
meetup - attraktor - selinux

Just arrived home from back to hack selinux. I tried my best to keep up with the speed of the slides. Nevertheless, there are some gaps in between.

Big thanks to the presenter. I turned my fear into anticipation for using it!

History

  • 1976: Bell-LaPadula paper released
  • DTMach (Distributed Trusted Mach) released as the architectural idea
  • based on the Flask architecture, first patches to the Linux kernel
  • 2002: implemented as a Linux Security Module (LSM)
  • since 2003 part of the mainline kernel
  • Fedora Core was the first distribution to ship it with a policy
  • since 2007 shipped with RHEL 5, certified EAL4+

Bell LaPadula

  • MAC (mandatory access control)
  • TE (type enforcement)
  • RBAC (role-based access control)
  • no read up (simple security property), no write down (*-property)

Features

  • extends DAC (discretionary access control); the DAC check still runs first
  • mode switchable at runtime (enforcing vs. permissive)
  • flexible policy
  • AVC (access vector cache) caches policy decisions
  • root is not god anymore
  • each confined process runs in its own security domain

Discretionary Access Control

  • classical security concept
  • object-based access control (owner/group/other bits on the object)
  • inflexible
  • rights per user
  • users can pass their rights on (chmod, chown)
  • the effective uid can be changed via setuid binaries

MAC

  • access control enforced by a system-wide policy that the user cannot override

TE - Type Enforcement

  • all resources have a type; a process's type is called its domain
  • whitelisting ruleset: everything not explicitly allowed is denied

Security Context

  • security label attached to every subject and object
  • format: user:role:type:level (for a process the type is its domain)
  • subjects (processes) and objects (files, sockets, ports, ...) both carry one

Policy

  • heart of SELinux
  • common policies are targeted, strict and MLS
  • defines the rules for access from a subject to an object
  • defines domain transitions of a subject (when a subject may change its domain)

Policies

Targeted

  • default policy
  • complexity stays understandable
  • a well-chosen set of (mostly network-facing) daemons runs in its own domain
  • you can tweak the policy by using booleans
  • this policy should be enough for daily work
  • if you follow the Filesystem Hierarchy Standard you are fairly safe
  • everything else runs in the unconfined domain (unconfined_t)

Multi Level Security (mls)

  • every process runs confined under the policy
  • tweakable by booleans
  • only for high-security environments
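The "no read up, no write down" rules from the Bell-LaPadula section applied to levels as they appear in SELinux MLS contexts, as an added example that is not part of the original notes or the talk. It assumes the SELinux level syntax (s0, s2:c0.c5, low-high ranges in a context) and textbook Bell-LaPadula semantics; the reference policy's mlsconstrain rules are stricter than this (file writes are mostly confined to the subject's own level), so treat it as the model, not the shipped policy:

```python
import re

# Assumption for this example: levels use the SELinux MLS syntax "sN" or
# "sN:cA,cB.cC" and contexts look like "user:role:type:low[-high]".
LEVEL_RE = re.compile(
    r"^s(?P<sens>\d+)(?::(?P<cats>c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$"
)


def parse_categories(spec):
    """Expand "c1,c3.c5" into {1, 3, 4, 5}; "cA.cB" is an inclusive range."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """Return (sensitivity, categories) for a level such as "s2:c0.c5"."""
    m = LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an MLS level: {text!r}")
    return int(m.group("sens")), parse_categories(m.group("cats"))


def dominates(a, b):
    """a dominates b when its sensitivity is >= b's and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def can_read(subject, obj):
    """Simple security property: no read up, the subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """*-property: no write down, the object must dominate the subject."""
    return dominates(obj, subject)


def context_levels(context):
    """Split "user:role:type:low-high" into (low, high); high defaults to low."""
    _user, _role, _type, level_range = context.split(":", 3)
    low, _, high = level_range.partition("-")
    return parse_level(low), parse_level(high or low)


def blp_check(subject_ctx, object_ctx, perm):
    """Decide read/write under textbook BLP using the current (low) level of each side."""
    subj_low, _ = context_levels(subject_ctx)
    obj_low, _ = context_levels(object_ctx)
    if perm == "read":
        return can_read(subj_low, obj_low)
    if perm == "write":
        return can_write(subj_low, obj_low)
    raise ValueError(f"unsupported permission {perm!r}")


if __name__ == "__main__":
    # Constructed contexts: a process running at s2 with categories c0-c5
    # (clearance up to s3:c0.c9) and a public object at s0.
    secret_proc = "staff_u:staff_r:staff_t:s2:c0.c5-s3:c0.c9"
    public_file = "system_u:object_r:etc_t:s0"
    for perm in ("read", "write"):
        print(perm, blp_check(secret_proc, public_file, perm))
```

The asymmetry is the whole point of the model: the s2 process may read the s0 file but may not write to it, because a write would let classified data leak downwards. Categories matter as much as the sensitivity; a subject at s1:c1 is not allowed to read an object at s1:c1,c2 even though the sensitivity is equal.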

Booleans

  • allow tweaking the policy without reloading it
  • no knowledge of policy internals needed
  • booleans can be set permanently (setsebool -P)
  • semanage boolean -l lists them together with a description and the current and default state

Userland tools

  • -Z is the SELinux switch (ls -Z, ps -Z, netstat -Z, id -Z)
  • cp, mkdir and so on are linked against libselinux so they can set the needed labels
  • getenforce/setenforce - show and switch the SELinux mode
  • restorecon/fixfiles/chcon - change the context of files (objects); restorecon sets the label the policy expects, chcon sets an arbitrary one that the next relabel undoes
  • sestatus - status
  • avcstat - statistics about the AVC
  • libselinux - the runtime library (contexts, AVC queries, booleans); every SELinux-aware binary links against it
  • libsepol - the library that reads and writes binary policy, used by the policy tools

Policy Management

  • setsebool/getsebool - set and show SELinux booleans
  • semanage - policy management (booleans, file contexts, ports, users, logins)
  • semodule - install, remove and list policy modules

Policy Development

  • audit2allow - builds SELinux allow rules from the denials in the audit log
  • checkmodule - compiles the rules (.te) into a binary module (.mod)
  • semodule_package - packages the binary module (plus optional file contexts) into a loadable .pp
  • audit2why - explains why an access was denied (missing rule, boolean off, mislabelled file, constraint)
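The policy development cycle above (denial in the audit log, audit2why, audit2allow, checkmodule, semodule_package, semodule) as one added example, not from the talk or the notes: a small Python triage script over a constructed audit.log excerpt that parses AVC records, sorts each denial into "relabel", "boolean" or "allow", and renders the .te module source for what remains. The MISLABEL_TYPES set, the BOOLEAN_HINTS map and the myapp_t domain are illustrative assumptions; on a real system the boolean list comes from semanage boolean -l and the expected labels from restorecon -n.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from a real system): three denials for httpd,
# one for a hypothetical myapp_t domain, plus a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1365524234.176:241): avc:  denied  { read } for  pid=2214 comm="httpd" name="index.html" dev="dm-1" ino=262441 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1365524234.177:242): avc:  denied  { getattr } for  pid=2214 comm="httpd" path="/srv/www/index.html" dev="dm-1" ino=262441 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1365524301.004:243): avc:  denied  { name_connect } for  pid=2214 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1365524355.511:244): avc:  denied  { write } for  pid=3011 comm="myapp" name="state.db" dev="dm-1" ino=131587 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1365524355.511:244): arch=c000003e syscall=2 success=no exit=-13 comm="myapp"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that almost always mean "the object is mislabelled", not "the policy
# is wrong". Illustrative subset; audit2why and restorecon -n give the real answer.
MISLABEL_TYPES = {"user_home_t", "admin_home_t", "default_t", "unlabeled_t"}

# (source type, target type, class, permission) -> boolean that legitimately permits it.
# Illustrative subset; list the real ones with `semanage boolean -l` on the target host.
BOOLEAN_HINTS = {
    ("httpd_t", "http_port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect",
}


def parse_avc(line):
    """Extract the fields that matter from one AVC record; None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "perms": tuple(m.group("perms").split()),
        "source_type": m.group("scontext").split(":")[2],  # user:role:TYPE:level
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def triage(denial):
    """Ask the audit2why questions before anyone reaches for audit2allow."""
    key = (denial["source_type"], denial["target_type"], denial["tclass"])
    if denial["target_type"] in MISLABEL_TYPES:
        return "relabel", (f"{denial['target_type']} looks like a mislabelled object: run "
                           "restorecon (or add a semanage fcontext rule) instead of allowing "
                           f"{denial['source_type']} to access it")
    for perm in denial["perms"]:
        boolean = BOOLEAN_HINTS.get(key + (perm,))
        if boolean:
            return "boolean", f"setsebool -P {boolean} on"
    return "allow", "no boolean or label fix known; candidate for a local policy module"


def plan(audit_text):
    """Group every AVC denial in an audit.log excerpt by the kind of fix it needs."""
    result = {"relabel": [], "boolean": [], "allow": []}
    for line in audit_text.splitlines():
        denial = parse_avc(line)
        if denial:
            kind, advice = triage(denial)
            result[kind].append((denial, advice))
    return result


def build_module(name, denials, version="1.0"):
    """Render the .te source audit2allow -M would produce for the given denials."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{cls} {{ {' '.join(sorted(p))} }};"
            for (s, t, cls), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    decisions = plan(SAMPLE_AUDIT_LOG)
    for kind in ("relabel", "boolean", "allow"):
        for denial, advice in decisions[kind]:
            print(f"[{kind}] {denial['comm']} {denial['source_type']} -> "
                  f"{denial['target_type']}:{denial['tclass']} {denial['perms']}: {advice}")
    # Only the residue becomes a module, then on the target host:
    #   checkmodule -M -m -o local_myapp.mod local_myapp.te
    #   semodule_package -o local_myapp.pp -m local_myapp.mod
    #   semodule -i local_myapp.pp
    print(build_module("local_myapp", [d for d, _ in decisions["allow"]]))
```

The point of the triage step: audit2allow will happily emit `allow httpd_t user_home_t:file { getattr read };`, which turns a labelling mistake into a permanent policy hole for every file in every home directory. Ask audit2why first, fix labels with restorecon and booleans with setsebool -P, and package only the residue with checkmodule, semodule_package and semodule.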

Linux Audit Framework (LAF)

  • should be used for logging: AVC denials end up in /var/log/audit/audit.log when auditd runs

Backup

  • you lose the contexts if your backup software does not preserve the security.selinux extended attribute
  • tar (--selinux) and rsync (-X/--xattrs) support it :-)

usergroup - meetup - phpug - hamburg - 130409

betahaus hamburg - Ruben explains what betahaus is about
  • betahaus can be your office if you have none or if you want a second one
  • betahaus can be used by freelancers as well as by people from the IT area
  • it is more than a makerspace

Ole Michaelis - What is wrong with PHP
  • by GitHub charts, PHP is the sixth most used language (why not number one? :-D)
  • global players like "the fruit company", Flickr, Yahoo or "the other big blue" are using PHP
  • search for "php sample codes" and investigate the first results: can you see what's wrong (and why they are the "best fitting" results :-()? can we fix it? yes we can!
  • join the community
  • fix core bugs
  • create useful tools or use them (like Behat, Mink, Composer, phpspec, Symfony, phpphp or PHP The Right Way)
  • tell "them" that PHP is not PHP 3 anymore

Judith Andresen - Money value of test-driven (PHP) development: why we should test
  • no manager can motivate with money only
  • you can only motivate through the environment

additional information
  • use ATAM (Architecture Tradeoff Analysis Method) to translate developer language into non-technical (product owner) language
  • use risk management (not per team but company-wide, to remove interface problems)
  • try to use timeboxing to reduce context-switching costs

books
  • Drive: The Surprising Truth About What Motivates Us by Daniel H. Pink
  • Softwarequalität in PHP-Projekten by Sebastian Bergmann and Stefan Priebsch


usergroup - meetup - phpug - hamburg - 130320

Gruner + Jahr - Condition driven quality management / test patterns - Nils Langner and Torsten Franz
  • three developers to one QA
  • what is quality? reaching defined goals
  • balanced scorecard
  • define an error threshold (with which bugs is it still releasable?)
  • also check ISO/IEC 9126
  • distinguish between technical QA and functional QA
  • tools: JMeter, PHPUnit, Bamboo, phplint, PHP_CodeSniffer (phpcs)
  • reviews/analysis: code, architecture, data flow
  • explore with the teams how to test the application (try to break it)
  • GitHub: livetests

CouchDB - Jan Lehnardt
  • example using a node.js proxy and two CouchDBs with replication
  • the changes stream can be used to implement event-based jobs and pull services
  • PouchDB is CouchDB for mobile, based on JavaScript -> stores data on the client as long as the CouchDB backend is not available
  • TouchDB for smartphones (iOS, Android)
  • BigCouch implements the Dynamo clustering design (Amazon's Dynamo paper)
  • you can restrict document types after the fact (add/cover them with a schema)
  • queries in CouchDB are JSON queries called views -> map functions correspond to selects -> reduce functions calculate things like sum, count, stats or custom functions; can be extended (e.g. with Lucene)
  • CouchDB is written in Erlang

Pretty cool talks. Especially Jan lit my fire to play with CouchDB :-D.


usergroup - meetup - webPerformance - hamburg 130220

Attraktor e.V., Mexikoring 21, Hamburg

Soundcloud - Arbo Von Monkiewitsch

html5 audio playback widget - measuring for velocity

measure first

how to?

  • synthetic user monitoring (e.g. with phantom.js)
    • repeatable
    • doesn't show the real user experience
    • good for benchmarking
  • real user monitoring (e.g. Google Analytics)
    • shows the real user experience
    • changes in user behaviour affect repeatability (e.g. the site is slow in Asia but fast in Europe)
    • impact of the embedding site

what?

  • HTTP ping
  • full page load
  • include all transactions
  • follow K.I.S.S., just render the page

define your goals

  • what is fast?
  • don't set random goals for yourself
  • public benchmarks are good for orientation (e.g. set up a benchmark against YouTube or similar)
  • response time
  • don't simply trust your metrics

best practices

  • httparchive, PageSpeed, YSlow (100-200 ms full page load is good enough)
  • compress on every connection (use Varnish or something similar for uncompressable content)
  • availability: fallback -> second data centre
  • performance: put the API behind a CDN (also for the HTTP or HTTPS handshake)
  • consistency: load-balanced CDNs

wrap it up

  • measure first
  • keep it simple
  • team autonomy

phantomJs - Raj Dudi

http://rajdudi.com

what it is - created by Ariya Hidayat

  • can be integrated into jenkins
  • automation and headless testing
  • can be used for metrics measurement
  • render and dump client side html
  • current version is 1.8
  • headless (Qt)Webkit/Browser
  • javascript driven
  • ideal for
    • headless website testing -> but it is not a test framework
    • screen capture
    • page automation
    • network monitoring
  • projects
    • casperjs
    • ghostbusters
    • poltergeist

code evaluation

  • evaluate(function, arg1, arg2, ...) {object}
  • returns only simple, serializable objects; no functions or closures come back
  • execution is sandboxed in the page's context, not the script's
  • DOM scripting and CSS selectors work
  • use the onConsoleMessage callback to receive the page's console messages

get it from

  • phantomjs.org
  • github.com/ariya/phantomjs
  • https://aur.archlinux.org/packages/phantomjs/

examples

https://github.com/ariya/phantomjs/tree/master/examples

hello world

console.log("Hello world");
phantom.exit();

screen capture

  • page.render to render a screenshot
  • supports png, jpeg, gif and pdf
  • options
    • page.clipRect = { top: 14, left: 3, width: 400, height: 300 };
    • page.paperSize = { width: '200px', height: '300px' } // for pdf output; also supports borders and much more
    • page.zoomFactor = 0.25 // 1 is the default
  • projects based on phantomjs
    • screenr
    • mediaqueri
    • chromanope
  • webpage api
    • var page = require('webpage').create();
    • page.open(url, callback) {void}
    • page.close() {void}
    • goBack(), goForward(), title, url
    • settings{object} //enable javascript, load images, username or password, websecurity
    • page.includeJs(url, callback) {void}
    • page.injectJs(filename) {boolean}
  • webpage callbacks
    • onLoadStarted
    • onLoadFinished
    • onAlert
    • onCallback //experimental
    • onClosing
    • onConfirm
    • onConsoleMessage
    • onError
  • system API
    • var system = require('system');
    • ...
  • filesstem api
    • var fs = require('fs');
    • separator {string}
    • workingDirectory
    • ...

troubleshooting

  • allows network sniffing
    • onResourceRequested
    • onResourceReceived
    • TLS and SSL are required for encrypted data - are they enabled? (--ignore-ssl-errors=true only silences certificate failures, it does not fix them)
  • error handling

cons

  • uses QtWebKit (not the WebKit build that Chrome, Safari and so on ship)
  • asynchronous API - difficult to handle for many
  • not supported
    • plugins
    • WebGL
    • video and audio
    • CSS 3-D
    • XPath

What could I add? Thanks to the talks, yes, very much. Also thanks to the Attraktor, you are doing it right!
