"Have You Driven an SELinux Lately? - An Update on the SELinux Project"
This was given at OLS (Ottawa Linux Symposium) in 2008.
The paper from the talk may be found at
http://namei.org/ols-2008-selinux-paper.pdf.
The document discusses directions for improving SELinux networking capabilities. It outlines ideas such as using Netfilter/iptables for IP packet controls instead of the current implementation, leveraging IPsec to label security associations rather than individual packets, extending SELinux policy to the distributed environment, and developing mechanisms for distributing and synchronizing policy across security realms. Long term trends toward high assurance distributed computing are also noted.
Adding Extended Attribute Support to NFS (James Morris)
This document discusses adding extended attribute support to NFS. It provides background on extended attributes, describes different implementations among operating systems, and outlines a proposal to implement name/value extended attribute support in Linux NFSv3 through a side protocol. Prototype code has been developed and is undergoing review. The work could serve as a model for adding extended attribute support to NFSv4 to enable proper support on Linux and BSD systems.
Linux Kernel Security Overview - KCA 2009 (James Morris)
Overview of Linux Kernel Security presented at Kernel Conference Australia 2009, in Brisbane, QLD.
Provides historical context of Linux kernel security features and discusses their ongoing development in reference to the NSA's 1998 secure OS paper, "The Inevitability of Failure".
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats (James Morris)
Unix was not designed with security primarily in mind. It was initially developed in the late 1960s -- before the Internet was invented. While relatively simple, the Unix security model is inadequate for protecting against common security threats. Its designers identified fundamental design flaws over thirty years ago. As Linux is modeled on Unix, it inherits this traditional Unix security model. Meeting modern security requirements has required significant enhancements to Linux, which are ongoing, but well-advanced. While many new security ideas have emerged, Linux developers have necessarily been constrained by decades of operating system standards and conventions. Aimed at admins, developers and technical managers, the talk will cover:
* The historical context of Linux security
* Modern security OS requirements
* How these requirements are being addressed (or not) by various enhancements made to Linux security
* Areas of ongoing and future work. We'll also consider how FOSS culture contributes to security.
Kernel Recipes 2013 - Linux Security Modules: different formal concepts (Anne Nicolas)
This talk surveys the differences between the models that make up the security modules of the Linux kernel.
An introduction to their implementation is also presented, so that the audience understands how to develop a security module.
How Many Linux Security Layers Are Enough? (Michael Boelen)
A talk about Linux security and the available options for securing your systems. Several areas are discussed: what is possible, how to select the right security measures, and tips for implementing them.
Subjects covered in the presentation include file integrity (IMA/EVM), containers such as Docker, and virtualization.
The referenced tool Lynis can be downloaded freely from https://cisofy.com/downloads/
Mandatory Access Control Networking Update - Netconf 2006 Tokyo (James Morris)
"Mandatory Access Control Networking Update", presentation given at Netconf 2006 in Tokyo, with an update on Labeled Networking and other MAC features.
Threats, Vulnerabilities & Security measures in Linux (Amitesh Bharti)
This presentation is made for my college presentation explaining "Threats, Vulnerabilities & Security measures in Linux" and also suggestions on how you could enhance your Linux OS security.
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview (Shawn Wells)
Co-presented with Matt Jamison (Sr Architect, DoD Programs) at the IBM Teach the Teacher (IBM T3) conference. Discussed SELinux, Policy Enforcement, Discretionary Access Control, Multi-Level Security vs Multi-Category Security, Role-Based Access Control, usage of SELinux, Linux Audit Subsystem, and host hardening procedures.
Agenda:
An in-depth review of various security mechanisms in the kernel, such as those added by PaX and grsecurity.
Speaker:
Yehontan Biton, senior kernel developer and computer science researcher for Ben Gurion University of the Negev.
The document summarizes a presentation on network security and Linux security. The presentation covered an introduction to security, computer security, and network security. It discussed why security is needed, who is vulnerable, and common security attacks such as dictionary attacks, denial of service attacks, TCP attacks, and packet sniffing. It also covered Linux security topics such as securing the Linux kernel, file and filesystem permissions, password security, and network security using firewalls, IPsec, and intrusion detection systems. The presentation concluded with a reference to an ID-CERT cybercrime report and a call for questions.
This document provides an overview of Linux security and auditing. It discusses the history and architecture of Linux, important security concepts like physical security, operating system security, network security, file system security and user/group security. It also describes various Linux security tools that can be used for tasks like vulnerability scanning, auditing, intrusion detection and password cracking.
The document discusses vulnerabilities in the Linux operating system and countermeasures to protect Linux systems from remote attacks. It describes how attackers can use tools like Nessus to discover vulnerabilities, deploy trojan programs, and create buffer overflows. It also provides recommendations for system administrators, including keeping systems updated with the latest patches, using rootkit detectors, and training users to avoid social engineering attacks.
This document discusses basic Linux system security. It recommends securing physical access to machines, using the principle of least privilege by limiting accounts, ports, and applications. It also recommends strong passwords, closing unnecessary ports, encrypting network connections, keeping software updated, using intrusion detection, and advanced techniques like auditing OSes and using virtual machines.
Security, Hack1ng and Hardening on Linux - an Overview (Kaiwan Billimoria)
A fairly detailed overview of the current state of security and of the hardening countermeasures employed on a modern OS like Linux, with a focus on teaching the basics of buffer overflows (BOF) so that one understands how these attacks work.
The document discusses improvements to the implementation of futexes (fast userspace mutexes) in the Linux kernel to improve scaling on multicore systems. Some key issues with the original futex implementation are a global hash table that does not scale well with NUMA, hash collisions, and contention on hash bucket locks. Improvements discussed include using per-process or per-thread hash tables to address NUMA issues, improving hashing to reduce collisions, releasing hash bucket locks before waking tasks to allow concurrent wakeups, and replacing spinlocks with queued/MCS locks to reduce cacheline bouncing under contention. These changes aim to improve futex performance and scalability as the number of cores in systems increases.
Linux is considered to be a secure operating system by default. Still there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We discussed some additional documents and tools, to further help this endeavor.
This presentation is suitable for both beginners and those with experience in system hardening.
File System Implementation & Linux Security (Geo Marian)
This document discusses file system implementation and Linux security. It begins by describing how file systems are typically stored on disks with partitions and sectors. It then explains how files are created, opened, read, written to, and deleted in a file system. Two common allocation methods are also summarized - contiguous allocation and linked allocation. Finally, it outlines some common security threats like intruders, malicious programs, and generic attacks and how TCP wrappers can be used to filter network access on Linux servers.
This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, limiting access to needed servers using IPTables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, using tools like netstat, IPTables, and log checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.
The document introduces SELinux, which uses mandatory access control (MAC) in addition to traditional UNIX discretionary access control (DAC). SELinux labels processes and files with security contexts that define access permissions in the security policy. The policy controls access between labeled processes and files through type enforcement rules. System administrators can manage labels and policy using tools like semanage and restorecon.
This document discusses Linux network security and the xFirewall program. It provides an overview of Linux and its networking capabilities. It then describes iptables, the built-in Linux firewall, and xFirewall, a user-friendly frontend for iptables. xFirewall detects network attacks and logs unauthorized access based on allowed ports in its configuration file. The document shows nmap scan results for a system running xFirewall, demonstrating that it only allows connections to specified open ports and blocks other ports from being discovered.
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct... (The Linux Foundation)
This document summarizes Xen security framework (XSM) which enables fine-grained control over interactions between domains, hypervisor, and resources. XSM uses mandatory access control based on security labels rather than discretionary access control. Permissions for subjects (processes or VMs) to interact with objects (files, ports, devices, etc.) are defined in security policies. The architecture includes security policies, a policy controlling entity, security server, access vector cache, and policy database. The decision making process involves checking the access vector cache, consulting the security server and policy database if needed, and returning the access decision. Challenges include ensuring atomic policy changes and consistency between security policy and runtime policy database.
This document provides an overview of security features in UNIX and Linux operating systems. It discusses permissions, access control lists, mandatory access control, password hashing, system patching, sandboxing users and services, and other security concepts. The document aims to educate readers on basic and advanced security techniques available in UNIX/Linux to protect systems from threats.
This document provides an overview of SELinux, including its introduction, access control mechanisms, policy, administration, and benefits. SELinux is a Linux security module that implements mandatory access controls to confine processes and restrict their access. It defines types for objects like files and directories, domains for processes, and roles to determine what access users and processes have. SELinux policy enforces these controls and can be configured through booleans and modified policy modules. It helps strengthen security by auditing access and confining services like web servers even if they are compromised by an attack.
This document provides an overview of Security Enhanced Linux (SELinux). It discusses what SELinux is, how it implements mandatory access control on Linux systems, and some basic SELinux concepts like types, users, roles, and the policy. It also covers installing SELinux on CentOS 7 and checking the mode.
Are you really sure the security of your Linux systems is done properly? Michael Boelen has performed research in this field since 2002. The short answer: there is too much that is possible, and too much to do. For this reason, he created several open source security tools to help others save time. We will look into how Lynis can help with technical security scans.
In this talk, we had a look on how Lynis helps with system hardening. We discussed the background of the tool, lessons learned after 13 years of open source software development, and what the future plans are.
SELinux Project Overview - Linux Foundation Japan Symposium 2008 (James Morris)
"SELinux Project Overview" - presentation given at the Linux Foundation Japan Symposium 2008.
Video of the talk is available here:
http://video.linuxfoundation.org/video/1031
The State of Security Enhanced Linux - FOSS.IN/2007 (James Morris)
The document provides an overview and update on the State of Security Enhanced (SE) Linux project. It discusses that SE Linux is a security framework that uses type enforcement and mandatory access control to enforce confidentiality and integrity. It then summarizes that the project has expanded its policy tools, added dynamic policy loading, improved certification and protection, and continued extending its support beyond the Linux kernel. It closes by discussing ongoing work and how to get involved in helping the project.
West is a command line tool that manages Zephyr projects. It initializes workspaces, updates repositories, and provides commands for common development tasks like building, flashing, and debugging. West separates the core tool functionality from Zephyr-specific extensions, allowing it to manage multiple projects. When initializing a workspace, West clones the main Zephyr repository and any dependencies, creating a reproducible development environment.
Best Practices for Deploying Enterprise Applications on UNIX (Noel McKeown)
The document provides best practices for preparing a UNIX server for deploying enterprise applications. It discusses tasks such as OS installation, hardening the server, configuring shared storage, setting up system accounts, enabling sudo privileges, and disabling security features like iptables and SELinux that could interfere with applications. The goal is to baseline the server, lock down access, and set it up securely according to industry standards before deploying enterprise software.
2008-10-15 Red Hat Deep Dive Sessions: SELinux (Shawn Wells)
This document discusses SELinux and provides details about:
1) The three SELinux policy types - targeted, strict, and multi-level security (MLS). It explains the differences between these policy types.
2) How SELinux works using type enforcement to define security contexts for subjects and objects to enforce access controls.
3) Tools that system administrators can use to manage SELinux policies and troubleshoot issues like semanage, sealert, and audit2allow. It provides examples of using these tools.
4) A scenario where a corporate VPN update broke a user's configuration and how SELinux logs and tools could help fix the issue.
This document provides an introduction to SELinux, including a brief history of how it was created by the NSA and adopted in major Linux distributions. It explains the differences between Discretionary Access Control (DAC) and Mandatory Access Control (MAC) models. It also describes how SELinux works by enforcing security policies at the kernel level to confine processes and provide fine-grained access controls, and outlines some of the key benefits it provides like auditing and strengthening server security.
2008-01-22 Red Hat (Security) Roadmap Presentation (Shawn Wells)
This document provides an agenda and overview for a Red Hat security seminar. The seminar will cover Red Hat emerging technologies like virtualization and security, Red Hat security features and certifications, SELinux enhancements in Red Hat Enterprise Linux 5, and high availability and clustering solutions. It will also discuss the Red Hat development model, JBoss enterprise services, and Red Hat identity management products.
stackconf 2023 | SCS: Building Open Source Cloud and Container Infrastructure ... (NETWAYS)
Kurt Garloff discusses the importance of open source software and digital sovereignty. He describes how open source is now ubiquitous but proprietary platforms still dominate IT. The Sovereign Cloud Stack (SCS) aims to address this by providing an open source reference implementation and standards for a modular, cloud infrastructure platform that can be operated by many entities. SCS will deliver certifiable standards, open source code, and knowledge sharing to enable more distributed control and choice in cloud infrastructure.
stackconf 2023 | SCS: Building Open Source Cloud and Container Infrastructure ... (NETWAYS)
Linux is everywhere. Open Source has won! It has not. While Open Source components are all over the place, the big IT players use them to build platforms that are not fully open but designed to lock their users in. The question to ask these days is not: “Are you building on top of open source?”, because everyone is. The question should be: “Do you allow others to rebuild your whole platform?” and “Do you allow others to contribute to it and shape its future?” Sounds utopian? Sovereign Cloud Stack (SCS) tries to do exactly this: build a network of operators to define common standards together, implement them in a complete, openly developed and fully open source manner, and then even collaborate on operating it well — which can be harder than building it. The speaker will discuss the vision behind the SCS project, how it has built the community and the technology stack, what it has achieved so far and where it will go next.
Presentation delivered at LinuxCon China 2017.
Zephyr is an upstream open source project for places where Linux is too big to fit. This talk will overview the progress we've made in the first year towards the project's goals around incorporating best-of-breed technologies into the code base, and building up the community to support multiple architectures and development environments. We will share our roadmap, plans and the challenges ahead of us, and give an overview of the major technical challenges we want to tackle in 2017.
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future - GWAVA
The document outlines the roadmap for Novell Open Enterprise Server (OES). Key points include:
- OES 11 SP1 was released in December 2012 with over 50 new features including single DVD install, virtualization improvements, and Linux user management enhancements.
- OES 11 SP2 will include integration with SLES 11 SP3, eDirectory 8.8 SP8, improved deployment tools, and management/monitoring enhancements.
- Future releases will focus on larger than 8TB storage support, improved file access protocols, Active Directory integration, and moving to a single update channel. The roadmap aims to address deployment issues and add support for new client platforms.
2008 08-12 SELinux: A Key Component in Secure Infrastructures - Shawn Wells
Presented at SHARE Conference, "SELinux: A Key Component in Secure Infrastructures"
Covers "what is SELinux?," Type Enforcement, SELinux Usage, and example scenarios.
OSMC 2010 | Insides SUSE Linux by Joachim Werner - NETWAYS
SUSE Linux Enterprise is the most interoperable platform for mission-critical computing - both in traditional client-server and in virtual environments - from the desktop to the datacenter. This talk gives some basic information about the monitoring data SUSE LINUX exposes and the monitoring opportunities it offers.
This deck was used during Engage User Group to update people on recent Linux developments, as well as the changes coming with Kubernetes and Container based workloads. The target audience was Container newbies.
A Summary about Hykes' Keynote on Dockercon 2015 - Henry Huang
The keynote discussed Docker's goals of reinventing the programmer's toolbox through tools like Docker runtime, distribution, composition, machine management, clustering, networking, and extensibility plugins. It also discussed building better infrastructure plumbing through projects like Notary for secure content distribution and runC as a portable container runtime. Finally, it covered promoting open standards through the Open Container Project to define a vendor-neutral container format and ensure support from a broad industry coalition.
Overview of NSA Security Enhanced Linux - FOSS.IN/2005 - James Morris
This document provides an overview of NSA Security Enhanced Linux (SELinux). SELinux implements mandatory access control (MAC) to provide fine-grained access control and confinement of processes. It uses type enforcement (TE) and role-based access control (RBAC) models to define types for objects and domains for processes. TE rules in the SELinux policy specify which domains can access which object types. SELinux has been merged into the Linux kernel and adopted by several distributions to enhance security for network-facing services. Current development focuses on multi-level security and a reference policy, with future work on tools, policies, and additional applications.
TryStack.cn is a non-profit OpenStack testbed and community project in China that aims to promote OpenStack adoption. It operates the largest OpenStack testbed in China with hardware from various vendors. TryStack.cn provides reference architectures, best practices, and contributes code back to the community. It also organizes OpenStack meetups and training to help grow the OpenStack ecosystem in China.
The document summarizes Brian Stevens' presentation at the 2011 NASA Open Source Summit. The presentation discussed the history and evolution of open source, from UNIX in the 1980s to widespread Linux adoption today. Stevens emphasized the benefits of open source such as sharing, efficiency, agility, and collaboration over proprietary "islands." He highlighted SELinux as an example of an open source project that through community collaboration has become integrated into Linux and other operating systems. Stevens concluded by discussing Red Hat's Fedora distribution and emphasizing the importance of treating customers as partners in open source business models.
Kali Linux is an open-source, Debian-based Linux distribution designed for digital forensics and penetration testing. It contains hundreds of tools for security tasks like penetration testing, forensics, and vulnerability management. While offering advantages like customizability and security, Kali Linux is intended for security professionals and includes many hacking tools not needed for regular use.
The document provides an overview of the networking aspects of the One Laptop Per Child (OLPC) project. It describes the OLPC hardware as a $100 rugged laptop with limited specs. The software is a minimal Linux-based system with a Sugar GUI. Networking requirements include adapting to various scenarios from small village networks to large school networks. Key networking technologies utilized are 802.11s wireless mesh networking with AODV and OLSR routing, IPv6 autoconfiguration, and potential IPSec encryption. The envisioned topology has schools connected to "mesh portals" that link to other schools and the internet.
Kernel Security for 2.8 - Kernel Summit 2004 - James Morris
"Kernel Security for 2.8", presentation given at the Linux Kernel Summit in Ottawa in 2004.
Note that this was when we were still expecting to have versions 2.7/2.8.
Better IPSec Security Association Resolution - Netconf 2006 Tokyo - James Morris
This document discusses improving IPsec security association resolution. It outlines problems with the current approach, where applications often get errors when no SA exists. The proposed solution is to have connect(), sendmsg(), and other calls return status to indicate resolution is in progress, and queue or retry packets as needed. Ongoing work includes handling all use cases and determining the full scope of the problem to address. Key challenges include different needs for opportunistic encryption versus large scale deployments.
SELinux Kernel Internals and Architecture - FOSS.IN/2005 - James Morris
SELinux is a Linux security module that provides mandatory access controls. It labels important system objects like processes, files, and network packets. These labels contain security context information used by SELinux policies to enforce access rules between subjects and objects. The SELinux policy is compiled and loaded into the kernel, where Linux Security Modules hooks mediate critical operations according to the policy.
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008) - James Morris
This document discusses the anatomy of Fedora Kiosk mode, which allows for anonymous desktop access through a confined user environment. It uses SELinux mandatory access control policies, Linux namespaces for filesystem isolation, and PAM for authentication configuration to protect the system and isolate the kiosk user. When the user logs out, their session and all desktop state are destroyed through the use of Sabayon and a fresh GNOME profile installed for each login. The combination of these technologies allows Fedora to provide a secure yet useful kiosk mode environment.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... - Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs - Alex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! - SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Communications Mining Series - Zero to Hero - Session 1 - DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GridMate - End to end testing is a critical piece to ensure quality and avoid... - ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Securing your Kubernetes cluster_ a step-by-step guide to success ! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS 2008
1. Have You Driven an SELinux Lately?
An update on the Security Enhanced Linux Project
James Morris
Red Hat Asia Pacific Pte Ltd
Ottawa Linux Symposium 2008
4. User Experience
● Targeted Policy
– Initially confined only critical applications
– Now re-merged with hundreds of modules
● Targeted behavior selected via the unconfined module
● Setroubleshoot
– Inspired by GNOME bug buddy
11. Security Evaluation
● RHEL5 Common Criteria certifications
– LSPP, RBACPP, CAPP at EAL4+
– IBM, HP and SGI hardware
– Community effort
– Led to improved audit and other features
● Other Accreditation
– US Coast Guard Intelligence case study
12. Threat Mitigation
“A security framework originally published by the US National Security Agency has begun to rack up an impressive list of protections against security holes.”
– LinuxWorld, Feb 2008
● SELinux has mitigated several serious security threats to everyday users of Fedora & RHEL.
● Tracked @ Tresys Mitigation News
13. SELinux Adoption
● Widely adopted in Fedora
– Smolt statistics show majority have SELinux enabled.
● RHEL adoption by military, govt, finance:
– Factor in NYSE/Euronext adoption, handling over $140 Billion/day in trades.
● Embedded / consumer electronics:
– Reduce risks and costs of vulnerabilities
– Simpler systems can have tighter policy
14. Kiosk Mode (xguest)
● Anonymous desktop sessions
● Innovative application of several security technologies
● Useful for conferences, training, trade shows, libraries, child-proofing...