Simplicity is a form of art... - Security

Automating compliance checks

Sven Vermeulen — Sat, 03 Mar 2018 13:20:00 +0100

With the configuration baseline for a technical service being described fully (see the first, second and third post in this series), it is time to consider the validation of the settings in an automated manner. The preferred method for this is to use Open Vulnerability and Assessment Language (OVAL), which is nowadays managed by the Center for Internet Security, abbreviated as CISecurity. Previously, OVAL was maintained and managed by Mitre under NIST supervision, and Google searches will often still point to the old sites. However, documentation is now maintained on CISecurity's github repositories.

But I digress...

Documenting a rule

Sven Vermeulen — Wed, 24 Jan 2018 20:40:00 +0100

In the first post I talked about why configuration documentation is important. In the second post I looked into a good structure for configuration documentation of a technological service, and ended with an XCCDF template in which this documentation can be structured.

The next step is to document the rules themselves, i.e. the actual content of a configuration baseline.

Structuring a configuration baseline

Sven Vermeulen — Wed, 17 Jan 2018 09:10:00 +0100

A good configuration baseline has a readable structure that allows all stakeholders to quickly see if the baseline is complete, as well as find a particular setting regardless of the technology. In this blog post, I'll cover a possible structure of the baseline which attempts to be sufficiently complete and technology agnostic.

If you haven't read the blog post on documenting configuration changes, it might be a good idea to do so as it declares the scope of configuration baselines and why I think XCCDF is a good match for this.

Documenting configuration changes

Sven Vermeulen — Sun, 07 Jan 2018 21:20:00 +0100

IT teams are continuously under pressure to set up and maintain infrastructure services quickly, efficiently and securely. As an infrastructure architect, my main concerns are related to the manageability of these services and the secure setup. And within those realms, a properly documented configuration setup is in my opinion very crucial.

In this blog post series, I'm going to look into using the Extensible Configuration Checklist Description Format (XCCDF) as the way to document these. This first post is an introduction to XCCDF functionally, and what I position it for.

Authenticating with U2F

Sven Vermeulen — Mon, 11 Sep 2017 18:25:00 +0200

In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.

Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about the pam_u2f setup are indeed correct that it is fairly simple. For completeness sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.

Matching MD5 SSH fingerprint

Sven Vermeulen — Thu, 18 May 2017 18:20:00 +0200

Today I was attempting to update a local repository, when SSH complained about a changed fingerprint, something like the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:p4ZGs+YjsBAw26tn2a+HPkga1dPWWAWX+NEm4Cv4I9s.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:9
ECDSA host key for 192.168.56.101 has changed and you have requested strict checking.
Host key verification failed.

Talk about SELinux on GSE Linux/Security

Sven Vermeulen — Tue, 25 Mar 2014 23:11:00 +0100

On today's GSE Linux / GSE Security meeting (in cooperation with IMUG) I gave a small (30 minutes) presentation about what SELinux is. The slides are online and cover two aspects of SELinux: some of its design principles, and then a set of features provided by SELinux. The talk is directed …

Giving weights to compliance rules

Sven Vermeulen — Thu, 26 Dec 2013 04:13:00 +0100

Now that we wrote up a few OVAL statements and used those instead of SCE driven checks (where possible), let's finish up and go back to the XCCDF document and see how we can put weights in place.

The CVE (Common Vulnerability Exposure) standard allows for vulnerabilities to be given …

Doing a content check with OVAL

Sven Vermeulen — Tue, 24 Dec 2013 04:25:00 +0100

Let's create an OVAL check to see if /etc/inittab's single user definitions only refer to /sbin/sulogin or /sbin/rc single. First, the skeleton:

(XML content lost during blog conversion)

The first thing we notice is that there are several namespaces defined within OVAL. These namespaces refer to …

What is OVAL?

Sven Vermeulen — Sun, 22 Dec 2013 04:40:00 +0100

Time to discuss OVAL (Open Vulnerability Assessment Language). In all the previous posts I focused the checking of rules (does the system comply with the given rule) on scripts, through the Script Check Engine supported by openscap. The advantage of SCE is that most people can quickly provide automated checks …

Remediation through SCAP

Sven Vermeulen — Fri, 20 Dec 2013 04:47:00 +0100

I promised in my previous post to give some information about remediation.

Remediation is the process where you fix a system to become compliant again after finding out there is a violation on the system. The easiest form of remediation of course is to just notify the administrator and give …

Running a bit with the XCCDF document

Sven Vermeulen — Wed, 18 Dec 2013 04:23:00 +0100

In my previous post I introduced automated checking of rules through SCE (Script Check Engine). Let's focus a bit more now on running with an XCCDF document: how to automatically check the system, read the results and find more information of those results.

To provide a usable example, you can …

XCCDF - Documenting a bit more than just descriptions

Sven Vermeulen — Mon, 16 Dec 2013 04:58:00 +0100

In my previous post I made a skeleton XCCDF document. By now, we can create a well documented "baseline" (best practice) for our subject (say PostgreSQL). But for now I only talked about <description> whereas XCCDF allows many other tags as well.

You can add metadata information for a particular …

An XCCDF skeleton for PostgreSQL

Sven Vermeulen — Sat, 14 Dec 2013 04:00:00 +0100

In a previous post I wrote about the documentation structure I have in mind for a PostgreSQL security best practice. Considering what XCCDF can give us, the idea is to have the following structure:

Hardening PostgreSQL
+- Basic setup
+- Instance level configuration
|  +- Pre-startup configuration
|  `- PostgreSQL internal configuration
+- Database recommendations
`- User definitions …

Documenting security best practices - XCCDF introduction

Sven Vermeulen — Thu, 12 Dec 2013 16:04:00 +0100

When I have some free time, I try to work on a Gentoo Security Benchmark which not only documents security best practices (loosely based on the Gentoo Security Handbook which hasn't seen much updates in the last few years) but also uses the SCAP protocols. This set of protocols allows …

The mix of libffi with other changes

Sven Vermeulen — Sun, 03 Nov 2013 10:27:00 +0100

I once again came across libffi. Not only does the libffi approach fight with SELinux alone, it also triggers the TPE (Trusted Path Execution) protections in grSecurity. And when I tried to reinstall Portage, Portage seemed to create some sort of runtime environment in a temporary directory as well, and …

In-browser encryption for online password management

Sven Vermeulen — Sun, 20 Oct 2013 21:29:00 +0200

Lately I've been trying to find a good free software project that uses PHP or cgi-bin (one of the requirements for this particular organization) that allows its users to store passwords centrally, but uses encryption on the browser level before the passwords are sent to the central server. I've found …

Switching gpg key to 0x2EDD52403B68AF47

Sven Vermeulen — Thu, 19 Sep 2013 21:17:00 +0200

I recently switched my GnuPG key. The previous key - which is still in place for now (no revocation send out yet) - was 0x5DFAB3ECCDBA2FDB and was a 1024 bit DSA key. The new one, 0x2EDD52403B68AF47, is a 4096 bit RSA key. It also has the following preferences:

gpg> showpref
[ultimate] (1 …

cvechecker 3.3 released

Sven Vermeulen — Mon, 16 Sep 2013 16:06:00 +0200

I just uploaded a new release of cvechecker to the project files. The release is a (long overdue) bugfix release, but includes two small enhancements: support standard input for the binary list (so you can pipe the output of one command to cvechecker) and the introduction of the CVECHECKER_CONFFILE variable …

Putting OVAL at work

Sven Vermeulen — Thu, 01 Aug 2013 15:01:00 +0200

When we look at the SCAP security standards, you might get the feeling of "How does this work". The underlying interfaces, like OVAL and XCCDF, might seem a bit daunting to implement.

This is correct, but you need to remember that the standards are protocols, agreements that can be made …

Looking at the local Linux kernel privilege escalation

Sven Vermeulen — Fri, 17 May 2013 03:50:00 +0200

There has been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.

In …

Highlevel assessment of Cdorked and Gentoo Hardened/SELinux

Sven Vermeulen — Tue, 14 May 2013 03:50:00 +0200

With all the reports surrounding Cdorked, I took a look at if SELinux and/or other Gentoo Hardened technologies could reduce the likelihood that this infection occurs on your system.

First of all, we don't know yet how the malware gets installed on the server. We do know that the …

Overview of Linux capabilities, part 3

Sven Vermeulen — Mon, 06 May 2013 03:50:00 +0200

In previous posts I talked about capabilities and gave an introduction to how this powerful security feature within Linux can be used (and also exploited). I also covered a few capabilities, so let's wrap this up with the remainder of them.

CAP_AUDIT_CONTROL: Enable and disable kernel auditing; change auditing filter …

Overview of Linux capabilities, part 2

Sven Vermeulen — Sun, 05 May 2013 03:50:00 +0200

As I've (in a very high level) described capabilities and talked a bit on how to work with them, I started with a small overview of file-related capabilities. So next up are process-related capabilities (note, this isn't a conform terminology, more some categorization that I do myself).

CAP_IPC_LOCK: Allow the …

Overview of Linux capabilities, part 1

Sven Vermeulen — Sat, 04 May 2013 03:50:00 +0200

In the previous posts, I talked about capabilities and how they can be used to allow processes to run in a privileged fashion without granting them full root access to the system. An example given was how capabilities can be leveraged to run ping without granting it setuid root rights …

Restricting and granting capabilities

Sven Vermeulen — Fri, 03 May 2013 03:50:00 +0200

As capabilities are a way for running processes with some privileges, without having the need to grant them root privileges, it is important to understand that they exist if you are a system administrator, but also as an auditor or other security-related function. Having processes run as a non-root user …

Capabilities, a short intro

Sven Vermeulen — Thu, 02 May 2013 03:50:00 +0200

Capabilities. You probably have heard of them already, but when you start developing SELinux policies, you'll notice that you come in closer contact with them than before. This is because SELinux, when applications want to do something "root-like", checks the capability of that application. Without SELinux, this either requires the …

Securely handling libffi

Sven Vermeulen — Sun, 28 Apr 2013 03:50:00 +0200

I've recently came across libffi again. No, not because it was mentioned during the Gentoo Hardened online meeting, but because my /var/tmp wasn't mounted correctly, and emerge (actually python) uses libffi. Most users won't notice this, because libffi works behind the scenes. But when it fails, it fails bad …

Mitigating DDoS attacks

Sven Vermeulen — Mon, 22 Apr 2013 03:50:00 +0200

Lately, DDoS attacks have been in the news more than I was hoping for. It seems that the botnets or other methods that are used to generate high-volume traffic to a legitimate service are becoming more and more easy to get and direct. At the time that I'm writing this …

What could SELinux have done to mitigate the postgresql vulnerability?

Sven Vermeulen — Tue, 16 Apr 2013 14:00:00 +0200

Gentoo is one of the various distributions which supports SELinux as a Mandatory Access Control system to, amongst other things, mitigate the results of a succesfull exploit against software. So what about the recent PostgreSQL vulnerability?

When correctly configured, the PostgreSQL daemon will run in the postgresql_t domain. In SELinux-speak …

How far reaching vulnerabilities can go

Sven Vermeulen — Tue, 09 Apr 2013 19:39:00 +0200

If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …

Using stunnel for mutual authentication

Sven Vermeulen — Sat, 08 Dec 2012 14:24:00 +0100

Sometimes services do not support SSL/TLS, or if they do, they do not support using mutual authentication (i.e. requesting that the client also provides a certificate which is trusted by the service). If that is a requirement in your architecture, you can use stunnel to provide this additional …

Perimeter security testing

Sven Vermeulen — Tue, 28 Aug 2012 22:47:00 +0200

I've been asked a few times how I would do perimeter security testing. Personally, I'm not an offensive security guy, more a defensive one, meaning I'm more about security-related defensive methods rather than PEN testing of any kind. But still, even in a defensive position, having a "view" on how …

Hardening the Linux kernel updates

Sven Vermeulen — Sat, 21 Jul 2012 21:06:00 +0200

Thanks to a comment by Andy, the guide now has information about additional settings: stackprotector, read-only data, restrict access to /dev/mem, disable /proc/kcore and restrict kernel syslog (dmesg). One suggestion he made didn't make it to the guide (about CONFIG_DEBUG_STACKOVERFLOW) since I can't find any resources about the …

Hardening the Linux kernel

Sven Vermeulen — Fri, 20 Jul 2012 22:05:00 +0200

I have moved out the kernel configuration settings (and sysctl stuff) from the Hardening Gentoo Linux benchmark into its own Hardening the Linux kernel guide. It covers some common hardening-related kernel configuration entries (although I'm sure I'm missing a lot of them still) as well as grSecurity and PaX settings …

Hardening OpenSSH

Sven Vermeulen — Wed, 18 Jul 2012 22:20:00 +0200

A while ago I wrote about a Gentoo Security Benchmark which would talk about hardening a Gentoo Linux installation. Within that document, I was documenting how to harden specific services as well. However, I recently changed my mind and wanted to move the hardening stuff for the services in separate …

Why both chroot and SELinux?

Sven Vermeulen — Sun, 15 Apr 2012 09:41:00 +0200

In my previous post, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux?

Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate …

Mitigating risks, part 5 - application firewalls

Sven Vermeulen — Wed, 05 Oct 2011 23:38:00 +0200

The last isolation-related aspect on risk mitigation is called application firewalls. Like more "regular" firewalls, its purpose is to be put in front of a service, controlling which data/connections get through and which don't. But unlike these regular firewalls, application firewalls work on higher-level protocols (like HTTP, FTP) that …

Mitigating risks, part 4 - Mandatory Access Control

Sven Vermeulen — Fri, 23 Sep 2011 20:16:00 +0200

I've talked about service isolation earlier and the risks that it helps to mitigate. However, many applications still run as highly privileged accounts, or can be abused to execute more functions than intended. Service isolation doesn't help there, and system hardening can only go that far. The additional countermeasures that …

Mitigating risks, part 3 - hardening

Sven Vermeulen — Tue, 13 Sep 2011 22:46:00 +0200

While I'm writing this post, my neighbor is shouting. He's shouting so hard, that I was almost writing with CAPS on to make sure you could read me. But don't worry, he's not fighting - it is how he expresses his (positive) feelings about his religion.

Security is, for some, also …

Mitigating risks, part 2 - service isolation

Sven Vermeulen — Fri, 09 Sep 2011 23:12:00 +0200

Internet: absolute communication, absolute isolation
\~Paul Carvel

The quote might be ripped out of its context completely, since it wasn't made when talking about risks and the assurance you might need to get in order to reduce risks. But it does give a nice introduction to the second part of …

Mitigating risks, part 1

Sven Vermeulen — Mon, 05 Sep 2011 22:05:00 +0200

We are running Foobar 2.0 on Tomcat 4. We know that Tomcat 4 isn't supported, but hey - our (internal) customer is happy that the Foobar application works and would like to keep it that way. Upgrading to Tomcat 5 or higher is not possible - Foobar 2.0 only works …

checksec kernel security

Sven Vermeulen — Sun, 24 Jul 2011 00:18:00 +0200

I have blogged about checksec.sh earlier before. Jono, one of the #gentoo-hardened IRC-members, kindly pointed me to its --kernel option. So I feel obliged to give its options a stab as well. So, here goes the next batch of OPE-style (One Paragraph Explanations).

~# checksec.sh --kernel
* Kernel protection information …

High level explanation on some binary executable security

Sven Vermeulen — Fri, 15 Jul 2011 22:01:00 +0200

One very important functionality offered by Gentoo Hardened is a specific toolchain (compiler, libraries and more) that contains patches to make the built binaries a bit more protected from certain vulnerabilities. Explaining all those in detail is too much for a simple blog post like this, but some time ago …

cvechecker 3.0

Sven Vermeulen — Tue, 12 Apr 2011 22:47:00 +0200

I'm pleased to announce the immediate availability of cvechecker 3.0. It contains two major feature enhancements: watchlists and MySQL support.

watchlists allow cvechecker to track and report on CVEs for software that cvechecker didn't detect on the system (or perhaps even isn't installed on the system). You can use …

cvechecker updates

Sven Vermeulen — Sun, 27 Mar 2011 22:20:00 +0200

The in-svn version of cvechecker has seen quite a few changes in the last few days. I'm adding support for MySQL to it. This support will be added in three steps:

support the same features as cvechecker currently does using sqlite
streamline the database code so that duplicate code in …

cvechecker update

Sven Vermeulen — Sat, 19 Feb 2011 16:31:00 +0100

A while ago, I got the request to enhance cvechecker with support for providing a list of installed software (or software you want to watch over with cvechecker) even if cvechecker isn't able to detect that software on your system. I've implemented this and it is currently available in the …

cvechecker 2.0 released

Sven Vermeulen — Wed, 01 Dec 2010 22:29:00 +0100

Okay, enough play - time for a new release. Since cvechecker 1.0 was released, a few important changes have been made to the cvechecker tools:

You can now tell cvechecker to only check newly added files, or remove a set of files from its internal database. Previously, you had to …

Helping with version detection rules in cvechecker

Sven Vermeulen — Sat, 27 Nov 2010 17:59:00 +0100

The new development snapshot, available from the cvechecker project site, contains a helper script that returns potential version detection rules for your system if the current cvechecker database doesn't detect your software. The script is currently available for Gentoo (called cverules_gentoo) but other distributions can be easily added. The actual …

Delta processing in cvechecker

Sven Vermeulen — Tue, 02 Nov 2010 00:30:00 +0100

The cvechecker application will support delta file processing as well as higher version matching with its next release. The functionality is currently in version control and I still have to work out quite a few things before they can go live, but the functionality is there.

Now why would these …

Risk identification

Sven Vermeulen — Thu, 14 Oct 2010 20:18:00 +0200

Risk identification is a difficult subject. Analysts need it to defend mitigation strategies or to suggest investments. Yet risk identification is often a subjective method, especially in the IT industry. How do you give a number on a certain risk? When do you believe that that number exceeds a threshold …

cvechecker 1.0 released

Sven Vermeulen — Fri, 01 Oct 2010 21:34:00 +0200

With only a few small bugfixes between this release and the previous one, cvechecker 1.0 has finally been released. It runs fine on my few systems and I have not gotten any bugreports from other users anymore. It can definitely need more rules to identify installed software (those rules …

cvechecker 0.6 released

Sven Vermeulen — Wed, 08 Sep 2010 21:41:00 +0200

This release makes me quite happy, because it resolves one major PITA I had (performance), but you know how things go. If it works fine for the developer, it's probably an abomination for the rest of the world. Anyhow, cvechecker version 0.6 is now available. It improves reporting performance …

cvechecker 0.5 released

Sven Vermeulen — Thu, 02 Sep 2010 00:57:00 +0200

A new intermediate release of cvechecker is now released. The tool is reported to build properly on NetBSD and FreeBSD as well (although much user experience there is still welcome), introduces a cvereport command (example output), has lowered its initial dependency requirements and pullcves now only loads the CVE XML …

cvechecker 0.4 released

Sven Vermeulen — Wed, 25 Aug 2010 23:55:00 +0200

Albeit with less updates than 0.3 had, cvechecker 0.4 brings in internal project files reorganization (more to the liking of the GNU autoconf/automake standards - I think), fixes a databaseleak (instead of memoryleak ;-) bug and introduces a teenie weenie bit more intelligent pullcves command (with multiple return code …

cvechecker userguide

Sven Vermeulen — Sun, 22 Aug 2010 17:37:00 +0200

Just a quick note, I've created and uploaded the cvechecker userguide.

cvechecker 0.3 released

Sven Vermeulen — Fri, 20 Aug 2010 22:15:00 +0200

Time for a new intermediate cvechecker release, so here it is. Changes include (beyond the usual bugfixes) different CSV output (with some sort of version support) so that it can be easily used for reporting purposes, removal of debugging/verbose items and added example files for reporting.

cvechecker 0.2 released

Sven Vermeulen — Mon, 16 Aug 2010 21:35:00 +0200

I've made version 0.2 available of cvechecker. It fixes some build warnings and also supports the normal "make install" step. The pullcves command now also pulls in the latest versions.dat file. Special thanks to Per Andersson for reporting that the ./configure didn't fail if sqlite3 or libconfig wasn't …

cvechecker 0.1 released

Sven Vermeulen — Sat, 14 Aug 2010 22:03:00 +0200

cvechecker version 0.1 is out. This is the first publicly available development release, so it's still far from production-ready yet. However, it is usable so it can now be publicly analyzed to remove all icky bugs and such. I'm not planning (m)any new features (apart from the reporting …

Linux Sea sources online, cvechecker still in development

Sven Vermeulen — Fri, 23 Jul 2010 20:59:00 +0200

First of all, I've put the sources for Linux Sea online at GitHub. Not only does that safeguard any latest changes from not hitting my backup in time before my laptop dies (it's terminal, but I can't let him go yet ;-) but it also allows people who want to help …

cvechecker in development mode

Sven Vermeulen — Mon, 12 Jul 2010 20:31:00 +0200

A while ago I had the idea to create a simple tool that checks the CVE database against my current system. It would allow me to check if my system is somewhat up to date (no pending security vulnerabilities), but also to get an automated overview of the various software …

OVAL, SCAP, CVE, CPE, ...

Sven Vermeulen — Sat, 05 Jun 2010 15:13:00 +0200

For a personal POC I wanted to see if it is possible to generate, based on the collection of CVE entries publicly available, a report informing a system administrator about possible vulnerabilities. Nothing fancy, just based upon versions.

A simple example: tool detects Perl, acquires installed Perl version, then matches …