Although its features and terminology may seem strange if you’re used to more traditional Linux filesystems, ZFS offers a great deal of flexibility.
[From ZFS on FUSE]
Browsing Posts in Linux
LinucksGirl writes “Journaling file systems used to be an oddity primarily for research purposes, but today it’s the default in Linux. Discover the ideas behind journaling file systems, and learn how they provide better integrity in the face of a power failure or system crash. Learn about the various journaling file systems in use today, and peek into the next generation of journaling file systems.”
[From Anatomy of Linux Journaling File Systems ]
IBM Developerworks’ recent analysis of how the NSA built SELinux to withstand attacks. The article shows us some of the relevant kernel architecture and compares SELinux to a few other approaches. We’ve discussed SELinux in the past. Quoting: “If you have a program that responds to socket requests but doesn’t need to access the file system, then that program should be able to listen on a given socket but not have access to the file system. That way, if the program is exploited in some way, its access is explicitly minimized. This type of control is called mandatory access control (MAC). Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform. SELinux adds both MAC and RBAC to the GNU/Linux operating system.”
Can the Linux community get over its “not invented here” ideology which has often hindered its ability to adopt technological improvements from outside sources? I keep saying myself, I hope so. But recent events have shown me that we have a long way to go until we become a culture of inclusion and not of [...]
[From Unixfication II]
Role-based access control (RBAC) is a general security model that simplifies administration by assigning roles to users and then assigning permissions to those roles. Learn how RBAC in SELinux acts as a layer of abstraction between the user and the underlying TE model, and how the three pieces of an SELinux context (policy, kernel, and userspace) work together to enforce the RBAC and tie Linux users into the TE policy.
bsdphx writes “OpenSSH developers Damien Miller and Markus Friedl have recently added a nifty feature to make life easier for admins. Now you can easily lock an SSH session into a chroot directory, restrict them to a built-in sftp server and apply these settings per user. And it’s dead simple to do. If you need to allow semi-trusted people on your computers, then you want this bad!”
PolishLinux.org has an unconventional review of SLAX 6. RC6 which focuses on exploring the nature of LiveCDs and the power of technologies like mounting devices, SquashFS and Union File System in regards to SLAX LiveCD distribution. [From SLAX 6.0: How does it work? ]
Are you using SSH in the best way possible? Have you configured it to be as limited and secure as possible? The goal of this document is to kick in the new year with some best practices for SSH: why you should use them, how to set them up, and how to verify that they are in place. All of the examples below assume that you are using EnGarde Secure Linux but any modern Linux distribution will do just fine since, as far as I know, everybody ships OpenSSH.
[From SSH: Best Practices ]
Cluster SSH opens terminal windows with connections to specified hosts and an administration console. Any text typed into the administration console is replicated to all other connected and active windows. This tool is intended for, but not limited to, cluster administration where the same configuration or commands must be run on each node within the cluster.Performing these commands all at once via this tool ensures all nodes are kept in sync. Full Story [From ssh on multiple servers Using cluster ssh]
No royalties to pay in interop deal?
The Samba team has reached an agreement with Microsoft, with the software giant agreeing to disclose technical and legal information to the software libre project. Samba is by far the most widely-used software stack that allows non-Microsoft computer to talk to Windows machines, and use proprietary Microsoft network services.…
OSes like OpenBSD, FreeBSD, and major Linux distributions are all well within the range of popularity where obscurity does not provide security, particularly considering the similarities between these systems, the commonality of software between them, and their ubiquity as Internet-connected server systems. Couple this with the fact that — in the case of open source projects like Linux distributions and open source BSD Unix systems — the matter of security through visibility is a significant factor, and the accidental security through obscurity argument starts looking pretty thin. … Why does it matter if that’s the reason something like NetBSD suffers fewer security breaches per system in play than MS Windows, or even MacOS X? Isn’t the important factor, for security purposes, that a system is less likely to be breached? [From The value of accidental security through obscurity]
“How do I test Snort?” is one of the most popular questions asked on the snort-users mailing list. While a seemingly simple question, the answer depends on your intent. Value-added resellers (VARs) and systems integrators (SIs) may need to provide customers with validation that the network intrusion detection system (IDS) is working as expected. This edition of Snort Report explains what it means to test Snort. I reveal some common misperceptions and offer alternatives to satisfy the majority of readers. A stateless approach for triggering Snort alerts is to generate traffic that should trigger Snort rules, but doesn’t rely on parsing Snort rule sets. IDSWakeup is a stateless packet generation tool. The following shows how IDSWakeup performs against Snort 2.6.1.5. I used the Debian package net/idswakeup on Ubuntu Linux against a FreeBSD sensor running Snort 2.6.1.5 and Sguil 0.6.1.
If you’re a Fedora user the end of May means one thing…time for a new release! This year was no different as the Fedora project continued its aggressive six month release schedule. Fedora 7, code named “Moonshine”, is the latest version of the Red Hat influenced Linux distribution. Fedora regulars will note the absence of the word “Core” in the new name. This isn’t the only change with this release. We’ll delve into what’s new in 7 as well as review Fedora from a desktop standpoint.
Nice article about ssh.”SSH (secure shell) is a program enabling secure access to remote file systems. Not everyone is aware of other powerful SSH capabilities, such as passwordless login, automatic execution of commands on a remote system or even mounting a remote folder using SSH! In this article we’ll cover these features and much more.” polishlinux.org: SSH tricks
Linux Gains Two New Virtualization Solutions
The upcoming 2.6.23 kernel has gained two new virtualization solutions. According to KernelTrap, both Xen and lguest have been merged into the mainline kernel. These two virtualization solutions join the already merged KVM, offering Linux multiple ways to run multiple virtual machines each running their own OS.
