Administration, Interoperability And Integration archives - Enterprise Linux Log


Oct 29 2008   8:31PM GMT

Centrify streamlines administrator tasks in mixed environments



Posted by: Caroline Hunter
Security, Microsoft Windows, Linux, HP, authentication, Enterprise applications for Linux, Data center physical infrastructure, Administration, interoperability and integration

On Oct. 21, Mountain View, Calif.-based Centrify Corp. added DirectAuthorize to its suite of products for integrating Active Directory into mixed Linux and Windows environments. DirectAuthorize streamlines user access rights management so that administrators no longer have to configure rights separately on Windows servers and then on non-Windows servers. By consolidating information in a centralized location, DirectAuthorize eliminates redundant rework.

DirectAuthorize arrives as the third member of a line of products created to ease the task of managing mixed environments with Active Directory. The other two products, DirectControl and DirectAudit, perform centralized authentication and auditing.  

“Typically we serve customers who are looking to introduce Linux, Hewlett-Packard, AIX, or Unix into their environments, and also often VMware,” Centrify CEO Tom Kemp said. “In terms of access rights and password management, that ends up being a lot of sticky notes next to your screen.” DirectAuthorize replaces non-Windows systems’ authorization infrastructure with that of Active Directory, which allows admins to move all user authorization information to a central location and to manage it from that location.

Oct 28 2008   7:33PM GMT

SE-Postgres tightens SQL security



Posted by: Caroline Hunter
Security, Linux, PostGreSQL, DataManagement, Administration, interoperability and integration

This post was contributed by Joshua Kramer. For more information about Kramer, go to the EnterpriseLinuxLog About the Editors page.

In the theater of IT operations, security has moved to center stage. Attacks have become more complex, and legislative bodies have passed laws that require data protection. In just the past year, Nevada and Massachusetts introduced legislation requiring that consumer data be protected. 

 In 2006, Oracle introduced its Audit Vault, which purported to restrict access to data even from database management administrators. This kind of tool is extremely valuable in the fight against those trying to steal personal information.  

In early 2009, another player will offer a similar — and perhaps more secure — way to restrict data access. As part of its yearly feature update, the PostgreSQL group plans to implement a module called SE-Postgres in the database core. This module inherits security rules and contexts from the SELinux rule set of the host OS to control access to tables, individual rows of data and even individual columns. Currently SE-Postgres is available as a patch to the Postgres 8.3 database (for those who don’t mind compiling source code).

This inheritance of rules applies to all facets of SELinux and therefore gives you power beyond simply restricting access by role. When SE-Postgres is configured properly, a client’s SELinux context is propagated to all data it touches. For example, rows inserted by a subject with SystemHigh privileges will carry the Secret label. A query submitted by a subject with user_t privileges will not return rows that have such a label. For the most part, referential integrity is preserved; a table join will fail if one of the objects required in a table is disallowed by SELinux context. There are a few minor exceptions, but those will be closed as the project progresses.


Oct 27 2008   9:44PM GMT

Bush meets CodeWeavers’ challenge for free software



Posted by: Caroline Hunter
Microsoft Windows, Linux blogs and news, Linux humor, Administration, interoperability and integration

On Tuesday, Oct. 28, software company CodeWeavers will offer its products for no charge. CodeWeavers’ mission is to transform Mac OS X and Linux into Windows-compatible operating systems.

Several months ago, CodeWeavers CEO Jeremy White promised that if President Bush achieved one of his five lame duck goals (to improve the state of the nation by the end of his second term), White would offer his company’s products gratis for one day.

This week, through a fluke of global economic equilibrium - or astute presidential leadership, ahem - Bush met one of the goals; gas prices fell below $2.79 in the Twin Cities. White’s lame duck challenge page now reads “Goal achieved. My bad!” He will offer a Pro version of either one Mac or one Linux CodeWeavers software product for 24 hours starting midnight CST tonight. A product upgrade and support package renewal will be available in one year for $35.


Oct 24 2008   7:19PM GMT

Whirlwind Tech Tour explores remote administration tools



Posted by: Caroline Hunter
disaster recovery, Security, Linux, Enterprise applications for Linux, Administration, interoperability and integration

This week, SearchEnterpriseLinux.com launched its Whirlwind Tech Tour, a new site feature in which we ask Linux professionals a weekly question and post their answers side by side. This week we asked about remote server administration. Done correctly, remote server administration enables companies to distribute resources and prepare for disaster recovery. It also requires a strong toolset to perform these roles well.  

Which tool is best for remote server administration in a Linux environment, and why?

Jay Lyman, an open source analyst at Boulder, Colo.-based 451 Group, recommends the General Public License-licensed Virtual Network Computing (VNC) system for its user-friendly graphical user interface. This tool works with Open Secure Shell (OpenSSH) to perform tunneling, a method to establish secure connections between local and remote networks. OpenSSH itself received several mentions in our IT pros’ responses.

As Kristian Erik Hermansen noted, the tool does more than tunnel. Hermansen’s description of OpenSSH’s capabilities: It can “forward graphical applications to remote machines, create a series of tunnels, redirect traffic over a SOCKS proxy, and perform way too many other features to mention.”  

Serge Wroclawski expected SSH to be at the top of respondents’ lists but suggested they trade it in for more automated remote administration tools. He advises managing remote server configuration with tools such as bcfg2 and Puppet. 

“Remote server management is a multidimensional problem, and managing the Linux OS is only a part of it,” said Ideas International Inc. CEO Tony Iams. Iams outlined several considerations in approaching this problem, but concluded that “perhaps the most important factor in choosing a remote Linux management tool…is to make sure it integrates smoothly into the dominant management tools and procedures that are already in place.”

Do you have a question you’d like to see asked and answered? Email it to editor at searchenterpriselinux.com. To see the complete responses from our IT pros, go to the feature main page.



Oct 6 2008   7:41PM GMT

Mono 2.0 boosts Linux compatibility with Microsoft .Net



Posted by: Pam Derringer
Linux, TechTarget Blogs, SUSE/Novell, Linux blogs and news, Open source applications, Administration, interoperability and integration

Mono 2.0 is now available for download. An open source project sponsored by Waltham, Mass.-based Novell Inc., Mono is a Unix-based tool that enables Microsoft .Net applications to run on Linux, Solaris or Macintosh platforms.

Mono 2.0 follows two previous versions of Mono, with the first released in 2004 and the second in 2006. The latter version was used to write Moonlight, an open source plug-in to Microsoft’s Silverlight for creating interactive applications.

The key advance in Mono 2.0, a spokesman said, is that it achieves full compatibility with .Net, where the previous versions only reached partial capability with .Net. Mono 2.0 also includes a debugger, a Language Integrated Query from .Net 3.5 and a Migration Analyzer.

Michael Cote, an analyst with Denver, Colo.-based Redmonk, said the new version of Mono helps the Linux platform by enabling .Net developers to work on Windows as well as open source platforms.

“It’s great to give companies the option of using the underlying OS of their choice,” Cote said.

Mono 2.0 may be downloaded from http://www.mono-project.com.


Aug 15 2008   2:58PM GMT

LinMin adds key API to its automated provisioning tool



Posted by: Pam Derringer
Linux, DataCenter, Administration, interoperability and integration, TechTarget Blogs

LinMin Corp. beefed up automation of its cross-platform bare-metal provisioning tool. The new version 5.2 from the Redwood City, Calif., startup now includes an application programming interface (API) through which a business process can initiate the provisioning of additional servers or desktops. The tool works on physical or virtual servers running Red Hat, Novell, Ubuntu, CentOS, Fedora, Asianux and Microsoft Windows.

Steven Brasen, an IT analyst with Enterprise Management Associates in Boulder, Colo., said the new API makes LinMin more useful because it can link directly into interfaces for other functions such as ticketing.

For example, developers could use the new API to trigger provisioning of a new Web hosting machine directly from an invoice, or the provisioning of a desktop for a new hire from a payroll system, said LinMin CEO Laurent Gharda.

LinMin’s technology derives from the now-defunct OpenCountry, the technology assets of which LinMin acquired shortly after its launch last March, said Gharda.

OpenCountry’s system management package won “outstanding reviews” and LinMin has taken its best component and created a standalone provisioning solution, Brasen said. Provisioning is typically available only as part of a high-end systems management package such as Tivoli Software or HP OpenView, compared with which LinMin is a “very inexpensive” alternative, he said.

Ultimately, LinMin will probably be acquired by complementary vendors such as Hyperic or by an original equipment manufacturer, Brasen said.

Until then, the new API will help LinMin users eliminate the need for human intervention in provisioning, Gharda said. Some LinMin customers are testing the product in cloud deployments, he added.


Aug 14 2008   1:53PM GMT

Surveillance tools beat hidden malware at its own game



Posted by: Caroline Hunter
Security, Linux, DataCenter, Systems Management, Administration, interoperability and integration

Just as surveillance tools have flourished in the physical world because they can monitor systems in hiding – think nanny cam – such seemingly invisible monitoring systems have flourished in the digital domain.

Rootkits, a form of malware designed to take control of a system without the authorization or knowledge of an administrator, can wreak havoc on a system and compromise everything it does by infecting code, nestling within it and becoming the malevolent phantom of an OS.

If security plays second fiddle to other system administration duties, your system may be just as much at risk as if you didn’t monitor it at all. But a new crop of rootkit detection tools is designed to detect these malware breaches and, in some cases, beat malware at its own game.

Products such as F-Secure Blacklight and OSSEC help protect system information from being used against you by making it inaccessible to nonadministrators. Unlike traditional antivirus scanners, these tools examine the system at a deep level to detect active rootkits and rout them out. Tools like Blacklight also tout themselves as user-friendly and nontechnical.

The new security tool ProcL goes a step further by hiding information about which version of software a system uses. As a result, malware attempting to gain system access cannot tell whether the system has software from 2008 or 1988 and will likely move on to an easier target.

For more on ProcL, see the Scanit website. And to check out an advanced security “hiding” tactic involving virtualization, click here.


Aug 6 2008   7:31PM GMT

Varonis explains data governance, product DatAdvantage



Posted by: Caroline Hunter
Security, Linux, DataCenter, DataManagement, Systems Management, Interviews, Administration, interoperability and integration

During the week of LinuxWorld, Johnnie Konstantas, a marketing VP at Varonis Systems, a data governance software provider, talks about the company’s release of DatAdvantage and approaches to data governance within a company. 

What does DatAdvantage do?                                                                                                                     
Johnnie Konstantas: The focus … was to automate user-to-data mapping such that only the right users have access to only the data they need at all times. A sophisticated mathematical engine computes permissions revocations so that user access to data is always warranted by business need. DatAdvantage also ensures that data use is business warranted by providing the means to continuously monitor what users are doing with the permissions they have. DatAdvantage logs every user’s every “file touch” (i.e., open, delete, create, rename) and provides this information as part of a consolidated and searchable record. 

Why is data governance so important, even more so than it was five years ago?                               
Konstantas: IT managers are currently responsible for controlling access to business-critical and sensitive data — 80% of which takes an unstructured form (i.e., documents, spreadsheets, presentations, image and multimedia files, source code). A system of data governance that includes people, processes and technology for ensuring that access is warranted is the only way to implement access controls that are consistently applied and enforced through data growth and change.
The rate at which unstructured data is created outpaces that of five years ago. Digital images from scanners and cameras, portable audio files, podcasting and Web content are being added to the scores of documents and spreadsheets that are produced for business communication. All of this now “business relevant” data must be protected, and access to it controlled as it is for documents and software code. In the next three years, the rate of data creation will increase still.  

What trends has Varonis seen in data access rights within a company?                                            
Konstantas: As a general trend, companies are seeing the need for unstructured data management become more acute as data growth explodes. IT operations are turning to Varonis to automate a process which is largely manual and quite costly. The steps taken for data management auditing and control for unstructured data are being rolled into the thinking, models and projects for overall data governance.
 

How should a company think about data governance to make the most of DatAdvantage?   
Konstantas: Since most enterprises have not reviewed their data entitlement settings in some time (the process is almost impossible without Varonis which automates it), step one is to have IT review and clean up unwanted access controls. Then the data management shift from IT staff to data stewards can take place. A good governance environment has a specialized team in charge of entitlement management, but also involves IT in auditing the process.


How does data governance overlap with data security? How does DatAdvantage differ from data center security software?                                                                                                                   
Konstantas: Data governance as a model and framework includes the safeguarding of data that is business-sensitive. IT greatly reduces the risk of data loss and misuse by revoking unwarranted permissions and limiting control according to a business’s need-to-know.
Data governance comprises much more than security, however; it ensures that data stewards rather than IT staff manage entitlements to data and determine which data is worthy of archiving, deleting, preserving and protecting. The two products in Varonis’ data governance suite provide the means to both manage entitlement to and determine treatment of data. DatAdvantage helps IT remove excess permissions and identify data business owners. Varonis DataPrivilege puts data stewards in charge of their data by giving them the means to manage all entitlement requests and to audit data use.


Aug 6 2008   2:47PM GMT

Ganglia 3.1 enables custom cluster, grid monitoring



Posted by: Caroline Hunter
Linux, DataCenter, HPC, Clusters, grids and mainframes, LinuxWorld, Administration, interoperability and integration

Ganglia, community partner to GroundWork Open Source, releases cluster monitoring product Ganglia 3.1 at LinuxWorld Conference & Expo this week in San Francisco. Ganglia is a distributed monitoring system for high-performance computing systems such as clusters and grids. The central feature of Ganglia 3.1 is that it allows administrators to create customized “metric modules.” Admins can create a module from metrics for CPU, network, disk and memory that they select à la carte, allowing for a tailored monitoring environment.

“I would hope that [Ganglia 3.1] changes business practices for the better, making clusters easier to use and more expandable,” said Ganglia developer Brad Nicholes. “We want to make sure that whoever needs to monitor data has the resources they need to do so.”

Previously, an administrator could create a metric module but could not integrate it into the Ganglia interface. Ganglia 3.1 allows an administrator to expand a cluster by adding custom metric modules on an as-needed basis. Ganglia 3.1 uses the round-robin scheduling algorithm, which enables admins to tailor the collected data to a company’s needs.

Nicholes noted that it is important to upgrade all gmon agents, tools which allow a GUI to “talk” to the various components of a cluster, at the same time.

If you would like to use Ganglia with GroundWork Open Source’s GroundWork Monitor, GroundWork offers a Ganglia Integration Module that allows Monitor to provide multiple role status views, dashboards, reports, notifications and configuration tools.


Jul 28 2008   4:34PM GMT

Package managers: Downloaders beware



Posted by: Caroline Hunter
Security, Linux, DataCenter, authentication, Systems Management, Updates and upgrades, Administration, interoperability and integration

Package management—the process of determining which update packages should be installed on a host and then downloading and installing those packages—invites a dilemma: OSes need to be updated, but the process of updating them can invite security breaches.

A recent study at the University of Arizona explored nine feasible attacks on the popular package managers APT and YUM. As part of their research, the study’s conductors posed as a group of administrators from a nonexistent company and leased a server from a hosting provider. Thousands of clients, including government agencies, downloaded upgrades, which prompted their operating systems to endlessly replicate data, misidentify dependencies, and install unnecessary software. It also left these clients vulnerable to other attacks on their systems, including hackers gaining root access to OSes, system crashes and erased files. Researchers concluded that many public storage spaces for upgrade downloads are in fact maliciously established “mirrors,” or software repositories, that have become infected with sources of attack. You can prevent most of these issues by downloading from only signed metadata repositories, the study counseled. A signature verifies that the repository was created benevolently.

Protecting against mirror threats
In response, readers suggested a number of additional ways to protect a package manager from such threats.

  • An OpenSUSE page suggested its internally developed tool, download redirector.
  • One blogger wrote that the risks posed by infected repositories are not great enough to merit changes to package manager security.
  • Another acknowledged the risk and argued that simply allowing the number of open source package manager products available to increase will maintain or improve current open source package manager security.
  • A Gentoo administrator promoted rotating mirrors to ensure security.

Package manager security, as pointed out by this report, is crucial to the success of your operating system. With the present drive for continuous upgrades for your data center, you may feel pressure to download from the most accessible source available. Don’t: the risk of downloading insecure software is greater than the time it will take to check out the above links.

For more on package managers, check out these links: How to manage software on Ubuntu Server with “aptitude” and “apt-get”

Managing Software on Ubuntu Server Edition