cron.weekly issue #69: SHA-1, Kernel exploit, pssh, securitybot, nscan, Kernel 4.10, live kernel patching & more
February 26, 2017 - Mattias Geniar
Welcome to cron.weekly issue #69 for Sunday, February 26th, 2017.
My, this is a big release again: lots of interesting things happened in Linux & open source this past week! Two security issues (SHA-1 collisions and a new kernel exploit), many interesting new projects like securitybot & upspin, and many new guides to share, including live and semi-live kernel patching.
I hope it rains today so we all have an excuse to stay in and cuddle behind the warmth of our PC.
Google has, after a considerable amount of time and CPU power, created a SHA1 collision: 2 PDF documents have the same SHA1 hash. This makes it theoretically possible to fake SSL certificates, git commits, PGP signatures, … SHA1 was already deprecated, but if you still have it active in your infrastructure, now’s the time to disable it.
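The entry above says to disable SHA-1 wherever it is still active; one place it hides is in the signature algorithm of certificates you still serve or trust. As an added example (not from the newsletter or from Google's research), here is a dependency-free checker that reads the outer signatureAlgorithm OID of a PEM or DER certificate and flags the SHA-1 variants. The `fake_cert`/`fake_pem` helpers build constructed skeleton certificates for testing only; they are not real certificates.

```python
"""Flag X.509 certificates whose outer signatureAlgorithm still hashes with SHA-1."""
import base64
import re

# DER-encoded contents of the OIDs for SHA-1 based signature algorithms
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5 sha1WithRSAEncryption
OID_ECDSA_SHA1 = bytes.fromhex("2a8648ce3d0401")      # 1.2.840.10045.4.1   ecdsa-with-SHA1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11, kept for contrast
SHA1_SIG_OIDS = {OID_SHA1_RSA: "sha1WithRSAEncryption", OID_ECDSA_SHA1: "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)                 # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return oid

def uses_sha1(cert_bytes):
    """Name of the SHA-1 signature algorithm if the PEM/DER certificate uses one, else None."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert_bytes, re.S)
    der = base64.b64decode(m.group(1)) if m else cert_bytes
    return SHA1_SIG_OIDS.get(signature_algorithm(der))

# Constructed sample data (not real certificates): the outer layout is right, tbs is filler.
def _der(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload

def fake_cert(sig_oid):
    tbs = _der(0x30, b"\x00" * 300)                     # exercises long-form lengths
    alg = _der(0x30, _der(0x06, sig_oid) + b"\x05\x00")  # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

def fake_pem(sig_oid):
    b64 = base64.encodebytes(fake_cert(sig_oid))
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"-----END CERTIFICATE-----\n"
```

Point `uses_sha1` at the bytes of any certificate file on disk; it only inspects the outer signature, so a SHA-1 intermediate higher up the chain has to be checked separately.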
This may or may not affect you, depending on your setup and privacy/disclosure policy: Cloudflare had a period where it accidentally leaked memory contents belonging to other sites proxied through their setup, much like Heartbleed did a few years ago. Props to Cloudflare for handling the incident and their full write-up.
A new kernel exploit in the DCCP module gives local users on a system a reliable way to become root. This is just as serious as the Dirty Cow vulnerability from a few months ago. Patching is, in most cases, relatively easy though. And to think just a few weeks ago I linked to an article called “DCCP: The socket type you probably never heard of”. Well, we’ve heard of it now.
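Besides patching, the usual mitigation for a bug in a protocol module almost nobody uses is to make sure the module cannot be loaded at all. As an added example (not part of the newsletter or of the exploit write-up), this small Python check reports whether `dccp` is currently loaded and whether `/etc/modprobe.d` blocks it; `sample_dir` writes constructed files so the check can be exercised without touching the real system.

```python
"""Is the dccp kernel module loaded, and does modprobe.d stop it from being loaded?"""
import glob
import os
import re
import tempfile

# "install dccp /bin/true" makes modprobe run /bin/true instead of loading the module;
# a bare "blacklist dccp" only stops alias-based autoloading, not loading by name.
INSTALL_RE = re.compile(r"^\s*install\s+dccp\s+/bin/(true|false)\b")
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+dccp\s*$")

def module_loaded(name, modules_file="/proc/modules"):
    """True if <name> appears in the running kernel's module list."""
    try:
        with open(modules_file) as f:
            return any(line.split()[0] == name for line in f if line.strip())
    except FileNotFoundError:               # not Linux, or a sample path that does not exist
        return False

def dccp_policy(modprobe_dir="/etc/modprobe.d"):
    """'install' if loading is overridden, 'blacklist' if only blacklisted, else None."""
    found = None
    for path in sorted(glob.glob(os.path.join(modprobe_dir, "*.conf"))):
        with open(path) as f:
            for line in f:
                if INSTALL_RE.match(line):
                    return "install"
                if BLACKLIST_RE.match(line):
                    found = "blacklist"
    return found

def assess(modules_file="/proc/modules", modprobe_dir="/etc/modprobe.d"):
    """One-line verdict combining both checks."""
    if module_loaded("dccp", modules_file):
        return "dccp loaded: patch the kernel, then unload and block the module"
    policy = dccp_policy(modprobe_dir)
    if policy == "install":
        return "dccp blocked from loading"
    if policy == "blacklist":
        return "dccp blacklisted by alias only; still loadable by name"
    return "dccp not loaded but loadable on demand"

def sample_dir(files):
    """Write constructed {name: text} files into a temp dir and return its path (test data only)."""
    d = tempfile.mkdtemp()
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return d
```

Calling `assess()` with no arguments inspects the live host; modprobe only reads `*.conf` files, which is why the check ignores anything else in the directory.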
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
Your database is a uniquely demanding and complex tier in your app, & needs database-specific instrumentation. See query & server performance with amazing clarity, & find performance problems that you couldn’t detect before. Start a free trial for instant value. (Sponsored)
One of the biggest players in the ‘unikernel’ space reaches a new 3.0 milestone: a modern, modular library operating system that allows the creation of small, secure, legacy-free services. If you’d like to read more on the concept of a unikernel, see one of my earlier posts: what is a unikernel?
Some days I wonder how I could’ve ever lived without it: pssh is a program for executing ssh in parallel on a number of hosts. I’ve linked to the manpage, pssh is essentially in every package manager already.
Securitybot is an open-source implementation of a distributed alerting chat bot. Distributed alerting improves the monitoring efficiency of your security team and can help you catch security incidents faster and more efficiently.
A Web server for Dat and HTTPS, with zero-config TLS. Dat sites are hosted at public keys, which are the equivalent of IP addresses in the P2P network.
bombardier is an HTTP(S) benchmarking tool. It is written in the Go programming language and uses the excellent fasthttp instead of Go’s default http library, because of its lightning fast performance.
Nscan is a fast network scanner optimized for internet-wide scanning purposes and inspired by Masscan and Zmap. It has its own tiny TCP/IP stack and uses raw sockets to send TCP SYN probes.
Trojan Scan is a simple shell script that allows for simple but relatively effective checking for trojans, rootkits and other malware that may be using your server and network for unwanted (and possibly illegal) purposes.
A new file sharing project by the team at Google to make sharing files easier. It is not a file system, but a set of protocols and reference implementations that can be used to join things like file systems and other storage services to the name space. Their introductory blogpost explains the reasoning behind the project.
Stethoscope is a web application that collects information for a given user’s devices and gives them clear and specific recommendations for securing their systems.
More than 13,000 commits in this release (kernel 4.10), with improvements to bpf, new hardware support, improvements to ext4/xfs & many small fixes.
diffoscope will try to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into a more human readable form to compare them. It can compare two tarballs, ISO images, or PDFs just as easily.
Mmake is a small program which wraps make to provide additional functionality, such as user-friendly help output, remote includes, and eventually more. It otherwise acts as a pass-through to standard make.
A Python tool/library which can analyze the SSL configuration of a server by connecting to it and detecting various issues (bad certificates, dangerous cipher suites, lack of session resumption, etc.).
Open Source Event Manager. An event management tool tailored to Free and Open Source Software conferences.
Guides & tutorials
A practical set of tips and tricks for running Docker in production, learned from failure and incidents. Lots of “do not do this” takeaways if you ever plan to run Docker yourself!
Another set of practical tips, this time for running a Kubernetes infrastructure: Terraform for infrastructure management and a fair amount of Kubernetes tips on how to install & where to get your upstream packages.
You can use kexec to install and load a kernel without doing the entire bootloader & hardware initialization. For systems that are slow to boot (due to memory checks in POST), this can save minutes during a reboot of your system.
Real live kernel patching is … complicated, as this post describes. Still, it is a proper write-up of all the steps involved in using kpatch to do full in-memory kernel patching.
Another set of practical tips for running containers, once again focussed on Kubernetes: when and where to bundle containers in pods, how to assess security in such a situation, tips on tagging & versioning your containers, …
Some pretty low level and advanced stuff in here: a new tool, c2c, is used to assess the performance impact of false cache sharing in a NUMA environment running multi-threaded applications.
A proper comparison between Cacti and Zabbix and a highlight of why, in this user’s case, Zabbix won for their monitoring needs.
This must have been an intensive debug hunt: when the TZ environment variable is set, you can save many system calls that would otherwise be needed to check the local time of the machine.
A heavy benchmark of three distributed, consistent key-value stores: etcd, Zookeeper, and Consul.
On a fresh Linux box, you probably have over a thousand binaries installed, of which you might actively use 20-50. This post details the other 950 (sort of). Many commands you’ve never heard of, a very detailed write-up, something to bookmark and read a few commands a day!
To each his or her own favorite $EDITOR; this guide gets you started with vim. I like how they immediately recognise that vim isn’t easy to get started with. Hang in there, it gets better!