Linux is more secure than Windows. We all know that. But that doesn’t mean it has perfect security. Nothing does. CloudLinux is helping to improve Linux’s operational security with the release of UChecker. The company is best known for its Red Hat Enterprise Linux (RHEL)/CentOS server clone, CloudLinux, and its CentOS fork.
This newly open-sourced program, part of the company’s TuxCare security services, scans Linux servers for out-of-date libraries both on disk and in memory. Unlike other such tools, it also reports vulnerable libraries that are still loaded in memory, which on-disk scanners can miss. It works with all modern Linux server distros and is licensed under the GPLv2.
UChecker, which is an abbreviation for “userspace checker,” works with all modern Linux distributions, not just the RHEL family. It provides detailed actionable information on which application is using which vulnerable library. The program will also present you with the relevant process ID and process name. Armed with this information you can see which libraries need to be updated.
This program can be integrated with tools like Nagios or other monitoring, logging, and management tools to provide better security defences for your servers.
UChecker got its start at kernelcare.com. This set of programs provides live patching for Linux kernels and their common shared libraries such as Glibc and OpenSSL. The program works with all modern Linux distributions under the GNU General Public License and can be downloaded here.
After running UChecker from the shell, you have two options for updating your libraries. First, there’s the old-school way: update your libraries with your packaging system and reboot the servers. Or you can restart all the affected processes, since even with UChecker you can’t be sure which processes may still use the outdated libraries.
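To show the in-memory problem UChecker addresses, here is an added example (not UChecker’s own code) that looks at each process’s memory map for shared objects the kernel marks “(deleted)”, i.e. libraries that were replaced on disk by a package update but are still mapped by a running process. The sample maps text is constructed; reading other users’ maps files usually requires root.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps lines (not output from a real host).
SAMPLE_MAPS = """\
7f3a1c200000-7f3a1c3b0000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.1 (deleted)
7f3a1c3b0000-7f3a1c5af000 ---p 001b0000 fd:01 1234 /usr/lib64/libssl.so.1.1 (deleted)
7f3a1c600000-7f3a1c7a0000 r-xp 00000000 fd:01 5678 /usr/lib64/libc-2.28.so
7f3a1c900000-7f3a1c901000 rw-p 00000000 00:00 0
7f3a1ca00000-7f3a1ca10000 r-xp 00000000 fd:01 9999 /tmp/data.bin (deleted)
"""

# Matches "libfoo.so" and versioned names such as "libssl.so.1.1".
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")
DELETED = " (deleted)"


def stale_libraries(maps_text):
    """Return sorted shared-object paths a process still maps although the
    file on disk was unlinked or replaced (the kernel appends "(deleted)")."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # 6th field is the path, may hold spaces
        if len(fields) < 6:
            continue                      # anonymous mapping, no backing file
        path = fields[5]
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        if SHARED_OBJECT.search(path):    # ignore deleted data files, only .so
            stale.add(path)
    return sorted(stale)


def scan_processes(proc_root="/proc"):
    """Map PID -> (process name, stale libraries) for every readable process."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/maps") as f:
                maps_text = f.read()
            with open(f"{proc_root}/{entry}/comm") as f:
                name = f.read().strip()
        except OSError:
            continue                      # process exited or access denied
        stale = stale_libraries(maps_text)
        if stale:
            findings[int(entry)] = (name, stale)
    return findings


if __name__ == "__main__":
    for pid, (name, libs) in sorted(scan_processes().items()):
        for lib in libs:
            print(f"{pid}\t{name}\t{lib}")
```

A “(deleted)” mapping only tells you the on-disk file changed, not whether the copy still in memory is vulnerable; pair the PID list with your package manager’s version information before deciding which services to restart.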
Or you can use TuxCare LibraryCare service’s live patching capability to apply security patches to OpenSSL and Glibc libraries without having to reboot the server. TuxCare services are CloudLinux’s umbrella security and support offering. It includes live patching for Linux stack critical components from the kernel all the way to widely-used shared libraries. It eliminates the need for lengthy and costly service disruptions while servers or services are restarted to install the latest security patches, and no longer requires a disruptive maintenance window.
TuxCare LibraryCare, of course, isn’t the only Linux program that enables you to patch your Linux kernel or other important files. These include Oracle Ksplice; Red Hat and CentOS Kpatch; Canonical Livepatch; and SUSE Kgraft. All of these, however, only work with their vendor’s Linux distro. So, for example, you can’t use Livepatch on RHEL nor Kpatch on Ubuntu. CloudLinux’s programs, however, support CentOS, Red Hat, Oracle, Debian, Ubuntu, and others. You can run this Python/shell program to see if it will work with your favourite Linux.
CloudLinux also promises that TuxCare Linux Support Services provides regular patches and updates for all components of enterprise Linux systems, as well as 24/7 incident support, even when systems are past their End-of-Life (EOL). So, if you run a variety of Linux distros and some of them are old, this service is well worth looking into.
After all, as Jim Jackson, CloudLinux’s president, said, ordinarily “some patches require reconfigurations and reboots of servers that are difficult to take offline for very long. Time is critical because hackers look to exploit vulnerabilities so it’s always a race for IT teams to apply security patches.” Anything that can help you spot and patch potentially insecure libraries as fast as possible is always a good thing.