This document provides an overview of NSA Security Enhanced Linux (SELinux). SELinux implements mandatory access control (MAC) to provide fine-grained access control and confinement of processes. It uses type enforcement (TE) and role-based access control (RBAC) models to define types for objects and domains for processes. TE rules in the SELinux policy specify which domains can access which object types. SELinux has been merged into the Linux kernel and adopted by several distributions to enhance security for network-facing services. Current development focuses on multi-level security and a reference policy, with future work on tools, policies, and additional applications.
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
SELinux presentation given at the Jozi Lug in March. If you are in Johannesburg, South Africa and want to join us see our page on meetup.com. Search for JLug.
http://www.meetup.com/Jozi-Linux-User-Group-JLUG/
Intruders and Intrusion detection in CryptosystemsVelanSalis
A presentation Involving Intrusion and Intrusion detection in Cryptosystems. An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. In summary, this person attempts to violate Security by interfering with system Availability, data Integrity or data Confidentiality.
SELinux Johannesburg Linux User Group (JoziJUg)Jumping Bean
SELinux presentation given at the Jozi Lug in March. If you are in Johannesburg, South Africa and want to join us see our page on meetup.com. Search for JLug.
http://www.meetup.com/Jozi-Linux-User-Group-JLUG/
Intruders and Intrusion detection in CryptosystemsVelanSalis
A presentation Involving Intrusion and Intrusion detection in Cryptosystems. An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. In summary, this person attempts to violate Security by interfering with system Availability, data Integrity or data Confidentiality.
Incident handlers manage security incidents by understanding common attack techniques, vectors and tools as well as defending against and/or responding to such attacks when they occur. In this talk we will discuss modern attacks, techniques, how to defend & respond to those threats.
CNIT 125 6. Identity and Access ManagementSam Bowne
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
We constantly see how IoT security is bypassed and abused, creating the biggest Botnet in history or the biggest DDoS attack ever recorded. But what happens when we used common devices like routers as a weapon? and/or use IoT development platforms such as Raspberry Pi, Arduino, ESP8266 and other to create cyber-weapons? Let find out!
IWMW 1998: Server Management (3) Controlling accessIWMW
Slides for the "Server Management" workshop session on “Controlling Access to Web Pages (3)” (session A3) facilitated by Helen Sargan and Andrew Cormack at the IWMW 1998 event held at Newcastle University on 15-17 September 1998.
See http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-sep1998/materials/
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
Slides for a CISSP prep course at City College San Francisco. Instructor: Sam Bowne
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372.
More information at https://samsclass.info/125/125_S18.shtml
BackStabber Special: Supply chain attacksKnoldus Inc.
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
Linux Kernel Security Overview - KCA 2009James Morris
Overview of Linux Kernel Security presented at Kernel Conference Australia 2009, in Brisbane, QLD.
Provides historical context of Linux kernel security features and discusses their ongoing development in reference to the NSA's 1998 secure OS paper, "The Inevitability of Failure".
Incident handlers manage security incidents by understanding common attack techniques, vectors and tools as well as defending against and/or responding to such attacks when they occur. In this talk we will discuss modern attacks, techniques, how to defend & respond to those threats.
CNIT 125 6. Identity and Access ManagementSam Bowne
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
We constantly see how IoT security is bypassed and abused, creating the biggest Botnet in history or the biggest DDoS attack ever recorded. But what happens when we used common devices like routers as a weapon? and/or use IoT development platforms such as Raspberry Pi, Arduino, ESP8266 and other to create cyber-weapons? Let find out!
IWMW 1998: Server Management (3) Controlling accessIWMW
Slides for the "Server Management" workshop session on “Controlling Access to Web Pages (3)” (session A3) facilitated by Helen Sargan and Andrew Cormack at the IWMW 1998 event held at Newcastle University on 15-17 September 1998.
See http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-sep1998/materials/
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
Slides for a CISSP prep course at City College San Francisco. Instructor: Sam Bowne
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372.
More information at https://samsclass.info/125/125_S18.shtml
BackStabber Special: Supply chain attacksKnoldus Inc.
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
Linux Kernel Security Overview - KCA 2009James Morris
Overview of Linux Kernel Security presented at Kernel Conference Australia 2009, in Brisbane, QLD.
Provides historical context of Linux kernel security features and discusses their ongoing development in reference to the NSA's 1998 secure OS paper, "The Inevitability of Failure".
2008 08-12 SELinux: A Key Component in Secure InfrastructuresShawn Wells
Presented at SHARE Conference, "SELinux: A Key Component in Secure Infrastructures"
Covers "what is SELinux?," Type Enforcement, SELinux Usage, and example scenarios.
2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells
Presented at IBM z/Expo 2008, Session ID zLS01. Talks through what SELinux is, introduces principal concepts of Type Enforcement, SELinux policies, and user/admin perspectives of managing a system with SELinux enabled.
• Each SELinux access control model is simple, but actually
access control is more complex
• Red Hat puts a lot of effort into SELinux, policy and utils for
SELinux usability
– Enlarging default policy modules
– Encouraging Policy module system
– Analyzing and generating policies from access violation log
Defensive information warfare on open platformsBen Tullis
An examination of some of the freely available tools and techniques, which can help in the task of building highly secure computer networks and systems.
Topics include:
* Increasing network visibility - e.g. Network intrusion detection, NetFlow
* Increasing host visibility - e.g. Host-based intrusion detection, Auditing tools
* Wireless network security monitoring
* Rigorous log file management
* Security information and event management (SIEM) options
The presentation was delivered at LinuxCon Europe 2013 in Edinburgh.
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...James Morris
"Have You Driven an SELinux Lately? - An Update on the SELinux Project"
This was given at OLS (Ottawa Linux Symposium) in 2008.
The paper from the talk may be found at
http://namei.org/ols-2008-selinux-paper.pdf.
Creating HAGRAT, A Remote Access Tool (RAT) and the related Command and Control (C2) infrastructure for Penetration Testing exercises that simlate persistent, targeted attacks.
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
Co-presented with Matt Jamison (Sr Architect, DoD Programs) at the IBM Teach the Teacher (IBM T3) conference. Discussed SELinux, Policy Enforcement, Discretionary Access Control, Multi-Level Security vs Multi-Category Security, Role-Based Access Control, usage of SELinux, Linux Audit Subsystem, and host hardening procedures.
In Cassandra Lunch #90, CEO of Anant, Rahul Singh, will discuss the different ways to secure Apache Cassandra. This is going to be an overview of the built-in features as well as other options that can be used
Accompanying Blog: Coming Soon!
Accompanying SlideShare: https://youtu.be/VK3sqh7XxIU
Sign Up For Our Newsletter: http://eepurl.com/grdMkn
Join Cassandra Lunch Weekly at 12 PM EST Every Wednesday: https://www.meetup.com/Cassandra-DataStax-DC/events/
Cassandra.Link:
https://cassandra.link/
Follow Us and Reach Us At:
Anant:
https://www.anant.us/
Awesome Cassandra:
https://github.com/Anant/awesome-cassandra
Cassandra.Lunch:
https://github.com/Anant/Cassandra.Lunch
Email:
solutions@anant.us
LinkedIn:
https://www.linkedin.com/company/anant/
Twitter:
https://twitter.com/anantcorp
Eventbrite:
https://www.eventbrite.com/o/anant-1072927283
Facebook:
https://www.facebook.com/AnantCorp/
Join The Anant Team:
https://www.careers.anant.us
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
Unix was not designed with security primarily in mind. It was initially developed in the late 1960s -- before the Internet was invented. While relatively simple, the Unix security model is inadequate for protecting against common security threats. Its designers identified fundamental design flaws over thirty years ago. As Linux is modeled on Unix, it inherits this traditional Unix security model. Meeting modern security requirements has required significant enhancements to Linux, which are ongoing, but well-advanced. While many new security ideas have emerged, Linux developers have necessarily been constrained by decades of operating system standards and conventions. Aimed at admins, developers and technical managers, the talk will cover:
* The historical context of Linux security
* Modern security OS requirements
* How these requirements are being addressed (or not) by various enhancements made to Linux security
* Areas of ongoing and future work. We'll also consider how FOSS culture contributes to security.
SELinux Project Overview - Linux Foundation Japan Symposium 2008James Morris
"SELinux Project Overview" - presenation given at the Linux Foundation Japan Symposium 2008.
Video of the talk is available here:
http://video.linuxfoundation.org/video/1031
Mandatory Access Control Networking Update - Netonf 2006 TokyoJames Morris
"Mandatory Access Control Networking Update", presentation given at Netconf 2006 in Tokyo, with an update on Labeled Networking and other MAC features.
Kernel Security for 2.8 - Kernel Summit 2004James Morris
"Kernel Security for 2.8", presentation given at the Linux Kernel Summit in Ottawa in 2004.
Note that this was when we were still expecting to have versions 2.7/2.8.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Essentials of Automations: Optimizing FME Workflows with Parameters
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
1. Overview of NSA Security
Enhanced Linux
James Morris
jmorris@namei.org
FOSS.IN/2005
Bangalore, India
2. What is SELinux?
●
Finegrained Mandatory Access Control (MAC)
●
Strongly separated domains
●
Provides confinement of:
●
malicious code
●
flawed code
●
user error/intention
●
Enforces least privilege
●
Protects integrity
●
Flexible policy
3. Discretionary Access Control (DAC)
●
Traditional Unix security model
●
DAC is inadequate:
– Decisions only based on user identity and ownership
– No protection against malicious or flawed software
– Each user has complete discretion over own objects
– Only two major categories of users: admin and other
– Coarsegrained and too much privilege
– Unbounded privilege escalation
4. Mandatory Access Control (MAC)
●
“Missing link” of security in general OSs
●
Primary features:
– Administrativelyset security policy
– Control over all processes and objects
– Decisions based on all securityrelevant information
5. MAC Implementation
●
Traditionally inflexible, maps poorly to general case
●
More than just Multilevel Security (MLS):
– Enforce integrity, least privilege
●
Generalized MAC via Type Enforcement (TE)
●
Transparent to applications
●
Decompose administrator role
●
Policy flexibility
6. SELinux Framework
●
Composition of several security models
– RoleBased Access Control (RBAC)
– Type Enforcement (TE)
– Optional Multilevel Security (MLS)
●
Separation of mechanism and policy
●
Can support further models as required
7. Type Enforcement (TE)
●
Domains for processes, types for objects
●
Control access to objects by domains
●
Control interactions between domains
●
Control entry into domains
●
Bind domains to code
8. Types
●
Attributes assigned to objects and domains
●
Things of the same type are securityequivalent
●
Examples:
– httpd_t (apache execution domain)
– httpd_log_t (apache log files)
– httpd_config_t (apache configuration files)
– httpd_sys_content_t (web content)
9. Type Enforcement Rules
●
TE rules defined in policy
●
Include object labeling, and access control rules
●
Examples:
•
allow httpd_t httpd_log_t:file { create ioctl read getattr lock append };
•
allow httpd_t httpd_config_t:file { read getattr lock ioctl };
•
allow httpd_t httpd_sys_content_t:file { read getattr lock ioctl };
10. Role Based Access Control (RBAC)
●
Roles are attributes assigned to domains, e.g.
– sysadm_r
– system_r
– user_r
●
Specifies domains that can be entered by each role
●
Specifies roles that are authorized for each user
●
Initial domain associated with each user role
11. Current Status
●
Merged into upstream kernel during 2.5 series
●
Adopted by several distributions
●
Targeted policy for network facing services
●
Possibly millions of users
●
Basic tools
12. Current Development
●
MLS for production use
●
Certifications: LSPP, RBACPP at EAL4+
●
Multicategory Security (MCS)
●
Reference policy
●
Modular policy
13. Future Developments & Participation
●
Better tools
– Policy development and analysis
●
High level policy language
●
Distributed security management
– User management, policy distribution, logging
●
Desktop
●
Applicationlevel
16. Acknowledgments
●
Much of the source material for these slides was
derived from existing NSA presentations:
– http://www.nsa.gov/selinux/info/docs.cfm
