Blog

Preventing modification of /etc/ld.so.preload with SELinux

The /etc/ld.so.preload is an environment variable in Linux that specifies a list of dynamic shared object (DSO) libraries to be preloaded before any others when a program is executed. These libraries can override functions and behaviors of other libraries, allowing for interception and modification of system calls and program behavior. This feature is often exploited by rootkits, malicious software designed to stay hidden with unauthorized access and control over a system.

Read now

In the ever-evolving landscape of cybersecurity, the importance of Linux detection and Digital Forensics and Incident Response (DFIR) cannot be overstated. In this post, we delve into the profound significance of these aspects, particularly from a low-level understanding of Linux internals, subsystems, and the /sys and /proc paths.

Read now

Since I was 18 years old, Linux was my preferred OS for desktops, servers, virtualization, storage, VPN, metrics, for Quake3 as well. For offensive operations and defensive research and hardening. After 20 years that did not change. What's most interesting, each project that I was commercially working on needed more or less advanced knowledge of Linux, understanding the internals, and the behavior of mechanisms such as SELinux, AppArmor, iptables, tcpdump to name just a few. No GUI of course!

Read now

Linux systems as well as Open Source solutions are the backbone of the modern Internet, critical services, and services. Kubernetes clusters, containers, complex business applications and APIs, corporate firewalls, gateways, load balancers and jump hosts, proxy and WAF servers, NIDS, and NIPS systems. CI/CD. C2 servers and redirectors as well. When referring to the above solutions and services, I always automatically see Linux. Linux for defense and attack.

Awareness of threats in the above context suggests that their low-level monitoring, tracing, configuration hardening, periodic examination of behavior profiles including the RAM memory forensics process, or proactive hunting for threats are areas that are worth developing in order to minimize the risk and impact of a potential attack. Such an approach increases the chances of an attack being prevented or detected early in the chain, thus gaining contextual insight into post-exploitation activities at multiple layers. In the above context, we will refer to the eBPF technology in the offensive-defensive approach.

Read now

Every SecOps / SecDevOps / Linux Expert needs to know more than just a little about Linux, so if you always wanted to know

Read now

Blog

Preventing modification of /etc/ld.so.preload with SELinux

The Crucial Significance of Modern Linux Detection and DFIR

Advancing your Cyber/Linux skills - things connect together!

Linux eBPF as a double-edged sword

You need to know more than just a little about Linux #3 - SecOps perspective