News for CentOS (from the horse's mouth)

CentOS
Fabian Arrotin: CentOS and Fosdem 2009

Hi folks .. just to confirm that some members of the CentOS crew will be present for the next Fosdem (http://www.fosdem.org) event in Belgium. We'll (as usual) have a dedicated booth and share the DevRoom with our friends of Fedora. If you want to come and talk, feel free to drop by the booth and/or attend one of the presentations. If you want to participate (at the booth and/or DevRoom), feel free to add your name to the list on the CentOS Wiki: http://wiki.centos.org/Events/Fosdem2009. More details on that wiki page in the following weeks.

Mon, 1 Dec 2008

Ralph Angenendt: Trouble understanding SELinux?

Yes, many people seem to have that, so you are not alone. When first confronted with that rather large and underdocumented framework, it also took me a while to not give up and then a bit more time to understand most of the basics. And with the lack of documentation it doesn't really get easier.

Looks like someone at Red Hat had the same feeling and funded Murray McAllister to write The Security-Enhanced Linux User Guide (http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/). After skimming over it, it looks like it builds upon the SELinux policy which is in Fedora 9 and 10, which is a good step forward from the policy set in CentOS 5 (and let us not talk about CentOS 4). So not everything mentioned in that guide can be used directly on CentOS 5, but the basics are explained somewhat better than in the Deployment Guide.

So if you want to or have to work with SELinux for the first time, this guide (http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/) definitely is worth a read.

I just stumbled over this on Dan Walsh's SELinux blog (http://danwalsh.livejournal.com/25656.html) and thought I'd share it. This also has a plethora of SELinux knowledge in it.

Thu, 27 Nov 2008

Fabian Arrotin: CentOS vs Microsoft … hmm in an uptime comparison

I just discovered a small "homepage uptime benchmark" done by Pingdom (http://www.pingdom.com). They compared corporate Linux and community Linux distros' homepage uptime versus Apple and Microsoft .. what are the results?

(image: http://farm4.static.flickr.com/3237/3043010077_d0a7509eb5_o.jpg)

More information on their analysis page: http://royal.pingdom.com/2008/11/19/linux-distros-and-apple-beat-microsofts-homepage-uptime/

Thu, 20 Nov 2008

Dag Wieërs: CentOS in the top500 supercomputers

Browsing through the top500 supercomputers list, I noticed that in the OS listing (http://www.top500.org/stats/list/32/os), 5 supercomputers are running specifically CentOS (1%) while 389 are running some sort of Linux (not specified).

From the Linux list undoubtedly more are using CentOS, but the remarkable fact is that this *known* 1% CentOS is the same amount as the 5 Windows supercomputers (http://www.top500.org/stats/list/32/osfam).

So if we assume from the 389 Linux supercomputers, more are using CentOS, CentOS outnumbers Windows for supercomputers. We simply don't know by what factor.

If only more organisations would be more specific to what exactly they are running.

Tue, 18 Nov 2008

Jim Perrin: How far should we take automation?

It's a given that the world population is growing. It's also a given that the world economy is currently slowing. This overall slowing of the economy is triggering job cuts across many levels of industry, and IT is at the heart of many such trimmings. When IT itself is not being cut, the IT professionals are often tasked with finding ways to make things more efficient or to automate various processes so that other positions can be cut. Just how deep should these cuts go, and should IT professionals get any say in the matter? A speaker from Cisco once said that Linux was the lens through which he found the flaws in his networks. I believe this metaphor can be carried further, and that IT as a whole exposes more about humanity than we realize. With this in mind, just how far should we carry our automation endeavors?

Is it acceptable to script system management such that 3 admins are needed instead of 4? Should we automate a line of factory jobs to save the company some money, or increase shareholder profits? Is making a product cheaper an acceptable reason to eliminate jobs?

How much responsibility does IT have in these actions, and how much responsibility should we take for them? Should we seek out ways to trim down the company and take a 'survival of the fittest' mentality, or do we seek out a way to preserve the jobs of those around us? Should we question the corporate officers who direct the action, or is our job simply to follow orders and let the company's leadership decide what's best?

From automotive plants and Wall Street offices to the California budget there are examples on both sides of the issue. Where do you stand, and do your actions correspond to your beliefs? I'm genuinely interested in how people feel about this one, so please take a moment and let me know what you think.

Tue, 18 Nov 2008

Russ Herrold: Behind Blue Eyes

[image: Behind Blue Eyes -- The Who] (http://www.herrold.com/images/blog/blue-eyes.jpg)

Dateline: U.S. Department of Labor

> The largest increases in initial claims for the week ending Nov. 1 were in Ohio (+3,885), Michigan (+2,619), Pennsylvania (+2,155), Wisconsin (+2,119) ...
> -- UNEMPLOYMENT INSURANCE WEEKLY CLAIMS REPORT (week ending Nov. 8 2008), http://www.dol.gov/opa/media/press/eta/ui/eta20081641.htm

A friend wrote:

> All this proves is that when someone crosses a state line to register to vote it is just as easy to register for unemployment while you're at it.

I think it is probably much worse than that.

It is easy enough for anyone to set up a (several!) new 'employers' and then walk away from them 8 weeks later with no individual financial responsibility for the 'tail' -- after all, we encourage formation of 'small business, the engine of economic growth' and barriers to entry should be small, right?

Unemployment benefits may be had at full rate for 6 months after 6 weeks employment at a given 'employer' if one is otherwise qualified; when an 'employer' goes out of business, the employees are eligible for benefits. Several telephone poles in central Ohio had signs, with differing phone numbers, for what appeared to be short term 'jobs' working to elect Obama and 'make Change'. I snapped a picture with my mobile device, and will see if I can find it for the exact text; I recall thinking at the time:

> -- Don't the 'employee candidates' KNOW they will be let go the day after the election?

Now, I think the answer is:

> -- Sure -- indeed they were TOLD by the recruiter at the other end of the phone, that this was a way to get rid of a pesky 'termination for cause' {disqualifying} black mark which was keeping them from what they were 'entitled to'

As the One won, and 'We can do it!' if the system is properly 'gamed', I think there will be no investigations after Jan 20 to 'connect the dots', and the Lame One will just snooze out his term. 'No law will prevent it'

[image] (http://www.herrold.com/images/blog/factory-floor.jpg)

And so the Republic was lost. Meet the new boss; same as the old boss.

Thu, 13 Nov 2008

Fabian Arrotin: Spacewalk repository containing rpms signed with another key …

I was interested in testing Spacewalk (http://www.redhat.com/spacewalk) on CentOS 5.2 .. in fact it was on my (already too long) TODO list. So I followed the instructions from the Spacewalk Wiki (https://fedorahosted.org/spacewalk/wiki/HowToInstall) but it failed during the yum process: "Public key for asm-1.5.3-1jpp.ep1.1.el5.2.noarch.rpm is not installed"

Hmm, I imported both EPEL and Spacewalk rpm signing keys so I had a look at the key used to sign that package: "asm-1.5.3-1jpp.ep1.1.el5.2.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#37017186)"

Hey, that's the Red Hat security team signing key! Why was it used to sign a package in the Spacewalk repo? I guess that it's imported by default on RHEL5 but you have of course to import it (and first verify it of course): see the key 37017186 on http://www.redhat.com/security/team/key/

And now the fun begins .. ;-)

Thu, 13 Nov 2008

Karanbir Singh: Now twittering

I might be the last person on this planet to join twitter, but sign up I have. And my username there is *drumroll* CentOS *drumroll*. And since people who read my blog might actually want to follow what's on there, here is a link to the feed: CentOS on twitter (http://twitter.com/CentOS).

First question though, how do I follow a search? eg. I want to follow what everyone is saying about 'kung fu dancing'? I hate to need to now *also* look at a rss reader to keep track of stuff on http://search.twitter.com/

- KB

Original post: http://www.karan.org/blog/index.php/2008/11/12/now-twittering

Thu, 13 Nov 2008

Russ Herrold: rpm --import of GPG keys, revisited

[image: Dbacks at the BOB] (http://www.herrold.com/images/blog/rphjr-thumb.jpg)
[image: Color commentary guy] (http://www.herrold.com/images/blog/phx-bb-sm.jpg)

Okay, I guess I covered too much too fast last time (http://orcorc.blogspot.com/2008/09/adding-signing-key-to-rpm.html) I discussed adding a signing key to RPM. Let's do it again with more annotation and color commentary.

The RPM package manager (see: the old RPM.ORG website, which I maintained as 'rpm.org' for several years (http://www.oldrpm.org); JBJ's 'way forward' for RPM development site (http://www.rpm5.org); and the rather sparse, intentionally stale, and to me useless site controlled by and populated to suit the Red Hat corporate agenda (http://www.rpm.org) -- details of the fork in RPM are out of scope here) has the capability to verify through strong cryptography that a package is intact, and is counter-signed by a person in possession of both halves of an asymmetric public and private keypair. Assuming that reasonable care (where 'reasonable' is a very large and paranoid number) is used to protect the confidential nature of the private half, the chances of a successful substitution are vanishingly small.

Anyone can examine and inventory the keys in RPM's trusted keystore. The process of additions, changes, and deletions of keys is an operation requiring root level privileges, and so assuming a machine can be trusted (both network level and local physical level attacks need to be considered).

Enumerate the keys present:

    $ rpm -qa gpg\*

Examine a specific key:

    $ rpm -qi gpg-pubkey-e8562897-459f07a4

If we know or can determine the 'fingerprint' of the public half of a signing key, and if that key has been placed at a public keyserver, we can retrieve it, examine it, or even directly import it. For the sake of this example, we again consider the Raw Hide SRPM signing key (with the re-organizations over time, Red Hat presently signs Raw Hide content with key: 0x4F2A6FD2, which the MIT keyserver identifies thus: http://pgp.mit.edu:11371/pks/lookup?search=0x4f2a6fd2&op=index)

The CGI query on the link above used the 'op=index' modifier; the next uses 'op=get' -- one assumes 'op' is shorthand for the type of query operation made -- terse, or key-bearing. In any event, we retrieve the key into a local file thus (the URL is quoted so the shell does not treat the '&' as a background operator):

    $ wget -O fedora-key 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4F2A6FD2'

and then may examine it with the conventional 'nix tools:

    $ less fedora-key
    <title>Public Key Server -- Get ``0x4F2A6FD2
    ''</title><p>
    <h1>Public Key Server -- Get ``0x4F2A6FD2
    ''</h1><p>
    <pre>
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP Key Server 0.9.6

    mQGiBD+dnTsRBACwnlz4AhctOLlVBAsq+RaU82nb5P3bD1YJJpsAce1Ckd2sBUOJ
    D11NUCqH8c7EctOquOZ5zTcWxHiWWbLyKQwUw2SUvnWa5SSbi8kI8q9MTPsPvhwt
     ... snip ...
    r/T7zLrJeiljDxvX+6TyawyWQngF6v1Hq6FRV0O0bOp9Npt5zqCbDGs/iE4EGBEC
    AAYFAj+dnTwAEgkQtEJp0E8qb9IHZUdQRwABAf/+AJwNVicN6A0I7EOfWx50PDHD
    7SHw5wCfUJkeh/XlCrGdPASe/AXZB44jl2c=
    =aXEw
    -----END PGP PUBLIC KEY BLOCK-----
    </pre>

The important thing to notice, amid the HTML markup, is that the key is 'armoured text' well set off with start and end markers, so that GnuPG (and also RPM) may pick the key out of the chaff.

We discussed previously the chain of steps we used to decide that the key was authentic, and worthy of trust; as such we do not repeat them here.

Then, using the 'sudo' command to temporarily attain 'root' rights for the importation step, we can insert (import into the RPM database) the locally checked key:

    $ sudo rpm --import fedora-key

Or, assuming that we will do a post-insertion check, we can do the import directly from the keyserver:

    $ sudo rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4F2A6FD2'

Then we can re-inventory keys, and see the new one present, and the full name under which it may be found; part of the name is, conveniently, the 'fingerprint' of that key.

    $ rpm -qa gpg\*
    $ rpm -qi gpg-pubkey-4f2a6fd2-3fcdf8c9

Hopefully this clears things up a bit.
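The "pick the key out of the chaff" step, as an added Python example that is not from Russ's post, GnuPG or rpm: it finds the armoured block in a keyserver page like the one above, checks the radix-64 CRC-24 carried on the "=aXEw" line the way GnuPG does, and refuses a page that carries zero or several blocks before anything is handed to rpm --import. The key bytes and the page are constructed stand-ins, not the real 0x4F2A6FD2 key.

```python
# Added example: pick the armored key out of a keyserver page and verify its
# radix-64 CRC-24, as GnuPG and rpm do, before anything reaches 'rpm --import'.
import base64
import re
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)"
                      r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 s.6.1): the value carried on the '=xxxx' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Wrap raw key bytes in armor, as a keyserver 'op=get' page serves it."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            f"{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----")

def decode_armor(block: str) -> bytes:
    """Decode one block; ValueError if the checksum line is absent or wrong."""
    inner = ARMOR_RE.search(block).group(1)          # text between the markers
    payload = inner[1:] if inner.startswith("\n") else inner.partition("\n\n")[2]
    b64_lines, crc_line = [], None
    for line in payload.split("\n"):
        if line.startswith("="):                     # '=aXEw' style checksum
            crc_line = line[1:].strip()
        elif line.strip():
            b64_lines.append(line.strip())
    if crc_line is None:
        raise ValueError("armor has no CRC-24 line")
    data = base64.b64decode("".join(b64_lines), validate=True)
    want = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
    if crc24(data) != want:
        raise ValueError("CRC-24 mismatch: key block is corrupt or tampered")
    return data

def select_key_for_import(page: str) -> str:
    """The one block worth handing to 'rpm --import'; refuse zero or several."""
    blocks = [m.group(0) for m in ARMOR_RE.finditer(page.replace("\r\n", "\n"))]
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one key block, found {len(blocks)}")
    decode_armor(blocks[0])                          # raises on a bad checksum
    return blocks[0]
# Constructed stand-in for the keyserver response shown above (not a real key).
SAMPLE_KEY_BYTES = bytes(range(100))
SAMPLE_PAGE = ("<title>Public Key Server -- Get ``0x4F2A6FD2''</title><p>\n<pre>\n"
               + armor(SAMPLE_KEY_BYTES) + "\n</pre>\n")
```

The CRC only catches corruption in transit; whether the block is the key you meant still rests on the fingerprint check the post refers back to.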

Mon, 10 Nov 2008

Jim Perrin: Nagios Security Updates

While most shops keep their nagios installs protected, folks with a publicly available nagios instance should update as soon as possible. There's an interesting pair of security vulnerabilities which admins should be aware of. The first allows for users to submit commands to cmd.cgi that they would not ordinarily have permission to submit. This is basically a privilege escalation issue and its severity depends on who has access to your nagios instance, and just how disgruntled they are.

The second is the more serious of the issues, and was described best by Andreas Ericsson, a major nagios contributor. Quoting from Andreas:

> Nagios CGI's are vulnerable to a Cross Site Request Forgery attack (csrf). A CSRF attack requires a couple of things for it to work, and it relies on the web's abilities (or rather, the browser's abilities) of posting form-data to a site which is other than that of the site presenting the form.
>
> Here's how it works:
>
> Unsuspecting Nagios Admin (UNA from now on) logs on to the Nagios server and checks the status of his/her network. Since everything's ok, UNA decides to leisurely browse evilsite.com, controlled by Dr Evil.
>
> On evilsite.com, there's a page containing a bog-standard web form, but with some hidden variables and an 'action' tag that points to UNA's cmd.cgi on UNA's Nagios server. When UNA submits the form, Dr Evil has all of a sudden sent data of his/her choice to the responding page on UNA's site. It's important to note that UNA's browser is being used, as it leads to a couple of interesting things:
>
> * UNA sees the output from cmd.cgi. It's never sent to evilsite.com, which can only guess if the attack was successful or not.
> * Firewalls can not be used to defend against this, as UNA requires access to the Nagios server in order to work.
> * Cookies can't be used either, as they are helpfully sent to the Nagios server whenever the browser loads a page from it.
>
> Why is this bad, then? Well, it's not so evil in itself, and the most horrible thing that it should have led to was Dr Evil being able to enable / disable notifications or stuff like that, but in Nagios 3 we gained the ability to change checkcommand arguments and suchlike, which, combined with the csrf above, ultimately led to Dr Evil being able to run any command of his/her (who says girls can't be evil?) choice on UNA's precious Nagios server as the Nagios user.
>
> So what's the remedy?
>
> Well, a proper remedy is to implement in-form session tokens, which makes sure that the form submitted by the user came from the site we would like it to have come from (namely our humble selves). I'm working on that right now, and hope to have it done by this afternoon. It's been loads of fun implementing that in super-paranoid C, by the way. :-)
>
> In the mean-time, we've blocked use of the CHANGE_ commands from the CGI's, and also made sure that multiple commands can't be submitted as one (fe by using comments with newlines). This interim remedy brings the worst-case scenario down from remote command execution to a more prank-like level (acknowledging problems, adding or deleting comments, etc, etc).
>
> A couple of things to note:
>
> * Information disclosure is not possible. No remote user can see anything from your authentication-protected Nagios servers.
> * Invalid commands read from the FIFO are always dropped flat by Nagios.
> * Since commands must be valid, it's not very easy to submit a command that has all the information required. Social engineering is required.
> * You *will* notice if this happens to you, since you all of a sudden will end up with cmd.cgi (not in a frame either) saying Command submitted successfully or some such.

For the full details of this, you can follow the thread on the nagios-devel list: http://article.gmane.org/gmane.network.nagios.devel/5708. Mostly, if you're currently using nagios 3, you should update.
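The two defences Andreas describes, a per-session token inside every form and a refusal of multi-command submissions, as an added Python sketch that is not Nagios code: the handler shape, the HMAC-over-session-id token construction, the form field names and the command names in the comments are assumptions made for illustration.

```python
# Added illustration, not Nagios code: the session-bound form token and the
# "one command per submission" rule that the quoted mail describes, applied to
# a cmd.cgi-style handler that writes to the external command FIFO.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)      # per-process secret (assumption)
BLOCKED_PREFIX = "CHANGE_"                   # interim block from the mail

def issue_token(session_id: str) -> str:
    """Hidden field rendered into our own forms; evilsite.com never sees it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def token_ok(session_id: str, submitted) -> bool:
    """Constant-time check; a missing or foreign token simply fails."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)

def handle_command(session_id: str, form: dict, now: int):
    """Return (fifo_line, reason); fifo_line is None when the post is refused."""
    if not token_ok(session_id, form.get("csrf_token")):
        return None, "refused: form token missing or not ours (cross-site post?)"
    cmd, args = form.get("cmd_typ", ""), form.get("cmd_args", "")
    if not cmd or not cmd.replace("_", "").isalnum() or not cmd.isupper():
        return None, "refused: malformed command name"
    if cmd.startswith(BLOCKED_PREFIX):
        return None, "refused: CHANGE_ commands are disabled in the CGI"
    if "\n" in args or "\r" in args:
        return None, "refused: newline would smuggle a second command into the FIFO"
    # '[time] COMMAND;arg;arg' is the external-command line format Nagios reads.
    return f"[{now}] {cmd}" + (f";{args}" if args else ""), "ok"
```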

Sun, 9 Nov 2008