Prefetch Technologies // Keeping your cache lines cozy

Archive

Posts in Security

Using docker volumes on SELinux-enabled servers

Tags: containers, security · Sep 30, 2017 · 4 min read

I was doing some testing this week and received the following error when I tried to access a volume inside a container: When I checked the system logs I saw the following error: The docker container was started with the "-v" option to bind-mount a directory from the host: The error shown above was generated because I didn't tell my orchestration tool to apply an SELinux label to the volume I was trying to map into the container. In the SELinux world, processes and file system objects are given contexts to describe their purpose. These contexts are then used by the kernel to allow processes to access file objects if policy allows it. To allow a docker container to access a volume on an SELinux-enabled host you need to attach the "z" or "Z" flag to the volume mount…


Using fail2ban to lock out unwanted visitors to your SSH daemon

Tags: security · Jan 25, 2017 · 3 min read

I have a number of DigitalOcean droplets and AWS instances that I use for personal projects. For convenience I leave SSH open to the world so I can access these systems wherever I'm at. This DEFINITELY isn't a best practice, but my personal instances don't contain anything sensitive and can be rebuilt in minutes with Ansible. A wide-open TCP port 22 doesn't come without issues though…


Using Linux auditing to observe program executions and file accesses

Tags: security · Oct 26, 2016 · 3 min read

Linux systems have a rather nice auditing framework built into the kernel. This framework consists of a kernel component that inspects and filters events and a userland daemon (auditd) that takes the events and archives them to persistent storage. These audit log events can then be searched and summarized with the ausearch and aureport utilities. The following ausearch command will dump all audit records for UID 7005: Each audit event contains the type of event (system call executed, file read, etc.) as well as a bunch of user and system context…


Tracking Linux UIDs across process creation

Tags: security · Oct 26, 2016 · 2 min read

When you support mission-critical systems it is critically important to know WHAT is running on your systems and WHO is running it. In the past it was sometimes a chore to tell which UID ran a program. This was especially true in the early days, when programs fork()'ed and execve()'ed after escalating privileges. The "which UID ran a program" mystery has been mostly solved (I say mostly because user namespaces throw a few kinks into the equation) by auditing and the PAM loginuid module…


Using the rsyslog MySQL plug-in to send syslog data to a SQL database

Tags: security, monitoring, databases · Feb 12, 2012 · 6 min read

I have been experimenting with ways to better manage the logs my servers generate. Depending on who you ask, folks will recommend sending your logs to a remote syslog server that writes the logs to disk, some may recommend sending them to a log analysis tool similar to Splunk, and others would recommend feeding them to a SQL database. I've talked before about setting up syslog-ng for remote logging, and in this case I wanted to experiment with something new. I also didn't have money to buy a tool like Splunk, so I decided to start experimenting with funneling syslog data into a MySQL database…
