Linux Journal - June 2014 PDF
LINUX JOURNAL, June 2014: THE NETWORKING ISSUE
Since 1994: The Original Magazine of the Linux Community

E-MAIL ENCRYPTION WITH MUTT
SIMPLE SCRIPTING SKILLS IN ACTION
A LOOK AT HOW URLs ARE CHANGING WITH THE TIMES
ANALYZE ANDROID TRAFFIC WITH WIRESHARK
HARDEN YOUR RHEL SYSTEMS WITH ANSIBLE
HOW IS MOBILE CHANGING THE WEB?
WATCH: NETWORK ISSUE OVERVIEW (video)
NETWORKING

FEATURES
56  Monitoring Android Traffic with Wireshark
    Get a glimpse into the Internet traffic coming from your smartphone using some simple Linux tools.
    Brian Trapp
68  OSSIM: a Careful, Free and Always Available Guardian for Your Network
    OSSIM, the free and open-source SIEM.
    Marco Alamanni
84  Berkeley Packet Filters with Scapy (and Friends)
    Decide what should come from a socket before the data even reaches your application.
    Valentine Sinitsyn

COLUMNS
30  Reuven M. Lerner’s At the Forge: URLs
36  Dave Taylor’s Work the Shell: Considering Legacy UNIX/Linux Issues
42  Kyle Rankin’s Hack and /: Encrypt Your Dog (Mutt and GPG)
46  Shawn Powers’ The Open-Source Classroom: Being a Hack

IN EVERY ISSUE
8    Current_Issue.tar.gz
10   Letters
16   UPFRONT
28   Editors’ Choice
52   New Products
113  Advertisers Index
ON THE COVER
E-mail Encryption with Mutt
Simple Scripting Skills in Action
A Look at How URLs Are Changing with the Times
Analyze Android Traffic with Wireshark
Monitor Your Network Security with OSSIM
Take Your Network Filtering Rules to a New Level
Harden Your RHEL Systems with Ansible
How Is Mobile Changing the Web?
LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.
Contributing Editors
Ibrahim Haddad • Robert Love • Zack Brown • Dave Phillips • Marco Fioretti • Ludovic Marcotte
Paul Barry • Paul McKenney • Dave Taylor • Dirk Elmendorf • Justin Ryan • Adam Monsen
Advertising
E-MAIL: ads@linuxjournal.com
URL: www.linuxjournal.com/advertising
PHONE: +1 713-344-1956 ext. 2
Subscriptions
E-MAIL: subs@linuxjournal.com
URL: www.linuxjournal.com/subscribe
MAIL: PO Box 980985, Houston, TX 77098 USA
the Room
I tend to be a fairly funny guy. Well, at least I think I’m funny. My kids might disagree. The thing is, it’s hard to find a group of people to understand obscure networking jokes. At a non-tech conference, for example, if I say to the person next to me, “Jeez, that speaker must have delivered his presentation with UDP packets, because he never stopped to see if any of us were getting what he was talking about!”—exactly zero people laugh. In fact, I usually get really weird looks. At a Linux conference, however, the same comment usually gets an eye-roll. (As a father of teenagers, I consider an eye-roll the equivalent to amusement.) That’s why I love Linux Journal so much. This month, we’re talking about Networking, and everyone in our little “room” understands what we’re talking about! So let’s peel this issue apart one OSI layer at a time.

Reuven M. Lerner starts us out with URLs. That ubiquitous string of text that takes you to a location (usually a Web site) is something we often take for granted. As the Internet matures, however, an understanding of how URLs work is vital. Reuven teaches us everything from protocol designations to URL fragments. If you’ve ever wondered about those seemingly out of place # characters in a URL, you’ll want to read his column. Dave Taylor follows with a great look at the evolution of scripting. Just like we no longer have to hand-crank our car engine to get it running (mine doesn’t even have a key anymore, just a button), shell scripting has changed through the years. Supporting legacy systems (or legacy code) is a problem we all need to deal with, as Dave shows us with one of his real-world experiences. Kyle Rankin continues his theme this month and teaches how to encrypt our e-mail—specifically text-based Mutt e-mail. Kyle remains true to his

describes how to use GPG with Mutt. If you’re a Mutt user like Kyle, or just want to learn about implementing GPG, don’t miss his column. I follow Kyle with a continuation on last month’s scripting basics article. Rather than leaving you with a simple set of tools, I tried to come up with some examples of using those tools in real-world situations. My scripts are basic and my techniques are simple, but that’s the point. Don’t be intimidated by the command line. It’s powerful and not terribly difficult to master.

Sniffing network traffic is often a critical part of diagnosing a problem or detecting a potential one. Brian Trapp explains how to sniff the packets of our smartphones. That seems like a simple enough task, until you realize capturing traffic from a wireless device to the network can be challenging. (Using Firesheep will garner you tons of Web information, but if you want every packet, that gets a little rougher.) Brian shows how to capture the traffic, and then how to dissect it with Wireshark.

Marco Alamanni follows Brian with an in-depth article on OSSIM, a server-based program for detecting problems on your local network. With its Web interface and powerful collection of snooping tools, OSSIM can be incredibly useful for early detection of problems or threats. Any network user or administrator is familiar with firewalling tools. Most of us, however, aren’t nearly as familiar with Berkeley Packet Filters. Valentine Sinitsyn walks through using BPF to do some very low-level traffic filtering. This powerful system can add an incredible set of tools to your network filtering needs. And finally, Mark Dotson gives us an in-depth tutorial on Ansible. Managing multiple systems is becoming more and more complex, but thankfully with tools like Ansible, we can deploy and configure countless machines quickly and, most importantly, securely.

Like every issue of Linux Journal, this one is chock full of tech tips, product announcements and recommendations. The networking issue touches on so many disciplines and interest areas in the Linux community, that it’s always one of our favorites. The large majority of folks still won’t understand our networking jokes, but that’s okay, they can sit around as bored as a teenager in a Faraday cage while we all enjoy this issue. (Thank you, thank you, I’ll be here all night....) Q

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.
to assume that everyone will use the software the way you want them to.

Harden Your SSH

Regarding Federico Kereki’s article “More Secure SSH” in the January 2014 issue, using PAM, how can you lock a user to a directory? Would it be better to use ChrootDirectory? I would think PAM would be better, but I am lost at the moment. I have never configured PAM, but I am interested in it because of this article.
—Tony Catalfamo

Federico Kereki replies: I haven’t actually used this, but there’s a PAM module you could try called pam_chroot. However, I’d also point out that according to some accounts, there might be security problems with it, and jk_chrootsh should be preferred. As I said, I haven’t tried this out, but I’ll give these two options a whirl; good question, Tony!

Another Silo on the Security Topic

Some years ago, I bought and installed a couple door locks with the Z-Wave interface feature, thinking that someday I would integrate them into what we call The Internet of Things. Today, I find that my only option with the manufacturer Schlage is to incorporate its own Web site into the path from lock to PC or smartphone.

Although the salesman offers glowing prospects, he has no way to deal with the contingencies I presented to him that are important failures to avert per my values. Doc Searls and others have been writing about silos for quite some time. Short of reverse-engineering, I see no way to avoid yet another one in my personal life.

This touches many topics actually—for example, security, embedded systems, service interruption, silos and the “biggie”, Internet of Things. I have regaled in some of Docs’ successes in beating the lock-in of vendors. While my search for an alternative door-lock vendor is not done, I wonder if a “Silo Beaters Registry” might make good reading? Like open source, it would carry those who are receptive to providing open products of non-software nature—like door locks.

In any case, should Doc or others write more on the silo topic, I present this example to them through you for their use.
—Skip
Basically, a couple main contributors have forked from just before where Bacula Enterprise code went proprietary.

It isn’t currently available via any of the distros other than Gentoo, but the authors do have packaged binaries for the majors.

It’s well worth a look, and I’d love to hear what you think!
—Erich Newell

Very cool! I’ll try to check it out, but at the very least, it will appear here for others to check out as well!—Shawn Powers

With the “old” version of the app, I believe I could open downloaded issues without having Internet access. It is quite annoying at the moment, because I’m abroad and thus only connected to the Internet sporadically.

Will you consider bringing back the functionality to start reading while off-line?
—Bo Romer

The app development isn’t done in-house, but I’ll be sure to get your feedback to the right folks. Thank you for the input; the goal is, of course, to have the most
The author begins his article by stating processors have always been faster than memory. It’s just plain wrong; early CPUs were slower than memory. Actually memory (SDRAM) density has greatly improved (as

Subscription inquiries can be done instantly on-line: http://www.linuxjournal.com/subs. E-mail us at subs@linuxjournal.com or reach us via postal mail at Linux Journal, PO Box 980985, Houston, TX 77098 USA. Please remember to include your complete name and address when contacting us.

ACCESSING THE DIGITAL ARCHIVE:
diff -u
WHAT’S NEW IN KERNEL DEVELOPMENT

David Herrmann wanted to disable the virtual terminal subsystem in order to save space on a kernel that didn’t need a VT. But, he still wanted to see kernel oops output for debugging purposes. The problem was that only the VT subsystem would display oops output—and he’d just disabled it.

No problem. David posted a patch to implement DRM-log, a separate console device that used the direct rendering manager and that could receive kernel oops output.

Over the course of a discussion about the patch, Alan Cox mentioned that there didn’t seem to be anything particularly DRM-specific in David’s code. It easily could exist at a yet more generic layer of the kernel. And although David agreed with this, he said the DRM folks were more amenable to taking his patch and that “I’ve spent enough time trying to get the attention of core maintainers for simple fixes, I really don’t want to waste my time pinging on feature-patches every 5 days to get any attention. If someone outside of DRM wants to use it, I’d be happy to discuss any code-sharing. Until then, I’d like to keep it here as people are willing to take it through their tree.”

That’s a fairly surprising statement—a bit of an indictment of existing kernel patch submission processes. There was no further discussion on that particular point, but I would imagine it got some folks thinking.

The rest of the current thread focused on some technical details about oops output, especially font size. David’s code displayed oops output pixel by pixel, essentially defining its own font. But for extremely high-resolution monitors, such as Apple’s Retina display, as Bruno Prémont pointed out, this could result in the oops output being too small for the user to see. David’s answer to this was to implement integer scaling. His font could be any integer multiple larger than the default. This seemed fine to Bruno.

Eugene Shatokhin posted some code to make use of Google’s ThreadSanitizer tool (https://code.google.com/p/thread-sanitizer). ThreadSanitizer detects a particular type of race condition that occurs when one thread tries to write to a variable while another thread either tries to read from or write to the same variable.

Eugene called his own code Kernel Strider (https://code.google.com/p/kernel-strider). It collected statistics on memory accesses, function calls and other things, and sent them along to be analyzed by Thread Sanitizer. Eugene also posted a link to a page describing several race conditions that Kernel Strider had uncovered in the 3.10.x kernel series.

Waiman Long posted some code implementing qspinlock, a new type of spinlock that seemed to improve speed on very large multiprocessor systems. The idea behind the speed improvement was that a CPU would disable preemption when spinning for a lock, so it would save the time that might otherwise have been used migrating the looping thread to other CPUs.

The big problem with that kind of improvement is that it’s very context-dependent. What’s faster to one user may be slower to another, depending on one’s particular usual load. Traditionally, there has been no clean way to resolve that issue, because there really is not any “standard” load under which to test the kernel. The developers just have to wing it.

But, they wing it pretty good, and ultimately things like new spinlock implementations do get sufficient testing to determine whether they’d be a real improvement. The problem with Waiman’s situation, as he said on the list, is that the qspinlock implementation is actually slower than the existing alternatives on systems with only a few CPUs—in other words, for anyone using Linux at home.

However, as George Spelvin pointed out, the most common case is when a spinlock doesn’t spin even once, but simply requests and receives the resource in question. And in that case, qspinlocks seem to be just as fast as the alternatives.

To qspinlock or not to qspinlock—
Non-Linux FOSS: My Portable Windows Lab

Portable apps aren’t anything new. There are variations of “single executable apps” for most platforms, and some people swear by keeping their own applications with them for use when away from home. I don’t usually do that, as most of what I do is on-line, but there is one exception: security.

When I’m asked to help a Windows user figure out what is wrong with his or her computer, I generally take a USB drive and nothing else. I also usually run dd on that Flash drive when I get back home, because Windows can be a breeding ground for nasty infections. In order to build a USB device quickly that I can use to help my Windows friends, I like to use the awesome open-source program at http://portableapps.com. The downloadable program provides a sort of “app store” for downloading individual portable apps. It makes sure all of your apps are up to date, and it’s a great way to browse the different categories and look for apps that might be useful. Granted, many of the portable apps themselves aren’t open source, but the program that manages them for you is. If you ever need to help friends or acquaintances with their infected systems, a USB drive prepped with the Windows-based portableapps.com application is a great way to start.
—SHAWN POWERS
Scientific Graphing in Python

In my last few articles, I looked at several different Python modules that are useful for doing computations. But, what tools are available to help you analyze the results from those computations? Although you could do some statistical analysis, sometimes the best tool is a graphical representation of the results. The human mind is extremely good at spotting patterns and seeing trends in visual information. To this end, the standard Python module for this type of work is matplotlib (http://matplotlib.org). With matplotlib, you can create complex graphics of your data to help you discover relations.

You always can install matplotlib from source; however, it’s easier to install it from your distribution’s package manager. For example, in Debian-based distributions, you would install it with this:

    sudo apt-get install python-matplotlib

The python-matplotlib-doc package also includes extra documentation for matplotlib.

Like other large Python modules, matplotlib is broken down into several sub-modules. Let’s start with pyplot. This sub-module contains most of the functions you will want to use to graph your data. Because of the long names involved, you likely will want to import it as something shorter. In the following examples, I’m using:

    import matplotlib.pyplot as plt

The underlying design of matplotlib is modeled on the graphics module for the R statistical software package. The graphical functions are broken down into two broad categories: high-level functions and low-level functions. These functions don’t work directly with your screen. All of the graphic generation and manipulation happens via an abstract graphical display device. This means the functions behave the same way, and all of the display details are handled by the graphics device. These graphics devices may represent display screens, printers or even file storage formats. The general work flow is to do all of your drawing in memory on the abstract graphics device. You then push the final image out to the physical device in one go.

The simplest example is to plot a series of numbers stored as a list. The code looks like this:

    plt.plot([1,2,3,4,3,2,1])
    plt.show()

The first command plots the data stored in the given list in a regular scatterplot. If you have a single list of values, they are assumed to be the y-values, with the list index giving the x-values. Because you did not set up a specific graphics device, matplotlib assumes a default device mapped to whatever physical display you are using. After executing the first line, you won’t see anything on your display. To see something, you need to execute the second show() command. This pushes the graphics data out to the physical display (Figure 1). You should notice that there are several control buttons along the bottom of the window, allowing you to do things like save the image to a file.

Figure 1. A basic scatterplot window includes controls on the bottom of the pane.

You also will notice that the graph you generated is rather plain. You can add labels with these commands:

    plt.xlabel('Index')
    plt.ylabel('Power Level')

You then get a graph with a bit more context (Figure 2).

Figure 2. You can add labels with the xlabel and ylabel functions.

You can add a title for your plot with the title() command, and the plot command is even more versatile than that. You can change the plot graphic being used, along with the

you could plot squares and cubes on the same plot with something like this:

    t = [1.0,2.0,3.0,4.0]

(Figure 3). If you import the numpy module and use arrays, you can simplify the plot command to:

    plt.plot(t,t**2,'bo',t,t**3,'sr')

What if you want to add some more information to your plot, maybe a text box? You can do that with the text() command, and you can set the location for your text box, along with its contents. For example, you could use:

    plt.text(3,3,'This is my plot')

This will put a text area at x=3, y=3. A specialized form of text box is an annotation. This is a text box linked to a specific point of data. You can define the location of the text box with the xytext parameter and the location of the point of interest with the xy parameter. You even can set the details of the arrow connecting the two with the arrowprops parameter. An example may look like this:

    plt.annotate('Max value', xy=(2, 1), xytext=(3, 1.5),
                 arrowprops=dict(facecolor='black', shrink=0.05),)

Several other high-level plotting commands are available. The bar() command lets you draw a barplot

input parameters. You even can add in error bars with the xerr and yerr parameters. Similarly, you can draw a horizontal bar plot with the barh() command. Or, you can draw box and whisker plots with the boxplot() command. You can create plain contour plots with the contour() command. If you want filled-in contour plots, use contourf(). The hist() command will draw a histogram, with options to control items like the bin size. There is even a command called xkcd() that sets a number of parameters so all of the subsequent drawings will be in the same style as the xkcd comics.

Sometimes, you may want to be able to interact with your graphics. matplotlib needs to interact with several different toolkits like GTK or Qt. But you don’t want to have to write code for every possible toolkit. The pyplot sub-module includes the ability to add event handlers in a GUI-agnostic way. The FigureCanvasBase class contains a function called mpl_connect(), which you can use to connect some callback function to an event. For example, say you have a function called onClick(). You can attach it to the button press event with this command:

    fig = plt.figure()

Now when your plot gets a mouse click, it will fire your callback function. It returns a connection ID, stored in the variable cid in this example, that you can use to work with this callback function. When you are done with the interaction, disconnect the callback function with:

    fig.canvas.mpl_disconnect(cid)

If you just need to do basic interaction, you can use the ginput() command. It will listen for a set amount of time and return a list of all of the clicks that happen on your plot. You then can process those clicks and do some kind of interactive work.

The last thing I want to cover here is animation. matplotlib includes a sub-module called animation that provides all the functionality that you need to generate MPEG videos of your data. These movies can be made up of frames of various file formats, including PNG, JPEG or TIFF. There is a base class, called Animation, that you can subclass and add extra functionality. If you aren’t interested in doing too much work, there are included subclasses. One of them, FuncAnimation, can generate an animation by repeatedly applying a given function and generating the frames of your animation. Several other low-level functions are available to control creating, encoding and writing movie files. You should have all the control you require to generate any movie files you may need.

Now that you have matplotlib under your belt, you can generate some really stunning visuals for your latest paper. Also, you will be able to find new and interesting relationships by graphing them. So, go check your data and see what might be hidden there. —JOEY BERNARD
URLs
Reuven M. Lerner

How URLs, a technology that we take for granted, are changing with the times.

leading contenders being Ember.js and Angular.js. (I intend to write about both of these quite a bit in the coming year.)

For me, at least, the most striking thing when I started to learn Ember and Angular was their talk about the “router”. Now, in Rails, a router is the part of the code that maps the URL /users/101 and knows to invoke the appropriate code. And indeed, the router in Ember does something very similar, taking the URL and ensuring that the correct code is invoked.

But wait a second—I’m talking about a single-page app, right? If you’re working with Ember, what is your router doing worrying about what URL is being passed? The answer, it turns out, is that the router in both Ember and Angular aren’t looking at the main part of the URL, but rather the fragment. The URL will not be /users/101 but rather myapp.html#/users/101 or something of the sort. This means that you now effectively have two URLs you need to think about: one that tells the server which application you want and then a second that tells the client-side application which JavaScript code to run. This new use of URLs still looks somewhat strange to me, as it’s making use of the fragment, which I had largely ignored for years. However, it’s also exciting to see that URLs continue to be flexible, adapting to new uses for the Web, and making it possible to continue using browsers in new and interesting ways. Q

Reuven M. Lerner, a longtime Web developer, consultant and trainer, is completing his PhD in learning sciences at Northwestern University. You can learn about his on-line programming courses, subscribe to his newsletter or contact him at http://lerner.co.il.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
Resources
The ultimate reference for URLs, which doesn’t mean that it’s easy to read or understand, is
RFC 3986 at http://tools.ietf.org/html/rfc3986, published by the IETF, the body in charge of
many Internet standards.
If you are interested in looking at modern client-side frameworks, you can learn more about them at
http://backbonejs.org (for Backbone), http://emberjs.com (for Ember) and http://angularjs.org
(for Angular). All are popular open-source projects with large and active communities.
Legacy
UNIX/Linux Issues
Updating his shell script book, Dave bumps into a legacy
Solaris problem, which leads to all sorts of interesting
solution paths and discussion.
ago I wrote a rather popular
G+ at http://profiles.google.com/d1taylor) and asked those that had

    # how many commands: count how many executable commands
    done
    echo "$count commands, and $nonex entries that weren't \

Running Solaris to Test the Script

The logical solution was to gain access to a system running Solaris (ideally SunOS 5.8, aka Solaris 8), but who the heck is running a Solaris system and can grant me external SSH access? The answer: no one I could find, which is why it’s fortunate that I found a far better path: VirtualBox.

Free to download from Oracle (https://www.virtualbox.org/wiki/Downloads), VirtualBox is a virtualization system, creating a system within a system. Even better, it runs on Mac or Windows systems along with various flavors of Linux, offering the ability to install and run a full Solaris installation (or just about any other OS you’re interested in testing) as an app.

If you’ve experimented with VMware or Parallels, you’ve already bumped into this technology, and it’s very slick. In fact, I run Windows 8 Pro on my MacBook Pro using VMware Fusion, and it works astonishingly well in its own full-screen window. The down side is that VMware Fusion isn’t free. But, VirtualBox is—nice.

Download and install it, then you can grab a free copy of the SunOS 5.11 (aka Solaris 11.1) at http://www.oracle.com/technetwork/server-storage/solaris11/vmtemplates-vmvirtualbox-1949721.html. Unpack the OS and double-click. It’s automatically opened by VirtualBox, and with another VirtualBox config to share the clipboard with the parent operating system, and you simply can copy and paste it into a vi edit buffer and save it. An invocation:

    $ sh ./count-cmds.sh
    2003 commands, and 15 entries that weren't marked executable
The same year my book came out, I tested the scripts on Solaris 9 prior to publication.

This leads to the dilemma: the script apparently doesn’t work on a ten-year-old version of Solaris UNIX but works just fine on the latest release, Solaris 11. Should I care?

This is all tied to the legacy problem: how far back do you need to go to ensure that your software works? The previous OS release? Five years back? Ten? Longer?

Legacy support has been in the news for Windows users, that’s for sure, as Microsoft just axed support for the ancient Windows XP version of the flagship operating system. For the record, WinXP was released in October 2001. Fourteen years later, Microsoft is saying “guys, we’ve had a lot of major releases since then and can’t support it forever”, and people are howling.

Apple seems to weather this sort of thing more gracefully. When the company moved from MacOS to Mac OS X, it included “Classic Mode” where old apps would mostly run, but the writing was on the wall from the beginning of the OS X era that Apple wasn’t going to “do a Microsoft” and support the old OS for years and years.

And, this brings me back to and Solaris 8 and Wicked Cool Shell Scripts. The long and short of it: if the script didn’t work properly in Solaris 11, I’d be concerned and debug the problem, but because it fails in a ten-year-old version of the OS, I’m going to ignore the problem. If I could log in to a Solaris 8 system, I might debug it anyway just to understand what’s going on, but is that a reason to slow down the revision of the book? I don’t think so.

Legacy support—it’s a big challenge for every software developer, and although Bash and the Linux command-line world hasn’t changed that much in the past few years, it’s still something to consider before you ship your own software (even if it’s free software).

So what’s your solution? Write to us, and let us know how your company deals with legacy Linux/UNIX issues! Q

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He’s the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at his tech site http://www.AskDaveTaylor.com.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
Your Dog
(Mutt and GPG)
Like most common things with Mutt, encryption and signing
of e-mail is fairly straightforward and customizable.
and where you press the y key to send the message. The Security field on this

    send-hook '~t @linuxjournal.com' 'set pgp_autosign'
    send-hook '~t editor@linuxjournal.com' 'set pgp_autosign;

The ~t in a hook pattern matches the To header, but the Mutt documentation details a number of other flags you can use to match From, BCC, the e-mail body or other parts of the message. The final line automatically will enable signing and encryption to messages sent to editor@linuxjournal.com:

    send-hook '~t editor@linuxjournal.com' 'set pgp_autosign; set pgp_autoencrypt'

that you won’t slip up and accidentally reply to someone’s encrypted message in plain text. Plus, you can make sure you always sign messages to your PGP-using friends. Q

Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users’ Group.
get hacked on more and more, and duct tape isn’t appropriate.)

    # Create home directories on file server
    echo "Unless you saw an error, everything is good."

directory. See if you can figure out what this does:

    #!/bin/bash
    #
    for x in `ls /home`
    do
    mkdir /home/$x/public_html
    chown $x.nobody /home/$x/public_html
    chmod 755 /home/$x/public_html
    done

This script basically creates a set of objects from the ls /home command (because it’s in backticks), and then executes one loop iteration for each object in the set. The beauty of this is that it will work whether you have three users or 3,000 users. Each iteration of the loop (the part between do and done) creates a public_html folder inside the user’s folder and gives it the correct ownership and permissions. You can imagine how much typing this saves for large numbers of users! I use a variation

desktop, a for loop saves the day.

remind everyone that quick Bash hacks like these aren’t foolproof. It’s best if

so that it prints on the screen what it is doing. A simple typo could cause you to wipe out millions of user files, so it’s best to test your script before using it on your live servers or personal system. This is especially true if you start running rm commands in a loop—that’s some powerful mojo, which you don’t want to use incorrectly.

I Hate Typing Things More Than Once

Finally, I’m going to demonstrate another way I use quick Bash scripts on a regular basis, and that is to create configuration files. Basically, any time you see repetitious data in a configuration file, chances are you can write a script that will save you lots of time. This script is fairly complex, but it uses lots of the tools I’ve been talking about. This configuration file is actually part of a script I use to monitor Bitcoin miners, for those who are curious:

    #!/bin/bash
    # First part of config file
    # This loop should run for all miners
    for MINERLOOP in $(seq 0 $LOOP_NUMBER);
Oswald Campesato’s
Google Glass Development
(Mercury Learning)
Oswald Campesato’s new book Google Glass
Development adds to Mercury Learning & Information’s
newly developed Pocket Primer series. Campesato’s
book provides an overview of the major aspects, the
source code and tutorial videos to develop applications
for Google Glass. It also contains information for
developing Glassware using Android and HTML5
technologies, primarily for self-directed learners who
have some knowledge of Android and HTML5 graphics-
related technologies. Other topics include CSS3, HTML5
Canvas, D3 and SVG, as well as the Glass GDK and working with sensors.
http://www.merclearning.com
Envivio’s G5 Family
of Appliances
Envivio’s specialty is software-
based video processing and delivery
solutions. The company’s latest innovation is the Envivio G5 family of Intel-based
server appliances, featuring increased compression density, support for the latest
Ultra HD 4K resolution and HEVC (H.265) encoding, and a lowering of operating
expenses for service providers. Operators deploying Envivio Muse Live encoders on
the new G5 platform can deliver up to 100 high-quality SD or 20 HD channels in a
2RU configuration. In a typical IPTV or cable scenario, this represents a significant
cost savings. Rack space requirements can be reduced by nearly 40% and power
consumption by more than 30% compared to the previous generation of Envivio
appliances. Both 1RU and 2RU versions are available, with the latter featuring a
modular hot-swappable, multi-node architecture.
http://www.envivio.com
Elecsys e-Modem
Industrial equipment manufacturers that need a practical and
reliable solution for linking their products with data networks
will be pleased to learn about the novel Elecsys e-Modem
series of embedded cellular data modems. These are wireless
communication devices that are pre-certified to operate on the
Verizon Wireless network and are ready to integrate into industrial
products to add M2M connectivity into remote field applications
and rugged equipment. Key product features include multiple
cellular technologies (CDMA 1xRTT and EV-DO), Verizon Wireless
Open Development certification and a design for industrial
applications. Target applications include oil and gas wells,
energy distribution systems, agricultural facilities, transportation
infrastructure and many other industrial applications.
http://www.elecsyscorp.com
Verocel’s VeroTrace
The new commercial version of Verocel’s VeroTrace,
an advanced life-cycle management environment, features an enhanced architecture, an
Eclipse IDE and a wealth of other capabilities. The upshot is that software developers now
can automate the many tasks and processes required for their own large-scale, advanced
software development and verification efforts. VeroTrace provides not only full traceability,
review and workflow tracking but also monitors development and certification life-cycle
artifacts as well as their relationships and authorization statuses. It is the ideal environment
to facilitate the development, review, authorization and sign-off status of complex software
systems, and aid in their delivery. VeroTrace already has successfully delivered safety and
security projects and certification evidence to meet the DO-178B/C Avionic Software
standards, the EN 50128 rail certification and the IEC 61508 for the industrial sector.
http://www.verocel.com
Monitoring Android Traffic with Wireshark

Use some simple Linux tools and a laptop to get access to the Internet traffic sent and received by your smartphone.

BRIAN TRAPP
FALSE STARTS

It may be tempting to try a shortcut for capturing this traffic. Here are a few techniques I tried and discarded before sticking with a hostapd/dnsmasq/iptables solution.

UBUNTU’S BUILT-IN HOTSPOTS: Ubuntu has a handy “Use as Hotspot” feature tucked away in its networking settings. Unfortunately, it creates hotspots in ad hoc mode, which isn’t compatible with most versions of Android. I didn’t try Fedora’s implementation, but the method I recommend instead will work on any distribution.

MONITOR MODE: It’s tempting just to put the wireless card in monitor mode and capture all wireless traffic, independent of SSID. This is pretty cool, but there are quite a few “gotchas”:

- The drivers for your wireless card must support monitor mode. Many, but not all cards support this mode.

- Your capture needs to include the four WPA “handshake” packets.

- You’ll probably have to compile and use airmon-ng to start monitor mode and then capture on the mon0 pseudo-device airmon creates.

- If the WAP is using encryption, the packets you capture also will be encrypted. Wireshark does have a facility to help decode the packets, but you’ll need to enter information about the security scheme used by the WAP and toggle a few sets of options until the decoded packets look right. For a first-time user, it’s hard enough making sense out of Wireshark dumps without having to worry about toggling security options on and off.

CAPTURING WITH THE ANDROID EMULATOR: Another approach would be to use an Android emulator on your capture device, install and then run the target application, and capture the traffic from the emulator. It’s much harder than it sounds actually to get a banking app on the emulator though:

- Due to recent Android licensing changes, the major Android VMs no longer include the Google Play store. (I tried both the Android SDK and the free product from Genymotion.)

- If your phone isn’t rooted, it’s not easy to get the application’s .apk off your phone and onto the VM.
===[/etc/hostapd/hostapd.conf]======
interface=wlan0
driver=nl80211
ssid=WatchingU
channel=1
===[/etc/hostapd/hostapd.conf]======

I recommend not using Wi-Fi security for this test; it would be overkill, as your access point will

responses back to the correct

========[/etc/dnsmasq.conf]===============
interface=wlan0
dhcp-range=10.0.0.3,10.0.0.20,12h
========[/etc/dnsmasq.conf]===============

iptables

The final piece of your wireless access point is iptables, which will use IP Masquerading to get the traffic from the wireless connection, send it over

iptables --append FORWARD --in-interface $DEV_IN -j ACCEPT
consumed when reassembled into a full TCP stream. To get the full stream, right-click on any row where the source or destination is www.linuxjournal.com, and choose “Follow TCP Stream”. This automatically will find all the related packets and group them together in an easier-to-read format.

In this example, you can see the HTTP GET request from my phone in red, and the HTTP response from the Linux Journal Web server in blue. Here is where you can start to see unencrypted information flowing back and forth from the server. Since the server response’s “Content-Type” header indicates that the response is a JPEG image, you can view that image with a little bit of extra manipulation. Press the “Save As” button to save the stream to a temporary file (use RAW format), then use an editor like emacs or vi to trim out the header text from the image binary contents. It takes a little bit of practice, but it’s usually pretty obvious where the HTTP header stops and the binary bits begin. Once you’ve removed the header (and any stray footer or additional header sections), you can save the file with a .jpeg extension and view it.

Continue browsing through the dump manually and look for interesting TCP segments. You also could take a more systematic approach by using Wireshark’s filtering capabilities. Use a filter like
OSSIM: a Careful, Free and Always Available Guardian for Your Network

Monitor your network’s security 24/7 with a free and open-source solution that collects, analyzes and reports logs of the events on your network.

MARCO ALAMANNI
its correlation (looking for patterns in the log files) can generate alerts when these types of events occur.

Overview of a SIEM Open-Source Solution: OSSIM

OSSIM is a SIEM software platform, free and open-source, developed by AlienVault and based on a Debian 64-bit Linux distribution. OSSIM has four major components:

1. Sensor.

2. Server.

3. Framework.

You can install these components on a single physical machine (the default installation), on a single virtual machine, on different virtual machines and/or physical machines, depending on the size and configuration of the network to monitor.

For a relatively small network, installation on a single machine, which is the simplest configuration, may be the right solution. For larger networks, it is advisable to install the Sensor and the Database separately. Figure 1 shows the OSSIM architecture.

Sensor: The Sensor has two main components:
these abnormal situations that

Directives are located in the

<rule type="detector" name="SSH Authentication failure (5 times)"
<rules>
<rule type="detector" name="SSH Authentication failure (10 times)"
AlienVault Web site download page at http://www.alienvault.com/free-downloads-services. The most recent version (February 2014) is 4.3.4, only for 64-bit architectures. You can choose the Automatic or Custom installation. The automatic installation is fairly simple, in graphical mode by default, and it installs all components of OSSIM on the same machine. The custom installation allows you to select the mode (graphical or textual) and which components to install. The custom installation is a little more complex because it has more configuration options. For instructions on how to install OSSIM, refer to the Installation Guide: https://alienvault.bloomfire.com/posts/525575-installation-guide/public.

The minimum hardware requirements are:

- 64-bit processor or virtualization software with support for 64-bit operating systems (at least a quad-core processor is recommended).

- 4GB of RAM.

- 500GB of free disk space.

- Network adapter with support for the Intel e1000 Ethernet driver.

Of course, the hardware requirements will be directly proportional to the size of the network (number of hosts and network devices connected) and consequently to the amount of logs produced and recorded.

Configuration and Management

You can perform the system configuration and administration through the console, a Linux shell or through a more convenient and intuitive Web interface.

Configuration through the Console: To configure the system through the console, you need to log in as root with the password you set during the installation process. The directory that contains the system’s configuration files is /etc/ossim. The main configuration file is /etc/ossim/ossim_setup.conf, which contains the system’s main settings, such as IP addresses and ports of the hosts on which components are installed, the active plugins and the password used by the root user of MySQL, randomly generated by the system during the installation procedure. For example, if you want to
Figure 10. This section manages the system logic: definition and management of
policies, directives and actions.
Resources
OSSIM Installation Guide: https://alienvault.bloomfire.com/posts/525575-installation-guide/public
Berkeley Packet Filters with Scapy (and Friends)

Get to know the language and tools that can take your network filtering rules to a whole new level.

VALENTINE SINITSYN
idea to allow these forged packets out from the local host, especially if you are on the office network. So the first step will be to create a virtual Ethernet interface.

Linux already has a concept of “dummy” network interfaces, and the kernel module named dummy implements them. Load it, and

# modprobe dummy
# ip link set up dev dummy0
# ip addr add 192.168.2.1/24 dev dummy0

Next, you’ll need something to craft the packets and capture them subject to BPF filters. An obvious choice here is Scapy (http://www.secdev.org/projects/scapy), a Python toolkit for packet manipulation. Install it with your package manager or from the sources. Raw packet generation and live traffic capture are considered privileged operations in Linux, so you’ll need to run Scapy as root (for example, with sudo).

Scapy provides an interactive shell (which is naturally Python-based). You create different protocol layers

you really want to. The attributes of these classes correspond to protocol fields (addresses, ports, flags and so on). You can use raw numbers (say, 20) or symbolic names (ftp_data) for attribute values. To assemble the packet, use the / Python operator:

>>> Ether(src='08:60:6e:da:31:ae', dst='42:7f:79:88:de:3d') /

Protocol fields usually have sensible default values (you can check them with ls(IP) or similar), so you need to specify only those you want to override. To disassemble the packet and get a specific protocol layer, use the [] operator:

>>> _[IP]
<IP src=192.168.1.5 dst=192.168.2.1 |>

A special _ variable contains the last expression’s value. Scapy makes it easy to generate a series of packets that follow a specific pattern:

>>> packets = Ether(src='08:60:6e:da:31:ae',
Many network protocol fields also accept bit flags. Scapy allows single

>>> TCP().flags= 'S' # TCP SYN packet

Available mnemonics are in the field’s “names” attribute:

>>> TCP.flags.names
'FSRPAUEC'

well, and the explicit precedence can

>>> _.summary()

Unless you are very lucky, sniff() will hang until you press Ctrl-C.

>>> ntp[0][NTP]
<NTP leap=nowarning version=4L mode=client stratum=2L poll=10L precision=233L delay=0.0422210693359 dispersion=0.0782623291016 id=194.190.168.1 ref=Tue, 15 Apr 2014 10:00:26 +0000 orig=Tue, 15 Apr 2014 10:15:20 +0000 recv=Tue, 15 Apr 2014 10:15:20 +0000 sent=Tue, 15 Apr 2014 10:33:04 +0000 |>

In fact, it works so well, you even can drop the udp proto 123 part

Ether / IP / UDP 192.168.1.5:domain > 192.168.2.1:epmap
Ether / IP / UDP 192.168.1.5:domain > 192.168.2.1:netbios_ns

If you omit the iface=, Scapy will listen on all network interfaces. You also can add the count= argument to capture only as many packets as specified; otherwise, you should stop the capture manually with Ctrl-C. Without the filter=, sniff() captures all packets. Internally, Scapy uses libpcap to compile the filter (either directly or via the

    IP(src=RandIP(), dst=RandIP()) / ICMP(), iface='dummy0')
Ether / IP / TCP 127.0.0.1:57485 > 127.0.0.1:mysql S
Ether / IP / TCP 127.0.0.1:mysql > 127.0.0.1:57485 RA

This generates five 802.1Q Ethernet frames with arbitrary MAC addresses and VLAN tags in range 1–5 (note the syntax). Let’s not worry about the payload now, so instead of IPv4 (or any other network-level) packet, let’s just put raw bytes that form a 'Nothing to see here' string inside the frame.
Figure 2. Capture, craft, dissect and do other funky things with network packets in Scapy.
permits. If this happens to you too, force Scapy to use libpcap as an engine. First,

    type=n_802_1Q |<Dot1Q prio=0L id=0L vlan=1L type=0x0 |<Padding load='Nothing to see here' |>>>
Figure 3. BPF and LSF are not the same; however, you still can use BSD-originated man pages.
as struct sock_fprog that has

    RAW 'tcp dst port telnet')" -j DROP

    &bpf, sizeof(bpf));
Figure 1. Example Playbook That Will Upgrade Apache to the Latest Version
Figure 2. Example of ad hoc Command Showing Uptime Output for All Targets
added to Ansible version 1.5 that will enable the encrypting of various data within the configuration. The new tool will be called ansible-vault. It will be implemented by using the new --ask-vault-pass option.
Figure 3. In this example, Ansible pings the target hosts using the ping module.
(by me) for the Red Hat Enterprise Linux 5 (RHEL 5) Draft STIG, CIS Benchmarks, NISPOM, PCI”, but I have found RHEL6 bash scripts there as well. I combined these bash scripts to construct a very basic Ansible playbook to simplify security hardening of RHEL6 systems. I accomplished this by using the included Ansible module called script. According to the Ansible documentation, “The script module takes the script name followed by a list of space-delimited arguments. The local script at path will be transferred to the remote node and then executed. The given script will be processed through the shell environment on the remote node. This module does not require Python on the remote system, much like the raw module.”

Ansible modules are tiny bits of code used for specific purposes by the API to carry out tasks. The documentation states, “Ansible modules are reusable units of magic that can be used by the Ansible API, or by the ansible or ansible-playbook programs.” I view them as being very much like functions or subroutines. Ansible ships with many modules ready for use. Administrators also can write modules to fit specific needs using any programming language. Many of the Ansible modules are idempotent, which means they will not make a change to your system if a change does not need to be made. In other words, it is safe to run these modules repeatedly without worrying they will break things. For instance, running a playbook that sets permissions on a certain file will, by default, update the permissions on that file only if its permissions differ from those specified in the playbook.

For my needs, the script module works perfectly. Each Aqueduct bash script corresponds to a hardening recommendation given in the STIG. The scripts are named according to the numbered sections of the STIG document.

In my test environment, I have a small high-performance compute cluster consisting of one management node and ten compute nodes. For this test, the SSH server dæmon is configured for public-key authentication for the root user. To install Ansible on RHEL6, the EPEL repository must first be installed. Download the EPEL RPM from the EPEL site (see Resources). Then, install it on your management node:

# rpm -ivh epel-release-6-8.noarch.rpm

Now, you are ready to install Ansible:

# yum install ansible
the IP address of each node (the host name also can be given if your DNS is set up properly). With this tiny bit of configuration, Ansible is now functional. To test it, use Ansible in ad hoc mode and execute the following command on your management node:

# ansible all -m ping

If this results in a “success” message from each host, all is well.

The Aqueduct scripts must be downloaded using Git. If you do not have this on your management node, then:

# yum install git

Git “is a distributed revision control and source code management (SCM) system with an emphasis on speed” (Wikipedia). The command-line for acquiring the Aqueduct package of scripts and manifests goes like this:

# git clone git://git.fedorahosted.org/git/aqueduct.git

This will create a directory under the current directory called aqueduct. The bash scripts for RHEL6 are located in aqueduct/compliance/bash/stig/rhel-6/prod. Now, copy all scripts therein to /etc/ansible/prod. There are some other aspects of the STIG that will need to be checked by either running the scripts manually or reading the script and performing the required actions. These scripts are located in aqueduct/compliance/bash/stig/rhel-6/manual-check. Copy these scripts to /etc/ansible/manual-check.

Now that the scripts are in place, a playbook must be written to deploy them on all target hosts. Copy the playbook to /etc/ansible/plays. Make sure all scripts are executable. Figure 5 shows the contents of my simple playbook called aqueduct.yml.

On a few of the STIG scripts, a few edits were needed to get them to execute correctly. Admittedly, a more eloquent solution would be to replace the STIG scripts by translating them into customized Ansible modules. For now, however, I am taking the easier route by calling the STIG scripts as described from my custom Ansible playbook. The script module makes this possible. Next, simply execute the playbook on the management node with the command:

# ansible-playbook aqueduct.yml

This operation takes about five minutes to run on my ten nodes, with the understanding that the plays run in parallel on the target hosts. Ansible produces detailed output that shows the progress of each play and host. When Ansible finishes running the plays, all of the target machines should be identically hardened, and a summary is displayed. In this case, everything ran successfully.

For system security hardening, the combination of Ansible and Aqueduct is a powerfully productive force in keeping systems safe from intruders. If you’ve ever worked as a system administrator, you know how much time a tool like this can save. The more I learn about Ansible, the more useful it becomes. I am constantly thinking of new ways to implement it. As my system administration duties drift more toward using virtual technologies, I plan on using Ansible to provision and manage my virtual configurations quickly. I am also looking for more avenues to explore in the way of managing high-performance computing systems, since this is my primary duty. Michael DeHaan has developed another tool called Cobbler, which is excellent for taking advantage of Red Hat’s installation method, Kickstart, to build systems quickly. Together, Cobbler and Ansible create an impressive arsenal for system management.

As system administrators, we are living in exciting times. Creative developers are inventing an amazing array of tools that, not only make our jobs easier, but also more fun. I can only imagine what the future may hold. One thing is certain: we will be responsible for more and more systems. This is due to the automation wizardry of technologies like Ansible that enable a single administrator to manage hundreds or even thousands of servers. These tools will only improve, as they have continued to do. As security continues to become more and more crucial, their importance will only increase.

Mark Dotson has been a system administrator for 15 years. He has worked in storage and high-performance computing. His hobbies include writing and reading philosophy. He is currently employed by Lockheed-Martin Corporation.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
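The playbook the article deploys (Figure 5, not reproduced on this page) is a list of script-module tasks, one per Aqueduct STIG script. This added example, which is not the author's aqueduct.yml, generates that playbook from the script directory so it never has to be retyped when scripts are added or removed; it assumes the scripts live in the directory passed in (the article uses /etc/ansible/prod), that the nodes accept root over SSH as in the test cluster, and the function names are this example's own.

```bash
#!/bin/bash
# Added example: build an Ansible playbook that runs every executable STIG
# script in a directory through the script module, in sorted (STIG section)
# order. Not the author's playbook. Non-executable files are reported and
# skipped, matching the article's "make sure all scripts are executable".
set -u

# gen_playbook SCRIPT_DIR [HOSTS]: print the playbook to stdout.
# Fails (returns 1) when no executable script is found, so an empty
# playbook is never written by mistake.
gen_playbook() {
    local dir="$1" hosts="${2:-all}" script name count=0
    [ -d "$dir" ] || { echo "gen_playbook: $dir is not a directory" >&2; return 1; }
    printf -- '---\n- hosts: %s\n  remote_user: root\n  tasks:\n' "$hosts"
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        if [ ! -x "$script" ]; then
            echo "gen_playbook: skipping non-executable $script" >&2
            continue
        fi
        name="${script##*/}"
        # one script-module task per STIG script; the local path is copied
        # to each target and executed there, as the module documentation says
        printf '    - name: STIG %s\n      script: %s\n' "$name" "$script"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# count_tasks PLAYBOOK_FILE: number of script tasks in a generated playbook,
# handy as a sanity check against the number of scripts you expected.
count_tasks() {
    grep -c '^      script: ' "$1"
}
```

Typical use is gen_playbook /etc/ansible/prod > /etc/ansible/plays/aqueduct.yml, then the ansible-playbook run shown above.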
Resources
Ansible’s Architecture: Beyond Configuration Management: http://blog.ansibleworks.com/2013/11/29/ansibles-architecture-beyond-configuration-management
of Mobile, Linux Is Zion

In mobile we are losing the free world called the Web and the Net. How do we save it?

Already most of us spend more time on mobile devices than we do on desktops and laptops, put together. We also can do a lot more stuff, in a lot more places, on mobile devices than on computers. There were more than a million iOS apps on the shelves of Apple’s store in October 2013 (http://techcrunch.com/2013/06/10/apples-app-store-hits-50-billion-downloads-paid-out-10-billion-to-developers), and I’m guessing there are at least that many Android apps on Google’s shelves by now. Meanwhile, app development on computers is slacking off—so is Web development, except as required to accessorize mobile apps. And on mobile devices, use of the Web is fading as well. According to Flurry Analytics (http://blog.flurry.com/bid/109749/Apps-Solidify-Leadership-Six-Years-into-the-Mobile-Revolution), the Web’s share of mobile use dropped from 20% in 2013 to 14% in 2014. In “The Decline of the Mobile Web” (http://cdixon.org/2014/04/07/the-decline-of-the-mobile-web), Chris Dixon writes:

This is a worrisome trend for the web. Mobile is the future. What wins mobile, wins the Internet. Right now, apps are winning and the web is losing.

Moreover, there are signs that it will only get worse. Ask any web company and they will tell you that they value app users
more than web users. This is why you see so many popups and banners on mobile websites that try to get you to download apps. It is also why so many mobile websites are broken. Resources are going to app development over web development. As the mobile web UX further deteriorates, the momentum toward apps will only increase.

The likely end state is the web becomes a niche product used for things like 1) trying a service before you download the app, 2) consuming long tail content (e.g., link to a niche blog from Twitter or Facebook feed).

He sees an end state that “will probably be like cable TV—a few dominant channels/apps that sit on users’ home screens and everything else relegated to lower tiers or irrelevance”. Those millions of apps are a forest of silos, growing on land that is privately owned or controlled by Apple, Google and Microsoft. Out on the streets, plains and hills of the civilized world, network connections are also provided by mobile phone companies, whose own silos are walled by usage limits and by tariffs at national borders.

Underneath it all, the Internet is getting harder and harder to see, understand and appreciate. Already mobile operators in India are offering free or cheaper plans just for Facebook, Whatsapp and Twitter (http://www.medianama.com/2013/01/223-airtel-vodafone-idea-data-internet-rates-increase). To those operators, network neutrality means nothing. In fact, it never did, to any of the big operators. When he was Chief Scientist at BT, JP Rangaswami (http://confusedofcalcutta.com) said the core competence of phone companies is billing, not communications.

“Winning the Internet” should be absurd on its face, like “winning” sunlight or weather. But it isn’t in mobile, which already has turned into a giant Truman Show (http://en.wikipedia.org/wiki/The_Truman_Show). Inside that show, small app developers become suburbs of large ones—for example, by requiring logins through Facebook or Twitter, rather than using an identity
For example, right now at the top of the stream of tweets I see on Twitter is a “promoted” link—an ad—from Sprinklr. The tweet says, “FREE eBook: Without Infrastructure, You Can’t Be Social”. The link goes to a page about “The Rise of Social Experience Management”, explained