Monday Dec 19, 2016
Monday Dec 12, 2016
By Avi Miller-Oracle on Dec 12, 2016
Docker is becoming even more popular for customers and users to optimise their deployment processes, particularly when integrated into a Continuous Integration (CI) and Continuous Delivery (CD) pipeline. Docker forms the basis of several Oracle Cloud products, including the Oracle Developer Cloud, Oracle Application Container Cloud and Oracle Container Cloud.
As part of Oracle's ongoing commitment to security, we regularly release updates to the official Oracle Linux base images hosted on the Docker Hub and in the official Oracle GitHub repository. In the past month, we have released 5 updates across the Oracle Linux 5, 6 and 7 images to cover several CVEs that have been fixed.
Learn more about ensuring your Docker images are built using the latest images provided by Oracle.
Wednesday Oct 26, 2016
By Zeynep Koch-Oracle on Oct 26, 2016
I am sure you have heard about "Dirty COW" by now and may be trying to figure out if you need a patch or how to patch your Linux systems.
Dirty COW is a concurrency vulnerability in the Linux kernel’s memory subsystem that allows uncontrolled access to shared data. Specifically, this is a copy-on-write (COW) breakage that could allow an unprivileged user to gain write access to otherwise read-only memory mappings and potentially increase their privileges on the system.
This vulnerability was reported last week and it is recommended that you promptly implement fixes/patches to address it, to help ensure the rights/privileges you have in place to contain users’ read/write access are not altered.
Oracle has released updates to Oracle Linux to address Dirty COW. For those customers with an Oracle Premier Support subscription, this is a good time to use the Ksplice service – which enables you to access and apply these patches with zero downtime. Read more about it in the Ksplice blog.
For customers without a Premier Support subscription, you will need to schedule downtime, apply the patches and restart your system. If you need to update your Oracle Linux kernel, you can find Oracle Support Document 2117117.1 (Master Note for Reference Index of CVE IDs and Errata: Oracle Linux and Oracle VM) at this site.
PC: Dirty Cow Logo from https://upload.wikimedia.org/wikipedia/commons/1/1b/DirtyCow.svg
Friday Sep 09, 2016
By Zeynep Koch-Oracle on Sep 09, 2016
In this Friday spotlight we are all about Oracle OpenWorld, happening on September 18-22 in the beautiful city of San Francisco.
This year we are very excited to have 8 partners showcasing their solutions at the Oracle Linux, Virtualization and OpenStack Showcase at Oracle OpenWorld. Our showcase area will feature partner and Oracle pods as well as a Mini Theatre where partners will present their solutions. We have exciting demos and giveaways which should be an incentive to come by.
Our showcase partner in this spotlight blog is amitego AG.
amitego AG’s VISULOX (based on Oracle Secure Global Desktop) offers rule-based control and management of privileged users accessing the data center. It includes device-less two-factor-authentication, software-based recording of user sessions, and controlled data transfer up to the limit of command and script usage, all without any changes to servers and clients. It integrates information from LDAP or Active Directories and supports a variety of application servers and clients.
amitego AG Sessions:
Monday, Sep 19, 2:00-2:20pm - Showcase Mini Theatre
Controlled Cloud Access with Oracle Secure Global Desktop and VISULOX
Wednesday, Sep 21, 3:00 p.m. | Park Central - Concordia
[CON7431] Secure Cloud Access with Oracle Secure Global Desktop and VISULOX
Please visit amitego AG at kiosk SLX-007 at the Oracle Linux, Virtualization, and OpenStack Showcase (booth 1901) in Moscone South.
For more information about amitego AG and VISULOX visit this site.
Monday Apr 04, 2016
By Michele Casey on Apr 04, 2016
Offline Support for userspace patching is now available in Ksplice.
For customers hosting their own yum repositories, or those with restricted access to outside update channels, you can now integrate Ksplice userspace patches into your existing offline Ksplice patching procedures. This expands the initial support with online patching capabilities and provides the maximum flexibility and choice for customers managing critical updates.
If you have wanted to use Ksplice for userspace but were restricted by the online service, you are now able to take full advantage of all the services and features available.
Let us know what you think.
Friday Feb 19, 2016
By Michele Casey on Feb 19, 2016
This week we have seen a new vulnerability making the rounds involving glibc. The issue at hand involves a couple of libraries (libresolv and libnss_dns), which are used commonly with tasks like DNS lookups. Using the function getaddrinfo() could generate a stack buffer overflow with larger replies, which in turn could be used maliciously to trigger an exploit through attacker-controlled domain names, attacker-controlled DNS servers or man-in-the-middle attacks.
The glibc upstream project released a patch for this issue and most distributions (including Oracle Linux) have released updated glibc packages containing this fix. Since glibc is a core system library that is used by almost every application on a system, updates to the package typically require restarting applications and best practices would suggest a system reboot.
Oracle Linux customers with premier support have the advantage of our Ksplice services, which makes it possible to install both kernel and user space updates without the need to restart applications or reboot the system. If you would like more information about Ksplice and Oracle Linux, please visit our website.
Friday Jan 29, 2016
By Zeynep Koch-Oracle on Jan 29, 2016
This Friday we would like to highlight a great new OTN article: Running OpenSCAP compliance checks on Oracle Linux.
Many of you may have heard of OpenSCAP; if not, here are some details. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
As a part of IT security management, organizations usually define a security policy that standardizes optimal internal practices, processes, and configurations. When a company stores or processes sensitive data (including personal identity, financial data, or healthcare records), the security policy must also reflect relevant government and regulatory standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). Standards often specify hardening guidelines and IT system requirements as well as required security practices. Many standards also mandate formal security reviews that must be performed by certified auditors on a regular schedule. In addition to these formal compliance assessments, IT departments typically conduct informal security reviews to detect and remedy vulnerabilities that might otherwise result in system or data compromise.
The diversity of data center systems adds to the challenge of developing effective and efficient strategies for IT security management. To help organizations automate compliance checks and implement security policy more universally across heterogeneous data centers, the US National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) standard. NIST created SCAP to provide a standardized approach for implementing enterprise system security and baseline profiles for compliance audits. Based on the SCAP standard, the OpenSCAP project supplies open source tools and policies to automate compliance checking and consistently apply security policy across different system types.
To automate compliance checking on Oracle Linux servers, the operating system includes packages containing an OpenSCAP framework and an implementation of the OpenSCAP interpreter, oscap. In addition, Oracle makes SCAP content files available to evaluate Oracle Linux system configurations against a defined security policy, industry-accepted hardening guidelines, and known vulnerabilities. This article can help administrators get started using the OpenSCAP functionality in Oracle Linux. It describes the various SCAP content files available to automate compliance checks, as well as how to obtain and use security advisory content that Oracle regularly publishes. It also discusses how to use Spacewalk, a tool for Linux systems management, to run OpenSCAP audits on Spacewalk-managed Oracle Linux client systems.
Read more in this full article: Running OpenSCAP Compliance Checks on Oracle Linux
Friday Jan 22, 2016
By Chris Kawalek-Oracle on Jan 22, 2016
During Oracle OpenWorld 2015 Oracle released new features for Oracle Ksplice which introduced groundbreaking capabilities to patch user space libraries in Oracle Linux 7 without rebooting. This new feature, plus the extensive zero-downtime kernel patching capabilities already included in Oracle Ksplice, make it an ideal choice for keeping your Oracle Linux infrastructure up to date and secure.
Monday Nov 02, 2015
By Chris Kawalek-Oracle on Nov 02, 2015
If you're unfamiliar with Ksplice, it provides zero-downtime patching (also known as “live patching”) for Linux. With Ksplice, updates and errata (CVEs, etc.) can be applied to running systems without restarting applications or rebooting. This is a boon for organizations since scheduling downtime across a server farm is a significant event, and many companies using a variety of operating systems only perform patches periodically in a regular cycle. But being able to apply critical updates immediately–or remove them, if necessary–without impacting servers even under heavy load allows administrators to reduce the window of vulnerability for security issues to the bare minimum, making systems more secure. A fantastic primer on Ksplice can be found in Wim Coekaerts' blog post The Magic of Ksplice.
While Ksplice has been a great tool for applying patches without downtime, it has been focused exclusively on kernel patches. That is, until last week with the announcement of userspace patching for Ksplice.
Why is userspace patching important? Well, patching the kernel as Ksplice has done for years solves a number of issues. It lets you patch security vulnerabilities at the kernel level, it allows you to apply patches to do diagnostics, and so on. But applications rely on services available above the kernel (in “userspace”) to do many of their tasks. For example, glibc, the GNU C Library, is the standard C and C++ library used by applications on Linux. And OpenSSL provides secure networking services for applications so applications don’t have to implement these features from scratch. But patching the kernel doesn’t help with changes that need to be made in these system wide libraries.
These standard libraries are very useful because they allow the community to optimize and standardize on how common tasks are accomplished. But since they are used by so many applications, a flaw in one of these libraries creates widespread exposure. Just such an exposure happened with the Heartbleed Bug, where an issue with OpenSSL left thousands of servers at risk.
With userspace patching in Ksplice, Oracle can now provide you with the tools to patch these userspace libraries without downtime. At Oracle OpenWorld last week, we were showing attendees in the Oracle Linux, Oracle VM, and OpenStack Showcase how we can apply userspace patches for the Ghost and Heartbleed vulnerabilities, check that the systems were indeed secured, and then roll those patches back to their unsecured state, all in a couple of minutes and without stopping running applications. This is the power of the new userspace feature of Ksplice. In this first release of userspace patching, the focus is on glibc and OpenSSL since this will cover many of the security related issues customers will run into.
Friday Oct 24, 2014
By Zeynep Koch-Oracle on Oct 24, 2014
Oracle and BeyondTrust present a Live Webinar:
Boost Your IT Security for the Holiday Season
When: Nov 6, 9am PT, 12pm EST
The holidays are generally a time for family, friends and cheer, but with all of this cheer comes something lurking in the dark: security breaches. As we prepare for the upcoming holiday season, it is imperative for organizations to understand the importance of implementing a security and compliance strategy. The most important components to address are least privilege, auditing, password management, and compliance.
Join this engaging webinar, hosted by Oracle and BeyondTrust, to learn how you can best protect your organization during the upcoming holiday season. By attending this webcast, you'll learn:
- Why it's important to implement a least privilege strategy this holiday season
- Understanding your organization’s data security compliance efforts
- Managing and implementing least privilege with BeyondTrust PowerBroker & Oracle Linux
- What you can do NOW to beef up your organization’s security & compliance program
Paul Harper, Product Manager for Server & Vulnerability Products, BeyondTrust
Michele Casey, Director of Product Management, Oracle Linux, Oracle
Friday Jun 20, 2014
By Chris Kawalek-Oracle on Jun 20, 2014
Our spotlight this week is on the large library of in-depth information about Oracle Linux on the Oracle documentation site. There is, of course, an administrator's guide, as you would expect. But there are also extremely comprehensive guides on Ksplice, DTrace, Spacewalk, security, and more. Check out the whole set for some Friday afternoon reading.
See you next week!
Friday Mar 21, 2014
By Chris Kawalek-Oracle on Mar 21, 2014
One of the things I like about our Friday Spotlight is not only do we talk about new things, it also gives us an opportunity to highlight older material that is still valuable. That's the case with this week's spotlight, which is about an article from 2012 that covers tips for hardening an Oracle Linux server. If you've come to Oracle Linux in the last couple of years, you might not have seen this, and it's just as relevant today as it was then.
This in-depth article covers minimizing active services, locking down network services, managing users and authentication, and much more. If you're a Linux administrator, you might want to consider adding this article to your Reading List, saving to Pocket or Evernote, or whatever mechanism you use to hold on to good resources.
We'll see you next week!
Friday Dec 06, 2013
By Chris Kawalek-Oracle on Dec 06, 2013
By now, you've probably heard about the release of Oracle Linux 6.5. One really cool thing about this release is that Unbreakable Enterprise Kernel Release 3 is installed by default, meaning you get to use all the great features of UEK R3 without needing to do a separate installation. And are there a lot of great features in UEK R3! So, our spotlight this week is on the release notes for the latest version of Oracle's Unbreakable Enterprise Kernel.
You'll learn about Control Groups, Linux Containers, DTrace, additional crypto options, improved diagnostics, the updated btrfs, better memory management, more networking options, improvements for performance, security, storage, and much more.
See you next Friday!
Friday Sep 07, 2012
By Lenz Grimmer on Sep 07, 2012
Some time ago, we published Tips for Hardening an Oracle Linux Server on the Oracle Technology Network. This article focused on hardening an Oracle Linux system right after the initial installation, exploring administrative approaches that help to minimize vulnerabilities.
This week we issued a second part, Tips for Securing an Oracle Linux Environment, which focuses on the operational part: detecting intrusion attempts, auditing and keeping systems up to date and protected.
If you manage Oracle Linux systems in your environment, check out these articles for some invaluable hints and suggestions on how to improve and maintain security of these servers!
Tuesday Jul 24, 2012
By Zeynep Koch-Oracle on Jul 24, 2012
We have two new Oracle Linux technical articles that you should not miss! They go into details about installation, best practices and key commands that will help you speed up your configurations.
1. How I Got Started with the Btrfs File System for Oracle Linux
by Margaret Bierman with Lenz Grimmer
This article describes the basic capabilities that the writer discovered while becoming familiar with the Btrfs file system in Oracle Linux, plus the instructions she used to create a file system, verify its size, create subdirectories, and perform other basic administrative tasks.
2. Tips for Hardening an Oracle Linux Server
by Lenz Grimmer and James Morris
Oracle Linux provides a complete security stack, from network firewall control to access control security policies. While Oracle Linux is designed "secure by default," this article explores a variety of those defaults and administrative approaches that help to minimize vulnerabilities.
And don't forget to bookmark the Oracle Linux Technology Center for future technical articles.