BSDCan Day 2

by Dru Lavigne

Related link: http://www.bsdcan.org/2005/



The first talk I attended today was Chris Vance of the TrustedBSD project on the port of SELinux to FreeBSD. Chris works for Sparta Inc., an R&D lab which most of you will probably recognize by one of its earlier names: NAI labs or McAfee Research. Until the talk I was unaware that the same lab that produces SELinux is also responsible for the FreeBSD MAC framework and the SEDarwin Policy Module. In a nutshell, these 3 projects have the same goal of augmenting the traditional Unix DAC-style permissions with MAC/RBAC policy modules. Chris covered the reasoning for providing a modular framework, some of the cleanup work that was required to introduce the framework and the future goals of the project. He also gave insight on how the experience gained from implementing the Linux version benefited the FreeBSD version which in turn is benefiting the Darwin version. He also described some of the extra modifications required for Darwin because of the Mach kernel. Being used to the FreeBSD MAC terminology, I gained some knowledge of the equivalent Linux terminology which will help when I administer Linux systems.

During the next talk, I learned that the entertaining speaker with the hearty laugh that can be heard across a crowded noisy bar was Bob Beck, author of OpenBSD's spamd. His talk was also very practical and demonstrated how minimalistic code which provides whitelisting, greylisting and blacklisting can provide an effective defense against spam without resorting to the delaying effects of DNS lookups. Now that pf is available in FreeBSD and spamd is a port, this is something I'll definitely be trying out for myself. Watch the FreeBSD Basics Column to see how things went.

On break, Michael Lucas had mentioned that he would go insane if he had to eat yet another meal at a pub. We also discovered that Greg Lehey had always wanted to try shwarma. Since downtown Ottawa has a minimum of 3 shwarma shops on every block we decided that lunch would be when we'd introduce Greg to this tasty treat. Greg wasn't disappointed.

Afterwards, we decided to walk a block to the nearest Chapters to see whose books would be on display. (Yes, authors are weird when they get together.) It is sorta sad to watch 3 technical authors scour the shelves of a shrinking technical section in search of a BSD book. We're sad to report that not even one such book was present and took pictures to commemorate the event. We were surprised to instead discover 2 HP-UX books. We then wandered to the networking section where we found one copy of Cisco Routers for the Desperate and watched Michael Lucas do his happy dance. After escalating jokes on which sections probably did contain our books (which I won't repeat here), we headed back to take in the afternoon talks.

Ike Levy's talk on jailing with FreeBSD did not disappoint. (For the curious, Ike created the logo for that site and it represents Beastie dreaming of root while in jail.) Ike is one of those rare souls who is equally talented in the artistic and technical sides of his brain. This quickly became apparent when he used a Mandelbrot Julia set to help the audience visualize the virtualization provided by a jail.

Ike then went on to explain the reasons for using a jail, when not to use a jail and provided a walk-through of creating and maintaining a jail. He also provided some useful been-there-done-that caveats to watch out for when working with jails.

Poul-Henning Kamp, the author of jail, was also in the audience and provided some useful input regarding the development and future goals of jail.

The final talk of the day was by FreeBSD's Security Officer, Jacques Vidrine. He described VuXML, an XML-based document format for describing security issues that affect a software collection. He described the reasoning for creating the format and how it compares to existing formats.

If you follow FreshPorts, you've already seen VuXML in action. Ports which have security issues are marked with a warning skull icon.

The format itself is easy to learn and documented here.

The conference ended with an all-conference assembly. Again, I have a recording of this and will give the URL once it is online. It started with a random draw for several different T-shirts and books. Dan also made note that the random draw was accomplished using misc/shuffle in the ports collection.

Chris Coleman of BSDMall donated a painting by his talented wife for auction. It was a picture of an "Apache Daemon" entitled "We Were Here First". For a visual, envision Beastie in a headdress looking majestically over an escarpment. George Rosamond of NYCBug was the auctioneer. After a slow start, NetBSD's security officer David Maxwell and FreeBSD's Scott Long started some intense bidding around the $100 mark. With some humorous egging on from the crowd and some exciting moments, the painting was sold for $150 to David Maxwell.

Afterwards, Matthew Wilcox held a key-signing session. An interesting turn of events occurred when we discovered the Real Tom Rhodes.

Before meeting the rest of the gang at Paddy Boland's (yet another Ottawa pub), we agreed to take Greg Lehey to an amazing Indian restaurant down the street for supper. Apparently Thai food is very good down under, but one is hard pressed to find a good Indian restaurant. So Greg, Murray Stokely, Brad Davis, Michael Lucas, Robert Bernier and my boss headed off to Haveli for some good conversation over an Indian feast.

We then headed off to Paddy Boland's to say our goodbyes to those that would be leaving town before Sunday's breakfast get-together.