
JUNE 2014 | ISSUE 242 | www.linuxjournal.com

Since 1994: The Original Magazine of the Linux Community

NETWORKING

E-Mail Encryption with Mutt
Simple Scripting Skills in Action
A Look at How URLs Are Changing with the Times
Analyze Android Traffic with Wireshark
Harden Your RHEL Systems with Ansible
How Is Mobile Changing the Web?
Monitor Your Network Security with OSSIM
Take Your Network Filtering Rules to a New Level

WATCH: Issue Overview (video)
LJ242-June2014.indd 1 5/22/14 12:36 PM


CONTENTS JUNE 2014
ISSUE 242

NETWORKING

Cover Image: © Can Stock Photo Inc. / animind

FEATURES

56 Monitoring Android Traffic with Wireshark
Get a glimpse into the Internet traffic coming from your smartphone using some simple Linux tools.
Brian Trapp

68 OSSIM: a Careful, Free and Always Available Guardian for Your Network
OSSIM, the free and open-source SIEM.
Marco Alamanni

84 Berkeley Packet Filters with Scapy (and Friends)
Decide what should come from a socket before the data even reaches your application.
Valentine Sinitsyn

4 / JUNE 2014 / WWW.LINUXJOURNAL.COM



INDEPTH

98 Security Hardening with Ansible
How to secure RHEL6 with Ansible.
Mark Dotson

COLUMNS

30 Reuven M. Lerner’s At the Forge
URLs

36 Dave Taylor’s Work the Shell
Considering Legacy UNIX/Linux Issues

42 Kyle Rankin’s Hack and /
Encrypt Your Dog (Mutt and GPG)

46 Shawn Powers’ The Open-Source Classroom
Being a Hack

110 Doc Searls’ EOF
In the Matrix of Mobile, Linux Is Zion

IN EVERY ISSUE
8 Current_Issue.tar.gz
10 Letters
16 UPFRONT
28 Editors’ Choice
52 New Products
113 Advertisers Index

ON THE COVER
E-Mail Encryption with Mutt
Simple Scripting Skills in Action
A Look at How URLs Are Changing with the Times
Analyze Android Traffic with Wireshark
Monitor Your Network Security with OSSIM
Take Your Network Filtering Rules to a New Level
Harden Your RHEL Systems with Ansible
How Is Mobile Changing the Web?

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.



Executive Editor Jill Franklin
jill@linuxjournal.com
Senior Editor Doc Searls
doc@linuxjournal.com
Associate Editor Shawn Powers
shawn@linuxjournal.com
Art Director Garrick Antikajian
garrick@linuxjournal.com
Products Editor James Gray
newproducts@linuxjournal.com
Editor Emeritus Don Marti
dmarti@linuxjournal.com
Technical Editor Michael Baxter
mab@cruzio.com
Senior Columnist Reuven Lerner
reuven@lerner.co.il
Security Editor Mick Bauer
mick@visi.com
Hack Editor Kyle Rankin
lj@greenfly.net
Virtual Editor Bill Childers
bill.childers@linuxjournal.com

Contributing Editors
Ibrahim Haddad • Robert Love • Zack Brown • Dave Phillips • Marco Fioretti • Ludovic Marcotte
Paul Barry • Paul McKenney • Dave Taylor • Dirk Elmendorf • Justin Ryan • Adam Monsen

Publisher Carlie Fairchild


publisher@linuxjournal.com

Director of Sales John Grogan


john@linuxjournal.com

Associate Publisher Mark Irgang


mark@linuxjournal.com

Webmistress Katherine Druckman


webmistress@linuxjournal.com

Accountant Candy Beauchamp


acct@linuxjournal.com

Linux Journal is published by, and is a registered trade name of,


Belltown Media, Inc.
PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel

Brad Abram Baillio • Nick Baronian • Hari Boukis • Steve Case
Kalyana Krishna Chadalavada • Brian Conner • Caleb S Cullen • Keir Davis
Michael Eager • Nick Faltys • Dennis Franklin Frey • Alicia Gibb
Victor Gregorio • Philip Jacob • Jay Kruizenga • David A Lane
Steve Marquez • Dave McAllister • Carson McDonald • Craig Oda
Jeffrey D Parent • Charnell Pugsley • Thomas Quinlan • Mike Roberts
Kristin Shoemaker • Chris D Stark • Patrick Swartz • James Walker

Advertising
E-MAIL: ads@linuxjournal.com
URL: www.linuxjournal.com/advertising
PHONE: +1 713-344-1956 ext. 2

Subscriptions
E-MAIL: subs@linuxjournal.com
URL: www.linuxjournal.com/subscribe
MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.





Current_Issue.tar.gz

(Net)working the Room
SHAWN POWERS

I tend to be a fairly funny guy. Well, at least I think I’m funny. My kids might disagree. The thing is, it’s hard to find a group of people to understand obscure networking jokes. At a non-tech conference, for example, if I say to the person next to me, “Jeez, that speaker must have delivered his presentation with UDP packets, because he never stopped to see if any of us were getting what he was talking about!”—exactly zero people laugh. In fact, I usually get really weird looks. At a Linux conference, however, the same comment usually gets an eye-roll. (As a father of teenagers, I consider an eye-roll the equivalent to amusement.) That’s why I love Linux Journal so much. This month, we’re talking about Networking, and everyone in our little “room” understands what we’re talking about! So let’s peel this issue apart one OSI layer at a time.

Reuven M. Lerner starts us out with URLs. That ubiquitous string of text that takes you to a location (usually a Web site) is something we often take for granted. As the Internet matures, however, an understanding of how URLs work is vital. Reuven teaches us everything from protocol designations to URL fragments. If you’ve ever wondered about those seemingly out of place # characters in a URL, you’ll want to read his column.

Dave Taylor follows with a great look at the evolution of scripting. Just like we no longer have to hand-crank our car engine to get it running (mine doesn’t even have a key anymore, just a button), shell scripting has changed through the years. Supporting legacy systems (or legacy code) is a problem we all need to deal with, as Dave shows us with one of his real-world experiences.

Kyle Rankin continues his theme this month and teaches how to encrypt our e-mail—specifically text-based Mutt e-mail. Kyle remains true to his command-line preferences, and rather than switch to a GUI e-mail app, he describes how to use GPG with Mutt. If you’re a Mutt user like Kyle, or just want to learn about implementing GPG, don’t miss his column.

I follow Kyle with a continuation on last month’s scripting basics article. Rather than leaving you with a simple set of tools, I tried to come up with some examples of using those tools in real-world situations. My scripts are basic and my techniques are simple, but that’s the point. Don’t be intimidated by the command line. It’s powerful and not terribly difficult to master.

Sniffing network traffic is often a critical part of diagnosing a problem or detecting a potential one. Brian Trapp explains how to sniff the packets of our smartphones. That seems like a simple enough task, until you realize capturing traffic from a wireless device to the network can be challenging. (Using Firesheep will garner you tons of Web information, but if you want every packet, that gets a little rougher.) Brian shows how to capture the traffic, and then how to dissect it with Wireshark.

Marco Alamanni follows Brian with an in-depth article on OSSIM, a server-based program for detecting problems on your local network. With its Web interface and powerful collection of snooping tools, OSSIM can be incredibly useful for early detection of problems or threats.

Any network user or administrator is familiar with firewalling tools. Most of us, however, aren’t nearly as familiar with Berkeley Packet Filters. Valentine Sinitsyn walks through using BPF to do some very low-level traffic filtering. This powerful system can add an incredible set of tools to your network filtering needs.

And finally, Mark Dotson gives us an in-depth tutorial on Ansible. Managing multiple systems is becoming more and more complex, but thankfully with tools like Ansible, we can deploy and configure countless machines quickly and, most importantly, securely.

Like every issue of Linux Journal, this one is chock full of tech tips, product announcements and recommendations. The networking issue touches on so many disciplines and interest areas in the Linux community, that it’s always one of our favorites. The large majority of folks still won’t understand our networking jokes, but that’s okay, they can sit around as bored as a teenager in a Faraday cage while we all enjoy this issue. (Thank you, thank you, I’ll be here all night....)

VIDEO: Shawn Powers runs through the latest issue.

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.


letters

Software Usability
Jim Hall’s article, “It’s about the User: Applying Usability in Open-Source Software” in the December 2013 issue, was right on the mark and also applies to custom in-house software used by large companies. I was going to cite a number of examples but decided to keep this “short and sweet”, or should I say “short and sour”. There are plenty of examples, but today, I’m picking on just one, Kompozer.

I used Kompozer on an XP machine, and it did what I wanted to do. So, when I said good-bye to Windows, I wanted Kompozer or an equivalent program on my new Ubuntu 13.1 box.

Try installing Kompozer—I challenge you! The Internet has countless pages of questions and answers representing thousands of wasted hours by people around the globe. After following the step-by-step instructions, using copy and paste so I didn’t make a mistake, I still don’t have it running.

This is the very sort of thing that has been holding Linux back from becoming mainstream! It kept me and others that I know from taking the plunge years ago. All it would take is a few minutes from one person who knows what they’re doing to package it properly and save thousands of hours of frustration for Linux users everywhere!
—Graig

Jim Hall replies: Thanks for your e-mail! You are correct that usability applies both to commercial/proprietary software and to free/open-source software. When you are intimately involved with the development of software, you become so familiar with it and what it does that it’s easy to forget that ordinary people with average knowledge need to use the software. Usability means focusing on the users and what they need to do with the software. It’s dangerous to assume that everyone will use the software the way you want them to.

Harden Your SSH
Regarding Federico Kereki’s article “More Secure SSH” in the January 2014 issue, using PAM, how can you lock a user to a directory? Would it be better to use ChrootDirectory? I would think PAM would be better, but I am lost at the moment. I have never configured PAM, but I am interested in it because of this article.
—Tony Catalfamo

Federico Kereki replies: I haven’t actually used this, but there’s a PAM module you could try called pam_chroot. However, I’d also point out that according to some accounts, there might be security problems with it, and jk_chrootsh should be preferred. As I said, I haven’t tried this out, but I’ll give these two options a whirl; good question, Tony!

Another Silo on the Security Topic
Some years ago, I bought and installed a couple door locks with the Z-Wave interface feature, thinking that someday I would integrate them into what we call The Internet of Things. Today, I find that my only option with the manufacturer Schlage is to incorporate its own Web site into the path from lock to PC or smartphone.

Although the salesman offers glowing prospects, he has no way to deal with the contingencies I presented to him that are important failures to avert per my values. Doc Searls and others have been writing about silos for quite some time. Short of reverse-engineering, I see no way to avoid yet another one in my personal life.

This touches many topics actually—for example, security, embedded systems, service interruption, silos and the “biggie”, Internet of Things. I have regaled in some of Doc’s successes in beating the lock-in of vendors. While my search for an alternative door-lock vendor is not done, I wonder if a “Silo Beaters Registry” might make good reading? Like open source, it would carry those who are receptive to providing open products of non-software nature—like door locks.

In any case, should Doc or others write more on the silo topic, I present this example to them through you for their use.
—Skip


Doc Searls replies: Thanks, Skip. I feel your pain—and I like the idea of a “Silo-Beater’s Registry”.

I also would love to hear from other readers about what the qualifications would be. Meanwhile, I’ll collect my own thoughts on the matter. Thanks again.

Linux Backup: the New Bareos vs. Bacula
It seems there is a new fork of Bacula that deserves some attention, and I’d love to see LJ do a review if you have room in your queue (http://www.bareos.org).

Basically, a couple main contributors have forked from just before where Bacula Enterprise code went proprietary.

It isn’t currently available via any of the distros other than Gentoo, but the authors do have packaged binaries for the majors.

It’s well worth a look, and I’d love to hear what you think!
—Erich Newell

Very cool! I’ll try to check it out, but at the very least, it will appear here for others to check out as well!—Shawn Powers

New Android App
Recently, a new Linux Journal app was automatically downloaded to my Android phone replacing the existing Linux Journal app. The UI has been improved. I really appreciate this. But there are a few problems:

1) The new app will start, but then refuses to open a previously downloaded issue, unless it has Internet access. I don’t think going off-line while reading prevents further reading of the same issue.

2) The new app crashes just after start once in a while.

With the “old” version of the app, I believe I could open downloaded issues without having Internet access. It is quite annoying at the moment, because I’m abroad and thus only connected to the Internet sporadically.

Will you consider bringing back the functionality to start reading while off-line?
—Bo Romer

The app development isn’t done in-house, but I’ll be sure to get your feedback to the right folks. Thank you for the input; the goal is, of course, to have the most usable, convenient app we can provide.—Shawn Powers

Linux Journal Content
I am writing to your team to request that you please provide more articles regarding system administration of Linux in future issues—for example, useful commands, explaining the inet.d or .rc dirs, troubleshooting tips, slow performance evaluations and best practices configurations. I could go on, but I think you get the point. I enjoy reading these topics, as it keeps me abreast of new things and refreshes my memory on others, and I haven’t seen this content in your past issues. Feel free to reach out to me if you like.
—Ron

Sysadmin topics are usually pretty popular, and it’s one of the reasons we added my “Open-Source Classroom” column. We will continue to have issues that focus specifically on system administration, but I’ll try to work some of the topics you mention into my column if nothing else. Thanks for the great ideas!—Shawn Powers


Wrong Info in “Understanding Caching” Article
I’m writing about the article “Understanding Caching” published in January 2004, but still available on-line: http://www.linuxjournal.com/article/7105.

The author begins his article by stating processors have always been faster than memory. It’s just plain wrong; early CPUs were slower than memory. Actually memory (SDRAM) density has greatly improved (as much as CPUs), not latencies as much.

Proofs:

1) Princeton Physics Laboratory: http://w3.pppl.gov/~hammett/comp/bench/bandwidth.html.

Figure 2 in this article: http://www.dba-oracle.com/oracle_tips_hardware_oracle_performance.htm.
—Eric

WRITE LJ A LETTER
We love hearing from our readers. Please send us your comments and feedback via http://www.linuxjournal.com/contact.

PHOTO OF THE MONTH
Remember, send your Linux-related photos to ljeditor@linuxjournal.com!

At Your Service

SUBSCRIPTIONS: Linux Journal is available in a variety of digital formats, including PDF, .epub, .mobi and an on-line digital edition, as well as apps for iOS and Android devices. Renewing your subscription, changing your e-mail address for issue delivery, paying your invoice, viewing your account details or other subscription inquiries can be done instantly on-line: http://www.linuxjournal.com/subs. E-mail us at subs@linuxjournal.com or reach us via postal mail at Linux Journal, PO Box 980985, Houston, TX 77098 USA. Please remember to include your complete name and address when contacting us.

ACCESSING THE DIGITAL ARCHIVE: Your monthly download notifications will have links to the various formats and to the digital archive. To access the digital archive at any time, log in at http://www.linuxjournal.com/digital.

LETTERS TO THE EDITOR: We welcome your letters and encourage you to submit them at http://www.linuxjournal.com/contact or mail them to Linux Journal, PO Box 980985, Houston, TX 77098 USA. Letters may be edited for space and clarity.

WRITING FOR US: We always are looking for contributed articles, tutorials and real-world stories for the magazine. An author’s guide, a list of topics and due dates can be found on-line: http://www.linuxjournal.com/author.

FREE e-NEWSLETTERS: Linux Journal editors publish newsletters on both a weekly and monthly basis. Receive late-breaking news, technical tips and tricks, an inside look at upcoming issues and links to in-depth stories featured on http://www.linuxjournal.com. Subscribe for free today: http://www.linuxjournal.com/enewsletters.

ADVERTISING: Linux Journal is a great resource for readers and advertisers alike. Request a media kit, view our current editorial calendar and advertising due dates, or learn more about other advertising and marketing opportunities by visiting us on-line: http://www.linuxjournal.com/advertising. Contact us directly for further information: ads@linuxjournal.com or +1 713-344-1956 ext. 2.




UPFRONT NEWS + FUN

diff -u
WHAT’S NEW IN KERNEL DEVELOPMENT

David Herrmann wanted to disable the virtual terminal subsystem in order to save space on a kernel that didn’t need a VT. But, he still wanted to see kernel oops output for debugging purposes. The problem was that only the VT subsystem would display oops output—and he’d just disabled it.

No problem. David posted a patch to implement DRM-log, a separate console device that used the direct rendering manager and that could receive kernel oops output.

Over the course of a discussion about the patch, Alan Cox mentioned that there didn’t seem to be anything particularly DRM-specific in David’s code. It easily could exist at a yet more generic layer of the kernel. And although David agreed with this, he said the DRM folks were more amenable to taking his patch and that “I’ve spent enough time trying to get the attention of core maintainers for simple fixes, I really don’t want to waste my time pinging on feature-patches every 5 days to get any attention. If someone outside of DRM wants to use it, I’d be happy to discuss any code-sharing. Until then, I’d like to keep it here as people are willing to take it through their tree.”

That’s a fairly surprising statement—a bit of an indictment of existing kernel patch submission processes. There was no further discussion on that particular point, but I would imagine it got some folks thinking.

The rest of the current thread focused on some technical details about oops output, especially font size. David’s code displayed oops output pixel by pixel, essentially defining its own font. But for extremely high-resolution monitors, such as Apple’s Retina display, as Bruno Prémont pointed out, this could result in the oops output being too small for the user to see. David’s answer to this was to implement integer scaling. His font could be any integer multiple larger than the default. This seemed fine to Bruno.

Eugene Shatokhin posted some code to make use of Google’s ThreadSanitizer tool (https://code.google.com/p/thread-sanitizer). ThreadSanitizer detects a particular type of race condition that occurs when one thread tries to write to a variable while another thread either tries to read from or write to the same variable.

Eugene called his own code Kernel Strider (https://code.google.com/p/kernel-strider). It collected statistics on memory accesses, function calls and other things, and sent them along to be analyzed by ThreadSanitizer. Eugene also posted a link to a page describing several race conditions that Kernel Strider had uncovered in the 3.10.x kernel series.

Waiman Long posted some code implementing qspinlock, a new type of spinlock that seemed to improve speed on very large multiprocessor systems. The idea behind the speed improvement was that a CPU would disable preemption when spinning for a lock, so it would save the time that might otherwise have been used migrating the looping thread to other CPUs.

The big problem with that kind of improvement is that it’s very context-dependent. What’s faster to one user may be slower to another, depending on one’s particular usual load. Traditionally, there has been no clean way to resolve that issue, because there really is not any “standard” load under which to test the kernel. The developers just have to wing it. But, they wing it pretty well, and ultimately things like new spinlock implementations do get sufficient testing to determine whether they’d be a real improvement. The problem with Waiman’s situation, as he said on the list, is that the qspinlock implementation is actually slower than the existing alternatives on systems with only a few CPUs—in other words, for anyone using Linux at home.

However, as George Spelvin pointed out, the most common case is when a spinlock doesn’t spin even once, but simply requests and receives the resource in question. And in that case, qspinlocks seem to be just as fast as the alternatives.

To qspinlock or not to qspinlock—Rik van Riel knew his answer and sent out his “Signed-Off-By” for Waiman’s patch. Its merits undoubtedly will continue to be tested and debated. But there are many, many locking implementations in the kernel. I’m sure this one will be used somewhere, even if it’s not used everywhere.

Yuyang Du recently suggested separating the Linux scheduler into two independent subsystems: one that performed load balancing between CPUs and the other that actually scheduled processes on each single CPU.

The goal was lofty. With the scheduler performing both tasks, it becomes terribly complex. By splitting it into these two halves, it might become possible to write alternative systems for one or the other half, without messing up the other.

But in fact, no. There was almost universal rejection of the idea. Peter Zijlstra said, “That’s not ever going to happen.” Morten Rasmussen said the two halves couldn’t be separated the way Yuyang wanted—they were inextricably bound together.

You never know though. Once upon a time, someone said Linux never would support any architecture other than i386. Now it runs on anything that contains silicon, and there’s undoubtedly an effort underway to port it to the human brain. Maybe the scheduler can be split into two independent halves as well. —ZACK BROWN

They Said It

Work and acquire, and thou hast chained the wheel of Chance.
—Ralph Waldo Emerson

Our lives begin to end the day we become silent about things that matter.
—Martin Luther King Jr.

Millions long for immortality who don’t know what to do with themselves on a rainy Sunday afternoon.
—Susan Ertz

People laugh at me because I use big words. But if you have big ideas you have to use big words to express them, haven’t you?
—L. M. Montgomery

Our patience will achieve more than our force.
—Edmund Burke
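To make concrete the kind of race the ThreadSanitizer item in diff -u describes (one thread writing a variable while another reads or writes it), here is an added example of my own, not code from the column, from Eugene Shatokhin’s Kernel Strider or from the kernel. It is ordinary user-space C: several threads bump one counter, first with no synchronization and then under a mutex. The names racy_worker, locked_worker and run_workers are this example’s own. Building it with -fsanitize=thread makes the sanitizer report the first version; the locked version is what a correct fix looks like.

```c
// Added example: a data race of the kind ThreadSanitizer detects, beside
// the mutex-protected version that fixes it.
// Build under TSan with:  gcc -fsanitize=thread -g -pthread race.c
#include <pthread.h>
#include <stdio.h>

#define THREADS 4
#define ITERATIONS 100000

static long shared_counter;                 // touched by every thread
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;

// Unsynchronized read-modify-write. Two threads executing this at the same
// moment is exactly the write/write (or read/write) overlap the column
// describes, so the final total is unpredictable and usually too small.
static void *racy_worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++)
        shared_counter++;
    return NULL;
}

// Same work, but the mutex serializes every access, so the total is exact.
static void *locked_worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) {
        pthread_mutex_lock(&lock);
        shared_counter++;
        pthread_mutex_unlock(&lock);
    }
    return NULL;
}

// Run THREADS copies of the given worker and return the resulting counter.
static long run_workers(void *(*worker)(void *)) {
    pthread_t tid[THREADS];
    shared_counter = 0;
    for (int i = 0; i < THREADS; i++)
        pthread_create(&tid[i], NULL, worker, NULL);
    for (int i = 0; i < THREADS; i++)
        pthread_join(tid[i], NULL);
    return shared_counter;
}

long racy_total(void)     { return run_workers(racy_worker); }
long locked_total(void)   { return run_workers(locked_worker); }
long expected_total(void) { return (long)THREADS * ITERATIONS; }

int main(void) {
    printf("racy:   %ld (expected %ld)\n", racy_total(), expected_total());
    printf("locked: %ld (expected %ld)\n", locked_total(), expected_total());
    return 0;
}
```

The racy figure varies from run to run and is only reliably wrong under load; that is precisely why a tool that watches the accesses themselves, rather than the outcome, is useful.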


Android Candy: I’m Sorry 2048 Times

It seems like every day there’s a new mobile game that takes the world by storm. Whether it’s Flappy Bird or Candy Crush, there’s something about simple games that appeals to our need for quick, instant gratification. I don’t normally recommend games, unless they’re particularly nostalgic or something, but this month I have to mention 2048. Maybe it’s the math nerd in me that loves powers of 2, or maybe it’s that this game is just the right amount of challenging and infuriating. Whatever the secret recipe for a great mobile game is, 2048 has discovered it.

The basic premise is you keep combining similarly numbered blocks to get higher and higher numbered blocks. To win the game, you get the coveted 2048 block. I know our own Linux Journal bookkeeper has gotten further than that, however, and has scored at least 4096, with rumors of getting as high as 8192. Do you like math? Do you hate sleep? This game might be just for you. And like the title says, I’m so, so sorry. Get your copy today—just search for “2048” at the Google Play store. (There are several similar games, I don’t want to favor one over the other.)

If you don’t want to play on your phone, you can play on-line at http://gabrielecirulli.github.io/2048. —SHAWN POWERS


Non-Linux FOSS: My Portable Windows Lab

Portable apps aren’t anything new. There are variations of “single executable apps” for most platforms, and some people swear by keeping their own applications with them for use when away from home. I don’t usually do that, as most of what I do is on-line, but there is one exception: security.

When I’m asked to help a Windows user figure out what is wrong with his or her computer, I generally take a USB drive and nothing else. I also usually run dd on that Flash drive when I get back home, because Windows can be a breeding ground for nasty infections. In order to build a USB device quickly that I can use to help my Windows friends, I like to use the awesome open-source program at http://portableapps.com.

The downloadable program provides a sort of “app store” for downloading individual portable apps. It makes sure all of your apps are up to date, and it’s a great way to browse the different categories and look for apps that might be useful. Granted, many of the portable apps themselves aren’t open source, but the program that manages them for you is. If you ever need to help friends or acquaintances with their infected systems, a USB drive prepped with the Windows-based portableapps.com application is a great way to start. —SHAWN POWERS


[ UPFRONT ]

rc.local, Cron Style

Occasionally as seasoned Linux users, we run across simple things we never knew existed—and are amazed. Whether it’s tab autocompletion, sudo !! for when you forgot to type sudo or even recursive file listing with ls, the smallest tricks can be so incredibly useful. Not long ago, I had one of those moments.

Most people know rc.local is the file where you put commands you want to have start on system boot. Sometimes the rc.local script is disabled, however, and it doesn’t work. It also can be difficult to remember the syntax for starting a particular program as a specific user. Plus, having a long list of programs in rc.local can just become ugly. Little did I know, cron supports not only periodic execution of commands, but it also can start programs when the system starts as well!

A normal crontab entry looks like this:

* * * * * /usr/bin/command

That runs the command every minute. There are countless variations to get very specific intervals, but until recently, I didn’t know there were options to the five fields. The following is a crontab entry that runs a command every hour on the hour:

@hourly /usr/bin/command

And, there are many more: @annually, @monthly, @daily, @midnight and most interesting for this article, @reboot. If you have a crontab entry like this:

@reboot /usr/bin/command

it will execute when the system starts up, with the ownership and permission of the person owning the crontab! I researched a lot to make sure it wasn’t just on reboot, but also on a cold boot—and yes, the @reboot terminology just means it runs once when the system first boots. I’ve been using this as a quick hack to start programs, and it works amazingly well.

I know 99.9% of you already knew this juicy bit of info, but for that .1% who have been living in the dark like me, I present you with a sharp new arrow for your system administrator quiver. It’s a very simple trick, but all the best ones are!

—SHAWN POWERS


Scientific Graphing in Python

In my last few articles, I looked at several different Python modules that are useful for doing computations. But, what tools are available to help you analyze the results from those computations? Although you could do some statistical analysis, sometimes the best tool is a graphical representation of the results. The human mind is extremely good at spotting patterns and seeing trends in visual information. To this end, the standard Python module for this type of work is matplotlib (http://matplotlib.org). With matplotlib, you can create complex graphics of your data to help you discover relations.

You always can install matplotlib from source; however, it’s easier to install it from your distribution’s package manager. For example, in Debian-based distributions, you would install it with this:

sudo apt-get install python-matplotlib

The python-matplotlib-doc package also includes extra documentation for matplotlib.

Like other large Python modules, matplotlib is broken down into several sub-modules. Let’s start with pyplot. This sub-module contains most of the functions you will want to use to graph your data. Because of the long names involved, you likely will want to import it as something shorter. In the following examples, I’m using:

import matplotlib.pyplot as plt

The underlying design of matplotlib is modeled on the graphics module for the R statistical software package. The graphical functions are broken down into two broad categories: high-level functions and low-level functions. These functions don’t work directly with your screen. All of the graphic generation and manipulation happens via an abstract graphical display device. This means the functions behave the same way, and all of the display details are handled by the graphics device. These graphics devices may represent display screens, printers or even file storage formats. The general work flow is to do all of your drawing in memory on the abstract graphics device. You then push the final image out to the physical device in one go.

The simplest example is to plot a series of numbers stored as a list. The code looks like this:

plt.plot([1,2,3,4,3,2,1])
plt.show()

The first command plots the data stored in the given list in a regular scatterplot. If you have a single list of values, they are assumed to be the y-values, with the list index giving the x-values. Because you did not set up a specific graphics device, matplotlib assumes a default device mapped to whatever physical display you are using. After executing the first line, you won’t see anything on your display. To see something, you need to execute the second show() command. This pushes the graphics data out to the physical display (Figure 1). You should notice that there are several control buttons along the bottom of the window, allowing you to do things like save the image to a file.

Figure 1. A basic scatterplot window includes controls on the bottom of the pane.

You also will notice that the graph you generated is rather plain. You can add labels with these commands:

plt.xlabel('Index')
plt.ylabel('Power Level')

You then get a graph with a bit more context (Figure 2).

Figure 2. You can add labels with the xlabel and ylabel functions.

You can add a title for your plot with the title() command, and the plot command is even more versatile than that. You can change the plot graphic being used, along with the color. For example, you can make green triangles by adding g^ or blue circles with bo. If you want more than one plot in a single window, you simply add them as extra options to plot(). So, you could plot squares and cubes on the same plot with something like this:

t = [1.0,2.0,3.0,4.0]
plt.plot(t,[1.0,4.0,9.0,16.0],'bo',t,[1.0,8.0,27.0,64.0],'sr')
plt.show()

Now you should see both sets of data in the new plot window (Figure 3).

Figure 3. You can draw multiple plots with a single command.

If you import the numpy module and use arrays, you can simplify the plot command to:

plt.plot(t,t**2,'bo',t,t**3,'sr')

What if you want to add some more information to your plot, maybe a text box? You can do that with the text() command, and you can set the location for your text box, along with its contents. For example, you could use:

plt.text(3,3,'This is my plot')

This will put a text area at x=3, y=3. A specialized form of text box is an annotation. This is a text box linked to a specific point of data. You can define the location of the text box with the xytext parameter and the location of the point of interest with the xy parameter. You even can set the details of the arrow connecting the two with the arrowprops parameter. An example may look like this:

plt.annotate('Max value', xy=(2, 1), xytext=(3, 1.5),
             arrowprops=dict(facecolor='black', shrink=0.05),)

Several other high-level plotting commands are available. The bar() command lets you draw a barplot of your data. You can change the width, height and colors with various input parameters. You even can add in error bars with the xerr and yerr parameters. Similarly, you can draw a horizontal bar plot with the barh() command. Or, you can draw box and whisker plots with the boxplot() command. You can create plain contour plots with the contour() command. If you want filled-in contour plots, use contourf(). The hist() command will draw a histogram, with options to control items like the bin size. There is even a command called xkcd() that sets a number of parameters so all of the subsequent drawings will be in the same style as the xkcd comics.

Sometimes, you may want to be able to interact with your graphics. matplotlib needs to interact with several different toolkits like GTK or Qt. But you don’t want to have to write code for every possible toolkit. The pyplot sub-module includes the ability to add event handlers in a GUI-agnostic way. The FigureCanvasBase class contains a function called mpl_connect(), which you can use to connect some callback function to an event. For example, say you have a function called onClick(). You can attach it to the button press event with this command:

fig = plt.figure()
...
cid = fig.canvas.mpl_connect('button_press_event', onClick)

Now when your plot gets a mouse click, it will fire your callback function. It returns a connection ID, stored in the variable cid in this example, that you can use to work with this callback function. When you are done with the interaction, disconnect the callback function with:

fig.canvas.mpl_disconnect(cid)

If you just need to do basic interaction, you can use the ginput() command. It will listen for a set amount of time and return a list of all of the clicks that happen on your plot. You then can process those clicks and do some kind of interactive work.

The last thing I want to cover here is animation. matplotlib includes a sub-module called animation that provides all the functionality that you need to generate MPEG videos of your data. These movies can be made up of frames of various file formats, including PNG, JPEG or TIFF. There is a base class, called Animation, that you can subclass and add extra functionality. If you aren’t interested in doing too much work, there are included subclasses. One of them, FuncAnimation, can generate an animation by repeatedly applying a given function and generating the frames of your animation. Several other low-level functions are available to control creating, encoding and writing movie files. You should have all the control you require to generate any movie files you may need.

Now that you have matplotlib under your belt, you can generate some really stunning visuals for your latest paper. Also, you will be able to find new and interesting relationships by graphing them. So, go check your data and see what might be hidden there.

—JOEY BERNARD
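The snippets in the article are typed one at a time into an interactive session with a display attached. As an added example (my own code, not Joey’s), here is a complete script that combines several of the calls covered above, plot() with format strings, xlabel(), ylabel(), title() and annotate(), and writes the figure to a PNG file by selecting the non-interactive Agg graphics device instead of calling show(). That is the abstract-graphics-device idea in practice, and it is what you need when the code runs on a server with no X display. The function names, the output filename and the sample data are my own choices.

```python
"""Plot squares and cubes, label the axes, annotate the largest value and
save the result as a PNG without needing a display (added example)."""


def squares_and_cubes(t):
    """Return (squares, cubes) for the sample points in t."""
    squares = [x ** 2 for x in t]
    cubes = [x ** 3 for x in t]
    return squares, cubes


def find_max_point(xs, ys):
    """Return the (x, y) pair with the largest y; used to place the annotation."""
    index = max(range(len(ys)), key=lambda i: ys[i])
    return xs[index], ys[index]


def render_plot(t, output_path):
    """Draw both series on one figure and write it to output_path.

    matplotlib is imported here, after selecting the non-interactive Agg
    graphics device, so the script also works where no window system exists.
    """
    import matplotlib
    matplotlib.use("Agg")            # file-backed graphics device, no window
    import matplotlib.pyplot as plt

    squares, cubes = squares_and_cubes(t)
    fig = plt.figure()
    # Blue circles for the squares, red squares for the cubes (format strings
    # as in the article).
    plt.plot(t, squares, 'bo', t, cubes, 'sr')
    plt.xlabel('Input value')
    plt.ylabel('Power')
    plt.title('Squares (blue circles) and cubes (red squares)')

    # Point the annotation arrow at the real maximum instead of a fixed xy.
    x_max, y_max = find_max_point(t, cubes)
    plt.annotate('Max value', xy=(x_max, y_max),
                 xytext=(x_max - 1.5, y_max * 0.8),
                 arrowprops=dict(facecolor='black', shrink=0.05))
    plt.savefig(output_path)         # replaces plt.show() for headless use
    plt.close(fig)
    return output_path


if __name__ == "__main__":
    print(render_plot([1.0, 2.0, 3.0, 4.0], "powers.png"))
```

The two small helpers keep the data handling apart from the drawing, so the series and the annotated point can be checked without opening a window; render_plot() is the only function that touches matplotlib.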



[ EDITORS' CHOICE ]

Sicker Than Sickbeard?
EDITORS’ CHOICE ★

When I wrote about Usenet and Sickbeard a while back, I got many e-mails that I had broken the first rule of Usenet: don’t talk about Usenet. I’m a sucker for freedom though, and I can’t help but share when cool programs are available. This month, I switched from Sickbeard to NZBDrone for managing my television shows. NZBDrone is a program designed to manage a local collection of television shows. It also has the capability of working with Usenet programs to automate the possibly illegal downloading of episodes, but that’s truly not all it’s good for. NZBDrone will take your TV show files and organize them into folders, download metadata and let you know if you’re missing files. It also will show you when your favorite shows are going to be airing next.

Although it hasn’t given me a problem, the fact that NZBDrone runs on Mono makes me nervous. The installation guide on the http://www.nzbdrone.com Web site makes setup simple enough, but there will be a boatload of dependencies that you might have to install due to its Mono infrastructure. NZBDrone will work with your existing Plex media server, XBMC machines and SABNzb installs, and it automatically performs most of its features if you allow it to do so. The interface is beautiful, and even with a large collection of television shows (I have more than 15TB of TV shows on my server), it’s very responsive. Whether you record your TV episodes, rip your television season DVDs or find your episodes in other ways, NZBDrone is a perfect way to manage your collection. It’s so intuitive and user friendly, that it gets this month’s Editors’ Choice award!

—SHAWN POWERS



COLUMNS
AT THE FORGE

URLs
REUVEN M. LERNER

How URLs, a technology that we take for granted, are changing with the times.

The World Wide Web recently celebrated its 25th anniversary. As I have written in previous columns, the growth and ubiquity of the modern Web never cease to amaze me. I get my news, television and podcasts via the Web, not to mention my groceries and airline tickets, and it allows me to communicate with my consulting clients around the world.

From my perspective, part of the genius of the Web, designed by Tim Berners-Lee, was its simplicity. Numerous researchers had been discussing hypertext for years before Berners-Lee appeared on the scene—and when he did, it was with a set of technologies that remain with us: HTTP, HTML and URLs.

I wouldn’t claim that these technologies are unchanged after 25 years of usage, but it is pretty amazing to see how much they resemble their original versions. HTML has become, of course, far more sophisticated, thanks in no small part to the HTML5 set of standards, along with JavaScript and CSS. HTTP has undergone a number of changes to improve its efficiency through the years, and it would seem that HTTP 2.0 eventually will be released, bringing with it considerably improved performance and security.

The lowly URL, however, has remained largely unchanged—at least, until now. In this article, I want to spend a bit of time talking about URLs (and their cousins, URIs and URNs) and the changes that are happening in the world of Web technologies. In particular, we’re seeing changes in Web application technologies that have far-reaching implications for how we use the Web and for the ways in which our URLs function—especially as the Web becomes increasingly full of mobile and single-page apps.

Uniform Resource X

The idea behind URLs (Uniform Resource Locators) is a simple one: it identifies a document on the Internet. If you’re reading this article, you presumably know that a URL can look like this: http://example.com/foo.

The first URLs were defined in fairly simple terms. There was a protocol, followed by a colon, and then (in the case of HTTP, at least) a server name, port number and pathname.

But soon after URLs first were unveiled, people started to consider that other things deserved unique identifiers. For example, let’s say you want to refer to a book. Each book has a unique ISBN, so shouldn’t it be possible to refer uniquely to a book via its ISBN? The IETF, which is in charge of many Internet standards, certainly thought so, and thus created the idea of a URN, or Uniform Resource Name. Whereas a URL points to a resource on the Internet, via a protocol, server name and pathname, URNs point to off-line resources via a unique code. Thus, you can point to a book with urn:isbn:0451450523.

Where does this book reside on the network? That’s not the sort of question you’re supposed to ask about a URN. URNs uniquely identify resources, but they don’t tell you where to find them on-line. A URN always begins with “urn:”, followed by the type of resource you’re describing. Following that, you’ll then have a unique identifier for that resource. A URN should be unique; many books may share the same title, but each book has a unique ISBN.

With the creation of URNs, both URNs and URLs then became specific types of URIs, or Uniform Resource Identifiers. A URI can be a URL, identifying a particular on-line location. Or a URI can be a URN, pointing to a unique resource in the world.

Parts of a URL

Although URNs certainly are a great idea, I haven’t ever used them in my work. But I have used URLs extensively, and I expect that all other Web developers have done so too. URLs are remarkably flexible, in that they can specify any protocol—and then for each protocol, a URL can specify a particular access method. The following URL, http://lerner.co.il/, thus indicates that the resource is available via the HTTP protocol. HTTP URLs then have a hostname, followed by an optional port number that defaults to 80 for HTTP and 443 for HTTPS (that is, HTTP with SSL encryption). So the previous URL also could be written as http://lerner.co.il:80/, but there’s generally no need to do so. Following the slash that comes after the hostname, there is a path. So, I can say: http://lerner.co.il/team.

This is where things start to get a bit interesting. The “/team” is passed to the Web server at “lerner.co.il” and describes...well, we don’t know what it describes. To the outside world, the “/team” path seems to indicate part of a hierarchy, and probably even a document. Inside the Web application, it can be anything at all. In modern Web applications, the “router” looks at the URL and decides which object and/or method should be activated based on the path.

Now, in most cases, this is all you’re going to need. But there are some additional, often ignored parts of URLs that are becoming increasingly important. For example, the hash character (#) can exist in the URL, and it separates the main URL from the “fragment”. What is a fragment? Whatever you want it to be—that part of an HTTP URL is handled internally by the application and/or the browser. For years, the fragment was used to let you skip to a particular part of a page. So if you went to http://example.com/foo.html#section2, and if there was a “name” link inside the page with the value “section2”, the browser would move you there.

Another use for the fragment was to provide a URL for links that didn’t exist for actual linking, but rather so that JavaScript could fire. That is, you could create a link like:

<a id="click-me" href="#">Click me</a>

If you were to click on such a link from a browser without JavaScript, nothing would happen. But in a browser with JavaScript, the page presumably would set a callback, such that clicking on the link would fire up some JavaScript code.

To date, the fragment probably has been the smallest and most easily ignored part of a URL. But that is changing, and rapidly, thanks to the rise of single-page applications. However, before I discuss those, let me first talk about REST and what it means for URLs.

REST

“REST” has nothing to do with sleep; it is an acronym for Representational State Transfer and was coined by Apache cofounder Roy Fielding in his PhD dissertation. The idea behind REST is that you often see URLs as ways to access applications and documents on the Web, including the things you want to do with those applications and documents. So you might have a /register URL on your site, as well as a /view_status or /see_book?id=100. REST says that you should stop creating such URLs, and that you should instead see a URL as a unique way to describe an on-line resource. Thus, user 100 on your system becomes /user/100. Wait, you want to do something with user 100? That requires a verb, rather than a noun. Instead of using the URL, or part of it, for the verb, you instead should use the verb that already is being used with the URL—namely, one of the appropriate HTTP verbs. Most of us are only familiar with the HTTP methods GET and POST, but there are a bunch of others too. (Not that they’re really supported by most browsers, of course.)

Now, I must admit that when REST became a mainstream, and even preferred, way to create URLs with Ruby on Rails, I tended to resist it. But over time, I have learned to appreciate the elegant simplicity of these URLs, particularly in an age when a growing number of HTTP verbs are supported by browsers, or (as in the case of Rails) you can automatically provide a parameter that indicates the request method, overriding the POST that you always send.

Rails has been particularly successful at pushing REST as a paradigm, in that controllers are assumed to provide seven different methods automatically, which are mapped in a standard way to combinations of HTTP request methods and URL patterns. Now, just because Rails does REST a certain way doesn’t mean that everyone needs to do it in precisely that way, using the specific URL style and meaning that Rails has defined. But that style, or something very close to it, has become quite popular, as you can see from such packages as Grape API for Ruby or Django REST Framework for Python.

One of the interesting aspects of using URLs in a REST framework is that the URL now describes an object, which often is mapped not only to a router and/or controller, but also to an object in a database. Thus, the URL /users/1 effectively will allow me to retrieve, via the Web, information about the user with ID 1.

Although such information used to be passed in XML or even in HTML, it’s now fairly standard to transmit API data using JSON, which is standard, easy to work with and implemented in all modern languages. A RESTful API that uses JSON is increasingly common as the browser portion of applications becomes more important and needs to load and save data using these APIs.

Single-Page Apps

The most recent version of a Web application is the single-page application. From a user’s perspective, you can call it a “single-page application”, because it doesn’t ever need to refresh the whole page, even when you click on a link or a button. Rather, JavaScript changes the page on the fly, modifying the DOM elements and reacting to events within the browser window.

It’s possible to create single-page applications using a library such as jQuery, but as things get complex, it becomes somewhat difficult and frustrating to do so. You end up spending time developing solutions that handle the infrastructure of such an application, rather than the application itself. If this sounds familiar, that’s because the same thing happened about a decade ago. People were tired of writing the same code again and again for their Web applications. As a result, the notion of a “framework” was born, with Rails and Django being two of the most prominent players in that space.

Backbone.js was one of the first client-side frameworks, but it wasn’t the only one. Indeed, there are dozens of frameworks, each claiming to be some degree of MVC (model-view-controller) that run in the browser and allow programmers to create rich, client-side applications in relatively short order. More recently, Backbone and its ilk have given way to a new and more thoroughly designed type of framework, with the two leading contenders being Ember.js and Angular.js. (I intend to write about both of these quite a bit in the coming year.)

For me, at least, the most striking thing when I started to learn Ember and Angular was their talk about the “router”. Now, in Rails, a router is the part of the code that maps the URL /users/101 and knows to invoke the appropriate code. And indeed, the router in Ember does something very similar, taking the URL and ensuring that the correct code is invoked.

But wait a second—I’m talking about a single-page app, right? If you’re working with Ember, what is your router doing worrying about what URL is being passed? The answer, it turns out, is that the routers in both Ember and Angular aren’t looking at the main part of the URL, but rather the fragment. The URL will not be /users/101 but rather myapp.html#/users/101 or something of the sort. This means that you now effectively have two URLs you need to think about: one that tells the server which application you want and then a second that tells the client-side application which JavaScript code to run. This new use of URLs still looks somewhat strange to me, as it’s making use of the fragment, which I had largely ignored for years. However, it’s also exciting to see that URLs continue to be flexible, adapting to new uses for the Web, and making it possible to continue using browsers in new and interesting ways.

Reuven M. Lerner, a longtime Web developer, consultant and trainer, is completing his PhD in learning sciences at Northwestern University. You can learn about his on-line programming courses, subscribe to his newsletter or contact him at http://lerner.co.il.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

Resources
The ultimate reference for URLs, which doesn’t mean that it’s easy to read or understand, is
RFC 3986 at http://tools.ietf.org/html/rfc3986, published by the IETF, the body in charge of
many Internet standards.

If you are interested in looking at modern client-side frameworks, you can learn more about them at
http://backbonejs.org (for Backbone), http://emberjs.com (for Ember) and http://angularjs.org
(for Angular). All are popular open-source projects with large and active communities.
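As an added example that is not part of Reuven’s column, the Python code below ties together the pieces discussed under Parts of a URL, the fragment, REST and Single-Page Apps: it splits a URL into scheme, host, port (with the 80/443 defaults), path, query and fragment; builds the request line a browser would send, which shows that the fragment never reaches the server; splits a URN such as urn:isbn:0451450523 into its namespace and identifier; and routes REST-style paths such as /users/100 by HTTP verb, reusing the same router for the part of a single-page-app URL after the hash. The route table, the Rails-like handler names and the sample URLs are my own assumptions, not any framework’s code.

```python
import re
from urllib.parse import urlsplit

# Port implied when the URL carries none (the column's 80/443 rule).
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_parts(url):
    """Split a URL into the pieces the column describes."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port,
        "path": parts.path or "/",
        "query": parts.query,
        "fragment": parts.fragment,   # everything after '#', kept client-side
    }


def request_line(url):
    """The HTTP/1.1 request line a browser sends for url.

    Only path and query are included: the fragment is handled by the
    browser or the page's JavaScript and is never transmitted, so a server
    log cannot show it.
    """
    p = url_parts(url)
    target = p["path"] + ("?" + p["query"] if p["query"] else "")
    return "GET %s HTTP/1.1" % target


def parse_urn(urn):
    """Split 'urn:<namespace>:<identifier>' into its two parts."""
    m = re.match(r"^urn:([A-Za-z0-9][A-Za-z0-9-]{0,31}):(.+)$", urn)
    if not m:
        raise ValueError("not a URN: %s" % urn)
    return m.group(1), m.group(2)


# Minimal REST-style route table (assumed, Rails-like names): the HTTP verb
# carries the action, the path names the resource.  Rails generates seven
# such routes per resource; five are enough to show the idea.
ROUTES = [
    ("GET",    re.compile(r"^/users$"),       "users#index"),
    ("POST",   re.compile(r"^/users$"),       "users#create"),
    ("GET",    re.compile(r"^/users/(\d+)$"), "users#show"),
    ("PUT",    re.compile(r"^/users/(\d+)$"), "users#update"),
    ("DELETE", re.compile(r"^/users/(\d+)$"), "users#destroy"),
]


def route(method, path):
    """Return (handler, captured ids) for a matching route, else None."""
    for verb, pattern, handler in ROUTES:
        m = pattern.match(path)
        if m and verb == method:
            return handler, m.groups()
    return None


def client_side_route(url):
    """Route the part of a single-page-app URL after '#', as Ember and
    Angular routers of the time did.  The server only ever sees the path
    before the hash (see request_line)."""
    fragment = url_parts(url)["fragment"]
    if not fragment.startswith("/"):
        return None
    return route("GET", fragment)


if __name__ == "__main__":
    spa = "http://example.com/myapp.html#/users/101"
    print(url_parts(spa))
    print("server sees:", request_line(spa))
    print("client routes:", client_side_route(spa))
    print(parse_urn("urn:isbn:0451450523"))
```

Note the two views of the same SPA URL: request_line() yields GET /myapp.html, while client_side_route() dispatches /users/101 from the fragment. That split is the reason the column’s “two URLs” exist, and also why anything placed after the hash is invisible to server-side logging and access control.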



COLUMNS
WORK THE SHELL

Considering DAVE TAYLOR

Legacy
UNIX/Linux Issues
Updating his shell script book, Dave bumps into a legacy
Solaris problem, which leads to all sorts of interesting
solution paths and discussion.

Gah, so frustrating! Ten years #!/bin/sh

ago I wrote a rather popular # how many commands: count how many executable commands

book called Wicked Cool Shell # are in your current PATH.

Scripts, and I’m working on a


new edition—a Tenth Anniversary myPATH="$(echo $PATH | sed -e 's/ /~~/g' -e 's/:/ /g')"

release. There are lots of new count=0 ; nonex=0

scripts, entirely new chapters


and updates to the older stuff. for dirname in $myPATH ; do

Fortunately, Bash hasn’t evolved directory="$(echo $dirname | sed 's/~~/ /g')"

that much in the last decade, so just if [ -d "$directory" ] ; then

about everything still works fine for command in $(ls "$directory") ; do

(although there are some scripts I’m if [ -x "$directory/$command" ] ; then

now realizing can’t handle spaces in count="$(( $count + 1 ))"

filenames—something I talked about else

years ago in this very column). nonex="$(( $nonex + 1 ))"

But, there were problems when I fi

pushed out the following script to done

my Google Plus followers (find me on fi

G+ at http://profiles.google.com/ done

d1taylor) and asked those that had echo "$count commands, and $nonex entries that weren't \

access to a Linux or UNIX system to marked executable"

give it a quick run: exit 0

36 / JUNE 2014 / WWW.LINUXJOURNAL.COM

LJ242-June2014.indd 36 5/22/14 12:36 PM


COLUMNS
WORK THE SHELL

It’s simple enough really—using Sun OS 5.8 The line “for


sed to split the $PATH value into command...” gives me this
space-separated values, then the for error “syntax error at line 10:
loop to step through them one by ’$’ unexpected”.
one, counting how many entries are
marked as executable (the -x test). That’s this line in the script:
Of course, you have to take into
account that there might be spaces for dirname in $myPATH ; do
in directory names within the PATH
(like /User Applications/bin), so I Well, that’s puzzling, because
also convert spaces to ~~ and then there’s nothing particularly
later in the for loop convert them complicated in that statement.
back at the last possible moment. Perhaps it’s the ; in the middle of
But that’s not rocket science, just the line? Still, a classic—useless—
basic scripting. error message from the shell. A bit
Why test to see if the directory of digging, and it turns out that he
in the PATH is an actual directory had a different default login shell,
(the -d test), you may ask? Because and that /bin/sh in that version
when people can add their own apparently wasn’t linked to /bin/bash.
directories to the system PATH, it can Oops. We changed the first line to
get messy, and it’s entirely possible invoke the proper shell:
that there is an entry that’s not a
valid directory. So that’s just error #!/bin/bash
management really. Perhaps an else
echo "Error: Entry $directory And...it still didn’t work:
isn’t a directory?" would be a
good addition. The script ran but it came back
In any case, I posted this script, with this: “First RE may not be
and people ran it on various systems, null”. The second line read,
reporting answers ranging from “0 commands, and 0 entries that
1,100 to more than 3,000 executable weren’t marked executable”.
commands in their PATH (Ubuntu There are a lot of executable
13.10). More than 3,000 commands? files in my path.
Sheesh! Except then there was my
friend Chris who said: Well heck. Now what?

WWW.LINUXJOURNAL.COM / JUNE 2014 / 37

LJ242-June2014.indd 37 5/22/14 12:36 PM


COLUMNS
WORK THE SHELL

Running Solaris to Test the Script along with various flavors of Linux,
The logical solution was to gain access offering the ability to install and run
to a system running Solaris (ideally a full Solaris installation (or just about
SunOS 5.8, aka Solaris 8), but who the any other OS you’re interested in
heck is running a Solaris system and testing) as an app.
can grant me external SSH access? If you’ve experimented with
The answer: no one I could find, VMware or Parallels, you’ve already
which is why it’s fortunate that bumped into this technology, and it’s
I found a far better path: VirtualBox. very slick. In fact, I run Windows 8 Pro
Free to download from Oracle on my MacBook Pro using VMware
(https://www.virtualbox.org/ Fusion, and it works astonishingly well
wiki/Downloads), VirtualBox is a in its own full-screen window. The
virtualization system, creating a down side is that VMware Fusion isn’t
system within a system. Even better, free. But, VirtualBox is—nice.
it runs on Mac or Windows systems Download and install it, then

Figure 1. Solaris 11.1 Running within VirtualBox, within Mac OS X

38 / JUNE 2014 / WWW.LINUXJOURNAL.COM

LJ242-June2014.indd 38 5/22/14 12:36 PM


COLUMNS
WORK THE SHELL

you can grab a free copy of the VirtualBox config to share the
SunOS 5.11 (aka Solaris 11.1) at clipboard with the parent operating
http://www.oracle.com/technetwork/ system, and you simply can copy and
server-storage/solaris11/vmtemplates- paste it into a vi edit buffer and save it.
vmvirtualbox-1949721.html. An invocation:
Unpack the OS and double-
click. It’s automatically opened $ sh ./count-cmds.sh

by VirtualBox, and with another 2003 commands, and 15 entries that weren't marked executable

click or two, you’re running Solaris


11.1 and have the default window Ah great. So in fact, the script
manager, GNOME, front and center, works fine in the latest version of
as shown in Figure 1. SunOS/Solaris but fails in the older
Now finally, I can open up an xterm version that Chris is running. How old
and test the script within a Solaris is it? It turns out that Solaris 8 came
environment. The easiest path? Tweak out a while back, in February 2004.

LINUX JOURNAL
on your
Android device
Download the app now
in the Android Marketplace

www.linuxjournal.com/android
For more information about advertising opportunities within Linux Journal iPhone, iPad and
Android apps, contact John Grogan at +1-713-344-1956 x2 or ads@linuxjournal.com.

LJ242-June2014.indd 39 5/22/14 12:36 PM


COLUMNS
WORK THE SHELL

The same year my book came out, and I tested the scripts on Solaris 9 prior to publication.

This leads to the dilemma: the script apparently doesn’t work on a ten-year-old version of Solaris UNIX but works just fine on the latest release, Solaris 11. Should I care? This is all tied to the legacy problem: how far back do you need to go to ensure that your software works? The previous OS release? Five years back? Ten? Longer?

Legacy support has been in the news for Windows users, that’s for sure, as Microsoft just axed support for the ancient Windows XP version of the flagship operating system. For the record, WinXP was released in October 2001. Fourteen years later, Microsoft is saying “guys, we’ve had a lot of major releases since then and can’t support it forever”, and people are howling.

Apple seems to weather this sort of thing more gracefully. When the company moved from MacOS to Mac OS X, it included “Classic Mode” where old apps would mostly run, but the writing was on the wall from the beginning of the OS X era that Apple wasn’t going to “do a Microsoft” and support the old OS for years and years.

And, this brings me back to Solaris 8 and Wicked Cool Shell Scripts. The long and short of it: if the script didn’t work properly in Solaris 11, I’d be concerned and debug the problem, but because it fails in a ten-year-old version of the OS, I’m going to ignore the problem. If I could log in to a Solaris 8 system, I might debug it anyway just to understand what’s going on, but is that a reason to slow down the revision of the book? I don’t think so.

Legacy support—it’s a big challenge for every software developer, and although Bash and the Linux command-line world hasn’t changed that much in the past few years, it’s still something to consider before you ship your own software (even if it’s free software).

So what’s your solution? Write to us, and let us know how your company deals with legacy Linux/UNIX issues!

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He’s the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at his tech site http://www.AskDaveTaylor.com.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

COLUMNS
HACK AND /

Encrypt Your Dog (Mutt and GPG)
KYLE RANKIN

Like most common things with Mutt, encryption and signing of e-mail is fairly straightforward and customizable.

I have been focusing a lot on security and privacy issues in this year’s columns so far, but I realize some of you may expect a different kind of topic from me (or maybe are just tired of all this security talk). Well, you are in luck. I’m going to kill two birds with one stone and describe security as applied to a piece of software that has gotten a lot of play in my column through the years: Mutt. Those of you who are familiar with my column know about my long history as a Mutt user. For those of you who aren’t acquainted with it, Mutt is a command-line mail client (some would say Mail User Agent or MUA) that is highly configurable and uses vi key bindings that so many of us know and love. If you want an initial primer on Mutt, check out my article “Take Mutt for a Walk” from the October 2010 issue (http://www.linuxjournal.com/article/10858). I’ve written a lot about Mutt in the past, but I realized recently that I never really discussed Mutt’s PGP/GPG integration before now.

Mutt PGP/GPG Settings
The first step in the process is to configure Mutt’s PGP/GPG settings. Actually, the first step probably should be for you to create a GPG keypair if you haven’t already, but that is a topic for another article and one that’s already been covered in Linux Journal. Mutt has quite a few settings for PGP, but in my experience, you need to be concerned about only a few. So, add the following lines to your ~/.muttrc file, and I will discuss each of the


options in detail:

set pgp_replyencrypt # now crypt_replyencrypt
set pgp_replysign # now crypt_replysign
set pgp_replysignencrypted # now crypt_replysignencrypted
set pgp_show_unusable=no

The first thing to notice (and something I didn’t realize until I was writing this article) is that Mutt’s development release has changed the name of some of these settings. All of the encryption settings used to be prefaced by pgp_, but now some of the settings have been abstracted out presumably to work with things other than PGP and begin with crypt_ instead. In my experience, the old setting names still work, and as that has the widest compatibility, I refer to the settings by those names.

The first three settings enable what I consider to be sane defaults for encrypted e-mail. Although Mutt has a series of settings that let you automatically sign and encrypt every message you send (they all start with pgp_auto or crypt_auto if you are curious), that probably isn’t practical for most people. Instead, these pgp_reply settings configure how to behave when you reply to a message that has been signed or encrypted. The pgp_replyencrypt setting automatically will encrypt replies to encrypted messages, and pgp_replysign automatically will sign replies to messages that have been signed. If a message has been signed and encrypted, the setting pgp_replysignencrypted takes care of automatically encrypting and signing replies. The final setting, pgp_show_unusable=no, will hide any PGP keys in your keychain that have expired, have been revoked or are otherwise unusable.

Use PGP/GPG inside Mutt
Once your PGP settings are in place, Mutt automatically should sign or encrypt replies to encrypted or signed messages in a common-sense way. Of course, that doesn’t help with conversations you want to start, or if you want to encrypt or sign a reply to a message that isn’t encrypted.


Mutt makes it easy to change the security status of any message before you send it. After you compose and save a message, you will be on a screen that shows you the To, CC, From and Subject for the message. This is the same screen where you would add any attachments and where you press the y key to send the message. The Security field on this screen shows your current PGP settings for the message. If you haven’t enabled signing or encryption for the message, this field will be set to None. Otherwise, it might be set to Sign or Encrypt or Sign, Encrypt. To change your security settings, press p and then select from encrypt (e key), sign (s key), sign as (a key), both sign and encrypt (b key) or clear (c key), which disables any security settings. If you choose to encrypt the message, when you send it, Mutt will present you with recipient encryption keys from which to choose.

Mutt PGP/GPG Hooks
Of course, you could enable PGP signing or encryption manually on a per-message basis, but you might have a friend or colleague that you know uses e-mail encryption and to whom you always want to sign or encrypt your messages. In that case, Mutt provides hooks to allow you to configure when to enable security settings automatically.

Let’s assume I wanted to sign all messages I send to linuxjournal.com, but I specifically wanted to sign and encrypt messages sent to editor@linuxjournal.com. I would add the following settings to my ~/.muttrc:

send-hook . 'unset pgp_autosign; unset pgp_autoencrypt'
send-hook '~t @linuxjournal.com' 'set pgp_autosign'
send-hook '~t editor@linuxjournal.com' 'set pgp_autosign; set pgp_autoencrypt'

The send-hook setting allows you to configure Mutt settings that apply right before you send a message. The syntax with Mutt hooks is send-hook followed by a pattern, then followed by one or more settings. The initial line:

send-hook . 'unset pgp_autosign; unset pgp_autoencrypt'

is set to match all messages (the . matches anything). It then unsets any automatic signing or encryption. This acts as your default setting, and it’s important that it appears before any other PGP-related send-hook lines. This default exists so that if you trigger any other send-hooks and enable automatic signing or encryption when sending to a specific address, this hook will unset it before you send a message to someone else. The next line will sign any messages sent to linuxjournal.com automatically:

send-hook '~t @linuxjournal.com' 'set pgp_autosign'


The ~t in a hook pattern matches the To header, but the Mutt documentation details a number of other flags you can use to match From, BCC, the e-mail body or other parts of the message. The final line automatically will enable signing and encryption to messages sent to editor@linuxjournal.com:

send-hook '~t editor@linuxjournal.com' 'set pgp_autosign; set pgp_autoencrypt'

With these settings in place, you should be able to feel safe knowing that you won’t slip up and accidentally reply to someone’s encrypted message in plain text. Plus, you can make sure you always sign messages to your PGP-using friends.

Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users’ Group.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
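To make the ordering rule concrete, here is an added example (not from the column, and not Mutt's own code): a simplified shell model of send-hook evaluation that replays the three hooks above against a sequence of recipients. It assumes hooks fire in file order, that every hook whose pattern matches the To address runs, that the settings they change persist between messages, and that a ~t pattern is an extended regex matched against the To address; with those assumptions it shows that without the catch-all . hook, pgp_autoencrypt set for editor@linuxjournal.com stays set for the next message to an unrelated address.

```shell
#!/bin/sh
# Added example: a simplified model of Mutt's send-hook evaluation, NOT Mutt's
# own code. Assumptions: hooks run in file order, every hook whose pattern
# matches the To address runs, and the settings they change persist across
# messages until another hook changes them again.

# Current state of the two settings the hooks touch (0 = unset, 1 = set).
PGP_AUTOSIGN=0
PGP_AUTOENCRYPT=0

TAB=$(printf '\t')

# Hook table: "PATTERN<TAB>COMMANDS", one hook per line; the same three hooks
# as the ~/.muttrc fragment in the column.
HOOKS=".${TAB}unset pgp_autosign; unset pgp_autoencrypt
~t @linuxjournal.com${TAB}set pgp_autosign
~t editor@linuxjournal.com${TAB}set pgp_autosign; set pgp_autoencrypt"

# The same table without the catch-all default (the mistake the column warns
# against), for comparison.
HOOKS_NO_DEFAULT="~t @linuxjournal.com${TAB}set pgp_autosign
~t editor@linuxjournal.com${TAB}set pgp_autosign; set pgp_autoencrypt"

# pattern_matches PATTERN TO_ADDRESS: '.' matches everything; '~t REGEX'
# matches when REGEX (extended regex) is found in the To address.
pattern_matches() {
    case $1 in
        .) return 0 ;;
        "~t "*) printf '%s\n' "$2" | grep -Eq -- "${1#"~t "}" ;;
        *) return 1 ;;
    esac
}

# apply_command "set NAME" | "unset NAME"
apply_command() {
    verb=${1%% *}
    name=${1#* }
    if [ "$verb" = set ]; then value=1; else value=0; fi
    case $name in
        pgp_autosign) PGP_AUTOSIGN=$value ;;
        pgp_autoencrypt) PGP_AUTOENCRYPT=$value ;;
    esac
}

# apply_commands "set X; unset Y": split on ';' and apply each in order.
apply_commands() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *';'*) cmd=${rest%%;*}; rest=${rest#*;} ;;
            *) cmd=$rest; rest= ;;
        esac
        cmd=${cmd# }
        [ -n "$cmd" ] && apply_command "$cmd"
    done
}

# run_send_hooks HOOK_TABLE TO_ADDRESS: what happens just before sending.
run_send_hooks() {
    old_ifs=$IFS
    IFS='
'
    set -f   # '.' and regex metacharacters must not be glob-expanded
    for line in $1; do
        pattern=${line%%"$TAB"*}
        commands=${line#*"$TAB"}
        if pattern_matches "$pattern" "$2"; then
            apply_commands "$commands"
        fi
    done
    set +f
    IFS=$old_ifs
}

# security_field: the Security field the compose screen would show.
security_field() {
    case "$PGP_AUTOSIGN$PGP_AUTOENCRYPT" in
        00) echo None ;;
        10) echo Sign ;;
        01) echo Encrypt ;;
        11) echo "Sign, Encrypt" ;;
    esac
}

# Demo: mail the editor, then an outsider, with and without the default hook.
for table in HOOKS HOOKS_NO_DEFAULT; do
    PGP_AUTOSIGN=0; PGP_AUTOENCRYPT=0
    eval "hooks=\$$table"
    echo "== $table =="
    for to in editor@linuxjournal.com friend@example.com; do
        run_send_hooks "$hooks" "$to"
        echo "  To: $to -> Security: $(security_field)"
    done
done
```

The second table prints "Sign, Encrypt" for friend@example.com, which is exactly the leaked setting the leading . hook exists to clear.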

COLUMNS
THE OPEN-SOURCE CLASSROOM

Being a Hack
SHAWN POWERS

What’s better than chocolate and peanut butter? Bash scripts and FOR loops!

If you think hacking is breaking into Pentagon computers to play “Global Thermonuclear War” with Joshua, you have good taste in movies, but unfortunately, not a clear picture of what hackers do. Yes, there is a subset of folks who take advantage of system vulnerabilities to compromise computer systems. There’s a much larger group of people, however, who just use quick bits of code to get their jobs done. These “hacks” aren’t nefarious, but are generally not well planned and executed code. Hacks are like digital duct tape, and although you probably can hold an airplane’s wing on with duct tape, you wouldn’t want to fly it very far. The same is true with the hacks I talk about here. They’re generally good for a quick fix, but not something you want to build your infrastructure on. (Unfortunately, simple hacks often get hacked on more and more, and become production systems, which is not ideal, but nonetheless can happen. Use your hacking powers wisely and know when your digital duct tape isn’t appropriate.)

In my last article, I described a bunch of simple skills that I now want to demonstrate in action. Basically, I’m just going to think up a handful of things I’ve done through the years and show you an example script. Then I’ll go through them. You probably won’t have the same needs I do, but hopefully the concepts will get you thinking. For example, let’s start with a script I used to use on my file server to create home directories for newly added users. On a standalone system, the home directories are created when you add a user, but on a large network, the processes are often separate. My users would get added to an LDAP database, and then I’d run the following to create their home directories:

#!/bin/bash
#
# Create home directories on file server

cp -R /etc/skel /home/$1
chown -R $1.$1 /home/$1
chmod 751 /home/$1
echo "Unless you saw an error, everything is good."


If you remember from my last article, the $1 variable is filled with the first argument given to the script. In this case, it’s a user name (like “spowers”). The script then copies the /etc/skel folder and all of its contents to /home with the name of the new user. Then ownership is changed to the user’s user name and group, and finally the permissions are set on the user’s folder. In my case, it allows non-owners to enter the directory so Apache can read the user’s public Web folder. This is a real-world example of how to use the $1 variable. If you had a separate group, you could use $2 to specify. Building on this example, you can come up with elaborate variations to suit your needs.

Programs Never Die
The next script is far smaller, but it serves an interesting purpose. If you’re running a program that is known to crash occasionally (Mono programs are notorious for this, at least in my experience), it’s helpful to have them automatically restart. It’s possible to create an init script or upstart configuration that will respawn dead processes, but it’s often challenging to get the configuration just right. A quick hack is to put the program in an endless loop. Here’s an example:

#!/bin/bash
#
# Restart program when it dies
while true
do
/usr/bin/crashy_program
sleep 10
done

If you start this script from rc.local or from crontab on boot (see my article in the UpFront section of this issue on using cron to start programs at boot), it will run crashy_program until it crashes, wait 10 seconds, and then the loop starts over, which launches the program again. You do have to be careful, because if “crashy_program” is something that launches itself into the background, in dæmon mode, the script will just keep starting new instances of the program until your RAM fills up. You could add a pkill crashy_program line inside the loop if you want to clean up any remaining processes before starting the loop over, but this method of keeping a script running will work well only if the program doesn’t release control of the shell while it’s running. Hopefully that makes sense.


Can You Hear Me Now?
From here out, the scripts I show you will be more and more complex. There might even be some stuff thrown in that I didn’t cover in my last article, but that’s okay, it should be pretty easy to figure out what’s going on. Take this script for example, which I use to check my Internet connection at home:

#!/bin/bash
#
# Test Google by IP
wget -q --tries=3 --timeout=5 \
http://173.194.46.49 -O /tmp/google.idx &> /dev/null

if [ ! -s /tmp/google.idx ]
then
/usr/local/bin/powercontrol reboot
sleep 180
echo "Charter sucks." | mail -s \
"DANGER WILL ROBINSON: Rebooted Home Router" me@example.com
fi

rm -rf /tmp/google.idx

This is literally the code I use to check my Internet connection and power cycle my modem if need be. First things first, the backslash in a script is just a way of making the commands more readable. All the \ character does is break a single command into multiple lines. The system doesn’t actually see the \ character, it sees the entire line. So above, the wget command is a one-liner that ends with /dev/null. The script itself uses wget to download the Google search page to /tmp/google.idx. I use an IP address because often when my modem is off-line, DNS lookups fail, so that IP address is one of Google’s. Anyway, wget tries to download the Google page, allowing for three failed attempts with a five-second timeout. Then the “if” statement checks to see if it failed at downloading the file. (That’s what the ! does, it negates the test command.) If it failed, it issues a reboot command to my serial-port-connected power-cycling machine, waits three minutes for the connection to come back up, and then e-mails me a notification of the failure. If wget successfully downloads the file, which it usually does, the if statement is skipped, the downloaded file is erased and the script ends. I run this via cron every 15 minutes or so, and it works well to keep my flaky connection stable.

Everyone Gets a Web
The next script goes back to the home directory situation. This time, however, I use a “for” loop to effect change to all the folders in the /home


directory. See if you can figure out what this does:

#!/bin/bash
#
for x in `ls /home`
do
mkdir /home/$x/public_html
chown $x.nobody /home/$x/public_html
chmod 755 /home/$x/public_html
done

This script basically creates a set of objects from the ls /home command (because it’s in backticks), and then executes one loop iteration for each object in the set. The beauty of this is that it will work whether you have three users or 3,000 users. Each iteration of the loop (the part between do and done) creates a public_html folder inside the user’s folder and gives it the correct ownership and permissions. You can imagine how much typing this saves for large numbers of users! I use a variation on this type of loop for lots of maintenance issues on user files. If I need to copy a single file to everyone’s desktop, a for loop saves the day.

This is probably a good time to remind everyone that quick Bash hacks like these aren’t foolproof. It’s best if you first have your script do something innocent like echo instead of mkdir, so that it prints on the screen what it is doing. A simple typo could cause you to wipe out millions of user files, so it’s best to test your script before using it on your live servers or personal system. This is especially true if you start running rm commands in a loop—that’s some powerful mojo, which you don’t want to use incorrectly.

I Hate Typing Things More Than Once
Finally, I’m going to demonstrate another way I use quick Bash scripts on a regular basis, and that is to create configuration files. Basically, any time you see repetitious data in a configuration file, chances are you can write a script that will save you lots of time. This script is fairly complex, but it uses lots of the tools I’ve been talking about. This configuration file is actually part of a script I use to monitor Bitcoin miners, for those who are curious:

#!/bin/bash
#
BASE_ADDRESS="172.20.1."
LOOP_NUMBER=$(($2 - $1))
# First part of config file
echo "<?php"
# This loop should run for all miners
for MINERLOOP in $(seq 0 $LOOP_NUMBER);
do
echo "\$r[$MINERLOOP]['name'] = 'MINER$(($1 + $MINERLOOP))';"


echo "\$r[$MINERLOOP]['ip'] = '$BASE_ADDRESS$(($1 + $MINERLOOP))';"
echo "\$r[$MINERLOOP]['port'] = '4028';"
echo "\$r[$MINERLOOP]['sick'] = 'FALSE';"
echo " "
done
# And finish off the file
echo "?>"

To make this program run, it needs two arguments. The last octet of the IP addresses of the miners I’m configuring must be entered, so I’d type something like:

./myscript 100 102

And the output is:

<?php
$r[0]['name'] = 'MINER100';
$r[0]['ip'] = '172.20.1.100';
$r[0]['port'] = '4028';
$r[0]['sick'] = 'FALSE';

$r[1]['name'] = 'MINER101';
$r[1]['ip'] = '172.20.1.101';
$r[1]['port'] = '4028';
$r[1]['sick'] = 'FALSE';

$r[2]['name'] = 'MINER102';
$r[2]['ip'] = '172.20.1.102';
$r[2]['port'] = '4028';
$r[2]['sick'] = 'FALSE';

?>

If you follow the logic of the script, you’ll see it starts by figuring out the number of loops needed by subtracting the beginning IP octet from the ending one—in this case, 102-100=2. You’ll notice there are actually three iterations of the loop, and that’s because I’m a little sneaky. I start the loop iterations at zero, so there are three total loops done. Little quirks like this are figured out as you test your scripts and are the reason you must test your scripts before depending on them, even if they’re for something simple like this.

Anyway, there are some confusing things in this script that I had to learn how to do while I was debugging it originally. The $(seq 0 $LOOP_NUMBER) statement, for example, is really confusing looking. The reason it’s required, however, is because it’s not possible to put a variable in a standard range statement for creating a for loop. My first instinct was to say for MINERLOOP in {0..$LOOP_NUMBER}, but that just doesn’t work. My brain thinks it should work, but alas, it doesn’t. So, using the seq command along with the $() structure provides the same effect, only with seq, it works.

There might be some confusion with the echo statements too,


because I needed the $ character in my final output, I needed to use a backslash to “escape” the next character. The same thing with the + symbol inside the echo statement. I included the output so you can see what actually happens with the syntax. Please don’t think I wrote this script without pulling my hair out in frustration several times. Trying to get an exact format can be incredibly frustrating. In this instance, however, all the script does is print to the screen. That means it’s fairly safe to run just to see if the output is what you expected. Once it looks correct, you simply can redirect the output of the script into a file like this:

./myscript 100 102 > config.php

And, you end up with a configuration file completely created with minimal input required by the user. It’s important to check that file to make sure it looks like you expect, but generally, you’ll see exactly what printed on the screen when you ran the script in the first place.

You’ve Ruined My Mental Image of Sysadmins
Well, I’m glad. Being a system administrator, or just a skilled end user, doesn’t have to be some mystical dark art. Being a system administrator is more about thinking differently and problem-solving than anything else. It’s great to have an arsenal of knowledge and know-how under your belt, but just having the right attitude often is more valuable than having all the answers. If all we needed were answers, Google would manage all of our servers. Coming up with the right questions and knowing what tools to use—that’s the real value.

I know some of these scripting examples seem absurdly simple. Some of the most useful scripts are! The idea with this article was to get you thinking about how to combine the various scripting basics into something powerful, something useful and ultimately something that saves you time.

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
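The column's "test with echo first" advice is the right instinct; the other half is to make the scripts refuse bad input in the first place. Here is an added example (not the column's own code) that rewrites the create-home and public_html hacks from earlier in this article: it validates the user name before anything touches the filesystem (so a "$1" of "../root" or an empty string cannot be spliced into the cp/chown/chmod paths), insists the account already exists, quotes every expansion, and loops over /home/*/ rather than parsing ls. SKEL and HOME_BASE are assumed knobs so it can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example: hardened versions of the create-home and public_html scripts
# from this column, not the column's own code. SKEL and HOME_BASE are assumed
# knobs (defaults match the column) so the functions can be exercised in a
# scratch directory without touching the real /home.

SKEL=${SKEL:-/etc/skel}
HOME_BASE=${HOME_BASE:-/home}

# valid_username NAME: accept only a conservative login name (lower-case
# letter or underscore, then letters, digits, '_' or '-', 32 chars max).
# This is what stops "$1" such as "../root" or "" from being spliced into
# the cp/chown/chmod paths below.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# create_home NAME: the original three steps, with checks in front of them.
create_home() {
    user=$1
    if ! valid_username "$user"; then
        echo "create_home: refusing suspicious user name '$user'" >&2
        return 2
    fi
    # The account is added to LDAP (or /etc/passwd) first; insist on that
    # instead of creating a directory nobody owns yet.
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "create_home: no such account '$user'" >&2
        return 3
    fi
    group=$(id -gn "$user")          # primary group, not "a group named $user"
    home="$HOME_BASE/$user"
    if [ -e "$home" ]; then
        echo "create_home: $home already exists, leaving it alone" >&2
        return 4
    fi
    cp -R -- "$SKEL" "$home" &&
    chown -R -- "$user:$group" "$home" &&
    chmod 751 "$home" || return 1
    echo "created $home for $user:$group"
}

# add_public_html: the for-loop hack, iterating over real directories rather
# than the output of ls, so odd names or stray files in /home cannot break it.
add_public_html() {
    for home in "$HOME_BASE"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue       # no match: the literal glob comes back
        user=${home##*/}
        valid_username "$user" || continue
        mkdir -p -- "$home/public_html" &&
        chown -- "$user:nobody" "$home/public_html" &&
        chmod 755 "$home/public_html" || return 1
    done
}

# Usage, same as the original: create-home.sh USERNAME
if [ "$#" -eq 1 ]; then
    create_home "$1"
fi
```

Run with SKEL and HOME_BASE pointed at a throwaway directory first, exactly as the column recommends, and only then against the real file server.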

NEW PRODUCTS

IGEL Thin and Zero Clients


Those working in the clinical field will want to take note of innovations to the IGEL Thin and Zero Client solutions. IGEL Technology recently announced that all Linux x86-based hardware and software thin clients now integrate Imprivata OneSign ProveID Embedded, providing the health-care industry with secure clinical authentication. The addition of OneSign ProveID Embedded allows high-performance, user authentication for rapid, secure access to clinical applications and critical patient information. Instead of having to enter passwords manually, users log on to virtual desktops and/or communicate through virtual channels to core medical applications using a contactless RF-enabled smart card. The resulting improvement of work processes ensures that staff members have more time to spend with patients.
http://www.igel.com

ElasticHosts’ Elastic Containers


In a test analysis with its largest customers, ElasticHosts found that
switching to the company’s new Elastic Containers—cloud servers
that are based purely on consumption, rather than capacity—
would result in a 50% or more cost savings. The secret sauce is
a breakthrough auto-scaling container technology that elastically
expands and contracts to meet customer demands, entirely
eliminating the need for manual provisioning. Because each container
automatically can scale up to 64GB RAM, companies can handle
usage peaks and valleys more effectively. Aside from disrupting the
cloud market, ElasticHosts adds that Elastic Containers also will
eliminate load balancers and reduce disaster recovery costs.
http://www.elastichosts.com


Mark Edward Soper’s


Building and Repairing PCs
(Que Video)
We Linuxers are a roll-your-own kind of crew.
Even for us though, keeping track of all the
latest technologies can be overwhelming. A
solution with our tribe in mind is Mark Edward
Soper’s Building and Repairing PCs, a hands-on
tutorial dedicated to building and repairing
desktop and laptop PCs. The product consists
of three hours of professionally edited,
downloadable videos that cover topics like
selection of parts, building a system, tweaking
the BIOS, overclocking, installing the latest components (such as hard disks),
configuring a PC for game performance and more.
http://www.informit.com

Oswald Campesato’s
Google Glass Development
(Mercury Learning)
Oswald Campesato’s new book Google Glass Development adds to Mercury Learning & Information’s newly developed Pocket Primer series. Campesato’s book provides an overview of the major aspects, the source code and tutorial videos to develop applications for Google Glass. It also contains information for developing Glassware using Android and HTML5 technologies, primarily for self-directed learners who have some knowledge of Android and HTML5 graphics-related technologies. Other topics include CSS3, HTML5 Canvas, D3 and SVG, as well as the Glass GDK and working with sensors.
http://www.merclearning.com


Envivio’s G5 Family
of Appliances
Envivio’s specialty is software-
based video processing and delivery
solutions. The company’s latest innovation is the Envivio G5 family of Intel-based
server appliances, featuring increased compression density, support for the latest
Ultra HD 4K resolution and HEVC (H.265) encoding, and a lowering of operating
expenses for service providers. Operators deploying Envivio Muse Live encoders on
the new G5 platform can deliver up to 100 high-quality SD or 20 HD channels in a
2RU configuration. In a typical IPTV or cable scenario, this represents a significant
cost savings. Rack space requirements can be reduced by nearly 40% and power
consumption by more than 30% compared to the previous generation of Envivio
appliances. Both 1RU and 2RU versions are available, with the latter featuring a
modular hot-swappable, multi-node architecture.
http://www.envivio.com

Elecsys e-Modem
Industrial equipment manufacturers that need a practical and
reliable solution for linking their products with data networks
will be pleased to learn about the novel Elecsys e-Modem
series of embedded cellular data modems. These are wireless
communication devices that are pre-certified to operate on the
Verizon Wireless network and are ready to integrate into industrial
products to add M2M connectivity into remote field applications
and rugged equipment. Key product features include multiple
cellular technologies (CDMA 1xRTT and EV-DO), Verizon Wireless
Open Development certification and a design for industrial
applications. Target applications include oil and gas wells,
energy distribution systems, agricultural facilities, transportation
infrastructure and many other industrial applications.
http://www.elecsyscorp.com


Red Hat Enterprise Linux


Thanks to collaboration with Google, users of Red Hat Enterprise Linux now have a new “bring-your-own-subscription” benefit that enables them to move their on-site subscription to the Google Compute Engine. The benefit is part of the Red Hat Cloud Access program, which enables Red Hat customers to take advantage of the benefits of the Google Cloud Platform with the confidence that the consistency and quality on a public cloud matches the on-site version. Red Hat states that Red Hat Cloud Access also enables customers to maintain a direct relationship with the company—including the ability to receive full support from Red Hat’s Global Support Services organization—on Google Compute Engine. This enables its customers to maintain a consistent level of service and support across all certified deployment infrastructures with consistent and predictable pricing.
http://www.redhat.com

Verocel’s VeroTrace
The new commercial version of Verocel’s VeroTrace,
an advanced life-cycle management environment, features an enhanced architecture, an
Eclipse IDE and a wealth of other capabilities. The upshot is that software developers now
can automate the many tasks and processes required for their own large-scale, advanced
software development and verification efforts. VeroTrace provides not only full traceability,
review and workflow tracking but also monitors development and certification life-cycle
artifacts as well as their relationships and authorization statuses. It is the ideal environment
to facilitate the development, review, authorization and sign-off status of complex software
systems, and aid in their delivery. VeroTrace already has successfully delivered safety and
security projects and certification evidence to meet the DO-178B/C Avionic Software
standards, the EN 50128 rail certification and the IEC 61508 for the industrial sector.
http://www.verocel.com

Please send information about releases of Linux-related products to newproducts@linuxjournal.com or


New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.



FEATURE Monitoring Android Traffic with Wireshark

Monitoring Android Traffic with Wireshark

Use some simple Linux tools and a laptop to get access to the Internet traffic sent and received by your smartphone.

BRIAN TRAPP



The ubiquity and convenience of smartphones has been a real boon for getting information on the go. I love being able to jump on a Wi-Fi hotspot, catch up on my mail, check my banking balance or read the latest tech news—all without having to bring along or boot up a laptop. Now that mobile development is mainstream, most of this access is done via specialized apps, instead of via a Web browser. This migration away from direct Web access in favor of dedicated smartphone apps has made for a richer user experience, but it also has made knowing exactly what is going on “under the hood” a lot harder. On our Linux boxes, there are many tools to help users peer into the internals of what’s going to and from the machine. Our browsers have simple HTTP versus HTTPS checks to see if there’s encryption, and there are simple but easy-to-use browser plugins like Firebug that let us view exactly what’s being sent and retrieved over the Web. At the operating system level, powerful tools like Wireshark let us drill down even further, capturing all traffic flowing through a network interface. Smartphones usually are locked up to a point where it’s almost impossible for a regular user to run any network monitoring or tracing software directly on the phone—so how can a curious user get access to that phone traffic?
Fortunately, with just a little bit of work, you can use Linux to transform almost any laptop into a secret-sharing wireless access point (WAP), connect your phone and view the data flowing to and from the phone with relative ease. All you really need is a laptop running Linux with one wireless and one Ethernet connection.

Intercepting Traffic
The first step is to set up your own “naughty” WAP where you can capture and log all the Internet traffic passing through it—simulating the kind of information that a rogue employee could be obtaining from a coffee-shop Wi-Fi hotspot. Let’s do this in a distribution-independent way that doesn’t mess around with your existing router (no need to change security settings) and doesn’t require rooting or installing anything unseemly on your phone.
To turn a laptop into a WAP, you’ll first use hostapd to put the wireless card into access point mode (broadcasting an SSID, authenticating with security and so on). Next, you’ll use dnsmasq to provide DNS and DHCP services for clients connecting on the wireless connection. Finally, iptables’ masquerading features will be used to direct IP traffic from clients on the wireless connection to the Internet (via your Ethernet connection), and then route responses back to the correct client on the wireless side.

FALSE STARTS
It may be tempting to try a shortcut for capturing this traffic. Here are a few techniques I tried and discarded before sticking with a hostapd/dnsmasq/iptables solution.

UBUNTU’S BUILT-IN HOTSPOTS: Ubuntu has a handy “Use as Hotspot” feature tucked away in its networking settings. Unfortunately, it creates hotspots in ad hoc mode, which isn’t compatible with most versions of Android. I didn’t try Fedora’s implementation, but the method I recommend instead will work on any distribution.

MONITOR MODE: It’s tempting just to put the wireless card in monitor mode and capture all wireless traffic, independent of SSID. This is pretty cool, but there are quite a few “gotchas”:

- The drivers for your wireless card must support monitor mode. Many, but not all, cards support this mode.
- Your capture needs to include the four WPA “handshake” packets.
- You’ll probably have to compile and use airmon-ng to start monitor mode and then capture on the mon0 pseudo-device airmon creates.
- If the WAP is using encryption, the packets you capture also will be encrypted. Wireshark does have a facility to help decode the packets, but you’ll need to enter information about the security scheme used by the WAP and toggle a few sets of options until the decoded packets look right. For a first-time user, it’s hard enough making sense out of Wireshark dumps without having to worry about toggling security options on and off.

CAPTURING WITH THE ANDROID EMULATOR: Another approach would be to use an Android emulator on your capture device, install and then run the target application, and capture the traffic from the emulator. It’s much harder than it sounds actually to get a banking app on the emulator though:

- Due to recent Android licensing changes, the major Android VMs no longer include the Google Play store. (I tried both the Android SDK and the free product from Genymotion.)
- If your phone isn’t rooted, it’s not easy to get the application’s .apk off your phone and onto the VM.

hostapd
hostapd is a small utility that lets you create your own wireless access point. Installation is straightforward, and configuration is just as easy. Most wireless cards and modern kernels will be using the mac80211 driver. Check yours via lsmod | grep mac80211. If that’s your driver, find your wireless device via ifconfig, and set up the SSID of your choice as shown below for an unsecured, totally open access point:

===[/etc/hostapd/hostapd.conf]======
interface=wlan0
driver=nl80211
ssid=WatchingU
channel=1
===[/etc/hostapd/hostapd.conf]======

I recommend not using Wi-Fi security for this test; it would be overkill, as your access point will only be temporary. Should you desire a more permanent solution, hostapd supports many different authentication options.

dnsmasq
Now that hostapd is ready to start letting clients connect to your wireless connection, you need dnsmasq to serve DHCP and provide DNS for your access point. Fortunately, dnsmasq is also very easy to install and configure. The example below is the minimum required. Make sure the dhcp-range you specify will not conflict with anything already on your network. By default, dnsmasq will read your existing /etc/resolv.conf and propagate the DNS settings listed there to its clients. That’s a pretty sane default configuration, but if you need something else, use the no-resolv option and specify the DNS servers manually:

========[/etc/dnsmasq.conf]===============
interface=wlan0
dhcp-range=10.0.0.3,10.0.0.20,12h
========[/etc/dnsmasq.conf]===============

iptables
The final piece of your wireless access point is iptables, which will use IP Masquerading to get the traffic from the wireless connection, send it over


the wired connection and route any responses back to the correct source on the wireless side. There are many distribution-specific ways to save and script iptables rules, but it’s simpler to create a distribution-independent shell script to enable iptables and network address translation (NAT). A script for iptables that ties in hostapd and dnsmasq would look like the following (modify the wlan0 and eth0 entries to match your system):

=======[makeWAP.sh]==============
#!/bin/bash
export DEV_IN=wlan0;
export DEV_OUT=eth0;

echo "Bringing up $DEV_IN"
#This address/mask should match how you configured dnsmasq
ifconfig $DEV_IN up 10.0.0.1 netmask 255.255.255.0

echo "Starting dnsmasq"
dnsmasq

echo "Configuring iptables"
#Clear everything in iptables (counters, rules, user-defined chains)
iptables -Z;
iptables -F;
iptables -X;

#Turn on iptables NAT, forwarding, and enable
#forwarding in the kernel
iptables --table nat --append POSTROUTING --out-interface $DEV_OUT -j MASQUERADE
iptables --append FORWARD --in-interface $DEV_IN -j ACCEPT
sysctl -w net.ipv4.ip_forward=1

echo "Starting hostapd"
hostapd /etc/hostapd/hostapd.conf 1> /dev/null
=======[makeWAP.sh]==============

To test everything, connect your capture laptop to a wired connection with Internet access and disconnect any existing wireless connections. Run the makeWAP.sh script (sudo ./makeWAP.sh) to start up the WAP. On the phone, turn off mobile data (for Android 4.3, this is done via Settings→Data Usage→Mobile data→Off), turn on Wi-Fi, and connect to the new WAP (in the example above the SSID would be “WatchingU”). Once connected, test a few sites to make sure you can access data from the Internet. If everything works, congratulations, you have transformed your laptop into the world’s most ridiculously overqualified wireless router!

Wireshark
Wireshark is a network packet analyzer that you’ll use to capture and make sense of the data flowing on your newly created access point. You’ll be merely scratching the surface of its capabilities, as it is an
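The three pieces above repeat the interface name and the 10.0.0.x addressing, and a mismatch between them (a DHCP range on another subnet, a range that hands out the gateway's own address) is the usual reason a phone associates but never gets a usable lease. The following check is an added example, not code from the article: it parses the key=value format hostapd.conf and dnsmasq.conf share and compares them with the address makeWAP.sh assigns to the interface. The configuration strings are copies of the fragments above; the dev_in parameter and the function names are this example's own.

```python
"""Cross-check hostapd.conf, dnsmasq.conf and the makeWAP.sh interface address."""
import ipaddress

# Constructed copies of the article's configuration fragments.
HOSTAPD_CONF = """interface=wlan0
driver=nl80211
ssid=WatchingU
channel=1
"""

DNSMASQ_CONF = """interface=wlan0
dhcp-range=10.0.0.3,10.0.0.20,12h
"""

# From "ifconfig $DEV_IN up 10.0.0.1 netmask 255.255.255.0" in makeWAP.sh.
GATEWAY = "10.0.0.1/255.255.255.0"


def parse_kv(text):
    """Parse the key=value lines hostapd and dnsmasq use; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_wap_config(hostapd_text, dnsmasq_text, gateway, dev_in="wlan0"):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    hostapd = parse_kv(hostapd_text)
    dnsmasq = parse_kv(dnsmasq_text)
    iface = ipaddress.ip_interface(gateway)   # accepts address/netmask form
    net = iface.network

    if hostapd.get("interface") != dnsmasq.get("interface"):
        problems.append("hostapd and dnsmasq name different interfaces")
    if hostapd.get("interface") != dev_in:
        problems.append("makeWAP.sh DEV_IN does not match the hostapd interface")
    if hostapd.get("driver") != "nl80211":
        problems.append("hostapd driver is not nl80211 (expected for mac80211 cards)")

    try:
        start, end, *_ = dnsmasq["dhcp-range"].split(",")
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except (KeyError, ValueError):
        problems.append("dnsmasq dhcp-range missing or malformed")
        return problems

    if lo not in net or hi not in net:
        problems.append("dhcp-range falls outside the gateway's subnet")
    if lo > hi:
        problems.append("dhcp-range start is above its end")
    if lo <= iface.ip <= hi:
        problems.append("dhcp-range includes the gateway address itself")
    return problems


if __name__ == "__main__":
    print(check_wap_config(HOSTAPD_CONF, DNSMASQ_CONF, GATEWAY) or "configuration is consistent")
```

Run it before makeWAP.sh whenever you change the subnet or interface names; each problem string names the file that has to change.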


extremely powerful tool with abilities stretching well beyond “poke at a few packets” as used in this project.
Install Wireshark for your version of Linux. If at all possible, get version 1.10 or higher, as 1.10 adds support for decoding gzip’ed HTTP data on the fly (and there’s a lot of that). Prior to 1.10, you’d have to save the TCP stream to a file, edit out the header and then gunzip it to view the raw data. This becomes tedious quickly, so having Wireshark do all that for you behind the scenes is awesome.
When running Wireshark for the first time, if it complains that there are no devices available for capture, you have to give your ID permissions for the various devices and applications used by Wireshark. For Ubuntu, run sudo dpkg-reconfigure wireshark-common, select the option to let nonroot users capture packets, and make sure your ID is in the “wireshark” group. For other distributions, search for which devices and scripts need to be owned by which groups.
Before moving on to capturing traffic, shut down every non-essential app and service on the phone to make it easier to find the traffic of interest. The fewer packets you have to sort through, the better.

Capturing Unencrypted Web Traffic
Before you start looking for sensitive data, let’s first get familiar with what unencrypted traffic looks like in Wireshark.

- From the Wireshark starting screen, select the wireless device (wlan0) and then the “Start” icon to start a new capture.
- On the phone, use a browser to go to http://www.linuxjournal.com.
- Once the page has finished loading on the phone, press the “Stop” icon in Wireshark, and save the capture file somewhere safe, called something like “Capture_LJ.pcapng”.

Now, let’s take a look at this dump. With the dump file open in Wireshark, go to View→Name Resolution and make sure “Enable for Network Layer” is checked. This will improve readability by translating IP addresses to hostnames. The initial view (Figure 1) can be sort of intimidating, but there are some simple tips to make decoding this data easier.
As shown in Figure 1, Wireshark’s dump screen has one row per TCP packet, but the data is more easily


Figure 1. Wireshark Output

consumed when reassembled into a full TCP stream. To get the full stream, right-click on any row where the source or destination is www.linuxjournal.com, and choose “Follow TCP Stream”. This automatically will find all the related packets and group them together in an easier-to-read format.
In this example, you can see the HTTP GET request from my phone in red, and the HTTP response from the Linux Journal Web server in blue. Here is where you can start to see unencrypted information flowing back and forth from the server. Since the server response’s “Content-Type” header indicates that the response is a JPEG image, you can view that image with a little bit of extra manipulation. Press the “Save As” button to save the stream to a temporary file (use RAW format), then use an editor like emacs or vi to trim out the header text from the image


Figure 2. Follow TCP Stream

binary contents. It takes a little bit of practice, but it’s usually pretty obvious where the HTTP header stops and the binary bits begin. Once you’ve removed the header (and any stray footer or additional header sections), you can save the file with a .jpeg extension and view it.
Continue browsing through the dump manually and look for interesting TCP segments. You also could take a more systematic approach by using Wireshark’s filtering capabilities. Use a filter like


Figure 3. Raw TCP Dump

Figure 4. Filtering to a Single TCP Stream


tcp.stream eq 1 (Figure 4), and keep iterating the stream ID until you’ve seen all the streams, drilling down with “Follow Stream” if the packets look promising.

Capturing Low-Sensitivity Application Traffic
Now that you’re getting a little more comfortable with capturing and viewing dumps with Wireshark, let’s try peeking at the information coming to and from an Android application. For this next test, I used the app “reddit is fun” since it sends and receives non-sensitive data that is probably not encrypted.
Capture an app search or query using the same technique as before: start Wireshark on the laptop, launch and exercise the app from the phone, then stop Wireshark and save the capture file.
Figure 5 shows an example TCP stream from “reddit is fun”. Again, the request from the app is in red, and the response from the reddit server is in blue. Note that since the request is not encrypted, anyone monitoring the WAP would be able to detect your interest in “Raspberry Pi” data. The content-type of the response is JSON, and even though the Content-Encoding is set to “gzip”, Wireshark is letting you view the content body as pure JSON. If the data in your TCP Stream page looks garbled, you may have an older version of Wireshark that doesn’t support on-the-fly gzip decoding.

Figure 5. Gzip-Encoded JSON


Either save the contents to a file and gunzip on your own, or upgrade your version of Wireshark.
Note: look at that hilarious “Server” header in the response—is some clever reddit engineer sending an SQL injection attack to some script kiddies?

Capturing High-Sensitivity App Data
By now, the process to capture traffic from an app should be pretty straightforward. Let’s try running a banking or high-sensitivity app and use the tricks described earlier to see if you can detect the application sending any information in the clear that it shouldn’t. To be perfectly honest, the odds of finding such a low-level (and easily avoidable) flaw are going to be very, very low. Android application development is pretty mature now, and the

Figure 6. Encrypted Traffic


Android libraries make using SSL encryption pretty easy. It feels good to double-check though, so follow the same steps as before, but log on to a banking application of your choice.
Now, as you step through the TCP streams, you should note a few major differences. Most of the traffic will be HTTPS instead of HTTP, and the protocol will be TLS instead of TCP or HTTP. In addition, the TCP stream no longer will contain human-readable content, even after trying the standard gunzip tricks (Figure 6). Step through the TCP streams, following each one, and verify that there’s no plain text or unencrypted communications that are exposing anything scary.

Next Steps
Now that you’ve almost certainly not found anything scary, where else can these network monitoring skills be applied? Here are some fun ideas:

- Attach a console like a Wii or PS3 and see what kind of information it sends at startup and logon.
- Create a WAP that doesn’t actually go anywhere and just see what tries to connect. Maybe there’s a device using Wi-Fi that you didn’t even know about?
- Get the SSL certificate for a server you support, and try out Wireshark’s SSL decoding.
- Reverse the wlan0 and eth0 designations in the scripts and set up the system backwards (connect the laptop’s Wi-Fi to your existing WAP, and plug a device in to the laptop’s Ethernet port) to monitor the output of wired-only devices. My “smart” Blu-ray player was communicating with all sorts of unexpected places at startup!

Brian Trapp serves up a spicy gumbo of Web-based yield reporting and analysis tools for hungry semiconductor engineers at one of the leading semiconductor research and development consortiums. His signature dish has a Java base with a dash of JavaScript, Perl, Bash and R, and his kitchen has been powered by Linux ever since 1998. He works from home in Buffalo, New York, which is a shame only because that doesn’t really fit the whole chef metaphor.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
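The "step through every stream and look for cleartext" check from the unencrypted-traffic and high-sensitivity sections can be scripted over a whole capture file. The following Python is an added example, not the author's code and not part of Wireshark: it builds a small pcap in memory from constructed packets (a phone at 10.0.0.3 talking to hypothetical servers in the 192.0.2.0/24 documentation range, one of them returning gzip-encoded JSON like the reddit example), groups the packets into TCP streams the way Wireshark's tcp.stream index does, and reports which streams are TLS, which are cleartext HTTP, and which cleartext requests carry cookies, Authorization headers or password fields. The packet and pcap builders, the regular expression and all addresses and ports are this example's assumptions.

```python
"""Reassemble TCP streams from a pcap and flag cleartext HTTP versus TLS."""
import gzip
import json
import re
import struct

PHONE = "10.0.0.3"  # constructed: the phone's lease on the article's 10.0.0.x WAP


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def packet(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero, which parsers ignore."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def pcap(frames):
    """Serialise frames as a classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def streams(pcap_bytes):
    """Reassemble TCP payloads per connection, numbered like Wireshark's tcp.stream."""
    index, order, off = {}, [], 24
    while off < len(pcap_bytes):
        caplen = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack_from("!HH", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        key = frozenset([(src, sport), (dst, dport)])
        if key not in index:                   # first packet seen is the client side
            index[key] = len(order)
            order.append({"client": (src, sport), "server": (dst, dport), "c2s": b"", "s2c": b""})
        s = order[index[key]]
        s["c2s" if (src, sport) == s["client"] else "s2c"] += payload
    return order


# Things that should never travel in a cleartext request from a phone app.
SENSITIVE = re.compile(rb"(?i)(authorization:|cookie:|password=|passwd=|pin=)")


def inspect(stream):
    """Classify one stream as TLS, cleartext HTTP (with findings) or unknown."""
    c2s, s2c = stream["c2s"], stream["s2c"]
    if c2s[:2] == b"\x16\x03":               # TLS record header: handshake, version 3.x
        return {"kind": "tls", "findings": []}
    m = re.match(rb"([A-Z]+) (\S+) HTTP/1\.[01]\r\n", c2s)
    if not m:
        return {"kind": "unknown", "findings": []}
    head, _, body = s2c.partition(b"\r\n\r\n")
    if re.search(rb"(?i)content-encoding: gzip", head):   # what Wireshark 1.10+ does for you
        body = gzip.decompress(body)
    findings = sorted({f.decode().lower() for f in SENSITIVE.findall(c2s)})
    return {"kind": "http", "request": (m.group(1) + b" " + m.group(2)).decode(),
            "response_body": body, "findings": findings}


def build_capture():
    """Constructed capture: four conversations from the phone to hypothetical servers."""
    gz = gzip.compress(json.dumps({"query": "Raspberry Pi", "results": 2}).encode())
    frames = [
        packet(PHONE, 40001, "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.linuxjournal.com\r\n\r\n"),
        packet("192.0.2.10", 80, PHONE,
               40001, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>LJ</html>"),
        packet(PHONE, 40002, "192.0.2.20", 80, b"GET /search.json?q=Raspberry+Pi HTTP/1.1\r\nHost: api.example\r\n\r\n"),
        packet("192.0.2.20", 80, PHONE, 40002,
               b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Encoding: gzip\r\n\r\n" + gz),
        packet(PHONE, 40003, "192.0.2.30", 80,
               b"POST /login HTTP/1.1\r\nHost: app.example\r\nCookie: sid=abc\r\n\r\nuser=alice&password=hunter2"),
        packet("192.0.2.30", 80, PHONE, 40003, b"HTTP/1.1 302 Found\r\n\r\n"),
        packet(PHONE, 40004, "192.0.2.40", 443, b"\x16\x03\x01\x00\x05hello"),  # ClientHello record
        packet("192.0.2.40", 443, PHONE, 40004, b"\x16\x03\x03\x00\x05reply"),
    ]
    return pcap(frames)


def audit(pcap_bytes):
    """Return (tcp.stream index, kind, findings) for every stream in a capture."""
    return [(i, r["kind"], r["findings"]) for i, r in enumerate(map(inspect, streams(pcap_bytes)))]


if __name__ == "__main__":
    for row in audit(build_capture()):
        print(row)
```

On the constructed capture the audit reports streams 0 and 1 as cleartext HTTP with nothing sensitive, stream 2 as cleartext HTTP carrying a cookie and a password field (the case the banking-app check is looking for), and stream 3 as TLS. Replace build_capture() with the bytes of a real Capture_LJ.pcapng saved in classic pcap format to run it over your own dump.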


OSSIM: a Careful, Free and Always Available Guardian for Your Network
Monitor your network’s security 24/7 with a free and open-source solution that collects, analyzes and reports logs of the events on your network.
MARCO ALAMANNI


Networks and information systems are increasingly exposed to attacks that are becoming more sophisticated and sustained over time, such as the so-called APT (Advanced Persistent Threats).
Information security experts agree on the fact that no organization, even the best equipped to protect itself from these attacks, can be considered immune, and that the issue is not whether its systems will be compromised, but rather when and how it will happen.
It is essential to be able to detect attacks in a timely manner and implement the corresponding countermeasures, following appropriate procedures to respond to incidents, thus minimizing the effects and the damages they can cause. In order to detect intrusions and attacks, system administrators and information security analysts make use of tools, such as IDS/IPS (Intrusion Detection/Prevention System) and analysis of logs (event records) of servers and network devices, looking for any significant events from a security point of view.
A network of an organization of average size produces, as a whole, such a quantity of logs that it is very difficult (and still very expensive) to check them all, one by one, to obtain meaningful information.
A further difficulty is that there is no single standard used to record the logs and often, depending on the type and size, they are not immediate or easy to understand.
It is even more difficult to relate logs produced by many different systems to each other manually, to highlight anomalies in the network that would not be detectable by analyzing the logs of each machine separately.
SIEM (Security Information and Event Management) software, therefore, is not limited to being a centralized solution for log management, but also (and especially) it has the ability to standardize logs in a single format, analyze the recorded events, highlight the most important information and relate the logs to each other (correlation), allowing analysts to detect anomalies and attacks more easily.
For example, for log management software, three failed attempts to log in to the same user account from three different clients will be only three lines in your log file and not obviously related to each other. For an analyst, instead, it may be a sequence of events worthy of further analysis, and


its correlation (looking for patterns in the log files) can generate alerts when these types of events occur.

Overview of a SIEM Open-Source Solution: OSSIM
OSSIM is a SIEM software platform, free and open-source, developed by AlienVault and based on a Debian 64-bit Linux distribution. OSSIM has four major components:

1. Sensor.
2. Server.
3. Framework.
4. Database.

You can install these components on a single physical machine (the default installation), on a single virtual machine, on different virtual machines and/or physical machines, depending on the size and configuration of the network to monitor.
For a relatively small network, installation on a single machine, which is the simplest configuration, may be the right solution. For larger networks, it is advisable to install the Sensor and the Database separately. Figure 1 shows the OSSIM architecture.

Figure 1. OSSIM Architecture

Sensor: The Sensor has two main components:

1. The rsyslog service, which listens


on TCP/UDP port 514, receives the logs from network devices and stores them locally, according to the configuration.

2. The Ossim-agent, using a series of modules called plugins, one for each type of log, performs log analysis and normalization, and sends that to the Server component.

Plugins are of two types: detectors, which detect anomalies and possible attacks (such as Snort, P0f, Arpwatch), and monitors to monitor the network status (like Ntop and Nagios).
Server: The Server performs the essential SIEM functions: aggregation, risk assessment and correlation of events that are received from the sensor through TCP port 40001. The server also sends the information concerning the events to the Database for storage.
Framework: The Framework connects and manages the OSSIM components and security tools included, and it provides the system administration Web interface. It is the component that needs the least hardware resources and is usually installed together with the Server component.
Database: The Database is a MySQL server instance that stores events and system configuration data.

Functionalities
Following is a brief description of OSSIM’s main features and functionalities concerning the collection, analysis and correlation of logs and the primary tools included in the system for network security monitoring.
Collection and Normalization of Logs: You can collect logs from the devices on your network in two ways:

1. Install a software agent (like Snare or SysLogAgent) in the source machine and configure it to read certain types of logs and send them to the Sensor component.

2. Configure the source machine to send the logs upon request of the appropriate Sensor plugins (for example, via WMI for Windows machines).

Once the Sensor records the logs, the OSSIM Agent performs the analysis and converts them to a single format (normalization). Each log represents an event that will be sent to the server for analysis (Figure 2).


Figure 2. Log Collection and Normalization

Prioritization of Events and Risk Assessment: The prioritization process involves assigning priority values to the recorded events, which is done by the Server component. It depends on the structure of the network and it needs, as prerequisites, the definition of security policies and the inventory of information assets on the network, which can be managed in the Web administration panel. It sets the priority of an event based on the machine that generated it and the type of event to which it belongs.
The risk assessment of events is calculated in real time and is based on three main factors:

1. The value or level of importance of the machine that generated the event.
2. The type of threat posed by the event.
3. The probability that this event occurs.

The formula used for calculating risk is the following (Figure 3):

Risk = value * (reliability * Priority / 25).

Analysis and Correlation of Events: The correlation of events essentially relates events to each other


Figure 3. How to Calculate the Risk Associated with an Event

Figure 4. Example of Analysis and Correlation of Events

to achieve a comprehensive view of network security and to detect possible attacks or anomalies. The correlation process is performed via two methods:

1. Correlation using sequences of events, using directives, consisting of rules that relate events to patterns of known attacks. This method is similar to using Snort for intrusion detection (signature-based detection).

2. Correlation using heuristic


algorithms: abnormal situations that the rules of the preceding method do not detect can be detected by these algorithms, and they may or may not be attacks (anomaly detection).

Directives are located in the /etc/ossim/server/directives.xml file. Directives are specified in XML using tags like Id, Name, Priority, Type, Reliability, Occurrence, Timeout, Source, Destination, Source port, destination port, protocol, PluginSid and Sensor. Reliability is a measure of the probability that the considered event truly represents the attack referred to by the directive and is generally based on the number of occurrences of the event.
For example, consider the following directive to detect brute-force SSH attacks:

<directive id="20" name="Possible SSH brute force login attempt against DST_IP" priority="5">
 <rule type="detector" name="SSH Authentication failure" reliability="3" occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY" time_out="10" plugin_id="4003" plugin_sid="1,2,3,4,5,6">
  <rules>
   <rule type="detector" name="SSH Authentication failure (3 times)" reliability="+1" occurrence="3" from="1:SRC_IP" to="ANY" port_from="ANY" time_out="15" port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
    <rules>
     <rule type="detector" name="SSH Authentication failure (5 times)" reliability="+2" occurrence="5" from="1:SRC_IP" to="ANY" port_from="ANY" time_out="20" port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
      <rules>
       <rule type="detector" name="SSH Authentication failure (10 times)" reliability="+2" occurrence="10" from="1:SRC_IP" to="ANY" port_from="ANY" time_out="30" port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
       </rule>
      </rules>
     </rule>
    </rules>
   </rule>
  </rules>
 </rule>
</directive>

The directive assigns a value of reliability equal to 3 (30% probability) when the number of occurrences of the event detected by the sensor (SSH authentication error) is equal to 1, then increments it by 1 at the third occurrence of the event, by 2 at the fifth occurrence and by an additional 2 at the tenth, thereby achieving a reliability of 8 (80% probability) when the incorrect authentication attempts are 10.
OSSIM also has the ability to correlate different types of logs, generated by various plugins (cross-correlation). The cross-correlation
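As an added example (not AlienVault's correlation engine, and not code from the article), the following Python walks the directive above over a constructed list of SSH authentication failures and then applies the risk formula from the Prioritization of Events and Risk Assessment section. The directive XML is copied from the article; the event dictionaries, the source address 203.0.113.5, the reading that occurrence thresholds are counted against the running total of matching events (the article's description: reliability 3 at the first failure, +1 at the third, +2 at the fifth, +2 at the tenth) and the simple handling of time_out are this example's assumptions.

```python
"""Evaluate the article's SSH brute-force directive over a stream of events."""
import xml.etree.ElementTree as ET

# The article's directive, attributes unchanged (whitespace reflowed).
DIRECTIVE_XML = """\
<directive id="20" name="Possible SSH brute force login attempt against DST_IP" priority="5">
 <rule type="detector" name="SSH Authentication failure" reliability="3" occurrence="1"
       from="ANY" to="ANY" port_from="ANY" port_to="ANY" time_out="10"
       plugin_id="4003" plugin_sid="1,2,3,4,5,6">
  <rules>
   <rule type="detector" name="SSH Authentication failure (3 times)" reliability="+1"
         occurrence="3" from="1:SRC_IP" to="ANY" port_from="ANY" time_out="15"
         port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
    <rules>
     <rule type="detector" name="SSH Authentication failure (5 times)" reliability="+2"
           occurrence="5" from="1:SRC_IP" to="ANY" port_from="ANY" time_out="20"
           port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
      <rules>
       <rule type="detector" name="SSH Authentication failure (10 times)" reliability="+2"
             occurrence="10" from="1:SRC_IP" to="ANY" port_from="ANY" time_out="30"
             port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
       </rule>
      </rules>
     </rule>
    </rules>
   </rule>
  </rules>
 </rule>
</directive>
"""


def rule_chain(directive):
    """Flatten the nested <rule>/<rules> levels into a list, outermost first."""
    chain, rule = [], directive.find("rule")
    while rule is not None:
        chain.append(rule)
        nested = rule.find("rules")
        rule = nested.find("rule") if nested is not None else None
    return chain


def matches(rule, event, src_ip):
    """plugin_id and plugin_sid must match; from="1:SRC_IP" pins the source seen by rule 1."""
    if event["plugin_id"] != int(rule.get("plugin_id")):
        return False
    if str(event["plugin_sid"]) not in rule.get("plugin_sid").split(","):
        return False
    frm = rule.get("from")
    return frm == "ANY" or (frm == "1:SRC_IP" and event["src_ip"] == src_ip)


def correlate(directive_xml, events):
    """Feed events (dicts with ts, plugin_id, plugin_sid, src_ip) through the directive.

    Returns (reliability, levels completed, pinned src_ip). Occurrence thresholds are
    compared with the running total of matching events, as the article describes; a
    level whose time_out elapses before its threshold is reached closes the instance.
    """
    chain = rule_chain(ET.fromstring(directive_xml))
    reliability, level, src_ip, count, entered = 0, 0, None, 0, None
    for ev in events:
        if level >= len(chain):
            break
        rule = chain[level]
        if entered is not None and ev["ts"] - entered > int(rule.get("time_out")):
            break                                   # window expired
        if not matches(rule, ev, src_ip):
            continue
        if level == 0:
            src_ip = ev["src_ip"]
        count += 1
        if count >= int(rule.get("occurrence")):
            rel = rule.get("reliability")         # "3" sets the value, "+1" adds to it
            reliability = reliability + int(rel) if rel.startswith("+") else int(rel)
            level += 1
            entered = ev["ts"]
    return reliability, level, src_ip


def risk(asset_value, reliability, priority):
    """Risk = value * (reliability * Priority / 25): the formula from Figure 3."""
    return asset_value * (reliability * priority / 25)


def ssh_failures(n, src_ip="203.0.113.5", start=0, step=1):
    """Constructed events: n SSH authentication failures (plugin 4003, sid 1) from src_ip."""
    return [{"ts": start + i * step, "plugin_id": 4003, "plugin_sid": 1, "src_ip": src_ip}
            for i in range(n)]


if __name__ == "__main__":
    rel, level, ip = correlate(DIRECTIVE_XML, ssh_failures(10))
    prio = int(ET.fromstring(DIRECTIVE_XML).get("priority"))
    print(f"{ip}: reliability {rel} after {level} levels; risk {risk(5, rel, prio)} on a value-5 asset")
```

Ten failures from one source reach reliability 8, which with the directive's priority 5 on an asset valued 5 gives a risk of 8.0; failures from a second source do not advance the instance because the nested rules are pinned to the first rule's SRC_IP, and a gap longer than the level's time_out closes it at the reliability reached so far.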


allows you to change the event reliability and risk assessment. For example, suppose that Nessus or OpenVAS has identified a vulnerability in a server. If Snort detects an event that indicates a possible attack on that server, the correlation engine increases the level of risk associated with the event.
Generation of Alarms and Response Actions: The directives can create alarms, which either are generated by a single event or by a specific sequence of events under certain conditions. The alarms can be displayed in the Web administration panel, under the menu item Incidents→Alarms. Furthermore, alarms can activate response actions, such as sending an alert by e-mail to the system administrator and/or the execution of appropriate scripts.
Vulnerability Analysis, Intrusion Detection and Network Monitoring: OSSIM includes many valuable tools, which also are open-source, that are among the most known and used for intrusion detection, vulnerability analysis and network management and monitoring:

- Arpwatch: used for monitoring ARP traffic on the LAN and for related attack detection.
- P0f: used for operating system identification and analysis.
- Pads: used for detecting anomalies of the services running on a host.
- Nessus and OpenVAS: the most widely used and popular vulnerability scanners.
- Nmap: the most famous and powerful network scanner.
- Snort: the most popular intrusion detection system (IDS).
- Tcptrack: used for TCP connection monitoring.
- Nagios and Ntop: used to monitor the status of the network, the hosts and the availability of services.
- Osiris and OSSEC: intrusion detection software for individual hosts (HIDS—Host-Based IDS).
- Snare: a software agent for collecting logs on Windows systems.

Installation and Hardware Requirements
You can download the ISO file for the installation from the


AlienVault Web site download page at http://www.alienvault.com/free-downloads-services.
The most recent version (February 2014) is 4.3.4, only for 64-bit architectures. You can choose the Automatic or Custom installation. The automatic installation is fairly simple, in graphical mode by default, and it installs all components of OSSIM on the same machine. The custom installation allows you to select the mode (graphical or textual) and which components to install. The custom installation is a little more complex because it has more configuration options. For instructions on how to install OSSIM, refer to the Installation Guide: https://alienvault.bloomfire.com/posts/525575-installation-guide/public.
The minimum hardware requirements are:

- 64-bit processor or virtualization software with support for 64-bit operating systems (at least a quad-core processor is recommended).
- 4GB of RAM.
- 500GB of free disk space.
- Network adapter with support for the Intel e1000 Ethernet driver.

Of course, the hardware requirements will be directly proportional to the size of the network (number of hosts and network devices connected) and consequently to the amount of logs produced and recorded.

Configuration and Management
You can perform the system configuration and administration through the console, a Linux shell or through a more convenient and intuitive Web interface.
Configuration through the Console: To configure the system through the console, you need to log in as root with the password you set during the installation process. The directory that contains the system’s configuration files is /etc/ossim.
The main configuration file is /etc/ossim/ossim_setup.conf, which contains the system’s main settings, such as IP addresses and ports of the hosts on which components are installed, the active plugins and the password used by the root user of MySQL, randomly generated by the system during the installation procedure.
For example, if you want to


Figure 5. Configuration with the ossim_setup Tool

change your password or other data, you need to edit the file with the command:

# vi /etc/ossim/ossim_setup.conf

Then run the following command:

# ossim-reconfig

To change the main configuration file more easily, there is also a command called ossim_setup, which presents a graphical interface, shown in Figure 5.
Configuring the Sensor and Plugins: With the ossim_setup command, you can set the parameters of the previously shown configuration file, such as enabling or disabling plugins. To get a list of plugins that can be turned on or off, select the option Change sensor settings→Select detector plugins (Figure 6).
The OSSIM agent runs as a background service (dæmon), and you can start it with this command:

# /etc/init.d/ossim-agent start

Its configuration file is /etc/ossim/agent/config.cfg. The plugins’ configuration files also are text files with the .cfg extension and are in the /etc/ossim/agent/plugins/ directory.


FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network

Figure 6. List of Plugins in ossim_setup

When you activate new plugins, you must restart the server:

# /etc/init.d/ossim-server restart

More than 2,000 plugins are available
(http://www.alienvault.com/docs/AlienVault%20Plugin%20List%20-%20Jun-20-2010.pdf),
which you can download and install via the Plugin Wizard. For example,
run the following commands (the scripts directory is not on the PATH,
so the wizard is invoked with an explicit ./ prefix):

# cd /usr/share/ossim/scripts
# ./plugin_wizard.pl -s "oracle"

and you will get the plugins that contain the word "Oracle" in the name.
With the command:

# ./plugin_wizard.pl -g -s "oracle"

these plugins will be extracted to a directory called win_plugins. Next,
you have to move them


Figure 7. New Directives Specified in the user.xml File

to the default directory /etc/ossim/agent/plugins/:

# mv win_plugins/*.cfg /etc/ossim/agent/plugins/

Files with the .sql extension must be added to the MySQL database. Note
that a redirection such as ossim-db < ./win_plugins/*.sql fails in bash
with "ambiguous redirect" as soon as the glob matches more than one
file, so feed the files to ossim-db through a pipe instead:

# cat ./win_plugins/*.sql | ossim-db

If the database server is not installed on the same machine, you need
to copy the files to the server:

# scp win_plugins/*.sql root@<IP Database>:/root/

and run the ossim-db command from the database server.

Server Configuration: The configuration directory for the Server
component is /etc/ossim/server. The main file is directives.xml, which
specifies the configuration file directives, grouped by type of attack,
such as malware, brute force and so on. When you create new directives,
they should be specified in user.xml rather than in the file containing
the default directives (Figure 7).

rsyslog's Dæmon Configuration and Log Rotation: The /var/log/ossim
directory contains the log files of OSSIM's components. The dæmon that
keeps track of the logs is, as already mentioned, rsyslog, whose
configuration file is /etc/rsyslog.conf.

During the installation process, you configure rsyslog to accept logs
from remote machines and store them in different log files, depending on
the type and the host that created them. To achieve this, rsyslog uses
filters


based on expressions, which are .conf files usually placed in the
/etc/rsyslog.d/ directory. For example, to save the logs from a Fortinet
firewall in the file /var/log/ossim/fortinet.log, the expression would be:

if ($source == '192.168.1.100' and $msg contains 'fortinet ') and $severity <= '6' then /var/log/ossim/fortinet.log

(In rsyslog, $source is an alias for the hostname field of the message,
which the sender fills in; to match on the address the message actually
arrived from, use $fromhost-ip instead.)

Adding new hosts that send the logs to rsyslog, you quickly can run out
of disk space. Therefore, it is important to define a policy for log
rotation in /etc/logrotate.conf. This involves the regular archiving, at
predefined intervals, of the existing log files. After a predefined
period, the archived log files are deleted or stored on external devices
for backup.

Administration through the Web Interface: OSSIM also can be configured
and managed through a nice Web interface, connecting with the browser to
the IP address of the machine on which you installed the
Server/Framework component (Figure 8).

Figure 8. Web Administration Interface Login Screen

The default user and password are admin/admin. When you log in for the
first time, you are prompted to change your password.

Through the Web interface, you can perform the following tasks:

• System configuration (users, update, backups and so on).

• Creation and configuration of directives, policies and actions.

• Real-time monitoring of network security.

• Report generation.

• Ticketing system.

• Vulnerability management and incident response.

• Management and optimization of network traffic.

The Web interface includes


several sections:

• Dashboard: provides an overview of detected security events. Displays
the visual counters and statistics of the most important security
events (Figure 9).

• Incidents: shows the list of security events and generated alarms with
specific information, such as date, priority, risk, status and a brief
history of the actions taken by system administrators.

• Analysis: shows a table with the latest events detected, the type,
date, origin, destination, the OSSIM node that detected it and the risk.
From here, the user can search for patterns in the events according to
different criteria (for example, the source IP address). This includes a
real-time list of

Figure 9. Dashboard with Statistics and Diagrams about Security Events

Figure 10. This section manages the system logic: definition and
management of policies, directives and actions.

Figure 11. Configuration Panel


detected events that is updated every two seconds.

• Report: allows you to generate reports about security events and
network status.

• Activities: this interface allows you to run and manage network
inventory, identify and add new machines from which to record the logs.

• Intelligence: this section handles the system logic—definition and
management of policies/actions, directives, event correlation and
statistics of the network and of the OSSIM nodes (Figure 10).

• Configuration: this section allows you to manage all the system
configurations (Figure 11).

Conclusion

OSSIM is a viable open-source SIEM solution and a free alternative to
other commercial SIEM products (including AlienVault USM, the commercial
version of OSSIM), which are much more expensive, and it is supported by
a community of developers and users through forums and documentation
available on AlienVault's Web site.

Marco Alamanni has professional experience working as a Linux system
administrator and information security administrator in banks and
financial institutions in Italy and Peru. He holds a BSc in Computer
Science and an MSc in Information Security, and his interests in
information technology include ethical hacking, digital forensics,
malware analysis, Linux and programming. He also collaborates with IT
magazines writing articles about Linux and IT security.

Send comments or feedback via http://www.linuxjournal.com/contact
or to ljeditor@linuxjournal.com.

Resources

OSSIM Installation Guide: https://alienvault.bloomfire.com/posts/525575-installation-guide/public

AlienVault User Manual: http://www.alienvault.com/wiki/doku.php?id=user_manual:introduction

The AlienVault Repository of Knowledge: https://alienvault.bloomfire.com

AlienVault OSSIM Forum: http://forums.alienvault.com

Service Level SIEM—User and Programmer Guide: http://forge.fi-ware.org/plugins/mediawiki/wiki/fiware/index.php/Security_Monitoring_/Service_Level_SIEM_-_User_and_Programmers_Guide


FEATURE Berkeley Packet Filters with Scapy (and Friends)

Berkeley Packet Filters with Scapy (and Friends)

Get to know the language and tools that can take your network filtering
rules to a whole new level.

VALENTINE SINITSYN


Network filtering is probably as old as networks themselves. If you
exchange data with the outside world, it's natural to control what's
going in and out. If, however, you capture packets for a good reason
(like traffic analysis or intrusion detection), filtering those you are
not interested in as early as possible is crucial for performance. The
first type of filtering is typically done with a firewall. Berkeley
Packet Filter (BPF) is what comes to the rescue in the second case.

Originally, BPF referred to both the capturing technology and its
high-performance filtering capabilities. For some Unices (for instance,
FreeBSD), this still holds true, and there is a /dev/bpf device from
which you can read captured packets. For others, BPF means what it says
(the filter), and in this reincarnation, you can find it in various
operating systems, including Linux, and, with WinPcap, even Microsoft
Windows.

BPF filters are programs written in a low-level language similar to
assembler (I take a look at that in the last section of this article).
These programs are executed by a BPF virtual machine. Most often, this
virtual machine resides in the kernel and uses Just-In-Time compilation
(JIT) to boost filtering performance. However, user-mode BPF
interpreters (useful for debugging purposes or as fallbacks) are
available as well—for instance, the one provided with the ubiquitous
libpcap library (http://www.tcpdump.org), the main workhorse behind
tcpdump, Wireshark and other popular network tools.

All of this may sound like you need to delve into registers and opcodes
just to say you are interested in the packets coming to host
192.168.1.1. Luckily, that's not the case. Of course, if you want (or
need) to, you can, but libpcap provides its own high-level filter
language that compiles directly to BPF. Largely, this syntax is
synonymous with BPF (they are tightly related albeit different things),
so I use these terms interchangeably here.

In this article, you'll learn the basics of BPF syntax and also see how
it works under the hood.

The Testbed

To get a better idea of what BPF really is, let's go through a set of
examples, generating series of packets each time and filtering them as
needed. Sometimes these packets will come from a real network
application, but other times you will craft them manually. It's not the
best


idea to allow these forged packets out from the local host, especially
if you are on the office network. So the first step will be to create a
virtual Ethernet interface.

Linux already has a concept of "dummy" network interfaces, and the
kernel module named dummy implements them. Load it, and assign the
dummy0 interface a unique IP address:

# modprobe dummy
# ip link set up dev dummy0
# ip addr add 192.168.2.1/24 dev dummy0

Next, you'll need something to craft the packets and capture them
subject to BPF filters. An obvious choice here is Scapy
(http://www.secdev.org/projects/scapy), a Python toolkit for packet
manipulation. Install it with your package manager or from the sources.
Raw packet generation and live traffic capture are considered privileged
operations in Linux, so you'll need to run Scapy as root (for example,
with sudo).

Scapy provides an interactive shell (which is naturally Python-based).
You create different protocol layers as instances of the classes like
TCP, IP or Ether. A complete list is available with the ls() command,
and you can add your own protocol if you really want to. The attributes
of these classes correspond to protocol fields (addresses, ports, flags
and so on). You can use raw numbers (say, 20) or symbolic names
(ftp_data) for attribute values. To assemble the packet, use the /
Python operator:

>>> Ether(src='08:60:6e:da:31:ae', dst='42:7f:79:88:de:3d') / IP(src='192.168.1.5', dst='192.168.2.1')
<Ether dst=42:7f:79:88:de:3d src=08:60:6e:da:31:ae type=IPv4 |<IP src=192.168.1.5 dst=192.168.2.1 |>>

Protocol fields usually have sensible default values (you can check them
with ls(IP) or similar), so you need to specify only those you want to
override.

To disassemble the packet and get a specific protocol layer, use the []
operator:

>>> _[IP]
<IP src=192.168.1.5 dst=192.168.2.1 |>

A special _ variable contains the last expression's value. Scapy makes
it easy to generate a series of packets that follow a specific pattern:

>>> packets = Ether(src='08:60:6e:da:31:ae', dst='42:7f:79:88:de:3d') / IP(src='192.168.1.5', dst='192.168.2.1-3') / UDP(dport=[135,(137,139)])
>>> len(list(packets))
12


Figure 1. Scapy is a real Swiss army knife. It even can dump packets to PS or PDF.

Here, Scapy crafts 12 packets targeting UDP ports 135, 137, 138 and 139
(common Windows stuff) on three hosts. You can define address ranges
with an asterisk (dst='192.168.*.2') or whole subnets with CIDR notation
(dst='192.168.2.0/24').

Several functions send packets over the wire, but here, let's deal with
send() and sendp(). The main difference is that sendp()


Some Scapy Tips

You easily can convert between symbolic names and their numeric values
using the s2i and i2s attributes defined on the protocol fields. Both
are dictionaries, which you can use to look up the mapping:

>>> TCP.sport.s2i['www'], TCP.sport.i2s[21]
(80, 'ftp')

Note that I've used a class attribute here (not the instance one):

>>> TCP().sport
20

This is the default value for the TCP source port in Scapy:

>>> ls(TCP)
sport : ShortEnumField = (20)
...

Many network protocol fields also accept bit flags. Scapy allows single
letter mnemonics for them:

>>> TCP(flags='S')  # TCP SYN packet

Available mnemonics are in the field's "names" attribute:

>>> TCP.flags.names
'FSRPAUEC'

works on Layer 2, so the packet you pass it must have an Ethernet
header. send() is for Layer 3, and it looks up the host's routing table
to decide what to do with the packet you gave it:

>>> sendp(packets, iface='dummy0')
............
Sent 12 packets.

This way, you push crafted packets into the dummy0 interface.

To capture packets, use the sniff() function. It has many different
options, but on these pages, you'll mainly call it like this:

>>> sniff(iface='dummy0', filter='udp')
^C<Sniffed: TCP:0 UDP:12 ICMP:0 Other:0>
>>> _.summary()
Ether / IP / UDP 192.168.1.5:domain > 192.168.2.1:epmap
Ether / IP / UDP 192.168.1.5:domain > 192.168.2.1:netbios_ns
... 10 lines skipped ...

If you omit the iface=, Scapy will listen on all network interfaces. You
also can add the count= argument to capture only as many packets as
specified; otherwise, you should stop the capture manually with Ctrl-C.
Without the filter=, sniff() captures all packets. Internally, Scapy
uses libpcap to compile the filter (either directly or via the


tcpdump -ddd command), so the syntax is just what you want.

This was a quick tour of Scapy; however, this tool can do much more than
you've seen so far. Consult the official documentation
(http://www.secdev.org/projects/scapy/doc) for more information. Or, have
a look at Security Power Tools published by O'Reilly (2007), which has a
complete chapter (number 6) on Scapy written by its author, Philippe
Biondi.

Let's Filter

Now with the tools to experiment with in place, it's time to learn some
actual high-level BPF. The most authoritative (and complete) reference
documentation is the tcpdump(1) man page (pcap-filter(7) on newer
systems). Let's do a quick summary: filter expressions contain one or
more primitives combined with the "and", "or" and "not" keywords
(equivalently written as &&, || and !). All basic arithmetic and bit
operations are supported as well, and the explicit precedence can be set
using parentheses. If you omit parentheses, && and || are of the same
precedence (and group left to right), and ! is applied first. Arithmetic
and bit operations follow common rules.

Each primitive consists of the ID (either name or number) preceded, in
this order, with an optional protocol (ether, ip, tcp or udp, to name a
few), direction (src, dst, src or dst, and src and dst; it is always a
single token, so or and and aren't operators here) and type (host, net,
port or portrange). If some of these are missing, all protocols match;
host is assumed for the type, and src or dst for the direction (this
means either direction is okay).

The following are valid primitives: udp (no ID here), port 80 (TCP or
UDP port 80), ip host pluto (all IP packets for the host "pluto"; the
name must be resolvable), tcp dst portrange 0-1023 (packets targeting
all privileged TCP ports).

That's enough theory—now let's play. Arguably the most common case is to
filter packets by their source or destination IP addresses. Let's use
one Scapy instance to generate IP datagrams for random (and even
nonexistent) hosts:

>>> while True: sendp(Ether(src=RandMAC(), dst=RandMAC()) / IP(src=RandIP(), dst=RandIP()) / ICMP(), iface='dummy0')

There are many Rand*() functions in Scapy; two of them are used here.

A second Scapy instance will capture the datagrams that happen to be for
host 192.168.1.1 or 192.168.1.2 (note that for the second operand in the
expression, the host


keyword is implicit):

>>> sniff(iface='dummy0', filter='host 192.168.1.1 or 192.168.1.2', count=1)

Unless you are very lucky, sniff() will hang until you press Ctrl-C.
That's because the probability for a given two addresses to occur in a
randomly generated packet series is around 0.0000001%. Let's increase
your chances and look for a whole class A network:

>>> sniff(iface='dummy0', filter='net 1.0.0.0/8', count=1)

Equivalently, you can rewrite the filter as net 1.0.0.0 mask 255.0.0.0.
This time, sniff() should catch a packet much sooner:

>>> _.summary()
Ether / 185.0.19.206 > 1.205.135.116 hopopt

It's equally easy to filter traffic on ports. For instance, this is a
very simple filter for MySQL client/server sessions:

>>> sniff(iface='lo', filter='tcp port 3306')

Try to connect to the MySQL server with the mysql -h 127.0.0.1 -P 3306
command, and you'll see some packets captured. It doesn't matter if the
server is actually running—if it doesn't, you'll catch a pair of TCP SYN
and RST-ACK indicating the port is unavailable:

>>> _.summary()
Ether / IP / TCP 127.0.0.1:57485 > 127.0.0.1:mysql S
Ether / IP / TCP 127.0.0.1:mysql > 127.0.0.1:57485 RA

Detecting services by the port numbers they use isn't really accurate.
Let's do a deeper packet analysis. Imagine you need to collect data
pertaining to NTP activity on the local network. NTP messages are sent
to (or from, or both) UDP port 123. Moreover, they are 48 bytes in size,
and the first octet of the message carries a two-bit leap indicator
followed by a three-bit version number in bits 2–4, which can't be
greater than 4 for any NTP version defined so far (RFC 958 at
http://tools.ietf.org/html/rfc958 describes the original layout of this
octet; RFC 5905 gives the current one). Given all of that, the filter
you construct will consist of three primitives: udp port 123 (for the
first two conditions), and the other two checking the UDP payload length
and the version number.

To implement them, let's peek inside a protocol payload. BPF uses the
[offset:size] operator for this purpose. Offset is measured from byte 0
of the named header, so for instance, tcp[0] gives the first byte of the
TCP header (not a payload). The UDP datagram Length field is at offset 4
and is 16 bits wide. Thus,


to check the packet length, you can use the following primitive:
udp[4:2] == 48+8 (the UDP header is 8 bytes long, and they are included
in the Length field as well). The check on the first NTP octet is a bit
more convoluted, but the combined filter looks like this:

>>> ntp = sniff(filter='proto udp and port 123 and udp[4:2] == 48+8 and ((udp[8] & 0x38) >> 3) <= 4')

Note the operators and hex numbers used—BPF is much like C in this
sense. (The mask 0x38 is binary 00111000, so udp[8] & 0x38 keeps bits
2–4 of the first payload octet, and the shift by 3 turns them into a
plain number.) Leave this alone for some minutes, and on a modern Linux
distribution you'll sooner or later spot the NTP requests the system
sends (and the replies it receives):

>>> ntp.summary()
Ether / IP / UDP / NTP v4, client
Ether / IP / UDP / NTP v4, server
...
>>> ntp[0][NTP]
<NTP leap=nowarning version=4L mode=client stratum=2L poll=10L precision=233L delay=0.0422210693359 dispersion=0.0782623291016 id=194.190.168.1 ref=Tue, 15 Apr 2014 10:00:26 +0000 orig=Tue, 15 Apr 2014 10:15:20 +0000 recv=Tue, 15 Apr 2014 10:15:20 +0000 sent=Tue, 15 Apr 2014 10:33:04 +0000 |>

In fact, it works so well, you even can drop the port 123 part without
introducing too much error (my quick tests show about a 1% rate).

Another way to get the packet length is to use the len operator.
However, it accounts for all protocols used down to Layer 2. So,
assuming UDP datagrams are encapsulated in IPv4 with no options and
untagged Ethernet frames, you can rewrite udp[4:2] == 48+8 as len ==
14+20+8+48. By the way, you also can select packets longer (or shorter)
than a specific threshold with the greater and less keywords.

Now you've seen that Scapy can decode (and encode) some
application-level protocols like NTP (or DNS). But it can dig even
deeper, so for the next example, let's use it to forge VLAN-tagged
traffic:

>>> sendp(Ether(src=RandMAC(), dst=RandMAC()) / Dot1Q(vlan=[(1,5)]) / 'Nothing to see here', iface='dummy0')

This generates five 802.1Q Ethernet frames with arbitrary MAC addresses
and VLAN tags in range 1–5 (note the syntax). Let's not worry about the
payload now, so instead of an IPv4 (or any other network-level) packet,
let's just put raw bytes that form a 'Nothing to see here' string inside
the frame.


Figure 2. Capture, craft, dissect and do other funky things with network packets in Scapy.

When the Engine Matters

In Linux, Scapy defaults to PF_PACKET sockets internally. And, in my
experience, sometimes it grabs more than the filter permits. If this
happens to you too, force Scapy to use libpcap as an engine. First,
install the pypcap library (it is usually named python-pypcap or
something similar in your package manager). Then, edit scapy/config.py
(depending on how you installed Scapy, it may be under
/usr/lib/python2.7 or somewhere else), and set Conf.use_pcap to True.

This is how you can filter traffic with specific VLAN tags in BPF:

>>> sniff(iface='dummy0', filter='vlan 1', count=1)
<Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>
>>> _[0]
<Ether dst=29:a0:ea:e9:df:ce src=c3:33:a3:9c:63:9c type=n_802_1Q |<Dot1Q prio=0L id=0L vlan=1L type=0x0 |<Padding load='Nothing to see here' |>>>

If you just want to filter out untagged traffic, use filter='vlan'.

Under the Hood

As you already know, BPF filters are actually expressed in a low-level
assembler-like language. It targets


a register-based virtual machine that has an accumulator register and an
index register, along with some memory store. This machine has access to
the packet buffer and supports several dozens of instructions that store
and load values to the registers or memory, perform arithmetic or
logical operations and do flow control. I won't discuss them in detail,
but if you want a taste of what they look like, here is the equivalent
of a libpcap-compiled simple filter, ip:

ldh [12]
jeq #0x800, Keep, Drop
Keep: ret #0xffff
Drop: ret #0x0000

Opcode mnemonics come from the original BPF USENIX paper (Steven McCanne
and Van Jacobson's "The BSD Packet Filter: A New Architecture for
User-level Packet Capture", available at
https://www.usenix.org/legacy/publications/library/proceedings/sd93/mccanne.pdf).
This program loads a 16-bit (short) integer ("h" stands for "half-word")
at a fixed offset in the packet buffer (12, the Ethernet Type field) and
compares it to 0x800 (the IPv4 protocol number). The filter returns the
number of bytes in the packet to allow. Thus, zero means the packet
should be dropped, and 0xffff (larger than any frame you will capture)
means to accept it entirely.

Linux's own implementation of the BPF design is known as Linux Socket
Filtering (LSF). It differs from the original BPF slightly (mainly in
areas I haven't mentioned in this article), but largely what I've said
here about BPF applies to LSF.

Given that the virtual machine is register-based, it comes as no
surprise that its bytecode easily can be compiled to real machine
instructions. It is exactly what a BPF JIT compiler (introduced in Linux
3.0) does. On my x86_64 system, the code above compiles into:

0: push %rbp
1: mov %rsp,%rbp
4: sub $0x60,%rsp
8: mov %rbx,-0x8(%rbp)
c: mov 0x68(%rdi),%r9d
10: sub 0x6c(%rdi),%r9d
14: mov 0xd8(%rdi),%r8
1b: mov $0xc,%esi
20: callq 0xffffffffe104b2b3
25: cmp $0x800,%eax
2a: jne 0x0000000000000033
2c: mov $0xffff,%eax
31: jmp 0x0000000000000035
33: xor %eax,%eax
35: leaveq
36: retq
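The four-instruction program above can be run without a kernel, and so can the NTP filter from the previous section once it is written in the same instruction set. The interpreter below is an added example (not code from the article, from libpcap or from the kernel): the opcode values are the ones from linux/filter.h, the first program is the one tcpdump -dd prints for ip, the second is a hand-assembled, IPv4-only version of udp port 123 and udp[4:2] == 48+8 and ((udp[8] & 0x38) >> 3) <= 4 (libpcap's own compilation of that expression adds an IPv6 branch and a fragment check), and the test frames are constructed by the script itself from the addresses used earlier in the article.

```python
"""Classic-BPF interpreter: programs are (code, jt, jf, k) tuples as `tcpdump -dd`
prints them; opcode encodings follow linux/filter.h.  Added example, not article code."""
import struct

BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = range(8)  # low 3 bits
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10                                            # load width
BPF_IMM, BPF_ABS, BPF_IND, BPF_MEM, BPF_LEN, BPF_MSH = 0x00, 0x20, 0x40, 0x60, 0x80, 0xA0
BPF_X = 0x08            # ALU/JMP operand is the index register rather than k
MASK32 = 0xFFFFFFFF

def _load(pkt, off, width_code):
    """Big-endian load from the packet buffer; None if it would run past the end."""
    width = {BPF_W: 4, BPF_H: 2, BPF_B: 1}.get(width_code)
    if width is None or off < 0 or off + width > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + width], "big")

def run_bpf(program, pkt):
    """Verdict for pkt: 0 drops it, any other value is the number of bytes to keep.
    As in the kernel, an out-of-range load, division by zero, unknown opcode or
    running off the end of the program rejects the packet."""
    acc, idx, mem, pc = 0, 0, [0] * 16, 0
    while pc < len(program):
        code, jt, jf, k = program[pc]
        pc += 1
        cls, mode, width = code & 0x07, code & 0xE0, code & 0x18
        if cls == BPF_RET:
            return k if (code & 0x18) == 0 else acc                # ret #k / ret a
        if cls in (BPF_LD, BPF_LDX):
            if mode in (BPF_ABS, BPF_IND):                          # ld [k] / ld [x+k]
                val = _load(pkt, k + (idx if mode == BPF_IND else 0), width)
            elif mode == BPF_MSH:                                   # ldxb 4*([k]&0xf): IPv4 IHL
                first = _load(pkt, k, BPF_B)
                val = None if first is None else (first & 0x0F) * 4
            else:
                val = {BPF_IMM: k, BPF_MEM: mem[k & 0xF], BPF_LEN: len(pkt)}.get(mode)
            if val is None:
                return 0
            acc, idx = (val, idx) if cls == BPF_LD else (acc, val)
        elif cls in (BPF_ST, BPF_STX):
            mem[k & 0xF] = acc if cls == BPF_ST else idx
        elif cls == BPF_ALU:
            src, op = (idx if code & BPF_X else k), code & 0xF0
            ops = {0x00: acc + src, 0x10: acc - src, 0x20: acc * src,
                   0x30: acc // src if src else 0, 0x40: acc | src, 0x50: acc & src,
                   0x60: acc << (src & 31), 0x70: acc >> (src & 31), 0x80: -acc,
                   0x90: acc % src if src else 0, 0xA0: acc ^ src}
            if op not in ops or (op in (0x30, 0x90) and src == 0):
                return 0
            acc = ops[op] & MASK32
        elif cls == BPF_JMP:
            src, op = (idx if code & BPF_X else k), code & 0xF0
            if op == 0x00:                                          # ja +k
                pc += k
                continue
            taken = {0x10: acc == src, 0x20: acc > src,
                     0x30: acc >= src, 0x40: (acc & src) != 0}.get(op)
            if taken is None:
                return 0
            pc += jt if taken else jf
        elif (code & 0xF8) == 0x00:                                 # misc: tax
            idx = acc
        else:                                                       # misc: txa
            acc = idx
    return 0

# The program `tcpdump -i dummy0 -dd ip` prints, as quoted in the article.
IP_FILTER = [
    (0x28, 0, 0, 0x0000000c),   # ldh [12]              A = EtherType
    (0x15, 0, 1, 0x00000800),   # jeq #0x800, keep, drop
    (0x06, 0, 0, 0x0000ffff),   # ret #0xffff           keep the whole packet
    (0x06, 0, 0, 0x00000000),   # ret #0                drop
]

# Hand-assembled (not libpcap output), IPv4 only, for the article's expression
#   udp port 123 and udp[4:2] == 48+8 and ((udp[8] & 0x38) >> 3) <= 4
# Jumps are relative: next pc = pc + 1 + jt (or jf).  DROP is instruction 16.
NTP_FILTER = [
    (0x28, 0, 0, 12),           #  0 ldh [12]            EtherType
    (0x15, 0, 14, 0x0800),      #  1 jeq #0x800, 2, DROP
    (0x30, 0, 0, 23),           #  2 ldb [23]            IP protocol
    (0x15, 0, 12, 17),          #  3 jeq #17, 4, DROP    UDP
    (0xb1, 0, 0, 14),           #  4 ldxb 4*([14]&0xf)   X = IPv4 header length
    (0x48, 0, 0, 14),           #  5 ldh [x+14]          UDP source port
    (0x15, 2, 0, 123),          #  6 jeq #123, 9, 7
    (0x48, 0, 0, 16),           #  7 ldh [x+16]          UDP destination port
    (0x15, 0, 7, 123),          #  8 jeq #123, 9, DROP
    (0x48, 0, 0, 18),           #  9 ldh [x+18]          udp[4:2], the UDP Length field
    (0x15, 0, 5, 56),           # 10 jeq #56, 11, DROP   48 bytes of NTP + 8 of header
    (0x50, 0, 0, 22),           # 11 ldb [x+22]          udp[8], first NTP octet
    (0x54, 0, 0, 0x38),         # 12 and #0x38           bits 2-4: version number
    (0x74, 0, 0, 3),            # 13 rsh #3
    (0x25, 1, 0, 4),            # 14 jgt #4, DROP, 15
    (0x06, 0, 0, 0xffff),       # 15 ret #0xffff         keep
    (0x06, 0, 0, 0),            # 16 ret #0              DROP
]

def build_ntp_frame(version=4, payload_len=48, sport=123, dport=123,
                    proto=17, ethertype=0x0800):
    """Constructed test input: Ethernet/IPv4/UDP carrying an NTP client message
    (LI=0, VN=version, mode=3), using the MAC and IP addresses from the article."""
    ntp = bytes([(version << 3) | 3]) + b"\x00" * (payload_len - 1)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(ntp), 0) + ntp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 5]), bytes([192, 168, 2, 1])) + udp
    return bytes.fromhex("427f7988de3d08606eda31ae") + struct.pack("!H", ethertype) + ip
```

Note how udp[4:2] becomes ldh [x+18] and udp[8] becomes ldb [x+22]: the IPv4 header length is not known when the filter is compiled, so the program loads 4*([14]&0xf) into the index register and addresses the UDP header relative to it. Every load is bounds-checked against the buffer, which is why a frame truncated to 30 bytes is rejected instead of being read past its end, and why run_bpf(NTP_FILTER, build_ntp_frame(version=5)) returns 0 while the default v4 frame returns 0xffff.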


Figure 3. BPF and LSF are not the same; however, you still can use BSD-originated man pages.

The x86_64 listing above is a small function. By convention, the return
value is stored in the %eax register. Everything up to offset 0x1b is
the utility stuff, but you easily can spot loading 0xc (12) into %esi
(the x86 source index register) and comparing the result to 0x800. A few
dozen machine-level instructions are needed to check the filter against
a packet, and since BPF was designed to execute filters on the original
packet and not a copy of it, this should really be a fast process.

To control BPF JIT in the Linux kernel, you write to
/proc/sys/net/core/bpf_jit_enable (or use the corresponding sysctl—see
Jonathan Corbet's "A JIT for packet filters" at
https://lwn.net/Articles/437981). A value of 1 means to enable JIT, and
a value of 2 means to enable tracing. When tracing is enabled, JIT code
for the filter is printed to the kernel log buffer (that's what dmesg
reads). With this in place, you can use the bpf_jit_disasm tool (it
comes with the Linux kernel sources, under tools/net/) to print a
disassembly.

With the neat high-level language libpcap provides, it is unlikely you
will need to program in BPF "assembler" directly. But if you ever want
some BPF feature that libpcap doesn't provide (maybe filtering by
Netfilter mark value or something else Linux-specific), take a look at
netsniff-ng (http://netsniff-ng.org). This toolkit


contains a fully functional BPF compiler, bpfc.

Finally, what if you want to integrate BPF filtering capabilities into
your own code? If it isn't possible (or feasible) to link against
libpcap (or use one of its bindings), you can call the native kernel
interface directly. BPF filter programs are represented as a struct
sock_fprog that has a pointer to the array of opcodes (struct
sock_filter *) and a program length field. A sock_filter structure is
what tcpdump -dd (or bpfc) prints for you:

# tcpdump -i dummy0 -dd ip
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x00000800 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },

Sometimes (for example, in a script) you even can execute this command
at runtime (it is exactly what Scapy does when conf.use_pcap is False).

Filters are attached to the socket with the setsockopt(2) system call
(and detached again with the SO_DETACH_FILTER option of the same call):

setsockopt(sockfd, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));

Here, sockfd is the socket descriptor and bpf is the struct sock_fprog.

BPF for Non-Sockets

So far, I've spoken of BPF (and LSF) as a socket-level facility. To
conclude this article, let's look at it from a different angle. Starting
with Linux 3.9, there is an xt_bpf module that allows you to use BPF in
xtables rules:

iptables -A INPUT -m bpf --bytecode "$(nfbpf_compile RAW 'tcp dst port telnet')" -j DROP

The nfbpf_compile utility comes with iptables, provided those were built
with the --enable-bpf-compiler flag to the configure script.

Some tests show that xt_bpf performs even faster than the u32 xtables
module, so it's worth considering when you optimize your firewall rules.

Berkeley Packet Filters and their OS-specific implementations are no
substitute for conventional firewalling code (like Netfilter in Linux).
However, they may become indispensable when a fast application or
system-level traffic filtering is the requirement.

Valentine Sinitsyn spent years developing easy-to-use Linux-based
network solutions for a local SMB market. In his spare time, he teaches
Physics.

Send comments or feedback via http://www.linuxjournal.com/contact
or to ljeditor@linuxjournal.com.
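The setsockopt(2) call in the article's last section expects a struct sock_fprog pointing at an array of struct sock_filter, and each row that tcpdump -dd prints is exactly one such 8-byte record. The following is an added example (not code from the article) that packs a program into that layout in Python and attaches it to a raw packet socket; the SO_ATTACH_FILTER and SO_DETACH_FILTER values are Linux's (asm-generic/socket.h) and are used as a fallback when the socket module does not define them.

```python
"""Packing a classic BPF program for SO_ATTACH_FILTER.  Added example, not code
from the article; constants are Linux's (linux/filter.h, asm-generic/socket.h)."""
import ctypes
import socket
import struct

# Python's socket module may not export these, so fall back to the Linux values.
SO_ATTACH_FILTER = getattr(socket, "SO_ATTACH_FILTER", 26)
SO_DETACH_FILTER = getattr(socket, "SO_DETACH_FILTER", 27)
BPF_MAXINSNS = 4096

# The `tcpdump -i dummy0 -dd ip` program from the article.
IP_FILTER = [(0x28, 0, 0, 0x0000000c), (0x15, 0, 1, 0x00000800),
             (0x06, 0, 0, 0x0000ffff), (0x06, 0, 0, 0x00000000)]

def pack_program(program):
    """Serialize (code, jt, jf, k) tuples as an array of struct sock_filter:
    __u16 code; __u8 jt; __u8 jf; __u32 k; eight bytes each, native byte order."""
    if not 0 < len(program) <= BPF_MAXINSNS:
        raise ValueError("program must contain 1..%d instructions" % BPF_MAXINSNS)
    return b"".join(struct.pack("HBBI", code, jt, jf, k) for code, jt, jf, k in program)

def unpack_program(blob):
    """Inverse of pack_program; useful when checking what a script actually attached."""
    if len(blob) % 8:
        raise ValueError("not a whole number of sock_filter records")
    return [struct.unpack_from("HBBI", blob, off) for off in range(0, len(blob), 8)]

def attach_filter(sock, program):
    """setsockopt(SOL_SOCKET, SO_ATTACH_FILTER) with a struct sock_fprog
    { unsigned short len; struct sock_filter *filter; }.  The instruction
    buffer must outlive the call, hence the ctypes buffer kept in a local."""
    insns = ctypes.create_string_buffer(pack_program(program))
    fprog = struct.pack("HP", len(program), ctypes.addressof(insns))  # 'P' adds the padding C does
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)

def detach_filter(sock):
    """Remove whatever filter is attached; the kernel ignores the option value."""
    sock.setsockopt(socket.SOL_SOCKET, SO_DETACH_FILTER, 0)

if __name__ == "__main__":
    # Needs Linux and CAP_NET_RAW; ETH_P_ALL = 0x0003 in network byte order.
    raw = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    attach_filter(raw, IP_FILTER)
    print("attached %d-instruction filter; only IPv4 frames will be delivered" % len(IP_FILTER))
    detach_filter(raw)
```

The packed instructions live in a ctypes buffer that stays alive until setsockopt returns, because the kernel copies them from the address stored in the sock_fprog; packing that address with 'P' in native mode also reproduces the padding the C compiler inserts between len and filter. Running the script itself requires root on Linux, but pack_program and unpack_program work anywhere.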


KNOWLEDGE HUB

WEBCASTS
Learn the 5 Critical Success Factors to Accelerate
IT Service Delivery in a Cloud-Enabled Data Center
Today's organizations face an unparalleled rate of change. Cloud-enabled data centers are increasingly seen as a way to accelerate
IT service delivery and increase utilization of resources while reducing operating expenses. Building a cloud starts with virtualizing
your IT environment, but an end-to-end cloud orchestration solution is key to optimizing the cloud to drive real productivity gains.

> http://lnxjr.nl/IBM5factors

Modernizing SAP Environments with Minimum Risk—a Path to Big Data
Sponsor: SAP | Topic: Big Data
Is the data explosion in today’s world a liability or a competitive advantage for your business? Exploiting massive amounts
of data to make sound business decisions is a business imperative for success and a high priority for many firms. With rapid
advances in x86 processing power and storage, enterprise application and database workloads are increasingly being moved
from UNIX to Linux as part of IT modernization efforts. Modernizing application environments has numerous TCO and ROI
benefits but the transformation needs to be managed carefully and performed with minimal downtime. Join this webinar to
hear from top IDC analyst, Richard Villars, about the path you can start taking now to enable your organization to get the
benefits of turning data into actionable insights with exciting x86 technology.

> http://lnxjr.nl/modsap

WHITE PAPERS
White Paper: JBoss Enterprise Application
Platform for OpenShift Enterprise
Sponsor: DLT Solutions
Red Hat’s® JBoss Enterprise Application Platform for OpenShift Enterprise offering provides IT organizations with a simple and
straightforward way to deploy and manage Java applications. This optional OpenShift Enterprise component further extends
the developer and manageability benefits inherent in JBoss Enterprise Application Platform for on-premise cloud environments.

Unlike other multi-product offerings, this is not a bundling of two separate products. JBoss Enterprise Middleware has been
hosted on the OpenShift public offering for more than 18 months. And many capabilities and features of JBoss Enterprise
Application Platform 6 and JBoss Developer Studio 5 (which is also included in this offering) are based upon that experience.

This real-world understanding of how application servers operate and function in cloud environments is now available in this
single on-premise offering, JBoss Enterprise Application Platform for OpenShift Enterprise, for enterprises looking for cloud
benefits within their own datacenters.

> http://lnxjr.nl/jbossapp


WHITE PAPERS
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI
Sponsor: Red Hat | Topic: Linux Management

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

> http://lnxjr.nl/RHS-ROI

Standardized Operating Environments for IT Efficiency
Sponsor: Red Hat

The Red Hat® Standard Operating Environment SOE helps you define, deploy, and maintain Red Hat Enterprise Linux® and third-party applications as an SOE. The SOE is fully aligned with your requirements as an effective and managed process, and fully integrated with your IT environment and processes.

Benefits of an SOE:

SOE is a specification for a tested, standard selection of computer hardware, software, and their configuration for use on computers within an organization. The modular nature of the Red Hat SOE lets you select the most appropriate solutions to address your business' IT needs.

SOE leads to:

• Dramatically reduced deployment time
• Software deployed and configured in a standardized manner
• Simplified maintenance due to standardization
• Increased stability and reduced support and management costs

There are many benefits to having an SOE within larger environments, such as:

• Less total cost of ownership (TCO) for the IT environment
• More effective support
• Faster deployment times
• Standardization

> http://lnxjr.nl/RH-SOE

INDEPTH

Security Hardening with Ansible

Learn how you can harden your RHEL6 systems quickly and efficiently.

MARK DOTSON

Ansible is an open-source automation tool developed and released by Michael DeHaan and others in 2012. DeHaan calls it a “general-purpose automation pipeline” (see Resources for a link to the article “Ansible’s Architecture: Beyond Configuration Management”). Not only can it be used for automated configuration management, but it also excels at orchestration, provisioning of systems, zero-time rolling updates and application deployment. Ansible can be used to keep all your systems configured exactly the way you want them, and if you have many identical systems, Ansible will ensure they stay identical. For Linux system administrators, Ansible is an indispensable tool in implementing and maintaining a strong security posture.

Ansible can be used to deploy and configure multiple Linux servers (Red Hat, Debian, CentOS, OS X, any of the BSDs and others) using secure shell (SSH) instead of the more common client-server methodologies used by other configuration management packages, such as Puppet and Chef (Chef does have a solo version that does not require a server, per se). Utilizing SSH is a more secure method because the traffic is encrypted. The secure shell transport layer protocol is used for communications between the Ansible server and the target hosts. Authentication is accomplished using Kerberos, public-key authentication or passwords.

When I began working in system administration some years ago, a senior colleague gave me a simple formula for success. He said, “Just


Figure 1. Example Playbook That Will Upgrade Apache to the Latest Version

remember, automate, automate, automate.” If this is true, and I believe it is, then Ansible can be a crucial tool in making any administrator’s career successful. If you do not have a few really good automation tools, every task must be accomplished manually. That wastes a lot of time, and time is precious. Ansible makes it possible to manage many servers almost effortlessly.

Ansible uses a very simple method called playbooks to orchestrate configurations. A playbook is a set of instructions written in YAML that tells the Ansible server what “plays” to carry out on the target hosts. YAML is a very simple, human-readable markup language that gives the user fine granularity when setting up configuration schemes. It is installed, along with Ansible, as a dependency. Ansible uses YAML because it is much easier to write than common data formats, like JSON and XML. The learning curve for YAML is very low, hence proficiency can be gained very quickly. For example, the simple playbook shown in Figure 1 keeps the Apache RPM on targeted Web servers up to date and current.

From the Ansible management server, you can create a cron job to push the playbook to the target hosts on a regular basis, thus ensuring you always will have the


latest-and-greatest version of the Apache Web server.

Using YAML, you can instruct Ansible to target a specific group of servers, the remote user you want to run as, tasks to assign and many other details. You can name each task, which makes for easier reading of the playbook. You can set variables, and use loops and conditional statements. If you have updated a configuration file that requires restarting a service, Ansible uses tasks called handlers to notify the system that a service restart is necessary. Handlers also can be used for other things, but this is the most common.

The ability to reuse certain tasks from previously written playbooks is another great feature. Ansible uses a mechanism called roles to accomplish this. Roles are organizational units that are used to implement a specific configuration on a group of hosts. A role can include a set of variable values, handlers and tasks that can be assigned to a host group, or hosts corresponding to specific patterns. For instance, you could create a role for installing and configuring MySQL on a group of targeted servers. Roles make this a very simple task.

Besides intelligent automation, you also can use Ansible for ad hoc commands to contact all your target hosts simultaneously. Ad hoc commands can be performed on the command line. It is a very quick method to use when you want to see a specific type of output from all your target machines, or just a subset of them. For example, if you want to see the uptime for all the hosts in a group called dbservers, you would type, as user root:

# ansible dbservers -a /usr/bin/uptime

The output will look like Figure 2. If you want to specify a particular user, use the command in this way:

# ansible dbservers -a /usr/bin/uptime -u username

If you are running the command as a particular user, but want to act as root, you can run it through sudo and have Ansible ask for the root password:

# ansible dbservers -a /usr/bin/uptime -u username --sudo --ask-sudo-pass

You also can switch to a different user by using the -U option:

# ansible dbservers -a /usr/bin/uptime -u username -U otheruser --sudo --ask-sudo-pass
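Figure 1 is reproduced in the magazine only as a screenshot, so here is an added example of the same kind of playbook, written for this edit and not taken from the article. It assumes an inventory group named webservers (my name, not the author's) and key-based root SSH access, and it ties together the yum task, the service task and the handler mechanism described above: the handler is notified only when the yum task actually reports a change.

```yaml
# Added example, not the article's Figure 1. Keeps the Apache RPM on every
# host in the (assumed) "webservers" inventory group at the latest version
# available from the configured yum repositories, and restarts httpd only
# when the package actually changed.
---
- hosts: webservers
  remote_user: root

  tasks:
    - name: ensure httpd is at the latest available version
      yum: name=httpd state=latest
      # A handler is notified only when this task reports "changed",
      # so an already current host is never restarted needlessly.
      notify: restart httpd

    - name: ensure httpd is enabled at boot and running
      service: name=httpd enabled=yes state=started

  # Handlers run once per host at the end of the play, after every task
  # that notified them has finished.
  handlers:
    - name: restart httpd
      service: name=httpd state=restarted
```

Saved as, say, /etc/ansible/plays/apache.yml (path assumed), it is run with ansible-playbook /etc/ansible/plays/apache.yml; scheduling that command from cron on the management node is the periodic push the article describes. Because yum with state=latest is idempotent, repeated runs report no changes, and trigger no restart, until a new httpd package appears in the repositories.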


Figure 2. Example of ad hoc Command Showing Uptime Output for All Targets

Occasionally, you may want to run the command with 12 parallel forks, or processes:

# ansible dbservers -a /usr/bin/uptime -f 12

This will get the job done faster by using 12 simultaneous processes, instead of the default value of 5. If you would like to set a permanent default for the number of forks, you can set it in the Ansible configuration file, which is located in /etc/ansible/ansible.cfg.

It also is possible to use Ansible modules in ad hoc mode by using the -m option. In this example, Ansible pings the target hosts using the ping module:

# ansible dbservers -m ping

As I write this, Michael DeHaan has announced that, in a few weeks, a new command-line tool will be


added to Ansible version 1.5 that will enable the encrypting of various data within the configuration. The new tool will be called ansible-vault. It will be implemented by using the new --ask-vault-pass option.

Figure 3. In this example, Ansible pings the target hosts using the ping module.


According to DeHaan, anything you write in YAML for your configuration can be encrypted with ansible-vault by using a password.

Server security hardening is crucial to any IT enterprise. We must face the fact that we are protecting assets in what has become an informational war-zone. Almost daily, we hear of enterprise systems that have fallen prey to malevolent individuals. Ansible can help us, as administrators, protect our systems. I have developed a very simple way to use Ansible, along with an open-source project called Aqueduct, to harden RHEL6 Linux servers. These machines are secured according to the standards formulated by the Defense Information Systems Agency (DISA). DISA publishes Security Technical Implementation Guides (STIGs) for various operating systems that provide administrators with solid guidelines for securing systems.

In a typical client-server setup, the remote client dæmon communicates with a server dæmon. Usually, this communication is in the clear (not encrypted), although Puppet and Chef have their own proprietary mechanisms to encrypt traffic. The implementation of public-key authentication (PKI) in SSH has been well vetted for many years by security professionals and system administrators. For my purposes, SSH is strongly preferred. Typically, there is a greater risk in using proprietary client-server dæmons than using SSH. They may be relatively new and could be compromised by malevolent individuals using buffer-overflow attack strategies or denial-of-service attacks. Any time we can reduce the total number of services running on a server, it will be more secure.

To install the current version of Ansible (1.4.3 at the time of this writing), you will need Python 2.4 or later and the Extra Packages for Enterprise Linux (EPEL) repository RPM. For the purposes of this article, I use Ansible along with another set of scripts from an open-source project called Aqueduct. This is not, however, a requirement for Ansible. You also will need to install Git, if you are not already using it. Git will be used to pull down the Aqueduct package.

Vincent Passaro, Senior Security Architect at Fotis Networks, pilots the Aqueduct project, which consists of the development of both bash scripts and Puppet manifests. These are written to deploy the hardening guidelines provided in the STIGs. Also included are CIS (Center for Internet Security) benchmarks and several others. On the Aqueduct home page, Passaro says, “Content is currently being developed


(by me) for the Red Hat Enterprise Linux 5 (RHEL 5) Draft STIG, CIS Benchmarks, NISPOM, PCI”, but I have found RHEL6 bash scripts there as well. I combined these bash scripts to construct a very basic Ansible playbook to simplify security hardening of RHEL6 systems. I accomplished this by using the included Ansible module called script.

According to the Ansible documentation, “The script module takes the script name followed by a list of space-delimited arguments. The local script at path will be transferred to the remote node and then executed. The given script will be processed through the shell environment on the remote node. This module does not require Python on the remote system, much like the raw module.”

Ansible modules are tiny bits of code used for specific purposes by the API to carry out tasks. The documentation states, “Ansible modules are reusable units of magic that can be used by the Ansible API, or by the ansible or ansible-playbook programs.” I view them as being very much like functions or subroutines. Ansible ships with many modules ready for use. Administrators also can write modules to fit specific needs using any programming language. Many of the Ansible modules are idempotent, which means they will not make a change to your system if a change does not need to be made. In other words, it is safe to run these modules repeatedly without worrying they will break things. For instance, running a playbook that sets permissions on a certain file will, by default, update the permissions on that file only if its permissions differ from those specified in the playbook.

For my needs, the script module works perfectly. Each Aqueduct bash script corresponds to a hardening recommendation given in the STIG. The scripts are named according to the numbered sections of the STIG document.

In my test environment, I have a small high-performance compute cluster consisting of one management node and ten compute nodes. For this test, the SSH server dæmon is configured for public-key authentication for the root user. To install Ansible on RHEL6, the EPEL repository must first be installed. Download the EPEL RPM from the EPEL site (see Resources). Then, install it on your management node:

# rpm -ivh epel-release-6-8.noarch.rpm

Now, you are ready to install Ansible:

# yum install ansible


Figure 4. The /etc/hosts File for My Test Cluster

Ansible’s main configuration file is located in /etc/ansible/ansible.cfg. Unless you want to add your own customizations, you can configure it with the default settings. Now, create a directory in /etc/ansible called prod. This is where you will copy the Aqueduct STIG bash scripts. Also, create a directory in /etc/ansible called plays, where you will keep your Ansible playbooks. Create another directory called manual-check. This will hold scripts with information that must be checked manually.

Next, a hosts file must be created in /etc/ansible. It is simply called hosts. Figure 4 shows how I configured mine for the ten compute nodes. Eight of the compute nodes are typical nodes, but two are equipped with GPGPUs, so there are two groups: “hosts” and “gpus”. Provide


the IP address of each node (the host name also can be given if your DNS is set up properly). With this tiny bit of configuration, Ansible is now functional. To test it, use Ansible in ad hoc mode and execute the following command on your management node:

# ansible all -m ping

If this results in a “success” message from each host, all is well.

The Aqueduct scripts must be downloaded using Git. If you do not have this on your management node, then:

# yum install git

Git “is a distributed revision control and source code management (SCM) system with an emphasis on speed” (Wikipedia). The command line for acquiring the Aqueduct package of scripts and manifests goes like this:

# git clone git://git.fedorahosted.org/git/aqueduct.git

This will create a directory under the current directory called aqueduct. The bash scripts for RHEL6 are located in aqueduct/compliance/bash/stig/rhel-6/prod. Now, copy all scripts therein to /etc/ansible/prod. There are some other aspects of the STIG that will need to be checked by either running the scripts manually or reading the script and performing the required actions. These scripts are located in aqueduct/compliance/bash/stig/rhel-6/manual-check. Copy these scripts to /etc/ansible/manual-check.

Now that the scripts are in place, a playbook must be written to deploy them on all target hosts. Copy the playbook to /etc/ansible/plays. Make sure all scripts are executable. Figure 5 shows the contents of my simple playbook called aqueduct.yml.

On a few of the STIG scripts, a few edits were needed to get them to execute correctly. Admittedly, a more eloquent solution would be to replace the STIG scripts by translating them into customized Ansible modules. For now, however, I am taking the easier route by calling the STIG scripts as described from my custom Ansible playbook. The script module makes this possible. Next, simply execute the playbook on the management node with the command:

# ansible-playbook aqueduct.yml

This operation takes about five minutes to run on my ten nodes, with the understanding that the plays run in parallel on the target hosts. Ansible produces detailed output that shows the progress of each play and host. When Ansible finishes running the plays, all of the target machines should be identically hardened, and a summary is displayed. In this case, everything ran successfully. For system security hardening, the combination of Ansible and Aqueduct is a powerfully productive force in keeping systems safe from intruders.

Figure 5. My Simple Playbook to Execute STIG Scripts on All Targets

Figure 6. Output Showing a Successful STIG Playbook Execution

If you’ve ever worked as a system administrator, you know how much time a tool like this can save. The more I learn about Ansible, the more useful it becomes. I am constantly thinking of new ways to implement it. As my system administration duties drift more toward using virtual technologies, I plan on using Ansible to provision and manage my virtual configurations quickly. I am also looking for more avenues to explore in the way of managing high-performance computing systems, since this is my primary duty. Michael DeHaan has developed another tool called Cobbler, which is excellent for taking advantage of Red Hat’s installation method, Kickstart, to build systems quickly. Together, Cobbler and Ansible create an impressive arsenal for system management.

As system administrators, we are living in exciting times. Creative developers are inventing an amazing array of tools that, not only make our jobs easier, but also more fun. I can only imagine what the future may hold. One thing is certain: we will be responsible for more and more systems. This is due to the automation wizardry of technologies like Ansible that enable a single administrator to manage hundreds or even thousands of servers. These tools will only improve, as they have continued to do. As security continues to become more and more crucial, their importance will only increase.

Mark Dotson has been a system administrator for 15 years. He has worked in storage and high-performance computing. His hobbies include writing and reading philosophy. He is currently employed by Lockheed-Martin Corporation.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

Resources

Ansible’s Architecture: Beyond Configuration Management: http://blog.ansibleworks.com/2013/11/29/ansibles-architecture-beyond-configuration-management

Michael DeHaan’s Blog: http://michaeldehaan.net

Git Home: http://git-scm.com

Aqueduct Home: http://www.vincentpassaro.com/open-source-projects/aqueduct-red-hat-enterprise-linux-security-development

Ansible Documentation: http://docs.ansible.com/index.html

EPEL Repository Home: https://fedoraproject.org/wiki/EPEL

DISA RHEL6 STIG: http://iase.disa.mil/stigs/os/unix/red_hat.html
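Figures 4 and 5 of the article above are images, so here is an added example of the inventory and the aqueduct.yml playbook of the kind the text describes. It is my reconstruction for this edit, not the author's files: the addresses are constructed placeholders from the 192.0.2.0/24 documentation range, the group names hosts and gpus and the /etc/ansible/prod location come from the article, and the assumption that everything in /etc/ansible/prod is an executable STIG script follows the copy step described there.

```yaml
# Added example reconstructing the inventory (Figure 4) and the playbook
# (Figure 5) the article describes; not the author's files.
#
# /etc/ansible/hosts is an INI-style inventory in Ansible 1.x, so it is
# reproduced here as a comment. Addresses are constructed placeholders;
# the group names "hosts" and "gpus" are the ones the article uses.
#
#   [hosts]
#   192.0.2.11
#   192.0.2.12
#   192.0.2.13
#   192.0.2.14
#   192.0.2.15
#   192.0.2.16
#   192.0.2.17
#   192.0.2.18
#
#   [gpus]
#   192.0.2.19
#   192.0.2.20
#
# /etc/ansible/plays/aqueduct.yml
---
- hosts: all            # both groups: the STIG applies to every node
  remote_user: root     # the article's cluster allows key-based root SSH

  tasks:
    - name: run each Aqueduct STIG hardening script from /etc/ansible/prod
      # with_fileglob expands on the management node and yields one
      # absolute path per file (directories are skipped); the script module
      # copies that file to the target and runs it through the remote shell,
      # so no Python is needed on the target.
      script: "{{ item }}"
      with_fileglob:
        - /etc/ansible/prod/*
```

Run it with ansible-playbook /etc/ansible/plays/aqueduct.yml from the management node. One caveat worth knowing before scheduling this from cron: unlike the yum and file modules discussed in the article, script is not idempotent. Every run re-executes every script and reports it as changed, so whatever idempotency the hardening has must come from the scripts themselves, which is the practical reason behind the author's remark that translating the STIG scripts into proper Ansible modules would be the better long-term solution.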



EOF

In the Matrix of Mobile, Linux Is Zion

DOC SEARLS

In mobile we are losing the free world called the Web and the Net. How do we save it?

Already most of us spend more time on mobile devices than we do on desktops and laptops, put together. We also can do a lot more stuff, in a lot more places, on mobile devices than on computers. There were more than a million iOS apps on the shelves of Apple’s store in October 2013 (http://techcrunch.com/2013/06/10/apples-app-store-hits-50-billion-downloads-paid-out-10-billion-to-developers), and I’m guessing there are at least that many Android apps on Google’s shelves by now. Meanwhile, app development on computers is slacking off—so is Web development, except as required to accessorize mobile apps. And on mobile devices, use of the Web is fading as well. According to Flurry Analytics (http://blog.flurry.com/bid/109749/Apps-Solidify-Leadership-Six-Years-into-the-Mobile-Revolution), the Web’s share of mobile use dropped from 20% in 2013 to 14% in 2014. In “The Decline of the Mobile Web” (http://cdixon.org/2014/04/07/the-decline-of-the-mobile-web), Chris Dixon writes:

    This is a worrisome trend for the web. Mobile is the future. What wins mobile, wins the Internet. Right now, apps are winning and the web is losing.

    Moreover, there are signs that it will only get worse. Ask any web company and they will tell you that they value app users


    more than web users. This is why you see so many popups and banners on mobile websites that try to get you to download apps. It is also why so many mobile websites are broken. Resources are going to app development over web development. As the mobile web UX further deteriorates, the momentum toward apps will only increase.

    The likely end state is the web becomes a niche product used for things like 1) trying a service before you download the app, 2) consuming long tail content (e.g., link to a niche blog from Twitter or Facebook feed).

He sees an end state that “will probably be like cable TV—a few dominant channels/apps that sit on users’ home screens and everything else relegated to lower tiers or irrelevance”.

Those millions of apps are a forest of silos, growing on land that is privately owned or controlled by Apple, Google and Microsoft. Out on the streets, plains and hills of the civilized world, network connections are also provided by mobile phone companies, whose own silos are walled by usage limits and by tariffs at national borders.

Underneath it all, the Internet is getting harder and harder to see, understand and appreciate. Already mobile operators in India are offering free or cheaper plans just for Facebook, Whatsapp and Twitter (http://www.medianama.com/2013/01/223-airtel-vodafone-idea-data-internet-rates-increase). To those operators, network neutrality means nothing. In fact, it never did, to any of the big operators. When he was Chief Scientist at BT, JP Rangaswami (http://confusedofcalcutta.com) said the core competence of phone companies is billing, not communications.

“Winning the Internet” should be absurd on its face, like “winning” sunlight or weather. But it isn’t in mobile, which already has turned into a giant Truman Show (http://en.wikipedia.org/wiki/The_Truman_Show). Inside that show, small app developers become suburbs of large ones—for example, by requiring logins through Facebook or Twitter, rather than using an identity


from the open world, such as an e-mail address. That’s the case with Shazam (http://www.shazam.com), a handy mobile app you can use to identify the music you hear. But if you want to see the music you’ve “tagged” with Shazam on the company’s Web site, the only way to log in is through Facebook. As for getting that data back out, good luck.

Even apps that do let you have your data back also make the process costly or difficult. Fitbit will give you XLS and CSV data, but only with a “premium” subscription of $49.99/year. To get personal data gathered by Nike+ devices and apps, you’ll need an external hack, such as fuel_dump (https://github.com/edrabbit/fuel_dump). Integrating that data is also a steep challenge. Some app developers will partner with other companies or open their APIs to allow data to flow between apps, but integrating personal data gathered by mobile apps on a personal computer requires real wizardry. The Muggles won’t bother.

There are exceptions though. My favorite is Moves (http://moves-app.com), a $2.99 app from Finland that produces an “activity diary” of your walking, running, cycling and riding around in the world. Its Web site kindly provides data exports in CSV, GEOSON, GEORSS, GPX, ICAL, JSONKML and KML_GE. Within those are Activities, Places and Storyline. The only loophole in its otherwise respectful privacy policy is one that lets your data go to a third party if that party buys the company (http://www.moves-app.com/privacy). Still, privacy laws are much stronger in Europe than in most other places, especially the US.

Many ordinary activities that are open in the physical world are now silo’d in the virtual one. Take reading books, for example. Buy a hardcover or paperback book, and it’s yours. You can pull it off your shelf and read it without any company intermediating the process or telling you what you can and can’t do. This is not the case with most electronic books, which can be read only on proprietary machines using proprietary software, both of which are mostly Amazon’s. My wife just got a new Kindle Fire, as a gift from the airline she’s flown for more than two million miles. It’s a nice gift,


but using it feels like you’re on an Amazon cruise ship with portholes looking out to the open world.

Even listening to radio on-line is an ordeal compared to what we had when stations could be found on radio dials. Although there are apps—TuneIn (http://tunein.com) and Wunderadio (http://www.wunderradio.com)—that try to replicate the dials of old (and it’s not easy, given the vast numbers of stations streaming in the world), station owners feel the need to create an app for their own stations, or for fleets of them, to the exclusion of others. This is what Clear Channel (http://www.clearchannel.com/Pages/Home.aspx) does with iHeartRadio (http://www.iheart.com). It’s a “dial” mostly of its own stations. To it, as to other large operators in the virtual world, the infrastructure that matters isn’t the public stuff that’s open and ownerless—such as the Net, the Web and e-mail—but what’s private and controlled by companies with which deals can be done.

For example, right now at the top of the stream of tweets I see on Twitter is a “promoted” link—an ad—from Sprinklr. The tweet says, “FREE eBook: Without Infrastructure, You Can’t Be Social”. The link goes to a page about “The Rise of Social Experience Management”, explained


in a free eBook that requires giving up a bunch of personal data so you can become a qualified lead for whatever it is that Sprinklr sells. Note that the “infrastructure” is theirs. Not the Net’s. Not the Web’s. Not any space we all share. Just their space, which they own and charge rent to use.

Nowhere is mobile infrastructure more locked down and controlled than with the app stores. These completely private marketplaces are monopolies to mobile customers and monopsonies to app companies. As sole intermediaries, the stores get to charge what they want, which is a lot. Apple and Google both take 30% of what you pay for an app. So does Microsoft, but it drops its cut to 20% after sales of an app reach $25k. These are monopoly rents. Ask your shoe or grocery store what kind of margins it gets—or hell, even Amazon.

I believe the only answer is to equip ordinary individuals (Muggles, not just wizards like us) with independent tools for integrating and managing data and services—and better ways to exercise their autonomy, independence, freedom and agency in the world. I don’t see any other way to break out of the Matrix (http://en.wikipedia.org/wiki/The_Matrix) that the mobile world is becoming.

We need to start with general-purpose devices on which we can run anything we want. We still have that with some computers, but we don’t with our mobile devices. There, with no meaningful exceptions, we are still vassals of Apple, Google and Microsoft. Fortunately, Android is a breed of Linux. In the Matrix of mobile, Linux is Zion.

Wake up, Neo.

Doc Searls is Senior Editor of Linux Journal. He is also a fellow with the Berkman Center for Internet and Society at Harvard University and the Center for Information Technology and Society at UC Santa Barbara.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
