This document provides an introduction to securing Linux systems. It begins by explaining the types of exploits that can compromise Linux systems and gain root access. It then discusses how traditional Linux security methods like discretionary access controls (DAC) and firewalls are insufficient to prevent exploits. The document introduces mandatory access controls (MAC) as an enhancement that can restrict what programs are allowed to do even with root privileges. It emphasizes that MAC systems require security policies to define which accesses should be allowed or denied to provide protection while maintaining usability. The goal of secure Linux extensions is to grant necessary access according to policies while rejecting all other access attempts.
Mackenzie Morgan gave a presentation at Ohio LinuxFest 2010 about the Linux security myth. They discussed that while Linux is less vulnerable to viruses than Windows, it can still be affected by malware through email trojans, untrusted software from third-party repositories, and browser-based attacks. However, users can protect themselves by only installing software from trusted software sources, being cautious of launchers from unknown origins, and using browser plugins like NoScript to block malicious scripts.
This document provides an overview of Linux security and auditing. It discusses the history and architecture of Linux, important security concepts like physical security, operating system security, network security, file system security and user/group security. It also describes various Linux security tools that can be used for tasks like vulnerability scanning, auditing, intrusion detection and password cracking.
THIS IS A PRESENTATION JUST THANKING THOSE WHO HAVE ALREADY LOOKED AT SOME OF MY PREVIOUS PRESENTATIONS. PLEASE LEAVE COMMENTS EXPLAINING ANY SUBJECTS THAT YOU WANT COVERING.
Linux Performance Analysis: New Tools and Old Secrets (Brendan Gregg)
Talk for USENIX/LISA2014 by Brendan Gregg, Netflix. At Netflix performance is crucial, and we use many high to low level tools to analyze our stack in different ways. In this talk, I will introduce new system observability tools we are using at Netflix, which I've ported from my DTraceToolkit, and are intended for our Linux 3.2 cloud instances. These show that Linux can do more than you may think, by using creative hacks and workarounds with existing kernel features (ftrace, perf_events). While these are solving issues on current versions of Linux, I'll also briefly summarize the future in this space: eBPF, ktap, SystemTap, sysdig, etc.
Say No Thank You to the PowerPoint Thank You Slide (24Slides)
This document provides tips for concluding a presentation effectively. It recommends ending with an impactful last slide like a summary, discussion starter, call to action, or story rather than just saying "thank you." The last slide and words should leave the audience wanting more and reinforce the main message. Ending with energy and enthusiasm is also important even if the presenter is tired. The conclusion is the last impression and only chance to impact the audience so it merits careful consideration.
I've uploaded my own Japanese translation of Jobs's speech at Stanford University at http://www.slideshare.net/haradats/youve-got-to-find-what-you-love-jobs-says.
If you treasure the original speech like I do, why don't you make and share your version in your language?
This kit is a LaTeX template including the speech text. All you need to do is replace "*Your*" with translations and compile.
Enjoy.
Hint:
To adjust the horizontal positions of paragraphs, \baselineskip is handy.
Note:
The original text, which has been published at Stanford University, is slightly different from the spoken words. My guess is that the Stanford text is based on Jobs's memo received from Jobs.
My own Japanese translation of the legendary Steven Jobs's speech at Stanford University.
Browser version available at http://slides.com/haradats/deck#/
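This translation and document were prepared as material for the lecture "An Introduction to Presentations for Living a Better Life", given at Shibaura Institute of Technology on October 23, 2015.
The PDF file can be downloaded from the link below.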
http://www11.plala.or.jp/tsh/stanford.pdf
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
This document discusses the advantages and disadvantages of label-based access control versus pathname-based access control. It notes that while label-based access control is robust against changes to pathnames and namespaces, the location and name of a file still have meaning in terms of how the system behaves and provides services. The document argues that restricting pathname changes is important for preventing unintended system behavior and maintaining system availability. It suggests that both label-based and pathname-based access controls are needed and that the LSM should support both.
TOMOYO Linux is an extension of the Linux kernel that adds process tracing capabilities. It automatically stores the "process invocation history" which shows how each process was created. This allows users to browse the entire process tree and see the relationships between running processes. The TOMOYO Linux policy editor provides a command line interface to view the stored process histories on a system and monitor actions caused by each process. TOMOYO Linux can help provide visibility into process activity and is maintained as an open source project with repositories of patched kernels and tools.
This document summarizes the key differences between SELinux and TOMOYO Linux access control systems. SELinux focuses on restricting programs based on security labels, while TOMOYO Linux focuses on restricting programs based on their process invocation history and parameters. The document argues that while label-based access control has limitations in guaranteeing information flow, TOMOYO Linux can help reinforce access control by restricting programs' actions and parameters within the kernel.
This document discusses the TOMOYO Linux access control system. It describes two versions of TOMOYO - version 1.6 which does not use Linux Security Modules (LSM) and version 2.2 which modifies TOMOYO to use LSM. The document then provides examples of how TOMOYO can provide access control based on file/directory names and parameters to address scenarios like restricting file uploads and executions. It argues that while label-based access control controls permissions, name-based controls like TOMOYO can address additional factors around how file contents are processed once in userspace.
The document proposes a method called "login authentication multiplexing" to strengthen login authentication security by enforcing multiple authentications rather than a single authentication. It involves placing extra authentication programs after the initial login that must be passed before accessing protected resources. This approach reduces vulnerabilities, allows flexible policies, and prevents damage until all authentications are passed. Practical issues like restricting shell access and remote access programs are also discussed.