Monday Apr 04, 2016

Announcing New Features for Ksplice

Offline Support for userspace patching is now available in Ksplice.

For customers hosting their own yum repositories, or those with restricted access to outside update channels, you can now integrate Ksplice userspace patches into your existing offline Ksplice patching procedures.  This expands the initial support with online patching capabilities and provides the maximum flexibility and choice for customers managing critical updates.

If you have wanted to use Ksplice for userspace but were restricted by the online service, you are now able to take full advantage of all the services and features available.

 Let us know what you think. 

Friday Feb 19, 2016

FRIDAY SPOTLIGHT: CVE-2015-7547 - Ksplice solves glibc flaw with zero-downtime and no disruptions

This week we have seen a new vulnerability making the rounds involving glibc. The issue involves two libraries (libresolv and libnss_dns) that are commonly used for tasks like DNS lookups. Calling the function getaddrinfo() could cause a stack buffer overflow when handling larger replies, which in turn could be exploited through attacker-controlled domain names, attacker-controlled DNS servers or man-in-the-middle attacks.

The glibc upstream project released a patch for this issue and most distributions (including Oracle Linux) have released updated glibc packages containing this fix.  Since glibc is a core system library that is used by almost every application on a system, updates to the package typically require restarting applications and best practices would suggest a system reboot.  
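The restart requirement can be checked directly on a host that took the conventional package update: a process started before the update still maps the old library file, which the kernel marks as "(deleted)" in /proc/<pid>/maps. The following is an added example, not code from the original post or from Oracle; the sample maps text, function names and library versions are constructed for illustration.

```python
import os
import re

# Libraries named in the post: glibc itself plus libresolv and libnss_dns.
WATCHED = re.compile(r"/(libc|libresolv|libnss_dns)(-[^/]*)?\.so[^/]*$")
DELETED = " (deleted)"  # suffix the kernel appends once the mapped file is unlinked

# Constructed sample of /proc/<pid>/maps for a daemon started before the update.
SAMPLE_MAPS = """\
00400000-004f4000 r-xp 00000000 fd:00 131 /usr/sbin/sshd
7f10a0000000-7f10a01b6000 r-xp 00000000 fd:00 262 /usr/lib64/libc-2.17.so (deleted)
7f10a0400000-7f10a0416000 r-xp 00000000 fd:00 263 /usr/lib64/libresolv-2.17.so (deleted)
7f10a0800000-7f10a0a00000 r-xp 00000000 fd:00 301 /usr/lib64/libcrypto.so.1.0.1e
7f10a0c00000-7f10a0c21000 rw-p 00000000 00:00 0
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_libs(maps_text):
    """Return sorted paths of watched libraries still mapped from a replaced file."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [path]
        if len(parts) < 6:
            continue  # anonymous mapping without a backing path
        path = parts[5].strip()
        if not path.endswith(DELETED):
            continue  # file on disk is still the one that is mapped
        path = path[: -len(DELETED)]
        if WATCHED.search(path):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc="/proc"):
    """Map pid -> stale watched libraries for every readable process."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps"), errors="replace") as fh:
                libs = stale_libs(fh.read())
        except OSError:
            continue  # process exited, or maps not readable without root
        if libs:
            findings[int(pid)] = libs
    return findings

if __name__ == "__main__":
    print("sample:", stale_libs(SAMPLE_MAPS))
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Run as root to cover all processes; any PID it reports is still executing the pre-update library code until that process is restarted.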

Oracle Linux customers with premier support have the advantage of our Ksplice services, which makes it possible to install both kernel and user space updates without the need to restart applications or reboot the system.  If you would like more information about Ksplice and Oracle Linux, please visit our website.

Friday Jan 29, 2016

FRIDAY SPOTLIGHT: Running OpenSCAP Compliance Checks on Oracle Linux

This Friday we would like to highlight a great new OTN article: Running OpenSCAP compliance checks on Oracle Linux.

Many of you may have heard of OpenSCAP; if not, here are some details. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

As a part of IT security management, organizations usually define a security policy that standardizes optimal internal practices, processes, and configurations. When a company stores or processes sensitive data (including personal identity, financial data, or healthcare records), the security policy must also reflect relevant government and regulatory standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). Standards often specify hardening guidelines and IT system requirements as well as required security practices. Many standards also mandate formal security reviews that must be performed by certified auditors on a regular schedule. In addition to these formal compliance assessments, IT departments typically conduct informal security reviews to detect and remedy vulnerabilities that might otherwise result in system or data compromise.

The diversity of data center systems adds to the challenge of developing effective and efficient strategies for IT security management. To help organizations automate compliance checks and implement security policy more universally across heterogeneous data centers, the US National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) standard. NIST created SCAP to provide a standardized approach for implementing enterprise system security and baseline profiles for compliance audits. Based on the SCAP standard, the OpenSCAP project supplies open source tools and policies to automate compliance checking and consistently apply security policy across different system types.

To automate compliance checking on Oracle Linux servers, the operating system includes packages containing an OpenSCAP framework and an implementation of the OpenSCAP interpreter, oscap. In addition, Oracle makes SCAP content files available to evaluate Oracle Linux system configurations against a defined security policy, industry-accepted hardening guidelines, and known vulnerabilities. This article can help administrators get started using the OpenSCAP functionality in Oracle Linux. It describes the various SCAP content files available to automate compliance checks, as well as how to obtain and use security advisory content that Oracle regularly publishes. It also discusses how to use Spacewalk, a tool for Linux systems management, to run OpenSCAP audits on Spacewalk-managed Oracle Linux client systems.

Read more in this full article: Running OpenSCAP Compliance Checks on Oracle Linux

Friday Jan 22, 2016

FRIDAY SPOTLIGHT: Announcing User Space Support for Ksplice on Oracle Linux 6

During Oracle OpenWorld 2015 Oracle released new features for Oracle Ksplice which introduced groundbreaking capabilities to patch user space libraries in Oracle Linux 7 without rebooting. This new feature, plus the extensive zero-downtime kernel patching capabilities already included in Oracle Ksplice, make it an ideal choice for keeping your Oracle Linux infrastructure up to date and secure.

Today, Oracle is pleased to announce user space patching with Oracle Ksplice is now available for Oracle Linux Premier Support customers using Oracle Linux 6. Now you can take advantage of this cutting edge technology to keep key user space libraries up to date on Oracle Linux 6 or Oracle Linux 7. And, of course, Oracle Ksplice continues to provide critical kernel patches so you can patch both kernel and user space without ever needing to reboot.

Read about the user space patching capabilities of Oracle Ksplice in the updated documentation, and get the latest Oracle Ksplice packages with your Oracle Linux Premier Support agreement from the Unbreakable Linux Network.

Monday Nov 02, 2015

New Userspace Patching with Oracle Ksplice!

Last week, Larry Ellison introduced userspace patching with Oracle Ksplice. This is a groundbreaking addition to the already extensive capabilities of Ksplice, giving administrators the tools they need to cope with security threats and other issues without impacting running systems.

If you're unfamiliar with Ksplice, it provides zero-downtime patching (also known as "live patching") for Linux. With Ksplice, updates and errata (CVEs, etc.) can be applied to running systems without restarting applications or rebooting. This is a boon for organizations since scheduling downtime across a server farm is a significant event, and many companies using a variety of operating systems only perform patches periodically in a regular cycle. But being able to apply critical updates immediately–or remove them, if necessary–without impacting servers even under heavy load allows administrators to reduce the window of vulnerability for security issues to the bare minimum, making systems more secure. A fantastic primer on Ksplice can be found in Wim Coekaerts' blog post The Magic of Ksplice.

While Ksplice has been a great tool for applying patches without downtime, it has been focused exclusively on kernel patches. That is, until last week with the announcement of userspace patching for Ksplice.

Why is userspace patching important? Well, patching the kernel as Ksplice has done for years solves a number of issues. It lets you patch security vulnerabilities at the kernel level, it allows you to apply patches to do diagnostics, and so on. But applications rely on services available above the kernel (in “userspace”) to do many of their tasks. For example, glibc, the GNU C Library, is the standard C and C++ library used by applications on Linux. And OpenSSL provides secure networking services for applications so applications don’t have to implement these features from scratch. But patching the kernel doesn’t help with changes that need to be made in these system wide libraries.

These standard libraries are very useful because they allow the community to optimize and standardize on how common tasks are accomplished. But since they are used by so many applications, a flaw in one of these libraries creates widespread exposure. Just such an exposure happened with the Heartbleed Bug, where an issue with OpenSSL left thousands of servers at risk.

With userspace patching in Ksplice, Oracle can now provide you with the tools to patch these userspace libraries without downtime. At Oracle OpenWorld last week, we were showing attendees in the Oracle Linux, Oracle VM, and OpenStack Showcase how we can apply userspace patches for the Ghost and Heartbleed vulnerabilities, check that the systems were indeed secured, and then roll those patches back to their unsecured state, all in a couple of minutes and without stopping running applications. This is the power of the new userspace feature of Ksplice. In this first release of userspace patching, the focus is on glibc and OpenSSL since this will cover many of the security related issues customers will run into. 

With the addition of userspace patching, a great tool just got even better. Ksplice can now patch the running Linux kernel and also patch userspace glibc and OpenSSL without downtime. Userspace patching is a huge development in zero-downtime patching, and another tool in the toolbox for administrators needing to cope with critical updates. This brings the magic of Ksplice from the kernel up to userspace, making your systems safer.

Userspace patching for Ksplice is available now in the enhanced Ksplice client for customers with Oracle Linux Premier Support. You can read about it in the latest Ksplice documentation and when you’re ready to try it out, you can enable it on the Unbreakable Linux Network and install it on your systems.

Friday Oct 24, 2014

Friday Spotlight: Boost Your IT Security for the Holiday Season - BeyondTrust and Oracle Webinar

Oracle and BeyondTrust present a Live Webinar:

Boost Your IT Security for the Holiday Season

When: Nov 6, 9am PT, 12pm EST

Register

The holidays are generally a time for family, friends and cheer, but with all of this cheer comes something lurking in the dark: security breaches. As we prepare for the upcoming holiday season, it is imperative for organizations to understand the importance of implementing a security and compliance strategy. The most important components to address are least privilege, auditing, password management, and compliance.

Join this engaging webinar, hosted by Oracle and BeyondTrust, to learn how you can best protect your organization during the upcoming holiday season. By attending this webcast, you'll learn:

  • Why it's important to implement a least privilege strategy this holiday season
  • Understanding your organization’s data security compliance efforts
  • Managing and implementing least privilege with BeyondTrust PowerBroker & Oracle Linux
  • What you can do NOW to beef up your organization’s security & compliance program

Speakers:

Paul Harper Product Manager for Server & Vulnerability Products BeyondTrust

Michele Casey Director of Product Management, Oracle Linux Oracle

Register today

Friday Jun 20, 2014

Friday Spotlight: A Wealth of Information on Oracle Linux

Happy Friday!

Our spotlight this week is on the large library of in-depth information about Oracle Linux on the Oracle documentation site. There is, of course, an administrator's guide, as you would expect. But there are also extremely comprehensive guides on Ksplice, DTrace, Spacewalk, security, and more. Check out the whole set for some Friday afternoon reading.

See you next week! 

-Chris

Friday Mar 21, 2014

Friday Spotlight: Tips for Hardening an Oracle Linux Server

Happy Friday!

One of the things I like about our Friday Spotlight is not only do we talk about new things, it also gives us an opportunity to highlight older material that is still valuable. That's the case with this week's spotlight, which is about an article from 2012 that covers tips for hardening an Oracle Linux server. If you've come to Oracle Linux in the last couple of years, you might not have seen this, and it's just as relevant today as it was then.

This in-depth article covers minimizing active services, locking down network services, managing users and authentication, and much more. If you're a Linux administrator, you might want to consider adding this article to your Reading List, saving to Pocket or Evernote, or whatever mechanism you use to hold on to good resources.

Read: Tips for Hardening an Oracle Linux Server

We'll see you next week!

-Chris 

Friday Dec 06, 2013

Oracle Linux Friday Spotlight - December 6, 2013

Happy Friday!

By now, you've probably heard about the release of Oracle Linux 6.5. One really cool thing about this release is that Unbreakable Enterprise Kernel Release 3 is installed by default, meaning you get to use all the great features of UEK R3 without needing to do a separate installation. And are there a lot of great features in UEK R3! So, our spotlight this week is on the release notes for the latest version of Oracle's Unbreakable Enterprise Kernel.

Unbreakable Enterprise Kernel Release 3 release notes

You'll learn about Control Groups, Linux Containers, DTrace, additional crypto options, improved diagnostics, the updated btrfs, better memory management, more networking options, improvements for performance, security, storage, and much more.

See you next Friday!

-Chris 

Friday Sep 07, 2012

New Article on OTN: Tips for Securing an Oracle Linux Environment

Some time ago, we published Tips for Hardening an Oracle Linux Server on the Oracle Technology Network. This article focused on hardening an Oracle Linux system right after the initial installation, exploring administrative approaches that help to minimize vulnerabilities.

This week we issued a second part, Tips for Securing an Oracle Linux Environment, which focuses on the operational part: detecting intrusion attempts, auditing and keeping systems up to date and protected.

If you manage Oracle Linux systems in your environment, check out these articles for some invaluable hints and suggestions on how to improve and maintain security of these servers!

Tuesday Jul 24, 2012

Don't miss the Latest Technical Articles about Btrfs and Linux Security

We have two new Oracle Linux technical articles that you should not miss! They go into details about installation, best practices and key commands that will help you speed up your configurations.

1. How I Got Started with the Btrfs File System for Oracle Linux

by Margaret Bierman with Lenz Grimmer

This article describes the basic capabilities that the writer discovered while becoming familiar with the Btrfs file system in Oracle Linux, plus the instructions she used to create a file system, verify its size, create subdirectories, and perform other basic administrative tasks.

Read more 

2. Tips for Hardening an Oracle Linux Server

by Lenz Grimmer and James Morris

Oracle Linux provides a complete security stack, from network firewall control to access control security policies. While Oracle Linux is designed "secure by default," this article explores a variety of those defaults and administrative approaches that help to minimize vulnerabilities.

Read more 

And don't forget to bookmark the Oracle Linux Technology Center for future technical articles.

Happy reading. 

