Browsing the 2009 June archive
Time has come for the first msec release since Mandriva 2009.1!
This time we have several improvements, such as:
- support for audit plugins
- more msec auditing checks
- improved auditing logging
- and, of course, bugfixes.
So let me introduce some details about each one of them.
Support for audit plugins
You may remember that the msec shipped with Mandriva 2009.1 introduced a plugin infrastructure (take a look at your /usr/share/msec/plugins/ directory for some examples). The new msec, which will ship with Mandriva 2010, also introduces auditing plugins.
You might be asking what the difference between those two kinds of plugins is, so let me clarify it a bit.
Msec has two main functionalities:
- Security configuration
- Security auditing
The security configuration is what you configure using msecgui or security levels: basically, you say what settings should be used on your machine for ssh, user logins and all kinds of system configuration. The security auditing is the set of background checks that run daily on your machine to determine what has changed since the last run and let you know about it.
In the old msec, this security auditing was performed by security.sh, security_check.sh and diff_check.sh, so we had just three large and complex files with a lot of duplicated code. In the new version, everything was split up to reduce code duplication, improve readability and simplify plugin creation.
Let me show you a sample plugin which checks for changes in system users:
#!/bin/bash
# msec: check for changes in local users
# This file is sourced by the main check script (security.sh), which is why
# it can call the Diffcheck helper and uses 'return' instead of 'exit'.
# check if we are run from the main script
if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" ]; then
    # variables are set in security.sh and propagated to the subscripts
    echo "Error: this check should be run by the main msec security check!"
    echo "       do not run it directly unless you know what you are doing."
    return 1
fi
# files holding today's and yesterday's list of users, and the difference between them
USERS_LIST_TODAY="/var/log/security/users_list.today"
USERS_LIST_YESTERDAY="/var/log/security/users_list.yesterday"
USERS_LIST_DIFF="/var/log/security/users_list.diff"
# rotate: today's list becomes yesterday's list
if [[ -f ${USERS_LIST_TODAY} ]]; then
    mv ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY};
fi
# check for changes in users (only when the CHECK_USERS option is enabled)
if [[ ${CHECK_USERS} == yes ]]; then
    getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY}
    Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users"
fi
That’s it. You just drop this file in as /usr/share/msec/scripts/01_check_for_users.sh and the check will be executed every time the msec security checks are run: the security log will be updated, the diff check mail will be created and sent (along with all the other checks), and it will keep working automatically from then on.
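As an added example (not msec's own code), here is the rotate / snapshot / diff pattern the plugin above relies on, written so that it runs stand-alone without msec. The `snapshot_diff` function stands in for msec's Diffcheck, whose real implementation is not shown on this page; only the behaviour the post describes (today and yesterday files, a diff file, a report when they differ) is assumed here. The producer `users_snapshot` also records uid, gid and login shell rather than just the user name: the plugin above lists names only, so an existing account whose UID is quietly changed to 0 would not be reported by it, whereas here it shows up as a diff line. The data in `sample_day1` and `sample_day2` is constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not msec's own code: the rotate / snapshot / diff pattern
# behind the users plugin above, made to run without msec.

# snapshot_diff NAME STATE_DIR PRODUCER
#   NAME      label used for the state files and in the report line
#   STATE_DIR directory holding NAME.today, NAME.yesterday and NAME.diff
#   PRODUCER  function or command that prints the current state to stdout
# Returns 0 when nothing changed (or on the very first run, when there is no
# yesterday to compare against) and 1 when NAME.diff is non-empty.
# Stand-in for msec's Diffcheck (assumption: its real code is not on the page).
snapshot_diff() {
    local name="$1" dir="$2" producer="$3"
    local today="$dir/$name.today" yesterday="$dir/$name.yesterday" out="$dir/$name.diff"
    mkdir -p "$dir"
    # rotate today's list into yesterday's, exactly as the plugin above does
    if [ -f "$today" ]; then
        mv -f "$today" "$yesterday"
    fi
    "$producer" | sort > "$today"
    : > "$out"
    [ -f "$yesterday" ] || return 0
    if diff -u "$yesterday" "$today" > "$out"; then
        return 0
    fi
    echo "msec: changes in $name detected, see $out"
    return 1
}

# Producer for local users. The plugin above records names only, so an
# existing account whose UID is quietly changed to 0 is invisible to it;
# recording name, uid, gid and shell makes that edit appear in the diff.
users_snapshot() {
    getent passwd | cut -d: -f1,3,4,7
}

# Constructed sample data (not from a real system) so the example runs offline:
# on "day 2" alice's UID has become 0 and a new account carol has appeared.
sample_day1() {
    printf 'root:0:0:/bin/bash\nalice:1000:1000:/bin/bash\nbob:1001:1001:/bin/bash\n'
}
sample_day2() {
    printf 'root:0:0:/bin/bash\nalice:0:1000:/bin/bash\nbob:1001:1001:/bin/bash\ncarol:1002:1002:/bin/bash\n'
}

# Walk through two "days" in a scratch directory and print the resulting diff.
demo() {
    local dir
    dir="$(mktemp -d)"
    snapshot_diff users "$dir" sample_day1            # first run: baseline only
    snapshot_diff users "$dir" sample_day2 || cat "$dir/users.diff"
    rm -rf "$dir"
}

demo
```

Inside msec you would keep the producer and call Diffcheck instead of `snapshot_diff`, as the plugin above does; the point is that whatever the producer prints is what the daily report can detect, so it should include every field an attacker might change, not only the one that is easiest to list.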
More msec auditing checks
A few additional msec auditing checks were added:
- CHECK_FIREWALL — checks for changes in iptables configuration
- CHECK_USERS — checks for changes in local users (most of its code was shown above actually)
- CHECK_GROUPS — checks for changes in local groups
- FIX_OWNER — if unowned files are found on the system, this check gives the opportunity to change their ownership to nobody/nogroup, instead of blindly doing it automatically
- CHECK_RPM_PACKAGES — checks for changes in installed RPM packages
- CHECK_RPM_INTEGRITY — checks all the installed packages for changed files. Both of these were previously part of the CHECK_RPM check but, as they are quite expensive, they were split out into these two new checks
If you are using cooker or the 2010 alpha, these options will not be added automatically to your /etc/security/msec/security.conf configuration file. The best way to experiment with them is to use msecgui, or to run msec -f standard or msec -f secure to install the default configuration for the standard or secure level.
Besides those items, I was thinking about an option to check for changes in PAM authentication, a check for failed login attempts, and support for rkhunter. And, as always, if you have any idea about other functionality that would be interesting to have in msec, feel free to comment!
Improved auditing logging
The logging format of /var/log/security.log was changed to be compatible with syslog-style logging. This should make it easier for system applications to parse it and for administrators to examine its contents: it is now much easier to find information by date, kind of message and check type.
Other ideas
Among other ideas for msec, I have thought about the following:
- msec supports an arbitrary number of custom security levels, but msecgui only supports the two basic ones (standard and secure). It would be nice to have a combobox to select a custom profile.
- a GUI for the TOMOYO security framework, since the AppArmor project looks quite stone-cold dead. This is already a work in progress, so I will probably post an update on it later.
- support for administrator-supplied rules for security and diff checks: for example, excluding everything matching '/var/tmp' from any kind of check or report, or excluding network ports 3000 to 5000 from the open port check.
Besides that, there are a number of bugfixes (which are going to be backported to 2009.1 shortly).
So msec is definitely alive and getting better and better. Stay tuned for more news!
Well, this question has come up for me quite frequently. However, I never bothered with it, as I was either on a LAN, had a different source from which I could resume using wget, or the file was small enough to simply download again. This time, however, none of those approaches worked:
- The file was big (a DVD ISO)
- The only way to access it was over a SSH connection
- The only authentication method it supported was public key authentication
- The directory from where the file was downloaded was read-only
- The link was sloooow
- I already had downloaded about 70% of the file
So I started looking for solutions. Most of the ideas I found on Google suggested using 'rsync --partial --rsh=ssh', and indeed it could work. However, rsync tried to create a temporary file on the server and, as the directory was read-only, it failed. There is probably some option to make it work, but I don’t have much rsync experience, and the approach just looked overcomplicated.
After a bit more googling, I found out that curl supports an SFTP backend and, after a few minutes of figuring out how to make it work with public key authentication, I finally got it:
curl -C - --pubkey ~/.ssh/key.pub --key ~/.ssh/key \
sftp://eugeni@somewhere/mnt/.../i586/my_precious_iso.iso \
-o my_precious_iso.iso
To shorten it up, it is possible to write a simple wrapper function (or a script) for bash:
#!/bin/bash
# source this file to get the two helpers below

# resume an sftp download using the default ssh keys / agent
function scp_resume() {
    URL="$1"
    FILE="$2"
    if [ -z "$FILE" ]; then
        echo "Usage: scp_resume <sftp url> <local target>"
        return 1
    fi
    # the magic: -C - makes curl continue from the current size of the local file
    curl -C - "$URL" -o "$FILE"
}

# same, with an explicit key pair from ~/.ssh (KEY is the private key file name)
function scp_resume_key() {
    URL="$1"
    FILE="$2"
    KEY="$3"
    if [ -z "$FILE" ] || [ -z "$KEY" ]; then
        echo "Usage: scp_resume_key <sftp url> <local target> <key file name>"
        return 1
    fi
    # the magic
    curl -C - --key "$HOME/.ssh/$KEY" --pubkey "$HOME/.ssh/${KEY}.pub" "$URL" -o "$FILE"
}
and it did the trick.
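An added example (not the post's own wrapper) for the case where a resumed transfer should be checked before the ISO is used: `-C -` simply trusts whatever is already in the local file, so if the remote file was replaced in the meantime, or the partial download was damaged, curl will happily complete a file that never matches the original. The function below resumes the download as the post does and then compares the result against a SHA-256 digest obtained out of band; the URL, key path and digest it takes are placeholders, and `sample_file_ok` exercises the verification offline on a constructed file.

```bash
#!/bin/bash
# Added example, not the original post's code: resume over sftp with curl,
# then verify the finished file against a digest obtained out of band.

# print the SHA-256 digest of FILE (GNU coreutils sha256sum, or shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: returns 0 if FILE's digest equals EXPECTED (case-insensitive)
verify_sha256() {
    local actual expected
    actual="$(sha256_of "$1" | tr 'A-F' 'a-f')"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# sftp_resume_verified URL FILE KEY EXPECTED_SHA256
#   resumes the sftp download with curl -C - and public key auth (as in the post),
#   then reports success only if the finished file matches the digest.
#   The digest must come from a trusted source (e.g. the distribution's published
#   checksum list), never from the same untrusted link. URL/KEY are placeholders.
sftp_resume_verified() {
    local url="$1" file="$2" key="$3" expected="$4"
    if [ -z "$expected" ]; then
        echo "Usage: sftp_resume_verified <sftp url> <local target> <key file> <sha256>" >&2
        return 2
    fi
    curl -C - --key "$key" --pubkey "${key}.pub" "$url" -o "$file" || return 1
    if verify_sha256 "$file" "$expected"; then
        echo "$file: checksum OK"
    else
        echo "$file: checksum MISMATCH, do not use this image; remove it and download again" >&2
        return 1
    fi
}

# offline self-check on a constructed file: sha256("hello\n") is a well-known value
sample_file_ok() {
    local f rc
    f="$(mktemp)"
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}
```

On a mismatch the partial file has to be deleted before retrying, because a second `-C -` run would otherwise resume on top of the bad bytes and fail the check again.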
Just tried the about.me firefox extension with some quite fun results:
that’s all the hard work..
I noticed that this graph does not count everything: more likely, the top 10 sites are the ones accessed via direct links or by typing the address manually. I read a lot of news through Google Reader, so those count under the google.com domain. Still, nice statistics.
Together with the WordPress update, I tried out the new WordPress theme search-and-install functionality. As you can see, I found a new theme for this blog, which is a bit lighter and cleaner than the last one. It also uses some nice JavaScript all around, so the blog is a bit more ajax’ified now.
So, after a bit more than a year, the old design is dead; long live the new design.
Everything seems to be working nicely. Automatic update is great!
I was just playing with Google Chrome for Linux on my Mandriva installation.
In a few words: it rocks! There are still a lot of issues and unimplemented features, but even now it is:
- extremely fast
- surprisingly stable
- opens most of my favorite sites without any problems
It works pretty well on Mandriva 2009.1/cooker; the only thing needed is to set up the right links in /usr/lib for its libraries, and after that it just works. I just miss the Firefox extensions, like adblock, mouse gestures, stylish, and the twitter and delicious.com integration, but one cannot have it all.