SELinux provides mandatory access control to containers and isolates privileged containers to prevent container breakouts and attacks between containers. Udica is a tool that generates customized SELinux security profiles for containers to allow necessary access while still providing isolation between the container and host and between containers. It does this by combining rules from template policy blocks based on the container configuration to produce a new targeted policy type.
This document discusses potential stages and tasks for a recruitment challenge system for the OWASP organization. It proposes 3 stages:
Stage 1 involves basic tasks using telnet/SMTP to test technical skills. Stage 2 involves a social engineering challenge to test security awareness. Stage 3 involves securing a virtualized network using techniques like restricted shells, SSH tunnels, control groups, and firewalls. The goal is to optimize the recruitment process while minimizing risk of rejecting qualified candidates.
0507 057 01 98 * Adana Klima Servisleri, Adana Klima Servisi, Adana Klima Servisleri, Arçelik Klima Servisleri Adana, Beko Klima Servisleri Adana, Demirdöküm Klima Servisleri Adana, Vestel Klima Servisleri Adana, Aeg Klima Servisleri Adana, Bosch Klima Servisleri Adana, Ariston Klima Servisleri Adana, Samsung Klima Servisleri Adana, Siemens Klima Servisleri Adana, Profilo Klima Servisleri Adana, Fujitsu Klima Servisleri Adana, Baymak Klima Servisleri Adana, Sharp Klima Servisleri Adana, Mitsubishi Klima Servisleri Adana, Alaska Klima Servisleri Adana, Aura Klima Servisleri Adana, Adana Çukurova Klima Servisleri, Adana Yüreğir Klima Servisleri, Adana Seyhan Klima Servisleri
This document discusses recruitment processes and requirements for a secure system to optimize recruitment time and minimize risk of rejecting good candidates. It proposes a multi-stage challenge system beginning with basic tasks in telnet/SMTP and progressing to more advanced stages involving social engineering, virtualization, and network security scenarios. Restricted shells, control groups, and data security measures are also discussed to help ensure the system fulfills security requirements.
Because this system is web application (partially)
Because we based (100%) on FOSS (open-source)
Because security matters
Because OWASP people cares about security and can affect recruitment processes (hopefully) ;)
Kata Container & gVisor provide approaches to securely isolate containers by keeping them out of the direct kernel space. Kata Container uses virtual machines with lightweight kernels to isolate containers, while gVisor uses a userspace kernel implemented in Go to provide isolation. Both aim to protect the host kernel by preventing containers from accessing kernel resources directly. Kata Container has a larger memory footprint than gVisor due to its use of virtual machines, but provides stronger isolation of containers.
Containing the Gear: Deep Dive on SELinux, Multi-tenancy, Containers & Security with Dan Walsh
Presenter: Dan Walsh
In this talk, Dan will do a deep dive into the Origin PaaS use of SELinux and containerization. He will discuss how SELinux being utilized to ensure that Origin is the the most secure PAAS available today. He will address some of his ideas for the future of Origin and SELinux.
From 2013-04-14 OpenShift Origin Community Day in Portland, Oregon
Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.
This document discusses potential stages and tasks for a recruitment challenge system for the OWASP organization. It proposes 3 stages:
Stage 1 involves basic tasks using telnet/SMTP to test technical skills. Stage 2 involves a social engineering challenge to test security awareness. Stage 3 involves securing a virtualized network using techniques like restricted shells, SSH tunnels, control groups, and firewalls. The goal is to optimize the recruitment process while minimizing risk of rejecting qualified candidates.
0507 057 01 98 * Adana Klima Servisleri, Adana Klima Servisi, Adana Klima Servisleri, Arçelik Klima Servisleri Adana, Beko Klima Servisleri Adana, Demirdöküm Klima Servisleri Adana, Vestel Klima Servisleri Adana, Aeg Klima Servisleri Adana, Bosch Klima Servisleri Adana, Ariston Klima Servisleri Adana, Samsung Klima Servisleri Adana, Siemens Klima Servisleri Adana, Profilo Klima Servisleri Adana, Fujitsu Klima Servisleri Adana, Baymak Klima Servisleri Adana, Sharp Klima Servisleri Adana, Mitsubishi Klima Servisleri Adana, Alaska Klima Servisleri Adana, Aura Klima Servisleri Adana, Adana Çukurova Klima Servisleri, Adana Yüreğir Klima Servisleri, Adana Seyhan Klima Servisleri
This document discusses recruitment processes and requirements for a secure system to optimize recruitment time and minimize risk of rejecting good candidates. It proposes a multi-stage challenge system beginning with basic tasks in telnet/SMTP and progressing to more advanced stages involving social engineering, virtualization, and network security scenarios. Restricted shells, control groups, and data security measures are also discussed to help ensure the system fulfills security requirements.
Because this system is web application (partially)
Because we based (100%) on FOSS (open-source)
Because security matters
Because OWASP people cares about security and can affect recruitment processes (hopefully) ;)
Kata Container & gVisor provide approaches to securely isolate containers by keeping them out of the direct kernel space. Kata Container uses virtual machines with lightweight kernels to isolate containers, while gVisor uses a userspace kernel implemented in Go to provide isolation. Both aim to protect the host kernel by preventing containers from accessing kernel resources directly. Kata Container has a larger memory footprint than gVisor due to its use of virtual machines, but provides stronger isolation of containers.
Containing the Gear: Deep Dive on SELinux, Multi-tenancy, Containers & Security with Dan Walsh
Presenter: Dan Walsh
In this talk, Dan will do a deep dive into the Origin PaaS use of SELinux and containerization. He will discuss how SELinux being utilized to ensure that Origin is the the most secure PAAS available today. He will address some of his ideas for the future of Origin and SELinux.
From 2013-04-14 OpenShift Origin Community Day in Portland, Oregon
Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.
Linux container (LXC) seems to be preferred technology for deployment of Platform as a service (PaaS) in cloud. Partly because it's easy to install on top of existing visualization platforms (KVM, VMware, VirtualBox), partly because it is lightweight solution to provide separation and process allocations between separate containers running under single kernel.
In this talk we will take a look at LXC and try to explain how to combine it with mandatory access control (MAC) mechanisms within Linux kernel to provide secure separation between different users of applications.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Securing Applications and Pipelines on a Container PlatformAll Things Open
Presented at: Open Source 101 at Home
Presented by: Veer Muchandi, Red Hat Inc
Abstract: While everyone wants to do Containers and Kubernetes, they don’t know what they are getting into from Security perspective. This session intends to take you from “I don’t know what I don’t know” to “I know what I don’t know”. This helps you to make informed choices on Application Security.
Kubernetes as a Container Platform is becoming a de facto for every enterprise. In my interactions with enterprises adopting container platform, I come across common questions:
- How does application security work on this platform? What all do I need to secure?
- How do I implement security in pipelines?
- What about vulnerabilities discovered at a later point in time?
- What are newer technologies like Istio Service Mesh bring to table?
In this session, I will be addressing these commonly asked questions that every enterprise trying to adopt an Enterprise Kubernetes Platform needs to know so that they can make informed decisions.
The document discusses OpenShift security context constraints (SCCs) and how to configure them to allow running a WordPress container. It begins with an overview of SCCs and their purpose in OpenShift for controlling permissions for pods. It then describes issues running the WordPress container under the default "restricted" SCC due to permission errors. The document explores editing the "restricted" SCC and removing capabilities and user restrictions to address the errors. Alternatively, it notes the "anyuid" SCC can be used which is more permissive and standard for allowing the WordPress container to run successfully.
Securing Applications and Pipelines on a Container PlatformAll Things Open
The document discusses securing applications on a container platform. It covers considerations for security at the host operating system level, during container builds, and at runtime. Specific techniques discussed include Linux namespaces and cgroups for isolation, SELinux and MCS labels for access control between containers, capability dropping to restrict privileges, and read-only mounts. Container scanning and signing images are also covered.
Rootless Containers & Unresolved issuesAkihiro Suda
Rootless containers allow users to run containers without root privileges by leveraging user and namespace isolation techniques. While rootless containers mitigate some security risks, there are still unresolved issues around sub-user management, networking, and adoption by runtimes and image builders. Rootless containers also cannot prevent all attacks if a container is broken out of. Container runtimes are working to improve support for rootless containers to further enhance security.
Continuous Security: From tins to containers - now what!Michael Man
The document discusses securing containers throughout their lifecycle from selection of base images and configuration to runtime. It emphasizes applying security controls at each stage including static analysis of Dockerfiles, scanning of images for vulnerabilities, and using admission controllers in Kubernetes to enforce policies for privileges, network access, and resource usage. The document demonstrates potential security risks if containers are not secured properly and provides examples of admission controllers and best practices to mitigate those risks in Kubernetes.
This document is a summary of a webinar on securing container deployments. It lists several important items to consider when securing containers including: running builds separately from production clusters; treating containers as immutable; avoiding privileged containers; keeping hosts updated; encrypting secrets; and preventing container drift. The document provides instructions on how to provide feedback on the webinar series and lists upcoming webinar topics.
Pluggable Infrastructure with CI/CD and DockerBob Killen
The docker cluster ecosystem is still young, and highly modular. This presentation covers some of the challenges we faced deciding on what infrastructure to deploy, and a few tips and tricks in making both applications and infrastructure easily adaptable.
This talk will focus on a brief overview of Kubernetes, with a brief demo, and then more of an in-depth focus on issues we've faced moving PHP projects into Docker and Kubernetes like signal propagation, init systems, and logging.
Talk from Cape Town PHP meetup on Feb. 7, 2016:
https://www.meetup.com/Cape-Town-PHP-Group/events/237226310/
Code: https://github.com/zoidbergwill/kubernetes-php-examples
Slides as markdown: http://www.zoidbergwill.com/presentations/2017/kubernetes-php/index.md
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
This document provides an overview of lightweight virtualization using Linux containers and Docker. It begins by explaining the problems of deploying applications across different environments and targets, and how containers can help solve this issue similarly to how shipping containers standardized cargo transportation. It then discusses what Linux containers are, how they provide isolation using namespaces and cgroups. It introduces Docker and how it builds on containers to further simplify deployment by allowing images to be easily built, shared, and run anywhere through standard formats and tools.
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
Docker provides a standardized way to build, ship, and run Linux containers. It uses Linux kernel features like namespaces and cgroups to isolate containers and make them lightweight. Docker allows building container images using Dockerfiles and sharing them via public or private registries. Images can be pulled and run anywhere. Docker aims to make containers easy to use and commoditize the container technology provided by Linux containers (LXC).
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Docker orchestration voxxed days berlin 2016Grzegorz Duda
The document provides an overview of Docker orchestration and various orchestration solutions. It discusses why Docker orchestration is needed when using containers, particularly for microservices architectures. It describes some early approaches like Docker linking and building your own network, as well as built-in solutions like Docker Swarm and Docker Machine. It then covers additional orchestration tools like Docker Compose, Kubernetes, Spotify Helios, Apache Mesos, and others. It concludes that Docker Swarm together with Docker Compose provides a lightweight solution for smaller setups, while Kubernetes is better suited for large scenarios.
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
Real-World Docker: 10 Things We've Learned RightScale
Docker has taken the world of software by storm, offering the promise of a portable way to build and ship software - including software running in the cloud. The RightScale development team has been diving into Docker for several projects, and we'll share our lessons learned on using Docker for our cloud-based applications.
LinuxLabs 2017 talk: Container monitoring challengesXavier Vello
A technical talk about some challenges we had to solve with our containerized agent:
- handling memory limits
- retrieving host network metrics
- enabling easier discovery via unix domain sockets
- securing our access to the Docker socket
Linux container (LXC) seems to be preferred technology for deployment of Platform as a service (PaaS) in cloud. Partly because it's easy to install on top of existing visualization platforms (KVM, VMware, VirtualBox), partly because it is lightweight solution to provide separation and process allocations between separate containers running under single kernel.
In this talk we will take a look at LXC and try to explain how to combine it with mandatory access control (MAC) mechanisms within Linux kernel to provide secure separation between different users of applications.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Securing Applications and Pipelines on a Container PlatformAll Things Open
Presented at: Open Source 101 at Home
Presented by: Veer Muchandi, Red Hat Inc
Abstract: While everyone wants to do Containers and Kubernetes, they don’t know what they are getting into from Security perspective. This session intends to take you from “I don’t know what I don’t know” to “I know what I don’t know”. This helps you to make informed choices on Application Security.
Kubernetes as a Container Platform is becoming a de facto for every enterprise. In my interactions with enterprises adopting container platform, I come across common questions:
- How does application security work on this platform? What all do I need to secure?
- How do I implement security in pipelines?
- What about vulnerabilities discovered at a later point in time?
- What are newer technologies like Istio Service Mesh bring to table?
In this session, I will be addressing these commonly asked questions that every enterprise trying to adopt an Enterprise Kubernetes Platform needs to know so that they can make informed decisions.
The document discusses OpenShift security context constraints (SCCs) and how to configure them to allow running a WordPress container. It begins with an overview of SCCs and their purpose in OpenShift for controlling permissions for pods. It then describes issues running the WordPress container under the default "restricted" SCC due to permission errors. The document explores editing the "restricted" SCC and removing capabilities and user restrictions to address the errors. Alternatively, it notes the "anyuid" SCC can be used which is more permissive and standard for allowing the WordPress container to run successfully.
Securing Applications and Pipelines on a Container PlatformAll Things Open
The document discusses securing applications on a container platform. It covers considerations for security at the host operating system level, during container builds, and at runtime. Specific techniques discussed include Linux namespaces and cgroups for isolation, SELinux and MCS labels for access control between containers, capability dropping to restrict privileges, and read-only mounts. Container scanning and signing images are also covered.
Rootless Containers & Unresolved issuesAkihiro Suda
Rootless containers allow users to run containers without root privileges by leveraging user and namespace isolation techniques. While rootless containers mitigate some security risks, there are still unresolved issues around sub-user management, networking, and adoption by runtimes and image builders. Rootless containers also cannot prevent all attacks if a container is broken out of. Container runtimes are working to improve support for rootless containers to further enhance security.
Continuous Security: From tins to containers - now what!Michael Man
The document discusses securing containers throughout their lifecycle from selection of base images and configuration to runtime. It emphasizes applying security controls at each stage including static analysis of Dockerfiles, scanning of images for vulnerabilities, and using admission controllers in Kubernetes to enforce policies for privileges, network access, and resource usage. The document demonstrates potential security risks if containers are not secured properly and provides examples of admission controllers and best practices to mitigate those risks in Kubernetes.
This document is a summary of a webinar on securing container deployments. It lists several important items to consider when securing containers including: running builds separately from production clusters; treating containers as immutable; avoiding privileged containers; keeping hosts updated; encrypting secrets; and preventing container drift. The document provides instructions on how to provide feedback on the webinar series and lists upcoming webinar topics.
Pluggable Infrastructure with CI/CD and DockerBob Killen
The docker cluster ecosystem is still young, and highly modular. This presentation covers some of the challenges we faced deciding on what infrastructure to deploy, and a few tips and tricks in making both applications and infrastructure easily adaptable.
This talk will focus on a brief overview of Kubernetes, with a brief demo, and then more of an in-depth focus on issues we've faced moving PHP projects into Docker and Kubernetes like signal propagation, init systems, and logging.
Talk from Cape Town PHP meetup on Feb. 7, 2016:
https://www.meetup.com/Cape-Town-PHP-Group/events/237226310/
Code: https://github.com/zoidbergwill/kubernetes-php-examples
Slides as markdown: http://www.zoidbergwill.com/presentations/2017/kubernetes-php/index.md
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
This document provides an overview of lightweight virtualization using Linux containers and Docker. It begins by explaining the problems of deploying applications across different environments and targets, and how containers can help solve this issue similarly to how shipping containers standardized cargo transportation. It then discusses what Linux containers are, how they provide isolation using namespaces and cgroups. It introduces Docker and how it builds on containers to further simplify deployment by allowing images to be easily built, shared, and run anywhere through standard formats and tools.
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
Docker provides a standardized way to build, ship, and run Linux containers. It uses Linux kernel features like namespaces and cgroups to isolate containers and make them lightweight. Docker allows building container images using Dockerfiles and sharing them via public or private registries. Images can be pulled and run anywhere. Docker aims to make containers easy to use and commoditize the container technology provided by Linux containers (LXC).
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
Docker orchestration voxxed days berlin 2016Grzegorz Duda
The document provides an overview of Docker orchestration and various orchestration solutions. It discusses why Docker orchestration is needed when using containers, particularly for microservices architectures. It describes some early approaches like Docker linking and building your own network, as well as built-in solutions like Docker Swarm and Docker Machine. It then covers additional orchestration tools like Docker Compose, Kubernetes, Spotify Helios, Apache Mesos, and others. It concludes that Docker Swarm together with Docker Compose provides a lightweight solution for smaller setups, while Kubernetes is better suited for large scenarios.
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
Real-World Docker: 10 Things We've Learned RightScale
Docker has taken the world of software by storm, offering the promise of a portable way to build and ship software - including software running in the cloud. The RightScale development team has been diving into Docker for several projects, and we'll share our lessons learned on using Docker for our cloud-based applications.
LinuxLabs 2017 talk: Container monitoring challengesXavier Vello
A technical talk about some challenges we had to solve with our containerized agent:
- handling memory limits
- retrieving host network metrics
- enabling easier discovery via unix domain sockets
- securing our access to the Docker socket
Similar to Fosdem_Using_SELinux_with_container_runtimes.pdf (20)
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Essentials of Automations: The Art of Triggers and Actions in FME
Fosdem_Using_SELinux_with_container_runtimes.pdf
1. Because privileged containers are scary
Using SELinux with
container runtimes
Lukas Vrabec
Senior Software Engineer
Security Technologies
1
2. ● Lukas Vrabec
● SELinux Evangelist
● Member of Security Technologies team at Red Hat
● RHEL & Fedora Contributor (selinux-policy, xguest, udica, netlabel_tools)
● lukas.selinux@redhat.com
● https://lukas-vrabec.com
● https://github.com/wrabcak
● https://twitter.com/mynamewrabcak
Who am I ?
26. Protects the host system from container processes
Container processes can only read/execute /usr files
27. Protects the host system from container processes
Container processes can only read/execute /usr files
Container processes only write to container files.
28. Protects the host system from container processes
Container processes can only read/execute /usr files
Container processes only write to container files.
process type - container_t
file type -container_file_t
29. Every Container Runtime CVE container breakout was a
file system breakout.
CVE-2019-5736 Execution of malicious containers allows for container escape and access to host filesystem
SELinux Blocked
CVE-2015-3627 Insecure opening of file-descriptor 1 leading to privilege escalation
SELinux Blocked
CVE-2015-3630 Read/write proc paths allow host modification & information disclosure
SELinux Blocked
CVE-2015-3631 Volume mounts allow LSM profile escalation
SELinux Blocked
CVE-2016-9962 RunC Exec Vulnerability
SELinux Blocked
40. Default Container Type (container_t) too strict for certain use cases, e.g:
● Fedora SilverBlue project needs containers to read/write home
directory
41. Default Container Type (container_t) too strict for certain use cases, e.g:
● Fedora SilverBlue project needs containers to read/write home
directory
● Fluentd project needs containers to be able to read logs in /var/log
directory
43. Default Container Type (container_t) too loose for certain use cases, e.g:
● No SELinux Network Controls
○ All container processes can bind to any network port
44. Default Container Type (container_t) too loose for certain use cases, e.g:
● No SELinux Network Controls
○ All container processes can bind to any network port
● No SELinux control on Linux Capabilities
○ All container processes can use all linux capabilities
46. # podman run -d -v /var/log:/var/log:Z fluentd
● BAD: Tells podman to set labels on /var/log directory to be container
specific.
● Other confined tools will no longer be able to write their logs
47. # podman run -d -v /var/log:/var/log:Z fluentd
● BAD: Tells podman to set labels on /var/log directory to be container
specific.
● Other confined tools will no longer be able to write their logs
# podman run -ti -v /home:/home --security-opt label:disabled fedora sh
● Turn off SELinux container separation for these use cases
48.
49. ● Solutions
○ Write completely new SELinux policy for custom container
■ Best solution
■ Too difficult for system administrators
● SELinux expertise required
50. ● Solutions
○ Write completely new SELinux policy for custom container
■ Best solution
■ Too difficult for system administrators
● SELinux expertise required
○ Add additional rules for container_t type
■ Not ideal still difficult for system administrators
■ Rules apply to all containers, not just specific container.
61. ● Concept based on "block inheritance" SELinux CIL language
● Udica creates policy combining rules from specified CIL
blocks(templates)
○ Inspecting container JSON file
■ Mounts
■ Ports
■ Capabilities
62. ● Concept based on "block inheritance" SELinux CIL language
● Udica creates policy combining rules from specified CIL
blocks(templates)
○ Inspecting container JSON file
■ Mounts
■ Ports
■ Capabilities
○ Combines with default container template file
■ /usr/share/udica/templates/base_container.cil
63. base home
net
Allows read/exec /usr & read /etc Allows network access Allows access homedirs
Required for every container + Allowing bind on
ftp_port_t (21)
+ Add only read/write perms
65. my_container
● No block for /var/spool
● Udica will detect all labels what could be inside
/var/spool and create allow rules in my_container
policy.
spool
my_container