Archive for April, 2008

Improve your yum-based repository mirror’s efficiency…

If you do a lot of Linux installs, and have a local mirror repo, you’re probably used to changing your /etc/yum.repos.d/ files to reflect your mirror after every install, and after some upgrades. You can make this more efficient and less painful by rebuilding the release RPM to point to your local mirror. This way, anyone who installs from your mirror will come back to your mirror for updates.

This is a trivial process, but none of the places I’ve worked have done it. If you do this, care must be taken to prevent the next update of the mirror from clobbering your customized release.

I’m going to demonstrate how to do it in CentOS, but RedHat and Fedora are similar, of course.

First, go to a computer with your distro freshly installed. Install the additional package rpm-build, then install the rpmrebuild package from http://sourceforge.net/project/showfiles.php?group_id=57523.

Now, update your /etc/yum.repos.d files to point to your local mirror, and then check their syntax using the yum check-update command. Assuming it works, you’re ready to rebuild your release RPM. (The centos-release, fedora-release, etc. package owns your repository files.) The command to rebuild a CentOS release file is: rpmrebuild centos-release. It will confirm that you want to include the updated files, then it will ask if you want to change the release number (the default is no, so I stick with that). Once you accept these, it will tell you where it puts your newly-repackaged RPM.

Simply overwrite the original RPM in your repo with this one, and the next person who installs from your repo will have your customizations already included.
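The edit-and-check step above, as an added shell example that is not from the original post: it rewrites every stanza of a constructed CentOS-style .repo file to use a local mirror as its baseurl, then confirms that no mirrorlist line remains and that gpgcheck=1 survived the edit, so signature checking is not lost along the way. The mirror hostname mirror.example.internal and the path layout (the [base] stanza under os/, every other stanza under its own name) are assumptions for this example; the rpmrebuild and rsync steps that follow are left as comments because they need the real mirror.

```shell
#!/bin/sh
# Added example (not from the original post): point a yum .repo file at a local
# mirror and sanity-check the result. Hostname and path layout are assumptions.

MIRROR_URL="http://mirror.example.internal/centos"

# point_repo_at_mirror FILE
# Replaces mirrorlist= and baseurl= lines with a baseurl on the local mirror.
# [base] is assumed to live under "os/"; other stanzas use their own name.
# gpgcheck= and gpgkey= lines are left untouched so signature checking stays on.
point_repo_at_mirror() {
    repo_file="$1"
    awk -v mirror="$MIRROR_URL" '
        /^\[.*\]$/ {                        # new stanza: remember its name
            section = substr($0, 2, length($0) - 2)
            dir = (section == "base") ? "os" : section
        }
        /^(mirrorlist|baseurl)=/ {          # point at the mirror instead
            print "baseurl=" mirror "/$releasever/" dir "/$basearch/"
            next
        }
        { print }
    ' "$repo_file" > "$repo_file.tmp" && mv "$repo_file.tmp" "$repo_file"
}

# check_repo FILE
# Succeeds only if no mirrorlist line remains and every stanza still carries
# gpgcheck=1. This is an offline stand-in for the "yum check-update" step.
check_repo() {
    repo_file="$1"
    if grep -q '^mirrorlist=' "$repo_file"; then
        echo "still has mirrorlist lines" >&2
        return 1
    fi
    stanzas=$(grep -c '^\[' "$repo_file")
    checks=$(grep -c '^gpgcheck=1' "$repo_file")
    [ "$stanzas" -eq "$checks" ]
}

# make_sample_repo FILE : constructed CentOS-5-style repo file for the demo.
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
EOF
}

# Typical run (the rebuild itself is still done by hand, as in the post):
#   make_sample_repo /tmp/CentOS-Base.repo
#   point_repo_at_mirror /tmp/CentOS-Base.repo && check_repo /tmp/CentOS-Base.repo
#   yum check-update            # confirms the edited files parse and the mirror answers
#   rpmrebuild centos-release   # repackages the release RPM with the edited repo files
# When the mirror is next synced, keep the upstream release RPM from clobbering the
# customised one, for example:  rsync ... --exclude='centos-release-*.rpm'
```

The check counts gpgcheck=1 lines against stanza headers rather than just looking for the string once, so a repo file where one stanza lost its gpgcheck line still fails.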

Honeydew Weekend

Yesterday was a busy day around the house. Aside from the critically important tasks, which included researching ways to update the maps in our new used Prius’ navigation system without paying $250-$300 to the dealer for the newest update, I attacked a number of things on the honeydew list.

I planted tomatoes and peppers.

I mulched the Japanese maples in the yard.

I weeded the lilac and butterfly bushes.

I refinished the surface of the dining room table.

I put grass seed down in the front yard.

Oh yes, I forgot to mention, the next-door neighbors who were renting to own moved out. I said it from the beginning, renting to own never works. It’s always structured in an unbalanced way in favor of the landlord/seller.

Today I just kind of sat around trying to nap. Watched Fight Club, had a beer, etc.

And yes, we bought a Prius the other night. My commute is 55-60 miles, and now we’re spending a lot less in gas to get me to and fro.

Post-RHCE: Studying for RHCSS, Part 3 of 3: SELinux Policy

This is the third and final installment in the RHCSS Study series. With this installment, especially since it is a newish technology that can be difficult to wrap your head around at first, I recommend studying the course objectives listed below along with one or more of these fine publications:

RHS 429: SELinux Policy Administration

Unit 1 - Introduction to SELinux

* Discretionary Access Control vs. Mandatory Access Control
* SELinux History and Architecture Overview
* Elements of the SELinux security model:
o user identity and role
o domain and type
o sensitivity and categories
o security context
* SELinux Policy and Red Hat’s Targeted Policy
* Configuring Policy with Booleans
* Archiving
* Setting and Displaying Extended Attributes
* Hands-on Lab: Understanding SELinux

Unit 2 - Using SELinux

* Controlling SELinux
* File Contexts
* Relabeling Files and Filesystems
* Mount options
* Hands-on Lab: Working with SELinux

Unit 3 - The Red Hat Targeted Policy

* Identifying and Toggling Protected Services
* Apache Security Contexts and Configuration Booleans
* Name Service Contexts and Configuration Booleans
* NIS Client Contexts
* Other Services
* File Context for Special Directory Trees
* Troubleshooting and avc Denial Messages
* setroubleshootd and Logging
* Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy

Unit 4 - Introduction to Policies

* Policy Overview and Organization
* Compiling and Loading the Monolithic Policy and Policy Modules
* Policy Type Enforcement Module Syntax
* Object Classes
* Domain Transition
* Hands-on Lab: Understanding policies

Unit 5 - Policy Utilities

* Tools available for manipulating and analyzing policies
o apol
o seaudit and seaudit_report
o checkpolicy
o sepcut
o sesearch
o sestatus
o audit2allow and audit2why
o sealert
o avcstat
o seinfo
o semanage and semodule
o Man pages
* Hands-on Lab: Exploring Utilities

Unit 6 - User and Role Security

* Role-based Access Control
* Multi Category Security
* Defining a Security Administrator
* Multi-Level Security
* The strict Policy
* User Identification and Declaration
* Role Identification and Declaration
* Roles in Use in Transitions
* Role Dominance
* Hands-on Lab: Implementing User and Role Based Policy Restrictions

Unit 7 - Anatomy of a Policy

* Policy Macros
* Type Attributes and Aliases
* Type Transitions
* When and How do Files Get Labeled
* restorecond
* Customizable Types
* Hands-on Lab: Building Policies

Unit 8 - Manipulating Policies

* Installing and Compiling Policies
* The Policy Language
* Access Vector
* SELinux logs
* Security Identifiers - SIDs
* Filesystem Labeling Behavior
* Context on Network Objects
* Creating and Using New Booleans
* Manipulating Policy by Example
* Macros
* Enableaudit
* Hands-on Lab: Compiling Policies

Unit 9 - Project

* Best practices
* Create File Contexts, Types and Typealiases
* Edit and Create Network Contexts
* Edit and Create Domains
* Hands-on Lab: Editing and Writing Policy

Virtualization Strategies, Part 2: VMware ESX vs XenEnterprise

XenSource published an interesting comparison of VMware ESX against XenEnterprise. It appears to be a rebuttal of an earlier VMware report, and places them neck and neck in terms of hypervisor performance. Take a look:

A Comparison of Commercial Hypervisors

Post-RHCE: Studying for RHCSS, Part 2 of 3: Directory Services and Authentication

In the first installment of this series, I discussed the overall structure of Red Hat’s advanced certifications (beyond RHCE — RHCSS, RHCDS, and RHCA), and listed the objectives for the first exam of the RHCSS certification, the Network Services exam. By the way, all Red Hat exams cost $749, or $549 if purchased with the corresponding class. Most classes are four days, with the exams scheduled on Friday, and most classes cost $2,898, with the exception of the clustering and storage class, which is $3,998, probably due to the additional cost of enterprise-class storage hardware for the labs.

In my humble opinion, these exams are far too expensive. I think the “certificate of expertise” exams, which together comprise the advanced certs, should cost $250 each. This way the two next-step certs (exam-only, of course) end up each costing approximately what the RHCE costs, and the RHCA ends up being $1,250. There is something to be said for the current lack of study materials for these exams outside of Red Hat’s official curriculum — this places a premium on those who obtain the cert, because you know they either took the official approved course or they know their stuff. They didn’t cram for free, because there’s nowhere to cram.

Here are the objectives for the second exam in the RHCSS series:

RH423 Red Hat Enterprise Directory Services and Authentication
Course Outline

1. Introduction to Directory Services
* What is a directory?
* LDAP: models, schema, and attributes
* Object classes
* LDIF
2. The LDAP Naming Model
* Directory information trees and Distinguished Names
* X.500 and “Internet” naming suffixes
* Planning the directory hierarchy
3. Red Hat Directory Server: Basic Configuration
* Installation and setup of Red Hat Directory Server
* Using the Red Hat Console
* Using logging to monitor Red Hat Directory Server activity
* Backing up and restoring the directory
* Basic performance tuning with indexes
4. Red Hat Directory Server: Authentication and Security
* Configuring TLS security
* Using access control instructions (ACIs)
* ACIs and the Red Hat Console
5. Searching and Modifying the LDAP Directory
* Using command line utilities to search the directory
* Search filter syntax
* Updating the directory
* Using graphical LDAP client utilities
6. Linux User Authentication with NSS and PAM
* Understanding authentication and authorization
* Name service switch (NSS)
* Advanced pluggable authentication modules (PAM) configuration
7. Centralized User Authentication with LDAP
* Central account management with LDAP
* Using migration scripts to migrate existing data into an LDAP server
* LDAP user authentication
8. Kerberos and LDAP
* Introduction to Kerberos
* Configuring the Kerberos key distribution center (KDC) and clients
* Configuring LDAP to support Kerberos
* Access control with Simple Authentication and Security Layer (SASL)
9. Directory Referrals and Replication
* Referrals and replication
* Single master configuration
* Multiple master configuration
* Planning for directory server availability
10. Authenticating Windows Clients
* Windows networking overview
* Configuring a Samba primary domain controller (PDC) using LDAP
11. Windows Domain Authentication and Linux Clients
* Active Directory servers
* Linux as a client
* Active Directory and NSS
* OpenLDAP
* Winbind

Post-RHCE: Studying for RHCSS, part 1 of 3: Network Services

Beyond RHCE, Red Hat offers “certificates of expertise” which, when stacked together, become advanced certifications.

The RHCSS, Red Hat Certified Security Specialist, requires three exams:

Course                                          Length   Course Fee   Exam
RHS333  Network Services                        4 days   $2,898       EX333
RH423   Directory Services and Authentication   4 days   $2,898       EX423
RHS429  SELinux Policy Administration           4 days   $2,898       EX429

The RHCDS, Red Hat Certified Datacenter Specialist, requires three exams:

Course                                              Length   Course Fee   Exam
RH401   Deployment, Virtualization & Systems Mgmt   4 days   $2,898       EX333
RH423   Directory Services and Authentication       4 days   $2,898       EX423
RHS436  Clustering and Storage Mgmt                 4 days   $3,998       EX429

The RHCA is the ultimate commercial-facing certification in the Red Hat family (there are further certs available for trainers and those conducting examinations, but to me those fall into the “academic” classification). RHCA requires five exams: the three from the RHCDS cert, one from the RHCSS cert, and one additional:

Course                                              Length   Course Fee   Exam
RHS333  Network Services                            4 days   $2,898       EX333
RH401   Deployment, Virtualization & Systems Mgmt   4 days   $2,898       EX333
RH423   Directory Services and Authentication       4 days   $2,898       EX423
RHS436  Clustering and Storage Mgmt                 4 days   $3,998       EX429
RH442   System Monitoring and Performance Tuning    4 days   $2,898       EX429

For now, let’s focus on the RHCSS, and more granularly on the first exam of the trifecta required for the RHCSS, the Network Services exam. Since there is an overwhelming lack of curriculum, study guides, etc., online or in print, I present here the objectives from Red Hat’s own course description, as well as links to books that will most certainly aid in your studying, as well as being permanent references on the relevant topics.

RHS333: Red Hat Enterprise Security: Network Services

What you will learn:

RHS333 goes beyond the essential security coverage offered in the RHCE curriculum and delves deeper into the security features, capabilities, and risks associated with the most commonly deployed services. Among the topics covered in this four-day, hands-on course are the following:

1. The Threat Model and Protection Methods
* Internet threat model and the attacker’s plan
* System security and service availability
* An overview of protection mechanisms
2. Basic Service Security
* SELinux
* Host-based access control
* Firewalls using Netfilter and iptables
* TCP wrappers
* xinetd and service limits
3. Cryptography
* Overview of cryptographic techniques
* Management of SSL certificates
* Using GnuPG
4. Logging and NTP
* Time synchronization with NTP
* Logging: syslog and its weaknesses
* Protecting log servers
5. BIND and DNS Security
* BIND vulnerabilities
* DNS Security: attacks on DNS
* Access control lists
* Transaction signatures
* Restricting zone transfers and recursive queries
* DNS Topologies
* Bogus servers and blackholes
* Views
* Monitoring and logging
* Dynamic DNS security
6. Network Authentication: RPC, NIS, and Kerberos
* Vulnerabilities
* Network-managed users and account management
* RPC and NIS security issues
* Improving NIS security
* Using Kerberos authentication
* Debugging Kerberized Services
* Kerberos Cross-Realm Trust
* Kerberos Encryption
7. Network File System
* Overview of NFS versions 2, 3, and 4
* Security in NFS versions 2 and 3
* Improvements in security in NFS4
* Troubleshooting NFS4
* Client-side mount options
8. OpenSSH
* Vulnerabilities
* Server configuration and the SSH protocols
* Authentication and access control
* Client-side security
* Protecting private keys
* Port-forwarding and X11-forwarding issues
9. Electronic Mail with Sendmail
* Vulnerabilities
* Server topologies
* Email encryption
* Access control and STARTTLS
* Anti-spam mechanisms
10. Postfix
* Vulnerabilities
* Security and Postfix design
* Configuring SASL/TLS
11. FTP
* Vulnerabilities
* The FTP protocol and FTP servers
* Logging
* Anonymous FTP
* Access control
12. Apache security
* Vulnerabilities
* Access control
* Authentication: files, passwords, Kerberos
* Security implications of common configuration options
* CGI security
* Server side includes
* suEXEC
13. Intrusion Detection and Recovery
* Intrusion risks
* Security policy
* Detecting possible intrusions
* Monitoring network traffic and open ports
* Detecting modified files
* Investigating and verifying detected intrusions
* Recovering from, reporting, and documenting intrusions

CBL blocks the good guys (temporarily)

Welcome to the real world, CBL. We understand, it’s not your fault. These things happen. We all have to do so much work to continue blocking the s**tball, beheading-candidate spammers that continuously deluge our mailboxes with advertisements for cheap diplomas, erection subsidizers and pump-and-dump stock scams, that it’s easy to misfire once in a while.

From their website:

2008-04-10 CBL Listing Problem: Commencing at approximately 5AM UTC on 2008-04-10, and lasting as much as 5 hours in some cases, a technical problem in one of our contributory feeds resulted in a number of invalid CBL listings, including some corresponding to servers at a few ISPs and other sites.

The feed was removed from operation as soon as we became aware of the issue and have purged all the IPs it listed in the last 48 hours as a precaution. We have verified that this has taken effect in everything the CBL publishes. Here at the CBL we take false positives extremely seriously, and we do apologize for this issue. We have taken steps to ensure that this cannot happen again in the future.

To further ensure the problem is resolved everywhere, we advise the relatively small number of email administrators who retrieve their copy of the CBL via zone transfer to ensure that they have fetched the CBL at least once after 10:30AM UTC on 2008-04-10 to ensure that the erroneous listings have been purged from their systems. Note that the vast majority of sites use the CBL via direct DNSBL query or zone transfers every 2 hours or less, and thus no action is necessary.
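The “direct DNSBL query” the CBL notice refers to, as an added shell example that is not from the post or from the CBL’s own tooling: it forms the reversed-octet name a mail server looks up and classifies the answer the way a receiving MTA should. The zone name dnsbl.example.invalid is a placeholder for whichever list you actually query. Only answers in 127.0.0.0/8 count as a listing, which is the standard DNSBL convention and is what keeps a misconfigured or hijacked list (or a wildcard-answering resolver) from turning every lookup into a block; the same caution applies to a listing-feed glitch like the one described above, which is why a site should treat one list as a signal rather than an automatic reject.

```shell
#!/bin/sh
# Added example (not from the original post or the CBL): build a DNSBL query
# name and interpret the reply. The zone below is a placeholder, not a real list.

DNSBL_ZONE="dnsbl.example.invalid"

# dnsbl_query_name IPV4 [ZONE]
# Prints "d.c.b.a.ZONE" for the address a.b.c.d. Prints nothing and returns 1
# if IPV4 is not four dotted octets in the range 0-255.
dnsbl_query_name() {
    ip="$1"; zone="${2:-$DNSBL_ZONE}"
    printf '%s\n' "$ip" | awk -F. -v zone="$zone" '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            print $4 "." $3 "." $2 "." $1 "." zone
        }'
}

# dnsbl_classify ANSWER
# ANSWER is the space-separated A records the list returned (empty for NXDOMAIN).
# Prints one of: not-listed, listed, invalid. Anything outside 127.0.0.0/8 is
# "invalid" and must not be treated as a listing.
dnsbl_classify() {
    answer="$1"
    if [ -z "$answer" ]; then
        echo "not-listed"
        return 0
    fi
    for a in $answer; do
        case "$a" in
            127.0.0.*) ;;
            *) echo "invalid"; return 0 ;;
        esac
    done
    echo "listed"
}

# dnsbl_check IPV4 [ZONE]
# Live lookup with dig (needs network and the dig binary); not exercised offline.
dnsbl_check() {
    name=$(dnsbl_query_name "$1" "$2") || { echo "bad-ip"; return 1; }
    dnsbl_classify "$(dig +short "$name" A 2>/dev/null)"
}
```

dnsbl_query_name and dnsbl_classify run entirely offline, so they can be checked against constructed inputs; dnsbl_check is the only function that touches the network, and it reports bad-ip for malformed input instead of querying a nonsense name.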

Virtualization Strategies, Part 1: Introduction and groundwork

Ready to take the plunge into VMware? Like the idea of server consolidation but don’t know where to start? Here’s a quick primer, that might save you some research time.

Hosts and Guests

A Host is the base operating system of the physical server. A Guest is an installed virtual machine server. Generally speaking, the Host operating system is independent of the Guest operating systems, and once you have a host system running, you can run just about any operating system inside of it as a Guest.

Choose Your Platform and Virtualization Software

I combined these two tasks because platform is often dependent on virtualization software. Xen uses Unix/Linux based Hosts, VMware uses Windows or Linux, Microsoft VM uses a Microsoft base. Parallels has products for Windows, Linux and even Mac, and seems to be growing, but it remains to be seen where their products will eventually converge focus. Parallels products include Parallels Desktop for Mac, Parallels Workstation, which seems to be comparable to VMware Workstation, and Parallels Virtuozzo, which was SWSoft’s virtualization product. SWSoft’s aggressive marketing led to fairly deep penetration in the large hosting provider markets, so Parallels may have a shot at serious competition in this arena.

I know that being RHCE-certified means I should be rocking Xen, but I haven’t gotten my feet wet in it yet. I have, however, heard good things about its virtualization methodology. Ask me again in a couple of weeks, or feel free to discuss your experiences in comments.

My primary focus has been VMware. There are things I really like about VMware. I’ve been happy with performance so far, even in just the Workstation version, but especially under ESX. There are plenty of comparisons out there between VMware, Microsoft Virtual Server and/or Xen, but they are largely unscientific and anecdotal, and some don’t even specify which version of VMware is being used. The consensus seems to be that Xen is faster than VMware (probably Workstation) which is faster than Microsoft Virtual Server.

For workstation-based Virtual Machine solutions, my preference is to house everything on a Unix or Linux base, with no graphical interface, reducing overhead. More specifically, my current preference is a CentOS base, and I’ll tell you why. Under Red Hat and Fedora-based systems, VMware generally needs to compile the VMMON for the working kernel. Because Fedora kernel updates are so frequent, this means that you will be running vmware-config.pl frequently to recompile vmmon, etc. CentOS is directly derivative of Red Hat Enterprise Linux (RHEL), and features far fewer kernel updates. There is a trade-off, of course, if you need to use things on the same PC which require newer kernel features. I have heard from a colleague that Debian’s approach may be a bit more sane in terms of its packaging these things (NVidia drivers have the same underlying problem of needing a recompile during kernel upgrades, and Debian may have conquered that as well) but again, I have not yet experienced it. I have a fundamental shortage of servers and time to do this type of research.

If you’ve read this far, you’ve read enough for today. I’ll continue this at a later date.

New job, and refocused priorities, and finally my weather is here.

So I’ve got a new job, working for a security consulting company in northern Virginia. I’m working with a bunch of really sharp guys, using a lot of great advanced technology. It’s exciting.

Meanwhile, I’m also studying for more advanced certifications, although I haven’t nailed down exactly where to take it just yet. I think I may ultimately continue down the Red Hat path for a while, aiming eventually for RHCA, which would end up costing at least $4,500 for the exams alone. I function better on self-study than on classroom curriculum, which is good, because the classes for this series would cost a total of around $19K if I took them all. The tactic I’m using is to write articles on isp-guru.com as study aids, and then study the materials myself. I find that teaching helps me to learn. So regardless of whether anyone actually reads it, if I write as if I have an audience, then I fulfill multiple purposes: (1) I help myself learn; (2) I potentially help others; and (3) in the spirit of “if you build it, they will come”, I build up one of my sites which has been monetized for advertising, and hopefully populate it with useful materials for actual studying. I started with the first three articles for studying for the RHCSS cert (Red Hat Certified Security Specialist), which are set for release over the next few days. If things work out, I may be able to consider writing a study guide for that cert.

I’ll be working on my kayak some more this weekend. The plan is to install the deckbeam and carlins. After that is complete, I will be able to turn it over and snip the wires. Then I can begin the process of sanding in preparation for glassing the hull.

I’m really happy with the weather over the past couple of days. If I can just line my commute up properly with traffic situations, I’ll be sitting pretty. Sitting in the rush hour bumper-to-bumper in the heat SUCKS on a motorcycle.

Damned activation keys…

So you’re about to rebuild your WinXP system on another box, but you can’t find all those damned product activation keys. How annoying. You’ve got the software working already, you just need to activate the products on the other box. Enter RockXP, a tool that lets you quickly scan and recover all installed MS product activation keys on your Windows box. I ran it yesterday on one of my XP VMs, and recovered activation keys for XP, Office XP 2003 Pro, and Visio 2003 Pro, all within seconds. Good times. Thanks, Stephen, for cluing me in to that one.