gmane.linux.centos.general

Re: TPM and secure boot

Denniston, Todd A CIV NAVSURFWARCENDIV Crane — 2013-05-20T13:17:09

As seen on LWN http://lwn.net/Articles/549597/ 
Matthew Garrett has been messing with TPM again
http://mjg59.dreamwidth.org/24818.html

You can secure a Linux system Quite well using TPM, but it takes work
and you need to know the capabilities of your TPM chip... Matthew
Garrett indicated that they are not all loaded the same.
For the purposes of doing ssl, I am wondering if you need the
Endorsement Key (EK), which Matt indicated some chips don't have. I know
you *can* get a system all the way through booting from tpm using
trusted grub and tpm-luks.
Matt indicated that "The Linux kernel has support for measuring each
binary run or each module loaded and extending PCRs accordingly", so you
can go deeper.


Even when this disclaimer is not here:
I am not a contracting officer. I do not have authority to make or
modify the terms of any contract.

Re: security breach - ftp?

Andy Goy — 2013-05-20T12:56:11

Although you have not said
I hope you changed the ftp account password and didn't save it on your  ftp client  program  in cleartext  (or anywhere else)

First time hack logins usually know the right credentials 

Regards,
Andy Goy
IT Consultant
-----Original Message-----
From: centos-bounces-IFYaIzF+flcdnm+yROfE0A< at >public.gmane.org [mailto:centos-bounces-IFYaIzF+flcdnm+yROfE0A< at >public.gmane.org] On Behalf Of mark
Sent: 20 May 2013 13:02
To: CentOS mailing list
Subject: Re: [CentOS] security breach - ftp?

On 05/19/13 11:59, Philipp Duffner wrote:
<snip>
<snip>
The bunch of these messages, above, make me wonder if the reason that the pam stack module is deprecated is vulnerability. Consider checking the proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see if you can change what it's calling.

mark


--
"The group mentality of the United States is fundamentally that of a
    teenager." -British Immigrant
_______________________________________________
CentOS mailing list
CentOS-IFYaIzF+f

Re: security breach - ftp?

mark — 2013-05-20T12:02:07

<snip>
<snip>
The bunch of these messages, above, make me wonder if the reason that the 
pam stack module is deprecated is vulnerability. Consider checking the 
proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see 
if you can change what it's calling.

mark

Re: TPM and secure boot

Michael H. Warfield — 2013-05-20T03:07:22

The comment that the complete chain of trust is more or less impossible
on a opensource system without make any 3rd party kernel module
completly impossible" is complete and utter bullshit, within the real
that ANYTHING can be a "complete chain of trust" in OpenSource or closed
source.  OpenSource has no disadvantage (and some advantages - peer
review and support) in this arena.  Cryptographers accept that the
security of a crypto system does NOT depend on the secrecy of the
algorithm but only upon the secrecy of the keys (private or shared).
Anyone telling you otherwise has something to sell you.

You might review Joanna (little miss blue pill) Rutkowska's work on the
"anti evil maid" to counter the "evil maid attack" against encrypted
drives.  If you wish to secure a system using TPM, this would be the
place to start.


Regards,
Mike

Centos6.4 cannot reboot

muiz — 2013-05-20T02:47:07

Dear all，
   I install new version centos 6.4 64bit and everything is ok except it cannot reboot, below is the /var/messages information:


May 20 10:08:07 ravi2 smbd[1712]:   failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
May 20 10:22:24 ravi2 init: tty (/dev/tty1) main process (1727) killed by TERM signal
May 20 10:22:24 ravi2 init: tty (/dev/tty2) main process (1729) killed by TERM signal
May 20 10:22:24 ravi2 init: tty (/dev/tty3) main process (1731) killed by TERM signal
May 20 10:22:24 ravi2 init: tty (/dev/tty4) main process (1733) killed by TERM signal
May 20 10:22:24 ravi2 init: tty (/dev/tty5) main process (1735) killed by TERM signal
May 20 10:22:24 ravi2 init: tty (/dev/tty6) main process (1737) killed by TERM signal
May 20 10:22:25 ravi2 xinetd[1618]: Exiting...
May 20 10:22:26 ravi2 init: Disconnected from system bus
May 20 10:22:26 ravi2 auditd[1530]: The audit daemon is exiting.
May 20 10:22:26 ravi2 kernel: type=1305 audit(1369016546.436:112): audit_pid=0 old=1530 auid=4294967295

Re: TPM and secure boot

John R Pierce — 2013-05-19T21:56:39

so basically, you're saying you can't use a TPM to secure a linux 
system?   hey, saves me a lot of work.     I'll tell my boss it can't be 
done.

Re: TPM and secure boot

John R Pierce — 2013-05-19T21:38:29


TPM is not the same as the new secureboot UEFI BIOS stuff.   this is an 
optional module (tamperproofed so if its unplugged, it erases) on most 
server motherboards, you initialize it with your OWN security keys if 
you want to use it, Microsoft has nothing to do with it. TPM has been 
around since 2006 or earlier.

TPM and secure boot

John R Pierce — 2013-05-19T20:59:46

has anyone implemented any sort of 'secure boot' using TPM 1.2 modules 
on the server boards using CentOS 6.x ?   I'm not finding much concrete 
stuff on how to setup and manage a system like this, but I've been asked 
to research it for a security application internally at my job.

our primary application for the TPM is for client authentication 
certificates in an SSL application (the machine with the TPM is an 
unmanned embedded client, that accesses webservices on a remote server 
which needs to authenticate this client).    We've already done similar 
client authentication using USB Tokens, but would like to use TPM for 
this in the future.    I think the client authentication part is pretty 
straight forward, using Trousers and so forth and PKCS#11 to access the 
keys.

Once we get the client authentication side working, we'd like to also 
secure the OS itself to prevent tampering, presumably using trusted grub 
and such?

is this typically used in conjunction with disk encryption such that the 
TPM mo

Re: 6.4 on old PC not connecting

Beartooth — 2013-05-19T18:36:57


Remember the problem machine can't even send *me* things over my 
LAN; what's more, I don't seem to see an app for writing them to a CD and 
sneaker-mailing them to myself.

Hi-yi-yippee-ki-yay! I did ps ax|grep networkmanager ; got a 
process number; killed it; and wonder of wonders, it put itself online. 

I launched firefox, opened a tab to weather, and got today's 
data ; so it really is online! 

Many many thanks!!

Re: 6.4 on old PC not connecting

Frank Cox — 2013-05-19T16:54:17

On Sun, 19 May 2013 15:46:20 +0000 (UTC)
Beartooth wrote:


(a) Post the output from ifconfig

(b) type this:

tail -f /var/log/messages

(c) Now tell networkmanager to connect.

(d) Post everything that shows up from that point until the connection attempt
fails.

Re: security breach - ftp?

John Hinton — 2013-05-19T16:49:52

1. Did you create a really strong password?
2. Does the new password you created still function or has it been reset 
by the intruder?
3. Are any files/directories/or the root directory on that website set 
world writable? (many of those CMS systems required this)
4. Is it possible that the system you used to change the password has a 
keystroke recorder/virus on it? (How did the intruder get the new password?)
5. Are there any new unexplained users on the system?
6. Is there more than one place where logins via Plesk might use the old 
password which have not been updated?

Otherwise, I think it might be a good idea to hit the Plesk list as that 
overlay does at times have security issues. It also has many other 
functions not CentOS related adding too many other variables for good 
troubleshooting here, unless you get help from another Plesk/CentOS user.

188.190.126.105 is your intruder from the Ukraine... You might want to 
grep for that through most of your system logs. For instance, could they 
be acce

security breach - ftp?

Philipp Duffner — 2013-05-19T15:59:17

Hi,

I'm running Plesk 11.0.9 on a Centos 5.5.
A website on that box got hacked last week and malicious code got inserted
into some html/php files. So I went to find out what happened...

I found no back doors by using rkhunter or manually searching for
suspicious files in /tmp, etc. No activity at all in the php logs at the
time of the attack. I also analysed of course the system logs (messages,
secure, ...) - nothing that I could see either - except for an entry of an
successful login to that domain via FTP just before the the modified dates
of the infected files.
I found one of the oldest infected files were in the folder of a hopelessly
outdated version of a WYSIWYG editor and decided to blame that due to
probability.

So in order to recover I did in this order...
* delete httpdocs from the website
* change the FTP password
* upgrade and update Plesk from 10.0.4 to 11.0.9
* upgrade php to php53 via plesk - this also updates mysql and phpmyadmin
* yum update everything, also made sure I have the latest ve

Re: 6.4 on old PC not connecting

Beartooth — 2013-05-19T15:46:20

can see

OK, I got lots of output from ifconfig, and tons from /var/log/
messages; so what should I look for??

Re: OT: Script Help

James Pifer — 2013-05-19T15:21:47

Thanks Larry! I was able to get it working!!!

James

Re: OT: Script Help

Larry Martell — 2013-05-19T13:03:47

sed only does greedy matching, so you'll have to move to a more modern
tool. I'd do this in python. Something like this:

import re, sys

pattern  = re.compile('^(CN=)(DATA\.OU)(.*?)(\..*$)')

for path in sys.argv:
    with open(path, 'r') as fh:
        for line in fh:
            line = line.strip()
            match = pattern.match(line)
            if match:
                print
match.group(1)+match.group(3)+'_'+match.group(2)+match.group(3)+match.group(4)
            else:
                print line

When I run that with your input I get your desired output.

Re: OpenStack Grizzly on CentOS-6.4

Nux! — 2013-05-19T08:45:01

Yes, I do need to clean them up a bit. I'll update this thread when 
this is done.
Other than that the images should be functional.

Need to look more into cloud-init, I'm thinking it may be more to do, 
such as to respect the Openstack "password" feature in addition to the 
ssh keys.
Btw, there's centos-virt mailing list and also #centos-virt on Freenode 
for this kind of discussions. :)

Lucian

Re: OpenStack Grizzly on CentOS-6.4

Florian La Roche — 2013-05-19T06:39:16

These kickstart files look very good. The 4 files each contain changes
not merged into the others, so you might want to diff/merge these a
little bit.

Too bad there are still no "official" CentOS images out there, also
Fedora working more towards Fedora-19 than RHEL6. :-)

best regards,

Florian La Roche

Re: OpenStack Grizzly on CentOS-6.4

Florian La Roche — 2013-05-19T06:21:47

Fixed.


Sure. (Also added notes to the wiki page for this.)

The document has many new sections and is much improved now:

    http://jur-linux.org/testwiki/index.php/CloudLinux/OpenStack

best regards,

Florian La Roche

Re: OT: Script Help

zGreenfelder — 2013-05-19T00:56:28

I can't say for sure it'll do what you want, it should be tested
extensively to make sure it doesn't destroy your car, sleep with your
wife,steal your money, etc etc all the warnings I can give, but I'd
suggest perl.   this is something I cooked up on a conf call:


[zep< at >nemesis throwaway]$ cat centoslist
CN=DATA.OU=XYZ.O=CO
CN=DATA.OU=XYY.OU=MEM.O=CO
CN=DATA.OU=XZZ.OU=OOP.O=CO
[zep< at >nemesis throwaway]$ cat cent-req
#!/usr/bin/perl

open(FH,"< $ARGV[0]") || die "can not open $ARGV[0]:";

while(<FH>){
  chomp $_;
  if($_=~/OU=/){
     $prepend=$_;
     < at >prepend=split(/.OU=/,$_);
     $mod=$prepend[1];
     $mod=~s/\..*//;
     $_=~s/^CN=/CN=${mod}_/;
  }
  print "$_\n";
}
[zep< at >nemesis throwaway]$ perl cent-req centoslist
CN=XYZ_DATA.OU=XYZ.O=CO
CN=XYY_DATA.OU=XYY.OU=MEM.O=CO
CN=XZZ_DATA.OU=XZZ.OU=OOP.O=CO
[zep< at >nemesis throwaway]$




--
Even the Magic 8 ball has an opinion on email clients: Outlook not so good.

Re: OT: Script Help

Leon Fauster — 2013-05-19T00:55:51

Am 19.05.2013 um 02:31 schrieb James Pifer <jep-2I/IFv/jpUMre736sURT7g< at >public.gmane.org>:


$ export file=FILENAME
$ for i in $(cat $file) ; do TAG=$(echo $i | cut -d. -f2 |cut -d= -f2) ; echo $i | sed s/CN=/CN=${TAG}_/ ; done

--
LF

Re: OT: Script Help

James Pifer — 2013-05-19T00:31:26

Larry,

Thanks for the answer. Still having trouble making it work. Been looking 
at sed for the last two hours. Let me give a specific example of a few 
lines I would want to change:

Let's say my original lines are:
CN=DATA.OU=XYZ.O=CO
CN=DATA.OU=XYY.OU=MEM.O=CO
CN=DATA.OU=XZZ.OU=OOP.O=CO

I want them to look like:
CN=XYZ_DATA.OU=XYZ.O=CO
CN=XYY_DATA.OU=XYY.OU=MEM.O=CO
CN=XZZ_DATA.OU=XZZ.OU=OOP.O=CO

So I need to take the data after the FIRST OU and stick in front of DATA 
with an _ in between. The rest of the line then remains the same.

Hope it makes sense. Appreciate the help!

Thanks,
James