The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. As a result, we are releasing this advisory today as a coordinated effort, and patches for all distributions are available as of January 27, 2015.
What is glibc?
The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.
What is the vulnerability?
During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.
What is the risk?
There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.
Is the risk real?
During our testing, we developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine. This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems.
What can be done to mitigate the risk?
The best way to mitigate the risk is to apply a patch from your Linux vendor. Qualys has worked closely with Linux distribution vendors, and patches are available as of today, January 27, 2015.
Why is it called the GHOST vulnerability?
It is called the GHOST vulnerability because it can be triggered by the GetHOST functions.
Is this a design flaw?
No. This is an implementation problem in the affected versions of the software.
What versions and operating systems are affected?
The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed, for example Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04.
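A quick way to place a host's glibc in the upstream version range given above, as an added example that is not part of the Qualys advisory; the function name ghost_range and its output labels are assumptions made for illustration. Distributions that backported the fix keep the upstream version number, so an "in-range" result still has to be confirmed against the vendor's package changelog or advisory.

```shell
#!/bin/sh
# Classify a glibc version string against the upstream range stated above:
# first affected release glibc-2.2, fix committed between 2.17 and 2.18.
# Components are compared as integers: 2.2 is OLDER than 2.17, which a
# decimal or plain string comparison gets wrong.
# ghost_range is a hypothetical helper name, not a glibc or Qualys tool.
ghost_range() {
    ver=$1
    case "$ver" in *.*) ;; *) echo "unparseable"; return 1 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}      # "17" from "17", "17-106.el7" or "17.1"
    case "$major" in ''|*[!0-9]*) echo "unparseable"; return 1 ;; esac
    [ -n "$minor" ] || { echo "unparseable"; return 1; }
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; }; then
        echo "before-range"     # older than the first affected release
    elif [ "$major" -eq 2 ] && [ "$minor" -le 17 ]; then
        echo "in-range"         # affected upstream; check for a vendor backport
    else
        echo "fixed-upstream"   # 2.18 or later already contains the fix
    fi
}

# Report on the local system when getconf knows the glibc version
# (output looks like "glibc 2.17"); silently skipped on non-glibc systems.
ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
if [ -n "$ver" ]; then
    echo "local glibc $ver: $(ghost_range "$ver")"
fi
```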
Where can I download the exploit?
We want to give everyone enough time to patch. According to our data, once the vulnerability has reached its half-life we will release the exploit. Half-life is the time interval measuring a reduction of a vulnerability’s occurrence by half. Over time, this metric shows how successful efforts have been to eradicate the vulnerability. A shorter half-life indicates faster remediation. Half-life was originally coined by Qualys in the Laws of Vulnerability.
Qualys customers can detect GHOST by scanning with the Qualys Vulnerability Management (VM) cloud solution as QID 123191. This means that Qualys customers can get reports detailing their enterprise-wide exposure during their next scanning cycle, which allows them to get visibility into the impact within their organization and efficiently track the remediation progress of this serious vulnerability.
If you are a Linux administrator, you must know what sar is: a very useful utility for Linux administrators to get reports of CPU usage. You can monitor I/O, CPU usage and idle system state using the sar utility. This article will help you read / export sar reports in graphical mode.
In this HowTo, I will show you how you can export sar reports as PDF / JPG / PNG using kSar tool.
In RHEL / CentOS you will find sar reports under /var/log/sa
In Ubuntu / Debian based Linux you will find sar reports under /var/log/sysstat
Perform the following steps to export a sar report:
1. Make sure Java is installed on your system to open the kSar utility.
As we all know, Red Hat Enterprise Linux 7 and CentOS 7 are out now. I recently posted How to enter into Single User Mode / Rescue / Emergency Mode on RHEL 7 / CentOS 7.
This post is about securing Single User Mode / Rescue Mode / Emergency Mode on RHEL 7 / CentOS 7 in Grub2. By following this article you will be able to secure your Grub2 edits with a username and password. It is always a good idea to protect your Grub2.
In this howto, we will protect Grub2 with an encrypted password and with a plain password.
To follow this howto, make sure you have the root password so that you can make changes in Grub2. Please follow the instructions exactly and read the notes.
Do this at your own risk; you alone are responsible if anything goes wrong 🙂
Protect Grub2 with Plain Password Method
1. Log in as the root user or as a user with rights to edit the grub2 configuration file (sudo).
[tejas-barot@rhel-centos7-tejas-barot-linux ~]$ su -
2. Make a backup of existing grub.cfg and default /etc/grub.d/10_linux so if anything goes wrong we can always restore it.
3. Let’s generate the encrypted password with “grub2-mkpasswd-pbkdf2”. When you execute the command below, it will ask you for the password; enter the password twice. It will generate a password string which you need to add to the 10_linux file. (The string shown here is shortened; you will have to paste the complete string.)
[root@rhel-centos7-tejas-barot-linux ~]# grub2-mkpasswd-pbkdf2
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F1C4CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
4. Now add the entries that protect Grub2 with a username and password:
Note1: Replace the username and password in the lines below, and add the lines at the end of the file /etc/grub.d/10_linux.
Note2: Make sure you don’t insert the following entries multiple times.
Note3: Here I have used a shortened string as an example; you will have to add the full string to make it work.
[root@rhel-centos7-tejas-barot-linux ~]# vi /etc/grub.d/10_linux
cat << EOF
set superusers="tejasbarot"
password_pbkdf2 tejasbarot grub.pbkdf2.sha512.10000.F1C4CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
EOF
5. Now let us generate the new grub.cfg. Execute the following command.
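To check the result of the steps above, the following audit reads GRUB 2 configuration text and reports whether every superuser has a PBKDF2 entry rather than a clear-text password entry. It is an added example, not part of the original post: the names grub_audit, sample_hashed and sample_plain are assumptions, and both sample configurations are constructed.

```shell
#!/bin/sh
# Audit GRUB 2 configuration text for the password protection described above.
# Reads the files given as arguments, or stdin when none are given.
# Prints one finding per line, or "ok"; returns non-zero if anything was found.
grub_audit() {
    awk '
    BEGIN { n = 0 }
    /^[ \t]*(set[ \t]+)?superusers=/ {
        s = $0; sub(/^[^=]*=/, "", s); gsub(/"/, "", s)
        n = split(s, su, /[ ,;|&]+/)             # separators GRUB accepts
    }
    $1 == "password_pbkdf2" { hashed[$2] = 1 }   # PBKDF2 hash entry
    $1 == "password"        { plain[$2] = 1 }    # clear-text entry
    END {
        bad = 0; seen = 0
        for (i = 1; i <= n; i++) {
            u = su[i]; if (u == "") continue
            seen = 1
            if (u in plain)          { print "plaintext-password:" u; bad = 1 }
            else if (!(u in hashed)) { print "no-password:" u; bad = 1 }
        }
        if (!seen) { print "no-superusers"; bad = 1 }
        if (!bad) print "ok"
        exit bad
    }' "$@"
}

# Constructed sample: hashed entry as in step 4, hash replaced by a placeholder.
sample_hashed() {
    cat <<'EOF'
set superusers="tejasbarot"
password_pbkdf2 tejasbarot grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH
EOF
}

# Constructed sample: the same user with a clear-text password entry.
sample_plain() {
    cat <<'EOF'
set superusers="tejasbarot"
password tejasbarot ExampleClearTextPassword
EOF
}

echo "hashed sample: $(sample_hashed | grub_audit)"
echo "plain sample:  $(sample_plain | grub_audit)"
```

Run it against /etc/grub.d/10_linux or the generated grub.cfg by passing the file path as an argument; a clear-text entry is readable by anyone who can read that file.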
Setting up the root password is a mandatory part of the Red Hat Enterprise Linux 7 / CentOS 7 installation.
If you forget or lose your password, it is possible to reset it. This is now known as Rescue Mode / Emergency Mode in CentOS / RHEL 7; previously, in RHEL / CentOS 5/6, it was “Single User Mode”.
Note: In GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Red Hat Enterprise Linux 6. The root password is now required to operate in single-user mode as well as in emergency mode.
Process: Resetting the Root Password
Please follow this procedure carefully; any mistake can make your system / Linux unstable. Perform this at your own risk.
Start the system and, on the GRUB 2 boot screen, press the e key for edit.
Add the following parameter at the end of the linux line, or linuxefi on UEFI systems (in the case of a virtual machine such as VMware, KVM or VirtualBox, use rd.break instead of init=/bin/sh):
The Linux kernel will run the /bin/sh shell rather than the system init daemon. Therefore, some functions may be limited or missing.
The rhgb and quiet parameters must be disabled in order to enable system messages.
Press Ctrl+x to boot the system with the parameter.
The shell prompt appears.
The file system is mounted read-only. You will not be allowed to change the password if the file system is not writable.
To remount the file system as writable, run the mount -o remount,rw / command.
Run the passwd command and follow the instructions displayed on the command line to change the root password.
Note that if the system is not writable, the passwd tool fails with the following error:
Authentication token manipulation error
To make sure that SELinux context of the files that were modified is restored properly after boot, run
Run the exec /sbin/init command to resume the initialization and finish the system boot.
Running the exec command with another command specified replaces the shell and creates a new process; init in this case.
Alternatively, if you wish to reboot the system, run the exec /sbin/reboot command instead.
Enjoy RHEL 7 🙂 Enjoy CentOS 7 🙂 Enjoy Linux 🙂 Enjoy Open Source 🙂
Today I was trying to learn about Systemd. I found a great article about firewalld and am sharing it with you; it will help you understand this big and major change in RHEL and CentOS 7.
This article is not mine. I found it on the internet and felt that it is a wonderful article, so I am sharing it with you all. Thanks to the original author; credit is given to him at the end of the article.
Firewalld is the new userland interface in RHEL 7. It replaces the iptables interface and connects to the netfilter kernel code. It mainly improves the security rules management by allowing configuration changes without stopping the current connections.
To know if Firewalld is running, type:
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago
# firewall-cmd --state
Note: If Firewalld is not running, the command displays not running.
If you’ve got several network interfaces in IPv4, you will have to activate ip_forwarding.
To do that, paste the following line in the /etc/sysctl.conf file:
Note1: Type --remove-service=http to deny the http service.
Note2: The firewall-cmd --reload command is necessary to activate the change. Contrary to the --complete-reload option, current connections are not stopped.
To get the list of services in the default zone, type:
# firewall-cmd --list-services
Note: To get the list of the services in a particular zone, add the --zone= option.
Service firewall configuration
With the Firewalld package, the firewall configuration of the main services (ftp, httpd, etc) comes in the /usr/lib/firewalld/services directory. But it is still possible to add new ones in the /etc/firewalld/services directory. Also, if files exist at both locations for the same service, the file in the /etc/firewalld/services directory takes precedence.
For example, this is the case for the HAProxy service: there is no firewall configuration associated with it.
Create the /etc/firewalld/services/haproxy.xml file and paste the following lines:
If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all packets will get your firewall ip address as source address.
To set up masquerading on the external zone, type:
# firewall-cmd --zone=external --add-masquerade
Note1: To remove masquerading, use the --remove-masquerade option.
Note2: To know if masquerading is active in a zone, use the --query-masquerade option.
In addition to masquerading, you may want to use port forwarding.
If you want all packets intended for port 22 to be now forwarded to port 3753, type:
Note1: To remove port forwarding, use the --remove-forward-port option.
Note2: To know if port forwarding is active in a zone, use the --query-forward-port option.
Also, if you want to define the destination ip address, type:
I just installed CentOS 7 on my virtual machine and realized that Firewalld is a bit complicated, as I have been using the iptables firewall for many years. So I decided not to use firewalld, at least for now, and wanted to continue with the iptables commands I was using in RHEL / CentOS 5 and 6.
I thought iptables would not be there and I would have to deal with firewalld, but a small trick in RHEL 7 took me to the solution I wanted: I found that I can still use iptables by disabling the firewalld service.
So, if you are in the same situation as me and you want to use iptables on CentOS / RHEL 7 instead of firewalld, please follow this howto.
As we all know, CentOS / RHEL 7 are both completely systemd based, so we will have to use a few systemd-related commands to disable firewalld and enable the iptables service.
The Firewalld service is now disabled and stopped; you can use iptables.
Now you will be able to use iptables as your firewall. You can add / remove rules as you did in the previous releases, Red Hat / CentOS 5 and 6, and configure the firewall with iptables in the same manner as before.
RHEL 7 is released, and I am getting constant calls / emails / messages from many friends in many different places regarding their doubts about upgrading from RHEL 5 to 6 or 6 to 7.
I am sharing this to clear up the confusion / doubts.
Clear your doubts regarding upgrading:
1. Yes, RHEL 7 is out, but there is no compulsion or mandate from Red Hat to upgrade your certificate from RHEL 5 to 6 or RHEL 6 to 7. It is not mandatory at all; it is all up to you.
2. Whether it is the RHEL 6 release or the RHEL 7 release, if you are an RHCE then do not worry: your certificate is not going to expire. There is nothing like “expiry” in the RHCE certificate. You will still be known as a “Red Hat Certified Engineer”; the only difference is that you will be known as “RHCE from non-current Version”.
3. The RHCE certificate / exam is not mandatory for Red Hat Enterprise Virtualization. You can take the RHEV exam directly.
4. The same applies here: the RHCE certificate / exam is not mandatory for the Red Hat OpenStack exam. You can take the Red Hat OpenStack exam directly.
I was getting lots of calls / emails / messages asking for help with these queries, so I have shared this here; if some friends here have the same queries / doubts / confusion, it will clear them up.