Standard Linux Tuning

Hello Bloggers, the majority of applications these days are deployed on a (Debian / Red Hat) Linux operating system as the base OS. I would like to share some generic tuning that can be done before deploying any application on it.

Index

Component | Question | Test | Reason

Network

These are some checks to validate the network setup.

Network | Are the switches redundant? | Unplug one switch. | Fault-tolerance.
Network | Is the cabling redundant? | Pull cables. | Fault-tolerance.
Network | Is the network full-duplex? | Double-check the setup. | Performance.

Network adapter (NIC) tuning

It is recommended to consult the network adapter provider on recommended Linux TCP/IP settings for optimal performance and stability on Linux. There are also quite a few TCP/IP tuning sources on the Internet, such as

NIC | Are the NICs fault-tolerant (aka auto-port negotiation)? | Pull cables and/or disable the network adapter. | Fault-tolerance.
NIC | Set the transmission queue depth


How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364 [ 19/June/2017 ]

A very serious security problem has been found in the Linux kernel, called “The Stack Clash.” It can be exploited by attackers to corrupt memory and execute arbitrary code. An attacker could chain it with another vulnerability to execute arbitrary code and gain administrative/root account privileges. How do I fix this problem on Linux?

The Qualys Research Labs discovered various problems in the dynamic linker of the GNU C Library (CVE-2017-1000366) which allow local privilege escalation by clashing the stack, including on the Linux kernel. This bug affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code.

What is the CVE-2017-1000364 bug?

From RHN: A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap,


Cpustat – Monitors CPU Utilization by Running Processes in Linux

Cpustat is a powerful system performance measurement program for Linux, written in the Go programming language. It attempts to reveal CPU utilization and saturation in an effective way, using the Utilization, Saturation and Errors (USE) Method (a methodology for analyzing the performance of any system).

It takes high-frequency samples of every process being executed on the system and then summarizes these samples at a lower frequency. For instance, it can measure every process every 200ms and summarize these samples every 5 seconds, including min/average/max values for certain metrics.

Cpustat outputs data in two possible ways: a pure text list of the summary interval and a colorful scrolling dashboard of each sample.

How to Install Cpustat in Linux

You must have Go (GoLang) installed on your Linux system in order to use cpustat. If you do not have it installed, follow the GoLang installation steps at the link below: Install GoLang (Go Programming Language) in Linux

Once


Linux security alert: Bug in sudo’s get_process_ttyname() [ CVE-2017-1000367 ]

There is a serious vulnerability in the sudo command that grants root access to anyone with a shell account. It works on SELinux-enabled systems such as CentOS/RHEL and others too. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. Patch your system as soon as possible.

It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions, or gain a root shell.

From the description:

We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux: this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367). For example, if we execute Sudo through the symlink “./ 1 “, get_process_ttyname()


Impermanence in Linux – Exclusive (By Hari Iyer)

Impermanence, also called Anicca or Anitya, is one of the essential doctrines and a part of the three marks of existence in Buddhism. The doctrine asserts that all of conditioned existence, without exception, is “transient, evanescent, inconstant”.

On Linux, the root of all randomness is something called the kernel entropy pool. This is a large (4,096-bit) number kept privately in the kernel’s memory. There are 2^4096 possibilities for this number, so it can contain up to 4,096 bits of entropy. There is one caveat: the kernel needs to be able to fill that memory from a source with 4,096 bits of entropy. And that’s the hard part: finding that much randomness.

The entropy pool is used in two ways: random numbers are generated from it, and it is replenished with entropy by the kernel. When random numbers are generated from the pool, the entropy of the pool is diminished (because the person receiving the random number has some information about the


/etc/security/limits.conf file – In A Nutshell

The /etc/security/limits.conf file contains a list of lines, where each line describes a limit for a user in the form of:

<domain> <type> <item> <shell limit value>

Where:

<domain> can be:
- a user name
- a group name, with @group syntax
- the wildcard *, for the default entry
- the wildcard %, which can also be used with %group syntax, for the maxlogins limit

<type> can have two values:
- “soft” for enforcing the soft limits (soft is like a warning)
- “hard” for enforcing hard limits (hard is a real max limit)

<item> can be one of the following:
- core – limits the core file size (KB)
- data – max data size (KB)
- fsize – maximum file size (KB)
- memlock – max locked-in-memory address space (KB)
- nofile – maximum number of open file descriptors
- rss – max resident set size (KB)
- stack – max stack size (KB) – maximum size of the stack


Linux KVM: Disable virbr0 NAT Interface

The virtual network (virbr0) is used for Network Address Translation (NAT), which allows guests to access network services. However, NAT slows things down and is only recommended for desktop installations. To disable NAT forwarding, type the following commands:

Display Current Setup

Type the following command:

    # ifconfig

Sample outputs:

    virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
              inet addr:  Bcast:  Mask:
              inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:7921 (7.7 KiB)

Or use the following command:

    # virsh net-list

Sample outputs:

    Name                 State      Autostart
    -----------------------------------------
    default              active     yes

To disable virbr0, enter:

    # virsh net-destroy default
    # virsh net-undefine default
    # service libvirtd restart
    # ifconfig

TIBCO Administrator – Error (Core Dump Error)

Sometimes the administrator process on the UNIX platform stops intermittently, and then in the file $TIBCO_HOME/administrator/<version>/tomcat/hs_err_pid<pid_of_admin>.log you will see a core dump error something like this:

    #
    # A fatal error has been detected by the Java Runtime Environment:
    #
    #  SIGSEGV (0xb) at pc=0x00007efcdb723df8, pid=12496, tid=139624169486080
    #
    # JRE version: Java(TM) SE Runtime Environment (8.0_51-b16) (build 1.8.0_51-b16)
    # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.51-b03 mixed mode linux-amd64 compressed oops)
    # Problematic frame:
    # V  []  PhaseChaitin::gather_lrg_masks(bool)+0x208
    #
    # Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
    #
    # If you would like to submit a bug report, please visit:
    #
    #

    ---------------  T H R E A D  ---------------

    Current thread (0x00000000023a8800):  JavaThread "C2 CompilerThread1" daemon [_thread_in_native, id=12508, stack(0x00007efcc8f63000,0x00007efcc9064000)]

    siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000000000000

    Registers:
    RAX=0x0000000000000000, RBX=0x00007efc901723e0, RCX=0x00007efc9016e890, RDX=0x0000000000000041
    RSP=0x00007efcc905f650, RBP=0x00007efcc905f6c0, RSI=0x00007efcc9060f50, RDI=0x00007efc90b937a0
    R8 =0x000000000000009a, R9 =0x0000000000000003,


/dev/random vs /dev/urandom

If you want random data on a Linux/Unix-type OS, the standard way to do so is to use /dev/random or /dev/urandom. These devices are special files. They can be read like normal files, and the data read is generated from multiple sources of entropy in the system which provide the randomness.

/dev/random will block after the entropy pool is exhausted. It will remain blocked until additional data has been collected from the sources of entropy that are available. This can slow down random data generation.

/dev/urandom will not block. Instead it will reuse the internal pool to produce more pseudo-random bits.

/dev/urandom is best used when:
- You just want a large file with random data for some kind of testing.
- You are using the dd command to wipe data off a disk by replacing it with random data.
- Almost everywhere else where you don’t have a really good reason to use /dev/random instead.

/dev/random is likely to be the
