Enterprise Linux Log - A SearchEnterpriseLinux.com blog

A blog for Linux administrators covering Red Hat, SUSE, Ubuntu, Linux in data centers, Oracle Linux, Linux vs. Windows, Linux vs. Unix, interoperability, migration, the Linux kernel and more.

Rsyncrypto for encrypted remote file synchronization

When you keep files synchronized to a remote system, you want their contents protected should the remote copy end up in the wrong hands. rsync keeps the contents up to date, but it does not encrypt them itself. Rsyncrypto is an encryption package designed so that only the changed blocks of a file need to be transferred, which keeps synchronization with rsync efficient even though the stored data is encrypted.

Installation is straightforward: download the tar file, extract it and run the ./configure script. I used a C++ compiler and argtable2 on a CentOS 4.2 system during a test implementation.

Once rsyncrypto is installed, you can set up encryption for the files to be synchronized; as they change, the affected blocks of each file are re-encrypted with a specified key. Please note that rsyncrypto's encryption is not as robust as newer PGP-style encryption (such as GnuPG) applied to an entire file before rsync transfers it. Rsyncrypto is currently at version 1.06 and is available for download from SourceForge.
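To see why "encrypting the changed blocks" matters for rsync, here is an added example written for this post; it is not rsyncrypto's code. Ordinary CBC mode chains every ciphertext block to the one before it, so a one-byte edit changes every block after it and rsync has to resend the rest of the file. The rsync-friendly variant restarts the chain from the IV whenever the plaintext hits a content-defined boundary, so a change only propagates to the next boundary. The toy Feistel cipher built on HMAC-SHA256 stands in for AES so the script needs only the standard library (it is not a secure cipher), and the hash-based trigger stands in for rsyncrypto's rolling sum; the key, IV and file contents are constructed.

```python
"""Model of rsync-friendly CBC: the chain resets at content-defined boundaries.

Constructed example. The block cipher is a toy Feistel network built on
HMAC-SHA256 so that the script runs with the standard library only; it is
NOT a secure cipher and is not rsyncrypto's AES-based implementation.
"""
import hashlib
import hmac

BLOCK = 16          # 128-bit blocks, like AES
TRIGGER_MOD = 4     # constructed value: on average one boundary every 4 blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    """Round function: keyed PRF of (round index, half block), truncated to 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def is_boundary(plain_block):
    """Content-defined trigger. rsyncrypto uses a rolling sum over the
    plaintext; a hash of the plaintext block stands in for it here."""
    return hashlib.sha256(plain_block).digest()[0] % TRIGGER_MOD == 0


def cbc_encrypt(key, iv, data, resync=False):
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        p = data[i:i + BLOCK]
        c = block_encrypt(key, _xor(p, prev))
        out.append(c)
        # Plain CBC chains every block to the previous ciphertext block.
        # The rsync-friendly variant restarts from the IV after a boundary
        # block, so an edit only changes ciphertext up to the next boundary.
        prev = iv if resync and is_boundary(p) else c
    return b"".join(out)


def cbc_decrypt(key, iv, data, resync=False):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        p = _xor(block_decrypt(key, c), prev)
        out.append(p)
        # The decrypter recovers the same plaintext, so it finds the same boundaries.
        prev = iv if resync and is_boundary(p) else c
    return unpad(b"".join(out))


def changed_blocks(c1, c2):
    """Number of ciphertext blocks that differ, i.e. what rsync must resend."""
    return sum(1 for i in range(0, len(c1), BLOCK) if c1[i:i + BLOCK] != c2[i:i + BLOCK])


def demo():
    """Returns (blocks changed under plain CBC, blocks changed under resync CBC)."""
    key = b"constructed demo key, not for real use"
    iv = bytes(BLOCK)
    # Constructed 1024-byte file: 64 blocks of deterministic pseudo-random data.
    plain = b"".join(hashlib.sha256(b"file-block-%d" % i).digest()[:BLOCK] for i in range(64))
    edited = bytearray(plain)
    edited[160] ^= 0x01                      # one-byte change inside block 10
    edited = bytes(edited)
    plain_cbc = changed_blocks(cbc_encrypt(key, iv, plain), cbc_encrypt(key, iv, edited))
    friendly = changed_blocks(cbc_encrypt(key, iv, plain, resync=True),
                              cbc_encrypt(key, iv, edited, resync=True))
    return plain_cbc, friendly


if __name__ == "__main__":
    p, f = demo()
    print(f"plain CBC: {p} of 65 ciphertext blocks changed; rsync-friendly CBC: {f} changed")
```

The trade-off is visible in the code: because the chain restarts from the same IV, identical plaintext runs that begin at a boundary encrypt identically, which leaks more than a whole-file GnuPG encryption would. That is the "not as robust" caveat above, accepted in exchange for rsync being able to skip unchanged blocks.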

Openswan 2.4.11 and xl2tpd 1.1.12 packages for Ubuntu x86_64 (Feisty+)

The Ubuntu repositories are lagging when it comes to keeping up with Openswan development. Currently, the latest package in the Feisty pool is 2.4.6, while 2.4.11 was just released (with several bug fixes, including one that allows newer OS X clients to connect). The l2tpd package that provides an L2TP daemon is also old, because development on the l2tpd project seems to have stalled. The maintainers of Openswan, Xelerance, have forked l2tpd, creating xl2tpd.

Both pieces of software have already been Debianized, so it is just a matter of running dpkg-buildpackage to create the binary package files. I have updated the changelogs for both Openswan and xl2tpd and created .deb packages from the latest source code:

Openswan 2.4.11

xl2tpd 1.1.12

I will be writing an article on how to configure Ubuntu with Openswan and xl2tpd. Stay tuned!

Hope this helps!

Call for Entries - SearchEnterpriseLinux.com Products of the Year Awards

SearchEnterpriseLinux.com wants to help our readers discover the best of the best in Linux products for the enterprise in our 2007 Products of the Year awards. Nominate a favorite product you've used, or nominate your company's new product. Our editorial teams will be accepting submissions online until 5 pm PST on Nov. 9, 2007 in a wide range of categories, including: server Linux platform product (either a distribution release or a new, integrated server Linux offering); security applications/tools for Linux on the server; virtualization product for Linux on the server; and Linux administration tool.

To qualify, new or significantly upgraded products must have been shipped after October 31, 2006, and before November 1, 2007. Submit your entry today and let us know what you think are the top data center products on the market.

SELinux — is it *really* too complex?

I read a post this afternoon that surprised me a little, which is tough to do because I work on the Internet and I’ve basically seen everything humanity has to offer. Believe me, it’s not much.

What surprised me today is that the old axiom “SELinux is so difficult to use that most IT managers just switch it off” has bubbled to the surface again over at Kerneltrap.org.

The post at Kerneltrap is actually a snippet from a larger rant on the OpenBSD mailing list, which compares the security of SELinux to OpenBSD’s default security.

A thread on the OpenBSD-misc mailing list compared the security of SELinux in the 2.6 Linux kernel to what’s available in OpenBSD. The general opinion was that SELinux and its policy language are too complex, leading Damien Miller to note, “every medium to large Linux deployment that I am aware of has switched SELinux off. Once you stray from the default configurations that the system distributors ship with, the default policies no longer work and things start to break.” Ted Unangst summarized, “the problem with security by policy is that the policy is always wrong.”

I’ve written a few articles about SELinux over the past year and a half for this sole reason: complexity. I’m certainly no expert on the subject, but in 2006 and ‘07 I did get to hear from people at various Linux conferences and from interviews for other security stories that SELinux was a great piece of software — perhaps “too great.” As was argued above in the OpenBSD list, people were shutting it off because its NSA-powered muscles were breaking their systems. When that happens, you’ll find 9 times out of 10 an administrator will opt to shut the thing off and find another fix rather than invest the extra time and money, regardless of the features being promised him/her. So I started asking, “what’s being done? Who’s doing what?” and so on.

The folks at Red Hat were the most helpful, for obvious reasons (SELinux is baked into Red Hat Enterprise Linux), but I also interviewed a few SELinux experts for my research, including Karl MacMillan and Frank Mayer, co-authors of SELinux By Example. Mayer even wrote us a nice article on SELinux, called Five Ways SELinux may surprise you, that still does well traffic-wise on SearchEnterpriseLinux.com today. I also interviewed the guys in the trenches who had decided to shut the thing off and deal with it later.

What I discovered is that part of SELinux’s current dilemma is more easily fixable than the other, because it has nothing to do with technological chops and everything to do with public perception. Jim Klein, the director of information services and technology at the California-based Saugus Union School District, put it best: “The biggest problem for SELinux is mindshare,” Klein told me. “It developed a stigma early on due to the lack of tools for configuration and troubleshooting, which led people to simply turn it off.” Currently, Klein is one of the many IT guys who has the SELinux switch in the “off” position.

But Red Hat was ready for that, or so it seemed. At the Red Hat Summit in May, its SELinux guru Dan Walsh was beating the setroubleshoot drum as proof that his developers were listening and SELinux was turning a corner towards simplicity. Also known as SELinux Troubleshooter, setroubleshoot watches the audit log files for access vector cache (AVC) messages and sends reports to the IT manager when things go wrong, right or whatever. Walsh said SELinux has a new GUI in RHEL 5 to assist in management, as well as a set of configurable Booleans (read: if, then statements) that allow IT managers to modify network ports, file labeling and even user mappings. That particular session was one of the more packed ones I attended in San Diego that week. Does that mean anything in particular? Not really, as security is always a popular topic, but it was interesting given what’s still being debated today.

As Red Hat talks GUIs and tools and setroubleshoot (oh my!) those crafty OpenBSD guys are ready with a pithy retort (or is that snark?):

If the policy language was halfway sane then this wouldn’t be so bad - a skilled administrator could adjust the policy. Unfortunately:

1) skilled administrators are hard to come by, and their time is usually better spent *not* tweaking brittle mandatory access control policies

2) the SELinux policy language is nowhere near sane.

OpenBSD’s systrace suffers from #1 - it is a generic problem with these sorts of access control mechanisms, and it is one reason why it has never been enabled by default. The brittleness is a real problem - I use systrace for a few things and often need to update my policies because of software upgrades or libc changes. Oh, and “skilled administrator” means someone deeply familiar with the Unix system interface - not just a graduate of the certification course du jour.

The Linux solution to #2 seems to be to add various wizards and other abstraction between the administrator and the policy, rather than tossing the horrid mess and replacing it with something more comprehensible.

What this all means to me is that if we can find similar thoughts being shared outside of an OpenBSD mailing list (where Linux or SELinux surely don’t have the home field advantage they’re used to in, say, Linus Torvalds’ backyard), we might be onto something. That something? That SELinux should in fact be turned off indefinitely until this complexity issue is resolved.

Until then, however, I think we all should probably look into some advice I found in the Kerneltrap comment section:

If I wanted a fair comparison of OpenBSD and SELinux, the last place I would ask would be the openbsd-misc mailing list.

Could be good advice.

Related info: Our site expert James Turnbull has a brief comparison of SELinux and AppArmor (the latter being what Novell SUSE has to offer).
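The post above mentions that setroubleshoot watches the audit log for AVC messages. As an added example written for this post (not code from setroubleshoot, audit2allow or Red Hat), the script below reads constructed audit.log AVC records, groups the denials by source type, target type and object class the way audit2allow does, and renders the allow rule that tool would propose. The log lines, process names, contexts and the httpd scenario are constructed; the triage hints in the comments reflect the usual first response (fix a mislabeled file or flip a Boolean before writing new policy), which is exactly the gap between "default policy" and "real deployment" the OpenBSD thread complains about.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of /var/log/audit/audit.log AVC records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190000000.101:201): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190000000.102:202): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/www/index.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190000000.103:203): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1190000000.104:204): avc:  denied  { read } for  pid=2347 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# One AVC record: timestamp:serial, denied/granted, the permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        # A context is user:role:type[:level]; policy rules are written against the type.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name") or fields.get("dest"),
    }


def summarize(log_text):
    """Group denials as audit2allow does: one bucket per
    (source type, target type, object class) with the union of permissions."""
    buckets = defaultdict(lambda: {"count": 0, "perms": set(), "targets": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        bucket = buckets[(rec["source_type"], rec["target_type"], rec["tclass"])]
        bucket["count"] += 1
        bucket["perms"] |= rec["perms"]
        if rec["target"]:
            bucket["targets"].add(rec["target"])
    return dict(buckets)


def te_rule(key, perms):
    """Render the allow rule audit2allow would propose for one bucket.
    Triage comes first: a user_home_t target usually means a mislabeled file
    (restorecon or a file-context rule), and a well-known port such as the
    mysqld_port_t one usually has a Boolean; a new allow rule is the last resort."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for key, bucket in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{bucket['count']} denial(s) on {sorted(bucket['targets'])}")
        print("  proposed:", te_rule(key, bucket["perms"]))
```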

Mainframes, Linux, and cost advantages

Occasionally throughout the summer I’ve been chatting and emailing with Saugatuck Technology analyst Charlie Burns about mainframes, IBM and Linux. Many people have argued over the past year that the mainframe is dying out (again), but Burns and some very telling market trends go against that grain with a 180 degree turn: the mainframe is surging, and it’s all thanks to Linux.

I’ll have an article up a bit later this week (or early next) detailing just exactly what is going on in this space, but for now I thought I’d include one of the recent emails Charlie sent me that covers some of the basic cost advantages of the mainframe.


Mainframe Cost Advantages
By Charlie Burns
Vice president, Saugatuck Research Inc.

Architecturally-based advantages in the hardware, the operating systems, and in the virtualization functionality enable mainframes to manage multiple diverse workloads based on business objectives and deliver exceptional cost reductions. If we compare the costs of using mainframes to those of conventional servers as noted earlier, we find the following:

  • Technical support and maintenance costs. By consolidating and centralizing the capabilities of dozens of servers into a single platform, use of a mainframe drastically reduces the redundancies and differences that are de rigueur in server farm environments. If we accept conventional industry wisdom that states a minimum of 70 percent of IT costs are labor - and that the majority of labor costs are training and support - it’s easy to see how mainframes can quickly free up IT budgets for more strategic investment such as new application development.
  • Software licensing and maintenance costs. Since most operating, middleware, and application software is licensed to each server it is used on, a mainframe offers substantial software savings. In a mainframe, the computing capacity applied to software can scale dramatically. Literally, hundreds of virtualized server images can operate in a single mainframe under a single license, thus, avoiding additional license and maintenance fees. In addition, the IBM System z has the capability of running specialized processors for Linux and for some application workloads. These processors are priced substantially lower than the base processors. Thus, the System z delivers both hardware and software saving on a broad scale when compared to individual x86 server platforms.
  • User and IT training costs. Training costs tend to be driven by the number and complexities of multiple applications and operating systems. By enabling the use of all leading operating systems and applications within single platform, mainframes drastically reduce the need for training.
  • Utility and environmental costs. Mainframes require substantially smaller amounts of power, UPS capacity, cooling, and floor space when compared to the environmental requirements of an x86 server farm with equivalent processing capacity. The mainframe’s advantage is even more substantial when one considers the reduced amount of storage and inter-connection equipment compared to an x86 server farm.
  • Security costs. Mainframes enable centralization of software and application interfaces. Centralization of software enables vastly improved security management by reducing the number and types of access points. Additionally, because of its heritage, security is architected into the mainframe and is uniquely robust. For example, the IBM System z family of mainframes provides security against information flow between virtual machines. The System z was first certified in mid-2003 as Evaluation Assurance Level 5 (EAL 5) by meeting the Common Criteria standard ISO 15408. Comparatively, virtualization on x86 server platforms requires security to be added and layered as part of the operating system, applications, databases, and so on – further increasing both the complexity and cost of security, while adding more points of vulnerability due to incompatibilities between security systems and other software.

An Elementary Roadmap
Saugatuck recommends that every company with more than 20 x86 servers should perform a thorough evaluation of existing workloads and servers with the following steps in mind:

  1. x86 servers yielding the largest savings should be migrated to the mainframe first (e.g., those with unique infrastructure support requirements)
  2. x86 servers with the lowest utilization should be migrated early
  3. Assets with an upcoming compelling event (e.g., need for capacity upgrade, lease expiration, etc.) should be migrated before incurring the expense
  4. x86 servers/workloads should be aggregated by user department to leverage strong buy-in
  5. Oldest technology x86 servers should be migrated early
  6. Focus on real estate by freeing up contiguous raised floor space or eliminating sites as early as possible

An interesting analysis. More to come later this week!

Of Samba bugs and 3.0.26a

We just put a Samba tip up the other day regarding bugs and bug fixes, so it’s kind of ironic that Jerry Carter, release manager for the Samba team, sent out a few bug updates today to the mailing list.

The first, complete with patch availability:

===========
Description
===========

The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user’s home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the “winbind nss info” smb.conf option to either “sfu” or “rfc2307”.

Both the Windows “Identity Management for Unix” and “Services for Unix” MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user’s Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.0.26 has been issued as a security release to correct the defect.

==========
Workaround
==========

Samba and Active Directory administrators may avoid this security issue by two methods:

(a) Ensure that all users stored in AD are properly assigned a Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 “winbind nss info” plugin until a patched version of the idmap_ad.so library can be installed.

Note that the problem is only evident on servers using the sfu or rfc2307 “winbind nss info” plugin and not those only making use of Winbind’s idmap_ad IDMap backend interface.

There is also version 3.0.26a available for download today, complete with bug fix (Memory leaks in Winbind’s IDMap manager).

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

http://download.samba.org/samba/ftp/

The release notes are available online at:

http://www.samba.org/samba/history/samba-3.0.26a.html

Binary packages will be made available on a volunteer basis at

http://download.samba.org/samba/ftp/Binary_Packages/
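The defect above turns an absent directory attribute into primary group 0, the root group, for a domain user. As an added example written for this post (not Samba's code), the script below models the lookup in the form the advisory describes and in a hardened form that fails the lookup instead of inventing a group, and then gives the two checks an administrator carrying out workaround (a) would want: list the AD users that lack the gid attribute for the configured schema, and flag any Winbind-supplied passwd entry that has ended up in gid 0. gidNumber (RFC 2307) and msSFU30GidNumber (Services for Unix 3.0) are the real schema attribute names; the user entries, the EXAMPLE domain and the getent output are constructed.

```python
# Constructed AD user entries (the Unix attributes a directory export would show).
# gidNumber is the RFC 2307 attribute; msSFU30GidNumber is the Services for Unix 3.0 attribute.
AD_USERS = {
    "alice": {"gidNumber": "10001", "unixHomeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    "bob":   {"msSFU30GidNumber": "10002", "msSFU30HomeDirectory": "/home/bob", "msSFU30LoginShell": "/bin/bash"},
    "carol": {"unixHomeDirectory": "/home/carol", "loginShell": "/bin/bash"},  # no Unix primary group set
}

# Which attribute the "winbind nss info" setting makes the plugin read.
GID_ATTRIBUTE = {"rfc2307": "gidNumber", "sfu": "msSFU30GidNumber"}


def primary_gid_vulnerable(entry, schema="rfc2307"):
    """Behaviour the advisory describes: an absent attribute silently becomes gid 0."""
    return int(entry.get(GID_ATTRIBUTE[schema], 0))


def primary_gid_fixed(entry, schema="rfc2307"):
    """Hardened model (constructed policy): never synthesize a group. An absent or
    zero value fails the lookup, so getpwnam() reports no such user rather than
    returning a member of the root group."""
    attr = GID_ATTRIBUTE[schema]
    value = entry.get(attr)
    if value is None or not value.isdigit() or int(value) == 0:
        raise LookupError(f"no usable {attr} on entry")
    return int(value)


def fixed_lookup_fails(entry, schema="rfc2307"):
    """True when the hardened lookup refuses the entry."""
    try:
        primary_gid_fixed(entry, schema)
    except LookupError:
        return True
    return False


def users_without_unix_group(users, schema="rfc2307"):
    """Workaround (a): every user the plugin will serve must carry the schema's gid attribute."""
    attr = GID_ATTRIBUTE[schema]
    missing = []
    for name, entry in users.items():
        value = entry.get(attr)
        if value is None or not value.isdigit() or int(value) == 0:
            missing.append(name)
    return missing


# Constructed `getent passwd` output from a Winbind member server (default winbind separator "\").
GETENT_OUTPUT = """\
root:x:0:0:root:/root:/bin/bash
EXAMPLE\\alice:*:10001:10001:Alice:/home/alice:/bin/bash
EXAMPLE\\carol:*:10003:0:Carol:/home/carol:/bin/bash
"""


def gid0_domain_users(passwd_text, separator="\\"):
    """Detection on a running server: domain accounts (those carrying the
    winbind separator) whose primary group field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        name, _pw, _uid, gid, *_rest = line.split(":")
        if separator in name and gid == "0":
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("vulnerable lookup for carol ->", primary_gid_vulnerable(AD_USERS["carol"]))
    print("hardened lookup fails for carol ->", fixed_lookup_fails(AD_USERS["carol"]))
    print("AD users missing rfc2307 gid:", users_without_unix_group(AD_USERS))
    print("domain users in gid 0 on this server:", gid0_domain_users(GETENT_OUTPUT))
```

Note that the AD audit is schema-specific: bob has only the SFU attribute, so he is fine under "sfu" and exposed under "rfc2307", which is why the check takes the same setting that smb.conf does.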

A step-by-step guide to building a new SELinux policy module

Are people still terrified of SELinux? Of its complicated policy module creation and its rule-by-the-fist mentality toward Linux systems? Oh right, they are. That’s why over the past year every conference I’ve attended had a session about SELinux and how much easier it is to use than it was last year.

Red Hat Magazine editor and SELinux guru Dan Walsh:

“Who’s afraid of SELinux? Well, if you are, you shouldn’t be! Thanks to the introduction of new GUI tools, customizing your system’s protection by creating new policy modules is easier than ever. In this article, Dan Walsh gently walks you through the policy module creation process.

A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they’re done. This article explains how I build a policy module and gives you the step-by-step process for using the tools to build your own.”

Hmm, magic. Good one. I think when SELinux does work as advertised you’d be hard pressed to find a Linux administrator who doesn’t attribute some of that success to the Black Arts.

Does SELinux work? Is it really powerful? You bet it is, but maybe *too* powerful, since users are routinely switching it off when it doesn’t allow them to do anything with their own systems.

Luckily for you RHEL users out there, Walsh goes beyond magic tricks and lays out a step-by-step explainer for SELinux policy module creation in his latest article at Red Hat Magazine. He advises users to start small, use new tools like polgengui, and then he just goes crazy with the steps (complete with screen grabs for the visual learners, like myself).

It’s a good read, and if my experience with Walsh is any indication (I’ve seen his presentation at the Red Hat Summit), there will be more to follow.

OpenID: One ID for the entire Internet

Now here’s a cool little technology that you may or may not have heard of: OpenID.

It’s like single sign on, but simpler. That’s the angle presented by the project’s leaders anyway, and it appears to be working. This little two-year-old technology currently has 5,000 web sites around the world supporting it, with 120 million individual users (or “OpenID’s” as they’re called by those in the know). That number is projected to grow to approximately 500 million by the end of the calendar year.

I learned a little more about OpenID at this month’s LinuxWorld Conference and Expo in between takes of our highly acclaimed video blogging efforts in the lobby of the Moscone Center. Our good friend and expert Bernard Golden happened to walk by in the right place at the right time, and close behind him was Scott Kveton, the chairman of the OpenID board.

Long story short, Scott and I set up a call last week to talk about OpenID.

First, let’s let the OpenID web site explain just what OpenID is, shall we?

For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photo stream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.

For individuals, OpenID means the elimination of multiple user names and passwords and a smoother, more secure, online experience. For businesses, this means a lower cost of password or account management, the opportunity for easier and higher numbers of new user registrations and the elimination of missed transactions because of user frustration with lost and forgotten passwords. OpenID allows for innovation in the authentication space beyond just using a password to “unlock” your OpenID identity, but the ability to strongly protect your OpenID and have that benefit move with you everywhere you go online.

Kveton bills OpenID as the antithesis of older technologies like Microsoft’s Passport and the Liberty Alliance Project, and with growth as big as he was projecting last week, I’d be hard pressed not to agree with him. “There’s just too many ways to ID users in too many places,” he said. “[OpenID] is super simple. Passport, Liberty Alliance — these are too heavy and complicated.”

But what about security? Well, Kveton had an answer for that too, and again it came back to Microsoft Passport. OpenID is a decentralized system, meant to allow a user or a developer to spit out an application “in an afternoon,” Kveton said.

With applications like Passport, all of the user information (ID, passwords, personal information) is owned by Microsoft. OpenID is not, a trait Kveton maintains was monumentally helpful in getting the millions of users on board since the project’s inception in 2005. Ten times out of ten I’m going to guess a user wants total control over their private info, no?

That said, phishing could still be construed as a concern — as it could be for any ID/single sign-on system. “A big concern is that OpenID could become a huge target for phishing; someone who could access your OpenID can get all the sites you visit.” However, even with this superficial concern OpenID has thrived because many users are already comfortable trusting a third-party site for password management. Confused? Think of it this way: when you last forgot your Gmail password, how did you get it back? You trusted Google to send you a new one. To me this means the same due diligence required of today’s email passwords will be required in the OpenID era. Basically, don’t be stupid with your sensitive information and you’ll be just fine.

The ultimate goal for OpenID is an ambitious one: to create a unique ID for each individual user that works for the entire Internet. “OpenID by itself is a nice technology … the ability to move data and have a basic, portable social network is what will be the key driver however,” Kveton said. It’d be like a permanent, completely portable ID that would follow you to every site and simply work, no questions asked. Think of all the time you’d save — you’d have time to shop in your underwear for, like, an additional five minutes each day. Now that’s Web 2.0.

On the legal side of things, the OpenID Foundation formed in June 2007 to help manage intellectual property, marketing efforts and other activities related to the success of the OpenID community. The singular goal of the OpenID Foundation, its web site says, is to protect OpenID so that it may be used by any and all that want to.

“The goal [of the foundation] is not to drive technology or the community,” Kveton said. “It is to take care of the technology; to take care of trademarking hoops, IP, and provide a framework so the community can thrive around the technology.”

Half a billion users by 2008? Sounds like some serious thriving to me.
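The post above says OpenID is built from URIs, HTTP, SSL and Diffie-Hellman and lets a site accept a login without ever holding the user's password. As an added example written for this post (not code from the OpenID project or any library), here is a simplified model of the OpenID 2.0 positive assertion: the provider signs the fields listed in openid.signed with an HMAC over their key-value form, and the relying party checks that the assertion was meant for it, that the signature covers the fields that matter, that it verifies, and that the nonce has not been seen before. The shared MAC key is fixed here instead of being negotiated over Diffie-Hellman, and the endpoints, identities and nonces are constructed. These checks defend the site against forged or replayed assertions; they do not address the phishing concern Kveton raises, which is about the user typing a password at the wrong provider.

```python
import base64
import hashlib
import hmac

# Constructed association. In OpenID 2.0 the relying party (RP) and the OpenID
# provider (OP) agree this MAC key beforehand, normally over Diffie-Hellman;
# it is simply fixed here so the example runs offline.
ASSOCIATIONS = {"assoc-demo-1": b"constructed-demo-mac-key"}

# Fields a positive assertion must sign (claimed_id and identity when present).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


def kv_form(fields, signed):
    """Key-value form of the signed fields, in order, without the openid. prefix."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)


def sign(fields, mac_key):
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def op_positive_assertion(assoc_handle, claimed_id, return_to, nonce):
    """What the OP sends back to the RP after the user has logged in (constructed values)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, ASSOCIATIONS[assoc_handle])
    return fields


def rp_verify(fields, expected_return_to, seen_nonces):
    """Relying-party checks on a positive assertion. Returns (ok, reason)."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    # The assertion must be addressed to this site, not lifted from another one.
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    signed = fields.get("openid.signed", "").split(",")
    if any("openid." + name not in fields for name in signed):
        return False, "signed field missing"
    # An attacker who can rewrite openid.signed must not be able to drop a field.
    for name in REQUIRED_SIGNED:
        if name not in signed:
            return False, f"{name} not covered by signature"
    mac_key = ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Run a valid assertion and three rejected ones; returns reason per case."""
    rp_url = "https://rp.example.com/openid/finish"
    seen, results = set(), {}
    good = op_positive_assertion("assoc-demo-1", "https://alice.example.org/", rp_url, "2007-08-21T12:00:00Zabc001")
    results["valid"] = rp_verify(good, rp_url, seen)[1]
    results["replay"] = rp_verify(good, rp_url, seen)[1]
    tampered = dict(op_positive_assertion("assoc-demo-1", "https://alice.example.org/", rp_url, "2007-08-21T12:00:01Zabc002"))
    tampered["openid.identity"] = "https://admin.example.org/"
    results["tampered"] = rp_verify(tampered, rp_url, seen)[1]
    stray = op_positive_assertion("assoc-demo-1", "https://alice.example.org/", "https://other.example.net/finish", "2007-08-21T12:00:02Zabc003")
    results["wrong_return_to"] = rp_verify(stray, rp_url, seen)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:16s} -> {reason}")
```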

Novell sites encourage continued adoption of (Novell) Linux in the enterprise

Novell today launched a few video/blog-intensive sites billed as a way to further promote Linux in the enterprise — so long as when you say “Linux” you’re actually talking about SUSE Enterprise Linux 10 (SLES 10). Entitled “Your Linux Is Ready,” the site is Web 2.0 friendly and calms your eyes and frayed GPL nerves with a soothing SUSE gecko green.

I checked out the site this morning, and it’s a fairly slick collection of stuff that’s existed for a while (Dr. Jeff Jaffe’s CTO blog; press releases masquerading as case studies crying Novell’s Linux-savvy solutions from the rooftops), alongside brand new video “interviews” with folks like Nat Friedman, chief technology officer, open source; and Crispin Cowan, director of engineering, SUSE Enterprise Linux. These gentlemen provide several multi-chapter looks at the technologies Novell is working on today. It’s interesting to note that Microsoft isn’t mentioned anywhere — at least in the few I viewed this morning.

The topics fall into the four main categories that Novell has pushed for the better part of the last year and a half: Desktop, Server, Xen in the enterprise, and AppArmor security. The Xen and AppArmor stuff is fairly interesting, and I imagine both will be getting their fair share of coverage at LinuxWorld next week (both technologies have sessions devoted to them).

There’s also a second site that tackles Unix to Linux migrations entitled “Your Linux is Ready,” that hosts a series of whitepapers, podcasts, blog posts and corporate announcements. There’s also a man in a suit riding a bike. No word yet on whether he’s chasing Red Hat or not (I kid the gecko, honestly).

HP earns EAL 4 certification on Linux

Today HP execs wrote to tell us that their company has been awarded a top international Linux security certification. The certification, called the Evaluation Assurance Level 4 (EAL4+) Common Criteria security certification for Red Hat Enterprise Linux 5, applies to HP servers, workstations and notebooks.

In June, if you’ll remember, IBM was awarded the same EAL4+ certification for RHEL5 running on IBM System x, System p, System z, and BladeCenter servers.

This cert is part of the Common Criteria Evaluation and Validation Scheme (CCEVS), an internationally recognized standard used by governments and businesses worldwide to determine the level of security and assurance of IT products. CCEVS, undertaken by the National Information Assurance Partnership (NIAP), is part of a collaboration between the National Institute of Standards and Technology and the National Security Agency.

HP has been awarded EAL4+, the highest level of assurance for an unmodified, commercial operating system, for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile, and Role-Based Access Control Protection Profile for Red Hat Enterprise Linux 5 on HP Integrity, ProLiant and BladeSystem platforms as well as select workstations and desktops.

According to HP, the company worked with Red Hat and the Linux community to develop the features required for the EAL4+ certification. This included contributions to help customers integrate a Linux system into a mixed network with other trusted operating systems. As part of HP’s Secure Advantage product portfolio, this certified product offering helps companies protect data and resources across their entire IT infrastructure to achieve better business outcomes.

The LSPP profile enables HP and its partners to build applications with multiple levels of security. This capability allows government agencies and commercial businesses to collaborate securely by sharing applications with different security clearances on a single system and still have assurance that the system will enable only authorized access at the appropriate level.