Posted by artodeto on Saturday, November 8. 2014
This coming Saturday, 08.11.2014, we would like to invite you to Attraktor Cinema: from 20:00 to 23:00 we are showing the GDR hacker film “Zwei schräge Vögel” from 1989. Anyone can come, bring friends and something to nibble on, and enjoy this nostalgic piece of hacker culture with us. Admission is free.
[...]
Source
meetup
The film is rated above average on many review portals. See you there?
Posted by artodeto on Tuesday, August 20. 2013
Just arrived home from back to hack selinux. I tried my best to keep up with the speed of the slides. Nevertheless, there are some gaps in between.
Big thanks to the presenter. I turned my fear into anticipation for using it!
History
1976 LaPadula paper released
DTMach as construction idea released
Based on FLASK, first patches to linux kernel
2002 implemented as linux security module (LSM)
Since 2003 part of the mainline kernel
Fedora core was first distribution (shipped with policy)
Since 2007 shipped with RHEL5 EAL4+
Bell LaPadula
MAC
TE
RBAC
No read up, no write down
Features
Extends DAC (discretionary access control)
mode changeable at runtime (enforcing vs permissive)
flexible policy
AVC (access vector cache)
root is not god anymore
process running in own security domain
Discretionary Access Control
classical security concept
object based access control
inflexible
rights per user
user can ship rights
uid can be changed by using suid
MAC
access control by using policy
TE - Type Enforcement
all resources have a type/domain
whitelisting ruleset
Security Context
security area
object (user:role:domain:level)
subject
Policy
heart of selinux
common policies are targeted, strict and MLS
defines rules for access from subject to object
defines domain transition of a subject (when can a subject change its domain)
Policies
Targeted
default policy
contains an understandable complexity
well-chosen processes run in their own domain
you can tweak the policy by using booleans
this policy should be enough for daily work
if you use the Filesystem Hierarchy Standard you are quite safe
Unknown software is stored in context "unconfined"
Multi Level Security (mls)
everything is running under selinux policies
tweakable by booleans
only for high risk security aspects
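Added example (not from the talk or the SELinux project): the "no read up, no write down" rule from the Bell LaPadula notes, applied to the level field of a user:role:domain:level context. It implements the textbook model for single levels only, not the constraints of any shipped policy; the sample contexts are constructed and the function names are this example's own.

```python
import re
from typing import FrozenSet, NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    sensitivity: int
    categories: FrozenSet[int]

def expand_categories(spec: str) -> FrozenSet[int]:
    """Expand 'c0.c3,c7' to {0, 1, 2, 3, 7}: '.' is a range, ',' a list."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return frozenset(cats)

def parse_context(text: str) -> Context:
    """Parse 'user:role:type:level' where level is a single 'sN[:categories]'."""
    user, role, type_, level = text.split(":", 3)
    m = re.fullmatch(r"s(\d+)(?::(c[\dc.,]+))?", level)
    if m is None:
        raise ValueError(f"unsupported level (ranges are not handled): {level!r}")
    return Context(user, role, type_, int(m.group(1)),
                   expand_categories(m.group(2) or ""))

def dominates(a: Context, b: Context) -> bool:
    """a dominates b: sensitivity at least as high and a superset of categories."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories

def blp_allows(subject: Context, obj: Context, access: str) -> bool:
    """Textbook Bell-LaPadula decision for one subject/object pair."""
    if access == "read":
        return dominates(subject, obj)   # no read up
    if access == "write":
        return dominates(obj, subject)   # no write down
    raise ValueError(f"unknown access: {access!r}")

# Constructed sample contexts (not taken from a real system).
SUBJECT = parse_context("staff_u:staff_r:staff_t:s1:c0.c2")
OBJECTS = {
    "lower": parse_context("system_u:object_r:etc_t:s0:c1"),
    "higher": parse_context("system_u:object_r:etc_t:s2:c0.c3"),
    "disjoint": parse_context("system_u:object_r:etc_t:s1:c5"),
}
if __name__ == "__main__":
    for name, obj in OBJECTS.items():
        print(name, {a: blp_allows(SUBJECT, obj, a) for a in ("read", "write")})
```

The "disjoint" object is denied in both directions: same sensitivity, but neither category set contains the other, so neither level dominates.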
Booleans
enables tweaking the policy without reload
no knowledge about policy needed
booleans can be set permanently
semanage boolean -l lists a lot of information
Userlandtools
-Z is selinux switch (ls -Z, netstat -Z)
cp, mkdir and so on are linked against selinux to support setting needed bytes
getenforce/setenforce - switching selinux mode
restorecon/fixfiles/chcon - changing context of subjects
sestatus - status
avcstat - status about avc
libselinux - the selinux
libsepol - all binaries linked against
Policy Management
setsebool/getsebool - show and set of selinux booleans
semanage - policy management
semodule -
Policy Development
audit2allow - builds selinux rules based on audit log
checkmodule - transforms rules into binary
semodule_package -
audit2why - analyse selinux
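Added example (not audit2allow's own code): what audit2allow does in principle, turning AVC denials from the audit log into candidate allow rules. The log records are constructed and the function name is this example's own.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not taken from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1376990001.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="sda1" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1376990001.102:411): avc:  denied  { getattr open } for  pid=2101 comm="httpd" path="/home/demo/site/index.html" dev="sda1" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1376990001.102:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1376990003.555:413): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1376990004.007:414): avc:  granted  { setenforce } for  pid=2200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Permissions in braces, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def denials_to_rules(log_text):
    """Group AVC denials by (source type, target type, class) and merge perms."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # other record type, or an AVC 'granted' message
        src = m.group("scon").split(":")[2]   # third field is the type/domain
        tgt = m.group("tcon").split(":")[2]
        grouped[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Treat the output as a list to review: a denial is often fixed by relabelling with restorecon or by a boolean rather than by a new allow rule.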
Linux Audit Framework (LAF)
should be used for logging
Backup
you are losing the context if your backup software does
tar and rsync support it :)
Posted by artodeto on Thursday, March 21. 2013
Attraktor e.v.
mexikoring 21, hamburg
Soundcloud - Arbo Von Monkiewitsch
html5 audio playback widget - measuring for velocity
measure first
how to?
synthetic user monitoring (by phantom.js)
repeatable
doesn't show real user experience
good for benchmarking
real user monitoring (google analytics)
shows real user experience
change of user behavior impacts repeatability (e.g. site slow in asia but fast in europe)
impact of embedding site
what?
http ping
full page load
include all transactions
follow K.I.S.S., just render the page
define your goals
what is fast
don't define random goals on yourself
public benchmarks are good as orientation (e.g. set up a benchmark for youtube or similar)
response time
don't simply trust your metrics
best practices
httparchive, pagespeed, yslow (100 - 200 ms as full page loading speed is good enough)
compress each connection (use varnish or something similar for uncompressable content)
availability fallback -> dc
performance - put api in cdn (also for http or https handshake)
consistency - load balanced cdns
wrap it up
measure first
keep it simple
team autonomy
phantomJs - Raj Dudi
what it is - created by ariya hidayat
can be integrated into jenkins
automation and headless testing
can be used for metrics measurement
render and dump client side html
current version is 1.8
headless (Qt)Webkit/Browser
javascript driven
ideal for
headless website testing -> but it is not a test framework
screen capture
page automation
network monitoring
projects
casperjs
ghostbusters
poltergeist
code evaluation
evaluate(function, arg1, arg2, ...) {object}
returns simple objects but no functions and closures
execution is sandboxed
dom scripting and css selector works
use onConsoleMessage callback to receive the console messages
get it from
phantomjs.org
github.com/ariya/phantomjs
https://aur.archlinux.org/packages/phantomjs/
examples
https://github.com/ariya/phantomjs/tree/master/examples
hello world
console.log("Hello world");
phantom.exit();
screen capture
Page.render to render a screenshot
supports png, jpeg, gif and pdf
options
page.clipRect = { top: 14, left: 3, width: 400, height: 300 };
page.paperSize = { width: '200px', height: '300px' } //for pdf output e.g., also supports borders and much more
page.zoomFactor = 0.25 // 1 is default
projects based on phantomjs
screenr
mediaqueri
chromanope
webpage api
var page = require('webpage').create();
page.open(url, callback) {void}
page.close() {void}
goBack(), goForward(), title, url
settings{object} //enable javascript, load images, username or password, websecurity
page.includeJs(url, callback) {void}
page.injectJs(filename) {boolean}
webpage callbacks
onLoadStarted
onLoadFinished
onAlert
onCallback //experimental
onClosing
onConfirm
onConsoleMessage
onError
system API
var system = require('system');
...
filesystem api
var fs = require('fs');
separator {string}
workingDirectory
...
troubleshooting
allows network sniffing
onResourceRequested
onResourceReceived
TLS and SSL required for encrypted data - are they enabled?
error handling
cons
uses qtWebKit (not used by chrome, safari and so on)
asynchronous api - difficult to handle for many
not supported
plugins
webGL
video and audio
css 3-D
xpath
What could I add? Thanks to the talks, yes very much. Also thanks to the attraktor, you are doing it right!