Archive for category linux

How to determine if your Red Hat Enterprise Linux 7 system is vulnerable to a specific CVE

Let’s say we are looking to determine if our system is vulnerable to Heartbleed or LogJam.

# ls /usr/lib64/libssl.so.*
/usr/lib64/libssl.so.10 /usr/lib64/libssl.so.1.0.1e
# yum info openssl
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 42.el7_1.9
Size : 1.5 M
Repo : installed
From repo : rhel-7-server-rpms
Summary : Utilities from the general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
 : machines. OpenSSL includes a certificate management tool and shared
 : libraries which provide various cryptographic algorithms and
 : protocols.

Note that “Version” is 1.0.1e, but that only denotes the upstream version on which Red Hat based the release. Since that release, Red Hat has backported many later bug fixes, security fixes, etc., which is reflected in the “Release” value 42.el7_1.9.
https://access.redhat.com/security/updates/backporting/

Using Heartbleed (CVE-2014-0160) as the example (https://access.redhat.com/solutions/781793)
“Red Hat Enterprise Linux 7 include OpenSSL version openssl-1.0.1e-34.el7 which includes a fix backported from openssl-1.0.1g”

Each specific CVE can be checked directly on Red Hat’s site, https://access.redhat.com/security/cve/CVE-2014-0160

You can also check directly on the command line. For example, checking for Heartbleed you would use:

# yum updateinfo list installed --cve CVE-2014-0160

This will show any installed RPM packages that apply to Heartbleed. But note — nothing will be returned on a RHEL7 system, because the original RPM released with RHEL7 was not vulnerable, so no additional package needed to be installed to fix it.

Logjam, though, is a little more interesting.

# yum updateinfo list installed --cve CVE-2015-4000
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:1.7.0.85-2.6.1.2.el7_1.x86_64
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6.x86_64
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-headless-1:1.7.0.85-2.6.1.2.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el7_1.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1.0.1e-30.el6_6.9.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1:1.0.1e-42.el7_1.6.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-libs-1:1.0.1e-42.el7_1.6.x86_64

Each of those RHSA’s addressed Logjam. You can get a lot more information by using:

# yum updateinfo info installed --cve CVE-2015-4000

Note the use of “installed” in these commands. This shows information only about packages that are already installed. If you remove “installed”, you will see information only about packages that /could/ be installed.
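
The two cases above (an advisory is listed, or nothing is listed because the fix shipped in the original package) combined into one check, as an added example that is not part of the original post. The function names are hypothetical, the changelog sample is constructed, and the use of rpm -q --changelog to confirm a backported fix goes beyond the commands shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is embedded so the
# script runs offline; on a real host feed it live command output instead.

# Three lines taken from the Logjam listing above.
SAMPLE_UPDATEINFO='RHSA-2015:1072 Moderate/Sec. openssl-1.0.1e-30.el6_6.9.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1:1.0.1e-42.el7_1.6.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-libs-1:1.0.1e-42.el7_1.6.x86_64'

# Constructed stand-in for `rpm -q --changelog openssl` output.
SAMPLE_CHANGELOG='* Thu Jun 04 2015 Example Packager <pkg@example.com> 1.0.1e-42.6
- fix CVE-2015-4000 - prevent the logjam attack on the client
* Mon Apr 07 2014 Example Packager <pkg@example.com> 1.0.1e-34
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# stdin: `yum updateinfo list installed --cve <id>` output.
# stdout: one "advisory severity package-count" line per advisory.
advisory_summary() {
    awk '$1 ~ /^RH[SBE]A-[0-9]+:[0-9]+$/ { sev[$1] = $2; n[$1]++ }
         END { for (a in n) print a, sev[a], n[a] }' | sort
}

# stdin: `rpm -q --changelog <package>` output.
# stdout: header of every changelog entry whose text names the CVE ($1).
changelog_fix() {
    awk -v cve="$1" '
        /^\* /                                    { header = $0; next }
        header != "" && $0 ~ (cve "([^0-9]|$)")   { print header }
    ' | sort -u
}

# $1 = CVE id, $2 = updateinfo output, $3 = changelog text.
# errata:     an installed advisory covers the CVE
# backported: no advisory, but the package changelog records the fix
# unknown:    no evidence either way; consult the Red Hat CVE page
cve_verdict() {
    if [ -n "$(printf '%s\n' "$2" | advisory_summary)" ]; then
        echo errata
    elif [ -n "$(printf '%s\n' "$3" | changelog_fix "$1")" ]; then
        echo backported
    else
        echo unknown
    fi
}

# Live use on a RHEL host:
#   cve_verdict CVE-2014-0160 \
#       "$(yum -q updateinfo list installed --cve CVE-2014-0160)" \
#       "$(rpm -q --changelog openssl)"
```

The changelog check only covers the package you name, so run it for each package that ships the affected code.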


What a year!!

Two years at Red Hat have flown by at such a rapid pace; I’m even a couple months late in blogging about it! To top off another year full of great projects, awesome technology, and incredible people, I’ve had a couple exciting things happen that I wanted to share.

Last month I was chosen to be a “Red Hat Chairman’s Award” recipient, and last week (photo below) I was awarded “North American Account Solutions Architect” of the Year!

image

I am truly humbled by both of these awards, and was speechless when I heard my name called (those who know me well understand how rare that is). I am looking forward to see what this next year will bring!

Yum Command Cheat Sheet for Red Hat Enterprise Linux

Great reference to keep at the desk!

https://access.redhat.com/articles/yum-cheat-sheet

OpenLDAP: Bootstrapping a minimal cn=config

Here is how to bootstrap OpenLDAP’s slapd with an absolutely minimal configuration, without needing an intermediate slapd.conf, with one feature — the local root user (uid=0/gid=0) has “manage” access.  From this point, ldapmodify can be used via ldapi to continue making configuration changes.  This is a good way to start a new server configuration.

Bootstrap:

$> echo 'dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: to dn.subtree="cn=config" by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
' | slapadd -n0 -F slapd.d

Start slapd:

#> slapd -F slapd.d -h ldapi://foo

Make changes via ldapmodify:

#> ldapmodify -Y EXTERNAL -H ldapi://foo ...

Need a quick proxy via SSH?

Need access to a web site, tucked behind a firewall?  Do you already have a public SSH server set up to allow access, but not sure how to tunnel your HTTP session?  It’s easy!

ssh -N -D 127.0.0.1:8000 <user>@<ssh server fqdn>

That command sets up a SOCKS4/SOCKS5 proxy.  Just configure your Browser/OS settings to use 127.0.0.1:8000 as a SOCKS proxy, and you can now access any site that your SSH server can reach.

July 1 2012 Linux problems? High CPU/Load? Probably caused by the Leap Second!

(Update posted, see below)

As posted in multiple places around the web:

Debian

/etc/init.d/ntp stop
date `date +"%m%d%H%M%C%y.%S"`

Red Hat

/etc/init.d/ntpd stop
date `date +"%m%d%H%M%C%y.%S"`

Update:

This first manifested itself for us in our Java stacks — all of our (dual processor) Tomcat servers were running at a load of 30-40.  However, this is a known (and fixed) kernel bug:

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b43ae8a619d17c4935c3320d2ef9e92bdeed05d

Apparently, simply forcing a reset of the date is enough to fix the problem:

date -s "`date`"

Build a PaaS using Open Source Software

Discussion about OpenShift.  OpenShift has been fully open-sourced, available on GitHub for local deployment, or directly usable as a hosted solution.

Rule #1: IaaS != PaaS

Virtual machines : Application is not necessarily 1:1

Rule #2: PaaS is not a silver bullet

Great for self-service deployment of applications and for varied, volatile workloads (development, testing, scale-up/out), with tightly constrained application rules — which implies standardized deployments from a template.

Rule #3: PaaS is about developers — AND OPERATIONS!!!!

Operations becomes about capacity planning, not ticket-driven activities.

Rule #4: Be ready to learn

Developers want language variety, scaling models, integration models — and they want it automagically.

Operations want multi-tenancy, familiar installation, and sane configurations — all reproducible.

What is an application?

Runtime (OpenShift cartridges)

Code (One Git repository per application)

Creating an App

The rhc tools are used to create a namespace (domain), then an application space which includes a name and cartridge type, and push the code.

What do you get from public OpenShift?

A slice of the server, a private Git repository, deployment access.

The PaaS service is comprised of a Broker (director front-end, RESTful) and Nodes.  Each node has multiple “gears” (containers secured with SELinux, constrained with cgroups, and isolated with Kernel namespaces and Bind Mounts).

Extending OpenShift

Custom DNS plugins, auth plugins, security policies, and community cartridges.  Quick-start frameworks can be offered to the community too.

LXC and SELinux are the future for isolating and securing OpenShift…

… but right now, there are many moving parts being used to provide isolation and security.

PaaS demands a new security model

DAC just won’t cut it; it is too complicated for PaaS.  MAC (SELinux!) is necessary.

Step 1 – Unlearn this (and embrace SELinux)!

setenforce 0

Step 2 – Learn the ‘Z’ (to see SELinux contexts)

ls -lZ
ps -efZ

(Review of SELinux contexts and syntax provided)

http://fedoraproject.org/wiki/SELinux

Demo – deployment of WordPress to OpenShift, in a VirtualBox LiveCD

The OpenShift QuickStart is available here: https://github.com/openshift/wordpress-example


KVM Technology Review and Roadmap Update

  • KVM is a relatively small piece of code, leveraging Linux for much functionality.  This makes KVM easy to secure and very flexible in meeting future needs.
  • Leveraging Linux means that KVM automatically gains the power of Linux’s hardware support, memory management, network utilities, cgroups, SELinux, etc.
  • Features: RHEL6.3 KVM has all the features of modern hypervisors, without needing 3rd party tools: live snapshots, virtualized disk drivers (VIRTIO), live migration, live block migration, USB passthrough, guest power management, etc.
  • Performance: RHEL 6.3 + KVM holds the top 7 SPECvirt spots on HP and IBM hardware, with metrics showing ~20%+ better performance than VMWare.
  • Single Guest Scalability: Now supports 160 vCPUs and 2TB RAM per guest (with no additional licensing costs!)
  • RHEL 7.0 will include virtual PCI bridges and will have a new Virtio-SCSI block device, enabling thousands of devices per virtual machine.
  • RHEV scales up to 200 host nodes per cluster.
  • Compare the above numbers with VMWare
  • KVM has achieved World Record IOPS: 1,402,720 IOPS on an IBM x3850 X5 for 8KB requests using 7 SCSI pass-through devices. For 1 KB requests, it can achieve 1.65M IOPS.
  • RHEV 7 will support Windows power virtualization
  • RHEL 6.3 brings vCPU and memory hotplug to guests
  • KVM has achieved CC-EAL4+ certification with RHEV 5, and is in process of certification with RHEV 6, with sVirt (SELinux wrapped around guests).
  • Decommissioned guest storage can be scrubbed, meeting PCI-DSS standards.
  • Open Virtualization Alliance promotes open source virtualization and KVM ecosystem.

Campground: CloudForms + Splunk

Great co-hosted Red Hat & Splunk discussion about CloudForms-Splunk integration!

Goal: Measure CloudForms utilization by date/time, by user, by cloud provider, and totals.

Simple rsyslog config to send the right data over into Splunk, then just add the “Splunk for Red Hat CloudForms” app — the metrics stated in the above goal are there, right out of the box.  It really is (or at least seems to be) that easy!

And yes — the Splunk guys know Steve Maresca (and UConn) *very* well.

Distributed File System Choices: Red Hat Storage, GFS2, & pNFS

Red Hat has several options for storage needs — GFS2, CIFS, (p)NFS, Gluster.  It’s all about the right tool for the job.

http://www.redhat.com/summit/sessions/index.html#103

RHEL Resilient Storage – GFS2

Shared storage, scales up to 100TB per instance, supports 2-16 nodes in the cluster, x86_64 only.

Performance is directly related to server and storage class, and to access sets — best case is where each node generally accesses its own filesystem area, worst case is where nodes are fighting for locks on the same files/directories.

RHEL NFS Client

It’s an NFS client — what else needs to be said?

pNFS

Metadata server tells you where to go to get your data, and can even reference data across multiple-tiers — NFS or directly to the SAN.

Performance can be enhanced with large write caches, internally tiered storage, and is suitable for most workloads, even transactional DBs (using O_DIRECT).  Not so good for highly random read workloads.

Red Hat Storage (Gluster + utilities, support, and blueprint)

RHS is a standalone product.  RHS servers in supported config are RAID6+local storage, XFS filesystems, dedicated RHEL6.x and Gluster software, all deployed on commodity hardware (reducing cost).

Clients use Gluster for scalability; NFS or CIFS for simplicity.

Performance is improved by scaling horizontally across servers.  But there is no write cache, and Gluster is a user-space filesystem with some overhead from context switching.  Likely not suitable for big I/O (databases, mail servers), but great for big unstructured data.

Scales to 6PB (or 3PB mirrored), and can add capacity dynamically.
