Re: Removal of old projects from fedorahosted.

2008-09-10 Thread Jeremy Katz
On Tue, 2008-09-09 at 22:44 -0500, Mike McGrath wrote:
 So it seems I'm alone here; if we have to keep everything forever, that's
 what it'll be.  I'll just have to see to it we have the resources and
 backup materials in the future when that time comes.  I have a question
 and a suggestion for people.
 
 1) What do we do with projects to which no owner or responsible party can
 be found?  This caused major headaches during the elvis move...  headaches
 we still have today.  What would you have us do?

I think the idea of making them read-only/owned by an admin type group
seems reasonable at first blush.  It doesn't get rid of all of the
problems, but it does help with a number of them.

 2) Right before we start removing projects is _not_ the time to discuss
 the policy.  When the policy is put in place... that's the time to discuss
 it.

I don't disagree at all.  I must have missed the initial discussion in
my sea of mail or I would have chimed in then :-/  

Jeremy

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


Re: Removal of old projects from fedorahosted.

2008-09-10 Thread Mike McGrath
On Wed, 10 Sep 2008, Jeremy Katz wrote:

 On Tue, 2008-09-09 at 22:44 -0500, Mike McGrath wrote:
  So it seems I'm alone here; if we have to keep everything forever, that's
  what it'll be.  I'll just have to see to it we have the resources and
  backup materials in the future when that time comes.  I have a question
  and a suggestion for people.
 
  1) What do we do with projects to which no owner or responsible party can
  be found?  This caused major headaches during the elvis move...  headaches
  we still have today.  What would you have us do?

 I think the idea of making them read-only/owned by an admin type group
 seems reasonable at first blush.  It doesn't get rid of all of the
 problems, but it does help with a number of them.

  2) Right before we start removing projects is _not_ the time to discuss
  the policy.  When the policy is put in place... that's the time to discuss
  it.

 I don't disagree at all.  I must have missed the initial discussion in
 my sea of mail or I would have chimed in then :-/


No worries, I can admit to blowing my top last night, long day.  We'll
figure something out.  Taking a step back, my core concerns are code for
which no one is responsible and what to do about that code, _especially_
if it's still in use somewhere.  It actually complicated the move away from
elvis quite a bit and I want to make sure that doesn't happen again.

We can look at that philosophically and practically.

-Mike



Re: Removal of old projects from fedorahosted.

2008-09-10 Thread Paul W. Frields
On Wed, 2008-09-10 at 09:57 -0500, Mike McGrath wrote:
 On Wed, 10 Sep 2008, Jeremy Katz wrote:
 
  On Tue, 2008-09-09 at 22:44 -0500, Mike McGrath wrote:
   So it seems I'm alone here; if we have to keep everything forever, that's
   what it'll be.  I'll just have to see to it we have the resources and
   backup materials in the future when that time comes.  I have a question
   and a suggestion for people.
  
   1) What do we do with projects to which no owner or responsible party can
   be found?  This caused major headaches during the elvis move...  headaches
   we still have today.  What would you have us do?
 
  I think the idea of making them read-only/owned by an admin type group
  seems reasonable at first blush.  It doesn't get rid of all of the
  problems, but it does help with a number of them.
 
   2) Right before we start removing projects is _not_ the time to discuss
   the policy.  When the policy is put in place... that's the time to discuss
   it.
 
  I don't disagree at all.  I must have missed the initial discussion in
  my sea of mail or I would have chimed in then :-/
 
 
 No worries, I can admit to blowing my top last night, long day.  We'll
 figure something out.  Taking a step back, my core concerns are code for
 which no one is responsible and what to do about that code, _especially_
 if it's still in use somewhere.  It actually complicated the move away from
 elvis quite a bit and I want to make sure that doesn't happen again.
 
 We can look at that philosophically and practically.

I think your concerns are really rational and well-placed.  Hope we
didn't get too irksome, and thanks for deconfusifying (a favorite
made-up word) the scenarios about how FI would approach de-listing.

-- 
Paul W. Frields
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://paul.frields.org/   -  -   http://pfrields.fedorapeople.org/
  irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug




Outage Notification - 2008-09-13 01:00 UTC

2008-09-10 Thread Dennis Gilmore
There will be an outage starting at 2008-09-13 01:00 UTC, which will
last approximately 1 hour.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2008-09-13 01:00 UTC'

Affected Services:
Buildsystem

Unaffected Services:
Websites
Database
CVS / Source Control
DNS
Mail
Torrent


Ticket Link:
https://fedorahosted.org/fedora-infrastructure/ticket/830

Reason for Outage:
Update koji to 1.2.6.  It will enable us to turn garbage collection back on.

Contact Information:

Please join #fedora-admin in irc.freenode.net or respond to this email
to track the status of this outage.





Orientation page

2008-09-10 Thread Mike McGrath
Hey guys I threw together a standard orientation page for new members.
Take a look and let me know what pieces you think are missing and fix
whatever problems you find.

http://fedoraproject.org/wiki/Infrastructure/SOP/Orientation

-Mike



Re: Orientation page

2008-09-10 Thread susmit shannigrahi
 Take a look and let me know what pieces you think are missing and fix
 whatever problems you find.

Mailing list address is not mentioned :)


-- 
Regards,
Susmit.

=
ssh
0x86DD170A
http://www.fedoraproject.org/wiki/user:susmit
=



Re: Orientation page

2008-09-10 Thread TJ Davis
Perhaps the standard meeting day/time could be included?

Tj

On Wed, Sep 10, 2008 at 12:37 PM, Mike McGrath [EMAIL PROTECTED] wrote:
 Hey guys I threw together a standard orientation page for new members.
 Take a look and let me know what pieces you think are missing and fix
 whatever problems you find.

 http://fedoraproject.org/wiki/Infrastructure/SOP/Orientation

 -Mike





SELinux status update

2008-09-10 Thread Luke Macken
Over the past few months, I've been working closely with Dan Walsh and
Mike McGrath to solidify our SELinux deployment.  We're not yet to the
point where we can flip every system into enforcing mode, but we're
getting close.

We're at the point now where we can pretty much do everything we need to
do via our puppet configuration, and we've created a handful of
constructs that can be used to configure various aspects of SELinux, for
example:

== Setting custom context

semanage_fcontext { '/var/tmp/l10n-data(/.*)?':
    type => 'httpd_sys_content_t'
}

== Toggling booleans

selinux_bool { 'httpd_can_network_connect_db': bool => 'on' }

== Allowing ports

semanage_port { '8081-8089': type => 'http_port_t', proto => 'tcp' }

== Deploying custom policy

semodule { 'fedora': }

I created a custom 'fedora' selinux module that is loaded on all systems
(that are configured with 'include selinux').  This module exists to fix
various issues custom to our environment, and to cover up minor
annoyances such as leaky file descriptors.

So, now it's just a matter of hunting down the existing issues, and
fixing them in puppet or in the SELinux policy.  I've been keeping our
infrastructure ahead of the RHEL5 selinux-policy, as Dan has fixed a lot
of our issues in his rpms.

I threw together a basic SOP for our SELinux configuration here:

https://fedoraproject.org/wiki/Infrastructure/SOP/SELinux

You can keep up to date on our SELinux deployment status here:

https://fedorahosted.org/fedora-infrastructure/ticket/230

Cheers,

luke




Intrusion Detection System

2008-09-10 Thread Luke Macken
Hey all,

A couple of weeks ago I did an initial deployment of an Intrusion
Detection System in our infrastructure.  It utilizes the prelude stack,
and is currently powered by auditd and prelude-lml events.  Audit gives
us a ridiculous amount of power with regard to monitoring
everything that happens on a system.  Prelude-lml, out of the box
using its pcre plugin, is able to watch a large variety of service
logs, including many things we are running (asterisk, mod_security,
nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
sudo).  Prewikka is the web-based frontend
(https://admin.fedoraproject.org/prewikka).

I created a new 'prelude' puppet module that contains the
configuration for audit, auditsp-plugins, libprelude,
prelude-manager, prewikka, prelude-correlator, and prelude-lml.
Turning a node/servergroup into a sensor entails adding the
following to your class definition: 'include prelude::sensor::audisp'.
My initial deployment entailed setting up the prelude-manager
and correlator on a single box, and hooking up a single sensor
(bastion).

So, we're now at the point where we can fine tune our audit rules
before we further deploy this infrastructure.

Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on
  which machines.
- What events do we want to escalate?

I opened an infrastructure ticket to track this deployment here:

 https://fedorahosted.org/fedora-infrastructure/ticket/833

Suggestions, comments, and ideas are welcome.

Cheers,

luke




Re: SELinux status update

2008-09-10 Thread Stephen John Smoogen
2008/9/10 Luke Macken [EMAIL PROTECTED]:
 Over the past few months, I've been working closely with Dan Walsh and
 Mike McGrath to solidify our SELinux deployment.  We're not yet to the
 point where we can flip every system into enforcing mode, but we're
 getting close.


Very very very cool. I look forward to reading through all the puppet
side of things.





-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. The Merchant of Venice



Re: Intrusion Detection System

2008-09-10 Thread Stephen John Smoogen
2008/9/10 Luke Macken [EMAIL PROTECTED]:
 Hey all,

 A couple of weeks ago I did an initial deployment of an Intrusion
 Detection System in our infrastructure.  It utilizes the prelude stack,
 and is currently powered by auditd and prelude-lml events.  Audit gives
 us a ridiculous amount of power with regard to monitoring
 everything that happens on a system.  Prelude-lml, out of the box
 using its pcre plugin, is able to watch a large variety of service
 logs, including many things we are running (asterisk, mod_security,
 nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
 sudo).  Prewikka is the web-based frontend
 (https://admin.fedoraproject.org/prewikka).


For the EL-5 systems, did you need to update audit from what is
provided by RHEL-5.2? It looked like it would be needed when I talked
with Steve Grubb because it required stuff that had not been ported to
EL-5. I would be interested in helping you test/document this. Where
can I start?


-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. The Merchant of Venice



Re: Intrusion Detection System

2008-09-10 Thread Luke Macken
On Wed, Sep 10, 2008 at 06:29:38PM -0600, Stephen John Smoogen wrote:
 2008/9/10 Luke Macken [EMAIL PROTECTED]:
  Hey all,
 
  A couple of weeks ago I did an initial deployment of an Intrusion
  Detection System in our infrastructure.  It utilizes the prelude stack,
  and is currently powered by auditd and prelude-lml events.  Audit gives
  us a ridiculous amount of power with regard to monitoring
  everything that happens on a system.  Prelude-lml, out of the box
  using its pcre plugin, is able to watch a large variety of service
  logs, including many things we are running (asterisk, mod_security,
  nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
  sudo).  Prewikka is the web-based frontend
  (https://admin.fedoraproject.org/prewikka).
 
 
 For the EL-5 systems, did you need to update audit from what is
 provided by RHEL-5.2? It looked like it would be needed when I talked
 with Steve Grubb because it required stuff that had not been ported to
 EL-5. I would be interested in helping you test/document this. Where
 can I start?

Yep, RHEL's audit is not compiled with '--enable-prelude', so I respun
F-9's.  I also built rawhide's prelude stack.  All of these packages are
in the fedora-infrastructure repo.

As far as testing goes, I recommend setting up the stack on your home
network to get familiar with it
(http://people.redhat.com/sgrubb/audit/prelude.txt).

As for documentation, we definitely need to throw together a SOP, and
maybe some sort of audit policy for all of our various server groups.
Before we start tweaking out our audit rules, we should probably start
by defining security policies for our various systems so we can turn
them into audit rules and selinux policy.

luke
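As an added example (not from this thread or from Fedora Infrastructure's puppet modules), the Python below sketches the step Luke describes in both IDS messages: a hypothetical per-servergroup watch policy is rendered into auditctl file-watch rules, and constructed audit records are triaged by their "-k" key into escalate/record/ignore buckets. The policy, key names and sample records are all assumptions made for the example.

```python
"""Added example: per-servergroup watch policy -> auditd rules -> record triage."""
import re

# Hypothetical policy: servergroup -> {path: (permissions, key)}.  The key is the
# auditctl "-k" tag that later appears as key="..." in each matching audit record.
POLICY: dict[str, dict[str, tuple[str, str]]] = {
    "bastion": {
        "/etc/ssh/sshd_config": ("wa", "sshd_conf"),
        "/etc/sudoers": ("wa", "sudoers"),
        "/etc/shadow": ("wa", "identity"),
    },
}

# Keys whose records should be escalated rather than merely stored (assumption).
ESCALATE = {"sudoers", "identity"}

KEY_RE = re.compile(r'\bkey="([^"]+)"')


def audit_rules(group: str) -> list[str]:
    """Render 'auditctl -w' file watches for one servergroup, sorted by path."""
    return [f"-w {path} -p {perms} -k {key}"
            for path, (perms, key) in sorted(POLICY[group].items())]


def triage(records: list[str]) -> dict[str, list[str]]:
    """Bucket audit records: escalate, record, or ignore (no watch key present)."""
    out: dict[str, list[str]] = {"escalate": [], "record": [], "ignore": []}
    for rec in records:
        m = KEY_RE.search(rec)
        if m is None:                      # not produced by one of our watches
            out["ignore"].append(rec)
        elif m.group(1) in ESCALATE:
            out["escalate"].append(rec)
        else:
            out["record"].append(rec)
    return out


# Constructed sample records in auditd's key=value layout (not real log data).
SAMPLE = [
    'type=SYSCALL msg=audit(1221008400.123:42): syscall=2 success=yes uid=0 comm="vi" key="sudoers"',
    'type=SYSCALL msg=audit(1221008401.456:43): syscall=2 success=yes uid=0 comm="vi" key="sshd_conf"',
    'type=SYSCALL msg=audit(1221008402.789:44): syscall=2 success=no uid=500 comm="vi" key="identity"',
    "type=USER_LOGIN msg=audit(1221008403.000:45): pid=1234 uid=0 acct=\"root\" exe=\"/usr/sbin/sshd\" res=failed",
]

if __name__ == "__main__":
    print("\n".join(audit_rules("bastion")))
    for bucket, recs in triage(SAMPLE).items():
        print(f"{bucket}: {len(recs)}")
```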
