New Page: Creating an offline certificate authority using OpenSSL
A new page has been posted that covers Creating an offline certificate authority using OpenSSL, configuring a CRL distribution point, and having the CA be trusted by your Windows clients.
Encrypting “the disk” on a enterprise linux 6 system
I searched long and hard for a specific write up on how to encrypt “the disk” of an enterprise linux (centos6, red hat 6, fedora 6) system and came up empty handed. I found an old write up that I started to dive into, until I hit the GUI part.
I immediately realized why I had so much trouble finding a write up for CentOS6… it is too easy to detail.
Custom disk layout:
You create a custom disk layout, specifying a partition, and allocating about 500MB for the /boot partition unencrypted (I couldn’t find any info on encrypting the boot partition). Then create a physical LVM volume for with the remainder of space and check Encrypt. Then create logical LVM volumes on the previously created physical LVM volume. You do not need to encrypt these as they are already encrypted via the encrypted LVM physical volume.
Partition ratios:
The ratios are as follows:
Partition
| Size (percentage of “whole disk” unless otherwise noted) | |
| /dev/sda | 100% |
| /boot | 500MB (centOS minimal) |
| / | 67.56% (to the nearest GB) |
| /home | 29.72% (to the nearest GB) |
| swap | RAM*2 (see `cat /proc/meminfo` via CTRL-ALT-F2, then CTRL-ALT-F6 to get back to UI) |
You will then be prompted to enter the password via the file system mounting during the boot process.
You can edit /etc/fstab in order to exclude the LVM physical volume from mounting at boot, if you wish.
.cmdrc? Sort of with cmdrc.cmd.
Okay. So maybe I should just start using PowerShell. Until then, I pop out into cmd.exe very frequently, and through this, I wish I had aliases and other things I am used to with bash.
I have created a little script called cmdrc.cmd, but cmd.exe doesn’t seem to load it from %uesrprofile%, so I had placed it into c:\windows\system32\ and have run the following script to install the support:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft /v "Command Processor" /d "\"c:\windows\system32\cmdrc.cmd\""
Here is my cmdrc.cmd file so far:
doskey clear=cls
Also, check out clink.
Filter driver attachments to volumes, the file server resource manager and whole disk encryption (specifically truecrypt)
I needed to implement Quota reporting on a Windows 2003 R2 system with on a volume protected by truecrypt.
After creating the soft quota policy with File Server Resource Manager, I received the error:
The Quota Management Filter Driver service, or File Screening Filter Driver service is not running.
The drivers:
The filter drivers are kernel drivers.
The two drivers necessary for the services are:
- DataScrn: Datascren.sys is a kernel-mode mini-filter file system driver that implements the file screening checks in real time on configured volumes and folders.
- Quota: Quota.sys is a kernel-mode mini-filter file system driver that implements the quota checks in real time on configured volumes and folders.
You can start these by using `net` or `sc`. After confirming they were started, I still received the error.
I came across a blog post that suggested utilizing `fltmc.exe` to check if the filter drivers are available to the I/O stack.
C:\>fltmc filters Filter Name Num Instances Frame ------------------------------ ------------- ----- DfsDriver Datascrn 0 1 Quota 0 1 SIS
So, the drivers are available, but they are not bound to any volume (“num instances”). If they were not listed, I would use `fltmc.exe load [Datascrn|Quota]` to load them.
Find the volume name:
In order to attach them to a volume, I would find the Device path for the volumes with the following:
C:\>fltmc volumes
Dos Name Volume Name
------------------------------ ---------------------------------------
C: \Device\HarddiskVolume1
D: \Device\HarddiskVolume2
\Device\LanmanRedirector
\Device\RdpDr
\Device\HarddiskVolume4
E: \Device\TrueCryptVolumeE
The drive I am concerned with is \Device\TrueCryptVolumeE.
Insert the driver into the stack:
So, to attach the filter driver to a volume, I ran the following commands:
C:\>fltmc attach Datascrn \Device\TrueCryptVolumeE Attach failed with error: 0x80070001 Incorrect function. C:\>fltmc attach Quota \Device\TrueCryptVolumeE Attach failed with error: 0x80070001 Incorrect function.
Well, this is NFG.
To test if it has something to do with Truecrypt, I will try to attach the driver into the stack of a volume that isn’t encrypted with Truecrypt:
C:\>fltmc attach Datascrn \Device\HarddiskVolume1 ATTACH successful... Instance Name: Datascrn C:\>fltmc attach Quota \Device\HarddiskVolume1 ATTACH successful... Instance Name: Quota C:\>fltmc filters Filter Name Num Instances Frame ------------------------------ ------------- ----- DfsDriver Datascrn 1 1 Quota 1 1 SIS C:\>fltmc instances Filter Volume Name Altitude Instance Name ----------------------------- ----------------------------- ---------------- -------------------- Datascrn C: 261000 Datascrn Quota C: 125000 Quota
Truecrypt is one of the banes:
TrueCrypt also defeats the usage of volume shadow copies, because it stops the system calls needed, so it is no surprise to me that it also stops other filter drivers from functioning.
This is a bit of a hard spot with truecrypt, and long story short: you can not use File System Resource Manager to manage a drive that is encrypted with truecrypt.
More info is available on Known Issues & Limitations:
The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of active system encryption (e.g. a system partition encrypted by TrueCrypt, or a non-system partition located on a system drive encrypted by TrueCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.
“Microsoft is evil, you see,” exclaim the TrueCrypt developers.
Time to migrate to BitLocker:
Now to convince to upgrade to 2008/2012 and migrate to BitLocker. That is, if you trust MSFT.
References:
Anomaly detection, creating baselines, and determining statistical outliers with argus data
Carter covered how to use argus data and the argus-clients to data mine to find evidence of an APT1 infection within your network in a series of Emails to the argus-info mailing list some time ago.
The email thread started to get really twisted and is it quite difficult to read in the threaded gmane interface available for the argus mailing list.
In effort to make this thread more useful, I have created a PDF of the emails with some attempt at command and output separation, so that it is easier to read. It was created for printing, not for viewing on a computer screen, although you can do that as well of course.
Hopefully, when I am done dissecting the thread, I will be able to compile some queries that will be useful to building a model.
Here are three threads ont he mailing list that inquire about anomaly detection:
I believe rahisto will serve a great purpose here.
Build projectM on OSX
This is my second attempt at building projectM on OSX.
Since the last time I attempted, MacPorts has increased some version, my confidence in *nix has increased (not sure if my skills have progressed with it).
Download prerequisites:
1) download and install the latest package from the macports site.
2) download and build pulseaudio (source):
cd git clone git://anongit.freedesktop.org/pulseaudio/pulseaudio git clone git://github.com/zonque/PulseAudioOSX.git cd PulseAudioOSX/deploy ./bootstrap_machine.sh #this will take a very long time (as in seriously long time, 30+ minutes) cd PulseAudioOSX/deploy ./deploy.sh #breaks repeatedly... no idea how to progress cd PulseAudioOSX/deploy/output ls -al
2b) instead of pulse, I’m trying jack.
Download latest from http://www.jackosx.com/
3) download projectM:
cd git clone http://git.code.sf.net/p/projectm/code projectm-code cd projectm-code/src ccmake . #hit C #make some changes (as necessary)... our master plan is to be able to route system audio to projectM #hit G make && make install
