DOCSLIB.ORG

Security Guide Opensuse Leap 42.3 Security Guide Opensuse Leap 42.3

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Security Guide openSUSE Leap 42.3 Security Guide openSUSE Leap 42.3 Introduces basic concepts of system security, covering both local and network secu- rity aspects. Shows how to use the product inherent security software like AppAr- mor or the auditing system that reliably collects information about any security-rel- evant events. Publication Date: November 05, 2018 SUSE LLC 10 Canal Park Drive Suite 200 Cambridge MA 02141 USA https://www.suse.com/documentation Copyright © 2006– 2018 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Docu- mentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third-party trademarks are the prop- erty of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xv 1 Security and Confidentiality 1 1.1 Local Security and Network Security 1 Local Security 3 • Network Security 6 1.2 Some General Security Tips and Tricks 10 1.3 Using the Central Security Reporting Address 12 I AUTHENTICATION 13 2 Authentication with PAM 14 2.1 What is PAM? 14 2.2 Structure of a PAM Configuration File 15 2.3 The PAM Configuration of sshd 17 2.4 Configuration of PAM Modules 20 pam_env.conf 20 • pam_mount.conf.xml 21 • limits.conf 21 2.5 Configuring PAM Using pam-config 21 2.6 Manually Configuring PAM 22 2.7 For More Information 23 3 Using NIS 24 3.1 Configuring NIS Servers 24 Configuring a NIS Master Server 25 • Configuring a NIS Slave Server 29 3.2 Configuring NIS Clients 30 iii Security Guide 4 Setting Up Authentication Servers and Clients Using YaST 32 4.1 Configuring an Authentication Server with YaST 32 Initial Configuration of an Authentication Server 32 • Editing an Authentication Server Configuration with YaST 36 • Editing LDAP Users and Groups 41 4.2 Configuring an Authentication Client with YaST 41 4.3 SSSD 42 Checking the Status 42 • Caching 42 • For More Information 43 5 LDAP—A Directory Service 44 5.1 LDAP versus NIS 45 5.2 Structure of an LDAP Directory Tree 45 5.3 Configuring an LDAP Client with YaST 48 5.4 Configuring LDAP Users and Groups in YaST 50 5.5 Manually Configuring an LDAP Server 51 5.6 Manually Administering LDAP Data 52 Inserting Data into an LDAP Directory 52 • Modifying Data in the LDAP Directory 54 • Searching or Reading Data from an LDAP Directory 55 • Deleting Data from an LDAP Directory 56 5.7 For More Information 56 6 Network Authentication with Kerberos 58 6.1 Kerberos Terminology 58 6.2 How Kerberos Works 60 First Contact 60 • Requesting a Service 61 • Mutual Authentication 61 • Ticket Granting—Contacting All Servers 62 6.3 User View of Kerberos 63 iv Security Guide 6.4 Installing and Administering Kerberos 64 Kerberos Network Topology 65 • Choosing the Kerberos Realms 66 • Setting Up the KDC Hardware 66 • Configuring Time Synchronization 67 • Configuring the KDC 68 • Configuring Kerberos Clients 71 • Configuring Remote Kerberos Administration 74 • Creating Kerberos Service Principals 75 • Enabling PAM Support for Kerberos 77 • Configuring SSH for Kerberos Authentication 78 • Using LDAP and Kerberos 79 6.5 Setting up Kerberos using LDAP and Kerberos Client 81 6.6 For More Information 84 7 Active Directory Support 85 7.1 Integrating Linux and Active Directory Environments 85 7.2 Background Information for Linux Active Directory Support 86 Domain Join 88 • Domain Login and User Homes 89 • Offline Service and Policy Support 90 7.3 Configuring a Linux Client for Active Directory 91 Choosing Which YaST Module to Use for Connecting to Active Directory 92 • Joining Active Directory Using User Logon Management 93 • Joining Active Directory Using Windows Domain Membership 97 • Checking Active Directory Connection Status 99 7.4 Logging In to an Active Directory Domain 100 GDM 100 • Console Login 100 7.5 Changing Passwords 101 II LOCAL SECURITY 103 8 Configuring Security Settings with YaST 104 8.1 Security Overview 104 8.2 Predefined Security Configurations 105 8.3 Password Settings 106 v Security Guide 8.4 Boot Settings 106 8.5 Login Settings 107 8.6 User Addition 107 8.7 Miscellaneous Settings 107 9 Authorization with PolKit 109 9.1 Conceptual Overview 109 Available Authentication Agents 109 • Structure of PolKit 109 • Available Commands 110 • Available Policies and Supported Applications 110 9.2 Authorization Types 112 Implicit Privileges 112 • Explicit Privileges 113 • Default Privileges 113 9.3 Querying Privileges 113 9.4 Modifying Configuration Files 114 Adding Action Rules 114 • Adding Authorization Rules 116 • Modifying Configuration Files for Implicit Privileges 116 9.5 Restoring the Default Privileges 117 10 Access Control Lists in Linux 119 10.1 Traditional File Permissions 119 The setuid Bit 119 • The setgid Bit 120 • The Sticky Bit 120 10.2 Advantages of ACLs 120 10.3 Definitions 121 10.4 Handling ACLs 122 ACL Entries and File Mode Permission Bits 123 • A Directory with an ACL 124 • A Directory with a Default ACL 126 • The ACL Check Algorithm 129 10.5 ACL Support in Applications 130 10.6 For More Information 130 vi Security Guide 11 Encrypting Partitions and Files 131 11.1 Setting Up an Encrypted File System with YaST 132 Creating an Encrypted Partition during Installation 132 • Creating an Encrypted Partition on a Running System 133 • Creating an Encrypted Virtual Disk 134 • Encrypting the Content of Removable Media 134 11.2 Using Encrypted Home Directories 135 11.3 Encrypting Files with GPG 136 12 Certificate Store 137 12.1 Activating Certificate Store 137 12.2 Importing Certificates 137 13 Intrusion Detection with AIDE 139 13.1 Why Use AIDE? 139 13.2 Setting Up an AIDE Database 139 13.3 Local AIDE Checks 142 13.4 System Independent Checking 143 13.5 For More Information 144 III NETWORK SECURITY 145 14 SSH: Secure Network Operations 146 14.1 ssh—Secure Shell 146 Starting X Applications on a Remote Host 147 • Agent Forwarding 147 14.2 scp—Secure Copy 147 14.3 sftp—Secure File Transfer 148 Using sftp 148 • Setting Permissions for File Uploads 149 14.4 The SSH Daemon (sshd) 150 Maintaining SSH Keys 151 • Rotating Host Keys 151 vii Security Guide 14.5 SSH Authentication Mechanisms 152 Generating an SSH Key 153 • Copying an SSH Key 153 • Using the ssh- agent 154 14.6 Port Forwarding 155 14.7 For More Information 155 15 Masquerading and Firewalls 157 15.1 Packet Filtering with iptables 157 15.2 Masquerading Basics 160 15.3 Firewalling Basics 161 15.4 SuSEFirewall2 162 Configuring the Firewall with YaST 163 • Configuring Manually 166 15.5 For More Information 169 16 Configuring a VPN Server 170 16.1 Conceptual Overview 170 Terminology 170 • VPN Scenarios 171 16.2 Setting Up a Simple Test Scenario 174 Configuring the VPN Server 175 • Configuring the VPN Clients 176 • Testing the VPN Example Scenario 177 16.3 Setting Up Your VPN Server Using a Certificate Authority 177 Creating Certificates 178 • Configuring the VPN Server 181 • Configuring the VPN Clients 183 16.4 Setting Up a VPN Server or Client Using YaST 184 16.5 For More Information 185 17 Managing X.509 Certification 187 17.1 The Principles of Digital Certification 187 Key Authenticity 188 • X.509 Certificates 188 • Blocking X.509 Certificates 189 • Repository for Certificates and CRLs 190 • Proprietary PKI 191 viii Security Guide 17.2 YaST Modules for CA Management 191 Creating a Root CA 191 • Changing Password 193 • Creating or Revoking a Sub-CA 194 • Creating or Revoking User Certificates 196 • Changing Default Values 197 • Creating Certificate Revocation Lists (CRLs) 198 • Exporting CA Objects to LDAP 199 • Exporting CA Objects as a File 200 • Importing Common Server Certificates 201 IV CONFINING PRIVILEGES WITH APPARMOR 202 18 Introducing AppArmor 203 18.1 AppArmor Components 203 18.2 Background Information on AppArmor Profiling 204 19 Getting Started 205 19.1 Installing AppArmor 205 19.2 Enabling and Disabling AppArmor 206 19.3 Choosing Applications to Profile 207 19.4 Building and Modifying Profiles 207 19.5 Updating Your Profiles 209 20 Immunizing Programs 210 20.1 Introducing the AppArmor Framework 211 20.2 Determining Programs to Immunize 213 20.3 Immunizing cron Jobs 214 20.4 Immunizing Network Applications 214 Immunizing Web Applications 216 • Immunizing Network Agents 218 21 Profile Components and Syntax 219 21.1 Breaking an AppArmor Profile into Its Parts 220 ix Security Guide 21.2 Profile Types 222 Standard Profiles 222 • Unattached Profiles 223 • Local Profiles 223 • Hats 224 • Change rules 224 21.3 Include Statements 225 Abstractions 227 • Program Chunks 227 • Tunables 227 21.4 Capability Entries (POSIX.1e) 227 21.5 Network Access Control 228 21.6 Profile Names, Flags, Paths, and Globbing 229 Profile Flags 230 • Using Variables in Profiles 231 • Pattern Matching 232 • Namespaces 233 • Profile Naming and Attachment Specification 233 • Alias Rules 234 21.7 File Permission Access Modes 234 Read Mode (r) 235 • Write Mode (w) 235 • Append Mode (a) 235 • File Locking Mode (k) 235 •
Recommended publications
  • An User & Developer Perspective on Immutable Oses

    An User & Developer Perspective on Immutable Oses

    An User & Developer Perspective on Dario Faggioli Virtualization SW. Eng. @ SUSE Immutable OSes [email protected] dariof @DarioFaggioli https://dariofaggioli.wordpress.com/ https://about.me/dario.faggioli About Me What I do ● Virtualization Specialist Sw. Eng. @ SUSE since 2018, working on Xen, KVM, QEMU, mostly about performance related stuff ● Daily activities ⇒ how and what for I use my workstation ○ Read and send emails (Evolution, git-send-email, stg mail, ...) ○ Write, build & test code (Xen, KVM, Libvirt, QEMU) ○ Work with the Open Build Service (OBS) ○ Browse Web ○ Test OSes in VMs ○ Meetings / Video calls / Online conferences ○ Chat, work and personal ○ Some 3D Printing ○ Occasionally play games ○ Occasional video-editing ○ Maybe scan / print some document 2 ● Can all of the above be done with an immutable OS ? Immutable OS: What ? Either: ● An OS that you cannot modify Or, at least: ● An OS that you will have an hard time modifying What do you mean “modify” ? ● E.g., installing packages ● ⇒ An OS on which you cannot install packages ● ⇒ An OS on which you will have an hard time installing packages 3 Immutable OS: What ? Seriously? 4 Immutable OS: Why ? Because it will stay clean and hard to break ● Does this sound familiar? ○ Let’s install foo, and it’s dependency, libfoobar_1 ○ Let’s install bar (depends from libfoobar_1, we have it already) ○ Actually, let’s add an external repo. It has libfoobar_2 that makes foo work better! ○ Oh no... libfoobar_2 would break bar!! ● Yeah. It happens. Even in the best families distros
  • The BIG Change for Opensuse Leap 15.3 About Me

    The BIG Change for Opensuse Leap 15.3 About Me

    The BIG Change for openSUSE Leap 15.3 About Me openSUSE Manager Hobbies ● Marketing/PR ● Fantasy Sports ● Event Organizer ● Mining ● Coordinate Event ● Series Binge Watcher Sponsorship Interesting Fact Education Christopher Reeve was ● MBA - Business to blame for me breaking my arm ● BA - Education Douglas DeMaio (Superman 1978) V International GNU Health Conference - Nov. 20 - 21, online event - #GHCon2020 The Way to openSUSE Leap 15.3 bout Me !losing the Leap Gap What is it & why does it matter. Jump 15.&.1 Leap 15.3 The efforts to change What to expect with in how a distribution is coming releases of this built openSUSE distribution What is openSUSE Leap Leap is trying to bridge “Community and Enterprise” the distribution is based on the latest version of SUSE Linux Enterprise available to the date, typically with a 12 months release cycle. Leap 15.2 Retrospective told us that users value most the installer, stability, seamless migrations, and YaST. These would be then our strengths according to users! The distribution is often profiled as the more stable one and easy to use as there should be no radical or disruptive changes in between minor updates. Some users say It’s the KDE distribution. Box says “The Linux Distribution for Beginners and Pros” !"osing the Leap Gap ● CtLG is a SUSE driven effort to bring Leap closer to SUSE Linux Enterprise than ever before. This brings quite some challenges but also open some new opportunities. ● Unification of openSUSE Leap and SUSE Linux Enterprise 15 code streams and feature set. ● Concept of building a community distribution by combining rpms from openSUSE Backports (community part) and SUSE signed SLE rpms (Enterprise part).
  • Zypper Cheat Sheet Or Type M an Zypper on a Terminal

    Zypper Cheat Sheet Or Type M an Zypper on a Terminal

    More Information: Page 1 Zypper Cheat Sheet https://en.opensuse.org/SDB:Zypper_usage or type m an zypper on a terminal For Zypper version 1.0.9 Package Management Source Packages and Build Dependencies Basic Help Selecting Packages zypper source-install or zypper si Examples: zypper #list the available global options and commands By capability name: zypper si zypper zypper help [command] #Print help for a specific command zypper in 'perl(Log::Log4perl)' Install only the source package zypper shell or zypper sh #Open a zypper shell session zypper in qt zypper in -D zypper By capability name and/or architecture and/or version Install only the build dependencies zypper in 'zypper<0.12.10' Repository Management zypper in -d zypper zypper in zypper.i586=0.12.11 Listing Defined Repositories By exact package name (--name) Updating Packages zypper in -n ftp zypper repos or zypper lr By exact package name and repository (implies --name) zypper update or zypper up Examples: zypper in factory:zypper Examples: zypper lr -u #include repo URI on the table By package name using wildcards zypper up #update all installed packages zypper lr -P #include repo priority and sort by it zypper in yast*ftp* with newer version as far as possible By specifying a .rpm file to install zypper up libzypp zypper #update libzypp Refreshing Repositories zypper in skype-2.0.0.72-suse.i586.rpm and zypper zypper refresh or zypper ref zypper in sqlite3 #update sqlite3 or install Installing Packages Examples: if not yet installed zypper ref packman main #specify repos to be
  • Snort 2.9.9.X on Opensuse Leap 42.2

    Snort 2.9.9.X on Opensuse Leap 42.2

    Snort Installation on openSUSE Leap 42.2 64 bits Boris A. Gómez Universidad Tecnológica de Panamá July 2017 About This Guide This guide has been tested on openSUSE Leap 42.2, 64 bits, using DAQ 2.0.6 and Snort 2.9.9.0. Software was installed in a virtual machine: Virtual Machine Manager: VirtualBox 5.1.22 or KVM 1.4.0 HOST operating system: Windows 7 or openSUSE Leap 42.2 GUEST operating system: openSUSE Leap 42.2 (Snort will be installed here) For clarity, the following color code was used: Orange – commands that the user types at the shell prompt. Blue – text inside of configuration files. Purple – text to focus your attention on. This guide is based on the document "Snort 2.9.8.x on OpenSuSE 13x" by William Parker. Network Card Configuration Run VirtualBox | KVM manager and configure the network section of the guest machine to bridge mode. KVM Manager: VirtualBox Manager: Guest Machine Start your guest machine and set its network interface card to a static IP, for example 192.168.99.10, then check settings: ifconfig eth0 Link encap:Ethernet HWaddr 08:00:27:50:CA:99 inet addr: 192.168.99.10 Bcast:192.168.99.255 Mask:255.255.255.0 Verify that you can access Internet by accessing a web page, for example: https://snort.org Before proceeding, it is advisable to update the system. Required Packages Use YAST to install the following packages: gcc version 4.8.x (including libraries: libgcc_s1 (5.3.1), libgcc_s1-32bit(5.3.1)) flex (2.5.37) bison (2.7) php5-zlib (5.5.14 including zlib-devel 1.2.8) libpcap1 (1.8.1 including libpcap-devel 1.8.1) (versions must match) libpcre1 (8.39 including pcre-devel 8.39 and libpcre1-32bit 8.39) (versions must match) libdnet1 (1.12 including libdnet-devel 1.12) (versions must match) tcpdump (4.5.1).
  • (Un)Smashing the Stack

    (Un)Smashing the Stack

    Hello, Interwebs Hi, and thanks for reading this. As I mentioned a number of times during the talk this was one long, hard slog of a topic for me. My intent was not to duplicate existing research (Johnson and Silberman @ BHUS05, others), but to try to make this topic comprehensible for the typical security professional, who (GASP! SHOCK! HORROR!) may not necessarily grasp all the hairy internals of exploit development, but still is tasked with protecting systems. For the other 90% of us out there, our job is not to be leet, but rather not to get owned, something I hope to get a little bit better at every day. Since exploit mitigation is something that might bring us all a little bit closer to that, I wanted to explore the topic. Thanks much to BH for giving me the opportunity to do so, and to all of you for listening. Thanks also to all the amazing people working on these technologies, especially the PaX team and Hiroaki Etoh of IBM. -- shawn P.S. It’s actually Thompson that had the Phil Collins hair, not Ritchie. Sorry, Dennis. 28 75 6e 29 53 6d 61 73 68 69 6e 67 20 74 68 65 20 53 74 61 63 6b 0d 0a (un)Smashing the Stack 4f 76 65 72 66 6c 6f 77 73 2c 20 43 6f 75 6e 74 65 72 6d 65 61 73 75 72 65 73 20 61 6e 64 20 74 68 65 20 52 65 61 6c 20 57 6f 72 6c 64 Overflows, Countermeasures and the Real World Shawn Moyer :: Chief Researcher ---- SpearTip Technologies ---> blackhat [at] cipherpunx [dot] org Hey, who is this guy? ShawnM: InfoSec consultant, (quasi-) developer, husband, father, and raging paranoid with obsessive tendencies Chief Researcher at SpearTip Technologies Security Consultancy in Saint Louis, MO Forensics, Assessment, MSSP, network analysis Weddings, Funerals, Bar Mitzvahs I like unsolvable problems, so I’m mostly interested in defense.
  • Integrating New Major Components on Fast and Slow Moving Distributions

    Integrating New Major Components on Fast and Slow Moving Distributions

    IntegratingIntegrating newnew majormajor componentscomponents onon fastfast andand slowslow movingmoving distributionsdistributions How latest GNOME desktop was integrated into latest SUSE / openSUSE releases Frédéric Crozat <[email protected]> SUSE Linux Enterprise Release Manager What we don’t do What we do DistributionDistribution deliverydelivery stylesstyles 4 Three distributions styles ● Rolling: – Bleeding edge – Release as soon as possible – Example: openSUSE Tumbleweed, ArchLinux, Gentoo ● Regular: – Release one to twice a year – Update their entire stack for each release – Example: Ubuntu, Fedora, Debian ● LTS / Enterprise: – Slow cadence (yearly or even less than that) – Very few things move between sub-releases – Example: openSUSE Leap, Ubuntu LTS, SLES/SLED, RHEL 5 openSUSE/SUSE terminology ● OBS = OpenBuildService ● SLE = SUSE Linux Enterprise (Server / Desktop) – Enterprise distribution, developed by SUSE ● openSUSE Tumbleweed: – openSUSE Rolling release, by openSUSE, using only Factory packages, tested by openQA ● openSUSE Factory: – Development repository for Tumbleweed ● openSUSE Leap: – openSUSE Stable release, based on SLE common code + Packages from Factory (or specific repository) 6 IntegrationIntegration processprocess 7 OBS and Devel project ● On OBS, every source package is handled in a project which can build several packages together ● openSUSE Tumbleweed uses devel project per “topic” (KDE, GNOME, X11, …) ● Changes (patch, version update) are done in Devel projects and then, pushed to “main” distribution for
  • Debian \ Amber \ Arco-Debian \ Arc-Live \ Aslinux \ Beatrix

    Debian \ Amber \ Arco-Debian \ Arc-Live \ Aslinux \ Beatrix

    Debian \ Amber \ Arco-Debian \ Arc-Live \ ASLinux \ BeatriX \ BlackRhino \ BlankON \ Bluewall \ BOSS \ Canaima \ Clonezilla Live \ Conducit \ Corel \ Xandros \ DeadCD \ Olive \ DeMuDi \ \ 64Studio (64 Studio) \ DoudouLinux \ DRBL \ Elive \ Epidemic \ Estrella Roja \ Euronode \ GALPon MiniNo \ Gibraltar \ GNUGuitarINUX \ gnuLiNex \ \ Lihuen \ grml \ Guadalinex \ Impi \ Inquisitor \ Linux Mint Debian \ LliureX \ K-DEMar \ kademar \ Knoppix \ \ B2D \ \ Bioknoppix \ \ Damn Small Linux \ \ \ Hikarunix \ \ \ DSL-N \ \ \ Damn Vulnerable Linux \ \ Danix \ \ Feather \ \ INSERT \ \ Joatha \ \ Kaella \ \ Kanotix \ \ \ Auditor Security Linux \ \ \ Backtrack \ \ \ Parsix \ \ Kurumin \ \ \ Dizinha \ \ \ \ NeoDizinha \ \ \ \ Patinho Faminto \ \ \ Kalango \ \ \ Poseidon \ \ MAX \ \ Medialinux \ \ Mediainlinux \ \ ArtistX \ \ Morphix \ \ \ Aquamorph \ \ \ Dreamlinux \ \ \ Hiwix \ \ \ Hiweed \ \ \ \ Deepin \ \ \ ZoneCD \ \ Musix \ \ ParallelKnoppix \ \ Quantian \ \ Shabdix \ \ Symphony OS \ \ Whoppix \ \ WHAX \ LEAF \ Libranet \ Librassoc \ Lindows \ Linspire \ \ Freespire \ Liquid Lemur \ Matriux \ MEPIS \ SimplyMEPIS \ \ antiX \ \ \ Swift \ Metamorphose \ miniwoody \ Bonzai \ MoLinux \ \ Tirwal \ NepaLinux \ Nova \ Omoikane (Arma) \ OpenMediaVault \ OS2005 \ Maemo \ Meego Harmattan \ PelicanHPC \ Progeny \ Progress \ Proxmox \ PureOS \ Red Ribbon \ Resulinux \ Rxart \ SalineOS \ Semplice \ sidux \ aptosid \ \ siduction \ Skolelinux \ Snowlinux \ srvRX live \ Storm \ Tails \ ThinClientOS \ Trisquel \ Tuquito \ Ubuntu \ \ A/V \ \ AV \ \ Airinux \ \ Arabian
  • Configuration Challenges in Linux and Ecos: a Survey

    Configuration Challenges in Linux and Ecos: a Survey

    GSDLAB TECHNICAL REPORT Configuration Challenges in Linux and eCos: A Survey Arnaud Hubaux, Yingfei Xiong, Krzysztof Czarnecki GSDLAB{TR 2011{09{29 September 2011 Generative Software Development Laboratory University of Waterloo 200 University Avenue West, Waterloo, Ontario, Canada N2L 3G1 WWW page: http://gsd.uwaterloo.ca/ The GSDLAB technical reports are published as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder. Configuration Challenges in Linux and eCos: A Survey Arnaud Hubaux, Yingfei Xiong, Krzysztof Czarnecki September 29, 2011 Abstract Operating systems expose sophisticated configurability to handle vari- ations in hardware platforms like desktops, servers, and mobile devices. The configuration of an operating system like Linux contains thousands of options guarded by hundreds of complex constraints. To guide users throughout the configuration activity, configurators implement various mechanisms to produce correct configurations. However, configuration still remains a difficult and challenging process. To better understand the challenges faced by users during configuration, we conducted surveys among Linux and eCos users to answer the two following questions: • What challenges do users most frequently face? • How significant is the conflict resolution problem? In this paper, we report on the results of these two surveys. 1 Linux This section focuses on the configuration tools used for the Linux kernel.
  • The Growth of Android in Embedded Systems

    The Growth of Android in Embedded Systems

    THE GROWTH OF ANDROID IN EMBEDDED SYstEMS THE LINUX FOUNDATION TRAINING PUBLICATION Written by Benjamin Zores OVERVIEW Linux has continuously grown in the embedded systems market for over a decade, gaining market share from proprietary operating systems. The proliferation of embedded devices, the explosion of open source development, the inherent hardware support, the incredible networking capabilities and the royalty-free economic model have all helped propel use of the Linux kernel into one of the best choices for the design of new embedded systems. While the success of Linux in the embedded market can not be denied, its notoriety was once confined to mostly technical professionals. That changed in 2008 with Google’s release of the Android mobile phone operating system, based on the Linux kernel. Thus began the tremendous growth of Linux in the consumer world, with over one million Android devices being activated every day in 2012 and predictions of total Android devices shipped reaching one billion in 2013. THE GROWTH OF ANDROID 1 IN EMBEDDED SYstEMS of Android in THE GROWTH Embedded Systems In a recent The Android Operating System survey, 34% Android’s success was no accident and was the result of a long-term strategy and loads of investment from Google. The early development of the OS came from within Android Inc. of embedded in the early 2000’s; it was purchased by Google in 2005. The original system relied on a Java framework for its application layer and was not based on the Linux kernel. Only after engineers are several years of development at Google labs, and after an architecture revamping, the first Android-based smart-phone (the HTC G1) was released and based on the very first version considering of the Android software development kit (SDK).
  • Nvidia Cuda Installation Guide for Linux

    Nvidia Cuda Installation Guide for Linux

    NVIDIA CUDA INSTALLATION GUIDE FOR LINUX DU-05347-001_v9.1 | April 2018 Installation and Verification on Linux Systems TABLE OF CONTENTS Chapter 1. Introduction.........................................................................................1 1.1. System Requirements.................................................................................... 1 1.2. About This Document.................................................................................... 2 Chapter 2. Pre-installation Actions...........................................................................3 2.1. Verify You Have a CUDA-Capable GPU................................................................ 3 2.2. Verify You Have a Supported Version of Linux.......................................................4 2.3. Verify the System Has gcc Installed................................................................... 4 2.4. Verify the System has the Correct Kernel Headers and Development Packages Installed.... 4 2.5. Choose an Installation Method......................................................................... 6 2.6. Download the NVIDIA CUDA Toolkit....................................................................6 2.7. Handle Conflicting Installation Methods.............................................................. 6 Chapter 3. Package Manager Installation....................................................................8 3.1. Overview................................................................................................... 8 3.2. Redhat/CentOS...........................................................................................
  • On the Quality of Exploit Code

    On the Quality of Exploit Code

    On the Quality of Exploit Code An Evaluation of Publicly Available Exploit Code, Hackers & Threats II, February 17, 2:00 PM, San Francisco, CA Ivan Arce, Core Security Technologies OUTLINE • Prologue: Context and definitions • Why exploit code? • Quality metrics • Examples • Epilogue: Future work PROLOGUE VULNERABILITIES & EXPLOITS Lets start by defining a common language • Vulnerability (noun) — “A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system” — Also: security bug, security flaw, security hole • Exploit (verb) — “To use or manipulate to one’s advantage” (Webster) — “A security hole or an instance of taking advantage of a security hole” EXPLOIT CODE Exploit code is not just “proof of concept” • Proof of Concept exploit - PoC (noun) — A software program or tool that exploits a vulnerability with the sole purpose of proving its existence. • Exploit Code (noun) — A software program or tool developed to exploit a vulnerability in order to accomplish a specific goal. — Possible goals: denial of service, arbitrary execution of code, etc An emerging role in the information security practice WHY TALK ABOUT EXPLOIT CODE? ANATOMY OF A REAL WORLD ATTACK The classic attack uses exploit code... ATTACKER Base Camp A target server is attacked and compromised The acquired server is used as vantage point to penetrate the corporate net Further attacks are performed as an internal user EXPLOIT CODE FUNCTIONALITY Exploit code becomes more sophisticated • Add a simple “listen shell” echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &" • Add an account to the compromised system: echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow • Execute a “bind-shell” • Execute a “reverse shell” • Deploy and execute a multi-purpose agent Command shell, FTP, TFTP, IRC, “zombies”, snifers, rootkits..
  • Opensuse Leap to SLES: More Than the Sum of Its Parts

    Opensuse Leap to SLES: More Than the Sum of Its Parts

    openSUSE Leap to SLES: More Than The Sum Of Its Parts... Session TUT-1418 Udo Seidel Jeff Lindholm Tech-Writer and Enterprise Architect Sales Engineering Manager Amadeus SUSE [email protected] [email protected] 1 • Udo Seidel • Jeff Lindholm – SUSE • Teacher for Math and Physics • Detroit, MI USA • Linux and Open Source since 1996 • SUSE Evangelist since 2004 • Linux • Sales Engineering Manager • Software Defined Storage • OpenSUSE Community supporter • Openstack • Technology Focus • Container • Cloud Native Infrastructure • Raspberry Pi and Co • Application Transformation • … • Enterprise Linux • Enterprise Architect and Tech-Writer 2 Agenda 1. DevOPS Experience – Developer Use Case 2. OpenSUSE Community – Flexible Developer Platform 1. OpenSUSE Tumbleweed – Rolling Release 2. OpenSUSE Leap 15 – Stable Release 3. SUSE Linux Enterprise Server 15 4. LEAP SLE Interoperability and Supported Migration Use Cases 5. Demonstration – Leap Migration 6. Questions and Answers 3 4 SUSE Solutions For DevOps A suite of flexible, modular open source solutions CODE PLAN DEPLOY OBS, PackageHub, SUSE SUSE Linux Enterprise SUSE Application Delivery, Manager, Portus, GitHub openSUSE SUSE Public Cloud, SUSE Manager, Salt, Kubernetes BUILD OBS, SUSE Studio, SUSE Manager, KIWI, Docker open source project OPERATE & MONITOR SUSE Manager, SUSE Enterprise Storage, SUSE Application Delivery, TEST & RELEASE Kubernetes openQA, Jenkins 5 SUSE & openSUSE – Working Together Stable code and contributions Mutual collaboration Upstream innovations 6 These common elements are core to all openSUSE and SUSE distributions • YaST • openSUSE Build Service • Stability and testing - openQA 7 The openSUSE Distributions 8 openSUSE Tumbleweed • The Tumbleweed distribution is a pure rolling release version of openSUSE containing the latest stable versions of all software instead of relying on rigid periodic release cycles.