Verwaltung von Softwarepaketen mit rpm, 2. Teil

Riedel, Wolfgang

26 March 1997

2. Teil des UNIX-Stammtischs vom 25.3.97 Arbeit mit src-Paketen, Erzeugung eigener Pakete, Syntax und Semantik des spec-Files, Problematik der verschiebbaren Pakete

Softwarepakete

Management

rpm

Linux

Redhat

ddc:004

Ubuntu, Debian, Fedora, RedHat och OpenSUSE : En jämförelse av CVE på Linux distributioner / Ubuntu, Debian, Fedora, RedHat and OpenSUSE : A comparison in CVE on Linux distributions

Janson, Fredrik

January 2018

Package management in Linux systems is a popular way to install and update software and the de facto standard on Ubuntu, Debian, Fedora, RedHat, CentOS and OpenSUSE. The software provided in the repositories can however differ when it comes to fixing vulnerabilities since package maintainers in some cases must implement some specific changes to the source used to build the software to make it compatible with the Linux system it is intended to be executed on. The Common Vulnerabilities and Exposures (CVE) standard provides a way to compare how fixes for vulnerabilities is handled on each Linux system where this work is aimed to examine if there exists different patterns when it comes to the time in days it took for a fix to emerge in the changelog for the software. This data is collected by using scripts in Linux to iterate through the National Vulnerability Database (NVD) which contains CVE entries, the severity score in terms of the impact of the vulnerability and references to which systems that the vulnerability affects. The dates are collected by using another script that iterates through the changelog of all available packages and saves the earliest date when the fix was issued. The results show that there is not enough statistical significance to reliably determine if a difference existed between the Linux distributions except when comparing OpenSUSE with Ubuntu, Debian and Fedora where significance was found which suggests that further study is needed. The comparison showed that Ubuntu, Debian and Fedora was slightly better than RedHat on average regarding the time windows between when a CVE was published to when a fix was mentioned in the changelog and OpenSUSE was slower than all other Linux distributions. / Att använda pakethanterare i Linux system är ett populärt sätt att installera och uppdatera mjukvara och är det främsta sättet som används av Ubuntu, Debian, Fedora, RedHat, CentOS och OpenSUSE. Mjukvaran som finns i Linux repositories kan dock skilja sig när det gäller att fixa sårbarheter eftersom package maintainers som är ansvariga för att bygga paketen ibland måste implementera specifika ändringar i källkoden för att mjukvaran skall vara kompatibel med den Linux distribution som den ämnad att köras på. Common Vulnerabilities and Exposures (CVE) standarden möjliggör att kunna jämföra hur en fix för sårbarheter i mjukvaran hanteras på varje Linux distribution där detta arbete ämnar att undersöka om det finns olika mönster när det gäller hur många dagar det tog för en fix att hittas i ändringsloggen för mjukvaran.     Den data som kommer användas samlas in genom att använda script i Linux som itererar genom National Vulnerability Database (NVD) som innehåller CVE poster, en poäng som innebär vilken allvarlighetsgrad sårbarheten har och referenser till systemen som sårbarheten påverkar. Datumen samlas in med ett annat script som itererar genom alla ändringsloggar för alla tillgängliga paket och sparar det tidigaste datumet då en matchande fix hittades. Resultatet visar att det inte finns tillräckligt med statistisk signifikans för att tillförlitligt fastställa om en skillnad existerade mellan Linux distributionerna förutom när OpenSUSE jämfördes med Ubuntu, Debian och Fedora där signifikans hittades vilket tyder på ett behov av ytterligare studier inom ämnet. Jämförelsen visade att Ubuntu, Debian och Fedora var lite bättre än RedHat i genomsnitt när det gäller tidsfönstret mellan när en CVE publicerades till när en fix nämndes i ändringsloggen och sist kom OpenSUSE som var långsammare än alla andra Linux distributioner.

Linux

CVE

Vulnerability

Ubuntu

Debian

Fedora

RedHat

CentOS

OpenSUSE

Linux

CVE

Sårbarhet

Ubuntu

Debian

Fedora

RedHat

CentOS

OpenSUSE

Computer and Information Sciences

Data- och informationsvetenskap

Gestion de l'incertitude et codage des politiques de sécurité dans les systèmes de contrôle d'accès / Managing uncertainty and encoding security policies in access control systems

Bouriche, Khalid

16 February 2013

La présente thèse s'intéresse à coder la politique de sécurité SELinux en OrBAC et à proposer une extension de ce modèle. Nous avons commencé par présenter l'état de l'art des différents modèles de contrôles d'accès présents dans la littérature en mettant en exergue les limites de chacun de ces modèles. Ensuite nous avons présenté le modèle OrBAC comme étant une extension du modèle RBAC, car d'une part il a apporté la notion de contexte et d'organisation et d'autre part il permet d'exprimer, en plus des permissions, des interdictions et des obligations. Ensuite, nous avons présenté la solution de sécurité SELinux qui utilise un ensemble de modèles de contrôle d'accès comme DAC, RBAC et MAC. Nous avons recensé plusieurs centaines, voire des milliers, de règles dans la politique de sécurité SELinux, ces règles peuvent concerner des décisions d'accès ou des décisions de transition. Nous avons ensuite pu coder lesdites règles en modèle OrBAC, et ce en passant par le remplissage ses tables d'entité, pour ensuite les transformer en relations OrBAC. Notre thèse a aussi rappelé les fondements de la logique possibiliste, et a ensuite apportée une amélioration importante du modèle OrBAC, il s'agit de l'introduction de l'entité priorité au niveau de chaque relation du modèle OrBAC. L'entité priorité quantifie la certitude pour qu'une entité concrète soit injectée dans l'entité abstraite correspondante, ou en cas général, le degré de certitude pour qu'une relation soit réalisée. Nous avons proposé trois modes de combinaison (pessimiste, optimiste et avancé) qui peuvent être adoptés pour déterminer la valeur de la priorité de chaque relation concrète à partir des priorités des relations abstraites correspondantes. Enfin, nous avons implémenté, via une application développé par DELPHI, le codage des règles concernant les décisions d'accès de la politique de sécurité SELinux, en modèle OrBAC tout en introduisant la notion de priorité. / This thesis focuses on encoding default-based SELinux security policy in OrBAC and propose an extension of this model. We presented the state of the art of different models of access controls present in the literature underlining the limitations of each of these models. Then we presented the model OrBAC as an extension of the RBAC model, firstly because he brought the notion of context and organization and secondly it allows expressing, in addition to permissions, prohibitions and obligation. Then we presented the SELinux security solution that uses a set of access control models such as DAC, RBAC and MAC. We identified several hundreds or even thousands of rules in SELinux security policy, these rules may be access decisions or decisions of transition. We could then encode these rules in OrBAC model, and via filling its tables of entities, then transform relations OrBAC. Our thesis also reviewed the foundations of possibilistic logic, and then made an important enlargement in OrBAC model; it's to introduce an entity called "priority" in each relationship model OrBAC. The entity "priority" quantifies the certainty for concrete entity injection into the corresponding abstract entity, in general, it's meaning the degree of certainty that a relationship is performed. We proposed three modes of combination (pessimistic, optimistic and advanced) that can be adopted to determine the concrete relations priority value from priorities values of each corresponding abstract relationship. Finally, we implement, via an application developed by DELPHI, coding access decisions rules of the SELinux policy in OrBAC model introducing the priority entity.

SELinux

Orbac

Fedora 14

RedHat 4

RBAC

DTE

TE

MLS

MCS

Incertitude

Possibility theory

Possibilistic logic

Verwaltung von Softwarepaketen mit rpm, 2. Teil

Riedel, Wolfgang

26 March 1997

2. Teil des UNIX-Stammtischs vom 25.3.97 Arbeit mit src-Paketen, Erzeugung eigener Pakete, Syntax und Semantik des spec-Files, Problematik der verschiebbaren Pakete

info:eu-repo/classification/ddc/004

ddc:004

Page connection representation: An object-oriented and dynamic language for complex web applications

Zhou, Yin

January 2001

No description available.

Page Connection Representation

Database-Backed Web Applications

3GL Language

4GL Language

C++ Objects

Linux Platform

Redhat 6.0

Apache Web Server

Optimizations In Storage Area Networks And Direct Attached Storage

Dharmadeep, M C

02 1900

The thesis consists of three parts. In the first part, we introduce the notion of device-cache-aware schedulers. Modern disk subsystems have many megabytes of memory for various purposes such as prefetching and caching. Current disk scheduling algorithms make decisions oblivious of the underlying device cache algorithms. In this thesis, we propose a scheduler architecture that is aware of underlying device cache. We also describe how the underlying device cache parameters can be automatically deduced and incorporated into the scheduling algorithm. In this thesis, we have only considered adaptive caching algorithms as modern high end disk subsystems are by default configured to use such algorithms. We implemented a prototype for Linux anticipatory scheduler, where we observed, compared with the anticipatory scheduler, upto 3 times improvement in query execution times with Benchw benchmark and upto 10 percent improvement with Postmark benchmark. The second part deals with implementing cooperative caching for the Redhat Global File System. The Redhat Global File System (GFS) is a clustered shared disk file system. The coordination between multiple accesses is through a lock manager. On a read, a lock on the inode is acquired in shared mode and the data is read from the disk. For a write, an exclusive lock on the inode is acquired and data is written to the disk; this requires all nodes holding the lock to write their dirty buffers/pages to disk and invalidate all the related buffers/pages. A DLM (Distributed Lock Manager) is a module that implements the functions of a lock manager. GFS’s DLM has some support for range locks, although it is not being used by GFS. While it is clear that a data sourced from a memory copy is likely to have lower latency, GFS currently reads from the shared disk after acquiring a lock (just as in other designs such as IBM’s GPFS) rather than from remote memory that just recently had the correct contents. The difficulties are mainly due to the circular relationships that can result between GFS and the generic DLM architecture while integrating DLM locking framework with cooperative caching. For example, the page/buffer cache should be accessible from DLM and yet DLM’s generality has to be preserved. The symmetric nature of DLM (including the SMP concurrency model) makes it even more difficult to understand and integrate cooperative caching into it (note that GPFS has an asymmetrical design). In this thesis, we describe the design of a cooperative caching scheme in GFS. To make it more effective, we also have introduced changes to the locking protocol and DLM to handle range locks more efficiently. Experiments with micro benchmarks on our prototype implementation reveal that, reading from a remote node over gigabit Ethernet can be upto 8 times faster than reading from a enterprise class SCSI disk for random disk reads. Our contributions are an integrated design for cooperative caching and lock manager for GFS, devising a novel method to do interval searches and determining when sequential reads from a remote memory perform better than sequential reads from a disk. The third part deals with selecting a primary network partition in a clustered shared disk system, when node/network failures occur. Clustered shared disk file systems like GFS, GPFS use methods that can fail in case of multiple network partitions and also in case of a 2 node cluster. In this thesis, we give an algorithm for fault-tolerant proactive leader election in asynchronous shared memory systems, and later its formal verification. Roughly speaking, a leader election algorithm is proactive if it can tolerate failure of nodes even after a leader is elected, and (stable) leader election happens periodically. This is needed in systems where a leader is required after every failure to ensure the availability of the system and there might be no explicit events such as messages in the (shared memory) system. Previous algorithms like DiskPaxos are not proactive. In our model, individual nodes can fail and reincarnate at any point in time. Each node has a counter which is incremented every period, which is same across all the nodes (modulo a maximum drift). Different nodes can be in different epochs at the same time. Our algorithm ensures that per epoch there can be at most one leader. So if the counter values of some set of nodes match, then there can be at most one leader among them. If the nodes satisfy certain timeliness constraints, then the leader for the epoch with highest counter also becomes the leader for the next epoch (stable property). Our algorithm uses shared memory proportional to the number of processes, the best possible. We also show how our protocol can be used in clustered shared disk systems to select a primary network partition. We have used the state machine approach to represent our protocol in Isabelle HOL logic system and have proved the safety property of the protocol.

Computer Storage

Computer Memory Devices

Adaptive Caching Algorithms

Cooperative Caching

Redhat Global File System - Caching

Device-Cache-Aware Schedulers

Clustered Shared Disk Systems

Scheduler Architecture

Storage Area Networks

Direct Attached Storage

Distributed Lock Manager (DLM)

Global File System (GFS)

Computer Science