Thursday, September 25, 2014

Shell Shock Vulnerability: How to test and patch your Debian and Ubuntu machines from the "Shell Shock" vulnerability

'Shell Shock' is a very new vulnerability that has just come to light and it seems like it might be pretty bad. One of my co-workers just told me about this.

Luckily the fix is pretty straightforward:

$ sudo apt-get update; sudo apt-get install bash

If your system is vulnerable, the following command will print out 'vulnerable':

$  env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
After you have patched your system, the same test will provide different output:

$ env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for `var'
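The same probe as above, wrapped so it can be scripted across many hosts or dropped into a monitoring check. This is an added example, not code from the original post; the function names, the BASH_BIN override and the list of candidate binaries are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the post's one-line Shellshock
# probe as reusable shell functions. Names and the BASH_BIN override are assumed.

# shellshock_check [path-to-bash]
# Exit status: 0 = the trailing command ran (vulnerable),
#              1 = the function import was refused (not vulnerable),
#              2 = the binary could not be found or run.
shellshock_check() {
    bash_bin="${1:-${BASH_BIN:-bash}}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Same probe as in the post: an exported "function" whose body is followed
    # by an extra command. A vulnerable bash keeps parsing past the body and
    # runs 'echo vulnerable'; a patched bash refuses the import and only
    # prints a warning on stderr (captured here via 2>&1).
    out=$(env var='() { ignore this;}; echo vulnerable' "$bash_bin" -c /bin/true 2>&1) || return 2
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# shellshock_status [path-to-bash]
# Prints one word (vulnerable | not-vulnerable | missing) for scripts and logs.
# A non-bash shell such as dash ignores the variable and reports not-vulnerable.
shellshock_status() {
    rc=0
    shellshock_check "$@" || rc=$?
    case "$rc" in
        0) printf 'vulnerable\n' ;;
        1) printf 'not-vulnerable\n' ;;
        *) printf 'missing\n' ;;
    esac
}

# Report on the bash locations commonly seen on Debian/Ubuntu, plus /bin/sh in
# case it is linked to bash rather than dash (constructed candidate list).
shellshock_report() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh; do
        printf '%-20s %s\n' "$b" "$(shellshock_status "$b")"
    done
}

shellshock_report
```

Run it on each host after patching; any line reporting "vulnerable" means that binary still needs the updated bash package.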


Happy patching!



http://ubuntuforums.org/showthread.php?t=2245631

http://seclists.org/oss-sec/2014/q3/650

Friday, September 5, 2014

GRUB Options to change on your Ubuntu 12.04 Servers

A recent set of policy changes from Canonical (the maintainers of the Ubuntu distribution) have changed the default way that the GRUB boot loader behaves.  The changes make the boot loader hidden by default during the boot process and they have changed the default

I think that their motivations make perfect sense on the average user's desktop PC or the tablet market but in my not so humble opinion, it's the wrong direction for a server. I want the GRUB menu to come up by default and wait for a few seconds. I want to see all the kernel messages as it boots. This is absolutely critical for troubleshooting problems during the boot process. If you are using a remote KVM then a longer delay can really help with latency issues, and bringing up the menu automatically helps with many problems I've run into with KVM keyboards and the slow video mode changes that can occur with some remote KVM models.

On the servers I'm responsible for I use the following settings to make sure that GRUB runs in text mode, always brings up the menu and waits for 10 seconds before booting the default option:


/etc/default/grub
GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=10
GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
GRUB_TERMINAL=console
GRUB_INIT_TUNE="480 440 1"
GRUB_GFXPAYLOAD_LINUX=text