May 2008 Archives

Deja Vu All Over Again

Ryan Naraine of ZDNet's Zero Day reports today about a serious flaw in Apple's Safari web browser.  It is yet one more example that should make these questions stand out:

"Will these security issues ever end and is there any way to have worry-free internet browsing?"

The answers respectively are: No and Yes!

Thankfully, the good folks at Novell have taken steps to fulfill the 'Yes' by including AppArmor in openSUSE.  AppArmor effectively puts any application you desire, for example your internet browser, into a secure 'sandbox'.

Even if there is a zero-day security flaw that can be exploited in your browser to gain privilege escalation, AppArmor will stop it cold before that happens.  In such an event, it may become necessary to restart your browser session or other application, but that's all.

So, if you're feeling like you've just about reached your security issues tolerance limit and would like to make a major change that will make a real difference, then please follow along in a multi-part series entitled Is It Safe?, where I provide the essentials on what you can do to ensure the best possible safe computing experience using openSUSE.

Thanks and Be Safe.

--dietrich


Is It Safe? - Part 2

This article is a continuation of Is It Safe? - Part 1.  We pick up where we left off in the YaST control center's Novell AppArmor page.

Probably, the first thing you'll want to consider doing in a new openSUSE install is fortifying your internet browser application by profiling it with AppArmor.  Making use of the AppArmor 'Add Profile Wizard' makes creating a profile relatively easy.

apparmor_add_profile.png

The actual path to the location of Firefox on your system may be different from that shown above.  A version of Firefox typically is found on openSUSE 10.3 in /usr/lib/firefox (with a symbolic link from /usr/lib/firefox/firefox.sh to /usr/bin/firefox), or, if you have manually downloaded from Mozilla, you may have installed into a different subdirectory, i.e., below your home directory, such as /$HOME/$USER/firefox/.  If all else fails, you can open KMenu->Find Files/Folders to determine the exact location.  Alternatively, open a Konsole window and type:

$ which firefox <enter>

or

$ sudo which firefox <enter>
(give root password)

to return to your screen the exact location.

Once you've selected the application, press the create button.

apparmor_add_profile_repo.png
Pressing 'Enable Repository' will determine if there is an existing profile you can use, either local or in an external repository.  'Disable' will ignore the repositories.  'Ask Me Later' will allow you to put off making the decision until later.  I have chosen 'Enable Repository' and a new dialog window is displayed.

apparmor_add_profile_repo1.png
It would be advisable for you to review any other repository profile to the fullest extent possible before accepting an external source for ongoing use.  It just so happens that openSUSE 10.3 comes with its own local repository (/etc/apparmor/profiles/extras/) which includes a profile for Firefox that you can avail yourself of, as I am doing here.

Your choices are to 'View Profile', 'Use Profile', or 'Create New Profile'.  At the bottom of my list of repositories shown above is 'Inactive local profile for /usr/lib/firefox/firefox.sh'. I am selecting that repository profile to use and pressing 'Use Profile'.

apparmor_add_profile_scan.png
You are now ready to start and exercise your application so that AppArmor can 'learn' how it is used.  If you are creating a new profile and not using the local repository profile, I would suggest you minimize this screen, but not close it, start Firefox and use it as you normally would and run it for a while, perhaps a half hour to an hour of steady use should be sufficient.  When you are done, close Firefox and maximize your AppArmor Profile Wizard window.  If you are using the existing profile, then running Firefox isn't necessary.  At this point, press 'Scan system log for AppArmor events'.

The Wizard will present this dialog window after reviewing events.

apparmor_add_profile_scan_upload.png
I opted not to upload my profile to the repository by pressing 'No'.  The Wizard returns you to the previous window, at which point you are done.  Press 'Finish'.

Congratulations (insert applause sound here).  That wasn't bad, was it?

The curious can see what the profile contains by choosing 'Edit Profile' and clicking on /usr/lib/firefox/firefox.sh.  Pressing 'Abort' when done returns to the YaST control center menu.

Not Quite Done

Because /usr/lib/firefox/firefox.sh is an executable 'shell script' that calls and invokes /usr/lib/firefox/firefox-bin, a binary executable, we now need to repeat the steps we took above for firefox.sh, this time selecting firefox-bin.  When done, you will have two profiles that define the events and permissions of the Firefox shell script, binary executable and shared libraries that are called by firefox-bin.
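What the wizard's 'Scan system log for AppArmor events' step amounts to, as an added sketch that is not from the original post or the AppArmor tools themselves: logged events are grouped into rules per profile, which also shows why firefox.sh and firefox-bin end up as two profiles. The log lines are constructed and use the key="value" layout of current kernels, an assumption that may not match openSUSE 10.3's log format; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit lines in the key="value" layout of current kernels
# (assumption: openSUSE 10.3 may log AppArmor events in a different layout).
SAMPLE_LOG = """\
type=AVC msg=audit(1.1:1): apparmor="ALLOWED" operation="exec" profile="/usr/lib/firefox/firefox.sh" name="/usr/lib/firefox/firefox-bin" pid=41 comm="firefox.sh" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1.2:2): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox-bin" name="/home/user/.mozilla/firefox/profiles.ini" pid=42 comm="firefox-bin" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1.3:3): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox-bin" name="/home/user/.mozilla/firefox/profiles.ini" pid=42 comm="firefox-bin" requested_mask="w" denied_mask="w"
type=AVC msg=audit(1.4:4): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox-bin" name="/etc/shadow" pid=42 comm="firefox-bin" requested_mask="r" denied_mask="r"
type=USER_LOGIN msg=audit(1.5:5): pid=7 uid=0 res=success
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the fields of an AppArmor file event, or None for other lines."""
    ev = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    needed = ("apparmor", "profile", "name", "denied_mask")
    return ev if all(k in ev for k in needed) else None

def learn(log_text):
    """Split events into per-profile learned rules and enforce-mode denials."""
    learned = defaultdict(lambda: defaultdict(set))   # profile -> path -> perms
    denied = []                                       # (profile, path, perms)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["apparmor"] == "ALLOWED":               # complain (learning) mode
            learned[ev["profile"]][ev["name"]].update(ev["denied_mask"])
        elif ev["apparmor"] == "DENIED":              # enforce mode: blocked
            denied.append((ev["profile"], ev["name"], ev["denied_mask"]))
    return learned, denied

def render(learned):
    """Print-ready rule list for human review; exec rules still need a mode."""
    lines = []
    for profile in sorted(learned):
        lines.append(profile + " {")
        for path, perms in sorted(learned[profile].items()):
            note = "   # exec: choose inherit or its own profile" if "x" in perms else ""
            lines.append("  %s %s,%s" % (path, "".join(sorted(perms)), note))
        lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    rules, blocked = learn(SAMPLE_LOG)
    print(render(rules), "\ndenied in enforce mode:", blocked)
```

The rendered text is for review only: an exec rule cannot be loaded until it is given a transition mode, which is the decision the second profile for firefox-bin settles.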

If at any point you find that the profile is doing something unexpected that prevents you from doing something, or you are just unsure, keep in mind that you can use 'Delete Profile' to remove the profile and start over.  'Edit Profile' is another option when you feel comfortable with what you are doing.

But you shouldn't have a problem if you've taken advantage of the local stock profiles for Firefox.  There is a way to troubleshoot your profiles but I'll leave that as a possible future topic.

There is a complete set of documentation for AppArmor that you can either view on-line or download in PDF format found here

Linux users who aren't using openSUSE can use AppArmor as it is open sourced by Novell.  You won't have the YaST GUI and Wizards, but all of the accompanying command line utilities are present upon installation and can be accessed from a terminal window.

That's it on AppArmor for now.  In part 3 of "Is it Safe" I'll be taking a tour of openSUSE's Firewall, again found in YaST on the 'Security and Users' page.

Until then, Be Safe!

--dietrich









Is It Safe? - Part 1



"Is It Safe?" is a line I borrow from the 1976 classic movie thriller "Marathon Man", starring Dustin Hoffman and Laurence Olivier. If you haven't seen it, I recommend you do.  It should definitely make an impression on you.

That's what I hope to do here--make an impression on you.

Not to scare you or anything, but the answer to this entry's title, where the Internet is concerned, is an emphatic No.

Since I am a Linux advocate and the Distro of my choice is openSUSE I thought it would be appropriate to begin with a series of topics regarding configuring your Linux system.

Perhaps the most important aspect you should be aware of regarding your operating system is Security.  Let me be clear on this: 

"No system, be it Linux, Mac OSX, FreeBSD, Windows, is 100% safe." 

Security as they say is a process, not an application.

You need to be vigilant and take steps in configuring your system to provide the best possible security at all times.

What can you do?  Well, begin by considering use of an operating system which has good core security features.  Arguably, openSUSE, currently version 10.3, of all the Linux distributions, is the most secure system you can use in its default configuration.

There are many things to consider that can improve on basic security.

GNU/Linux emulates, to a large extent, many of the core features of Unix.  If you come with a Unix background, all the better.  You should feel right at home.  If not, and you are perhaps a Windows IT professional, that is to your advantage.  In fact, I would submit, when you live with Linux, you'll gradually over time begin to comprehend and appreciate the breadth of features at your disposal and reach a comfort level in day-to-day use.  If you are a total 'neophyte', my advice to you is: "hang in there", and don't be afraid.  If anything, openSUSE 'hides' most every part of the finer 'inner-workings' of Linux behind a graphical user interface (GUI).  If you come with BSD or Mac OSX experience, you should be fine as well--there are many similarities and concepts that their GUIs and kernels share in common that are akin to UNIX.

What makes GNU/Linux great, but not unique, is that it completely 'decouples' the GUI from the Linux kernel.  This 'partitioning', if you will, of various blocks of operating system functionality is central to Linux's 'Modularity' and flexibility.  Modularity is a topic I will delve into further on another day.  The GUI that I am going to reference here today is KDE.  Most of what is discussed here will pertain in GNOME as Novell saw fit to replicate the same functionality in both GUIs so as to achieve uniformity (not 100% because of the limits imposed by GUI design philosophies and differences).

With FreeBSD or OpenBSD you can also choose your GUI just like with Linux.  In fact, Linux and the aforementioned BSDs can be run without a GUI entirely, in 'headless' character-based mode.  Many internet websites are configured intentionally to run in headless mode to conserve memory.  Administration is then done over a Secure Shell (ssh) command line interface with no GUI.  Those 'modules' simply aren't installed and aren't needed.

OK, let's get into it a bit deeper.  Let's talk about YaST.  When it comes to doing most configuration via the KDE or GNOME GUIs on openSUSE, the first place you visit is YaST.  Occasionally you will find yourself opening a Bash Terminal Window to a command shell to do certain things, but a lot can be done entirely from the GUI in YaST.  Readers who are coming from Windows can make an analogy to Windows Control Center.  YaST stands for 'Y'et 'a'nother 'S'etup 'T'ool.

yast_access.png
Click on KMenu->System->Configuration->YaST (Administrator Settings)

yast_access_supass.png
Type in your Administrator (root) password.


yast_control_center.png
YaST Control Center Menu

When it comes to security and openSUSE  10.3, Novell's AppArmor is enabled by default.  AppArmor runs on top of Linux Security Modules.  Essentially, it binds itself to the Linux kernel at boot time and puts a sandbox around any process or processes you deem need protection.  AppArmor is similar to SELinux, but easier to configure and maintain.  Let's take a closer look at the 'Novell AppArmor' page. Click on it now.

apparmor.png
AppArmor Page Menu

'Add Profile Wizard' will take you through the creation of an individual profile for an application or individual executable you specify.  It's fairly straightforward to use.  To see what profiles are currently defined, we'll go into 'Edit Profile', even though I will not be editing one specifically.  We just want to see what's there.  Click on 'Edit Profile'.

apparmor_edit_profile.png
AppArmor Edit Profile Screen

As you can see, there are several profiles listed with the full path to the location of each.
Note here my PC also has a profile defined for Firefox.  This adds an additional layer of security around your Firefox internet sessions.

You can press Abort to return to the Novell AppArmor Menu and close the YaST Control Center via File->Quit.

In Is It Safe? - Part 2, I'll go into further detail about AppArmor and show how to configure a Firefox profile and cover the 'Security and Users Page', which includes SuSEFirewall, a graphical tool for configuring iptables.

Until then, be safe.

--dietrich





From Windows to openSUSE

My first encounter with Linux came one day in 2003 at Barnes & Noble as I began thumbing through a new book on RedHat's Linux Fedora Core 1 (CD enclosed).  Curiosity got the best of me. I bought the book and decided to give installing Fedora Core a try.

I didn't want to give up Microsoft Windows XP Professional at the time, so I went about setting up a dual-boot system with a GRUB boot loader menu. 

There were some initial issues in resizing the primary partition to make room for Fedora like deleting the MBR (yikes).  Some of my issues were solved by searching for answers with Google.  For example, ndiswrapper was needed to get my wireless card working.  Others required posting questions to forums like LinuxQuestions.org.  Ultimately I was able to create a dual-boot Windows XP Pro and Fedora Core system.

Looking back, I do wonder if I might have given up entirely had it not been for my background in IT using IBM's AIX and Sun's Solaris.  It certainly didn't hurt to have that kind of experience especially being quite comfortable with working from a UNIX shell command line interface.  For sure, in 2003, Linux was not ready for prime time and it would not have been well-received in the corporate world, much less by 'Joe Average' user.

I continued using Fedora with GNOME UI for about a year until I replaced it with SuSE 9.3 Professional, while still keeping the Windows XP partition.  During the installation, I also chose to switch from GNOME to KDE.

KDE, as far as I am concerned, is better than GNOME. It is closer in certain respects to the Windows UI in terms of behavior and features, yet more powerful and capable of doing things that in GNOME and Windows Explorer aren't possible.  SuSE was acquired by Novell who open sourced the code under the name openSUSE and merges select branches of the open source development tree to their enhanced 'Enterprise' Server and Desktop subscription-based Linux products.  openSUSE, at this writing, is in revision 10.3. Version 11.0 is due out in a June 2008 time frame.

Some time ago, I removed the Windows XP partition entirely and instead installed Windows XP into a VMware virtual machine running on the openSUSE Linux desktop.  Using VMware Server works well and the only complaint I have at this point is the lack of USB 2.0 support.  Sun's xVM VirtualBox might be an easier route to go for first time VM users. 

As for openSUSE 11.0, I am going to upgrade to the AMD64 version this time around and see how things go--a review will follow.

--dietrich







Linux IT Consultant Blog Introduction

Welcome to Linux IT Consultant.

My goal is to foster interest in and promote use of Linux in Information Technology.

So, to that end, this blog will try to hold to that theme, with occasional departures to discuss topics that are somewhat related, but perhaps less so at times, so as to reach readers who might not yet have come into contact with Linux.

It's really that simple.  No other agenda.  I hope to enlist the participation of additional authors here who are willing to share their unique perspectives and experiences using Linux in a way that benefits you, the reader, with genuinely useful information.  In that regard, if you have an interest in becoming a blogger with Linux IT Consultant, please email me.

While this is meant to be a blog for Linux IT professionals, no less important are those who may find Linux does not meet their expectations or have not as yet come to terms with it by virtue of being new users or totally uninitiated.  Don't hesitate to join in--I would most certainly appreciate having your sincere constructive feedback as well.

New Ideas put forward here need not only be promoted, but as important, ideas should be prodded, considered carefully with a generous amount of skepticism until consensus is reached on whether they have merit.

I don't care if you disagree.  That is your right.  However, probably more than anything else I do care how you tender your viewpoint. So, if you would, I will take this opportunity to extend a "thank you" in advance for the special consideration you give when making replies to me and other blog participants. 

Generally speaking, being nice and courteous to others and having fun with the process of exchanging ideas and information is encouraged and anticipated!

Those who wish to add comments, please be advised that login/authentication is required before any post can be made.  Your choices are:

1) Add an account to my website through Movable Type (which will ask you to confirm registration from your e-mail account), and

2) Login with an existing Typekey account.

Should you experience any difficulty creating your account or using this website in any way, please let me know.

Thank you!

Sincerely yours,
Dietrich