Archive
Encrypting “the disk” on a enterprise linux 6 system
I searched long and hard for a specific write up on how to encrypt “the disk” of an enterprise linux (centos6, red hat 6, fedora 6) system and came up empty handed. I found an old write up that I started to dive into, until I hit the GUI part.
I immediately realized why I had so much trouble finding a write up for CentOS6… it is too easy to detail.
Custom disk layout:
You create a custom disk layout, specifying a partition, and allocating about 500MB for the /boot partition unencrypted (I couldn’t find any info on encrypting the boot partition). Then create a physical LVM volume for with the remainder of space and check Encrypt. Then create logical LVM volumes on the previously created physical LVM volume. You do not need to encrypt these as they are already encrypted via the encrypted LVM physical volume.
Partition ratios:
The ratios are as follows:
Partition
| Size (percentage of “whole disk” unless otherwise noted) | |
| /dev/sda | 100% |
| /boot | 500MB (centOS minimal) |
| / | 67.56% (to the nearest GB) |
| /home | 29.72% (to the nearest GB) |
| swap | RAM*2 (see `cat /proc/meminfo` via CTRL-ALT-F2, then CTRL-ALT-F6 to get back to UI) |
You will then be prompted to enter the password via the file system mounting during the boot process.
You can edit /etc/fstab in order to exclude the LVM physical volume from mounting at boot, if you wish.
.cmdrc? Sort of with cmdrc.cmd.
Okay. So maybe I should just start using PowerShell. Until then, I pop out into cmd.exe very frequently, and through this, I wish I had aliases and other things I am used to with bash.
I have created a little script called cmdrc.cmd, but cmd.exe doesn’t seem to load it from %uesrprofile%, so I had placed it into c:\windows\system32\ and have run the following script to install the support:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft /v "Command Processor" /d "\"c:\windows\system32\cmdrc.cmd\""
Here is my cmdrc.cmd file so far:
doskey clear=cls
Also, check out clink.
Filter driver attachments to volumes, the file server resource manager and whole disk encryption (specifically truecrypt)
I needed to implement Quota reporting on a Windows 2003 R2 system with on a volume protected by truecrypt.
After creating the soft quota policy with File Server Resource Manager, I received the error:
The Quota Management Filter Driver service, or File Screening Filter Driver service is not running.
The drivers:
The filter drivers are kernel drivers.
The two drivers necessary for the services are:
- DataScrn: Datascren.sys is a kernel-mode mini-filter file system driver that implements the file screening checks in real time on configured volumes and folders.
- Quota: Quota.sys is a kernel-mode mini-filter file system driver that implements the quota checks in real time on configured volumes and folders.
You can start these by using `net` or `sc`. After confirming they were started, I still received the error.
I came across a blog post that suggested utilizing `fltmc.exe` to check if the filter drivers are available to the I/O stack.
C:\>fltmc filters Filter Name Num Instances Frame ------------------------------ ------------- ----- DfsDriver Datascrn 0 1 Quota 0 1 SIS
So, the drivers are available, but they are not bound to any volume (“num instances”). If they were not listed, I would use `fltmc.exe load [Datascrn|Quota]` to load them.
Find the volume name:
In order to attach them to a volume, I would find the Device path for the volumes with the following:
C:\>fltmc volumes
Dos Name Volume Name
------------------------------ ---------------------------------------
C: \Device\HarddiskVolume1
D: \Device\HarddiskVolume2
\Device\LanmanRedirector
\Device\RdpDr
\Device\HarddiskVolume4
E: \Device\TrueCryptVolumeE
The drive I am concerned with is \Device\TrueCryptVolumeE.
Insert the driver into the stack:
So, to attach the filter driver to a volume, I ran the following commands:
C:\>fltmc attach Datascrn \Device\TrueCryptVolumeE Attach failed with error: 0x80070001 Incorrect function. C:\>fltmc attach Quota \Device\TrueCryptVolumeE Attach failed with error: 0x80070001 Incorrect function.
Well, this is NFG.
To test if it has something to do with Truecrypt, I will try to attach the driver into the stack of a volume that isn’t encrypted with Truecrypt:
C:\>fltmc attach Datascrn \Device\HarddiskVolume1 ATTACH successful... Instance Name: Datascrn C:\>fltmc attach Quota \Device\HarddiskVolume1 ATTACH successful... Instance Name: Quota C:\>fltmc filters Filter Name Num Instances Frame ------------------------------ ------------- ----- DfsDriver Datascrn 1 1 Quota 1 1 SIS C:\>fltmc instances Filter Volume Name Altitude Instance Name ----------------------------- ----------------------------- ---------------- -------------------- Datascrn C: 261000 Datascrn Quota C: 125000 Quota
Truecrypt is one of the banes:
TrueCrypt also defeats the usage of volume shadow copies, because it stops the system calls needed, so it is no surprise to me that it also stops other filter drivers from functioning.
This is a bit of a hard spot with truecrypt, and long story short: you can not use File System Resource Manager to manage a drive that is encrypted with truecrypt.
More info is available on Known Issues & Limitations:
The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of active system encryption (e.g. a system partition encrypted by TrueCrypt, or a non-system partition located on a system drive encrypted by TrueCrypt, mounted when the encrypted operating system is running). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is not available.
“Microsoft is evil, you see,” exclaim the TrueCrypt developers.
Time to migrate to BitLocker:
Now to convince to upgrade to 2008/2012 and migrate to BitLocker. That is, if you trust MSFT.
References:
Anomaly detection, creating baselines, and determining statistical outliers with argus data
Carter covered how to use argus data and the argus-clients to data mine to find evidence of an APT1 infection within your network in a series of Emails to the argus-info mailing list some time ago.
The email thread started to get really twisted and is it quite difficult to read in the threaded gmane interface available for the argus mailing list.
In effort to make this thread more useful, I have created a PDF of the emails with some attempt at command and output separation, so that it is easier to read. It was created for printing, not for viewing on a computer screen, although you can do that as well of course.
Hopefully, when I am done dissecting the thread, I will be able to compile some queries that will be useful to building a model.
Here are three threads ont he mailing list that inquire about anomaly detection:
I believe rahisto will serve a great purpose here.
Build projectM on OSX
This is my second attempt at building projectM on OSX.
Since the last time I attempted, MacPorts has increased some version, my confidence in *nix has increased (not sure if my skills have progressed with it).
Download prerequisites:
1) download and install the latest package from the macports site.
2) download and build pulseaudio (source):
cd git clone git://anongit.freedesktop.org/pulseaudio/pulseaudio git clone git://github.com/zonque/PulseAudioOSX.git cd PulseAudioOSX/deploy ./bootstrap_machine.sh #this will take a very long time (as in seriously long time, 30+ minutes) cd PulseAudioOSX/deploy ./deploy.sh #breaks repeatedly... no idea how to progress cd PulseAudioOSX/deploy/output ls -al
2b) instead of pulse, I’m trying jack.
Download latest from http://www.jackosx.com/
3) download projectM:
cd git clone http://git.code.sf.net/p/projectm/code projectm-code cd projectm-code/src ccmake . #hit C #make some changes (as necessary)... our master plan is to be able to route system audio to projectM #hit G make && make install
Effectively parsing PCAPs with python’s querycsv
Here is a quick method I used today, before implementing an argus probe in a sustainable way, to create and parse PCAPs to determine high bandwidth offends.
Create PCAPs:
ifconfig eth0 promisc netstat -i | grep eth #check for the P flag mkdir /pcaps/ nohup tcpdump -i 1 -w /pcaps/pcap -C 20 -W 250 'host 192.168.100.27' -Z root & #not really secure, look at -Z
Note that querycsv.py/sqlite3.py doesn’t like _underscores_, -dashes-, and files that contains only numbers.
This will generate /pcaps/pcapNNN…
Process PCAPs on a Windows box with tshark.exe:
echo echo ipsrc,ipdst,dstporttcp,srcporttcp,len ^> %1.csv > %temp%\tshark_len.bat echo ".\Wireshark\tshark.EXE" -r %1 -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.srcport -e frame.len -E separator=, -E quote=d ^>^> %1.csv >> %temp%\tshark_len.bat for /r . %G in (pcap*) do %temp%\tshark_len.bat %G
`tcpdump` has relatively the same syntax.
Query CSVs with SQL statements:
Use a python module to quickly return calculations (http://pythonhosted.org/querycsv/):
pip install querycsv
Per-file operations
Find the total bytes incoming to host:
querycsv.py -i test.csv "select ipsrc, ipdst, dstporttcp, dstporttcp, srcporttcp, sum(len) as 'len_in_bytes' from test group by ipsrc" 1 Find the total bytes outgoing from host: 1 querycsv.py -i test.csv "select ipsrc, ipdst, dstporttcp, dstporttcp, srcporttcp, sum(len) as 'len_in_bytes' from test group by ipdst"
For all files:
echo ipsrc,ipdst,dstporttcp,srcporttcp,len > mergedpcap.csv cat *.csv | grep -v "ipsrc,ipdst,dstporttcp,srcporttcp,len" >> mergedpcap.csv
Find the total bytes incoming to host:
querycsv.py -i mergedpcap.csv "select distinct dstporttcp, ipsrc, ipdst, sum(len) as 'len_in_bytes' from mergedpcap group by ipdst" > incoming.log [/source ] The record where ipsrc is the targeted host (in this case 192.168.100.27), will return the TOTAL length of all packets sent from the targeted host. (all uploadeded, yes UPloaded, bytes) Find the total bytes outgoing from host: 1 querycsv.py -i mergedpcap.csv "select distinct dstporttcp, ipsrc, ipdst, sum(len) as 'len_in_bytes' from mergedpcap group by ipdst" > outgoing.log
The record where ipdst is the targeted host (in this case 192.168.100.27), will return the TOTAL length of all packets sent to the targeted host. (all downloaded, yes DOWNloaded, bytes)
Other solutions:
You’ll notice that querycsv first imports the csv data to an in memory sqlite3 db. This makes offering a full set of sql queries and functions trivial.
There exists other options to solve this sort of situation:
1) PCAP to SQL platforms: pcap2sql and c5 sigma.
2) SQL querying PCAP directly: PacketQ (which lacks some SQL queries and functions, see here). Here is a neat example of displaying some results.
3) robust solutions like pcapr-local, with integration to mu studio.
Quick script to parse Windows DNS logs and produce a report
grep "[client address]" dns.log | grep "\ R\ " | grep -v "SERVFAIL]" | awk "{print $1,$2,$16}" | awk "{$1=$1}1" OFS=","
grep "[client address]" dns.log | grep "\ R\ " | grep -v "SERVFAIL]" | awk "{print $16}" | sed "s/([0-9])\|([0-9][0-9])/./g" | sed "s/^.//g" | sort | uniq
Using ipfixFlowInspectorExporter with VERMONT merge-features branch
As of May 1st, 2013, Lothar Braun has yet to merge the module that exports from VERMONT to the flow-inspector redis queue called ipfixFlowInspectorExported to the mainline git repo for VERMONT, but it is located in a repo called merge-features.
I will be continuing from the first reference to this page from the page on Configuring Vermont.
The general data flow from packets to the flow-inspector web UI.
Clone the VERMONT repo and append the merged-features repo:
git clone http://github.com/constcast/vermont.git cd ./vermont git branch merge-features origin/merge-features git checkout merge-features cmake -DSUPPORT_SCTP=OFF -DSUPPORT_REDIS=ON -DWITH_TOOLS=OFF . make #find and remove the follow section from .\CMakeList.txt #INSTALL(FILES ipfix-config-schema.xsd # DESTINATION share/vermont #) make install
You may continue back to section “Download and Build the VERMONT Manager web UI” (if you wish) on Configure VERMONT (VERsatile MONitoring Toolkit) on CentOS6.
or…
Start dumping flows to the redis queue:
The binary is located: /usr/local/bin/vermont
The flow-inspector config is located: ./configs/flowinspector_exporter.xml
cp /usr/local/share/vermont/configs/flowinspector_exporter.xml /usr/local/share/vermont/configs/flowinspector_exporter_original.xml
Refer to the Understanding a Vermont config file and modify `flowinspector_exporter.xml` as necessary.
Start the VERMONT probe:
/usr/local/bin/vermont -f /usr/local/share/vermont/configs/flowinspector_exporter.xml
Patience…
As Lothar describes in detail the waiting for data in his writeup, the following occurs:
1) VERMONT has a timeout on active flows of 10 minutes and inactive flows of 5 minutes. This means, it doesn’t push the flows to the redis queue until that time. You will see “Processed 0 flows” in the output of preprocess.py when there are no flows being pushed.
2) flow-inspector also caches data in the redis queue for five minutes before flushing it to the backend DB to be presented over the web UI. You will see “Live import. Flushing caches …” in the output of preprocess.py when this process occurs.
Understanding ipFixPrinter module for Vermont
Here is the output of the various stdout formats available from ipfixprinter:
table:
srcip dstip srcport dstport prot srcpkts dstpkts srcoct dstoct srcstart srcend dststart dstend srcplen dstplen forcedexp revart flowcnt tranoct revtranoct 8.8.8.8 192.168.100.27 443 2050 0 4631 0 6889619 0 1367430677347 1367430688342 0 0 0 0 0 0 13105524809039621472 13160276945998446592 192.168.100.27 8.8.8.8 2050 443 0 2149 0 85960 0 1367430677347 1367430688342 0 0 0 0 0 0 13105480347538162928 13160276945998446592 192.168.100.170 192.168.100.23 22 5199 0 13 0 1532 0 1367430677348 1367430680400 0 0 0 0 0 0 13105524809039621472 13160276945998446592 192.168.101.22 192.168.100.36 34773 5432 0 83 0 12106 0 1367430677349 1367430688237 0 0 0 0 0 0 13105480347538162928 13160276945998446592
tree:
-+--- Ipfix Data Data Record (id=997, preceding=0) from non-IPv4 address:0 (0) `- fixed data ' `- protocolIdentifier (id=4, length=1) : UDP `- variable data ' `- sourceIPv4Address (id=8, length=5) : 192.168.100.111/32 ' `- destinationIPv4Address (id=12, length=5) : 192.168.100.251/32 ' `- sourceTransportPort (id=7, length=2) : 62523 ' `- destinationTransportPort (id=11, length=2) : 53 ' `- flowStartMilliSeconds (id=152, length=8) : 1367431737884 (Wed May 1 14:08:57 2013) ' `- flowEndMilliSeconds (id=153, length=8) : 1367431737884 (Wed May 1 14:08:57 2013) ' `- octetDeltaCount (id=1, length=8) : 67 ' `- packetDeltaCount (id=2, length=8) : 1 `--- -+--- Ipfix Data Data Record (id=997, preceding=0) from non-IPv4 address:0 (0) `- fixed data ' `- protocolIdentifier (id=4, length=1) : UDP `- variable data ' `- sourceIPv4Address (id=8, length=5) : 192.168.100.251/32 ' `- destinationIPv4Address (id=12, length=5) : 192.168.100.111/32 ' `- sourceTransportPort (id=7, length=2) : 53 ' `- destinationTransportPort (id=11, length=2) : 62523 ' `- flowStartMilliSeconds (id=152, length=8) : 1367431737890 (Wed May 1 14:08:57 2013) ' `- flowEndMilliSeconds (id=153, length=8) : 1367431737890 (Wed May 1 14:08:57 2013) ' `- octetDeltaCount (id=1, length=8) : 230 ' `- packetDeltaCount (id=2, length=8) : 1 `---
line:
Flow recvd. Flow start Duratn Prot Src IP:Port Dst IP:Port Pckts Bytes
-----------------------------------------------------------------------------------------------------------------
2013-05-01 14:10:25.120 2013-05-01 14:10:24 2799331.0944 --- 192.168.100.21:49357 4.2.2.1:443 1 130
2013-05-01 14:10:25.120 2013-05-01 14:10:24 2799332.0944 --- 4.2.2.1:443 192.168.100.21:49321 1 40
It appears that the best way to be able to use the stdout is via the `table` option.
Here is a way to create output in command separated list using awk:
/usr/local/bin/vermont -f /usr/local/share/vermont/configs/flow-inspector-stdout_table.xml | awk '{$1=$1}1' OFS=","
The field output is:
srcip,dstip,srcport,dstport,prot,srcpkts,dstpkts,srcoct,dstoct,srcstart,srcend,dststart,dstend,srcplen,dstplen,forcedexp,revstart,flowcnt,tranoct,revtranoct
./src/modules/ipfix/IpfixPrinter.cpp contains:
void IpfixPrinter::printTableRecord(IpfixDataRecord* record)
{
Connection c(record);
fprintf(fh, "%s\t%s\t%hu\t%hu\t%hhu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%u\t%u\t%hhu\t%hhu\t%u\t%llu\t%llu\n", IPToString(c.srcIP).c_str(), IPToString(c.dstIP).c_str(), ntohs(c.srcPort), ntohs(c.dstPort), c.protocol, (long long unsigned)ntohll(c.srcPackets), (long long unsigned)ntohll(c.dstPackets), (long long unsigned)ntohll(c.srcOctets), (long long unsigned)ntohll(c.dstOctets), (long long unsigned)c.srcTimeStart, (long long unsigned)c.srcTimeEnd, (long long unsigned)c.dstTimeStart, (long long unsigned)c.dstTimeEnd, c.srcPayloadLen, c.dstPayloadLen, c.dpaForcedExport, c.dpaReverseStart, c.dpaFlowCount, (long long unsigned)c.srcTransOctets, (long long unsigned)c.dstTransOctets);
}
An IpfixDataRecord is defined in ./src/modules/ipfix/IpfixRecord.hpp:
class IpfixDataRecord : public IpfixRecord, public ManagedInstance<IpfixDataRecord> {
public:
IpfixDataRecord(InstanceManager<IpfixDataRecord>* im) : ManagedInstance<IpfixDataRecord>(im) {}
boost::shared_ptr<TemplateInfo> templateInfo;
int dataLength;
boost::shared_array<IpfixRecord::Data> message; /**< data block that contains @c data */
IpfixRecord::Data* data; /**< pointer to start of field data in @c message. Undefined after @c message goes out of scope. */
// redirector to reference remover of ManagedInstance
virtual void removeReference() { ManagedInstance<IpfixDataRecord>::removeReference(); }
virtual void addReference(int count = 1) { ManagedInstance<IpfixDataRecord>::addReference(count); }
};
Connection is defined in: ./src/modules/ipfix/Connection.h:
Back to redis for flow-inspector:
So, we need the following IPFIX information elements for input:
sourceIPv4Address = Connection.srcIP = first column
destinationIPv4Address = Connection.dstIP = second column
sourceTransportPort = Connection.srcPort = third column
destinationTransportPort = Connection.dstPort = fourth column
protocolIdentifier = Connection.protocol = fifth column
packetDeltaCount = n/a
octetDeltaCount = n/a
Both the latter are available in the “line” view of the ipFixPrinter module according to code in: ./src/modules/ipfix/IpfixPrinter.cpp as long as the fields aren’t NULL, so I guess they are null? hmm…
