Security


Ok, so my title is a little misleading, there’s not any rivalry between the different areas of Novell and SUSE, other than the usual desire to see your business unit succeed just a little more “betterly” than the other units do. It’s all about friendly competition.

What’s Red vs. Green?

What I’m referring to (with Red vs. Green) is the necessary dividing line between the traditional Novell business units like Workgroup (Netware, Open Enterprise Server, Groupwise etc.) which I think of as “Red”, and the newer and Open Source-centric business unit called Open Platform Solutions (SLES, SLED, SLERT, SLEPOS etc.), which I think of as “Green”. (Get it? SUSE Green, like the Gecko?)

I have come up with the analogy and strategy of Red vs. Green as a way of helping partners, customers and the casual passerby understand that depending on which Novell/SUSE products they have, they will likely benefit most from a particular set of products and growth options.

“I See Red”

My experience has been that if a customer is “Red”, they’re almost always firmly ensconced in and using the Novell services throughout the enterprise, with some confusion as to how and why they might make use of Linux. The first order of business is to determine how much they know about Linux in general, and in particular about Novell’s use of SUSE Linux Enterprise in its product lines. After hundreds of these discussions, I’ve found we can get everyone on the same page in short order with a little discussion, some Q&A and a handy whiteboard.

How Does This Work?

For example, in a conversation with faux customer Air America, I find they have a long-standing Netware infrastructure for File and Print, do a little clustering for Groupwise and use iPrint for printing, with all account management taking place through an Identity Management setup and eDirectory. They have Windows workstations that make full use of the Netware Client and its services. I’d already lean toward a “Red” strategy with them, but they might be toying with the idea of going “over to Linux”, so I go a little further.

The questions I ask them are very simple and straightforward:

  • Do you have any data on NSS volumes?
  • Do you use any of the advanced features of NSS?
  • Do you have Novell Clustering Services or Business Continuity Clustering set up?
  • Do you have a very large number of printers?
  • Do your people have Novell Client software on their computers for access to the network?

A “yes” answer to any of these questions points to Open Enterprise Server (with Version 2, OES is a Linux base with Novell’s standard services converted to run well on Linux, layered on top). Novell has spent a lot of time and effort to make it as effortless as possible for this type of organization to migrate up to OES; there is a very complete and clear path for this customer to begin to use Linux-based Novell services with the least disruption possible, and often at a considerable cost savings.

I will try if possible to help them see where “Green” might fit in, either for hosting Groupwise or other services, such as Mono (Dot Net compatible server), Virtualization (Xen) or any of a host of other possibilities. Usually this type of customer will stay “Red” and for good reason.

“It’s Easy Being Green”

On the other side of this equation, I will find customers who don’t have a lick of “Red” in their environment, and these are usually standard UNIX shops on the server side, usually either a Solaris or AIX flavor, some HP-UX, but they’ll be using mostly Windows on the client side. Usually if they say “No” to my “Got any Novell products or Netware around?”, they will go “Green” easily.

The discussion with this client is much easier; they’re a classic “Green” customer, and all the services and tools they are used to using have an analog (equivalent) in the SUSE Linux Enterprise Server/Desktop product line. Once I determine they have no Netware products in the organization, we don’t even talk about “Red vs. Green”, as it’s not relevant: they can even run eDirectory and Zenworks Linux Management on SLES, no “Red” needed.

I additionally will probe to see if they have any Terminal Server or Citrix/Ericom deployed for application security and updateability, if they do, it makes the Linux Desktop play much more likely, especially if they make use of TS/Citrix as a desktop solution. How compelling is $50 or less a seat for the presentation OS on the desktop versus $239 or so for the oddly-shaped box o’ Vista?

Got any changes or suggestions to this whole Red vs. Green thing? I’m constantly getting feedback and changing it, let me know and I’ll credit you and update it.

Enjoy,

RossB

Starting off our new series called Vendor Spotlight is a company that I think is doing some very cool things, ThinFusion Inc. The interview was conducted by phone and included Brandon and Rick Vancleeve.

What is ThinFusion?

ThinFusion is the combination of a Linux OS platform running in a thin client environment, while providing access to the majority of Windows-based applications. ThinFusion uses either a thin client OS local, paired to a session on a ThinFusion server, or alternatively allows the use of cross-platform client software to provide secure and very speedy access to the ThinFusion Server session literally from anywhere.

ThinFusion provides a single access point to all the Linux and Windows applications that a user needs. The administrative interface allows for simple drag and drop granting and revoking, in realtime, of access to applications on a group or individual level.

What applications can I run on ThinFusion?

This part is easy…
Since it accesses a Windows Terminal Server for Windows apps you can go to Microsoft’s site and find every supported program out there. You don’t have to go through a giant bug list of “quirks” when running Windows apps in a Linux shell. If it runs in a Terminal Server environment, it runs on ThinFusion.

On the Linux side, since you are in essence just accessing a Linux Desktop you can run all your Linux applications.

Who is ThinFusion Inc?

ThinFusion Inc. is a small company in the mountains of Montana that has developed ThinFusion to meet the needs of K-12 schools, higher ed, and small to medium businesses. ThinFusion’s mission statement: Access your classroom from anyplace, anytime.

What is a typical customer for ThinFusion?

The typical customer would be a school or business that has a need to control access to applications, reduce administrative and technical support costs and increase the quality of service for its users while maintaining the necessary security and controls.

What is a sample use case of ThinFusion?

A school district with a laptop lab is an excellent use case for ThinFusion. Typically in this environment the laptops would be running Windows with most applications installed locally. Often the students are issued the laptops and are responsible for physical security and transport, often including off school property, with the laptop for all purposes becoming the student’s main machine for home and school. Such an environment has multiple risks and costs associated with it, including re-imaging regularly due to misconfigurations, virus and spyware issues and either malicious or inadvertent deletions and changes to the software.

The risk of virus infection or inadvertent misconfiguration is greatest when the laptops are issued to and kept by the students; the possibility of infection and of transporting viruses and spyware becomes a virtual certainty, with some school environments literally being taken down for periods of time by such infections.

ThinFusion in this environment would remove most or all of the issues discussed. Two choices are possible:

1. Install a very slim Desktop Linux with NX Client software on the student laptop; all application access requires dialup or better Internet access to the ThinFusion Server, so all applications run in a very secure and less virus-prone environment.
2. Install Windows or keep the current Desktop OS, adding lockdown software and the NX Client software, requiring dialup or better Internet access to the ThinFusion Server, etc.

Both of the above examples allow students and staff to securely access their school network just as if they were sitting at a desk in class, from anywhere/anytime. It extends the learning environment beyond the walls of the school, and it allows for collaboration beyond the bus bell. This is the mode that we see businesses transitioning to at record pace, as we see more and more workers using home offices and accessing data through secure remote scenarios.

This environment is effective for students and teachers, with teachers mostly falling into category #2, since they have the most need to run third-party applications that are typically Windows-based.

What are the support options?

A ThinFusion subscription comes with a full support, training and installation package. Higher levels of support packages are available.

What should you not use ThinFusion for?

ThinFusion is not a great solution for high end multimedia, neither for creation nor viewing. A class of 50 users running a very graphically oriented courseware would be fairly choppy.

How do I learn more about ThinFusion?
Please visit their website (www.thinfusion.com), to experience demonstrations, tutorials, case studies and more. You can also reach them by phone at 1-800-432-0346.

==========

If you can think of an example of a vendor that is doing something you can really appreciate and is good for the community, put a comment in or email me: rbrunson[at]novell.com

Enjoy,

RossB

Laura over at the awesome VirtualHosting.com blog has 12 great tips for pre-hacking your own machine.

Your wifi is encrypted and a trial version of McAfee came with that new HP the kid at Best Buy sold you, so no need to worry about computer security, right? Unfortunately, security is a whole lot more complex than your average computer user might imagine.

There are literally hundreds of ways that malware and hackers can compromise your system security, most of which you’ve never heard of. Thankfully, however, there are a number of online tools available which will help you identify (and sometimes fix) the vulnerabilities in your system. In this article we’ve selected 12 basic tests you can run on your machine to identify its weaknesses.

More from the article.

Most IT shops would agree… stolen laptops are a security risk. To combat this problem, many organizations are turning to hard disk encryption as a way to prevent loss of sensitive information. Apparently the US Federal government has even mandated that disk encryption be used on laptops with sensitive data.

SUSE Linux Enterprise Desktop 10 includes some support for disk encryption natively – look here for more info. But if that does not fit your needs; or perhaps you’re looking for a cross-platform solution; or something that does “whole disk encryption”….

At least one commercial offering is also available: WinMagic, purveyor of hard disk encryption, recently announced that their product SecureDoc will be supporting hard disk encryption on Novell’s SUSE Linux Enterprise Desktop – their first official support of Linux (traditionally, they’ve been a Windows only vendor). The product is expected to be generally available by September 2007.

According to their press announcement:

“In recognition of the increased demand for Linux, WinMagic has developed an end-point encryption solution which will make it simple for Linux users to protect data at rest no matter where it may reside,” said Thi Nguyen-Huu, CEO of WinMagic Inc. “In developing and testing SecureDoc for the Linux environment, WinMagic’s main focus was to provide the marketplace with an encryption product that will not yield on performance, functionality, or ease of use,” Nguyen-Huu continued. “Our support for Linux is yet another sign of WinMagic’s dedication to open system standards and to furthering those standards for the data encryption market place.”

(Updated) Found another commercial offering for Linux hard disk encryption… CheckPoint’s Pointsec Hard Drive Encryption. Supports SUSE and Red Hat.

(Updated, Oct 9) Here’s a non-commercial “free” product for entire hard disk encryption… TrueCrypt. Although it does not do “whole disk encryption” it does do partition-level encryption. According to the website it supports openSUSE and Ubuntu.

What’s been your experience with hard drive encryption thus far?? Any other vendors in this space you might be aware of?

While investigating spyware and virus blocking options for Open Source customers, I discovered the Untangle product, from untangle.com. Untangle’s Open Source Network Gateway is a combination of OSS projects, custom Untangle scanning engines and lots of enhancements to the interfaces to the products. While a commercial company, they have an OSS version that’s available to download and evaluate, and if you want a throat to choke, there is the Professional option, which includes support, directory support, policy management etc.

Untangle is intended to be a lower or no-cost alternative to SonicWALL and/or Watchguard, and looking at the product and site, they have attracted quite a community of users and developers, so keep an eye on them, maybe they’ll get bought by someone with deep pockets and really take off.

Untangle includes the following products:

  • Virus/Spyware Blockers – ClamAV and Global Hauri
  • Web Filter –  Untangle scanning engine + URLBlacklist.com
  • Protocol Control – Untangle scanning engine + Layer 7 Netfilters
  • SPAM Blocker – Customized SpamAssassin with additional rules
  • Phish Blocker – ClamAV + phish signature databases
  • Intrusion Detection – Untangle scanning engine + Snort signatures
  • Attack Blocker – Proprietary Untangle DDOS and DOS application
  • Firewall – Proprietary Untangle rules-based firewall application
  • Remote Access Portal – Local LDAP and tun/tap servers + rules and SSL
  • OpenVPN – OpenVPN + tools to configure access
  • Custom Reports – Various OSS and Untangle custom components
  • Router – Uses OSS router code and Untangle enhancements

You can download a copy of the Untangle OSS version without any registration or delay, or you can visit the Untangle site, the Untangle Wiki or their Forums for more information.  Also check out their pre-configured VMWare appliance, modesty and being a XEN guy prohibits me from just linking to it, but it’s hard to miss it on the Wiki site.

I’m running it now in a VM to see how well it works for my purposes, let me know if you try this product, and your experiences.

Enjoy,

RossB

A customer asked me how they might be able to restrict the use of certain apps to only certain networks. For example, say you want to allow SSH access only from a management network (192.168.2.0), but not from the general user network (192.168.1.0). How is this done in SUSE Linux Enterprise Server? In short, use a TCP Wrapper, which is configured in the /etc/hosts.allow and /etc/hosts.deny files. You can simply use any text editor, such as vi, to edit them…

The best documentation of the answer I found was here at Puschitz.com. Thanks go to Werner Puschitz for the insight!

If you know of other helpful sites or documentation on this topic, please post a comment so we can all benefit.

(Update 8/31/07) Some additional suggestions I received. Thanks Edward Clay and Peter Albrecht.

(Response #1) You could do this with iptables or The YaST firewall app.

I found the following example on the following website.

http://www.cyberciti.biz/faq/restrict-ssh-access-use-iptable/

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP


(Response #2) To use TCPwrapper for this, the application must be built with TCPwrapper support. There are some daemons listed at the top of /etc/hosts.allow which do support TCPwrapper.

If the application does not support TCPwrapper, I see two options:

1) Use iptables rules for limiting access. For an introduction to packet filters, have a look at our course 3075: SLES 10 Security.

2) If the server is connected to the respective network (192.168.2.0 in your example), you can configure sshd to listen only to that interface. The directive is ListenAddress in /etc/ssh/sshd_config. Several other applications also provide such a configuration.
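The hosts.allow/hosts.deny policy described above, the iptables alternative from the responses, and a check of the resulting decision, as an added example that is not part of the original post or its responses. It assumes a /24 mask (255.255.255.0) for the 192.168.2.0 management network, which the post does not state, and writes only to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): build the TCP Wrapper policy that
# restricts sshd to the management network, print the equivalent iptables rules
# for a daemon built without libwrap support, and emulate the hosts_access(5)
# lookup order so the policy can be checked before it is copied into /etc.

MGMT_NET="192.168.2.0/255.255.255.0"   # management network from the post; /24 mask is assumed
MGMT_CIDR="192.168.2.0/24"             # same network in the form iptables takes
SSH_PORT=22

# Contents for /etc/hosts.allow: only the management network may reach sshd.
hosts_allow_policy() {
    printf 'sshd : %s\n' "$MGMT_NET"
}

# Contents for /etc/hosts.deny: refuse every other client. hosts.allow is
# consulted first, so this line is reached only when no allow line matched.
hosts_deny_policy() {
    printf 'sshd : ALL\n'
}

# iptables alternative (Response #2, option 1). Order matters: the ACCEPT for
# the management network must be inserted before the catch-all DROP.
iptables_rules() {
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$MGMT_CIDR" "$SSH_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j DROP\n' "$SSH_PORT"
}

# ip_to_int: dotted quad -> 32-bit integer, using only shell arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    # shellcheck disable=SC2086
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net CLIENT NET/MASK: true when CLIENT lies inside the dotted net/mask
# pattern that hosts_access(5) accepts.
in_net() {
    net=${2%/*}; mask=${2#*/}
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$mask") )) -eq \
      $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ]
}

# ssh_allowed CLIENT: emulate tcpd's decision for the two files above.
# Returns 0 when the connection is granted, 1 when it is refused.
ssh_allowed() {
    if in_net "$1" "$MGMT_NET"; then
        return 0          # matched "sshd : <net>" in hosts.allow
    fi
    return 1              # fell through to "sshd : ALL" in hosts.deny
}

# Stage the files in a scratch directory and, when the tcp_wrappers test tool
# is installed, ask tcpdmatch (-d = read hosts.allow/hosts.deny from the
# current directory) for its verdict so the emulation can be compared with it.
stage_and_check() {
    dir=$(mktemp -d) || return 1
    hosts_allow_policy > "$dir/hosts.allow"
    hosts_deny_policy  > "$dir/hosts.deny"
    echo "--- hosts.allow ---"; cat "$dir/hosts.allow"
    echo "--- hosts.deny ---";  cat "$dir/hosts.deny"
    echo "--- iptables equivalent ---"; iptables_rules
    if command -v tcpdmatch >/dev/null 2>&1; then
        ( cd "$dir" && tcpdmatch -d sshd 192.168.2.10; tcpdmatch -d sshd 192.168.1.10 )
    fi
    rm -rf "$dir"
}

stage_and_check
for client in 192.168.2.10 192.168.1.10 10.0.0.5; do   # constructed sample clients
    if ssh_allowed "$client"; then
        echo "$client: sshd granted"
    else
        echo "$client: sshd refused"
    fi
done
```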

Overview

We know, thanks to Forrester Research’s recent surveys, that over 50% of IT organizations currently use virtualization or are running pilot programs with it. What we should know more about is both the security benefits of virtualization and the best practices for securing those virtual servers.

Note: In this article a Virtualization Server (VS) is the machine that Virtual Machines (VM) are virtualized on. A VM can be anything that runs in a virtual container, desktop, server, appliances etc.

Security Benefits of Virtualization

The security benefits of running VSes are many, including:

  • Isolation – Running an OS in a VM helps secure it from other apps; you can have each application in its own OS container, which keeps bad things that happen to an individual VM from spreading to others
  • Rollback – Experienced sysadmins know how important it is to be able to roll back changes that don’t work; getting the system back to a previous stable state is paramount for production machines, and VMs are much easier to roll back, being software only
  • Abstraction – The VMs have limited access to the physical hardware, the drivers are easier to manage and there is less chance of physical issues with the VMs than with an OS that runs directly on the hardware
  • Portability – The ease with which you can take a running VM and either migrate it to a new VS or get that VM up and running on another server can make the difference for disaster recovery. With the ability to virtualize the OS and data, it’s much easier to swap out to replacement machines, making patch testing and upgrading much easier too
  • Deployment – Deploying instances of individual servers is 10x easier with VM technologies; physical machine deployments are much more dependent on the physical hardware. Individual machine and OS security settings on the VS are important, and the ability to surround the VMs with appropriate security from the VS (such as using AppArmor to wrap a VM, allowing only a set number of functions) is also important to the security of each VM instance

Security Drawbacks of Virtualization

The chief security drawback of virtualization is anything that could affect the functioning of the VS, which includes any applications, services or activities that might negatively affect the VS’s ability to provide services to and properly host its VMs. You would not believe the things we have seen running on VS hardware, everything from BitTorrent to MP3 Shoutcast radio stations to very intensive file and print sharing.

It’s important to pare down the VS’s processes to the bare minimum, removing or disabling any daemons that are not needed, using chkconfig or the YaST Runlevel Editor. The typical VS might have up to 100 daemons running in runlevels 3 and 5, most of which are not necessary. Running the VS in runlevel 3 (no X started by default) will save a number of MB of RAM and decrease the load on the CPU from graphical tasks.

Wrapup

SearchServerVirtualization has a set of articles (some of which “inspired” this article) by Anil Desai which are excellent and right to the point in helping you secure your VSes and VMs. In particular, his tip articles “Virtualization Security Benefits” and “Improving VM Security” are both good overviews and contain valuable drill-down explanations to help you secure your VS/VM environments.

Enjoy,

RossB

I just found Sander van Vugt’s comprehensive article on TechTarget about how to configure and manage SLED desktops using just GNOME’s management features, it’s a good read and helps demystify some features of GNOME, such as:

  • Changing the Desktop Settings
  • Using the Desktop Profile Editor
  • Locking Down the Desktop

Enjoy,

RossB

Are you using Faronics Deep Freeze product to prevent users from adding to your IT helpdesk calls?  The product “freezes” the OS such that any changes (good or bad) being made to that computer (from say curious users or viruses) can easily be wiped out, and a clean OS state can be easily restored.  Used in places such as classrooms, labs, kiosks, or any other location with “at risk” devices.  Learn more about Deep Freeze here and here.

Formerly only available on Windows, the company announced that its Deep Freeze Linux product is now available.  It is currently only supported on SUSE Linux Enterprise Desktop.  Read the press release here (pdf).

The Novell Courseware Team has released Course 3068, Migrating to SUSE Linux Enterprise Server 10 for free.  You can download the kit and print the manuals out, but it’s not for reselling or further distribution.  This outstanding offering covers how to migrate from Red Hat Enterprise Linux to SUSE Linux Enterprise 10, and incorporates not only that team’s materials, but a lot of feedback from us in the field, all of which was taken into account, the result being a great course.

This is no puff piece that’s just out there so they could claim it existed, this is seriously useful material for the sysadmin in the trenches doing these tasks.  The list of topics the course covers are:

  • Installing SUSE Linux Enterprise Server 10
  • Using YaST
  • Configuring the Network
  • Managing the Linux File System
  • Managing System Initialization
  • Configuring Mail and Web Services
  • Using AppArmor
  • Managing Virtualization with Xen
  • Configuring iSCSI
  • Understanding Cluster File Systems

The course is available either as a free download, or you can use the course finder to locate an Instructor-Led version of the course.  If you are like me, you can study the download version and if you can make it to a class, then do so, but this is essentially a class-in-a-can, some assembly needed.  You can download the courseware kit, it includes:

  • Migrating from RedHat to Suse Linux Enterprise Server 10 Student Manual
  • Migrating from RedHat to Suse Linux Enterprise Server 10 Student Workbook
  • Course materials ISO file (for burning to a DVD)

The team thoughtfully includes a number of items on the DVD iso, including the manuals, Acrobat Reader for Windows and Linux, various setup instructions for a bare-metal lab system and two VMWare virtual machines for use with a virtualized lab system (ie: your spouse will shoot you if you blow away the kid’s Windows PC and install SLES 10 on it).

As a surprise bonus, they included a slightly older whitepaper by yours truly and a few team-mates as Appendix C.  It’s a whitepaper that I came up with as a way to show people how to do what this course now does, and includes some very useful tables and other side-by-side comparisons that will help you accomplish the migration.

Enjoy,

RossB

WOW, I want one of these. A company from France by the name of Calao Systems has come up with a complete Linux PC that fits into a slightly bulky USB Key form factor. Measuring 3.3×1.4 inches and sporting an ARM Processor, 256MB RAM, an Ethernet port and 2 USB ports, it also has a 50 pin expansion port.

Talk about your awesome Cyber-cafe security tool, you’d know no one was snooping on you if you booted their computer with your own version of Linux (SUSE, of course!) from a USB key that looks like this one:

Of course there are distributions of Linux that will FIT on a USB Key, but so far this is the smallest Linux PC I have seen.

RossB

Novell has done a lot of work to expand the use cases for SUSE Linux Enterprise Desktop. Today SLED can be deployed in a number of ways, from a fully locked down kiosk to a full blown laptop for general knowledge workers. Locked down environments are particularly useful in thin client computing models.

One of the most compelling reasons to deploy SLED over a proprietary desktop is the ability to lock it down at a very granular level. This means that you have the ability to lock down desktops so that EVERYTHING is locked down, or just a few things.

There are a number of tools included in SLED to lockdown the desktop. In this article we’ll discuss how to manually lockdown the desktop using:

  • Gconf
  • Permissions and groups
  • Removal of programs and modules
  • Configuring files/settings

GConf is a system used by the GNOME desktop environment for storing configuration settings for the desktop and applications. Each user has a .gconf directory stored in their home directory that stores their individual settings. There is also a global gconf directory located in /etc/opt/gnome/gconf/. Administrators can mark settings as “default” or prevent users from changing the settings by marking them as “mandatory”.

There are several lockdown options stored in GConf. There are two great tools to configure GConf keys, gconf-editor and gconftool-2.

  • gconf-editor (/opt/gnome/bin/gconf-editor) is a graphical tool that allows you to change local gconf keys or set global mandatory/default keys.
    • To set a key as mandatory or default, open gconf-editor as root, navigate to the key you want to set, right click on it and choose to set as mandatory or default.
    • You can search for gconf keys by going to the edit menu and choosing “find”.
  • gconftool-2 (/opt/gnome/bin/gconftool-2) is a command line tool which allows you to modify gconf settings. It can be used in a script to lockdown desktops as part of an automated/scripted deployment. Gconftool-2 is also very useful when writing scripts to build and lockdown KIWI based images. Listed below is an example of the syntax for changing a key which has a boolean value:
    • gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory --type bool --set /apps/metacity/general/reduced_resources true
    • Here is the syntax for setting a string gconf key:
    • gconftool-2 --direct --config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory --type string --set /apps/metacity/window_keybindings/begin_resize disabled
    • Note how both keys being modified are in the gconf.xml.mandatory directory. To make a key default rather than mandatory, switch gconf.xml.mandatory to gconf.xml.defaults.

GConf Schema is broken down into 5 main categories: apps, desktop, schema, schemas, and system. As far as lockdown is concerned the main categories of interest are apps and desktop. Listed below are some important gconf keys which you can modify to customize and lockdown your desktops. Remember that these keys can be set as default or mandatory for users.

  • /apps/gnome-screensaver/idle_activation_enabled –This will force the screen saver to come on when the session is idle
  • /apps/gnome-screensaver/idle_delay –The number of minutes of inactivity before the session is considered idle.
  • /apps/gnome-screensaver/lock_enabled –Set this to TRUE to lock the screen when the screensaver goes active.
  • /apps/nautilus/preferences/show_desktop –If set to true, then Nautilus will draw the icons on the desktop. If false the user will not be able to interact with the file system through the Desktop.
  • /apps/panel/global/locked_down –If true, the panel will not allow any changes to the configuration of the panel. Individual applets may need to be locked down separately however. The panel must be restarted for this to take effect.
  • /desktop/gnome/applications/main-menu/lock-down/search_area_visible –set to true if the search area should be visible and active.
  • /desktop/gnome/applications/main-menu/lock-down/user_modifiable_apps –set to true if the user is allowed to modify the list of user-specified or “Favorite” applications.
  • /desktop/gnome/background/picture_filename –File to use for the background image
  • /desktop/gnome/lockdown/disable_command_line –Prevent the user from accessing the terminal or specifying a command line to be executed. For example, this would disable access to the panel’s “Run Application” dialog.
  • /desktop/gnome/lockdown/disable_printing –Prevent the user from printing. For example, this would disable access to all applications’ “Print” dialogs.
  • /desktop/gnome/lockdown/disable_print_setup –Prevent the user from modifying print settings. For example, this would disable access to all applications’ “Print Setup” dialogs.
  • /desktop/gnome/lockdown/disable_save_to_disk –Prevent the user from saving files to disk. For example, this would disable access to all applications’ “Save as” dialogs.
  • /desktop/gnome/remote_access/ –There are a number of settings in this directory for configuring remote access through vnc.

There are many other useful keys and some new ones we have introduced in SLED 10 SP1. I suggest that you spend some time browsing through gconf with gconf-editor. Each key has a “description” associated with it that will give you some info on what it does.
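A scripted version of the lockdown described above, as an added example that is not part of the original article: it applies a kiosk-style selection of the listed keys to the mandatory (or defaults) source with gconftool-2 and reads each one back to confirm it stuck. The gconf directory and gconftool-2 path are the ones quoted in the article; the key selection and the DRY_RUN switch are my own.

```shell
#!/bin/sh
# Added example (not from the original article): write a set of GConf lockdown
# keys into the mandatory or defaults configuration source and verify them.
# Set DRY_RUN=1 to print the gconftool-2 command lines instead of running them.

GCONF_DIR=/etc/opt/gnome/gconf        # global gconf directory (from the article)
GCONFTOOL=/opt/gnome/bin/gconftool-2  # gconftool-2 location (from the article)

# config_source TIER: map "mandatory" or "defaults" to the xml:readwrite:
# source address gconftool-2 expects; anything else is rejected.
config_source() {
    case "$1" in
        mandatory|defaults) echo "xml:readwrite:$GCONF_DIR/gconf.xml.$1" ;;
        *) echo "config_source: tier must be mandatory or defaults, got '$1'" >&2; return 1 ;;
    esac
}

# gconf_set_cmd TIER TYPE KEY VALUE: the exact command line that sets the key.
gconf_set_cmd() {
    src=$(config_source "$1") || return 1
    printf '%s --direct --config-source %s --type %s --set %s %s\n' \
        "$GCONFTOOL" "$src" "$2" "$3" "$4"
}

# gconf_get_cmd TIER KEY: the command line that reads the key back from the
# same source, used to confirm the value actually landed.
gconf_get_cmd() {
    src=$(config_source "$1") || return 1
    printf '%s --direct --config-source %s --get %s\n' "$GCONFTOOL" "$src" "$2"
}

# Kiosk policy, one "type key value" per line. Constructed from the key list
# in the article; the values are a typical kiosk choice, not the article's.
KIOSK_POLICY='
bool /desktop/gnome/lockdown/disable_command_line true
bool /desktop/gnome/lockdown/disable_save_to_disk true
bool /desktop/gnome/lockdown/disable_printing true
bool /desktop/gnome/lockdown/disable_print_setup true
bool /apps/panel/global/locked_down true
bool /apps/nautilus/preferences/show_desktop false
bool /apps/gnome-screensaver/idle_activation_enabled true
bool /apps/gnome-screensaver/lock_enabled true
int  /apps/gnome-screensaver/idle_delay 5
'

# apply_policy TIER: set every key in KIOSK_POLICY, then read it back and
# fail if the stored value differs. With DRY_RUN=1 the commands are printed.
apply_policy() {
    tier="$1"
    echo "$KIOSK_POLICY" | while read -r type key value; do
        [ -n "$type" ] || continue
        cmd=$(gconf_set_cmd "$tier" "$type" "$key" "$value") || exit 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
            continue
        fi
        sh -c "$cmd" || exit 1
        got=$(sh -c "$(gconf_get_cmd "$tier" "$key")")
        [ "$got" = "$value" ] || { echo "$key: expected $value, got '$got'" >&2; exit 1; }
    done
}

# Only root on a SLED box with gconftool-2 can write the global source;
# everywhere else fall back to printing the commands.
if [ ! -x "$GCONFTOOL" ] || [ "$(id -u)" -ne 0 ]; then
    DRY_RUN=1
fi
apply_policy mandatory
```

Remember that, as the article notes, the panel must be restarted before /apps/panel/global/locked_down takes effect.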

Permissions and groups are another useful way of locking down desktops. You can modify permissions on particular applications so that only users who are in a specific group have access to them. In the example below I show you how to change permissions on Firefox and GNOME Terminal so that user1 can use firefox and gnome-terminal, but user2 can only use gnome-terminal.

#Here I create two groups
groupadd gnometerminal -g 203
groupadd firefox -g 204

#Here I assign local users to the appropriate group or groups
usermod user1 -A gnometerminal,firefox
usermod user2 -G gnometerminal

#Here I change the ownership of the applications to lock out others from accessing it and changing it.
chown root:firefox /usr/bin/firefox
chown root:gnometerminal /opt/gnome/bin/gnome-terminal

#Here I change the permissions of the applications to lock out others from accessing it and changing it.
chmod 754 /usr/bin/firefox
chmod 754 /opt/gnome/bin/gnome-terminal

Another way to lock down the system is by removing components. The easiest way to prevent users from using certain applications is by not installing them in the first place. You can remove applications by using the YaST software management module or by using the rpm -e command.

You can further lockdown the system by removing certain kernel modules. By removing the following module you can prevent the system from recognizing USB mass storage devices (like flash drives, usb drives, iPods etc.), but still use USB keyboards and mice.

/lib/modules/2.6.16.46-0.12-smp/kernel/drivers/usb/storage/usb-storage.ko (you can use the uname -r command to determine which version of the kernel you’re using).

While you can use gconf to prevent users from getting to terminals installed on the system you need to configure /etc/X11/xorg.conf to prevent access to virtual terminals. In the “ServerLayout” section add the following lines to prevent users from switching to a virtual terminal and to prevent them from killing X by typing ctrl-alt-backspace:

Option DontVTSwitch True
Option DontZap Yes

This article only shows a small subset of the lockdown functionality of SUSE Linux Enterprise Desktop, but it should get you well on your way. Have a lot of fun!

CRN recently conducted weeks of testing to compare Windows Vista and Windows XP for security features, and found interesting results.  Researchers found Vista had “marginal security advantages over XP”, and “Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools.”

The tests included vulnerability comparisons for:

  • Viruses
  • Spyware/Malware
  • Trojans
  • Remote Data Exploits
  • Flaws in Images
  • Spoofing
  • Scripting

While sometimes the CRN report is a tad harsh, it does strip bare the lofty claims of Vista’s much-improved security through wizards, check-boxes and agents.   Too bad we couldn’t get a SLED ad on those pages, to give everyone hope!

The report concludes: “… both the Vista and the XP test notebooks were almost equally damaged by viruses, trojans and other malware.  And because most of the Web sites in the test were able to exploit Vista’s weaknesses, Internet users are just about equally vulnerable with both OSes”.

The CRN report can be found here.

RossB

In a world where even SSH seems like it’s not enough, enter SBD. Yeah, it’s the same initials as something that we all said as kids, but it really refers to System Back Door.

SBD is an ultra-secure service that relies on the SBD protocol, one-time pads and the HMAC authentication routine to verify what you’re sending to it.

Effectively, it allows you to encrypt a single command that is sent to the server based on completely random and identical files on both systems, making it easy to send a wake-up call to an SSH server or other service with an almost-unbreakable one-time encrypted command.

After using the service on demand, you can then disable it with another SBD-secured command, or have the service disable itself automatically via scripting.

Linux.com has a great article about this, including make instructions for those who find they will need this additional security measure. The SourceForge project page, while, ahem, somewhat terse, is helpful too.

Enjoy,

RossB
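
To make the SBD post’s three ingredients concrete, here is an added example (not SBD’s own code or wire format): a shared random pad file plays the “completely random and identical files on both systems”, each command is XORed with the next unused slice of that pad, and an HMAC over what is sent lets the receiver reject forged, modified or replayed packets before it acts on anything. The packet layout (4-byte pad offset, ciphertext, 32-byte HMAC-SHA256 tag), the replay rule and the sample command are this example’s own assumptions.

```python
"""Added example (not SBD's code or protocol): one-time-pad encryption of a
single command plus HMAC authentication, with both sides built from the
same pad bytes and MAC key. Packet layout is an assumption of this sketch:
    offset(4 bytes, big-endian) || ciphertext || HMAC-SHA256 tag(32 bytes)"""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 digest size


class PadExhausted(Exception):
    """Raised when a command needs more pad bytes than remain unused."""


class Endpoint:
    """One side of the exchange; the other side is an identical object."""

    def __init__(self, pad: bytes, mac_key: bytes):
        self.pad = pad
        self.mac_key = mac_key
        self.offset = 0  # first pad byte not yet consumed; never rewound

    def _slice(self, offset: int, length: int) -> bytes:
        if offset + length > len(self.pad):
            raise PadExhausted("pad exhausted; distribute a fresh pad file")
        return self.pad[offset:offset + length]

    def _tag(self, msg: bytes) -> bytes:
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def seal(self, command: bytes) -> bytes:
        """XOR the command with the next unused pad slice, then MAC the
        offset and ciphertext together (encrypt-then-MAC)."""
        key = self._slice(self.offset, len(command))
        ciphertext = bytes(c ^ k for c, k in zip(command, key))
        msg = self.offset.to_bytes(4, "big") + ciphertext
        self.offset += len(command)  # this slice must never be reused
        return msg + self._tag(msg)

    def open(self, packet: bytes) -> bytes:
        """Verify the MAC before touching anything else, reject a packet that
        points at pad already consumed (a replay), then decrypt."""
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(self._tag(msg), tag):
            raise ValueError("bad MAC: packet forged or modified in transit")
        offset = int.from_bytes(msg[:4], "big")
        ciphertext = msg[4:]
        if offset < self.offset:
            raise ValueError("replay: that pad slice was already used")
        key = self._slice(offset, len(ciphertext))
        self.offset = offset + len(ciphertext)
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def xor_without_mac_is_malleable(command: bytes, pad: bytes, flip: bytes) -> bytes:
    """Why the HMAC is not optional: a bare one-time pad hides the command
    but does not protect it. XORing a pattern into the ciphertext XORs the
    same pattern into what the receiver decrypts, with no way to notice."""
    key = pad[:len(command)]
    ciphertext = bytes(c ^ k for c, k in zip(command, key))
    flip = flip.ljust(len(ciphertext), b"\x00")
    tampered = bytes(c ^ f for c, f in zip(ciphertext, flip))
    return bytes(c ^ k for c, k in zip(tampered, key))


def demo() -> bytes:
    """Constructed run: a fresh random pad and key shared by both sides,
    one wake-up command, and the receiver's view of it."""
    pad, mac_key = os.urandom(4096), os.urandom(32)
    admin, server = Endpoint(pad, mac_key), Endpoint(pad, mac_key)
    packet = admin.seal(b"rcsshd start")  # constructed sample command
    return server.open(packet)


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment of this idea: the pad offset is covered by the MAC and advances monotonically on both sides, so a captured packet cannot be replayed to start the service a second time, and the pad is consumed, never rewound, so the “one-time” property actually holds; once it runs out, the only correct action is to distribute a new pad file out of band.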

Yesterday the news of a supposed StarBasic virus (StarBasic is the scripting macro language inside OpenOffice.org and StarOffice) broke, with the press trumpeting the news that a virus had been discovered that put OpenOffice.org users at risk. The ArsTechnica article (an example of the slightly alarmist press coverage) concluded that OpenOffice was as vulnerable as any other office suite. The OpenOffice.org team released a statement that firmly assigns this situation to the oddity/curiosity/publicity stunt category.

Several customers have asked me if this is indeed an issue, and while we at Novell take security very seriously, this seems to be simply an attempt at gaining some notoriety rather than an actual threat to OpenOffice.org users. In fact, the authors of the supposed virus didn’t let the OpenOffice.org team know about it until after they had sent the virus code to the Sophos.com security team, a move considered extremely rude in security circles: the defending team needs to be told first in order to react properly and in a timely manner.

The Sophos.com team has commented on this situation in some detail, and the Director of SophosLabs puts all this into perspective by making light of the virus developer’s skills and the motivations behind the virus, and by questioning whether any of this is in good taste.

You can be certain that we are watching this situation, and as the 2nd most active contributor to OpenOffice.org next to Sun, we have engineers who understand the situation and any necessary actions will be pursued with alacrity.

If you have further questions about this, either leave a comment or email one of us, we’re listed on the contact page, or just click on my name below.

RossB

When you think of “open source” do you only think of Linux?  The fact is, there are thousands of software packages which are “open source”, and Linux is just one example. Another example is Asterisk – a completely free and open source PBX which runs on SUSE Linux Enterprise Server as well as many other flavors of Linux and Unix – even Mac OS X.

So if you’re in the market for an IP-based PBX, you might consider Asterisk as an option. Here’s an article from IT Manager’s Journal about how a car dealership in the Midwest US is using Asterisk for its enterprise.

It’s also worth mentioning that there is even a way to integrate Asterisk with Novell Identity Manager. A Novell partner has produced a new open source project called VoiceRD (with available commercial support) that’s based on Asterisk. It includes Asterisk, SLES 10, and AppArmor security. They also offer some short, narrated screencasts of basic setup and administration to give you a flavor for what it’s like.

Take a few minutes and look at the following list to see what’s advisable before you just plunk that box down and hook up the cable to the outside subnet.

  1. Determine Its Purpose
  2. Do the Installation Right
  3. Set Up an Adequate Firewall
  4. Configure TCP Wrappers
  5. Turn Off Non-Essential Services
  6. Secure Your Required Services
  7. Tune Kernel and Networking
  8. Connect to a Router
  9. Update the OS and Apps
  10. Additional Hardening

Additionally, you might want to look at the Tripwire, AppArmor, Bastille and Smoothwall (turns the box into a router/firewall) projects for step 10; there are a lot of good ways to increase your security for not much more trouble. The inspiration for this list came from this article, which goes further into the explanations for all of these.

In response to questions from readers, security expert James Turnbull answers some security related questions about Linux and Linux distros in this article from SearchEnterpriseLinux. The very first question was about AppArmor, an included feature of SUSE Linux Enterprise (both Server and Desktop). His answer…

“AppArmor is perfectly suitable as an alternative to SELinux.”

We have to agree, but we also think AppArmor is FAR easier to use.  If you’d like to learn more about AppArmor go here and to see Novell’s comparison of AppArmor vs SELinux, go here.

Did I mention that it’s included in SUSE Linux Enterprise, including the easy to use tools!?!?

Suddenly there are many layers to copy protection and anti-piracy. Not only does Microsoft have to try to stamp out piracy by people installing Windows versions on real hardware, it now also has to make the OS able to detect whether it has been virtualized.

Of course, all of this is moot if you use Linux, and particularly SUSE Linux Enterprise 10, where a single subscription covers the physical machine and allows as many virtualized instances of SLE 10 as you can fit on the box, for the same subscription and cost.

Moral of the story: rather than spending massive development cycles treating your customers like potential thieves, spend them making the OS inexpensive, easy to register and easy to manage.

Interesting article about how to increase your privacy at work in this day and age of corporate monitoring and compliance.