Summary
The internet is rife with bots and bad actors trying to compromise your servers. To counteract these threats it is necessary to diligently harden your systems to improve server security. Unfortunately, the hardening process can be complex or confusing. In this week's episode 18-year-old Orhun Parmaksiz shares the story of how he and his friends created the GrapheneX framework to simplify the process of securing and maintaining your servers using the power and flexibility of Python. If you run your own software then this is definitely worth a listen.
Announcements
- Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
- When you’re ready to launch your next app or want to try a project you hear about on the show, you’ll need somewhere to deploy it, so take a look at our friends over at Linode. With 200 Gbit/s private networking, scalable shared block storage, node balancers, and a 40 Gbit/s public network, all controlled by a brand new API you’ve got everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models, they just launched dedicated CPU instances. Go to pythonpodcast.com/linode to get a $20 credit and launch a new server in under a minute. And don’t forget to thank them for their continued support of this show!
- Having all of your logs and event data in one place makes your life easier when something breaks, unless that something is your Elasticsearch cluster because it's storing too much data. CHAOSSEARCH frees you from having to worry about data retention, unexpected failures, and expanding operating costs. They give you a fully managed service to search and analyze all of your logs in S3, entirely under your control, all for half the cost of running your own Elasticsearch cluster or using a hosted platform. Try it out for yourself at pythonpodcast.com/chaossearch and don't forget to thank them for supporting the show!
- You listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers you don’t want to miss out on this year’s conference season. We have partnered with organizations such as O’Reilly Media, Dataversity, Corinium Global Intelligence, Alluxio, and Data Council. Upcoming events include the combined events of the Data Architecture Summit and Graphorum, the Data Orchestration Summit, and Data Council in NYC. Go to pythonpodcast.com/conferences to learn more about these and other events, and take advantage of our partner discounts to save money when you register today.
- Your host as usual is Tobias Macey and today I’m interviewing Orhun Parmaksiz about GrapheneX, a framework for simplifying the process of hardening your servers
Interview
- Introductions
- How did you get introduced to Python?
- Can you start by explaining what we mean when we talk about hardening of servers?
- What are the common ways of hardening a system, and which techniques can we use for this purpose?
- What are some of the high level categories of threats that operators should be considering?
- What is GrapheneX and what was your motivation for creating it?
- How does GrapheneX aid users in the process of increasing the security of their infrastructure?
- Is any extra operating system knowledge required for using GrapheneX?
- Can you talk through the workflow for someone using GrapheneX to harden their systems?
- What options does it support for managing deployment across a fleet of servers?
- Some security controls can actually prevent proper operation of the applications and services that are deployed on a server. How do you approach preventing those scenarios or educating the users in determining which controls are appropriate?
- Why did you choose Python for a project like GrapheneX?
- How is GrapheneX implemented?
- How has the design evolved since you first began working on it?
- If you were to start the project over today, what would you do differently?
- Do you accept contributions to the framework? If so, what kind of contributions are needed for improving GrapheneX?
- For someone who is interested in adding a new module to the framework, what is involved?
- What have you found to be the most interesting or challenging aspects of your work on GrapheneX?
- What, if any, aspects of server security have you consciously avoided implementing in GrapheneX?
- What are your future plans for GrapheneX?
Keep In Touch
Picks
- Tobias
- Orhun
- Creeping in My Soul by Cryoshell
- Gravity Hurts by Cryoshell
Closing Announcements
- Thank you for listening! Don’t forget to check out our other show, the Data Engineering Podcast for the latest on modern data management.
- Visit the site to subscribe to the show, sign up for the mailing list, and read the show notes.
- If you've learned something or tried out a project from the show then tell us about it! Email hosts@podcastinit.com with your story.
- To help other people find the show please leave a review on iTunes and tell your friends and co-workers
- Join the community in the new Zulip chat workspace at pythonpodcast.com/chat
Links
- GrapheneX
- Graphene
- New Modules for GNU/Linux & Windows (Issue)
- Flask
- React
- trimstray/linux-hardening-checklist
- The Windows Server Hardening Checklist
- Firewall
- PCI-DSS requirement 2.2: server hardening standards
- CIS Benchmarks
The intro and outro music is from Requiem for a Fish by The Freak Fandango Orchestra / CC BY-SA
Hello, and welcome to Podcast.__init__, the podcast about Python and the people who make it great. When you're ready to launch your next app or want to try a project you hear about on the show, you'll need somewhere to deploy it. So take a look at our friends over at Linode. With 200 gigabit private networking, scalable shared block storage, node balancers, and a 40 gigabit public network, all controlled by a brand new API, you've got everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models, they just launched dedicated CPU instances. And they also have a new object storage service to make storing data for your apps even easier.
Go to pythonpodcast.com/linode, that's L-I-N-O-D-E, today to get a $20 credit and launch a new server in under a minute. And don't forget to thank them for their continued support of this show. Having all of your logs and event data in 1 place makes your life easier when something breaks, unless that something is your Elasticsearch cluster because it's storing too much data. ChaosSearch frees you from having to worry about data retention, unexpected failures, and expanding operating costs. They give you a fully managed service to search and analyze all of your logs from S3, entirely under your control, all for half the cost of running your own Elasticsearch cluster or using a hosted platform. Try it out for yourself at pythonpodcast.com/chaossearch, and don't forget to thank them for supporting the show.
And you listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers, you don't want to miss out on this year's conference season. We have partnered with organizations such as O'Reilly Media, Corinium Global Intelligence, Alluxio, and Data Council. Upcoming events include the Data Orchestration Summit and Data Council in New York City. Go to pythonpodcast.com/conferences to learn more about these and other events, and take advantage of our partner discounts to save money when you register today.
[00:02:12] Unknown:
Your host as usual is Tobias Macey, and today I'm interviewing Orhun Parmaksiz about GrapheneX, a framework for simplifying the process of hardening your servers. So, Orhun, can you start by introducing yourself?
[00:02:23] Unknown:
Thanks for having me on the podcast, Tobias. It's an honor to be here. My name is Orhun, and I'm an analytics enthusiast. Also, I'm studying software engineering. Most of the time, I like to deal with Linux stuff, and I try to create projects for Linux also. And I can say that I'm a self-taught programmer and developer, and I still try to learn programming languages and new technologies to implement in those projects. And my goal is to keep innovating and create projects that will help the community and the users.
[00:03:04] Unknown:
And do you remember how you first got introduced to Python? Yes. It was, I think it was 2016
[00:03:10] Unknown:
that I decided to learn Python. It was because my classmates at school were into it, and they were doing some simple programs with it. And I was just curious about Python. So I went to a bookstore and bought a book about Python. It was kind of a tutorial book. But when I got to the middle of the book, I was bored, because most of the time when I decide to learn a programming language, I try to do something with it, not just follow a tutorial. So I stopped reading the book and I tried to create a simple project with it. And Python is a very simple and easy-to-use language, and there are a lot of libraries for doing various things.
So I created my first Python project in 2016. It was a good project for me to learn Python and practice it, and I kept learning it. And that's how I was introduced to Python.
[00:04:17] Unknown:
And now you've been working on the GrapheneX project, which as we said is for hardening servers. I'm assuming Linux servers primarily. And I'm wondering if you can just start by explaining a bit about what we mean when we use the term hardening in the context of servers and security, and some of the common techniques and methods that you might use to achieve that hardening?
[00:04:36] Unknown:
Yeah. Of course. So when we say hardening, we mostly mean securing a system by reducing its surface of vulnerability. I'll just continue with an example. So let's say we have a Linux server running and we misconfigured some files. We have some bad configuration files that will allow users to access the admin panel with the default password. It's a very common scenario. So if we change the configuration files and change the password as well, we can call this a hardening process. And another example is disabling services or removing users on a system that will cause different things, you know, that will exploit the system.
So these are the different examples: removing users, disabling or removing services. The other thing that we can do to harden our system is enabling a firewall also. And there are different examples too, but this is hardening, basically. So if you want to harden a system, we can achieve this in 2 ways. One is executing system commands to handle that system. And the other one is mostly about standards, handling standards. And it includes some tools for automating the hardening process. So these are the common techniques.
[00:06:26] Unknown:
And what are some of the typical types of threats in terms of the attack vectors and some of the general categories of security issues that operators should be considering?
[00:06:38] Unknown:
So I face elevation of privilege attacks or attack vectors most of the time, but there are also some network issues, like some vulnerabilities that will let users spoof network packets or send malicious requests. So these are the 2 common things that I face. And considering those types of threats, hardening should be an important term to developers and the operators
[00:07:10] Unknown:
as well. So can you describe a bit about what the GrapheneX project is and some of your motivation for creating it? So,
[00:07:18] Unknown:
GrapheneX is an automated system hardening framework. So before I give an explanation about the project, I want to give a quick shout out to my friends that helped me build GrapheneX, because we are a team, actually. Actually, we're friends, but we created a team called GrapheneX team, and I lead the project. So their names are Amar Baruk, Oruch, Enes Koputan, Efidin, and Thailand. They helped me to build the GrapheneX project. So I'd like to mention the name of the project too. So graphene is a 1-atom-thick layer of carbon atoms arranged in a hexagonal lattice. So it's about 100 times stronger than the strongest steel.
We chose the GrapheneX name because graphene is something stronger than the strongest steel, and we try to harden systems. So we think it's a good relation between these 2 names. And X is just the suffix that we like to use while we're creating projects. So the GrapheneX project is an automated framework. We call the project a framework because there are different features and different commands that you can run, or different types of things that you can do. And it's automated because there's a thing called presets in GrapheneX that will automate the process of hardening.
So we try to provide a framework for securing the system with hardening commands automatically. So, actually, I'd like to mention the motivation behind it before I go into technical details. So we have a group on Telegram with my friends. We always like to do things together, like projects. So 1 day, we decided to make a project together, and we were thinking, and 1 of my teammates, if I'm not mistaken, just sent a repository to our group, which was a Linux hardening checklist.
It contains different hardening commands for hardening your Linux system. So I was like, can we just automate this and put these commands in a framework that will run depending on the user's desire? So they were okay with it. We decided to create a project for this purpose. And we just tried to design the project for end users as well as Linux and Windows developers. And basically, it executes hardening commands on the back end side. And there's a web interface for it too. And that's basically it about GrapheneX.
[00:10:39] Unknown:
And you mentioned that it helps to automate executing this list of commands for being able to improve the overall security of a system. I'm wondering if you can talk through an example workflow of somebody using GrapheneX to harden their system, and some of the options that are exposed, and just some of the overall decisions that they need to make as they're interacting with the software?
[00:11:02] Unknown:
Okay. So first of all, you have to install GrapheneX, obviously. You can achieve that by building from the source or using the pip package. We have a pip package called graphenex. And after that, you have 2 options for hardening your system with GrapheneX, which are using the interactive shell or the web interface. Interactive shell: we developed this side of the project for the people that are used to the Linux operating system. And there are commands for hardening. And when you go to your terminal and type the name of the project, grapheneX, it will give you an interactive shell. You can list commands with the help command.
And it's very easy, actually. You can switch to namespaces or modules. We call the hardening commands modules, and, let me think here, every individual module affects a part of the system, so we call that part a namespace. There are different namespaces there. You can switch to them with the switch command, or use the use command for selecting a module. Then the harden command will execute the hardening command of that module automatically. The other option for using GrapheneX is the web interface. You can start the web interface with the -w command parameter from your terminal, or just by typing web into your interactive shell. It will start a web server to access the GrapheneX web interface. And there's an extra precaution there, which is the access tokens, because you can access the web interface from different machines if you start it with the localhost parameter. But we try to prevent this with the access tokens. So it will request an access token before redirecting you to the actual GrapheneX interface.
So when you start the web interface from the terminal, it will give you an access token, and you can access your web interface with that access token. So these are the 2 ways of using GrapheneX. The web interface is quite simple to use because there's a list of modules where you can see the hardening commands or execute the hardening command. There's a drop-down menu for seeing the namespaces, and that's pretty much it.
[00:14:03] Unknown:
And for performing this hardening on a single server, it's obviously easy to choose between either doing a web interface or a command line for somebody who's comfortable in either environment. But for using this across a fleet of servers when you're trying to automate deployment, I'm assuming that you would just use the command line, or is it possible to generate a configuration file that GrapheneX can consume and then run the automated set of routines that you want given the profile of the instance?
[00:14:35] Unknown:
Actually, there's not a feature for this type of operation, but you can use the web interface for these types of servers. Or there's a Dockerfile that you can use to automate this process. But, actually, I know that we don't support this type of thing. But we can, you know, improve the framework for this purpose.
[00:15:04] Unknown:
And as far as the security controls that you're enabling, sometimes it can end up interfering with the operation of software that you're actually trying to run on the system, such as maybe you accidentally closed down firewall ports that are necessary for a network application that you're trying to build, or, you know, sometimes some of the, for instance, AppArmor profiles on Debian-based systems can interfere with proper operation of a piece of software. And so I'm curious if you have any safety mechanisms or warnings built into GrapheneX to let people know that this might end up interfering with their software, or maybe some way of detecting what software is running and then letting people know that if you enable a particular profile or a particular command within a namespace, that it's going to prevent a piece of software from working? Oh, this is a good question because
[00:15:56] Unknown:
when we try to find eligible modules for the framework, it's something that we always considered. So we have modules, and modules have the description of the OS command for the hardening process. Actually, we try to give every detail about that command to the user with the info section of the module. But we don't have a control mechanism like that for preventing running the commands that you said. But we always try to inform the user about that command. And most of the commands require root access. So we warn users about them, but we don't warn about the contents of that module. Instead, we try to inform about the contents of that module.
And the user should be careful about what he or she is doing with the module. So we don't have any warning mechanism or checking. We do not check the service or the file content before executing the hardening command or the module. But we try to inform the user, basically.
[00:17:28] Unknown:
Can you talk through a bit about how GrapheneX is implemented at the technical level, and some of the ways that the overall system design and capabilities have evolved since you first began working on it?
[00:17:40] Unknown:
Of course. So we have a team. So we try to keep things simple, and we try to choose a programming language that everybody knows and is capable of doing some things with. And we chose Python to move on. We started with writing the interactive shell. We used Python's cmd module for it. It has the features that we wanted. We created the interactive shell with it, then we moved on to the web interface, which is currently Flask and Socket.IO based, but we will probably change it later to something else. Actually, we have a pull request that will change the entire back end side of that web interface, but we use Flask for now. And the hardening process was handled with the standard built-in libraries.
We used them for executing system commands; we didn't use anything external for this purpose. And for other things like the logs and the colored logs, we use the coloredlogs module. And printing is handled with the terminaltables library, and some commands request user input, and we used the PyInquirer library for the prompts. And this is pretty much it about the technical side of the project. We try to keep it simple. And on the website, I have to mention JavaScript and HTML and CSS, the classic way of creating simple websites.
Actually, I'm not a web guy, so power handled all the web side of the project. And this is pretty much it about the technical side of the project.
[00:19:43] Unknown:
And if you were to start the whole project over now that you have gotten further into it and have a better understanding of the overall problem space and some of the design constraints and possibilities, are there any aspects of it that you would change or anything that you would do differently? Probably, I will start,
[00:20:00] Unknown:
with finding modules, because it's the hard side of doing a project like this. You have to find eligible modules for the framework. And we did it at the end of the project. We created our modules.xml file, which contains all of the modules. At the end of the project, we basically finished all the features, then we tried to find modules or create our own modules. So I will probably start with that step, because you can't find or create your Linux or Windows commands easily and quickly. So I will start with that. And probably, I will use a different technology on the website of the project, because we are just changing it right now to React. I don't know why, actually. It's probably more optimized than Socket.IO and Flask.
I will probably think more about the web interface, and I will just lead the project according to those changes.
[00:21:12] Unknown:
And as far as the module interface, what is involved in actually creating a new module, and are there any gaps in terms of the current implementation that you are looking for help as far as adding new capabilities to the framework?
[00:21:28] Unknown:
Okay. So if you want to add a module to the framework, there are 3 ways of doing this. The first 1 is using the manage command from the interactive shell. It will ask you for inputs about that module. Actually, there are 3 things that you can do with the manage command. The first 1 is adding a module, then editing a module and removing a module. So if you choose the add option, it will ask you for the module description, name, and the OS command that will run for the hardening process. You can use the manage command for adding a module, or you can add modules from the web interface.
It's pretty simple. There's a button for adding a module, and you'll see a page that will ask for the module details. And the 3rd way is editing the modules.xml file directly. We use that file for parsing the module details and listing them, or any other operations. So if you modify the modules.xml file, it will change the module details in the framework. Since we tried to design GrapheneX very abstract from modules.xml, you can just change that file to change the purpose of the project, because it basically takes the hardening commands from that file and executes them depending on the user input.
So there are 3 ways of adding a new module. So, actually, we have an open issue for GrapheneX contributions. It's about adding modules to the framework, obviously, because we can improve the framework technically, on the back end or on the front end side. But we need modules for the framework to run or operate as expected. And it's important to add more modules to the framework. So we accept contributions to the framework in terms of modules.
[00:23:51] Unknown:
And for the different modules, do you have any built-in testing for verifying when they run effectively, or to prevent a duplicate run if a particular setting has already been configured? Actually, we do not test them with,
[00:24:06] Unknown:
any type of tool, but we test them on our systems or on virtual machines. You know, it's like the process of approving a pull request. All of the team members have to approve the module before we add it into the framework. And we use our own systems, but we use virtual machines to test those commands too. So that's the technique that we use for testing modules before adding them to the framework.
[00:24:37] Unknown:
And as far as your experience of building GrapheneX and working with your friends on improving it, what have you found to be some of the most interesting or unexpected or challenging aspects of the project, and any particularly useful lessons that you've learned as a result? The interesting part of the project was learning
[00:24:56] Unknown:
frameworks, especially Flask, and the website is something that I'm not used to. So it was interesting to learn different technologies while working on this project. And the challenging aspect of GrapheneX was, obviously, finding modules and creating modules. And since I lead the project, it was even harder to split the team for finding eligible modules for the framework. And it was not my first Python experience, but some technical stuff was challenging too. Like, you can write the same program with different approaches. And we have a team, so we have different opinions.
We were always thinking about which is the optimized way of doing something. It was challenging, but it was fun. So that's it, I think.
[00:26:04] Unknown:
And then as far as your understanding and experience of server and system security, how has that grown as a result of working on GrapheneX? And are there any areas of system security that you have consciously avoided implementing in GrapheneX just because they would either be too difficult or too bespoke?
[00:26:25] Unknown:
So when I was working on GrapheneX, I had a chance to know my, you know, Linux setup better, because we were just experiencing different things with the modules and Python. So it was a good experience for me to learn the internals of a Linux system. And the thing that we tried to avoid was firewall exploits or firewall threats, because it's something hard to configure, in my opinion. It's not for every user to configure a firewall or the network, because there are tools for it, but mostly they use iptables on Linux.
And we try to avoid different threats by adding different modules about network configuration and iptables, and I hope it will help users to understand the internals of a system. But these are the things that we try to avoid, mostly the firewall and the network things. And I hope it will help users to understand the operating system internals.
[00:27:56] Unknown:
And what are your overall goals for the GrapheneX project? And what do you have on the roadmap for the near to medium term as far as new features or overall system improvements?
[00:28:07] Unknown:
Probably we will add more modules, and we will improve the web interface. Other than those goals, we do not have anything big or anything that will change the whole purpose of the project. But we will try to improve according to user feedback. And I think it's a project that we should keep alive, because there are some open source projects that are gathering dust, but they are working so well that people are still using them. So we try to keep the project updated so that people can still use it on different machines and different systems. Basically, this is our goal: to keep the project updated and keep the modules updated for the individual services or configurations.
So that's it about the goal.
[00:29:15] Unknown:
And as far as the system support, it seems that the majority of the focus is on Linux, but I'm wondering if you have experimented at all with running it on any BSD based systems or any other operating systems that you're planning to target.
[00:29:30] Unknown:
Well, actually, I'm talking like GrapheneX is just for Linux, but it's not. It supports Windows too. But since I'm using Linux, I just think it's just for Linux. But we plan to test GrapheneX on different systems, because we think that we can automate the hardening process on systems like BSD or other things. We plan to do that, but right now, it supports Linux and Windows. The Windows part is a little bit wider than the Linux part, because the Windows modules target more parts of the system than the Linux ones.
It depends on us, actually. It was not about Linux or Windows. But we try to find or create modules for different operating systems.
[00:30:34] Unknown:
Are there any other aspects of the work that you've done on GrapheneX, or your experiences with managing system security and hardening processes, that we didn't discuss yet that you'd like to cover before we close out the show? So
[00:30:46] Unknown:
I can talk about the way that we chose for hardening, the technique that we chose. There are different techniques for hardening a system. The first 1 is using a checklist or a list of commands, and the other 1 is tools, which is what GrapheneX is, a tool. And the third 1 is standards. There are some standards, actually, for hardening. They call them CIS, I suppose, and there are different standards like PCI DSS. They have different approaches for hardening a system. They target, most of the time, Windows. But we did not choose this approach while implementing GrapheneX, because the standards are maybe sometimes too strict, so they won't let you do the things that you want.
So we tried to use checklists for GrapheneX to automate the hardening process. You can use those checklists for manually hardening your system too, but GrapheneX is automated. It will do things automatically for you. And, actually, it's a framework. So it will help you to harden your system. And I'd like to talk about the automated part of GrapheneX, which has the preset command for running different modules at once. Okay, let me explain this again. There's a preset command that will run a set of hardening commands from different namespaces or a single namespace. You can adjust or change the modules.xml file for changing the presets.
Mostly, we target a part of the system. So there is a preset called kernel access restriction that will run 2 modules for restricting kernel access without permission. So it will run 2 modules in order to harden a specific part of that system. So we try to give GrapheneX an automated design with the preset
[00:33:27] Unknown:
command. Alright. Well, for anybody who wants to follow along with you and get in touch, I'll have you add your preferred contact information to the show notes. And so with that, I'll move us into the picks. And this week, I'm going to choose chess, because I've been able to spend a bit more time recently playing with my kids and my dad. So it's good to revisit it every now and then. So if you haven't found the time to play chess or you haven't learned it yet, it's definitely worth a shot. It's a fun game with a lot of different strategies involved, so I definitely recommend that for anybody who's looking for something to pass the time. And so with that, I'll pass it to you, Orhun. Do you have any picks this week? Yes. I have a band called Cryoshell.
[00:34:06] Unknown:
Originally, there's a LEGO set called Bionicle, and they make the advertisement or short film songs for the LEGO set Bionicle. And I think they are very good at this job, and their songs are amazing. I will pick 2 songs of theirs. 1 of them is Creeping in My Soul, and the other is Gravity Hurts. They are very amazing songs.
[00:34:35] Unknown:
I suggest everyone listen to them. So that's it. Well, thank you for taking the time today to join me and discuss your work on GrapheneX. It's definitely an interesting project, and it's targeting a very necessary space for people to understand. And it's great to make that a bit easier for them. So thank you for all of your efforts on that front, and I hope you enjoy the rest of your day. Thank you. Have a good day.
[00:35:00] Unknown:
Thank you for listening. Don't forget to check out our other show, the Data Engineering Podcast at dataengineeringpodcast.com, for the latest on modern data management. And visit the site at pythonpodcast.com to subscribe to the show, sign up for the mailing list, and read the show notes. And if you've learned something or tried out a project from the show, then tell us about it. Email hosts@podcastinit.com with your story. To help other people find the show, please leave a review on iTunes and tell your friends and coworkers.
Introduction and Sponsor Messages
Interview with Orhun Parmaksiz
Introduction to GrapheneX
Common Security Threats
Overview of GrapheneX Project
Using GrapheneX
Technical Implementation of GrapheneX
Challenges and Lessons Learned
Future Goals and Roadmap
System Support and Expansion
Closing Remarks and Picks