On Friday, Aug. 22, openSUSE announced that its newest version, 11.1, will support Security Enhanced Linux, or SELinux. Novell’s security tools, AppArmor and SELinux, have traditionally been considered intense rivals. In this interview, openSUSE’s Andreas Jaeger, Roman Drahtmüller and Matthias Eckermann discuss openSUSE’s support of SELinux.

OpenSUSE now has basic enablement with SELinux. That’s great for SELinux users now, but will openSUSE be able to integrate new patches for SELinux?

Andreas Jaeger : OpenSUSE is developed with a community approach; We are proud to have opened the openSUSE build service to the community, with the option to develop and package open source software cross-distribution.

As SELinux is a cross-distribution effort, we encourage members of the SELinux community to participate in the openSUSE build service: to develop, test-drive and integrate new user land patches and tools into openSUSE and other distributions using our cross-distribution service. This way, all distributions running with SELinux enabled in the Linux kernel will benefit.

Is support of SELinux indicative of a larger industry trend toward interoperability?

Roman Drahtmüller: Novell observes a tendency in the industry to increase the security value of a system by introducing additional controls beyond the scope of the application. This means the application is exposed to these controls but cannot change them.

In moving from AppArmor to SELinux, does a company sacrifice compliance benefits?

Drahtmüller: AppArmor profiles for application containment and confinement are comparatively easy to manage throughout an infrastructure. Creating them is a distinct, low-pain checkmark item. The same applies to evaluating log messages that record possible violation attempts against protected system services.

For customers, the transition to SELinux may need a change in thinking and architecture, but also allows for the definition of a complete policy in a system. It helps to disallow actions that are not subject to a defined policy. There are environments that require such a functionality — regardless of the cost associated with it — for compliance reasons.

We anticipate that customers with these requirements will aim for a SUSE Linux Enterprise operating system, as it targets the special needs of customers working in compliance-bound environments.

Security tools have created a tradeoff between capability (SELinux) and usability (AppArmor). Is Novell’s approach to this tradeoff changing with its basic enablement of SELinux?

Matthias Eckermann: As in earlier releases of our product, openSUSE 11.1 reflects our belief in the value of additional security mechanisms in the operating system. The benefit of such mechanisms is maximized if the configuration and administration is as transparent, straightforward and as easy as possible for administrators.

Security needs that aim toward mandatory access control, mandatory integrity control or even multi-level security require a suitable architecture. With the basic SELinux enablement, we will allow our partners and customers to use such an architecture to implement solutions that fulfill their specific needs.

Nevertheless, we want our users to be able to choose their own priorities between administrative effort and functional benefit.

What do you think? Leave a comment below or contact chunter@techtarget.com.

The products, in providing fuller access to information about what and how your system is doing, promise to make system management more practical and security maintenance more immediate.

The products being released this week at LinuxWorld integrate log file management with a variety of other tasks. They can simultaneously manage log files and collect and manage messages, traps and alerts as well as statistics from all system areas.

As one administrator commented on the blog of Splunk CEO Michael Baum, “Log file management is DEAD.” It is becoming just one side of the larger task of system management. For help on configuring Splunk, check out this tip.

Called “lockdown profiles,” these features enable IT managers to quickly assess systems for security and compliance with four distinct sets of security standards: PCI DSS (credit card security standards), JAFAN (Joint Air Force Army Navy), DCID (Director of Central Intelligence Directive) 6/3, and CIP (Critical Infrastructure Protection). The four profiles are an addition to the company’s product Security Blanket Enterprise Edition.

They are also the most recent in a series of releases from TCS in the past year. The LinuxWorld release of Security Blanket Enterprise Edition will also be able to take snapshots of system security configuration and then provide those snapshots for simplified comparison to previous configurations.

Security Blanket Enterprise Edition supports Red Hat Enterprise Linux versions 4 and 5, CentOS versions 4 and 5 and Oracle Enterprise Linux versions 4 and 5.

The Subversion project, licensed as free and open software by CollabNet, began as a replacement for Concurrent Versions System (CVS). SVN has since grown beyond just fixing what was wrong with CVS and has come into its own as a great software configuration management tool. SVN 1.5 has upped the ante with support for tasks like the following:

• merge tracking;
• sparse checkouts;
• interactive conflict resolution;
• changelists, as well as
• WebDAV transparent write-through proxy; and
• several back-end improvements for speed and reliability.

Merge tracking is probably the most anticipated feature. During development, a developer sometimes creates a new branch in the code repository while creating a new feature. During this process, a developer merges code that gets added to the stable mainline while he continues the new feature work. When the new feature is complete, the feature branch is merged into the mainline.

Previously, the developer would have had to keep track of which revision he began the branch at – and which revisions were merged into the feature branch. With SVN 1.5.x, a server keeps track of this for you. You just issue the svn merge command with the source you want to merge from, and it records what has been done. When you want to bring your branch into the mainline, svn merge --reintegrate brings it in. To top it off, in the event of a conflict, interactive conflict resolution during a merge makes the process much easier.

The second biggest feature is the WebDAV transparent write-through proxy. Imagine that your SVN server is in the U.S., but there are developers working on the project in Asia as well. SVN operations done from that distance can be slow, especially with a large repository and a fresh checkout. With this feature, you can place a server in Asia for developers there to use. It will serve “read” requests like checkouts and updates locally, and write requests will be passed along to the “master” server back in the U.S. As an added bonus, this “proxy” server in Asia is a mirror of your “master” server in the U.S. in case disaster strikes.

Merge tracking and WebDAV transparent write-through proxy, as well as everything else that Subversion can do, make it a great enterprise software configuration management tool.

This blog post was written by Matt McDonough, assistant editor.

If the enthusiasm of Fedora Project leader Paul Frields and Red Hat software engineer Jesse Keating is any indication, Fedora 9 LiveUSB Creator will likely be the most popular new feature in the next release. As they discussed LiveUSB at the fourth annual Red Hat Summit in Boston last week, Frields and Keating almost glowed about the prospects for the new offering and provided some hints on new features for Fedora as well.

And the capabilities aren’t shoddy. A user, for example, can load Fedora 9 onto a USB drive in the form of a live image, enabling duplication of an entire OS as a live image, complete with an entire hard disk’s worth of files and applications. That’s impressive, because you can shrink down a complex infrastructure and place it on a USB drive as small as 2 GB. Of course, the more memory you have on your USB drive, the more operating systems you can carry around in your pocket or on your key chain. Another benefit of creating a live image of an OS is that a user can download and integrate software updates, applications and files whenever they are needed.

The best feature by far of LiveUSB is the ability to take the USB drive, plug it into any machine, and then boot that machine off of the USB drive so that users have their entire OS in front of them no matter where they are. As you can see in the video below, the USB key with the live image can boot on any machine with no difference in functionality.

Not surprisingly, this technology has received a lot of attention at Red Hat. “All of the things we’ve talked about today we’re looking to capitalize on in our next version of Red Hat Enterprise Linux (RHEL),” Keating said. “I can’t tell you exactly what will be in the next version because it’s not my responsibility to know, … but I can say there is a lot of interest in using this technology.”

While it’s questionable how useful the technology will be for enterprise-level IT professionals in its current form, Fedora 9 and LiveUSB could have broad capabilities if modified for enterprise purposes. IT professionals could transfer broad interfaces to a physical or virtual server with just a USB stick. But for IT novices, it’s a cool program that to take your home OS almost anywhere without lugging a tower around with you.

For more on LiveUSB and Fedora 9, check out the Fedora Project homepage. as well as this video, where Frields discusses Fedora 9 in greater depth and where Red Hat plans to take it.

[kml_flashembed movie="http://www.youtube.com/v/AyOGwgV4xyU" width="425" height="350" wmode="transparent" /]

As the VAR Guy noted in a recent blog post on the upcoming Red Hat Summit, Red Hat has some gumption. The Raleigh, N.C.-based company has crossed the Mason-Dixon line to hold its annual event in Boston, the territory of its rival, Waltham, Mass-based Novell: What chutzpah!

Not to be outshined, Novell has made its presence known, posting some conspicuous advertising in the Hynes Convention Center, the location for this year’s Red Hat Summit, the VAR Guy reported.

But whether Red Hat’s choice of venue is a real shot across the bow or not, there’s little doubt that that over the past several years, the Red Hat/Novell rivalry has gotten pretty heated. One could date the boiling tensions to 2006, when Novell signed an agreement with Microsoft to share product patents. In 2007, the two companies agreed to work toward interoperability and have even dedicated a lab to that purpose.

By joining forces, Microsoft and Novell aim to gain an even stronger foothold in the open source market, though some data indicates that both the Red Hat and Ubuntu distributions have made strides against Novell SUSE. A new survey on open source adoption may support these findings.

The VAR Guy also noted Cisco’s expected prominence at the Summit and wondered whether it might signal an upcoming Cisco/Red Hat partnership, much like Microsoft’s with Novell. Or maybe Cisco’s “cozying up,” as the VAR Guy characterized it, is more a case of “The enemy of my enemy is my friend.” Consider this user comment in response to the Var Guy’s musings:

“Cisco now views Microsoft as its #1 threat in unified communications and other areas,” the user wrote. “I think they are just solidly placing themselves on the other side to be honest. They see a cost/competitive advantage and want to help set the ‘other’ standard.”

Stay tuned from the frontlines for more Red Hat Summit coverage.

Building a Jabber Server

A jabber server builds from the jabberd2.x release, which is licensed under the GPL. Once running, a jabber server will provide support for your internal IM clients. Should you need to have external IM contacts that cannot connect to your internal IM server, some of the jabber clients can connect contacts from other Internet IM services.

The enterprise IM server can also take a big load off of your email server from a storage and message traffic perspective. Too many times, long threads of email traffic with one-line replies waste resources on your expensive email system. A (free) IM service on your network would be a better solution for messaging that is not important to store per long-term email retention policies for storage.

IM in the enterprise

The Jabber client offers more options for Windows, Linux and Mac operating systems, but IM over the Internet for business matters is not a good practice. Security rules can be violated in practice by sending passwords, sensitive files and personnel data because users may find it quicker and easier than correct mechanisms.