Posts

Showing posts from 2023

Common Git Tips

Image
Obtain list of commits git reflog --oneline git log --oneline These commands will also print commit ID - a.k.a. commit hash. Obtain list of branches created by a user git for-each-ref --format=' %(authorname) %09 %(refname)' --sort=authorname | grep <username> Obtain branch hash git show-ref branch_name Delete a local/remote branch Assume that a branch "bugfix/114355" is created to fix a bug. To delete the local branch: git branch -d bugfix/114355 git branch -D bugfix/114355 '-D' is same as specifying "--delete --force" . To remove the remote branch as well: git push origin --delete bugfix/114355 Undo last commit git reset --soft HEAD~1 Roll back repo to a commit To roll-back the repository to a particular commit, follow these steps. find the hash corresponding to the particular commit by checking the commit logs: git log --oneline roll back the repository by resetting the HEAD pointer: git reset --hard <commit_hash> Remove the latest co...

Linux Kernel Security: Protecting the Heart of Your Operating System

Image
The Linux kernel is the core component of the Linux operating system, responsible for managing system resources and providing a secure environment for applications to run. As the heart of the operating system, it is crucial to ensure the security of the Linux kernel to protect against potential vulnerabilities and attacks. In this blog post, we will explore some of the key security features and mechanisms implemented in the Linux kernel. 1. Secure Boot Secure Boot is a feature that ensures only trusted software is loaded during the boot process. It uses cryptographic signatures to verify the integrity of the bootloader and kernel, preventing the execution of malicious code. The Linux kernel supports Secure Boot through technologies like UEFI (Unified Extensible Firmware Interface) and TPM (Trusted Platform Module), providing a secure foundation for the entire system. 2. Address Space Layout Randomization (ASLR) ASLR is a technique that randomizes the memory layout of processes, making ...

Security in Linux Kernel - Part 3

Image
  In this short post we will explore a Linux system call facilitating secure computing. In earlier parts of this series we saw how LSMs protect the kernel. However, LSMs occupy a much deeper position in the call hierarchy and do not offer protection at process level. Additional mechanism is required to provide protection at process level. Need for a system call In Linux, applications programs use a number of system calls, in fact a large number of system calls are available to applications programmer. These processes using system calls expose a large area of the kernel to malicious attacks. Linux offers a mechanism to limit this capability using seccomp system call, thereby reducing the attack surface. seccomp is enabled using prctl() system call with appropriate operation mode. seccomp Modes The seccomp system call works in two modes - strict mode (SECCOMP_SET_MODE_STRICT) and filter mode (SECCOMP_SET_MODE_FILTER). When seccomp is set to first mode, i.e. strict mode , process has ...

Security in Linux Kernel - Part 2

Image
  In the previous part of this series, we saw role of LSMs in kernel security. As mentioned earlier, there are eight LSMs available today in the modern Linux kernel. In this part, let's have a look at different main stream LSMs. SMACK Simplified Mandatory Access Control Kernel ( SMACK ) is designed primarily for embedded linux systems with an intention to make it easier for administrators. This was the second LSM (after SELinux) to be accepted in the linux kernel. It appeared in the 2.6.25 kernel release. This is an attribute (label) based simple LSM, and is the default for Linux implementations tuned for Automotive industry. Yama Yama collects system-wide DAC security restrictions that are not handled by the core kernel itself. It offers control over scope of ptrace() system call to control ptrace attachment by processes. Build time configuration option CONFIG_SECURITY_YAMA and runtime option through sysctls can be used to enable this LSM. The ptrace restrictions can be controll...

Security in Linux Kernel - Part 1

Image
  User-land security in Linux is pretty robust and finely ingrained into the design philosophy of the OS and inherited from the UNIX legacy. Beating at the centre of this robust OS is the equally robust heart of the OS - the Kernel. Linux User has various tools and types of security at her disposal - such as enforcement of different roles and groups with varying levels of privileges, authorisations, access control using authentications, policy enforcement and logging, secure memory and process management techniques, secure protocols and of course, trust-worthy kernel. Roughly these techniques can also be described as DACs (Discretionary Access Controls) and MACs (Mandatory Access Controls). Example of DACs is the file and directory permissions in Linux (rwx for ugo) using which access to user data can be controlled. What is the need? But how does Linux Kernel ensures and enforces security in the Kernel-land? The Kernel relies on different MAC techniques like security modules, secur...