Archive for the 'Information Technology' Category

Nothing is private anymore.

So once you’re “in the system,” nothing is private. Nothing is sacred. Nothing. In this article, a man accused of murdering his wife and daughter has his Google searches and other browsing habits made public. I’ll tell you why it bothers me — one, because it might have no relevance to your behavior, and two, because the average Joe will believe that what he types in that search bar is between him and his computer, and that’s all.

What if he was in the system for another reason, for example, someone hopping wireless networks used his to send a threatening message to a celebrity, and the FBI traced it back to his house. The forensic guys would still search the computer, and as long as he’s a suspect, that information is fair game. What if it happened to you? What do you think they’d find on YOUR home PC? I could tell you one thing they’d find on mine. Last week I remembered that someone at the office mentioned “tofu flavored to taste like human flesh.” You know, one of those geekish attempts at one-upping each other in level of grossness. So since I was near a PC at the time I remembered it, I searched it on Google. Will the forensics examiners make an assumption that I’m a cannibal now, just because I was reading about HuFu?

Audiobooks

I bought a copy of Cryptonomicon. As an IT professional working in the security field, it seemed to fall right into place as the next book to read. It was originally recommended by Mike Terry, who seems to be a big Neal Stephenson fan. I was liking the book, but having limited time to read it now that I’m no longer commuting by train, I picked up the AudioBook of it.

Now I’m simultaneously gratified and annoyed. Sure, I can listen to it during my commute, and that works out well, especially with the Prius’ integrated audio and navigation system. When I get a call from my wife during the commute, the bluetooth-integrated system intercepts the call, PAUSES the CD while I take the call, and then resumes when I hang up. But I’m finding there are things I don’t like about audiobooks, especially for large books such as Cryptonomicon. Namely, the abridgements. I had left off reading the book shortly after a particularly satisfying brawl scene in a sushi bar, which had elements of comedy and adventure that I found fulfilling. This entire scene is left out of the audiobook and only referred to vaguely when describing the other character as having been met in a bar fight.

iptstate — Your new connection-viewing friend

In my security-related roles at various past jobs, I have often found the need to view open connections to a server. Sometimes I suspect a compromise, sometimes I’m troubleshooting a network issue. I had always used netstat to show me those open connections. Well, no more. I discovered iptstate (iptables state top), quite by accident, when pruning a distribution for size. From the man page:

iptstate displays information held in the IP Tables state table in real-time in a top-like format. Output can be sorted by any field, or any field reversed. Users can choose to have the output only print once and exit, rather than the top-like system. Refresh rate is configurable, IPs can be resolved to names, output can be formatted, the display can be filtered, and color coding are among some of the many features.
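iptstate reads the same kernel state table that /proc/net/ip_conntrack (later /proc/net/nf_conntrack) exposes, and its single-run mode is what makes it useful in a script. As an added example of mine, not from the iptstate man page, here is a one-shot shell check over a few constructed state-table lines: it lists ESTABLISHED inbound TCP flows to ports this host is not supposed to serve. The local address, the expected-port list and the sample lines are assumptions; the parser accepts both the classic ip_conntrack layout and the nf_conntrack layout, which prefixes two fields.

```shell
#!/bin/sh
# Added example: one-shot audit of the netfilter connection-tracking table.
# Ports this host is expected to accept inbound connections on (assumption).
EXPECTED_PORTS="22 80 443"

# Constructed sample of state-table lines (not captured from a real host).
# Lines 1-5 use the /proc/net/ip_conntrack layout; the last one uses
# /proc/net/nf_conntrack, which prefixes the L3 protocol name and number.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.10 sport=51234 dport=22 src=10.0.0.10 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=10.0.0.7 dst=10.0.0.10 sport=40001 dport=80 src=10.0.0.10 dst=10.0.0.7 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.44 dst=10.0.0.10 sport=33333 dport=4444 src=10.0.0.10 dst=203.0.113.44 sport=4444 dport=33333 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.10 dst=10.0.0.1 sport=56000 dport=53 src=10.0.0.1 dst=10.0.0.10 sport=53 dport=56000 use=1
tcp      6 119 TIME_WAIT src=10.0.0.9 dst=10.0.0.10 sport=42000 dport=22 src=10.0.0.10 dst=10.0.0.9 sport=22 dport=42000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.8 dst=10.0.0.10 sport=50000 dport=443 src=10.0.0.10 dst=10.0.0.8 sport=443 dport=50000 [ASSURED] mark=0 zone=0 use=2'

# Reduce each entry to "proto state src dst dport", taking the first
# (original-direction) tuple; state is "-" for protocols without one.
parse_conntrack() {
  awk '{
    start = 2; proto = $1
    if ($1 == "ipv4" || $1 == "ipv6") { proto = $3; start = 4 }
    state = "-"; src = ""; dst = ""; dport = ""
    for (i = start; i <= NF; i++) {
      if (state == "-" && $i ~ /^[A-Z_]+$/) state = $i
      if (src == "" && $i ~ /^src=/)    src = substr($i, 5)
      if (dst == "" && $i ~ /^dst=/)    dst = substr($i, 5)
      if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
    }
    print proto, state, src, dst, dport
  }'
}

# Established inbound TCP flows to the given local address on ports
# outside EXPECTED_PORTS. $1 is the local address.
unexpected_inbound() {
  parse_conntrack | awk -v ports="$EXPECTED_PORTS" -v me="$1" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 == "tcp" && $2 == "ESTABLISHED" && $4 == me && !($5 in ok) {
      print $3 " -> " $4 ":" $5
    }'
}

# Number of tracked flows per source address, busiest first.
connections_by_source() {
  parse_conntrack | awk '{ c[$3]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Stand-alone run over the constructed sample.
# On a live host: cat /proc/net/ip_conntrack | unexpected_inbound "$(hostname -i)"
printf '%s\n' "$SAMPLE" | unexpected_inbound 10.0.0.10
```

Two things to keep in mind when reading the output: the table holds every flow conntrack has seen, including forwarded and NATed ones, not just sockets owned by this host, and it is empty on a box where the conntrack modules are not loaded, which is why a sudden silence is itself worth noticing.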

Improve your yum-based repository mirror’s efficiency…

If you do a lot of Linux installs, and have a local mirror repo, you’re probably used to changing your /etc/yum.repos.d/ files to reflect your mirror after every install, and after some upgrades. You can make this more efficient and less painful by rebuilding the release RPM to point to your local mirror. This way, anyone who installs from your mirror will come back to your mirror for updates.

This is a trivial process, but none of the places I’ve worked have done it. If you do this, care must be taken to prevent the next update of the mirror from clobbering your customized release.

I’m going to demonstrate how to do it in CentOS, but RedHat and Fedora are similar, of course.

First, go to a computer with your distro freshly installed. Install the additional package rpm-build, then install the rpmrebuild package from http://sourceforge.net/project/showfiles.php?group_id=57523.

Now update your /etc/yum.repos.d files to point to your local mirror, and confirm they work with the yum check-update command. Assuming it works, you’re ready to rebuild your release RPM (the centos-release, fedora-release, etc. package owns the repository files). The command to rebuild the CentOS release package is rpmrebuild centos-release. It will confirm that you want to include the modified files, then ask whether you want to change the release number (the default is no, so I stick with that). Once you accept, it will tell you where it put your newly repackaged RPM.

Simply overwrite the original RPM in your repo with this one, rerun createrepo so the metadata picks it up, and the next person who installs from your repo will have your customizations already included. Two caveats: keep gpgcheck=1 and the stock gpgkey in the rewritten repo files, because a local mirror is exactly where a tampered package would otherwise slip in unnoticed; and the rebuilt package no longer carries the CentOS signature, so sign it with a key of your own (rpm --addsign) and import that key on your clients, or yum, with gpgcheck on, will refuse to install it.
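The rewrite of the repo files is the part worth scripting, because it is also where people quietly turn gpgcheck off to make a mirror “work.” As an added example (my own, not part of rpmrebuild or CentOS), here is a shell function that repoints a stock CentOS-Base.repo at a local mirror, plus an audit that refuses a repo file which disables signature checking or still sends clients to the public mirror list. The mirror URL and the sample repo file are assumptions.

```shell
#!/bin/sh
# Added example: repoint yum repo files at a local mirror without weakening them.

# Constructed CentOS 5 style repo file (two sections, stock layout).
SAMPLE_REPO='[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5'

# Rewrite a repo file on stdin: comment out mirrorlist= and turn the
# commented stock baseurl into a live one on the local mirror.
# $1: base URL of the local mirror (assumed), must not contain "|" or "&".
# The $releasever/$basearch variables are left for yum to expand.
point_at_mirror() {
  sed -e 's|^mirrorlist=|#mirrorlist=|' \
      -e "s|^#baseurl=http://mirror.centos.org/centos|baseurl=$1|"
}

# Read a repo file on stdin; print a reason and return 1 for anything
# that weakens signature checking or leaves clients on the public mirrors.
audit_repo() {
  content=$(cat)
  rc=0
  if printf '%s\n' "$content" | grep -q '^gpgcheck=0'; then
    echo "gpgcheck disabled: a tampered package on the mirror would install unnoticed"
    rc=1
  fi
  if printf '%s\n' "$content" | grep -q '^mirrorlist='; then
    echo "mirrorlist still active: clients will not stay on the local mirror"
    rc=1
  fi
  if printf '%s\n' "$content" | grep -q '^gpgkey=http://'; then
    echo "gpgkey fetched over plain http: a key served by the same mirror as the packages proves nothing"
    rc=1
  fi
  return $rc
}

# Stand-alone run over the constructed sample.
# On a real box: point_at_mirror http://mirror.example.internal/centos \
#   < /etc/yum.repos.d/CentOS-Base.repo > CentOS-Base.repo.new && audit_repo < CentOS-Base.repo.new
printf '%s\n' "$SAMPLE_REPO" | point_at_mirror http://mirror.example.internal/centos | audit_repo \
  && echo "repo file OK"
```

Run the audit again after every mirror sync and after any rpmrebuild of the release package; it is cheap, and it catches the one change that turns a convenience mirror into a supply-chain problem.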

Post-RHCE: Studying for RHCSS, Part 3 of 3: SELinux Policy

This is the third and final installment in the RHCSS Study series. Since SELinux is a newish technology that can be difficult to wrap your head around at first, for this installment I recommend studying the course objectives listed below along with one or more of these fine publications:

RHS 429: SELinux Policy Administration

Unit 1 – Introduction to SELinux

* Discretionary Access Control vs. Mandatory Access Control
* SELinux History and Architecture Overview
* Elements of the SELinux security model:
o user identity and role
o domain and type
o sensitivity and categories
o security context
* SELinux Policy and Red Hat’s Targeted Policy
* Configuring Policy with Booleans
* Archiving
* Setting and Displaying Extended Attributes
* Hands-on Lab: Understanding SELinux

Unit 2 – Using SELinux

* Controlling SELinux
* File Contexts
* Relabeling Files and Filesystems
* Mount options
* Hands-on Lab: Working with SELinux

Unit 3 – The Red Hat Targeted Policy

* Identifying and Toggling Protected Services
* Apache Security Contexts and Configuration Booleans
* Name Service Contexts and Configuration Booleans
* NIS Client Contexts
* Other Services
* File Context for Special Directory Trees
* Troubleshooting and avc Denial Messages
* setroubleshootd and Logging
* Hands-on Lab: Understanding and Troubleshooting the Red Hat Targeted Policy

Unit 4 – Introduction to Policies

* Policy Overview and Organization
* Compiling and Loading the Monolithic Policy and Policy Modules
* Policy Type Enforcement Module Syntax
* Object Classes
* Domain Transition
* Hands-on Lab: Understanding policies

Unit 5 – Policy Utilities

* Tools available for manipulating and analyzing policies
o apol
o seaudit and seaudit_report
o checkpolicy
o sepcut
o sesearch
o sestatus
o audit2allow and audit2why
o sealert
o avcstat
o seinfo
o semanage and semodule
o Man pages
* Hands-on Lab: Exploring Utilities

Unit 6 – User and Role Security

* Role-based Access Control
* Multi Category Security
* Defining a Security Administrator
* Multi-Level Security
* The strict Policy
* User Identification and Declaration
* Role Identification and Declaration
* Roles in Use in Transitions
* Role Dominance
* Hands-on Lab: Implementing User and Role Based Policy Restrictions

Unit 7 – Anatomy of a Policy

* Policy Macros
* Type Attributes and Aliases
* Type Transitions
* When and How do Files Get Labeled
* restorecond
* Customizable Types
* Hands-on Lab: Building Policies

Unit 8 – Manipulating Policies

* Installing and Compiling Policies
* The Policy Language
* Access Vector
* SELinux logs
* Security Identifiers – SIDs
* Filesystem Labeling Behavior
* Context on Network Objects
* Creating and Using New Booleans
* Manipulating Policy by Example
* Macros
* Enableaudit
* Hands-on Lab: Compiling Policies

Unit 9 – Project

* Best practices
* Create File Contexts, Types and Typealiases
* Edit and Create Network Contexts
* Edit and Create Domains
* Hands-on Lab: Editing and Writing Policy
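The unit on avc denial messages is the one everybody hits first in practice. As an added example (mine, not part of the Red Hat course), here is a shell summary over a few constructed audit.log lines that collapses repeated denials into source type, target type, object class and permission, which is the shape you want in front of you before deciding between a boolean, a relabel and a new policy module. The log lines, process names and contexts are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log-style lines.

# Constructed audit lines (not from a real host). The SYSCALL record is
# there to show that non-AVC lines are ignored.
SAMPLE_AVC='type=AVC msg=audit(1207836723.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207836723.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/jdoe/public_html" dev=sda1 ino=12300 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1207836724.001:458): avc:  denied  { read } for  pid=2346 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207836800.500:470): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1207836800.500:470): arch=40000003 syscall=102 success=no exit=-13'

# Print "count source_type target_type class permission(s)", most frequent
# first. The type is the third colon-separated field of a context.
avc_summary() {
  awk '
    /avc: +denied/ {
      perm = ""; st = ""; tt = ""; cls = ""
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      count[st " " tt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample.
# On a live host: ausearch -m avc -ts today | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Read the summary before reaching for audit2allow. It would happily turn the httpd_t to user_home_t denials above into an allow rule, but on the targeted policy the intended fixes are the httpd_enable_homedirs boolean or a restorecon of files that were copied in with the wrong label; a hand-written allow rule is the last resort, not the first.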

Virtualization Strategies, Part 2: VMware ESX vs XenEnterprise

XenSource published an interesting comparison of VMware ESX against XenEnterprise. It appears to be a rebuttal of an earlier VMware report, and places them neck and neck in terms of hypervisor performance. Take a look:

A Comparison of Commercial Hypervisors

Post-RHCE: Studying for RHCSS, Part 2 of 3: Directory Services and Authentication

In the first installment of this series, I discussed the overall structure of Red Hat’s advanced certifications (beyond RHCE — RHCSS, RHCDS, and RHCA), and listed the objectives for the first exam of the RHCSS certification, the Network Services exam. By the way, all Red Hat exams cost $749, or $549 if purchased with the corresponding class. Most classes are four days, with the exams scheduled on Friday, and most classes cost $2,898, with the exception of the clustering and storage class, which is $3,998, probably due to the additional cost of enterprise-class storage hardware for the labs.

In my humble opinion, these exams are far too expensive. I think the “certificate of expertise” exams, which together comprise the advanced certs, should cost $250 each. This way the two next-step certs (exam-only, of course) end up each costing approximately what the RHCE costs, and the RHCA ends up being $1,250. There is something to be said for the current lack of study materials for these exams outside of Red Hat’s official curriculum — this places a premium on those who obtain the cert, because you know they either took the official approved course or they know their stuff. They didn’t cram for free, because there’s nowhere to cram.

Here are the objectives for the second exam in the RHCSS series:

RH423 Red Hat Enterprise Directory Services and Authentication
Course Outline

1. Introduction to Directory Services
* What is a directory?
* LDAP: models, schema, and attributes
* Object classes
* LDIF
2. The LDAP Naming Model
* Directory information trees and Distinguished Names
* X.500 and “Internet” naming suffixes
* Planning the directory hierarchy
3. Red Hat Directory Server: Basic Configuration
* Installation and setup of Red Hat Directory Server
* Using the Red Hat Console
* Using logging to monitor Red Hat Directory Server activity
* Backing up and restoring the directory
* Basic performance tuning with indexes
4. Red Hat Directory Server: Authentication and Security
* Configuring TLS security
* Using access control instructions (ACIs)
* ACIs and the Red Hat Console
5. Searching and Modifying the LDAP Directory
* Using command line utilities to search the directory
* Search filter syntax
* Updating the directory
* Using graphical LDAP client utilities
6. Linux User Authentication with NSS and PAM
* Understanding authentication and authorization
* Name service switch (NSS)
* Advanced pluggable authentication modules (PAM) configuration
7. Centralized User Authentication with LDAP
* Central account management with LDAP
* Using migration scripts to migrate existing data into an LDAP server
* LDAP user authentication
8. Kerberos and LDAP
* Introduction to Kerberos
* Configuring the Kerberos key distribution center (KDC) and clients
* Configuring LDAP to support Kerberos
* Access control with Simple Authentication and Security Layer (SASL)
9. Directory Referrals and Replication
* Referrals and replication
* Single master configuration
* Multiple master configuration
* Planning for directory server availability
10. Authenticating Windows Clients
* Windows networking overview
* Configuring a Samba primary domain controller (PDC) using LDAP
11. Windows Domain Authentication and Linux Clients
* Active Directory servers
* Linux as a client
* Active Directory and NSS
* OpenLDAP
* Winbind
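The “search filter syntax” and “command line utilities” items are where scripts that take a username and hand it to ldapsearch tend to go wrong: an unescaped value lets the caller rewrite the filter. As an added example (my own, not from the course), here is RFC 4515 filter-value escaping in shell, with a couple of filter builders on top of it. The attribute names, base DN and server are assumptions.

```shell
#!/bin/sh
# Added example: build LDAP search filters without letting input rewrite them.

# RFC 4515 escaping of a value that will sit inside a filter. The backslash
# must go first so the escapes introduced here are not escaped again.
# NUL (\00) cannot appear in a shell argument, so it is not handled.
ldap_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# (uid=<user>) with the user value escaped.
uid_filter() {
  printf '(uid=%s)\n' "$(ldap_escape "$1")"
}

# Person entries belonging to a group, given the group DN (attribute names assumed).
member_filter() {
  printf '(&(objectClass=person)(memberOf=%s))\n' "$(ldap_escape "$1")"
}

# Stand-alone run: a harmless value and one that tries to widen the search.
uid_filter 'jdoe'
uid_filter 'jdoe)(uid=*'
# Real invocation (not run here), assuming a directory at ldap.example.internal:
#   ldapsearch -x -H ldaps://ldap.example.internal -b "dc=example,dc=internal" \
#     "$(uid_filter "$user")" uid cn
```

Without the escaping, the second value yields (uid=jdoe)(uid=*), which a permissive server parses as a match on every entry; with it, the parentheses and asterisk become \29, \28 and \2a and the filter matches only a literal uid of that odd string.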

Post-RHCE: Studying for RHCSS, part 1 of 3: Network Services

Beyond RHCE, Red Hat offers “certificates of expertise” which, when stacked together, become advanced certifications.

The RHCSS, Red Hat Certified Security Specialist, requires three exams:

Course   Title                                    Length   Course Fee   Exam
RHS333   Network Services                         4 days   $2,898       EX333
RH423    Directory Services and Authentication    4 days   $2,898       EX423
RHS429   SELinux Policy Administration            4 days   $2,898       EX429

The RHCDS, Red Hat Certified Datacenter Specialist, requires three exams:

Course   Title                                         Length   Course Fee   Exam
RH401    Deployment, Virtualization & Systems Mgmt     4 days   $2,898       EX401
RH423    Directory Services and Authentication         4 days   $2,898       EX423
RHS436   Clustering and Storage Mgmt                   4 days   $3,998       EX436

The RHCA is the ultimate commercial-facing certification in the Red Hat family (there are further certs available for trainers and those conducting examinations, but to me those fall into the “academic” classification). It requires five exams: the three from the RHCDS cert, one from the RHCSS cert, and one additional:

Course   Title                                         Length   Course Fee   Exam
RHS333   Network Services                              4 days   $2,898       EX333
RH401    Deployment, Virtualization & Systems Mgmt     4 days   $2,898       EX401
RH423    Directory Services and Authentication         4 days   $2,898       EX423
RHS436   Clustering and Storage Mgmt                   4 days   $3,998       EX436
RH442    System Monitoring and Performance Tuning      4 days   $2,898       EX442

For now, let’s focus on the RHCSS, and more granularly on the first exam of the trifecta required for the RHCSS, the Network Services exam. Since there is an overwhelming lack of curriculum, study guides, etc., online or in print, I present here the objectives from Red Hat’s own course description, as well as links to books that will most certainly aid in your studying, as well as being permanent references on the relevant topics.

RHS333: Red Hat Enterprise Security: Network Services

What you will learn:

RHS333 goes beyond the essential security coverage offered in the RHCE curriculum and delves deeper into the security features, capabilities, and risks associated with the most commonly deployed services. Among the topics covered in this four-day, hands-on course are the following:

1. The Threat Model and Protection Methods
* Internet threat model and the attacker’s plan
* System security and service availability
* An overview of protection mechanisms
2. Basic Service Security
* SELinux
* Host-based access control
* Firewalls using Netfilter and iptables
* TCP wrappers
* xinetd and service limits
3. Cryptography
* Overview of cryptographic techniques
* Management of SSL certificates
* Using GnuPG
4. Logging and NTP
* Time synchronization with NTP
* Logging: syslog and its weaknesses
* Protecting log servers
5. BIND and DNS Security
* BIND vulnerabilities
* DNS Security: attacks on DNS
* Access control lists
* Transaction signatures
* Restricting zone transfers and recursive queries
* DNS Topologies
* Bogus servers and blackholes
* Views
* Monitoring and logging
* Dynamic DNS security
6. Network Authentication: RPC, NIS, and Kerberos
* Vulnerabilities
* Network-managed users and account management
* RPC and NIS security issues
* Improving NIS security
* Using Kerberos authentication
* Debugging Kerberized Services
* Kerberos Cross-Realm Trust
* Kerberos Encryption
7. Network File System
* Overview of NFS versions 2, 3, and 4
* Security in NFS versions 2 and 3
* Improvements in security in NFS4
* Troubleshooting NFS4
* Client-side mount options
8. OpenSSH
* Vulnerabilities
* Server configuration and the SSH protocols
* Authentication and access control
* Client-side security
* Protecting private keys
* Port-forwarding and X11-forwarding issues
9. Electronic Mail with Sendmail
* Vulnerabilities
* Server topologies
* Email encryption
* Access control and STARTTLS
* Anti-spam mechanisms
10. Postfix
* Vulnerabilities
* Security and Postfix design
* Configuring SASL/TLS
11. FTP
* Vulnerabilities
* The FTP protocol and FTP servers
* Logging
* Anonymous FTP
* Access control
12. Apache security
* Vulnerabilities
* Access control
* Authentication: files, passwords, Kerberos
* Security implications of common configuration options
* CGI security
* Server side includes
* suEXEC
13. Intrusion Detection and Recovery
* Intrusion risks
* Security policy
* Detecting possible intrusions
* Monitoring network traffic and open ports
* Detecting modified files
* Investigating and verifying detected intrusions
* Recovering from, reporting, and documenting intrusions
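Of the services above, OpenSSH is the one whose configuration you will audit most often, and the “authentication and access control” and “port-forwarding and X11-forwarding issues” items boil down to a handful of sshd_config keywords. As an added example (mine, not from the course), here is a shell audit that computes the effective value of each keyword the way sshd does (first occurrence wins, comments ignored, anything after a Match block conditional) and reports deviations from a hardened baseline. The sample config and the baseline are assumptions, and the Protocol keyword is a relic of the SSH-1 era that current OpenSSH no longer accepts.

```shell
#!/bin/sh
# Added example: audit an sshd_config against a hardened baseline.

# Constructed sshd_config with several weak settings (not from a real host).
# The commented-out PasswordAuthentication line and the Match block are
# there to show that neither counts as the effective global value.
SAMPLE_SSHD='# constructed sshd_config fragment
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
AllowTcpForwarding yes
UsePAM yes
Match User backup
    PasswordAuthentication no'

# Hardened baseline (assumed): lowercase keyword and the value wanted.
BASELINE='permitrootlogin no
passwordauthentication no
permitemptypasswords no
x11forwarding no
allowtcpforwarding no
protocol 2'

# Print "keyword value" for the first occurrence of each keyword, keyword
# lowercased, stopping at the first Match block. Assumes the
# "Keyword value" form, not "Keyword=value".
sshd_effective() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match" { exit }
    {
      k = tolower($1)
      if (!(k in seen)) {
        seen[k] = 1
        v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
        print k, v
      }
    }'
}

# One line per deviation from BASELINE; prints nothing when the config is clean.
sshd_audit() {
  sshd_effective | awk -v baseline="$BASELINE" '
    BEGIN {
      n = split(baseline, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
    }
    ($1 in want) { have[$1] = $2 }
    END {
      for (k in want) {
        if (!(k in have))
          print k ": not set (OpenSSH default applies; set it explicitly to " want[k] ")"
        else if (have[k] != want[k])
          print k ": have " have[k] ", want " want[k]
      }
    }'
}

# Stand-alone run over the constructed sample.
# On a live host: sshd_audit < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_SSHD" | sshd_audit
```

The “not set” case matters as much as the wrong value: PermitRootLogin and PasswordAuthentication defaulted to yes on the OpenSSH of this period, so a config that never mentions them is not hardened, it is merely silent. Run the audit on the file as it would be read by sshd, and remember that sshd -T (where available) is the authoritative view of what the daemon actually resolved.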

CBL blocks the good guys (temporarily)

Welcome to the real world, CBL. We understand, it’s not your fault. These things happen. We all have to do so much work to continue blocking the s**tball, beheading-candidate spammers that continuously deluge our mailboxes with advertisements for cheap diplomas, erection subsidizers and pump-and-dump stock scams, that it’s easy to misfire once in a while.

From their website:

2008-04-10 CBL Listing Problem: Commencing at approximately 5AM UTC on 2008-04-10, and lasting as much as 5 hours in some cases, a technical problem in one of our contributory feeds resulted in a number of invalid CBL listings, including some corresponding to servers at a few ISPs and other sites.

The feed was removed from operation as soon as we became aware of the issue and have purged all the IPs it listed in the last 48 hours as a precaution. We have verified that this has taken effect in everything the CBL publishes. Here at the CBL we take false positives extremely seriously, and we do apologize for this issue. We have taken steps to ensure that this cannot happen again in the future.

To further ensure the problem is resolved everywhere, we advise the relatively small number of email administrators who retrieve their copy of the CBL via zone transfer to ensure that they have fetched the CBL at least once after 10:30AM UTC on 2008-04-10 to ensure that the erroneous listings have been purged from their systems. Note that the vast majority of sites use the CBL via direct DNSBL query or zone transfers every 2 hours or less, and thus no action is necessary.

Virtualization Strategies, Part 1: Introduction and groundwork

Ready to take the plunge into VMware? Like the idea of server consolidation but don’t know where to start? Here’s a quick primer, that might save you some research time.

Hosts and Guests

A Host is the base operating system of the physical server. A Guest is a virtual machine running on that host. Generally speaking, the Host operating system is independent of the Guest operating systems, and once you have a host system running, you can run just about any operating system inside of it as a Guest.

Choose Your Platform and Virtualization Software

I combined these two tasks because platform is often dependent on virtualization software. Xen uses Unix/Linux based Hosts, VMware uses Windows or Linux, and Microsoft Virtual Server needs a Windows host. Parallels has products for Windows, Linux and even Mac, and seems to be growing, but it remains to be seen where their products will eventually converge focus. Parallels products include Parallels Desktop for Mac, Parallels Workstation, which seems to be comparable to VMware Workstation, and Parallels Virtuozzo, which was SWSoft’s virtualization product. SWSoft’s aggressive marketing led to fairly deep penetration in the large hosting provider markets, so Parallels may have a shot at serious competition in this arena.

I know that being RHCE-certified means I should be rocking Xen, but I haven’t gotten my feet wet in it yet. I have, however, heard good things about its virtualization methodology. Ask me again in a couple of weeks, or feel free to discuss your experiences in comments.

My primary focus has been VMware. There are things I really like about VMware. I’ve been happy with performance so far, even in just the Workstation version, but especially under ESX. There are plenty of comparisons out there between VMware, Microsoft Virtual Server and/or Xen, but they are largely unscientific and anecdotal, and some don’t even specify which version of VMware is being used. The consensus seems to be that Xen is faster than VMware (probably Workstation) which is faster than Microsoft Virtual Server.

For workstation-based Virtual Machine solutions, my preference is to house everything on a Unix or Linux base, with no graphical interface, reducing overhead. More specifically, my current preference is a CentOS base, and I’ll tell you why. Under Red Hat and Fedora-based systems, VMware needs to compile its vmmon kernel module against the running kernel. Because Fedora kernel updates are so frequent, this means that you will be running vmware-config.pl frequently to recompile vmmon, etc. CentOS is directly derivative of Red Hat Enterprise Linux (RHEL), and features far fewer kernel updates. There is a trade-off, of course, if you need to use things on the same PC which require newer kernel features. I have heard from a colleague that Debian’s approach may be a bit more sane in terms of packaging these things (NVidia drivers have the same underlying problem of needing a recompile during kernel upgrades, and Debian may have conquered that as well), but again, I have not yet experienced it. I have a fundamental shortage of servers and time to do this type of research.

If you’ve read this far, you’ve read enough for today. I’ll continue this at a later date.