Linux tty auditing

Since RHEL 5.4, and in recent Fedora releases, it’s possible to audit what users type at their tty (command prompt), thanks to the work of Steve Grubb, a RedHat employee.

Edit /etc/pam.d/system-auth and append one of the following lines (but not both):

session required pam_tty_audit.so disable=* enable=root
session required pam_tty_audit.so enable=*
Wait for users to log in and type into a terminal. Later, to see audited tty input, run:
aureport --tty
When a user logs in, the pam module tells the kernel to enable tty auditing for a process and its children. All tty input is logged, but it may not be incredibly easy to read (it includes backspaces, control characters, etc.). I’m unclear as to when and how often the kernel flushes out accumulated tty input to the audit log. The records are identified with a type of TTY in /var/log/audit/audit.log.
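Because the keystrokes in a TTY record are hex-encoded and still contain the backspaces and control characters the user typed, reading the raw log is tedious. The following script is an added example, not part of the original post or of the audit tooling: it decodes the data= field of a TTY record, replays backspaces, and shows remaining control bytes in caret notation. The sample line is constructed to match the record shape shown above.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a kernel TTY audit record from
# /var/log/audit/audit.log; the keystrokes are hex-encoded in data=.
SAMPLE_LINE = (
    "type=TTY msg=audit(1600000000.123:456): tty pid=1234 uid=1000 "
    'auid=1000 ses=2 major=136 minor=1 comm="bash" '
    "data=636174202F6574632F706173787F7377640D77686F7F7F7F69640D03"
)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line: str) -> Dict[str, str]:
    """Split an audit record into key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def render_keystrokes(raw: bytes) -> List[str]:
    """Replay raw tty input: apply backspaces, split on Enter, and show
    other control bytes as ^X so nothing typed is silently dropped."""
    lines: List[str] = []
    current: List[str] = []
    for b in raw:
        if b in (0x08, 0x7F):           # Backspace / DEL erase one char
            if current:
                current.pop()
        elif b in (0x0A, 0x0D):         # Enter ends the current line
            lines.append("".join(current))
            current = []
        elif 0x20 <= b < 0x7F:          # printable ASCII as typed
            current.append(chr(b))
        elif b < 0x20:                  # e.g. Ctrl-C (0x03) -> "^C"
            current.append("^" + chr(b + 0x40))
        else:                           # non-ASCII byte, keep as hex
            current.append("\\x%02x" % b)
    if current:
        lines.append("".join(current))
    return lines


def decode_tty_record(line: str) -> Dict[str, object]:
    """Return who typed (pid/auid/comm) and the reconstructed input."""
    fields = parse_fields(line)
    if fields.get("type") != "TTY":
        raise ValueError("not a TTY record")
    return {"pid": fields["pid"], "auid": fields["auid"],
            "comm": fields["comm"],
            "input": render_keystrokes(bytes.fromhex(fields["data"]))}


if __name__ == "__main__":
    rec = decode_tty_record(SAMPLE_LINE)
    print("auid=%s comm=%s" % (rec["auid"], rec["comm"]))
    for entry in rec["input"]:
        print("   " + entry)
```

Note that the replay is only an approximation of what the shell saw: line editing done with arrow keys or readline shortcuts is not reconstructed, which is exactly why the patched-bash USER_TTY records described next are easier to read.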

In addition to tty auditing, RedHat patched their bash shell so that it neatly audits each and every command line it executes, with a record type of USER_TTY. It’s prettier to read than raw tty auditing — and it’s easy for a user to bypass by using a shell that doesn’t send its commands to the Linux audit system, like zsh, or a custom-built unpatched bash. Maybe that’s why “aureport --tty” doesn’t show USER_TTY records.


The Linux auditing system is powerful. It’s possible to write rules that watch for modification to certain files, or that log the use of certain system calls. See the “audit.rules” manpage for more information.

Fedora 14, SSH ports and SELinux

SELinux in Fedora 14 is configured to constrain the ports on which SSH can listen (see the bug report). The solution:

setsebool -P sshd_forward_ports 1
This allows SSH to listen on ports besides 22, and to forward ports. Reading the bug report is interesting. In my opinion, OpenSSH has an outstanding security track record, and we probably don’t need additional SELinux policy to constrain it. It’s probably wise to practice defense in depth (to have more than one line of defense), but it creates a large road bump for most SSH power users. From what I read, it sounds like most people still disable SELinux.

Trust, but verify

In a comment over at LWN.net, a reader pointed out that it’s a good idea to verify not just SSL certificates, but also doctors, mechanics, etc. He says, “it’s simply a requirement of a healthy society that its citizens have a healthy skepticism and be willing to put the effort into understanding what is going on around them. It’s not that you don’t trust them. It’s that you do what you can, in your limited way, to make sure that you can trust them.”

Users, Security and Scams

I read Bruce Schneier’s Crypto-Gram monthly. It’s from there that I found most of these links, with the exception of the ones on social engineering. I found the first paper on scam victims to be especially thought provoking (although it’s long). The video clip demonstrating social proof was amusing.

Understanding scam victims: seven principles for systems security

Summary: Scammers manipulate people with distraction, deception, herd mentality, greed, time pressure and by impersonating authority. If something sounds too good to be true, it probably is.


Social Engineering [2] [3]

Summary: Social engineers exploit people’s tendency to trust and to be helpful. They do this with ingratiation, impersonation, diffusion of responsibility, urgency, appeal to conformity (aka “social proof” or herd mentality), intimidation, deception, and authoritative orders.

There’s an entertaining Candid Camera video clip demonstrating “social proof”.


The Rational Rejection of Security Advice by Users

Summary: Security practitioners often dole out advice that is perceived by users as too time consuming. So users ignore or reject the security advice. However, “Advice that has compelling cost-benefit tradeoff has real chance of user adoption…. the costs and benefits have to be those the user cares about”. Time is one thing users care about.

Article: Election Fraud in Kentucky

Bruce Schneier summarizes the first documented case of election fraud using new electronic voting machines in his article Election Fraud in Kentucky:

Five Clay County officials, including the circuit court judge, the county clerk, and election officers were arrested Thursday after they were indicted on federal charges accusing them of using corrupt tactics to obtain political power and personal gain.

They used a low-tech social engineering trick to commit their crime.

Bypassing the I.T. security fortress

In the back of my mind for the past few years, I've been thinking about how I.T. security becomes less meaningful as time goes on. The use of digital cameras isn't usually allowed, yet a company isn't (usually) going to boot out an employee for having a cell phone with a digital camera -- or even using it to take a snapshot of a diagram that will be placed on a corporate wiki. The use of USB thumb drives for transferring and storing corporate data is perceived as a risk, but often, it's a practical way of getting one's job done. Remember network firewalls? They're still in place, but they're increasingly meaningless. They certainly don't keep out viruses and trojan horses. And with the increasing prevalence of wireless networking, there's even less incentive for people to play by the I.T. security rules. Dan Kaminsky expresses these thoughts better than I have:

... every restriction, every alteration [I.T. makes] in people's day to day business, carries with it a risk that users will abandon the corporate network entirely, going "off-grid" in search of a more open and more useful operating environment. You might scoff, and think people would get fired for this stuff, but you know what people really get fired for? Missing their numbers.

It's never been easier to get away with going off-grid. Widespread availability of WiMax and 3G networks means there's an alternate, unmonitored high speed network available at every desk.

Kaminsky goes on to discuss some of the ramifications of these ongoing changes, including "the Cloud" (e.g. Google docs) and the security of corporate data.

Fedora 10 lacks “wow” appeal; OpenSolaris 11

I upgraded one of my machines to Fedora 10 last month, and for me, this release lacks the “wow” appeal that other releases have had. A minor annoyance is that the keyboard repeat delay is broken for me and so far, there is no fix other than disabling keyboard repeat. On the plus side, Fedora 10 includes OpenOffice.org 3 and other new features. Be sure to check out the Common Issues people have experienced with Fedora 10.

The other day, a co-worker handed me an OpenSolaris 11 Live CD. I booted it, expecting to be underwhelmed like I was with the Solaris 10 JavaDesktop. I was pleasantly surprised, however. Sun’s “Nimbus” GNOME theme knocks the socks off of the boring Fedora window manager themes. The experience felt like I was running Linux. It was responsive, supported my newer hardware, and the system was built with GNU utilities on the command line so I get my favourite options to ‘ls’, ‘grep’, etc. It supported my NVidia card out-of-the box, and had Compiz eye-candy as an option. The only thing I missed (in my superficial test) was the familiar ‘yum’ and ‘rpm’ for package management. I suspect that if I used it from day to day, I’d find other things I miss. Does OpenSolaris support encrypted file systems? Does it have as much optional software as I can get with Fedora Extras?

I’ll keep my eye on OpenSolaris a little more closely in the future.

Web App Security Statistics

Perhaps this is a bit old, but it’s the first time I’ve seen it, and I thought it was interesting enough to share.

http://www.webappsec.org/projects/statistics/

  • More than 7% of analyzed sites can be compromised automatically.
  • Detailed manual and automated assessment using white and black box methods shows that the probability of detecting a high severity vulnerability reaches 96.85%.
  • The most prevalent vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection and Predictable Resource Location.

REST versus RPC

Have you considered the merits and applicability of RESTful web apps? Here are a few notes I’ve made.

There was quite a discussion about RPC, REST, and message queuing — they are not the same thing. Each one is needed in a different scenario. All are used in building distributed systems.

Wikipedia’s explanation of REST is quite informative, especially their examples of RPC versus REST.

The poster “soabloke” says RPC “Promotes tightly coupled systems which are difficult to scale and maintain. Other abstractions have been more successful in building distributed systems. One such abstraction is message queueing where systems communicate with each other by passing messages through a distributed queue. REST is another completely different abstraction based around the concept of a ‘Resource’. Message queuing can be used to simulate RPC-type calls (request/reply) and REST might commonly use a request/reply protocol (HTTP) but they are fundamentally different from RPC as most people conceive it.”

The REST FAQ says, “Most applications that self-identify as using “RPC” do not conform to the REST. In particular, most use a single URL to represent the end-point (dispatch point) instead of using a multitude of URLs representing every interesting data object. Then they hide their data objects behind method calls and parameters, making them unavailable to applications built of the Web. REST-based services give addresses to every useful data object and use the resources themselves as the targets for method calls (typically using HTTP methods)… REST is incompatible with ‘end-point’ RPC. Either you address data objects (REST) or you don’t.”

RPC: Remote Procedure Call assumes that people agree on what kinds of procedures they would like to do. RPC is about algorithms, code, etc. that operate on data, rather than about the data itself. Usually fast. Usually binary encoded. Okay for software designed and consumed by a single vendor.

REST: All data is addressed using URLs, and is encoded using a standard MIME type. Data that is made up of other data would simply have URLs pointing to the other data. Assumes that people won’t agree on what they want to do with data, so they let people get the data, and act on it independently, without agreeing on procedures.

xguest

I just discovered and installed the xguest package for Fedora 8 and 9. Here’s what it does:

Installing this package sets up the xguest user to be used as a temporary account to switch to or as a kiosk user account. The account is disabled unless SELinux is in enforcing mode. The user is only allowed to log in via gdm [or the fast-user-switching applet]. The home and temporary directories of the user will be polyinstantiated and mounted on tmpfs.

Here’s how to install it:

yum install xguest

I hit a brick wall when I first tried it. I thought my machine was in SELinux Enforcing mode, when it wasn’t — it was in Permissive mode. I fixed it using system-config-selinux.

It’s possible to change what the xguest user can do using system-config-selinux. I’ve attached a screenshot showing what capabilities can be granted or revoked.

SELinux Administration for xguest user