<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="http://passwd.org">
<channel>
 <title>passwd.org</title>
 <link>http://passwd.org</link>
 <description />
 <language>en</language>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/rjbrown99" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="rjbrown99" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
 <title>mod_fastcgi SRPM for Fedora, CentOS, RHEL</title>
 <link>http://passwd.org/2012/02/modfastcgi-srpm-fedora-centos-rhel</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;This is an SRPM package of Apache's &lt;a href="http://www.fastcgi.com/drupal/node/3" target="_blank"&gt;mod_fastcgi&lt;/a&gt; module. It was built for Fedora 15 but should work equally well with later Fedora releases, CentOS and Red Hat Enterprise Linux. &lt;/p&gt;
&lt;p&gt;Although the base mod_fastcgi license is open source, it is not compatible with the GPL/BSD/MIT so it is not directly distributed with most Linux distributions. In my case, it was created to follow a personal policy requiring all production software to be packaged and rolled out via RPM.&lt;/p&gt;
&lt;p&gt;I am including both the SRPM and RPM files. I strongly suggest that you rebuild the RPM for your system using the software downloaded from the mod_fastcgi folks. I am not PGP signing my packages and it's bad practice to trust compiled software downloaded from untrusted sources.&lt;/p&gt;
&lt;p&gt;&lt;!--break--&gt;&lt;/p&gt;
&lt;p&gt;Here is what I am suggesting in more specific terms:&lt;/p&gt;
&lt;p&gt;wget &lt;a href="http://passwd.org/sites/default/files/mod_fastcgi-2.4.6-1.src_.rpm"&gt;http://passwd.org/sites/default/files/mod_fastcgi-2.4.6-1.src_.rpm&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;rpm -Uvh mod_fastcgi-2.4.6-1.src_.rpm&lt;/p&gt;
&lt;p&gt;cd rpmbuild/SOURCES&lt;/p&gt;
&lt;p&gt;rm mod_fastcgi-2.4.6.tar.gz&lt;/p&gt;
&lt;p&gt;wget &lt;a href="http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz"&gt;http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;cd ../SPECS&lt;/p&gt;
&lt;p&gt;rpmbuild -ba mod_fastcgi.spec&lt;/p&gt;
&lt;p&gt;That should leave you with a built-from-scratch RPM in your rpmbuild/RPMS directory. You can then install that package and follow the documentation on the &lt;a href="http://www.fastcgi.com/drupal/node/25"&gt;mod_fastcgi website&lt;/a&gt;. Bonus tip: if you have most of your Apache modules off by default (and you should), in most cases you will also have to re-enable mod_actions to configure fastcgi to support the "Action" configuration directive.&lt;br /&gt; &lt;/p&gt;
&lt;p&gt;I do not have plans to create a public yum repository of packages. If you want them, this is the only place to find them.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-file field-type-file field-label-above"&gt;&lt;div class="field-label"&gt;File:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/mod_fastcgi-2.4.6-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/mod_fastcgi-2.4.6-1.x86_64.rpm" type="application/x-redhat-package-manager; length=66862"&gt;mod_fastcgi-2.4.6-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/mod_fastcgi-2.4.6-1.src_.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/mod_fastcgi-2.4.6-1.src_.rpm" type="application/x-redhat-package-manager; length=103606"&gt;mod_fastcgi-2.4.6-1.src_.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/fedora" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;fedora&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/srpm" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;srpm&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/spec" typeof="skos:Concept" property="rdfs:label 
skos:prefLabel"&gt;spec&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/modfastcgi" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;mod_fastcgi&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/apache" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;apache&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/httpd" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;httpd&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span property="schema:name" content="mod_fastcgi SRPM for Fedora, CentOS, RHEL" class="rdf-meta"&gt;&lt;/span&gt;&lt;span rel="schema:url" resource="/2012/02/modfastcgi-srpm-fedora-centos-rhel" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Wed, 22 Feb 2012 23:15:56 +0000</pubDate>
 <dc:creator>admin</dc:creator>
 <guid isPermaLink="false">86 at http://passwd.org</guid>
 <comments>http://passwd.org/2012/02/modfastcgi-srpm-fedora-centos-rhel#comments</comments>
</item>
<item>
 <title>Presentation: NewRelic RPM and Drupal</title>
 <link>http://passwd.org/2012/02/presentation-newrelic-rpm-and-drupal</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;I was invited to give a talk on the &lt;a href="http://www.newrelic.com"&gt;NewRelic&lt;/a&gt; application monitoring platform by the Los Angeles &lt;a href="http://groups.drupal.org/node/203753"&gt;High Performance Drupal&lt;/a&gt; group on Feb 7th. The general idea was to describe how NewRelic can provide targeted debug and performance details on a running Drupal site. The video is linked below, and I followed it up with additional details both in the linked thread on the Drupal groups site and below.&lt;/p&gt;
&lt;p style="text-align: center; "&gt;
&lt;iframe align="middle" frameborder="0" height="443" name="The Magic of NewRelic" scrolling="no" src="http://blip.tv/play/g_gvgurnXQI.html?p=1" width="550" id="The Magic of NewRelic"&gt;&lt;/iframe&gt;&lt;/p&gt;&lt;p&gt;&lt;embed src="http://a.blip.tv/api.swf#g_gvgurnXQI" style="display:none" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/p&gt;
&lt;p&gt;&lt;!--break--&gt;&lt;/p&gt;
&lt;p&gt;&lt;b style="color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; line-height: 17px; "&gt;1) How does the NewRelic PHP extension communicate?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;A system daemon called newrelic-daemon is installed. This daemon, which is started as root on my system from the standard system startup scripts, reads /etc/newrelic/newrelic.cfg. The config file specifies the license key, the collector host, whether the traffic sent to NewRelic should be SSL encrypted (default: no), and an optional location for the socket. By default, when the newrelic-daemon is started it creates a socket at /tmp/.newrelic.sock. The purpose of this daemon and socket is to receive information from the PHP extension and forward it along to the NewRelic servers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;The NewRelic extension is loaded into the PHP interpreter in the same manner as your other extensions (apc, curl, pdo, mysqli, etc.). The newrelic.ini file that controls the loading of the extension and its configuration options supports a setting "newrelic.daemon" which specifies the socket location (again, by default it looks in /tmp/.newrelic.sock). So that's the answer as to how it all fits together: the daemon starts and creates a socket, the PHP extension sends information to the socket, and the daemon picks it up and sends it via port 80 back to the NewRelic collector server.&lt;/p&gt;
&lt;p style="margin-top: 0.5em; margin-bottom: 1em; margin-right: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; line-height: 17px; "&gt;&lt;b&gt;2) Why can't I easily configure NewRelic for multiple sites when using Nginx with PHP+FCGI?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;There is a configuration page detailing how this should work &lt;a href="http://newrelic.com/docs/php/multiple-accounts"&gt;here&lt;/a&gt;. After following the instructions, I had properly configured daemons, with one NewRelic socket per site (/tmp/.newrelic_site1.sock and so forth). So far so good.&lt;/p&gt;
&lt;p&gt;Next I moved on to the per-directory INI settings documentation page &lt;a href="http://newrelic.com/docs/php/per-directory-settings"&gt;here&lt;/a&gt;. Using nginx, I changed the fastcgi_param PHP_VALUE "newrelic.appname=My Blog" and that worked fine. However, when I went in to have a look at phpinfo(), I saw this:&lt;/p&gt;
&lt;div class="codeblock" style="clear: left; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(127, 152, 167); border-right-color: rgb(127, 152, 167); border-bottom-color: rgb(127, 152, 167); border-left-color: rgb(127, 152, 167); border-image: initial; line-height: 1.2em; color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; "&gt;&lt;code style="padding-top: 1px; padding-right: 1px; padding-bottom: 1px; padding-left: 1px; font-size: 0.9em; font-family: 'Bitstream Vera Sans Mono', Monaco, 'Lucida Console', monospace; background-color: transparent; "&gt;newrelic.daemon   /tmp/.newrelic.sock /tmp/.newrelic.sock&lt;/code&gt;&lt;/div&gt;
&lt;p&gt;&lt;span&gt;... and I saw failure messages in the log. I thought "gee that should be easy enough to fix, I'll just do this":&lt;/span&gt;&lt;/p&gt;
&lt;div class="codeblock" style="clear: left; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(127, 152, 167); border-right-color: rgb(127, 152, 167); border-bottom-color: rgb(127, 152, 167); border-left-color: rgb(127, 152, 167); border-image: initial; line-height: 1.2em; color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; "&gt;&lt;code style="padding-top: 1px; padding-right: 1px; padding-bottom: 1px; padding-left: 1px; font-size: 0.9em; font-family: 'Bitstream Vera Sans Mono', Monaco, 'Lucida Console', monospace; background-color: transparent; "&gt;fastcgi_param PHP_VALUE "newrelic.daemon=/tmp/.newrelic_site1.sock"&lt;/code&gt;&lt;/div&gt;
&lt;p&gt;&lt;br style="color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; line-height: 17px; " /&gt;&lt;span&gt;BZZT, nope. That doesn't work. I can restart Nginx and the php-cgi process but no soup for me. The setting does not change. Why? Because the php newrelic.daemon setting falls under the SYSTEM scope per &lt;/span&gt;&lt;a href="http://newrelic.com/docs/php/php-agent-phpini-settings"&gt;this documentation page&lt;/a&gt;&lt;span&gt;. And you can't override SYSTEM settings at runtime, only via the php ini file.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;I opened a ticket with NewRelic about this. My goal was to configure one daemon+socket per website, but I can't do a runtime configuration specifying where to point the socket (either in the nginx config file or via ini_set()).&lt;/p&gt;
&lt;p&gt;The other answer may be to use &lt;a href="http://newrelic.com/docs/php/per-directory-settings#perdir-nginx"&gt;per-directory settings&lt;/a&gt; for php-cgi, or run one php-cgi per site with different php.ini files. I mention this here because the online documentation was not clear about this and was somewhat misleading. It may have been updated by now after my ticket, but just changing newrelic.appname is not all that you might need to do.&lt;/p&gt;
&lt;p style="margin-top: 0.5em; margin-bottom: 1em; margin-right: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; line-height: 17px; "&gt;&lt;b&gt;3) How can I integrate Drupal with NewRelic?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;There is a NewRelic Drupal module that builds some additional integration with the service. One of the other things you can do with NewRelic is to mark a point in time when you deploy. So for example, let's say you update a module on your site. You can report that deployment to NewRelic and it will draw a line on all of your charts. This is very helpful when trying to determine the impact of a change you made to the site. The Drupal module allows you to very easily create and push a deployment note. You could do this with cURL and the command line but the module makes it quite easy. I recommend it if you are going to roll out NewRelic.&lt;/p&gt;
&lt;p&gt;&lt;b style="color: rgb(0, 49, 80); font-family: 'Bitstream Vera Sans', Verdana, Helvetica; font-size: 13px; line-height: 17px; "&gt;4) Where else can I learn about NewRelic?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Lewis Cirne, CEO of NewRelic, did an interview in December at the CloudBeat conference. &lt;a href="http://vimeo.com/33049321"&gt;Here's the video&lt;/a&gt;. It's worth watching if you are interested in learning about NewRelic from a non-technical viewpoint. He outlines quite a bit about their vision for building the company and their philosophy.&lt;/p&gt;
&lt;p&gt;Last but not least - if you have additional questions feel free to post a comment or send me a tweet. I'd be happy to reply with more details if I missed something.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span rel="schema:url" resource="/2012/02/presentation-newrelic-rpm-and-drupal" class="rdf-meta"&gt;&lt;/span&gt;&lt;span property="schema:name" content="Presentation: NewRelic RPM and Drupal" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Thu, 16 Feb 2012 23:29:51 +0000</pubDate>
 <dc:creator>admin</dc:creator>
 <guid isPermaLink="false">85 at http://passwd.org</guid>
 <comments>http://passwd.org/2012/02/presentation-newrelic-rpm-and-drupal#comments</comments>
</item>
<item>
 <title>Managing Eucalyptus</title>
 <link>http://passwd.org/2010/04/managing-eucalyptus</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;So far so good with Eucalyptus. I like the base system and can now move images back and forth between Amazon and my local Eucalyptus deployment. Works quite well - the only real limit is my bandwidth. That will resolve itself with FIOS in a few weeks.&lt;br /&gt;
 &lt;br /&gt;
The best interface for managing Eucalyptus that I have found is &lt;a href="http://code.google.com/p/hybridfox/" target="_blank"&gt;Hybridfox&lt;/a&gt;. It's a re-roll of Elasticfox that supports EC2 and Eucalyptus from the same plugin. Unfortunately &lt;a href="http://www.s3fox.net/"&gt;S3Fox&lt;/a&gt; doesn't seem to extend to Eucalyptus. The best I have managed so far for a Walrus (Eucalyptus S3) interface is an older re-rolled version of &lt;a href="http://open.eucalyptus.com/wiki/s3cmd" target="_blank"&gt;s3cmd&lt;/a&gt;. It's workable, but not even in the same ballpark as S3Fox for ease of use.&lt;br /&gt;
 &lt;br /&gt;
I also &lt;a href="http://open.eucalyptus.com/forum/image-portability-amazon-ami-eucalyptus-emi" target="_blank"&gt;chimed in on one of the Eucalyptus forums&lt;/a&gt; with a few details on migrating images back and forth between Amazon and EC2. They do need to be re-rolled with a different encryption key which may not be obvious.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/eucalyptus" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;eucalyptus&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/cloud" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;cloud&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/amazon" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;amazon&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span rel="schema:url" resource="/2010/04/managing-eucalyptus" class="rdf-meta"&gt;&lt;/span&gt;&lt;span property="schema:name" content="Managing Eucalyptus" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Thu, 22 Apr 2010 07:19:16 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">68 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/04/managing-eucalyptus#comments</comments>
</item>
<item>
 <title>Xen 3.4.3-2 for Fedora Core 12</title>
 <link>http://passwd.org/2010/04/xen-343-2-fedora-core-12</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;&lt;img alt="" src="http://cdn.passwd.org/sites/default/files/xen_logo_small.gif" style="margin-left: 10px; margin-right: 10px; float: right; width: 98px; height: 50px;" title="" /&gt;I was interested in running Fedora Core 12 amd64 as dom0. Since the default kernel has no dom0 support, I wanted to use &lt;a href="http://fedorapeople.org/~myoung/dom0/" target="_blank" title="Xen dom0"&gt;the myoung dom0 kernels&lt;/a&gt;. Unfortunately, they won't work with Xen 3.4.2 which is the latest included build in Fedora Core 12 and even Rawhide. I took the latest 3.4.3 build, rolled them into RPMs, and installed it. This works with the myoung kernels. Hopefully it will be of use to some of you. If there is interest, I'll stand up a yum repo for this. Chime in with a comment if you are in need of this. &lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-file field-type-file field-label-above"&gt;&lt;div class="field-label"&gt;File:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/xen-3.4.3-2.fc12.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/xen-3.4.3-2.fc12.x86_64.rpm" type="application/x-redhat-package-manager; length=918424"&gt;xen-3.4.3-2.fc12.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/xen-devel-3.4.3-2.fc12.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/xen-devel-3.4.3-2.fc12.x86_64.rpm" type="application/x-redhat-package-manager; length=237728"&gt;xen-devel-3.4.3-2.fc12.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/xen-doc-3.4.3-2.fc12.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/xen-doc-3.4.3-2.fc12.x86_64.rpm" type="application/x-redhat-package-manager; length=854228"&gt;xen-doc-3.4.3-2.fc12.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/xen-hypervisor-3.4.3-2.fc12.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" 
src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/xen-hypervisor-3.4.3-2.fc12.x86_64.rpm" type="application/x-redhat-package-manager; length=3138840"&gt;xen-hypervisor-3.4.3-2.fc12.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/xen-libs-3.4.3-2.fc12.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/xen-libs-3.4.3-2.fc12.x86_64.rpm" type="application/x-redhat-package-manager; length=169228"&gt;xen-libs-3.4.3-2.fc12.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/xen-runtime-3.4.3-2.fc12.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/xen-runtime-3.4.3-2.fc12.x86_64.rpm" type="application/x-redhat-package-manager; length=4315556"&gt;xen-runtime-3.4.3-2.fc12.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-image field-type-image field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:image" resource="http://cdn.passwd.org/sites/default/files/xen_logo_small.gif"&gt;&lt;img typeof="foaf:Image" src="http://cdn.passwd.org/sites/default/files/xen_logo_small.gif" width="800" height="357" alt="" /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div 
class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/xen" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;xen&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/virtualization" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;virtualization&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/cloud" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;cloud&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span property="schema:name" content="Xen 3.4.3-2 for Fedora Core 12" class="rdf-meta"&gt;&lt;/span&gt;&lt;span rel="schema:url" resource="/2010/04/xen-343-2-fedora-core-12" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Wed, 07 Apr 2010 06:57:11 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">58 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/04/xen-343-2-fedora-core-12#comments</comments>
</item>
<item>
 <title>Eucalyptus 1.6.2 for Fedora 12 x86_64</title>
 <link>http://passwd.org/2010/04/eucalyptus-162-fedora-12-x8664</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;&lt;img alt="" src="http://cdn.passwd.org/sites/default/files/297055875_03b0b1bfee_m.jpg" style="margin-left: 10px; margin-right: 10px; float: left; width: 120px; height: 168px;" /&gt;&lt;/p&gt;
&lt;p&gt;I'm quite interested in the &lt;a href="http://www.eucalyptus.com" target="_blank" title="Eucalyptus Systems"&gt;Eucalyptus&lt;/a&gt; Cloud platform. I wanted to run it on a Fedora Core 12 amd64 platform, yet they only make RPMs available for CentOS. I corrected a bunch of things in the spec files and rolled binary RPMs for Fedora. I hope they are useful. If there is demand I'll stand up a yum repo for them as well. Please chime in with comments if you are interested in this.&lt;/p&gt;
&lt;!--break--&gt;&lt;p&gt;Thanks to &lt;a href="http://www.flickr.com/photos/randysonofrobert/"&gt;Randy Son of Robert&lt;/a&gt; for the photo.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-file field-type-file field-label-above"&gt;&lt;div class="field-label"&gt;File:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/euca-axis2c-1.6.0-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/euca-axis2c-1.6.0-1.x86_64.rpm" type="application/x-redhat-package-manager; length=1880668"&gt;euca-axis2c-1.6.0-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=467793"&gt;eucalyptus-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-cc-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-cc-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=883741"&gt;eucalyptus-cc-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-cloud-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" 
src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-cloud-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=10323"&gt;eucalyptus-cloud-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-common-java-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-common-java-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=43203581"&gt;eucalyptus-common-java-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-gl-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-gl-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=126711"&gt;eucalyptus-gl-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-nc-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-nc-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=472978"&gt;eucalyptus-nc-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" 
resource="http://passwd.org/sites/default/files/eucalyptus-sc-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-sc-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=9159"&gt;eucalyptus-sc-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/eucalyptus-walrus-1.6.2-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/eucalyptus-walrus-1.6.2-1.x86_64.rpm" type="application/x-redhat-package-manager; length=9063"&gt;eucalyptus-walrus-1.6.2-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="" resource="http://passwd.org/sites/default/files/euca-rampartc-1.3.0-1.x86_64.rpm"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/x-redhat-package-manager" src="http://cdn.passwd.org/modules/file/icons/application-octet-stream.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/euca-rampartc-1.3.0-1.x86_64.rpm" type="application/x-redhat-package-manager; length=13369365"&gt;euca-rampartc-1.3.0-1.x86_64.rpm&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-image field-type-image field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:image" resource="http://cdn.passwd.org/sites/default/files/297055875_03b0b1bfee_m.jpg"&gt;&lt;img typeof="foaf:Image" src="http://cdn.passwd.org/sites/default/files/297055875_03b0b1bfee_m.jpg" width="180" height="240" alt="" /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div 
class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/virtualization" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;virtualization&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/cloud" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;cloud&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/xen" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;xen&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span property="schema:name" content="Eucalyptus 1.6.2 for Fedora 12 x86_64" class="rdf-meta"&gt;&lt;/span&gt;&lt;span rel="schema:url" resource="/2010/04/eucalyptus-162-fedora-12-x8664" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Wed, 07 Apr 2010 06:30:17 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">49 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/04/eucalyptus-162-fedora-12-x8664#comments</comments>
</item>
<item>
 <title>Economic Incentives and Security</title>
 <link>http://passwd.org/2010/02/economic-incentives-and-security</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;&lt;img alt="" src="http://cdn.passwd.org/sites/default/files/pollution.jpg" style="margin-left: 10px; margin-right: 10px; float: right; width: 240px; height: 193px;" title="Pollution" /&gt;As I write this, there is a massive recall and public outcry against Toyota for a faulty accelerator that could cause unintended acceleration. This presents a risk of accident or death in a number of cases and has been taken very seriously by the government, public, and media. My first reaction was this: they should put their CIO/CISO in charge of the recall because they deal with ‘recalls’ multiple times a week in the form of vulnerable software.&lt;/p&gt;
&lt;p&gt;Are software vulnerabilities any less risky than a faulty accelerator? Does software not control every major facet of our critical infrastructure, transportation, financial, and personal health and well being? Imagine the highway was filled with cars that have the same number of ‘severity 5’ defects that our software and applications have. How safe would you feel driving home? Would you be willing to take your car in monthly on “Recall Tuesday” to have it fixed?&lt;/p&gt;
&lt;p&gt;If we have established that software defects and vulnerabilities (which could be misconfigurations, programming errors, and the like) are critical to our well being and economic viability, why do we continue to make choices to purchase new software and develop new applications that are not secured to the level of risk we wish to accept? It seems that we would want to consider security and reliability as one of the cornerstones of our decision-making process, yet we rarely do.&lt;/p&gt;
&lt;p&gt;My personal conclusion to that question is because we have the economics wrong. The risk reduction incentives of safer software aren’t aligned with the business decisions when choices are being made. This includes choice of what vendor to work with, what software to purchase, how to develop your own application, how to configure your server, and all of the other factors that contribute to our technical vulnerabilities.&lt;/p&gt;
&lt;p&gt;It doesn’t have to be this way. There are models that have been effective in realigning choice and incentives to achieve a goal. Let’s take one specific example as a case study in redefining the incentives to realize a desired outcome.&lt;/p&gt;
&lt;!--break--&gt;&lt;h2&gt;The Kyoto Protocol – Market-based Pollution Reduction&lt;/h2&gt;
&lt;p&gt;The Kyoto Protocol is a treaty established on an international scale and enforced as of 2005. This legally binding agreement commits the current 183 participant countries to a ‘cap and trade’ system to combat the emission of greenhouse gases. The Kyoto Protocol leverages economic incentives to control pollution on a global scale. To summarize:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;The scope of what pollutants to reduce was established to include four greenhouse gases and two groups of gases.&lt;/li&gt;
&lt;li&gt;The scope of what countries should participate in the reduction was established based on the United Nations Framework Convention on Climate Change. This generally included the industrialized nations and was expanded to include the current 183 participants.&lt;/li&gt;
&lt;li&gt;The measurement of the baseline level of pollution was taken based on emission information from 1990. This measurement is calculated based on each individual country and their emission level for the gases.&lt;/li&gt;
&lt;li&gt;The amount of greenhouse gas reduction against the 1990 baseline was set to 5.2% for each country measured over the years 2008-2012. Accounting for continued economic and pollutant growth as compared to expected levels in 2010 without the treaty, this represents a 29% reduction from the 1990 level.&lt;/li&gt;
&lt;li&gt;A uniform measurement standard was agreed upon and centralized regulators were created to accept the ongoing measurements provided by each country. The organizations are designed to only oversee the measurement and reporting standards and do not participate or take political positions on climate issues.&lt;/li&gt;
&lt;li&gt;Participating countries are able to meet their agreed-upon limitations by directly reducing emissions, purchasing emission reduction credits from elsewhere, or by initiating projects that reduce emissions in non-Annex I participants.&lt;/li&gt;
&lt;li&gt;In Europe, the European Union Emission Trading Scheme was established. Under the EU ETS, large emitters of gases within the EU must monitor and annually report their CO2 emissions, and they are obliged every year to return an amount of emission allowances to the government that is equivalent to their CO2 emissions in that year.&lt;/li&gt;
&lt;li&gt;There are five international exchanges allowing for the sale and purchase of emission credits - Chicago Climate Exchange, European Climate Exchange, Nord Pool, PowerNext and the European Energy Exchange.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The net result of the Kyoto Protocol as described is to create economic incentives for countries and their industrialized companies to reduce emissions. This is achieved not through specific global regulations, which may help or harm some of the participants, but by taking a free market approach to the problem. Polluters are still able to pollute; however, it may become more expensive over time if carbon credits are necessary. Buyers of the credits are penalized for polluting while sellers are rewarded for having reduced emissions.&lt;/p&gt;
&lt;p&gt;The impact is to influence current and future behavior and choices to align them with the overall goal of reducing pollution.&lt;/p&gt;
&lt;h2&gt;The New Protocol&lt;/h2&gt;
&lt;p&gt;How could the Kyoto Protocol and cap-and-trade relate to information security? It may take a leap of thinking but here’s the idea:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;I propose that software vulnerabilities are similar in nature to pollutants – unwanted side effects of bad choices that threaten our environment.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In the same manner that industrial companies wish to quickly launch their factory to begin recognizing revenue at the cost of polluting the environment, the goal of many software development efforts is to release the product or application to market and begin to recognize value – be it revenue or business process enhancements. In many cases, security is an afterthought in this process and something that is deemed to be revisited in a later release or isn’t properly considered up-front.&lt;/p&gt;
&lt;p&gt;Despite our best efforts to embed security into the planning and quality assurance process through initiatives like threat modeling, in many organizations we have failed to achieve true secure development practices due to competitive and market pressures. The same is true of our server and workstation configurations. To the recipient of bad software design or implementation, it results in a permanent state of identifying vulnerabilities, quantifying them in a rational manner, fixing/patching them, or accepting the risk of not fixing the issues. Information Security professionals are consistently fighting this losing battle.&lt;/p&gt;
&lt;p&gt;Perhaps it doesn’t need to be that way. With a bit of smart regulation and cooperation, an information security policy and standard could be adopted to change behaviors and align them towards vulnerability management. Using the Kyoto framework as described above, here’s how it might work for information security:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;The scope of what vulnerabilities to reduce would be established. This could be defined by anything from severity to industry type. They could be class-based according to CVE identifiers as published by Homeland Security.&lt;/li&gt;
&lt;li&gt;The scope of what countries should participate would be established in a similar collaborative manner to Kyoto. I would propose all first-world economies and major contributors to critical infrastructure components across the world.&lt;/li&gt;
&lt;li&gt;The measurement of the baseline level of vulnerability could be established based again on CVE or criticality for the most recent year. Numerous security vendors also have significant data that could be used as input to this process (from McAfee/Symantec to Google and their Safe Search.)&lt;/li&gt;
&lt;li&gt;The amount of vulnerability reduction against the baseline would be set to a specific percentage for each country/industry and measured over a period of time.&lt;/li&gt;
&lt;li&gt;A uniform measurement standard would be agreed upon and centralized regulators/service providers would be established or engaged to perform or accept the measurements provided by each country. These organizations would be designed only to oversee the measurement and reporting standards and would not otherwise participate or take political positions on security issues.&lt;/li&gt;
&lt;li&gt;Participating countries would be able to meet their agreed-upon limitations by directly reducing vulnerabilities, purchasing vulnerability reduction credits from elsewhere, or by initiating projects that reduce vulnerabilities in participating locales.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Similar to Kyoto, there are no global regulations on vulnerabilities that could help or harm organizations. Everyone is still able to deploy vulnerable software or applications, however those choices may become more expensive over time if it requires going to the market to purchase credits. Buyers are penalized for their aggregate vulnerabilities while sellers are rewarded for their improved security posture and lower risk profile. The impact is to influence current and future behavior and choices to align them with the overall goal of reducing pollution.&lt;/p&gt;
&lt;p&gt;What might happen with a system like this? Companies would start taking a much closer look at their software/application/development/implementation choices. Vendors would start to align against a standard and quantify their vulnerability metrics and security of their offerings. Finally, the global number of vulnerabilities would likely start to decline (factoring in technology growth.) This solution is agnostic to internally-developed applications vs. purchased applications and it works locally or in a cloud. It just means that whatever new technology you come up with, it is evaluated against the baseline criteria and recorded as part of your overall vulnerability total. Measurement becomes a key metric with negative economic impacts being the driver for behavioral change.&lt;/p&gt;
&lt;p&gt;Before the arguments start, and there are many, I acknowledge this won’t solve every security problem, it won’t be 100% accurate, it won’t discover every vulnerability, and it does not take into account that a severity 5 vulnerability on a test system may not present the same level of risk as one on a critical production system. It also may not be fair and equitable to a larger organization that has a harder time with security and vulnerability management than a smaller company. I agree with those assertions, but that’s not the point. The goal is realignment of business decisions to risk with a focus on vulnerability reduction. Just like the reduction in pollution from climate change, a reduction in vulnerabilities means we have reduced, but not eliminated, risk.&lt;/p&gt;
&lt;p&gt;The key concept underlying this idea also relies upon the belief that organizations would report in aggregate their number of vulnerabilities to an outside source. But let’s be realistic: there is no organization today that doesn’t have vulnerabilities in their environment. Hiding aggregate security information doesn’t help to solve the problem and it doesn’t make you any more or less vulnerable to attack or compromise.&lt;/p&gt;
&lt;p&gt;Would this work to move security and vulnerabilities to the forefront of the business decision-making process? I think it would. How difficult would it be to implement? It would take a lot of coordination, but it could happen with the right level of support from business and government alike. Regulations and international treaties would be an ideal approach to implementing an idea such as this.&lt;/p&gt;
&lt;p&gt;In conclusion, this is simply a starting point for a discussion about economics, choice, and its impact on our ability to manage vulnerability and risk. I’m now going to walk outside, get into my Toyota, and hopefully make it home safely.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-file field-type-file field-label-above"&gt;&lt;div class="field-label"&gt;File:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/economic_incentives_and_security.pdf"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/pdf" src="http://cdn.passwd.org/modules/file/icons/application-pdf.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/economic_incentives_and_security.pdf" type="application/pdf; length=84338"&gt;economic_incentives_and_security.pdf&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-image field-type-image field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:image" resource="http://cdn.passwd.org/sites/default/files/pollution.jpg"&gt;&lt;img typeof="foaf:Image" src="http://cdn.passwd.org/sites/default/files/pollution.jpg" width="500" height="399" alt="" /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/economics" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;economics&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;security&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span property="schema:name" content="Economic Incentives and Security" class="rdf-meta"&gt;&lt;/span&gt;&lt;span rel="schema:url" resource="/2010/02/economic-incentives-and-security" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Thu, 25 Feb 2010 00:00:00 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">72 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/02/economic-incentives-and-security#comments</comments>
</item>
<item>
 <title>Social Media Privacy</title>
 <link>http://passwd.org/2010/02/social-media-privacy</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;I shared the following text with my organization recently for security awareness purposes. I thought it was worth posting as well.&lt;/p&gt;
&lt;p&gt;There's a fairly new website called &lt;a title="Foursquare" href="http://foursquare.com" target="_blank"&gt;Foursquare&lt;/a&gt;. It is a free site that allows people to publish their physical location via Twitter. The idea is you can tell the world you are at the movies and perhaps catch up with friends who are also in the area. Do you see where this is going yet?&lt;/p&gt;
&lt;p&gt;An enterprising soul set up a website that correlates a realtime feed of these Foursquare Twitter updates. Here is his website:&lt;/p&gt;
&lt;p&gt;&lt;a title="Please Rob Me" href="http://pleaserobme.com" target="_blank"&gt;http://pleaserobme.com&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;It's a realtime feed of people who are NOT at home and would be ripe targets for a burglar, taken directly from their Foursquare updates. &lt;/p&gt;
&lt;p&gt;His website isn't designed to promote burglary - it's a privacy lesson in modern social media on the Internet. His point is that people should be more aware of the type of information they are sharing with the world and to think about it before telling the planet where you are at all times.&lt;/p&gt;
&lt;p&gt;Something to think about as you use LinkedIn, Facebook, Twitter, and the like. Feel free to share with others and perhaps your families (and kids!)&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;security&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span rel="schema:url" resource="/2010/02/social-media-privacy" class="rdf-meta"&gt;&lt;/span&gt;&lt;span property="schema:name" content="Social Media Privacy" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Tue, 23 Feb 2010 02:22:13 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">38 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/02/social-media-privacy#comments</comments>
</item>
<item>
 <title>CUISPA 2010 - Virtualization Workshop Slides</title>
 <link>http://passwd.org/2010/02/cuispa-2010-virtualization-workshop-slides</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;This is the slide deck that I used for the virtualization workshop. The actual discussion was much more open-ended in terms of audience participation. The slides are good references for a few things that were talked about. Other topics included the benefits of virtualizing a 'one of' where the ratio is one hypervisor to one guest. We also went over the order of what systems to virtualize when, both from a production support and security standpoint.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-file field-type-file field-label-above"&gt;&lt;div class="field-label"&gt;File:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/cuispa_2010_-_virtualization_workshop_slides.pdf"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/pdf" src="http://cdn.passwd.org/modules/file/icons/application-pdf.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/cuispa_2010_-_virtualization_workshop_slides.pdf" type="application/pdf; length=0"&gt;cuispa_2010_-_virtualization_workshop_slides.pdf&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/cuispa" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;CUISPA&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;security&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/virtualization" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;virtualization&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/cloud" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;cloud&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span property="schema:name" content="CUISPA 2010 - Virtualization Workshop Slides" class="rdf-meta"&gt;&lt;/span&gt;&lt;span rel="schema:url" resource="/2010/02/cuispa-2010-virtualization-workshop-slides" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Tue, 23 Feb 2010 00:00:00 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">75 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/02/cuispa-2010-virtualization-workshop-slides#comments</comments>
</item>
<item>
 <title>CUISPA 2010 - Top Threats Forum Slides</title>
 <link>http://passwd.org/2010/02/cuispa-2010-top-threats-forum-slides</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;The following slide deck was presented during the CUISPA 2010 security conference. The talk included a broad overview of information security trends for this year, both from the perspective of threats as well as regulation. This session included significant audience participation, especially around e-mail archiving and eDiscovery.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-file field-type-file field-label-above"&gt;&lt;div class="field-label"&gt;File:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="" resource="http://passwd.org/sites/default/files/cuispa_2010_-_top_threats_forum_slides.pdf"&gt;&lt;span class="file"&gt;&lt;img class="file-icon" alt="" title="application/pdf" src="http://cdn.passwd.org/modules/file/icons/application-pdf.png" /&gt; &lt;a href="http://passwd.org/sites/default/files/cuispa_2010_-_top_threats_forum_slides.pdf" type="application/pdf; length=0"&gt;cuispa_2010_-_top_threats_forum_slides.pdf&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/cuispa" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;CUISPA&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;security&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span property="schema:name" content="CUISPA 2010 - Top Threats Forum Slides" class="rdf-meta"&gt;&lt;/span&gt;&lt;span rel="schema:url" resource="/2010/02/cuispa-2010-top-threats-forum-slides" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Tue, 23 Feb 2010 00:00:00 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">74 at http://passwd.org</guid>
 <comments>http://passwd.org/2010/02/cuispa-2010-top-threats-forum-slides#comments</comments>
</item>
<item>
 <title>CUISPA 2010 Agenda</title>
 <link>http://passwd.org/2010/01/cuispa-2010-agenda</link>
 <description>&lt;div class="field field-name-body field-type-text-with-summary field-label-hidden"&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" property="schema:articleBody content:encoded"&gt;&lt;p&gt;I'll be one of the speakers at the &lt;a href="http://www.cuispa.org/cuispa2010/index.php" target="_blank"&gt;2010 Credit Union Information Security Professional Association (CUISPA) conference&lt;/a&gt; next month in Austin, TX. The topic is "Top Issues for 2010" and is intended as an open forum and discussion around some of our current security challenges. This post will host a placeholder for topics I plan to talk about during my session. Feel free to e-mail me or contact me with more ideas.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;'Consumerization' technologies - Smartphones, Web 2.0, Facebook, social technologies&lt;/li&gt;
&lt;li&gt;Custom workstation-targeted Malware&lt;/li&gt;
&lt;li&gt;Browser plug-in security: Adobe Acrobat/Flash/Java/Quicktime&lt;/li&gt;
&lt;li&gt;Workstation security - why both preventive AND detective controls matter&lt;/li&gt;
&lt;li&gt;Phishing, SPF, and DKIM. Why haven't more CUs adopted at least SPF?&lt;/li&gt;
&lt;li&gt;DNSSEC and the signing of the .org top level domain - plan to sign your zones!&lt;/li&gt;
&lt;li&gt;Cloud computing opportunities and risks&lt;/li&gt;
&lt;li&gt;Server/desktop virtualization&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;We may not have time to get to all of these in-depth, but I'd like to touch on many of them depending on real-time audience feedback as to your 2010 initiatives.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"&gt;&lt;div class="field-label"&gt;Tags:&amp;nbsp;&lt;/div&gt;&lt;div class="field-items"&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/cuispa" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;CUISPA&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item odd" rel="schema:keywords"&gt;&lt;a href="/category/terms/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;security&lt;/a&gt;&lt;/div&gt;&lt;div class="field-item even" rel="schema:keywords"&gt;&lt;a href="/category/terms/wescorp" typeof="skos:Concept" property="rdfs:label skos:prefLabel"&gt;WesCorp&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span rel="schema:url" resource="/2010/01/cuispa-2010-agenda" class="rdf-meta"&gt;&lt;/span&gt;&lt;span property="schema:name" content="CUISPA 2010 Agenda" class="rdf-meta"&gt;&lt;/span&gt;</description>
 <pubDate>Tue, 26 Jan 2010 02:18:12 +0000</pubDate>
 <dc:creator>rjb</dc:creator>
 <guid isPermaLink="false">35 at http://passwd.org</guid>
</item>
</channel>
</rss>

