darren_moffat@blog$ cat /dev/mem | grep /dev/urandom


20080724 Thursday July 24, 2008

Enabling OpenSolaris Auditing without Device Allocation

Today I needed to enable auditing on my OpenSolaris system to check some audit behaviour. However, I didn't want device allocation enabled: I do want mass storage devices to still be automatically mounted, particularly since I was doing this on my laptop, and I wasn't interested in anything other than the events in the 'lo' or 'ss' classes (login/logout and system state change).

When bsmconv is run it turns on auditing (on next reboot) and disables the automatic mounting of mass storage devices. The latter it does by updating the HAL configuration: it creates /etc/hal/fdi/policy/30user/90-solaris-device-allocation.fdi, an XML format file that HAL reads when it starts up.

So the simple fix to have auditing but not device allocation is this:

islay$ pfexec bsmconv   # Answer y
islay$ pfexec rm /etc/hal/fdi/policy/30user/90-solaris-device-allocation.fdi

We really should split these things apart, as we have been planning to do for quite some time.

( Jul 24 2008, 02:49:35 PM BST ) Permalink Comments [2]

20080626 Thursday June 26, 2008

A TX window without a label? Oops?

What is going on here?

Surely that editor window on the right hand side is a problem: it doesn't have a sensitivity label on it?

Answer is in the next picture:

This was a screenshot of Trusted Extensions running in VirtualBox with Seamless Windows mode turned on. The host was OpenSolaris 2008.05 (snv_91). Where I'm going next is to do it the other way around, so that the host is TX and the guest is also TX but with different label encodings.

What this does show is that even when TX is running as a virtualised guest the MLS enforcement for cut and paste still applies. The host was treated as "Trusted Path", which makes perfect sense in this case because it is the "hardware".

( Jun 26 2008, 05:37:12 PM BST ) Permalink

20080523 Friday May 23, 2008

VNC as OpenSolaris 2008.05 console

Changing OpenSolaris 2008.05 to use Xvnc for the default X server rather than Xorg is really simple. OpenSolaris 2008.05 uses GDM as the graphical login manager. GDM starts the X server using /usr/X11/bin/X (a symlink to Xserver). The Xserver program in /usr/X11/bin uses SMF to store its configuration properties. This includes the location of the "real" (or "virtual" in our case) X server program.

To switch to Xvnc:

$ pfexec svccfg -s x11-server 
svc:/application/x11/x11-server> setprop options/server = "/usr/X11/bin/Xvnc"
svc:/application/x11/x11-server> setprop options/server_args = astring: ("-SecurityTypes" "None")
svc:/application/x11/x11-server> setprop options/tcp_listen = true
svc:/application/x11/x11-server> end
$ pfexec svcadm restart gdm

Now use your VNC client to connect using the IP address of your OpenSolaris machine. You will get the OpenSolaris login screen. Note that we disabled VNC level security above ("-SecurityTypes" "None"), so let's now change things so that VNC only works over SSH port forwarding. We do this by telling the Xvnc server to only listen locally:

$ pfexec svccfg -s x11-server
svc:/application/x11/x11-server> setprop options/server_args = astring: ("-SecurityTypes" "None" "-localhost")
svc:/application/x11/x11-server> end
$ pfexec svcadm restart gdm

Now to connect we need to do something like this:

remotehost$ ssh -n -f -L5900:localhost:5900 opensolarishost sleep 100
remotehost$ vncviewer localhost

To switch back to a local X server:

$ pfexec svccfg -s x11-server
svc:/application/x11/x11-server> setprop options/server = "/usr/X11/bin/Xorg"
svc:/application/x11/x11-server> setprop options/server_args = ""
svc:/application/x11/x11-server> setprop options/tcp_listen = false
svc:/application/x11/x11-server> end
$ pfexec svcadm restart gdm
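A check to run after any of the svccfg changes above, as an added example that is not part of the original post: "-SecurityTypes None" switches off VNC's own authentication, so it is only acceptable together with "-localhost" and an SSH tunnel. The svcprop(1) output format assumed by check_live_config is an assumption noted in the comment; vnc_exposure itself needs no Solaris tools.

```shell
#!/bin/sh
# Added example (not from the original post): classify how an Xvnc-as-console
# configuration is exposed, given the two SMF properties the post sets.

# vnc_exposure SERVER SERVER_ARGS
# Prints one of: not-vnc, tunnel-only, vnc-auth, OPEN
# Returns 1 only for OPEN (no VNC authentication and not bound to loopback).
vnc_exposure() {
    server="$1" args="$2"
    case "$server" in
        */Xvnc) ;;                       # only Xvnc has a VNC listener
        *) echo not-vnc; return 0 ;;
    esac
    case "$args" in
        *-SecurityTypes*None*)           # VNC authentication disabled
            case "$args" in
                *-localhost*) echo tunnel-only; return 0 ;;
                *) echo OPEN; return 1 ;;
            esac ;;
        *) echo vnc-auth; return 0 ;;    # Xvnc's own authentication applies
    esac
}

# check_live_config: reads the live SMF properties. Assumption: with -p,
# svcprop(1) prints only the values, one line, space separated, e.g.
#   $ svcprop -p options/server_args x11-server
#   -SecurityTypes None -localhost
check_live_config() {
    server=$(svcprop -p options/server x11-server) || return 2
    args=$(svcprop -p options/server_args x11-server) || return 2
    vnc_exposure "$server" "$args"
}
```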

( May 23 2008, 05:46:10 PM BST ) Permalink Comments [2]

20080509 Friday May 09, 2008

Worst (and Best) keyboards

Seems like for some reason I didn't actually post this when I wrote it on Jan 10th 2008, so I'll post it now.

I've just read over the PC World "10 Worst Keyboards of all time" article. Out of the 10 there were only 3 I hadn't actually used (the IBM PCjr, the original PET, and the Atari 400). All the others I've actually used at least once. I found the selection of the Sinclair keyboards interesting: the ZX Spectrum one suffered all the same problems as the Timex 1000, but the metal "cover" also came off over time. I replaced the key membrane on my speccy at least once and upgraded the heat sink to try and stop it failing again (it didn't really help in the long run).

My current vote for the worst keyboard of all time is actually the iPhone/iTouch: yes, it doesn't have a real keyboard but an on-screen touch one instead, and the latter lacks Bluetooth for connection of a "real" keyboard. I don't own an iPhone/iTouch, I've just played with friends' ones, so maybe it gets better over time.

My favourite keyboard: Sun Microsystems Type 7 (USB) US UNIX layout. The layout is critical: despite being a Brit I hate the UK keyboard layout with a passion, it sucks for writing C or shell code because " and # get moved! The UNIX layout is also important so that Control is on the same row as Return; Caps Lock has had no use since I stopped writing COBOL code.

( May 09 2008, 09:11:58 PM BST ) Permalink Comments [7]

Missing Apple Mac hardware

My current home machine is a first generation (ordered the day after the announcement) PPC Mac Mini. I initially ordered it with 512Mb RAM and no WiFi or Bluetooth. It has since been upgraded to 1G (the max this machine can take) and had the WiFi/Bluetooth added (and it now lives in the UK rather than California where it was bought). When I first bought it, it was as a secondary machine to learn where MacOS was; I hadn't used MacOS since System 7 at that time. It soon became our primary home desktop and got given gifts of a (wired) Mac keyboard and 20" Cinema screen in addition to its upgraded memory and wireless capabilities.

It has been serving us well but I feel like a new machine. While I love OpenSolaris and spend a huge number of hours developing for it and using it MacOS is what I want to continue using for my personal stuff for now (I like iTunes, iPhoto, Safari and more importantly so does my wife). So if the current PPC Mac Mini is to be repurposed it needs to be Apple hardware.

I titled this "Missing Apple Mac hardware", why? I can't find a non-laptop Mac that actually fits what I want in terms of computing resources and cost. Disk space isn't an issue; I'd buy the machine in the lowest possible disk configuration because all my data is stored on ZFS on a separate system running OpenSolaris and mounted on the Mac using NFS.

The best CPU/RAM combination I can buy on a current Intel Mac Mini is 2GHz and 2G RAM for £558. The next option is a Mac Pro and that starts at a wallet breaking £1,749; it is a nice workstation but out of budget for my desktop machine. There is Mac hardware in between that price range but with, for me, a fundamental problem: it has an integrated LCD and comes with a keyboard. Now integrated systems are great, I remember fondly using the Sun ELC workstations at University and my current Sun machine at home (and the office) is a Sun Ray 270 (ultra thin client with integrated LCD). However I like my 20" Apple Cinema display and I want to keep using it, it doesn't need to be replaced, same for the keyboard/mouse.

The Apple Mac I want to buy would have a CPU around 2.4 to 3GHz and 4G RAM, a single disk and a reasonable graphics card (this isn't a games machine, I use consoles or my phone for games these days) for helping with photo processing. Of course it should be "green" in that it should allow me to reuse my existing LCD monitor and keyboard (both Apple products!). Pretty much something like a Sun Ultra 20 M2 but capable of legally running MacOS X 10.5 and for about that price.

So Apple, where is my missing Mac?

Update: I know I can do dual monitor with an iMac (I first saw that on a mono SE30 with an external colour display, and putting windows "across" the boundary was done perfectly!) but I already have two monitors on the desk (the Sun Ray 270 mentioned above) and I don't really have space for another one. The big issue with the top end Mac Mini is that the memory only goes to 2G according to Apple and some of that will be taken away by the Intel GMA graphics. One of the reasons I need at least 4G RAM is that there are always two users logged in (with fast user switching) to this machine. A bit of space to upgrade beyond 4G of RAM would be nice.

( May 09 2008, 09:10:25 PM BST ) Permalink Comments [6]

20080430 Wednesday April 30, 2008

Simple CLI based CA on Solaris

With the recently added ability to sign PKCS#10 certificate request files, the pktool(1) command of OpenSolaris can be used as a very simple Certificate Authority, similar to what can be done with the openssl(1) command but, in my opinion, in a much clearer way and with stronger security. I'll outline the basic commands below, but some external "database" will be needed to keep the serial number count and the other state needed to be a useful CA.

First generate the root CA; this is by definition self-signed:

admin$ pktool gencert keystore=file outcert=myCA \
  subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1 outkey=myCA.key

Generate a user CSR in PKCS#10 format:

user$ pktool gencsr keystore=file outcsr=sample.p10 \
  subject="CN=darren,OU=people,DC=EXAMPLE,DC=COM" outkey=sample.key

The user then sends the PKCS#10 certificate request to the administrator for signing.

Sign the PKCS#10 CSR with the root CA. Note that the issuer DN given to signcsr has to be the subject DN of the CA certificate that will later verify the chain, since relying parties match a certificate's issuer against the CA's subject:

admin$ pktool signcsr keystore=file signkey=myCA.key csr=sample.p10 \
  outcert=sample.cert format=pem serial=0x1001 \
  issuer="CN=small-CA,DC=EXAMPLE,DC=COM"

Increasing the CA security

The above example stores the master CA key in a file, but we can do better than that and store it in a PKCS#11 accessible hardware keystore. It would look something like this:

admin$ pktool gencert keystore=pkcs11 label=myCA \
  subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1
Enter PIN for Sun Software PKCS#11 softtoken  :

We now have the key in a PKCS#11 accessible keystore that is PIN protected; the sign operation is almost the same:

admin$ pktool signcsr keystore=pkcs11 signkey=myCA  csr=sample.p10 \
  outcert=sample.cert format=pem serial=0x1001 \
  issuer="CN=small-CA,DC=EXAMPLE,DC=COM"
Enter PIN for Sun Software PKCS#11 softtoken  :

Note that we didn't explicitly specify the PKCS#11 token to use, but pktool(1) allows us to do so.

Similarly the user can use a PKCS#11 keystore when they run gencert.
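The external "database" mentioned above, as an added example that is not part of the original post or of pktool: a serial counter and issued-certificate index kept in plain files, with a lock so two administrators cannot hand out the same serial, and a wrapper that runs the signcsr command from the post with the allocated serial. The file layout under CA_DIR and the CA_DN default are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): minimal CA state for pktool signcsr.
# Assumed layout: $CA_DIR/serial holds the last issued serial in decimal,
# $CA_DIR/index.txt gets one tab separated line per issued certificate.
CA_DIR="${CA_DIR:-$HOME/small-ca}"
# The issuer must be the subject DN of the CA certificate (gencert above).
CA_DN="${CA_DN:-CN=test,DC=EXAMPLE,DC=COM}"

ca_init() {
    # Start at 0x1000 so the first issued certificate gets 0x1001, as in the post.
    mkdir -p "$CA_DIR" || return 1
    [ -f "$CA_DIR/serial" ] || printf '%d\n' 4096 > "$CA_DIR/serial"
    [ -f "$CA_DIR/index.txt" ] || : > "$CA_DIR/index.txt"
}

ca_next_serial() {
    # Allocates the next serial and prints it as 0x-prefixed hex.
    # mkdir is atomic, so the lock directory serialises concurrent signers.
    until mkdir "$CA_DIR/.lock" 2>/dev/null; do sleep 1; done
    last=$(cat "$CA_DIR/serial") || { rmdir "$CA_DIR/.lock"; return 1; }
    next=$((last + 1))
    printf '%d\n' "$next" > "$CA_DIR/serial"
    rmdir "$CA_DIR/.lock"
    printf '0x%x\n' "$next"
}

ca_record() {
    # ca_record SERIAL SUBJECT CERTFILE: append an index line, refusing a
    # serial that has already been issued (serials must be unique per CA).
    serial="$1" subject="$2" certfile="$3"
    if grep -q "^$serial[[:space:]]" "$CA_DIR/index.txt"; then
        echo "serial $serial already issued" >&2
        return 1
    fi
    printf '%s\t%s\t%s\t%s\n' "$serial" "$(date -u +%Y%m%dT%H%M%SZ)" \
        "$subject" "$certfile" >> "$CA_DIR/index.txt"
}

ca_sign() {
    # ca_sign CSR SUBJECT OUTCERT: allocate a serial, sign with the PKCS#11
    # resident key exactly as in the post, then record what was issued.
    csr="$1" subject="$2" outcert="$3"
    serial=$(ca_next_serial) || return 1
    pktool signcsr keystore=pkcs11 signkey=myCA csr="$csr" \
        outcert="$outcert" format=pem serial="$serial" \
        issuer="$CA_DN" || return 1
    ca_record "$serial" "$subject" "$outcert"
}
```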

( Apr 30 2008, 03:25:00 PM BST ) Permalink

20080219 Tuesday February 19, 2008

Mercurial Links

A few hopefully helpful links for OpenSolaris/JDK developers in the transition to mercurial (hg).

( Feb 19 2008, 03:21:38 PM GMT ) Permalink

20080204 Monday February 04, 2008

isaexec(1) as a shell script

/usr/lib/isaexec is often used to provide automatic selection of a 32 vs 64 bit binary; however, it can actually do much more than that, it can pick between sparcv8+vis and sparcv8 for example. What it can't do in its distributed form is pick between SPARC and x86 variants, because it is a 32 bit binary.

I wanted a single ~/bin in my home dir that could cope with 32 vs 64 bit and SPARC vs x86 and also allow me to have CPU capability variants as well, i.e. sparcv9+vis2 and a generic sparcv8 variant. So I rewrote isaexec as a simple shell script. I don't know how long ago I did this but it was probably some time during Solaris 7 development (which is when isaexec first appeared); anyway, below is the shell script. I have subdirs in ~/bin for each cpu/architecture and all the binaries are links to ~/bin/isaexec.sh.

#!/bin/ksh
#
# isaexec.sh: run the variant of this program that lives in the
# per-ISA subdirectory of the directory this script is linked from.
# Every $pathname/$fname is a link to this script and the real
# binaries live in $pathname/<isa>/$fname.

fname=`basename $0`
pathname=`dirname $0`

if [ ! -x /usr/bin/isalist ]; then
        # No isalist(1): fall back to the single name from arch(1)
        arch=`arch`
        if [ ! -x $pathname/$arch/$fname ]; then
                echo "$0: cannot find the ISA list"
                exit 1
        else
                exec $pathname/$arch/$fname "$@"
                echo "$0: cannot find/execute $fname in ISA subdirectories"
                exit 1
        fi
fi

# isalist(1) prints the ISAs best first, so the first match is the best one
for isa in `/usr/bin/isalist` ; do
        execpath="${pathname}/${isa}/${fname}"

        if [ -x $execpath ]; then
                exec $execpath "$@"
                echo "$0: exec $execpath failed"
        fi
done

echo "$0: cannot find/execute $fname in ISA subdirectories"
exit 1

This shell script is far from perfect from a performance viewpoint and could probably use much more shell builtin functionality if ksh (or ksh93) were used properly instead of external commands like basename and dirname.

( Feb 04 2008, 01:08:22 PM GMT ) Permalink Comments [1]

20080115 Tuesday January 15, 2008

War on Terror: ENOENT

Via CRYPTO-GRAM I found this brief article from last month on how the UK government is changing the language it uses to describe terrorism. About bloody time, and IMO the UK government should have known better than to abuse the English language like this in the first place. I particularly like the "London is not a battlefield" quote from Sir Ken Macdonald (DPP), exactly because without a battlefield there never could have been a war (or even a conflict; I never understood why it was often referred to as the Falklands Conflict rather than war).

( Jan 15 2008, 01:23:12 PM GMT ) Permalink Comments [1]

20080104 Friday January 04, 2008

Migrating a Teamware workspace to OpenSolaris.org hosted Mercurial

Casper just asked me: "How do you put your own project workspace on opensolaris.org?" So I wrote up an email describing how I do it. Since I thought it might be useful I've included a slightly reworded version of it here.

It has to be in either Mercurial or Subversion. If it is a project targeting the ONNV consolidation then Mercurial is the choice.

First create a local clone of the Mercurial onnv-gate like this:

    $ hg clone ssh://anon@hg.opensolaris.org/hg/onnv/onnv-gate myproject

Make sure your Teamware gate is at the same point. Now do a 'wx backup' of your Teamware workspace.

Untar the ??.clear.tar file from the wx backup directory into the myproject directory.

Check this still builds. It should, but you will need to get the closed-bins tar file that matches your clone of onnv-gate since you don't have usr/closed.

If it all built fine, commit this to your local repository:

$ hg commit

You now need to create a repository on opensolaris.org to host this. In your project page there is an "SCM Management" link that is shown only to project leads. Click that. On the left hand nav-column there will then be a link "Add Repository". Fill in the form.

The "Anonymous" option here means allow anyone to pull from the repository; if you don't tick that then only people with an opensolaris.org account with loaded ssh keys can do a pull (I generally allow it, as I believe most projects do). Project leads can always do a push, and you can delegate that to people who are listed as observers too.

The name you give is tagged on the end of your project URL. So if you say "gate" you will end up with:

    "ssh://hg.opensolaris.org/hg/fgap/gate"

The notification email address gets every push message, so choose carefully what you set this to. Some projects use a dedicated -notify@ alias, others just use their -discuss@ alias.

You are now ready to push your changes, so let's configure your local copy of your Mercurial repository with the paths. Add the following to the .hg/hgrc file in your myproject dir:

[paths]
default=ssh://username@hg.opensolaris.org/hg/myproject/gate
default-push=ssh://username@hg.opensolaris.org/hg/myproject/gate
onnv-gate=ssh://anon@hg.opensolaris.org/hg/onnv/onnv-gate

Now let's do the push:

$ hg push

You now have a populated repository on opensolaris.org. To do a resync with onnv-gate you do something like this:

# Make sure you are in sync with the fgap project gate
$ hg pull
# Merge if needed
$ hg merge

# Now pull in the onnv-gate changes
# if you want a specific build you can say -r onnv_80 after the pull
# Note this uses the path alias we defined above to avoid using the full URL
$ hg pull onnv-gate
$ hg merge
$ hg commit
$ hg push
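The resync sequence above as one script, added here as an example and not part of the original email: it refuses to start on a working copy with uncommitted changes and only runs 'hg merge' when a pull actually produced a second head, since 'hg merge' aborts when there is nothing to merge. It uses the onnv-gate path alias from the .hg/hgrc above; the commit messages and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): unattended resync of a project
# gate clone with onnv-gate, following the steps in the post.
# Usage: resync_project [onnv_build_tag]    e.g.  resync_project onnv_80
set -e

working_copy_clean() {
    # 'hg status -q' lists modified/added/removed files; empty means clean
    [ -z "$(hg status -q)" ]
}

merge_if_needed() {
    # merge_if_needed MESSAGE: after a pull, merge and commit only when the
    # repository now has more than one head ('hg heads -q' prints one per line)
    if [ $(hg heads -q | wc -l) -gt 1 ]; then
        hg merge
        hg commit -m "$1"
    fi
}

resync_project() {
    working_copy_clean || {
        echo "uncommitted changes in working copy; commit or revert first" >&2
        return 1
    }
    # 1. sync with the project gate (the default path in .hg/hgrc)
    hg pull
    merge_if_needed "Merge project gate"
    # 2. pull in onnv-gate, optionally pinned to a build tag such as onnv_80
    if [ -n "$1" ]; then
        hg pull -r "$1" onnv-gate
    else
        hg pull onnv-gate
    fi
    merge_if_needed "Merge onnv-gate${1:+ at $1}"
    # 3. publish the result to the project gate
    hg push
}
```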

Hope this helps.

Note that for all this push/pull to work as your user you need to have your ssh pubkey uploaded for opensolaris.org. If you have ever voted you have done that already.

( Jan 04 2008, 03:47:00 PM GMT ) Permalink Comments [2]

20071214 Friday December 14, 2007

Back to School

While on a trip back to Scotland to visit my parents I visited the school I attended, Auchenharvie Academy in Stevenston. This wasn't pre-planned; my Mum & Dad are foster parents and one of the boys they foster is due to move up to secondary school (high school, grade 8+, whatever you call it where you come from) and they had recently visited my old secondary school on open night. My parents got talking to Mrs Anderson, one of the Computing teachers, and my Mum mentioned that I worked for Sun and was an ex pupil; the upshot was an open invitation for me to go and talk to the students taking the computing classes.

I spoke to the higher (grade 12) computing class (about 10 students) about how I got in to computing as a career and what it is like working for Sun. I hope the students found it interesting; I certainly found it very interesting how much they are learning (some of what they cover wasn't covered until the 2nd year of my degree course) and it was fun to talk with them and the teachers.

I left them with an open invitation to contact me on my work email address if they have any follow-up questions about anything; I hope to hear from both the teachers and students.

( Dec 14 2007, 06:47:41 PM GMT ) Permalink

20071208 Saturday December 08, 2007

strip(1) for OpenDocument (StarOffice / OpenOffice.org plugin)

Via several other Sun blogs I've found out about the new Presentation Minimizer for StarOffice/OpenOffice. Feels like strip(1) to me :-) From a security point of view this is really good. Templates are great, but so many presentations get created out of other presentations rather than from scratch with the current "corporate" template. This means there is lots of potential "cruft" left lying around in the history, even more so if you have change tracking turned on (which I often do).

I hope this becomes a core feature in a future release. It might also be useful to extend it to warn about certain words in the presentation (eg Proprietary/Confidential being left in the master slide).

( Dec 08 2007, 09:53:37 AM GMT ) Permalink

20070803 Friday August 03, 2007

Welcome back xterm all is forgiven

Until about a year ago I had been using good old xterm (I used it under at least olwm, olvwm, twm, tvtwm, ctwm, fvwm, CDE and GNOME). I switched to using gnome-terminal since it appeared to be good enough, it was the default under GNOME (my current desktop of choice) and it had a few features I really liked (though there were some I sorely missed from xterm too).

So why is it welcome back xterm? Basically it is the performance. I use Sun Ray most of the time now, and Sun Ray at home over a 1Mbps ADSL line is perfectly usable providing I use xterm and not gnome-terminal.

I should also say that my xterm config isn't default; it is customised so that the Sun keyboard Copy/Paste keys work.

The only thing I'm really missing from gnome-terminal now I've switched back to xterm is the ability to change which profile (colour, basically) a given window is in while it is running.

( Aug 03 2007, 03:13:28 PM BST ) Permalink Comments [9]

New Linux scheduler old Solaris one(s)

I find it interesting and slightly sad, given how low level a topic this really is, how much is being written about the new CFS scheduler being introduced into Linux. The sad part is how much flamage is flying around as a result of this from people not in the slightest bit involved in the design and development; this sadly is the ugly side of many open source groups.

OpenSolaris has multiple scheduling classes as well (actually Solaris had this and OpenSolaris inherited it when the source was opened up), but there is active work in this area going on, and the ability to relatively easily add more. You can also change the dispatch tables of the existing ones, even on a live running system (see dispadmin(1M) and ts_dptbl(4)).

For some more info on how OpenSolaris does scheduling and how it is integrated into the rest of the resource management system see this excellent intro to the topic by Eric Saxe.

As you hopefully see from Eric's presentation, the scheduler is only a small part of the overall resource management issue and of ensuring fairness. OpenSolaris builds on the scheduler by using things like processor pools. I particularly like the Fair Share Scheduler (FSS) class. The Sun Ray server that I use at work (and at home via VPN) uses FSS so that users can't dominate the server CPU resources.

I find it very cool that you can even use different scheduling classes for zones (actually you can do it per process, but mixing FSS with TS/IA in a given processor pool isn't recommended). If all that wasn't cool enough, all the policy for FSS (and much other project-related resource management state) can be stored in LDAP, so it is easy to implement a network wide policy.

( Aug 03 2007, 02:48:15 PM BST ) Permalink Comments [2]

20070702 Monday July 02, 2007

ZFS Crypto Design Review

The design review for phase one of the OpenSolaris ZFS Crypto Project starts now, details on how to participate are here.


( Jul 02 2007, 05:16:59 PM BST ) Permalink


This is a personal weblog, I do not speak for my employer.