Updating software in embedded systems is a pivotal challenge because of restrictions such as unreliable network and power supply, limited bandwidth, and harsh environments. This slide deck provides the background knowledge and introduces the open source tools used to achieve software updates in embedded systems.
Introduction to Civil Infrastructure Platform (SZ Lin)
CIP aims to establish an open source base layer of industrial-grade software to enable the use and implementation of software. This slide deck introduces the current status and road map of CIP.
Take a step forward from user to maintainer or developer in open source secur... (SZ Lin)
There are a variety of high-quality open source security-related tools available: penetration testing tools, forensics tools, hardening tools, fuzzing tools, and network monitoring tools. These tools can be used freely; however, we might face issues while using them, so it is essential to have the ability to maintain or develop these tools. In this slide deck, SZ Lin introduces the Security Tools Packaging Team in Debian; this team aims to collaboratively maintain many security tools and merge back tools packaged by security-oriented Debian derivatives (e.g., Kali). SZ also shares his experience discussing and collaborating with the maintainers and developers of open source security-related tools.
Design, Build, and Maintain the Embedded Linux Platform (SZ Lin)
Using open source software to build an embedded Linux platform from scratch.
Building an embedded Linux platform is like a puzzle: placing the suitable software components in the right positions constitutes an optimal platform. However, selecting suitable components is difficult since it depends on the application scenario. The essential components of an embedded Linux platform are the bootloader, Linux kernel, toolchain, and root filesystem; it also needs tools for image generation, upgrades, and testing. The Linux ecosystem offers abundant choices for these components and tools; however, selecting the suitable modules and tools is still a key challenge for system designers.
We talked about the Sysdig open source projects (Sysdig and Falco), as well as the Sysdig Container Intelligence Platform, Sysdig Monitor and Sysdig Secure.
Presentation delivered at LinuxCon China 2017 by Greg Kroah-Hartman.
The Linux kernel is the largest collaborative software development project ever. This talk discusses exactly how Linux is developed, how fast it is happening, who is doing the work, and how we all stay sane keeping up with it. It discusses the development model used, and how it differs from almost all "traditional" models of software development.
Intel's trusted execution environment, SGX, offers an attractive solution for protecting one's private data in the public cloud environment, even in the presence of a malicious OS or VMM.
In this talk, we will:
* explore how SGX mitigates various attack surfaces and the caveats of naively using the technology to protect applications,
* discuss the performance implications of SGX on common applications and understand the new bottlenecks created by SGX, which may lead to a 5X performance degradation.
* describe an optimized SGX interface, HotCalls, that provides a 13-27x speedup compared to the built-in mechanism supplied by the SGX SDK.
* discuss how it is possible for the OS to manage secure memory without having access to it.
* explore various attack surfaces and published attacks which require collusion with the OS. Specifically, page-fault and page-fault-less “controlled channel attacks”, branch-shadowing attacks and potential mitigations.
Ofir Weisse is a PhD student and researcher at the University of Michigan.
Video available at: https://www.youtube.com/watch?v=I3TCctdnOEc
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The talk focuses on why AGL should adopt systemd and highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy of Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17.
To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk.
Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as:
1. Network security
2. Access control
3. Tamper management and trust
4. Denial of service and SLAs
5. Vulnerabilities
Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats.
Watch the webinar on BrightTalk: http://bit.ly/2bpdswg
About the author: Priya Autee is a software engineer at Intel working on various leading-edge IA features and an Intel(R) RDT expert. She is focused on prototyping and researching open source APIs like DPDK, Intel(R) RDT, etc. to support NFV/compute-sensitive requirements on Intel Architecture. She holds a Master's in Computer Science from Arizona State University, Arizona.
BKK16-201 PlayReady OP-TEE Integration with Secure Video Path lhg-1 (Linaro)
This presentation provides a current view of the security work performed in LHG. The focus is on hardware-protected DRM integrated with OP-TEE, the creation of a Secure Data Path coupled with the Open Content Decryption Module, and the lessons learned from integrating third-party libraries into trusted applications.
Kubernetes Networking with Cilium - Deep Dive (Michal Rostecki)
Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. The foundation of Cilium is the new Linux kernel technology BPF which supports the dynamic insertion of BPF bytecode into the Linux kernel at various integration points. This presentation reveals the secrets of Kubernetes networking and gives you a deep dive into Cilium and why it is awesome!
About the authors: Jerome Tollet is a Distinguished Engineer working in the Cisco Chief Technical and Architecture Office (CTAO) with a specific focus on datacenter/container networking, policy and security. Jerome is an active member of FD.io. He leads the networking-vpp project as well as other VPP-related projects.
Ed Warnicke is a Distinguished Consulting Engineer in the Chief Technology and Architecture Office (CTAO) at Cisco Systems. He has been working for over a decade in many areas of networking and open source. He has been a member of the OpenDaylight TSC since its inception and currently serves as a committer-elected member of the OpenDaylight TSC. He is a founding TSC member at ONAP.
Cilium is an open source project which provides networking, security and load balancing for containers by using eBPF and XDP technologies in the Linux kernel. It provides eBPF and XDP features to CRI-O, Docker and Kubernetes. This presentation gives an overview of Cilium, explains the concepts behind it, and then provides a project update, as it reached the 1.0 milestone last year.
Video of the talk at FOSDEM 2019:
https://video.fosdem.org/2019/H.2214/cilium_overview_and_updates.webm
Security, Hack1ng and Hardening on Linux - an Overview (Kaiwan Billimoria)
A fairly detailed overview of the current state of security and hardening countermeasures employed on a modern OS like Linux, with a focus on teaching the basics of BOF (buffer overflow) so that one understands how these attacks work.
Implementing PaaS with Red Hat OpenShift - review, reference and concepts (orenre)
Implementing PaaS with Red Hat OpenShift - review, reference and concepts.
By Amir Zipory and Oren Reuveni
*Note that some slides are written in Hebrew.
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z (Shawn Wells)
Red Hat Update at IBM Teach the Teacher (IBM T3) Conference in Endicott, NY. Covering Red Hat's community development model, System z announcements, SELinux, SCAP, and Red Hat Network Satellite for Systems Management.
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst... (Shawn Wells)
Briefed the National Security Agency's Open Source User Group on Red Hat's System z capabilities. Joined by Jim Stann (Solution Architect, Intelligence Programs). Briefed RHEL5 roadmap for System z/s390x.
2008-11-13 CAVMEN RHEL for System z Deep Dive (Shawn Wells)
The audience was technical Linux on System z practitioners. Steps through the Linux on System z development process, what is included in RHEL for System z (now and in the future), provisioning and patch management, and broad security updates (SELinux, auditing, crypto).
2008-10-15 Red Hat Deep Dive Sessions: SELinux (Shawn Wells)
Presented at IBM z/Expo 2008, Session ID zLS01. Talks through what SELinux is, introduces principal concepts of Type Enforcement, SELinux policies, and user/admin perspectives of managing a system with SELinux enabled.
Linux Containers and Docker SHARE.ORG Seattle 2015 (Filipe Miranda)
This slide deck gives an introduction to Linux Containers (LXC) and Docker for Linux on IBM z Systems.
One example of a commercial use of Linux Containers (and Docker) is Red Hat OpenShift, which is also covered at the end.
2009-09-24 Get the Hype on System z Webinar with IBM, Current & Future Linux ... (Shawn Wells)
Joint webinar series with Hans Picht (Linux on System z Lead, IBM). Covered recent release of Red Hat Enterprise Linux 5.4, which had the inclusion of Named Saved Segments (NSS), updated fiber channel, and rebasing of s390utils. Stepped through roadmap for RHEL on System z and gave update on CMM2 development activities.
SUSE Webinar - Introduction to SQL Server on Linux (Travis Wright)
Introduction to SQL Server on Linux for SUSE customers. Covers the scope of the first release of SQL Server on Linux, the schedule, and the Early Adoption Program. A recording is available here:
https://www.brighttalk.com/webcast/11477/243417
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ... (Shawn Wells)
Microsoft and Red Hat have certified OpenShift Container Platform to run on Microsoft Azure. This talk steps through the reference architecture and ongoing work to accelerate government ATOs.
Field Employee Tracking System | MiTrack App | Best Employee Tracking Solution |... (informapgpstrackings)
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us: https://informapuae.com/field-staff-tracking/
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Enhancing Research Orchestration Capabilities at ORNL.pdf (Globus)
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Cyaniclab : Software Development Agency Portfolio.pdf (Cyanic lab)
CyanicLab, an offshore custom software development company based in Sweden, India, and Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Developing Distributed High-performance Computing Capabilities of an Open Sci... (Globus)
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Designing for Privacy in Amazon Web Services (KrzysztofKkol1)
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges are demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach made it possible to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge to organize and improve your code review process.
First Steps with Globus Compute Multi-User Endpoints (Globus)
In this presentation we share our experiences getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we previously wrote an application using Globus Compute that offloads computationally expensive steps in the researchers' workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we encountered were that each researcher had to set up and manage their own single-user Globus Compute endpoint, and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help address these challenges, and we share an update on our progress here.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ... (Juraj Vysvader)
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
A Comprehensive Look at Generative AI in Retail App Testing.pdf (kalichargn70th171)
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus... (Globus)
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Quarkus Hidden and Forbidden Extensions (Max Andersen)
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt... (Hivelance Technology)
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots use advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders.
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading. Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots.
Globus Connect Server Deep Dive - GlobusWorld 2024 (Globus)
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
3. Red Hat, Inc
Headquarters: Raleigh, NC
Founded 1993
Public 1999 (NYSE: RHT)
Operating in 27 countries
Over 2800 employees worldwide
Over 50% are engineers
85% Government/Commercial Linux Market Share
40+% year-over-year growth (for 24 straight quarters)
5. Red Hat Development Model: Community
Development with "upstream" communities (kernel, glibc, etc.)
Collaboration with partners, IBM, and open source contributors
6. Red Hat Development Model: Fedora
Rapid innovation
Latest technologies
Community supported
Released in ~6-month cycles
7. Red Hat Development Model: Red Hat Enterprise Linux
Stable, mature, commercial product
Extensive QA and performance testing
Hardware & software certifications
7-year maintenance
Core ABI compatibility guarantee
Major releases on a 2-3 year cycle
9. Support Cycle: Extended Product Lifecycle
                        Production 1    Production 2    Production 3
                        (Years 1-4)     (Year 5)        (Years 6-7)
Security Patches        X               X               X
Bug Fixes               X               X               X
Hardware Enablement     X
Software Enhancements   Full            Partial         None
12. RHEL Kernel Updates
High resolution timers (2.6.16)
● Provide fine resolution and accuracy depending on system configuration and capabilities; used for precise in-kernel timing
Modular, on-the-fly switchable I/O schedulers (2.6.10)
● Only provided as a boot option in RHEL4
● Improved algorithms (esp. for CFQ)
● Per-queue selectable (previously system-wide)
New pipe implementation (2.6.11)
● 30-90% performance improvement in pipe bandwidth
● Circular buffer allows more buffering rather than blocking writers
13. Monitoring Features
Inotify (2.6.13)
● New file system event monitoring mechanism (replaces dnotify)
● Ideal for security and performance monitoring
Process Events Connector (2.6.15)
● Reports fork, exec, id change, and exit events for all processes to userspace
● Useful for accounting/auditing (e.g. ELSA), system activity monitoring, security, and resource management
Blktrace
● Block queue IO tracing – monitor block device queue traffic (2.6.17)
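The slide lists inotify as the kernel's file system event mechanism and calls it ideal for security monitoring. The following is an added example, not part of the original deck or of any Red Hat tool: a minimal inotify-based monitor in C that watches a temporary directory (a constructed sample path under /tmp), generates create/modify/delete activity in it, then drains the event queue and returns a bitmask of the event types it observed. A real file-integrity monitor would watch directories such as /etc and log each event's name and mask instead of exercising the directory itself; that logging point is marked in the code. Linux only, since inotify is a Linux API.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Event types we care about for a simple integrity monitor. */
#define WATCH_MASK (IN_CREATE | IN_MODIFY | IN_DELETE)

/* Drain every queued event from the (non-blocking) inotify fd, OR the
 * interesting bits of each event's mask into *seen, and return the number
 * of events read. */
static int drain_events(int fd, unsigned int *seen)
{
    /* Buffer large enough for several events including their file names;
     * aligned as the inotify(7) man page recommends. */
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int count = 0;

    for (;;) {
        ssize_t len = read(fd, buf, sizeof buf);
        if (len <= 0)
            break;                       /* EAGAIN: queue is empty */
        for (char *p = buf; p < buf + len; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            *seen |= ev->mask & WATCH_MASK;
            /* A defender's monitor would log this line to the audit trail. */
            if (ev->len > 0)
                printf("inotify event 0x%08x on %s\n", ev->mask, ev->name);
            count++;
            p += sizeof(struct inotify_event) + ev->len;
        }
    }
    return count;
}

/* Watch a fresh temporary directory, create/write/unlink a file inside it,
 * and return the bitmask of event types observed (0 on setup failure). */
unsigned int inotify_demo(void)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX";   /* constructed sample path */
    unsigned int seen = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) { rmdir(dir); return 0; }
    int wd = inotify_add_watch(fd, dir, WATCH_MASK);
    if (wd < 0) { close(fd); rmdir(dir); return 0; }

    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/secret.txt", dir);

    int f = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* -> IN_CREATE */
    if (f >= 0) {
        const char msg[] = "constructed sample content\n";
        if (write(f, msg, sizeof msg - 1) < 0)                /* -> IN_MODIFY */
            perror("write");
        close(f);
    }
    unlink(path);                                              /* -> IN_DELETE */

    drain_events(fd, &seen);
    inotify_rm_watch(fd, wd);
    close(fd);
    rmdir(dir);
    return seen;
}

int main(void)
{
    unsigned int seen = inotify_demo();
    printf("create=%d modify=%d delete=%d\n",
           !!(seen & IN_CREATE), !!(seen & IN_MODIFY), !!(seen & IN_DELETE));
    return seen == WATCH_MASK ? 0 : 1;
}
```

Build with `gcc -O2 -o inotify_demo inotify_demo.c` and run it as an unprivileged user; the watch needs only read access to the directory. The non-blocking descriptor plus the drain loop is the pattern to keep: inotify coalesces nothing across reads, so a monitor that reads one event at a time and then blocks can fall behind and eventually hit IN_Q_OVERFLOW, which is itself an event worth alerting on.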
14. File System Features
EXT3
● Ext3 block reservation & on-line growth (2.6.10 & RHEL4)
● Extended attributes in the body of large inodes: saves space and improves performance (2.6.11)
● Increases maximum ext3 file system size from 8TB to 16TB (2.6.18)
NFS
● ACL support for NFSv3 and NFSv4 (2.6.13)
● Support for large reads and writes on the wire (2.6.16): the Linux NFS client supports transfer sizes up to 1MB
Device mapper multipath support
15. Device Mapper Multipath IO (MPIO)
Connects & manages multiple paths through the SAN to the storage array
Upon component failure, MPIO redirects traffic via redundant paths
Active/Active array support
Bundled into RHEL
16. Security Features
Address space randomization
● Randomization of multiple entities, including the stack & the mmap() region (used by shared libraries) (2.6.12; more complete implementation than in RHEL4)
● Greatly complicates and slows down hacker attacks
Multilevel security (MLS) implementation for SELinux (2.6.12)
● Third policy scheme for SELinux, alongside RBAC & TE
Audit subsystem
● Support for process-context based filtering (2.6.17)
● More filter rule comparators (2.6.17)
TCP/UDP getpeersec
● Enables a security-aware application to retrieve the security context of the IPsec security association a particular TCP or UDP socket is using (2.6.17)
17. 17
Networking
Add nf_conntrack subsystem: (2.6.15)
● Common IPv4/IPv6 generic connection tracking subsystem
● Allows IPv6 to have a stateful firewall capability (not previously
possible)
● Enables analysis of whole streams of packets, rather than only
checking the headers of individual packets
SELinux per-packet access controls
● Replaces old packet controls
● Add Secmark support to core networking
● Allows security subsystems to place security markings on network packets (2.6.18)
IPv6
● RFC 3484 compliant source address selection (2.6.15)
● Add support for Router Preference (RFC4191) (2.6.17)
● Add Router Reachability Probing (RFC4191) (2.6.17)
Introduction to libvirt API
Hypervisor agnostic
Stable API for tool/app development
CIM providers; Python, C bindings, scriptable
Allows authenticated/encrypted sessions to remote hypervisors
Current support for
Xen Hypervisor
KVM Hypervisor
QEMU Hypervisor
Introduction to oVirt
Currently in development
Utilizes libvirt
Web-Based GUI
Automate clustering, load balancing, and SLA maintenance
Designed for enterprise management
Built on Ruby on Rails
Performance tools built-in
Red Hat Security Certifications
● NIAP/Common Criteria: The most evaluated operating system platform
    ● Red Hat Enterprise Linux 2.1 – EAL 2 (Completed: February 2004)
    ● Red Hat Enterprise Linux 3 EAL 3+/CAPP (Completed: August 2004)
    ● Red Hat Enterprise Linux 4 EAL 4+/CAPP (Completed: February 2006)
    ● Red Hat Enterprise Linux 5 EAL4+/CAPP/LSPP/RBAC (Completed: June 2007)
● DII-COE
    ● Red Hat Enterprise Linux 3 (Self-Certification Completed: October 2004)
    ● Red Hat Enterprise Linux: First Linux platform certified by DISA
● DCID 6/3
    ● Currently PL3 & PL4: ask about kickstarts.
    ● Often a component in PL5 systems
● DISA SRRs / STIGs
    ● Ask about kickstarts.
● FIPS 140-2
    ● Red Hat / NSS Cryptography Libraries certified Level 2
RHEL5 Security: NIST Standards Work
Extensible Configuration Checklist Description Format (XCCDF)
Enumeration for configuration requirements
DISA FSO committed to deploying STIG as XCCDF
Others working with NIST
Security policy becomes one file
Red Hat Tomorrow: Here comes XCCDF
XCCDF Format
Language for describing policy
“your password will be...”
OVAL Format
Language for defining compliance
“prove that your password is...”
CVE Dictionary
Standard vulnerability & exposure names
RHEL5 SELinux Enhancements
Policy creation now a two-step process
1) system-config-selinux - creates template policy (network, filesystem read/write, etc.)
2) audit2allow - traces application, ensuring proper accesses
RHEL5 SELinux Enhancements
Loadable Policy Modules
● In the past, all policy changes had to be made to the policy source
● This required the entire policy to be recompiled
● That in turn required a full set of policy development tools on production systems
● Modules allow for the creation of self-contained policy modules
● Safely linked together to create system policies
● Add policy on the fly
● Remove policy on the fly
● Framework to allow ISV/OEM partners to ship their own modular SELinux policy
Further Information
● http://sepolicy-server.sourceforge.net/index.php?page=module-overview
Red Hat Today: RHEL Security Status
SELinux Use Case
Apache should not be allowed to overwrite content
Therefore, Apache – and any program started by Apache – is not given write access to the data
SELinux constrains the program, regardless of the user running the executable
The content is protected, even if the Apache PHP/CGI user owns the files
When an attacker uses the same exploit with SELinux turned on:
Mar 3 23:02:04 rhel4-u4-as kernel: audit(1170820924.171:108):
avc: denied { write } for pid=26760 comm="sh"
name="phpbb" dev=dm-0 ino=1114119
scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
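As an added example (not code from the slides), a small parser that pulls the fields out of AVC denial lines like the one above and flags the case the slide describes: an httpd-spawned domain being refused write access to web content. The first sample line is the slide's denial reflowed onto one line; the second is a constructed denial from an unrelated domain.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the denial from the slide (reflowed to one line) plus a
# second, constructed denial from an unrelated domain for the filter to ignore.
SAMPLE_LOG = """\
Mar  3 23:02:04 rhel4-u4-as kernel: audit(1170820924.171:108): avc:  denied  { write } for  pid=26760 comm="sh" name="phpbb" dev=dm-0 ino=1114119 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
Mar  3 23:02:09 rhel4-u4-as kernel: audit(1170820929.410:109): avc:  denied  { read } for  pid=26790 comm="sshd" name="shadow" dev=dm-0 ino=2171 scontext=root:system_r:sshd_t tcontext=root:object_r:shadow_t tclass=file
"""

# audit(<epoch>:<serial>): avc: <verdict> { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    verdict: str
    perms: list
    fields: dict

    def ctx_type(self, key):
        # A context is user:role:type[:mls]; the type is always the third part.
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return an AvcEvent for an AVC audit line, or None for unrelated lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcEvent(float(m.group("ts")), int(m.group("serial")),
                    m.group("verdict"), m.group("perms").split(), fields)


def content_write_denials(log_text):
    """Denials where an httpd-launched domain tried to modify web content."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev is None or ev.verdict != "denied":
            continue
        if (ev.ctx_type("scontext").startswith("httpd_")
                and ev.ctx_type("tcontext") == "httpd_sys_content_t"
                and {"write", "append", "create", "unlink"} & set(ev.perms)):
            hits.append(ev)
    return hits
```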
Red Hat Today: Announcements
Red Hat / IBM Alliance
Technical Perspective
Dedicated Partner Managers
IBM on-site kernel engineers at Red Hat
Weekly calls with IBM System z Product Mgmt
Emphasis on IBM access to code (making it easier to work together)
Weekly reviews of open bugs & feature requests
Proof of Concept Support
Marketing & Sales Perspective
Joint World-Wide Tour
Marist, zNTP, T3, SHARE, zExpo, etc
Business Perspective
Dedicated staff from helpdesk to executive
Red Hat Today: RHEL Status
Upstream of Code
DASD Drive Updates
zFCP Driver Updates
zFCP multipathing support in RHEL5 installer
Crypto2 Express Support
hugetlbfs
Layer-2 IPv6 support for Hipersockets
Marketing Perspective
Joint World-Wide Tour
Marist, zNTP, T3, SHARE, zExpo, etc
Sales Perspective
Joint sales calls
Red Hat Today: RHEL Status
RHEL 5.1
● Improved z/VM scheduling
● Improved performance with key recompiled libraries
RHEL 5.2
● Support for new IBM z10
● Improved IBM Director support to support fast connection to z/VM
● Improved Virtual Server Management
● Implementation of SCSI dump infrastructure
● Support for Dynamic CHPID reconfiguration
● Better network configuration tool support for System z network adapters
● Improved install experience with support for “ssh -X” with VNC
● Better network performance with skb scatter-gather support
● Implemented device-multipath support for xDR/GDPS
RHEL 5.3
● NSS, CPU Affinity, ETR support planned
● Suggestions? swells@redhat.com
Red Hat Today: RHEL Security Status
Hardware Enablement
In kernel crypto
S/390 implementation of SHA-384 and SHA-512 digests
Improved encryption performance (e.g. encrypted filesystems)
libica library
Support for updated OpenSSL, PKCS#11, GSKit, and kernel crypto APIs
Device driver performance updates
Crypto2 Express Support