioning all individual syscalls, systemd has predefined sets that can be used. These sets group functions that are related. To see which syscalls are part of a set, use the systemd-analyze command. # systemd-analyze syscall-filter @ipc @ipc # SysV IPC, POSIX Message Queues or other IPC ipc memfd_create mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink msgctl msgget msgrcv msgsnd pipe pipe2 process_madvise process_vm_readv process_vm_writev semctl semget semop semtimedop semtimedop_time64 shmat shmctl shmdt shmget See systemd syscall filtering for all details.

Why and when to use SystemCallFilter The setting SystemCallFilter aims to prevent misuse of syscalls that are not needed for normal functioning of a process. This powerful filtering restricts the abilities of a process, but requires understanding of processes by the system administrator. See the overview of Linux syscalls for more details. Configuration This setting takes a space-separated list and may be specified multiple times. Allow-listing By default the list contains the entries of allowed system call names.

Overview of syscalls in systemd by group

Systemd and its services can be in several states, such as enabled, disabled, failed, running. If you no longer need a particular service to run, then the first step is to stop a service. systemctl stop nginx.service But stopping a service is not the same as disabling a service. With that comes a very frequently asked question: what is the difference between a service that is disabled and one that is masked?

Systemd allows service units to be configured using a drop-in file, which is often called override.conf. It overrides the vendor-supplied version of a service to customize it. Instead of duplicating the configuration, the override file contains the differences. Editing service file Changing a service can be done using systemctl, followed by the edit subcommand and service unit. The editor that is configured on the system will be opened and any changes can be made between the comment section at the top and the comment section a little bit lower.

The systemctl command will normally all active units. To filter this output to just the running services, we can combine the options --type= and --state=. For this particular case we set the type to service and the type state to running. Usage # systemctl --type=service --state=running --legend=false accounts-daemon.service loaded active running Accounts Service avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack colord.service loaded active running Manage, Install and Generate Color Profiles dbus-broker.

Elevating permissions

Elevating permissions

Systemd introduced run0 as its alternative to sudo. One of the features if a colored background when your privileges are elevated. To disable this behaviour, use the option --background= with an empty value. run0 --background= The red background now will be gone, which can be useful if the color conflicts with the output or when it is unwanted.

Why and when to use MemoryDenyWriteExecute The setting MemoryDenyWriteExecute will block the creation or alteration of a memory segment to become writable and executable as well. By enabling this limitation, it will increase the bar software exploits to change running code dynamically. Usage [Service] MemoryDenyWriteExecute=yes InaccessiblePaths=/dev/shm SystemCallFilter=~memfd_create Caveats To prevent circumvention of this setting, access to /dev/shm and the syscall memfd_create should be blocked as well. Generic advice For most common services this option can be implemented and will increase the security of a service.

Why and when to use InaccessiblePaths The setting InaccessiblePaths defines paths that should never be accessible. Instead of using the principles of an allow list, it is an explicit deny list. It can be used to block access by a process to a location with sensitive data or a path commonly misused for exploits. Values Define the paths that are granted write access. [Service] InaccessiblePaths=/dev/shm When a path is prefixed with a minus (-), it is ignored if it does not exist When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.

To remove any trailing whitespace from a file, we can use sed. By using in-place editing -i, sed can be provided with a search-and-replace action to filter out whitespace at the end of each line. By replacing it with nothing, it will effectively be removed. sed -i 's/[[:space:]]*$//' mytextfile.txt Explanation -i = inline file edit s/ = search [[:space:]]*$ = search one or more occurences of whitespace just before the end of the line // = No text, so any occurences of the whitespace will be emptied The [[:space:]] is called a character class and refers to space characters.

To insert a line at the beginning of a file, we can use sed to achieve this task. By using in-place editing -i, we can instruct sed to make a change to an existing file. The next step is to tell sed what to change or insert and at what place. sed -i '1i # New first line' mytextfile.txt Explanation -i = inline file edit 1i = insert at first line # New first line = Text to add

The systemctl command has multiple options to show the memory usage. With the status subcommand followed by the service, it will show the basics, including memory usage. To retrieve the information that easier to parse, then use show followed by --property=MemoryCurrent and the service name. Usage The status output will include memory usage. systemctl status nginx ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.

The systemctl command can be used to show all settings of an unit, such as a service. To display the full list of applicable settings, use the show subcommand followed by the unit name. Besides the settings, the output will also include actual runtime information, such as memory usage, when the unit was started, etc. Usage Just provide the unit file to see all available information. # systemctl show nginx.service Type=forking Restart=no PIDFile=/run/nginx.

The systemctl command can show settings of a systemd unit, such as a service. It can also assist in overriding these settings by using the edit subcommand followed by the unit name. This will open the editor that is configured on the system and create the override file. Usage Run the edit command with the unit, and the editor like vim or nano will show up. ### Editing /etc/systemd/system/nginx.service.d/override.conf ### Anything between here and the comment below will become the new contents of the file [Service] ProtectSystem=strict ReadWritePaths=/run /var/log/nginx ### Lines below this comment will be discarded <snip> Important: Do not remove the comments and only insert or change between the specified comment lines.

Why and when to use ReadWritePaths The setting ReadWritePaths grants read and write permissions to defined paths. It can be used in combination with other settings like ‘ProtectSystem=strict’ to make the full file system read-only, and then open up a few paths that are required for a service to run correctly. Values Define the paths that are granted write access. [Service] ProtectSystem=strict ReadWritePaths=/run /var/log/nginx When a path is prefixed with a minus (-), it is ignored if it does not exist When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.

Introduction Nginx is still a popular web server and powering a part of the web. Wouldn’t it be great if we could secure it a little bit more? In this article we use the security features to secure systemd units and services and apply it to nginx. If you are not familiar yet with the unit settings of systemd, then this document would be a good introduction into the subject.

Secure services with these features

Why and when to use ProcSubset The setting ProcSubset controls the “subset” mount option of /proc for the unit. Caveats This function does not if the “subnet” option for procfs is not supported. Generic advice The Linux kernel shares information from various kernel APIs via /proc. When activating this setting, these kernel APIs are also made unavailable, which might break common software, unless it is a trivial process. So this option is to be used with care.

Why and when to use RestrictAddressFamilies The setting RestrictAddressFamilies aims to restrict what socket address families can be used. When using it, the default is that it is used as an allow-list and define what address families can be used. Settings When this setting is not configured, there are no restrictions to what address families can be used. Setting the value to none will block all address families. To block specific address families only, a ~ can be used to turn the allow-list into a deny-list.

Why and when to use ProtectProc The setting ProtectProc aims to protect information that normally can be retrieved from /proc. Settings The value default, which is also the default, will not restrict access. Value invisible will hide information, where ptraceable restrict the set to only processes that be monitored with the system call ptrace(). The value noaccess is the most strict option. Caveats This setting will not have effect if the kernel does not support the hidepid mount option per individual mount point.

Why and when to use ProtectHome The setting ProtectHome aims to protect home directories. These three paths are included: /home /root /run/user Settings The default no will not restrict access to the home directories. Using yes will active full protection, not allowing access. The value read-only will make the paths read-only, so no data can be written to it. With tmpfs a temporary file system is being used, also read-only, yet it hides the actual home directories.

Background The Linux kernel exposes its kernel log ring buffer to userspace via /dev/kmsg and /proc/kmsg. When this setting is defined as yes, the capability CAP_SYS_MODULE will be removed from the capability bounding set. This means that all processes in the unit will no longer have access to the kernel log ring buffer. Generic advice For most common services access to the kernel log ring buffer is not need, therefore safe to disable (ProtectKernelLogs=yes).

Explanation Kernel modules can provide additional functionality when using a modular Linux kernel, which is applicable to most systems. When this setting is set to yes, it tries to prevent the unit from loading kernel modules. This is achieved by removing the CAP_SYS_MODULE from the capability bounding set. Generic advice Most units do not need the permission to load kernel modules, so typically a unit can be configured with ProtectKernelModules=true.

The control group of a process can be retrieved from the /proc directory. We only need to know the PID of the process, which can be found using ps or pidof. Usage If we know that our PID is 1234, then showing the cgroup is as easy as using cat to see the contents of the ‘cgroup’ file. cat /proc/1234/cgroup To see the cgroup for the nginx process (or one of them), we could something like this.

The ps command can show the control group of a process using the -o option, followed by the right column names. Usage To show processes and the control group, we can filter the output columns. # ps -e -o pid,cgroup:64,args PID CGROUP COMMAND 1 0::/init.scope /lib/systemd/systemd --system --deserialize 58 2 - [kthreadd] 3 - [rcu_gp] <snip> 576 - [xprtiod] 634 0::/system.slice/dbus.service @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 640 0::/system.slice/networkd-dispatcher.service /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 645 - [nfsiod] 653 0::/system.

The timedatectl command can show the time, time zone information, and its status. Add the timesync-status subcommand to see synchronization details. Usage Use timedatectl with the timesync-status command to see the actual status. Under normal conditions, the leap should show ’normal'. # timedatectl timesync-status Server: 185.125.190.56 (ntp.ubuntu.com) Poll interval: 34min 8s (min: 32s; max 34min 8s) Leap: normal Version: 4 Stratum: 2 Reference: 4FF33C32 Precision: 1us (-25) Root distance: 762us (max: 5s) Offset: +882us Delay: 15.

With the hostnamectl command basic system information like the operating system, hostname, and machine ID can be displayed. Usage Run the command without any parameters to get the status displayed, including the machine ID. hostnamectl

The systemctl command can be used to show dependencies between units with the list-dependencies subcommand. A nicely human-readable output will be displayed showing the selected unit, followed by the dependencies that rely on this unit. This is useful when a unit is in a failed state due to a dependency on another unit. Usage To see which units require the multi-user target to be active: # systemctl list-dependencies multi-user.target multi-user.target ● ├─apport.

The systemctl command can show the available systemd unit types when using the option --type=help. Usage # systemctl --type=help Available unit types: service mount swap socket target device automount timer path slice scope

The systemctl command will show by default all active units. To filter down on a particular unit type, use the --type= option, followed by the type. Not sure what types are available? Run systemctl --type=help. Usage systemctl list-units --type=target

To limit the maximum size that journals may use on the system, define the setting SystemMaxUse in /etc/systemd/journald.conf. Save the file, confirm that the settings are correct, then restart the journal daemon. Configuration Open /etc/systemd/journald.conf, copy the commented line, remove the hash, and assign it a value. SystemMaxUse=256M Note: depending on how many events happen on a system, this value might be too small. Make sure that the size for logs is big enough.

The journalctl command can be used to show the journal. By using the --disk-usage option, the size of the journal is displayed. This includes the archived and active journal files. When the journal is using too much disk space, consider performing a vacuum task. Usage Showing the disk usage is quick and easy. # journalctl --disk-usage Archived and active journals take up 56.0M in the file system. Does the journal take up too much space?

The journalctl command can show all events related to the kernel itself usig the --dmesg option. This option will filter out kernel messages and has a similar output as the dmesg command. Usage Use the full or shorter option to query the kernel messages. journalctl -k Looking for only the kernel messages of today? Combine it with the --since= option. journalctl -k -S "today"

Systemd units define resources that can be used by the system. Examples of these units are a service, path, socket, and timer. Each unit type has its own basic set of properties that then individually can be configured. Unit types can be recognized by their file extension. A service will use the ‘.service’ extension, making it easy to recognize. Units are usually managed with the systemctl command. See systemd unit types and their purpose for a full overview of the units.

The journalctl command shows by default the oldest entries it has in the journal. Typically we are not interested in that, for that purpose there is the --since= option. This option defines that entries should be after the specified moment in time. Besides using an actual date, a shortened name like ’today’ can also be used that automatically defines the date and time. Usage To see the entries of today, use the aptly named ’today'.

The journalctl command can show continuously new log entries with the --follow option. When new entries are added to the journal, they are automatically shown. Usage The follow option is a great option to continuously monitor a particular unit. journalctl --follow --unit=nginx.service Without providing a unit, all system events will be shown and followed.

The journalctl command can show the events from its journal by --unit= followed by the service or its unit name. This way events will be filtered, making it much easier to troubleshoot a particular service. Example journalctl -u nginx.service

Reload systemd

Systemd is a system and service manager. The name is short for ‘system daemon’, an ongoing service that manages the system. As it is also a service manager, it is responsible for start, stopping, and monitoring services. Systemd replaces the SysV init system and focuses on performance and resource management. It was created by Lennart Poettering in 2010, with Fedora Linux being the first to adopt it in May 2011. In 2015, several major Linux distributions started shipping with systemd.

Systemd units that are in a masked state are administratively disabled. While being in this state, they can not be started until they are unmasked. Typically a unit is masked when it should not start by default or manually, to prevent it causing issues or running an unwanted service. With systemctl and the subcommand mask, a systemd unit can be masked. Relevant FAQ: How to see all masked units with systemctl?

Systemd has a range of commands to interact with the systemd services and functions. Typically daemons will have a ’d’ in their name, such as systemd-networkd, while client tools end with ‘ctl’ (systemctl). Here is an overview of the available commands and their purpose. Primary commands Journalctl Events are stored in a journal, similar to what syslog does. The biggest exception is the way log information is stored and how it is queried.

The ProxyJump defines a bastion host (jump host, jump server, jump box) to use. Values Value Meaning none Disable ProxyJump functionality HOST Define the hostname of the bastion host [USER]HOST[:PORT] Define one or more parameters of the bastion host URI Define parameters in URI format Hostname Format: hostname User Format: user@hostname Port Format: hostname:port Command-line usage ssh -J bastion destinationsystem These parameters can also be specified in the format as a URI .

The ForwardAgent option specifies if SSH agent forwarding is allowed or not. ForwardAgent values Value Meaning Yes Agent forwarding is allowed No (default) Agent forwarding is not allowed PATH Path to the agent socket $VARIABLE Environment variable that stores the path Security caution Agent forwarding should not be used if not strictly needed. Any user that can access the agent’s socket stored in SSH_AUTH_SOCK may have access through the forwarded connection.

The agent forwarding feature in SSH allows using your local SSH agent to be reached through an existing SSH connection. This way you don’t have to store copies of your private keys on intermediate systems to use them for authentication. While SSH agent forward simplifies things, it also introduces a new risk related to Unix domain socket. If a user on the intermediate system can access the related socket, then it may abuse this connection back to the SSH agent to authenticate on your behalf.

The ssh-agent command is started manually using eval $(ssh-agent). This will initiate the SSH agent and make it available for clients, such as ssh, to use it. To confirm that the agent is running is by looking at the SSH_AUTH_SOCK environment variable. Automatic start of SSH agent Gnome Keyring SSH Agent When using Gnome, it typically comes with its SSH agent as part of Keyring. This will automatically load any files in ~/.

The ssh-agent command starts the SSH agent, a helper utility to store private keys when using public key authentication. The ssh-agent process is usually started at the the beginning of a login session and then can be connected to by a SSH client. Clients can detect the environment variable named SSH_AUTH_SOCK. Related settings on the client IdentityAgent

Disable usage of SSH agent identities

The IdentityAgent option specifies what UNIX-domain socket to use to communicate with the authentication agent. When configured, it overrides the environment variable SSH_AUTH_SOCK and provides the option to select a specific agent. Besides the option to define a socket, the location of the socket can also be provided by the SSH_AUTH_SOCK environment variable. In that case the value should defined as “SSH_AUTH_SOCK” (without quotes). If the value starts with a ‘$’, it indicates that another enviroment variable is to be used.

The file /etc/ssh/ssh_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the system-wide settings for the SSH client. It can be overriden by storing settings in ~/.ssh/config that takes precedence. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH client configuration.

Configuration files /etc/ssh/ssh_config ~/.ssh/config Configuration settings The client knows a lot of individual settings that may be configured in a configuration file or via the command-line. IdentityAgent Configure the socket to use for the SSH agent. See IdentityAgent Port Defines the port to be used. By default, the SSH server is configured with port 22 (TCP). ProxyJump Defines a bastion host (jump host, jump server, jump box) to connect to the destination system.

For the SSH client there are typically two places where configuration files are stored: in the home directory of the user and a global configuration file. User configuration Location: ~/.ssh/config This file is stored in the home directory of an user. It is optional and by default no file is available. System-wide configuration Location: /etc/ssh/ssh_config Overrides via: /etc/ssh/ssh_config.d/*.conf The default settings are in the ssh_config file. The system administrator may add customizations to this file, but typically it is advised to override settings using a separate configuration file.

Querying pacman

The SSH client won’t connect to a system when it sees that host key changed since the initial connection it made. This helps against MitM attacks. The client knows when the host key is different by comparing it with the related values in the ~/.ssh/known_hosts file. Values Value Automatically save new host keys Action if host key changed yes No Refuse ask No, ask Refuse accept-new Yes Refuse no | off Yes Connect When connecting to many different systems, the accept-new value can help reducing the manual step to accept keys.

One of the common methods to authenticate with a SSH server is using the combination of a username and password. With the option PasswordAuthentication we can define if we want to use this type of authentication. While yes is the default, it might be useful to disable it for hosts that require public key authentication. This way we instruct the client to only try that.

What is security through obscurity? Security through obscurity (STO) is hiding, masking, or concealing parts of a system to enhance its security. By itself this does not increase the security level, but it can be an effective method in combination with a layered security defense. So it complements the overall security efforts, but alone is it not to be considered a real security measure. Another part of security through obscurity is the principle of hiding in plain sight.

Killing processes with a filter

Disable check for host authenticity

Why change your SSH port? Systems that are available via the internet and can’t be fully protected with a firewall, they might benefit from running on a different TCP port than the default 22. This way automated scanners will less likely probe your system(s), as they don’t know what port you use for SSH. Changing your SSH port won’t make a system more secure in itself, and therefore is often called security through obscurity.

Configure a Message of the Day The MOTD is typically stored in /etc/motd or a related directory, such as /etc/update-motd.d or /etc/motd.d/. The related message or messages are then displayed after a user is logged in. Another option is that the MOTD is displayed using the PAM configuration. To see if this is the case, perform a grep in your PAM configuration directory. grep -ir motd /etc/pam.d | grep -v ":#"

Escape sequences are a patterns of keys that are recognized to send special instructions. To see the ones that are supported, press tilde (~) followed by a question mark (?). Supported escape sequences: ~. - terminate connection (and any multiplexed sessions) ~B - send a BREAK to the remote system ~C - open a command line ~R - request rekey ~V/v - decrease/increase verbosity (LogLevel) ~^Z - suspend ssh ~# - list forwarded connections ~& - background ssh (when waiting for connections to terminate) ~?

Use an escape sequence to terminate a connection that is stuck

Remove a passphrase from existing SSH key

How to see the available SSH keys in the OpenSSH authentication agent

The kill command is used on Linux to send a process signals. This can be a numeric value or its defined name (e.g. SIGTERM).

Zombies…

Killing zombies, for fun?

Search for PID and process name

Retrieve PIDs for a service

Linux uses signals to interact and define the state of a process. It uses POSIX reliable and real-time signals. The first are considered standard signals. Many programs are build using glibc and therefore use functions like kill(2) to send a signal to a process or processes group, or even all processes on the system. A process can decide to ignore a signal or take an action after it is received by a signal handler, a routine to catch incoming signals.

Stop a process by searching for its name

This class defines the parameters related to the networking stack.

This sysctl key defines if a system should allow forwarding of IPv4 network packets. This functionality is required for systems that act as a gateway or router. IP forwarding is normally not required for most desktops and servers.

Show your local IP address

Query the IP address of your internet connection

Show the active DNS server

Find the files that are writable

Managing packages

Show disk usage by files and directories

Show hidden files

Show files bigger or smaller than a specified size

Show when the last modification was made within a directory

Show used and free disk space

Show used and free disk space

With the help of usbmon we have a cost-effective solution to monitor USB communications between the kernel and a hardware device. It is an alternative to hardware USB protocol analyzers for those on a budget or having to do it once. Loading of usbmon kernel module The first step is to load the related kernel module. This can be done using the modprobe command. $ sudo modprobe usbmon Validate if the usbmon kernel module is loaded using the lsmod command.

The file /etc/ssh/sshd_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the primary set of settings, with the option of being overridden by configuration files from /etc/ssh/sshd_config.d/*.conf. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH server configuration.

Most Linux systems are connected to a network as a client system, or to provide services to other systems. Knowing how to configure, monitor, and audit the network configuration is more than useful. In this section we look at the available options. Network configuration The system itself can’t talk with other systems if it doesn’t have any protocol to communicate. Nowadays that is mostly IP . The local configuration for the network is usually stored in /etc/network or in a network manager in /etc.

Show number of open connections per protocol

Show start time of a process

Show uptime of the system

Show actual bandwidth usage

Got a busy system that comes to a halt due it being too busy? In this article we look at troubleshooting issues related to CPU usage. Monitoring CPU usage The tool top might be the most familiar tool to monitor CPU or memory usage. A good alternative is the pidstat tool. It can be using an interval and easily show active processes, followed by a summary. # pidstat 3 Linux 6.

Within a shell script we can test for the presence of directories and files. In this article we look at the basics and the more exotic options available. Testing the presence and type of a file can be done using the test command. For shell scripts, it is more common to use the [ command. Yes, it is an actual command. However, it may also be available as a so-called builtin and part of the shell.

Network connectivity starts at a device that links the system to a network, and for Linux systems that is no different. Depending on the physical layer, such as Ethernet of Wi-Fi, the transactions between be better or worse. Besides physical limitations, there is congestion and packet loss that may introduce issues. In this section we look at troubleshooting network performance issues, tooling, and examples. Interfaces The first step is to learn what links we have towards the network.

The lscpu command retrieves information about the the CPU architecture. The sources to retrieve this information include /proc/cpuinfo, pseudo file system sysfs, and available libraries. Examples of information includes: Cores CPUs BogoMIPS Byte order Cache sharing Caches Family Model Stepping NUMA nodes Threads Sockets Virtualization details Vulnerabilities The tool is both suitable for using in the terminal and manual interpretation, but also for automated processing. When its output is piped to other another application, it is aware that any screen markup should be left out.

Users of the command-line are typically aware of the netstat command. The package that netstat belongs to is getting deprecated and slowly replaced with tools like ip. This is also where nstat comes in, a more modern approach to pulling in data from the kernel. Another benefit is that it can retrieve more information than netstat. This is due to the static list of metrics that netstat looks for, while nstat will parse output files from /proc.

Physical RAM is used to store information. Linux divides this RAM into smaller chunks, named memory pages. When there is no more normal memory available, the Linux kernel might need to temporarily store information aside. This is called paging or swap space. During the process of paging, memory pages will be moved from the RAM to the disk. This way memory is freed up for active processes, while older information is temporarily stored on the disk.

This sysctl key controls the use of the performance events system. It restricts what actions an unprivileged user can do when using the perf tools. This setting is useful to limit the access to possibly sensitive information that can be gathered from the kernel and processes. Debian-based systems may have higher numbers available than the current upper limit of 2, which is also the default value.

Find the Linux distribution name and version

All hardware exposed

Show memory details

Learn how to purge data before deleting a file

Find out when a file was initially created

Learn what it means when the kernel is tainted

Learn about the specific cause that tainted the kernel

Introduction The sysctl tool allows configuring kernel parameters or tunables. By changing related sysctl keys and their individual values, the system behavior can be changed. Several keys are related to security and can help with kernel hardening, or system hardening in general. Files and locations The configuration of sysctl is typically spread over multiple files and paths. Systems with systemd will have additional paths. Files are read in order and the first match of a kernel setting is used.

This class defines global kernel parameters.

This is a setting that you would normally not change. It is a state that shows if the kernel was tainted. If the value is higher than zero, than it is tainted. Relevant FAQ: What is a tainted kernel?

The Linux kernel consists of a massive code base including device internals up to external interfaces. Not surprisingly that the kernel also needs attention to security principles to avoidcommon programming or configuration flaws. In this section the kernel is covered, from tuning it via sysctl, up to frameworks that may help improving the security of the kernel itself.

No more networking secrets

Show network link statistics to discover errors or dropped packets

Show open file information

Reveal all those sockets

Query tools like dpkg to show installed packages

Show installed package on the most common Linux distributions

Show BIOS information using dmidecode

Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or can not do. As their is a wide range of settings, this page has the goal to present them, including a quick reference to each of them.

Leverage the du command to find the biggest directories

Show all masked units

Perform smarter queries when requesting information from journalctl

Disable a service or specific unit with systemctl

Start and enable a unit with one command

Show failed systemd units with systemctl

Control those processes and timers

Learn how to define the Expires header in nginx to improve the caching of static assets.

Parse files quicker with smarter expressions

Every file that is stored has a set of file permissions stored within the filesystem. This data about the actual data, it called meta-data. Let have a look at how file permissions work on Linux systems and how to read and understand them. Read, Write, and Execute Linux file permissions are divided into three main categories: Read (r): Allows users to view the contents of a file or directory Write (w): Grants users the ability to modify the contents of a file or directory Execute (x): Enables users to execute a file or access the contents of a directory User, Group, and Others These permissions are each assigned to three entities:

Linux systems use a file system to store and process data. In this section we have a look at what a file system and supporting articles to learn more about it. Purpose of a file system At its core, a file system is the method by which data is organized and stored on a storage device. The storage device is typically a hard drive or solid-state drive (SSD), but it can also be memory.

When you create a shell script, many things can go wrong. With a few basics you can catch errors easier and at the same time make your scripts (more) failsafe. The beauty of shell scripting is that with just a few steps this can be achieved! Empty variables: nounset (-u) A very typical issue in shell scripts is an incorrect or empty variable. Usually this happens due to a typo, but sometimes also assignments can be wrong.

Shell scripts can be powerful for automation. Sometimes, we want to ask the user for input. Let’s have a look at a few options that can be very handy for your next shell script! Fill a variable with input provided by the user If we like the user to provide us with some details, like a name, email address, or hostname, we can use the read command. read -p "What is your name?

Rnr The first tool to cover is called rnr and is written in Rust. It can be downloaded on GitHub where also some good examples can be found on how to use the tool. Let’s try it out on a directory that we have with Markdown files. Due to a conversion, the file names include a date. As this is no longer needed, we want to strip out the date and only get the bit after the third hyphen.

Some of the true craftsmanship in the world we take for granted. One of these things is the common tools on Linux, like ps and ls. Even though the commands might be perceived as simple, there is more to it when looking under the hood. This is where ELF or the Executable and Linkable Format comes in. A file format that used a lot, yet truly understood by only a few.

If you run a Linux server, software patching is a task that will have to be performed on a regular basis. Although most programs can be auto-restarted with a tool like needrestart, there is one exception: the kernel. Wouldn’t it be a nice if we could update the kernel without the mandatory reboot? Here is livepatch, the feature of the Linux kernel that makes it possible. Let’s discover how it works and if you can use it on your system.

Every Linux system will benefit from more security, especially if it contains sensitive data. With so many resources available on the internet, one might think that securing Linux has become easy. We know it is not. Linux system hardening takes a good amount of understanding about how the Linux kernel works. It also requires a good understanding of the operating system principles. In this guide, we will help you to get this understanding and provide you with tips and tools.

Linux security (2017 edition) The year is closing, so it is time to review Linux security. Like last year, we look at the state of Linux security. A collection of the finest moments. Did we forget something important? Let us know in the comments. This post will remain updated in the upcoming weeks. As this post may appear on HN, Reddit, Slashdot, and other high-traffic sites, this post is heavily cached.

Myth busting: Linux security As the author of Lynis, I have to run several Linux systems for testing Linux security defenses. And if you do something long enough, some get to see you as a Linux security expert. When that happens, you get asked questions. Surprisingly they are often related to some of the myths. Time to share a few I got asked. If you received this link from me directly, then most likely you asked one :)

What is GDPR? GDPR or General Data Protection Regulation is a regulation to protect personal data from citizens of the European Union (EU). When speaking about stored data, it includes the handling of data at any given time, from the initial creation of the data, until the final deletion of it. One of the important parts is the right to ‘know’. That means that individuals can ask what data is stored about them.

Linux and password strength One of the options to improve password security is by setting a minimum length. This prevents users from choosing easy passwords. As part of Linux system hardening, you don’t want your passwords to be cracked too quickly by modern password crackers. Configuration Let’s have a look at how to configure password security and in particular the length and its strength. Login settings The first area where you can set a password length is in /etc/login.

Learn how to use nftables in this introduction guide to the tool. With common examples, frequently asked questions, and generic tips.

Also wondering what particular files do on Linux? One of those files we recently rediscovered during auditing is the /etc/networks file. For some reason it was always there, yet we never change it. Output of /etc/networks When looking at the man page of networks(5) we learn its purpose (almost instantly): It translates between IP ranges and network names It is used for tools like netstat and route It only works on class A, B, or C networks It does not work on subnets Surprisingly enough a test with subnetting actually showed the right names during our test.

Linux malware, research, and more With great pleasure, we interviewed unixfreaxjp. He is the leader and founder of the malware research group MalwareMustDie. We want to learn about their activities, Linux malware, and useful skills for security professionals. Keep reading! Interview MalwareMustDie About the MalwareMustDie organization So for those never heard about MalwareMustDie, can you tell us who you are? As stated on our web site. MalwareMustDie, is a white-hat anti cybercrime security research workgroup.

Determine Oracle Linux version Oracle Linux is based on Red Hat Enterprise Linux. At first, it may be confusing to determine what specific operating system is running. This is because both have the /etc/redhat-release file. If that file exists, use the cat command to display the contents. Next step is to determine if there is a /etc/oracle-release file as well. If so, then you can be sure that Oracle Linux is running.

Discover quickly which file(s) and package are matched together.

The grep command is one of the oldest tools for Linux and other platforms. Actually, it is older than Linux itself. It was written by Ken Thompson more than 45 years ago! The name grep stands for “globally regular expression print”. This name comes from its predecessor ed and the specific mode in which you would globally search, using a regular expression, and print the output. The related command was “g/re/p”.

Software updates and package management is easy with systems based on Debian or Ubuntu. Just apt-get update (or apt update) and run an upgrade. But sometimes you may encounter the following situation: a KEYEXPIRED message. KEYEXPIRED message # apt-get update && apt-get upgrade Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB] Hit:2 http://nl.archive.ubuntu.com/ubuntu xenial InRelease Get:3 http://nl.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB] Hit:4 http://nl.archive.ubuntu.com/ubuntu xenial-backports InRelease Hit:5 https://packages.cisofy.com/community/lynis/deb stable InRelease Get:6 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [373 kB] Ign:7 http://nginx.

The biggest open source company is nowadays Red Hat. It is known for its contributions to many open source projects, including the Linux kernel itself. Less known is that Red Hat is involved in different Linux distributions, directly or indirectly. Fedora Fedora has received many updates and individual releases over the years. It is a playground for new functionality. Often new technology is found here. It can be compared with other distributions like Arch Linux, except that it is slightly less aggressive in deploying the latest software components for everything.

Ransomware on the Linux Platform Times are changing when it comes to Linux malware. Since a long time we had backdoors, PHP shells, and even rootkits. But it won’t take long that ransomware will catch up on the Linux platform. We hope you are reading this to counter the threat, not because it is already too late. Ransomware invasion Ransomware is a little devil. It encrypts your valuable data and protects it with a generated key.

The GNU/Linux kernel powers a lot of systems, from big mainframes to the Android device in your pocket. If you want to achieve more security on your Linux systems, it would make sense to start hardening there, right? While securing the kernel looks easy at first sight, there is more to it than initially meets the eye. We will have a look at some kernel options and how to select the best sysctl values for Linux systems.

Why that is not a reality, and we might never achieve it. Linux gained great popularity over the last 10 years, powering our servers and smartphones. With all the efforts put in creating more secure software, it seems installing security updates will remain a weekly task. Will this ever change? Security is Hard Properly securing a system means different things for different people. So let’s take the assumption that every system has a particular goal, secondly that it should be properly secured.

What is Linux privilege escalation? Privilege escalation is the process of elevating your permission level, by switching from one user to another one and gain more privileges. For example, a normal user on Linux can become root or get the same permissions as root. This can be authorized usage, with the use of the su or sudo command. It can also be unauthorized, for example when an attacker leverages a software bug.

The Dandified YUM tool, DNF, has become a powerful package manager for systems running Fedora. As it looks now, it will become also the default package manager for CentOS 8 and RHEL 8. One of the benefits from dnf is the option to retrieve security information very easily. This allows us to use it for automatic security patching of our Linux systems. Let’s explore the options and see how dnf-automatic can help us with fully automated patching.

Malicious software plague computers for more than 40 years. It is hard to think this threat will ever stop. The Linux platform definitely has their share of malware, although many people never experienced it firsthand. Let’s dive into this subject and discover why your system might actually being compromised at this very moment. The types of malware To understand the risks, you have to understand the threats and weaknesses. When we talk about malware, there are different family types, each with their own threat and method of attack.

The seasoned Linux administrator will be familiar with iptables, the network traffic filter. If you ever configured a Linux system with an ethernet bridge configuration, you might even have worked with ebtables. Or possibly you wanted to filter ARP traffic and used arptables? Newcomer nftables has arrived, with the purpose to replace iptables, ip6tables, ebtables and arptables. As with every big upcoming change, it is good to know the differences. We explain what makes nftables different to iptables, and why you want to adopt it in the near future.

Most system administrators will already be familiar with iptables. It is around for quite a while and is enabled by default within the Linux kernel. We can use iptables to block one, multiple IP addresses, or even full networks. This may come in handy when you get repeating port scans or see failed login attempts in your log files. Time to get started and block some IP addresses! Check existing iptables configuration The first step is to validate existing iptables rules.

If you worked with a computer the last decade, you know the importance of keeping your software up-to-date. Those who don’t, are stacking up vulnerabilities, waiting for them to being exploited by others. Although Linux and most software are open source and can be reviewed, security flaws in software packages remain. While it isn’t easy to close every vulnerability on your system, we can at least create a stable process around it.

The network configuration is a common place to start during system configuration, security audits, and troubleshooting. It can reveal useful information like MAC and IP addresses. This guide helps you to gather this information on Linux, including listing all available network interfaces and its details. Show network interfaces Linux Every Linux distribution is using its own way of configuring the network configuration details. Therefore, it is good to know which tools can be used to query these details in a generic way.

The standard itself is very detailed. Still, it sometimes unclear on what specifically to implement and when. This guide will help with translating the PCI standard to technical security controls on Linux systems. This document has the goal to help you further secure your network and pass the PCI DSS audit. It is important to note that this guide is a set of generic tips. Your IT environment might require additional security measures.

Troubleshoot and monitor all processes

Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests of monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occuring in a process, including disk and file activity.

The Linux kernel is modular, which makes it more flexible than monolithic kernels. New functionality can be easily added to a run kernel, by loading the related module. While that is great, it can also be misused. You can think of loading malicious modules (e.g. rootkits), or unauthorized access to the server and copy data via a USB port. In our previous article about kernel modules, we looked at how to prevent loading any module.

Disable loading kernel module on Linux systems The Linux kernel can be configured to disallow loading new kernel modules. This feature is especially useful for high secure systems, or if you care about securing your system to the fullest. In this article, we will have a look at the configuration of this option. At the same time allowing legitimate kernel modules to be loaded. Disable kernel modules Newer kernel modules have a sysctl variable named kernel.

Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually.

Linux systems are usually managed remotely with SSH (secure shell). Still many administrators are using passwords, instead of keys. Keys not only boost security, it also makes managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will be wondering why you ever used password based authentication before. Generating the SSH key Depending on your desktop platform, we first have to create a key pair.

SSH daemon The OpenSSH daemon is named sshd and typically this is also the process visible in a process listing. The main listener usually has a full path visible, while active SSH sessions get their own child process. Configuration files /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf The configuration file sshd_config is the primary file for the settings. Any settings in a configuration file specified in /etc/ssh/sshd_config.d will overwrite those listed in the primary configuration file.

Linux systems use a password file to store accounts, commonly available as /etc/passwd. For additional safety measures, a shadow copy of this file is used which includes the passwords of your users. Or actually hashed password, for maximum security. An example of a password entry in /etc/shadow may look like this: user1:$6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tKXiOGNCfWBsrTGY7wtC6Cep6co9eVNkRFrpK6koXs1NU3AZQF8v/:16092:0:99999:7::: For proper display, let’s split this up in several fields: user1 $6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tK 16092 0 99999 7 empty empty Field explanations Time to have a look what all these strings mean:

Some areas are within the PCI DSS standard are definitely not directly clear when reading the description. Section 10.2.7 is one of them. It talks about the creation and deletion of system-level objects and specifically the ability to log them. System-level objects? The guidance in 10.2.7 speaks about malware and mentions database related items. That does not make auditing very obvious, as malware usually targets binaries. Therefore we have to look first what a system-level object is.

Background of Linux security modules Like normal kernel modules, security modules extend the basic functionality of the Linux kernel. The need for a modular structure was proposed when SELinux was being introduced. There was a little discussion to use modules or not, as SELinux was the only one being available. Some people proposed apply it as a kernel patch, but in the end Linux creator Torvalds, decided to make this type of functionality modular.

Everything you need to know about Docker security. Introduction into Docker Docker became very popular in a matter of just a few years. Operating systems like CoreOS use Docker to power the system by running applications on top of their own lightweight platform. Docker in its turn, provides utilities around technologies like Linux container technology (e.g. LXC, systemd-nspawn, libvirt). Previously Docker could be described as the “automated LXC”, now it’s actually even more powerful.

PCI describes in control 10.2.4 to monitor for “invalid logical access attempts”. Another way of saying to monitor attempts which are not allowed, like accessing a file you are not supposed to. Another indication might be brute force attempts to log in, which result in several failed logins. To monitor for invalid access attempts, we can use the Linux audit framework. This framework has been created and maintained by Red Hat over the years.

Companies who need to comply with the PCI DSS standard need to log all actions which are executed by the root user or those accounts with similar administrative privileges. 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged. The Linux kernel allows the monitoring of executed commands. This monitoring and logging can be done with the Linux audit framework. Using this framework, we can monitor the right system calls and create an audit trail.

By default Arch will install the kernel in /boot with the name vmlinuz-linux. To determine if the system is running the latest kernel, we can compare the running kernel and the one on disk. Running kernel One way to determine the running kernel is with the uname command. By default installed and with the -r parameter it will provide the kernel release version. # uname -r 3.17.4-1-ARCH Kernel on disk Checking the latest kernel on disk is almost as easy.

The usage of nftables will slowly grow in the upcoming years, with the goal to become the successor of iptables. Where iptables rules are harder to parse, nftables comes by default with an exporting facility. Exports formats include JSON and XML. Command syntax When using the command line utility nft for the first time, it looks a little bit unfriendly to the user. No suggestions on what to do, nor clear help on often used commands.

Security of Linux systems and applications can be greatly improved by using hardening measures. One of these measures is called Linux capabilities. Capabilities are supported by the kernel for some while now. Using capabilities we can strengthen applications and containers. Unfortunately, this powerful tool is still underutilized. Time to change that! This article helps to understand and apply them. What are Linux capabilities? Normally the root user (or any ID with UID of 0) gets a special treatment when running processes.

Hardening the kernel with kernel.yama.ptrace_scope Ptrace is a great troubleshooting tool for developers to determine how a process functions. It can be used to find programming flaws, like memory leakage. On the other hand, the tool also be used by people with malicious intent. For example to debug a process as a non-privileged user and find the contents of application memory. Yama Linux has the ability to include Linux Security Modules, to provide additional features with the means of a module.

Hardening Linux binaries by removing setuid Normally Unix based systems use two kind of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets. Root permissions The command ping is a great example why even small programs needs root permissions. In a first glance you might consider this tool to be simple: send a package to a host and see if it responds.

A.1.2.c Verify that an entity’s users do not have write access to shared system binaries Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible. Paths for system binaries Depending on the distribution used there are several directories which have shared system binaries.

Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats.

Every system needs some level of protection. Still, many people simply forget to do it, or can not find the time to properly do it. To be as efficient and effective as possible, let’s take at a structured way for security scanning your Linux machines. The 5 dummy steps are: 1. Focus on risk Like not every company is a bank, our systems are not all part of a top secret mission.

Our security auditing tool Lynis is a toolkit consisting of several shell scripts. Many users of the software actually never realized it was written as a bunch of shells scripts. Now that the secret is out, it is time to learn why we used shell scripting. Here are 5 reasons! 1. Shell scripting is powerful Yes, people asked us why our tool Lynis was not written in Perl, Python, Ruby, C++ etc.

Administrators of Debian-based systems know they have to reboot their systems, just like any other Linux distribution. However, why is the reboot needed? Could we monitor for which systems need an actual reboot? Required restart required? This Ubuntu system needs a restart Required reboot Software can contain issues, which we call bugs. Most bugs are just annoying if you encounter them and can be fixed by upgrading to a newer version of the software.

Information security is possibly one of the hardest subjects in IT. Doing too less and you risk of security breaches. Doing too much will restrict the core businesses of your organization. With a proper security program, implementing Linux security can be greatly simplified. By having a structured approach, the strength of the defenses will increase, while risks decrease. In this article, we have a look at how to properly prepare security projects and changes.

Quality is an interesting word. It describes, well, the quality of something. Quality is just another word for how well can you repeat something. The goal is to get each time exactly the same result. Whenever it’s a physical product, or rolling out a new Linux system, you want great quality. One method to increase quality is using checklists. However we strongly advice against using Linux hardening checklists.. But checklists are good, right?

During the last years the role of DevOps evolved. This person could be described as the hybrid: a system administrator with development skills, or the developer which is also infrastructure savvy. With Linux and so many available tooling, it is becoming easier for people to learn both development and managing infrastructures. We are especially interested in Linux security for DevOps and what they can apply. Automation is key Repeating work is not only boring, but also a waste of time.

Malware, or malicious software is also an issue on Linux systems. Let’s have a look into this threat and what actions you can take. What is a rootkit? A rootkit is a set of tools with the goal to hide its presence and to continue providing system access to an attacker. The word rootkit comes from the root user, which is the administrator account on Linux systems and Unix-clones. The kit refers to a toolkit, or a set of tools.

Protecting computer networks consists of implementing preventative measures, but especially properly implementing detection methods. These digital tripwires can be used for intrusion detection, or proper handling security events on Unix systems. Security events First we have to define a few events which are or can be security related. To get easily started, we focus on 3 tips to implement security events on Unix systems. 1. File changes Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.

Proper software management is an important part in keeping your system secured. Acting on time is important, especially when network services have discovered security vulnerabilities. Vulnerable packages Usually packages with known security vulnerabilities, get priority and updates are soon available. The risk in installing these packages is fairly low, as they don’t introduce new features. Instead, they fix the related security hole, which sometimes is nothing more than 1 single character!

From the initial start of the Linux operating system, the first processes are already born. In this article we have a look on dealing with processes. In particular we look at how to do process auditing. Whenever you are an auditor, system administrator or just a Linux enthusiast, you can’t ignore processes and should know how to deal with them. Process listing For most people working on Linux systems, it might be obvious to display running processes with ps.

Learn the basics of Linux server hardening and what kind of measures and tools you can implement.

Now open source software and platforms are very common, the need for knowledge in this area is increasing. Becoming a technical auditor with specialized knowledge about Linux, might be a clever move. Technical When specializing in Linux, the auditing area is already more technically oriented, instead of the processes. A true Linux auditor knows more than the basics of Linux. In-depth knowledge is required, like what file systems are common, how permissions are arranged, popular applications are common (at the presentation layer, middleware, backend).

In this article we answer the big question on Linux systems “what to audit?”. Where do you start and what is useful to audit? We apply our three C’s in this article to determine what we should look for when auditing a Linux system. Current state What is the current state of the system and how does it compare to previous time? Ideal situation: compare current state of the system with a predefined baseline or previous scan

This guide helps people new to the Linux platform to get a grasp on how the system works. Whenever you are an IT auditor, or simply want to know more about the basics, this guide helps you in determining where to start an audit. Processes Each operating system consists of smaller running processes. In case of Linux this is true as well and can be displayed with the ps tool. Without parameters it will already show some processes, but the list is not complete.

Determining the level of Linux server security can only by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associate risk with each weakness. Depending on the role of the system, sensitivity of data and possible threats, we can then select what security safeguards are appropriate.

Every system is as strong as its weakest link. In the case of an operating system like Linux, one weakness in the kernel could result in a security breach. This article covers the Linux kernel features and how they work. Kernel features Live kernel patching As the kernel is similar to other software, it receives updates to improve it. Now and then a security weakness is discovered in one of the subsystems of the Linux kernel.

Auditing a system can be a time-consuming job, which is no different when conducting a Linux server security audit. Within this article, we give some highlights regarding the audit and tips to automate them by using Lynis. The business goal Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down? Usually each system has a clear role or multiple roles, like being a web server.

There are several open source vulnerability scanners for Linux, like OpenVAS. While tools like these are powerful as well, we will have a look at Lynis, our auditing tool to detect vulnerabilities of Linux and Unix systems. Why is it different than others and how can it help you in securing your systems? Vulnerabilities Every piece of software will have sooner or later a vulnerability, a minor or major weakness which can be abused by evildoers.

The Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing. Auditing goals By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include: Audit file access and modification See who changed a particular file Detect unauthorized changes Monitoring of system calls and functions Detect anomalies like crashing processes Set tripwires for intrusion detection purposes Record commands used by individual users Components The framework itself has several components:

Within the field of the audit profession the usage of CAAT (Computer-assisted audit techniques) or CAATTs (computer-assisted audit tools and techniques) is growing. Lynis is filling this gap for Linux and Unix based systems. It’s a well-known and stable tool in this area and improves the audit process by automation. Only a few items could then be checked manually. This saves time, makes the audit more predictable and increases the quality of the overall audit.

The question regarding the need for antivirus for Linux is after years still relevant. It is asked at forums and shows up regularly at Quora. As the original author of rkhunter, a malware scanner for Linux and Unix systems, I analyzed many malicious software components. You might be wondering that if there is malware, there is also a need for a scanner, right? It is actually not that easy to answer.

Learn the steps to take when you suspect that your Linux system is compromised.

No system can do its job without any installed software packages. However after installation of the system, or running it for a while, it often becomes unclear why some software was ever installed. This article looks at methods on auditing installed software, check for security updates and the related follow-up. Package managers To enable system administrators to properly manage software and upgrading them, Linux uses a package manager. This suite often consists of a package database, the software packages itself and several support tools.

Securing a Linux system can take a lot of time. For this purpose we have written Lynis, a quick and small audit tool. It’s an open source tool and freely available. You just need root permissions and a common shell and you’re ready to do your first audit. The main audience for this tool is auditors, security professionals, penetrating testers and system administrators. First audit Most Linux distributions already have Lynis in their software repository.

Within this article we have a look on how to audit and check the network configuration of Linux and other systems. The main focus is on gathering information and discover how systems are configured. By taking these steps we will do a manual audit. For efficiency reasons we suggest to use an automated tool like Lynis. Where to start? Each Linux distribution has their own way and files to configure the network.