DSI: Secure Carrier-Class Linux
So far, a secure boot mechanism for diskless Linux servers has been implemented. Using secure boot with digital signatures, a distributed trusted computing base (DTCB) will be available at the boot of the cluster nodes. The kernel at secure boot is small enough to be thoroughly tested for vulnerabilities. Furthermore, the use of digital signatures for binaries and a local certification authority will prevent malicious modifications to the DTCB.
We also implemented a security module based on the Linux Security Module (LSM), which enforces the security policy as part of the DSI access control service. This module is integrated with SCC to implement distributed access control mechanisms. DSI currently supports preemptive and dynamic security policy at the process level throughout the whole cluster.
To ease administration and maintenance of the distributed security policy, we are completing a study to devise methods of reusing information already contained in package management systems (such as RPM) in order to generate part of the security policy or to push such information to the package (if that is where it would be best specified). This effort also aims to use the policy to provide clearly different privileges during software installation, configuration, activation and execution. Specification of the exact language used to express the policy and of the compilation and loading mechanisms remain to be completed.
We have partly implemented a secure communication channel based on OmniORB, an open-source implementation of CORBA. SCC logics are implemented on top of a portability layer, making the implementation independent of any communication middleware used. The choice of CORBA as communication middleware for SCC was motivated by many factors, such as the support for distributed real-time and embedded systems and interoperability.
Our goal for DSI is to make the framework open source and to get people from different organizations and open-source initiatives involved in the design and development of the various components.
Figure 2 presents the various components of DSI. All components with a question mark are open to design and development contribution. Currently at Ericsson Research we are working toward implementing the core DSI, which includes the following: secure communication channel, security server, security manager, access control service (including LSM), security policy generation, security session manager and distributed tracing of events (as part of the auditing service).
The DSI team from Ericsson Research will be available at the Ottawa Linux Symposium for three allocated presentations on DSI. We will also be available at the IEEE Cluster Conference 2002 in Chicago. In addition, Ericsson Research will be hosting the annual Open Cluster Group meetings June 24-25, in Montréal, which will give us the opportunity to address the members of the group and get them involved with the DSI Project.
A web site for the project is available as of June 2002. It provides DSI technical reports, presentations, source code and links to web sites of other contributors. Due to space limitations, we were not able to go into the details of DSI in this article. However, feel free to contact any of the DSI team members (listed below) to receive detailed papers on the DSI architecture, strategy and source code or to discuss collaboration opportunities.
Marc Chatel (Marc.Chatel@lmc.Ericsson.se), Michel R. Dagenais (Michel.Dagenais@polymtl.ca), David Gordon (David.Gordon@Ericsson.ca), Bruno J. M. Hivert (Bruno.Hivert@Ericsson.com) and Dominic Pellerin (Dominic.Pellerin@Ericsson.ca).
Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report
August 27, 2015
12:00 PM CDT
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
Free to Linux Journal readers.Register Now!
- Django Models and Migrations
- Hacking a Safe with Bash
- Secure Server Deployments in Hostile Territory, Part II
- Huge Package Overhaul for Debian and Ubuntu
- The Controversy Behind Canonical's Intellectual Property Policy
- Home Automation with Raspberry Pi
- Shashlik - a Tasty New Android Simulator
- Embed Linux in Monitoring and Control Systems
- KDE Reveals Plasma Mobile
- diff -u: What's New in Kernel Development