Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-18 Thread John Jasen
On 02/18/2011 03:09 PM, Michael B Allen wrote:

> HackerGuardian is a commercial service (it's actually "COMODO CA
> Limited"). Their scan looks thorough. Obviously they're just matching
> up version numbers with CVE notices but I have a feeling most of these
> guys are going to be doing the same thing. I was just hoping one would
> be more sophisticated about the fact that ALL of their "Fail" items
> I've checked so far are things that were backported or fixed by
> Redhat.

Probably not. I've yet to see any vulnerability scanning service that
does much above running nessus in safe mode (which only does banner grabs).

If you're prepared to monkey around with the scanner people, you can
request waivers, false positives, etc from the various companies,
proving that you're patched against the CVEs they're looking for.

If there is a really competent vendor out there, and if you're
comfortable with it, ask them to run a more thorough scan against your box.

> I just had to add N/A for
> questions like the "do you run anti-virus software" and explain that
> everything goes through the one Linux machine for which no anti-virus
> software exists or is necessary.

I would have marked that "other than satisfactory" in an audit. There
are AV products for Linux, and on a personal level, rootkit checks and
file integrity checks on a public CC handling server are a good idea.

>> I would *very* strongly recommend that you talk to the bank or agency
>> that's asking you for this, and ask them for recommendations.
> 
> If you mean my merchant account service, they claim to be the largest
> Authorized.Net reseller, they sanity checked my SAQC and thought I
> would be ready for approval as soon as I get a good scan.
> 
> So trustwave and Qualys ... I'll check them out.
> 
> Thanks,

I'm faintly surprised they aren't in the scam racket of mandating you
use a certain vendor, or one of a select few.

-- 
-- John E. Jasen (jja...@realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] 40TB File System Recommendations

2011-04-12 Thread John Jasen
On 04/12/2011 10:21 AM, Boris Epstein wrote:
> On Tue, Apr 12, 2011 at 3:36 AM, Alain Péan
>  > wrote:

I would chime in with a dis-commendation for XFS. At my previous
employer, two cases involving XFS resulted in irrecoverable data
corruption. These were on RAID systems running from 4 to 20 TB.




Re: [CentOS] 40TB File System Recommendations

2011-04-13 Thread John Jasen
On 04/12/2011 11:30 AM, Les Mikesell wrote:
> On 4/12/2011 9:36 AM, John Jasen wrote:
>>
>> 
>>
>> I would chime in with a dis-commendation for XFS. At my previous
>> employer, two cases involving XFS resulted in irrecoverable data
>> corruption. These were on RAID systems running from 4 to 20 TB.
> 
> Was this on a 32 or 64 bit system?
> 

Yes. I.e., both.



Re: [CentOS] 40TB File System Recommendations

2011-04-13 Thread John Jasen
On 04/12/2011 08:19 PM, Christopher Chan wrote:
> On Tuesday, April 12, 2011 10:36 PM, John Jasen wrote:
>> On 04/12/2011 10:21 AM, Boris Epstein wrote:
>>> On Tue, Apr 12, 2011 at 3:36 AM, Alain Péan
>>> >> <mailto:alain.p...@lpp.polytechnique.fr>>  wrote:
>>
>> 
>>
>> I would chime in with a dis-commendation for XFS. At my previous
>> employer, two cases involving XFS resulted in irrecoverable data
>> corruption. These were on RAID systems running from 4 to 20 TB.
>>
>>
> 
> What were those circumstances? Crash? Power outage? What are the 
> components of the RAID systems?

One was a hardware raid over fibre channel, which silently corrupted
itself. System checked out fine, raid array checked out fine, xfs was
replaced with ext3, and the system ran without issue.

Second was multiple hardware arrays over linux md raid0, also over fibre
channel. This was not so silent corruption, as in xfs would detect it
and lock the filesystem into read-only before it, pardon the pun, truly
fscked itself. Happened two or three times, before we gave up, split up
the raid, and went ext3. Again, no issues.


Re: [CentOS] 40TB File System Recommendations

2011-04-14 Thread John Jasen
On 04/13/2011 09:04 PM, Ross Walker wrote:
> On Apr 13, 2011, at 7:26 PM, John Jasen  wrote:

> Every now and then I hear these XFS horror stories. They seem too impossible 
> to believe.
> 
> Nothing breaks for absolutely no reason and failure to know where the 
> breakage was shows that maybe there weren't adequately skilled technicians 
> for the technology deployed.

Waving your hands and insulting the people who went through XFS failures
doesn't make me feel any better or make the problems not have occurred.

I would presume that we were lucky enough to have technicians on-site
skilled enough to track the problems down to XFS itself.



Re: [CentOS] 40TB File System Recommendations

2011-04-14 Thread John Jasen
One was 32 bit, the other 64 bit.

Christopher Chan  wrote:

>On Thursday, April 14, 2011 07:26 AM, John Jasen wrote:
>> On 04/12/2011 08:19 PM, Christopher Chan wrote:
>>> On Tuesday, April 12, 2011 10:36 PM, John Jasen wrote:
>>>> On 04/12/2011 10:21 AM, Boris Epstein wrote:
>>>>> On Tue, Apr 12, 2011 at 3:36 AM, Alain Péan
>>>>> >>>> <mailto:alain.p...@lpp.polytechnique.fr>>   wrote:
>>>>
>>>> 
>>>>
>>>> I would chime in with a dis-commendation for XFS. At my previous
>>>> employer, two cases involving XFS resulted in irrecoverable data
>>>> corruption. These were on RAID systems running from 4 to 20 TB.
>>>>
>>>>
>>>
>>> What were those circumstances? Crash? Power outage? What are the
>>> components of the RAID systems?
>>
>> One was a hardware raid over fibre channel, which silently corrupted
>> itself. System checked out fine, raid array checked out fine, xfs was
>> replaced with ext3, and the system ran without issue.
>>
>> Second was multiple hardware arrays over linux md raid0, also over fibre
>> channel. This was not so silent corruption, as in xfs would detect it
>> and lock the filesystem into read-only before it, pardon the pun, truly
>> fscked itself. Happened two or three times, before we gave up, split up
>> the raid, and went ext3, Again, no issues.
>
>32-bit kernel by any chance?


Re: [CentOS] how many people still use NIS?

2010-10-03 Thread John Jasen
Iain Morris wrote:
> 
> 
> On Sat, Oct 2, 2010 at 7:29 PM, Craig White  > wrote:
> 
> 
> 
> This discussion completely ignores the fact that user authentication is
> just one of the many things LDAP does. If all you are going to do with
> LDAP is simple user & group management then you have a lack of
> imagination.
> 
> 
> Not to stray much further off the subject, nor defend AD much further on
> the CentOS list, but AD does a lot more than user/group auth.  In fact
> it does everything in your list (DNS, mail access lists, etc), and quite
> a bit more out of the box. 
> 
> Apple's Open Directory is a nice start, but pretty far behind in the
> race.  In fact if I had a 1000 Mac installation, I'd rather build an AD
> domain and extend the schema to include the Apple attributes and use WG
> Manager for the Macs.  I honestly believe Apple has put more engineering
> time into their AD plugin than their OD native interface.

For a mixed installation with a bunch of Windows boxes, you're probably
not going to get away from AD, so you might as well leverage it.
Honestly, it's a pretty slick kerberos+LDAP+etc integration. There are a
few things it does wrong, but trying to beat its manageability,
replication, etc with openldap+mit-krb5 is _hard_.

You may get it working, but then someone has to support it down the line. :)

As for Apple's OpenDirectory, I would not inflict it on anyone I like or
had to support. While 2/3rds of it is openldap+mit-krb5, the third leg
is their own proprietary crap that is frail, prone to obscure failures,
generally undocumented, stores all the password hashes in yet another
database on the server, doesn't handle replication, and generally
interferes with your life.

> And NIS servers belong in a museum!  :-)

Of bad ideas? :)




Re: [CentOS] OT: linux desktop market share more than 1%

2010-10-08 Thread John Jasen
On 10/08/2010 06:25 PM, Warren Young wrote:
> On 10/8/2010 4:09 PM, m.r...@5-cent.us wrote:
>> But OS X can legally only run on Apple (tm$$$) systems, where Linux can
>> run on *anything* and anybody's inexpensive hardware.
> 
> Apple hardware is fairly priced when compared on quality.  Yes, there 
> are cheap POS PCs that compare favorably on features with Apple hardware 
> at a lower cost.  I've used many such.  They often break more readily, 
> or fail to satisfy on some other level.  There's more to a PC than spec 
> list.

Apple has not had a rigorous hardware quality control for several years
now. At least since the G5 days.

On a commercial level, dealing with dozens or hundreds of them, the
failure rate can be double that of Dell systems. At least from what I've
seen. And Apple's hardware support is useless.

The high quality Apple that costs 3x as much is using the same
components as the el-cheapo laptop next to it. Heck, they might be made
in the same factory!



Re: [CentOS] Mount/automount fails with krb5-enabled nfs4

2010-10-21 Thread John Jasen

For what it's worth, every time that I've tried kerberized NFS with RHEL,
I've run into issues unless I was running the latest version of
mount-utils, which I _think_ included rpc.gssd and rpc.svcgssd.

My memory may be failing, and I'll look later, but my recollection is
that it was very sensitive to those.

(apologies for top-posting)

On 10/21/2010 01:34 PM, James A. Peltier wrote:
> - Original Message -
> | I have a problem that is driving me crazy. Our nfs server is running
> | Solaris. Most clients mount directories from it with no problems,



Re: [CentOS] XFS or EXT3 ?

2010-12-03 Thread John Jasen

From personal experience, the last three times I ran XFS on large
volumes (4+ TB), they all became irrecoverably corrupted in some way or
another.

The final occasion resulted in XFS being permanently banned from that
establishment.



Re: [CentOS] XFS or EXT3 ?

2010-12-03 Thread John Jasen
On 12/03/2010 03:16 PM, Les Mikesell wrote:

> Was this on 32-bit RH/Centos where the 4k stacks are a known problem for 
> XFS?

Both 32 and 64 bit kernels.



Re: [CentOS] Graphing System Load MRTG

2010-12-21 Thread John Jasen
On 12/21/2010 11:09 AM, Matt wrote:
> I check system load like so:
> 
> [r...@server cron.daily]# w
>  10:07:33 up 4 days, 15:01,  2 users,  load average: 4.22, 3.17, 3.09
> 
> I would like to to graph the 3.17 5 minute average with MRTG.  Anyone
> know of some examples of doing this?

The easy way or the hard way?

The easy way:

You take the snmpget command someone else previously provided, convert
it to the oid, add it to the appropriate place in your mrtg.cfg (If I
recall correctly).

The hard way:

use one of the shell scripts provided, cat /proc/loadavg, or your perl
script to grab the values, figure out how to stuff them into rrdtool,
then figure out how to convince mrtg to render the resulting rrd files.

Really, the best way is to install cacti, and be done with it, as others
have suggested.



Re: [CentOS] which firewall to automatically block bandwidth abusers?

2011-08-18 Thread John Jasen
Apologies for top posting.

I fear you will either have to work with cacti bandwidth alerts,
figuring out how to grab the client IP and push it into iptables; find
another way to get the client IP out of cacti and into iptables; or look
into the QoS capabilities within Linux.


On 08/18/2011 03:01 PM, Rudi Ahlers wrote:
> Let's try again:
> 
> 
> I need to automatically block any user who abuses bandwidth, either
> incoming or outgoing. I should be able to set the limits, in either
> rate/s or usage/s: 1Mb/s or 10GB/h, for example.
> 
> Then, any users, connecting from anywhere, on any IP should be blocked
> - either if he uploads or downloads (i.e. ingress & egress) for a
> specific amount of time.
> 
> 
> My research:
> 
> The firewalls which we've tried (both normal Linux iptables and
> hardware based firewalls) can do this, as long as I can specify the
> IP's to block - this is standard for an office-type firewall.
> BUT, I don't have a range of IP's to specify since these particular
> servers are on the internet, thus any possible IP on the net could
> connect to the server.
> 
> 
> I also need to exclude certain IP's from this rule (i.e. for backup
> servers which actually need to transfer a lot of traffic).
> 
> To some degree this would mean "traffic accounting", but that just
> keeps a log of traffic usage. And we already measure traffic use with
> cacti & SNMP. Cacti can send us an email if a certain amount of
> bandwidth is used up, but it doesn't tell the firewall to block the
> offending IP address.
> 
> DDOS protection type firewalls don't help much either since they
> only block incoming "attacks", but not really normal uploads. They
> also don't block outgoing traffic once the condition is met.
> 


-- 
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring


Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-24 Thread John Jasen
David Suhendrik wrote:
> Hello All,
> I had problems with the security server, the server is frequently
> attacked using bruteforce attacks. Is there an application that can
> perform automatic blocking when there are failed login to the ports
> smtp, pop3 port, and others?
> 
> I am currently using CentOS 5.5 in some servers
> Thanks in advance...

You can also do some amount of work with the pam mod_access and
mod_tally modules.



Re: [CentOS] security compliance vs. old software versions

2010-06-29 Thread John Jasen
Kwan Lowe wrote:
> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell  wrote:
>> What's the correct response to a security scan that points out that
>> apache versions below 2.2.14 have multiple known vulnerabilities?  Is
>> there an official document about what known vulnerabilities have been
>> fixed in the RHEL/CentOS updates or do you have to wade through the
>> changelog to try to find each thing?
>>
> 
> The upstream vendor backports many fixes. The best thing to do is
> reference the CVE number in the changelogs. It's still wading through
> a lot of changelogs, but with the CVE you can find it pretty quickly.

Googling the CVE # and the vendor will usually turn up the patched
version or disposition quickly.

Depending on the assessment tool and how bright it is, you can adjust
the settings for a more thorough scan that may reduce false positives.

Others can actually be set up to ssh into the box and verify patches.

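Added example (shell; not from the thread): the changelog check Kwan Lowe describes, done against the text of the RPM changelog rather than a web search, which is where a backported fix shows up even though the version string still looks "vulnerable" to a banner-matching scanner. On a real host the text comes from rpm -q --changelog httpd; here a constructed changelog with placeholder CVE-0000-* ids is embedded so the functions run offline.

```shell
# cve_fixed_in_changelog <changelog-text> <CVE-id>
# Prints the changelog lines that name the CVE and returns 0; returns 1
# when the CVE is not mentioned and 2 when the id is malformed.
cve_fixed_in_changelog() {
    changelog="$1"
    cve="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    case "$cve" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
        *) echo "not a CVE id: $2" >&2; return 2 ;;
    esac
    # -F: match the id literally; -i: some entries write "cve-" in lower case
    printf '%s\n' "$changelog" | grep -F -i -- "$cve"
}

# fixed_cves <changelog-text>
# Lists every distinct CVE id the changelog mentions, one per line,
# normalised to upper case so "cve-" and "CVE-" spellings collapse.
fixed_cves() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' \
        | grep -o -E 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# scanner_finding_status <changelog-text> <CVE-id>
# PATCHED when the vendor changelog names the CVE (the evidence to attach
# to a false-positive waiver), otherwise UNKNOWN: the finding cannot be
# dismissed from the changelog alone and needs the vendor advisory or a
# real test of the fix.  A malformed id also yields UNKNOWN (error on stderr).
scanner_finding_status() {
    if cve_fixed_in_changelog "$1" "$2" >/dev/null 2>&1; then
        echo PATCHED
    else
        echo UNKNOWN
    fi
}

# Constructed sample in the layout of `rpm -q --changelog`; maintainer,
# versions, dates and the CVE-0000-* ids are placeholders, not real entries.
SAMPLE_CHANGELOG='* Tue Jan 05 2010 Example Maintainer <maint@example.invalid> - 2.2.3-31.el5_4.3
- add security fix for CVE-0000-1001 (constructed entry)
- add security fix for CVE-0000-1002 (constructed entry)

* Mon Nov 23 2009 Example Maintainer <maint@example.invalid> - 2.2.3-31.el5_4.2
- fix cve-0000-1003: constructed entry'

# On a real host:  scanner_finding_status "$(rpm -q --changelog httpd)" CVE-YYYY-NNNN
for id in CVE-0000-1001 CVE-0000-1003 CVE-0000-9999; do
    printf '%s: %s\n' "$id" "$(scanner_finding_status "$SAMPLE_CHANGELOG" "$id")"
done
```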


Re: [CentOS] security compliance vs. old software versions

2010-06-30 Thread John Jasen
m.r...@5-cent.us wrote:
> Frank Cox wrote:
>> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
>>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>>> the
>>> printers, and left it off. This, of course, slows things down a lot,
>>> but
>>> it's "Secure".
>> The point is that the security scan is supposed to be verifying that
>> your setup is, in fact, secure.  If you change your setup before running
>> the scan, and then change it back immediately afterward, how is that
>> verifying that your setup is, in fact, secure?  What you scanned != what
>> you are actually using.
>>
>> If your purpose is simply to check off a box on a form, why not just
>> write the Sooper Dooper Security Scanner yourself?
> 
>> You would gain just as much from that as what you're gaining right now,
>> and it would take less effort on your part.
> 
> Frank, I'm not sure of the object of your part of the conversation, me, or
> the security team that I have to deal with. I'm also feeling as though
> we're talking past each other. They ran the scan. My manager handed the
> response handling of it to me. As part of what I did, I had to turn off
> the laser printers' access to their own h/d/ramdisk, thus afflicting the
> printers. I did not turn the access back on, so some of the capabilities
> and speed of these printerSSS is utterly wasted, and for what? Someone
> might get through the gov't firewall, and fill up the h/d on the printer?
> Someone might run the trays out of paper?
> 
> To me, this indicates that they have *no* concept of what they're
> requiring, that they've included treating printers as though they were
> servers or workstations.

Forgive the minor nit, and hopefully not continuing the talking past
each other, but modern printers have more computer resources than a
smart phone, and the embedded OS is either equally as complex or an
embedded braindead version of Windows.

In other words, they are assets worth protecting.



Re: [CentOS] security compliance vs. old software versions

2010-06-30 Thread John Jasen
m.r...@5-cent.us wrote:
> John Jasen wrote:
>> m.r...@5-cent.us wrote:
>>> Frank Cox wrote:
>>>> On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
>>>>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>>>>> the printers, and left it off. This, of course, slows things down a lot,
>>>>> but it's "Secure".
> 
>> Forgive the minor nit, and hopefully not continuing the talking past
>> each other, but modern printers have more computer resources than a
>> smart phone, and the embedded OS is either equally as complex or an
>> embedded braindead version of Windows.
>>
>> In other words, they are assets worth protecting.
> 
> So, you're saying protection is more important than having them usable for
> the folks whose use they were bought for? You're saying that we should
> just get rid of them, and buy less capable printers that can't do as much?
> Even when the only way to get to the existing printers is from a system
> that's *inside* the firewall, and on our network? Hey, how 'bout I just
> unplug them from the network altogether? They'll be doorstops, but they'll
> be "secure".

Well, I'm a security admin, so of course protection is more important
than utility! :)

But seriously, the assessment tools provide information on your
environment, based on certain standard metrics. It's (HOPEFULLY! PCI
compliance notwithstanding ) up to the people who end up reading
them to fix the environment, determine that it's not a problem, or accept
the risk that was discovered.



Re: [CentOS] Windows 2003 AD, Winbind, Kerberos and NFSv4

2010-07-02 Thread John Jasen
Please forgive joining the broadcast already in progress, and for top
posting. However, I have found that removing all but the DES CBC keytab
entries on the client helps.

With Windows 2003, you may also have to set the default encryption type
for the kerberos account to DES, and use ADSIEDIT.msc to change the
UserPrincipalName to nfs/hostname.fqdn.

For what it's worth, "net", part of the Samba client package, populates
the keytabs accordingly.

For advanced debugging, the rpc.*gssd services can be configured to run
very verbosely, by adding multiple -v arguments on start.

Louis Lagendijk wrote:
> On Fri, 2010-07-02 at 11:27 -0700, James A. Peltier wrote:
>> Hi All,
> 
>> To support NFSv4 with Kerberos security, we also need to generate service 
>> principal for NFS:
>>
>> [r...@aconite ~]# net -U administrator ads keytab add nfs
>>
>> which then looks like this
>>
>> [r...@aconite ~]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>>  
>> --
>> 3 host/aconite.my.ad.n...@my.ad.name
>> 3 host/aconite.my.ad.n...@my.ad.name
>> 3 host/aconite.my.ad.n...@my.ad.name
>> 3 host/acon...@my.ad.name
>> 3 host/acon...@my.ad.name
>> 3 host/acon...@my.ad.name
>> 3 aconi...@my.ad.name
>> 3 aconi...@my.ad.name
>> 3 aconi...@my.ad.name
>> 3 nfs/aconite.my.ad.n...@my.ad.name
>> 3 nfs/aconite.my.ad.n...@my.ad.name
>> 3 nfs/aconite.my.ad.n...@my.ad.name
>> 3 nfs/acon...@my.ad.name
>> 3 nfs/acon...@my.ad.name
>> 3 nfs/acon...@my.ad.name
>>
> did you create the keytab on the CLIENT also?
> 
>> Test on the client
>>
>> [r...@celastrina ~]# showmount -e aconite
>> Export list for aconite:
>> /exports *
>> [r...@celastrina ~]# mount -t nfs4 aconite:/ /mnt
>> [r...@celastrina ~]# mount |grep -i nfs4
>> aconite:/ on /mnt type nfs4 (rw,addr=199.60.1.84)
>> [r...@celastrina ~]#
>>
>> So as you can see everything is now working *without* Kerberos.  However, 
>> if I change the /etc/exports file on aconite to
>>
>> [r...@aconite ~]# cat /etc/exports
>> /exports gss/krb5(rw,fsid=0)
>> [r...@aconite ~]# exportfs
>> /exports gss/krb5
>>
>>
>> and then try to mount with the -o sec=krb5 on the client
>>
> is rpc.gssd running on the client?
> rpc.svc.gssd on the server?
> 
>> [r...@celastrina ~]# mount -t nfs4 -o sec=krb5 aconite:/ /mnt
>> mount.nfs4: Permission denied
>>
>> and the entry in /var/log/messages on celastrina is
>>
>> Jul  2 11:21:57 celastrina rpc.gssd[3302]: Using keytab file 
>> '/etc/krb5.keytab'
>> Jul  2 11:21:57 celastrina rpc.gssd[3302]: WARNING: Failed to obtain 
>> machine credentials for connection to server aconite.my.ad.name
>>
>> nothing appears in the logs on aconite.
>>
> so you most likely do not have a keytab on the client.
> 
> Using kerberos is not simple
> 
> Louis
> 
> 


Re: [CentOS] security compliance vs. old software versions

2010-07-06 Thread John Jasen
John Hinton wrote:
> On 6/30/2010 8:54 PM, John Jasen wrote:
>> Well, I'm a security admin, so of course protection is more important
>> than utility! :)
>>
>> But seriously, the assessment tools provide information on your
>> environment, based on certain standard metrics. It's (HOPEFULLY! PCI
>> compliance notwithstanding ) up to the people who end up reading
>> them to fix the environment, determine that it's not a problem, or accept
>> the risk that was discovered.
>>
>>
> Sorry to drag this back out to the front... I've been beyond busy and 
> just now catching up.
> 
> One of the things that is blaring to me in these 'security' scans is 
> that there is no check of passwords. We can jump through every hoop in 
> the world to provide a 'secure' environment, yet without 'verifying' 
> with the client a quality password and password policy, this is simply a 
> moot point. Yes, one would hope... but if they don't check this how do 
> they know? I have had requests for password changes to the most ignorant 
> and guessable things. We don't allow any of our users to set their 
> passwords, but I do wonder about these supposedly 'secure' sites.

Well, security assessment tools should just be a part of your holistic
security posture. Hopefully, if passwords are a concern, you've set
requirements for complex password in your authentication system, and are
routinely running password scans against them.

FWIW, nessus does have a check for stupid default passwords for default
accounts.




[CentOS] selinux getsebool request

2016-04-12 Thread John Jasen
Out of faint curiosity, how do we push change requests upstream to RHEL?

I'm using puppet to automate systems, including the application of
SELinux policy. While setsebool -P is non-damaging to repeat, it is time
consuming -- taking about 45 seconds per execution to process the
existing policy and re-commit to disk.

I'd like a simple ability to put an unless in the execution of
setsebool, to key off whether it's necessary -- to reduce a SELinux
puppet run from 250 seconds to about 60.  Unfortunately, in the current
format, getsebool has defeated me.

Would it be possible to have getsebool extended, so something like
getsebool -b $variablename would return true or false as the exit code?



Re: [CentOS] selinux getsebool request

2016-04-12 Thread John Jasen
On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
>
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -q -- '--> on'"

D'oh! That's what I get for overcomplicating the whole darn thing. :)
>
> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile time is to either skip -P and
> understand it's not persistent so puppet needs to fix at boot, or passing
> multiple booleans to setsebool at the same time so the compile only happens
> once.

Huh. Stacking setsebool has a lot of potential. I should add remedial
man-page reading to my list of tasks.

I'm of the camp that systems should come up in a ready state, regardless
of the immediate availability of puppet. So, using puppet to push
SELinux changes without committing to on-disk policy alarms me.

Thanks for the ideas!

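Added example (shell; not from the thread and not puppet's own selboolean type) covering both the getsebool "unless" idea and the stacking of several booleans into one setsebool -P: a small parser of getsebool output that works out which booleans differ from the desired state, so the policy recompile is paid once and not at all when everything already matches. It matches on the "--> on" / "--> off" suffix because the boolean name httpd_can_network_connect itself contains the letters "on", so a bare grep for "on" would report it as set even when it is off. The getsebool output is a constructed sample.

```shell
# current_value <getsebool-output> <boolean-name>
# getsebool prints one line per boolean:  "<name> --> <on|off>"
# Prints "on" or "off"; returns 1 if the boolean is not in the output.
current_value() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name && $2 == "-->" { print $3; found = 1 } END { exit !found }'
}

# pending_changes <getsebool-output> name=value [name=value ...]
# Prints, space separated, only the name=value pairs whose current state
# differs from the desired one: exactly the argument list setsebool -P needs.
# Returns 2 on a bad value or an unknown boolean so a typo is not silently
# turned into a no-op.
pending_changes() {
    state="$1"; shift
    out=""
    for want in "$@"; do
        name="${want%%=*}"
        value="${want#*=}"
        case "$value" in
            on|off) ;;
            *) echo "bad value for $name: $value" >&2; return 2 ;;
        esac
        have="$(current_value "$state" "$name")" \
            || { echo "unknown boolean: $name" >&2; return 2; }
        [ "$have" = "$value" ] || out="${out:+$out }$want"
    done
    printf '%s' "$out"
}

# build_setsebool_cmd <getsebool-output> name=value [name=value ...]
# Prints the single setsebool -P command a puppet exec would run, or
# nothing when every boolean is already in the desired state.
build_setsebool_cmd() {
    changes="$(pending_changes "$@")" || return $?
    [ -n "$changes" ] && printf 'setsebool -P %s\n' "$changes"
    return 0
}

# Constructed sample of `getsebool -a` output used for the demonstration.
SAMPLE_STATE='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_homedirs --> on
nfs_export_all_rw --> on'

# On a real host:  build_setsebool_cmd "$(getsebool -a)" httpd_can_network_connect=on ...
# Here only the two booleans that differ end up on the command line.
build_setsebool_cmd "$SAMPLE_STATE" \
    httpd_can_network_connect=on httpd_enable_homedirs=on nfs_export_all_rw=off
```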


Re: [CentOS] selinux getsebool request

2016-04-13 Thread John Jasen
re: puppet selboolean

And ... a double d'oh! for the day. That's just what I was looking for!

Thanks for pointing it out!



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-20 Thread John Jasen
Various government entities may use it extensively. I don't recall if
tcp_wrappers is in the USGCB baselines for RHEL, but I do believe it's in
several CIS benchmarks.


On 03/20/2014 03:55 PM, Keith Keller wrote:
> On 2014-03-20, Matthew Miller  wrote:
>> What do you think? Do you rely on hosts.allow/hosts.deny a primary security
>> mechanism? As defense-in-depth? Do you have policies which mandate it?
> 
> I currently use it in conjunction with denyhosts, but have been
> considering moving to something like sshguard with iptables instead.  If
> hosts.deny support disappeared then I would simply go that route when
> necessary.
> 
> May I ask what the reason is for considering dropping tcp wrappers
> support?
> 
> --keith
> 




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John Jasen
On 03/20/2014 04:13 PM, Matthew Miller wrote:
> On Thu, Mar 20, 2014 at 04:00:49PM -0400, John Jasen wrote:
>> Various government entities may use it extensively. I don't recall if
>> tcp_wrappers is in the USGCB baselines for RHEL, but I do believe its in
>> several CIS benchmarks.
> 
> Good question. I checked with both that and the DoD National Checklist
> Program, and neither mention it. Also, unless I missed something else, the
> USGCB covers RHEL 5, so there won't be any impact there.
> 
> Are the CIS benchmarks something you could point me to?
> 

https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf

Also note, agencies or groups required to implement CIS or better who
maintain a mixed environment may also use tcp_wrappers on all their
platforms, as from a cursory glance, every UNIX benchmark lists it.

I would recommend against dropping tcp wrappers.




Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-03-21 Thread John Jasen
On 03/20/2014 06:23 PM, Les Mikesell wrote:

> Not sure there's a one-to-one mapping or even a conceptual overlap in
> what tcpwrappers and iptables do.   Applications can be configured to
> use different ports than someone setting up iptables might expect -
> and how would you handle portmapper?
> 

As another case, read some of the extended use cases for vsftpd. They
require tcpd to pass an environmental variable telling vsftpd which
configuration file to use.




[CentOS] performance problems with OpenLDAP and multiple simultaneous clients

2017-07-07 Thread John Jasen

Running CentOS7, with openldap-2.4.40-13.el7. The environment consists
of two ldap providers, in mirror mode, serving over a shared virtual IP.
Client-facing services are provided by 4 consumers, most of which are
accessed over a layer 4 load balancer.

Periodically, the consumers encounter some sort of client request(s)
which consume all available threads, cause backload threads to spike,
and cause slapd to go unresponsive for a long period of time. I've no
idea what is causing these events, or if there is anything in the
configurations that I can tweak to help.

Anyone have any ideas?


Re: [CentOS] CentOS 7.3 and e1000e

2017-07-08 Thread John Jasen
This may be the wrong approach, but install the
NetworkManager-config-server rpm. It sets a config option to allow
interfaces to be configured before being available, which may help.



On 07/08/2017 07:45 AM, Jerry Geis wrote:
>> Do you use NetworkManager or the network sysv service?
> I use the sysv service
> Thanks,
>
> Jerry


Re: [CentOS] Hardening Apache on CentOS 7

2017-07-09 Thread John Jasen
If your site(s) are simple enough, look into modsecurity for Apache web
servers.

Also, use either iptables or the built-in firewalld stuff on centos7 to
restrict in/outbound ports.



On 07/09/2017 12:01 PM, Nicolas Kovacs wrote:
> Hi,
>
> Some time ago one of my public servers (running Slackware64 14.0) got
> attacked and was misused to send phishing emails.
>
> This misadventure made me more concerned about security, so I spent the
> last few weeks catching up on security, reading docs about SELinux and
> how to use it, etc.
>
> I have a public sandbox server running CentOS 7, and I'm currently
> experimenting quite a lot with Apache and how to secure it. My approach
> is very much trial-and-error. I've started with these two articles:
>
> https://devops.profitbricks.com/tutorials/how-to-harden-the-apache-web-server-on-centos-7/
>
> https://www.tecmint.com/apache-security-tips/
>
> I've also discovered the Nikto vulnerability scanner, and I'm playing
> around with it.
>
> Besides all this, I'd be curious to know your approach in securing
> Apache, the tools you use, maybe the odd do's and don'ts, suggestions,
> some good books and/or online docs about the subject, etc.
>
> Cheers from the sunny South of France,
>
> Niki



[CentOS] SOLVED Re: performance problems with OpenLDAP and multiple simultaneous clients

2017-07-09 Thread John Jasen
This turned out to be a blocking issue with rsyslog. So, the slapd issue
is solved by uncovering the root cause.


On 07/07/2017 07:24 PM, John Jasen wrote:
> Running CentOS7, with openldap-2.4.40-13.el7. The environment consists
> of two ldap providers, in mirror mode, serving over a shared virtual IP.
> Client-facing services are provided by 4 consumers, most of which are
> accessed over a layer 4 load balancer.
>
> Periodically, the consumers encounter some sort of client request(s)
> which consume all available threads, cause backload threads to spike,
> and cause slapd to go unresponsive for a long period of time. I've no
> idea what is causing these events, or if there is anything in the
> configurations that I can tweak to help.
>
> Anyone have any ideas?


[CentOS] rsyslog stops logging on service reload?

2017-07-09 Thread John Jasen
I have multiple servers running stock CentOS 7 rsyslog 7.4.7-16.el7,
which are configured to log locally and over TCP to a remote logserver,
also running stock CentOS 7 rsyslog. The remote server uses imptcp to
receive, and pretty basic rules to parse and commit to disk.

I have several systems that log prolifically, but periodically, they
stop soon after the remote log server HUPs (daily logrotate). Very soon
after they stop logging (completely, even to local files), the services
on these systems block, and our monitoring system starts alerting.
Restarting rsyslog on the clients proves ineffectual.

The situation may clear itself without intervention after 90 minutes to
several hours.

However, this does not happen on all client systems in a similar
situation (CentOS 7, large volume of constant log data); nor does it
happen daily.

Any ideas as to what's going on?

Thanks in advance.


Re: [CentOS] Getting started with mod_security

2017-07-28 Thread John Jasen
mod_security 2.7.3 from CentOS is pretty old and pretty broken. The crs
package is equally out of date.

Recompiling mod_security from a more recent fedora SRPM and grabbing the
OWASP core-rule-set from git will yield much better results, in my opinion.



On 07/16/2017 02:32 PM, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently fiddling with mod_security, and before going any further,
> I simply wanted to ask here for any recommended documentation/tutorials
> on the subject. There seems to be a lot of information about
> mod_security out there, and right now I have a bit of a hard time
> wrapping my head around it.
>
> I'm grateful for any suggestions.
>
> Cheers,
>
> Niki Kovacs



Re: [CentOS] rsyslog stops logging on service reload?

2017-08-18 Thread John Jasen

The long and the short of the story was that another misconfigured
client on the network was swamping the central logserver right after
logrotate kicked off.

The best fix was to enable client memory/file queues.

On 07/13/2017 04:40 AM, Fabian Arrotin wrote:
> On 09/07/17 18:37, John Jasen wrote:
>> I have multiple servers running stock CentOS 7 rsyslog 7.4.7-16.el7,
>> which are configured to log locally and over TCP to a remote logserver,
>> also running stock CentOS 7 rsyslog. The remote server uses imptcp to
>> receive, and pretty basic rules to parse and commit to disk.
>>
>> I have several systems that log prolifically, but periodically, they
>> stop soon after the remote log server HUPs (daily logrotate). Very soon
>> after they stop logging (completely, even to local files), the services
>> on these systems block, and our monitoring system starts alerting.
>> Restarting rsyslog on the clients proves ineffectual.
>>
>> The situation may clear itself without intervention after 90 minutes to
>> several hours.
>>
>> However, this does not happen on all client systems in a similar
>> situation (CentOS 7, large volume of constant log data); nor does it
>> happen daily.
>>
>> Any ideas as to what's going on?
>>
>> Thanks in advance.
>>
> Sorry for the late answer, but can you give more details ?
> I remember having seen that kind of issue only when sending other logs
> that the default one (so when using imfile plugin, tracking other files
> like httpd logs as an example)
>
> What are your rules ? How is the network between all those nodes ? I had
> also an issue over "unreliable" network with buffer/queue and also when
> the receiver had his main msg queue size too small.
>
> Some parameters that can help (?) :
> # sender size
> $WorkDirectory /var/lib/rsyslog # default location for work (spool) files
> $ActionQueueType LinkedList # use asynchronous processing
> $ActionQueueFileName forwardqueue # set file name, also enables disk mode
> $ActionResumeRetryCount -1 # infinite retries on insert failure
> $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
>
> # receiver side
> $MainMsgQueueSize 10


Re: [CentOS] migrate openldap to centos 7 server..

2016-08-23 Thread John Jasen
You should be able to use slapd.conf. You may need to toggle
/etc/sysconfig/slapd to do so, but my testing with CentOS7 has all been
slapd.conf-based.


On 08/21/2016 11:49 AM, Jason Welsh wrote:
> I hope this isn't terribly off-topic, but I'm trying to migrate openldap from
> an old 32bit install of gentoo linux to 64bit centos 7. I've searched and found
> all kinds of info on migrating, but none of it seems to work completely for me.
> It seems that the newer centos 7 openldap config doesn't use the slapd.conf
> file any more.
> So it appears I need two ldif files, one for the config and one for the
> actual database?
> On the old server if I do (as root)
> slapcat -n 0, I get the error
> slapcat: could not open database.
> but I was able to get a dump of the (non-config) database with
>  slapcat -n 1, but I can't import that ldif on the new centos 7 server without
> the config part...
> anyone know what the right procedure for this would be ?
>
> regards,
> Jason


Re: [CentOS] An 'orrible question: Outlook 365 under wine on CentOS?

2016-09-26 Thread John Jasen
The only linux-based client that, if I recall, can speak native MS mail
protocols, was Evolution.

I don't know if it still does.


On 09/23/2016 07:25 PM, John R Pierce wrote:
> On 9/23/2016 12:50 PM, m.r...@5-cent.us wrote:
>> Upper Management has decided on a policy that IMAP is going to go
>> away in
>> the near future, and they want everyone on Lookout, sorry, Outlook 365.
>
> let me guess, outsourcing the mail server operations to 'the cloud' ?


Re: [CentOS] An 'orrible question: Outlook 365 under wine on CentOS?

2016-09-26 Thread John Jasen

On 09/26/2016 01:28 PM, m.r...@5-cent.us wrote:
> John Jasen wrote:
>> The only linux-based client that, if I recall, can speak native MS mail
>> protocols, was Evolution.
>>
>> I don't know if it still does.
>>
> Yeah... and this is O365.
>
> Stupid question: if I check out evolution... will it munge my thunderbird
> email inbox or folders, or could it read them, and just create its own
> indices?
If they're both reasonably well-behaved mail clients, they should
generally leave each other alone. I've not had major issues doing
Exchange or OWA from one client, and IMAP from thunderbird -- but I've
not tried evolution in a LONG time.




Re: [CentOS] New laptop recomendation

2016-11-22 Thread John Jasen
At least one I looked at, the 17.3 inch, had an option for Ubuntu 14.04.



On 11/22/2016 06:50 PM, Dr. Mikeal Hughes wrote:
> When you go to the Dell Linux site and choose shop now you are taken to a 
> page featuring Windows 10 machines.
>
> Sent from my iPad
>
>> On Nov 22, 2016, at 13:01, Tony Molloy  wrote:
>>
>>> On Tuesday 22 November 2016 18:32:14 Gordon Messmer wrote:
>>>> On 11/22/2016 07:23 AM, Tony Molloy wrote:
>>>>> I am looking for a laptop  to run CentOS 6/7. My university was a
>>>>> traditional Dell site so I've used Latitude laptops for years,
>>>>> currently E6500/E6510.
>>> Dell's Linux laptops are listed here:
>>>
>>> http://www.dell.com/learn/us/en/555/campaigns/xps-linux-laptop?c=us&l=en&s=biz
>>>
>> Been through the Dell site, I'm very familiar with Dell.
>>
>> The original question was whether anybody was running CentOS 6/7 on 
>> Dell Latitude or Precision Workstation so I could replace Ubuntu with 
>> CentOS.
>>
>> Rather not go for XPS basically a gaming machine not expandable enough 
>> same with Inspiron.
>>
>> Thanks,
>>
>> Tony
>>
>> -- 
>> Linux nogs.tonyshome.ie 2.6.32-642.11.1.el6.x86_64 #1 SMP Fri Nov 18 
>> 19:25:05 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


[CentOS] openldap: replica consumers and ppolicy overlay values

2016-12-12 Thread John Jasen
I'm trying to setup OpenLDAP on CentOS7, in a provider/consumer
relationship. In general, provider/consumer is working quite well,
except when it comes to password policy.

Specifically, I want PwdFailureTime to be written to the provider from
one of the front end consumers when appropriate.

I'm led to believe this requires:

a) ppolicy_forward_updates TRUE (done)

b) an appropriate syncrepl configuration for the consumer (I believe done)

c) updateref $LDAP-provider-URI (done)

d) an appropriate chain overlay on the provider (I think done)

e) appropriate ACLs on the provider to allow the consumer bind-user
access to manage PwdFailureTime (I believe done)

I've attempted all of the above, but the consumer (when run in debugging
mode), does not seem to be trying any updates upon authentication
failure. It gives no indication of modifying locally, or of trying to
contact the provider at all over this.

Any idea what's going wrong?




Re: [CentOS] amanda and selinux

2017-01-20 Thread John Jasen
There's an option to get selinux to report on all the 'don't audit'
bits, which can be toggled on and off as needed. This may help in debugging.

On 01/19/2017 06:25 PM, Jon LaBadie wrote:
> Anyone familiar with the selinux policy for the
> amanda backup software package?  I'm getting lots
> of data not being backed up.  For example, under
> /home there are 2 directory trees owned by root.
> Those get backed up, user home dirs do not.
>
> No AVC denials nor messages in /var/log/messages
> or journalctl log.  But if I turn off selinux
> enforcing, or set amanda_t type to permissive,
> complete backups are made.
>
> I expected the selinux policy would have allowed
> amanda to be able to read all files.  Else, how
> does one make backups?
>
> I'm seeing this on CentOS 7.2, Fedora 24 & 25.
> Amanda packages from the respective distro repos.
> As far as I can tell, the selinux policies are
> the same in all three.  But then, I know little
> selinux speak.
>
> Jon



Re: [CentOS] kerberized-nfs - any experts out there?

2017-03-22 Thread John Jasen


On 03/22/2017 03:26 PM, Matt Garman wrote:
> Is anyone on the list using kerberized-nfs on any kind of scale?

Not for a good many years.

Are you using v3 or v4 NFS?

Also, you can probably stuff the rpc.gss* and idmapd services into
verbose mode, which may give you a better idea as to what's going on.

And yes, the kernel does some kerberos caching. I think 10 to 15 minutes.

