New Page: Creating an offline certificate authority using OpenSSL

May 24, 2013 Leave a comment

A new page has been posted that covers Creating an offline certificate authority using OpenSSL, configuring a CRL distribution point, and having the CA be trusted by your Windows clients.

Tags: , ,

Encrypting “the disk” on a enterprise linux 6 system

May 23, 2013 Leave a comment

I searched long and hard for a specific write up on how to encrypt “the disk” of an enterprise linux (centos6, red hat 6, fedora 6) system and came up empty handed. I found an old write up that I started to dive into, until I hit the GUI part.

I immediately realized why I had so much trouble finding a write up for CentOS6… it is too easy to detail.

Custom disk layout:
You create a custom disk layout, specifying a partition, and allocating about 500MB for the /boot partition unencrypted (I couldn’t find any info on encrypting the boot partition). Then create a physical LVM volume for with the remainder of space and check Encrypt. Then create logical LVM volumes on the previously created physical LVM volume. You do not need to encrypt these as they are already encrypted via the encrypted LVM physical volume.

Partition ratios:
The ratios are as follows:

Partition

Size (percentage of “whole disk” unless otherwise noted)
/dev/sda

100%
/boot

500MB (centOS minimal)
/

67.56% (to the nearest GB)
/home

29.72% (to the nearest GB)
swap

RAM*2 (see `cat /proc/meminfo` via CTRL-ALT-F2, then CTRL-ALT-F6 to get back to UI)

You will then be prompted to enter the password via the file system mounting during the boot process.

You can edit /etc/fstab in order to exclude the LVM physical volume from mounting at boot, if you wish.

.cmdrc? Sort of with cmdrc.cmd.

May 22, 2013 Leave a comment

Okay. So maybe I should just start using PowerShell. Until then, I pop out into cmd.exe very frequently, and through this, I wish I had aliases and other things I am used to with bash.

I have created a little script called cmdrc.cmd, but cmd.exe doesn’t seem to load it from %uesrprofile%, so I had placed it into c:\windows\system32\ and have run the following script to install the support:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft /v "Command Processor" /d "\"c:\windows\system32\cmdrc.cmd\""

Here is my cmdrc.cmd file so far:

doskey clear=cls

Also, check out clink.

Tags: , , ,

Filter driver attachments to volumes, the file server resource manager and whole disk encryption (specifically truecrypt)

May 22, 2013 Leave a comment

I needed to implement Quota reporting on a Windows 2003 R2 system with on a volume protected by truecrypt.

After creating the soft quota policy with File Server Resource Manager, I received the error:

The Quota Management Filter Driver service, or File Screening Filter Driver service is not running.

The drivers:
The filter drivers are kernel drivers.

The two drivers necessary for the services are:

  • DataScrn: Datascren.sys is a kernel-mode mini-filter file system driver that implements the file screening checks in real time on configured volumes and folders.
  • Quota: Quota.sys is a kernel-mode mini-filter file system driver that implements the quota checks in real time on configured volumes and folders.

You can start these by using `net` or `sc`. After confirming they were started, I still received the error.

I came across a blog post that suggested utilizing `fltmc.exe` to check if the filter drivers are available to the I/O stack.

C:\>fltmc filters
Filter Name                     Num Instances Frame
------------------------------  ------------- -----
DfsDriver                                    
Datascrn                                0       1
Quota                                   0       1
SIS                                          

So, the drivers are available, but they are not bound to any volume (“num instances”). If they were not listed, I would use `fltmc.exe load [Datascrn|Quota]` to load them.

Find the volume name:

In order to attach them to a volume, I would find the Device path for the volumes with the following:

C:\>fltmc volumes
Dos Name                        Volume Name
------------------------------  ---------------------------------------
C:                              \Device\HarddiskVolume1
D:                              \Device\HarddiskVolume2
                                \Device\LanmanRedirector
                                \Device\RdpDr
                                \Device\HarddiskVolume4
E:                              \Device\TrueCryptVolumeE

The drive I am concerned with is \Device\TrueCryptVolumeE.

Insert the driver into the stack:

So, to attach the filter driver to a volume, I ran the following commands:

C:\>fltmc attach Datascrn \Device\TrueCryptVolumeE

Attach failed with error: 0x80070001
Incorrect function.

C:\>fltmc attach Quota \Device\TrueCryptVolumeE

Attach failed with error: 0x80070001
Incorrect function.

Well, this is NFG.

To test if it has something to do with Truecrypt, I will try to attach the driver into the stack of a volume that isn’t encrypted with Truecrypt:

C:\>fltmc attach Datascrn \Device\HarddiskVolume1

ATTACH successful... Instance Name: Datascrn

C:\>fltmc attach Quota \Device\HarddiskVolume1

ATTACH successful... Instance Name: Quota

C:\>fltmc filters

Filter Name                     Num Instances Frame
------------------------------  ------------- -----
DfsDriver                                    
Datascrn                                1       1
Quota                                   1       1
SIS                                          

C:\>fltmc instances
Filter                         Volume Name                    Altitude          Instance Name
-----------------------------  -----------------------------  ----------------  --------------------
Datascrn                       C:                             261000            Datascrn
Quota                          C:                             125000            Quota

Truecrypt is one of the banes:

TrueCrypt also defeats the usage of volume shadow copies, because it stops the system calls needed, so it is no surprise to me that it also stops other filter drivers from functioning.

This is a bit of a hard spot with truecrypt, and long story short: you can not use File System Resource Manager to manage a drive that is encrypted with truecrypt.
More info is available on Known Issues & Limitations:

The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of active system encryption (e.g. a system partition encrypted by TrueCrypt, or a non-system partition located on a system drive encrypted by TrueCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.

“Microsoft is evil, you see,” exclaim the TrueCrypt developers.

Time to migrate to BitLocker:
Now to convince to upgrade to 2008/2012 and migrate to BitLocker. That is, if you trust MSFT.

References:

Anomaly detection, creating baselines, and determining statistical outliers with argus data

May 21, 2013 Leave a comment

Carter covered how to use argus data and the argus-clients to data mine to find evidence of an APT1 infection within your network in a series of Emails to the argus-info mailing list some time ago.

The email thread started to get really twisted and is it quite difficult to read in the threaded gmane interface available for the argus mailing list.

In effort to make this thread more useful, I have created a PDF of the emails with some attempt at command and output separation, so that it is easier to read. It was created for printing, not for viewing on a computer screen, although you can do that as well of course.

Hopefully, when I am done dissecting the thread, I will be able to compile some queries that will be useful to building a model.

Here are three threads ont he mailing list that inquire about anomaly detection:

I believe rahisto will serve a great purpose here.

Build projectM on OSX

May 13, 2013 Leave a comment

This is my second attempt at building projectM on OSX.

Since the last time I attempted, MacPorts has increased some version, my confidence in *nix has increased (not sure if my skills have progressed with it).

Download prerequisites:

1) download and install the latest package from the macports site.

2) download and build pulseaudio (source):

cd
git clone git://anongit.freedesktop.org/pulseaudio/pulseaudio
git clone git://github.com/zonque/PulseAudioOSX.git
cd PulseAudioOSX/deploy
./bootstrap_machine.sh #this will take a very long time (as in seriously long time, 30+ minutes)
cd PulseAudioOSX/deploy
./deploy.sh #breaks repeatedly... no idea how to progress
cd PulseAudioOSX/deploy/output
ls -al

2b) instead of pulse, I’m trying jack.
Download latest from http://www.jackosx.com/

3) download projectM:

cd
git clone http://git.code.sf.net/p/projectm/code projectm-code
cd projectm-code/src
ccmake .
#hit C
#make some changes (as necessary)... our master plan is to be able to route system audio to projectM 
#hit G
make && make install

Explorer file URI handler for file URI to UNC conversion

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: