Anchore – Container Security Analysis

Anchore provides you with insight and control over the contents of your containers from the start of development all the way to production. Anchore delivers container security solutions for developers, operations, and security teams to deliver insight and control over the contents, security and compliance of containers from the start of development all the way to production. By allowing the creation of policies for security and compliance that are evaluated by Anchore at each stage of the build pipeline, Anchore ensures that only images containers that adhere to an organisation’s policies are deployed.

What’s Inside Your Container Images?
With Docker and containers it’s never been easier to deploy and run any application. Developers now have access to thousands of applications ready to run right “off the shelf” and the ability to quickly build and publish their own images.

In addition to the application, the container image may contain hundreds of packages and thousands of files including binaries, shared libraries, configuration files, and 3rd party modules. Any one of these components may contain a security vulnerability, an outdated software module, a misconfigured configuration file or simply fail to comply with your operational or security best practices.

For more details and to download/install:

Solve sudo sending useless emails “problem with defaults entries”

Whenever a user (whether sssd-ad authenticated user, or local user, or root) uses sudo, it works. But it also sends the administrator a useless email. This problem is caused by sudo looking for directives in a place it cannot find them: sss.
Check the /etc/nsswitch.conf file and modify the sudoers entry.

 sudoers: files sss 

The sss should not be there. The sssd-ad package adds itself there, but very few environments store sudoers directives in sss. It’s far more likely your directives are local, so you should have a /etc/nsswitch file entry like the following:

 sudoers: files 

Thanks to this post for pointing the above out:

snap –

Package any app for every Linux desktop, server, cloud or device, and deliver updates directly. Snap packages are a great way of running apps in an isolated state without using VMs or Containerisation. The website has more details and examples such as this to get going:

A snap is a fancy zip file containing an application together with its dependencies, and a description of how it should safely be run on your system, especially the different ways it should talk to other software. Most importantly snaps are designed to be secure, sandboxed, containerised applications isolated from the underlying system and from other applications. Snaps allow the safe installation of apps from any vendor on mission critical devices and desktops.

Try this (you may need to install snapd)

 $ sudo snap install hello-world 

Now you have installed a snap. You can take a look inside the snap very easily, it shows up as a new directory on your system:

$ cd /snap/hello-world/current/

$ tree
├── bin ← this directory structure is just for convenience
│ ├── echo there is no hardcoded structure requirement other
│ ├── env than meta/snap.yaml
│ ├── evil
│ ├── sh
│ ├── showdev
│ └── usehw
└── meta ← your snap must have this directory
├── icon.png ← no prizes for guessing what this is
└── snap.yaml ← this is the required metadata


How do I stop and start EC2 instances at regular intervals using AWS Lambda?

I want to reduce my Amazon EC2 usage by stopping and starting instances at predefined times or utilization thresholds. Can I configure AWS Lambda and AWS CloudWatch to help me do that automatically?

Short Description:
You can use a CloudWatch Event to trigger a Lambda function to start and stop your EC2 instances at scheduled intervals.

See AWS Web Page for more: 


LXD Update Script

Simple shell script wrapper to update all lxd container hypervisor images running Debian or Ubuntu Linux. Run the below script on the host of your lxd server to update all the lxd containers running Ubuntu or Debian. Could be modified to suit CentOS/RedHat OS and/or you container OS of choice.


# A simple shell script to update all lxd container hypervisor
# URL:
# Tested on : Ubuntu 16.04 LTS lxd server
# Tested on : Ubuntu/Debian lxd container hypervisor only
# ----------------------------------------------------------------------------
# Author: nixCraft
# Copyright: 2016 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated 14 Aug 2016
# ----------------------------------------------------------------------------
# Set full path to bins
# Get containers list
clist="$(${_lxc} list -c ns | ${_awk} '!/NAME/{ if ( $4 == "RUNNING" ) print $2}')"
# Use bash for loop and update all container hypervisor powered by Debian or Ubuntu
# NOTE: for CentOS use yum command instead of apt-get
for c in $clist
echo "Updating Debian/Ubuntu container hypervisor \"$c\"..."
${_lxc} exec $c ${_apt} -- -qq update
${_lxc} exec $c ${_apt} -- -qq -y upgrade
${_lxc} exec $c ${_apt} -- -qq -y clean
${_lxc} exec $c ${_apt} -- -qq -y autoclean



The detox utility

The detox utility renames files to make them easier to work with. It removes spaces and other such annoyances. It’ll also translate or cleanup Latin-1 (ISO 8859-1) characters encoded in 8-bit ASCII, Unicode characters encoded in UTF-8, and CGI escaped characters.

detox is driven by a configurable series of filters, called a sequence. Sequences are covered in more detail in detoxrc(5) and are discoverable with the -L option. Some examples of default sequences are iso8859_1 and utf_8.


The main options:

-f configfile
Use configfile instead of the default configuration files for loading translation sequences. No other config file will be parsed.
-h –help
Display helpful information.

-L’ List the currently available sequences. When paired with -v this option shows what filters are used in each sequence and any properties applied to the filters.

-n –dry-run
Doesn’t actually change anything. This implies the -v option.

-r’ Recurse into subdirectories.

-s sequence
Use sequence instead of default.

Works on special files (including links). Normally detox ignores these files.

-v’ Be verbose about which files are being renamed.

-V’ Show the current version of detox.



LSOF Utility and Commands

The lsof command is very handy and all Linux/Unix sysadmins should know abouyt it and make more use of it, here are some further details and examples.

(From Wikipedia) – lsof is a command meaning “list open files”, which is used in many Unix-like systems to report a list of all open files and the processes that opened them. This open source utility was developed and supported by Victor A. Abell, the retired Associate Director of the Purdue University Computing Center. It works in and supports several Unix flavors.

Useful Commands:

List all network connections:

 sudo lsof -i 


sudo lsof -i:22
sudo lsof -c ssh

List all network files in use by a specific process:

 sudo lsof -i -a -p 1278 

List processes which are listening on a particular port:

 sudo lsof -i :25 

List all TCP or UDP connections:

 sudo lsof -i tcp; lsof -i udp; 

List processes which opened a specific file:

 lsof /var/log/syslog 

List opened files under a directory:

 lsof +D /var/log/ 

List opened files based on process names starting with:

 lsof -c ssh -c init 

List processes using a mount point:

 sudo lsof /home 

List files opened by a specific user:

 lsof -u keith 

What commands is user Keith using:

 sudo lsof -i -u keith 

List all open files by a specific process:

 lsof -p 1278 

Kill all process that belongs to a particular user:

 kill -9 `lsof -t -u keith` 


SSL Server Test

Qualys SSL Server Test is free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.

To configure Apache and Nginx with acceptable protocols TLS settings follow these guides, they will provide a better score on the above Qualys rating and make your SSL site more secure.



Package any app for any Linux desktop, server, cloud or device.

A ‘snap’ is a universal Linux package

Snaps work on any distribution or device. Snaps are faster to install, easier to create, safer to run, and they update automatically and transactionally so your app is always fresh and never broken.

The public collection of snaps includes the latest and best apps from GitHub and beyond, so you have the whole world of Linux apps at your fingertips. Take the tour below to experience ‘hello world’ as a snap, or jump to the developer guide to create your own snaps.


netdata real-time performance monitoring for Linux

Netdata is a real-time performance monitoring solution.

Unlike other solutions that are only capable of presenting statistics of past performance, netdata is designed to be perfect for real-time performance troubleshooting.

Netdata is a linux daemon you run, which collects data in realtime (per second) and presents a web site to view and analyze them. The presentation is also real-time and full of interactive charts that precisely render all collected values.

Netdata has been designed to be installed on every system, without disrupting the applications running on it:

  • It will just use some spare CPU cycles (check Performance).
  • It will use the memory you want it have (check Memory Requirements).
  • Once started and while running, it does not use any disk I/O, apart its logging (check Log Files). Of course it saves its DB to disk when it exits and loads it back when it starts.
  • You can use it to monitor all your systems and applications. It will run on Linux PCs, servers or embedded devices.

Out of the box, it comes with plugins that collect key system metrics and metrics of popular applications.

Available here: