I am getting annoyed by comment spam.
It had been a problem, then everything was working well again; now it appears that the spambots are able to recognize our challenge and do simple math.
I also know that the spam is not personal... but really. Spamming a post about my wife's brother being shot by a sniper in Iraq, so not cool.
Technorati Tags: spam
Brian Bianquart and Darren Moffat
Role Based Access Control
What is a Role: an account on the system; it cannot directly log in; it could be root (or any user).
What is a Privilege: an attribute of a process, checked by the kernel.
Authorization: given to users directly or through a profile.
...Cutting back on following/outlining until I see something that I am less sure is readily available online and in docs...
One exec_attr table can be used across Solaris 8 and 9, Trusted Solaris (8) and Solaris 10.
Here we have a graphic I have never seen before... took a picture but it will probably be lame. I think maybe hand drawings scanned and added to the slides.

Q: Can we make it such that user and role profiles can be modified while the user is logged in or the role is in use?
A: Yes, that is a bug fixed in update 3... changes may not take effect until the next login, but you will be able to make the change.
Standard RBAC example: execute with elevated privileges... start Apache as a regular user on port 80 (as opposed to starting as root and dropping privileges).
I think I was hoping for more in-depth technical details; still time yet, we will see.
/usr/bin/pfexec is the closest thing to sudo, only without authentication (yet).
pfexec will use the first profile found... that is, the ALL role should be last, otherwise don't bother to define other profiles.
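The "first profile found" rule above, modelled as an added Python example (not the talk's slides or Solaris code): the rows are constructed in the exec_attr(4) and user_attr(4) column layout, the Apache entry mirrors the port-80 example by granting net_privaddr instead of uid=0, and policy.conf defaults and prof_attr sub-profiles are left out of the model.

```python
"""Model of how pfexec picks the exec_attr entry for a command by walking the
user's profiles in the order listed in user_attr (constructed example)."""

# Constructed rows in the exec_attr(4) layout: name:policy:type:res1:res2:id:attr
EXEC_ATTR = """\
Web Admin:solaris:cmd:::/usr/apache2/bin/apachectl:privs=net_privaddr
All:solaris:cmd:::*:
"""
APACHECTL = "/usr/apache2/bin/apachectl"

# Constructed user_attr(4) rows: user:qualifier:res1:res2:attr
USER_ATTR_GOOD = "webadm::::type=normal;profiles=Web Admin,All"  # All last
USER_ATTR_BAD = "webadm::::type=normal;profiles=All,Web Admin"   # All first


def parse_attrs(field):
    """Turn 'uid=0;privs=a,b' into {'uid': '0', 'privs': 'a,b'}."""
    return dict(kv.split("=", 1) for kv in field.split(";") if kv)


def parse_exec_attr(text):
    """Return (profile name, command pattern, attrs) for each exec_attr row."""
    entries = []
    for line in text.splitlines():
        name, _policy, _typ, _res1, _res2, cmd, attr = line.split(":")
        entries.append((name, cmd, parse_attrs(attr)))
    return entries


def user_profiles(user_attr_line):
    """Ordered profile list from the attr column of a user_attr row."""
    attrs = parse_attrs(user_attr_line.split(":")[4])
    return [p.strip() for p in attrs.get("profiles", "").split(",") if p.strip()]


def resolve(cmd, user_attr_line, entries):
    """First matching exec_attr entry, searching profiles in user_attr order.

    Returns (profile, attrs) or None when no profile grants the command.
    Real pfexec also consults PROFS_GRANTED in policy.conf and sub-profiles
    from prof_attr; both are omitted in this model."""
    for profile in user_profiles(user_attr_line):
        for name, pattern, attrs in entries:
            if name == profile and pattern in ("*", cmd):
                return profile, attrs
    return None


if __name__ == "__main__":
    table = parse_exec_attr(EXEC_ATTR)
    print("All last :", resolve(APACHECTL, USER_ATTR_GOOD, table))
    print("All first:", resolve(APACHECTL, USER_ATTR_BAD, table))
```

With All listed first, apachectl resolves through the catch-all entry with no extra privileges, so the Web Admin entry never takes effect.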
SMF demo: allow a user to change the running state of a service but not the boot state, e.g.
ALLOWED: svcadm enable/disable -t
DISALLOWED: svcadm enable/disable (no -t)
DO NOT MODIFY SYSTEM SUPPLIED PROFILES. File a bug if you think it should be changed, OR create your own profiles.
Privileges
The kernel no longer only checks for UID==0; 48+ privileges are checked instead.
Now privilege sets, next how the privileges flow; not really going to note that down... I know it is well documented, I have read it.
Note: dark red on black... hard to see, shouldn't do colors that evaluate to black.
Use ppriv -D to debug privilege access. (Yes, this is commonly known.)
ACLs
Solaris 10 NFSv4/ZFS ACLs now match those as implemented in Windows NT/XP.
More info
There is a RBAC and SUDO comparison slide. Strengths and weaknesses on both sides; the most commonly requested deltas are being addressed. Authentication and Netgroups are on/near the top of the list.
security-discuss@opensolaris.org and Sun blueprints
Technorati Tags: cec2006, RBAC, Security
Jim Fiori
Apparently the presentation is normally a 3+ hour presentation and Jim requested 3 hours, but all the slots are 60 min.
This is a presentation on approach, not learning D.
This entry is a horrible hack job on content; too much and I am learning more than I can easily condense/digest usefully on the fly.
INTRO
Everyone needs DTrace... but it is not the first thing to run. Identify a possible issue, then use DTrace to figure out what is going on.
Advice: Practice, Practice, Practice
Approach
Use the manual; all examples are in /usr/demo/dtrace.
Use quantize(); min()/max()/avg() can hide data.
Be careful using the PID provider, it can impose load on a highly active process.
Normal system tools still have their place.
New tools: intrstat (some others I haven't used)
Privs -- root level or RBAC...
Zero probe effect -- via instruction replacement
Scenarios
High User Time: hotuser.sh from the DTrace toolkit
C++ Apps: watch for small allocations and short allocations
High System Calls (>100s): use aggregation; use pfiles to determine the target of a file descriptor
System time (>10% or user:sys near 2:1): prstat to find it, dtrace to examine it
Threaded App: prstat to find it; plockstat ... to see it, single process
Java: use jstack; Java 1.6 has static DTrace providers
Oracle: look at I/O and file systems first, and ONLY after regular investigation by the DBA (statspack etc)
Sybase: watch for TCP Nagle (buffering requests before sending); try TCP no delay on client and server
File system: watch for periodic pauses; check autoup on large memory (>8G) systems
Hints and Tools
- Use a sample rate at not quite 1000, to help keep the DTrace probe func from running in lockstep with kernel actions
- DTrace is running in kernel context... you can't just dump the memory location, you need to dump the user memory space
- .mul() and .div() are SPARC V7... the application should be recompiled
- -c flag... use pid$target ... woot
- look for system call errors when things are not working as expected
- see atomic_ops(3c) on mutex_lock/unlock for simple variable updates
- High ctx... look at the FX scheduler (good for some apps)
- High migrations... look at binding to a specific processor
- libumem for memory leaks
- Chime (GUI... uses Sparklines!!!... I like sparklines)
OpenSolaris
Coming
- RFE 6311947 svn_43... fun/mod/ufunc/umod
- DTrace in a zone
- aggregation printing
Technorati Tags: cec2006, Dtrace