Saturday, October 25, 2014

Installing Group of Packages from DVD or ISO

Using the yum utility, one can install groups of packages.
In this case, the Development Tools is the group of interest, but it can apply to any other group of packages.
The ISO image, whether virtually or physically present on disk, needs to be set up to be accessed as a repository.
  1. Create a mountpoint to which the ISO image will be mounted:
    # mkdir /mnt/iso
  2. Mount the ISO image:
    REMARQUE : In this case /dev/scd0 points to an iLO virtual media device mapped to an ISO image. But it easily could be a physical DVD or other standalone ISO.
    # mount -o loop,ro /dev/scd0 /mnt/iso
  3. Verify the contents of the mount point:
    [root@dl380g7h08u06 yum.repos.d]# ls /mnt/isoCluster         README-mr.html         RELEASE-NOTES-kn.html     RELEASE-NOTES-U6-ja.htmlClusterStorage  README-or.html         RELEASE-NOTES-ko.html     RELEASE-NOTES-U6-kn.html...README-ja.html  RELEASE-NOTES-gu.html  RELEASE-NOTES-U6-fr.html  RPM-GPG-KEY-redhat-releaseREADME-kn.html  RELEASE-NOTES-hi.html  RELEASE-NOTES-U6-gu.html  ServerREADME-ko.html  RELEASE-NOTES-it.html  RELEASE-NOTES-U6-hi.html  TRANS.TBLREADME-ml.html  RELEASE-NOTES-ja.html  RELEASE-NOTES-U6-it.html  VT
  4. Edit the file /etc/yum.repos.d/file.repo to point to the newly mounted ISO and specific Server and/or VT directory on the ISO.
    This file will be read whenever yum is invoked and should have contents similar to the following:
    # cat file.repo[RHEL_5_ISO_Server_Repository]name=RHEL 5 ISO Repositorybaseurl=file:///mnt/iso/Serverenabled=1
  5. Check the repository list using yum repolist and verify the new ISO repository is listed:
    [root@dl380g7h08u06 yum.repos.d]# yum repolistLoaded plugins: rhnplugin, securityRHEL_5_ISO_Server_Repository                    | 1.3 kB     00:00RHEL_5_ISO_Server_Repository/primary            | 905 kB     00:00RHEL_5_ISO_Server_Repository                    3229/3229repo id                               repo name                repo statusRHEL_5_ISO_Server_Repository          RHEL 5 ISO Repository    enabled:  3,229...
  6. Check the available groups in the repository to confirm the desired package group is listed:
    # yum grouplistLoaded plugins: rhnplugin, securitySetting up Group ProcessRHEL_5_ISO_Server_Repository/group               | 1.0 MB     00:00Installed Groups:   Administration Tools   Authoring and Publishing...Available Groups:   Development Tools   DNS Name Server...Done
  7. Finally, use the command yum groupinstall to install the desired package group:
    # yum groupinstall "Development Tools"

Posted by at No comments:

Tuesday, October 7, 2014

How to Protect your Server Against the Shellshock Bash Vulnerability

Introduction

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash's ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.
The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:
  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
  • Certain DHCP clients
  • OpenSSH servers that use the ForceCommand capability
  • Various network-exposed services that use Bash
A detailed description of the bug can be found at CVE-2014-6271CVE-2014-7169CVE-2014-7186, and CVE-2014-7187.
Because the Shellshock vulnerability is very widespread--even more so than the OpenSSL Heartbleed bug--and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible. We will show you how to test if your machines are vulnerable and, if they are, how to update Bash to remove the vulnerability.

Check System Vulnerability

On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
The highlighted echo Bash is vulnerable! portion of the command represents where a remote attacker could inject malicious code; arbitrary code following a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:
Bash is vulnerable!
Bash Test
If your output does not include the simulated attacker's payload, i.e. "Bash is vulnerable" is not printed as output, you are protected against at least the first vulnerability (CVE-2014-6271), but you may be vulnerable to the other CVEs that were discovered later. If there are any bash warnings or errors in the output, you should update Bash to its latest version; this process is described in the next section.
If the only thing that is output from the test command is the following, your Bash is safe from Shellshock:
Bash Test

Test Remote Sites

If you simply want to test if websites or specific CGI scripts are vulnerable, use this link:'ShellShock' Bash Vulnerability CVE-2014-6271 Test Tool.
Simply enter the URL of the website or CGI script you want to test in the appropriate form and submit.

Fix Vulnerability: Update Bash

The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update Bash to the latest version available via apt-get:
sudo apt-get update && sudo apt-get install --only-upgrade bash
Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).

End of Life Ubuntu / Debian Releases

If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):
sudo do-release-upgrade
After the upgrade is complete, ensure that you update Bash.

YUM: CentOS / Red Hat / Fedora

Update Bash to the latest version available via yum:
sudo yum update bash
Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).

End of Life CentOS / Red Hat / Fedora Releases

If you are running a release of CentOS / Red Hat / Fedora that is considered end of lifestatus, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):
sudo yum update
After the upgrade is complete, ensure that you update Bash.

Conclusion

Be sure to update all of your affected servers to the latest version of Bash! Also, be sure to keep your servers up to date with the latest security updates!
Posted by at No comments:
Subscribe to: Posts (Atom)