How to display directory contents sorted by modification time

Learn how to sort the output of the ls command to list a directory contents by its modification time.


Show directory contents sorted by modification date and time

How to schedule a periodic task with systemd

Schedule a repeating task via systemd by using a timer. Learn how to configure and use it.


Systemd uses different types of units. One of them is the timer unit, which can be used to schedule a periodic task. This timer unit is linked to an existing service unit and will activate the service according to the defined schedule. The timer unit can be defined using the information about systemd timers. Timers use one or more OnCalendar definitions to specify when execution of the timer should happen. As systemd timers are very versatile and provide good monitoring options, they are a good replacement of cronjobs.


The command systemd-analyze helps analyzing systemd components to optimize the system including performance and security.


How to check if systemd is being used or active

Learn how to quickly confirm that systemd is being used as your system and service manager.


Systemd is nowadays a common system and service manager for Linux systems. But how do you know for sure that it is being active? The easiest way is to have a look at PID number 1. This is the first process started after the kernel itself. With the help of ps we can determine the underlying command behind this initial process. ps -p 1 -o comm= This command defines what columns should be part of the output, where only shows the actual command.

How to add a SSH key to the SSH agent

Learn how to load and use your SSH key together with a SSH agent.


When the SSH agent is running, the ssh-add command can be used to load a SSH key. The SSH agent then will request a password when needed, and load the key details in memory. Adding the SSH key just requires the path to the private key. ssh-add ~/.ssh/id_ed25519 When the key is loaded, use the -l or -L option to show the identities that the SSH agent has. ssh-add -l

How to see all enabled services with systemctl

The systemctl command can be used to show all service units and filter those that are enabled.


The systemctl command show active unit. To see only services that are enabled, we need to filter the output. This can be achieved using the list-unit-files subcommand and combined with the --state= option. As we are interested in enabled services only, set the value to enabled. Want to parse the output with a script? Consider adding --legend=false to remove the header and footer text (X unit files listed.). Usage systemctl list-unit-files --type=service --state=enabled UNIT FILE STATE VENDOR PRESET apparmor.

Nginx hardening profile

Harden the nginx configuration with the help of systemd sandboxing capabilities and restricting resources.


Introduction This is a hardening profile to help securing nginx by using systemd unit configuration. It’s goal is to restrict what nginx can do and make it harder for any possible vulnerability to be misused. The rationale for the selected settings is based on the analysis as part of the article Hardening nginx with systemd security features.

SocketBindAllow setting

Allow systemd units to use system call bind() on sockets specified with the unit setting SocketBindAllow.


Why and when to use SocketBindAllow The setting SocketBindAllow is used together with SocketBindDeny and defines restrictions on the usage of the system call bind on a network socket. Settings Both SocketBindAllow and SocketBindDeny use a bind-rule. See SocketBindDeny for the details. Generic advice This setting is useful in combination with SocketBindDeny to create an allow-list. Examples Allow binding on TCP port 80 [Service] SocketBindDeny=any SocketBindAllow=tcp:80 Allow binding on port 443 (IPv4/IPv6, TCP/UDP)

SocketBindDeny setting

Restrict systemd units to use system call bind() on sockets specified with the unit setting SocketBindDeny.


Why and when to use SocketBindDeny The setting SocketBindDeny can be used alone or together with SocketBindAllow to set restrictions on the usage of the system call bind on a network socket. Settings If the SocketBindDeny list is used alone, then it is a deny-list. Everything except the defined ports/protocols will be allowed. By defining the value ‘any’, all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.

DevicePolicy setting

Restrict systemd units to access devices in the /dev directory with the unit setting DevicePolicy.


Why and when to use DevicePolicy The setting DevicePolicy aims to reduce access to devices in /dev. By default, there is no limitation to access devices. Settings The value strict is the most strict, as the name implies. This is suitable for services that do not need any access, like custom shell scripts. Unless output is being redirect to /dev/null, then access could be granted with DeviceAllow=/dev/null. Generic advice Aim for using ‘strict’ when possible and define entries that should be allowed.

DeviceAllow setting

Restrict systemd units to access devices in the /dev directory with the unit setting DeviceAllow.


Why and when to use DeviceAllow The setting DeviceAllow aims to reduce access or its level to devices in /dev. By default, there is no limitation to access devices. Settings Define DeviceAllow with the path and access level. DeviceAllow=/dev/sda3 r General advice For most services it might be easier to use ProtectDevices=yes to reduce the devices that can be access.


Everything related to Linux capabilities, like articles and an overview of the available capabilities.


Overview of Linux capabilities

An overview of the available Linux capabilities that allow processes to perform privileged actions.


Introduction Linux uses capabilities to split privileged actions from the actual root user, making it possible that some processes perform them, often as a non-privileged user. If you are new to this subject, have a look at the Linux capabilities 101.

Troubleshooting a failed systemd unit (with examples)

Learn how to troubleshoot failed systemd units, examples, possible causes, and how to resolve them.


Discover the reasons why a systemd unit went into a failed state

What does systemctl daemon-reload do?

When making changes to systemd unit files, you may need to use systemctl daemon-reload. This article explains what happens next.


Systemd stores the configuration for units, like services, in individual unit files. When changes are made to these units, a reload might be needed. This is where systemctl daemon-reload comes into play. But what exactly does the daemon-reload subcommand really do? In short: rerun generators, reload units files, recreate the dependency tree. Let’s have a look at the more detailed answer. Running generators Generators are helper scripts to convert non-native scripts to unit files that are usuable by systemd.

How to check if 'systemctl daemon-reload' is needed

When systemd units are changed, a 'systemctl daemon-reload' might be needed. Need to know if this is the case? Let's test for that.


Systemd may need to reload a part of the unit configuration if changes were made. To find out if the related systemctl daemon-reload command is needed, the state of the individual units can be tested. This is done by querying the property using the --property=NeedDaemonReload option. Testing a single service like nginx, can be done this way: # systemctl show --property=NeedDaemonReload --value nginx.service yes This output will return a ‘yes’ or ’no’ value.

How to see which syscalls are part of a systemd syscall filter set

Learn how to see what syscalls are part of a particular syscall filter set in systemd.


Systemd can restrict services from using particular syscalls with the help of the unit setting SystemCallFilter. Instead of mentioning all individual syscalls, systemd has predefined sets that can be used. These sets group functions that are related. To see which syscalls are part of a set, use the systemd-analyze command. # systemd-analyze syscall-filter @ipc @ipc # SysV IPC, POSIX Message Queues or other IPC ipc memfd_create mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink msgctl msgget msgrcv msgsnd pipe pipe2 process_madvise process_vm_readv process_vm_writev semctl semget semop semtimedop semtimedop_time64 shmat shmctl shmdt shmget See systemd syscall filtering for all details.

SystemCallFilter setting

Define if systemd units are allowed to use specific syscalls or groups with the unit setting SystemCallFilter.


Why and when to use SystemCallFilter The setting SystemCallFilter aims to prevent misuse of syscalls that are not needed for normal functioning of a process. This powerful filtering restricts the abilities of a process, but requires understanding of processes by the system administrator. See the overview of Linux syscalls for more details. Configuration This setting takes a space-separated list and may be specified multiple times. Allow-listing By default the list contains the entries of allowed system call names.

Overview of Linux syscalls

An overview of the available syscalls, or system functions, that allow processes to communicate with the kernel.


Systemd syscall filtering

Learn more about the system calls (syscalls) that systemd may use in commands and unit files, such as with SystemCallFilter property.


Overview of syscalls in systemd by group

What is the difference between systemctl disable and systemctl mask?

Want to disable a service, but wondering the difference between systemctl disable and systemctl mask? This article shows the differences between the two.


Systemd and its services can be in several states, such as enabled, disabled, failed, running. If you no longer need a particular service to run, then the first step is to stop a service. systemctl stop nginx.service But stopping a service is not the same as disabling a service. With that comes a very frequently asked question: what is the difference between a service that is disabled and one that is masked?

How to use systemctl edit to change a service?

Learn how to edit an existing systemd service unit with the systemctl edit command.


Systemd allows service units to be configured using a drop-in file, which is often called override.conf. It overrides the vendor-supplied version of a service to customize it. Instead of duplicating the configuration, the override file contains the differences. Editing service file Changing a service can be done using systemctl, followed by the edit subcommand and service unit. The editor that is configured on the system will be opened and any changes can be made between the comment section at the top and the comment section a little bit lower.

How to see only running services with systemctl

The systemctl command can be used to filter its output and only show all running services.


The systemctl command will normally all active units. To filter this output to just the running services, we can combine the options --type= and --state=. For this particular case we set the type to service and the type state to running. Usage # systemctl --type=service --state=running --legend=false accounts-daemon.service loaded active running Accounts Service avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack colord.service loaded active running Manage, Install and Generate Color Profiles dbus-broker.

Run0 cheat sheet

Learn how to get everything out of the run0 tool to increase your privilege level.


Elevating permissions

Run0: introduction and usage

Learn the goal and purpose of run0 and how to use it for elevating privileges.


Elevating permissions

How to disable the background color of run0

Learn how to disable the change of the background color when using run0.


Systemd introduced run0 as its alternative to sudo. One of the features if a colored background when your privileges are elevated. To disable this behaviour, use the option --background= with an empty value. run0 --background= The red background now will be gone, which can be useful if the color conflicts with the output or when it is unwanted.

MemoryDenyWriteExecute setting

Block the ability for systemd units to create or alter memory segments to become writable and executable as well with the unit setting MemoryDenyWriteExecute.


Why and when to use MemoryDenyWriteExecute The setting MemoryDenyWriteExecute will block the creation or alteration of a memory segment to become writable and executable as well. By enabling this limitation, it will increase the bar software exploits to change running code dynamically. Usage [Service] MemoryDenyWriteExecute=yes InaccessiblePaths=/dev/shm SystemCallFilter=~memfd_create Caveats To prevent circumvention of this setting, access to /dev/shm and the syscall memfd_create should be blocked as well. Generic advice For most common services this option can be implemented and will increase the security of a service.

InaccessiblePaths setting

Block systemd units to access specified paths with the unit setting InaccessiblePaths.


Why and when to use InaccessiblePaths The setting InaccessiblePaths defines paths that should never be accessible. Instead of using the principles of an allow list, it is an explicit deny list. It can be used to block access by a process to a location with sensitive data or a path commonly misused for exploits. Values Define the paths that are granted write access. [Service] InaccessiblePaths=/dev/shm When a path is prefixed with a minus (-), it is ignored if it does not exist When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.

How to remove trailing whitespace from a file

Learn how to remove trailing whitespace from a file using the sed command.


To remove any trailing whitespace from a file, we can use sed. By using in-place editing -i, sed can be provided with a search-and-replace action to filter out whitespace at the end of each line. By replacing it with nothing, it will effectively be removed. sed -i 's/[[:space:]]*$//' mytextfile.txt Explanation -i = inline file edit s/ = search [[:space:]]*$ = search one or more occurences of whitespace just before the end of the line // = No text, so any occurences of the whitespace will be emptied The [[:space:]] is called a character class and refers to space characters.

How to insert a line at the beginning of a file

Learn how to insert a line of text at the beginning of a file using the sed command.


To insert a line at the beginning of a file, we can use sed to achieve this task. By using in-place editing -i, we can instruct sed to make a change to an existing file. The next step is to tell sed what to change or insert and at what place. sed -i '1i # New first line' mytextfile.txt Explanation -i = inline file edit 1i = insert at first line # New first line = Text to add

Data processing: Frequently Asked Questions

Frequently asked questions about data and text processing.


How to see memory usage of a service with systemctl?

The systemctl command can be used to show the memory usage of a service managed by systemd.


The systemctl command has multiple options to show the memory usage. With the status subcommand followed by the service, it will show the basics, including memory usage. To retrieve the information that easier to parse, then use show followed by --property=MemoryCurrent and the service name. Usage The status output will include memory usage. systemctl status nginx ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.

How to see the active settings of a systemd unit

The systemctl command can be used to show the settings of a systemd unit, like a service.


The systemctl command can be used to show all settings of an unit, such as a service. To display the full list of applicable settings, use the show subcommand followed by the unit name. Besides the settings, the output will also include actual runtime information, such as memory usage, when the unit was started, etc. Usage Just provide the unit file to see all available information. # systemctl show nginx.service Type=forking Restart=no PIDFile=/run/nginx.

How to override the settings of a systemd unit

The systemctl command can be used to override settings of a systemd unit, like a service.


The systemctl command can show settings of a systemd unit, such as a service. It can also assist in overriding these settings by using the edit subcommand followed by the unit name. This will open the editor that is configured on the system and create the override file. Usage Run the edit command with the unit, and the editor like vim or nano will show up. ### Editing /etc/systemd/system/nginx.service.d/override.conf ### Anything between here and the comment below will become the new contents of the file [Service] ProtectSystem=strict ReadWritePaths=/run /var/log/nginx ### Lines below this comment will be discarded <snip> Important: Do not remove the comments and only insert or change between the specified comment lines.

ReadWritePaths setting

Grant systemd units to specified paths to read from and write to new or existing files with the unit setting ReadWritePaths.


Why and when to use ReadWritePaths The setting ReadWritePaths grants read and write permissions to defined paths. It can be used in combination with other settings like ‘ProtectSystem=strict’ to make the full file system read-only, and then open up a few paths that are required for a service to run correctly. Values Define the paths that are granted write access. [Service] ProtectSystem=strict ReadWritePaths=/run /var/log/nginx When a path is prefixed with a minus (-), it is ignored if it does not exist When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.

Hardening nginx with systemd security features

Secure your nginx service by using security features provided by systemd.


Introduction Nginx is still a popular web server and powering a part of the web. Wouldn’t it be great if we could secure it a little bit more? In this article we use the security features to secure systemd units and services and apply it to nginx. If you are not familiar yet with the unit settings of systemd, then this document would be a good introduction into the subject.

Systemd features to secure units and services

Learn more about systemd features that help in securing units and services.


Secure services with these features

ProcSubset setting

Restrict systemd units to access information from the /proc directory with the unit setting ProcSubset.


Why and when to use ProcSubset The setting ProcSubset controls the “subset” mount option of /proc for the unit. Caveats This function does not if the “subnet” option for procfs is not supported. Generic advice The Linux kernel shares information from various kernel APIs via /proc. When activating this setting, these kernel APIs are also made unavailable, which might break common software, unless it is a trivial process. So this option is to be used with care.

RestrictAddressFamilies setting

Restrict systemd units using only specified socket address families with the unit setting RestrictAddressFamilies.


Why and when to use RestrictAddressFamilies The setting RestrictAddressFamilies aims to restrict what socket address families can be used. When using it, the default is that it is used as an allow-list and define what address families can be used. Settings When this setting is not configured, there are no restrictions to what address families can be used. Setting the value to none will block all address families. To block specific address families only, a ~ can be used to turn the allow-list into a deny-list.

ProtectProc setting

Restrict systemd units to access information from the /proc directory with the unit setting ProtectProc.


Why and when to use ProtectProc The setting ProtectProc aims to protect information that normally can be retrieved from /proc. Settings The value default, which is also the default, will not restrict access. Value invisible will hide information, where ptraceable restrict the set to only processes that be monitored with the system call ptrace(). The value noaccess is the most strict option. Caveats This setting will not have effect if the kernel does not support the hidepid mount option per individual mount point.

ProtectHome setting

Restrict systemd units to access data in home directories with the unit setting ProtectHome.


Why and when to use ProtectHome The setting ProtectHome aims to protect home directories. These three paths are included: /home /root /run/user Settings The default no will not restrict access to the home directories. Using yes will active full protection, not allowing access. The value read-only will make the paths read-only, so no data can be written to it. With tmpfs a temporary file system is being used, also read-only, yet it hides the actual home directories.

ProtectKernelLogs setting

Restrict systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.


Background The Linux kernel exposes its kernel log ring buffer to userspace via /dev/kmsg and /proc/kmsg. When this setting is defined as yes, the capability CAP_SYS_MODULE will be removed from the capability bounding set. This means that all processes in the unit will no longer have access to the kernel log ring buffer. Generic advice For most common services access to the kernel log ring buffer is not need, therefore safe to disable (ProtectKernelLogs=yes).

ProtectKernelModules setting

Restrict systemd units to load kernel modules with the ProtectKernelModules unit setting.


Explanation Kernel modules can provide additional functionality when using a modular Linux kernel, which is applicable to most systems. When this setting is set to yes, it tries to prevent the unit from loading kernel modules. This is achieved by removing the CAP_SYS_MODULE from the capability bounding set. Generic advice Most units do not need the permission to load kernel modules, so typically a unit can be configured with ProtectKernelModules=true.

How to see the cgroup of a process

Learn how to find the control group (cgroup) of a process by using /proc, pidof, or ps.


The control group of a process can be retrieved from the /proc directory. We only need to know the PID of the process, which can be found using ps or pidof. Usage If we know that our PID is 1234, then showing the cgroup is as easy as using cat to see the contents of the ‘cgroup’ file. cat /proc/1234/cgroup To see the cgroup for the nginx process (or one of them), we could something like this.

How to see cgroup in ps output

Want to see the control group in the output of the ps command? Here is how to tune your command options to include that.


The ps command can show the control group of a process using the -o option, followed by the right column names. Usage To show processes and the control group, we can filter the output columns. # ps -e -o pid,cgroup:64,args PID CGROUP COMMAND 1 0::/init.scope /lib/systemd/systemd --system --deserialize 58 2 - [kthreadd] 3 - [rcu_gp] <snip> 576 - [xprtiod] 634 0::/system.slice/dbus.service @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 640 0::/system.slice/networkd-dispatcher.service /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 645 - [nfsiod] 653 0::/system.

How to see the time synchronization details with timedatectl

Show time synchronization details with the systemd timedatectl command and related subcommands.


The timedatectl command can show the time, time zone information, and its status. Add the timesync-status subcommand to see synchronization details. Usage Use timedatectl with the timesync-status command to see the actual status. Under normal conditions, the leap should show ’normal'. # timedatectl timesync-status Server: ( Poll interval: 34min 8s (min: 32s; max 34min 8s) Leap: normal Version: 4 Stratum: 2 Reference: 4FF33C32 Precision: 1us (-25) Root distance: 762us (max: 5s) Offset: +882us Delay: 15.

How to show the systemd machine ID

Find the machine ID that was generated by systemd.


With the hostnamectl command basic system information like the operating system, hostname, and machine ID can be displayed. Usage Run the command without any parameters to get the status displayed, including the machine ID. hostnamectl

How to see the dependencies of a systemd unit

The systemctl command has the list-dependencies option to show dependencies between units. But there are more options to query a little bit more information.


The systemctl command can be used to show dependencies between units with the list-dependencies subcommand. A nicely human-readable output will be displayed showing the selected unit, followed by the dependencies that rely on this unit. This is useful when a unit is in a failed state due to a dependency on another unit. Usage To see which units require the multi-user target to be active: # systemctl list-dependencies ● ├─apport.

How to see the available systemd unit types

The systemctl command can be used to show all available systemd unit types.


The systemctl command can show the available systemd unit types when using the option --type=help. Usage # systemctl --type=help Available unit types: service mount swap socket target device automount timer path slice scope

How to see all active systemd units of one type

The systemctl command can be used to show all active systemd units of one particular type with the --type option.


The systemctl command will show by default all active units. To filter down on a particular unit type, use the --type= option, followed by the type. Not sure what types are available? Run systemctl --type=help. Usage systemctl list-units --type=target

How to limit the disk usage of the systemd journal

Learn how to define the maximum size that the systemd journal daemon may use for storing journals.


To limit the maximum size that journals may use on the system, define the setting SystemMaxUse in /etc/systemd/journald.conf. Save the file, confirm that the settings are correct, then restart the journal daemon. Configuration Open /etc/systemd/journald.conf, copy the commented line, remove the hash, and assign it a value. SystemMaxUse=256M Note: depending on how many events happen on a system, this value might be too small. Make sure that the size for logs is big enough.

How to see the size of the systemd journal


The journalctl command can be used to show the journal. By using the --disk-usage option, the size of the journal is displayed. This includes the archived and active journal files. When the journal is using too much disk space, consider performing a vacuum task. Usage Showing the disk usage is quick and easy. # journalctl --disk-usage Archived and active journals take up 56.0M in the file system. Does the journal take up too much space?

How to see kernel messages with journalctl

Learn how to show all kernel events by using journalctl and filter out the kernel entries in the journal.


The journalctl command can show all events related to the kernel itself usig the --dmesg option. This option will filter out kernel messages and has a similar output as the dmesg command. Usage Use the full or shorter option to query the kernel messages. journalctl -k Looking for only the kernel messages of today? Combine it with the --since= option. journalctl -k -S "today"

What is a systemd unit?

Learn more about systemd units and what they do.


Systemd units define resources that can be used by the system. Examples of these units are a service, path, socket, and timer. Each unit type has its own basic set of properties that then individually can be configured. Unit types can be recognized by their file extension. A service will use the ‘.service’ extension, making it easy to recognize. Units are usually managed with the systemctl command. See systemd unit types and their purpose for a full overview of the units.

How to see only recent journal entries

Learn how to filter journal entries by specifying a date or time interval.


The journalctl command shows by default the oldest entries it has in the journal. Typically we are not interested in that, for that purpose there is the --since= option. This option defines that entries should be after the specified moment in time. Besides using an actual date, a shortened name like ’today’ can also be used that automatically defines the date and time. Usage To see the entries of today, use the aptly named ’today'.

How to see new log entries automatically with journalctl

Learn how to continuously show new log entries with journalctl like the tail -f command.


The journalctl command can show continuously new log entries with the --follow option. When new entries are added to the journal, they are automatically shown. Usage The follow option is a great option to continuously monitor a particular unit. journalctl --follow --unit=nginx.service Without providing a unit, all system events will be shown and followed.

How to see logging for a specific unit or service

Limit the number of log entries from the systemd journal by filtering journalctl output by unit.


The journalctl command can show the events from its journal by --unit= followed by the service or its unit name. This way events will be filtered, making it much easier to troubleshoot a particular service. Example journalctl -u nginx.service

How to reload the systemd configuration

How can systemd be instructed to reload its configuration?


Reload systemd

What is systemd?

Learn what systemd is and the main components of this system and service manager.


Systemd is a system and service manager. The name is short for ‘system daemon’, an ongoing service that manages the system. As it is also a service manager, it is responsible for start, stopping, and monitoring services. Systemd replaces the SysV init system and focuses on performance and resource management. It was created by Lennart Poettering in 2010, with Fedora Linux being the first to adopt it in May 2011. In 2015, several major Linux distributions started shipping with systemd.

What is a masked systemd unit?

What does it mean when a systemd unit is masked? Learn about this state.


Systemd units that are in a masked state are administratively disabled. While being in this state, they can not be started until they are unmasked. Typically a unit is masked when it should not start by default or manually, to prevent it causing issues or running an unwanted service. With systemctl and the subcommand mask, a systemd unit can be masked. Relevant FAQ: How to see all masked units with systemctl?

Systemd commands

All commands related to systemd in one overview. Learn about their purpose and when to use them.


Systemd has a range of commands to interact with the systemd services and functions. Typically daemons will have a ’d’ in their name, such as systemd-networkd, while client tools end with ‘ctl’ (systemctl). Here is an overview of the available commands and their purpose. Primary commands Journalctl Events are stored in a journal, similar to what syslog does. The biggest exception is the way log information is stored and how it is queried.

SSH ProxyJump option

Learn about the SSH client option ProxyJump, that allows using a bastion host or jump server to connect to other systems.


The ProxyJump defines a bastion host (jump host, jump server, jump box) to use. Values Value Meaning none Disable ProxyJump functionality HOST Define the hostname of the bastion host [USER]HOST[:PORT] Define one or more parameters of the bastion host URI Define parameters in URI format Hostname Format: hostname User Format: user@hostname Port Format: hostname:port Command-line usage ssh -J bastion destinationsystem These parameters can also be specified in the format as a URI .

SSH ForwardAgent option

Learn about the ForwardAgent option, available values, the security risks, and how to configure it.


The ForwardAgent option specifies if SSH agent forwarding is allowed or not. ForwardAgent values Value Meaning Yes Agent forwarding is allowed No (default) Agent forwarding is not allowed PATH Path to the agent socket $VARIABLE Environment variable that stores the path Security caution Agent forwarding should not be used if not strictly needed. Any user that can access the agent’s socket stored in SSH_AUTH_SOCK may have access through the forwarded connection.

What is SSH agent forwarding?

Learn more about the SSH agent forwarding feature and what problems it tries to resolve.


The agent forwarding feature in SSH allows using your local SSH agent to be reached through an existing SSH connection. This way you don’t have to store copies of your private keys on intermediate systems to use them for authentication. While SSH agent forward simplifies things, it also introduces a new risk related to Unix domain socket. If a user on the intermediate system can access the related socket, then it may abuse this connection back to the SSH agent to authenticate on your behalf.

How to start the SSH agent?

When the SSH agent is not running, how can you start it? In this article we will have a look at the options.


The ssh-agent command is started manually using eval $(ssh-agent). This will initiate the SSH agent and make it available for clients, such as ssh, to use it. To confirm that the agent is running is by looking at the SSH_AUTH_SOCK environment variable. Automatic start of SSH agent Gnome Keyring SSH Agent When using Gnome, it typically comes with its SSH agent as part of Keyring. This will automatically load any files in ~/.

What is the purpose of the SSH agent?

What is the purpose of the SSH agent and when to use it?


The ssh-agent command starts the SSH agent, a helper utility to store private keys when using public key authentication. The ssh-agent process is usually started at the the beginning of a login session and then can be connected to by a SSH client. Clients can detect the environment variable named SSH_AUTH_SOCK. Related settings on the client IdentityAgent

How to disable the usage of the SSH agent

Learn how to disable the usage of the SSH agent when authenticating.


Disable usage of SSH agent identities

SSH IdentityAgent option

Learn about the IdentityAgent option, available values, and how to configure it.


The IdentityAgent option specifies what UNIX-domain socket to use to communicate with the authentication agent. When configured, it overrides the environment variable SSH_AUTH_SOCK and provides the option to select a specific agent. Besides the option to define a socket, the location of the socket can also be provided by the SSH_AUTH_SOCK environment variable. In that case the value should defined as “SSH_AUTH_SOCK” (without quotes). If the value starts with a ‘$’, it indicates that another enviroment variable is to be used.


The configuration file /etc/ssh/ssh_config contains settings related to the OpenSSH client. Learn more about this file its configuration.


The file /etc/ssh/ssh_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the system-wide settings for the SSH client. It can be overriden by storing settings in ~/.ssh/config that takes precedence. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH client configuration.

SSH client configuration

Linux systems are usually managed remotely with SSH. Learn how to configure and optimize the SSH client and improve its security.


Configuration files /etc/ssh/ssh_config ~/.ssh/config Configuration settings The client knows a lot of individual settings that may be configured in a configuration file or via the command-line. IdentityAgent Configure the socket to use for the SSH agent. See IdentityAgent Port Defines the port to be used. By default, the SSH server is configured with port 22 (TCP). ProxyJump Defines a bastion host (jump host, jump server, jump box) to connect to the destination system.

SSH configuration files

Learn about the locations where SSH client settings are configured and what precedence they take.


For the SSH client there are typically two places where configuration files are stored: in the home directory of the user and a global configuration file. User configuration Location: ~/.ssh/config This file is stored in the home directory of an user. It is optional and by default no file is available. System-wide configuration Location: /etc/ssh/ssh_config Overrides via: /etc/ssh/ssh_config.d/*.conf The default settings are in the ssh_config file. The system administrator may add customizations to this file, but typically it is advised to override settings using a separate configuration file.

How to show all installed packages with pacman

Query the pacman package manager on systems like Arch to show installed packages.


Querying pacman

SSH StrictHostKeyChecking option

Learn about the StrictHostKeyChecking option, available values, and how to configure it.


The SSH client won’t connect to a system when it sees that host key changed since the initial connection it made. This helps against MitM attacks. The client knows when the host key is different by comparing it with the related values in the ~/.ssh/known_hosts file. Values Value Automatically save new host keys Action if host key changed yes No Refuse ask No, ask Refuse accept-new Yes Refuse no | off Yes Connect When connecting to many different systems, the accept-new value can help reducing the manual step to accept keys.

SSH PasswordAuthentication option

Learn about the PasswordAuthentication option, available values, and how to configure it.


One of the common methods to authenticate with a SSH server is using the combination of a username and password. With the option PasswordAuthentication we can define if we want to use this type of authentication. While yes is the default, it might be useful to disable it for hosts that require public key authentication. This way we instruct the client to only try that.

Security Through Obscurity (STO)

What is security through obscurity and what are examples when it comes to Linux security and system hardening?


What is security through obscurity? Security through obscurity (STO) is hiding, masking, or concealing parts of a system to enhance its security. By itself this does not increase the security level, but it can be an effective method in combination with a layered security defense. So it complements the overall security efforts, but alone is it not to be considered a real security measure. Another part of security through obscurity is the principle of hiding in plain sight.

How to stop all processes of a single user

Learn how to stop all processes of a single user using the killall command.


Killing processes with a filter

How to disable the SSH host key check?

Learn how to disable the SSH check of host authenticity and key fingerprint with ssh option StrictHostKeyChecking.


Disable check for host authenticity

Security concepts

Learn common security concepts that also will apply when securing Linux environments, like system hardening and implementing security measures.


Change SSH server port number

Learn how to make changes to your SSH configuration to have it running on a different port than its default 22/TCP.


Why change your SSH port? Systems that are available via the internet and can’t be fully protected with a firewall, they might benefit from running on a different TCP port than the default 22. This way automated scanners will less likely probe your system(s), as they don’t know what port you use for SSH. Changing your SSH port won’t make a system more secure in itself, and therefore is often called security through obscurity.

Configure a SSH welcome message or banner

Learn how to configure a welcome messages for users before or after logging in via SSH.


Configure a Message of the Day The MOTD is typically stored in /etc/motd or a related directory, such as /etc/update-motd.d or /etc/motd.d/. The related message or messages are then displayed after a user is logged in. Another option is that the MOTD is displayed using the PAM configuration. To see if this is the case, perform a grep in your PAM configuration directory. grep -ir motd /etc/pam.d | grep -v ":#"

SSH escape sequences

Learn about the escape sequences that can be used with OpenSSH to initiate special commands.


Escape sequences are a patterns of keys that are recognized to send special instructions. To see the ones that are supported, press tilde (~) followed by a question mark (?). Supported escape sequences: ~. - terminate connection (and any multiplexed sessions) ~B - send a BREAK to the remote system ~C - open a command line ~R - request rekey ~V/v - decrease/increase verbosity (LogLevel) ~^Z - suspend ssh ~# - list forwarded connections ~& - background ssh (when waiting for connections to terminate) ~?

How to terminate a SSH connection that does not respond to CTRL+C

Learn about SSH escape sequences and how they can help with terminating a SSH connection that does not respond to CTRL+C.


Use an escape sequence to terminate a connection that is stuck

How to remove the passphrase from a SSH key

Remove the password or passphrase from a SSH key using the ssh-keygen command.


Remove a passphrase from existing SSH key

How to see the available SSH keys in the OpenSSH authentication agent

Show the available SSH keys that are loaded in the SSH authentication agent.


How to see the available SSH keys in the OpenSSH authentication agent

SSH: Frequently Asked Questions

Frequently asked questions about SSH, such as SSH keys, configuration, and usage.



The kill command can be used on Linux systems to send a defined signal to a process. Learn how to use it and what signals are available.


The kill command is used on Linux to send a process signals. This can be a numeric value or its defined name (e.g. SIGTERM).

What is a zombie process?

What is a zombie process on Linux and how to deal with it? In this article we will have a look at the details.



How to kill a zombie process

How to kill a zombie process if it does not respond to kill -9? Here are a few last steps that you can try.


Killing zombies, for fun?

How to show a running process name and its process ID (PID)

Find the process ID (PID) and process name on Linux with the help of the pgrep command.


Search for PID and process name

How to find all process IDs by its process name

Discover the process ID (PID) on Linux for a running process by searching for its process name.


Retrieve PIDs for a service

Linux process signals and their meaning

Want to know the difference between SIGHUP, SIGKILL, and SIGTERM? Learn about Linux process signals, including a list and description.


Linux uses signals to interact and define the state of a process. It uses POSIX reliable and real-time signals. The first are considered standard signals. Many programs are build using glibc and therefore use functions like kill(2) to send a signal to a process or processes group, or even all processes on the system. A process can decide to ignore a signal or take an action after it is received by a signal handler, a routine to catch incoming signals.

How to kill a running process by its name

Find and stop a running process on Linux by searching for its name using the killall or pkill command.


Stop a process by searching for its name

Processes: Frequently Asked Questions

Frequently asked questions about start and stop processes, discover information, and monitoring them.



Learn about the sysctl command and the values related to the network class.


This class defines the parameters related to the networking stack.

Sysctl: net.ipv4.ip_forward

The sysctl key net.ipv4.ip_forward key is used to define IP forwarding of IPv4 network packets. Learn about the possible values of this key and their meaning.


This sysctl key defines if a system should allow forwarding of IPv4 network packets. This functionality is required for systems that act as a gateway or router. IP forwarding is normally not required for most desktops and servers.

How to see the the network IP address of your system

Show the IP address of your system with the help of the ip command.


Show your local IP address

How to see the IP address of your internet connection

Show the IP address of your internet connection using the dig command.


Query the IP address of your internet connection

How to see which DNS server is used

Find the active DNS server being used by reviewing the network configuration, including common commands to query this information.


Show the active DNS server

How to find writable files

Learn how to the use the find command to find any files that are writable.


Find the files that are writable


The command apt-file can help with discovering which files belong to a package or what package installed or provides them.


Apt cheat sheet

The package manager apt gots much more options than one could think. In this cheat sheet they get uncovered.


Managing packages

How to see the size of a directory

Learn how to see the size of a directory or folder on Linux systems using the du command.


Show disk usage by files and directories

How to see hidden files

Learn how to see any hidden files on the command line or in the terminal using the ls command.


Show hidden files

How to see files great than a specific size

Learn how to see files smaller or bigger than a specific defined size on Linux, using the du command.


Show files bigger or smaller than a specified size

How to find when the last modification happened in a directory

Learn how to find the last modification time of a file or subdirectory in a specified directory on Linux.


Show when the last modification was made within a directory

How to see inode usage

Learn how to see inode usage on a Linux file system or mount point.


Show used and free disk space

How to see used and free disk space

Learn how to see used and disk space of file systems or mount point on Linux systems.


Show used and free disk space

Monitoring USB communications using usbmon interface

Learn how to monitor USB devices by using the usbmon kernel module together with Wireshark or Tshark.


With the help of usbmon we have a cost-effective solution to monitor USB communications between the kernel and a hardware device. It is an alternative to hardware USB protocol analyzers for those on a budget or having to do it once. Loading of usbmon kernel module The first step is to load the related kernel module. This can be done using the modprobe command. $ sudo modprobe usbmon Validate if the usbmon kernel module is loaded using the lsmod command.


The configuration file /etc/ssh/sshd_config contains settings related to the OpenSSH server daemon. Learn more about this file its configuration.


The file /etc/ssh/sshd_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the primary set of settings, with the option of being overridden by configuration files from /etc/ssh/sshd_config.d/*.conf. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH server configuration.


Everything related to networking, from the network configuration up to DNS resolving. Test and configure your system with these articles.


Most Linux systems are connected to a network as a client system, or to provide services to other systems. Knowing how to configure, monitor, and audit the network configuration is more than useful. In this section we look at the available options. Network configuration The system itself can’t talk with other systems if it doesn’t have any protocol to communicate. Nowadays that is mostly IP . The local configuration for the network is usually stored in /etc/network or in a network manager in /etc.

How to see the number of open connections on Linux

Show the number of open connections using the ss command on Linux.


Show number of open connections per protocol

How to see when a process was started

Show process details to learn more about when a process was started using the ps tool.


Show start time of a process

How to see when the system was started (uptime)

When did a system start? Learn how to query the boot time (uptime) of a system using commands like uptime and ps.


Show uptime of the system


The command smem can help showing memory usage, including the usage of swap.



The command iftop shows ongoing bandwidth usage on one or more network interfaces and is a great tool for troubleshooting network issues.


How to see active connections and bandwidth usage on Linux

Show actual bandwidth usage and active connections using the iftop tool on Linux.


Show actual bandwidth usage


The command pidstat provides details about CPU, memory, and disk activity by processes.


Troubleshooting CPU usage

Articles and information about troubleshooting system performance issues with focus on CPU usage.


Got a busy system that comes to a halt due it being too busy? In this article we look at troubleshooting issues related to CPU usage. Monitoring CPU usage The tool top might be the most familiar tool to monitor CPU or memory usage. A good alternative is the pidstat tool. It can be using an interval and easily show active processes, followed by a summary. # pidstat 3 Linux 6.

Check if a directory or file exists

How to check if a directory or file exists within shell script?


Within a shell script we can test for the presence of directories and files. In this article we look at the basics and the more exotic options available. Testing the presence and type of a file can be done using the test command. For shell scripts, it is more common to use the [ command. Yes, it is an actual command. However, it may also be available as a so-called builtin and part of the shell.


Articles and information about troubleshooting network performance issues and monitoring network statistics


Network connectivity starts at a device that links the system to a network, and for Linux systems that is no different. Depending on the physical layer, such as Ethernet of Wi-Fi, the transactions between be better or worse. Besides physical limitations, there is congestion and packet loss that may introduce issues. In this section we look at troubleshooting network performance issues, tooling, and examples. Interfaces The first step is to learn what links we have towards the network.


The lscpu command reports information about the CPU, such as architecture, vendor identification, virtualization features, cache, and even CPU vulnerabilities.


The lscpu command retrieves information about the the CPU architecture. The sources to retrieve this information include /proc/cpuinfo, pseudo file system sysfs, and available libraries. Examples of information includes: Cores CPUs BogoMIPS Byte order Cache sharing Caches Family Model Stepping NUMA nodes Threads Sockets Virtualization details Vulnerabilities The tool is both suitable for using in the terminal and manual interpretation, but also for automated processing. When its output is piped to other another application, it is aware that any screen markup should be left out.


Articles and information about how memory, such as RAM, is being used on Linux systems. Great for system administration and troubleshooting purposes.



The command nstat provides network interface statistics and can be used for monitoring and troubleshooting.


Users of the command-line are typically aware of the netstat command. The package that netstat belongs to is getting deprecated and slowly replaced with tools like ip. This is also where nstat comes in, a more modern approach to pulling in data from the kernel. Another benefit is that it can retrieve more information than netstat. This is due to the static list of metrics that netstat looks for, while nstat will parse output files from /proc.

System performance

Articles and tools to troubleshoot Linux system performance issues.


Swap memory information

Articles and tools to troubleshoot Linux system performance issues with focus on swap memory and its usage.


Physical RAM is used to store information. Linux divides this RAM into smaller chunks, named memory pages. When there is no more normal memory available, the Linux kernel might need to temporarily store information aside. This is called paging or swap space. During the process of paging, memory pages will be moved from the RAM to the disk. This way memory is freed up for active processes, while older information is temporarily stored on the disk.

Sysctl: kernel.perf_event_paranoid

Understand and configure the sysctl kernel.perf_event_paranoid key, including the possible values and their meaning.


This sysctl key controls the use of the performance events system. It restricts what actions an unprivileged user can do when using the perf tools. This setting is useful to limit the access to possibly sensitive information that can be gathered from the kernel and processes. Debian-based systems may have higher numbers available than the current upper limit of 2, which is also the default value.

Methods to find the Linux distribution and version

Learn how to find the Linux distribution and version of a system. Use the right tool or file to find the relevant details.


Find the Linux distribution name and version

System administration

Everything related to managing Linux systems, from discovering what Linux distribution is running, up to full configuration and automation.



All Linux commands that are relevant for system administration


Dmidecode cheat sheet

Want to see all hardware details of a system? Then dmidecode is your friend, helping to decode all information from the SMBIOS specification.


All hardware exposed

How to see memory information such as type and speed

Show memory information and details such as the number of banks in use, the memory type and speed.


Show memory details

How to securely delete a file and its contents

Need to delete the contents of a sensitive file? Instead of just deleting it with rm, look at this option first.


Learn how to purge data before deleting a file

How to see the creation date of a file

Learn how to use the stat command to find the initial creation time of a file, also known as its birth time.


Find out when a file was initially created

What is a tainted kernel

Learn what it means when the Linux kernel is marked as tainted, including finding the cause.


Learn what it means when the kernel is tainted

How to find the specific cause of a tainted kernel

Learn what it means when the Linux kernel is marked as tainted and in particular the underlying cause.


Learn about the specific cause that tainted the kernel

Kernel: Frequently Asked Questions

Frequently asked questions about the Linux kernel and kernel security.



Learn about the sysctl command and how it can help with kernel tunables to alter the system configuration and perform additional security hardening.


Introduction The sysctl tool allows configuring kernel parameters or tunables. By changing related sysctl keys and their individual values, the system behavior can be changed. Several keys are related to security and can help with kernel hardening, or system hardening in general. Files and locations The configuration of sysctl is typically spread over multiple files and paths. Systems with systemd will have additional paths. Files are read in order and the first match of a kernel setting is used.


Learn about the sysctl command and the values related to the kernel class.


This class defines global kernel parameters.


Understand and configure the sysctl kernel.tainted key, including the possible values and their meaning.


This is a setting that you would normally not change. It is a state that shows if the kernel was tainted. If the value is higher than zero, than it is tainted. Relevant FAQ: What is a tainted kernel?


Everything related to Linux kernel itself, from configuration to querying information.


The Linux kernel consists of a massive code base including device internals up to external interfaces. Not surprisingly that the kernel also needs attention to security principles to avoidcommon programming or configuration flaws. In this section the kernel is covered, from tuning it via sysctl, up to frameworks that may help improving the security of the kernel itself.

Ip cheat sheet

Want to see or configure every piece of information about networking, including routing on Linux? Forget tools like netstat and learn using the ip command.


No more networking secrets

How to see errors and dropped packets on a network interface on Linux

Show the network link details using the ip command to find out if a network has errors or dropped packets on a Linux system.


Show network link statistics to discover errors or dropped packets

Lsof cheat sheet

Get information about open files on Linux using the lsof command. This cheat sheet covers many common uses for using lsof and how to use it.


Show open file information

Ss cheat sheet

If you want to learn more about network connections on Linux, then ss is the tool to get the job done. Learn how to use it with this cheat sheet.


Reveal all those sockets

Networking: Frequently Asked Questions

Frequently asked questions about networking, such as DNS, IP configuration, TCP/UDP details, and more.


How to show all installed packages on Ubuntu

Query the package manager to show installed packages on Ubuntu systems including version details.


Query tools like dpkg to show installed packages

Package manager: Frequently Asked Questions

Frequently asked questions about software, such as package manager, package versions, and how to configure them.


List installed packages on a Linux system

Learn how to show all installed packages on Linux systems including AlmaLinux, Debian, OpenSUSE, and Ubuntu.


Show installed package on the most common Linux distributions

How to see BIOS details

Show bios details from within a Linux system. Learn how to query these details and where to find more information.


Show BIOS information using dmidecode

Hardware: Frequently Asked Questions

Frequently asked questions about hardware information such as bios, USB devices, memory, and other details.


Settings for systemd units

Units in systemd have their own set of configuration settings. This overview shows the availability and their purpose.


Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or can not do. As their is a wide range of settings, this page has the goal to present them, including a quick reference to each of them.

Systemd settings

Units in systemd have their own set of configuration settings. This overview shows the availability and their purpose.


How to find the biggest directories on disk

Find the biggest directories and files on disk by using the du command.


Leverage the du command to find the biggest directories

How to see all masked units with systemctl

Want to find all masked unit files? In this article we show how to do this with systemctl and query those units.


Show all masked units

How to see the last X lines with journalctl

Limit the output from journalctl by defining the number of lines you want to see.


Perform smarter queries when requesting information from journalctl

How to disable a systemd unit with systemctl

Want to disable a service or specific systemd unit? Use systemctl to configure units and disable it on boot or completely.


Disable a service or specific unit with systemctl

How to start and enable a unit with systemctl

Combine the start and enable command when using systemctl to get a unit like a service started at boot and right away.


Start and enable a unit with one command

How to show failed units with systemctl

Want to check the system for failed systemd units? In this article we show how to do this with systemctl and query the units with a failure state.


Show failed systemd units with systemctl

Systemd: Frequently Asked Questions

Frequently asked questions about systemd, systemctl, and journalctl. Learn by pratical examples how to use these tools.


File systems: Frequently Asked Questions

Frequently asked questions about file systems, file permissions, directories and files.


Systemctl cheat sheet

Learn how to get every piece of information from systemd units, such as services and timers, including its configuration and status.


Control those processes and timers

Adding the Expires header to improve caching static content in nginx

Want to improve caching on your nginx web server? Learn how to set the Expires header and enhance your nginx configuration.


Learn how to define the Expires header in nginx to improve the caching of static assets.

Strip one or more characters from a variable or output

Want to delete one or more characters from a variable or piped output? There are multiple ways to achieve this using standard system utilities.

AWK cheat sheet

When it comes to a powerful tools on Linux, AWK is definitely one to know. This cheat sheet explains the basics and shows many useful one-liners


Parse files quicker with smarter expressions

Introduction in Linux file permissions

Learn the basics of how a Linux system applies file permissions. We look at examples to demystify the permissions mean and learn to troubleshoot common issues.


Every file that is stored has a set of file permissions stored within the filesystem. This data about the actual data, it called meta-data. Let have a look at how file permissions work on Linux systems and how to read and understand them. Read, Write, and Execute Linux file permissions are divided into three main categories: Read (r): Allows users to view the contents of a file or directory Write (w): Grants users the ability to modify the contents of a file or directory Execute (x): Enables users to execute a file or access the contents of a directory User, Group, and Others These permissions are each assigned to three entities:

Linux file systems

All articles about the purpose of a file system and how it works. Learn how to become a specialist to further secure your system.


Linux systems use a file system to store and process data. In this section we have a look at what a file system and supporting articles to learn more about it. Purpose of a file system At its core, a file system is the method by which data is organized and stored on a storage device. The storage device is typically a hard drive or solid-state drive (SSD), but it can also be memory.

Making scripts (more) secure and safe

When you create a shell script, many things can go wrong. With a few basics you can catch errors easier and at the same time make your scripts (more) failsafe.


When you create a shell script, many things can go wrong. With a few basics you can catch errors easier and at the same time make your scripts (more) failsafe. The beauty of shell scripting is that with just a few steps this can be achieved! Empty variables: nounset (-u) A very typical issue in shell scripts is an incorrect or empty variable. Usually this happens due to a typo, but sometimes also assignments can be wrong.

Prompt for user input in a shell script

How to prompt users in your shell script, like asking answer Yes or No? In this article we look at options to achieve this.


Shell scripts can be powerful for automation. Sometimes, we want to ask the user for input. Let’s have a look at a few options that can be very handy for your next shell script! Fill a variable with input provided by the user If we like the user to provide us with some details, like a name, email address, or hostname, we can use the read command. read -p "What is your name?

Linux tools to bulk rename files

Want to rename files in bulk, but looking for a good tool that can be used on Linux? This article has your covered, with several options.


Rnr The first tool to cover is called rnr and is written in Rust. It can be downloaded on GitHub where also some good examples can be found on how to use the tool. Let’s try it out on a directory that we have with Markdown files. Due to a conversion, the file names include a date. As this is no longer needed, we want to strip out the date and only get the bit after the third hyphen.

The 101 of ELF files on Linux: Understanding and Analysis

An step-by-step introduction into ELF files. Learn the structure and format, to understand how binaries and libraries on Linux systems work.


Some of the true craftsmanship in the world we take for granted. One of these things is the common tools on Linux, like ps and ls. Even though the commands might be perceived as simple, there is more to it when looking under the hood. This is where ELF or the Executable and Linkable Format comes in. A file format that used a lot, yet truly understood by only a few.

Livepatch: Linux kernel updates without rebooting

Livepatch is a feature to do live kernel patching for Linux systems. It allows applying security updates without rebooting the system. Learn how it works!


If you run a Linux server, software patching is a task that will have to be performed on a regular basis. Although most programs can be auto-restarted with a tool like needrestart, there is one exception: the kernel. Wouldn’t it be a nice if we could update the kernel without the mandatory reboot? Here is livepatch, the feature of the Linux kernel that makes it possible. Let’s discover how it works and if you can use it on your system.

How to secure a Linux system

Looking to secure your Linux system? This security guide shows you how to perform system hardening and run technical audits to keep it in optimal condition.


Every Linux system will benefit from more security, especially if it contains sensitive data. With so many resources available on the internet, one might think that securing Linux has become easy. We know it is not. Linux system hardening takes a good amount of understanding about how the Linux kernel works. It also requires a good understanding of the operating system principles. In this guide, we will help you to get this understanding and provide you with tips and tools.

The state of Linux security in 2017

The year 2017 is closing, so it is time to review Linux security. Like last year, we look at the state of Linux security. A collection of the finest moments.


Linux security (2017 edition) The year is closing, so it is time to review Linux security. Like last year, we look at the state of Linux security. A collection of the finest moments. Did we forget something important? Let us know in the comments. This post will remain updated in the upcoming weeks. As this post may appear on HN, Reddit, Slashdot, and other high-traffic sites, this post is heavily cached.

Linux security myths

So what is true about Linux security and what isn't? In this article we look at common security myths when it comes to Linux.


Myth busting: Linux security As the author of Lynis, I have to run several Linux systems for testing Linux security defenses. And if you do something long enough, some get to see you as a Linux security expert. When that happens, you get asked questions. Surprisingly they are often related to some of the myths. Time to share a few I got asked. If you received this link from me directly, then most likely you asked one :)

GDPR Compliance: Technical Requirements for Linux Systems

An insight in the technical aspects and requirements for Linux systems when it comes to compliance with the GDPR, the General Data Protection Regulation.


What is GDPR? GDPR or General Data Protection Regulation is a regulation to protect personal data from citizens of the European Union (EU). When speaking about stored data, it includes the handling of data at any given time, from the initial creation of the data, until the final deletion of it. One of the important parts is the right to ‘know’. That means that individuals can ask what data is stored about them.

Configure the minimum password length on Linux systems

One of the options to improve password security is by setting a minimum password length. This article explains how to configure and test this security step.


Linux and password strength One of the options to improve password security is by setting a minimum length. This prevents users from choosing easy passwords. As part of Linux system hardening, you don’t want your passwords to be cracked too quickly by modern password crackers. Configuration Let’s have a look at how to configure password security and in particular the length and its strength. Login settings The first area where you can set a password length is in /etc/login.

Beginners guide to traffic filtering with nftables

The replacement of iptables is known as nftables. In this article, we learn to install nftables and configure it, to secure your Linux systems.


Learn how to use nftables in this introduction guide to the tool. With common examples, frequently asked questions, and generic tips.

The purpose of the /etc/networks file

Also wondering what some files are used for on Linux systems? In this article we have a look at the /etc/networks file.


Also wondering what particular files do on Linux? One of those files we recently rediscovered during auditing is the /etc/networks file. For some reason it was always there, yet we never change it. Output of /etc/networks When looking at the man page of networks(5) we learn its purpose (almost instantly): It translates between IP ranges and network names It is used for tools like netstat and route It only works on class A, B, or C networks It does not work on subnets Surprisingly enough a test with subnetting actually showed the right names during our test.

Interview: MalwareMustDie and their Linux malware research

Linux malware, research, and more in this interview with unixfreaxjp, te is the leader and founder of the malware research group MalwareMustDie.


Linux malware, research, and more With great pleasure, we interviewed unixfreaxjp. He is the leader and founder of the malware research group MalwareMustDie. We want to learn about their activities, Linux malware, and useful skills for security professionals. Keep reading! Interview MalwareMustDie About the MalwareMustDie organization So for those never heard about MalwareMustDie, can you tell us who you are? As stated on our web site. MalwareMustDie, is a white-hat anti cybercrime security research workgroup.

How to see the version of Oracle Linux

Oracle Linux is based on Red Hat Enterprise Linux. At first, it may be confusing to determine what specific Oracle version of the operating system is used.


Determine Oracle Linux version Oracle Linux is based on Red Hat Enterprise Linux. At first, it may be confusing to determine what specific operating system is running. This is because both have the /etc/redhat-release file. If that file exists, use the cat command to display the contents. Next step is to determine if there is a /etc/oracle-release file as well. If so, then you can be sure that Oracle Linux is running.

Discover to which package a file belongs to

With the right Linux software tools, it is easy to find to which package a file belongs. Or the opposite, what files are part of an installed package.


Discover quickly which file(s) and package are matched together.

How to use grep (with examples)

Grep is a powerful utility on Linux. Want to get more out of the tool? This article will show you how to use it including many practical examples.


The grep command is one of the oldest tools for Linux and other platforms. Actually, it is older than Linux itself. It was written by Ken Thompson more than 45 years ago! The name grep stands for “globally regular expression print”. This name comes from its predecessor ed and the specific mode in which you would globally search, using a regular expression, and print the output. The related command was “g/re/p”.

How to solve an expired key (KEYEXPIRED) with apt

Software updates and package management is easy, until you get a KEYEXPIRED message. In this article we should how it happens and the way to solve it.


Software updates and package management is easy with systems based on Debian or Ubuntu. Just apt-get update (or apt update) and run an upgrade. But sometimes you may encounter the following situation: a KEYEXPIRED message. KEYEXPIRED message # apt-get update && apt-get upgrade Get:1 xenial-security InRelease [94.5 kB] Hit:2 xenial InRelease Get:3 xenial-updates InRelease [95.7 kB] Hit:4 xenial-backports InRelease Hit:5 stable InRelease Get:6 xenial-updates/main amd64 Packages [373 kB] Ign:7 http://nginx.

Difference between CentOS, Fedora, and RHEL

Difference between CentOS, Fedora, and RHEL.


The biggest open source company is nowadays Red Hat. It is known for its contributions to many open source projects, including the Linux kernel itself. Less known is that Red Hat is involved in different Linux distributions, directly or indirectly. Fedora Fedora has received many updates and individual releases over the years. It is a playground for new functionality. Often new technology is found here. It can be compared with other distributions like Arch Linux, except that it is slightly less aggressive in deploying the latest software components for everything.

Linux and rise of Ransomware

The availability of ransomware on Linux is growing. This is the story behind how things started and what we can expect to be next in the near future.


Ransomware on the Linux Platform Times are changing when it comes to Linux malware. Since a long time we had backdoors, PHP shells, and even rootkits. But it won’t take long that ransomware will catch up on the Linux platform. We hope you are reading this to counter the threat, not because it is already too late. Ransomware invasion Ransomware is a little devil. It encrypts your valuable data and protects it with a generated key.

Linux hardening with sysctl settings

The Linux kernel can be secured as well. Learn how system hardening principles can be applied using sysctl settings.


The GNU/Linux kernel powers a lot of systems, from big mainframes to the Android device in your pocket. If you want to achieve more security on your Linux systems, it would make sense to start hardening there, right? While securing the kernel looks easy at first sight, there is more to it than initially meets the eye. We will have a look at some kernel options and how to select the best sysctl values for Linux systems.

How Linux Security Fails to be Simple

Linux Security Should be Simple, Right? Why that is not a reality, and we might never achieve it is discussed in this article.


Why that is not a reality, and we might never achieve it. Linux gained great popularity over the last 10 years, powering our servers and smartphones. With all the efforts put in creating more secure software, it seems installing security updates will remain a weekly task. Will this ever change? Security is Hard Properly securing a system means different things for different people. So let’s take the assumption that every system has a particular goal, secondly that it should be properly secured.

Understanding Linux Privilege Escalation and Defending Against It

The best way to defend a system is by understanding how attackers work. Learn about privilege escalation on Linux and discover the measures and tools.


What is Linux privilege escalation? Privilege escalation is the process of elevating your permission level, by switching from one user to another one and gain more privileges. For example, a normal user on Linux can become root or get the same permissions as root. This can be authorized usage, with the use of the su or sudo command. It can also be unauthorized, for example when an attacker leverages a software bug.

Automatic Security Updates with DNF

The dnf package manager and dnf-automatic tool can be used for automated security patching on Linux systems. It requires only a few steps to set it up.


The Dandified YUM tool, DNF, has become a powerful package manager for systems running Fedora. As it looks now, it will become also the default package manager for CentOS 8 and RHEL 8. One of the benefits from dnf is the option to retrieve security information very easily. This allows us to use it for automatic security patching of our Linux systems. Let’s explore the options and see how dnf-automatic can help us with fully automated patching.

Dealing with Linux Malware, Insights by the Author of rkhunter

Malicious software plague computers for more than 40 years and most likely this threat will never stop. What should you know about it to protect yourself?


Malicious software plague computers for more than 40 years. It is hard to think this threat will ever stop. The Linux platform definitely has their share of malware, although many people never experienced it firsthand. Let’s dive into this subject and discover why your system might actually being compromised at this very moment. The types of malware To understand the risks, you have to understand the threats and weaknesses. When we talk about malware, there are different family types, each with their own threat and method of attack.

Differences between iptables and nftables explained

An overview of the differences between firewall technologies iptables and nftables. We highlight the major differences like simplicity and management.


The seasoned Linux administrator will be familiar with iptables, the network traffic filter. If you ever configured a Linux system with an ethernet bridge configuration, you might even have worked with ebtables. Or possibly you wanted to filter ARP traffic and used arptables? Newcomer nftables has arrived, with the purpose to replace iptables, ip6tables, ebtables and arptables. As with every big upcoming change, it is good to know the differences. We explain what makes nftables different to iptables, and why you want to adopt it in the near future.

Block IP addresses in Linux with iptables

Use iptables and ipset to create a blacklist and block one or more IP addresses on Linux. This guide will explain how to use and configure blacklists.


Most system administrators will already be familiar with iptables. It is around for quite a while and is enabled by default within the Linux kernel. We can use iptables to block one, multiple IP addresses, or even full networks. This may come in handy when you get repeating port scans or see failed login attempts in your log files. Time to get started and block some IP addresses! Check existing iptables configuration The first step is to validate existing iptables rules.

Linux vulnerabilities: from detection to treatment

How to deal with Linux vulnerabilities? This article shares the insights, methods, and tools to help with detection and prevention on Linux systems.


If you worked with a computer the last decade, you know the importance of keeping your software up-to-date. Those who don’t, are stacking up vulnerabilities, waiting for them to being exploited by others. Although Linux and most software are open source and can be reviewed, security flaws in software packages remain. While it isn’t easy to close every vulnerability on your system, we can at least create a stable process around it.

List network interfaces on Linux

Show the available network interfaces and information on Linux with the right tools. We cover common replacements for iptables and netstat, with examples.


The network configuration is a common place to start during system configuration, security audits, and troubleshooting. It can reveal useful information like MAC and IP addresses. This guide helps you to gather this information on Linux, including listing all available network interfaces and its details. Show network interfaces Linux Every Linux distribution is using its own way of configuring the network configuration details. Therefore, it is good to know which tools can be used to query these details in a generic way.

In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

This is the technical Linux guide to achieve compliance with the PCI DSS standard. Become compliant, with Linux tips for configuration and auditing.


The standard itself is very detailed. Still, it sometimes unclear on what specifically to implement and when. This guide will help with translating the PCI standard to technical security controls on Linux systems. This document has the goal to help you further secure your network and pass the PCI DSS audit. It is important to note that this guide is a set of generic tips. Your IT environment might require additional security measures.

Strace cheat sheet

The strace utility is diverse and helpful in performance tuning, troubleshooting, and monitoring process activity. Get the most out of this powerful tool!


Troubleshoot and monitor all processes

Monitor file access by Linux processes

Linux is powerful with the help of small utilities like lsof and strace. They help with monitoring disk and file activity, of new and running processes.


Processes are the running workforce on a Linux system. Each process has a particular goal, like forking child processes, handling incoming user requests of monitoring other processes. As a system administrator or IT auditor, you might want to know at some point what disk activity occurs in a process. In this article, we have a look at a few options to quickly reveal what is occuring in a process, including disk and file activity.

Kernel hardening: Disable and blacklist Linux modules

The Linux kernel provides modular support to allow loading kernel modules during runtime. To prevent security issues, learn how to disable or blacklisting.


The Linux kernel is modular, which makes it more flexible than monolithic kernels. New functionality can be easily added to a run kernel, by loading the related module. While that is great, it can also be misused. You can think of loading malicious modules (e.g. rootkits), or unauthorized access to the server and copy data via a USB port. In our previous article about kernel modules, we looked at how to prevent loading any module.

Increase kernel integrity with disabled Linux kernel modules loading

The Linux kernel can be configured to disallow loading new kernel modules. Learn how to configure this.


Disable loading kernel module on Linux systems The Linux kernel can be configured to disallow loading new kernel modules. This feature is especially useful for high secure systems, or if you care about securing your system to the fullest. In this article, we will have a look at the configuration of this option. At the same time allowing legitimate kernel modules to be loaded. Disable kernel modules Newer kernel modules have a sysctl variable named kernel.

Security Integration: Configuration Management and Auditing

Configuration management and system auditing go hand in hand. Learn why and this combination is so powerful.


Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually.

Using SSH keys instead of passwords

Linux systems are usually managed remotely with SSH, often still using passwords. Time to switch over to SSH keys and here is how to do that.


Linux systems are usually managed remotely with SSH (secure shell). Still many administrators are using passwords, instead of keys. Keys not only boost security, it also makes managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will be wondering why you ever used password based authentication before. Generating the SSH key Depending on your desktop platform, we first have to create a key pair.

SSH server configuration

Linux systems are usually managed remotely with SSH. Learn how to configure the SSH server daemon and improve its security.


SSH daemon The OpenSSH daemon is named sshd and typically this is also the process visible in a process listing. The main listener usually has a full path visible, while active SSH sessions get their own child process. Configuration files /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf The configuration file sshd_config is the primary file for the settings. Any settings in a configuration file specified in /etc/ssh/sshd_config.d will overwrite those listed in the primary configuration file.

Password Security with Linux /etc/shadow file

Learn the structure of the /etc/shadow file and what the fields mean. After reading, the file should be less cryptic than it was before.


Linux systems use a password file to store accounts, commonly available as /etc/passwd. For additional safety measures, a shadow copy of this file is used which includes the passwords of your users. Or actually hashed password, for maximum security. An example of a password entry in /etc/shadow may look like this: user1:$6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tKXiOGNCfWBsrTGY7wtC6Cep6co9eVNkRFrpK6koXs1NU3AZQF8v/:16092:0:99999:7::: For proper display, let’s split this up in several fields: user1 $6$6Y/fI1nx$zQJj6AH9asTNfhxV7NoVgxByJyE.rVKK6tK 16092 0 99999 7 empty empty Field explanations Time to have a look what all these strings mean:

PCI DSS Linux: Creation and deletion of system-level objects

The PCI DSS standard defines Creation and deletion of system-level objects. For Linux systems this might be handled with the Linux audit framework.


Some areas are within the PCI DSS standard are definitely not directly clear when reading the description. Section 10.2.7 is one of them. It talks about the creation and deletion of system-level objects and specifically the ability to log them. System-level objects? The guidance in 10.2.7 speaks about malware and mentions database related items. That does not make auditing very obvious, as malware usually targets binaries. Therefore we have to look first what a system-level object is.

An Introduction Into Linux Security Modules

Security frameworks like SELinux, AppArmor, and SMACK, provide protection to Linux. Learn about these Linux security modules (LSM).


Background of Linux security modules Like normal kernel modules, security modules extend the basic functionality of the Linux kernel. The need for a modular structure was proposed when SELinux was being introduced. There was a little discussion to use modules or not, as SELinux was the only one being available. Some people proposed apply it as a kernel patch, but in the end Linux creator Torvalds, decided to make this type of functionality modular.

Docker Security: Best Practices for your Vessel and Containers

In-depth article about Docker security features, best practices and its history. With container technology evolving, Docker security can be challenging..


Everything you need to know about Docker security. Introduction into Docker Docker became very popular in a matter of just a few years. Operating systems like CoreOS use Docker to power the system by running applications on top of their own lightweight platform. Docker in its turn, provides utilities around technologies like Linux container technology (e.g. LXC, systemd-nspawn, libvirt). Previously Docker could be described as the “automated LXC”, now it’s actually even more powerful.

PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI DSS compliance control 10.2.4 mandates to monitor invalid logical access attempts. For Linux we can use the Linux audit framework to monitor for this event.


PCI describes in control 10.2.4 to monitor for “invalid logical access attempts”. Another way of saying to monitor attempts which are not allowed, like accessing a file you are not supposed to. Another indication might be brute force attempts to log in, which result in several failed logins. To monitor for invalid access attempts, we can use the Linux audit framework. This framework has been created and maintained by Red Hat over the years.

PCI DSS Linux: Logging of administrative actions with root privileges

PCI DSS requires logging of administrative actions, including commands executed by the root user or using sudo. Learn how to set up accounting and auditing.


Companies who need to comply with the PCI DSS standard need to log all actions which are executed by the root user or those accounts with similar administrative privileges. 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged. The Linux kernel allows the monitoring of executed commands. This monitoring and logging can be done with the Linux audit framework. Using this framework, we can monitor the right system calls and create an audit trail.

How to check if your Arch Linux system needs a reboot

Want to check if a reboot of the system is needed on Arch Linux? Here is how that can be done including the relevant commands.


By default Arch will install the kernel in /boot with the name vmlinuz-linux. To determine if the system is running the latest kernel, we can compare the running kernel and the one on disk. Running kernel One way to determine the running kernel is with the uname command. By default installed and with the -r parameter it will provide the kernel release version. # uname -r 3.17.4-1-ARCH Kernel on disk Checking the latest kernel on disk is almost as easy.

Exporting nftables rules and configuration

Nftables has an easy way to export firewall rules via the nft command line utility. Let's discover the options.


The usage of nftables will slowly grow in the upcoming years, with the goal to become the successor of iptables. Where iptables rules are harder to parse, nftables comes by default with an exporting facility. Exports formats include JSON and XML. Command syntax When using the command line utility nft for the first time, it looks a little bit unfriendly to the user. No suggestions on what to do, nor clear help on often used commands.

Linux capabilities 101

Introduction guide and tutorial about the inner workings of Linux capabilities and how these capabilities are applied when running Linux processes.


Security of Linux systems and applications can be greatly improved by using hardening measures. One of these measures is called Linux capabilities. Capabilities are supported by the kernel for some while now. Using capabilities we can strengthen applications and containers. Unfortunately, this powerful tool is still underutilized. Time to change that! This article helps to understand and apply them. What are Linux capabilities? Normally the root user (or any ID with UID of 0) gets a special treatment when running processes.

Protect against ptrace of processes: kernel.yama.ptrace_scope

Using the Linux Security Module (LSM) Yama we can protect the system against the usage of ptrace. The sysctl key kernel.yama.ptrace_scope sets the behavior.


Hardening the kernel with kernel.yama.ptrace_scope Ptrace is a great troubleshooting tool for developers to determine how a process functions. It can be used to find programming flaws, like memory leakage. On the other hand, the tool also be used by people with malicious intent. For example to debug a process as a non-privileged user and find the contents of application memory. Yama Linux has the ability to include Linux Security Modules, to provide additional features with the means of a module.

Linux Capabilities: Hardening Linux binaries by removing setuid

Setuid binaries may be a risk for the system. We will investigate how to remove the setuid bit and use Linux capabilities instead, to reduce the risks.


Hardening Linux binaries by removing setuid Normally Unix based systems use two kind of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets. Root permissions The command ping is a great example why even small programs needs root permissions. In a first glance you might consider this tool to be simple: send a package to a host and see if it responds.

PCI DSS Linux: No write access to shared system binaries

PCI compliance demands that no write access is allowed to shared system binaries. Let's use several tools to determine if write access is allowed.


A.1.2.c Verify that an entity’s users do not have write access to shared system binaries Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible. Paths for system binaries Depending on the distribution used there are several directories which have shared system binaries.

Alternatives to Bastille Linux: system hardening with Lynis

Bastille Linux is a great tool for hardening of Linux systems. With the project looking outdated (or even dead), there are new alternatives to Bastille.


Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats.

Linux Security Scanning for Dummies

Security scanning can be boring and time consuming. In this article we have a look at how simple it can be, when it comes to security scans.


Every system needs some level of protection. Still, many people simply forget to do it, or can not find the time to properly do it. To be as efficient and effective as possible, let’s take at a structured way for security scanning your Linux machines. The 5 dummy steps are: 1. Focus on risk Like not every company is a bank, our systems are not all part of a top secret mission.

5 things you didn’t know about shell scripting

Shell scripting doesn't have to be boring. Let's look at a few common things that many don't know about about shell scripts.


Our security auditing tool Lynis is a toolkit consisting of several shell scripts. Many users of the software actually never realized it was written as a bunch of shells scripts. Now that the secret is out, it is time to learn why we used shell scripting. Here are 5 reasons! 1. Shell scripting is powerful Yes, people asked us why our tool Lynis was not written in Perl, Python, Ruby, C++ etc.

Check for a required reboot on Debian and Ubuntu systems

Debian based systems, like Ubuntu, need sometimes a reboot as well. We have a look on determining if a required reboot is needed and due to what packages.


Administrators of Debian-based systems know they have to reboot their systems, just like any other Linux distribution. However, why is the reboot needed? Could we monitor for which systems need an actual reboot? Required restart required? This Ubuntu system needs a restart Required reboot Software can contain issues, which we call bugs. Most bugs are just annoying if you encounter them and can be fixed by upgrading to a newer version of the software.

Security Program: Implementing Linux Security

We have a look at implementing Linux security in IT environments and the related success criteria. Let's plan for success and get those measures implemented!


Information security is possibly one of the hardest subjects in IT. Doing too less and you risk of security breaches. Doing too much will restrict the core businesses of your organization. With a proper security program, implementing Linux security can be greatly simplified. By having a structured approach, the strength of the defenses will increase, while risks decrease. In this article, we have a look at how to properly prepare security projects and changes.

Do NOT use Linux hardening checklists for your servers

The solution to avoid using Linux hardening checklists for your servers is simple. With proper automation and regular checks, checklists could be avoided.


Quality is an interesting word. It describes, well, the quality of something. Quality is just another word for how well can you repeat something. The goal is to get each time exactly the same result. Whenever it’s a physical product, or rolling out a new Linux system, you want great quality. One method to increase quality is using checklists. However we strongly advice against using Linux hardening checklists.. But checklists are good, right?

Linux Security for DevOps

With security getting more and more attention, we focus on Linux security for DevOps. Also DevOps will need hardening, auditing and dealing with compliance.


During the last years the role of DevOps evolved. This person could be described as the hybrid: a system administrator with development skills, or the developer which is also infrastructure savvy. With Linux and so many available tooling, it is becoming easier for people to learn both development and managing infrastructures. We are especially interested in Linux security for DevOps and what they can apply. Automation is key Repeating work is not only boring, but also a waste of time.

Detecting Linux rootkits

In this article about intrusion detection we have a look at Linux rootkits, what they do and how to detect them.


Malware, or malicious software is also an issue on Linux systems. Let’s have a look into this threat and what actions you can take. What is a rootkit? A rootkit is a set of tools with the goal to hide its presence and to continue providing system access to an attacker. The word rootkit comes from the root user, which is the administrator account on Linux systems and Unix-clones. The kit refers to a toolkit, or a set of tools.

Audit security events on Unix systems

Protecting computer networks consists of implementing preventative measures, including system auditing. Let's have a look how this relates to Linux.


Protecting computer networks consists of implementing preventative measures, but especially properly implementing detection methods. These digital tripwires can be used for intrusion detection, or proper handling security events on Unix systems. Security events First we have to define a few events which are or can be security related. To get easily started, we focus on 3 tips to implement security events on Unix systems. 1. File changes Some files you don’t want to change that often, like your DNS resolvers (/etc/resolv.

Audit SuSE with zypper: vulnerable packages

Stay up-to-date with security patching is part of a decent security management process. This article looks into vulnerable packages on OpenSuSE.


Proper software management is an important part in keeping your system secured. Acting on time is important, especially when network services have discovered security vulnerabilities. Vulnerable packages Usually packages with known security vulnerabilities, get priority and updates are soon available. The risk in installing these packages is fairly low, as they don’t introduce new features. Instead, they fix the related security hole, which sometimes is nothing more than 1 single character!

Auditing Linux processes: The Deep Dive!

In-depth article about auditing Linux processes. Determination of running processes, memory and on-disk structure and the proper tools for analyzing them.


From the initial start of the Linux operating system, the first processes are already born. In this article we have a look on dealing with processes. In particular we look at how to do process auditing. Whenever you are an auditor, system administrator or just a Linux enthusiast, you can’t ignore processes and should know how to deal with them. Process listing For most people working on Linux systems, it might be obvious to display running processes with ps.

Linux server hardening and best practices

One of the myths is that Linux systems are secure by default. Learn what kind of measures you can implement and which security tools help with that.


Learn the basics of Linux server hardening and what kind of measures and tools you can implement.

Become a Linux Auditor: What to know?

Tips for people who would like to perform audits on Linux and become a Linux auditor in particular. Including hints regarding certifications and tools.


Now open source software and platforms are very common, the need for knowledge in this area is increasing. Becoming a technical auditor with specialized knowledge about Linux, might be a clever move. Technical When specializing in Linux, the auditing area is already more technically oriented, instead of the processes. A true Linux auditor knows more than the basics of Linux. In-depth knowledge is required, like what file systems are common, how permissions are arranged, popular applications are common (at the presentation layer, middleware, backend).

Auditing Linux: what to audit?

When auditing a Linux system, it might be hard to determine what to audit actually. This article will provide some guidance and tips.


In this article we answer the big question on Linux systems “what to audit?”. Where do you start and what is useful to audit? We apply our three C’s in this article to determine what we should look for when auditing a Linux system. Current state What is the current state of the system and how does it compare to previous time? Ideal situation: compare current state of the system with a predefined baseline or previous scan

Become a Linux auditor: tips to start with auditing the Linux platform

Guide to become a Linux auditor in just a matter of minutes. Focus on how to determine running processes, installed software or possible vulnerabilities.


This guide helps people new to the Linux platform to get a grasp on how the system works. Whenever you are an IT auditor, or simply want to know more about the basics, this guide helps you in determining where to start an audit. Processes Each operating system consists of smaller running processes. In case of Linux this is true as well and can be displayed with the ps tool. Without parameters it will already show some processes, but the list is not complete.

Linux server security: Three steps to secure each system

Article about Linux server security and guidance for securing your Linux systems. Focus on auditing, hardening and compliance, to improve security defenses.


Determining the level of Linux server security can only by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associate risk with each weakness. Depending on the role of the system, sensitivity of data and possible threats, we can then select what security safeguards are appropriate.

Linux kernel security and how to improve it

Every system is as strong as its weakest link, especially the system kernel. This article explains Linux kernel security, what we can do and how to do so.


Every system is as strong as its weakest link. In the case of an operating system like Linux, one weakness in the kernel could result in a security breach. This article covers the Linux kernel features and how they work. Kernel features Live kernel patching As the kernel is similar to other software, it receives updates to improve it. Now and then a security weakness is discovered in one of the subsystems of the Linux kernel.

Conducting a Linux Server Security Audit

Performing a Linux server security audit can be a time consuming process. In this article the most important parts are explained including automation.


Auditing a system can be a time-consuming job, which is no different when conducting a Linux server security audit. Within this article, we give some highlights regarding the audit and tips to automate them by using Lynis. The business goal Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down? Usually each system has a clear role or multiple roles, like being a web server.

Open source vulnerability scanner for Linux systems – Lynis

Within this article we discuss the possibilities of using an open source vulnerability scanner for Linux based systems.


There are several open source vulnerability scanners for Linux, like OpenVAS. While tools like these are powerful as well, we will have a look at Lynis, our auditing tool to detect vulnerabilities of Linux and Unix systems. Why is it different than others and how can it help you in securing your systems? Vulnerabilities Every piece of software will have sooner or later a vulnerability, a minor or major weakness which can be abused by evildoers.

Configuring and auditing Linux systems with Audit daemon

Guide for auditing Linux systems by using the audit daemon and related utilities. This powerful audit framework has many possibilities for auditing Linux.


The Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing. Auditing goals By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include: Audit file access and modification See who changed a particular file Detect unauthorized changes Monitoring of system calls and functions Detect anomalies like crashing processes Set tripwires for intrusion detection purposes Record commands used by individual users Components The framework itself has several components:

CAATTs for Linux: Lynis

Article about a tool within CAATTs for Linux: Lynis. Helping auditors with computer-assisted audit tools and techniques, with focus on Linux and Unix scans.


Within the field of the audit profession the usage of CAAT (Computer-assisted audit techniques) or CAATTs (computer-assisted audit tools and techniques) is growing. Lynis is filling this gap for Linux and Unix based systems. It’s a well-known and stable tool in this area and improves the audit process by automation. Only a few items could then be checked manually. This saves time, makes the audit more predictable and increases the quality of the overall audit.

Antivirus for Linux: is it really needed?

Is antivirus needed on Linux systems? The answer: it depends on your situation. Let's have a look why.


The question regarding the need for antivirus for Linux is after years still relevant. It is asked at forums and shows up regularly at Quora. As the original author of rkhunter, a malware scanner for Linux and Unix systems, I analyzed many malicious software components. You might be wondering that if there is malware, there is also a need for a scanner, right? It is actually not that easy to answer.

How to deal with a compromised Linux system

Is your Linux system compromised or does it run suspicious processes? Learn how to investigate the system and create an action plan.


Learn the steps to take when you suspect that your Linux system is compromised.

Auditing Linux: Software Packages and Managers

Article about how to audit and check installed software packages and their security by using the related package managers.


No system can do its job without any installed software packages. However after installation of the system, or running it for a while, it often becomes unclear why some software was ever installed. This article looks at methods on auditing installed software, check for security updates and the related follow-up. Package managers To enable system administrators to properly manage software and upgrading them, Linux uses a package manager. This suite often consists of a package database, the software packages itself and several support tools.

Securing Linux: Audit with Lynis (an introduction into auditing)

Introduction article into securing Linux based systems by performing a scan with Lynis. After this first audit it will be much easier to harden the system!


Securing a Linux system can take a lot of time. For this purpose we have written Lynis, a quick and small audit tool. It’s an open source tool and freely available. You just need root permissions and a common shell and you’re ready to do your first audit. The main audience for this tool is auditors, security professionals, penetrating testers and system administrators. First audit Most Linux distributions already have Lynis in their software repository.

Linux Audit: Auditing the Network Configuration

This article describes how to audit the network configuration of Unix and Linux based systems, with useful tips for auditors and system administrators.


Within this article we have a look on how to audit and check the network configuration of Linux and other systems. The main focus is on gathering information and discover how systems are configured. By taking these steps we will do a manual audit. For efficiency reasons we suggest to use an automated tool like Lynis. Where to start? Each Linux distribution has their own way and files to configure the network.