Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you may not be able to execute some actions.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

How to keep packages updated and keep in pace with security updates

C
Cleofas last edited by

In a project with multiple vms that run various applications from Wordpress to Django and various other things.

Is there a way or a tool to keep track of the packages that require updates or have security problems not on an app level but on a vm level. Do I have to ssh into each machine and keep track of the packages or is there a smarter way to do that, could a tool like ansible be used for this job?
Reply Quote 0
1 Reply Last reply
T
Trenton last edited by

You could use pre-made roles like https://galaxy.ansible.com/oefenweb/apt or https://galaxy.ansible.com/geerlingguy/security or https://galaxy.ansible.com/weareinteractive/apt to manage apt for system related security upgrades.
Reply Quote 0
1 Reply Last reply

2
Posts

0
Views

Suggested Topics

S

Keeping AWS RDS Instances up to date
Continuous Integration and Delivery (CI, CD) • amazon rds • • shizuka

2

0
Votes

2
Posts

1
Views

F

Your assumption is correct: you will not need to perform patching on an RDS instance, AWS handles that for you. There is a caveat, though: the majority of updates are not forced by AWS, but require an automated maintenance window to execute. Periodically, Amazon RDS performs maintenance on Amazon RDS resources. Maintenance most often involves updates to the DB instance's underlying hardware, underlying operating system (OS), or database engine version. Updates to the operating system most often occur for security issues and should be done as soon as possible. Some maintenance items require that Amazon RDS take your DB instance offline for a short time. Maintenance items that require a resource to be offline include required operating system or database patching. Required patching is automatically scheduled only for patches that are related to security and instance reliability. Such patching occurs infrequently (typically once every few months) and seldom requires more than a fraction of your maintenance window. Source: Maintaining a DB Instance That document has a lot of useful information about the types of maintenance, the maintenance windows, and the manual actions you can take. Database engines need patching, too, and AWS refers to this as a minor engine upgrade. When necessary, these upgrades happen during the aforementioned maintenance windows, but you need to ensure your RDS instance has Auto Minor Version Upgrade enabled to take advantage of this feature. Source: Automatically Upgrading a Minor Engine Version
P

Removal of folders over 3 days with 10 last folders retained by ansible
Software Programming • linux ansible • • Pearlaqua

2

0
Votes

2
Posts

0
Views

M

I've been able to solve the task of an English-speaking stackoverflow user with the help of the Powershell:Get-ChildItem -Path D:\Downloads_D -Directory | Sort-Object -Property CreationTime | Select-Object -SkipLast 3 | Remove-Item -Force -Recurse The code removes all the files except the last three.
What is the difference between the user `dbo` and the owner of the database stored in sys.databases
SQL, Database Testing • sql server security • • jeanid

2

0
Votes

2
Posts

0
Views

C

I had always thought the user dbo was the actual owner of the database. That is (or at least should be) correct. The name "dbo" of that User never changes, yet the underlying SID does depending on who created the database, or who it was set to be via sp_changedbowner (up though, and including, SQL Server 2005) or ALTER AUTHORIZATION (starting with SQL Server 2008). In all three of those cases, the record in sys.databases is also changed so that they are kept in sync. However, when restoring a Database, either from another system or from the same Instance but from a DB that was backed-up / detached prior to one of those 2 SQL commands being executed to change the owner, then upon RESTORE or attach, there will be a mismatch between the owner_sid column in sys.databases and the "dbo" sid in sys.database_principals in that DB. As far as I am aware of, the record in sys.database_principals in each DB is the real owner, and the owner_sid column in sys.databases is a matter of record-keeping / convenience (similar to denormalization; without sys.databases the system would need to make separate queries across all DBs to get that info, each time requested!) and security. One thing it is used for is to identify a potentially harmful / invalid restored / attached DB is those records do not match. Attempting to access SQLCLR Assemblies marked as either EXTERNAL_ACCESS or UNSAFE won't load if one has chosen to go the less secure route of enabling TRUSTWORTHY as that relies upon the "dbo" SID as it needs to match a Login that has either the EXTERNAL ACCESS ASSEMBLY or UNSAFE ASSEMBLY permission. And when there is a mismatch in the SID between those two system catalog views, it can't be determined which one to use, and used as a red-flag for there being a potential security issue. In fact, I test for this condition in the installation script for SQL# to alert someone to make the appropriate change, just so that they don't have to waste time hunting it down in case SQL Server complains about it at some point.
J

How to list security groups for the specific instance via CLI?
Continuous Integration and Delivery (CI, CD) • security aws cli • • jonetta

2

0
Votes

2
Posts

1
Views

D

You can use aws ec2 describe-instances instead, you can specify the id --instance-ids ``` and it will output the security group.
K

How to handle updating binary files on a dev server with git
Continuous Integration and Delivery (CI, CD) • git • • Kadir

2

0
Votes

2
Posts

1
Views

Git doesn't consider the untracked files for making decisions about accepting or rejecting a git pull operation, so you should have no worry about it. If still in doubt you can easily verify it: just pull another copy of the same git repo in some other location - for test only - mess with untracked files in it and pull again.
J

Common permissions for EC2 usage and VPC Security Groups in enterprise use
Continuous Integration and Delivery (CI, CD) • security amazon web services amazon ec2 aws vpc aws security group • • jonetta

2

0
Votes

2
Posts

1
Views

O

Not technically, I understand your need to create and destroy EC2 instances, whether it's done via automation or not. About having permissions at the security group level, this can often be limited to viewing only the resource, as it is a networking firewall resource, usually who manages these objects are SDN or NaaS
C

How to update frontend servers behind a load balancer
Continuous Integration and Delivery (CI, CD) • deployment load balance • • charlenef

2

0
Votes

2
Posts

1
Views

What you have above seems like a reasonable update procedure, however you can also use persistence or a sticky session so that when a user goes to a web server, they will be routed to the same web server for the life of their browser session (or for the next hour, or whatever you decide to configure). This also allows for some A/B testing if you need to get user feedback on a new feature or just allow for the possibility of a bug (just pull server group B from the pool if an issue is discovered during A/B testing with that group). There are some concerns you should be aware of with sticky sessions: Eg, source address persistence can be problematic if you have a thousand users behind a firewall - then you have a huge group that always goes to a single web node. Maybe you really don't want a cookie to do persistence, etc. But, there really is no agreed "best practice" on this - the best practice is going to the the one that meets your business need in this case. You should just collect all of your options and choose the workflow that best meets your needs.
G

How do I use my Google account when I have a FIDO U2F Key attached?
Mobile Testing • security google ac languagec langu gmail password • • guilherme

2

0
Votes

2
Posts

0
Views

C

Use a application token: If familiar with Two Factor Auth. /Multi. Factor Auth. on Github or Bitbucket and use a ssh token essentially the exact same thing. May I recommend using google authenticator ---which by default creates 10 OTPs (one time passwords) that can be used if the FIDO is not pre registered.
R

How to update Docker Swarm services all at once?
Continuous Integration and Delivery (CI, CD) • docker docker swarm • • rielyn

2

0
Votes

2
Posts

0
Views

N

To ensure a stack is in a consistent state after an upgrade, see the documentation on https://docs.docker.com/compose/compose-file/compose-file-v3/#update_config . failure_action defaults to pause so you need to set it to continue to ensure docker updates the services regardless. services: proxy: deploy: update_config: on_failure: continue backend: deploy: update_config: on_failure: continue That said - docker does not support green/blue deployments - but it is possible to use network aliases to ensure proxy:2 does not route to backend:1. Something like this for e.g.: services: proxy: image: proxy:${VER} environment: BACKEND_HOST: backend-${VER} backend: image: backend:${VER} networks: default: aliases: ["backend-${VER}"] To achieve your final requirement, you need to set the update_config parallelism to 1, and ensure that the order is set to start-first. A naive deployment would have a race condition if "proxy:2" is available before "backend:2" is available, but as long as there is a healthcheck, "proxy:2" can prevent itself receiving traffic until it has a successful connection test to "backend-2" services: proxy: image: proxy:${VER} environment: BACKEND_HOST: backend-${VER} healthcheck: ["CMD", "/bin/sh","-c","test_backend.sh"] Of course, you can run into problems if "proxy:2" finishes deploying, but "backend:2" errors out - you could eventually have a situation where you have no proxy:1 running, only proxy:2, but only backend:1 running and no backend:2. So you want to ensure the update_config delays updating the next task until the current one is health - or pause if that never happens. PS. It seems potentially much less hassle to just design and code around the principal that backwards compatibility of +-1 version is expected.
Local Storage or Cookie, where is it best to store a authorization token?
Software Programming • security cookies token loc languagealstorage • • emmalee

2

0
Votes

2
Posts

0
Views

T

It depends!With cookies, you don't have to worry about sending the token to each request, because the browser takes care of this and other things, such as:send the cookie only to the domain in which it was allowed;control of expiration time;you may have different cookies sent by path, within the same domain;Cookie has size limitations (4 KB) when compared to localStorage (5MB), but to store tokens this will not be a problem.But if you are working with OAuth, for example, which will commonly require you to control two tokens (the authorization token and renewal token) and Cookie's advantages are not relevant in your context, it is best to focus both on localStorage, for an organization issue.This would be my position thinking about implementation. There https://stackoverflow.com/a/35059874/2387977 that should also be taken into account, as both solutions are vulnerable to some types of attack (XSRF, XSF and XSS).
D

Serverless framework: how to specify a c++ lambda function with provided deployment package
Continuous Integration and Delivery (CI, CD) • aws lambda serverless • • Duquan

2

0
Votes

2
Posts

1
Views

D

I don't see any documentation from serverless.com that they support C and C++ (while AWS Lambda might do), I have asked about it now so that we can know: https://forum.serverless.com/t/c-and-c-support/8045 ("Supports Node.js, Python, Java, Go, C#, Ruby, Swift, Kotlin, PHP, Scala, & F#") but if you want to try then I think that you should try some other name than "function" for your function. I did not try this at home but all examples use some other name than "function" because that word might be reserved. https://serverless.com/framework/docs/providers/aws/guide/resources/ If that still won't work, check your path to your code and maybe you also want to set up everything up with a CI/CD pipeline with GitLab for example. That's how I do it.
Cross Database with Application Role
SQL, Database Testing • security t sql • • Laycee

2

0
Votes

2
Posts

0
Views

T

Just found the answer: Create SQL login with minimal privileges Execute function from source database under that user (WITH EXECUTE AS) Module sign object GRANT AUTHENTICATE to user created from certificate (this is the one I missed)
J

Notify when database is accessed in any manner
SQL, Database Testing • sql server 2012 security audit event notific languageati • • juvenalb

2

0
Votes

2
Posts

0
Views

D

To clarify, it's actually one particular table I'd like to monitor You should use SQL Database Audit. Below is an example that you are looking for (based on your comments) (Modify as per your criteria and needs) CREATE DATABASE AUDIT SPECIFICATION [AW_Audit_HR_Employee_DML] FOR SERVER AUDIT [Server_Audit_AW] ADD(SELECT,INSERT,UPDATE,DELETE,EXECUTE ON HumanResources.Employee BY sys) WITH (STATE =ON) More info at : SQL 2012 Security Audit 2 (Database Audit)
J

How do you get meta change from Linux?
Software Programming • linux security • • juvenalb

2

0
Votes

2
Posts

0
Views

How do you get the metadata file?Get metadata one file: mat -d Example.jpg ♪ sudo apt-get install matCheck the metadata. All files in the file: mat -c Название_папки How do we remove the metadata file?Disposal of metadata one file: mat leakedmegatrack.mp3Metadata removal for of All files in the file: mat Название_папки Pro mat I learned from these sources: https://www.youtube.com/watch?v=5J_tA65cNbI http://rus-linux.net/MyLDP/sec/How-to-remove-file-metadata-on-Linux.html https://zalinux.ru/?p=96
P

About security of my device
Mobile Testing • security 5.0 lollipop gmail ac languagec languageount google ac languagec langu • • Pearlaqua

2

0
Votes

2
Posts

0
Views

The best way to keep yourself from being in such a situation is you should never let somebody else login to your device. They can't use their account to wipe your phone if you don't let them login. Also, if you are going to let somebody login to your device(which you shouldn't do for security reasons), do it via incognito in the browser. If they wiped your phone then you should be fine to login with your google account and get a backup(hopefully). Just like the only way to make sure your computer can never get malware is to make sure it never interacts with the outside world, the only way to make sure others can't use their google accounts to wipe your phone is to make sure their accounts don't have access to your phone.

How to keep packages updated and keep in pace with security updates

Suggested Topics

Keeping AWS RDS Instances up to date Continuous Integration and Delivery (CI, CD) • amazon rds • • shizuka

Removal of folders over 3 days with 10 last folders retained by ansible Software Programming • linux ansible • • Pearlaqua

What is the difference between the user `dbo` and the owner of the database stored in sys.databases SQL, Database Testing • sql server security • • jeanid

How to list security groups for the specific instance via CLI? Continuous Integration and Delivery (CI, CD) • security aws cli • • jonetta

How to handle updating binary files on a dev server with git Continuous Integration and Delivery (CI, CD) • git • • Kadir

Common permissions for EC2 usage and VPC Security Groups in enterprise use Continuous Integration and Delivery (CI, CD) • security amazon web services amazon ec2 aws vpc aws security group • • jonetta

How to update frontend servers behind a load balancer Continuous Integration and Delivery (CI, CD) • deployment load balance • • charlenef

How do I use my Google account when I have a FIDO U2F Key attached? Mobile Testing • security google ac languagec langu gmail password • • guilherme

How to update Docker Swarm services all at once? Continuous Integration and Delivery (CI, CD) • docker docker swarm • • rielyn

Local Storage or Cookie, where is it best to store a authorization token? Software Programming • security cookies token loc languagealstorage • • emmalee

Serverless framework: how to specify a c++ lambda function with provided deployment package Continuous Integration and Delivery (CI, CD) • aws lambda serverless • • Duquan

Cross Database with Application Role SQL, Database Testing • security t sql • • Laycee

Notify when database is accessed in any manner SQL, Database Testing • sql server 2012 security audit event notific languageati • • juvenalb

How do you get meta change from Linux? Software Programming • linux security • • juvenalb

About security of my device Mobile Testing • security 5.0 lollipop gmail ac languagec languageount google ac languagec langu • • Pearlaqua

Keeping AWS RDS Instances up to date
Continuous Integration and Delivery (CI, CD) • amazon rds • • shizuka

Removal of folders over 3 days with 10 last folders retained by ansible
Software Programming • linux ansible • • Pearlaqua

What is the difference between the user `dbo` and the owner of the database stored in sys.databases
SQL, Database Testing • sql server security • • jeanid

How to list security groups for the specific instance via CLI?
Continuous Integration and Delivery (CI, CD) • security aws cli • • jonetta

How to handle updating binary files on a dev server with git
Continuous Integration and Delivery (CI, CD) • git • • Kadir

Common permissions for EC2 usage and VPC Security Groups in enterprise use
Continuous Integration and Delivery (CI, CD) • security amazon web services amazon ec2 aws vpc aws security group • • jonetta

How to update frontend servers behind a load balancer
Continuous Integration and Delivery (CI, CD) • deployment load balance • • charlenef

How do I use my Google account when I have a FIDO U2F Key attached?
Mobile Testing • security google ac languagec langu gmail password • • guilherme

How to update Docker Swarm services all at once?
Continuous Integration and Delivery (CI, CD) • docker docker swarm • • rielyn

Local Storage or Cookie, where is it best to store a authorization token?
Software Programming • security cookies token loc languagealstorage • • emmalee

Serverless framework: how to specify a c++ lambda function with provided deployment package
Continuous Integration and Delivery (CI, CD) • aws lambda serverless • • Duquan

Cross Database with Application Role
SQL, Database Testing • security t sql • • Laycee

Notify when database is accessed in any manner
SQL, Database Testing • sql server 2012 security audit event notific languageati • • juvenalb

How do you get meta change from Linux?
Software Programming • linux security • • juvenalb

About security of my device
Mobile Testing • security 5.0 lollipop gmail ac languagec languageount google ac languagec langu • • Pearlaqua