USENIX LISA 15

Washington Marriott Wardman Park

2660 Woodley Road NW, Washington, DC 20008

Sysadmins and Their Role in Cyberwar: Why Several Governments Want to Spy on and Hack You, Even If You Have Nothing to Hide

9:00 am-10:30 am, Keynote Address, Christopher Soghoian, Principal Technologist, American Civil Liberties Union

I explain technology and surveillance to lawyers.

“I have nothing to hide” so why up my security?

You are targets, whether you like it or not.

Even if you have nothing to hide, you are still useful.

Governments with budgets in the billions are willing to compromise individuals who have done nothing wrong themselves, as a means to an end, in order to gain access to the information those individuals can reach.

Things you can do as somebody with access to make yourself a harder target:

  • Signal - Private Messenger for iOS and Android (How to: Use Signal on iOS)
  • Encrypt by default
  • Penetration-resistant OSes such as Qubes
  • The Linux kernel team is focused on performance and reliability, not as much on security, as outlined in the Washington Post article "The kernel of the argument". Microsoft took a lot of heat early on for being insecure, but they have greatly advanced their security practices. Linux needs to increase its kernel-level security efforts as well.

Docker Tutorial

11:00 am-12:30 pm, Mini Tutorial, John Willis, Docker - @botchagalupe

This is a one-day class that's hard to fit into 3 hours. The examples in the PDF are easy to do without instructor help.

OS Level Virtualization - class of virtualization for Docker

Realizing Linux Containers (LXC) - Hypervisors vs containers

Docker Machine is a client for building Docker hosts (see the doc on installing it).

Why Docker? Isolation, Lightweight, Simplicity, Workflow, and Community

Docker Client and Daemon of Docker Engine - docker version

Docker images are read-only templates used to create containers, which are isolated application platforms.

A registry (e.g. Docker Hub) contains various repositories for images.

Docker installations are supported on many Linux platforms (installation script). Note that if you use the default OS repositories you will likely get an older version.

To run docker commands without sudo you just need to add your user to the docker group. Membership in that group is effectively root-equivalent on the host, so treat it like sudo access.

Install Toolbox on Windows and Mac

docker run does two things: it creates the container from the image we specify, and it runs the container. It has two important flags: -i connects STDIN to the terminal and -t allocates a pseudo-terminal.

docker exec is a much cleaner way to attach to and detach from a Docker container.

docker inspect is how you get all of the metadata for a container.
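The following is an added example (not from the talk or the Docker project) that audits the metadata docker inspect returns for settings that weaken container isolation. The JSON is a constructed sample in the shape of docker inspect output, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output
# (a JSON array with one object per container); all values are made up.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "Config": {"User": "app"},
   "HostConfig": {"Privileged": false, "CapAdd": null,
                  "NetworkMode": "bridge", "PidMode": ""},
   "Mounts": [{"Source": "/srv/web", "Destination": "/data", "RW": false}]},
  {"Name": "/ci-runner", "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"],
                  "NetworkMode": "host", "PidMode": "host"},
   "Mounts": [{"Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]}
]
""")

def audit_container(c):
    """Return a list of findings for one `docker inspect` object."""
    findings = []
    host = c.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged mode")
    for cap in host.get("CapAdd") or []:      # CapAdd is null when unset
        findings.append(f"added capability {cap}")
    for key, label in (("NetworkMode", "network"), ("PidMode", "PID")):
        if host.get(key) == "host":
            findings.append(f"shares host {label} namespace")
    for m in c.get("Mounts") or []:
        if m.get("Source", "").endswith("docker.sock"):
            findings.append("Docker socket mounted (controls the daemon)")
        elif m.get("Source") == "/" and m.get("RW"):
            findings.append("host root mounted read-write")
    # An empty Config.User means the container process runs as root.
    user = (c.get("Config") or {}).get("User", "")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root")
    return findings

def audit(inspect_output):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

On a real host, pass audit() the parsed JSON from docker inspect run over the container IDs that docker ps -q lists.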

Automated Build and Deployment of Docker Hosts and Containers

2:00 pm-3:30 pm, Mini Tutorial, Bill Fraser and Dimitrios Liappis, Pythian @wmjfraser

LISA 2015 Docker Tutorial

Pythian standard toolbelt in AWS: Auto Scaling Groups, CloudFormation template(s), Configuration Management (Puppet/Chef)

The wrench: all environments, including production, must use Docker; the architecture must limit use of Amazon services; Ansible is to be used for config management; Ansible Tower is to be used for scheduling of tasks.

Deployment summary

  • Ansible tower and shipyard for orchestration
  • Ansible to deploy Docker images via Shipyard API
  • Consul for

The Consilience Of Networking and Computing

4:00 pm-4:45 pm, Invited Talk, Dinesh G Dutt, Chief Scientist, Cumulus Networks @ddcumulus

A while ago, networking and compute diverged, causing us to need to solve problems twice.

TensorFlow: smarter machine learning, for everyone

Structured I/O vs Myth of the Uniform Data Model

You can use Vagrant, Ansible (or your favorite configuration tool), and Cumulus VX to build a data center on your laptop.

Vulnerability Scanning is Not Good Enough: Enforcing Security and Compliance at Velocity Using Infrastructure As Code

4:45 pm-5:30 pm, Invited Talk, Julian Dunn, Chef Software, Inc.

Verizon 2015 PCI Compliance report - The key finding is that 80% of companies fail at interim assessment right out of the gate, from poor general hygiene, patch management, dev security, log management/configuration, or firewall configuration.

The compliance tower of Babel - Compliance speaks Excel, Security speaks in shell, DevOps speaks in code to manage systems.

InSpec

OpenSCAP is very good if you have a set of benchmarks you can already apply to your system. InSpec rules are easier to read and write.

InSpec has very little to do with Chef and does not require configuration management. It can be run locally on a machine or remotely.