Alerts This Week
Warning Icon 1 666
Alerts This Week
Warning Icon 1 666

Stay Ahead With Linux Security Features

Siem Architecture Hero Esm H350
Price Tag 1threat detection scalability

Building a SIEM is easier than scaling one. Most open-source deployments start as a simple "all-in-one" server. It is easy to set up, but that design rarely survives the transition from a lab to a production workload. . A SIEM watching 20 endpoints is not doing the same job as one watching 500. More endpoints mean more logs; more logs require more storage; more storage makes search heavier. Eventually, the very architecture that made your lab easy to deploy becomes the reason your production...
1 min read
Http2 Bomb Hero 2026 Esm H350
Price Tag 1security advisory apache

A newly disclosed attack technique called HTTP/2 Bomb is drawing attention because it targets the software that sits at the front of much of the Linux internet. Apache HTTP Server, NGINX, Envoy, and the ingress layers that many Kubernetes environments depend on can be forced into consuming disproportionate amounts of memory using relatively small amounts of attacker traffic. . For Linux administrators, the concern is not the HTTP/2 protocol itself. It is the possibility that a single...
3 - 5 min read
Supply Chain Risk Starts At The Workstation Hero Esm H350
Price Tag 1security advisory important

The compromise of Nx Console shows how much infrastructure now sits behind a single developer account. GitHub repositories, CI/CD pipelines, container build systems, Terraform projects, Kubernetes deployments. None of those systems was the initial target. The workstation was. . Attackers did not need a Linux privilege escalation bug or a remote code execution chain. They needed developers to trust a tool they were already using. For many organizations, that was enough. What Happened? Federal...
3 - 5 min read
Persistence Tricks Hero Esm H350
Price Tag 1security advisory open-source

You remove the malware. You rotate the compromised credentials. You patch the original vulnerability and close the ticket. Two weeks later, the attacker is back. . What happened? You didn't lose the battle at the exploit; you lost it at the cleanup. In many modern Linux intrusions, the malware you found wasn't the main problem—it was the fallback mechanisms left behind. These hooks quietly restore attacker access the moment you look away. If you clean a host but miss these persistence layers,...
4 - 7 min read
Red Hat Npm Hero Esm H350
Price Tag 1security advisory Red Hat

Researchers investigating a campaign now tracked as Miasma found that more than 30 packages in Red Hat's @redhat-cloud-services npm namespace had been altered to deliver credential-stealing malware. . The packages weren't being used to deploy ransomware or sabotage systems. From what has been reported so far, the objective appears to have been much simpler: collect credentials from developer environments and use that access elsewhere. GitHub tokens, cloud credentials, SSH keys, and other...
3 - 6 min read
Filter Icon Refine features
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

More Polls

What got you started with Linux?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/150-what-got-you-started-with-linux?task=poll.vote&format=json
150
radio
0
[{"id":483,"title":"Self-taught through trial and error","votes":545,"type":"x","order":1,"pct":78.42,"resources":[]},{"id":484,"title":"Formal training or courses","votes":30,"type":"x","order":2,"pct":4.32,"resources":[]},{"id":485,"title":"A job that required it","votes":34,"type":"x","order":3,"pct":4.89,"resources":[]},{"id":486,"title":"Other","votes":86,"type":"x","order":4,"pct":12.37,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security features

We found -3 articles for you...
102
7.Locks HexConnections Esm H240
Price Tag 1cybersecurity threatsidentity managementLinux admin

Evolving Linux Malware Threats: A Guide for Admins in Cloud-Native Contexts

For a long time, Linux malware followed a familiar pattern. A compromised host. A binary written to disk. Persistence through cron, systemd, or a quiet modification that survived reboots. If you hardened the system and watched for changes, you felt reasonably in control. That model no longer matches how Linux is actually run. Modern Linux malware increasingly assumes it is landing in environments where hosts are disposable, workloads are short-lived, and the real authority sits somewhere above the operating system.. Most Linux infrastructure today lives inside cloud and container platforms that are ephemeral and API-driven by design. Containers, Kubernetes, managed services. Linux is still there, but it is no longer the primary unit of control. That shift changes what attackers optimize for. Persistence on a single machine matters less when you can influence what gets deployed next. Early 2026 research from Check Point describes a framework called VoidLink that reflects this reality. It is not notable because it is noisy or flashy, but because it fits cloud-native environments almost too well. VoidLink signals a broader transition in Linux malware away from host-centric techniques toward control planes, identities, and orchestration logic. It assumes images will be rebuilt and nodes will disappear. Control comes from understanding how workloads are created, scheduled, and authenticated, often through mechanisms that look legitimate on the surface. Traditional defenses still have value, but on their own, they are no longer sufficient. Understanding this shift is now part of the job for Linux administrators, because risk, visibility, and policy all move with it. The Evolution of Linux Malware Frameworks If you look back at older Linux malware , the assumptions are easy to spot. The host mattered. Machines stayed up for months or years. Persistence was the goal, and success meant surviving reboots, package upgrades, and the occasional admin poking around. Root access was the prize, because once youhad it, you could stay. Most defensive guidance grew out of that world, and for a long time, it worked well enough. Cloud and container environments quietly broke those assumptions. Hosts are no longer stable assets. Containers may exist for minutes. Images are rebuilt automatically. In that context, traditional persistence loses much of its value. You start to see Linux malware adapt by shifting its focus away from the filesystem and toward the systems that decide what runs in the first place. Control moves up the stack, toward orchestration platforms, cloud APIs, and identity systems that sit above any single node. Modern Linux malware frameworks reflect that change in how they are built. They are modular, often split into loaders, plugins, and optional components that can be deployed only when needed. That structure looks familiar to anyone who works with microservices or cloud-native applications, and it is not an accident. Attackers now assume that orchestration layers are the real terrain. Instead of clinging to a host, they aim to influence deployment, scheduling, or identity in ways that let access reappear even as infrastructure churns. As a result, today’s Linux malware is often more flexible and quieter than what came before. For Linux administrators, this means threat modeling can no longer stop at host hardening. Cloud APIs and control planes are now part of the attack surface, whether they were designed that way or not. Why Cloud and Container Environments Are Attractive to Attackers Cloud and container platforms change more than how applications are deployed. They change what is visible, what is durable, and what feels normal. Containers deliberately abstract away much of the operating system, and in doing so, they also blur traditional security boundaries. Processes come and go. Filesystems reset. From the outside, it can be difficult to tell whether something unusual happened or whether the platform simply behaved as designed. That ambiguity creates room for abuse. Centralization plays an equally important role. Kubernetes and cloud APIs concentrate enormous control behind a relatively small number of interfaces. A single service account, role, or token can influence scheduling, networking, storage, and identity across large parts of an environment. When those identities are misconfigured, lateral movement often requires no exploit at all. Access is granted by policy, not by vulnerability, and that access tends to look legitimate in logs. From an attacker’s perspective, this is far more efficient than breaking out of individual containers one by one. Ephemeral infrastructure further tilts the balance. Workloads disappear before artifacts can be examined. Network policies are frequently permissive during early adoption and rarely revisited. CI/CD systems extend execution well beyond runtime, pulling code, building images, and deploying workloads automatically. Once you start to see how these pieces connect, the appeal becomes obvious. Container security is not just about runtime protection. It is about protecting the orchestration, identity, and control layers that decide what runs at all. For Linux administrators, that is where attention has to shift, even if the hosts themselves look quiet. VoidLink as a Case Study in Cloud-Native Linux Malware VoidLink is useful to study because it does not behave like a one-off Linux payload. It is a framework, built as a collection of components that can be deployed selectively depending on the environment. Researchers describe loaders, implants, rootkit-style capabilities, and extensible plugins, all designed to work together rather than as a single artifact. That structure matters. It suggests a system meant to be operated, updated, and reused, not simply dropped onto a compromised machine and forgotten. The design choices behind VoidLink line up closely with how modern infrastructure actually runs. It is built to function across cloud providers and container platforms, including Kubernetes, Docker, and major publicclouds. The codebase spans languages such as Zig, Go, and C, which points to developers comfortable with both low-level systems work and cloud-native tooling. Debug symbols left in some components indicate active development, not a finished campaign frozen in time. That detail alone changes how you think about lifecycle and intent. This is not something thrown together quickly to exploit a single weakness. Attribution is more complicated. Analysis published so far points toward Chinese-affiliated developers, based on language artifacts and development patterns, but stops short of tying the framework to a specific organization or state actor. Intent is equally unclear. Some analysts have noted that the level of documentation, modularity, and interface design resembles a product more than a bespoke intrusion tool. That does not mean it is commercial malware in the traditional sense, but it does suggest a mindset closer to software engineering than opportunistic compromise. For Linux administrators, the lesson is not about who wrote VoidLink, but how it was written. Malware at this level is designed, maintained, and evolved by skilled teams who understand cloud platforms as well as operators do. These are not random scripts scraped from forums. They are frameworks that assume churn, abstraction, and centralized control, and they grow more capable over time. That reality should change how risk is assessed, because it raises the baseline for what a modern Linux threat looks like. What VoidLink Reveals About Modern Linux Attack Chains When malware is built for cloud and container environments, the attack chain looks different from the start. Initial access often does not come from a memory corruption bug or a kernel exploit. It comes from the configuration. An exposed API, an over-permissive role, a service account that was meant to be temporary and never revisited. In cloud-native environments, access is frequently granted by design, which makes the first step of an intrusion both quieter and harder toclassify as malicious. Execution also shifts away from the idea of a single compromised host. Workloads run inside containers, scheduled jobs, or serverless tasks that are expected to appear and disappear. From the platform’s perspective, something started, did its work, and exited. Malware that operates in this space does not need to linger. What used to be called persistence is often replaced by the ability to trigger redeployment, reuse credentials, or influence orchestration so that access returns naturally as part of normal operations. Command-and-control follows the same pattern. Instead of unusual outbound connections, communication blends into cloud service traffic and API calls that administrators expect to see. Privilege escalation targets identity rather than the kernel, focusing on IAM roles, service accounts, and tokens that can unlock broader access. When the workload is gone, so are many of the artifacts you would normally investigate. For Linux administrators, this changes what detection looks like. Files and processes still matter, but identity, behavior, and control-plane activity increasingly tell the real story. Monitoring Gaps Linux Admins Commonly Have Today Many Linux environments appear quiet, not because nothing is happening, but because the right things are not being observed. Host-based monitoring still plays an important role, yet it stops at the boundary of the operating system. Control-plane actions do not show up as processes. API calls do not look like system calls. When activity shifts upward into orchestration and cloud services, traditional tools simply have nothing to say about it. Kubernetes audit logs are a good example. They are often disabled, sampled, or retained briefly due to volume and cost. Even when they are collected, they tend to live apart from runtime telemetry, which makes it difficult to connect an API request to the workload it created. Cloud API logs suffer from the same problem. They describe what was requested, not how that requesttranslated into execution inside a container or a node. Container lifecycle events are frequently treated as background noise because environments are already noisy by design. Network monitoring adds another layer of false confidence. Many tools still assume relatively static endpoints and predictable traffic patterns, assumptions that do not hold in dynamic clusters. When alerts do not fire, it can feel reassuring. In practice, it often means visibility does not extend into the layers attackers now prefer. For Linux administrators, this gap matters. It is not just about missing alerts. It is about missing entire classes of activity that never touch the host in ways older tools were built to see. How Linux Admins Should Adapt Their Security Approach Adapting to cloud-native Linux malware does not start with adding more agents to hosts. It starts with recognizing where control actually lives. In containerized environments, the Kubernetes control plane and cloud APIs are not just management layers. They are security-critical surfaces. Decisions about what runs, under which identity, and with what network access are made there, often long before a process ever starts on a node. That shift changes what monitoring needs to focus on. Workload creation events, scheduling decisions, and orchestration actions become as important as process execution. Cloud audit logs begin to matter more when they are correlated with what actually ran and under which service account. Least privilege takes on a more concrete meaning because overbroad roles and service accounts effectively become persistence mechanisms. Container security , in this sense, is less about catching something after it runs and more about understanding how it was allowed to run in the first place. There is also an operational adjustment that is easy to overlook. When compromise happens at the service or identity level, it does not map cleanly to a single host or team. Detection and response require coordination between platform, operations, andsecurity functions that may not have been tightly aligned before. Policies need to reflect that reality. They have to account for how Linux workloads are created, authorized, and redeployed, not just how they behave once they are running. For many administrators, that is the real change this new class of malware forces. Our Final Thoughts: Decision Points for Linux Admins and Platform Teams Once you accept that Linux malware now operates comfortably above the host, a different set of questions starts to matter. Visibility becomes an ownership problem as much as a technical one. Someone has to decide who is responsible for seeing control-plane activity and responding to it. In many organizations, Kubernetes, cloud infrastructure, and Linux operations sit with different teams, each assuming the others are watching closely. That gap is where problems tend to settle. Logging decisions follow quickly. Not every log can be kept forever, but some logs are no longer optional. Kubernetes audit events, cloud API calls, and identity changes start to carry the same weight that syslogs and authentication logs once did. Where detection lives also becomes less obvious. Host-based tooling still has value, but it cannot see everything. Cluster-level signals and cloud-level context often need to be part of the same picture, even if that complicates tooling and workflows. There are tradeoffs here that cannot be avoided. More visibility can slow teams down. Tighter controls can frustrate developers and operators who are used to moving quickly. Linux administrators increasingly find themselves at the center of those discussions, translating risk into practical constraints. These are not decisions about installing another tool. They are architectural and organizational choices that shape how much control and how much uncertainty an environment is willing to live with. . Explore how cloud-native environments alter Linux malware strategies, and what administrators must change to secure systems.. Linux Malware, CloudSecurity, Container Risks, Cybersecurity Strategies, Identity Management. . Brittany Day

Calendar 2 Jan 22, 2026 User Avatar Brittany Day
102
1.Penguin Landscape Esm H240
Price Tag 1security advisorysystem stabilitySELinux

RHEL 9.4 Security Enhancements: Leading Cybersecurity Innovations

In the evolving cybersecurity landscape, staying ahead of threats while ensuring system stability and compliance is paramount for businesses and developers. Red Hat Enterprise Linux (RHEL) version 9.4 emerges as a beacon of innovation and security, encapsulating the best open-source technology to meet these challenges head-on. . As a cornerstone of enterprise environments, RHEL's latest release brings forth myriad enhancements and features designed to bolster the security and compliance posture of Linux systems. This article delves into the critical security advancements in RHEL 9.4, demonstrating how they contribute to creating a more secure, efficient, and compliant Linux operating environment for enterprises and developers. How Is RHEL 9.4 Leading the Charge in Cybersecurity and Technological Innovations? RHEL 9.4 marks a significant leap in cybersecurity enhancements, signaling Red Hat's commitment to staying at the forefront of security and technological advancements. With updates spanning from SELinux policy customization capabilities to cryptographic standards enhancements and container security improvements, this release is poised to address the pressing security concerns faced by today's enterprises. Notably, the inclusion of deny rules in SELinux, advancements in cryptographic protocols through OpenSSL and libkcapi, and bolstering container security via Keylime for trusted computing underscore Red Hat's focus on delivering a secure and robust platform. Introducing customizable TLS/SSL encryption settings for Rsyslog and passwordless authentication configurations heralds a new era of secure system administration and identity management. In embracing these enhancements, RHEL 9.4 offers businesses and developers a secure, stable foundation for deploying critical applications, ensuring compliance, and safeguarding against the evolving landscape of cyber threats. This release exemplifies how open-source technology continues to drive innovation in cybersecurity, offering the Linuxcommunity a platform that is not only technologically advanced but also rigorously secured against future vulnerabilities. Whether managing enterprise infrastructure, developing applications, or ensuring compliance, the security-focused improvements in RHEL 9.4 underscore its value as an essential tool in your cybersecurity arsenal. As we explore the depths of these enhancements, it becomes evident that RHEL 9.4 is not just an update but a substantial stepping stone towards a more secure and compliant future in the open-source ecosystem. SELinux Enhancements In the security realm, RHEL 9.4 introduces SELinux userspace release 3.6, which stands out for adding deny rules . This feature opens up new avenues for tailoring SELinux policies with greater precision, allowing users to refine access controls and enhance their systems' overall security posture. Cryptographic Upgrades The Red Hat Enterprise Linux (RHEL) 9.4 release bolsters its security posture with several cryptographic upgrades to improve security across network communications and data encryption processes. One critical area where these upgrades manifest is in the control over Message Authentication Codes (MACs) within Secure Shell (SSH) policies. Understanding MACs in SSH Message Authentication Codes are essential components of secure communications. They act like seals on an envelope, ensuring the data inside hasn't been tampered with during transit. In the context of SSH, widely used for secure remote access to Linux systems, MACs help confirm the integrity and authenticity of the data exchanged between the client and server. Cryptographic Policy Enhancements In RHEL 9.4, cryptographic policies have been fine-tuned to give users more detailed control over these MACs. Security-conscious administrators can now define their systems' MAC algorithms when establishing SSH connections. With varying degrees of strength and performance across different MAC algorithms, administrators can tailor their SSH configurations to balancesecurity needs with system efficiency. Imagine cryptographic policies as rules that guide how your system approaches encryption and security protocols. These policies might have been broader in the past, adhering to preset security levels (e.g., DEFAULT, LEGACY, FUTURE). With the updates in RHEL 9.4, the policies become more granular, allowing an admin to specify the exact MACs acceptable for use, thereby fine-tuning the system’s security by enabling or disabling certain algorithms as needed. Additional Cryptographic Upgrades in RHEL 9.4 The text provided outlines advancements beyond SSH MAC control: OpenSSL TLS Toolkit : OpenSSL now supports a drop-in directory for provider-specific configuration. This means customized security settings, including new encryption algorithms or security protocols, can be integrated into OpenSSL's configuration without altering the core configuration files, facilitating a more modular and manageable approach to custom cryptographic setups. stunnel TLS/SSL Tunneling Service : With version 5.71, stunnel provides enhanced support for modern PostgreSQL clients and modifies how it operates when RHEL is in Federal Information Processing Standards (FIPS) mode. FIPS mode enforces stricter cryptographic standards and algorithms in compliance with government security guidelines. The behavior changes in stunnel ensure that it remains compliant in these high-security environments. libkcapi 1.4.0 : This update introduces new tools and options, like specifying target filenames when calculating hash sums with a new -T option. Such features add to the toolkit for managing cryptographic operations adhering to improved and updated standards. The RHEL 9.4 release brings about a significant leap in cryptographic control for the average Linux user concerned with security. From establishing airtight SSH sessions with precise MAC algorithm settings to leveraging updated cryptographic tools compliant with modern standards, RHEL 9.4 offers the community a platform wheresecurity is at the forefront and customization is key. Users can be confident their systems are equipped to handle the evolving threats in the cyber landscape while maintaining compliance with stringent security regulations. Container Security Security within containers also sees a boost, including Keylime server components (the verifier and registrar) as containerized entities, facilitating their deployment more securely and isolatedly. Keylime is an open-source project that provides highly scalable remote attestation and automated remediation for cloud and edge computing environments. The aim is to enhance these infrastructures' security by ensuring that remote machines' hardware and software configurations meet certain trustworthiness criteria before they are allowed to perform specific functions or access certain data. Integrating Keylime in RHEL 9.4 helps organizations meet stringent hardware and software integrity verification compliance requirements. By automating the attestation process, organizations can ensure continuous oversight and control over the security state of their infrastructures, essential in industries subject to heavy regulations like finance, healthcare, and government sectors. Rsyslog Enhancements The update to the Rsyslog system is also significant. It introduces customizable TLS/SSL encryption settings and additional options for capability dropping, contributing to logger security enhancements. Identity Management For Identity Management, RHEL 9.4 offers the capacity to enable and configure passwordless authentication in SSSD using biometric devices compatible with the FIDO2 specification, such as YubiKeys, thereby promoting usability and security. Red Hat Enterprise Linux (RHEL) 9.4 introduces several enhancements and new features to its Identity Management (IdM) capabilities. One notable development is the improved integration with external identity providers (IdPs) through support for the OAuth2 device authorization flow. This enhancement enablesIdM users to be associated with external IdPs more seamlessly, facilitating a more integrated and secure authentication experience across different platforms and services. Additionally, the update to RHEL 9.4 includes significant improvements in managing identities and system configurations, aiming to streamline administrative tasks and bolster security. While the specific details of all the identity management features in RHEL 9.4 are vast, emphasizing the OAuth2 integration highlights Red Hat's focus on modernizing authentication mechanisms and enhancing security frameworks to support contemporary cloud-native applications and services. General Security Stability While the release notes focus on feature introductions and updates, it's essential to recognize that each version of RHEL undergoes rigorous security testing and hardening. In RHEL 9.4, users can expect a secure, stable, and robust platform for deploying and running essential applications. These highlights represent Red Hat's continued focus on delivering a secure, enterprise-ready operating system that addresses modern businesses' evolving threats and compliance requirements. The updated security features in RHEL 9.4 will help users fortify their systems against unauthorized access and protect sensitive data while modernizing and streamlining security management tasks. Our Final Thoughts on RHEL 9.4 The RHEL 9.4 release brings about a significant leap in cryptographic control for the average Linux user concerned with security. From establishing airtight SSH sessions with precise MAC algorithm settings to leveraging updated cryptographic tools compliant with modern standards, RHEL 9.4 offers the community a platform where security is at the forefront and customization is key. Users can be confident their systems are equipped to handle the evolving threats in the cyber landscape while maintaining compliance with stringent security regulations. . RHEL 9.4 strengthens organizational safety through innovative capabilities,emphasizing encryption, SELinux enhancements, and user identity governance.. RHEL 9.4 Features, Enhanced Security in RHEL, SELinux Improvements, Cryptographic Security Upgrades. . Dave Wreski

Calendar 2 May 09, 2024 User Avatar Dave Wreski
Banner 2 1028x280 1708121730 1 1771599631
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

More Polls

What got you started with Linux?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/150-what-got-you-started-with-linux?task=poll.vote&format=json
150
radio
0
[{"id":483,"title":"Self-taught through trial and error","votes":545,"type":"x","order":1,"pct":78.42,"resources":[]},{"id":484,"title":"Formal training or courses","votes":30,"type":"x","order":2,"pct":4.32,"resources":[]},{"id":485,"title":"A job that required it","votes":34,"type":"x","order":3,"pct":4.89,"resources":[]},{"id":486,"title":"Other","votes":86,"type":"x","order":4,"pct":12.37,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200

Search Topics

Your message here