Sunday, January 28, 2007

OSS support for Croatian language

I was just looking at the Asterisk open source PBX and one of the features of that software is possibility of integration with Festival. Festival is a text to speech synthesis software, freely available on the Internet! And it's quite good piece of software. Using only Festival, or Festival in combination with some other application, like Asterisk, interesting services could emerge.

Now, we come to the point! I searched for possibility to use Croatian language in that application. And guess what, there is no application that supports it. There are quite few application for speech synthesis and none of them, you guessed, has support for Croatian! Actually, there is possibility of adding Croatian to those software using generic support but it's far from usefull.

So, this made me think a bit! What the hell is Croatian Ministry of Sciences and whatever else doing!? Shouldn't at least they care about this aspect of development? Shouldn't they try to invest some money in development of such software? Shouldn't they put out some tender searching for interested parties that would develop such software? Also, the license of that software should be such that afterwards this software could be used in both, open source and commercial applications, e.g. some BSD style license. And not only there is a problem with software for speech synthesis. There's no OCR capable software, syntax and grammar checking are also not well supported, if supported at all, and to talk about voice recognition is to much!

Speaking of syntax checking, thanks to enthusiasts there is some support in open source office applications, but much remains to be done and I believe that investment in that respect would help, but would help to Croatian language – and I believe that's important to the Government and also to the aforementioned Ministry.

Saturday, January 27, 2007

VIP UMTS/EDGE/whatever...

Ok, I prepared this post while I was trying to connect to the Internet and I was very angry! For the problems I have I blame VIP and this post summarizes my experiences with them. I doubt that the others are different. And yes, for those that don't know, VIP is Internet provider in Croatia.

To buy the card and subscription was the least problem and it was quick. Although, I heard that now they require contract for two years instead of one. Probably because they were giving devices for 1 kuna and it turned out that it doesn't pay off. Namely, you could have PCMCIA card that costs about 1800 kuna (cca. 7.5kuna is 1EUR) for already mentioned 1 kuna. Lowest subscription per month is 50 kn, so it turns out that you could have a device for 600kn! Clearly, math was not on their side in that one.

But before I took subscription, the first problem was finding out if devices they offer work on Linux. And finding that information was impossible. Even though I contacted technical support through regular channels and via some friends. So, I took device not knowing if it works and hoping at best. It turned out that with a bit of luck and some hacking it worked! The device is Nozomi, and it can be recognized by NZ letters in serial number. More on that you can find on my homepage.

The second problem was with connecting to VIP. Namely, first it turned out I have to use PAP, and the second problem was that PAP always returns success code, no matter if it succeeded or not!?

After finally overcoming and that obstacle, the next one was random disconnections. Not only that, but I also had problems trying to connect or reconnect to VIP. And now, story leads us to the help desk service. When I called them I never expected to help me resolve problem. How could they when they probably never saw Linux!? I just wanted to find out if they know of some current problems in the network so that I know if the problem is with me, or with them. Well, I never found out if they have a problem. Also, sometimes they blamed CARNet. And the story usually starts with something like: “What you see in the application about signal strength...” and after telling them that I don't have that application, all the further conversation stops. And so much about help desk. Well, to be honest, those interruptions are now rare, but still, they can become very frustrating and actually, they are the reason I'm writing this.

And finally, something about the speed. It's not even close to the promised speed of UMTS! It seems to be good in some larger towns, but at the moment you are in suburbs it drops sharply! It never goes above 50 kbps (that's kilobits), and usually it's around 20 kbps!

All in all, I started to think about using DSL. But it's another story....

Sunday, January 14, 2007

“You will work on the newest technologies”

The title of this entry is actually taken from one ad searching for prospective students to work in a Croatian telecom after graduating. Actually, ad itself is very cleverly thought out and I have to give credit to the one who thought of it. But, there is always doubt that it was actually “taken” from someone else...

What's important about this sentence is how little it actually says and how misleading it is. To work on the newest technologies is very attractive, but, the secretaries working on Word 2007, or whatever latest version is, are also working on the newest technologies! So, in order to find out what this sentence really means, I'm going to dissect it a bit. But before I continue let me stress one thing. I'm talking about average case, and correspondingly, it might be true for the particular telecom, but it also might be false!

The hart of the problem is that the reality of Croatia is the fact that there is almost no development, and everything boils down to giving services and selling something. So, the phrase working on the newest technologies means actually configuring devices or application software products, and if you are particularly unlucky, to sell them! And what is so attractive of being user and/or seller instead of being engineer?! I suppose that students enrolled in electrical engineering and/or computer science courses because they don't treat themselves as users.

Now, you might say that by configuring this devices, or application software, one is actually using it as a tool and doing something new! But let's try again, when we are talking about telecom - and the others are more or less the same, the marketing department is the one who says that company needs another service/product/whatever. Engineering department then reads manuals of available equipment and their capabilities and configures it so that requested service is implemented! Now, where's development in that process?!

And one related thing, namely, there are a plenty of different ads seeking employees and offering work on newest technologies, while the truth is, when you start working, you are only allowed to look into this equipment (if there is any) and, because it is used in production environment, you are not allowed to play with it!

So, to conclude, working on the newest technology in Croatia isn't so exciting for an engineer as it might sound at first.

Thursday, January 4, 2007

BGPlay and whois...

And here comes first "serious" post. :) It's about handy tool called BGPlay.

The purpose of this tool is to visualize AS connectivity in time from some point in the Internet to the given network/AS. Actually, it's Java applet, and you can find it here. I didn't saw link where source, or application, can be downloaded.

First of all, let me try to explain briefly what AS is. Internet consists of different networks connected together. But the real truth is that those networks are first grouped into autonomous systems (AS) and then those autonomous systems form the Internet. More precisely, autonomous system is a collection of (computer) networks that is under single administrative control. Usually, autonomous systems run single interior routing protocol, but not always.

So, armed with this, let's start the applet. It will present you the following dialog:

In field titled prefix, you write network address you are interested in. For example, we can put 161.53.0.0/16, it's prefix for Croatian Academic and Research Network (CARNet). Also, you may wish to change start date field into something earlier than offered by default. After clicking on OK, and some waitinig, you'll be presented with the following window:


This window has four parts. In the left, smaller, pane there is time axis with time running from bottom up. Values ploted on this axis represent number of changes in AS conectivity. In the right pane, the biggest one, there is drawn graph with shown connectivity of our network. Actually, it's not network shown, but AS to which out network belongs. This AS is marked red and it has number 2108. At the bottom of this window there are some controls that allow control of connectivity visualisation. Finally, at the top, you can see what's drawn at some particular moment.

So, start visualisation by pressing play button. What you'll see is how route change between different ASes, either because they are withdrawn, announced, or just changed. On the top pane in window is message that states what exactly happened. And, in the left pane, you can see arrow going up, meaning that the time is running.

So, nice, but there is something else that can be seen from this figure, and that is, with whom particular AS is connected. Looking at the figure, you see that two ASes domine in connectivity with our AS, AS1299 and AS3356. So, let's find out who's behind those ASes. For that purpose we'll use whois utility.

Run the following query in the Linux command line:

$ whois AS1299

After some short time you'll get output. There are few interesting peaces. The first one is the following:

aut-num: AS1299
as-name: TELIANET
descr: TeliaNet Global Network
descr: Telia International Carrier

This gives us idea who is behind this AS. It's TeliaNet, and after some simple googling, we find that it's internet provider from Sweden. Actually, googling reveals much more that this about TeliaNet, but that's unimportant for now.

The other important part of the output is:

remarks: 1299:210x Peers at VIX

which indicates us that CARNet is peering with TeliaNet at VIX peering exchange. Again, some small amount of googling, and we find it's Vienna Internet Exchange. Actually, search term was "VIX internet exchange", since searching only for VIX gives false results.

I'll leave searching for other AS to you.

There are also some caveats with this approach. You can not find out exact connectivity of some AS because peering arrangements are usually not propagated into BGP and thus, there is no way for this software to find out those connections.

Still, this is very interesting piece of software with only one shortcoming I found during this short period of it's use. There is no zoom button or anyhting like that!

My first entry, something about design...

So, I just managed to chose template. The simpler the better. The other problem is that currently I'm using UMTS/GPRS to access Internet and it's sloooooooooow! And that's enough to make me very nervous. So, no fancy features for now. Anyway, in time I hope I'll customize these pages better.

And I'm still figuring out what can I do with this blog system.

vi tips & tricks

Note: This post has been transferred from my old home page on January 4th, 2020 and the date of the publication is only approximate.

Stuff collected from different places. Majority of this came from the one Slashdot discussion. I don't know if there is something like Did you know... welcome screens (fortune might be, I'll have to check) but from this stuff I would like to write it at some point.
All your comments, criticisms and a like please send me on my e-mail address!

Spelling checking

Enabling spell checking

To enable spell checking in vi just execute the following command:
:setlocal spell
This will enable spell checking of English language. You can also ask for suggestions. Just place cursor on misspelled word and press z=. You'll be provided with a list of suggestions you can select from.

Installing spell files

vi, at least in Fedora, comes without any spell checking dictionary except for English. In order to be able to spell check Croatian and other languages you have to run vi as a root and then try to enable spell checking in a language you need, e.g. for Croatian:
:setlocal spell spelllang=hr_HR
vi will then ask you if you wish to download dictionaries for hr language and guide you through the installation process, which is very simple.

Links to other similar sites

[20120610] Best of Vim Tips
VI wiki with tips
Scripting the Vim editor, Part 1: Variables, values, and expressions
Best of Vim Tips
Vim anti-patterns

OVAL definitions for Fedora

Note: This post has been transferred from my old home page on January 4th, 2020 and the date of the publication is only approximate.
... or to be honest, a start of OVAL definitions for F9F14 and CentOS, i.e. work in (very long) progress. I'm just learning how to use this technology, and if it's of any use at all! :)
In short, OVAL is a XML based specification language for vulnerability assessment. It is already used by different vendors and it will probably see wider adoption as NIST is pushing OVAL as a part of automated solution for vulnerability assessment and management. For example, RedHat publishes vulnerability advisories in OVAL format.
I have to stress that I didn't yet fully learned the idea behind OVAL as well as the technology used so there is a high probability of errors in the following text. If you spot an error please mail me the correction!

What is OVAL and how to use it

As I already said, OVAL is a language that describes checks to be performed on a system in order to determine if any vulnerability is present on it, either to a software bug or to a configuration setting. This is performed via tool in a package called ovaldi, which is available in Fedora's RPM repository. So, you should install it as usual using the yum command. After installation process finishes, you'll have command line tool called, surprisingly, ovaldi! :) The next thing you need in order to use this tool are definitions of vulnerabilities. Unfortunately, there are no vulnerability descriptions for Fedora in OVAL form. I'll try to make few, for Fedora and CentOS. In case I missed some repository, please notify me via e-mail message! While we are at CentOS, it's possible that RedHat's OVAL definitions could be used with a little bit of hacking, but I didn't try it so it could prove false!
Anyway, in order to try ovaldi tool you need OVAL definitions. You can use RedHat's but all the results will be false which is expected as you are not running RedHat on your computer. So, in order for you to try oval, download this definition file I prepared. It is very simple OVAL definition and only checks which version of Fedora is installed on the computer, 8 or 9.

Running ovaldi

To run ovaldi it has to have schema definitions. Now, this is interesting as those are placed in the /usr/share/ovaldi directory but the tool looks for them in the current directory.
Even more interesting is that I can't seem to identify option that would allow me to change schema path. To get around this problem, copy all the content from the /usr/share/ovaldi directory into current directory. Be carefull to create separate working directory for this or otherwise you'll have a mess on your disk!
There are two ways to define where schema files will be searched. The first one is using the option -a. The default value for this option is /usr/share/ovaldi but for some reason this value is not used, i.e. ovaldi tool can not find schema files. The other, and not so good(!), approach is to encode path in the XML file itself. This approach will be described later.
Now, run the ovaldi tool as follows:

$ ovaldi -o fedora.9.oval.xml -m

Note that in real situations is could be possible that you'll have to run ovaldi as root since it could try to access data not accessible to ordinary users. In this case it is not necessary as the tests are very simple.
The output from the command on the Fedora 9 will be:

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.4 Build: 2
Build date: Jun  7 2008 15:06:57
Copyright (c) 2002-2008 - The MITRE Corporation
----------------------------------------------------

Tue Jul  8 17:00:52 2008

 ** parsing fedora.9.oval.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.4
 ** skipping Schematron validation
 ** creating a new OVAL System Charateristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                        
 ** saving data model to system-characteristics.xml.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                        
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.fedoraproject.oval:def:1       true           
    oval:org.fedoraproject.oval:def:2       false          
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: results_to_html.xsl.

----------------------------------------------------

The part that is in bold shows the results of two tests. The one that is true is a test for Fedora 9, while the other one is the test for Fedora 8. Apart from the output on stdout there are few files created along the way, those are:

  • results.html is HTML version of the results. I slightly modified this file in order to remove IP addresses, but otherwise it is untouched!
  • results.xml is XML version of the previous file.
  • results_to_html.xsl
  • system-characteristics.xml is where you'll find some data that the tests run against. It is usefull for debugging purposes!
  • ovaldi.log is basically what was seen on the stdout.

What's in the OVAL file

The simple OVAL file I provided checks if Fedora 8 or 9 is running on the computer where ovaldi is started. So, before going further open it in some text or XML editor. Few notes to bare in mind while we step through this file:

  • I wrote it based on RedHat's definition so there are some references on RedHat left in the file. I think they are harmless, and also, I don't (yet) know what to place there.
  • As an ID for all the stuff in the file I used org.fedoraproject.oval namespace!

General structure of OVAL definition file

The file has the following general structure:
First there is XML PI element that defines it's XML version 1.0 as well as that UTF-8 coding is used.
Top level element is oval_definitions and it has attributes with schemas that I just c/p!
The first element is generator. I didn't changed it, but I suppose it's for metadata about file itself, e.g. who created it, with what tool, etc.
Then there are the following important four parts:

  1. definitions that define checks to be performed.
  2. tests defines basic tests to be performed.
  3. objects are the elements on which tests are performed. For example, if version of some package is checked, then the object is the package.
  4. states are states that are checked on objects. For example, certain package is an object, version is a state. Probably it could be more complicated than that, but this is enough to get and idea.

Example OVAL definition file

So what we have in the example file? We are determining the exact version of Fedora running on the test computer and this is done by looking what the version (state) of the package fedora-release is present. Thus, the object is the package, and the state is either version 8 or 9.
In the example file, the object is specified in the objects part of the definition file as follows:

<rpminfo_object id="oval:org.fedoraproject.oval:obj:1"
		version="1" comment="the fedora-release rpm"
		xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <name>fedora-release</name>
</rpminfo_object>

rpminfo_object element is predefined in OVAL library and it's used to query RPM objects, i.e. packages. In our case, we are querying for package with the name fedora-release. The attribute id is used for referencing this definition in other parts of the file!
The other part of the equation, states, are defined within the states element of the OVAL definition file as follows:

  <rpminfo_state id="oval:org.fedoraproject.oval:ste:1"
	version="1"
	xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
    <version operation="pattern match">9<version>
  <rpminfo_state>

  <rpminfo_state id="oval:org.fedoraproject.oval:ste:2"
	version="1"
	xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
    <version operation="pattern match">8<version>
  <rpminfo_state>

The state simply matches the version variable (identified by the version attribute) with number 8 (for Fedora 8) or 9 (for Fedora 9). Also, id attributes are used for referencing those states in other parts of the file.
Now, we have two tests. One that checks for Fedora 8 and another one for Fedora 9. Those go within tests element.

<rpminfo_test id="oval:org.fedoraproject.oval:tst:1" version="1"
	comment="Fedora 9 is installed"
	check_existence="at_least_one_exists" check="at least one"
	xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <object object_ref="oval:org.fedoraproject.oval:obj:1"/>
  <state state_ref="oval:org.fedoraproject.oval:ste:1"/>
<rpminfo_test>

<rpminfo_test id="oval:org.fedoraproject.oval:tst:2" version="1"
	comment="Fedora 8 is installed"
	check_existence="at_least_one_exists" check="at least one"
	xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <object object_ref="oval:org.fedoraproject.oval:obj:1"/>
  <state state_ref="oval:org.fedoraproject.oval:ste:2"/>
<rpminfo_test>

Note that each of those two tests simply says that object referenced by the object element has to be in the state referenced by the state element. So, what we have here are two tests that check if a single object is in the one state and then in the other.
Finally, beacuse both tests have to be executed, and the results of each one of them has to be printed, there are two definitions. If we are interested in some logical combination of the two tests we could write them in a single definition. So, the definition that checks for Fedora 9 is within definitions element and has the following structure:


<definition id="oval:org.fedoraproject.oval:def:1" version="1" class="inventory">
  <metadata>
    <title>The operating system installed on the system is Fedora 9<title>
    <affected family="unix">
          <platform>Fedora 9<platform>
    <affected>
    <reference source="CPE" ref_id="cpe:/o:redhat:enterprise_linux:3::ix86"/>
    <description>The operating system installed on the system is Fedora 9<description>
    <oval_repository>
      <dates>
        <submitted date="2008-01-12T14:07:00">
          <contributor organization="University of Zagreb, FER">Stjepan Groš<contributor>
        <submitted>
        <status_change date="2008-07-08T13:56:57.725+02:00">DRAFT<status_change>
      <dates>
      <status>DRAFT<status>
    <oval_repository>
  <metadata>
  <criteria>
    <criterion comment="Fedora 9 is installed" test_ref="oval:org.fedoraproject.oval:tst:1"/>
  <criteria>
<definition>

Esentially, the part in criterion element references tests that have to be performed in order to determine whether vulnerability is present or not.

Implementing sysctl checks in OVAL

On one occasion I had to do a security analysis of a CentOS server. In order to do that as best as I can, I found document Guide to the Secure Configuration of Red Hat Enterprise Linux 5 that I took as a starting point in doing security analysis. Then, I realised that by manually checking what's done isn't going to be enough for two reasons:
  1. There are another servers that I want also to check and it's going to be too much work so I have to automate somehow this whole process.
  2. Also, once the things are configured it has to be regularity verified, which is also to be problematic if done manually.
So I decided to write OVAL checks that will be customized for each server and that will be periodically run in order to very if security settings are in place.
Of course, it want' be easy as there is lot to learn in order for me to be able to write OVAL security checks. So, I'm going to write here what and how I did.

Checking sysctl variables

In section 2.5.1.1 of the Guide to the Secure Configuration of Red Hat Enterprise Linux 5 there is recommendation for the following sysctl values:
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
It turns out that in the version 5.9 of OVAL there is sysctl test available. So until it is available in Fedora I'll have to wait.

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive