Linux Blimp

It has been nearly two years since I tried Fedora, Manjaro and Ubuntu MATE on the Raspberry Pi 2 & 3, and there have been a lot of changes since then. Most for the better, such as the introduction of the Pi 3B+, but a few for the worse, such as the end of the Manjaro Pi development. So I think it’s time to take a fresh look at this.

But, first, why would anyone even want to do this, when Raspbian Linux is available, free, and supports all the special features, quirks and capabilities of the Raspberry Pi hardware?

Well; the most common reasons seem to be that users want to work with a “familiar” distribution, meaning one that they are already using on a PC, such as Ubuntu. Another common reason is that companies have “standardized” on a specific version of Linux for servers, desktops and laptops; this is frequently the case with SUSE and Fedora, for example. Yet another reason might be a specific use of the Raspberry Pi; for example, Kali Linux for penetration testing. Finally you might just be curious (or masochistic) like me, and want to see how (or if) all of this works together.

So, I have taken what I consider to be the four best-known or most popular Linux distributions which have Raspberry Pi ports available, and tried them out on a few of my Raspberry Pi systems. One thing that I am doing differently this time is that I have limited my testing to the Raspberry Pi 2 and 3 (including the 3B+). I learned the last time that even if you could get something running on a Pi Zero or 1, the performance was just too bad to be worthwhile.

Ubuntu MATE

Let’s get the bad news out of the way first. Ubuntu MATE seems to be stuck at version 16.04 LTS. That’s well over two years old now. When it first came out, I assumed (well, hoped) that it would be updated along with the regular Ubuntu releases every six months. That didn’t happen when 16.10 came out, so I then hoped that it would at least be updated to the next LTS release. Alas, that also didn’t happen when Ubuntu 18.04 LTS came out.

SEE: How to build a successful developer career (free PDF)

It has, at least, gotten the point-updates for 16.04, but even those have not been incorporated into new distribution images. So if you get the image from the Ubuntu MATE Downloads page now, what you actually install is 16.04.2, and you then have to try to update from there.

Oh, and before I forget to mention it, the Ubuntu MATE distribution images will not boot on a Pi 3B+. This is a “known problem”, because the boot code is different, and since the distribution images haven’t been updated, that’s not a big surprise.

Ubuntu MATE on Raspberry Pi 3B

Anyway, after booting the distribution image on a Pi 2 or 3B, you need to update it to at least get to the latest 16.04 version. Unfortunately even that is difficult, because the update process complains about not having enough space in the /boot partition, and there is no room to increase the size of that partition. Sigh. The simplest work-around that I could find was to move the start_*.efi files from /boot to /root, which frees up enough space; then run the update, which takes an hour or so, then move those files back to /boot. Yeah, I know, it’s pretty ugly.

By this time my patience was wearing pretty thin — I’m not a big Ubuntu fan anyway, and this was just turning into one problem after another, with a very limited payoff even if everything works. Which it didn’t. The Welcome screen crashes, for example. It finally came up, and I could confirm that it was running 16.04.5 LTS, which is at least the latest version of 16.04. Then I tried to run Firefox, and even that crashed. Grrrr. Ok, I’m ready to give up on this now.

One last bit of bad news… it still doesn’t boot in a Pi 3B+. Yes, I know that it might be possible to fix this but honestly, there’s just no point. If you absolutely, positively have to run Ubuntu on your Raspberry Pi 2 or 3B, it is still possible. Sort of.

Moving on to the good news…

Kali Linux

My original impetus in doing this was seeing an article about Secure Kali Pi 2018. I’m a huge fan of Kali Linux, so this really interested me. I wrote about Kali on the Raspberry Pi previously, and was quite pleased with it then, so I wanted to see how much they have improved it since that time. I was not disappointed.

The only thing that is a bit confusing about the Kali Pi distribution is figuring out exactly which version you want to download. You have to go through the Kali Linux Downloads page, then from there to the Kali Arm Images page, then expand the Raspberry Pi Foundation section. There are eight images there, and it’s not always easy to figure out which one is for what Pi model, what display, what other tools or configurations might be included… in my honest opinion, it’s a bit of a mess, and at least some explanation of what each download is for would be a tremendous help.

Anyway, after some significant head-scratching and tracking down various terms and references, I settled on the one called Kali Linux Raspberry Pi 2 and 3. That looks very obvious when I just write it here like that, but then you look around and see that there is also one called Kali Linux RaspberryPi 2 and 3 Hyperpixel, and another called Kali Linux RaspberryPi 2 or 3 without nexmon… well, hyperpixel is a specific touch-screen display for the Pi, and I don’t want to use that in this case, and nexmon has to do with monitoring and manipulating the Broadcom WiFi chip. I don’t really care about that either, but the “without” version looks like it might be a Pi 2 version, and I don’t want to have trouble booting on the 3B+, so that’s why I settled on the one I did. I hope.

The download is in xz compressed format, so to uncompress and dump it to an SD card you can use this (on a Linux system):

xzcat kali-linux-2018.3-rpi3-nexmon.img.xz |

dd bs=4M of=/dev/sdX iflag=fullblock oflag=direct status=progress

Kali Linux 2018.3 on Raspberry Pi 3B Plus

Image: J.A. Watson

Then I just popped the microSD card into my Pi 3B+, and it booted right up! Nice!

This is an Xfce desktop, which is a very good choice because it is lightweight so it doesn’t load the Pi CPU or memory too much, but it still looks good, and it is very flexible and easily configurable.

Performance is amazingly good, this is the first time I have tried a distribution that I thought performed at least as well as Raspbian.

I have booted the same microSD card in Pi 3B+, 3B and 2B systems and all three worked without problem, including wired and wireless networking and Bluetooth using the built-in adapters in the 3B and 3B+, and USB dongles on the 2B.

In fact, Bluetooth works even better than it does on Raspbian! I mentioned in a recent post that my Logitech m720 Triathlon mouse wouldn’t pair with Raspbian; it works perfectly with Kali Linux, on all three Pi models (that means with two different built-in bluetooth adapters and one USB adapter). I would suggest installing the Blueman package to get a GUI interface for Bluetooth management, but it can certainly be done from the CLI in the basic Kali installation.

What an excellent result this was, especially after the initial disappointment with Ubuntu MATE on the Raspberry Pi. In fact, I was so inspired by this that I decided to have another look at openSUSE on the Raspberry Pi too.

openSUSE Tumbleweed

The last time I tried openSUSE on a Raspberry Pi I had a lot of trouble with it. I managed to get Leap 42.2 working, but I couldn’t even get Tumbleweed to boot. This time the experience has been much better.

The information, instructions and download links are on the openSUSE Raspberry Pi 3 page. It’s still not all smooth sailing, because none of the direct links to downloads on that page work (sigh). The reason is simple enough — someone has removed “raw” from the Current image names, but not from the links. The solution is also simple, just click on the general download directory link, and find the version you want; or copy the specific link for the version you want, paste it and remove “raw” from the end, and it will work. It’s really (really) irritating when silly, careless mistakes like this make an otherwise good distribution look so bad.

SEE: Getting started with Python: A list of free resources

Anyway, I downloaded the LXQt version (in the interest of minimizing system load and resource use), which comes in at a rather svelte 800MB. It is also in xz compressed format, so it can be uncompressed and dumped to an SD card using the same command as for Kali above.

Pop the microSD card into a Pi 3B+ (or 3B, or 2B), and let it boot. It takes quite a while, and the boot process will look very strange to experienced Raspbian users, but after a minute or two it will be up and running.

openSUSE Tumbleweed on Raspberry Pi 3B Plus

The LXQt version has a rather ugly/boring desktop wallpaper, so I have replaced that with the standard openSUSE wallpaper.

Performance is once again surprisingly good, although a tad slower than Kali when starting apps and such. Wired and wireless networking are no problem, but I couldn’t get Bluetooth to work, no matter what I tried (and I tried a lot).

Installing updates was no problem, and even though the installation image was dated 20181018, there were a lot of them… well, this is Tumbleweed so no surprise there either.

Where Kali is a penetration-testing focused distribution, openSUSE is a general purpose Linux distribution, and it comes equipped accordingly. Both Firefox and Chromium are included, as is Thunderbird; GIMP and Shotwell, Pragha and Videos, and just about anything else I could think of. The only obvious thing not included was LibreOffice, and that’s more likely because I downloaded the LXQt version, not because of the Raspberry Pi target system.

openSUSE Leap 15.0

Although I was specifically looking for the Tumbleweed version, I found that the openSUSE Raspberry Pi 3 page also contained links for Leap 15.0 (the current Leap release) and Leap 42.3 (the previous Leap release). Please don’t ask me to explain about the version numbers, they don’t make much sense to me either.

I figured while I was there I would give it a whirl as well. The procedure started off the same; download, uncompress, dump to a microSD card, pop the card into the Pi 3B+, and… oops. It wouldn’t boot. It produced the classic “blinking LED” symptom which means that the boot files haven’t been updated for the 3B+. So I swapped the card over to a plain 3B, and it booted just fine.

openSUSE Leap 15.0 on Raspberry Pi 3B Plus

It continued normally from there, coming up to the LXQt desktop. I’ve left the ugly wallpaper on this one, for comparison. Once again, wired and wireless networking were just fine, and Bluetooth didn’t work. I installed all of the updates, then shut down and moved the card back to the 3B+, and it booted just fine. Yay!

Performance seemed the same as it was for Tumbleweed, so that was good. It doesn’t have nearly the assortment of applications and utilities in the base system, though. I only saw Firefox (no Chromium or Thunderbird), it has GIMP but not Shotwell, and no audio or video players at all that I could find. Again, this may be down to my choosing the LXQt version, and all of these applications and much more are available in the repositories.

My bottom line for openSUSE, either Tumbleweed or Leap, is that they are perfectly usable on the Raspberry Pi 3B or 3B+, and even tolerable on the 2B. So if you don’t care for Raspbian, and you don’t want to start with Kali and add the applications you need, or if you are in an organization that has standardized on SUSE or openSUSE, go for it. I don’t think you’ll regret it.

Fedora Workstation

While I was working on the Kali and openSUSE installations, I got an email from a reader who mentioned that he had just tried Fedora 28 on a Pi 3, and had been very pleasantly surprised by the ease of installation and performance.

The last time I tried Fedora on Raspberry Pi 2 and 3 systems, I was less than entirely successful or satisfied. That was with Fedora 25, and I found that on the Pi 3 it still didn’t support a lot of the hardware (WiFi, Bluetooth, Sound and more), and on the Pi 2 it was so slow that I wasn’t interested in trying to find out what worked and didn’t.

Since I have now been on such a hot streak with Kali, Tumbleweed and Leap on the Raspberry Pi, I decided to give Fedora another shot. There is an excellent discussion of Fedora on the Raspberry Pi in the Fedora Wiki, so I started there. I went to the Fedora 29 Beta downloads and got the Workstation armhfp image.

There are two ways to copy the distribution image to an SD card; because it is in xz compressed format, you can use the same commands as given above for Kali and openSUSE. But there is also a utility script available which does the same thing, and lets you specify a few additional parameters in the process. So I installed that utility on one of my Fedora systems, and did it that way.

When I put the SD card in the Pi 3B+, it booted and, uh, sort of struggled its way up. Slowly. Very slowly. It finally made it up to the desktop, and I realized that I had made a big mistake. I had downloaded the standard desktop version, which is Gnome 3. Not a good idea at all; for a variety of reasons, even the Pi 3B+ is not up to running Gnome 3. It took tremendous patience just to get it to shut back down, so I could start over.

Fedora 29 LXDE on Raspberry Pi 3B Plus

I went back to the Fedora 29 Beta distribution tree, and this time went to Spins instead of Workstation, and picked up the LXDE version (there are also LXQt, Xfce, MATE and KDE versions there). The same utility dumped it to the SD card, and this time it booted and came up reasonably well, although still noticeably slower than openSUSE (and much slower than Kali).

The first time you boot any of the Fedora images you are taken to the final screen of their anaconda installer, where you can configure the timezone, root password, user account and network info. Once that is done, the boot process continues to the normal login screen. One thing you don’t get to do during the initial boot is configure the keyboard layout, so if you have a non-U.S. keyboard you’ll have to configure that after you login. The easiest way I have found to do that with the LXDE desktop is to add the Keyboard Layout Manager to the LXDE panel, and then use that to add the appropriate layout and delete the default (U.S.) layout.

At this point I was ready to declare Fedora 29 on the Raspberry Pi 3B+ usable — but I still want to know a couple of other things. First, how does it do on the original Model 3B and on the 2B? That turned out to be easy enough to find out, and pretty much what you would expect. The 3B is noticeably slower than the 3B+, but still usable if you are determined and patient. The 2B is, in my opinion, just too slow. It really struggles, with long delays, when you try to do anything at all.

I was also interested in the other desktops, so I went back to the Fedora distribution tree; by this time, the final ISO images for Fedora 29 were up. The LXQt image seems to have disappeared, I don’t know if this is intentional or if it might still show up before release. I downloaded the Xfce spin, and tried that on the 3B+. Unfortunately it is much too slow, and it seems to have some pretty serious rendering problems (several icons in the panel were just blank boxes, for example).

My advice for Fedora on the Raspberry Pi is that if you really need/want/must use it, either due to strong personal preference (loyalty) or commercial requirements, it can be done — but make sure you’re using a Pi 3B+ to run it and only try to use the LXDE desktop.

Overall I’m pretty pleased with these results, the situation is certainly a lot better than it was the last time I looked at this. Let’s just hope things keep moving in the right direction.

RECENT AND RELATED COVERAGE

Raspberry Pi: Hands-on with the updated Raspbian Linux

I have installed the new Raspbian 2018-10-09 release from scratch on some systems, and upgraded existing installations on others.

Kali Linux for Vagrant: Hands-on

The developers at Kali Linux have released a Vagrant distribution of their latest version. Here is a look at that release – and at the Vagrant tool itself

Hands-on with MX Linux: A pleasant, easy-to-install Linux distribution

MX Linux is a descendant/spin-off from Antix and MEPIS Linux. I want to see what it is like to install and run on both UEFI and MBR laptops.

Hands-on with Linux Mint Debian Edition 3 Beta

The long-awaited LMDE update is finally (really) on the way!

Linux phone battery bug: Purism’s Librem 5 delayed until April 2019

Purism gave its Librem 5 phone an updated SoC, but found it has a battery-draining bug that’s delayed production.

A $10 Raspberry Pi alternative? La Frite packs Pi-like specs into low-cost Linux board (TechRepublic)

The $10 La Frite comes close to matching some key specs of the $35 Pi 3 B+, while trimming other features to slash the price.

How to start your smart home: Home automation, explained (CNET)

Starting a smart home doesn’t have to be scary. Here are the basics.

Source

Last updated October 24, 2018

It’s a confirmed news that Pine64 is considering a budget Linux smartphone running KDE Plasma.

Pine64 is a hardware vendor famous for its Linux-based Single Board Computers like Pine A64. These ARM boards are inexpensive and cost only $15-$20.

Pine64 also has an $89 Linux laptop called Pinebook. This laptop actually runs the Pine A64 underneath it.

Pine64 works with a few Linux distributions to provide a smooth running operating system for Pinebook. KDE Neon is one of those Linux distributions and it seems that this partnership will have some new and exciting ventures in future.

It’s FOSS is the official media partner of Open Source Summit, Europe edition. I am in Edinburgh these days to cover this event and this is where I met Jonathan Riddell at the KDE booth.

Jonathan Riddell at KDE Booth, OSSummit 2018, Edinburgh

Jonathan Riddell created KDE Neon a few years back when he wasn’t satisfied with the way Kubuntu was progressing with KDE.

KDE booth was displaying KDE Neon running on the high-end Slimbook and low-end Pinebook. When I asked why they don’t have a Librem5 smartphone running KDE Plasma, Riddell told me that Librem is more with GNOME than KDE.

And this is where he revealed that people from Pine64 have expressed their interest in creating inexpensive Linux-based tablets and smartphones that run KDE Plasma.

I contacted Pine64 team and TL Lim, founder of Pine64, confirmed the plans for a Linux-based smartphone and tablet. These devices are called PinePhone and PineTab.

PinePhone: Linux-based budget smartphone

Lime revealed some information about PinePhone development.

The first PinePhone developer kit will be given to selected developers for free on November 1. This is a combo kit of PINE A64 baseboard + SOPine module + 7″ Touch Screen Display + Camera + Wifi/BT + Playbox enclosure + Lithium-Ion battery case + LTE cat 4 USB dongle.

This combo kits will allow developers to jump starts PinePhone development. The PINE A64 platform already has mainline Linux OS build thanks to PINE64 community and support KDE neon.

The PinePhone all-in-one developer board with 5.45″ 1440×720 panel will be released before FOSDEM and targets to demo at FOSDEM.

The actual phone design has already started but will not be finalized until Q2, 2019 after getting inputs from developer board and also pending on open software progress.

Lim said that they are using this three steps approach to avoid other Linux Phone misstep failures. The PinePhone separate out SoC and LTE module due to mainline binary blobs and GPL concern.

The targets price should be in $100+ range for 2GB RAM and 16GB storage configuration.

What do you think of PinePhone?

If you have doubts that KDE, a desktop environment, will be able to run on mobile devices, I should let you know that KDE also has its mobile version called Plasma Mobile.

Pine64 has already created a budget laptop called Pinebook. Creating a Linux-based tablet running on ARM-board should not be a difficult task for them. In fact, PineTab will be released before PinePhone.

I completely understand that creating a working Linux-based smartphone is altogether a different thing. I have used the Ubuntu Phone in the past and the experience was below par.

Would you buy the PinePhone or PineTab when those are released? Is it really a good idea to go for a Linux smartphone?

Source

Chromium is an open source and portable web browser application that provides users with some of the latest and greatest web technologies and functionality. It is the project on which the well-known Google Chrome software is based on. It is a platform-independent application that has been successfully tested under Linux, Mac OS X and Microsoft Windows operating systems.

An open-source version of Google Chrome

By default, it runs on both 32-bit and 64-bit architectures, but it’s not distributed as binary packages like Google Chrome. Because of this, it is not so popular among novice users who tend to download and install the Google Chrome web browser instead. The truth is, that except for Google’s brand, click-through licensing terms, auto-update mechanism, usage-tracking, and bundling of the Adobe Flash Player plugin, they are the same application.

Google Chome is based on Chromium

It is also a known fact that most new computers users never heard of Chromium, not to mention the fact that Google Chrome, which they use and love so much, is based on this open source and actively developed project. Because of this, we want to remind everyone who wants to have the latest features and new functionality implemented in their Google Chrome web browser, that they should use Chromium instead.

Offers Google Chrome’s default functionality

Because we have already reviewed the Google Chrome web browser, we can’t describe here all the features of the Chromium application, as it provides almost the same functionality. For example, users will be able to search Google directly from the address bar, browser the web incognito, and access their most visited websites from the new tab page.

We recommend to use Mozilla Firefox

Just like Google Chrome, the Chromium web browser includes the sync service for backing up all of your passwords, bookmarks, browsing history, web apps, add-ons, themes, opened tabs and autofill data across multiple devices. Unfortunately, being exactly like the Google Chrome browser, Chromium also proved to be a poor product for our web needs, and we feel obliged to recommend Mozilla Firefox instead.

Source

Published: October 29, 2018

Source

Over the last few years the way you moved applications from your data center to the cloud was lift-and-shift, refactor, or migrate to containers. The latter has gotten a kick in the pants as cloud-native techniques such as serverless computing and microservices have joined forces with containers.

Still unsure what I’m talking about? Chris Aniszczyk, executive director of the Open Container Initiative (OCI) and the Cloud Native Computing Foundation (CNCF), explained: “Cloud-native computing uses an open-source software stack to deploy applications as microservices, [each part packaged] into its own container, and dynamically orchestrate those containers to optimize resource utilization.”

You can find proof this methodology is taking off in the latest CNCF survey. This survey of primarily enterprise or DevOps professionals found that “production usage of CNCF projects has grown more than 200 percent on average since December 2017, and evaluation has jumped 372 percent.”

Source

mod_auth_token is a apache module that can be used to sign URLs, using this it can create time based urls that expire after a certain amount of time. It will prevent hot linking as the URLs will expire. This is particularly useful with video and image sharing.

To get started you will need to have an Apache installation already present. If you need to set this up please set Compile Apache 2.4 From Source.

Install mod_auth_token:

First ssh into the server and get the required packages:

cd /usr/src; wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/mod-auth-token/mod_auth_token-1.0.5.tar.gz

Un-compress the archive:

tar xfvz mod_auth_token-1.0.5.tar.gz

Go into the directory

cd mod_auth_token-1.0.5

Configure it:

./buildconf && ./configure

Install It:

make && make install

Restart Apache to make sure it loads without a error:

service httpd restart

Make sure the module is loaded:

# httpd -M 2>&1|grep auth_token
auth_token_module (shared)

You should see auth_token_module in the results

Configure Apache for mod_auth_token

You will need to edit the apache configuration and add the following to the domain you want protected by mod_auth_token:

<Location /download/>
# Secret key, can be anything random
AuthTokenSecret “randomstring”
# directory to protect
AuthTokenPrefix /protected/
# Timeout length, this is in seconds
AuthTokenTimeout 300
# limit requsts by IP
AuthTokenLimitByIp off
</Location>

Restart Apache again:

service httpd restart

To test that it is working create a php file to generate a URL

<?PHP

$secret = “randomstring”; // AuthTokenSecret
$directory = “/[protected/”; // AuthTokenPrefix
$hexTime = dechex(time()); // Time in Hexadecimal
$url = “http://www.example.com”; // Replace this with the domain
$filename = “/$filename”; // Filename

$token = md5($secret . $filename. $hexTime);

$url = $domainname . $protectedPath . $token. “/” . $hexTime . $filename;
print $url;

?>

Go ahead and run that php script and it will output the URL, if you are able to access it. The module is working correctly. You can read more about mod_auth_token on code.google.com

Source

Last updated October 23, 2018

If you’ve been waiting for a stable (and longterm) Kernel release now, Kernel 4.19 is here. As mentioned on the Linux Kernel’s mailing list webpage, it is not a big Kernel release – but it is meant to be a longterm release. Which means that this release will be supported for a few years at least.

Probably you are aware of the changes in the Linux Code of Conduct and Linus Torvalds taking a break to work on his behavior towards other developers. We have some good news about it along with the new Kernel release as well.

Greg KH, who was handling the kernel maintenance indicated that Linus Torvalds is coming back to lead the Linux Kernel:

“And with that, Linus, I’m handing the kernel tree back to you. You can
have the joy of dealing with the merge window :)”

What Kernel 4.19 is all about?

He also mentioned about the Linux Kernel 4.19 changes as an overview of what it actually is:

“While it was not the largest kernel release every by number of commits, it was larger than the last 3 releases, which is a non-trivial thing to do. After the original -rc1 bumps, things settled down on the code side and it looks like stuff came nicely together to make a solid kernel for everyone to use for a while. And given that this is going to be one of the “Long Term” kernels I end up maintaining for a few years, that’s good news for everyone.

A small trickle of good bugfixes came in this week, showing that waiting an extra week was a wise choice. However odds are that linux-next is just bursting so the next -rc1 merge window is going to be bigger than “normal“, if there is such a thing as “normal” for our rate of development.”

Let’s list the major new features in this new release:

• Alternate mode driver for USB Type-C/DisplayPort Type-C support
• Support for Nintendo guitar and drum accessories
• Better support for Intel’s Low Power Subsystem (LPSS)
• Plenty of 64-bit ARM improvements
• Support for Qualcomm Adreno 600 series hardware
• Initial support for Intel Icelake graphics
• DRM improvements
• Improved power management
• Touchscreen improvement
• Initial support for the 802.11ax WLAN
• Various Filesystem improvements

For the complete changelog details, you should check out OMG Ubuntu or the official announcement.

Greg on the recent issues in the Linux community over the ‘Code of Conduct’

Greg also utilized the opportunity of this Kernel release to shed some light on the recent issue on Linux code of conduct – by explaining how we can improve the community:

“These past few months has been a tough one for our community, as it is our community that is fighting from within itself, with prodding from others outside of it. Don’t fall into the cycle of arguing about those “others” in the “Judean People’s Front” when we are the “We’re the People’s Front of Judea!” That is the trap that countless communities have fallen into over the centuries. We all share the same goal, let us neverloose sight of that.

So here is my plea to everyone out there. Let’s take a day or two off, rest, relax with friends by sharing a meal, recharge, and then get back to work, to help continue to create a system that the world has never seen the likes of, together.”

What do you think about the latest Linux Kernel release?

Source

ModSecurity is an open source monitoring system for web applications. It has powerful rule sets that allow you to protect applications from attacks. View the project for more details. It provides a ton of features such as:

More than 16,000 specific rules, broken out into the following attack categories:
* SQL injection
* Cross-site Scripting (XSS)
* Local File Include
* Remote File Include

User option for application specific rules, covering the same vulnerability classes for applications such as:
* WordPress
* cPanel
* osCommerce
* Joomla

Install ModSecurity

To get started you will need to have Apache installed. If you do not yet, please see Compile Apache 2.4 From Source

Install the required dependencies:

yum install -y libxml libxml-devel

Get the software package:

cd /usr/src; wget https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.1/modsecurity-2.9.1.tar.gz

Un-compress the archive:

tar xfvz modsecurity-2.9.1.tar.gz

Go in to the directory:

cd modsecurity-2.9.1

Configure it:

./configureInstall:make && make install

You will need to edit /etc/httpd/conf/httpd.conf and load the module:

LoadModule security2_module lib/apache/mod_security2.so

For each domain you want to enable it for add the following:

SecEngine On

Restart Apache to load it:

service httpd restart

Verify it is loading in Apache:

httpd -M 2>&1|grep security

You should see the following returned:

security2_module (shared)

Configure ModSecurity

Get a starting ruleset. View the github project for more details.

Download the ruleset:

cd /usr/src;wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz

Un-compress the archive:

tar xfvz v3.0.0.tar.gz

Make a configuration directory

mkdir /etc/httpd/conf/modsecurity.d

Enter the directory:

cd owasp-modsecurity-crs-3.0.0

Move the rules directory into place:

mv rules/ /etc/httpd/conf/modsecurity.d

Move and rename the main configuration:

mv crs-setup.conf.example /etc/httpd/conf/modsecurity.d/crs-setup.conf

Review crs-setup.conf and remove comments for any applicable lines.

Edit /etc/httpd/conf/httpd.conf once again and add the following:

<IfModule security2_module>
Include /etc/httpd/conf/modsecurity.d/crs-setup.conf
Include /etc/httpd/conf/modsecurity.d/rules/*.conf
</IfModule>

Restart Apache once more to load the base configuration. That is it for the base installation. There are numerous ways you can configure it to protect your server from web based attacks and proactively monitor your server.

May 4, 2017LinuxAdmin.io

Source

An “incorrect command-line parameter validation” vulnerability in X.Org server makes it possible to escalate privileges as well as overwrite files. The problem affects Linux and BSD distributions using the open source X Window System implementation.

The vulnerability has been present for a couple of years, but has been brought to light by security researcher Narendra Shinde. Unpatched system can be exploited by non-root users if X server is running with elevated privileges.

See also:

• Linux-friendly company System76 shares more open source Thelio computer details
• System76 releases Ubuntu-based Pop!_OS 18.10 Linux distribution
• Linus Torvalds is back in charge as Linux kernel 4.19 is released

A security advisory posted to the X.Org mailing list explains that: “Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user)”.

The vulnerability has been assigned CVE-2018-14665, and Bleeping Computer — saying it is “trivial to exploit” — explains how it works:

Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option.

Although the exploit is not a major security issue in itself, in combination with other exploits it could prove highly problematic. The X.Org mailing list post says:

The commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which first appeared in xorg-server 1.19.0 introduced a regression in the security checks performed for potentially dangerous options, enabling the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege elevation since it’s possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems.

A patch was added to the xserver repository on this week, but X.Org adds:

If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the ‘startx’, ‘xinit’ commands or variations thereof.

X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid.

Source

Last updated October 28, 2018

IBM and Red Hat have inked the deal. IBM is acquiring Red Hat for approximately $34 billion in order to become the number one hybrid cloud provider in the world.

If you think open source projects doesn’t make money, it’s time to think again. A few months back Microsoft bought GitHub for $7.5 billion. SUSE Enterprise Linux was sold for $2.5 billion. Today IBM announced that it is buying Red Hat for approximately $34 billion.

Red Hat, the first billion dollar open source company is one of the strongest players in the containers and the cloud game. IBM has been lagging behind the likes of Microsoft and Google in the trillion dollar cloud market. So to strengthen their position in this field, IBM is acquiring Red Hat.

IBM will acquire all of the issued and outstanding common shares of Red Hat for $190.00 per share in cash, which is approximately $34 billion.

The deal was facilitated by JPMorgan from IBM side and Guggenheim Partners from Red Hat side.

Red Hat will join IBM’s Hybrid Cloud team as a distinct unit. It will continue to be led by Jim Whitehurst and the current Red Hat management team.

“The acquisition of Red Hat is a game-changer. It changes everything about the cloud market. IBM will become the world’s #1 hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses.”

Ginni Rometty, IBM Chairman, President and Chief Executive Officer

Red Hat is obviously excited about the deal:

Joining forces with IBM will provide us with a greater level of scale, resources and capabilities to accelerate the impact of open source as the basis for digital transformation and bring Red Hat to an even wider audience – all while preserving our unique culture and unwavering commitment to open source innovation

Jim Whitehurst, President and CEO, Red Hat

As per the announcement, “IBM will remain committed to Red Hat’s open governance, open source contributions, participation in the open source community and development model, and fostering its widespread developer ecosystem. In addition, IBM and Red Hat will remain committed to the continued freedom of open source, via such efforts as Patent Promise, GPL Cooperation Commitment, the Open Invention Network and the LOT Network.”

This deal makes IBM the number one player in the cloud market. It will be interesting to see if other players Microsoft and Google make similar moves.

SUSE has already been sold to EQT and Debian is a community owned project so that leaves Ubuntu. Can Ubuntu be the next acquisition target, perhaps by Microsoft? Only time will tell.

What are your views on IBM-Red Hat deal? Will it impact the open source projects by Red Hat? Do you see the recent trend of acquisition of Open Source companies as a ‘threat to the open source culture’? So share your views in the comment section.

Source