Posts

Here is the point: you have a git repository a random guy forked your repo and made a pull request You want to rework his contribution locally before merging it On your local repo, add the random guy forked repository address and name it random-guy: git remote add random-guy git@github.com:random-guy/your-project.git You can see the remote repo you added with this command: git remote show Add the remote branch where the random guy did the pull request and name this branch pr-rework (for Pull Request rework)....

Hey ! You inherited the maintenance of a Debian or Ubuntu server and you wonder if the previous admin has modified some sensitive files ? Is your system safe ? Can you trust it ? debsums to the rescue ! TL;DR sudo apt install debsums sudo debsums -as --no-prelink --no-locale-purge Explain me how it works As you may know, when you install a Debian package, you can find their postinst, postrm, preinst or prerm scripts on /var/lib/dpkg/info folder....

Simple and easy: $ nmap --script ssl-enum-ciphers -p 443 www.google.com Will returns: Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-03 15:48 UTC Nmap scan report for www.google.com (142.251.39.100) Host is up (0.020s latency). Other addresses for www.google.com (not scanned): 2a00:1450:400e:811::2004 rDNS record for 142.251.39.100: ams15s48-in-f4.1e100.net PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1....

CPU vulnerabilities and mitigations Yesterday, a co-worker pointed out to me than lscpu reported CPU vulnerabilities. $ lscpu (...) Vulnerability Itlb multihit: Not affected Vulnerability L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled Vulnerability Mds: Mitigation; Clear CPU buffers; SMT Host state unknown Vulnerability Meltdown: Mitigation; PTI Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization Vulnerability Spectre v2: Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP disabled, RSB filling Vulnerability Srbds: Unknown: Dependent on hypervisor status Vulnerability Tsx async abort: Not affected No problem, all these vulnerabilities are mitigated by my Linux kernel....

TL;DR If you don’t care about distroless bla-bla and just want to know how to create distroless alpine images, click here Distroless ? In a distroless docker image, you won’t find any shell, package manager or utilities such as grep, sed, awk, … It runs only your application and nothing else. Don’t expect to launch commands like docker run -it my-distroless-image something, it will fail with a message like this one:...