USENIX Update

October 17, 2009

LISA 2009: Rik Farrow on Working with SELinux

Filed under: Interviews — msacks @ 12:44 pm

By Matthew Sacks

Rik Farrow is a security trainer as well as the Chief Editor for USENIX’s ;login: magazine. He is delivering the training course Working with SELinux at LISA 2009 and spoke with the USENIX Blog Team about his background and the upcoming course:
http://www.usenix.org/events/lisa09/training/tutonefile.html#m8


Q: Rik, please tell us a bit about your technical background.

Rik Farrow: I began working with UNIX systems in 1982, and became interested in UNIX security in 1984. In 1987, I began teaching UNIX Security classes and was doing so internationally by 1989. I focused on security training from 1994 to 2006, a business that involved way too much travel. In 1999, I created a course for internal use by the NSA.

While my major in college was psychology, I worked for my advisor as a lab tech and a programmer. I really got involved with computers a few years after graduation, as soon as microcomputers made it possible to own my own computer. By 1980, I was a self-employed computer consultant, doing some programming and manual writing at first. By the mid-80s, I was consulting in UNIX sysadmin and security.

I was also the technical editor of UNIXWorld Magazine from 1989-1994, and started editing special editions of USENIX ;login: in 1998. I have written hundreds of magazine articles, most about security, as well as two UNIX-related books.

Q: What inspired you to deliver training on SELinux at LISA?

Rik Farrow: I had a contract where I was building a Linux system for installation in a remote site. The system involved using XEN, and when something didn’t work, the first thing I did was disable SELinux. I did this based on advice I found on the ‘net.

I later found myself wondering why people considered disabling SELinux a useful first step. It didn’t help with my problem at all. So I began to investigate.

I also had some minor involvement in getting SELinux integrated into the Linux kernel. During the first Linux Kernel Developers Summit, I spent a lot of time with Peter Loscocco, one of the key developers of SELinux at the NSA. Loscocco wanted SELinux to become a part of the default Linux kernel, but Torvalds was not interested and instead wanted a more flexible set of hooks, proposed by Crispin Cowan. I encouraged Loscocco to go along with this scheme, which later became Linux Security Modules (LSM).

Q: Why is SELinux a good choice for securing Linux systems?

Rik Farrow: SELinux is one of three popular policy engines that work with LSM. There are others, such as AppArmor (in SUSE and Debian) and LIDS, but SELinux is the most widely used. Because of its ‘popularity’, there is a lot more support for SELinux.

SELinux provides strong isolation for many services and applications. The pre-packaged policy modules do this well out of the box. But SELinux alone is not sufficient protection. You still need to practice good security practices, for example, use of strong passwords, proper file/directory ownership/permissions, and patching.

Q: Is SELinux difficult to implement properly?

Rik Farrow: SELinux works well if you stick with the default policy. The default policy is called the targeted policy and focuses on sandboxing services and troublesome applications. You can also download and use the strict policy, but doing so is a lot harder. The targeted policy allows logged-in users a lot of flexibility, while the strict policy locks down users as well.

Q: What benefits does a system administrator get by using SELinux?

Rik Farrow: Exploitable bugs in applications are minimized. For example, suppose someone discovers a new bug in BIND’s named that allows shell execution. SELinux prevents named from executing /bin/sh, as well as prohibiting reading and writing any files outside of the few files required by normal named functioning. The same is true for sendmail and many other services.

SELinux also confines the Apache httpd, but the problems with Web servers most often have to do with bugs in applications that interface with Apache. For example, the recent exploits in the WordPress blogging software would have been severely limited in scope by SELinux. But an attacker using an SQL injection attack would still be able to access a backend database, as this permission must be granted by SELinux so the Web server and database can work together. So there are limitations to what SELinux can do, limitations based on allowing an application to work without interference. SELinux can and does prevent applications from doing things they are not normally expected to do, such as execute shells, read or write files outside of the application, etc.

Q: What are some highlights of interest covered in your training?

Rik Farrow: The focus of the course is really making it easier to work with SELinux. Doing so relies largely on fixing problems with file context, something that can be done with chcon and semanage. I also show how audit2allow is used to patch policy in a safe manner. Getting to the point of being able to do these things involves understanding enough about how SELinux works, as well as a little bit of necessary terminology.

I’ve spent a long time working with UNIX security, some 25 years. This helped me understand both how SELinux works, as well as how best to explain how it works.
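The two answers above describe SELinux from both ends: the policy stopping a confined daemon such as named from executing a shell, and the day-to-day work of reading denials, fixing file context with chcon or semanage, and only then patching policy with audit2allow. The script below is an added example, not code from the interview or from the SELinux project: it re-implements the core of what audit2allow does (merge AVC denials into allow rules) and adds a triage step that follows the advice in the interview. The audit records, the MISLABEL_TYPES heuristic, and the choice of httpd_sys_content_t as the correct label for the web content are constructed assumptions for this example.

```python
"""Group SELinux AVC denials into candidate policy rules and flag likely mislabels.

Added example (not code from the interview or from SELinux/audit2allow): a small
re-implementation of the part of audit2allow that turns AVC records into `allow`
rules, plus a triage step reflecting the interview's advice that fixing file context
(chcon/semanage/restorecon) comes before patching policy.  The audit records below
are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample records in the format /var/log/audit/audit.log uses.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1255776000.101:42): avc:  denied  { execute } for  pid=2211 comm="named" name="sh" dev=sda1 ino=1234 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1255776000.101:42): arch=c000003e syscall=59 success=no exit=-13 comm="named"
type=AVC msg=audit(1255776000.205:43): avc:  denied  { read } for  pid=2299 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1255776000.206:44): avc:  denied  { getattr } for  pid=2299 comm="httpd" path="/home/web/index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (an assumption of this example, not an SELinux rule): a confined daemon
# hitting these target types usually means the file carries the wrong label, so the
# fix is to relabel rather than to widen policy.  user_home_t is the classic case of
# web content left in a home directory.
MISLABEL_TYPES = {"user_home_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return the pieces of one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    type_of = lambda ctx: ctx.split(":")[2]      # user:role:type:level -> type
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }


def group_denials(log_text):
    """Merge denials by (source type, target type, object class), as audit2allow does."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return dict(groups)


def allow_rules(groups):
    """Render each group as the allow rule audit2allow would print for it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]


def triage(groups):
    """Per group: keep-denied (confinement working), relabel, or review before patching."""
    verdicts = {}
    for (s, t, c), perms in groups.items():
        if "execute" in perms and t.endswith("_exec_t"):
            verdicts[(s, t, c)] = "keep-denied"   # e.g. named trying to run a shell
        elif t in MISLABEL_TYPES:
            verdicts[(s, t, c)] = "relabel"
        else:
            verdicts[(s, t, c)] = "review"
    return verdicts


def relabel_hint(target_path, correct_type):
    """Persistent fix: a semanage fcontext rule plus restorecon, not a one-off chcon."""
    return [f"semanage fcontext -a -t {correct_type} '{target_path}(/.*)?'",
            f"restorecon -Rv {target_path}"]


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AUDIT_LOG)
    verdicts = triage(groups)
    for key, rule in zip(sorted(groups), allow_rules(groups)):
        print(f"{verdicts[key]:12} {rule}")
    print("\n".join(relabel_hint("/home/web", "httpd_sys_content_t")))
```

Run as a script it prints the rule audit2allow would generate for each group next to the verdict, so the named denial on shell_exec_t shows up as the policy doing its job rather than as something to allow, while the httpd denials on user_home_t point at a relabel with semanage and restorecon instead of a policy patch.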


Fedora SELinux Home: http://fedoraproject.org/wiki/SELinux

Rik Farrow’s Web Site: http://rikfarrow.com/

Register For LISA 2009: http://www.usenix.org/events/lisa09/registration/

September 29, 2009

RRDtool Training at LISA 2009

Filed under: Interviews — msacks @ 11:13 am

http://www.usenix.org/events/lisa09/training/tutonefile.html#m6
http://www.usenix.org/events/lisa09/training/tutonefile.html#m9

Tobias Oetiker is the creator of RRDtool, an open source, high-performance data logging and graphing system for time series data. It is commonly used in monitoring tools such as Groundwork, Cacti, Zenoss, and other popular open source monitoring suites. Tobias Oetiker will be giving training at LISA 2009 this November. In this USENIX Blog exclusive, Tobias discusses RRDtool and his upcoming training courses.

Q: What will attendees be able to do with RRDTool after this training?

Tobias Oetiker: The class is structured into two half-day classes. The morning class is more introductory in nature, while the afternoon class goes in deep with lots of sample code being discussed.

After the morning class I expect attendees to have a good grasp as to what RRDtool can do for them. Many monitoring applications depend on RRDtool for data storage and graphing services. When they get back home they will be motivated to try out twiddling the RRD related knobs of their favorite monitoring application to make it really shine.

The afternoon class will provide a better understanding of the way RRDtool works internally. They will know how data can be ‘massaged’ prior to displaying. They will also be getting a good look at the much talked about and little understood Holt-Winters Aberrant Behavior Detection facility, which enables RRDtool to predict the future.

Q: What class should a RRDtool user attend, the Beginner or the Advanced course, or are they meant to be taken together?

Tobias Oetiker: The two classes are only related by topic. I have ordered them with the beginner’s class in the morning, and the more advanced one in the afternoon so that they can be taken one after the other. However, this is not required. Also in the morning class, I will put more emphasis on questions of design and politics associated with RRDtool and monitoring, while the afternoon class will be more detailed on a technical level.

Q: What is the coolest thing you have seen done with RRDtool?

Tobias Oetiker: Well, there are the technical solutions people come up with for raising the throughput of RRDtool to new heights, some of which we will see in the upcoming 1.4 release of RRDtool. And then I also keep marveling at cool color schemes and graphing compositions some users send me for the RRDtool gallery. Even though RRDtool does not have all that many options for influencing the layout of the graphs, the beauty and variety of the material I get keeps taking my breath away. I will be talking about some of the tricks involved in both of my classes.

Q: Is RRDTool limited to only network monitoring or server monitoring applications?

Tobias Oetiker: No, not at all. RRDtool is a generic time series data logger and graphing application. So whenever you have a device or a program giving you a continuous stream of numeric data values, then RRDtool is ideal for you. Since it can be run from a simple shell script and uses very little system resources, it is quick and simple to deploy. The RRDtool data files have a constant size and will thus never swamp your disk, even when the tool is run for a long time. (Sounds impossible? Come to the class and learn how this works!)
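The constant-size property comes from RRDtool's data model: a data source (DS) with a fixed step and a heartbeat, one primary data point (PDP) per step, and round-robin archives (RRAs) that consolidate PDPs with a function such as AVERAGE or MAX and overwrite their oldest row once full. The following is an added illustration, not RRDtool's own code: a miniature Python model of that data path that shows why the storage never grows, how a COUNTER source becomes a rate, and what happens when updates stop for longer than the heartbeat. Class names, the sample traffic, and the simplifications (no interpolation at step boundaries, no counter wrap handling, the first update only seeds state) are this example's own assumptions.

```python
"""A miniature round-robin database: fixed-capacity archives of consolidated samples.

Added example (not RRDtool's code): models RRDtool's data path -- a data source (DS)
with a step and heartbeat, primary data points (PDPs) once per step, and round-robin
archives (RRAs) that consolidate PDPs and overwrite their oldest row -- to show why
the files stay constant size.  Interpolation at step boundaries and counter wrap
handling are deliberately left out.
"""
from collections import deque


def consolidate(samples, cf):
    """Reduce one bucket of PDPs to a single archive row; None marks an unknown value."""
    known = [s for s in samples if s is not None]
    if not known:
        return None
    if cf == "AVERAGE":
        return sum(known) / len(known)
    if cf == "MAX":
        return max(known)
    if cf == "MIN":
        return min(known)
    if cf == "LAST":
        return known[-1]
    raise ValueError(f"unknown consolidation function: {cf}")


class Archive:
    """One RRA: every `steps` PDPs become one row; only the newest `rows` rows survive."""

    def __init__(self, cf, steps, rows):
        self.cf, self.steps, self.rows = cf, steps, rows
        self.bucket = []
        self.ring = deque(maxlen=rows)   # fixed capacity: appending evicts the oldest row

    def push(self, pdp):
        self.bucket.append(pdp)
        if len(self.bucket) == self.steps:
            self.ring.append(consolidate(self.bucket, self.cf))
            self.bucket = []

    def fetch(self):
        return list(self.ring)


class MiniRRD:
    """One data source feeding several archives."""

    def __init__(self, step, ds_type, heartbeat, archives):
        if ds_type not in ("GAUGE", "COUNTER"):
            raise ValueError(f"unsupported data source type: {ds_type}")
        self.step, self.ds_type, self.heartbeat = step, ds_type, heartbeat
        self.archives = archives
        self.last_ts = self.last_raw = None

    def update(self, ts, raw):
        if self.last_ts is None:          # first update only seeds the state
            self.last_ts, self.last_raw = ts, raw
            return
        if ts <= self.last_ts:
            raise ValueError("updates must arrive in increasing time order")
        dt = ts - self.last_ts
        if dt > self.heartbeat:
            pdp = None                    # too long since the last update: unknown
        elif self.ds_type == "COUNTER":
            pdp = (raw - self.last_raw) / dt   # counters are stored as a per-second rate
        else:
            pdp = raw
        crossed = ts // self.step - self.last_ts // self.step
        for _ in range(crossed):          # one PDP for every step boundary crossed
            for archive in self.archives:
                archive.push(pdp)
        self.last_ts, self.last_raw = ts, raw

    def total_rows(self):
        """File size is proportional to this, and it never changes after creation."""
        return sum(a.rows for a in self.archives)


def run_demo():
    """Constructed traffic: one GAUGE sample a minute, then a five-minute outage."""
    rrd = MiniRRD(step=60, ds_type="GAUGE", heartbeat=120,
                  archives=[Archive("AVERAGE", 1, 5), Archive("AVERAGE", 5, 3)])
    rows_at_start = rrd.total_rows()
    for i, value in enumerate([0, 10, 20, 30, 40, 50, 60, 70]):
        rrd.update(60 * i, value)
    fine_before_gap = rrd.archives[0].fetch()
    rrd.update(720, 100)                  # five minutes of silence exceeds the heartbeat
    return {
        "fine_before_gap": fine_before_gap,
        "fine_after_gap": rrd.archives[0].fetch(),
        "coarse": rrd.archives[1].fetch(),
        "size_unchanged": rrd.total_rows() == rows_at_start,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The demo keeps a five-row one-minute archive and a three-row five-minute archive: after eight minutes of updates the fine archive has already discarded its first two samples, the coarse archive holds one averaged row, and the outage shows up as unknown rows rather than as missing storage, which is the property that lets a deployment run for years without the file growing.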

Q: If a user wants to build a custom monitoring application, will they be able to do this as a result of taking this training?

Tobias Oetiker: If they have some scripting skills they certainly should be, especially after the second class. Time permitting I will conclude the second class by code-walking a tiny little monitoring application complete with data gathering script and on-line graphing capability.

Official RRDtool Training

RRDtool First Steps: http://www.usenix.org/event/lisa09/training/tutonefile.html#m6

RRDtool Advanced Topics: http://www.usenix.org/event/lisa09/training/tutonefile.html#m9

RRDtool Official Web Site: http://oss.oetiker.ch/rrdtool/
