Make temporary files non-executable

At DrupalCONCEPT operations, our intrusion detection system recently notified us that it found a rootkit in the directory /dev/shm on one of our servers. This directory is writable by the Apache webserver, so attackers that find a vulnerability in the installed software are able to put hostile content (aka rootkits) there.

Of course, the vulnerability shouldn’t be there in the first place. We’re doing security updates all the time, but only on the OS and hosting infrastructure level. Since the actual web applications running on our infrastructure (in our case, Drupal) are maintained by our customers, we don’t have the same kind of tight control here as we have on the OS level.

Okay, we may not be able to prevent attackers from deploying their scripts. But we can prevent those scripts from doing any harm. This is where the noexec filesystem option comes in handy. Files on filesystems that have this option enabled can’t be executed even if they have their execution permissions (“x”) set.

We use a Chef recipe to modify /etc/fstab accordingly. The first execute resource does a remount of the /dev/shm filesystem, but only if triggered by another resource, namely the following bash resource, which modifies /etc/fstab if it’s not already hardened:

Since we include this recipe in our base Chef role, it’s applied to every server we set up.
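The fstab edit that such a recipe needs to perform, written as an added example in plain Ruby rather than the recipe used above (this is not the DrupalCONCEPT code): one function checks whether the /dev/shm entry already carries noexec, the other rewrites the fstab text idempotently, so a ruby_block or bash resource built on it only notifies the remount when something actually changed. Assumptions: the fstab entry for /dev/shm is a tmpfs line, and the constructed sample below stands in for a real /etc/fstab.

```ruby
# Added example: idempotent noexec hardening of the /dev/shm entry in an fstab.
# Pure Ruby so it can be unit-tested without Chef; in a recipe this would run
# inside a ruby_block that notifies an execute resource doing the remount.

MOUNT_POINT = "/dev/shm".freeze

# Split one fstab line into its fields; nil for blank lines and comments.
def fstab_fields(line)
  return nil if line.strip.empty? || line.lstrip.start_with?("#")
  fields = line.split
  fields.size >= 4 ? fields : nil
end

# Fields of the entry that mounts MOUNT_POINT, or nil if there is none.
def shm_entry(fstab_text)
  fstab_text.each_line do |line|
    fields = fstab_fields(line)
    return fields if fields && fields[1] == MOUNT_POINT
  end
  nil
end

# True only when every option in opts is already present on the /dev/shm line.
def shm_hardened?(fstab_text, opts = ["noexec"])
  entry = shm_entry(fstab_text)
  return false unless entry
  (opts - entry[3].split(",")).empty?
end

# Returns the rewritten fstab text. Existing options are kept and opts are
# appended; a missing /dev/shm entry is added as a tmpfs line. All other lines
# are passed through untouched, so running this twice is a no-op.
def harden_fstab(fstab_text, opts = ["noexec"])
  lines = fstab_text.lines(chomp: true)
  idx = lines.index { |l| (f = fstab_fields(l)) && f[1] == MOUNT_POINT }
  if idx.nil?
    lines << ["tmpfs", MOUNT_POINT, "tmpfs", (["defaults"] + opts).join(","), "0", "0"].join(" ")
  else
    fields = fstab_fields(lines[idx])
    fields[3] = (fields[3].split(",") | opts).join(",")   # set union keeps order
    lines[idx] = fields.join(" ")
  end
  lines.join("\n") + "\n"
end

# Constructed sample fstab (not from a real host) for a stand-alone run.
SAMPLE_FSTAB = "# /etc/fstab: constructed sample\n" \
               "/dev/sda1 / ext4 errors=remount-ro 0 1\n" \
               "tmpfs /dev/shm tmpfs defaults 0 0\n"

puts harden_fstab(SAMPLE_FSTAB) if __FILE__ == $0
```

After writing the result back, the remount (mount -o remount /dev/shm) is what actually applies the option to the running system; a file-level check like shm_hardened? says nothing about the current mount state.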

A great tutorial for creating Chef cookbooks

System administrators who are looking for a tool that helps them automate their maintenance tasks and have little or no experience with Chef should really take a look at Joshua Timberman’s great tutorial “Guide to Writing Chef Cookbooks”.

In his article, Joshua describes all the steps he takes to create a new Chef cookbook that installs and maintains smartmontools (a set of tools to monitor hard disk health). It’s a great example of how straightforward it is to automate systems operations tasks with Chef.

Even with two years’ experience in using Chef, I learned one or two bits from this tutorial. And it just so happened this week that I needed a smartmontools cookbook. So, thanks twice for writing this up, Joshua!

Opscode receives $11 million in venture capital

Opscode, Inc., a cloud infrastructure automation company, announced today that it has closed an $11 million Series B round of funding. The round was led by Battery Ventures and includes a follow-on investment from Draper Fisher Jurvetson, who led Opscode’s Series A round of funding of $2.5 million, bringing the total amount raised for the company to $13.5 million. As part of this investment, Sunil Dhaliwal, a general partner at Battery Ventures, will join Opscode’s Board of Directors. Proceeds from the new funds will be used to expand the company’s engineering staff, fuel research and development initiatives, and drive sales and marketing efforts.

After Puppet, Chef now also stands on financially secure footing.

Opscode Chef now available as a hosted solution

Opscode, Inc., a cloud infrastructure automation company, today announced the limited beta release of the Opscode Platform, the world’s first hosted configuration management service.

What I still don’t understand: why would anyone whose infrastructure requires CM software like Chef have its very core, of all things, hosted externally?