Quickly allowing SELinux to run an application
I've been setting up SELinux from scratch for a machine lately. Here is the quick and dirty way to let an application run that doesn't have permissions.
Copy the AVC denial messages for the blocked application to a file, say tomcatlog.msg, which looks something like this:
avc: denied { ioctl } for pid=6256 comm="su" name="tomcat.log" dev=tmpfs ino=23418 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Run audit2allow, which compiles the denial messages into an SELinux policy module package (tomcatlog.pp, with its source in tomcatlog.te):
audit2allow -M tomcatlog < ./tomcatlog.msg
Then load the new module into SELinux with semodule:
sudo /usr/sbin/semodule -i tomcatlog.pp
I don't recommend building a whole system this way, but after beating on it for a while, this is just a really easy way to allow something to run. Read the generated .te before loading it: every denial in the file becomes an allow rule, so the module grants exactly what was logged, whether or not each of those accesses was something you meant to permit.
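To make it concrete what audit2allow turns that one denial into, here is an added example (not code from the original post, and not audit2allow itself) that derives the same allow rule and .te layout from an AVC line in plain POSIX shell, and adds the check the post's caveat calls for: flag the module for manual review when the denial asks for a high-impact permission. The AVC line is constructed to match the shape of the tomcat one above; the RISKY_PERMS list and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce, in plain shell, the allow
# rule and .te module that audit2allow -M derives from a single AVC denial, plus a
# review step for permissions that deserve a second look before semodule -i.
# The denial line below is constructed to match the shape of the one in the post.

AVC_SAMPLE='avc: denied { ioctl } for pid=6256 comm="su" name="tomcat.log" dev=tmpfs ino=23418 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'

# Permissions that widen a domain's power far beyond "let this one app run";
# a module granting any of these should be reviewed by hand, not loaded blindly.
# (List chosen for this example, not taken from audit2allow.)
RISKY_PERMS="execmem execstack execmod execheap entrypoint transition dac_override dac_read_search sys_admin sys_module sys_ptrace setuid"

# Print the value of key=value field $2 from AVC line $1.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type component of a user:role:type:level security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The permission names inside "{ ... }", space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# One allow rule equivalent to what audit2allow emits for this denial.
avc_to_rule() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$p"
}

# A complete type-enforcement (.te) source for module $1 built from denial $2,
# in the same layout audit2allow -M writes to <name>.te.
avc_to_module() {
    name=$1
    s=$(ctx_type "$(avc_field "$2" scontext)")
    t=$(ctx_type "$(avc_field "$2" tcontext)")
    c=$(avc_field "$2" tclass)
    p=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '    type %s;\n' "$s"
    [ "$s" = "$t" ] || printf '    type %s;\n' "$t"
    printf '    class %s { %s };\n}\n\n' "$c" "$p"
    avc_to_rule "$2"
}

# Exit status 0 when the denial asks for a permission in RISKY_PERMS.
avc_is_risky() {
    for perm in $(avc_perms "$1"); do
        case " $RISKY_PERMS " in
            *" $perm "*) return 0 ;;
        esac
    done
    return 1
}

# Usage: show what would go into tomcatlog.te, and flag it if it needs review.
avc_to_module tomcatlog "$AVC_SAMPLE"
if avc_is_risky "$AVC_SAMPLE"; then
    echo "REVIEW: denial requests a high-impact permission" >&2
fi
```

For the tomcat denial this prints a module whose only rule is `allow initrc_su_t initrc_tmp_t:file { ioctl };`, which is the narrow grant the quick fix is meant to produce. Feeding a denial for something like execmem through the same functions produces an equally valid module, which is exactly why the review step exists: audit2allow will compile it just as happily.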
The VA and Bureaucracy Part 2
OK so I guess I have touched a nerve with this subject as our traffic to our blog has spiked since Richard Bejtlich's blog linked to my "VA and Bureaucracy" post. As one to not let a good story go to waste I will finish the story in 2 more parts before I leave for BlackHat 2006.
As you remember from my previous post on the subject Tate and I were part of a large team of people contracted to go audit the VA computer networks and systems at every VA facility in the country. We had thought that we would be working with other individuals of our technical caliber on a comprehensive audit process that follows along with the NIST SP 800 series of documents. As we flew from Colorado to Virginia we had some expectations of this project that were brutally shattered in the coming days.
Before the trip our expertise had been doing security in the corporate space, i.e. a company would hire us to conduct a penetration test or a vulnerability assessment, etc. The government space, with its money, capital and processes at its disposal, must be better, at least in my mind. However, it quickly became apparent that what we were really tasked to do at the VA would get us fired for negligence at any of our other private corporate clients. One note about the ethics of what we could do in this particular situation. Two things:
- First, in the initial meetings with VA representatives there was spirited push back to the VA and the contract companies that this whole thing was just not right. In fact I think that many people just gave up after the introductory meetings because no one was listening.
- Second, we stayed on the project at this point mostly because we just couldn't foresee that it could be as bad as it turned out to be. We were always looking for the gotcha that would dispel the myth and make the project make sense.
And on with the story...
So Tate and I were flabbergasted at the first meeting with the VA but we were at least optimistic on what the next day would hold as we were being trained on the specific audit procedures for each technical area we would be qualified to test in. The technical areas we were going to test were Windows, network, and policy. So the next day bright and early we had to report to the main office of the chief company controlling all the audit teams.
First up for us was Windows testing. We had a lot of ideas of what we would want to hear, like which scanners were going to be run, what tools to follow up results with and what kind of forensic analysis would happen if a computer was exploited, infected, or warez'ed. Well basically a checklist was handed out and a so-called “trainer” read through the procedure. It went something like this:
- Write down info about computer like name, room location, date, OS installed.
- Run MBSA.
- Dump Registry.
- Dump users and groups
- Dump logs if any are even there
- Take a screenshot of the screensaver properties
Gee that sure is comprehensive huh? At least it is super expensive so it must be good. Basically our job as high paid and trained security professionals was to dictate step-by-step procedures (click here, click there, click save-as, etc.) to a VA employee while shoulder surfing. Then after they completed a step we would check it off along with the time it took to run it. The hardest part would be to get the room number and address of the computer we were on as a lot of the VA facilities did not label every room.
Right after our "training" a person asked how many computers we would have to do this to at each facility. The answer was a sampling, and possibly all the Windows servers. Later on, at the first facility I went to, I tested 10 computers at a site with roughly 1000 computers. I will tell more detail on this in my next entry.
Then another person in the room brought up scripting: "Hey, you could write a script that could be run on logon or logoff to grab these results from every computer in the facility."
The trainer replied, "Scripting is not allowed because it is too dangerous; it could bring down a critical computer."
"OK, then why not just leave the critical computers out and do those by hand, and leave the non-critical computers in the script?"
"No. No scripting can be done, as was agreed earlier."
That was the end of that. No scripting because it is too dangerous. The network training was basically the same thing but added in that architecture was not to be looked at. For example if a facility left their network on the Internet with no firewall, it was not to be noted. Just stay to the checklist, don’t look left or right.
At this point we were seriously considering dropping off the project but we decided to give it a shot and remain open-minded. But I can tell you it was hard. I mean if I saw by happenstance (and I am not saying I did) that a computer was running a warez site, if it wasn't caught by the checklist then according to the VA’s audit procedures, it was OK. Again concerns were raised to the company we were contracted under and I believe they had sent it up the ladder but I never heard anything. The checklists were even revised multiple times because many people still had a hard time following it step by step, but the revisions they made never really meant much with respect to security.
In the next part I will talk about my first experience at a VA facility - as a screenshot properties collector, err I mean security auditor.
stolen personal account info
I’ve involuntarily joined the club of stolen personal account information. I received a letter from my student loan holder:
[…]
"We are writing to inform you that a computer tape containing personal account information about your current or former student loan was apparently lost while in the possession of United Parcel Service (UPS)."
[…]
"This situation arose during the routine shipment of a data tape which contained borrower names, Social Security numbers, and other related account information. "
[…]
BlackHat in Las Vegas coming up
I’m excited to hit BlackHat this year; we’re in for the full week. BlackHat Training, then Briefings, followed by DEFCON.
Back from the dead
I’m back to writing. I took a hiatus to deal with a heart issue (I’m recovering from a short Hospital stay). Thanks to a fantastic doctor in Boulder, Dr. Oza, we caught an electrical condition in my heart that was potentially fatal; particularly to my case when I engaged in hard cardio activities (playing hockey triggered the worst symptoms). Anyway, back to work, to enjoying life, and hopefully in the near future to juking opponents.
