Follow:

Latest articles in ‘Linux’

  1. 'Cheatsheet/selinux' topic logo

    SELinux cheatsheet

    Published: Fri 08 September 2017 in Cookbook.
    A mind-refresher on SELinux main commands, files and behavior.

    This page is only designed as a memory-refresher. SElinux may be a complex thing to get right, if you are not familiar with it yet I highly encourage you to read Sven Vermeulen books.

    SELinux state

    To detect whether SELinux is enabled or not:

    • From a script, selinuxenabled doesn’t produce any output and its exit code gives SELinux status.
    • From an interactive prompt, sestatus provides more information.

    SELinux main configuration file is /etc/selinux/config, it defines:

    • SELINUX=: SELinux state:

      • enforcing: Enabled and block unauthorized actions (policy violations).

      • permissive: Enabled, but only logs unauthorized actions and does not block them (useful for development and HIDS purposes).

      • disabled: SELinux is completely disabled.

        Warning

        If SELinux has been temporarily disabled (which is not recommended, there are usually cleaner ways to proceed), a global relabel will be required before re-enabling SELinux.

        More information.

    • SELINUXTYPE=: The policy currently in use, available policies depend …

    Continue
  2. cover_administration picture

    SELinux System Administration & SELinux Cookbook (Sven Vermeulen)

    Published: Wed 06 September 2017 in Library.
    The best book to discover SELinux and learn how to take the most out of it.

    Sven Vermeulen, the author of these two books, is deeply involved in the Gentoo community.

    Quoting his biography from the book introduction:

    In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.

    He is both knowledgeable technically, pedagogically and in SELinux. In these books, he uses his talent to spread the light on a domain which is often conceived as obscure and daunting, explaining in a clear and effective way how and why the things are the way they are so everything finally takes its place into our minds.

    Don’t let the affiliation with the Gentoo project let you think that these books are only about Gentoo. These books …

    Continue
  3. LPIC-3_303 picture

    Linux LPIC certification review

    Published: Sun 03 September 2017 in Opinions.
    Facts, advices and personal impressions on the Linux LPIC certification (all levels).

    The five Ws

    • What: The Linux Professional Institute Certification (LPIC) is a technical certification on GNU/Linux systems administration. This certification is vendor-neutral and covers the major GNU/Linux distributions (Debian, SUSE, Red Hat) and their derivatives.

      With the Linux Essentials certification aside (it targets end-users, not administrators), the LPIC certification path has three main levels:

      • LPIC-1 “Linux Administrator”: This level studies the GNU/Linux system itself: how it works, how to administrate the local system with some knowledge on troubleshooting and main services.

      • LPIC-2 “Linux Engineer”: This level has two folds: on one side you study advanced administration and troubleshooting techniques, on the other you now envision the GNU/Linux system as part of the corporate ecosystem and study the administration of the most common network services (here again vendor neutral, so you should be comfortable with both Apache and Nginx HTTP servers for instance).

      • LPIC-3 …

    Continue
  4. 'Hardening' topic logo

    Isolate your services using jails and containers

    Published: Thu 10 August 2017 in Cookbook.
    Use FreeBSD jails and Linux LXC efficiently to make you server both more secure and easier to manage.

    Containers and jails allow you to make your system more secure, more reliable, more flexible and, at the end of the day, easier to manage. Once you get used to it, it become difficult to conceive to setup a server without such features.

    But what are they exactly?

    Containers and jails

    Containers and jails designate different implementations of operating-system-level virtualization. Like a lot of low-level security features we encounter in today’s world, this functionality can be traced back to the old mainframes, where reliability and parallelism are at the core of the system, and which allow to partition a host system into smaller isolated systems.

    This feature then went through commercial Unixes to finally reach open-source operating systems. The first open-source OS to really implement this feature was FreeBSD which offers its jail functionality since 2000 (FreeBSD 4.0). In the mean time there were several more-or-less successful attempts …

    Continue
  5. 'Selinux' topic logo

    Can SELinux really confine the root user?

    Published: Thu 20 August 2015 in Opinions.
    How but most importantly why SELinux allows to confine even the root user.

    Several projects such as [this one][play_root] propose a free root access to a Linux box in order to demonstrate SELinux confinement abilities. Even given a root access on a box, SELinux still prevents any harm from being done.

    Is this for real or is there any trick behing such setup?

    This is indeed possible because SELinux does not actually care about the current Unix user: all it sees is a supplementary metadata called the context (which includes, among other fields, a domain field) and which lets SELinux decide whether the requested action can be authorized or not.

    What one usually conceives as the root user should be mapped in SELinux as a root Unix user running either the unconfined_t or sysadm_t SELinux domain. It is the classical full-powered omnipotent root user.

    However, one could perfectly setup his system to spawn a root shell (I mean root Unix user shell …

    Continue
  6. 'Hardening' topic logo

    Do randomized PIDs bring more security?

    Published: Sat 23 May 2015 in Opinions.
    The limits of randomness-based security and the position of the main free *nixes on the subject.

    The issue

    I read an article in the french magazine MISC (no. 74 - July/August, 2014) publishing a flaw affecting stunnel and libssh.

    To make things short, this flaw relies on the fact that a hello cookie created by the server is generated using the current Unix timestamp (so up to the second) and the PID of the process handling the request. The exploit sends a high number of connection attempts in order to force the server to generate duplicated cookies. At the end this attacks aims to deduce the server private keys.

    The author explains that such attack is not realizable on systems using traditionnal sequential PID because it would require more than 65000 connections attempts to made in less than one second.

    However, thanks to random PIDs used on some “hardened” systems the author demonstrates that, with 20 connection attempts per seconds, there is statistically more than one …

    Continue

Popular tags see all

Website

Author

Follow