Sunday Apr 06, 2008

Importing audit records into a database

I've checked up on how my friends are progressing with the AuditAnalyzer and they have gotten quite far!

I've played with some pre-alpha stuff off and on, and the main problem has been importing audit data into the database: it has been too slow. It has managed to import about 150 records/second, which may sound like a lot, but if you are like me and get audit trails from 300+ systems, it is not enough to keep up with the stream of inbound records.

Luckily they have worked on the import speed now, and have two possible solutions. One yields around 1500 records/second and the other a whopping 4500 records/second!

I can't wait until they have a new version available for me to try out :)


Monday Mar 31, 2008

The danger of growing too fast

Our esteemed director has pushed us too far for too long: he requires us to rack 'em and stack 'em all day long, and after the last spree of installing alpha hardware he got from engineering (the new 4-way, 16-core Rock based systems, code name lurad) for the www.sun.com cluster we now have such a big mess in our server room that I thought I'd share it with you:

Picture by: VespaGT

We have added 72 of these little monsters since the beginning of last week and haven't had time to clean up the cables, so now it is time to bring out the Dymo and start labeling...


Friday Mar 28, 2008

Consumer terrorism

I'm going to war!

Unfortunately I can't blog about why, when and how yet, as I'm taking legal action, but as soon as that is resolved I'll post it here.

Meanwhile, I'm looking for good info on consumer terrorism, like this book, and other ways to get back at the <beeeeeeeep> company that caused me considerable monetary damage and has wasted months of my time.

I've already registered a domain name where I'm going to push all information and documentation about this case, and I am thinking about typosquatting the company's site :)

Like my old boss said when I told him about it: Never pick on a pedantic security puke!

Friday Mar 07, 2008

Converting HFS from case sensitive to case insensitive

I've managed to solve the problem I was blogging about earlier.

I started out by forcing Time Machine to do a backup, and since I wasn't sure I'd succeed in restoring my data using it, I did a gtar backup of all user directories too.

Once the backups were done I booted the Leopard install DVD, started Disk Utility, and reformatted the disk as HFS+, journaled and case-insensitive. After that I started Time Machine and chose the restore option. It immediately reformatted my disk to match the backup, and that wasn't what I wanted.

So I reformatted the disk again and then chose to do an install from scratch. When the installation completed and the system rebooted, the migration assistant asked if I would like to migrate old data, and I picked the option to restore from the last Time Machine backup.

This time it didn't do anything with my file system and all files & settings were restored, and I could start the Photoshop CS3 installation and get it installed!

I don't know how it would have handled a conflict, i.e. restoring foo and Foo, since I had written a Perl script to make sure that I didn't have any conflicts.
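The check the Perl script mentioned above performs, written out here as an added example (this is not the post's script): walk the case-sensitive volume before the backup and list every directory that holds two entries whose names differ only by case, since those are exactly the pairs a case-insensitive HFS+ volume cannot hold. The sample tree it builds when run without an argument is constructed for the demo.

```python
"""Find names that would collide on a case-insensitive file system.

Added example; this is not the Perl script from the post. It walks a
directory tree and reports sibling entries whose names differ only by
case, i.e. the foo/Foo pairs that cannot coexist after the reformat.
Run it as  python case_conflicts.py /path  on the case-sensitive volume
before taking the backup. Without an argument it scans a constructed
sample tree.
"""
import os
import sys
import tempfile
from collections import defaultdict


def find_case_conflicts(root):
    """Return {directory: [[name, name, ...], ...]} for every directory
    under root holding two or more entries that compare equal once case
    is folded. str.casefold() approximates HFS+ case folding; it does not
    apply HFS+ Unicode normalization, so treat the result as a lower bound."""
    conflicts = {}
    for dirpath, dirnames, filenames in os.walk(root):
        groups = defaultdict(list)
        for name in dirnames + filenames:
            groups[name.casefold()].append(name)
        clashes = [sorted(v) for v in groups.values() if len(v) > 1]
        if clashes:
            conflicts[dirpath] = sorted(clashes)
    return conflicts


def build_sample_tree(base):
    """Constructed sample: foo/Foo clash at the top, Makefile/makefile in
    src/, and a clean/ directory. (On an already case-insensitive volume
    the pairs collapse into one file and nothing is reported.)"""
    for sub in ("src", "clean"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    for rel in ("foo", "Foo", "bar", "src/Makefile", "src/makefile",
                "clean/a", "clean/b"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(rel + "\n")
    return base


def demo():
    """Build the sample tree in a fresh temporary directory and scan it."""
    base = build_sample_tree(tempfile.mkdtemp())
    return base, find_case_conflicts(base)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root, found = sys.argv[1], find_case_conflicts(sys.argv[1])
    else:
        root, found = demo()
    for directory, groups in sorted(found.items()):
        for names in groups:
            print("%s: %s" % (directory, " <-> ".join(names)))
    sys.exit(1 if found else 0)
```

The exit status makes it usable as a gate in the backup script: a non-zero exit means the restore onto the case-insensitive volume would silently merge or drop files.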

Monday Mar 03, 2008

Insensitive file systems

cASe inSEnsITIvE file system - what an utterly stupid idea!

When I installed Leopard on my MacBook Pro it was a natural choice to make the file system case sensitive. Besides being a UNIX geek I had a legitimate reason for doing so:
you can't do

hg clone ssh://martin@hg.opensolaris.org/hg/audit/patches

as the OpenSolaris source code contains case insensitivity conflicts.

So what am I bitching about then? Yesterday I tried to install Adobe Photoshop CS3 on my wife's MacBook Pro (which I also installed with case sensitivity) and got this very unintuitive dialog:


This software cannot be installed because the file system of the OS volume is not supported

After scratching my head for a while, I figured out that it is due to the case sensitivity! Adobe hasn't bothered to fix their code, and it is not like it is a new feature in Mac OS X either... they have had several years to fix it.

Unfortunately there is no solution to this but to reformat the file system and make it case insensitive! To go from bad to worse I can't use Time Machine to do it, as it too doesn't support backing up a case sensitive file system and restoring it to a case insensitive one. It would just have to alert me if there is a conflict, and there isn't in my case, I've checked!

Luckily Mac OS X comes with all the UNIX tools we love and cherish, so I'll just use cpio or gtar to back up all my data and then nuke the / partition (while keeping my zpool)

Update: as suggested by zdz and Dick Davies I tried creating a disk image with a case insensitive HFS, but that didn't work either for the Photoshop installer. The hint is in the error message "OS volume is not supported". Back to the original plan of backup/reinstall/restore...

Wednesday Dec 05, 2007

Johann Lipowitz is back

Johann Lipowitz (David Armand) is back with two new hilarious mime acts:

Tuesday Nov 27, 2007

Trying out mirrored zfs root on Indiana

I've been playing around with project Indiana, and the new installer and packaging system, and they are really nice.

When you install, it turns the root disk into a zpool called zpl_slim, but it doesn't let you select two disks and mirror the zpool. Luckily you can fix this once the installation is done. When the system has booted, attach the second disk to the existing root device with the zpool attach command (attach, not add: zpool add would stripe the new disk into the pool instead of mirroring it). Two caveats: the pool is not redundant until the resilver has finished, and attach copies the data but not the boot loader, so to boot from the second disk you also have to install it there (installgrub on x86):

# zpool attach zpl_slim c7d0s0 c8d0s0
# zpool status
  pool: zpl_slim
 state: ONLINE
 scrub: resilver in progress, 11.75% done, 0h3m to go
config:

        NAME        STATE     READ WRITE CKSUM
        zpl_slim    ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c7d0s0  ONLINE       0     0     0
            c8d0s0  ONLINE       0     0     0

errors: No known data errors
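A small checker for the state shown above, as an added example that is not part of the post: it parses the text that zpool status prints (the output above, plus a constructed single-disk variant representing what the installer leaves behind) and reports whether every top-level vdev of the pool is a mirror with two ONLINE members, and whether a resilver is still running. It reads the text rather than calling zpool, so it also works on saved output.

```python
"""Verify from `zpool status` output that a root pool is really mirrored.

Added example, not from the post. It parses the text `zpool status`
prints instead of calling zpool, so it also works on a saved copy.
Pipe real output in:  zpool status zpl_slim | python zmirror.py
With no input it evaluates the two constructed samples below.
"""
import re
import sys

# Constructed sample: the post's output right after `zpool attach`.
MIRRORED = """\
  pool: zpl_slim
 state: ONLINE
 scrub: resilver in progress, 11.75% done, 0h3m to go
config:

        NAME        STATE     READ WRITE CKSUM
        zpl_slim    ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c7d0s0  ONLINE       0     0     0
            c8d0s0  ONLINE       0     0     0

errors: No known data errors
"""

# Constructed sample: the single-disk pool the installer creates.
SINGLE = """\
  pool: zpl_slim
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        zpl_slim    ONLINE       0     0     0
          c7d0s0    ONLINE       0     0     0

errors: No known data errors
"""

# One line of the config section: indent, name, state, READ WRITE CKSUM.
_CONFIG_LINE = re.compile(r"^(\s*)(\S+)\s+(\S+)\s+\d+\s+\d+\s+\d+$")


def parse_status(text):
    """Return (pool, state, resilvering, vdevs); vdevs is the list of
    top-level entries {"name", "state", "children": [(name, state)]}.
    The vdev tree is encoded purely by indentation (two spaces per level)."""
    pool = state = None
    resilvering = False
    vdevs = []
    in_config = False
    pool_indent = None
    for line in text.splitlines():
        if line.startswith("  pool:"):
            pool = line.split(":", 1)[1].strip()
        elif line.startswith(" state:"):
            state = line.split(":", 1)[1].strip()
        elif line.startswith(" scrub:"):
            resilvering = "resilver in progress" in line
        elif line.startswith("config:"):
            in_config = True
        elif line.startswith("errors:"):
            in_config = False
        elif in_config:
            m = _CONFIG_LINE.match(line)
            if not m:
                continue  # column header or blank line
            indent, name, vstate = len(m.group(1)), m.group(2), m.group(3)
            if name == pool:
                pool_indent = indent
            elif pool_indent is not None and indent == pool_indent + 2:
                vdevs.append({"name": name, "state": vstate, "children": []})
            elif vdevs:
                vdevs[-1]["children"].append((name, vstate))
    return pool, state, resilvering, vdevs


def root_is_mirrored(text):
    """Return (ok, resilvering, problems). ok means: pool ONLINE, every
    top-level vdev a mirror, every mirror with at least two ONLINE members.
    A running resilver is reported separately: the mirror is configured,
    but the second disk does not hold a full copy yet."""
    pool, state, resilvering, vdevs = parse_status(text)
    problems = []
    if state != "ONLINE":
        problems.append("pool %s is %s" % (pool, state))
    if not vdevs:
        problems.append("no vdevs parsed for pool %s" % pool)
    for v in vdevs:
        if not v["name"].startswith("mirror"):  # "mirror" or "mirror-N"
            problems.append("top-level vdev %s is not a mirror" % v["name"])
            continue
        online = [n for n, s in v["children"] if s == "ONLINE"]
        if len(online) < 2:
            problems.append("%s has %d ONLINE member(s), need 2"
                            % (v["name"], len(online)))
    return not problems, resilvering, problems


if __name__ == "__main__":
    samples = [sys.stdin.read()] if not sys.stdin.isatty() else [MIRRORED, SINGLE]
    for text in samples:
        ok, resilvering, problems = root_is_mirrored(text)
        print("mirrored: %s%s" % (ok, " (resilver in progress)" if resilvering else ""))
        for p in problems:
            print("  " + p)
```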

Monday Nov 26, 2007

root as a role and zlogin

If you have turned root into a role in a zone and try to use zlogin from the global zone to log in as root you will see something like this:

root@global# zlogin zn1
[Connected to zone 'zn1' pts/2]
Login incorrect

[Connection to zone 'zn1' pts/2 closed]

This is because the default pam.conf denies it: zlogin has no account stack of its own, so it falls through to the "other" entries, which begin with pam_roles.so.1, and that module refuses a direct login to a role. Roles must only be assumed, via su, by users who are authorized to do so.

If you trust everyone who can become root in the global zone (they control the zone anyway), you can lift this restriction by giving the zlogin service its own account stack, one without pam_roles, by adding the following line to the zone's pam.conf:

zlogin  account required        pam_unix_account.so.1

Now you can zlogin directly to the role without first logging in as a normal user and assuming it with su:

root@global# zlogin zn1
[Connected to zone 'zn1' pts/2]
Sun Microsystems Inc.   SunOS 5.11      snv_75  October 2007
root@zn1#

Friday Nov 09, 2007

CSWmercurial 0.9.5

Now that CSWpython is upgraded I've finally got my act together and found some spare cycles lying around in a drawer, so I could finish the update of the CSWmercurial package. I've sent it out for alpha-testing, so hopefully I'll be able to publish it by the end of next week.

Saturday Nov 03, 2007

13949712720901ForOSX

This post is a petition to Apple to get their act together and finish Java 6 for Leopard

If you wonder what the strange title means, read this blog post.

Monday Oct 29, 2007

Time Machine & ZFS

I've just installed Leopard on my MacBook Pro, and was first disappointed that it only had read-only ZFS, but after checking out ADC that was solved :)

I also wanted to try out Time Machine and thought that I could place the backups on zfs, but Time Machine doesn't let me select zfs as a destination. Hopefully I'll be able to trick it somehow ;)

Update:
after Jeff Harrell's comment I read up on Time Machine here and here, and as Jess says it uses directory hard-links, so that won't work with zfs. Bummer! :(

Thursday Sep 20, 2007

S/Y Talalla

I'm a boat owner! Last week my brother and I bought a sailboat together, S/Y Talalla. She is a 25 foot (7.62 meters) folkbåt from 1969 built of pine oak.

This weekend we plan to sail from Ängelholm to Skillinge, a trip which should take about three days if things go according to plan. I'm really excited to go sailing, I haven't done that since I was a teenager. Hopefully it won't be too cold...

During the winter we plan to work on her and fix her up a bit, so she'll be nice and shiny for spring. Then we plan to sail to Denmark on the weekends to buy beer :)

Wednesday Sep 19, 2007

Solaris audit settings for PCI DSS version 1.1

I've reviewed the Payment Card Industry Data Security Standard version 1.1 to work out which audit settings are needed to be compliant, and thought I should share this. The reason for sharing it is twofold: I want to verify that I got it right, as many of the requirements are vague or ambiguous, and I think it is useful for those of you who also have to be compliant with the PCI DSS.

Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical. The presence of
logs in all environments allows thorough tracking and analysis if something does go wrong.
Determining the cause of a compromise is very difficult without system activity logs.

10.1 Establish a process for linking all access to system components (especially access done with 
administrative privileges such as root) to each individual user. 

This is handled by default through Solaris auditing, but you need to configure what to audit.

10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data 

This requirement is met by the fr and fw audit classes (file read and file write), but unfortunately you can not enable them for just the cardholder data: you will have to audit all file reads and writes, which will generate a considerable volume of audit records.

10.2.2 All actions taken by any individual with root or administrative privileges 

This requirement is a bit vague. What is an action? Assuming that they mean executed commands, you can meet this requirement by using the ex audit class.

10.2.3 Access to all audit trails 

Access to the audit trails is audited using the fr and fw classes. As with 10.2.1 this will generate loads of unwanted audit records.

10.2.4 Invalid logical access attempts 

Again this requirement is vague. Access to what? Assuming that they refer to files, this requirement is met by the -fr and -fw audit classes.

10.2.5 Use of identification and authentication mechanisms 

This requirement depends on what authentication mechanisms you are using. Assuming that you just use plain Solaris it is covered by the lo class, and if you use Kerberos you need the ap class too.

10.2.6 Initialization of the audit logs 

This requirement is met by the +aa class.

10.2.7 Creation and deletion of system-level objects. 

This requirement is met by the fc and fd classes (file creation and file deletion). I assume that they only mean successful events, so we can use +fc,+fd to reduce the size of the audit trail.

10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource. 

All these requirements are met by the audit records generated by Solaris.

10.4 Synchronize all critical system clocks and times. 

This requirement is met by synchronizing time using NTP.

10.5 Secure audit trails so they cannot be altered. 
10.5.1 Limit viewing of audit trails to those with a job-related need 

This requirement is met by limiting who can become root, which is best handled by turning root into a role, as assuming a role requires explicit authorization (knowing the password isn't enough).

10.5.2 Protect audit trail files from unauthorized modifications 

The default owner, group and mode of the audit trails are root, root and 640, and the only user who is a member of the root group is root. Unless you have changed that, this requirement is met by default.

10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter 

Upon audit file rotation (audit -n) the closed file should immediately be sent through a drop box to a remote system.

10.5.4 Copy logs for wireless networks onto a log server on the internal LAN. 

This requirement has nothing to do with Solaris auditing, so I don't cover it here.

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing
log data cannot be changed without generating alerts (although new data being added 
should not cause an alert). 

This requirement can be met by computing a MAC (mac -a sha256_hmac) of the audit file once it is terminated (audit -n) and recomputing it before you use it again.
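The same scheme with Python's hmac module instead of mac(1), as an added example that is not part of the post. It relies on the Solaris audit file naming, start.stop.host for a closed file and start.not_terminated.host for the one still being written, to seal only closed files: appends to the live file never raise an alert, any change to a sealed file does. The directory, file names, key and contents are constructed for the demo; the records are not real BSM data.

```python
"""Seal closed Solaris audit files with an HMAC and detect later changes.

Added example, not from the post; it does with Python's hmac module what
the post does with mac -a sha256_hmac. Solaris names a closed audit file
start.stop.host and the file still being written start.not_terminated.host,
so only closed files are sealed: appends to the live file never alert,
any change to a closed file does. Names, key and contents below are
constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_hmac(key, path):
    """HMAC-SHA256 over the file contents, read in 64 KiB chunks."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_terminated(name):
    """True for start.stop.host; the open file carries not_terminated."""
    parts = name.split(".")
    return len(parts) >= 3 and parts[1] != "not_terminated"


def load_manifest(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def seal(key, audit_dir, manifest_path):
    """Record an HMAC for every closed audit file not yet in the manifest.
    Existing entries are deliberately never refreshed: a digest that no
    longer matches must come out of verify(), not be re-sealed."""
    manifest = load_manifest(manifest_path)
    added = []
    for name in sorted(os.listdir(audit_dir)):
        if is_terminated(name) and name not in manifest:
            manifest[name] = file_hmac(key, os.path.join(audit_dir, name))
            added.append(name)
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)
    return added


def verify(key, audit_dir, manifest_path):
    """Compare every sealed file with its manifest entry."""
    manifest = load_manifest(manifest_path)
    result = {"ok": [], "modified": [], "missing": [], "unsealed": []}
    for name, expected in manifest.items():
        path = os.path.join(audit_dir, name)
        if not os.path.exists(path):
            result["missing"].append(name)
        elif hmac.compare_digest(file_hmac(key, path), expected):
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    for name in sorted(os.listdir(audit_dir)):
        if is_terminated(name) and name not in manifest:
            result["unsealed"].append(name)  # closed but never sealed
    return result


def demo(key=b"demo key; keep the real one on the log host"):
    """Constructed scenario in a temp dir: seal two closed files, append to
    the live file (must stay quiet), overwrite a byte in a closed file
    (must alert). Returns (sealed names, verify() result)."""
    d = tempfile.mkdtemp()
    closed_a = "20070919120000.20070919130000.pcihost"
    closed_b = "20070919130000.20070919140000.pcihost"
    live = "20070919140000.not_terminated.pcihost"
    for name in (closed_a, closed_b, live):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"constructed audit record\n" * 4)
    manifest = os.path.join(d, "manifest.json")
    sealed = seal(key, d, manifest)
    with open(os.path.join(d, live), "ab") as fh:
        fh.write(b"one more record appended to the live file\n")
    with open(os.path.join(d, closed_a), "r+b") as fh:
        fh.seek(7)
        fh.write(b"X")
    return sealed, verify(key, d, manifest)


if __name__ == "__main__":
    sealed, outcome = demo()
    print("sealed:", sealed)
    for status, names in outcome.items():
        print("%-9s %s" % (status, names))
```

Where the key lives decides what this proves: root on the audited host can recompute an HMAC with a key stored there, so keep the key and the manifest on the receiving side of the drop box from 10.5.3 and run the seal and verify steps there. The live file is picked up automatically once the next audit -n closes it.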

10.6 Review logs for all system components at least daily. Log reviews must include those servers that 
perform security functions like intrusion detection system (IDS) and authentication, authorization, 
and accounting protocol (AAA) servers (for example, RADIUS). 
Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6. 

This is the hard part. The above settings will generate several gigabytes of data on one busy system.

10.7 Retain audit trail history for at least one year, with a minimum of three months online availability.

Two tips for storing audit trails: either compress them using gzip or store them on a ZFS file system with compression enabled. See this post for more information.

A trick

Since we are required to audit all file access it will generate a gargantuan amount of data, probably several gigabytes per day per system. This got me thinking of how to minimize this without post-processing the audit trail, and I came up with a solution.

There are two sets of files for which we must audit access to: cardholder data and audit files.

If you make the cardholder data owned by a role (e.g. pci), and set the file mode so that only the role may access the files (chown pci and chmod 0600), you don't have to audit fr for everyone. It will be enough to audit fr for the pci role. When the users who are authorized to access the data assume the pci role, they get audited for fr even though their normal accounts aren't.

However, since root can read all files, that account also needs to be audited for fr. This also takes care of auditing access to the audit files, which are only accessible by root.

To catch someone changing the mode of cardholder data, e.g. making it world readable, the pci role should be audited for +fm (successful file attribute modification).

Audit configuration files

Below is the audit configuration for PCI DSS version 1.1:

/etc/security/audit_control

flags:lo,-fr,+fc,+fd

/etc/security/audit_user

root:ex,fr,fw,+aa:no
pci:fr,fw,+fm:no

Note! I have yet to try this out on a live system, but as soon as I have, I'll post the results here.
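Since the two files above have not been tried on a live system yet, here is a way to check them on paper first, as an added example that is not part of the post. Solaris preselects per user as the audit_control flags plus the user's always-audit flags minus the user's never-audit flags, where + means success only, - failure only, no prefix both, and ^ turns an event off. The script reproduces that and checks the effective masks of root, the pci role and an ordinary user (the assumed name "alice", who has no audit_user entry) against the classes each requirement was mapped to above. The two config texts are copies of the post's own files. Run against them it reports exactly one gap: ordinary users are audited for failed reads (-fr) but not for failed writes (-fw), which 10.2.4 as interpreted above also needs.

```python
"""Effective Solaris audit masks checked against the PCI DSS 10.2 mapping.

Added example, not from the post. Mask per user = audit_control flags
+ always-audit flags - never-audit flags; prefixes: none = success and
failure, + = success, - = failure, ^ = turn off. The "alice" user is an
assumed ordinary account with no audit_user entry.
"""
SUCCESS, FAILURE = "success", "failure"

AUDIT_CONTROL = """\
# constructed copy of the post's /etc/security/audit_control
dir:/var/audit
flags:lo,-fr,+fc,+fd
"""

AUDIT_USER = """\
# constructed copy of the post's /etc/security/audit_user
root:ex,fr,fw,+aa:no
pci:fr,fw,+fm:no
"""

# (requirement, user whose mask must satisfy it, [(class, event), ...])
REQUIREMENTS = [
    ("10.2.1 access to cardholder data (pci role)", "pci",
     [("fr", SUCCESS), ("fr", FAILURE), ("fw", SUCCESS), ("fw", FAILURE)]),
    ("10.2.2 actions by root", "root", [("ex", SUCCESS), ("ex", FAILURE)]),
    ("10.2.3 access to audit trails (root)", "root",
     [("fr", SUCCESS), ("fw", SUCCESS)]),
    ("10.2.4 invalid logical access attempts (any user)", "alice",
     [("fr", FAILURE), ("fw", FAILURE)]),
    ("10.2.5 identification and authentication (any user)", "alice",
     [("lo", SUCCESS), ("lo", FAILURE)]),
    ("10.2.6 initialization of the audit logs (root)", "root", [("aa", SUCCESS)]),
    ("10.2.7 creation and deletion of objects (any user)", "alice",
     [("fc", SUCCESS), ("fd", SUCCESS)]),
    ("trick: mode changes on cardholder data (pci role)", "pci", [("fm", SUCCESS)]),
]


def parse_flags(spec, mask=None):
    """Apply a comma-separated audit flag list to mask ({class: set of
    events}) left to right and return it. 'no' is the empty list."""
    mask = {} if mask is None else mask
    for item in spec.split(","):
        item = item.strip()
        if not item or item == "no":
            continue
        turn_off = item.startswith("^")
        if turn_off:
            item = item[1:]
        if item.startswith("+"):
            cls, events = item[1:], {SUCCESS}
        elif item.startswith("-"):
            cls, events = item[1:], {FAILURE}
        else:
            cls, events = item, {SUCCESS, FAILURE}
        current = mask.setdefault(cls, set())
        if turn_off:
            current -= events
        else:
            current |= events
        if not current:
            del mask[cls]
    return mask


def effective_mask(system_flags, always, never):
    """System flags plus always-audit, minus never-audit ('all' in the
    never field wipes every class)."""
    mask = parse_flags(always, parse_flags(system_flags))
    never_mask = parse_flags(never)
    for cls in list(mask):
        mask[cls] -= never_mask.get(cls, set()) | never_mask.get("all", set())
        if not mask[cls]:
            del mask[cls]
    return mask


def audited(mask, cls, event):
    return event in mask.get(cls, ()) or event in mask.get("all", ())


def parse_audit_control(text):
    """key:value lines, comments and blanks ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            entries[key.strip()] = value.strip()
    return entries


def parse_audit_user(text):
    """username:always-audit-flags:never-audit-flags lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, always, never = line.split(":")
            users[user] = (always, never)
    return users


def check(audit_control_text, audit_user_text, requirements=REQUIREMENTS):
    """Return [(requirement, user, missing flags)]; empty missing = met."""
    system_flags = parse_audit_control(audit_control_text).get("flags", "")
    users = parse_audit_user(audit_user_text)
    report = []
    for title, user, needed in requirements:
        always, never = users.get(user, ("no", "no"))
        mask = effective_mask(system_flags, always, never)
        missing = [("+" if ev == SUCCESS else "-") + cls
                   for cls, ev in needed if not audited(mask, cls, ev)]
        report.append((title, user, missing))
    return report


if __name__ == "__main__":
    for title, user, missing in check(AUDIT_CONTROL, AUDIT_USER):
        status = "OK " if not missing else "GAP"
        print("%s %-55s %s" % (status, title, ",".join(missing)))
```

Point it at the real files (read /etc/security/audit_control and audit_user into the two strings) and add a row per requirement you interpret differently; the mapping table is the part that encodes the judgement calls made above, the mask arithmetic is fixed by Solaris.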


Tuesday Sep 18, 2007

Death by powerpoint

Unfortunately I have experienced many presentations like this...

Monday Sep 03, 2007

Movie suggestion: Cidade dos Homens

We went to the premiere of Cidade dos Homens (City of Men) the other day. Having seen all the episodes of the TV series with the same name, there was no question that I would see the movie.

For those of you who don't know anything about the TV series or the movie, it is about two boys, Acerola and Laranjinha, who grow up in a (fictitious) favela in Rio de Janeiro. Through the TV series you get to follow them from their early teens to their 18th birthday (in the movie), and how they try to stay out of trouble. The subjects range from things at school, girls and making a living to staying alive (and away from the drug dealers).


© O2 Filmes

The movie manages to combine humor and serious issues in a perfect blend, to make you feel for the main characters. It also shows the ugly side of Rio, with gang wars between the different favelas, where innocent people can get killed just for being at the wrong place at the wrong time.

You really should see it in a movie theatre, as the film is beautifully shot with stunning views of Rio from the top of the favelas, which will be lost if you see it on a TV.


© O2 Filmes

Once the movie is released (in your country) I highly recommend watching it. I'll see it once more with subtitles, as my Portuguese isn't good enough to catch all nuances, and they use a lot of favela slang which I'm not used to.

Cidade dos Homens will leave you with a sad feeling but not with despair, and watching it will help to illuminate the problem.

About

martin
