Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 3 - DEVELOPER TOOLS GUIDE
71727374757677787980
SystemTap Compile Server
67
The following sections describe new SystemTap features available in the Red Hat Enterprise Linux 6
release.
6.4.1. SystemTap Compile Server
SystemTap in Red Hat Enterprise Linux 6 supports a compile server and client deployment. With this
setup, the kernel information packages of all client systems in the network are installed on just one
compile server host (or a few). When a client system attempts to compile a kernel module from a
SystemTap script, it remotely accesses the kernel information it needs from the centralized compile
server host.
A properly configured and maintained SystemTap compile server host offers the following benefits:
The system administrator can verify the integrity of kernel information packages before making the
packages available to users.
The identity of a compile server can be authenticated using the Secure Socket Layer (SSL). SSL
provides an encrypted network connection that prevents eavesdropping or tampering during
transmission.
Individual users can run their own servers and authorize them for their own use as trusted.
System administrators can authorize one or more servers on the network as trusted for use by all
users.
A server that has not been explicitly authorized is ignored, preventing any server impersonations
and similar attacks.
6.4.2. SystemTap Support for Unprivileged Users
For security purposes, users in an enterprise setting are rarely given privileged (i.e. root or sudo)
access to their own machines. In addition, full SystemTap functionality should also be restricted to
privileged users, as this can provide the ability to completely take control of a system.
SystemTap in Red Hat Enterprise Linux 6 features a new option to the SystemTap client: --
unprivileged. This option allows an unprivileged user to run stap. Of course, several restrictions
apply to unprivileged users that attempt to run stap.
Note
An unprivileged user is a member of the group stapusr but is not a member of the group
stapdev (and is not root).
Before loading any kernel modules created by unprivileged users, SystemTap verifies the integrity
of the module using standard digital (cryptographic) signing techniques. Each time the --
unprivileged option is used, the server checks the script against the constraints imposed for
unprivileged users. If the checks are successful, the server compiles the script and signs the resulting
module using a self-generated certificate. When the client attempts to load the module, staprun first
verifies the signature of the module by checking it against a database of trusted signing certificates
maintained and authorized by root.
Once a signed kernel module is successfully verified, staprun is assured that:
The module was created using a trusted systemtap server implementation.