At a minimum, you want to:

• Add the RHEL-specific RPMs for yum.
• Reconfigure packages to use “5Server” as the base OS version, instead of “5.”
• Register the computer with the Red Hat Network.

Locate the Red Hat RPMs

Unlike with CentOS and its public repository, the required Red Hat RPMs are located on the installation media.  Luckily, anyone with a RHN license should have access to the Red Hat download center, which contains the media as ISOs.   Download the 5.3 ISO for your CPU architecture (i386, x85_64, etc), as this seems to most closely match the CentOS 5 RPMs.

mkdir -p /mnt/cdrom
mount -o loop rhel-server-5.3-x86_64-dvd.iso /mnt/cdrom

Of course, change this to whatever name you may have given the downloaded ISO.  If you are converting multiple machines, you may find it handy to copy the RPMs to an internal website, rather than mounting the ISO on each host in question, but that’s out of the scope of this post.

Remove the CentOS Release RPMs

These RPMs provide the $releasever information used by several utilities, along with the defaul /etc/issue and other “branded” files.  However, they need to be removed before installing the RHEL equivalent RPMs.

rpm -e --nodeps centos-release centos-release-notes

Add the Red Hat Release RPMs

Remember to point to whevever you mounted the ISO, or copied the RPMs.

cd /mnt/cdrom/Server
rpm -Uvh redhat-release-5Server-5.3.0.3.x86_64.rpm \
   redhat-release-notes-5Server-25.x86_64.rpm

Add the RHN-related RPMS

cd /mnt/cdrom/Server
rpm -Uvh rhn-check-0.4.19-17.el5.noarch.rpm \
   rhn-client-tools-0.4.19-17.el5.noarch.rpm \
   rhnsd-4.6.1-1.el5.x86_64.rpm \
   rhn-setup-0.4.19-17.el5.noarch.rpm \
   rhnlib-2.2.6-2.el5.noarch.rpm \
   yum-rhn-plugin-0.5.3-30.el5.noarch.rpm \
   pyOpenSSL-0.6-1.p24.7.2.2.x86_64.rpm

Register the host with RHN

At this point, you can either use the GUI, or command-line.

rhnreg_ks –user <RHN-user> –pass <RHN-pass>

Ensure Channel Subscription

Ensure you’re connected to the correct channel.  You may need to visit the RHN website to add any additional entitlement channels at this time.

yum repolist

Apply Waiting Updates

At this point, we’re running an out-of-date RHEL 5.3 system.  You’ll want to patch it and reboot.  Expect over 200 packages, and make sure you have 250+ megabytes of disk space for the patch download. Also, make sure you say “yes” to import the Red Hat GPG key.

yum update
reboot

VMware and other kernel-related packages may fail to load, but you should be able to update them after the reboot.  However, this is outside the scope of this post.  Find and install any updates for these kernel packages to fix those errors.

Post-Reboot

Remove any CentOS-specific yum plugins.

yum erase yum-fastestmirror

Do this after the conversion. Else, you may find all your yum-related packages get uninstalled due to the dependency checks.

Red Hat has documentation on how to install/configure it under a standard RHEL 6 build. However, some of the tools are still being modified, and not all of the documentation matches the current reality.  Read their documentation first.

Required Packages

Not all Linux distributions install the KVM packages by default.  Under Red Hat, you can add the packages via yum:

yum install kvm virt-manager libvirt libvirt-python python-virtinst libvirt-client

VM Images: Flat files versus Volume groups

By default, KVM stores disk images as flat files in /var. This is reasonable for most workstation installs, where performance and VM expandability aren’t an issue.  The installation will automatically configure the proper SELinux context for the directory.

% ls -Zd /var/lib/libvirt/images
drwx--x--x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/

However, if your system has /var as its own partition, it may be too small to hold the VM disk images. You can resize the volume, create an additional volume for this mountpoint, or store the images elsewhere. If you store them on another partition, remember to set the SELinux context.

semanage fcontext -a -t virt_image_t "/data/libvirt/images(/.*)?"
restorecon -F -R -v /data/libvirt/images

As an alternative to flat files, you can create logical volumes in LVM, dedicating a volume per VM.  This allows you to easily expand your virtual disks as needed, and provides a performance benefit. Both the virt-manager GUI and the virt-install command-line support LVM-based storage.

% virsh vol-info --pool VolGroup00 vm_rhel6-32
Name:           vm_rhel6-32
Type:           block
Capacity:       10.00 GB
Allocation:     10.00 GB

Moving a VMware VM into KVM

The VMware “flat” .vmdk files can be read directly by QEMU/KVM, which allows you to import a disk image directly into KVM using the virt-install(1) with the “–import” option. However, moving this image to a logical volume may improve performance. You’ll need to confirm the image is a “raw” format, and the virtual disk’s exact size.

# qemu-img info /var/libvirt/images/RHEL5_32bit-flat.vmdk
image: /var/libvirt/images/RHEL5_32bit-flat.vmdk
file format: raw
virtual size: 10G (10737418240 bytes)
disk size: 10G

Next, create a logical volume of the same size, then use dd(1) to copy the disk image to the volume.

lvcreate -L10GB -n vm_rhel5-32 vg_kvms
dd if=/var/libvirt/images/RHEL5_32bit-flat.vmdk of=/dev/vg_kvms/vm_rhel5-32 bs=1M

If you’ve already created a VM using the disk image, you can either recreate the virtual host, or just edit the existing definition.

virsh dumpxml rhel5-32 > /tmp/rhel5-32.orig
virsh edit rhel5-32

Change the disk entry as needed, particularly the “type” and “source”:

Original:

   <disk type='file' device='disk'>
     <driver name='qemu' type='raw' cache='none'/>
     <source file='/var/libvirt/images/RHEL5_32bit-flat.vmdk'/>
     <target dev='hda' bus='ide'/>
     <address type='drive' controller='0' bus='0' unit='0'/>
   </disk>

New:

   <disk type='block' device='disk'>
     <driver name='qemu' type='raw' cache='none'/>
     <source dev='/dev/vg_kvms/vm_rhel5-32'/>
     <target dev='hda' bus='ide'/>
     <alias name='ide0-0-0'/>
     <address type='drive' controller='0' bus='0' unit='0'/>
   </disk>

Once you’re up and running, remove the VMware tools and re-enable the ACPI daemon, or else the host-based shutdown/reboot options won’t work.

/usr/sbin/vmware-uninstall.pl
chkconfig acpid on

While not as full-featured as VMware ESX, KVM can more meet the virtualization needs of smaller shops.

While COMPANY PRODUCT A sets the standard for mission-critical
enterprise operating systems, COMPANY PRODUCT B raises the bar. In
this next-generation release, COMPANY continues the pattern of
innovation, building on the many groundbreaking technologies
introduced in COMPANY PRODUCT A. At the same time, COMPANY preserves
the long-standing guarantee of binary compatibility – applications
that run on previous COMPANY PRODUCT releases can still run unchanged
on COMPANY PRODUCT B within the same processor architecture: Y or Z.

If someone can plug any vendor and any product into the equation and come up with an equivalent “release statement,” then its too generic.  This many buzzwords in the first page of the release pretty much killed my interest in a supposed technical article.

For the record, it’s from Oracle’s Introducing Solaris 11 Express White Paper.

Inaccurate marketing

Antivirus software is often pitched as a panacea, supposedly allowing the user to engage in all sorts of unsafe computing practices as long as they use the vendor’s antivirus product. Many vendors claim that they prevent 85-100 percent of potential threats. However, Greg Shipley’s article “The Wrong Protection” (InformationWeek, October 11) points out that the current antivirus software only provides 20-30 percent protection — a far cry from most vendors’ numbers.  As a result, the end users’ experience is rarely what the vendor promises, resulting in product dissatisfaction.

Obsolete detection methods

Early antivirus software scanned executables against a database of known malware checksums. This approach required a known infection first (and a checksum created) before anyone could protect against it. At the time, this worked reasonably well, as malware authors were blasting out the exploit code to as many computers as possible to maximize the infection rate. This lead to development of a checksum database, which could be distributed to individual desktop engines on a regular basis.

However, as the malware writers realized they could make money with their wares, they began writing customized software for specific purposes, using multiple vulnerabilities to quietly infect systems without users being the wiser. This resulted in thousands, then tens of thousands, and currently hundreds of thousands of new malware variants a year, making the traditional checksum approach obsolete except against the most primitive attacks.

Thus, most current antivirus engines complement the reactive approach with proactive systems — heuristics that examine the behavior of unknown code and compare it to known malware. Unfortunately, heuristics engines tend to have a higher false positive rate, which can lead to the end-user ignoring the warnings, or worse yet disabling the software.

The rise of custom malware

The Zeus and EyeSpy trojans have opened up malware to an entirely new type of fraudster. The newer authors sell their malware to others, who then use automatic tools to “pack” the malware payload into new binaries, often customized for a specific computer. Not only does this bypass traditional reactive antivirus checksums, it makes it even harder for the companies to write software to defeat it, as the custom payloads won’t run on a computer other than what originally downloaded it.

Out of date software

Many commercial antivirus software is licensed yearly. After the license expires, the software can no longer download updates. While the software may protect against older threats, it cannot detect newer malware variants.  However, the licensing reminders are often viewed as little more than nagware, and since they only show up when the computer boots, the user rarely notices, much less reads them.

It’s not just the antivirus software that’s out of date. Many Windows computers are missing patches freely available from Microsoft’s website, and over half of Firefox users were running unsafe older versions of Adobe’s Flash Player, to say nothing of Adobe Acrobat Reader or Shockwave installations. Older versions of Oracle’s Java are still in widespread use, and malware authors are actively exploiting them.

Unsafe browsing practices

Most users still view security as an impediment — something to be worked around. A majority of people will still click on links in Facebook or emails, with anywhere between 23 and 88% of people dismissing any error messages or security notices.  In addition, 73% of computer users still use the same password to access multiple accounts, allowing fraudsters to leverage one break-in to access multiple other systems. Thus, no matter what we do to improve the software, the end user is still the easiest security component to defeat.

Alternative approaches

Despite all the doom and gloom, I still stand my by earlier basic desktop security advice as a good place to start. However, it may be time to retire the special-purpose antivirus software. A number of alternatives show promise.

Application whitelists

Rather than spending so much processing on figuring out bad software, why not only allow known good software to run? This approach is known as application whitelisting, and is gaining traction in antivirus software as well as newer operating systems.  Various systems use application signatures, with a signature stating whether the program comes from a recognized company.  Symantec and others are working with a variation on this, granting files a “reputation” based upon the number of other computers seeing the same file.

Privilege separation

A user’s normal account doesn’t need to modify the operating system. The web browser, even less so. Microsoft’s User Account Control is a step in the right direction, although it still depends upon the user making a judgment call.

Automated software updates

Both Microsoft and Apple have automatic updates as part of their current operating systems. However, there’s no standard method to update third-party applications and web plugins. Apple and Adobe have their own (incompatible) methods for their own products, as does Oracle.  There’s no one control panel to manage them all. An application update API would seem a logical solution.

Virtual applications

We can virtualize the web browser and web-based applications. This should limit any potential malware to a virtual PC, which is reloaded every time you restart the application. Unfortunately, the early attempts have proven buggy and unpopular. Microsoft Windows has many different API calls which transfer data from the virtual browser window to the host operating system. A bug in any one of these can be used by malware to break out of the virtual sandbox and infect the host. The idea has potential, even if the products to date haven’t proven successful.

Network detection

Rather than focusing on prevention on the desktop, some security professionals recommend watching the network for signs of compromise, identifying the infected host(s), and removing them from the network until they’ve been cleaned. Unfortunately, this returns us to the reactive approach, as we have to know the system has been infected (and figure out an appropriate signature) before we can recognize it and quarantine the system.  In addition, modern malware can use convert command and control channels, receiving encrypted data from normally benign locations such as Google Mail.  This makes it even harder to distinguish the good traffic from the bad.

All of the above

Rather than focusing upon a single technology to save us from malware, we need to get into the mindset of “defense in depth” — multiple layers of “good enough” security that together provide us an acceptable solution to our level of risk. The higher the risk, the more levels of protection we need.

However, this can make a large difference to the established antivirus providers. You can’t charge $39.99 for an A/V signature engine, $19.99 for an application whitelist, then tack on another $9.99 for browser virtalization. Well, technically you could try, but that’s over 10% the cost of a new computer in just antivirus software. That’s not acceptable in today’s market. Some of these layers will become commodities focusing on price and performance, handled by Microsoft and the other operating system vendors. We’ll see how the market changes in the next few years.

A recent Bloomberg poll shows most Americans don’t know how the economy has expanded following the latest depression.  They don’t know that the Federal government will be paid back for what it invested in the banks.  They don’t even realize that their taxes have gone down.  And yet, these citizens who will vote against “the man,” because television tells them that they are worse off than they were two years ago.

In aligning themselves with the Tea Party, some percentage of these citizens consider themselves American Patriots. Unfortunately for most of them, it’s nothing more than uninformed hype.  These “patriots” claim that Moses wrote the US Constitution or that the founding fathers never supported the separation of church and state.  The dream of fiscal responsibility is lost in a sea of falsehoods and slander.

In today’s Information Age, it should be trivial for citizens to look up information from multiple sources, and come to informed decisions on what is best for them and the rest of the country.  And yet, it seems that the American populace has gone in the other direction — depending on mass media to spoon-feed them factoids that even an elementary student could refute with a simple web search.

Americans, please prove me wrong.  Educate yourself, and cast an informed vote.

Personal blogs are vulnerable to this due to the general lack of SSL support on hosted sites, but even major players such as Facebook are also vulnerable, despite investing in their own infrastructure.  Despite some long-standing misconceptions, enabling SSL doesn’t require that much additional infrastructure, but it does have an up-front administrative component which cannot be glossed over.

WordPress users may find the WPMu post on the topic useful, assuming they already have a SSL certificate installed.  Else, they’ll need to work with their ISP to install a cert.

Whenever I have a question like this, I try a few web searches to see if anyone’s come up with a suitable answer.  This led me to Zachary Turpin’s article The Odds of Jury Duty, which ends with this statistic:

In the end, the odds an adult 18 or older will actually serve on a jury in a year are only 1 in 125.

This is a good overall statistic, but without a breakdown on repeat juror rejections, this doesn’t help confirm or deny any bias in the jury selection process.  Perhaps the lawyers have an answer?  The NCSC has a collection of resource links for Jury Selection, Trial, and Deliberations.  Their resources include a section on voir dire, which is how attorneys select the jurors.  While reading up on recommended questions, I ran across Mark Bennett’s simple rules for better jury selection.

Assuming that my county’s lawyers are reasonably intelligent, they probably have some similar rules or guidelines when selecting a jury.  Perhaps I’m giving some answer to their standardized questions they don’t like?  Can I find out what answers they’re looking for?  If so, should I?  After all, in that case, wouldn’t the knowledge bias my own responses?

I guess my participation in a court proceeding shall remain limited to a member of the audience.  It’s better than being a defendant.

• Ballotpedia is a good place to find out what candidates and ballot measures you’ll see on November 2nd.
• Topix can show you what others think are hot topics.
• Reuters and the BBC often provide more-rounded information than what we can get from MSNBC or Fox News.
• OpenSecrets.org seems to do a good job of following the money trail, especially showing what politicial groups are bankrolling which candidates.
• Check your local newspaper for information comparing the candidates.  It seems the spirit of real journalism is alive and well on Main Street, even if not on Wall Street or Capitol Hill.

If a candidate can’t keep religion out of the debate, you may want to keep Jefferson’s response to the Danbury Baptists in mind.

Patch your computer.

• Microsoft Windows Update

The threat of “zero-day” (previously unknown) exploits for the desktop is over-hyped.  Most types of computer malware use known bugs that Microsoft patched months ago.  Thus, if you want to keep your computer secure, the first step is to shut down these known bugs.

Install a current anti-virus program.

• Microsoft Security Essentials

Believe it or not, the Microsoft product isn’t bad.  It’s a free download, and tested out comparably to many of the other commercial anti-virus programs.  However, its focus is rather limited, and there are gaps in what it checks for.  Fortunately, there’s freeware to help close the gaps.

• Ad-Aware
• HijackThis
• Spybot: S&D

Use a different web browser.

As convenient as Internet Explorer may be, it tends to be overly permissive in what it allows websites to do.  If you’re a security-minded individual, you want to deny by default, then explicitly allow permissions to websites you trust.  Firefox allows you to do this via addons.  Opera is also a good choice.

• NoScript
• Adblock Plus

Don’t surf as “Administrator.”

The default “Administrator” account has full rights to modify every aspect of your computer.  Thus, any program you run as administrator can install malware.  To limit the effect of any web-based exploit, you don’t want your browser to have those god-like permissions.  The easiest way to accomplish this is via “privilege separation” — have your everyday account as a regular “user,” and only switch to the “administrator” account when needed.  Windows 7 (and Vista) can separate these privileges within a single account, hiding it under the moniker “User Account Control” (UAC).   Use it, but only allow the UAC escalation for programs you know and trust.

• Microsoft TechNet
  • Microsoft Malware Protection Center
  • Microsoft DHCP Team
• Solaris Internals
  • Richard McDougall
• WordPress-Mu
  • WordPress Plugins
• Mark Minasi

Most of these sites also publish RSS feeds, which works well for me.  Even if I don’t remember the details of a post, I’ll remember reading a post on the topic.