Domain: puschitz.com
Stories and comments across the archive that link to puschitz.com.
Comments · 18
-
U didn't answer a question (ANDROID sec. guides)
No OS is as secure as possible out-of-the-box oem stock. Even Apple has guides for further security hardening -> http://www.apple.com/support/security/guides/ , as does Linux also -> http://www.puschitz.com/SecuringLinux.shtml
* That "all said & aside"? See my subject-line & my last post... you didn't answer the question on IF there are guides for securing ANDROID better than oem stock?
APK
P.S.=> I'll be waiting on that answer... lol!
... apk
-
Same methods exist 4 Linux &/or MacOS X
Other Operating Systems have, in principle, the same general features & guides for them also that implement "layered security" methods as well, as seen here:
---
Apple's MacOS X Security Guide:
http://www.apple.com/support/security/guides/
---
&
---
Securing Linux:
http://www.puschitz.com/SecuringLinux.shtml
(Linux in particular has a WEALTH of information here in fact in the topic of securing it far, Far, FAR BETTER than the "default" shipping setup, & the above link is only a tiny sampling thereof too, mind you!)
AND?
Linux distros (many to most), also have SeLinux!
(Which the NSA themselves "bolted onto" std. Linux making it possible to have MAC (analog to Windows NT-based OS ACL's &/or an analog to Windows NT-based OS "Group Policies" (gpedit.msc) + "Security Policies" (secpol.msc)).
---
* So yes, OS' can be SECURED, & far better than they ship to "end users" by default... but, YOU have to take the time to do it yourself largely is all!
(There are tools that help, for Linux &/or Windows, there exists the CIS Tool which is multiplatform & does help guide "the novice" somewhat, & makes it almost "fun-to-do", like running a benchmark of system speed, albeit in CIS Tools' case, for security (based on security std.s/"best-practices", for the OS @ hand tested))
APK
P.S.=> However, THE MAIN PROBLEMS TODAY IMO? End users themselves being ignorant or uncaring about it, allowing for "spreading the disease" for one thing (ignorance IS excusable though, they're NOT "expert" @ computing etc. - but not helping them out on the part of those who ARE in fact, "expert", is imo, inexcusable by the same token)
AND, of course/as well:
The malware makers/hacker-crackers out online, in general, also... but - these types @ least do "1 good thing" imo @ least & that's POINTING OUT WHAT NEEDS TO BE FIXED!
So, "all that said & aside":
MS is doing the right thing, so are folks like GOOGLE on this account as another example thereof as well, & so far folks like Norton DNS, OpenDNS, & ScrubIT DNS also (they employ filtering DNS servers that are FREE TO USE, vs. malware, phishing, bogus DNS servers, botnet C&C Servers, known maliciously scripted sites, or sites KNOWN to serve up malware too!).
So, security's (especially "layered security", the best thing we as end users currently have going in fact in our favor) IS DOABLE, but you have to know what to look for, sometimes a guide too (because it's a WEE bit complex, but not really as opposed to harder things in the art & science of computing such as programming imo)
... apk
-
Re:need special hardware?
One here and another here. Both are for older versions (3&4) of RHEL but the same principles apply.
As someone who works with Oracle RAC and RHEL regularly, I'd recommend skipping the shared physical disk completely and using NFS instead. You could (and we do in testing) run the NFS server virtualised as well.
-
Re:Well
The linked PDF contains pre-CFS kernel benchmarks.
Prior to 2.6.23, the 2.6 kernel used the Completely Fair Queuing (CFQ) scheduler, which was also bad for database workloads. Please see this note by Werner Puschitz:The Completely Fair Queuing (CFQ) scheduler is the default algorithm in RHEL4 which is suitable for a wide variety of applications and provides a good compromise between throughput and latency. In comparison to the CFQ algorithm, the Deadline scheduler caps maximum latency per request and maintains a good disk throughput which is best for disk-intensive database applications. Hence, the Deadline scheduler is recommended for database systems.
Also note that RHEL4 (RedHat Enterprise Linux 4) uses kernel 2.6.9, which was pre 2.6.23 and CFS. -
Re:WellTo be honest, when using Linux for database applications, you shouldn't use the Completely Fair Scheduler. I build and tune Oracle database servers for a living, and I've researched this very thoroughly. Take it from the master himself, Mr. Werner Puschitz:
The Completely Fair Queuing (CFQ) scheduler is the default algorithm in RHEL4 which is suitable for a wide variety of applications and provides a good compromise between throughput and latency. In comparison to the CFQ algorithm, the Deadline scheduler caps maximum latency per request and maintains a good disk throughput which is best for disk-intensive database applications. Hence, the Deadline scheduler is recommended for database systems.
Granted, this is for Oracle database, which may be different than Postgres or MySQL, but I'd be willing to bet that database workloads are very similar between Oracle and the other databases.
Also, this is a common tactic of people producing benchmarks when they want to make one system or OS look better: Tune the one they want to win so that it is optimally configured for the benchmark, and leave the one they want to lose at the default setting, or worse, just tune it so that it's performance suffers. In this case, leaving Linux at the default setting of CFQ scheduling is not good for database applications. -
Re:Definitely has uses but..
I've done numerous Oracle installs on both RHEL and SLES, both clustered (RAC) and non-clustered. Storage has spanned the whole gamut of h/w and s/w options (SAN/NAS/LOCAL/iSCSI/RAW/OCFS/ASM). The Oracle installation docs are hundreds of pages long. There are lots of things to watch out for, and some rather crazy package dependencies. True, you can gloss over some of this stuff, and then YMMV. Installations of Oracle on Solaris (x86 or Sparc) are just as complex, perhaps even more so on Solaris 10, given the change in kernel parameters. Some people have turned installation of Oracle on different flavors of Linux into an art form. So IMO it would definitely make sense for Oracle to develop their own Linux distro and develop a simplified installation method for that distro.
-
Re:Sorry, but this is true
Did you point your DBA to this guy's site ? Sorry. But that's number two on Google, and it made my countless oracle 9 and 10 installs a breeze on any system that I've decided to throw it on - Gentoo, Fedora, RedHat AS etc. If you couldn't find that or work with it, I feel for you. Otherwise, maybe it's time to look at other factors; hardware setup etc. Not necessarily Linux's fault.
-
As someone who makes these decisions ...
I'd say they're right, but also this article is a tad late to the party. This has been going on for at LEAST 5 years, since 8.0 was first released for, I believe, Redhat 7. Consequently, this is not some huge rush for Redhat, and I actually have found tighter distros to run 10g better (I like gentoo, but it's a pain in the ass to get tuned right for this particular task). Anyway, what I found interesting is that our linux oracle systems absolutely STOMPED the 8 way v880/16GB Solaris boxes in archive testing involving 4+TB databases (this to us was a real shock btw... I'm currently buying v40z class servers from Sun that are 4x dual core opteron boxes for like a 10th of the price of a true solaris (Sparc) platform. Thus I would say IBM's problem is Sun's problem in this case as far as selling big iron anymore).
I think Oracle is winning because Oracle is honest to god better than their competition. I was (am?) a DBA for 10 years on Sybase (AIX), SQL Server 6x 7x 2kx, Informix 8x 9x, and Oracle 8x 9x 10x at various times, and though I've moved on to a database architecture role with the company I'm with, I'm still making the call on systems purchases. We use mostly SQL Server 2005, for cost, in the smaller 4-6TB systems and they run great, but I wouldn't even consider DB2 for any production role anymore with Oracle out there making it happen in so many better ways.
I'm not a fanboy of Ellison, I'm just realistic about who's driving the market today.
--chitlenz
PS - Oh yeah, as mentioned we're running Sun 40z's with Windows Server 2003 and SQL Server 2005 on Netapp arrays AND it is VERY MUCH worth noting that the lower end Sun/Opteron line not only runs windows, but runs windows VERY well (driver support for their servers is very very good, which was like ... well weird... 'Sun support? Can I get a download link to your windows drivers?'). Try it and be shocked ....just a tip.
--chitlenz
PPS - for anyone who is curious about this topic in any real way, use an isntall guide other than Oracle's, since it's usually wrong for awhile ... use something like http://www.puschitz.com/InstallingOracle10g.shtml
instead. -
Re:Oracle Installer Sucks
Installing Oracle on Linux is a non trivial process, but it is well documented by both Oracle and Werner Puschitz. I would recommend installing Oracle 10G-R2 rather than 9i on either CentOS 4.3 or RedHat AS4.
-
Securing Linux Production Systems
This article is also good. Deals with PAM a lot.
http://www.puschitz.com/SecuringLinux.shtml -
The Difference, in my eyes
I work in a world where I am responsible for about 100 servers, most of which run Windows 2000/2003, but a handful of which run CentOS 4 (RHEL4).
I have to say that either operating system is secure in the hands of a knowledgeable administrator. The key difference is simply that Linux can be made more secure by someone with ample experience, whereas Windows can be made moderately secure much more easily.
Let me explain. In the Linux world, because everything is open source, a very knowledgeable person can strip away `features` from the operating system, leaving fewer areas which could possibility contain security holes. In doesn't matter whether the NFS server has a security hole, if the NFS server isn't running, or even installed. To be more specific, a very knowledgeable person could even recompile their kernel, etc, such that the only things that will run on the box is that which is intended. A box configured for single use is easy to secure because then there are only a handful of areas which can be exploited. Because of this limited number, there are then only a handful of lists/newsgroups that need to be monitored for security updates.
Windows on the other hand posseses the advantage that Microsoft stands behind their product, and says apply these patches, and your secure. Therefore, to make a `relatively` secure machine is very easy. Just run auto-update regularly, and your secure. On the other hand, taking security to the next level. The level described above is almost imposible. You can't eliminate features from the Windows kernel by recompiling. Nor is it easy to pick and choose which DLL's get installed with the operating system. The result is a bigger window of opertunity for an exploit to be discovered which can then be used on your system. Now it is still possible to disable services, etc, but that is a more difficult task in Windows because of the interconnectivity. In the Linux world, because most components are developed by different people, they have few dependancies. This isn't true in the Windows world, and that makes it more difficult to lock down.
My point is that if there are three security levels, secure, very secure, and air tight. It is easier to get to the first level with Windows, but easier to get past the first level, to the second level and third levels with Linux. Granted large corporations can afford to modify Windows to get the other levels of security, but its more difficult because Windows is such a closed environment.
I've rambled enough. A good article on locking down a Linux box can be found here :
http://www.puschitz.com/SecuringLinux.shtml -
Re:CentOS
I completely agree on the Oracle aspect. Im in charge of a R&D lab for developers that generally work in Oracle 9i & 10g (DB & app server)on AIX in production. They all prefer Oracle on linux, becuse it seems to work so much better. Installing on AIX can really suck if it doesnt work right the first time too.
I came to CentOS the last time I built a WBEL3.1 box for a quick Oracle test. When I went to get it up to date, it seemed like it hadnt been updated in a while and was taking forever to pull the packages. I found that a lot of the people that were working on it had moved over to CentOS.
You can install Oracle on about any linux you want, but they work very closely with RedHat (SuSE too) to make RHEL work exactly how they need it for Oracle, and CentOS brings all that with it.
Yes, buy the RH support for production, but for dev/test/stress, CentOS works great.
this guy has great how-to's for installing:
http://www.puschitz.com/OracleOnLinux.shtml -
Re:Gentoo and Debian the only serious contenders
Oracle only runs on RedHat and maybe SuSE
Oracle runs great on Debian. I have two Oracle 9 production boxes running Debian Sarge and a third machine with Debian and Oracle 10 for some development and testing work. In addition to that I have lots of Debian (and RedHat) boxes that have the Oracle client software installed. We use Oracle for some internal company web sites and several bioinformatics databases because it's the "approved company standard" so we're not dealing with large scale installation stuff like clusters. That being said everything that we use it for works great including Intermedia which in the past has always been problematic, no matter what platform Oracle is on.There's a lot of resources online for installing Oracle on Debian and the notes on Oracle for Redhat are useful for Debian admins too.
-
Re:How does it compare to Oracle?
so pickup a cygwin CD and run the xserver on your win32 laptop. I've installed 9.2 and 10.1 on RHEL 3.0 ES via the Cygwin Xserver on the WinXP boot on me ole laptop. Its covered at sites like: http://www.puschitz.com/
-
Firewall?Funny how Werner added the following after reading our comments here:
I will not cover iptables in this paper. The reason is because most companies use hardware based firewalls to protect the servers in their production network. And this is usually being taken care of by another team and not by Linux systems administrators. If you are interested in a Linux Stateful Firewall using iptables, you might want to check out my instructions at Linux Stateful Firewall & IP Masquerading.
Werner made somewhat incorrect assumptions in that little paragraph.
iptables is an extra security measure I highly recommend - even on networks with hardware firewalls.
It is unwise to lock the security screen door but leave the front door unlocked when you are not home.
It's also intersting to note the following at the bottom of the page:
Copyright © Notice
This article may not be published, sold, reproduced or copied in whole or in part without obtaining permission first. But you are welcome to put links from your site to the article.If Werner is going to claim copyright, he should state his sources - there is very little chance that he wrote every word. --Mike
-
Some kind of cluster
According to the artcle, they built a cluster using Oracle Real Application Cluster, (I guess Beowulf is just for toy apps
:P) which allowed them to spread the core DB over multiple machines (!). -
Re:That's great news
I'm not a DBA, and I've installed both the DB and the app server (which is a real pain in the ass to install) many times, and I've found that USUALLY if you follow the pre-instalation (on the same CD) it tends to work 9.5 out of 10 times.
Well, 7 out of 10 for the App server, but those docs are getting better lately too :)
Btw, I digged some notes for those bored that wants to install on nonsupported platforms:
Installing Oracle 9i on RedHat Linux 7.1, 7.2, 7.3, 8.0, 9, Red Hat Advanced Server 2.1, and on Red Hat Enterprise Linux Advanced Server 3 (RHEL AS 3). Fedora core is around there too. -
Good Oracle/Linux Website
I had some problems installing Oracle on Linux until I found following website which shows you how to do it step by step for database and RAC:
http://www.puschitz.com/OracleOnLinux.shtml"