Stay Ahead With Linux Security Features
security advisory risk management If more than 12 million enterprise systems can be exposed by flaws in a security control designed to harden Linux, it's probably worth asking whether Linux gives people a false sense of security. That's a question that has come up repeatedly throughout 2026. . This year alone, researchers have disclosed privilege-escalation vulnerabilities, root-level kernel flaws, and multiple supply-chain compromises affecting Linux environments. That doesn't mean Linux suddenly became insecure. It means...
Jun 15, 2026 
security advisory attack A Linux server gets cleaned up after an intrusion. The suspicious process is terminated, credentials are rotated, and the system is rebooted during maintenance. Everything seems secure. A few hours later, the same outbound connection appears again. . Situations like that point to persistence . The attacker no longer needs the original exploit because something on the host continues restoring access behind the scenes. Finding that mechanism is often more important than understanding how the...
Jun 08, 2026 
threat detection scalability Building a SIEM is easier than scaling one. Most open-source deployments start as a simple "all-in-one" server. It is easy to set up, but that design rarely survives the transition from a lab to a production workload. . A SIEM watching 20 endpoints is not doing the same job as one watching 500. More endpoints mean more logs; more logs require more storage; more storage makes search heavier. Eventually, the very architecture that made your lab easy to deploy becomes the reason your production...
Jun 04, 2026 
security advisory apache A newly disclosed attack technique called HTTP/2 Bomb is drawing attention because it targets the software that sits at the front of much of the Linux internet. Apache HTTP Server, NGINX, Envoy, and the ingress layers that many Kubernetes environments depend on can be forced into consuming disproportionate amounts of memory using relatively small amounts of attacker traffic. . For Linux administrators, the concern is not the HTTP/2 protocol itself. It is the possibility that a single...
Jun 04, 2026 
security advisory important The compromise of Nx Console shows how much infrastructure now sits behind a single developer account. GitHub repositories, CI/CD pipelines, container build systems, Terraform projects, Kubernetes deployments. None of those systems was the initial target. The workstation was. . Attackers did not need a Linux privilege escalation bug or a remote code execution chain. They needed developers to trust a tool they were already using. For many organizations, that was enough. What Happened? Federal...
Jun 03, 2026 
Refine features
X Clear Filters Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security features
We found -3 articles for you...
102
security testingvulnerability managementruntime protectionEffective Docker Security Techniques: Manage, Test, and Automate
In the dynamic landscape of contemporary software development, Docker containerization has emerged as a cornerstone, facilitating the efficient deployment and scaling of applications. However, fortifying their security measures becomes paramount as organizations increasingly embrace Docker containers. . This necessitates a comprehensive approach to Docker Container Security Vulnerability Management and Testing, incorporating industry best practices. Since security is not a universal concept, container security best practices offer a comprehensive framework that spans the entire software development lifecycle, from creating secure container images to runtime protection. Below is a complete guide on Docker container security vulnerability management and testing. Container Security and The Importance of Integrating Security Testing and Automated Deployment Container security refers to measures to secure the entire containerized application development and deployment process. This includes securing the container runtime, orchestration tools, and images. Integrating security testing and automated deployment into the container lifecycle is crucial to identify and mitigate vulnerabilities early in development. Security testing involves assessing the security posture of containerized applications through vulnerability scanning, penetration testing, and static code analysis. Automated deployment ensures a streamlined and consistent process for deploying containerized applications across different environments. Understanding Container Security Testing and Deployment Automation Container orchestrators, exemplified by prominent platforms such as Kubernetes, play a pivotal role in shaping the security landscape of containerized environments. These orchestrators are the backbone, providing a robust framework for managing, scaling, and orchestrating containerized applications. In the security realm, container orchestrators contribute significantly by offering advanced features and tools that bolster theoverall protection of containerized ecosystems. One fundamental security feature container orchestrators provide is Role-Based Access Control (RBAC). Kubernetes, for instance, offers a sophisticated RBAC system that enables organizations to define fine-grained access policies. By implementing RBAC best practices, organizations can ensure that users and processes within the container orchestration platform adhere to the principle of least privilege. This not only enhances security but also fosters a structured and controlled environment. Container orchestrators also offer comprehensive hardening guides and security checklists. Kubernetes, for instance, provides a detailed hardening guide that outlines best practices for securing various components of the orchestrator. This includes securing the control plane, worker nodes, and associated components. Security checklists offered by orchestrators act as practical guides for administrators, helping them configure and manage the environment with security in mind. In addition to RBAC, container orchestrators implement network policies to enhance security. These policies dictate communication rules between containers, ensuring only authorized interactions occur. By segmenting the network, orchestrators reduce the attack surface, limiting the potential impact of security breaches. Container orchestrators are designed with security in mind, providing an array of features to safeguard the deployment and runtime of containerized applications. They facilitate the implementation of security standards and best practices, guiding organizations in fortifying their container environments against potential threats. As container orchestrators manage the deployment and scaling of applications, they inherently contribute to security testing and deployment automation. Integration with CI/CD pipelines ensures that security testing becomes integral to the application delivery process. Security checks can be automated at different stages, from the creation of containerimages to their deployment in a production environment. What Is The Role of Container Orchestrator in Security Testing and Deployment Automation? Container orchestrators play a crucial role in managing and scaling containerized applications. These orchestrators also contribute to security testing and deployment automation by providing features that enhance the overall security posture of containerized environments. One key security feature provided by container orchestrators is network segmentation. By isolating containers into separate network segments, orchestrators prevent unauthorized container communication, reducing the attack surface. Additionally, orchestrators often include features for secrets management, allowing developers to securely store and manage sensitive information, such as API keys and passwords. This helps prevent security breaches arising from the exposure of sensitive data within containerized applications. Linux Container Vulnerability Management Linux container vulnerability management is a critical aspect of securing containerized environments. As containers share the host operating system's kernel, keeping the underlying Linux system secure is paramount. Regularly updating the host operating system and its components is fundamental to mitigating known vulnerabilities and maintaining a robust security posture. Vulnerability management tools , including OpenSCAP and Nessus, scan the Linux host for potential security risks. Proactive measures involve monitoring security advisories, subscribing to relevant mailing lists, and staying informed about the latest patches. By addressing vulnerabilities at the operating system level, organizations bolster the overall security of their containerized applications, creating a foundation for a resilient and protected container environment. Docker Container Security Testing Docker, a widely used containerization platform, requires specific attention to security testing. Docker container security testing involves examiningvarious aspects of the Docker ecosystem, including the Docker daemon, container images, and the Docker API. One crucial aspect of Docker security testing is ensuring the integrity of container images. Developers should verify the authenticity and origin of container images to prevent the deployment of compromised or malicious images. Implementing image signing and verification mechanisms, such as Docker Content Trust (DCT), adds more security to container images. In addition to image integrity, Docker security testing should focus on securing the Docker daemon. Access controls, network policies, and secure configuration settings are essential to prevent unauthorized access and potential exploitation of vulnerabilities in the Docker daemon. What Is The Role of Automation in Container Security? Automation is integral to adequate container security, allowing organizations to scale security processes, reduce human error, and respond swiftly to emerging threats. Automated security processes can be incorporated at various stages of the container lifecycle, from image build to deployment and runtime monitoring. Automated vulnerability scanning ensures that container images are regularly scanned for known vulnerabilities, and security teams receive immediate feedback on potential risks. This proactive approach enables developers to address vulnerabilities early in development, minimizing the exposure window. Access control and permission management automation help enforce the principle of least privilege, reducing the risk of unauthorized access and potential security breaches. Role-based access control (RBAC) mechanisms provided by container orchestration platforms enable fine-grained control over user permissions. Continuous monitoring and automated threat detection contribute to runtime security. Tools that monitor container behavior and detect anomalous activities help organizations identify and respond to security incidents in real-time. Practical Approaches to Integrate Security Testingand Automate Deployment Integrating security testing and automating deployment requires a strategic and collaborative approach within development and operations teams. Here are practical approaches to seamlessly embed security into the container development and deployment lifecycle: Incorporate security into CI/CD pipelines: Integrate security testing tools into CI/CD pipelines to automatically scan container images for vulnerabilities during the build process. This ensures that security checks are part of the automated deployment workflow. Automate compliance checks: Implement automated tools to check and enforce compliance with security policies and industry regulations. This includes scanning container images for compliance with security benchmarks and standards. Implement infrastructure as code (IaC): Use IaC tools like Terraform or Ansible to define and provision infrastructure in a repeatable and consistent manner. This ensures that security configurations are applied consistently across different environments. Security training for development teams: Provide security training to development teams to raise awareness about secure coding practices and potential security risks in containerized environments. Empowering developers with security knowledge enhances their ability to write secure code from the outset. Use secure base images: Start with secure images with minimal attack surfaces. Regularly update these base images to include the latest security patches. Tools like Docker Bench for Security can be used to check the security configuration of Docker hosts. Implement image scanning in registries: Utilize container image registries that support image scanning for vulnerabilities. This adds an extra layer of security by automatically scanning images before they are deployed, preventing the use of compromised images. Container runtime security: Implement runtime security measures, such as container network policies and runtime monitoring, to detect andrespond to security incidents during the execution of containerized applications . Collaborate across teams: Foster collaboration between development, operations, and security teams to ensure a holistic approach to container security. Regular communication and knowledge sharing help address security concerns at every stage of development. Future Trends in Container Security Testing and Deployment Automation As technology evolves, so do the challenges and solutions in container security. Several trends are likely to shape the future of container security testing and deployment automation: Shift left security: The trend of shifting security left in the development lifecycle will continue to gain prominence. Embedding security testing early in the development process allows for identifying and remedying vulnerabilities before they reach production. Enhanced orchestration security: Container orchestrators will continue to enhance their built-in security features, providing more robust tools for network segmentation , access controls, and secrets management. This will contribute to a more secure and manageable container environment. Integration of artificial intelligence (AI) and machine learning (ML): AI and ML technologies will significantly improve threat detection and response in containerized environments. Automated anomaly detection and intelligent security analytics will become crucial for identifying sophisticated attacks. DevSecOps adoption: The DevSecOps paradigm integrates security into the DevOps workflow and will become more mainstream. Collaboration between development, operations, and security teams will be further strengthened to ensure a holistic and continuous approach to security. Immutable infrastructure: The concept of immutable infrastructure, which is treated as code and cannot be modified after deployment, will continue gaining traction. This approach reduces the attack surface and ensures consistency in the environment. Zero trustsecurity model: Adopting a Zero Trust security model, where no entity, whether inside or outside the network, is trusted by default, will become more prevalent. This model aligns with the dynamic and distributed nature of containerized applications. Compliance as code: Compliance requirements will be increasingly addressed through code, using tools and frameworks that enable organizations to define, enforce, and audit compliance as part of their automated workflows. Container-native security solutions: Security solutions designed explicitly for containerized environments will continue to emerge. These solutions will provide specialized features to address containers' unique security challenges. Final Thoughts on the Importance of Docker Container Security Testing In an era where software development is becoming faster and more dynamic, the importance of robust security measures cannot be overstated. Docker container security testing is not merely a compliance checkbox but a critical aspect of building and deploying resilient applications. By integrating security testing and automation into the container development lifecycle, organizations can identify and remediate vulnerabilities early, reducing the risk of security breaches. The collaboration between development, operations, and security teams is pivotal in establishing a culture of security that permeates every stage of the containerized application lifecycle. As container technologies evolve, staying informed about emerging security trends and adopting best practices will be essential for organizations aiming to build and maintain secure container environments . The future of container security lies in proactive, automated, and collaborative approaches that prioritize the protection of applications and data in an increasingly complex digital landscape. . Uncover vital security tactics for Docker to protect against threats and guarantee safe application rollout.. Docker Security, Container Vulnerability Management, AutomatedDeployment, Security Testing Framework, Container Orchestration. . Duane Dunston
Dec 12, 2023 •
102
security toolkernel exploitLinux kernelBlackHat USA 2022: eBPF Kernel Exploitation Detection and Prevention
Let's take a brief look at what Guillaume Fournier from Datadog presented at Blackhat USA 2022: “One of the fastest growing subsystems in the Linux Kernel is, without any doubt, eBPF (extended Berkeley Packet Filter)." . He elaborates, "Although eBPF initially targeted network monitoring and filtering use cases, its capabilities have been broadened over time. With each new kernel version, the capabilities of eBPF are getting closer to that of a kernel module with additional benefits: system safety and stability. Like any other kernel features, eBPF has introduced its fair share of kernel bugs and vulnerabilities, questioning the maturity of a solution that introduces a rich feature set but considerably increases the kernel attack surface. On the other hand, eBPF is now powering an increasing amount of endpoint protection solutions, showcasing original ideas to detect threats at runtime. Unlike many projects that aim at detecting malicious behaviors in user space, this talk focuses on how eBPF can be leveraged to detect and prevent various kernel exploitation strategies.” Now I know you may be wondering: what exactly is eBPF? Well, let's go through it together! Given the linux kernel's unrestricted ability to monitor and manage the entire operating system, it has always been the ideal location to incorporate observability, security, and networking features. At the same time, because of its key function and high requirements for stability and security, the kernel is difficult to use when it comes to applications. Berkeley Packet Filter, or BPF for short, introduced a new interface for programs to make kernel requests alongside syscalls, making a significant modification to the old kernel model. Big name companies such as Netflix and Facebook run many BPF applications due to its capability of running new types of user-defined and kernel-mode applications. BPF is essentially a kernel and user-space observability mechanism for executing code in kernel or user space that reacts to events such asfunction calls, function returns, and trace points. BPF programs offer both rapid and extremely powerful and flexible ways of deep observability of what is happening in the Linux kernel or user space. Understanding the Linux Kernel Architecture When it comes to the Linux Kernel, there are roughly three parts to it: the user space, the linux kernel itself or the OS, and then finally we have the actual hardware. Essentially, this all works together and is wrapped in a process. Anything that is not a kernel process, such as normal apps, operates in the user space. Any code that runs within the user space has restricted hardware access and relies on kernel space code for privileged activities, such as reading and writing on the disk, or even network interaction such as sending data via a BSD or TCP socket. The Kernel space, on the other hand, contains the operating system's core. It has complete and unlimited access to all hardware, including RAM, storage, and the CPU. As we stated earlier, the kernel space is secured and only permits the most trusted programs to execute, including the kernel itself and numerous device drivers, which means code within the user space has limited access. In the image below, it basically sums up the this entire process: While the system call interface might be enough in some cases, developers may require complete flexibility to handle new hardware, create new programs, etc, and this requires expanding the underlying kernel without directly modifying the kernel source code. This is where eBPF comes into play. How eBPF Works What eBPF allows users to do is quite incredible; it allows users to take a system call and run a program that takes over on its behalf. With this in mind, it can be used to create programs for networking, debugging, tracing, firewalls, and more. eBPF was inspired by dtrace, a dynamic tracing tool available primarily for the Solaris and BSD operating systems, since there was a need for better Linux tracing capabilities. Unlike dtrace, linux at thetime could not provide a layout of systems that were running hence the need to improve eBPF, giving a similar set of functionalities as dtrace. To avoid hazards such as limitless loops, eBPF applications are evaluated within the kernel. As a result, as compared to an arbitrary Linux loadable kernel module, eBPF applications represent less risk. There is an eBPF Runtime within the kernel, and the runtime ensures that these programs guarantee and meet all programmability standards. Additionally, programs are written and executed in bytecode when using eBPF. As a result, eBPF allows programmers to securely run custom bytecode within the Linux kernel without altering or adding to kernel source code, allowing applications with custom code to interact with protected hardware resources while putting the kernel at little risk. Benefits of eBPF eBPF can be adapted to do a variety of things, and its benefits are highlighted below: Performance : eBPF allows packet processing to be moved from the kernel to the user space. eBPF is also a just-in-time (JIT) compiler. eBPF is invoked after the bytecode is compiled, rather than a fresh interpretation of the bytecode for each method. Invasiveness is minimal: When used as a debugger, eBPF does not require the application to be stopped in order to examine its status. Security: Programs are essentially sandboxed, as shown in the image below, which means that kernel source code stays safe and unmodified. The verification phase guarantees that resources are not overburdened by programs that perform infinite loops. Moreover, eBPF provides a unified, robust, and user-friendly framework for tracing processes which improves both visibility and security. Convenience: It takes less effort to write code that hooks into kernel functions than it does to construct and maintain kernel modules. There are many reasons why people should use eBPF as listed above, but here are some reasons why you shouldn’t: Detecting post compromission isfighting a lost battle There are dozens of ways to disable an eBPF program eBPF can have a significant in kernel performance impact Known Issues within the Linux Kernel Critical CVEs are regularly discovered within the Linux Kernel. As of now, there are a recorded 3349 CVE Records for the linux kernel alone. This causes security administrators and daily users to worry about: Keeping up with security updates Deploying security patches Monitoring & protecting vulnerable hosts As of now, we already have 2 vulnerabilities for the month of August with regards to the linux kernel. Firstly, we have CVE-2022-1012 , which consists of a memory leak problem that was found in the TCP source port generation algorithm in the net/ipv4/tcp.c file due to the small table perturb size. This flaw could allow an attacker to leak information and can give them free rein to cause a denial of service problem or carry out a full-fledged DoS attack. The second vulnerability would be CVE-2022-1973 , which consists of a use-after-free flaw that was found in the Linux kernel in the log_replay in fs/ntfs3/fslog.c file in the NTFS journal. Essentially, this flaw allows a local attacker to crash the system and leads to a kernel information leak problem. With the implementation and modification of eBPF, we can monitor kernel activity and patch zero-day attacks and vulnerabilities before they are found. For the sake of what was presented at Blackhat USA 2022, we will be discussing how to prevent the following 3 vulnerabilities with eBPF: Execution flow redirection Logic bugs Post compromise kernel runtime alteration DataDogs Solution: KRIe Kernel Runtime Integrity with eBPF is an Open-Source, Compile Once Run Everywhere tool that aims to detect Linux Kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF related limitations to post exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker willeventually be able to bypass it. That being said, the goal of the project is to make attackers' lives harder and ultimately prevent out-of-the-box exploits from working on a vulnerable kernel. Requirements This project was developed on Ubuntu Focal 20.04 (Linux Kernel 5.15) and has been tested on older releases down to Ubuntu Bionic 18.04 (Linux Kernel 4.15). golang 1.18+ (optional) Kernel headers are expected to be installed in lib/modules/$(uname -r), update the Makefile with their location otherwise. (optional) clang & llvm 14.0.6+ To best show how this tool works, the developers created two scenarios for us users: Scenario 1: the attacker controls the address of the next instruction executed by the kernel Scenario 2: the attacker is root on the machine and wants to persist its access by modifying the kernel runtime In scenario 1, machines with SMEP & SMAP can prevent an attacker from carrying out the instruction executed in the user space, however, what about machines without SMEP & SMAP? KRIe places a kprobe and checks if the Stack pointer / Frame pointer / Instruction pointer registers point to user space memory. Remember earlier we said that KRIe is not bulletproof and attackers can find a way around the kprobe by disabling it using the commands echo 0 > /sys/kernel/debug/kprobes/enabled Or sysctl kernel.ftrace_enabled=0 An attacker can also disable a kprobe by killing the user space process that loaded it to begin with. KRIe combats this by setting up what they call booby traps, essentially setting the Return Object Programming or ROP chain to set the instruction the attacker is trying to take over to null. In scenario 2, the attacker could: Insert a rogue kernel module Hook syscalls to hide their tracks Using kprobes By hooking the syscall table directly Use BPF filters to silently capture network traffic Use eBPF programs to implement rootkits KRIe combats thisby: Monitoring All bpf() operations and insertion of BPF filters Kernel module load / deletion events K(ret)probe registration / deletion / enable / disable / disarm events Ptrace events Sysctl commands Execution of hooked syscalls All syscall tables are checked periodically and KRIE is also able to detect and report when a process executes a hooked syscall whilst also locking down the execution flows in the kernel by controlling call sites at runtime. Moreover, every detection is configurable whether it be Log, Block, Kill, or Paranoid which are different detection definements. Our Thoughts Powerful defensive tools can be implemented with eBPF as shown with the KRIe tool however, eBPF is not really the ideal technology to detect kernel exploits. KRIe is realistically a last resort and not a bulletproof strategy but why not put that to the test! Follow along with us in our next article as we put this open-source tool through various test-environments. . Uncover the ways eBPF elevates the monitoring and protection of the Linux kernel by detecting vulnerabilities and reinforcing the overall integrity of system operations.. Kernel Exploitation, eBPF Monitoring, Security Tools, Linux Kernel, Runtime Protection. . Brian Gomez
Aug 29, 2022 • 
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Discover faster search, smarter navigation, and deeper Linux security insights. Read More