Monday Dec 19, 2016

MONDAY SPOTLIGHT: Patching User Space with Oracle Ksplice

Oracle Ksplice is a powerful tool that allows administrators to increase the speed of deployment of critical patches and helps eliminate downtime.

The Ksplice enhanced client extends Ksplice to enable in-memory patching of critical user space libraries in Oracle Linux. The ability to patch these libraries in memory without rebooting not only increases system security but also reduces costly system downtime. Recent vulnerabilities such as Heartbleed can be patched automatically without administrator intervention, maintenance windows or downtime.

Before you enable Ksplice, you need to disable any prelinking of binaries that may have occurred. Oracle Linux 6 systems come with the prelink tool installed by default, which must be removed to prevent conflicts with the Ksplice enhanced client. Oracle Linux 7 systems do not have prelink installed by default.

# prelink -au
# yum remove prelink

Installation of the Ksplice enhanced client is simple for Oracle Linux servers that are registered to the Unbreakable Linux Network (ULN).

Log in to the ULN web interface, select the system you want to enable Ksplice on, then click on Manage Subscriptions. Next, enable the Ksplice-aware user space packages channel for that server.

After enabling the Ksplice-aware user space packages channel, use yum to install the Ksplice enhanced client on the server:

# yum install -y ksplice

Once the Ksplice client is installed, retrieve your access key for Ksplice from ULN and add it to the Ksplice configuration by editing /etc/uptrack/uptrack.conf.

Next, use yum to install the Ksplice-aware versions of the user space packages installed on your server, without updating any other packages on the system, by running the following command:

# yum --disablerepo='*' --enablerepo=ol7_x86_64_userspace_ksplice update

A single reboot is required to activate the newly installed Ksplice-aware libraries. After you reboot the system once, you will then be able to apply any future patches to both the kernel and critical user space libraries without rebooting.
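Before that one-time reboot, the earlier steps can be verified with a short script. This is an added example, not part of the original post or of Oracle's tooling; the function names are illustrative, and it assumes that /etc/uptrack/uptrack.conf is INI-style with the key stored as `accesskey` under `[Auth]` and that an unedited file still holds the placeholder `INSERT_ACCESS_KEY`.

```bash
#!/bin/bash
# Added example: pre-reboot checks for the Ksplice enhanced client setup.
# Assumed config layout (not shown on the page):
#   [Auth]
#   accesskey = <key from ULN>

# Print the accesskey value found in the [Auth] section of the file in $1.
uptrack_accesskey() {
    awk '
        /^[ \t]*\[/ { in_auth = ($0 ~ /^[ \t]*\[Auth\]/); next }
        in_auth && /^[ \t]*accesskey[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "accesskey ="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }' "$1"
}

# Succeed only if a key is present and is not the assumed placeholder.
accesskey_is_set() {
    local key
    key=$(uptrack_accesskey "$1") || return 1
    [ -n "$key" ] && [ "$key" != "INSERT_ACCESS_KEY" ]
}

# Check each step of the procedure; package names are the ones used
# in the yum commands on this page.
ksplice_preflight() {
    local conf=${1:-/etc/uptrack/uptrack.conf} rc=0
    if rpm -q prelink >/dev/null 2>&1; then
        echo "FAIL: prelink still installed (prelink -au; yum remove prelink)"
        rc=1
    fi
    if ! rpm -q ksplice >/dev/null 2>&1; then
        echo "FAIL: ksplice package is not installed"
        rc=1
    fi
    if ! accesskey_is_set "$conf"; then
        echo "FAIL: no access key configured in $conf"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: prerequisites met, schedule the one-time reboot"
    fi
    return "$rc"
}

# Run the checks only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    ksplice_preflight
fi
```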

In addition to patching both kernel and critical user space packages, Ksplice can also be used as a diagnostic tool by Oracle Support to load diagnostic kernels without rebooting the system. 

The following white paper provides the workflow of using Ksplice as a diagnostic tool with Oracle Support: 


The full Ksplice User Guide can be found here: 


Are you ready to take back your weekends and increase the security of your systems with Ksplice?

Monday Dec 12, 2016

MONDAY SPOTLIGHT: Updated Docker images for Oracle Linux

Docker is becoming even more popular for customers and users to optimise their deployment processes, particularly when integrated into a Continuous Integration (CI) and Continuous Delivery (CD) pipeline. Docker forms the basis of several Oracle Cloud products, including the Oracle Developer Cloud, Oracle Application Container Cloud and Oracle Container Cloud.

As part of Oracle's ongoing commitment to security, we regularly release updates to the official Oracle Linux base images hosted on the Docker Hub and in the official Oracle GitHub repository. In the past month, we have released 5 updates across the Oracle Linux 5, 6 and 7 images to cover several CVEs that have been fixed.

Learn more about ensuring your Docker images are built using the latest images provided by Oracle. 

[Read More]

Wednesday Oct 26, 2016

Take Action on Dirty COW

I am sure you have heard about "Dirty COW" by now and may be trying to figure out if you need a patch or how to patch your Linux systems.

Dirty COW is a concurrency vulnerability in the Linux kernel’s memory subsystem that allows uncontrolled access to shared data. Specifically, this is a copy-on-write (COW) breakage that could allow an unprivileged user to gain write access to otherwise read-only memory mappings and potentially increase their privileges on the system.

This vulnerability was reported last week and it is recommended that you promptly implement fixes/patches to address it, to help ensure the rights/privileges you have in place to contain users’ read/write access are not altered.

Oracle has released updates to Oracle Linux to address Dirty COW. For those customers with an Oracle Premier Support subscription, this is a good time to use the Ksplice service, which enables you to access and apply these patches with zero downtime. Read more about it in the Ksplice blog.

For customers without a Premier Support subscription, you will need to schedule downtime, apply the patches and restart your system. If you need to update your Oracle Linux kernel, you can find Oracle Support Document 2117117.1 (Master Note for Reference Index of CVE IDs and Errata: Oracle Linux and Oracle VM)  at this site.

PC: Dirty Cow Logo from https://upload.wikimedia.org/wikipedia/commons/1/1b/DirtyCow.svg

Friday Sep 09, 2016

OOW16: Showcase Partner Spotlight - amitego AG

In this Friday spotlight we are all about Oracle OpenWorld, happening on September 18-22 in the beautiful city of San Francisco.

This year we are very excited to have 8 partners showcasing their solutions at the Oracle Linux, Virtualization and OpenStack Showcase at Oracle OpenWorld. Our showcase area will feature partner and Oracle pods as well as a Mini Theatre where partners will present their solutions. We have exciting demos and giveaways which should be an incentive to come by.

Our showcase partner in this spotlight blog is amitego AG.

amitego AG’s VISULOX (based on Oracle Secure Global Desktop) offers rule-based control and management of privileged users accessing the data center. It includes device-less two-factor-authentication, software-based recording of user sessions, and controlled data transfer up to the limit of command and script usage, all without any changes to servers and clients. It integrates information from LDAP or Active Directories and supports a variety of application servers and clients.

amitego AG Sessions:

Monday, Sep 19, 2:00-2:20pm  - Showcase Mini Theatre

Controlled Cloud Access with Oracle Secure Global Desktop and VISULOX 

Wednesday, Sep 21, 3:00 p.m. | Park Central - Concordia 

[CON7431] Secure Cloud Access with Oracle Secure Global Desktop and VISULOX 

Please visit amitego AG at kiosk SLX-007 at the Oracle Linux, Virtualization, and OpenStack Showcase (booth 1901) in Moscone South.

For more information about amitego AG and VISULOX, visit this site.

Monday Apr 04, 2016

Announcing New Features for Ksplice

Offline Support for userspace patching is now available in Ksplice.

For customers hosting their own yum repositories, or those with restricted access to outside update channels, you can now integrate Ksplice userspace patches into your existing offline Ksplice patching procedures.  This expands the initial support with online patching capabilities and provides the maximum flexibility and choice for customers managing critical updates.

If you have wanted to use Ksplice for userspace but were restricted by the online service, you are now able to take full advantage of all the services and features available.

 Let us know what you think. 

Friday Feb 19, 2016

FRIDAY SPOTLIGHT: CVE-2015-7547 - Ksplice solves glibc flaw with zero-downtime and no disruptions

This week we have seen a new vulnerability making the rounds involving glibc. The issue at hand involves a couple of libraries (libresolv and libnss_dns), which are used commonly with tasks like DNS lookups. Using the function getaddrinfo() could generate a stack buffer overflow with larger replies, which in turn could be used maliciously to trigger an exploit through attacker-controlled domain names, attacker-controlled DNS servers or man-in-the-middle attacks.

The glibc upstream project released a patch for this issue and most distributions (including Oracle Linux) have released updated glibc packages containing this fix.  Since glibc is a core system library that is used by almost every application on a system, updates to the package typically require restarting applications and best practices would suggest a system reboot.  

Oracle Linux customers with premier support have the advantage of our Ksplice services, which makes it possible to install both kernel and user space updates without the need to restart applications or reboot the system.  If you would like more information about Ksplice and Oracle Linux, please visit our website.
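The restart requirement described above can be observed directly: after a conventional package update replaces the library files on disk, processes started earlier keep mapping the old copies, which /proc/<pid>/maps marks as "(deleted)". The script below is an added example, not from the original post; its function names and the library-name pattern are illustrative, and the sample maps text is constructed.

```bash
#!/bin/bash
# Added example: list processes still mapping a replaced glibc component.

# Awk regex for the libraries named in this post (libc, libresolv, libnss_dns).
STALE_LIB_PATTERN='/(libc|libresolv|libnss_dns)[-.]'

# Constructed sample in /proc/<pid>/maps format, for trying the parser offline.
SAMPLE_MAPS='7f3a10000000-7f3a101c4000 r-xp 00000000 fd:00 131090 /usr/lib64/libc-2.17.so (deleted)
7f3a101c4000-7f3a103c3000 ---p 001c4000 fd:00 131090 /usr/lib64/libc-2.17.so (deleted)
7f3a10600000-7f3a10616000 r-xp 00000000 fd:00 131200 /usr/lib64/libresolv-2.17.so (deleted)
7f3a10800000-7f3a10a00000 r-xp 00000000 fd:00 140001 /usr/lib64/libcrypto.so.1.0.1e
7f3a10c00000-7f3a10c21000 rw-p 00000000 00:00 0 [heap]
7f3a10e00000-7f3a10e10000 rw-s 00000000 00:05 99 /dev/shm/cache file (deleted)'

# Read maps-format text on stdin and print each distinct deleted mapping
# whose path matches the awk regex in $1.
stale_libs_in_maps() {
    awk -v pat="$1" '
        / \(deleted\)$/ {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i   # paths may contain spaces
            if (path ~ pat && !seen[path]++) print path
        }'
}

# Walk /proc and print "pid<TAB>command<TAB>path" for every stale mapping.
# Reading other users' maps files needs root; unreadable ones are skipped.
stale_processes() {
    local pat=${1:-$STALE_LIB_PATTERN} maps pid stale comm
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(cat "$maps" 2>/dev/null | stale_libs_in_maps "$pat")
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        printf '%s\n' "$stale" | while IFS= read -r p; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$p"
        done
    done
}

case "${1:-}" in
    --scan) stale_processes ;;
    --demo) printf '%s\n' "$SAMPLE_MAPS" | stale_libs_in_maps "$STALE_LIB_PATTERN" ;;
esac
```

Run with `--scan` as root after updating glibc; every process listed is still executing the old library code until it is restarted.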

Friday Jan 29, 2016

FRIDAY SPOTLIGHT: Running OpenSCAP Compliance Checks on Oracle Linux

This Friday we would like to highlight a great new OTN article: Running OpenSCAP compliance checks on Oracle Linux.

Many of you may have heard of OpenSCAP; if not, here are some details. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

As a part of IT security management, organizations usually define a security policy that standardizes optimal internal practices, processes, and configurations. When a company stores or processes sensitive data (including personal identity, financial data, or healthcare records), the security policy must also reflect relevant government and regulatory standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). Standards often specify hardening guidelines and IT system requirements as well as required security practices. Many standards also mandate formal security reviews that must be performed by certified auditors on a regular schedule. In addition to these formal compliance assessments, IT departments typically conduct informal security reviews to detect and remedy vulnerabilities that might otherwise result in system or data compromise.

The diversity of data center systems adds to the challenge of developing effective and efficient strategies for IT security management. To help organizations automate compliance checks and implement security policy more universally across heterogeneous data centers, the US National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) standard. NIST created SCAP to provide a standardized approach for implementing enterprise system security and baseline profiles for compliance audits. Based on the SCAP standard, the OpenSCAP project supplies open source tools and policies to automate compliance checking and consistently apply security policy across different system types.

To automate compliance checking on Oracle Linux servers, the operating system includes packages containing an OpenSCAP framework and an implementation of the OpenSCAP interpreter, oscap. In addition, Oracle makes SCAP content files available to evaluate Oracle Linux system configurations against a defined security policy, industry-accepted hardening guidelines, and known vulnerabilities. This article can help administrators get started using the OpenSCAP functionality in Oracle Linux. It describes the various SCAP content files available to automate compliance checks, as well as how to obtain and use security advisory content that Oracle regularly publishes. It also discusses how to use Spacewalk, a tool for Linux systems management, to run OpenSCAP audits on Spacewalk-managed Oracle Linux client systems.

Read more in this full article: Running OpenSCAP Compliance Checks on Oracle Linux

Friday Jan 22, 2016

FRIDAY SPOTLIGHT: Announcing User Space Support for Ksplice on Oracle Linux 6

During Oracle OpenWorld 2015 Oracle released new features for Oracle Ksplice which introduced groundbreaking capabilities to patch user space libraries in Oracle Linux 7 without rebooting. This new feature, plus the extensive zero-downtime kernel patching capabilities already included in Oracle Ksplice, make it an ideal choice for keeping your Oracle Linux infrastructure up to date and secure.

Today, Oracle is pleased to announce user space patching with Oracle Ksplice is now available for Oracle Linux Premier Support customers using Oracle Linux 6. Now you can take advantage of this cutting edge technology to keep key user space libraries up to date on Oracle Linux 6 or Oracle Linux 7. And, of course, Oracle Ksplice continues to provide critical kernel patches so you can patch both kernel and user space without ever needing to reboot.

Read about the user space patching capabilities of Oracle Ksplice in the updated documentation, and get the latest Oracle Ksplice packages with your Oracle Linux Premier Support agreement from the Unbreakable Linux Network.

Monday Nov 02, 2015

New Userspace Patching with Oracle Ksplice!

Last week, Larry Ellison introduced userspace patching with Oracle Ksplice. This is a groundbreaking addition to the already extensive capabilities of Ksplice, giving administrators the tools they need to cope with security threats and other issues without impacting running systems.

If you're unfamiliar with Ksplice, it provides zero-downtime patching (also known as “live patching”) for Linux. With Ksplice, updates and errata (CVEs, etc.) can be applied to running systems without restarting applications or rebooting. This is a boon for organizations since scheduling downtime across a server farm is a significant event, and many companies using a variety of operating systems only perform patches periodically in a regular cycle. But being able to apply critical updates immediately, or remove them if necessary, without impacting servers even under heavy load allows administrators to reduce the window of vulnerability for security issues to the bare minimum, making systems more secure. A fantastic primer on Ksplice can be found in Wim Coekaerts' blog post The Magic of Ksplice.

While Ksplice has been a great tool for applying patches without downtime, it has been focused exclusively on kernel patches. That is, until last week with the announcement of userspace patching for Ksplice.

Why is userspace patching important? Well, patching the kernel as Ksplice has done for years solves a number of issues. It lets you patch security vulnerabilities at the kernel level, it allows you to apply patches to do diagnostics, and so on. But applications rely on services available above the kernel (in “userspace”) to do many of their tasks. For example, glibc, the GNU C Library, is the standard C and C++ library used by applications on Linux. And OpenSSL provides secure networking services for applications so applications don’t have to implement these features from scratch. But patching the kernel doesn’t help with changes that need to be made in these system wide libraries.

These standard libraries are very useful because they allow the community to optimize and standardize on how common tasks are accomplished. But since they are used by so many applications, a flaw in one of these libraries creates widespread exposure. Just such an exposure happened with the Heartbleed Bug, where an issue with OpenSSL left thousands of servers at risk.

With userspace patching in Ksplice, Oracle can now provide you with the tools to patch these userspace libraries without downtime. At Oracle OpenWorld last week, we were showing attendees in the Oracle Linux, Oracle VM, and OpenStack Showcase how we can apply userspace patches for the Ghost and Heartbleed vulnerabilities, check that the systems were indeed secured, and then roll those patches back to their unsecured state, all in a couple of minutes and without stopping running applications. This is the power of the new userspace feature of Ksplice. In this first release of userspace patching, the focus is on glibc and OpenSSL since this will cover many of the security related issues customers will run into. 

With the addition of userspace patching, a great tool just got even better. Ksplice can now patch the running Linux kernel and also patch userspace glibc and OpenSSL without downtime. Userspace patching is a huge development in zero-downtime patching, and another tool in the toolbox for administrators needing to cope with critical updates. This brings the magic of Ksplice from the kernel up to userspace, making your systems safer.

Userspace patching for Ksplice is available now in the enhanced Ksplice client for customers with Oracle Linux Premier Support. You can read about it in the latest Ksplice documentation and when you’re ready to try it out, you can enable it on the Unbreakable Linux Network and install it on your systems.

Friday Oct 24, 2014

Friday Spotlight: Boost Your IT Security for the Holiday Season - BeyondTrust and Oracle Webinar

Oracle and BeyondTrust present Live Webinar:

Boost Your IT Security for the Holiday Season

When: Nov 6, 9am PT, 12pm EST

Register

The holidays are generally a time for family, friends and cheer, but with all of this cheer comes something lurking in the dark: security breaches. As we prepare for the upcoming holiday season, it is imperative for organizations to understand the importance of implementing a security and compliance strategy. The most important components to address are least privilege, auditing, password management, and compliance.

Join this engaging webinar, hosted by Oracle and BeyondTrust, to learn how you can best protect your organization during the upcoming holiday season. By attending this webcast, you'll learn:

  • Why it's important to implement a least privilege strategy this holiday season
  • Understanding your organization’s data security compliance efforts
  • Managing and implementing least privilege with BeyondTrust PowerBroker & Oracle Linux
  • What you can do NOW to beef up your organization’s security & compliance program

Speakers:

Paul Harper, Product Manager for Server & Vulnerability Products, BeyondTrust

Michele Casey, Director of Product Management, Oracle Linux, Oracle

Register today

Friday Jun 20, 2014

Friday Spotlight: A Wealth of Information on Oracle Linux

Happy Friday!

Our spotlight this week is on the large library of in-depth information about Oracle Linux on the Oracle documentation site. There is, of course, an administrator's guide, as you would expect. But there are also extremely comprehensive guides on Ksplice, DTrace, Spacewalk, security, and more. Check out the whole set for some Friday afternoon reading.

See you next week! 

-Chris

Friday Mar 21, 2014

Friday Spotlight: Tips for Hardening an Oracle Linux Server

Happy Friday!

One of the things I like about our Friday Spotlight is not only do we talk about new things, it also gives us an opportunity to highlight older material that is still valuable. That's the case with this week's spotlight, which is about an article from 2012 that covers tips for hardening an Oracle Linux server. If you've come to Oracle Linux in the last couple of years, you might not have seen this, and it's just as relevant today as it was then.

This in-depth article covers minimizing active services, locking down network services, managing users and authentication, and much more. If you're a Linux administrator, you might want to consider adding this article to your Reading List, saving to Pocket or Evernote, or whatever mechanism you use to hold on to good resources.

Read: Tips for Hardening an Oracle Linux Server

We'll see you next week!

-Chris 

Friday Dec 06, 2013

Oracle Linux Friday Spotlight - December 6, 2013

Happy Friday!

By now, you've probably heard about the release of Oracle Linux 6.5. One really cool thing about this release is that Unbreakable Enterprise Kernel Release 3 is installed by default, meaning you get to use all the great features of UEK R3 without needing to do a separate installation. And are there a lot of great features in UEK R3! So, our spotlight this week is on the release notes for the latest version of Oracle's Unbreakable Enterprise Kernel.

Unbreakable Enterprise Kernel Release 3 release notes

You'll learn about Control Groups, Linux Containers, DTrace, additional crypto options, improved diagnostics, the updated btrfs, better memory management, more networking options, improvements for performance, security, storage, and much more.

See you next Friday!

-Chris 

Friday Sep 07, 2012

New Article on OTN: Tips for Securing an Oracle Linux Environment

Some time ago, we published Tips for Hardening an Oracle Linux Server on the Oracle Technology Network. This article focused on hardening an Oracle Linux system right after the initial installation, exploring administrative approaches that help to minimize vulnerabilities.

This week we issued a second part, Tips for Securing an Oracle Linux Environment, which focuses on the operational part: detecting intrusion attempts, auditing and keeping systems up to date and protected.

If you manage Oracle Linux systems in your environment, check out these articles for some invaluable hints and suggestions on how to improve and maintain security of these servers!

Tuesday Jul 24, 2012

Don't miss the Latest Technical Articles about Btrfs and Linux Security

We have two new Oracle Linux technical articles that you should not miss! They go into details about installation, best practices and key commands that will help you speed up your configurations.

1. How I Got Started with the Btrfs File System for Oracle Linux

by Margaret Bierman with Lenz Grimmer

This article describes the basic capabilities that the writer discovered while becoming familiar with the Btrfs file system in Oracle Linux, plus the instructions she used to create a file system, verify its size, create subdirectories, and perform other basic administrative tasks.

Read more 

2. Tips for Hardening an Oracle Linux Server

by Lenz Grimmer and James Morris

Oracle Linux provides a complete security stack, from network firewall control to access control security policies. While Oracle Linux is designed "secure by default," this article explores a variety of those defaults and administrative approaches that help to minimize vulnerabilities.

Read more 

And don't forget to bookmark the Oracle Linux Technology Center for future technical articles.

Happy reading. 


About

Get the latest updates on strategy, products, events, news, customers, partners and all things Oracle Linux! Connect with Oracle's Linux experts.
