This data is now stored in your server’s configuration file. The change was made to reduce the risk of installing Keylime on a production server; with it in place, you can configure Keylime and deploy it on your production server.

You should ensure that your server’s security is up to standard. You can review the following resources for more information on securing your server:
- Reducing the Risks of Installing Software on a Production Server
- How to Secure Your Server’s Configuration File
- Put KeyLime on Your “Do Not Install” List

How to upgrade from Keylime version 5.x to 6.x
When upgrading from Keylime version 5.x to 6.x, you may experience a few compatibility issues. You can resolve these issues by following the steps below:
- Ensure that your server’s keylime.conf is readable only by the account that runs Keylime, and not world-readable: it holds secrets such as database credentials and key passwords, and a world-readable file exposes them to every local user.
- Ensure that you are running a Python release supported by Keylime 6.x (Keylime is a Python project and has no PHP dependency).
- Ensure that you have upgraded to the latest version of keylime (currently 6.3.0).
- Ensure that you have removed any previous versions of keylime.
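The permission check on keylime.conf from the upgrade steps, as an added example that is not part of the original page or of the Keylime project. It reads the mode bits of a file and reports whether the "other" read bit is set; the file path, the use of GNU or BSD stat, and the chmod 640 remedy are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the page or the Keylime project): check that a
# Keylime configuration file is not readable by "other" users. keylime.conf
# holds secrets such as database credentials and key passwords, so a mode of
# 644 exposes them to every local account.
# Assumptions: GNU coreutils stat or BSD stat is available; the file path is
# passed as an argument.

# Print the permission bits of a file as an octal string (e.g. 640 or 4755).
file_mode() {
    # GNU coreutils stat first, BSD/macOS stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is readable by "other", 1 if not.
is_world_readable() {
    mode=$(file_mode "$1")
    # The "other" permission digit is the last character of the octal mode;
    # the read bit is the 4 in that digit (4, 5, 6 or 7 mean readable).
    other="${mode#"${mode%?}"}"
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Report on a configuration file; return 1 if it is world-readable.
check_config() {
    if is_world_readable "$1"; then
        echo "INSECURE: $1 is world-readable (mode $(file_mode "$1")); fix with: chmod 640 $1"
        return 1
    fi
    echo "OK: $1 is not world-readable (mode $(file_mode "$1"))"
    return 0
}

# Demonstration on a constructed temporary file, so the script runs without a
# real Keylime install; on a server you would pass /etc/keylime.conf instead.
demo_file=$(mktemp)
chmod 644 "$demo_file"
check_config "$demo_file" || true   # flagged: mode 644
chmod 640 "$demo_file"
check_config "$demo_file"           # passes: mode 640
rm -f "$demo_file"
```

The check only covers the file's own mode bits; it does not inspect ACLs or the ownership of the parent directory, both of which also need to restrict access to the Keylime service account.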
Risks associated with installing insecure packages
When you install a package from a third party on your server, you should verify the package’s integrity and authenticity. You can verify the package’s integrity by checking the package’s signature and its checksum.

Verify the package’s signature and authenticity
You can also check the certificate of the host the package was downloaded from. Be clear about what this does and does not prove: a valid TLS certificate shows that you were talking to the host named in the certificate, so the download was not intercepted in transit; it does not show that the package is what the vendor published, which only the package’s own signature can establish. You can inspect the host’s certificate by using the following command (openssl s_client prints the certificates in PEM form; piping the output through openssl x509 decodes the first one):

$ openssl s_client -connect example.com:443 -CAfile file -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -text

Run the s_client part on its own first and confirm that it reports Verify return code: 0 (ok); any other code means the chain did not validate against the CA file you supplied.
The output should be similar to (modulus abbreviated):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d1:7d:13:6b:e8:d4
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=TX, L=Houston, O=Keylime Inc., CN=example.com/emailAddress=admin@example.com
        Validity
            Not Before: Sep 24 18:14
            Not After : Oct 24 18:14
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e9:...

Two details in this example should stop you from trusting such a host in practice: the certificate is signed with sha1WithRSAEncryption, and its RSA key is only 1024 bits. Both have been deprecated for years; public CAs no longer issue them and modern TLS clients reject SHA-1 signatures. Treat a download host presenting such a certificate as unverified.

What to do if you find an insecure package?

If you find an insecure package on your server, you should remove it, preferably with the same package manager that installed it so that its records, configuration and service units are removed together and the package database stays consistent. The following command removes only the library files of a Keylime 5.x tree installed under /usr/share; it leaves everything else behind, so use it only for a manual install, after confirming the path points at the copy you mean to delete:
rm -rf /usr/share/keylime-5.x/lib*

The risks associated with installing packages from third party servers are outlined in the following section:
- Installing Packages from Third Party Servers

Renaming a column in a relational database
We need to rename Column 1 to Column 2 in the table TEST_TABLE without deleting and recreating the table. The SQL file is called testtbl.sql, and it is located in the /path/to/dbname/.sql directory.

Step 1: Check the package’s signature and authenticity

- Make sure the package is signed by the vendor.
- Make sure the package has not been tampered with.
- If you have any doubt, do not install the package.
Step 2: Update your server’s configuration file

How to check the integrity and authenticity of a package?

- Ensure that the signature on the checksum list is valid: verify the signature file with the vendor’s public key before relying on any sha256sum it lists.
- Ensure that the package’s sha256sum is identical to the one listed in the signed checksum file.
- If the sha256sum does not match, verify that you are installing the correct package and that the package has not been modified from its original state; do not install it until the mismatch is explained.
- If you cannot locate the package’s signature, ensure that you have obtained a copy of it from your vendor and verified it for accuracy before proceeding with your installation.
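The integrity and authenticity checks described in these steps, and in the “Verify the package’s signature and authenticity” section above, as an added example that is not code from the original page or from the Keylime project. It verifies a detached signature over a checksum list with gpg and then compares the package’s SHA-256 digest with the signed list. The file names SHA256SUMS and SHA256SUMS.asc, the assumption that the vendor’s signing key is already imported into the local gpg keyring, and the constructed sample package are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page or the Keylime project): verify a downloaded
# package against a signed checksum list.
# Assumptions: the vendor publishes a SHA256SUMS list and a detached signature
# SHA256SUMS.asc (names chosen here for illustration); gpg is installed and the
# vendor's signing key has been imported and verified out of band.

# Print the SHA-256 hex digest of a file (GNU coreutils, with a BSD fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected digest for a file name in a SHA256SUMS-style list
# ("<hex>  <name>" per line). Prints the digest, or nothing if there is no entry.
expected_sha256() {
    sums_file=$1; name=$2
    awk -v n="$name" '$2 == n { print $1; exit }' "$sums_file"
}

# Return 0 if the package's digest matches the list, 1 on mismatch or missing entry.
verify_checksum() {
    pkg=$1; sums_file=$2
    want=$(expected_sha256 "$sums_file" "$(basename "$pkg")")
    [ -n "$want" ] || { echo "no entry for $(basename "$pkg") in $sums_file"; return 1; }
    have=$(sha256_of "$pkg")
    [ "$have" = "$want" ] && return 0
    echo "sha256 mismatch for $pkg: expected $want, got $have"
    return 1
}

# Verify the detached signature on the checksum list with the vendor's key.
# Relies on the caller's gpg keyring (assumption): it only succeeds once the
# vendor's key is imported. A valid TLS certificate on the download host does
# not replace this step; it proves the host, not the package.
verify_signature() {
    sums_file=$1; sig_file=$2
    gpg --batch --verify "$sig_file" "$sums_file"
}

# Full check: authenticity (signature) first, then integrity (digest).
verify_package() {
    pkg=$1; sums_file=$2; sig_file=$3
    verify_signature "$sums_file" "$sig_file" \
        || { echo "signature check failed; do not install $pkg"; return 1; }
    verify_checksum "$pkg" "$sums_file" \
        || { echo "integrity check failed; do not install $pkg"; return 1; }
    echo "$pkg verified"
}

# Demonstration on constructed files (no network, no real vendor key): a
# package, its checksum list, and then a tampered copy of the package. The
# signature step needs a real keyring, so only the checksum path runs here.
work=$(mktemp -d)
printf 'keylime release payload\n' > "$work/keylime-6.3.0.tar.gz"
printf '%s  keylime-6.3.0.tar.gz\n' "$(sha256_of "$work/keylime-6.3.0.tar.gz")" > "$work/SHA256SUMS"
if verify_checksum "$work/keylime-6.3.0.tar.gz" "$work/SHA256SUMS"; then
    echo "checksum OK"
fi
printf 'tampered payload\n' > "$work/keylime-6.3.0.tar.gz"
if ! verify_checksum "$work/keylime-6.3.0.tar.gz" "$work/SHA256SUMS"; then
    echo "tampered package rejected"
fi
rm -rf "$work"
```

On a real download you would call verify_package with the package, the SHA256SUMS file and the SHA256SUMS.asc file fetched from the vendor; the order matters, because a digest taken from an unsigned list only proves the package matches whatever an attacker chose to publish beside it.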

Timeline

Published on: 09/21/2022 19:15:00 UTC
Last modified on: 09/22/2022 16:18:00 UTC

References