Monthly Archives: December 2014
The document linked below shows how to set up Java environments on various operating systems and how to edit Java Control Panel features and proxy settings.
The link below describes a few Linux tools that show directory or file system sizes in a GUI.
Read the earlier post for Windows directory size analyzer tools.
Grinch could affect all Linux systems (it is believed not to be as severe as the Bash Shellshock bug), including web servers and mobile devices. The security hole is actually a common configuration issue related to Polkit, a relatively new component used for controlling system-wide privileges on Unix-like operating systems.
Unlike Sudo, which enables system administrators to give certain users the ability to run commands as root or another user, Polkit allows a finer level of control by delimiting distinct actions and users, and defining how the users can perform those actions.
Privilege escalation can be achieved through “wheel,” a special user group with administrative privileges. On Linux systems, the default user is automatically assigned to this group.
Read the blog post by Stephen Coty, chief security evangelist at Alert Logic, here: https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/.
“The problem pointed out by Alert Logic is twofold. First of all, the default Polkit configuration on many Unix systems (e.g. Ubuntu), does not require authentication. Secondly, the Polkit configuration essentially just maps the ‘wheels’ group, which is commonly used for Sudo users, to the Polkit ‘Admin’. This gives users in the ‘wheel’ group access to administrative functions, like installing packages, without having to enter a password,” explained Johannes Ullrich of the SANS Internet Storm Center.
Alert Logic has pointed out that the flaw mostly affects home users, but the company believes an attack could also work in a corporate environment where many users are assigned to the “wheel” group for one reason or another.
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Library General Public License.
Fedora was the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora, have already switched to the rewritten polkit.
The Network Service account is a special built-in account with the privileges of a limited (authenticated) user account. A service that runs as the Network Service account accesses network resources using the credentials of the computer account.
Local System, by contrast, is a special built-in account that is the most privileged (authenticated) account on the system; Local System also acts as the machine account on the network.
Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this SSL (Secure Sockets Layer) vulnerability in September 2014. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack is not as serious as the Heartbleed and Shellshock attacks. On December 8, 2014, a variation of the POODLE vulnerability that impacted TLS was announced.
The CVE IDs (CVE-2014-3566 and CVE-2014-8730) are associated with the original POODLE attack and with F5 Networks’ faulty implementation of TLS that allows
There is currently no fix for the vulnerability in SSL 3.0. To mitigate the POODLE attack, completely disable SSL 3.0 on both the server and the client side. But some old clients and servers do not support TLS 1.0 and above. Thus, where such clients must still be served, both browser and server should implement TLS_FALLBACK_SCSV.
Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV. Chrome 39 already supports TLS_FALLBACK_SCSV.
Mozilla has disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and will add support for TLS_FALLBACK_SCSV in Firefox 35.
Microsoft announced a plan to disable SSL 3.0 by default in its products and services, and a fix to disable SSL 3.0 in Internet Explorer and Windows
Apple’s Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against POODLE by removing support for all CBC-mode ciphers in SSL 3.0.
Service provider status
OpenSSL has added support for TLS_FALLBACK_SCSV to its latest versions and recommends the following upgrades:
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
Both clients and servers need to support TLS_FALLBACK_SCSV to prevent
Akamai, a popular CDN, has accelerated its deprecation of SSL 3.0.
CloudFlare has disabled SSL 3.0 support by default for all customers.
Twitter and Wikimedia have dropped support of SSL 3.0 to prevent the POODLE
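The downgrade-and-retry behaviour that TLS_FALLBACK_SCSV addresses, and the point made above that both the client and the server must support it, can be seen in the following simulation. This is an added example written in Python for this page, not code from the post or from any of the vendors named. It models the handshake as plain dictionaries (no real TLS is involved), uses the signalling suite value 0x5600 and the inappropriate_fallback alert (86) defined in RFC 7507, and models on-path interference as a simple version ceiling above which no handshake completes.

```python
# TLS/SSL version numbers as carried in the ClientHello (major, minor)
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value, RFC 7507
PROTOCOL_VERSION = 70            # alert: server does not speak the offered version
INAPPROPRIATE_FALLBACK = 86      # alert introduced by RFC 7507
FILLER_SUITE = 0x002F            # TLS_RSA_WITH_AES_128_CBC_SHA, just to make the list non-empty


class Client:
    """A browser-like client that retries the handshake with a lower version
    when the previous attempt failed (the retry loop that POODLE abuses)."""

    def __init__(self, versions, supports_scsv):
        self.versions = sorted(versions)
        self.supports_scsv = supports_scsv

    def hello(self, version):
        suites = [FILLER_SUITE]
        # RFC 7507: add the SCSV only when offering less than our best version,
        # i.e. only on a retry after a failed higher-version attempt.
        if self.supports_scsv and version < max(self.versions):
            suites.append(TLS_FALLBACK_SCSV)
        return {"type": "ClientHello", "version": version, "cipher_suites": suites}


class Server:
    """A version-intolerant server (simplified model): it rejects versions it
    does not list instead of negotiating down, which is why browsers retry."""

    def __init__(self, versions, supports_scsv):
        self.versions = sorted(versions)
        self.supports_scsv = supports_scsv

    def handle(self, hello):
        version = hello["version"]
        if version not in self.versions:
            return {"type": "Alert", "description": PROTOCOL_VERSION}
        # RFC 7507 server rule: SCSV present and we could do better -> refuse.
        if (self.supports_scsv
                and TLS_FALLBACK_SCSV in hello["cipher_suites"]
                and version < max(self.versions)):
            return {"type": "Alert", "description": INAPPROPRIATE_FALLBACK}
        return {"type": "ServerHello", "version": version}


def negotiate(client, server, interferer_ceiling=None):
    """Drive the retry loop. `interferer_ceiling` models an on-path party that
    makes every handshake above that version fail, pushing the client down.
    Returns ("connected", version), ("aborted", alert) or ("failed", None)."""
    for version in reversed(client.versions):
        if interferer_ceiling is not None and version > interferer_ceiling:
            continue  # handshake never completes; client retries one version lower
        reply = server.handle(client.hello(version))
        if reply["type"] == "ServerHello":
            return ("connected", reply["version"])
        if reply["description"] == INAPPROPRIATE_FALLBACK:
            return ("aborted", "inappropriate_fallback")
        # protocol_version alert: try the next lower version
    return ("failed", None)


ALL = [SSL3, TLS10, TLS11, TLS12]


def scenarios():
    """Constructed scenarios; where present, the interferer caps the handshake at SSL 3.0."""
    return {
        "no_scsv": negotiate(Client(ALL, False), Server(ALL, False), SSL3),
        "client_only": negotiate(Client(ALL, True), Server(ALL, False), SSL3),
        "server_only": negotiate(Client(ALL, False), Server(ALL, True), SSL3),
        "both": negotiate(Client(ALL, True), Server(ALL, True), SSL3),
        "both_no_interferer": negotiate(Client(ALL, True), Server(ALL, True)),
        "both_old_server": negotiate(Client(ALL, True), Server([SSL3, TLS10], True)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

Running the script prints the six outcomes: only when both sides implement the SCSV does the forced downgrade end in an inappropriate_fallback alert instead of an SSL 3.0 session, while a client talking to a server whose best version genuinely is TLS 1.0 still connects, because the server only refuses a fallback below its own maximum.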
How to check your server & client
Web site test
Resolutions for Server and Clients
Disable in Microsoft Server
Disabling SSL via the Microsoft OS registry
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
Type 00000000 in the Binary Editor to set the value of the new key equal to “0”.
CVE-2014-3566 – KB3009008
How to disable SSLv3 in Apache?
Include “SSLProtocol all -SSLv2 -SSLv3” within every VirtualHost in httpd.conf (version 2.2.23):
SSLProtocol all -SSLv2 -SSLv3
Note: if there is a separate SSL configuration file, as on Ubuntu 10.04, add the same line there:
SSLProtocol all -SSLv2 -SSLv3
For httpd version 2.2.22 and older, specify only TLSv1. This is treated as a wildcard for all TLS versions.
For Apache + mod_nss, edit /etc/httpd/conf.d/nss.conf to allow only TLS 1.0+.
Apache Tomcat Web server
Configured via $TOMCAT_HOME/conf/server.xml
SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
For Lighttpd 1.4.28+, edit /etc/lighttpd/lighttpd.conf
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
Modify the smtpd_tls_mandatory_protocols configuration line.
Modify the LOCAL_CONFIG section of the sendmail.mc file.
For Dovecot 2.1+, edit /etc/dovecot/local.conf to add the line below and then restart Dovecot.
ssl_protocols = !SSLv2 !SSLv3
For Dovecot 2, edit /etc/dovecot/conf.d/10-ssl.conf to add the line below and then restart Dovecot.
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
For Ubuntu 12.04, edit /etc/courier/imapd-ssl.
Edit the bind line in your /etc/haproxy.cfg file.
bind :443 ssl crt ciphers no-sslv3
Modify the ssl_protocols directive to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have an ssl_protocols directive, add it to the top of your
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
389 Directory Server
Modify cn=encryption,cn=config and restart the server.
ldapmodify -x -D “cn=Directory Manager” -W <<EOF
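The directives in the sections above can be checked mechanically before and after a change. The following Python script is an added example written for this page (it is not part of the post or of any of the projects named): it resolves the Apache SSLProtocol syntax and the nginx, lighttpd and Dovecot equivalents, and reports which of a set of constructed sample configurations still permit SSL 3.0. It assumes the 2014-era defaults when a directive is absent: Apache's SSLProtocol defaults to all, nginx's ssl_protocols included SSLv3, lighttpd's ssl.use-sslv3 defaulted to enable, and Dovecot's ssl_protocols defaulted to !SSLv2.

```python
import re

# Protocols that Apache's "all" keyword expands to (mod_ssl 2.2 with OpenSSL
# 1.0.1; older builds lack TLS 1.1/1.2, which does not affect the SSLv3 check).
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL}   # case-insensitive keyword lookup


def _directive(text, name, sep=r"\s+"):
    """Value of the last uncommented occurrence of `name`, or None if absent.
    `sep` is what separates the name from its value ("=" for lighttpd/Dovecot)."""
    pat = re.compile(r"^\s*" + re.escape(name) + sep + r"(.+?)\s*;?\s*$", re.IGNORECASE)
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pat.match(line)
        if m:
            value = m.group(1)
    return value


def apache_allowed(value):
    """Resolve an Apache SSLProtocol value such as 'all -SSLv2 -SSLv3' into the
    set of protocols it enables: '+' adds, '-' removes, a bare name adds."""
    allowed = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if op == "+":
            allowed |= names
        else:
            allowed -= names
    return allowed


def sslv3_allowed(server, text):
    """True if this config (for the given server type) still permits SSL 3.0."""
    if server == "apache":
        v = _directive(text, "SSLProtocol")
        return True if v is None else "SSLv3" in apache_allowed(v)   # default: all
    if server == "nginx":
        v = _directive(text, "ssl_protocols")
        return True if v is None else "SSLv3" in v.split()           # default included SSLv3
    if server == "lighttpd":
        v = _directive(text, "ssl.use-sslv3", sep=r"\s*=\s*")
        return True if v is None else v.strip('"') != "disable"      # default: enable
    if server == "dovecot":
        v = _directive(text, "ssl_protocols", sep=r"\s*=\s*")
        return True if v is None else "!SSLv3" not in v.split()      # default: !SSLv2
    raise ValueError("unknown server type: " + server)


# Constructed sample configurations (not taken from any real host).
SAMPLE_CONFIGS = {
    "apache_bad":    ("apache",   "SSLEngine on\nSSLProtocol all -SSLv2\n"),
    "apache_good":   ("apache",   "SSLEngine on\n  SSLProtocol all -SSLv2 -SSLv3\n"),
    "nginx_missing": ("nginx",    "server {\n  listen 443 ssl;\n}\n"),
    "nginx_good":    ("nginx",    "server {\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    "lighttpd_good": ("lighttpd", 'ssl.engine = "enable"\nssl.use-sslv3 = "disable"\n'),
    "dovecot_good":  ("dovecot",  "ssl = yes\nssl_protocols = !SSLv2 !SSLv3\n"),
}


def audit(configs=SAMPLE_CONFIGS):
    """Names of the configurations that still allow SSL 3.0, sorted."""
    return sorted(name for name, (kind, text) in configs.items() if sslv3_allowed(kind, text))


if __name__ == "__main__":
    for name in audit():
        print("SSLv3 still enabled:", name)
```

To use it on real files, read each file into the dictionary with its server type; the Apache resolver follows the directive's own left-to-right add/remove semantics, so "all -SSLv2" is correctly reported as still allowing SSL 3.0.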
Browser settings
Right-click the Chrome shortcut, go to Properties, and at the end of the Target field “C:\Program Files\Google\Chrome\Application\chrome.exe” add --ssl-version-min=tls1
Click Settings, then Internet Options, then the Advanced tab; in the Security section, uncheck SSL and check TLS.
Download and install the SSL Version Control 0.2 add-on from
Alternatively, you can set the value security.tls.version.min = 1 in the
Apple has released Security Update 2014-005, which disables CBC-mode ciphers in combination with SSLv3.
Note: POODLE attack against TLS
A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws in CBC-mode ciphers in the TLS 1.0 to 1.2 protocols. Even though the TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0. SSL Pulse showed that “about 10% of the servers are vulnerable to the POODLE attack against TLS” before this vulnerability was announced. The CVE ID for F5 Networks’ implementation bug is CVE-2014-8730. The entry in NIST’s NVD states that this CVE ID is to be used only for F5 Networks’ implementation of TLS, and that other vendors whose products have the same failure to validate the padding, such as A10 Networks and Cisco Systems, need to issue their own CVE IDs for their implementation errors, because this is not a flaw in the protocol itself but a flaw in the protocol’s implementation.
The POODLE attack against TLS was found to be easier to initiate than the initial POODLE attack against SSL. There is no need to downgrade clients to SSL 3.0, so fewer real-world conditions have to hold for the attack to be practical.
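The padding check that separates a correct TLS implementation from the faulty ones described above is small enough to show in full. The following is an added Python example written for this page (not code from the post or from any vendor named): the TLS 1.0 to 1.2 rule from RFC 5246 section 6.2.3.2 next to the weaker SSL 3.0 rule, applied to two constructed decrypted records. The 20-byte MAC is a placeholder; a real stack verifies the MAC after stripping the padding and must perform both checks without timing differences.

```python
BLOCK = 16  # AES block size in bytes


def tls_padding_ok(plaintext):
    """TLS 1.0-1.2 rule (RFC 5246, 6.2.3.2): the last byte is the padding
    length n, and all n+1 trailing bytes must equal n."""
    if not plaintext:
        return False
    n = plaintext[-1]
    if n + 1 > len(plaintext):
        return False
    return all(b == n for b in plaintext[-(n + 1):])


def sslv3_padding_ok(plaintext):
    """SSL 3.0 rule: only the length byte is meaningful; the padding bytes
    are arbitrary. A TLS stack that applies this rule instead of the TLS one
    loses the protection the stricter check provides."""
    if not plaintext:
        return False
    n = plaintext[-1]
    return n < BLOCK and n + 1 <= len(plaintext)


def strip_padding(plaintext, strict=True):
    """Payload (content plus MAC) or None when the padding is rejected."""
    check = tls_padding_ok if strict else sslv3_padding_ok
    if not check(plaintext):
        return None
    return plaintext[:-(plaintext[-1] + 1)]


# Constructed decrypted records: content || 20-byte MAC placeholder || padding.
PAYLOAD = b"GET / HTTP/1.1\r\n" + b"M" * 20
GOOD = PAYLOAD + bytes([3]) * 4                      # pad length 3, all pad bytes 0x03
MANGLED = PAYLOAD + bytes([0x41, 0x42, 0x43, 3])     # pad length 3, pad bytes wrong


def demo():
    """(strict result on GOOD, strict result on MANGLED, lax result on MANGLED)."""
    return (strip_padding(GOOD), strip_padding(MANGLED), strip_padding(MANGLED, strict=False))


if __name__ == "__main__":
    print(demo())
```

The strict check rejects the record whose padding bytes do not match the length byte, while the SSL 3.0 rule accepts it; an implementation that behaves like the second function on TLS records is what the note above describes.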
Spacewalk is open source systems management software developed by Red Hat. It was formerly the upstream version of the Red Hat Satellite, which was open sourced in 2008. Spacewalk includes the web interface and back-end, as well as Red Hat Proxy Server and associated client software of Satellite and makes them available to users and developers under a free and open source software (FOSS) license.
Inventory your systems (hardware and software information)
Install and update software on your systems
Collect and distribute your custom software packages into manageable groups
Provision (kickstart) your systems
Manage and deploy configuration files to your systems
Monitor your systems
Provision virtual guests
Start/stop/configure virtual guests
Distribute content across multiple geographical sites in an efficient manner
Read more differences between Spacewalk and Red Hat Satellite.
Outbound open ports 80, 443, 4545 (only if you want to enable monitoring)
Inbound open ports 80, 443, 5222 (only if you want to push actions to client machines) and 5269 (only for push actions to a Spacewalk Proxy), 69 udp if you want to use tftp
Storage for database: 250 KiB per client system + 500 KiB per channel + 230 KiB per package in channel (i.e. 1.1GiB for channel with 5000 packages)
Storage for packages (default /var/satellite): Depends on what you’re storing; Red Hat recommends 6GB per channel for their channels
2GB RAM minimum, 4GB recommended
Make sure your underlying OS is up-to-date.
If you use LDAP as a central identity service and wish to pull user and group information from it.
Make sure your operating system is fully up-to-date.
In the following steps we assume you have a default, vanilla installation of your operating system, without any customized setup of yum repositories, user management, security, etc.
Setting up the Spacewalk repo - CentOS 5
rpm -Uvh http://yum.spacewalkproject.org/2.0/RHEL/5/x86_64/spacewalk-repo-2.0-3.el5.noarch.rpm
Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Follow the instructions to use EPEL 5 with these additions:
The necessary packages rhn-client-tools and rhnlib were removed from CentOS; they can be found in the spacewalk-client repo. Set it up by installing the spacewalk-client-repo package.
rpm -ihv http://yum.spacewalkproject.org/2.0-client/RHEL/5/x86_64/spacewalk-client-repo-2.0-3.el5.noarch.rpm
Import Red Hat’s RPM GPG key:
# wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release http://www.redhat.com/security/37017186.txt
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
PostgreSQL server, set up by Spacewalk (embedded)
You can let Spacewalk set up the PostgreSQL server on your machine without any manual intervention. Run:
yum install spacewalk-setup-postgresql
and skip to the section Installing Spacewalk.
yum install spacewalk-postgresql
Your Spacewalk server should have a resolvable FQDN such as ‘hostname.domain.com’. If the installer complains that the hostname is not the FQDN, do not use the --skip-fqdn-test flag to skip the check!
The setup requires that the database account has a password.
Note: Please don’t use ‘#’ (number sign/pound/hash) and ‘@’ in your database password otherwise installation will fail.
Once the Spacewalk RPM is installed you need to configure the application.
If you have installed spacewalk-setup-postgresql, run
admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = My Country
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
Configuring the firewall
Spacewalk needs various inbound ports to be connectible. Use system-config-firewall or edit /etc/sysconfig/iptables, adding the ports needed: 80 and 443. On systems with firewalld use firewall-cmd --add-service=http ; firewall-cmd --add-service=https. Add port 5222 if you want to push actions to client machines and 5269 for push actions to a Spacewalk Proxy, and 69 udp if you want to use tftp.
Spacewalk Proxy Installation
Around 6GB storage per distribution under /var/spool/squid (or wherever you want your Squid cache to be)
Outbound open ports 80, 443, 4545 (only if you want to enable monitoring) and 5269
Inbound open ports 80, 443 and 5222
An upstream RHN Satellite server with an available Proxy entitlement or a Spacewalk server
The machine where you will install Spacewalk Proxy must be registered against the Spacewalk Server that it will proxy.
A provisioning entitlement for the Proxy server
Enable EPEL yum repository
Ensure your machine is registered in Spacewalk and has a provisioning entitlement. Then just ask yum to install the application:
yum install spacewalk-proxy-selinux spacewalk-proxy-installer
If this is the first time installing an RPM from the Spacewalk repo, yum will prompt you to install the GPG key:
Importing GPG key 0x863A853D “Spacewalk <firstname.lastname@example.org>” from http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2012
Is this ok [y/N]: y
Then you need to configure the proxy. Run:
The configure-proxy.sh install script supports an answer file to allow you to preanswer the questions. For the full list of variables see “man configure-proxy.sh”.
PAL v2.0 is an easy to use tool which simplifies the analysis of Microsoft Performance Monitor Logs (.blg | .csv). It generates an HTML report containing graphical charts and alerts of the performance counters using known thresholds.
Launch PAL from the icon in your Start > Programs menu or run the PAL.ps1 script from PowerShell.
Tested on Windows 7 and Windows 8, but should work on Windows Server 2008 R2 and Windows Server 2012. Not recommended or tested on Windows XP and Windows Server 2003 since these operating systems cannot open counter logs captured on Windows Vista and Windows Server 2008 and later.
Run the PAL setup MSI file that ships in the zip file at http://pal.codeplex.com.
Required Products (free and public):
Microsoft .NET Framework 3.5 Service Pack 1 (already on Windows 7 and Windows 8) (full package – no internet access required) http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe
Microsoft Chart Controls for Microsoft .NET Framework 3.5 http://www.microsoft.com/downloads/details.aspx?FamilyID=130f7986-bf49-4fe5-9ca8-910ae6ea442c&DisplayLang=en
PowerShell v2.0 (Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)) (already on Windows 7 and Windows 8) http://support.microsoft.com/kb/968929
Warning: The PAL installer (MSI) will set the PowerShell execution policy to unrestricted. This will allow the execution of PowerShell scripts.
Globalization Known Issue: PAL has only been tested using an English-US locale. If you have problems using PAL v2.x, then try again using an English-US locale. This is an open source and voluntary project, so any assistance with globalization and localization is appreciated.
Big thank you to the Microsoft Premier Field Engineering (PFE) organization for the great support and feedback!
Threshold file update: Logical Disk Overwhelmed and Physical Memory Overwhelmed updated to use Avg. Disk Queue Length instead of % Idle Time to determine if the disk queue is busy when checking the other counters.
HTML report update: Changed Alerts to separate criticals and warnings with color.
Processing update: The file name of the counter log and the number of running threads now show in the progress bar during analysis.
Multi-threaded hang condition: When using more than one thread for analysis, the tool might hang. This has been fixed.
Threshold file update: Updated the System Overview threshold file. The Process Processor analyses now have thresholds associated with overall system processor time.
Threshold file update: In the Quick System Overview threshold file, I rewrote the Pool Paged and Pool Nonpaged analyses. Previously they assumed Windows Server 2003. Now, it includes all Microsoft Windows and Windows Server operating systems from Windows XP/Windows Server 2003 and later.
Question variables changed: Number of Processors was removed from Quick System Overview, but other threshold files might still need it – analyses that used this variable now use the \Processor(*)\% Processor Time counter instances. “OS” added to identify the architecture and operating system of the computer in the counter log. “UserVa” added to know what the /USERVA boot.ini switch value was or what the IncreaseUserVa value is on Windows Vista and Windows Server 2008 and later.
Bug fix: Low priority processing now works on all child threads (sessions).
Bug fix: When using more than one thread, PAL will go into an infinite loop (hang) if one or more analyses are disabled in one or more of the threshold files being processed. Fixed.
Threshold file update: Added Disk Overwhelmed analysis to the Quick System Overview threshold file.
Chart layout changes: To better accommodate copying and pasting into Microsoft Word, the legend has been moved to the bottom of the chart and the chart width has changed to 620 pixels. Frank Balaguer (Microsoft PFE) inspired the changes. Also, the chart title’s font has been increased from 8 to 12 to be in better proportion to the chart.
SQL Server 2008 R2 threshold file update: David Pless has provided an update to the Microsoft SQL Server 2008 R2 threshold file.
Adobe has released security updates for Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh and Adobe Flash Player 18.104.22.1685 and earlier versions for Linux. These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
Adobe Security Bulletins
System File Checker is a Microsoft utility to scan for and restore corruptions in Windows system files (available from Windows 98 onwards).
Open an elevated command prompt
System File Checker tool in Windows 98
Click Start, point to Programs, point to Accessories, point to System Tools, click System Information, and then click System File Checker on the Tools menu.
Click one of the following options:
Scan For Altered Files
Extract One File From Installation Disk
Click Settings, choose the configuration you want to use in System File Checker Settings, click OK, and then click Start.
To open Users and Computers (MMC - Active Directory Users and Computers)
Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
Active Directory Users and Computers focused on domain1/server1
dsa.msc /domain=domain1 or dsa.msc /server=server1.domain1
To open Sites and Services (MMC - Active Directory Sites and Services)
Active Directory Sites and Services focused on server1
To open Domains and Trusts (MMC - Active Directory Domains and Trusts)
Active Directory Domains and Trusts focused on server1
Note: Do not use both a /domain and /server command-line option at the same time.