Software

How to show all installed packages with pacman

Query the pacman package manager on systems like Arch to show installed packages.

Summary

Querying pacman

How to show all installed packages on Ubuntu

Query the package manager to show installed packages on Ubuntu systems including version details.

Summary

Query tools like dpkg to show installed packages

Package manager: Frequently Asked Questions

Frequently asked questions about software, such as package manager, package versions, and how to configure them.

Summary

List installed packages on a Linux system

Learn how to show all installed packages on Linux systems including AlmaLinux, Debian, OpenSUSE, and Ubuntu.

Summary

Show installed packages on the most common Linux distributions

Package manager

Everything related to package managers like apt, dnf, yum, and zypper. Learn how to use the tools to install and configure packages.

Summary

Software

Everything related to software, including package managers, building software packages, and more.

Summary

Show vulnerable packages on Arch Linux with arch-audit

With the right tool, arch-audit in this case, we can find any vulnerable package that is installed on an Arch Linux system. Learn how it works.

Summary

Vulnerabilities happen and are usually fixed fairly quickly. This is also true for Arch Linux. This rolling distribution can be considered to be always up-to-date, as it uses the latest versions of software packages from upstream. When there is an update, it doesn’t take long before it becomes available and can be installed with the package manager pacman.

One problem that remained was the inability to quickly test if you have any vulnerable packages. After all, running pacman -Suy daily works, but that doesn’t say much about whether known issues were found. Until now, with the new arch-audit tool.

Find and Disable Insecure Services on Linux

Learn how to find and disable those services on Linux that are nowadays considered to be unsafe or known for weak security.

Summary

The world has changed a lot in the last era, especially when it comes to computing. This also applies to the services we run on our Linux systems. Some of these services (like rlogin) were previously the de facto tools for administration. Now they are considered to be bad and insecure.

What makes a service insecure?

Services can become insecure when they have characteristics like:

  • No (or weak) authentication
  • No (or weak) encryption
  • Insecure protocols
  • Running as root

Authentication insecurities

One example might be a program that only requires a password or PIN, without any other information like a username. This happens often in physical solutions, but sometimes also in software. The risk involved is twofold: it is easy to guess and provides no (or weak) accounting.

Missing Packages: Don’t Trust External Repositories!

Should you trust external repositories or not? In this article we look at why trusting external repositories might be a bad thing.

Summary

If you are in the business of system administration, you know the big dilemma when it comes to installing software: missing packages. Yes, a lot of packages are available in the repositories of your Linux distribution, but not the one you need. Or when it is, it is horribly outdated. So you reach out to external resources, like community-maintained repositories, right?

With Lynis, we face this same issue. While most of the distributions have Lynis in the repository, it is often outdated. We could do packaging ourselves, and most likely will in the future. But for now, that task is taking too much time with the regular updates we provide. Packaging, testing, and checking is a delicate process, often better done by people who know that specific Linux distribution from the inside out.

Updating all OpenBSD packages with pkg_add

To ensure your system is secure and stable, package management is an important task. To achieve that, use pkg_add to update your installed OpenBSD packages.

Summary

Using pkg_add

Keeping your systems stable and secure

Every system needs to stay up-to-date with its packages, including OpenBSD. Most OpenBSD users already use pkg_add for the installation of packages. This utility can also be used for package upgrades.

Option 1: Use /etc/installurl

Newer OpenBSD versions use the file /etc/installurl to select the mirror for pkg_add.

Option 2: PKG_PATH

The first thing to do is to define your PKG_PATH. This will usually be the address of an FTP or HTTP server, which has the latest packages available. To have this variable set every time you log in, use the file .profile in your home directory (e.g. /root/.profile). Add the full export line below:

Software Patch Management for Maximum Linux Security

Linux systems have a lot of software packages, resulting in regular upgrades and updates. Proper software patch management is key and we share how to do it.

Summary

Maximum Linux security with proper software patch management

Software upgrades are almost as old as the first lines of software code. Still, companies struggle to properly update software, including when it comes to security patching. In this article we have a look at the reason behind patching and some methods to keep your systems humming with fresh packages.

Why Update?

To most of us, it instantly makes sense to keep the software on our systems up-to-date. But still, sometimes we have to explain to others why we actually need a process to apply software updates and patches.

Vulnerabilities and Digital Signatures for OpenBSD Software Packages

When coming across an OpenBSD system, one cannot ignore auditing the OpenBSD software packages and its configuration. Learn more about what OpenBSD has to offer.

Summary

If you audit systems on a regular basis, you will eventually come across an OpenBSD system. OpenBSD is known for its heavy focus on security, resulting in an operating system with a low footprint and well-audited source code.

While most operating systems are pretty secure, they will quickly introduce new security holes when installing external software components. Although OpenBSD does careful checks for the packages they add, those might still contain a vulnerability, waiting to be discovered. So in this article we have a close look at dealing with packages and what to look for when auditing them.

How to solve Shellshock on Debian and Ubuntu

Debian and Ubuntu are also vulnerable to the Shellshock vulnerability in Bash. That's why it is important to run apt update and perform an upgrade of Bash.

Summary

Protect against Shellshock

Shellshock is a serious software weakness, or vulnerability, in Bash. This shell is used on almost all Unix-based systems, including Debian and Ubuntu. As it can be used without much effort to remotely exploit systems, it has a maximum vulnerability score according to CVSS.

Upgrade Bash

First update the software repository with apt-get, using the update parameter.

Are security hardening guides still useful?

With Linux being decently hardened by default, would it make sense to invest in reading hardening guides? The short answer: yes!

Summary

This was the big question we asked ourselves recently, when reading a few of them. With Linux and other Unix systems being decently hardened by default, would it still make sense to invest a lot of time to harden your system?

Hardening guides

Years ago, both Windows and Linux were easy targets. A lot of system software was installed by default, and these services were often targeted by malicious people and scripts. Then hardening guides came along, explaining how to secure these services and protect systems.

Difference between Lynis and Lynis Enterprise

Quick guide about the differences between Lynis and the Lynis Enterprise Suite and which version is most suitable for your Linux or Unix environment.

Summary

People wonder about the main differences between Lynis and the Lynis Enterprise version. In this article we have a look at what both products are and how you can choose between the two.

Lynis

Lynis is a security auditing tool for Linux and Unix-based systems. With its GPLv3 license it’s open source and freely available. The tool was first released in 2007 and has undergone a lot of development over the years. Lynis is a popular tool (1000+ downloads in just a few weeks after each release) and is used by many system administrators, security professionals and auditors.

Auditing Linux: Software Packages and Managers

Article about how to audit and check installed software packages and their security by using the related package managers.

Summary

No system can do its job without any installed software packages. However, after installation of the system, or after running it for a while, it often becomes unclear why some software was ever installed. This article looks at methods for auditing installed software, checking for security updates, and the related follow-up.

Package managers

To enable system administrators to properly manage and upgrade software, Linux uses a package manager. This suite often consists of a package database, the software packages themselves, and several support tools. These tools in particular are used to query the database, install or remove software, and assist in the upgrade process. But as usual, there are often some lesser-known parameters which might make your job easier. For auditors it is especially interesting to know what options are available, to gather more specific information focused on proper software management.