Just arrived at home from back to hack selinux. I tried my best to keep up the speed of slides. Nevertheless, there are some gaps in between.

Big thanks to the presenter. I turned my fear into anticipation for using it!

History

• 1976 LaPadula paper released
• DTMach as construction idea released
• Based on FLASK, first patches to linux kernel
• 2002 implemented as linux security module (LSM)
• Since 2003 part of the mainline kernel
• Fedora core was first distribution (shipped with policy)
• Since 2007 shipped with RHEL5 EAL4+

Bell LaPadula

• MAC
• TE
• RBAC
• No read up, no write down

Features

• Extends DAC (directory access control)
• mode at runtime changeable (enforcing vs permissive)
• flexible policy
• AVC (access vector cache)
• root is not god anymore
• process running in own security domain

Discretionary Access Control

• classical security concept
• object based access control
• unflexible
• rights per user
• user can ship rights
• uid can be changed by using suid

MAC

• access control by using policy

TE - Type Enforcement

• all resources have a typ/domain
• whitelisting ruleset

Security Context

• securityarea
• object (user:role:domain:level)
• subject

Policy

• heart of selinux
• common policis are targeted, strict and MLS
• defines rules for access from subject of object
• defines domain transition of a subject (when can a subject change its domain)

Policies

Targeted

• default policy
• contains a understandable complexity
• well choosen processes running in own domain
• you can tweak the policy by using booleans
• this policy should be enough for daily work
• if you use the filesystem hirachy standard you are quite save
• Unknown software is stored in context "unconfined"

Multi Level Security (mls)

• everything is running under selinux policies
• tweakable by booleans
• only for high risk security aspects

Booleans

• enables tweaking the policy without reload
• no knowledge about policy needed
• booleans can set permanent
• semanage boolean -l lists a lot of informations

Userlandtools

• -Z is selinux switch (ls -Z, netstat -Z)
• cp, mkdir and so on are linked against selinux to support setting needed bytes
• getenforec/setenforce - switching selinux mode
• restorecon/fixfiles/chcon - changing context of subjects
• sestatus - status
• avcstat - status about avc
• libselinux - the selinux
• libsepol - all binaries linked against

Policy Management

• setsebool/getsebool - show and set of selinux booleans
• semanage - policy management
• semodule -

Policy Development

• audit2allow - builds selinux rules based on audit log
• checkmodule - transforms rulse into binary
• semodule_package -
• audit2why - analyse selinux

Linux Audit Framework (LAF)

• should be used for logging

Backup

• you are loosing the context if your backup software does
• tar and rsync supports

betahaus hamburg Ruben Explains what betahaus is about - betahaus can be your office if you have none or if you want to have a second one - betahaus could be used for freelancer as well as for persons in the it area - it is more then a mackerspace

Ole Michaelis What is wrong with php - by github charts, php is the sixth most used language (why not number one? ) - global players like "the fruit company", flickr, yahoo or "the other big blue" are using php - search for "php sample codes" and investigate the first results, can you see whats wrong (why they are the "best fitting" results )? can we fix it? - yes we can! - join the community - fix core bugs - create usefull tools or use them (like behat, mink, composer, phpspec, symfony, phpphp or php the right way) - tell "them" that php is not php3 anymore

Judith Andresen money value of test driven (php) development why we should test - no manager can motivate with money only - you can only motivate by surrounding

additional informations - use atam to transform developer language into non technical (product owner) language - use risc management (bot team but company based to remove interface problems) - try tu use timeboxing to reduce switch times

books - Drive: The Surprising Truth About What Motivates Us by Daniel H. Pink - Softwarequalität in PHP-Projekten by Sebastian Bergmann and Stefan Priebsch

Grunar+Jahr Condition driven quality management / Test Pattern Nils Langner and Torsten Franz - three developers to one qa - what is quality? Reaching defined goals - Balanced score card - define threshold of errors (with which bugs is it still releasable) - also check ISO/IEC 9126 - differ between technical qa and functional qa - tools: jmeter, phpunit, bamboo, phplint, phpcs - reviews/analyse: code, architecture, flow of data - explore with teams how to test the application (try to break it) - github: livetests

couchDB jan lehnardt - example by using node.js proxy and two couchDB's with replication. - changes stream can be used to implement event based jobs, pull services - PouchDB is couchDB for mobils, based on javascript ->stores data in client as long as couchDB backend is not available - TouchDB for smartphones (ios, android) - BigCouch implements googles dynamo implementation - You can restrict document types after implementation (add/cover with a schema) - Queries in couchDB are json queries named views ->map functions are equals to selects ->reduce functions are calculating stuff like sum, count, stats or own functions. Can be extended (e.g. lucene) - CouchDB is written in ERLANG

Pretty cool talks. Especially Jan lights my fire to play with couchDb .

Attraktor e.v. mexikoring 21, hamburg

Soundcloud - Arbo Von Monkiewitsch

html5 audio playback widget - measuring for velocity

measure first

how to?

• synthetic user monitoring (by phantom.js)
  • repeaable
  • doesn't show real user experience
  • good for benchmarking
• real user monitoring (google analytics)
  • shows real user experience
  • change of user behavior impacts repeateability (e.g. side slow in asia but fast in euro)
  • impact of embedding site

what?

• http ping
• fully page load
• include all transactions
• follow K.I.S.S., just render the page

define your goals

• what is fast
• don't define random goals on yourself
• public benchmarks are good as orientation (for e.g. set up a benchmark for youtube or similar)
• response time
• don't simple trust your metrics

best practices

• httparchive, pagespeed, yslow (100 - 200 ms as full page loading speed is good enough)
• compress each connection (use varnishs or something similar for uncompressable content)
• availability fallback -> dc
• performance - put api in cdn (also for http or https handshake)
• consitency - load balanced cdns

rap it up

• measure first
• keep it simple
• team autonomy

phantomJs - Raj Dudi

http://rajdudi.com

what it is - created by ariya hidayat

• can be integrated into jenkins
• automation and headless testing
• can be used for metrics measurement
• render and dump client side html
• current version is 1.8
• headless (Qt)Webkit/Browser
• javascript driven
• ideal for
  • headless website testing -> but it is not a test framework
  • screen capture
  • page automation
  • network monitoring
• projects
  • casperjs
  • ghostbusters
  • poltergeist

code evaluation

• evaluate(function, arg1, arg2, ...) {object}
• returns simple objects but no functions and closures
• execution is sandboxed
• dom scripting and css selector works
• use onConsoleMessage callback to receive the console messages

get it from

• phantomjs.org
• github.com/ariya/phantomjs
• https://aur.archlinux.org/packages/phantomjs/

examples

https://github.com/ariya/phantomjs/tree/master/examples

hello world

console.log("Hello world"); phantom.exit();

screen capture

• Page.render to render a screenshot
• supports ong, jpeg, gif and pdf
• options
  • page.clipRect = { top: 14, left: 3, width: 400, height: 300 };
  • page.paperSize = { width: '200px', height: '300px' } //for pdf output e.g., also supports borders and much more
  • page.zoomFactor = 0.25 // 1 is default
• projects based on phantomjs
  • screenr
  • mediaqueri
  • chromanope
• webpage api
  • var page = require('webpage').create();
  • page.open(url, callback) {void}
  • page.close() {void}
  • goBack(), goForward(), title, url
  • settings{object} //enable javascript, load images, username or password, websecurity
  • page.includeJs(url, callback) {void}
  • page.injectJs(filename) {boolean}
• webpage callbacks
  • onLoadStarted
  • onLoadFinished
  • onAlert
  • onCallback //experimental
  • onClosing
  • onConfirm
  • onConsoleMessage
  • onError
• system API
  • var system = require('system');
  • ...
• filesstem api
  • var fs = require('fs);
  • separator {string}
  • workingDirectory
  • ...

troubleshooting

• allows network sniffing
  • onResourceRequested
  • onResoureceReceived
  • TLS and SSL required for encrypted data - are they enabled?
• error handling

cons

• uses qtWebKit (not used by chrome, safari and so one)
• asynchronous api - difficult to handle for many
• not supported
  • plugins
  • webGL
  • video and audio
  • css 3-D
  • xpath

What could i add? Thanks to the talks, yes very much. Also thanks to the attraktor, you are doing it right!