Monthly Archives: December 2014

Setting up Java environment and Control Panel

The document linked below shows how to set up the Java environment on various operating systems and how to edit Java Control Panel features and proxy settings.

Configure Java environment


Display directory size in Linux GUI

The link below describes a few Linux tools that show directory or file system size in a GUI.

How to display directory size in Linux GUI

See the earlier posts on Windows directory size analyzer tools:

https://teckadmin.wordpress.com/2013/03/11/windows-directory-size-using-treeviewr/

https://teckadmin.wordpress.com/2013/12/12/how-to-view-directory-size-in-windows-2/

“Grinch”: a Linux Polkit configuration that can lead to privilege escalation

Grinch could affect all Linux systems (it is believed to be less severe than the Bash Shellshock bug), including web servers and mobile devices. The security hole is actually a common configuration issue related to Polkit, a relatively new component used for controlling system-wide privileges on Unix-like operating systems.

Unlike sudo, which lets system administrators give certain users the ability to run commands as root or another user, Polkit allows finer control by delimiting distinct actions and users and defining how those users may perform those actions.

Privilege escalation can be achieved through “wheel,” a special user group with administrative privileges. On many Linux systems the first (default) user created at installation is automatically added to this group.
Read the blog post by Stephen Coty, chief security evangelist at Alert Logic: https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/.

“The problem pointed out by Alert Logic is twofold. First of all, the default Polkit configuration on many Unix systems (e.g. Ubuntu) does not require authentication. Secondly, the Polkit configuration essentially just maps the ‘wheels’ group, which is commonly used for Sudo users, to the Polkit ‘Admin’. This gives users in the ‘wheel’ group access to administrative functions, like installing packages, without having to enter a password,” explained Johannes Ullrich of the SANS Internet Storm Center.

Alert Logic pointed out that the flaw mostly affects home users, but the company believes an attack could also work in a corporate environment where many users are assigned to the “wheel” group for one reason or another.

Notes:

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Library General Public License.
Fedora was the first distribution to include PolicyKit, and it has since been used in other distributions including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora, have already switched to the rewritten polkit.
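As an added example (not part of the original post or of the Polkit project), here is a small Python auditor for the Local Authority .pkla files used by the Ubuntu-style configuration quoted above. It parses each entry, matches its Identity against the wheel/sudo/admin groups and its Action pattern against a given action id, and reports entries whose ResultAny/ResultInactive/ResultActive is the unauthenticated "yes" rather than an auth_admin or auth_self variant. The two .pkla fragments are constructed for the example, and the PackageKit action id org.freedesktop.packagekit.package-install is only an illustrative target. Distributions that use the newer JavaScript .rules format (Fedora and later Red Hat releases) need a different check.

```python
"""Audit polkit Local Authority (.pkla) files for password-less admin grants.

Flags any entry that gives an administrative group (wheel/sudo/admin) an
unconditional "yes" for a privileged action such as package installation,
which is the configuration weakness behind the "Grinch" write-up.
"""
import configparser
import fnmatch
import glob
import os

ADMIN_GROUPS = {"wheel", "sudo", "admin"}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
# Only "yes" skips authentication entirely; auth_admin, auth_self and their
# *_keep variants still prompt for a password.
NO_AUTH = {"yes"}


def parse_pkla(text):
    """Parse one .pkla file (INI syntax) into a list of entry dicts."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: ResultActive is not resultactive
    parser.read_string(text)
    entries = []
    for name in parser.sections():
        section = parser[name]
        entries.append({
            "name": name,
            "identities": [i.strip() for i in section.get("Identity", "").split(";") if i.strip()],
            "actions": [a.strip() for a in section.get("Action", "").split(";") if a.strip()],
            "results": {k: section[k].strip() for k in RESULT_KEYS if k in section},
        })
    return entries


def is_admin_group(identity):
    """True for unix-group:wheel and the other administrative groups."""
    kind, _, name = identity.partition(":")
    return kind == "unix-group" and name in ADMIN_GROUPS


def passwordless_grants(entries, action):
    """Return (entry name, {result key: value}) for every entry that grants
    `action` to an admin group without any authentication."""
    findings = []
    for entry in entries:
        if not any(is_admin_group(i) for i in entry["identities"]):
            continue
        # polkit only allows a trailing '*' wildcard in Action; fnmatch covers it
        if not any(fnmatch.fnmatchcase(action, pat) for pat in entry["actions"]):
            continue
        weak = {k: v for k, v in entry["results"].items() if v in NO_AUTH}
        if weak:
            findings.append((entry["name"], weak))
    return findings


def audit_directory(path, action):
    """Scan every .pkla below `path` (e.g. /etc/polkit-1/localauthority)."""
    findings = []
    for pkla in sorted(glob.glob(os.path.join(path, "**", "*.pkla"), recursive=True)):
        with open(pkla, encoding="utf-8") as fh:
            for name, weak in passwordless_grants(parse_pkla(fh.read()), action):
                findings.append((pkla, name, weak))
    return findings


# Constructed sample files, not taken from any distribution.
WEAK_PKLA = """\
[Allow wheel to manage packages]
Identity=unix-group:wheel
Action=org.freedesktop.packagekit.*
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

HARDENED_PKLA = """\
[Allow wheel to manage packages]
Identity=unix-group:wheel
Action=org.freedesktop.packagekit.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep
"""

PACKAGE_INSTALL = "org.freedesktop.packagekit.package-install"  # illustrative target action

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PKLA), ("hardened", HARDENED_PKLA)):
        print(label, passwordless_grants(parse_pkla(text), PACKAGE_INSTALL))
```

On a live host, audit_directory("/etc/polkit-1/localauthority", PACKAGE_INSTALL) walks the vendor and local .pkla directories; the hardened variant keeps the wheel mapping but makes the active session authenticate once (auth_admin_keep), which is the fix the write-up calls for.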

Differentiate Local System and Network Service accounts

Network Service is a special built-in account that has the privileges of a limited (authenticated) user. A service that runs as Network Service accesses network resources using the credentials of the computer account.

Local System, by contrast, is a special built-in account that is the most privileged (authenticated) account on the system; on the network it too acts as the machine account. Because a compromised Local System service owns the whole machine, services that only need network identity should run as Network Service (or a more restricted account) rather than Local System.

POODLE Attack

Bodo Möller, Thai Duong and Krzysztof Kotowicz of the Google Security Team discovered this SSL (Secure Sockets Layer) 3.0 vulnerability in September 2014. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack is not as serious as the Heartbleed and Shellshock bugs. On December 8, 2014 a variation of POODLE that affects some TLS implementations was announced.
The CVE IDs are CVE-2014-3566 for the original POODLE attack against SSL 3.0 and CVE-2014-8730 for F5 Networks’ faulty TLS implementation that allows POODLE against TLS.

There is no fix for SSL 3.0 itself: the weakness is in the protocol’s CBC padding handling, not in any one implementation. To mitigate POODLE, disable SSL 3.0 on both the server and the client side. Some old clients and servers do not support TLS 1.0 or later, so where SSL 3.0 cannot be removed yet, browsers and servers should at least implement TLS_FALLBACK_SCSV, which stops an active attacker from forcing a TLS-capable client down to SSL 3.0. It does not protect connections that legitimately start at SSL 3.0.

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Browser status
==============
Opera 25 has implemented a POODLE mitigation of its own in addition to TLS_FALLBACK_SCSV.
Chrome 39 already supports TLS_FALLBACK_SCSV.
Mozilla disabled SSL 3.0 in Firefox 34 and ESR 31.3, released in December 2014, and will add TLS_FALLBACK_SCSV support in Firefox 35.
Microsoft announced plans to disable SSL 3.0 by default in its products and services and published a fix to disable SSL 3.0 in Internet Explorer and Windows.
Apple’s Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against POODLE by removing support for all CBC cipher suites in SSL 3.0.

Service providers status
————————
OpenSSL has added support for TLS_FALLBACK_SCSV to its latest releases and recommends the following upgrades:
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV for it to prevent downgrade attacks; a client that sends the SCSV gains nothing from a server that ignores it, and vice versa.

Akamai, a popular CDN, has accelerated its deprecation of SSL 3.0.
CloudFlare has disabled SSL 3.0 support by default for all customers.
Twitter and Wikimedia have dropped support for SSL 3.0 to prevent the POODLE attack.

https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed

How to check your server & client
===============================
Web site test
https://www.ssllabs.com/ssltest/

Client test
https://www.ssllabs.com/ssltest/viewMyClient.html

Resolutions for Server and Clients
==================================

Disable in Microsoft Server
—————————
To disable SSL 3.0 on the server side, create the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
then, on the Edit menu, click Add Value; in the Data Type list, click DWORD; in the Value Name box, type Enabled and click OK; set the value data to 0 and restart the system.
The same Enabled=0 DWORD under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
disables SSL 3.0 for applications that use Schannel as a client. Re-run the SSL Labs server test above after the restart to confirm the change took effect.

Microsoft Security Advisory 3009008 (CVE-2014-3566)
https://technet.microsoft.com/en-us/library/security/3009008.aspx

How to disable SSLv3 in Apache?
——————————-
Include “SSLProtocol all -SSLv2 -SSLv3” in every SSL VirtualHost in httpd.conf (httpd 2.2.23 and later). A directive inside a VirtualHost overrides the server-wide one, so a single vhost left on the defaults keeps SSLv3 enabled for that site.

<VirtualHost your.website.example.com:443>
DocumentRoot /var/www/directory
ServerName your.website.example.com

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

Note: if the SSL settings live in a separate file, as on Ubuntu 10.04 (/etc/apache2/mods-available/ssl.conf), put the directive there:
SSLProtocol all -SSLv2 -SSLv3

For httpd 2.2.22 and older, specify only TLSv1; those versions treat it as a wildcard for all TLS versions.

SSLProtocol TLSv1

For Apache + mod_nss, edit /etc/httpd/conf.d/nss.conf to allow only TLS 1.0 and later.

NSSProtocol TLSv1.0,TLSv1.1

Apache Tomcat Web server
————————
Configured via $TOMCAT_HOME/conf/server.xml. The attribute depends on the connector type: the APR/native connector shown below takes SSLProtocol, while JSSE connectors (protocol="HTTP/1.1" or org.apache.coyote.http11.Http11NioProtocol with keystoreFile) take sslEnabledProtocols (Tomcat 6.0.38 and later, Tomcat 7) or, on older Tomcat 6 releases, the deprecated sslProtocols attribute.

Tomcat 5.5 (APR connector)

<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
SSLEnabled="true" scheme="https" secure="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="none" SSLProtocol="TLSv1" />

Tomcat 6, 7 (APR connector with Tomcat Native 1.1.21 or later, which accepts protocols joined with +)

<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
SSLEnabled="true" scheme="https" secure="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />

JSSE connector equivalent (Tomcat 6.0.38+, 7):

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Lighttpd
————
For Lighttpd 1.4.28 and later, edit /etc/lighttpd/lighttpd.conf:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Postfix SMTP
————-
Modify the smtpd_tls_mandatory_protocols setting in main.cf:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

This parameter only governs connections where TLS is mandatory. Opportunistic server-side TLS is controlled by smtpd_tls_protocols (Postfix 2.6 and later), and the SMTP client side by smtp_tls_mandatory_protocols and smtp_tls_protocols; apply the same exclusions to all of them.

Sendmail
———
Add the options to the LOCAL_CONFIG section of sendmail.mc (the O prefix marks a raw sendmail.cf option) and rebuild sendmail.cf:

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Dovecot
——–
For Dovecot 2.1 and later, add the following line to /etc/dovecot/local.conf (or to /etc/dovecot/conf.d/10-ssl.conf) and restart Dovecot:

ssl_protocols = !SSLv2 !SSLv3

Dovecot 2.0 has no ssl_protocols setting; there, edit /etc/dovecot/conf.d/10-ssl.conf instead and restart Dovecot:

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

Caveat: in OpenSSL 1.0.x the SSLv3 cipher-string alias also covers the suites that TLS 1.0 and 1.1 use, so !SSLv3 in a cipher list leaves only TLS 1.2 suites and will lock out older TLS clients as well as SSL 3.0 ones.

Courier-imap
————-
For Ubuntu 12.04, edit /etc/courier/imapd-ssl:

IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

HAProxy Server
—————-
Edit the bind line in /etc/haproxy/haproxy.cfg and add no-sslv3 (the certificate path and cipher list below are placeholders):

bind :443 ssl crt <certificate.pem> ciphers <cipher list> no-sslv3

With HAProxy 1.5 releases that support it, ssl-default-bind-options no-sslv3 in the global section applies this to every SSL bind line at once.

Nginx
—–
Modify the ssl_protocols directive to use only TLSv1, TLSv1.1 and TLSv1.2. If there is no ssl_protocols directive, add it to the http or server block of the configuration; nginx releases before 1.9.1 include SSLv3 in the default.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

389 Directory Server
——————–
Modify cn=encryption,cn=config and restart the server:

ldapmodify -x -D "cn=Directory Manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
EOF
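The per-server directives above are easy to get wrong across a fleet: a forgotten vhost, a Postfix parameter that only covers mandatory TLS, a lighttpd flag left at enable. As an added example, not code from this page or from any of the projects listed, here is a Python linter that parses protocol directives in the styles shown above (Apache SSLProtocol, nginx and Dovecot ssl_protocols, the Postfix smtp/smtpd protocol parameters, lighttpd ssl.use-sslv3) and reports any that still leave SSLv3 enabled. The sample fragments are constructed; version quirks such as httpd 2.2.22 treating TLSv1 as all TLS versions, and the Tomcat, Courier, sendmail, HAProxy and 389 DS syntaxes, are not modelled.

```python
"""Lint server configs for protocol directives that still allow SSLv3.

Covers the directive styles shown above: Apache mod_ssl (SSLProtocol with
all / +X / -X tokens), nginx and Dovecot 2.1+ (ssl_protocols), Postfix
(smtp[d]_tls[_mandatory]_protocols) and lighttpd (ssl.use-sslv3).
"""
import re

ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

LIST_DIRECTIVE = re.compile(
    r"^\s*(?P<name>SSLProtocol|ssl_protocols|smtpd?_tls(?:_mandatory)?_protocols)"
    r"\s*=?\s*(?P<value>[^;#]*?)\s*;?\s*(?:#.*)?$", re.IGNORECASE)
LIGHTTPD_FLAG = re.compile(
    r'^\s*ssl\.use-(?P<proto>sslv[23])\s*=\s*"(?P<state>enable|disable)"', re.IGNORECASE)


def _named(token):
    """Map one token to the protocol names it denotes ('all' expands to every one)."""
    if token.lower() == "all":
        return ALL
    return tuple(p for p in ALL if p.lower() == token.lower())


def apache_protocols(tokens):
    """Apache semantics: bare names select, +X adds, -X removes, applied in order."""
    enabled = set()
    for tok in tokens:
        if tok.startswith("-"):
            enabled.difference_update(_named(tok[1:]))
        else:
            enabled.update(_named(tok.lstrip("+")))
    return enabled


def list_protocols(tokens):
    """nginx/Postfix/Dovecot semantics: bare names are an allow-list, while a
    list made only of !X tokens excludes those from the full set."""
    if tokens and all(t.startswith("!") for t in tokens):
        excluded = {t[1:].lower() for t in tokens}
        return {p for p in ALL if p.lower() not in excluded}
    wanted = {t.lower() for t in tokens if not t.startswith("!")}
    return {p for p in ALL if p.lower() in wanted}


def scan(text):
    """Return (line number, directive, enabled protocols, SSLv3 allowed) per directive found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LIST_DIRECTIVE.match(line)
        if m:
            tokens = [t for t in re.split(r"[\s,]+", m.group("value")) if t]
            parse = apache_protocols if m.group("name").lower() == "sslprotocol" else list_protocols
            enabled = parse(tokens)
            findings.append((lineno, m.group("name"), enabled, "SSLv3" in enabled))
            continue
        m = LIGHTTPD_FLAG.match(line)
        if m:
            proto = "SSLv3" if m.group("proto").lower() == "sslv3" else "SSLv2"
            on = m.group("state").lower() == "enable"
            findings.append((lineno, "ssl.use-" + m.group("proto"), {proto} if on else set(),
                             on and proto == "SSLv3"))
    return findings


def allows_sslv3(text):
    """True if any protocol directive in the config leaves SSLv3 enabled."""
    return any(sslv3 for _, _, _, sslv3 in scan(text))


# Constructed fragments, not taken from any real deployment.
SAMPLES = {
    "apache-weak": "SSLEngine on\nSSLProtocol all -SSLv2\n",
    "apache-fixed": "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n",
    "nginx": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n",
    "dovecot": "ssl_protocols = !SSLv2 !SSLv3\n",
    # mandatory TLS is fixed here, but opportunistic TLS still offers SSLv3
    "postfix": "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\nsmtpd_tls_protocols = !SSLv2\n",
    "lighttpd": 'ssl.use-sslv2 = "disable"\nssl.use-sslv3 = "enable"\n',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        for lineno, name, enabled, sslv3 in scan(text):
            print("%-13s line %d %-30s %s" % (label, lineno, name, "SSLv3 ALLOWED" if sslv3 else "ok"))
```

Feed it each file's contents (or the output of apachectl -S style dumps, one vhost at a time) and treat any True in the last column as a finding; the postfix sample shows why all the protocol parameters of a daemon have to be checked, not just the one named in a how-to.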

Browser settings
—————————-
Chrome:
Right-click the Chrome shortcut, open Properties and append --ssl-version-min=tls1 to the Target field after “C:\Program Files\Google\Chrome\Application\chrome.exe”. The switch only applies when Chrome is started from that shortcut.

IE:
Click Settings, then Internet Options; on the Advanced tab, in the Security section, uncheck “Use SSL 3.0” and check the TLS versions.

Firefox:
Download and install the SSL Version Control 0.2 add-on from
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Alternatively, set security.tls.version.min = 1 in about:config.

Safari:
Apple has released Security Update 2014-005, which disables CBC-mode cipher suites in SSL 3.0.

Mac OS X Mavericks: http://support.apple.com/kb/DL1772
Mac OS X Mountain Lion: http://support.apple.com/kb/DL1771
Mac OS X Yosemite: https://support.apple.com/kb/HT6535

Hardware providers
==================
F5 Networks
———–
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

A10 Networks
————
https://www.a10networks.com/vadc/index.php/cve-2014-3566-from-beast-to-poodle-or-dancing-with-beast/

Cisco
—————
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Poodle_10152014.html

Juniper Networks
—————–
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656&actp=RSS

Note: POODLE attack against TLS
A new variant of the original POODLE attack was announced on December 8, 2014. It exploits implementation flaws in the CBC-mode cipher handling of some TLS 1.0 to 1.2 stacks. Although the TLS specifications require receivers to check the padding bytes, some implementations fail to validate them properly, which leaves those servers vulnerable to POODLE even with SSL 3.0 disabled. SSL Pulse showed that about 10% of servers were vulnerable to the POODLE attack against TLS at the time the vulnerability was announced. The CVE ID for F5 Networks’ implementation bug is CVE-2014-8730. The entry in NIST’s NVD states that this CVE ID is to be used only for F5 Networks’ TLS implementation, and that other vendors whose products have the same padding-validation failure, such as A10 Networks and Cisco Systems, need to issue their own CVE IDs, because this is a flaw in the implementations rather than in the protocol itself.

The POODLE attack against TLS is easier to mount than the original attack against SSL 3.0: there is no need to downgrade the client to SSL 3.0, so fewer conditions have to hold in a real-world scenario. Disabling SSL 3.0 does not help against this variant; the fix is a patched TLS implementation from the affected vendor.
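To make the two descriptions concrete (the original attack against SSL 3.0 padding, and the TLS variant that hits implementations which skip the padding-byte check), here is an added Python simulation; it is not code from the POODLE paper or from any vendor. A 4-round Feistel network keyed with SHA-256 stands in for the block cipher and HMAC-SHA1 for the SSL 3.0 MAC, both labelled as such in the code; the request, key and cookie value are constructed. ssl3_accepts validates only the padding-length byte, tls_accepts validates every padding byte, and poodle_recover_byte plays the attacker who has the victim resend a block-aligned request and swaps the final ciphertext block for a target block.

```python
"""POODLE padding oracle, simulated end to end with both receiver behaviours.

SSL 3.0 CBC records are MAC-then-pad-then-encrypt and the receiver checks only the
final padding-length byte. Copying a chosen ciphertext block over the final
(all-padding) block is accepted exactly when its decrypted last byte equals BLOCK-1,
which leaks one plaintext byte per ~256 requests. TLS mandates checking every padding
byte; a TLS stack that skips that check behaves like ssl3_accepts below.
"""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 128-bit block cipher: 4-round Feistel network with a SHA-256 round
# function. Not AES; it only lets the CBC/padding logic run on the standard
# library. The attack does not depend on the cipher.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()  # HMAC-SHA1 stands in for the SSL 3.0 MAC

def encrypt_record(key, iv, data):
    """data || MAC || padding; TLS-style padding bytes so both receivers accept it."""
    pad_len = (BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK) % BLOCK
    return cbc_encrypt(key, iv, data + _mac(key, data) + bytes([pad_len]) * (pad_len + 1))

def _decrypt_and_check(key, iv, record, check_padding_bytes):
    pt = cbc_decrypt(key, iv, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return False
    if check_padding_bytes and any(b != pad_len for b in pt[-(pad_len + 1):]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], _mac(key, body[:-MAC_LEN]))

def ssl3_accepts(key, iv, record):
    """SSL 3.0 receiver: validates only the length byte, then the MAC."""
    return _decrypt_and_check(key, iv, record, check_padding_bytes=False)

def tls_accepts(key, iv, record):
    """TLS receiver: every padding byte must equal the length byte."""
    return _decrypt_and_check(key, iv, record, check_padding_bytes=True)

def poodle_recover_byte(key, data, target_block, accepts=ssl3_accepts, max_tries=20000):
    """Recover the last byte of plaintext block `target_block` (0-based).

    Each try models one victim request under a fresh IV; the attacker swaps the
    final ciphertext block for the target block and watches whether the
    receiver accepts. Returns (byte, tries) or None if the oracle never fires.
    """
    assert (len(data) + MAC_LEN) % BLOCK == 0, "shape the request so the padding fills a whole block"
    for tries in range(1, max_tries + 1):
        iv = os.urandom(BLOCK)
        ct = encrypt_record(key, iv, data)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]  # blocks[0] is the IV
        forged = b"".join(blocks[1:-1]) + blocks[target_block + 1]
        if accepts(key, iv, forged):
            # D(C_t) XOR C_{n-1} ended in BLOCK-1, so P_t[-1] = (BLOCK-1) XOR C_{t-1}[-1] XOR C_{n-1}[-1]
            return (BLOCK - 1) ^ blocks[target_block][-1] ^ blocks[-2][-1], tries
    return None

# Constructed request: 44 bytes, so data + 20-byte MAC fill exactly four blocks and
# the cookie byte 'f' sits at the end of plaintext block 1.
DATA = b"GET / HTTP/1.1\r\nCookie: sid=7c1f9e2b4a6d3e\r\n"
KEY = b"constructed key!"
```

poodle_recover_byte(KEY, DATA, 1) returns the cookie byte 'f' (0x66) together with the number of requests it took, about 256 on average; with accepts=tls_accepts it returns None, because a full block of valid padding never appears by chance. A TLS stack that behaves like check_padding_bytes=False is exactly the CVE-2014-8730 class of bug described in the note above, which is why patching SSL 3.0 away does not close it.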

Spacewalk - Open Source Systems Management

Spacewalk is open source systems management software developed by Red Hat. It is the upstream project from which Red Hat Satellite 5 was built and was open sourced in 2008. Spacewalk includes the web interface and back end as well as the Red Hat Proxy Server and associated client software of Satellite, and makes them available to users and developers under a free and open source software (FOSS) license.

Spacewalk lets you:

Inventory your systems (hardware and software information)
Install and update software on your systems
Collect and distribute your custom software packages into manageable groups
Provision (kickstart) your systems
Manage and deploy configuration files to your systems
Monitor your systems
Provision virtual guests
Start/stop/configure virtual guests
Distribute content across multiple geographical sites in an efficient manner

Read more about the differences between Spacewalk and Red Hat Satellite:
http://spacewalk.redhat.com/faq.html#compare

Installation
Prerequisites
Outbound open ports 80, 443, 4545 (only if you want to enable monitoring)
Inbound open ports 80, 443, 5222 (only if you want to push actions to client machines) and 5269 (only for push actions to a Spacewalk Proxy), 69/udp if you want to use tftp
Storage for database: 250 KiB per client system + 500 KiB per channel + 230 KiB per package in channel (i.e. 1.1 GiB for a channel with 5000 packages)
Storage for packages (default /var/satellite): depends on what you are storing; Red Hat recommends 6 GB per channel for their channels
2 GB RAM minimum, 4 GB recommended
Make sure your operating system is fully up to date.
If you use LDAP as a central identity service and wish to pull user and group information from it.
In the following steps we assume you have a default, vanilla installation of your operating system, without any customized setup of yum repositories, user management, security, etc.

Setting up the Spacewalk repo - CentOS 5
rpm -Uvh http://yum.spacewalkproject.org/2.0/RHEL/5/x86_64/spacewalk-repo-2.0-3.el5.noarch.rpm

Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater; on CentOS 5 enable EPEL to satisfy this and other dependencies:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

Follow the instructions to use EPEL 5 with the following additions:

The packages rhn-client-tools and rhnlib were removed from CentOS; they can be found in the spacewalk-client repo. Set it up by installing the spacewalk-client-repo package:
rpm -ihv http://yum.spacewalkproject.org/2.0-client/RHEL/5/x86_64/spacewalk-client-repo-2.0-3.el5.noarch.rpm
Import Red Hat’s RPM GPG key (the download is over plain HTTP, so compare the key’s fingerprint with the one Red Hat publishes before relying on it):
# wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release http://www.redhat.com/security/37017186.txt
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

PostgreSQL server, set up by Spacewalk (embedded)
You can let Spacewalk setup the PostgreSQL server on your machine without any manual intervention. Run:

yum install spacewalk-setup-postgresql
and skip to the section Installing Spacewalk.

Installing Spacewalk
yum install spacewalk-postgresql

Configuring Spacewalk
Your Spacewalk server should have a resolvable FQDN such as hostname.domain.com. If the installer complains that the hostname is not the FQDN, fix the hostname instead of bypassing the check with the --skip-fqdn-test flag.

The setup requires that the database account has a password.
Note: Please don’t use ‘#’ (number sign/pound/hash) and ‘@’ in your database password otherwise installation will fail.

Once the Spacewalk RPM is installed you need to configure the application.

If you have installed spacewalk-setup-postgresql, run

spacewalk-setup --disconnected

For PostgreSQL, the spacewalk-setup answers look like this (example values; change ssl-password and db-password before use):
admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = My Country
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=host
db-port=5432
enable-tftp=Y

Managing Spacewalk
/usr/sbin/spacewalk-service [stop|start|restart]

Configuring the firewall
Spacewalk needs various inbound ports to be reachable. Use system-config-firewall or edit /etc/sysconfig/iptables, adding the ports needed: 80 and 443. On systems with firewalld use firewall-cmd --add-service=http ; firewall-cmd --add-service=https (add --permanent and run firewall-cmd --reload as well, otherwise the rules are lost on restart). Add port 5222 if you want to push actions to client machines, 5269 for push actions to a Spacewalk Proxy, and 69/udp if you want to use tftp.

Spacewalk Proxy Installation

Prerequisites
Around 6GB storage per distribution under /var/spool/squid (or wherever you want your Squid cache to be)
Outbound open ports 80, 443, 4545 (only if you want to enable monitoring) and 5269
Inbound open ports 80, 443 and 5222
An upstream RHN Satellite server with an available Proxy entitlement or a Spacewalk server
Machine where you will install Spacewalk Proxy must be registered against Spacewalk Server, which you will proxy.
A provisioning entitlement for the Proxy server
Enable EPEL yum repository

Installation
Ensure your machine is registered in Spacewalk and has a provisioning entitlement. Then just ask yum to install the application:

yum install spacewalk-proxy-selinux spacewalk-proxy-installer

If this is the first time installing an RPM from the Spacewalk repo, yum will prompt you to install the GPG key:

Importing GPG key 0x863A853D “Spacewalk <spacewalk-devel@redhat.com>” from http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2012
Is this ok [y/N]: y
Then you need to configure the proxy. Run:

configure-proxy.sh

Automated Installation
The configure-proxy.sh install script supports an answer file so you can pre-answer the questions. For the full list of variables see man configure-proxy.sh.

configure-proxy.sh --answer-file=proxyanswers.txt
proxyanswers.txt:

VERSION=”1.9″
RHN_PARENT=”spacewalk.example.com”
TRACEBACK_EMAIL=”admin@example.com”
USE_SSL=”Y”
CA_CHAIN=”/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT”
HTTP_PROXY=
SSL_ORG=”Example Org”
SSL_ORGUNIT=”proxy1.example.com”
SSL_COMMON=”proxy1.example.com”
SSL_CITY=”My City”
SSL_STATE=”My State”
SSL_COUNTRY=”My Country”
SSL_EMAIL=”admin@example.com”
INSTALL_MONITORING=”n”
POPULATE_CONFIG_CHANNEL=”n”

Reference

https://fedorahosted.org/spacewalk/wiki/HowToInstall
https://fedorahosted.org/spacewalk/

PAL v2 (Performance Analysis of Logs) Tool

PAL v2.0 is an easy-to-use tool which simplifies the analysis of Microsoft Performance Monitor logs (.blg | .csv). It generates an HTML report containing graphical charts and alerts for the performance counters, using known thresholds.
Usage
Launch PAL from the Start Programs menu or run the PAL.ps1 script from PowerShell.
Installation
Tested on Windows 7 and Windows 8, but should work on Windows Server 2008 R2 and Windows Server 2012. Not recommended or tested on Windows XP and Windows Server 2003, since those operating systems cannot open counter logs captured on Windows Vista, Windows Server 2008 and later.

Run the PAL setup MSI file that ships in the zip file at http://pal.codeplex.com.

Required Products (free and public):

Microsoft .NET Framework 3.5 Service Pack 1 (already on Windows 7 and Windows 8) (full package – no internet access required) http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe

Microsoft Chart Controls for Microsoft .NET Framework 3.5 http://www.microsoft.com/downloads/details.aspx?FamilyID=130f7986-bf49-4fe5-9ca8-910ae6ea442c&DisplayLang=en

PowerShell v2.0 (Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)) (already on Windows 7 and Windows 8) http://support.microsoft.com/kb/968929

Warning: The PAL installer (MSI) sets the PowerShell execution policy to Unrestricted so that the PAL scripts can run. This allows any PowerShell script to execute, not just PAL; after installation consider restoring a stricter policy such as RemoteSigned with Set-ExecutionPolicy.

Globalization Known Issue: PAL has only been tested using an English-US locale. If you have problems using PAL v2.x, then try again using an English-US locale. This is an open source and voluntary project, so any assistance with globalization and localization is appreciated.

Big thank you to the Microsoft Premier Field Engineering (PFE) organization for the great support and feedback!

v2.4.0

Threshold file update: Logical Disk Overwhelmed and Physical Memory Overwhelmed updated to use Avg. Disk Queue Length instead of % Idle Time to determine if the disk queue is busy when checking the other counters.
HTML report update: Changed Alerts to separate criticals and warnings with color.
Processing update: The file name of the counter log and the number of running threads now show in the progress bar during analysis.
Multi-threaded hang condition: When using more than one thread for analysis, the tool might hang. This has been fixed.
Threshold file update: Updated the System Overview threshold file. The Process Processor analyses now have thresholds associated with overall system processor time.
Threshold file update: In the Quick System Overview threshold file, I rewrote the Pool Paged and Pool Nonpaged analyses. Previously they assumed Windows Server 2003. Now, it includes all Microsoft Windows and Windows Server operating systems from Windows XP/Windows Server 2003 and later.
Question variables changed: Number of Processors was removed from Quick System Overview, but other threshold files might still need it – analyses that used this variable now use the \Processor(*)\% Processor Time counter instances. “OS” added to identify the architecture and operating system of the computer in the counter log. “UserVa” added to know what the /USERVA boot.ini switch value was or what the IncreaseUserVa value is on Windows Vista and Windows Server 2008 and later.
Bug fix: Low priority processing now works on all child threads (sessions).

v2.3.6

Bug fix: When using more than one thread, PAL will go into an infinite loop (hang) if one or more analyses are disabled in one or more of the threshold files being processed. Fixed.
Threshold file update: Added Disk Overwhelmed analysis to the Quick System Overview threshold file.
Chart layout changes: To better accommodate copying and pasting into Microsoft Word, the legend has been moved to the bottom of the chart and the chart width has changed to 620 pixels. Frank Balaguer (Microsoft PFE) inspired the changes. Also, the chart title’s font has been increased from 8 to 12 to be in better proportion to the chart.
SQL Server 2008 R2 threshold file update: David Pless has provided an update to the Microsoft SQL Server 2008 R2 threshold file.

Adobe Vulnerabilities

Adobe has released security updates for Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335 and earlier versions for Linux. These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
Adobe Security Bulletins
————————-
http://helpx.adobe.com/in/security.html
http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

System File Checker

System File Checker is a Microsoft utility that scans Windows system files and restores corrupted ones (available from Windows 98 onwards). On current Windows versions the results are written to %windir%\Logs\CBS\CBS.log, where the relevant entries are tagged [SR].

Open an elevated command prompt

sfc /scannow

System File Checker tool in Windows 98
—————————————
Click Start, point to Programs, point to Accessories, point to System Tools, click System Information, and then click System File Checker on the Tools menu.
Click one of the following options:
Scan For Altered Files
Extract One File From Installation Disk

Click Settings, choose the configuration you want to use in System File Checker Settings, click OK, and then click Start.

Active Directory commands

To open Users and Computers(MMC-Active Directory Users and Computers)
———————————————————————-
Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.

Active Directory Users and Computers focused on domain1/server1
dsa.msc /domain=domain1 or dsa.msc /server=server1.domain1

To Open Sites and Services(MMC-Active Directory Sites and Services)
——————————————————————–
Active Directory Sites and Services focused on server1
dssite.msc /server=server1.domain1

To open Domains and Trusts(MMC-Active Directory Domains and Trusts)
——————————————————————-
Active Directory Domains and Trusts focused on server1
domain.msc /server=server1.domain1

Note: Do not use both a /domain and /server command-line option at the same time.
