Enabling Kernel Samepage Merging (KSM)
by Sven Vermeulen, post on Thu 09 May 2013

When using virtualization extensively, you will pretty soon hit the limits of your system (at least, the resources on it). When the virtualization is used primarily for testing (such as in my case), the limit is memory. So it makes sense to seek memory optimization strategies on such systems. The …
Overview of Linux capabilities, part 3
by Sven Vermeulen, post on Mon 06 May 2013

In previous posts I talked about capabilities and gave an introduction to how this powerful security feature within Linux can be used (and also exploited). I also covered a few capabilities, so let's wrap this up with the remainder of them.
- CAP_AUDIT_CONTROL
- Enable and disable kernel auditing; change auditing filter …
Overview of Linux capabilities, part 2
by Sven Vermeulen, post on Sun 05 May 2013

As I've (at a very high level) described capabilities and talked a bit about how to work with them, I started with a small overview of file-related capabilities. So next up are process-related capabilities (note, this isn't standard terminology, more a categorization that I do myself).
- CAP_IPC_LOCK
- Allow the …
Overview of Linux capabilities, part 1
by Sven Vermeulen, post on Sat 04 May 2013

In the previous posts, I talked about capabilities and how they can be used to allow processes to run in a privileged fashion without granting them full root access to the system. An example given was how capabilities can be leveraged to run ping without granting it setuid root rights …
Restricting and granting capabilities
by Sven Vermeulen, post on Fri 03 May 2013

As capabilities are a way of running processes with some privileges, without needing to grant them root privileges, it is important to understand that they exist, not only if you are a system administrator but also as an auditor or in another security-related function. Having processes run as a non-root user …
Capabilities, a short intro
by Sven Vermeulen, post on Thu 02 May 2013

Capabilities. You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …
Simple drawing for I/O positioning
by Sven Vermeulen, post on Thu 18 April 2013

Instead of repeatedly trying to create an overview of the various layers involved with I/O operations within Linux on whatever white-board is in the vicinity, I decided to draw one up in Draw.io that I can then update as I learn more from this fascinating world. The drawing's …