Posts Tagged ‘ci’

CIS Security Metrics Available

June 27th, 2009

The CIS has released a collection of metrics – CIS Security Metrics Guide (v. 1.0.0).  The project goal is to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and to “utilize data commonly available in most enterprises.”

The following metrics are proposed and documented:

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management
    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instance”

Download the metrics here or via direct PDF link.

No comments »

Posted in Blog

Tags:

Hudson and Amazon EC2

June 8th, 2009

So my biggest gripe with Hudson is slave nodes. In Puppet land we need to run our tests on a wide variety of platforms – it’s a system/configuration management tool that runs on just about every flavour of *nix (and soon to be Windows) around: Linux (a bucket load of distros), *BSD, OSX, AIX, Solaris, HP-UX, amongst others. We need to ensure it builds, runs and configures things on these platforms and that new features and functions don’t break things. To do this there is a huge management overhead – especially as build/test is generally two or three people – mostly Luke and I.

In this I’ve had many struggles with getting people to submit slaves and with managing my own slave node network for Hudson. It’s bloody annoying to have to fight RUBYLIB issues, Gem versions, installed versions of Puppet and Facter and a dozen other issues with running tests on slaves before you can even identify and fix a failed test.

I finally threw in the towel and decided to look at some other engines – perhaps my initial look and selection of Hudson had been premature.  But another review and installation of a wide variety of tools suggested to me that Hudson was the right choice. So an impasse.

Then along came the Hudson Amazon EC2 plug-in.  It allows Hudson to run up Amazon instances when required as slaves.  This means with a few judicious choices of AMIs I can quickly run up a test farm that covers all my requirements – Linux, Solaris, even Windows when we merge in the new Windows code (0.25.0beta2 I hope).  It’s not quite working yet – for reasons that aren’t 100% clear to me yet. :)   But it’s on the right path and I hope it’s going to make life much easier.  More on how it all works … when it all works..

UPDATE:  It now works – mostly a PEBCAK issue – the plug-in requires that the Security Group is configured to allow a connection on port 22 from the Hudson master.  Next steps some proper implementation… :P

1 comment »

Posted in Blog, hudson, open source, puppet

Tags:

WordPress migration

February 25th, 2009

I migrated away from Drupal earlier in the week and installed WordPress. Turned out Drupal – whilst full of lots of cool stuff- was too much engine for what I need.

The migration went reasonably well – some SQL intervention required in places – especially titles – for some reason the post_name field was a little stuffed. I also took the time to do some regex find and replaces of old EE mark-up that was still floating around. This should make a bunch of older links work again.

Of course, there is now a whole new bunch of permalinks and probably a bunch of borked and broken links too.

Mostly for my reference – Kartar.Net blog engine History:

1. Blogger

2. pMachine

3. ExpressionEngine

4. Drupal

5. WordPress

No comments »

Posted in Blog

Tags:

About Me

February 21st, 2009

I’m a late twenty early mid-thirty something guy who lives in Portland, Oregon.  I’m originally from Melbourne, Australia via and a few other places.

I work in computing – specifically as Director of Operations for Puppet Labs – and I write technical books of which I have four published and another on the way.

My interests include cooking, wine, political theory, photojournalism, philosophy, poetry. I enjoy good conversation, laughter, reading, music, and my cats. Things that piss me off are jingoism, bad grammar, violence and cucumber.

P.S. I also have a sister who has complained about not being mentioned here – she lives in Melbourne, makes things with metal, curates and shops. Usually for shoes.

No comments »

Posted in

Tags:

No Clean Feed

October 23rd, 2008

I sent this via snail mail and email to Stephen Conroy reagrding the idiotic plan to “clean feed” Internet connections.


Minister Conroy,

It is with extreme disappointment that I write you. After years of government who did not understand the Internet I had hoped the incoming Labour government would be more forward thinking.

The plan to introduce a “clean feed” is technologically backward, short-sighted and has the potential for enormous abuse. In many ways it is little better than the censorship undertaken by countries such as China, Iran and similar totalitarian regimes.

The content being targeted is already illegal in this country. These ham-fisted attempts to block it, at enormous expense and with such huge potential for false positives, would appear to actually detract from efforts to stop the heinous trade in child pornography.

Rather than crudely censoring the web I feel money and efforts would be better directed at enhancing our law enforcement capabilities. I am sure the AFP and other agencies could put the proposed investment to
good use and target actual offenders rather than have to sift through a mountain of false positives.

See http://nocleanfeed.com/ for further information.

No comments »

Posted in censorship, clean feed

Tags:

Little Brother by Cory Doctorow

September 30th, 2008

Everyone should go out now and download or buy a copy of Cory Doctorow’s Little Brother and give it to a teenager. I don’t know a lot of teenagers (the court mandates that :P ) but I am going to seed a few copies about.

It’s not the world’s greatest novel – not even close – but it is an important novel. It’s also a little heavy on the rhetoric and I don’t know a lot of teenagers who talk like the main character (more’s the pity).

Much like the Max Headroom’s tagline of “20 minutes into the future”, Little Brother is set in a RSN San Francisco. A San Francisco that has a little of the smell of Big Brother. The same smell a lot of Americans, British and Australians can sense as our civil liberties are slowly eroded in the name of “national security”.

The main character, Marcus, is a 17 year old high school student interested in computers, gadgets, role-playing and girls. Shortly after the opening of the a major terrorist incident occurs: the bombing of the BART and the Bay Bridge. In the aftermath of the incident Marcus and three of his friends are detained and interrogated as suspected terrorists. After a week of detention all but one of them is freed but warned that the government is watching them and told to tell no one they were detained.

Marcus decides to take action and possibly revenge for his missing friend and that’s where the story starts getting interesting.

The main aspect of the that appealed to me is the first rate introduction to the whys and hows of privacy and security. An introduction that even paranoids like me can appreciate. Doctorow explains PKI, RFID hacking and a bunch of other security mechanisms, counter-measures. Most importantly, Little Brother teaches the reader how to THINK about privacy and security.

This is the key thing missing from a lot of actual “grown-up” security books – thought leadership. A lot of these security books provide mechanisms and systems to measure risk and apply controls. Less often do they teach people how to think about threats, how to distil threats into risks and how to apply controls to mitigate those risks. Very rarely, if ever, do they teach you how to think like the attacker.

Little Brother is like a distilled HOWTO on being a sneaky bastard. It teaches you that paranoia, properly applied, is not only healthy but logical given the threats to our privacy and security.

Little Brother also demonstrates that sometimes attacking the control is almost as effective as attacking a target. Rendering the control inoperative not only lowers the protection of the target but can result in the target’s defenders being tied up trying to protect the control instead of the target.

Overall, an excellent that offers some really useful insights for both adults and teenagers. Go give it to a teenager and hopefully they’ll trust someone over 25 long enough to read it.

You can download the for free at:

http://craphound.com/littlebrother/download/

Or you can buy it via your store or Amazon.

1 comment »

Posted in Books, doctorow

Tags:

Google Chrome

September 13th, 2008

I downloaded Google’s new Chrome browser (http://www.google.com/chrome) this morning. I installed it and I played with it for about an hour. I read the notes and watched several of Google’s videos. Overall, it looks cool, seemed to be snappy and quick to respond. I was particularly taken with the focus on tabs. I also thought the multi-, multi-tab sandbox idea is a really interesting idea – initially from a useability perspective but potentially also from a security perspective. Though there isn’t anywhere near enough information yet to make a proper assessment. I did try to break some tabs and see how effective the sand-boxing was (it seems to hold up from a very brief look but it’ll take some code review from someone with more code-fu than me to determine actually how secure the concept is – see below).

A few things didn’t inspire me – the border decoration was a little … unintegrated. And I am always loath to pass judgement on an application that by its very nature needs to be examined in a cross-platform context and I would want to see running on all of Microsoft Windows, OSX, and Linux. This is particularly true of OSX where the graphical environment can make an enormous difference to how an application engages you.

But after my play I closed Chrome down with a big sigh to get on with my actual day job. Why the sigh? Did I think the new Chrome browser wasn’t very good? Nope. But my first thought was “I wonder how many people in my enterprise have downloaded and installed Chrome over the last few days”. This was quickly followed by me asking two questions:

1. What is the change in the enterprise’s risk profile of adding this new application?

2. What’s the operational impact of some, many or all of my users downloading and installing this application?

Obviously (and hopefully) it is only an incremental change in risk profile and not much at that. The browser will probably only be downloaded by power users and innovators in the enterprise, initially at least. On the threat landscape in most enterprises however browsers punch well above their weight in terms of attack surface, are a common source of malware infection and browser exploits are a popular target for hackers. Indeed a (the first?) Chrome vulnerability has already been discovered AND exploited (see http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php) literally hours after Chrome was released. So Chrome’s potential as a source of compromise and attacks needs to be carefully considered.

The answer to the second question is also ambiguous but finding out can add a lot of work for a security team. With any new application, but especially ones like browsers that are such rich sources of malware attack, there is now a potential need to:

• Track bugs and vulnerabilities for the application;
• Add it to software profiles for vulnerability scanning;
• Investigate its behaviour for network behaviour and IDS/IPS;
• Profile it for our Security Event and Incident Management ; and
• Specifically for this application ascertain if its Incognito “stealth” browsing capability impacts our ability to investigate and gather evidence in incidents.

So most important to me right now is not whether Chrome will outshine Firefox or IE or whether it represents the future of the browser. But rather how much work is this new browser going to create for me… :)

P.S. If you’re interested in look at it you can find Chrome’s source code at http://code.google.com/chromium/. There are also build instructions (for which you will probably need to have some developer skills) for OSX and Linux.

No comments »

Posted in chrome, google, security

Tags:

Puppet’s BuildBot

August 24th, 2008

So rather than doing the work I actually should be I’ve been playing with BuildBot. I had intended to get around to setting up BuildBot sometime in the next couple of months but I got hooked.

The reason I wanted to have a look at BuildBot was that Puppet has reached a stage where we simply can’t test every platform it runs on. We are also starting to get patches from a wider variety of sources. Buildbot will allow us to execute our tests on a wider variety of platforms. Hopefully with the cooperation of the community we can gather a really big collection of build platforms to test on.

Here’s the blurb for BuildBot

The BuildBot is a system to automate the compile/test cycle required by most software projects to validate code changes. By automatically rebuilding and testing the tree each time something has changed, build problems are pinpointed quickly, before other developers are inconvenienced by the failure. The guilty developer can be identified and harassed without human intervention. By running the builds on a variety of platforms, developers who do not have the facilities to test their changes everywhere before checkin will at least know shortly afterwards whether they have broken the build or not. Warning counts, lint checks, image size, compile time, and other build parameters can be tracked over time, are more visible, and are therefore easier to improve.

The overall goal is to reduce tree breakage and provide a platform to run tests or code-quality checks that are too annoying or pedantic for any human to waste their time with. Developers get immediate (and potentially public) feedback about their changes, encouraging them to be more careful about testing before checkin.

It’s a very easy tool to deploy. The hardest part has been the slightly broken source handling and the assumption that any repository is local. I need to have a local repository to allow BuildBot to submit the right commits references to the PBChangeSource function.

But I designed a basic for handling new commits:

1. Commit pushed to .
2. Commit bot at picks up commit and sends it to BuildBot Master.
3. BuildBot uses the git_buildbot.py script to calculate the before/after commit and branch references and tell BuildBot about them.
4. BuildBot executes the build and tells each slave to retrieve the commit and runs the tests. Currently we’re running:

a. All the Unit tests
b. All the RSpec tests

5. We then get the results of the tests on the website and in an email to the new Puppet Builds mailing list.

In addition I’ve also enabled BuildBot’s IRC bot and added a new bot, called pinocchio, to the #puppet channel that reports on build status.

At this stage it’s all in test mode and when I’ve ironed out a few issues we should be in a position to do a production installation at ReductiveLabs and start canvassing for build slaves.

UPDATE

After mucking around with Buildbot I just couldn’t get a whole bunch of issues with resolved so we changed to Hudson as our – which works much better.  The message overall is – and : still a young pair.  I’ve included our configuration below for edification:

# -*- python -*-
# ex: set syntax=python:

# This is a sample buildmaster config file. It must be installed as
# ‘master.cfg’ in your buildmaster’s base directory (although the filename
# can be changed with the –basedir option to ‘mktap buildbot master’).

# It has one job: define a dictionary named BuildmasterConfig. This
# dictionary has a variety of keys to control different aspects of the
# buildmaster. They are documented in docs/config.xhtml .

# This is the dictionary that the buildmaster pays attention to. We also use
# a shorter alias to save typing.
c = BuildmasterConfig = {}

####### BUILDSLAVES

# the ‘slaves’ list defines the set of allowable buildslaves. Each element is
# a tuple of bot-name and bot-password. These correspond to values given to
# the buildslave’s mktap invocation.
from buildbot.buildslave import BuildSlave

c['slaves'] = [BuildSlave("debian", "debian"),
BuildSlave("freebsd", "freebsd"),
BuildSlave("redhat", "redhat")
]

# ‘slavePortnum’ defines the TCP port to listen on. This must match the value
# configured into the buildslaves (with their –master option)

c['slavePortnum'] = 9989

####### CHANGESOURCES

# the ‘change_source’ setting tells the buildmaster how it should find out
# about source code changes. Any class which implements IChangeSource can be
# put here: there are several in buildbot/changes/*.py to choose from.

from buildbot.changes.pb import PBChangeSource
c['change_source'] = PBChangeSource()

####### SCHEDULERS

## configure the Schedulers

from buildbot import scheduler

stable = scheduler.Scheduler(name=”stable”, builderNames=["debian_stable", "freebsd_stable", "redhat_stable"], treeStableTimer=60, branch=”0.24.x”)
dev = scheduler.Scheduler(name=”dev”, builderNames=["debian_dev", "freebsd_dev", "redhat_dev"], treeStableTimer=60, branch=”master”)

c['schedulers'] = [stable, dev]

####### BUILDERS

# the ‘builders’ list defines the Builders. Each one is configured with a
# dictionary, using the following keys:
#  name (required): the name used to describe this bilder
#  slavename (required): which slave to use, must appear in c['bots']
#  builddir (required): which subdirectory to run the builder in
#  factory (required): a BuildFactory to define how the build is run
#  periodicBuildTime (optional): if set, force a build every N seconds

# buildbot//factory.py provides several BuildFactory classes you can
# start with, which implement build processes for common targets (GNU
# autoconf projects, CPAN perl modules, etc). The factory.BuildFactory is the
# base class, and is configured with a series of BuildSteps. When the build
# is run, the appropriate buildslave is told to execute each Step in turn.

# the first BuildStep is typically responsible for obtaining a copy of the
# sources. There are source-obtaining Steps in buildbot/steps/source.py for
# CVS, , and others.

from buildbot. import factory
from buildbot.steps import source, shell

pstable = factory.BuildFactory()
pstable.addStep(source.(repourl=’://.com/jamtur01/puppet.’, branch=’0.24.x’))
pstable.addStep(shell.ShellCommand(command=’rake spec’, name=’Spec Tests’))
pstable.addStep(shell.ShellCommand(command=’rake unit’, name=’Unit Tests’))

pdev = factory.BuildFactory()
pdev.addStep(source.(repourl=’://reductivelabs.com/puppet’, branch=’master’))
pdev.addStep(shell.ShellCommand(command=’rake spec’, name=’Spec Tests’))
pdev.addStep(shell.ShellCommand(command=’rake unit’, name=’Unit Tests’))

debian_stable = {‘name’: “debian_stable”,
‘slavename’: “debian”,
‘builddir’: “debian_stable”,
‘factory’: pstable,
}

debian_dev = { ‘name’: “debian_dev”,
‘slavename’: “debian”,
‘builddir’: “debian_dev”,
‘factory’: pdev,
}

redhat_stable = {‘name’: “redhat_stable”,
‘slavename’: “redhat”,
‘builddir’: “redhat_stable”,
‘factory’: pstable,
}

redhat_dev = { ‘name’: “redhat_dev”,
‘slavename’: “redhat”,
‘builddir’: “redhat_dev”,
‘factory’: pdev,
}

freebsd_stable = {‘name’: “freebsd_stable”,
‘slavename’: “freebsd”,
‘builddir’: “freebsd_stable”,
‘factory’: pstable,
}

freebsd_dev = { ‘name’: “freebsd_dev”,
‘slavename’: “freebsd”,
‘builddir’: “freebsd_dev”,
‘factory’: pdev,
}

c['builders'] = [debian_stable, debian_dev, freebsd_stable, freebsd_dev, redhat_stable, redhat_dev]

####### STATUS TARGETS

# ‘status’ is a list of Status Targets. The results of each build will be
# pushed to these targets. buildbot/status/*.py has a variety to choose from,
# including web pages, email senders, and IRC bots.

c['status'] = []

from buildbot.status import html
c['status'].append(html.WebStatus(http_port=8010))

from buildbot.status import mail
c['status'].append(mail.MailNotifier(fromaddr=”buildbot@reductivelabs.com”,
extraRecipients=["puppet-build@googlegroups.com"],
sendToInterestedUsers=False))

from buildbot.status import words
c['status'].append(words.IRC(host=”irc.freenode.net”, nick=”pinocchio”,
channels=["#puppet"],
password=”password”))

# from buildbot.status import client
# c['status'].append(client.PBListener(9988))

####### DEBUGGING OPTIONS

# if you set ‘debugPassword’, then you can connect to the buildmaster with
# the diagnostic tool in contrib/debugclient.py . From this tool, you can
# manually force builds and inject changes, which may be useful for testing
# your buildmaster without actually commiting changes to your repository (or
# before you have a functioning ‘sources’ set up). The debug tool uses the
# same port number as the slaves do: ‘slavePortnum’.

#c['debugPassword'] = “debugpassword”

# if you set ‘manhole’, you can ssh into the buildmaster and get an
# interactive python shell, which may be useful for debugging buildbot
# internals. It is probably only useful for buildbot developers. You can also
# use an authorized_keys file, or plain telnet.
#from buildbot import manhole
#c['manhole'] = manhole.PasswordManhole(“tcp:9999:interface=127.0.0.1″,
#                                       “admin”, “password”)

####### PROJECT IDENTITY

# the ‘projectName’ string will be used to describe the project that this
# buildbot is working on. For example, it is used as the title of the
# waterfall HTML page. The ‘projectURL’ string will be used to provide a link
# from buildbot HTML pages to your project’s home page.

c['projectName'] = “Puppet”
c['projectURL'] = “http://reductivelabs.com/trac/puppet/”

# the ‘buildbotURL’ string should point to the location where the buildbot’s
# internal web server (usually the html.Waterfall page) is visible. This
# typically uses the port number set in the Waterfall ‘status’ entry, but
# with an externally-visible host name which the buildbot cannot figure out
# without some .

#c['buildbotURL'] = “http://10.0.0.x:8010/”

3 comments »

Posted in buildbot, puppet

Tags:

Flight of the Conchords

June 22nd, 2008

Oh dog. Still laughing. The Flight of the Conchords outside the Australian consulate in New York flipping the bird. I thought the racism against Kiwi’s was a bit predictable but very funny. Needed more Kristen Schaal though.

No comments »

Posted in Blog

Tags:

In Our Name

June 22nd, 2008


“To articulate what is past does not mean to recognize “how it really was.” It means to take control of a memory, as it flashes in a moment of danger. For historical materialism it is a question of holding fast to a picture of the past, just as if it had unexpectedly thrust itself, in a moment of danger, on the historical subject. The danger threatens the stock of tradition as much as its recipients. For both it is one and the same: handing itself over as the tool of the ruling classes. In every epoch, the attempt must be made to deliver tradition anew from the conformism which is on the point of overwhelming it. For the Messiah arrives not merely as the Redeemer; he also arrives as the vanquisher of the Anti-christ. The only writer of history with the gift of setting alight the sparks of hope in the past, is the one who is convinced of this: that not even the dead will be safe from the enemy, if he is victorious. And this enemy has not ceased to be victorious.” – Walter Benjamin, On the Concept of History.

I have had a long and bitter argument with a colleague about the justifications for the use of torture. There was an excellent episode of Compass about the issue. Particularly worth listening closely to are Raimond Gaita‘s discussions on moral philosophy.

The episode should be compulsory viewing for those idiots who claim there is some justification for torture and abuse. There are no grounds, no “ticking bomb” scenario, under which we can condone the use of torture for any purposes.

No comments »

Posted in Uncategorized

Tags: