Notes | Flyn Computing

Terminal colors

Wed, 14 Aug 2024 10:33:41 -0400

Setting your terminal’s colors is a matter of use and personal preference, but it is generally important that the colors contrast sufficiently to leave text legible. Use of a projector, operating equipment in dark or sunny conditions, and office environments can all impact color choice. My uses favor a dark background with vibrant foreground colors.

The basis for color terminals is commonly related to the ANSI standard that defined eight colors. Modern terminals often support far more colors, but building a palette based on the original eight leaves applications displaying more-or-less as intended. If you deviate too much, you might find a terminal application uses green—rather than red—for a critical alert or places light blue text on a blue background. An example of careful color selection is Ethan Schoonover’s Solarised.

Here are the original eight colors, along with their bold variants (i.e., modifier = 1), which brings the total count to sixteen:

Modifier	Value	Normal hue	Escape code example
0	30	Black	`printf '\033[0;30mCOLOR\033[0m'`
0	31	Red	`printf '\033[0;31mCOLOR\033[0m'`
0	32	Green	`printf '\033[0;32mCOLOR\033[0m'`
0	33	Brown/Orange	`printf '\033[0;33mCOLOR\033[0m'`
0	34	Blue	`printf '\033[0;34mCOLOR\033[0m'`
0	35	Purple	`printf '\033[0;35mCOLOR\033[0m'`
0	36	Cyan	`printf '\033[0;36mCOLOR\033[0m'`
0	37	Light Gray	`printf '\033[0;37mCOLOR\033[0m'`
1	30	Dark Gray	`printf '\033[1;30mCOLOR\033[0m'`
1	31	Light Red	`printf '\033[1;31mCOLOR\033[0m'`
1	32	Light Green	`printf '\033[1;32mCOLOR\033[0m'`
1	33	Yellow	`printf '\033[1;33mCOLOR\033[0m'`
1	34	Light Blue	`printf '\033[1;34mCOLOR\033[0m'`
1	35	Light Purple	`printf '\033[1;35mCOLOR\033[0m'`
1	36	Light Cyan	`printf '\033[1;36mCOLOR\033[0m'`
1	37	White	`printf '\033[1;37mCOLOR\033[0m'`

My color preferences follow. I do not use the full GNOME desktop environment, but many of my applications, including gnome-terminal, follow GNOME’s settings.

Set the TERM environment variable to hold the value xterm-256color.
Run gnome-control-center, and set GNOME→Appearance→Style to Dark.
Run gnome-terminal, and select Custom in Preferences→Colors. Next, customize the following values:

Palette entry 0: #000000
Palette entry 1: #ff0000
Palette entry 2: #00ff00
Palette entry 3: #ff8800
Palette entry 4: #00ccff
Palette entry 5: #ff00ff
Palette entry 6: #00ffff
Palette entry 7: #f0f0f0
Palette entry 8: #888888
Palette entry 9: #ff8888
Palette entry 10: #88ff88
Palette entry 11: #ffff00
Palette entry 12: #8888ff
Palette entry 13: #ff88ff
Palette entry 14: #88ffff
Palette entry 15: #ffffff

Edit .vimrc and add colorscheme=koehler.
Edit .muttrc and add the following color definitions (notice mutt expects variants of the ANSI colors):

color hdrdefault red default
color quoted yellow default
color signature red default
color indicator black brightyellow
color error brightred default
color status black white
color tree magenta default
color tilde magenta default
color message brightcyan default
color markers brightcyan default
color attachment brightmagenta default
color search default green
color header blue default ^(From|Subject|To):
color body magenta default "(ftp|http)://[^ ]+"
color body magenta default [-a-z_0-9.]+@[-a-z_0-9.]+
color underline brightgreen default
color index black brightred '~h "X-Spam-Flag: YES"'    # Spamassassin.
color index black brightyellow '~h "X-Bogosity: Spam"' # Bogofilter.

Testing terminal colors involves running various commands and observing the appearance of their output. You should test under the conditions you expect, such as with a projector, in sunlight, or in a dark office. Here are some illustrative commands:

mutt
dircolors --print-ls-colors (and the LS_COLORS environment variable)
grep
vim (view various languages and HTML)
diff --color
git diff
git log
git status

FIDO2 and its companions

Tue, 21 Nov 2023 13:42:58 -0400

Commands that interact with a YubiKey

Display basic information about an attached YubiKey:

ykman info

Disable YubiKey features:

ykman config usb --disable F, where F is OTP, OATH, PIV, OPENPGP, or HSMAUTH

Change a YubiKey's PIN:

ykman fido access change-pin

Reset a YubiKey's PIN and other persistent storage:

ykman fido reset

List the credentials present on a YubiKey:

ykman fido credentials list

Web security playground

Wed, 24 Mar 2021 12:01:36 -0500

View this page in various browsers to observe how they handle different aspects of web security. Most browsers include development tools that will allow you to inspect your browser’s behavior.

Loading this page created the following cookies:

<script>
	document.cookie = "name1=val1; SameSite=Strict";
	document.cookie = "name2=val2; Path=/; SameSite=Strict";
	document.cookie = "name3=val3; Path=/; SameSite=Lax";
	document.cookie = "name4=val4; Path=/; SameSite=None; Secure";
</script>

Reloading this page should cause your browser to submit cookies “name1”, “name2”, “name2”, and “name4”.

This link should cause your browser to submit cookies “name2”, “name3”, and “name4”. The default Path attribute forbids cookie “name1” here.

Selecting this link and then following the “Flyn Computing” link therein back to https://www.flyn.org should cause your browser to submit cookies “name3” and “name4”. The SameSite=Strict attribute causes your browser not to submit cookie “name2” when entering this site from another.

An HTML document that is provided by another web server and that references the image at https://www.flyn.org/projects/VisorFlow/fig-architecture.png should cause your browser to submit cookie “name4”. Your browser will only submit cookies marked with SameSite=None in such a cross-site scenario. See, for example, https://www.cs.uwlax.edu/~wpetullo/web-security.html.

Mixed passive content

The following image is fetched using HTTP. Many browsers will log to their console the presence of mixed passive content, and they might indicate this with a broken security lock.

Source:

<img src="http://nacl.cr.yp.to/cace-logo-25.png"/>

Mixed active content

The following “script” is fetched using HTTP. Many browsers will refuse to load this mixed active content, and many will log this refusal to their console.

<script src="http://cr.yp.to/"></script>

HTTPS Strict Transport Security

This web server makes use of HTTPS Strict Transport Security. You should find that it provides a Strict-Transport-Security field in its response headers.

This page attempts to load WebAssembly code from https://www.aquinas.dev/wasm/busycrate.wasm. This should fail because (1) the domain hosting the code is different than the domain hosting this page and (2) aquinas.dev does not set the Access-Control-Allow-Origin header. A server sets an Access-Control-Allow-Origin header to indicate that its API is meant for use from third-party sites. Many browsers will log to their console the action they take to block these types of requests.

<script>
const go = new Go();
go.argv = [];
WebAssembly.instantiateStreaming(fetch("https://www.aquinas.dev/wasm/busycrate.wasm"), go.importObject).then((result) => {
    go.run(result.instance);
});
</script>

This page also loads JavaScript code from https://api.flyn.org/httpsmtp/wasm_exec.js. The browser allows this because the server at api.flyn.org sets the appropriate CORS header.

<script src="https://api.flyn.org/httpsmtp/wasm_exec.js"></script>

Note that the user could load the code in either of the above cases by clicking on the links. CORS regulates only fetches from JavaScript, WebAssembly, and other dynamic code ran by the browser. The use of a Content-Security-Policy header could further define the sites from which this page could load scripts and other resources.

GnuPG signing party

Wed, 17 Mar 2021 20:16:53 -0500

This document summarizes how to host a GnuPG signing party. For a more detailed description that considers how to store keys and how to handle large parties, see The Keysigning Party HOWTO.

If you do not yet have a set of keys, generate them. Run gpg --full-generate-key. Select the default key type, select the default curve or number of bits, indicate a lifetime of five years, and provide your full name and email address.
Obtain your key’s identifier (MY-ID) by running gpg --list-secret-keys. The identifier is comprised of 40 hex digits.
Optionally edit the key to add additional email addresses you own. Run gpg --edit-key MY-ID, and execute adduid and save.
Export your key by running gpg --armor --export MY-ID. Share this form of your key with the other key-signing attendees.
Prepare to confirm the other attendees safely received your key: Display your key’s fingerprint with gpg --fingerprint MY-ID. The fingerprint is comprised of 40 hex digits, and they are separated by spaces to make them easier for a human to read.
Import other attendee keys with gpg --import F, where F is a file containing their exported key.
Find each attendee’s key by running gpg --list-keys, and note its identifier (HIS-ID).
For each key identifier HIS-ID, run gpg --fingerprint HIS-ID. Verbally confirm the fingerprint with its owner. Once satisfied, run gpg --sign-key HIS-ID. This records that you have met the owner of the key, and that you confirmed the key is valid.

Now you can safely encrypt messages intended for the owners of keys you imported and verified. For example, encrypt the file F for the recipient bob@example.com by running the command gpg --encrypt --recipient=bob@example.com --compress-algo none --armor F.

OpenWrt-based XMPP server

Wed, 03 Jun 2020 14:56:43 -0400

This document describes how to build an OpenWrt-based XMPP server. We build on top of OpenWrt because of the distribution’s simplicity and small size. Here we assume that the server will run within the confines of a Xen hypervisor.

Establish the VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host the XMPP server:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/prosody-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Write the following at /etc/xen/vm-prosody.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "prosody"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/prosody-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on the VM:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
	logd \
        luci-app-firewall \
        luci-lib-ip \
	luci-lib-jsonc \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
	luci-mod-admin-full \
	luci-base \
	luci \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
        freifunk-watchdog \
        prosody \
        zoneinfo-core \
        zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring the Prosody chat server

/etc/prosody/certs/example.com.cert: Concatenate your certificate, the immediate certificate, and the root certificate to produce etc/prosody/certs/example.com.cert.
/etc/prosody/certs/example.com.key: Place your private key in etc/prosody/certs/example.com.key.
/etc/prosody/prosody.cfg.lua (replace example.com):

admins = { }

modules_enabled = {
	"roster";
	"saslauth";
	"tls";
	"dialback";
	"disco";
	"private";
	"vcard";
	"legacyauth";
	"version";
	"uptime";
	"time";
	"ping";
	"pep";
	"register";
	"posix";
};

allow_registration = false;

pidfile = "/var/run/prosody/prosody.pid";
	
ssl = { 
	key = "/etc/prosody/certs/example.com.key";
	certificate = "/etc/prosody/certs/example.com.cert";
	c2s_require_encryption = true;
	s2s_require_encryption = true;
}

log = {
	{ levels = { "error" }; to = "syslog";  };
	{ levels = { "error" }; to = "file"; 
		filename = "/var/log/prosody/prosody.err";  };
	{ levels = { min = "info" }; to = "file"; 
		filename = "/var/log/prosody/prosody.log";  };
}

VirtualHost "example.com"
	enabled = true

Set the ownership of Prosody’s sensitive files using chown prosody /etc/prosody/certs/*, and set the permissions on these files with chmod 600 /etc/prosody/certs/*.
For each prosody user, prosodyctl register USERNAME example.com PASSWORD, replacing USERNAME, PASSWORD, and example.com. (Use LDAP?)

Configure the host firewall

/etc/config/firewall:

config defaults
	option drop_invalid 1
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name lan
	option network lan
	option input DROP
	option output ACCEPT
	option forward DROP

# Allow Jabber client-to-server connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 5222

# Allow Jabber server-to-server connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 5269

Configure basic system settings

/etc/config/system:

config system
	option hostname	prosody.flyn.org
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

ulimit

Fri, 27 Mar 2020 17:33:54 -0400

UNIX provides the getrlimit and setrlimit system calls to limit the resources available to processes, and most shells provide a command—such as ulimit—to provide an interface to these settings. Running ulimit -a using a modern Bourne shell will print the current limitations:

$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 11724
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 11724
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

The output above included resource categories (e.g., file size), an optional unit (e.g., blocks), the flag used to adjust the resource limit (e.g., -f), and the current limit (e.g., unlimited). Limiting the size of the file that can be created by any process run by the current shell to 1,024 blocks is a matter of running:

$ ulimit -f 1024

Similar commands can limit the other resource categories.

The following program is useful for testing one’s understanding of ulimit. Assuming you save this to a file named ulimitest.c, you can compile this program with cc -o ulimitest ulimitest.c. Inspecting the source should give you an indication of what resources the program uses. The For example, lots_of_files functions simultaneously opens 128 files; this would exceed the limit set by ulimit -n 64.

#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Test -d, data segment size. */
unsigned char buf1[1024 * 1024];

void
recurse(int n)
{
	if (n-- > 1) {
		recurse(n);
	}
}

void
big_file(void)
{
	FILE *f;
	size_t rc;

	f = tmpfile();
	if (NULL == f) {
		perror("error creating temporary file");
		exit(EXIT_FAILURE);
	}

	rc = fwrite(buf1, 1, sizeof buf1, f);	
	if (rc != sizeof buf1) {
		perror("error writing 1 MB to file");
		exit(EXIT_FAILURE);
	}

	fclose(f);
}

void
lots_of_processes(void)
{
	/* NOTE: parent makes 128. */
	pid_t c[127], rc, fail = false;

	for (int i = 0; i < sizeof c / sizeof *c; i++) {
		c[i] = fork();
		switch (c[i]) {
		case -1:
			/* Parent (error). */
			perror("error forking");
			fail = true;
			goto done;
		case 0:
			/* Child. */
			sleep(100);
			exit(EXIT_SUCCESS);
		default:
			/* Parent. */
			{}
		}
	}

done:
	for (int i = 0; i < sizeof c / sizeof *c; i++) {
		kill(c[i], SIGKILL);
	}

	for (int i = 0; i < sizeof c / sizeof *c; i++) {
		rc = waitpid(c[i], NULL, 0);
		if (-1 == rc) {
			perror("error waiting for process");
			exit(EXIT_FAILURE);
		} else if (rc != c[i]) {
			fprintf(stderr, "waited on wrong process\n");
			exit(EXIT_FAILURE);
		}
	}

	if (fail) {
		exit(EXIT_FAILURE);
	}
}

void
lots_of_files(void)
{
	int f[128];

	for (int i = 0; i < sizeof f / sizeof *f; i++) {
		f[i] = open("/dev/null", O_RDONLY);

		if (-1 == f[i]) {
			perror("error opening file");
			exit(EXIT_FAILURE);
		}
	}

	for (int i = 0; i < sizeof f / sizeof *f; i++) {
		close(f[i]);
	}
}

int
main(void)
{
	/* Test -s, stack size. */
	recurse(128);

	/* Test -f, maximum file size. */
	big_file();

	/* Test -m, maximum memory size. */
	unsigned char buf2[1024 * 1024];

	/* Test -n, open files. */
	lots_of_files();

	/* Test -u, open files. */
	lots_of_processes();

	printf("finished\n");

	exit(EXIT_SUCCESS);
}

The -u limit refers to threads rather than strictly processes, and the limit applies to every program the user has running. Ulimitest will try to simultaneously run 128 processes, but you likely already have a number of processes running (to include your shell). Use ps -eLf | grep $USER | wc -l to count the number of threads you are presently running, and take this into account when setting a limit.

USA

Fri, 27 Mar 2020 17:33:54 -0400

I try to buy products that are made in the USA. Here are some manufacturers I have found:

System76 builds their THELIO line of desktop computers in Colorado.
Kendall Howard builds server racks and other products in Minnesota.
Made in USA Tools sells tools from manufacturers that build their products in the USA.

Adventure

Thu, 12 Mar 2020 09:02:58 -0400

I have been playing William Crowther’s Colossal Cave Adventure with my children.

We have found these actions useful:

north
south
east
west
ne
se
nw
sw
up
down
building
climb
downstream
drop
enter
forest
info
inventory
pour
save
score
take
throw

We also found a technique which allows us to script Adventure when running the program from a graphical terminal. Since Adventure responds to commands entered on standard in, we can paste a series of commands into Adventure. For example, the following scripts work as described when executed immediately after starting Adventure:

Such scripting is confounded by rooms with randomized passages, so you should proceed through passages like these manually.

We have been using Graphviz to record the adventures we have had. I share here our map in two formats: .dot .svg The map also appears below.

Colossal Cave Adventure map

Apple

Thu, 12 Mar 2020 09:02:58 -0400

Introduction

This is a collection of Open Source applications for the Macintosh. This collection is intended to supplement package manager-based distributions such as MacPorts.

If you would like to build these applications yourself using my instructions, then you will need to install MacPorts. The following instructions document how to install GTK+/Quartz:

Ensure that you have Apple's X11 package installed.
Install Apple's Xcode.
Install MacPorts.
Add the following lines to ~/.bash_profile:

export PATH="/opt/local/bin:$PATH"
export CPPFLAGS="-I/opt/local/include $CPPFLAGS"
export LDFLAGS="-L/opt/local/lib $LDFLAGS"

Use the command sudo port install PACKAGE to build and install the following packages and their dependencies:

cairo +quartz+no_x11
pango +quartz+no_x11
gtk2 +quartz+no_x11
poppler +quartz

Packages

AbiWord

AbiWord screenshot

AbiWord is a word processor. This package contains a native build for Mac OS X and does not require X11. Download.

Building from Source

Edit AbiWord's configure script, setting ABIWORD_CONTENTSDIR to /Applications/AbiWord.app/Contents.
Run ./configure.
Run make
Run sudo make install

Bugs Filed

I have filed or reviewed the following bugs related to AbiWord:

~~Abisource Bugzilla #11793, Build Abiword against GTK/Quartz~~
~~AbiSource Bugzilla #12446, Compile error on Snow Leopard~~
Abisource Bugzilla #13233, configure script does not allow customization of ABIWORD_CONTENTSDIR
MacPorts ticket #17012, Request newer build of abiword

Gnumeric

Gnumeric screenshot

Gnumeric is a spreadsheet application. The following instructions will build the application to use GTK's Quartz backend (no X11 required.) Mac OS X 10.4 or newer is required for this build. GTK's Quartz backend is currently experimental, so this package is also unstable. These instructions are provided so that people may more easily build and test GTK Quartz. Download.

Building from Source

Use the command sudo port install gnumeric to build and install gnumeric.

Bugs Filed

I have filed or reviewed the following bugs related to this process and the resulting Gnumeric application:

~~GNOME Bugzilla #382925, gail doesn't build with Quartz GDK backend~~
~~GNOME Bugzilla #396329, src/Makefile still includes -lpopt~~
~~GNOME Bugzilla [#396434}(http://bugzilla.gnome.org/show_bug.cgi?id=396434), Gnumeric crashes when mouse over File->Open on Mac OS X / gtk-quartz~~
~~GNOME Bugzilla #396438, Build fails on Mac OS X / gtk-quartz because of missing -lgthread-2.0~~
~~GNOME Bugzilla #396654, libgnomeprint ./configure fails on Mac OS X~~
GNOME Bugzilla #477381, Use the Mac OS X menubar when built with GTK+/Quartz
GNOME Bugzilla #534134, Gnumeric does not seem to support XDG Base Directory Specification
~~GNOME Bugzilla #600085, Cell labels' text not rendered on Mac OS X / Quartz~~
~~MacPorts ticket #14853, RFE: have icon-naming-utils not depend on p5-getopt-long~~
~~MacPorts ticket #15052, pango: Font display problems when compiled against cairo 1.6.4~~
~~MacPorts ticket #15558](http://trac.macports.org/ticket/15558), Provide quartz-only variant of cairo port~~
~~MacPorts ticket #15559, gtk2 error for missing ${prefix}/include/cairo/cairo-quartz.h incorrect~~
~~MacPorts ticket #15560, Patch gnumeric to integrate into Mac OS X menu~~
~~MacPorts ticket #16083, gnumeric row/column labels show broken character box instead of the letter/number~~
~~MacPorts ticket #16798, gnumeric fails to build on Leopard~~
~~MacPorts ticket #17049, pango +quartz cannot build 64-bit~~
~~MacPorts ticket #20924, OS X 10.6 with +no_x11 +quartz: Pango-WARNING **: shaping failure, expect ugly output~~
~~MacPorts ticket #21624, pango @1.26.0_0+macosx makes software freeze~~
~~MacPorts ticket #22581, new Portfile: goffice08~~

Building Application Bundle

In order to make an Application Bundle for Gnumeric, follow these steps:

Use the command sudo port install ige-mac-bundler to build and install the ige-mac-bundler utility
Download the definitions of Gnumeric.app.
Extract the Gnumeric.app definitions, enter its directory and execute the following:

ige-mac-bundler Gnumeric.bundle

Replace Gnumeric.app/Contents/Resources/etc/pango with the contents of /opt/local/etc/pango
Double-click on Gnumeric (Gnumeric.app) in the Finder.

Gthumb

Gthumb screenshot

Gthumb is an image viewer. The following instructions will build the application to use GTK's Quartz backend (no X11 required.) Mac OS X 10.4 or newer is required for this build. GTK's Quartz backend is currently experimental, so this package is also unstable. These instructions are provided so that people may more easily build and test GTK Quartz.

Building from Source

Use the command sudo port install gthumb to build and install gthumb.

Bugs Filed

I have filed or reviewed the following bugs related to this process and the resulting Gthumb application:

~~GNOME Bugzilla #551225, Gthumb will not build against GTK/Quartz (Mac OS), requires X11~~
~~GNOME Bugzilla #554240, Use the Mac OS X menubar when built with GTK+/Quartz~~

Building Application Bundle

In order to make an Application Bundle for Gthumb, follow these steps:

Use the command sudo port install ige-mac-bundler to build and install the ige-mac-bundler utility
Download the definitions of Gthumb.app.
Extract the Gthumb.app definitions, enter its directory and execute the following:

ige-mac-bundler Gthumb.bundle

Double-click on Gthumb (Gthumb.app) in the Finder.

Inkscape

Inkscape screenshot

Inkscape is a vector graphics illustration program. The following instructions will build the application to use GTK's Quartz backend (no X11 required.) Mac OS X 10.4 or newer is required for this build. GTK's Quartz backend is currently experimental, so this package is also unstable. These instructions are provided so that people may more easily build and test GTK Quartz. Download.

Building from Source

Use the command sudo port install inkscape to build and install inkscape.

Bugs Filed

I have filed or reviewed the following bugs related to this process and the resulting Inkscape application:

~~Inkscape / Launchpad bug #251982, Inkscape's -g option does not make sense when using GTK/Quartz on Mac OS X~~
~~libproxy bug #101, libproxy does not compile on Mac OS X 10.6.2~~
To file: Xft2 (required by Inkscape) requires xorg-proto and xrender
To file: Xft2 build requires xorg-xcmiscproto and xorg-bigreqsproto, but Portfile does not

Building Application Bundle

In order to make an Application Bundle for Inkscape, follow these steps:

Use the command sudo port install ige-mac-bundler to build and install the ige-mac-bundler utility
Download the definitions of Inkscape.app.
Extract the Inkscape.app definitions, enter its directory and execute the following:

ige-mac-bundler Inkscape.bundle

Double-click on Inkscape (Inkscape.app) in the Finder.

Awesome

Thu, 12 Mar 2020 09:02:58 -0400

First, install the Awesome window manager:

$ dnf install awesome

Next, configure Awesome. I maintain my Awesome configuration such that it is accessible with:

$ git clone https://www.flyn.org/git/awesome-config

You should install the contents of the awesome-config folder at ~/.config/awesome (i.e., drop the -config portion of the directory name). My configuration assumes that ~/.config/awesome/themes/flyn/background is a symbolic link to a background picture. Set this with something like:

$ ln -sf /usr/share/backgrounds/default.png ~/.config/awesome/themes/flyn/background.png

To login with awesome, select the “awesome” option presented by GDM (gears button). The result is a very simple configuration with the following input bindings. The modifier key (i.e., Mod) is the key most often labeled something like Command or Windows.

Mod-Ctrl-q: Quit Awesome and thus terminate the login session.
Mod-Ctrl-r: Restart Awesome.
Mod-Ctrl-Space: Toggle the focused window between floating and tiled mode.
Mod-Escape: Return to the previous virtual desktop.
Mod-Left: Select the next virtual desktop to the left.
Mod-Right: Select the next virtual desktop to the right.
Mod-Return: Run a gnome-terminal.
Mod-f: Grow the focused window to span the screen.
Mod-q: Quit the focused application.
Mod-r: Activate a run-command prompt at the bottom of the screen.
Mod-r: Activate a run-command prompt at the bottom of the screen.
Mod-Space: Toggle the tiling style.
Mod-Tab: Shift focus to previous window.
Mod-Volume Down: Lower the speaker volume.
Mod-Volume Mute: Mute the speaker.
Mod-Volume Up: Raise the speaker volume.
Mod-Click-and-drag: Move a window.
Mod-Left-click-and-drag: Resize a window.

I use many of the GNOME tools along with Awesome. Some of them require a little nudging to get to work:

gnome-control-center requires the XDG_CURRENT_DESKTOP environment variable set to GNOME.

Beholder

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Beholder, a multi-function server. Beholder runs on commodity router hardware and provides a number of features:

SSH access
a Snort network intrusion prevention system
a NetFlow exporter

We build Beholder on top of OpenWrt because of the distribution’s simplicity and small size. Beholder is made up of roughly 90 packages, and its programs and configurations take up less than 40 MB of storage space. Here we assume that Beholder will run within the confines of a Xen hypervisor.

Establish the Beholder VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Beholder:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/beholder-data.qcow.
Write the following at /etc/xen/vm-beholder.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "beholder"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on Beholder:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
dnsmasq \
kmod-ppp \
kmod-pppoe \
kmod-pppox \
kmod-r8169 \
logd \
luci \
luci-app-firewall \
luci-base \
luci-lib-ip \
luci-lib-nixio \
luci-proto-ipv6 \
luci-proto-ppp \
luci-theme-bootstrap \
mtd \
odhcpd-ipv6only \
ppp \
ppp-mod-pppoe \
r8169-firmware \
uhttpd-mod-ubus \
uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
	freifunk-watchdog \	
	snort \
	softflowd \
	syslog-ng \
	zoneinfo-core \
	zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configure the firewall

/etc/config/firewall:

config defaults
        option drop_invalid 1
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

config zone
        option name lan
        option network lan
        option input ACCEPT
        option output ACCEPT
        option forward DROP

Configure basic system settings

/etc/config/system:

config system
        option hostname beholder.EXAMPLE.COM
        option timezone EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/freifunk-watchdog:

config process
        option process dropbear
        option initscript /etc/init.d/dropbear

config process
        option process snort
        option initscript /etc/init.d/snort

/etc/config/network:

config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname eth0
        option proto dhcp

/etc/config/dropbear:

config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port         '22'

Forwarding packets to Snort host

Once Snort is running, you will want to forward a copy of network packets to the Snort host. The tee feature of netfilter can perform this work. To configure an OpenWrt router to forward a copy of each packet to the Snort host at beholder.EXAMPLE.COM, add the following to /etc/firewall.user on the router (replace BEHOLDER-IP):

iptables -t mangle -A INPUT  ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A OUTPUT ! -d BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A FORWARD ! -d BEHOLDER-IP/32 ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP

Configuring Snort

/etc/config/snort:

config snort snort
	option config_dir /etc/snort/etc/
	option alert_module alert_syslog
	option interface eth0

Register with Snort, download the registered Snort rules from https://www.snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz, and install them at /etc/snort/.
Uncomment the appropriate rules in each file found in /etc/snort/rules/.
Restart Snort, and test its functionality. One way to do this is to uncomment the NessusTest rule in /etc/snort/rules/snort3-server-webapp.rules and run wget http://webserver/NessusTest. Snort should log something like this: “SERVER-WEBAPP nessus 2.x 404 probe.”

Configuring softflowd

/etc/config/softflowd (replace example.com):

config softflowd
	option enabled        '1'
	option interface      'eth0'
	option pcap_file      ''
	option timeout        ''
	option max_flows      '8192'
	option host_port      'golem.example.com:9995'
	option pid_file       '/var/run/softflowd.pid'
	option control_socket '/var/run/softflowd.ctl'
	option export_version '5'
	option hoplimit       ''
	option tracking_level 'full'
	option track_ipv6     '0'
	option sampling_rate  '100'

C

Thu, 12 Mar 2020 09:02:58 -0400

Standardizing style with the aim of aiding inspection and removing pitfalls

Human review remains one of the best ways to ensure a body of source code specifies the program that the programmer set out to write. Testing is usually a practical necessity, but a programmer’s ultimate goal should be a program that humans can read and understand. Source files that follow a single style are easier to review and audit. The pedansee utility parses source files in C and indicates whether they comply with one such style.

Pedansee’s default style strives for consistency, and it also removes pitfalls that lead to bugs. For example, C does not require braces around one-line blocks. However, leaving them off sometimes leads to the situation where a programmer later indents a statement following a block and expects it to be included in the block.

It is possible to integrate pedansee with a project that builds using the GNU autotools. First, add the following to the project’s configure.ac:

AC_PATH_PROG(PEDANSEE, pedansee)
AM_CONDITIONAL(HAVE_PEDANSEE, test -n "$PEDANSEE")

Next, add this to the Makefile.am responsible for compiling the project’s source code (replace proj_1_0):

check:
if HAVE_PEDANSEE
       set -e; for i in $(proj_1_0_la_SOURCES); do $(PEDANSEE) $$i -- -x c $(DEFS) $(proj_1_0_la_CFLAGS); done
endif

With this, running pedansee is a matter of executing make check.

The tool indent will reformat C source code according to a configurable style. Flyn Computing’s preferred use is indent -linux foo.c. This follows Linus Torvalds’s preferred style.

Catching bugs with assertions

Assertions can help catch the bugs that result from ill composition or otherwise misused interfaces, but you should not use them to catch runtime conditions from which a program could otherwise recover. In general, it is best to catch bugs as early as possible during the course of writing a program; the following definition of C_ASSERT will at compile time catch bugs involving constants:

#define C_ASSERT(e) typedef char __C_ASSERT__[(e)?1:-1] __attribute__((unused))

Catching bugs with run-time unit testing

Proving the correctness of a program or relying completely on code audits does not measure up to the complexity found in most programs. Thus run-time testing remains necessary. Unit testing tests the components of a program independently, and it is best performed as a program is written. For example, the programmer specifies a C function, and then he writes a series of tests to ensure the C function implements the specification. Finally, he writes the function itself and runs the tests. This makes the programmer an adversary of himself. Precisely when he best has in mind the purpose of a function, he writes the tests for that function. Only after the tests exist and can provide evidence of the correctness of the function does he write the function itself.

The check framework aids in writing unit tests for programs specified in C. Check can use fork/exec to allow a series of tests to run even if one terminates due to a memory error, although this feature can be turned off to facilitate running the tests in a debugger. Check also supports environment variables that result in running a subset of tests.

It is possible to integrate check with a project that builds using the GNU autotools. First, add the following to the project’s configure.ac:

PKG_CHECK_MODULES([CHECK], [check &gt;= 0.9.4],have_check=yes,have_check=no)
AM_CONDITIONAL(HAVE_CHECK, test x"$have_check" = "xyes")

Next, add this to the Makefile.am responsible for compiling the project’s tests (replace … or omit the statement entirely):

if HAVE_CHECK
noinst_PROGRAMS += unit-test
endif

if HAVE_CHECK
unit_test_SOURCES = unit-test.c
unit_test_LDADD = ...
endif

Note that this example assumes that the project ships a library, namely libproj.

Each source file ought to contain tests. For example, this checks that the function x produces the string bar when passed foo:

#ifdef HAVE_CHECK

START_TEST(x_test)
{
    ck_assert_str_eq(x("foo"), "bar");
}
END_TEST

#endif

Refer to check’s documentation for a description of the API used to write such tests.

Writing the framework code necessary for test execution can be tedious, as it involves bundling tests into suites and maintaining a main function. Some projects include a script that generates this source; see libdmapsharing’s generate-test-suites, for example.

Measuring code coverage using gcov

Unit tests ought to maximally cover the body of source code that makes up a program. Although it is impossible to test other than the simplest programs across all possible inputs, testing should at least try to execute each possible branch in a program. GCC’s gcov can help achieve path coverage.

To use gcov to measure your path coverage, compile your program using -fprofile-arcs -ftest-coverage. You can build with the GNU autotools a configure script that activates these flags when passed --enable-coverage. To do this, use the following pattern in configure.ac:

AC_ARG_ENABLE(debug, [AC_HELP_STRING([--enable-debug],[enable debugging build])])
AC_ARG_ENABLE(coverage, [AC_HELP_STRING([--enable-coverage],[enable code-coverage build])])
if test "x$enable_debug" = "xyes"; then
    CFLAGS="$CFLAGS -g"
elif test "x$enable_coverage" = "xyes"; then
    CFLAGS="$CFLAGS -fprofile-arcs -ftest-coverage"
else
    CFLAGS="$CFLAGS -O2"
fi

AC_PROG_CC

Run your program after building it with gcov support. The result is an instrumented execution that will produce files containing the details of the execution. To view these details, run:

$ gcov foo.c

where foo.c is a source file. This will provide a summary along with a detailed report in foo.c.gcov. The report marks lines with an integer representing how many times that line executed. A line preceded by ##### did not execute, and thus indicates insufficient test coverage.

Some projects require an argument that points gcov to the directory containing the project’s object files (i.e., .libs). This is the case when the project includes library code:

$ gcov foo.c -o .libs/libfoo_1_0-foo.gnco

Catching memory errors with Valgrind

Valgrind helps find in programs memory errors such as buffer overflows and memory leaks, and thus it might help find bugs missed even when unit tests provide full path coverage. To use Valgrind, compile your program to include debugging symbols and without optimization. Then run the following (replace program -options …):

$ valgrind --leak-check=full --num-callers=100 program -options ...

The configure.ac fragment described in the gcov section above also provides support for a --enable-debug flag.

Catching memory errors with GCC

Always use GCC’s -Wall and -Wextra options.

GCC supports a -fsanitize=address option that instruments a program to catch memory errors, including out-of-bounds memory accesses and memory that is used after having been freed. Simply invoke the option when compiling, and run the resulting program. As a dynamic analyzer, this will only catch errors that manifest while running. Refer to GCC’s documentation for other GCC sanitize options.

GCC also supports a -fanalyzer option that invokes a static analyzer on the program GCC is compiling.

Catching programming errors with American Fuzzy Lop

Fuzzing provides randomized input patterns to a program in an attempt to cause the program to crash and thereby expose a bug. This technique might help find bugs missed by the techniques above.

For a program to be tested by American Fuzzy Lop (AFL), the program must read its input from standard input. If this is not the case, then you will need to write a wrapper program to facilitate testing.

To use AFL, compile your program using the following pattern:

$ afl-gcc program.c -o program

Next, craft a series of input patterns that will guide AFL as it later produces its random inputs. The AFL documentation describes how to do this, but placing the following in fuzz_testcase_dir/0 will cause AFL to produce character inputs:

Finally, run the program with:

$ afl-fuzz -i fuzz_testcase_dir -o fuzz_findings_dir ./fuzz

This will run AFL. AFL provides a real-time display and, when run as described, places crash-producing inputs in fuzz_findings_dir/crashes/.

Static linking with the GNU linker

When you statically link using the GNU linker, ld adds library symbols referenced by your code to the program it outputs. Ld adds these symbols using source-file granularity; that is, if you require the function foo, then ld will include foo along with any other symbols defined in the same source file as foo. If you want to produce small programs, then it might make sense to write your libraries such that each source file contains a single externally-visible function; this will minimize the amount of code included in your program.

Ld only includes symbols that you have not already defined, allowing you to override library functions. This must be used with care, because if you redefine foo but not bar but both were defined in the same library source file, then you will get a symbol conflict; ld will include both foo and bar, and the conflict arises as a result of two definitions: your foo and the library's foo.

Certificates

Thu, 12 Mar 2020 09:02:58 -0400

Generate

Generate a CA certificate and key

openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -extensions v3_ca -nodes -keyout ca.key -out ca.pem

This should result in a certificate with X509v3 Basic Constraints set to CA:TRUE.

Generate a self-signed certificate and key

openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.pem

Generate a PKCS#10 X.509 certificate signing request

Generate a private key:

openssl genrsa -out example.com.key 4096

Produce a corresponding CSR:

openssl req -new -key example.com.key -out example.com.csr

Review the CSR:

openssl req -in example.com.csr -noout -text

Generate a “CA”-signed certificate from a certificate signing request and “CA” certificate/key

openssl x509 -req -sha256 -days 365 -in example.com.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out example.com.pem

Display

Display in human-readable form the contents of a certificate in PEM format

openssl x509 -in example.com.pem -noout -text

Display in human-readable form the contents of a certificate in DER format

openssl x509 -in example.com.der -inform DER -noout -text

Display in human-readable form the contents of a certificate revocation list in DER format

openssl crl -in example.com.crl -inform DER -noout -text

Convert

Convert a PKCS#7 certificate into a X.509 certificate

openssl pkcs7 -print_certs -in example.com.p7p -out example.com.pem

Convert a certificate and private key into a PKCS#12 file

openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.pem -certfile ca.pem

DoD Common Access Card and other smartcards on Unix

Thu, 12 Mar 2020 09:02:58 -0400

Fedora

Prerequisites

Install the DoD root certificates:

Download the DoD root certificates. Visit the DoD PKI/PKE Document Library, and download the target of the link “PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.6”.
Unzip the downloaded package, and enter the unzipped directory.
Copy the certificates to the system directory: cp DoD_PKE_CA_chain.pem /etc/pki/ca-trust/source/anchors/.
Update the CA trust store: update-ca-trust.

Install the necessary packages: yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools
Start the PC/SC daemon: systemctl start pcscd
Configure the system to start the PC/SC daemon each time it boots: systemctl enable pcscd.service

DoD Common Access Card

This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.

Firefox

Insert your CAC into the smart-card reader
Introduce the PC/SC interface to Firefox:

Select Preferences→Privacy & Security
Select Security Devices
Select Load
Name the module something like CAC Support and select /usr/lib64/pkcs11/opensc-pkcs11.so

PAM

Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database: certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb
Review /etc/pam.d/smartcard-auth
Edit /etc/pam_pkcs11/pam_pkcs11.conf and set user_mappers to subject
Run pkcs11_inspect debug, and look for Printing data for ...
Edit /etc/pam_pkcs11/subject_mapping to contain something like CN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output from pkcs11_inspect and username with the corresponding UNIX username

GnuPG

First, complete the following steps:

Install the necessary packages: yum install dirmngr gnupg2-smime gnupg-pkcs11-scd
Add scdaemon-program /usr/bin/gnupg-pkcs11-scd to ~/.gnupg/gpg-agent.conf
Add the following to ~/.gnupg/gnupg-pkcs11-scd.conf:

providers p1
provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so
emulate-openpgpg
openpgp-sign hash
openpgp-encr hash
openpgp-auth hash

Replace hash with the output from echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)

Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/

PIVKey C910

A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:

Set the PIN of the smartcard (the default is 000000)
Set the administrative key of the smartcard (the default is 000000000000000000000000)
Load a PKCS#12 certificate/key onto the smartcard

The PIVKey C910 supports a number of key slots which are defined by various standards:

Slot identifier	Description
9A	Authentication (e.g., system logins)
9C	Digital signatures
9D	Key management (encryption)
9E	Card authentication; does not require PIN (e.g., door locks)

You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:

PivKeyTool.exe --listmd: List the certificates/keys present on the smartcard.
PivKeyTool.exe --listpiv: List the mappings between certificate IDs and key slots.
PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e: Establish a mapping between a certificate ID and key slot.

Once you have installed and configured GnuPG, you might find the following commands helpful:

gpg2 --card-status: Test the interoperability between GnuPG and the CAC
gpgsm --import DODCA_29.cer DODEMAILCA_29.cer: Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
gpgsm --import name.cer: Import the personal certificate downloaded from https://dod411.gds.disa.mil/
gpgsm --learn-card: Learn about the CAC
gpgsm --list-secret-keys: Describe the secret keys available on the CAC
gpgsm --verbose --disable-crl-checks --armour --sign path: Perform a test signature
gpgsm --verbose --disable-crl-checks --armour --verify path: Perform a test verification

Domain Controller

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to configure a computer running FreeBSD to serve as an Active Directory domain controller.

Base UNIX Domain Controller

First, setup the server:

Install FreeBSD and configure networking. Be sure to set the server’s hostname such as with hostname="dc.example.com" in /etc/rc.conf
Configure the Samba 4 port by entering /usr/ports/net/samba43/ and running make config. (The version 4.4 of the Samba port is presently broken.)
For a minimal install, select neither mDNSresponder nor avahi while configuring the build.
Build and install Samba 4 by running make install clean.
Activate filesystem ACLs in /etc/fstab, e.g., /dev/ada0p2 / ufs rw,acls 1 1.
Configure Samba by running samba-tool domain provision --use-rfc2307 --interactive.
Use samba-tool user add to add users to Samba’s authentication database.
Activate Samba by adding samba_server_enable="YES" to /etc/rc.conf.

Next, add a Windows client to the domain:

Set the Windows host’s DNS resolver to point to the Samba server’s IP address.
Right click on the computer icon; select properties; select change settings near the text computer name; and press the button to change the computer’s domain.
Select the domain radio button and type in Samba 4’s full domain.
Click ok and provide the administrative password for the Samba 4 domain.
Restart the client computer.

As an aside, Red Hat-derived Linux distributions such as RHEL, CentOS, and Fedora make it difficult to configure Samba 4 as an Active Directory domain controller. This is primarily because these distributions use MIT Kerberos, while many of the Active Directory-related features in Samba 4 require Heimdal Kerberos. Information about the coming solution to this problem can be found on the Internet, including as documented by the Samba project.

Adding Host Records to Samba’s DNS implementation

Each domain host will likely require a DNS record in Samba’s DNS service. You can use the following command to add an A record to the domain controller at dc.example.com for the host which is named host.example.com and bears the IP address 10.0.0.64: samba-tool dns add dc.example.com example.com host A 10.0.0.64.

Remote Management from a Windows Computer

Windows provides facilities for remotely managing domain-connected computers. In order to activate one such facility on a user computer, run the following on that user computer:

Enable-PSremoting

Once the user computer is set to accept remote-management requests, you can run the following command as the domain administrator from an administrative computer to test remote management (replace TARGET with the computer you intent to manage):

Invoke-Command -Computer TARGET -ScriptBlock { "C:\Program files" |  Get-ChildItem }

Smart-Card Authentication

Certificate Production

Establish a Certificate Authority

Smart-card-based authentication requires a number of certificates: CA "root-of-trust" certificate, a certificate for the domain controller, and certificates for each user.

Create a basic CA directory structure from within the root of where you intend to store your certificates and other materials: mkdir certs crl private newcerts.
Create a blank file named index.txt.
Create files named serial and crlnumber containing 00.
Add the following to /etc/openssl.cnf:

CRLURL      = [URL of CRL server, e.g., https://crl.example.com/example.com.crl]
BASEDIR     = [Base of certificate store; where signed certificates go]
COUNTRY     = [Two-letter country code]
STATE       = [State of province (not abbreviated)]
LOCALITY    = [City, town, etc.]
ORG         = [Name of organization]
OU          = [Organizational unit]
DOMAIN      = [Domain, e.g., example.com]
EMAIL       = [Email address]@$DOMAIN
DC          = [Hostname of domain controller]

# Using "ADSI Edit" on Windows:
#   1. Connect to domain controller
#   2. Default naming context
#   3. DC=...
#   4. OU=Domain Controllers
#   5. Right click on CN=... and select Properties
#   6. View objectGUID in hexadecimal
DCGUID      = [Domain controller's GUID in HEX, eg, FEEDDEADBEEF...]

# Using "ADSI Edit" on Windows:
#   1. Connect to domain controller
#   2. Default naming context
#   3. DC=...
#   4. CN=Users
#   5. Right click on CN=... and select Properties
#   6. View usePrincipalName
UPN         = [UPN of user]

oid_section = new_oids

[ new_oids ]
scardLogin = 1.3.6.1.4.1.311.20.2.2
msUPN      = 1.3.6.1.4.1.311.20.2.3
msKDC      = 1.3.6.1.5.2.3.5
msADGUID   = 1.3.6.1.4.1.311.25.1

[ ca ]
default_ca  = CA_default                  # The default ca section

[ CA_default ]
dir              = $BASEDIR               # Where everything is kept
certs            = $dir/certs             # Where the issued certs are kept
crl_dir          = $dir/crl               # Where the issued crl are kept
database         = $dir/index.txt         # database index file.
unique_subject   = yes                    # Set to 'no' to allow creation of
new_certs_dir    = $dir/newcerts          # default place for new certs.
certificate      = $dir/cacert.pem        # The CA certificate
serial           = $dir/serial            # The current serial number
crlnumber        = $dir/crlnumber         # the current crl number
crl              = $dir/ca-crl.pem        # The current CRL
private_key      = $dir/private/cakey.pem # The private key
RANDFILE         = $dir/private/.rand     # private random number file
# x509_extensions =               # Extensions to add to certificate
name_opt         = ca_default             # Subject Name options
cert_opt         = ca_default             # Certificate field options
crl_extensions   = crl_ext
default_days     = 730                    # how long to certify for
default_crl_days = 30                     # how long before next CRL
default_md       = sha256                 # use public key default MD
preserve         = no                     # keep passed DN ordering
policy           = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = match
commonName             = supplied
emailAddress           = supplied

[ req ]
default_bits           = 4096
default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca            # The extensions to add to the self signed cert
string_mask            = utf8only
attributes             = req_attributes

[ req_attributes ]
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName      = An optional company name

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = $COUNTRY
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = $STATE
localityName                   = Locality Name (eg, city)
localityName_default           = $LOCALITY
organizationName               = Organization Name (eg, company)
organizationName_default       = $ORG
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = $OU
emailAddress                   = Email Address
emailAddress_default           = $EMAIL
emailAddress_max               = 64
commonName                     = Common Name (eg, YOUR name)
commonName_default             = hostname.$DOMAIN
commonName_max                 = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign
crlDistributionPoints  = URI:$CRLURL
nsCertType             = sslCA, emailCA
subjectAltName         = email:copy
issuerAltName          = issuer:copy

[ crl_ext ]
issuerAltName          = issuer:copy
authorityKeyIdentifier = keyid:always

# Extensions for domain-controller certificates:

[ usr_cert_mskdc ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end-user certificate as a CA.
basicConstraints       = CA:FALSE
crlDistributionPoints  = URI:$CRLURL
nsCertType             = server
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
nsComment              = "Domain Controller Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = @dc_subjalt
issuerAltName          = issuer:copy
nsCaRevocationUrl      = $CRLURL
extendedKeyUsage       = clientAuth,serverAuth,msKDC

[dc_subjalt]
DNS                    = $DC
otherName              = msADGUID;FORMAT:HEX,OCTETSTRING:$DCGUID

# Extensions for smart-card user certificates:

[ usr_cert_scarduser ]

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end-user certificate as a CA.
basicConstraints       = CA:FALSE
crlDistributionPoints  = URI:$CRLURL
nsCertType             = client, email
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
nsComment              = Smart Card Login Certificate
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = email:copy,otherName:msUPN;UTF8:$UPN
issuerAltName          = issuer:copy
nsCaRevocationUrl      = $CRLURL
extendedKeyUsage       = clientAuth,scardLogin

Generate a CA Root Certificate

Properly define the variables at the top of openssl.cnf.
See notes on the use of certificates. You will want to use the -config openssl.cnf option to use the above configuration.

Generate a Certificate for Samba

Under the CA_default section of openssl.cnf, set x509_extensions = usr_cert_mskdc and ensure the line is not commented out.
Generate the certificate using openssl req -new -newkey rsa:4096 -keyout private/dc-key.pem -out dc-req.pem -config openssl.cnf -nodes.
Sign the Samba certificate using the CA certificate openssl ca -config openssl.cnf -in dc-req.pem -out dc-cert.pem.

Generate a Smart-Card User Certificate

Under the CA_default section of openssl.cnf, set x509_extensions = usr_cert_scarduser and ensure the line is not commented out.
Generate the certificate using openssl req -new -newkey rsa:2048 -keyout private/user-key.pem -out user-req.pem -config openssl.cnf -nodes. Note that you might have limited key types/sizes to choose from, depending on the type of smartcard you plan to use.
Sign the user certificate using the CA certificate openssl ca -config openssl.cnf -in user-req.pem -out user-cert.pem.
Install the certificate and private key onto a smartcard.

Certificate-Revocation-List Server

Configure, build, and install the apache24 port.
Generate and install a certificate and private key for Apache at /usr/local/etc/apache24/.
Configure Apache, including the following in /usr/local/etc/apache24/httpd.conf:

LoadModule ssl_module modules/mod_ssl.so
ServerName crl.example.com:443
Listen 443
SSLEngine on
SSLCertificateFile /usr/local/etc/apache24/crl.example.com.pem
SSLCertificateKeyFile /usr/local/etc/apache24/crl.example.com.key

Generate the CRL with openssl ca -config openssl.cnf -gencrl -out example.com.crl and install the result in Apache’s document directory.

Copy the necessary certificates and the CRL onto the Samba host (see the next step for what Samba will require).
Generate Diffie-Hellman parameters: openssl dhparam 4096 -out dc-dhparams.pem.
Add to smb4.conf:

tls enabled       = yes
tls certfile      = /usr/local/samba/private/tls/dc-cert.pem
tls keyfile       = /usr/local/samba/private/tls/secure/dc-privkey.pem
tls cafile        = /usr/local/samba/private/tls/cacert.pem
tls crlfile       = /usr/local/samba/private/tls/ca.crl
tls dhparams file = /usr/local/samba/private/tls/dc-dhparams.pem

Convert your PEM-format CA certificate to DER: openssl x509 -in cacert.pem -out cacert.cer -outform DER.
Convert your user certificate to DER: openssl x509 -in Administrator-cert.pem -out Administrator-cert.cer -outform DER.

Doppelganger

Thu, 12 Mar 2020 09:02:58 -0400

Doppelganger is configured as Mimic with the following exceptions:

Change the hostname in /etc/hostname.
Configure logging in a way appropriate for the host network.
Adjust mynetworks in golem’s /etc/postfix/main.cf, because Doppelganger might exist on a different network than Mimic.
Adjust /etc/postfix/saslpasswd and relayhost in golem’s /etc/postfix/main.cf to use a relay appropriate for Doppelganger’s network. Compile with postmap.
Install the wireguard-tools package, configure WireGuard by writing the configuration below to /etc/wireguard/wg0.conf, and run systemctl enable wg-quick@wg0.

[Interface]
Address = 192.168.2.4/32
ListenPort = 51820
# Generate with umask 077 && wg genkey | tee privkey | wg pubkey >pubkey
# Deploy public key to server.
PrivateKey = PRIVATEKEY

[Peer]
# Obtain public- and pre-shared-key from server.
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 192.168.2.0/24, 192.168.1.0/24
EndPoint = IP:51820
PersistentKeepalive = 30

Fedora Nano

Thu, 12 Mar 2020 09:02:58 -0400

Introduction

Fedora Nano is a project with three goals:

Develop and document a technique for installing the smallest possible Fedora installation onto a CompactFlash or other solid-state disk.
Provide a centralized location for package enhancement requests geared towards small, embedded systems. Most often, packages will be broken up into core and optional components, reducing core package dependencies.
Document redundancy within Fedora. Redundancy can be an indication of a healthy software environment as competing projects may promote innovation. However, redundancy also increases memory and disk usage and makes code auditing more difficult.

I am using the following components:

VIA EPIA ME6000 Fanless Mini-ITX Motherboard
PC2100/DDR266 256MB Memory
Morex 2699 Mini-ITX Case
Round IDE cables
CFDISK.2G CompactFlash to IDE adapter
Notebook 2.5" to 2.3" HD IDE adapter (soldered into molex connector)

Installation of Fedora 9 on a CompactFlash disk

These instructions assume your build host is of the same architecture as your target.

Create a filesystem on the CompactFlash disk and mount it at /mnt. Mount any other filesystems required on top of /mnt.
Use the command yumdownloader –installroot=/mnt –resolve –destdir=packages package to download the following packages and their dependencies (see also Use yum to install to a temporary, yumless filesystem, yum bug #1):
- filesystem
- busybox
Use the command rpm --root /mnt -Uvh packages/*.rpm to install the packages downloaded using the previous step.
At a minimum, create the following busybox links:
- ln -s /sbin/busybox /mnt/sbin/init
- ln -s /sbin/busybox /mnt/bin/sh
- ln -s /sbin/busybox /mnt/bin/hostname
- ln -s /sbin/busybox /mnt/bin/mv
- ln -s /sbin/busybox /mnt/bin/touch
Edit /mnt/etc/init.d/rcS to execute startup services.
Build and install a custom kernel (my configuration is available here):
- Copy your kernel config to .config and run make oldconfig or run make menuconfig to configure the kernel.
- make clean
- make clean binrpm-pkg
- rpm --root /mnt -Uvh /usr/src/redhat/RPMS/i386/*kernel*.rpm
Add an entry to /etc/grub.conf for the new root disk.
Execute grub-install primary-disk-devnode.
Use pwconv to create /etc/shadow.

In order to make the root filesystem readonly, perform the following steps:

/var, /home and /tmp should be mounted from a readwrite partition. I have these directories on one partition and mount them by adding /shared/var /var none bind 0 0 to /etc/fstab.
Set READONLY=yes in /etc/sysconfig/readonly-root.

Note: The febootstrap project looks like an interesting project to create a small Fedora installation.

Fine-grained Package Requests

Pull out perl dependency

Perl is a good language, but may be too large a requirement for some small systems.

Stunnel: Pull /usr/sbin/stunnel3 into seperate package?, ✓Red Hat Bugzilla #442842
Bogofilter: Pull /usr/bin/bogoupgrade into seperate package?, ✓Red Hat Bugzilla #442843

cups: /usr/lib/cups/backend/dnssd is written in perl. This is a CUPS backend that discovers printers using avahi. See the ✓CUPS Software Programmers Manual . move cups perl backends into sub package, ✓Red Hat Bugzilla #465157.
fedora-ds-base: Several FDS scripts are written in perl.
foomatic: Much of foomatic is written in perl. RFE: Migrate to C foomatic once feasible, Red Hat Bugzilla #466068
ghostscript: The X11 code in ghostscript could be placed in a separate package.
texlive-utils: The X11 code in texlive-utils (/usr/bin/mf) could be placed in a separate package.
avahi-tools: The X11 code in avahi-tools (/usr/bin/avahi-discover) could be placed in a separate package. avahi-discover requires GTK, should move to avahi-ui-tools, ✓Red Hat Bugzilla #513768.
postfix: /usr/sbin/qshape is written in perl. Pull components dependent on perl out of main postfix package?, ✓Red Hat Bugzilla #467529.
ntp: /usr/sbin/ntp-wait and /usr/sbin/ntptrace are written in perl.
net-snmp: Some components are written in perl.

Pull out MySQL dependency

Postfix: Provide both mysql and postgresql support using loadable maps patch, ✓Red Hat Bugzilla #455206

Break up ImageMagick

ImageMagick provides a valuable library for image processing. However, Fedora presently packages ImageMagick in such a way that several X11 libraries are always required. I proposed that ImageMagick be broken up into -libs and -utilities packages. See Make ImageMagick package more fine-grained, ✓Red Hat Bugzilla #478789.

Break up GStreamer

Fine-grained packaging of GStreamer would allow users to choose which modules they want to install. See ✓gstreamer-plugins should be split up, Red Hat Bugzilla #108463.

Separate documentation packages

Package documentation, installed in /usr/share/doc, can occupy a lot of storage space. It would be beneficial to separate documentation into a -doc sub-package.

Separate locale packages

The /usr/lib/locale and /usr/share/locale directories quickly grow as more internationalized packages are added to a system. It would be beneficial to control which locales are installed. Perhaps a specialized package installation system like the one that has been developed for media codecs could be applied to this problem.

Redundancy Tracker

Tracking redundancy throughout all of Fedora is beyond the scope of this project. Instead, we focus on redundencies brought in by the following packages:

Fedora Directory Server
Kerberos
FreeIPA
Apache
mod_nss
OpenSSH
Postfix
Dovecot
Samba
Avahi
Jabberd
Bogofilter
mt-daapd
inadyn

FreeIPA requires OpenLDAP, FDS requires mozldap

It now seems that the 389 Directory Server may build against OpenLDAP in the future. See ✓Use OpenLDAP Clients in 389. It would follow that FreeIPA could do the same.

Previously, I tried to remove the OpenLDAP requirement from FreeIPA. I submitted a ✓patch so that FreeIPA may be built against mozldap. This package was integrated into FreeIPA. However, it was later reported that my patch broke ipa-kpasswd. As a result, I submitted a ✓second patch that fixed a preexisting misuse of the OpenLDAP API. Ipa-server ends up requiring both openldap-clients and mozldap-tools, ✓Red Hat Bugzilla #434153.

The following packages require OpenLDAP:

quota
openldap-clients
postfix
openldap
httpd
cyrus-sasl
libcurl
libuser
nfs-utils-lib
krb5-server-ldap
curl
nss_ldap
GConf2
gnupg
samba-winbind
samba-common
samba
libsmbclient
sudo
autofs
apr-util-ldap
cups
dirmngr
gnupg2
dhcp

The following packages require mozldap:

ipa-client
slapi-nis
mozldap-tools
perl-Mozilla-LDAP
ipa-server
389-ds-base

NSS vs. OpenSSL vs. the world

The ✓Crypto Consolidation Bug is an ambitious project to make NSS the standard cryptological library for Fedora.

FiOS G1100 Bridge

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to configure a Verizon FiOS G1100 to act in bridge mode. This mode deactivates some cable television features, but it allows another router to obtain an IP address directly from Verizon. Other users have documented these steps in publications such as DSL Reports.

Login to the G1100 from a computer which is directly connected to one of the G1100’s LAN ports.
Select Wireless Settings→ Basic Security Settings, and turn off 2.4 Ghz and 5 GHz wireless. Click Apply.
Select Wireless Settings→Advanced Security Settings, and disable 2.4 GHz and 5 GHz SSID broadcasting.
Select Firewall, and set Minimum Security for both IPv4 and IPv6. Click Apply.
Select My Network→Network Connections→ Advanced. Disable the listed access points, and click Apply.
Note the listed broadband connection. Select it, along with Settings, and uncheck Internet Connection Firewall. Set Internet Protocol to No IP Address. Click Apply. At this point, you will loose you connection to the Internet through the G1100.
Click Release and then Apply.
Select My Network→Network Connections→Network (Home/Office). Change the G1100’s IP address to 192.168.1.2 so as not to conflict with the replacement router. Under the bridge section, check Broadband Connection (Ethernet/Coax) and uncheck both wireless APs. Change IP Address Distribution to Disabled.
Click Apply. The G1100 is now in bridge mode, so it will no longer obtain an IP address. Connect your replacement router to one of the G1100’s LAN ports. From this point forward, you can interact with the G1100 by connecting a computer to its WAN port and manually assigning the computer an IP address on the 192.168.1.0/24 network.

firewalld

Thu, 12 Mar 2020 09:02:58 -0400

Commands that make use of --permanent will not take effect until firewalld restarts.

List the known zones:

firewall-cmd --get-zones

View information about the active zones:

firewall-cmd --get-active-zones

Add an interface to the DMZ zone:

firewall-cmd --permanent --zone=dmz --change-interface=interface
In /etc/sysconfig/network-scripts/ifcfg-interface, set ZONE=dmz

List the services known by firewalld—known service definitions exist in /usr/lib/firewalld/services/:

firewall-cmd --get-services

Describe the service named https:

firewall-cmd --info-service https

List the services permitted within within the zone named public:

firewall-cmd --zone=public --list-all

Permit the https service on the interfaces in the dmz zone:

firewall-cmd --permanent --zone=dmz --add-service=https

and:

firewall-cmd --zone=dmz --add-service=https

Define a new service, based on Wazuh:

* `firewall-cmd --permanent --new-service=wazuh` * `firewall-cmd --permanent --service=wazuh --set-description="Wazuh agent communication"` * `firewall-cmd --permanent --service=wazuh --set-short="Wazuh"` * `firewall-cmd --permanent --service=wazuh --add-port=1514/tcp` * `firewall-cmd --permanent --service=wazuh --add-port=1515/tcp` * `firewall-cmd --permanent --zone=public --add-service=wazuh`

Log rejections:

firewall-cmd --set-log-denied=all

Forensic analysis

Thu, 12 Mar 2020 09:02:58 -0400

Post-compromise analysis on Red-Hat-like operating systems

This describes some useful techniques for performing a post-compromise forensic analysis of a Red-Hat-like operating system, such as Red Hat Enterprise Linux, CentOS, and Fedora. While these instructions are RPM-centric, similar techniques could apply elsewhere, for example by replacing rpm with dpkg and yum with apt. We assume that you have an image of the compromised host’s disk partition (or partitions) which we refer to here as /evidence/partition.img. Where a whole disk is required, we use the name /evidence/disk.img. (See below for how to manipulate a partition within a whole-disk image and how to deal with Linux Volume Management.) We further assume that the compromised host was protected by neither a trusted boot process, nor a file integrity tool such as Tripwire, nor an encrypted disk. Such protections would only make this task easier.

Partition carving and Linux Volume Management

Given a whole-disk image, you can mount a single partition by first identifying where the partition begins with parted and then providing this byte offset to the mount command. The following example assumes a 512-byte sector size while mounting partition one:

$ parted /evidence/disk.img unit s print
WARNING: You are not superuser.  Watch out for permissions.
Model:  (file)
Disk /evidence/disk.img: 62914560s
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start     End        Size       Type     File system  Flags
 1      2048s     1026047s   1024000s   primary  xfs          boot
 2      1026048s  62914559s  61888512s  primary               lvm

$ sudo mount -o offset=$((2048*512)) /evidence/disk.img /mnt/

In the above example, the second partition is dedicated to LVM. You can mount partitions subject to LVM in this way:

$ sudo kpartx -va /evidence/disk.img
add map loop1p1 (253:4): 0 1024000 linear /dev/loop1 2048
add map loop1p2 (253:5): 0 61888512 linear /dev/loop1 1026048
$ ls /dev/mapper/
centos-root  loop1p1
centos-swap  loop1p2
control
$ sudo mount /dev/mapper/centos-root /mnt

Analysis setup

First, you will mount /evidence/partition.img into the filesystem of a trustworthy (i.e., likely uncompromised) computer. It would not hurt to isolate this computer from the rest of your network, but it is very important that you not immediately directly boot /evidence/partition.img. (Some analysis will require that you boot partition.img; you will need to decide when to do so in order to perform tests like netstat checks.)

mount /evidence/partition.img /mnt

It is possible that you will start with a disk image which is in some virtualization-platform format. If this is the case, then you can use qemu-img to convert it to a raw disk image. For an example of a disk-image-format conversion, see our notes on virtualization.

Weak RPM verification

The following will check the integrity of the files which were installed on /evidence/partition.img (mounted at /mnt) from RPM packages. However, this check relies on the integrity of the (possibly compromised) RPM database on /evidence/partition.img, and so the results here cannot be fully trusted. Despite this step’s flaws, it might turn up something of interest, especially if the attacker was careless.

sudo rpm --root /mnt --verify -a | grep "\(^[^.]\)\|^.[^.]\|^..[^.]\|^...[^.]\|^....[^.]\|^.....[^.]\|^......[^.]\|^.......[^.T]\|^........[^.]"

The rpm manpage documents the details of the output from this command. In summary, it indicates which files have changed since being installed from an RPM package. The use of grep prints only the files RPM thinks are modified other than mere mtime changes.

Trustworthy RPM verification

Here we describe how to check the integrity of a program named foo which we assume to have been installed using the package foo-version.rpm. You can identify version by running sudo rpm --root /mnt -q foo. Let us first install a trustworthy copy of foo on our trustworthy host:

sudo yum --releasever=/ --installroot=/tmp/scratch install foo-version

You will likely find that yum installs a number of dependencies for foo. This can cause trouble, because we are about to compare files on the compromised host with the files we download here. Rather than allow yum to install the latest versions of dependencies, you ought to install the same version which is present on the compromised host. Note the dependencies, identify the proper versions using rpm ... -q ..., and explicitly add these dependencies to the yum command line. You should write a script to perform these steps.

Once you have installed a trustworthy copy of the software which exists on the compromised host, you can start comparing files. This is a matter of running

md5sum /mnt/path/to/file

and

md5sum /scratch/path/to/file

and comparing the hashes. Again, you should write a script to automate these steps.

Considering the nature of dynamically-linked programs

Does a proper hash of /usr/bin/foo mean that foo is not compromised? No! Modern systems employ shared libraries, which a dynamic linker combines with program code at runtime. To illustrate this, run the following command to display the shared libraries that foo makes use of:

ldd /usr/bin/foo

If you run this command, then you should see that foo makes use of a number of shared libraries. You must check the integrity of each of these in addition to foo itself. Some programs are instead statically linked (i.e., all of their code is present in a single executable file). The file command will report whether a given executable is dynamically or statically linked.

Some environment variables influence from where the dynamic linker will load shared libraries. These include LD_LIBRARY_PATH and LD_PRELOAD. An attacker could set these variables to cause the linker to load a library from an unexpected location. Likewise, the dynamic linker honors a number of configuration files, including /etc/ld.so.conf and /etc/ld.so.preload.

Particularly dangerous programs

Setuid-bit programs run with the privileges of the owner of the program's file within the filesystem instead of the parent process. This mechanism is often used to temporarily escalate privileges, and so compromised setuid-bit programs are particularly dangerous. You can list the setuid-bit programs on the compromised system by running the following command:

find /mnt -perm -4000 -type f

A second set of commands which are dangerous are those that listen on a network socket. If they are compromised, then they might give a remote attacker access to the computer. To view the programs which are listening on (or are connected via) UNIX-domain, TCP, and UDP sockets, run:

netstat -ap

It is wise to compare these setuid and network-facing programs to the list of files modified since being installed by RPM.

Even more dangerous is a compromised kernel or bootloader, which we describe next.

The boot process

Modern PC hardware first executes a bootloader either from a master-boot record or—on capable firmware—from a particular file within a filesystem. In either case, the bootloader could be compromised. To investigate the 512-byte master-boot record, copy it to /scratch using:

dd bs=1 count=512 if=/evidence/disk.img of=/scratch/mbr

Other documentation describes the structure of the master-boot record.

The GRUB 2 bootloader places a stage-one bootloader, boot.img, within the master-boot record. This stage-one loader loads a stage-1.5 loader, core.img, which exists between the master-boot record and the first disk partition. The stage 1.5 loader also maintains a configuration file and a number of loadable modules which perform various tasks such as parsing various filesystem layouts. GRUB 2's first interaction with a filesystem takes place while executing its stage-two loader which finally loads the OS kernel. The stage-two loader is generally found in the /boot directory, and its configuration exists at /boot/grub2/config AKA /etc/grub2.cfg.

Checking GRUB 2 requires inspecting the stage-one, stage-1.5, and stage-two loaders as well as the related configuration files and loadable modules.

Instead of verifying each of GRUB 2's installed files, you can merely overwrite them with trustworthy copies. Updating a GRUB 2 installation is a matter of running as root:

grub2-mkconfig > /boot/grub2/grub.cfg
grub2-install /dev/sda

Kernels exist in /boot, and are named vmlinuz-version. Each kernel can load dynamic modules into its address space, and these modules exist in /lib/modules.

Checking a kernel is a matter of checking the kernel itself, as well as each of its loadable modules. While you can use the lsmod to review the currently loaded kernel modules, it is likely that lsmod is compromised.

The files /etc/passwd, /etc/shadow, and /etc/group define standard UNIX accounts and groups. However, many programs perform authentication using Pluggable Authentication Modules (PAM) which provide many other authentication techniques. Such techniques include Kerberos, NIS, and so on. The PAM modules each PAM-capable program uses to authenticate are defined using configuration files in /etc/pam.d. Thus checking for proper authentication involves:

Checking the integrity of each authenticating program
Checking the PAM configuration of each authenticating program
Checking the accounts themselves (e.g., expected accounts with strong passwords)

Graphical login authentication is generally performed using a display manager such as gdm, and text logins usually use agetty which spawns login.

Access controls

Access controls constrain programs. On UNIX, OS objects—such as files—bear permissions. For example, ls -l /path/to/file will display the permissions (along with other information) for the file at /path/to/file. An attacker might perturb these permissions to make returning to the compromised computer easier in the future. Thus it is wise to check the permissions of installed files in a manner similar to how you checked the integrity of the files themselves.

Permissions on block and 8char device nodes* are particularly troublesome. For example, if a block device which corresponds to a disk has permissive access controls, then an attacker could use this block device to undermine the access controls within the filesystem contained therein. To enumerate all of the device nodes on the compromised host, run

find /mnt -type b -o -type c

Other forms of access controls provide stronger or more expressive protections. For example, a filesystem’s access-control lists can be displayed using getfacl /path/to/file. SELinux policy source and binary files exist in /etc/selinux/, and SELinux can be activated/deactivated by editing /etc/sysconfig/selinux.

Checklist

Verify kernel, kernel modules, and GRUB 2 (do not forget to look for extra kernel modules)
Verify setuid programs and their shared libraries
Verify programs and their shared libraries
Verify permissions (especially device nodes)
Verify SELinux policy
Review PAM configurations
Review accounts
Review boot services
Review cron and at jobs

Golem

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Golem, a multi-function server. Golem runs on commodity router hardware and provides a number of features:

SSH access
a media service compatible with iTunes
a file share
an LDAP and Kerberos service
a network proxy
a NetFlow collector

We build Golem on top of OpenWrt because of the distribution’s simplicity and small size. Golem is made up of roughly 120 packages, and its programs and configurations take up less than 50 MB of storage space. Here we assume that Golem will run within the confines of a Xen hypervisor.

Establish the Golem VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Golem:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/golem-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/golem-data.qcow.
Write the following at /etc/xen/vm-golem.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "golem"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [
  "tap2:tapdisk:aio:/var/lib/xen/images/golem-lede-17.01.1-x86-64-combined-ext4.img,xvda,w",
  "tap2:qcow:/var/lib/xen/images/golem-data.qcow,xvdb,w"
          ]
serial  = "pty"

Software installation

Perform the following steps on Golem:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
	logd \
	luci \
        luci-app-firewall \
        luci-base \
        luci-lib-ip \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
	block-mount \
	ca-certificates \
	dmapd \
	freifunk-watchdog \
	gst1-mod-app \
	gst1-mod-audioconvert \
	gst1-mod-audioparsers \
	gst1-mod-flac \
	gst1-mod-gio \
	gst1-mod-id3demux \
	gst1-mod-lame \
	gst1-mod-mpeg2dec \
	gst1-mod-mpg123 \
	gst1-mod-ogg \
	gst1-mod-playback \
	gst1-mod-theora \
	gst1-mod-typefindfunctions \
	gst1-mod-vorbis \
	krb5-server \
	nfdump \
	nfs-kernel-server \
	openldap-server \
	rsync \
	syslog-ng \
	tinyproxy \
	zoneinfo-core \
	zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring Kerberos authentication

/etc/krb5.conf (replace EXAMPLE.COM):

[libdefaults]
	default_realm = EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = false
	ticket_lifetime = 24h
	forwardable = yes

[realms]
	EXAMPLE.COM = {
		kdc = localhost:88
		admin_server = localhost:749
		default_domain = local
	}

[domain_realm]
	.local = EXAMPLE.COM
	local = EXAMPLE.COM

Add Kerberos principals by running kadmin.local and then add_principal user for each user.

Configuring LDAP network information

/etc/openldap/example.com.cert: Place your certificate in /etc/openldap/example.com.cert.
/etc/openldap/example.com.key: Place your private key in /etc/openldap/example.com.key.
/etc/openldap/ca.cert: Place your CA certificate in /etc/openldap/ca.cert.
/etc/openldap/slapd.conf (replace PASSWORD and example.com):

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/autofs.schema
include         /etc/openldap/schema/sudoers.schema

allow bind_v2

TLSCACertificateFile /etc/openldap/ca.cert
TLSCertificateFile /etc/openldap/example.com.cert
TLSCertificateKeyFile /etc/openldap/example.com.key

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

database        ldif
directory	/etc/openldap/db
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          PASSWORD

/etc/openldap/schema/sudoers.schema:

attributetype ( 1.3.6.1.4.1.15953.9.1.1
	NAME 'sudoUser'
	DESC 'User(s) who may  run sudo'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
	NAME 'sudoHost'
	DESC 'Host(s) who may run sudo'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
	NAME 'sudoCommand'
	DESC 'Command(s) to be executed by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
	NAME 'sudoRunAs'
	DESC 'User(s) impersonated by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
	NAME 'sudoOption'
	DESC 'Options(s) followed by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
	NAME 'sudoRunAsUser'
	DESC 'User(s) impersonated by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
	NAME 'sudoRunAsGroup'
	DESC 'Group(s) impersonated by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
	NAME 'sudoNotBefore'
	DESC 'Start of time interval for which the entry is valid'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
	NAME 'sudoNotAfter'
	DESC 'End of time interval for which the entry is valid'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
	NAME 'sudoOrder'
	DESC 'an integer to order the sudoRole entries'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
	DESC 'Sudoer Entries'
	MUST ( cn )
	MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
		sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
		sudoOrder $ description )
	)

From a computer with ldapadd on golem’s network, execute ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f accounts.ldif, where accounts.ldif contains records like (replace example, com, user, and Some User):

dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
o: Example Organization
dc: example

dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master

dn: automountMapName=auto_root,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_root

dn: automountKey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
automountInformation: auto_root

dn: automountKey=/home,automountMapName=auto_root,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: golem.example.com:/home/

dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

dn: cn=ldapusers,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword:: WFhYWA==
gidNumber: 1002

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=user,ou=people,dc=example,dc=com
uid: user
cn: Some User 
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: WFhYWA==
loginShell: /bin/bash
uidNumber: 1102
gidNumber: 1002
homeDirectory: /home/user
gecos: Some User

dn: ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=user,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: user
sudoUser: user
sudoHost: ALL
sudoCommand: ALL

Configuring the dmapd media server

/etc/dmapd.conf:

[General]
Database-Dir=/mnt/sda1/var/dmapd

[Music]
Type=DAAP
Dirs=/mnt/sda1/Storage/Music/
Transcode-Mimetype=audio/mp3

[Picture]
Type=DPAP
Dirs=/mnt/sda1/Storage/Pictures/

Configuring NFS

/etc/exports:

/mnt/sda1 *(fsid=root,rw,insecure,no_subtree_check,async)
/mnt/sda1/Storage *(rw,insecure,no_subtree_check,async)
/mnt/sda1/home *(rw,insecure,no_subtree_check,async)

Configuring Tinyproxy

/etc/tinyproxy-filter.conf: List the websites that you want tinyproxy to allow access to, one per line (e.g., www.example.com).

Configure the firewall

/etc/config/firewall:

config defaults
        option drop_invalid 1
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

config zone
        option name lan
        option network lan
        option input ACCEPT
        option output ACCEPT
        option forward DROP

Configure basic system settings

/etc/config/fstab:

config global automount
	option from_fstab 1
	option anon_mount 1

config global autoswap
	option from_fstab 1
	option anon_swap  1

/etc/config/nfs:

config nfs nfs
	option minversion '4'

/etc/config/system:

config system
	option hostname	golem.example.com
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/tinyproxy:

config tinyproxy

option enable 1
option User nobody
option Group nogroup
option Port 8080
option Timeout 600
option SysLog 1
option LogLevel Info
option MaxClients 100
option MinSpareServers 1
option MaxSpareServers 3
option StartServers 1
option MaxRequestsPerChild 0
option ViaProxyName "tinyproxy"
option Filter "/etc/tinyproxy-filter.conf"
option FilterDefaultDeny 1

/etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

config process
        option process crond
        option initscript '/etc/init.d/cron'
	
config process
	option process dmapd
	option initscript /etc/init.d/dmapd	

config process
	option process krb5kdc
	option initscript /etc/init.d/krb5kdc
	
config process
	option process slapd
	option initscript /etc/init.d/ldap

/etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

/etc/config/nfcapd:

config nfcapd nfcapd
	option enabled 1
	option port 9995
	option logdir /mnt/sda1/var/log/netflow

Growing a filesystem

Thu, 12 Mar 2020 09:02:58 -0400

Growing a Linux filesystem requires the manipulation of each level of abstraction involved from filesystem to disk partition. Here we assume that the disk is a virtual disk image and that the following things must be resized: the virtual disk image, the partition, the LVM volume group, the LVM logical volume, and the filesystem. Other scenarios will require similar procedures. We assume that you want to increase the size of a filesystem within the disk image named disk.img by 16 GB.

First, shut down the virtual machine which contains the disk you want to grow. Next, increase the size of the disk image:

dd if=/dev/zero bs=1G count=16 >> disk.img

You should complete the next steps from within the virtual machine. However, if you are resizing the root filesystem, then you will need to boot the virtual machine using some form of bootable external media. In any case, these instructions assume that the disk you resize is not mounted. Here we assume the disk is known as /dev/sda, that you want to resize partition 2, that the LVM logical volume you wish to resize is known as /dev/mapper/centos-root, and that all of this hosts an XFS filesystem.

Run fdisk /dev/sda to delete and recreate partition 2. Use d to delete, and n to create. When recreating partition 2, use the same start block, but use the new end block.
Run kpartx -va /dev/sda to scan the disk’s LVM logical volumes.
Run pvresize /dev/sda2 to cause LVM to use all of /dev/sda2’s new size.
Run pvdisplay to confirm the change.
Run lvextend -L+16GB /dev/mapper/centos-root to extend the logical volume to span the new disk size.
Resize the filesystem using xfs_growfs /.

GStreamer

Thu, 12 Mar 2020 09:02:58 -0400

Adjust the system volume (e.g., bind these to the volume-control keys on a keyboard):

amixer set Master 5%+ unmute; ogg123 /usr/share/sounds/freedesktop/stereo/bell.oga
amixer set Master 5%- unmute; ogg123 /usr/share/sounds/freedesktop/stereo/bell.oga
amixer set Master toggle;     ogg123 /usr/share/sounds/freedesktop/stereo/bell.oga

Record audio:

arecord -f S16_LE -c 2 output.wav

Manipulate PulseAudio:

PULSE_RUNTIME_PATH=/var/run/user/UID/pulse pacmd ...

Get the title of a DVD:

dvdbackup -i /dev/cdrom -I | head -n 1 | awk -F \" '{ print $2 }'

Backup a DVD to an image file:

readom dev=/dev/cdrom f=output.iso

Alternatively:

dvdbackup -i /dev/cdrom -M
genisoimage -dvd-video -o output.iso /path/to/dvd/folder

Gst-launch examples

Transcode to WebM/VP8/Vorbis and scale to 1280×720 (this format is often used with HTML5):

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	webmmux name=mux ! filesink location=output.webm \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! vp8enc ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! vorbisenc ! mux.

Transcode to QuickTime/H.264 and scale to 1280×720 (this format is often used with HTML5, and it is—with the `profile=high` setting—suitable for Firefox and iOS/Safari):

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	qtmux name=mux ! filesink location=output.mov \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! x264enc ! \
                   video/x-h264,profile=high ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! avenc_aac ! mux.

Transcode to Ogg/Theora/Vorbis and scale to 1280×720 (this format is sometimes used with HTML5 on open-source browsers):

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	oggmux name=mux ! filesink location=output.ogg \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! theoraenc ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! vorbisenc ! mux.

Transcode to MPEG2 and scale to 1280×720:

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	avmux_mpeg name=mux ! filesink location=output.mpg \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! avenc_mpeg2video ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! lamemp3enc ! mux.

Transcode title two from a DVD to the QuickTime format above:

gst-launch-1.0 dvdreadsrc title="2" device=/dev/cdrom ! decodebin name="decoder" \
        qtmux name=mux ! filesink location=output.mov \
        decoder. ! videoscale ! video/x-raw,width=720,height=480 ! videoconvert ! x264enc ! mux. \
        decoder. ! progressreport ! audioconvert ! audiorate ! avenc_aac ! mux.

Build a stop-motion video out of a series of images (the first command normalizes the images names—otherwise, there might be a missing number):

i=0; for f in *.JPG; do mv $f $i.JPG; i=$((i+1)); done
gst-launch-1.0 multifilesrc location=%d.JPG caps=“image/jpeg,framerate=(fraction)4/1” 

! jpegdec ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! videorate ! theoraenc 

! oggmux ! filesink location=output.ogg

Combine two videos to produce a blue/green-screen effect (here we specify the RGB values of the mask):

gst-launch-1.0 compositor name=mixer ! videoconvert ! xvimagesink \
	filesrc location=background.mts ! decodebin ! alpha ! mixer.sink_0 \
	filesrc location=foreground.mts ! decodebin \
	! alpha method=custom target-r=182 target-g=168 target-b=148 ! mixer.sink_1

Determine the plugin graph produced by playbin:

GST_DEBUG_DUMP_DOT_DIR=/tmp/ gst-launch-1.0 playbin uri=file:///path
dot -Tpng output.dot > graph.png

The first command will produce a number of GraphViz files which represent the pipelines produced by playbin. The most interesting of these is often the one that contains the string READY_PAUSED. The second command produces an image file which represents one of the pipelines.

Guardian

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Guardian, a switch, router, and firewall. Guardian runs on commodity router hardware and provides a number of features, including:

a wireless access point,
a switch comprised of a number of Gigabit Ethernet ports,
a firewall and NAT translator, and
a print service.

Guardian is made up of the following hardware components:

a Microtik RouterBoard 493G,
a Microtik RouterBoard R52n-M miniPCI wireless adapter,
a Microtik 5V USB power injector,
a RouterBoard 493G case with interior USB extension cable,
two whip antennas,
a Belkin USB-to-RS-232 adapter,
an RS-232 cable,
a null-modem adapter,
a GFP121U-0520 GME switching AC/DC power adapter, and
a USB printer.

I purchased my hardware from Baltic Networks.

Selecting the software for a Guardian image

This section describes how to gather and select the OpenWrt source code which makes up Guardian.

Obtain the OpenWrt source tree using git clone https://git.openwrt.org/openwrt/openwrt.git.
Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.
Activate the necessary packages using:

./scripts/feeds install ca-certificates \
                        ddns-scripts \
                        freifunk-watchdog \
                        libustream-openssl \
                        openvpn \
                        p910nd \
                        rsync \
                        wget \
                        zoneinfo-core \
                        zoneinfo-northamerica

Run make menuconfig and select:

Target System: Atheros ATH79 (DTS)
Subtarget: Mikrotik devices
Target Profile: MikroTik RouterBoard 493G
Target Images: ramdisk then tar.gz (Note that you need to build twice for the RB493G: (1) for a TFTP image and (2) for an installable rootfs image.)
Base system:
- ca-certificates
- Kernel Modules:
  - Netfilter Extensions: kmod-ipt-tee
  - Other modules: kmod-softdog
  - USB Support:
    - kmod-usb-ohci
    - kmod-usb-printer
    - kmod-usb2
  - Wireless Drivers: kmod-ath9k
LuCI: Freifunk: freifunk-watchdog
Network:
- File Transfer:
  - rsync
  - wget
- Firewall: iptables-mod-tee
- IP Addresses and Names:
  - ddns-scripts
  - ddns-scripts_no-ip.com
- Printing: p910nd
- VPN:
  - openvpn-openssl
Utilities:
- zoneinfo: zoneinfo-northamerica

Create the directory files and populate it as described in the following sections.

Configuring the network interfaces

Aside from the standard loopback device, Guardian provides for four networks:

a private LAN for workstations and internal servers (192.168.1.128/25),
a public LAN for Internet-facing servers (192.168.1.0/25),
a WAN (DHCP-assigned), and
a network for use with OpenVPN (192.168.2.0/24).

Guardian splits its switch ports between the private and public LANs. Guardian also provides WiFi connectivity to its private and public LANs.

/etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config switch
	option name switch0
	option enable 1
	option reset 1
	option enable_vlan 1

config switch
	option name switch1
	option enable 1
	option reset 1
	option enable_vlan 1

# Private:
config switch_vlan
	option device switch0
	option vlan 0
	option vid 100
	# 0: CPU, 1--4: phy. ports, 5 unused.
	# t indicates packets sent will be VLAN tagged; rec'd must match tag. 
	option ports "0t 1 2 3 4"

config interface privlan
	option ifname 'eth0.100 tap0' # Bridge in OpenVPN tap device.
	option type bridge
	option proto static
	option ipaddr 192.168.1.129
	option netmask 255.255.255.128

# Public:
config switch_vlan
	option device switch1
	option vlan 1
	option vid 200
	# 0: CPU, 1--4: phy. ports, 5 below.
	# t indicates packets sent will be VLAN tagged; rec'd must match tag. 
	option ports "0t 1 2 3 4"

config interface publan
	option ifname eth1.200
	option type bridge
	option proto static
	option ipaddr 192.168.1.1
	option netmask 255.255.255.128

# WAN:
config switch_vlan
	option device switch1
	option vlan 2
	option vid 300
	# t indicates packets sent will be VLAN tagged; rec'd must match tag. 
	option ports "0t 5"

config interface wan
	option ifname eth1.300
	option proto dhcp
	# Use OpenDNS (not ISP DNS) for content filter.                              
	option dns  "208.67.222.123 208.67.220.123"                                  
	option peerdns 0 

# OpenVPN:
config interface vpn
	option ifname tun0
	option proto none

/etc/config/wireless (replace PCIPATH, ExampleCom, ExampleComGuest, KEY1, and KEY2):

config wifi-device radio0
	option type     mac80211
	option country	US
	option channel  11
	option hwmode   11ng
	option htmode   HT20
	option path     PCIPATH
	list ht_capab   SHORT-GI-40
	list ht_capab   TX-STBC
	list ht_capab   RX-STBC1
	list ht_capab   DSSS_CCK-40

config wifi-iface                  
	option device   radio0     
	option network  privlan    
	option mode     ap         
	option ssid     ExampleCom
	option encryption psk2       
	option key      KEY1

config wifi-iface                                                               
	option device   radio0                                                  
	option network  publan                                                  
	option mode     ap                                                      
	option ssid     ExampleComGuest
	option encryption psk2                                                  
	option key      KEY2

Configuring the firewall

Guardian’s firewall drops most incoming traffic destined for its private and OpenVPN LANs. Guardian also blocks outgoing DNS queries from its LANs which are destined to servers other than Guardian. Aside from this, Guardian allows:

connections from the private LAN to Guardian,
connections from the OpenVPN LAN to Guardian,
DHCP and DNS requests from the public LAN to Guardian,
and OpenVPN connections from anywhere to Guardian.

Guardian allows LDAPS and Kerberos traffic to flow from the public LAN to the private LAN because it assumes that the network’s authentication services exist on the private LAN.

Guardian redirects connections for the following services from the WAN to 192.168.1.5 on the public LAN:

SSH,
HTTP,
HTTPS,
SMTP,
XMPP client-to-server connections, and
XMPP server-to-server connections.

Guardian also provides a copy of all packets to 192.168.1.8 for analysis.

/etc/config/firewall:

config include
	option path /etc/firewall.user

config defaults
	option drop_invalid 1
	option input DROP
	option output DROP
	option forward DROP

# WAN: NAT, drop incoming; accept outgoing; drop forward.
config zone
	option name wan
	option network wan
	option input DROP
	option output ACCEPT
	option forward DROP
	option masq 1

# Private LAN: drop incoming; accept outgoing; reject forward.
config zone
	option name privlan
	option network privlan
	option input DROP
	option output ACCEPT
	option forward REJECT

# Public (guest) LAN: drop incoming; accept outgoing; reject forward.
config zone
	option name publan
	option network publan
	option input DROP
	option output ACCEPT
	option forward REJECT

# OpenVPN LAN: drop incoming; accept outgoing; reject forward.
config zone
	option name vpn
	option network vpn
	option input DROP
	option output ACCEPT
	option forward REJECT

# Forward from private LAN to WAN.
config forwarding
	option src privlan
	option dest wan

# Forward from public LAN to WAN.
config forwarding
	option src publan
	option dest wan

# Forward from OpenVPN LAN to WAN.
config forwarding
	option src vpn
	option dest wan

# Forward from private LAN to public LAN.
config forwarding
	option src privlan
	option dest publan

# Forward from OpenVPN LAN to public LAN.
config forwarding
	option src vpn
	option dest publan

# Forward from OpenVPN LAN to private LAN.
config forwarding
	option src vpn
	option dest privlan

# Forward from private LAN to OpenVPN LAN.
config forwarding
	option src privlan
	option dest vpn

# Forbid DNS requests to outside servers unless from router.
config rule
	option target REJECT
	option src *
	option dest wan
	option dest_port 53
	option proto tcpudp

# Allow DNS requests from public LAN.
config rule
	option target ACCEPT
	option src publan
	option dest_port 53
	option proto tcpudp

# Allow ALL connections from private LAN to router.
config rule
	option target ACCEPT
	option src privlan
	option proto all

# Allow ALL connections from OpenVPN LAN to router.
config rule
	option target ACCEPT
	option src vpn
	option proto all

# Allow OpenVPN connections from anywhere to router.
config rule
	option target ACCEPT
	option src *
	option dest_port 1194
	option proto udp

# Allow DHCP requests from public LAN to router.
config rule
	option target ACCEPT
	option src publan
	option src_port 67-68
	option dest_port 67-68
	option proto udp

# Allow LDAPS requests from public LAN to private LAN.
config rule
	option target ACCEPT
	option src publan
	option dest privlan
	option dest_port 636
	option proto tcp

# Allow Kerberos requests from public LAN to private LAN.
config rule
	option target ACCEPT
	option src publan
	option dest privlan
	option dest_port 88
	option proto tcp

# Redirect HTTP to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 80
	option dest_ip 192.168.1.5
	option dest publan

# Redirect HTTPS to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 443
	option dest_ip 192.168.1.5
	option dest publan

# Redirect SMTP to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 25
	option dest_ip 192.168.1.5
	option dest publan

# Redirect Jabber client-to-server connections to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 5222
	option dest_ip 192.168.1.5
	option dest publan

# Redirect Jabber server-to-server connections to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 5269
	option dest_ip 192.168.1.5
	option dest publan

/etc/firewall.user:

iptables -t mangle -A INPUT  ! -s 192.168.1.8/32 -j TEE --gateway 192.168.1.8
iptables -t mangle -A OUTPUT ! -d 192.168.1.8/32 -j TEE --gateway 192.168.1.8
iptables -t mangle -A FORWARD ! -d 192.168.1.8/32 ! -s 192.168.1.8/32 -j TEE --gateway 192.168.1.8

Configure OpenVPN

Guardian accepts OpenVPN connections, allowing access to its private LAN from remote workstations.

/etc/config/openvpn (replace example.com):

package openvpn

config openvpn privlan
	option enable 1
	option port 1194
	option proto udp
	option dev tun0
	option txqueuelen 1000
	option tun-mtu 1500
	option mssfix 1300
	option ca /etc/openvpn/ca.cert
	option cert /etc/openvpn/example.com.cert
	option key /etc/openvpn/example.com.key
	option dh /etc/openvpn/dh2048.pem
	option ifconfig-pool-persist /tmp/ipp.txt
	option keepalive '10 120'
	option persist-key 1
	option persist-tun 1
	option status /var/log/openvpn-status.log
	option verb 3
	option server '192.168.2.0 255.255.255.0'
	option client-to-client 1
	option tls-version-min 1.2
	option tls ECDHE-RSA-AES256-GCM-SHA384
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.1.129'
	list push 'route 192.168.1.0   255.255.255.128'
	list push 'route 192.168.1.128 255.255.255.128'

## Configure basic system settings

1. `/etc/config/p910nd`:

config p910nd option device /dev/usb/lp0 option port 0 option bidirectional 1 option enabled 1

2. `/etc/config/system`:

config system option hostname guardian.example.com option timezone EST5EDT,M3.2.0,M11.1.0

config timeserver ntp list server 0.openwrt.pool.ntp.org list server 1.openwrt.pool.ntp.org list server 2.openwrt.pool.ntp.org list server 3.openwrt.pool.ntp.org option enabled 1 option enable_server 0

3 `/etc/config/ddns` (replace `examplecom`, `example.com`, `USERNAME`, and `PASSWORD`):

config service ’examplecom' option enabled ‘1’ option interface ‘wan’ option service_name ’no-ip.com' option lookup_host ‘www.example.com’ option domain ’example.com' option username ‘USERNAME’ option password ‘PASSWORD’ option use_https ‘1’ option cacert ‘/etc/ssl/certs’ option use_syslog ‘3’ 4. /etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

config process
	option process crond
	option initscript '/etc/init.d/cron'
	
config process
	option process dnsmasq
	option initscript /etc/init.d/dnsmasq
	
config process
	option process p910nd
	option initscript /etc/init.d/p910nd

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

/etc/config/dhcp:

config dhcp privlan
	option interface    privlan
	option start        138 # Room for static at bottom.
	option limit        254 # Room for OpenVPN at top.
	option leasetime    24h
	# GW, DNS:
	list dhcp_option "3,192.168.1.129"
	list dhcp_option "6,192.168.1.129"

config dhcp publan
	option interface    publan
	option start        10
	option limit        126
	option leasetime    24h
	# GW, DNS:
	list dhcp_option "3,192.168.1.1"
	list dhcp_option "6,192.168.1.1"

config dnsmasq
	option leasefile   '/tmp/dhcp.leases'
	option resolvfile  '/tmp/resolv.conf.auto'
	option localise_queries 1

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option name 'host.example.com'
	option ip '192.168.1.2'
	option mac 'aa:bb:cc:dd:ee:ff'

/etc/hosts (replace examplecom):

127.0.0.1 localhost
192.168.1.1 guardian.example.com
192.168.1.5 www.example.com example.com

Build software and perform installation

Run make V=99.
Install the image you just built onto your router. The instructions here require a computer running Linux, in addition to the Guardian device.

On the Linux computer:
1. Install dhcp-server, tftp-server, minicom, mtd-utils, and mtd-utils-ubi. Configure minicom to emulate an 115,200-bps 8N1 terminal without hardware flow control and without software flow control.
2. Temporarily disable the host’s firewall (or allow incoming TFTP requests).
3. Run the tftp service with in.tftpd -v -s -p -L /var/lib/tftpboot/.
4. Place openwrt-ath79-mikrotik-mikrotik_routerboard-493g-initramfs-kernel.bin in /var/lib/tftpboot.
5. Set the computer’s IP address to 192.168.1.3 using ip addr add 192.168.1.3/24 dev enp0s25. (You might have to do this repeatedly, because the Linux computer’s interface might drop its IP address when the router reboots.)
6. Configure DHCP as shown below (replace XX:XX:XX:XX:XX:XX with your router’s MAC address (likely eth1), which you can discover using the router’s firmware utility), and start the DHCP server with systemctl start dhcpd.

allow booting;
allow bootp;

subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.3;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.1.255;
}

group {
	host routerboard {
		hardware ethernet XX:XX:XX:XX:XX:XX;
		next-server 192.168.1.3;
		fixed-address 192.168.1.2;
		filename "openwrt-ath79-mikrotik-mikrotik_routerboard-493g-initramfs-kernel.bin";
	}
}

On the router:
1. At boot menu, use e to erase the existing OS firmware.
2. Instruct the boot firmware to boot from the network (select o, e, and x). In order to boot the router over the network, it might be necessary to reset the Linux computer’s IP address (because the IP address might have been lost after the link momentarily went down). After the router boots, it might be necessary to wait while the router configures its network interfaces and generates its SSH keys; you might also need to deactivate the firewall’s router to permit SSH connections over its WAN interface.
3. After booting, run passwd to set the root password.
4. The router’s IP address should now be 192.168.1.2. Use scp to copy openwrt-ath79-mikrotik-mikrotik_routerboard-493g-squashfs-sysupgrade.bin to the router.
5. Run sysupgrade -n openwrt-ath79-mikrotik-mikrotik_routerboard-493g-squashfs-sysupgrade.bin.
6. Reboot the router, ensuring it boots from its internal flash.

Finalize the router install:

Run passwd to set the root password.
Create the OpenVPN key material using:
1. clean-all
2. build-ca
3. build-dh
4. build-key-server example.com
5. build-key client
Copy ca.cert, dh2048.pem, example.com.cert, and example.com.key to /etc/openvpn.
Copy ca.cert, dh2048.pem, client.cert, and client.key to the client’s /etc/openvpn.

Configure OpenVPN on each client host.

Place the client’s certificate, the client’s private key, and the CA certificate in /etc/openvpn.
Option 1: Configuration using NetworkManager
1. Create a new VPN connection using NetworkManager.
2. Under Advanced→TLS Authentication:
3. Set Subject Match to /CN=example.com.
4. Select Verify peer (server) certificate usage signature and set to Server.
Option 2: Direct configuration of OpenVPN
1. Copy /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up and client.down to /etc/openvpn.
2. Set the scripts’ permissions with chmod +x client.up client.down.
3. /etc/openvpn/example.conf (replace client.cert, client.key, and server.example.com):

dev tun
proto udp
verb 3
ca /etc/openvpn/ca.cert
cert /etc/openvpn/client.cert
key /etc/openvpn/client.key
dh /etc/openvpn/dh2048.pem
persist-tun
persist-key
client
remote-cert-tls server
remote server.example.com 1194
script-security 2
up /etc/openvpn/client.up
down /etc/openvpn/client.down

  4. `ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@example.service`
  5. `systemctl start openvpn@example.service`

Hardening Unix computers

Thu, 12 Mar 2020 09:02:58 -0400

This describes some techniques which help harden Unix computers, that is reduce the likelihood that the will be compromised by an attacker. There is some overlap with another document, forensic analysis. This is because both hardening and forensic analysis require a deep understanding of how Unix works.

Strong access controls

If available, administrators should learn and apply the strong access controls available on their computers. For example, mandatory access control systems such as SELinux or AppArmor go a long way to constrain programs beyond the traditional Unix access controls. Using these controls requires a bit of study, but can provide a large benefit. Another document, SELinux, provides a basic introduction to SELinux.

Passwords and system accounts

Ideally, passwords should be used only for local authentication, where a user must be physically present at the computer performing authentication. The reason for this is that passwords are often compromised using various forms of guessing attacks, and extending password-based authentication beyond physically-present users increases the set of people who can mount these attacks. Other forms of authentication, such as public-key-based systems should authenticate network users.

The passwords that do exist must be strong. In most cases, as review of /etc/passwd will reveal the accounts which will need a password audit.

Another consideration is whether accounts should exist in the first place. A review of /etc/passwd will reveal a number of accounts with a legitimate shell and other accounts whose shell is set to something like /sbin/nologin. You should remove unnecessary accounts of the former case. Accounts of the latter case are pseudo-users. They do not have passwords, and are generally created by the act of installing some package. Pseudo-users exist to run software with the least privileges possible. To remove these latter accounts, remove unnecessary packages.

Pluggable Authentication Modules

Checking the integrity of each authenticating program
Checking the PAM configuration of each authenticating program
Checking the accounts themselves (e.g., expected accounts with strong passwords)

Graphical login authentication is generally performed using a display manager such as gdm, and text logins usually use agetty which spawns login.

Service/application-level accounts

Some services, such as databases and web-based applications, often provide their own account databases instead of relying on the system accounts provided by Unix. In such cases, you must audit these accounts too, as they exist separately from the system accounts. Since each account is defined in an application-specific way, you will need to refer to each service’s documentation to find out how to review that service’s accounts.

Least privilege

Avoid running programs as root to the maximum extent possible. Network-facing programs should run as pseudo-users, except when root privileges are absolutely needed (see the design of OpenSSH, qmail, Postfix, and Dovecot). X11 applications should never run as root. Indeed, even administrators should minimize running programs as root to avoid accidents. Use sudo to administer your system.

Minimal packages

A hardened computer contains only the software needed to serve its purpose. On Red Hat-like version of Linux, you can enumerate the packages installed with rpm -qa and remove a package with rpm -e *pkg-name*. In general, you should interact with the computer’s package system (i.e., RPM on Red Hat, dpkg on Debian/Ubuntu, or ports on BSD) rather than manually removing things with rm.

Dangerous programs

It is very difficult to audit everything on a modern, general-purpose computer (very small distributions such as OpenWrt can be of help here). Because of this, it is wise to consider those programs which might give an attacker a foothold on the computer. This includes network-facing programs and setuid-bit programs.

Network-facing programs

One way to audit the network-facing programs running on a computer is with a port scan. The nmap utility serves this purpose. There are a few things to remember here:

nmap scans only common ports by default, but you can scan all ports using -p1-;
nmap scans TCP by default, but you can scan UDP using -sU; and
nmap scans IPv4 by default, but you can scan IPv6 using -6.

You should scan the entire port range of IPv4 TCP and UDP and also IPv6 TCP and UDP.

Setuid-bit programs

find /mnt -perm -4000 -type f

It is especially important to remove unnecessary programs which have their setuid bit set.

Memory-bug countermeasures

Attackers sometimes use a memory bug present in a program to a undermine security policy. Such bugs include unchecked buffer accesses. It is generally best to select software which is written using a type-safe language, because type-safe languages remove entire classes of bugs. However, sometimes software written in unsafe languages such as C cannot be avoided. In these cases, certain features of Unix and compilers can help thwart attacks on memory bugs.

The following is a list of memory exploits along with countermeasures.

Stack smash, payload on stack: Non-executable stack, a feature of Unix.
Stack smash, return to existing library: Stack canaries, a compiler feature.
Stack smash, return-oriented programming: Address-space layout randomization, a feature of Unix which relies on code compiled in a position-independent way.

While these techniques can make the act of exploiting a bug more difficult, they often fail when software has more than one bug. For examples, ASLR might be ineffective in the presence of both a buffer-overflow bug and a bug which leaks the address of one of the program’s symbol.

Centralized logging

Computers should log events and send these logs to a centralized log consolidator using an encrypted and authenticated network channel. This allows a network administrator to view the activities on his network in a unified manner, and it stores a record of the activities on each computer separate from the computer being monitored. If a computer is compromised, the attacker might find it difficult to compromise the log server. Of course, the log server itself must also be hardened. Another document, logging strategies, describes one way to build a logging system with these properties.

Update software

Ensure that the software on the computer is up-to-date. You can do this using the computer’s package-management tool.

SSH configuration

Administrators commonly use SSH to administer a set of computers. SSH is a good choice, because it encrypts the connections it provides. Yet SSH can succumb to password-guessing attacks. For this reason, administrators should configure SSH to use public-key-based authentication and forbid password-based authentication.

You can disable OpenSSH’s use of passwords by setting PasswordAuthentication to no in /etc/ssh/sshd_config.

Generating the keys necessary for public-key-based authentication is a matter of running ssh-keygen -b 4096 and copying the resulting ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys on the computers you wish to login on.

Herald

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Herald, a multi-function server. Herald runs on commodity router hardware and provides a number of features:

SSH access
a web service with PHP support
an SMTP service
an IMAP service
a Git service

We build Herald on top of OpenWrt because of the distribution’s simplicity and small size. Herald is made up of roughly 120 packages, and its programs and configurations take up less than 50 MB of storage space. Here we assume that Herald will run within the confines of a Xen hypervisor.

Establish the Herald VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Herald:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/herald-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/herald-data.qcow.
Write the following at /etc/xen/vm-herald.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "herald"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [
  "tap2:tapdisk:aio:/var/lib/xen/images/herald-lede-17.01.1-x86-64-combined-ext4.img,xvda,w",
  "tap2:qcow:/var/lib/xen/images/herald-data.qcow,xvdb,w"
          ]
serial  = "pty"

Software installation

Perform the following steps on Herald:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
	logd \
        luci-app-firewall \
        luci-lib-ip \
	luci-lib-jsonc \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
	luci-mod-admin-full \
	luci-base \
	luci \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
        block-mount \
        bogofilter \
        ca-certificates \
        dovecot (with GSSAPI and LDAP modules) \
	dovecot-pigeonhole \
        freifunk-watchdog \
        git \
        lighttpd \
	lighttpd-mod-accesslog \
        lighttpd-mod-auth \
        lighttpd-mod-authn_file \
        lighttpd-mod-authn_gssapi \
        lighttpd-mod-fastcgi \
        lighttpd-mod-redirect \
        lighttpd-mod-setenv  \
        php7 \
        php7-fastcgi \
        php7-mod-ctype \
        php7-mod-curl \
        php7-mod-dom \
        php7-mod-exif \
        php7-mod-fileinfo \
        php7-mod-gd \
        php7-mod-hash \
        php7-mod-iconv \
        php7-mod-json \
        php7-mod-mbstring \
        php7-mod-opcache \
        php7-mod-openssl \
        php7-mod-pdo \
        php7-mod-pdo-sqlite \
        php7-mod-session \
        php7-mod-simplexml \
        php7-mod-sqlite3 \
        php7-mod-xml \
        php7-mod-xmlreader \
        php7-mod-xmlwriter \
        php7-mod-zip \
	php7-pecl-krb5 \
	php7-pecl-ldap \
	php7-pecl-mcrypt \
        postfix \
        rsync \
	syslog-ng \
        zoneinfo-core \
        zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring the lighttpd web server

Here we describe how to configure lighttpd to redirect HTTP to HTTPS; authenticate using passwords or GSSAPI, depending on which network the client connects from; maintain a log using syslog; and support FastCGI.

Create /etc/lighttpd/htpasswd to define non-Kerberos accounts which mirror the accounts defined by the network’s Kerberos server.
Set up lighttpd’s Kerberos principal by running kadmin.local on the network’s Kerberos server, and executing the following commands (replace example.com and EXAMPLE.COM):
1. add_principal -randkey HTTP/www.example.com@EXAMPLE.COM
2. (if needed) purgekeys -all HTTP/www.example.com@EXAMPLE.COM
3. ktadd -k keytab HTTP/www.example.com@EXAMPLE.COM
To configure Firefox to authenticate using Kerberos, visit about:config and set (replace example.com):
1. network.negotiate-auth.trusted-uris = https://
2. network.negotiate-auth.delegation-uris = .example.com
. Ensure the /etc/krb5.conf on each client contains dns_canonicalize_hostname = false.
Copy keytab from the network’s Kerberos server to /etc/lighttpd/ on Herald. Set the ownership and permissions of the file with chgrp www-data keytab and chmod 640 keytab, respectively.
/etc/lighttpd/example.com.pem: Some TLS certificate authorities provide free TLS/X.509 certificates. Run openssl req -out CSR.csr -new -newkey rsa:4096 -nodes -keyout privateKey.key to generate a private key and corresponding certificate signing request. You should submit the request (CSR.csr) to your certificate authority, and they should respond with your new certificate, a root CA certificate, and an immediate certificate. Concatenate the private key and certificate to produce etc/lighttpd/example.com.pem.
/etc/lighttpd/ca.pem: Concatenate the immediate and root certificate to produce etc/lighttpd/ca.pem.
/etc/lighttpd/dh-param.pem: Generate Diffie-Hellman parameters using openssl dhparam -out dh-param.pem -2 2048.
/etc/lighttpd/lighttpd.conf (replace example.com):

server.modules = (
)

server.errorlog-use-syslog  = "enable"
server.document-root        = "/mnt/sda1/var/www/example.com"
server.upload-dirs          = ( "/tmp" )
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "http"
server.groupname            = "www-data"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                                "index.lighttpd.html" )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/example.com.pem"
        ssl.ca-file = "/etc/lighttpd/ca.pem"
}

include       "/etc/lighttpd/mime.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"

/etc/lighttpd/conf.d/10-redirect.conf:

server.modules += ( "mod_redirect" )

$HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
        }
}

/etc/lighttpd/conf.d/20-auth.conf (replace network-cidr, example.com, EXAMPLE.COM, protected-path and application-name; network-cidr represents the network containing the hosts which have access to Kerberos authentication):

server.modules += ( "mod_auth" )

$HTTP["remoteip"] == "network-cidr" {
	auth.backend                  = "gssapi"
	auth.backend.gssapi.keytab    = "/etc/lighttpd/keytab"
	auth.backend.gssapi.principal = "HTTP/www.example.com@EXAMPLE.COM"

        auth.require = (
		"/protected-path" => (
			"method"  => "gssapi",
			"realm"   => "EXAMPLE.COM",
			"require" => "valid-user"
		),
	)
} else {
	auth.backend                   = "htpasswd"
	auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"

	auth.require = (
		"/protected-path" => (
			"method"  => "basic",
			"realm"   => "application-name",
			"require" => "valid-user"
		),
	)
}

/etc/lighttpd/conf.d/30-accesslog.conf:

server.modules += ( "mod_accesslog" )
  
accesslog.use-syslog   = "enable"
accesslog.syslog-level = 6

/etc/lighttpd/conf.d/30-fastcgi.conf:

server.modules += ( "mod_fastcgi" )

fastcgi.server = (
        ".php" => ((
                "bin-path" => "/usr/bin/php-cgi",
                "socket" => "/tmp/php-fastcgi.socket"
        ))
)

Set the ownership of lighttpd’s sensitive files using chown root:www-data /etc/lighttpd/*.pem /etc/lighttpd/htpasswd, and set the permissions on these files with chmod 640 /etc/lighttpd/*.pem /etc/lighttpd/htpasswd.
/etc/php.ini: Set doc_root = "/mnt/sda1/var/www/example.com", error_log = syslog, and date.timezone = America/New_York. 15.

Configuring the Postfix SMTP server and Bogofilter spam filter

/etc/postfix/master.cf (replace host.example.com):

# Do not filter mail from localhost (e.g., from Roundcube or a ssh tunnel).
127.0.0.1:smtp      inet  n       -       n       -       -       smtpd

# Filter all other mail through bogofilter (see below).
host.example.com:smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=filter

pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
filter	  unix	-	n	n	-	-	pipe
   flags=Rq user=bogofilter argv=/usr/sbin/postfix-bogofilter -f ${sender} -- ${recipient}

/etc/postfix/main.cf (replace host.example.com, example.com, and mailrelay.example.com):

mail_owner = postfix
setgid_group = postdrop

myhostname = host.example.com
myorigin = example.com
mynetworks = 127.0.0.0/8 192.168.1.0/24

queue_directory = /mnt/sda1/var/spool/postfix
data_directory = /mnt/sda1/var/lib/postfix
mail_spool_directory = /mnt/sda1/var/spool/mail
virtual_mailbox_base = /mnt/sda1/var/spool/mail

relay_domains = $mydestination

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
	permit_mynetworks,
	reject_non_fqdn_helo_hostname,
	reject_invalid_helo_hostname,
	permit

strict_rfc821_envelopes = yes
disable_vrfy_command = yes

smtpd_relay_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unauth_destination

# Note, we leave reject_rbl_client-like checks for later processing.
smtpd_recipient_restrictions =
	permit_mynetworks,
	reject_unauth_pipelining,
	reject_invalid_hostname,
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	reject_unknown_reverse_client_hostname,
	reject_unauth_destination,
	reject_rhsbl_helo dbl.spamhaus.org,
	reject_rhsbl_sender dbl.spamhaus.org,
	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14],
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client dyna.spamrats.com,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
	reject_rbl_client truncate.gbudb.net,
	reject_rbl_client dnsbl.cobion.com,
	reject_rbl_client bl.fmb.la=127.0.0.2,
	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client bl.spamcop.net,
	check_recipient_access cdb:/etc/postfix/recipient_access,
	check_sender_access cdb:/etc/postfix/sender_access,
	reject

relayhost = [mailrelay.example.com]:587
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = cdb:/etc/postfix/saslpasswd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous

virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_mailbox_lock = fcntl
virtual_uid_maps = ldap:/etc/postfix/ldap-uids.cf
virtual_gid_maps = static:8
virtual_alias_maps = cdb:/etc/postfix/virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp

message_size_limit = 104857600
mailbox_size_limit = 0
virtual_mailbox_limit = 0

unknown_local_recipient_reject_code = 550
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

biff = no
html_directory = no
manpage_directory = no
readme_directory = no
inet_protocols = ipv4

mailbox_transport = lmtp:unix:private/dovecot-lmtp

/etc/postfix/virtual (replace recipient@example.com):

root recipient@example.com

/etc/postfix/saslpasswd (replace mailrelay.example.com, user@example.com, and password):

[mailrelay.example.com]:587 user@example.com:password

/etc/postfix/recipient_access (replace unrestricted_recipient@example.com):

unrestricted_recipient@example.com OK

/etc/postfix/sender_access (replace permitted_sender@example.com):

permitted_sender@example.com OK

Use postmap to compile each of virtual, saslpasswd, recipient_access, and sender_access.
/etc/postfix/aliases: Set the recipient of root's mail and run postalias /etc/postfix/aliases.
/etc/postfix/ldap-users.cf (replace ldap-server and dc=example,dc=com):

server_host = ldaps://ldap-server
server_port = 636
search_base = ou=people,dc=example,dc=com
version = 3
query_filter = uid=%u
result_attribute = uid

/etc/postfix/ldap-uids.cf (replace ldap-server and dc=example,dc=com):

server_host = ldaps://ldap-server
server_port = 636
search_base = ou=people,dc=example,dc=com
version = 3
query_filter = uid=%u
result_attribute = uidNumber

Check the ownership of Postfix's spool directories.
Create a bogofilter user in /etc/passwd, /etc/group, and /etc/shadow. Set the user’s shell to /bin/false and his home directory to /mnt/sda1/var/spool/bogofilter.
Create the directory /mnt/sda1/var/spool/bogofilter. Restrict the permissions of this directory so that only the bogofilter user may access it. Configure bogofilter to make use of the directory by modifying /etc/bogofilter.cf:

bogofilter_dir=/mnt/sda1/var/spool/bogofilter

Set the ownership of /etc/bogofilter.cf with chown bogofilter /etc/bogofilter.cf.

Configuring the Dovecot POP3/IMAP server

Set up Dovecot’s Kerberos principal by running kadmin.local on the network’s Kerberos server, and executing the following commands (replace example.com and EXAMPLE.COM):
1. add_principal -randkey imap/www.example.com@EXAMPLE.COM
2. (if needed) purgekeys -all imap/www.example.com@EXAMPLE.COM
3. ktadd -k keytab imap/www.example.com@EXAMPLE.COM
Copy keytab from the network’s Kerberos server to /etc/dovecot on Herald. Set the ownership and permissions of the file with chown dovecot keytab and chmod 600 keytab, respectively.
/etc/dovecot/dovecot.conf (replace example.com):

protocols = imap pop3 lmtp

auth_gssapi_hostname = "$ALL"
auth_mechanisms = plain login gssapi
auth_krb5_keytab = /etc/dovecot/keytab

userdb {
	driver = ldap
	args = /etc/dovecot/dovecot-ldap.conf
}

passdb {
	driver = passwd-file
	args = /etc/dovecot/passwd
}

service imap-login {
        inet_listener imaps {
                port = 0
        }
}

service pop3-login {
        inet_listener pop3s {
                port = 0
        }
}

service lmtp {
	unix_listener /mnt/sda1/var/spool/postfix/private/dovecot-lmtp {
		user = postfix
		group = postfix
		mode = 0600
	}
}

protocol lmtp {
	postmaster_address = postmaster@flyn.org
	hostname = flyn.org
	mail_plugins = $mail_plugins sieve
}

plugin {
        fts_autoindex=yes                                                            
	sieve_default = /etc/dovecot/sieve/default.sieve
}

ssl = required
ssl_cert = </etc/dovecot/example.com.cert
ssl_key = </etc/dovecot/example.com.key
ssl_dh = </etc/dovecot/dh-param.pem
mail_location = \
	mbox:/mnt/sda1/var/spool/mail/%n-folders:INBOX=/mnt/sda1/var/spool/mail/%n
mail_access_groups = mail
default_login_user = nobody
disable_plaintext_auth = yes
auth_username_format = %Ln
mbox_write_locks = fcntl

/etc/dovecot/dovecot-ldap.conf (replace dc=example,dc=com):

hosts = localhost
base = ou=people,dc=example,dc=com
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))

/etc/dovecot/passwd (replace placeholder fields; hope to eventually use Kerberos):

user:{PLAIN}password:uid:gid:Full Name:/var/run/dovecot:/bin/false

/etc/dovecot/sieve/default.sieve:

require [
	"body",
	"fileinto",
	"regex",
	"variables"
];

set "blacklist" "(a v(e)*ry bad word|viagra)";

if header :matches "X-Bogosity" "Spam,*" {
	fileinto "Junk";
}

elsif header :regex "Subject" "${blacklist}" {
	fileinto "Junk";
}

elsif body :regex "${blacklist}" {
	fileinto "Junk";
}

else {
	keep;
}

/etc/dovecot/dh-param.pem: Generate Diffie-Hellman parameters using openssl dhparam -out dh-param.pem -2 2048.
Run sievec /etc/dovecot/sieve.
Copy certificate and private key to example.com.cert and example.com.key, respectively.
Set the ownership of Dovecot’s files using chown -R dovecot /etc/dovecot, and set the permissions on the most sensitive files with chmod 600 /etc/dovecot/example.com.key /etc/dovecot/passwd.

Configure Git

Add /usr/bin/git-shell to /etc/shells.
Create a git user in /etc/passwd, /etc/group, and /etc/shadow. Set the user’s shell to /usr/bin/git-shell and his home directory to /mnt/sda1/var/git.
Install the authorized users’ public SSH keys at /mnt/sda1/var/git/.ssh/authorized_keys.

Configure the host firewall

/etc/config/firewall:

config defaults
	option drop_invalid 1
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name lan
	option network lan
	option input DROP
	option output ACCEPT
	option forward DROP

# Allow SSH connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 22

# Allow SMTP connections from LAN.
config rule                 
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 25

# Allow IMAP connections from LAN.
config rule                 
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 143

# Allow HTTP connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 80

# Allow HTTPS connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 443

Configure basic system settings

/etc/config/fstab:

config mount
        option device   /dev/sda1
        option target   /mnt/sda1
	option fstype   ext4
        option options  rw
        option enabled  1
        option enabled_fsck 0

/etc/config/php7-fastcgi:

config php7-fastcgi
	option enabled 1

/etc/config/system:

config system
	option hostname	herald.flyn.org
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

config process
        option process crond
        option initscript '/etc/init.d/cron'
	
config process
	option process lighttpd
	option initscript /etc/init.d/lighttpd

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

Herald applications

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to install a number of web applications on Herald. In each case, the instructions describe setting up the application within a local directory for later synchronization with Herald. This adds a bit of complexity but leaves the web applications managed in the same way as static files.

We call the local directory Local Root and the remote directory on Herald Remote Root. Under the conditions of the default install, Remote Root is /mnt/sda1/var/www/example.com on Herald. We also reference Remote Parent which is /mnt/sda1/var/www/ by default.

Nextcloud server

Installation

Download the Nextcloud Server source code.
Extract the source code at Local Root and rename its top-level folder to share.
Synchronize Local Root with Herald.
Create the directory Remote Root/example.com/share/data.
Run chgrp -R www-data Remote Root/example.com/share/apps Remote Root/example.com/share/config Remote Root/example.com/share/data.
Run chmod -R g+w Remote Root/example.com/share/apps Remote Root/example.com/share/config Remote Root/example.com/share/data.
Ensure that the file /etc/ssl/openssl.cnf exists, even if it is empty.
Use a browser to visit https://www.example.com/share/.

Once functioning, it is desirable to move Nextcloud Server’s data directory to Remote Parent/nextcloud-data.

Run mv Remote Root/example.com/share/data Remote Parent/nextcloud-data.
Update Remote Root/example.com/share/config/config.php to contain the following definition of datadirectory (replace Remote Parent):

'datadirectory' => 'Remote Parent/nextcloud-data/',

You might want to install a number of NextCloud applications, namely:

Calendar
Contacts
Deck
Forms
JavaScript XMPP Client
Mail
Polls
Talk
Workflow external scripts

Finally copy the apps and config directories back to Local Root/share. You should do this again each time you install a new Nextcloud application.

Configure

Using the Nextcloud Settings interface, configure Nextcloud in the following way:

Under Administration: Groupware, set a provisional email account.
Under Administration: JavaScript XMPP Client, set an external XMPP server.

Upgrade

Place the new version of Nextcloud at Local Root/share-new.
Synchronize Local Root with Herald.
Copy the old configuration into the new directory, but edit to use nextcloud-data-new.
Run chgrp -R www-data Remote Root/example.com/share-new/apps Remote Root/example.com/share-new/config.
Run chmod -R g+w Remote Root/example.com/share-new/apps Remote Root/example.com/share-new/config.
Run cp -a Remote Parent/nextcloud-data Remote Parent/nextcloud-data-new.
From Remote Root/example.com/share-new/, run php-cli occ upgrade.
Run mv Remote Root/example.com/share Remote Root/example.com/share-old.
Run mv Remote Root/example.com/share-new Remote Root/example.com/share.
Run mv Remote Parent/nextcloud-data Remote Parent/nextcloud-data-old.
Run mv Remote Parent/nextcloud-data-new Remote Parent/nextcloud-data.

Hugo

Thu, 12 Mar 2020 09:02:58 -0400

Hugo is a static HTML and CSS website generator, and Academic adds themes and features to Hugo.

Clone the Hugo Academic kickstart project: git clone https://github.com/sourcethemes/academic-kickstart.git www.example.com.
Enter the www.example.com directory.
Clone the theme submodule: git submodule update --init --recursive.
Edit the files in content/home, setting the active flag based on the site needs.
Edit config/_default/params.toml and config/_default/config.toml as appropriate. Set disablePathToLower = true in config.toml.
Edit content/authors/admin/_index.md.
Replace content/authors/admin/avatar.jpg or configure to use Gravatar.
Replace assets/images/icon.png with a 512×512 image.
Create content using commands like hugo new --kind project notes/foo.md.
Edit config/_default.menu.toml.
Adjust appearance by editing assets/scss/custom.scss.
Run hugo server to test the site.

insert

Thu, 12 Mar 2020 09:02:58 -0400

Many laptops and other small devices do not have an insert key. X11 allows you to remap keys using xmodmap.

Identify the event that you want to produce an insert: run xev and press the key to be remapped
Run xmodmap -e "keycode CODE = Insert"

LaTeX

Thu, 12 Mar 2020 09:02:58 -0400

After a fresh install of Fedora, I sometimes see the error “pdfTeX error (font expansion): auto expansion is only possible with scalable fonts” when running pdflatex. Installing the texlive-collection-fontsextra package collection seems to fix this.

The following error is fixed by installing texlive-updmap-map:

kpathsea: Running mktexpk --mfmode / --bdpi 600 --mag 1+57/600 --dpi 657 ptmri8r
gsftopk: fatal: map file `psfonts.map' not found.
mktexpk: don't know how to create bitmap font for ptmri8r.
mktexpk: perhaps ptmri8r is missing from the map file.
kpathsea: Appending font creation commands to missfont.log.
 )
!pdfTeX error: pdflatex (file ptmri8r): Font ptmri8r at 657 not found
 ==> Fatal error occurred, no output PDF file produced!
make: *** [Makefile:48: 02_summary.pdf] Error 1

Learning

Thu, 12 Mar 2020 09:02:58 -0400

Websites (paid and free) which teach programming

… kernel programming

The Eudyptula Challenge

… low-level security techniques

… cryptography

Cryptopals

Capture-the-flag competitions

Frameworks, code, and other such things

CTFd, a CTF framework
iCTF, A CTF framework
SecGen, Create vulnerable virtual machines
Scratch, The Scratch programming environment; great for children

Linux kernel development

Thu, 12 Mar 2020 09:02:58 -0400

Building a Linux kernel module on Red Hat-derived distributions requires the kernel-devel package. Place the following in hello.c:

#include <linux/module.h>
#include <linux/kernel.h>

int init_module(void)
{
        /* NOTE: See kern_levels.h for level constants. */
        printk(KERN_INFO "Hello, world!\n");

        return 0;
}

void cleanup_module(void)
{
        printk(KERN_INFO "Goodbye, world!\n");
}

MODULE_LICENSE("GPL");

Place the following in Makefile:

obj-m += hello.o

all:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Build the module using make. Load the module using insmod hello.ko, and remove it using rmmod hello; upon completing either, you should see a message recorded by the computer’s logging system.

Receiving parameters at module load time

The module_param and MODULE_PARM_DESC macros aid in declaring and documenting kernel-module parameters, respectively. The module_param macro takes as arguments a parameter name, parameter type, and a series of permission bits which, if non-zero, apply to a sysfs entry that the module might later create. Each use of module_param should correspond with a global variable which shares the name of the parameter.

static char *option = "default value";

module_param(option, charp, 0000);
MODULE_PARM_DESC(option, "An example character string option");

The sample option above could be set using the command insmod hello.ko option=foo.

Reproducing the kernel source used to build the kernel for a Red Hat-derived distribution

These steps require the dnf-utils and rpm-build packages, along with the compiler and other tools needed to build the Linux kernel.

yumdownloader --source kernel
rpm -Uvh kernel...
rpmbuild -bp ~/rpmbuild/SPECS/kernel.spec

This will result in a copy of the kernel source tree at ~/rpmbuild/BUILD/kernel.... One way to build the kernel is to modify this source tree, produce a patch, place the patch in ~/rpmbuild/SOURCES, modify ~/rpmbuild/SPECS/kernel.spec to make use of the patch, and rebuild the kernel using rpmbuild -ba ~/rpmbuild/SPECS/kernel.spec:

Make a vanilla copy of the kernel source: cp -a ~/rpmbuild/BUILD/kernel.../linux.../ ~/rpmbuild/BUILD/kernel.../linux...-vanilla/.
Add pr_notice("Hello, world!\n"); to ~/rpmbuild/BUILD/kernel.../linux.../init/main.c immediately after the kernel prints "Kernel command line: ...".
Set your current directory to ~/rpmbuild/BUILD/kernel.../ and create a patch by running diff -u --recursive linux...-vanilla/ linux.../ >~/rpmbuild/SOURCES/kernel-hello.patch.
Add the patch to the kernel’s RPM specification by adding Patch2: kernel-hello.patch to ~/rpmbuild/SPECS/kernel.spec after the definition of Patch1.
Set the specification to apply your patch by adding ApplyOptionalPatch kernel-hello.patch after the application of patch-%{patchversion}-redhat.patch.
Run rpmbuild -ba ~/rpmbuild/SPECS/kernel.spec to build the result. This will take a long time, and it will use a lot of disk space.

Finally run rpm -ivh ~/rpmbuild/RPMS/x86_64/kernel-* to install your new kernel, and reboot the computer. After booting, you should find that dmesg includes Hello, world! in its output.

Logging strategies

Thu, 12 Mar 2020 09:02:58 -0400

Configure a client to forward logs to a server using rsyslog/TLS

Install rsyslog using yum install rsyslog rsyslog-gnutls.
If you have not already done so, generate a self-signed CA certificate and private key. See the notes on certificates.
Generate a CA-signed certificate and private key for the log server and each client. See the notes on certificates.
On the log server and each client, place the CA certificate at /etc/pki/ca-trust/source/anchor/, and run update-ca-trust.
Install each host’s certificate and private key at /etc/pki/rsyslog/. Ensure that you use chmod to remove the read permissions from the private key.
On the server, ensure a large disk exists at /mnt/sda1 and place the following in /etc/rsyslog.conf, replacing example.com and logserver.example.com:

$ModLoad imuxsock
$ModLoad imtcp

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/example.com.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/logserver.example.com.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/logserver.example.com.key

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 6514

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
local7.*                                                /var/log/boot.log

On each client, place the following in /etc/rsyslog.conf, replacing example.com, logserver.example.com, and logclient.example.com:

$ModLoad imuxsock
$ModLoad imjournal

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/example.com.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/logclient.example.com.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/logclient.example.com.key

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.com
$ActionSendStreamDriverMode 1

*.* @@(o)logserver.example.com:6514;RSYSLOG_SyslogProtocol23Format

On each host, run systemctl enable rsyslog and systemctl restart rsyslog.
Permit rsyslog traffic through the server’s firewall:

Place the following in /etc/firewalld/services/syslog.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Syslog</short>
  <description>Remote syslog</description>
  <port protocol="tcp" port="6514"/>
</service>

Run firewall-cmd --permanent --add-service rsyslog.

You can troubleshoot rsyslog by running it manually: rsyslogd -nd.

Configure a client to forward logs to a server using syslog-ng/TLS

The EPEL repository provides the syslog-ng package for CentOS or RHEL: rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm.
Remove rsyslog using yum remove rsyslog.
Install syslog-ng using yum install syslog-ng.
If you have not already done so, generate a self-signed CA certificate and private key. See the notes on certificates.
Generate a CA-signed certificate and private key for the log server and each client. See the notes on certificates.
On the log server and each client, place the CA certificate at /etc/pki/ca-trust/source/anchors/, and run update-ca-trust.
Calculate the hash of the CA certificate’s common name with openssl x509 -noout -hash -in example.com.pem.
Within /etc/pki/ca-trust/source/anchors/, create a symbolic link from hash.0 to example.com.pem, where hash is the output from the previous step.
Install each host’s certificate and private key at /etc/pki/syslog-ng/. Ensure that you use chmod to remove the read permissions from the private key.
On the server, place the following in /etc/syslog-ng/syslog-ng.conf, replacing example.com and logserver.example.com:

@version:3.5
@include "scl.conf"

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
};

source s_net {
    syslog(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(ca-dir("/etc/pki/ca-trust/source/anchors")
            cert-file("/etc/pki/rsyslog/logserver.example.com.pem")
            key-file("/etc/pki/rsyslog/logserver.example.com.key")
        )
    );
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

log { source(s_sys); source(s_net); filter(f_kernel); destination(d_kern); };
log { source(s_sys); source(s_net); filter(f_default); destination(d_mesg); };
log { source(s_sys); source(s_net); filter(f_auth); destination(d_auth); };
log { source(s_sys); source(s_net); filter(f_mail); destination(d_mail); };
log { source(s_sys); source(s_net); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); source(s_net); filter(f_news); destination(d_spol); };
log { source(s_sys); source(s_net); filter(f_boot); destination(d_boot); };
log { source(s_sys); source(s_net); filter(f_cron); destination(d_cron); };

@include "/etc/syslog-ng/conf.d/*.conf"

On each client, place the following in /etc/syslog-ng/syslog-ng.conf, replacing example.com, logserver.example.com, and logclient.example.com:

@version:3.5
@include "scl.conf"

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_net {
    syslog("logserver.example.com" port(6514)
        transport("tls")
        tls(ca-dir("/etc/pki/ca-trust/source/anchors")
            cert-file("/etc/pki/syslog-ng/logclient.example.com.cert")
            key-file("/etc/pki/syslog-ng/logclient.example.com.key")
        )
    );
};

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_net); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_net); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_net); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_net); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_net); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_net); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_net); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_net); destination(d_cron); };


@include "/etc/syslog-ng/conf.d/*.conf"

On each host, run systemctl enable syslog-ng and systemctl restart syslog-ng.
Permit syslog-ng traffic through the server’s firewall:

Place the following in /etc/firewalld/services/syslog.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Syslog</short>
  <description>Remote syslog</description>
  <port protocol="tcp" port="6514"/>
</service>

Run firewall-cmd --permanent --add-service syslog.

Configure a Windows client to forward logs to a server using Nxlog/TLS

Install Nxlog community edition on the Windows client.
Install the host’s TLS key material at C:\Program Files (x86)\nxlog\cert.
Configure Nxlog by writing to C:\Program Files (x86)\nxlog\conf\nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
	Module xm_syslog
</Extension>

<Input in>
	Module im_msvistalog
</Input>

<Output out>
	Module om_ssl
	Host logserver.example.com
	Port 6514
	CAFile %ROOT%\cert\ca.pem
	CertFile %ROOT%\cert\logserver.example.com.pem
	CertKeyFile %ROOT%\cert\logserver.example.com.key
	AllowUntrusted FALSE
	Exec to_syslog_ietf();
	OutputType Syslog_TLS
</Output>

<Route 1>
	Path in => out
</Route>

Restart the Nxlog service.
Test connectivity by generating a log message on the Windows hosts using: eventcreate /ID 1 /L APPLICATION /T INFORMATION /SO MYEVENTSOURCE /D "Hello, world!".

Configure an OpenWrt server along with clients which forward logs to the server using syslog-ng/TLS

Stop the default logging service using /etc/init.d/log stop.
Remove the default logging service using opkg remove logd.
Remove the existing log with rm /var/log/messages.
Install syslog-ng using opkg install syslog-ng.
On the server, place the following in /etc/syslog-ng.conf:

@version:3.8

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
};

source sys {
        internal();
        unix-dgram("/dev/log");
};

source net {
	syslog(ip(0.0.0.0) port(6514)
		max-connections(50)
		transport("tls")
		tls(ca-dir("/etc/syslog-ng.d/anchors")
			cert-file("/etc/syslog-ng.d/logserver.example.com.cert")
			key-file("/etc/syslog-ng.d/logserver.example.com.key")
		)
	);
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination messages {
        file("/mnt/sda1/var/log/messages");
};

log {
        source(sys);
        source(net);
        source(kernel);
        destination(messages);
};

On each client, place the following in /etc/syslog-ng.conf (replace SERVER and SERVER.EXAMPLE.COM, and consider removing the local file destination if the host’s local disk is small):

@version:3.8

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
};

source sys {
        internal();
        unix-dgram("/dev/log");
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination messages {
        file("/mnt/sda1/var/log/messages");
};

destination SERVER {
        syslog("SERVER.EXAMPLE.COM" port(6514)
		transport("tls")
		tls(ca-dir("/etc/syslog-ng.d/anchors")
			cert-file("/etc/syslog-ng.d/logclient.example.com.cert")
			key-file("/etc/syslog-ng.d/logclient.example.com.key")
		)
	);
};

log {
        source(sys);
        source(kernel);
        destination(messages);
        destination(SERVER);
};

Install and configure Graylog2 on CentOS 7

Install and configure dependencies

Install the EPEL yum repository: rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm.
Install: yum install java-1.8.0-openjdk-headless mongodb-server pwgen policycoreutils-python.
Start MongoDB: systemctl restart mongod.
Ensure MongoDB starts on reboot: systemctl enable mongod.
Properly label MongoDB’s port: semanage port -a -t mongod_port_t -p tcp 27017.

Install and configure Elasticsearch

Install the Elasticsearch yum repository. Add the following to /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-1.7]
name=Elasticsearch repository for 1.7.x packages
baseurl=http://packages.elastic.co/elasticsearch/1.7/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Install Elasticsearch: yum install elasticsearch.
Ensure the following settings exist in /etc/elasticsearch/elasticsearch.yml:

cluster.name: graylog-production
network.host: 127.0.0.1

Start Elasticsearch: systemctl restart elasticsearch.
Ensure Elasticsearch starts on reboot: systemctl enable elasticsearch.
Test Elasticsearch with: curl -XGET http://localhost:9200/_cluster/health?pretty=true; you should see a status of green.

Install and configure Graylog2

Install the Graylog2 yum repository: rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-1.3-repository-el7_latest.rpm.
Install Graylog2: yum install graylog-server.
Ensure the following settings exist in /etc/graylog/server/server.conf:

password_secret = [random secret generated using: pwgen -N 1 -s 96]
root_password_sha2 = [hashed password generated using: echo -n password | sha256sum]
elasticsearch_shards = 1
elasticsearch_replicas = 1
elasticsearch_cluster_name = graylog-production
elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

Also consider adding the following:

root_timezone = America/New_York
allow_highlighting = true

Start Graylog2: systemctl restart graylog-server.
Ensure Graylog2 starts on reboot: systemctl enable graylog-server.

Configure syslog-ng to forward log entries to Graylog2

Add the following to /etc/syslog-ng/syslog-ng.conf, repeating variations of the log statement as necessary:

destination d_graylog { syslog("127.0.0.1" port(1514)); };

log { source(s_sys); source(s_net); filter(f_default); destination(d_mesg); destination(d_graylog); };

Properly label the alternate syslog port: semanage port -a -t syslogd_port_t -p tcp 1514.

Install and configure Graylog2’s web frontend

Install Graylog2: yum install graylog-web.
Ensure the following settings exist in /etc/graylog/web/web.conf:

graylog2_server.uris="http://127.0.0.1:12900"
application.secret="<i>random secret generated using: pwgen -N 1 -s 96</i>"

Start Graylog2’s web frontend: systemctl restart graylog-web.
Ensure Graylog2’s web frontend starts on reboot: systemctl enable graylog-web.
Once Graylog2’s web frontend is running, connect to it (http://localhost:9000/) and configure a log input which matches the syslog-ng configuration. Set the input’s Bind address to 127.0.0.1, its Port to 1514, and also set the its Title.
Permit Graylog web frontend traffic through the server’s firewall:

Place the following in /etc/firewalld/services/graylog-web.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Graylog</short>
  <description>Graylog's web frontend</description>
  <port protocol="tcp" port="9000"/>
</service>

Run firewall-cmd --permanent --add-service graylog-web.

Install and configure Graylog2’s NetFlow plugin

Download the plugin from https://github.com/Graylog2/graylog-plugin-netflow/releases.
Install the plugin at /usr/share/graylog-server/plugin, ensuring its permissions match the existing plugins.
Reload Graylog and add a NetFlow input using the web frontend.
Permit NetFlow traffic through the server’s firewall:

Place the following in /etc/firewalld/services/netflow.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>NetFlow</short>
  <description>Remote NetFlow</description>
  <port protocol="udp" port="2055"/>
</service>

Run firewall-cmd --permanent --add-service netflow.

Maven

Thu, 12 Mar 2020 09:02:58 -0400

Building a JAR with dependencies

<build>
	<plugins>
		<plugin>
			<groupId>org.apache.maven.plugins</groupId>
			<artifactId>maven-dependency-plugin</artifactId>
			<executions>
				<execution>
					<id>copy-dependencies</id>
					<phase>prepare-package</phase>
					<goals>
						<goal>copy-dependencies</goal>
					</goals>
					<configuration>
						<outputDirectory>${project.build.directory}/lib</outputDirectory>
						<overWriteReleases>false</overWriteReleases>
						<overWriteSnapshots>false</overWriteSnapshots>
						<overWriteIfNewer>true</overWriteIfNewer>
					</configuration>
				</execution>
			</executions>
		</plugin>
		<plugin>
			<groupId>org.apache.maven.plugins</groupId>
			<artifactId>maven-jar-plugin</artifactId>
			<configuration>
				<archive>       
					<manifest>              
						<addClasspath>true</addClasspath>
						<classpathPrefix>lib/</classpathPrefix>
						<mainClass>full.path.to.MainClass</mainClass>
					</manifest>
				</archive>
			</configuration>
		</plugin>
	</plugins>
</build>

Mimic

Thu, 12 Mar 2020 09:02:58 -0400

The Mimic Xen host is capable of efficiently running a number of virtual machines. If you are reinstalling over an existing host, then you will first need to backup

the Xen domains’ disk images,
the Xen domains’ configurations,
data on partitions that are passed through to Xen domains (e.g., using rsync --inplace --delete -aHA * /BACKUP-DISK-MOUNT-POINT),
/etc/NetworkManager/system-connections/*, and
a public SSH key.

To ensure a GPT partition label, even on disks less than 2 GB, provide the inst.gpt argument to the Fedora installer’s boot process. Set aside partitions for any virtual machines that will require direct disk access; I used the following scheme:

Partition	Type	Mount point	Name	Size
1	BIOS boot	n/a	n/a	1,024 KiB
2	Standard/ext4	/boot	boot	1,024 MiB
3	btrfs (single subvolume)	/	root	200 GiB
4	Standard/ext4	n/a	herald	1.25 TiB
5	Standard/ext4	n/a	golem	Remaining space

Perform a minimal Fedora install on the computer. After finishing the install, complete the following steps:

Review the host’s BIOS/firmware menu to ensure its virtualization instructions are active.
Add nomodeset to the kernel’s command-line arguments if necessary (/etc/default/grub).
The combination of Xen and AVX2 instructions presents a vulnerability when using some CPUs under certain circumstances. RHEL 10 and compatible distributions require the AVX2 instructions. Add GRUB_CMDLINE_XEN_DEFAULT="spec-ctrl=gds-mit=no" to /etc/default/grub to turn off the related mitigation and enable AVX2 instructions.
During the Fedora install:
1. Set the hostname to mimic.flyn.org.
2. Activate the root account, and set its password.
3. Select the minimal install package set.
4. Set the timezone.
5. Layout the disk as described above, taking care to ensure the partition numbers are assigned as indicated.
Remove the firewalld-filesystem, firewalld, and systemd-resolved packages.
Run dnf update.
Install Xen, syslog-ng, net-tools, and the network bridge utilities: dnf install xen grub2-efi-modules syslog-ng net-tools bridge-utils.
Install a public SSH key, deactivate password-based SSH logins, and run systemctl restart sshd.
Configure syslog-ng (replace the host names that use example.com):
1. Generate an internal-CA-signed certificate for mimic.example.com.
2. Place the CA certificate at /etc/pki/ca-trust/source/anchors/ca.cert.
3. Identify the CA certificate’s hash by running openssl x509 -hash -noout -in ca.cert.
4. Link ca.cert to hash.0, where hash is the value from the previous step.
5. Place the host’s certificate and private key in /etc/pki/syslog-ng/.
6. Restrict the permissions on the private key.
7. Write the following to /etc/syslog-ng/syslog-ng.conf (replace the host names that use example.com):

@version: 3.35
@include "scl.conf"

options {
	flush_lines (0);
	time_reopen (10);
	log_fifo_size (1000);
	chain_hostnames (off);
	use_dns (no);
	use_fqdn (no);
	create_dirs (no);
	keep_hostname (yes);
};

source s_sys {
	system();
	internal();
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_net {
	syslog("logserver.example.com" port(6514)
		transport("tls")
		tls(
			ca-dir("/etc/pki/ca-trust/source/anchors")
			cert-file("/etc/pki/syslog-ng/mimic.flyn.org.cert")
			key-file("/etc/pki/syslog-ng/mimic.flyn.org.key")
		)
	);
};

filter f_kernel    { facility(kern); };
filter f_default   { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth      { facility(authpriv); };
filter f_mail      { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news      { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot      { facility(local7); };
filter f_cron      { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_net); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_net); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_net); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_net); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_net); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_net); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_net); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_net); destination(d_cron); };

@include "/etc/syslog-ng/conf.d/*.conf"

Configure a Xen network bridge device for each network interface on Mimic; for example /etc/NetworkManager/system-connections/xenbr0.nmconnection (replace xenbr0 and XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, and set method to auto if you would like to assign an IP address):

[connection]
id=xenbr0
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
type=bridge
interface-name=xenbr0

[bridge]
stp=false

[ipv4]
method=auto

[ipv6]
dhcp-iaid=mac
method=auto

Ensure this file is owned by root and bears the permissions 0600.

Configure each network interface on Mimic; for example /etc/NetworkManager/system-connections/bridge-slave-eno0.nmconnection (replace eno0, XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, and xenbr0):

[connection]
id=bridge-slave-eno0
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
type=ethernet
interface-name=eno0
master=xenbr0
slave-type=bridge

Ensure this file is owned by root and bears the permissions 0600.

Place Xen guest configurations in /etc/xen, create links to /etc/xen/auto, and place guest disk images in /var/lib/xen/images. Here is an example guest configuration which boots an OpenWrt installation (replace guest and xx:xx:xx:xx:xx:xx):

name    = "guest"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr1,mac=xx:xx:xx:xx:xx:xx" ]
disk    = [ 
  "tap2:tapdisk:aio:/var/lib/xen/images/guest-openwrt-15.05.1-x86-64-combined-ext4.img,xvda,w",
  "tap2:qcow:/var/lib/xen/images/guest-data.qcow,xvdb,w"
          ]
serial  = "pty"

Allow xenstored to run under SELinux’s policy by running setsebool -P domain_can_mmap_files=true.
Ensure the Xen hypervisor is the default boot selection:

grub2-set-default "Fedora, with Xen hypervisor"
grub2-mkconfig -o /boot/grub2/grub.cfg

Optionally restore the backed up data from the previous install.

NAT

Thu, 12 Mar 2020 09:02:58 -0400

Basic configuration using iptables

Perform the following steps to provide NAT routing on a Linux computer using iptables (replace wls3 with your Internet-facing interface and em1 with your private-network-facing interface):

sysctl net.ipv4.ip_forward=1
ip addr add W.X.Y.Z/N dev em1
iptables -t nat -A POSTROUTING -o wls3 -j MASQUERADE
iptables -A FORWARD -i wls3 -o em1 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip tables -A FORWARD -i em1 -o wls3 -j ACCEPT

Basic configuration using iptables

If you run firewalld, then you can substitute the following command:

firewall-cmd --add-masquerade

Configuration using a WiFi Internet connection and firewalld without NetworkManager

On a smaller computer or device, you might not have NetworkManager installed. These instructions demonstrate how to configure a WiFi adapter to use WPA, and then how to use this device to perform NAT when firewalld is installed.

wpa_passphrase ESSID >> /etc/wpa_supplicant/wpa_supplicant.conf (replace ESSID).
/etc/sysconfig/wpa_supplicant (replace EXTNETIF with your external network interface):

INTERFACES="-iEXTNETIF"

/etc/sysconfig/network-scripts/ifcfg-ESSID (replace ESSID and EXTMACADDRESS):

HWADDR=EXTMACADDRESS
MODE=managed
ESSID=EECSDS3
BOOTPROTO=dhcp
DEFROUTE=yes
ZONE=external
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-INTNETIF (replace INTNETIF and INTMACADDRESS):

HWADDR=INTMACADDRESS
BOOTPROTO=none
IPADDR=10.0.0.1
NETMASK=255.255.255.0
ZONE=internal
ONBOOT=yes

The use of the ZONE keyword above causes ifup to run following commands when bringing up the interfaces:

firewall-cmd --zone=external --change-interface=EXTNETIF
firewall-cmd --zone=internal --change-interface=INTNETIF

Network monitoring

Thu, 12 Mar 2020 09:02:58 -0400

yum install nagios.
Start the httpd and nagios services.
Set the Nagios administrator password using htpasswd -c /etc/nagios/passwd nagiosadmin.
Define the network to be monitored by editing Nagios' configuration files. You can place your configuration in /etc/nagios/conf.g/*foo.cfg*. For example, the following will define a host named smtp.example.com and also check that smtp.example.com is providing an SMTP service:

define host {
	use			linux-server
	host_name		smtp.example.com
	address			10.1.10.1
}

define service {
	use			generic-service
	host_name		smtp.example.com
	service_description	SMTP
	check_command		check_smtp
	notifications_enabled	0
}

Load http://localhost/nagios in a browser. (Note securing Nagios so that it can be accessed away from localhost is beyond the scope of these notes.)

Fedora packages plugins such as check_smtp separately from the core Nagios package installed above. The following packages provide common plugins:

Plugin package	Use
nagios-plugins-ping	Check the availability of a host using ICMP
nagios-plugins-tcp	Check the availability of common Internet services including FTP and IMAP
nagios-plugins-http	Check the availability of a HTTP/HTTPS service
nagios-plugins-smtp	Check the availability of a SMTP service
nagios-plugins-dns	Check the availability of a DNS service

Network monitoring

Thu, 12 Mar 2020 09:02:58 -0400

Monitoring a network from the command line

It is often convenient to monitor a network from the command line. For example, the use of command-line tools allows you to log into an OpenWrt router remotely in order to diagnose a network performance problem. Here I describe how to use some common open-source tools.

Bmon

Bmon monitors the use of a network interface in aggregate; it provides real-time information about the utilization of the network interfaces in a computer. After running bmon, you will likely want to press d and g to provide a detailed and graphical display, respectively. The graphical display plots utilization over time.

Iftop

Iftop helps determine the degree to which individual connections are using the network. For example, running iftop -i eth0 -P will show the connections making use of the interface eth0. Each measurement is displayed using two lines, which represent the two directions of communication. Behind each line, iftop displays, using a highlight, a bar which is proportional to the percentage the respective connection represents of the total network utilization (the unit for each bar is some degree of bits per second).

Throughput tests

Services like Speedtest.net allow you to measure the throughput of your network connection, but are generally designed for use with a web browser. The command-line tool speedtest-cli allows you to interact with Speedtest.net’s measurement servers. For an even lighter-weight solution, first obtain the list of Speedtest.net servers at http://www.speedtest.net/speedtest-servers.php. Next, choose a nearby server from the list and run time wget http://sto-chic-01.sys.comcast.net/speedtest/random4000x4000.jpg -O /dev/null.

NetFlow

Installing softflowd on a device that has visibility of your network allows that device to provide NetFlow data representing its observations (see beholder). Nfcapd can receive such a NetFlow stream and store it to disk (see golem). The nfdump utility will print stored NetFlow data in human-readable form. Here are some useful invocations of nfdump:

Print first five flows of month

nfdump -R . -c 5 -t 2020/01

Print first five flows of date range

nfdump -R . -c 5 -t 2020/01/01-2020/01/07

Print first five flows of time period

nfdump -R . -c 5 -t 2020/01/01.12-2020/01/01.13

Top users of upload bandwidth

nfdump -R . -s srcip/bytes -L +10M 'src net 192.168.1.0/24'

Top users of download bandwidth

nfdump -R . -s dstip/bytes -L +10M 'dst net 192.168.1.0/24'

Biggest download sources off local network

nfdump -R . -s srcip/bytes -L +10M 'not src net 192.168.1.0/24'

Ethtool

Running ethtool eth0 will describe the interface eth0, including the connection speed of the interface.

NTP

Thu, 12 Mar 2020 09:02:58 -0400

These instructions describe how to configure ntpd across the 10.0.0.0/24 subnet so that one host, NTP.EXAMPLE.COM, acts as the subnet’s NTP server. We make use of ntpd instead of chrony.

On each host:

rpm -e chrony.
yum install ntp.
Hosts other than NTP.EXAMPLE.COM should only permit NTP connections from localhost. In these cases, merely replace the server statements in /etc/ntp.conf with one that references your NTP server, NTP.EXAMPLE.COM.
Start the ntpservice.

On NTP.EXAMPLE.COM, follow the steps above, except:

Set server to point to the upstream NTP host.
Set restrict *10.0.0.0* mask *255.255.255.0* nomodify notrap.
Run firewall-cmd --permanent --add-service=ntp
Run firewall-cmd --permanent --add-service=ntp --permanent

OpenWrt-based DHCP/DNS server

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build a simple DHCP/DNS server on top of OpenWrt. We assume you already have a working OpenWrt installation and that you have configured basic networking (/etc/config/network) and the host’s name (/etc/config/system).

The following will configure dnsmasq to provide DHCP (assigning .1–.100), and DNS (e.g., assigning the hostname server.example.com to the computer with MAC address aa:bb:cc:dd:ee:ff). The DNS service will also resolve the local host’s name, as set in /etc/config/system.

config dnsmasq
	option domainneeded '1'	
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/example.com/'
	option domain 'example.com'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option server '192.168.1.1' # Upstream DNS.

config dhcp 'lan'
	option interface 'lan'
	option start '1'
	option limit '100'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '3,192.168.1.1' # Default gateway.
	list dhcp_option '121,192.168.0.0/16,192.168.1.1' # A static route.

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option name 'server.example.com'
	option ip '192.168.1.101'
	option mac 'aa:bb:cc:dd:ee:ff'

OpenWrt-based FTP server

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build a simple FTP server on top of OpenWrt. We assume you already have a working OpenWrt installation and that you have configured basic networking (/etc/config/network) and the host’s name (/etc/config/system).

Install the following packages:

zlib
libopenssl
vsftpd-tls
openssh-keygen
openssh-server
openssl-util

Remove the dropbear package
Take care to set the root password.
Create the directory /home/ftp.
Add a new user to the system, setting his home directory to /home/ftp and his shell to /bin/false.
Set the new user’s password.
Configure cleartext FTP: write the following to /etc/vsftpd.conf:

background=YES
listen=YES
anonymous_enable=YES
write_enable=NO
local_umask=022
check_shell=NO
local_root=/home/ftp
session_support=NO

Configure ciphertext SFTP: write the following to /etc/ssh/sshd_config:

AuthorizedKeysFile	.ssh/authorized_keys
UsePrivilegeSeparation	sandbox
Subsystem		sftp internal-sftp

Match User *
	ChrootDirectory 	%h
	AllowTCPForwarding 	no
	X11Forwarding		no
	ForceCommand		internal-sftp

Packets

Thu, 12 Mar 2020 09:02:58 -0400

Print a summary of the transmitting hosts present in the output from tcpdump:

tcpdump >packet-summaries
[Ctrl-C]
cat packet-summaries | egrep ^.{16}IP | awk '{ print $3 }' | sed 's/\(.*\)\..*/\1/g' \
                     | sort | uniq -c | sort -n

Profiling programs

Thu, 12 Mar 2020 09:02:58 -0400

Profiling using operf

Ensure you have access to your kernel’s debug symbols. On Fedora, you can install these symbols with sudo debuginfo-install kernel.
Run sudo operf --system-wide --vmlinux /usr/lib/debug/lib/modules/KERNEL-VERSION/vmlinux, execute your experiments, and press Ctrl-C.
Run opreport -l.

Profiling using gprof

Run a program and its children while collecting profiling data:

Compile with GCC’s -pg flag.
Run with GMON_OUT_PREFIX=prefix ./a.out.
Run gprof a.out prefix.PID.

Red Hat Enterprise Linux without root

Thu, 12 Mar 2020 09:02:58 -0400

Replacing GNOME’s metacity and gnome-panel with the awesome window manager

Build confuse and imlib2 from within their respective source directories using:

./configure --prefix=$HOME/Root --disable-shared
make all install

Build awesome from within its source directory using:

PKG_CONFIG_PATH=$HOME/Root/lib/pkgconfig ./configure --prefix=$HOME/Root

Add $HOME/Root/bin to your .bash_profile/.bashrc.
Set the contents of $HOME/.local/share/applications/awesome.desktop to:

[Desktop Entry]
Version=1.0
Type=Application
Name=Awesome
Comment=The awesome launcher!
TryExec=awesome
Exec=awesome

Use gconf-editor to:

edit the values at /desktop/gnome/session/required_components_list, ensuring only windowmanager and terminal are present,
set the value of /desktop/gnome/session/required_components/windowmanager to awesome, and
set the value of /desktop/gnome/session/required_components/terminal to gnome-terminal.

SELinux

Thu, 12 Mar 2020 09:02:58 -0400

Activating and deactivating SELinux

A Linux kernel which supports SELinux can assume three modes: enforcing, where the kernel enforces the SELinux policy; permissive, where the kernel loads the policy but does not enforce its constraints; and disabled, where the kernel completely disables SELinux. Avoid the disabled mode because it can result in a mislabeled system which will not function if SELinux is reactivated. You can deactivate or activate enforcing mode temporarily by running the following commands:

setenforce 0
setenforce 1

The command getenforce will print the current enforcing status.

You can configure the SELinux mode which the kernel will adopt upon booting by editing /etc/syslinux/selinux.

SELinux labels

Under SELinux, system objects bear labels. You can use the standard Linux utilities to inspect these labels. Here are some examples:

Display the labels of filesystem nodes:

ls -Z

Recursively modify the label of part of the filesystem, and update the policy to retain the labels through a relabel:

chcon -v -R --type=mytype_file_t /path/to/branch
semanage fcontext -a -t mytype_file_t "/path/to/branch(/.*)?"

Restore the label of a filesystem node to the path’s SELinux policy default:

restorecon -v myfile.txt

Relabel the entire filesystem according to the SELinux policy:

touch /.autorelabel
reboot

Display the labels of TCP and UDP ports:

semanage port -l

Modify the label of a port:

semanage port -a -t mytype_port_t -p tcp 8080

Display the domains of running processes:

ps auxZ

Note that the domain a running process adopts is a function of the parent process’s domain, the label of the process’s program on disk, and the SELinux policy. One of these must be changes to modify the domain a process will run in.

SELinux booleans

The kernel permits the customization of many details about its SELinux policy through the use of boolean flags. To list the available booleans, along with their current status, run:

getsebool -a

You can modify a boolean by running statements such as:

setsebool -P httpd_can_network_connect_db on

Writing SELinux policy modules

Booleans only help tailor a policy to do things the original policy authors intended. When installing an uncommon program, an administrator might need to write an entirely new policy module. Here is a sample program in C, setoy.c, which we would like to constrain using a custom SELinux policy module:

#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[])
{
	int val;
	FILE *f = NULL;
	char buf[BUFSIZ];
	char *ptr = NULL;

	f = fopen ("setoy.txt", "r+");
	if (NULL == f) {
		perror("Could not open setoy.txt");
		exit(EXIT_FAILURE);
	}

	ptr = fgets(buf, BUFSIZ, f);
	if (NULL == ptr) {
		perror("Could not read setoy.txt");
		exit(EXIT_FAILURE);
	}

	val = fprintf(f, "%s\n", "Goodbye, cruel world!");
	if (val < 0) {
		perror("Could not write setoy.txt");
		exit(EXIT_FAILURE);
	}

	val = fclose(f);
	if (val != 0) {
		perror("Could not close setoy.txt");
		exit(EXIT_FAILURE);
	}

	f = fopen ("setoy2.txt", "w");
	if (NULL == f) {
		perror("Could not open setoy2.txt");
		exit(EXIT_FAILURE);
	}

	val = fprintf(f, "%s\n", "Goodbye, cruel world!");
	if (val < 0) {
		perror("Could not write setoy2.txt");
		exit(EXIT_FAILURE);
	}

	val = fclose(f);
	if (val != 0) {
		perror("Could not close setoy2.txt");
		exit(EXIT_FAILURE);
	}

	printf("All system calls succeeded: success (or failure?)\n");
	printf("Press enter to exit ");

	getchar();

	exit(EXIT_SUCCESS);
}

Here is a policy which constrains the program, mysetoy.te:

policy_module(mysetoy, 1.0.0)

# Must require any core policy definitions you use. This is similar to
# an import in Java or #include in C.
require {
	attribute file_type;
	type unconfined_t;
	role unconfined_r;
	type user_devpts_t;
	type user_home_t;
	type fs_t;
	class dir search;
	class chr_file { read write append getattr };
	class filesystem associate;
}

# ==============================================================================
# | Declare a number of types                                                  |
# ==============================================================================
type mysetoy_t;                 # The type we will assign to mysetoy processes.
type mysetoy_file_t, file_type; # Will assign to files mysetoy can read/write.
type mysetoy_exec_t;            # Will assign to the mysetoy program on disk.

# ==============================================================================
# | Allow/cause unconfined_t-domain processes to run mysetoy in mysetoy_t      |
# | domain.                                                                    |
# ==============================================================================
domain_type(mysetoy_t)
domain_entry_file(mysetoy_t, mysetoy_exec_t)
role unconfined_r types mysetoy_t;
type_transition unconfined_t mysetoy_exec_t:process mysetoy_t;

# ==============================================================================
# | Now we decide what SELinux will permit mysetoy to do.                      |
# ==============================================================================
# Allow mysetoy_t domain to read and write file objects labeled with mysetoy_file_t.
allow mysetoy_t mysetoy_file_t:file { open read write };

# Allow mysetoy_t domain to read and write the console.
allow mysetoy_t user_devpts_t:chr_file { read write append getattr };

# Allow mysetoy_t domain to enumerate contents of a directory in ~.
allow mysetoy_t user_home_t:dir search;

# Allow mysetoy_t domain to create a file in ~ ...
allow mysetoy_t user_home_t:dir { write add_name create };
allow mysetoy_t mysetoy_file_t:file { create };

# ... and ensure it bears the label mysetoy_t.
allow mysetoy_t fs_t:filesystem associate;
filetrans_pattern(mysetoy_t, user_home_t, mysetoy_file_t, file)

You can compile an SELinux policy with make -f /usr/share/selinux/devel/Makefile mysenettoy.pp, and you can install the compiled policy using semodule -i mysetoy.pp.

Properly running setoy will also require:

echo Hello, world\! >setoy.txt
chcon -v --type=mysetoy_exec_t setoy
chcon -v --type=mysetoy_file_t setoy.txt

SELinux logging and machine-assisted policy modules

SELinux logs policy violations to /var/log/audit/audit.log. The command audit2allow can help turn the logs which result from a policy being overly cautious into a new, more appropriate policy module for a program. This should be done with care, because most of the time the enforcement of the policy is precisely what ought to happen. Thus you should carefully review the results from audit2allow before loading it into the running policy. Sometimes it is helpful to avoid ignoring common failures (i.e., do-not-audit rules) using:

semodule -DB

Restore the do-not-audit rules with:

semodule -B

Other resources

Shrieker

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Shrieker, a Raspberry Pi-based ringer. Shrieker connects to an XMPP server, listens for messages, and displays messages that arrive before activating an audible alarm.

Shrieker is designed to run on the hardware listed below:

Raspberry Pi Model B
PiFace Control & Display
PiFace Control & Display Case
5V Micro USB AC Adapter
8GB SD Card
Edimax 802.11b/g/n Nano USB Adapter
HDMI Cable
USB Keyboard (For initial setup)

At the time of writing, most of this hardware is available from MCM Electronics.

Selecting the software for a Shrieker image

Obtain the OpenWrt source tree using git clone git://git.openwrt.org/openwrt/openwrt.git.
Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.

Pull the appropriate feeds, using ./scripts/feeds install \ freifunk-watchdog \ gst1-mod-mad \ lcdringer \ wpa-supplicant \ zoneinfo-core \ zoneinfo-northamerica
Run make menuconfig and select:
1. Target System: Broadcom BCM2708/BCM2709/
2. Subtarget: BCM2708 based boards
3. Target Profile: Raspberry Pi Model B

Base system:

Remove dnsmasq
Kernel Modules:
- Other modules: kmod-softdog
SPI Support:
- kmod-spi-bcm2835
- kmod-spi-dev
Wireless Drivers:
- kmod-rtl8192cu (for firmware)
- kmod-rtl8xxxu
LuCI: Freifunk: freifunk-watchdog
Multimedia:
- gstreamer1-plugins-base
  - Select all GStreamer base modules
- gstreamer1-plugins-good
  - Select all GStreamer good modules
- gstreamer1-plugins-ugly
  - Select all GStreamer ugly modules
Network:
- lcdringer
- Remove odhcpd
- wpa-supplicant
Utilities:
- zoneinfo: zoneinfo-northamerica

Create the directory files and populate it as described in the following sections.

Configure networking

etc/config/network:

config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname wlan0
        option proto dhcp

etc/config/wireless (replace MACADDR, SSID, and KEY):

config wifi-device radio0
        option type     mac80211
        option channel  11
        option hwmode   11g
        option country  US
        option macaddr  MACADDR

config wifi-iface
        option device   radio0
        option network  lan
        option mode     sta
        option ssid     SSID
        option encryption psk2
        option key      KEY

Configure lcdringer

etc/lcdringer.conf (replace EXAMPLE.COM, PASSWORD, USER1, and USER2; USER1 and USER2 are the users permitted to cause lcdringer to ring):

[account]
jid=lcdringer@EXAMPLE.COM
password=PASSWORD
ring_path=/usr/share/lcdringer/ring.mp3

[friends]
jids=USER1@EXAMPLE.COM;USER2@EXAMPLE.COM

Configure basic system settings

etc/config/system:

config system
	option hostname	shrieker.example.com
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

etc/config/freifunk-watchdog:

config process
        option process lcdringer
        option initscript /etc/init.d/lcdringer

Build software and perform installation

Run make V=99.
Use dd to copy openwrt-brcm2708-bcm2708-rpi-b-ext4-sdcard.bin to the Raspberry Pi’s flash card.

Siren

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Siren, a Raspberry Pi-based music player. Siren can play music made available by a DAAP server such as dmapd.

Siren is designed to run on the hardware listed below:

Raspberry Pi Model B
PiFace Control & Display
PiFace Control & Display Case
5V Micro USB AC Adapter
8GB SD Card
Edimax 802.11b/g/n Nano USB Adapter
HDMI Cable
USB Keyboard (For initial setup)

At the time of writing, most of this hardware is available from MCM Electronics.

Selecting the software for a Siren image

Obtain the OpenWrt source tree using git clone git://git.openwrt.org/openwrt/openwrt.git.
Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.
Pull the appropriate feeds, using

./scripts/feeds install \
	freifunk-watchdog \
	gst1-mod-mad \
	gst1-mod-ogg \
	gst1-mod-vorbis \
	gst1-mod-flac \
	lcdgrilo \
	wpa-supplicant \
	zoneinfo-core \
	zoneinfo-northamerica</pre></li>

Run make menuconfig and select:

Target System: Broadcom BCM2708/BCM2709
Subtarget: BCM2708 based boards
Target Profile: Raspberry Pi Model B
Base system:
- Remove dnsmasq
Kernel Modules:
- Other modules: kmod-softdog
- SPI Support:
  - kmod-spi-bcm2835
  - kmod-spi-dev
- Wireless Drivers:
  - kmod-rtl8192cu (for firmware)
  - kmod-rtl8xxxu
LuCI: Freifunk: freifunk-watchdog
Multimedia:
- grilo-plugins
- Select grilo-plugins-dmap
- gstreamer1-plugins-base
- Select all GStreamer base modules
- gstreamer1-plugins-good
- Select all GStreamer good modules
- gstreamer1-plugins-ugly
- Select all GStreamer ugly modules
- lcdgrilo
Network:
- Remove odhcpd
- wpa-supplicant
Utilities:
- zoneinfo: zoneinfo-northamerica

Create the directory files and populate it as described in the following sections.

Configure networking

etc/config/network:

config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname wlan0
        option proto dhcp

etc/config/wireless (replace MACADDR, SSID, and KEY):

config wifi-device radio0
        option type     mac80211
        option channel  11
        option hwmode   11g
        option country  US
        option macaddr  MACADDR

config wifi-iface
        option device   radio0
        option network  lan
        option mode     sta
        option ssid     SSID
        option encryption psk2
        option key      KEY

Configure basic system settings

etc/config/system:

config system
	option hostname	siren.example.com
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

etc/config/freifunk-watchdog:

config process
        option process lcdgrilo
        option initscript /etc/init.d/lcdgrilo

Build software and perform installation

Run make V=99.
Use dd to copy openwrt-brcm2708-bcm2708-rpi-b-ext4-sdcard.bin to the Raspberry Pi’s flash card.

Spam

Thu, 12 Mar 2020 09:02:58 -0400

This technique uses bogofilter to categorize email as spam or ham on a server, and it uses spamassassin and manual characterization on a client computer to train bogofilter. This assumes that the administrator will use the client computer to review spamassassin's classification decisions and deem missed email as spam where appropriate. Any unread email found in spam-samples was placed there as a result of automatic (spamassassin or bogofilter) classification; read mail was either hand-classified or manually reviewed. The efficacy of this technique requires that the administrator's spam resemble each user's spam.

Install and configure Postfix and bogofilter on your mail server.
Use spamassassin and mutt on a client machine to continuously train bogofilter:
Configure spamassassin:

required_hits 3.5
report_safe 0

Configure procmail to filter incoming mail using spamassassin and to move the email classified as spam to the folder spam-samples:

:0:
* ^X-Bogosity: (Spam|Yes)
$MAILDIR/spam-samples

# Process with spamassassin unless too big.   
:0fw: spamassassin.lock
* < 1048576   
| spamassassin                           

# Dump spamassassin spam in spam-samples.
:0:                  
* ^X-Spam-Status: Yes            
$MAILDIR/spam-samples

Add a cronjob to analyze spam-samples using bogofilter and install the resulting wordlist.db:

0	0	*	*	*	rm -f ~/mail/wordlist.db
	&& grep -av '\(^X-Spam[^ ]*:\|^X-Bogosity:\)' ~/mail/spam-samples | bogofilter -d ~/mail -M -s
	&& grep -av '\(^X-Spam[^ ]*:\|^X-Bogosity:\)' ~/mail/ham-samples  | bogofilter -d ~/mail -M -n
	&& scp ~/mail/wordlist.db root@example.com:/etc/bogofilter/

Configure mutt with hotkeys which manually characterize email as spam or ham and spam index highlights:

color index black brightred '~h "X-Spam-Flag: YES"'    # Spamassassin.
color index black brightyellow '~h "X-Bogosity: Spam"' # Bogofilter.

macro index S "\
<enter-command>set resolve=no<enter>\
<clear-flag>N\
<enter-command>set resolve=yes<enter>\
<save-message&gt;=spam-samples<enter><enter>" "Save to spam-samples"

macro pager S "\
<enter-command>set resolve=no<enter>\
<clear-flag>N\
<enter-command>set resolve=yes<enter>\
<save-message>=spam-samples<enter><enter>" "Save to spam-samples"

macro index H "\
<enter-command>set my_resolve=\$resolve resolve=no<enter>\
<copy-message>=ham-samples<enter><enter>\
<enter-command>set resolve=\$my_resolve<enter>" "Copy to ham-samples"

macro pager H "\
<enter-command>set my_resolve=\$resolve resolve=no<enter>\
<copy-message>=ham-samples<enter><enter>\
<enter-command>set resolve=\$my_resolve<enter>" "Copy to ham-samples"

macro index B "&lt;shell-escape&gt;rm -f ~/mail/wordlist.db
&& grep -av '\\(\^X-Spam[^ ]*:\\|\^X-Bogosity:\\)' ~/mail/spam-samples | bogofilter -d ~/mail -M -s\
&& grep -av '\\(\^X-Spam[^ ]*:\\|\^X-Bogosity:\\)' ~/mail/ham-samples  | bogofilter -d ~/mail -M -n\
&& scp ~/mail/wordlist.db root@www.flyn.org:/etc/bogofilter/&lt;enter&gt;" "Push bogofilter samples"

Sprite

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Sprite, a home entertainment system.

Sprite is designed to run on a Zotac ZBOX Blu-ray, which provides the following:

1.8GHz Intel Atom processor
2GB memory
Bluray/DVD player
WiFi and Ethernet network interfaces
HDMI audio/video output
USB ports (Only the front-left USB port works with the ZBOX BIOS during the initial stages of booting.)

Sprite also makes use of two SNES-style USB joypads and a Rii mini wireless keyboard with touchpad.

Follow the instructions below to build Sprite:

Install Fedora using a CD-ROM containing a disk image such as Fedora-20-x86_64-netinst.iso.

During installation, create a 2GB swap partition and a / partition that spans the rest of the disk.
Create a user named sprite.
Install the minimum set of packages.

Use rpm -e to remove any unnecessary packages.
Use

rpm -Uvh \
	http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-20.noarch.rpm \
	http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-20.noarch.rpm \
	http://rpm.livna.org/livna-release.rpm

to install the RPM Fusion and livna repositories. 4. Install the required packages using

yum install \
	ConsoleKit \
	gdm
	kernel-modules-extra \
	mesa-dri-drivers \
	xorg-x11-drv-nouveau \
	xorg-x11-drv-evdev \
	libdvdcss \
	nfs-utils \
	nss-mdns \
	Nestopia \
	snes9x \
	xbmc

Configure Sprite to boot in graphical mode: ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target.
Install your public SSH key as /root/.ssh/authorized_keys and configure sshd to disallow password-based logins by editing /etc/ssh/sshd_config.
/etc/sysconfig/network-scripts/ifcfg-Auto_ExampleCom (replace ExampleCom, UUID [uuidgen], and MACADDRESS [ip link]):

ESSID="ExampleCom"
MODE=Managed
KEY_MGMT=WPA-PSK
TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME="Auto ExampleCom"
UUID=UUID
ONBOOT=yes
HWADDR=MACADDRESS
WPA_ALLOW_WPA=yes
WPA_ALLOW_WPA2=yes
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

/etc/sysconfig/network-scripts/keys-Auto_ExampleCom (replace ExampleCom and PSK):

WPA_PSK='PSK'

/etc/hostname (replace example.com):

sprite.example.com

/etc/sysconfig/network:

NETWORKING=yes
NETWORKWAIT=1

/home/sprite/.snes9x/snes9x.xml:

<?xml version="1.0"?>
<snes9x>
 <preferences>
  <option name="default_esc_behavior" value="2"/>
  <option name="hires_effect" value="0"/>
  <option name="full_screen_on_open" value="1"/>
  <option name="video_mode_width" value="1920"/>
  <option name="video_mode_height" value="1080"/>
  <option name="window_width" value="1920"/>
  <option name="window_height" value="1080"/>
  <option name="prevent_screensaver" value="1"/>
  <option name="aspect_ratio" value="1"/>
  <option name="maintain_aspect_ratio" value="1"/>
  <option name="ui_visible" value="0"/>
  <option name="statusbar_visible" value="0"/>
  <option name="modal_dialogs" value="1"/>
  <option name="sync_to_vblank" value="1"/>
  <option name="joystick_threshold" value="40"/>
  <option name="sound_buffer_size" value="32"/>
  <option name="sound_driver" value="0"/>
  <option name="sound_input_rate" value="31950"/>
  <option name="sound_sync" value="1"/>
  <option name="transparency" value="1"/>
  <option name="frameskip" value="200"/>
  <option name="16bit_sound" value="1"/>
  <option name="stereo" value="1"/>
  <option name="playback_rate" value="5"/>
  <option name="block_invalid_vram_access" value="1"/>
  <option name="sram_directory" value="/home/sprite/.snes9x"/>
 </preferences>
 <controls>
  <calibration joystick="0">
   <axis number="0" min="-32767" max="32767" center="0"/>
   <axis number="1" min="-32767" max="32767" center="0"/>
  </calibration>
  <calibration joystick="1">
   <axis number="0" min="-32767" max="32767" center="0"/>
   <axis number="1" min="-32767" max="32767" center="0"/>
  </calibration>
  <joypad number="0">
   <binding name="Up" binding="556270082"/>
   <binding name="Down" binding="556270083"/>
   <binding name="Left" binding="556270080"/>
   <binding name="Right" binding="556270081"/>
   <binding name="Start" binding="553648135"/>
   <binding name="Select" binding="553648134"/>
   <binding name="A" binding="553648129"/>
   <binding name="B" binding="553648128"/>
   <binding name="X" binding="553648131"/>
   <binding name="Y" binding="553648130"/>
   <binding name="L" binding="553648132"/>
   <binding name="R" binding="553648133"/>
  </joypad>
  <joypad number="1">
   <binding name="Up" binding="573047298"/>
   <binding name="Down" binding="573047299"/>
   <binding name="Left" binding="573047296"/>
   <binding name="Right" binding="573047297"/>
   <binding name="Start" binding="570425351"/>
   <binding name="Select" binding="570425350"/>
   <binding name="A" binding="570425345"/>
   <binding name="B" binding="570425344"/>
   <binding name="X" binding="570425347"/>
   <binding name="Y" binding="570425346"/>
   <binding name="L" binding="570425348"/>
   <binding name="R" binding="570425349"/>
  </joypad>
 </controls>
</snes9x>

The first time you run Nestopia, perform the following configurations using a mouse:

Press escape to display Nestopia’s menu bar.
Configure Nestopia to use joypads for input.
Configure Nestopia to start in fullscreen mode.
Set the audio output to SDL.
After quitting Nestopia, edit /home/sprite/.nestopia/nstcontrols and replace the line STOP _ESCAPE with EXIT _ESCAPE. From this point on, you can access the Nestopia menu by pressing f.
Modify /etc/asound.conf so that the HDMI sound device is the default:

defaults.ctl.card	1
defaults.pcm.card	1
defaults.pcm.device	7
defaults.timer.card	1

XBMC’s default behavior allows the use of the backslash key to toggle full-screen mode, but this is rarely useful. Copy /usr/share/xbmc/system/keymaps/keyboard.xml to /home/sprite/.xbmc/userdata/keymaps/, and edit the file to replace <backslash>ToggleFullScreen</backslash> with <backslash>OSD</backslash>.
Using XBMC, perform the following configuration:
- Install video add-ons (e.g., select System→Add-ons→Get Add-ons→XMBC.org Add-ons→Video Add-ons→USTV VoD→Install).
- Install the Rom Collection Browser (i.e., select System→Add-ons→Get Add-ons→XMBC.org Add-ons→Program Add-ons→Rom Collection Browser→Install).
- Configure the Rom Collection Browser (i.e., select Programs→Rom Collection Browser):
  - Create configuration: yes
  - Scrape game information and artwork online
  - Choose a platform: NES
  - Path to NES emulator: /usr/bin/nestopia
  - Emulator parameters: "%ROM%" (default)
  - Path to NES ROMs: ...
  - File mask: *
  - NES artwork: /home/sprite/NES
Turn off the RSS feed ticker (i.e., deactivate System→Appearance→Show RSS news feeds).

Tracker

Thu, 12 Mar 2020 09:02:58 -0400

Tracker stores information about your files, and makes this information available to applications.

tracker-control: Show the current status of tracker, including its store and miners.
tracker-control -s: Start the tracker miners, which collect information about your files.
tracker-control -l: List the miners that are running.
tracker-control -a: List the miners preset on the system whether they are running or not.

Virtualization

Thu, 12 Mar 2020 09:02:58 -0400

Platform virtualization

Software-based virtualization (simulation)

Create an empty disk image and then install Fedora onto it, running the procedure in a qemu simulator:

$ qemu-img create -f qcow2 disk.qcow2 4G
$ qemu-system-x86_64 -hda disk.qcow2 \
	-cdrom Fedora-20-x86_64-netinst.iso \
	-boot d \
	-net nic \
	-net user \
	-m 1024

To accelerate qemu when virtualizing the same platform as the host, first use modprobe to install the appropriate KVM modules, and then add the --enable-kvm option to the qemu-system-x86_64 command above.

You might want to run qemu with -nographic when running on a computer with no graphical console. For this to work, the hosted kernel must use the serial device as its console. You can arrange for this by passing console=ttyS0 on the hosted kernel’s command line, likely by editing your bootloader’s configuration.

You can also set the host’s MAC address by using -net nic,macaddr=aa:bb:cc:dd:ee:ff.

Another option allows you to configure a network between two QEMU hosts without root access on the host running QEMU. Start one host with -device e1000,netdev=n1,mac=52:54:00:12:34:56 -netdev socket,id=n1,listen=:1024, and start another with -device e1000,netdev=n1,mac=52:54:00:12:34:57 -netdev socket,id=n1,connect=:1024.

Simulating other architectures

Qemu can simulate one architecture on another. For example, qemu can facilitate experimenting with the RISC-V architecture on an AMD64 computer. Fedora provides RISC-V kernels and disk images that are suitable for running in qemu at https://dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/. After gathering and uncompressing a related pair of .elf and .raw files, you can boot them using qemu by running:

$ qemu-system-riscv64 -nographic \
        -machine virt \
        -smp 4 \
        -m 4G \
        -kernel riscv.elf \
        -bios none \
        -object rng-random,filename=/dev/urandom,id=rng0 \
        -device virtio-rng-device,rng=rng0 \
        -device virtio-blk-device,drive=hd0 \
        -drive file=riscv.raw,format=raw,id=hd0 \
        -device virtio-net-device,netdev=usernet \
        -netdev user,id=usernet,hostfwd=tcp::10000-:22

(Replace riscv.elf and riscv.raw with the name of the files you downloaded.)

“Real” networking in qemu

Qemu can easily simulate a network connection in userspace with the help of the host computer, but this approach has limitations. Sometimes it is helpful to tie the simulated computer’s network adapter into the host computer kernel’s view of networking. This is done using bridge and tap interfaces. Assuming the host computer uses NetworkManager, define a bridge interface by creating a file such as /etc/NetworkManager/system-connections/br0.nmconnection:

[connection]
id=br0
type=bridge
interface-name=br0

[bridge]
stp=false

[ipv4]
method=auto

Ensure /etc/NetworkManager/system-connections/br0.nmconnection is readable only by root. Next, configure a physical interface to be a member of the bridge, such as by editing /etc/NetworkManager/system-connections/enp3s0f0.nmconnection:

[connection]
id=enp3s0f0
type=ethernet
interface-name=enp3s0f0
master=br0
slave-type=bridge

In this way, the bridge can obtain an IPv4 address through the physical interface, which is defined to be a member of the bridge.

Next, create a tap interface for the simulated host, and add it to the bridge by running these commands:

$ tunctl -t tap0 -u root
$ brctl addif br0 tap0
$ ifconfig tap0 up

Finally, start the simulated host and associate the host with the tab device by running:

$ qemu-system-riscv64 -nographic \
        -machine virt \
        -smp 4 \
        -m 4G \
        -kernel riscv.elf \
        -bios none \
        -object rng-random,filename=/dev/urandom,id=rng0 \
        -device virtio-rng-device,rng=rng0 \
        -device virtio-blk-device,drive=hd0 \
        -drive file=riscv.raw,format=raw,id=hd0 \
        -device e1000,netdev=net0,mac=aa:bb:cc:dd:ee:ff \
        -device tap,id=net0,ifname=tap0,script=no,downscript=no

Notice the -device and -netdev options have changed from the earlier example.

Xen

Running OpenWrt as a Xen HVM DomU guest

The following Xen DomU configuration defines a guest named OpenWrt:

name    = "OpenWrt"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge" ]
disk    = [ "tap2:tapdisk:aio:/path/to/openwrt-x86-generic-combined-ext4.img,xvda,w" ]
serial  = "pty"

To select a network bridge on a host which has configured more than one, add a statement of the form bridge=brname to the list of network parameters. To hard-code an Ethernet MAC, add mac=mac.

Running CentOS as a Xen HVM DomU guest

The following Xen DomU configuration defines a guest named CentOS, which includes an SDL-based graphics console:

name    = "CentOS"
memory  =  4096
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge" ]
disk    = [ "tap2:tapdisk:aio:/path/to/disk.img,xvda,w" ]
serial  = "pty"
sdl     = 1

If you click on the SDL window, then the Xen interface will capture your mouse. To release the mouse, press Ctrl-Alt. Ctl-Alt-f will enter or leave full screen mode. Alternatively, you can omit sdl = 1 and configure GRUB to boot the Linux kernel with console=ttyS0.

Running OpenBSD as a Xen HVM DomU guest

The following Xen DomU configuration defines a guest named OpenBSD:

name    = "OpenBSD"
memory  =  4096
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge" ]
disk    = [ "tap2:tapdisk:aio:/path/to/disk.img,xvda,w" ]
serial  = "pty"
sdl     = 1

See the description of CentOS above for how to use the SDL console. Alternatively, you can omit sdl = 1 and configure OpenBSD to use a serial console. To do this, add tty00 "/usr/libexec/getty std.9600" vt220 on secure to /etc/ttys and add:

stty com0 19200
set tty com0

to /etc/boot.conf.

Networking

The Xen domain configurations above assume bridged networking. This requires some configuration on the host. The examples here assume the use of NetworkManager.

Bridged

You can set up a network bridge by placing the following in Dom0’s /etc/sysconfig/network-scripts/ifcfg-xenbr0: Define a bridge interface by creating a file such as /etc/NetworkManager/system-connections/xenbr0.nmconnection:

[connection]
id=xenbr0
type=bridge
interface-name=xenbr1

[ipv4]
method=auto

[ipv6]
dhcp-iaid=mac
method=auto

Replace the use of method=auto with method=link-local if you do not want the Dom0 host to obtain an IP address.

Associate an physical interface with the bridge, for example by creating /etc/NetworkManager/system-connections/bridge-slave-eno1.nmconnection:

[connection]
id=bridge-slave-eno1
type=ethernet
interface-name=eno1
master=xenbr0
slave-type=bridge

NAT

Alternatively, you can configure a Xen guest to connect to a network through Dom0 with Dom0 acting as a NAT router.

Configure the guest with vif = [ "model=e1000,script=vif-nat,ip=10.0.0.1/32,gatewaydev=INTERFACE" ], where INTERFACE is the network interface which links to your default Internet router.
Add the following to /etc/sysctl.conf on Dom0: net.ipv4.ip_forward=1 and run sysctl -p1.
Run iptables -t nat -A POSTROUTING -o INTERFACE -j MASQUERADE, where INTERFACE is the interface from step one. (If you use firewalld, then run firewall-cmd --add-masquerade instead.)
Boot the guest and configure its IP address as 10.0.0.1, its default gateway to 10.0.0.129 (Dom0’s virtual interface), and its DNS resolver to a valid server.

Boot from an installation CD-ROM

Add the following to your Xen DomU guest configuration:

disk = [ "tap2:tapdisk:aio:/path/to/cdrom.iso,hdc:cdrom,r" ]

You might want to instead add this statement to an existing disk list, as his will provide access to both the virtual CD-ROM and disk.

Pass an entire logical volume into a Xen guest

If you have an entire logical volume on Dom0 set aside for the guest, then you can pass it to the guest with the following configuration fragment:

disk = [ "phy:/dev/mapper/lv-name,xvdb,w" ]

Pass a USB device into a Xen guest

Add the following to your Xen DomU guest configuration:

usb       = 1
usbdevice = "host:xxxx:yyyy"

usb       = 1
usbdevice = "host:x.y"

In the first example, xxxx:xxxx represents the USB device’s tag. In the second example, x.y represents the USB device’s bus address. You can learn these identifiers by using lsusb.

Ensuring DomU virtual machines start after booting Dom0

Place the configurations which you want to start upon booting in /etc/xen/.
Make a symlink for each configuration from /etc/xen/ to /etc/xen/auto/.
Run systemctl enable xendomains to ensure the xendomains script executes when Dom0 boots.

OpenStack

Extracting a disk image that can be imported into other virtualization platforms

Generate a snapshot of a running instance.
Run glance image-list to find the identifier of the snapshot you want to extract.
Run glance image-download ID --file FILENAME.qcow2

Create an OpenStack image from an image on disk

In order for a disk image to interact fully with OpenStack it must contain a few utilities. On Fedora, the acpid, cloud-init, and cloud-utils-growpart packages provide them. Enable the acpid service, edit /etc/cloud/cloud.cfg accordingly (pay attention to the default username), and add NOZEROCONF=yes to /etc/sysconfig/network. Also ensure a SSH server is present.

Additionally, the disk image must include the virtual I/O drivers in its initial ramdisk. Edit /etc/dracut.conf.d/openstack.conf, and add add_drivers="virtio_blk virtio_gpu". Run dracut --regenerate-all --force on the computer to update its existing initial ramdisks to reflect this. You can inspect an initial ramdisk by running lsinitrd /boot/initramfs-VERSION.img.

To load the image into OpenStack, run glance image-create --name NAME --visibility=private --disk-format=qcow2 --container-format=bare --file=IMAGE-FILE.qcow2.

Manage OpenStack quotas

View quotas for a project using openstack quota show $(openstack project show -f value -c id PROJECT).
Set a quota using openstack quota set --QUOTANAME N $(openstack project show -f value -c id PROJECT).

General OpenStack management

Run openstack server list --all-projects as the admin user to view all servers.
Run openstack server show SERVER-ID to view the details about a server.
Run openstack volume list --all-projects as the admin user to view all volumes.
Run openstack server remove volume SERVER-ID VOLUME-ID to detach a volume from a server.
Run openstack volume delete VOLUME-ID to delete a detached volume.
Sometimes a volumes stays attached to a server that no longer exists. This command is the remedy: cinder reset-state --attach-status detached VOLUME-ID.

Interacting with underlying KVM

Lookup an instance name in OpenStack’s web UI.
Run virsh list --all --uuid --name to discover the KVM virtual machine name that corresponds with the instance ID.
Run virsh console VM-NAME to connect to the virtual machine’s console.

VirtualBox

Select guest Settings→Shared Folders.
Add the folder on your host which you would like to add to your guest; remember the folder name.
Ensure VirtualBox guest addition exists on the guest.
On the Linux guest, run mount -t vboxsf folder-name mount-point.

Pass a USB device from host to Linux guest

If you need USB 2 and 3 support, then install the VirtualBox extension pack from Oracle on the host: sudo VBoxManage extpack install path-to-extpack.
Add the user running VirtualBox to the vboxusers group: sudo gpasswd -a $USER vboxusers. You might need to log out and log back in for this change to take affect.
After booting the guest, look for the USB icon in VirtualBox’s guest control panel at the bottom of the guest’s window. Right click on it to select a USB device to pass through.

You might want to always pass a certain USB device to the guest. To do this, first identify the device’s properties using VBoxManager list usbhost, and then create a filter using the interface at guest Settings→USB.

Disk images

Convert a raw disk image such that it can be used with VirtualBox or VMware: qemu-img convert -f raw FOO.img -O vmdk FOO.vmdk (This will allow the use of an OpenWrt image such as openwrt-x86-generic-combined-ext4.img.gz if you uncompress it first.)
Create a sparse QCOW image for use with Xen: qcow-create $((1024*1024)) vm-disk.qcow

Eucalyptus

Administrative commands

Reset the password on a Eucalyptus account: euare-usermodloginprofile --as-account ACCOUNT-NAME -u admin -p "PASSWORD".
List the instances: euca-describe-instances verbose
List the security groups: euca-describe-groups verbose
List the keypairs: euca-describe-keypairs verbose
List the snapshots: euca-describe-snapshots verbose
List the volumes: euca-describe-volumes verbose

Publishing base images

Create a disk image containing an OS install; here we use fedora-37.img as an example.
With root privileges, run euca-import-volume --format raw --availability-zone ZONE --bucket fedora-37-3gb-ebs --description "Fedora 37 3 GB EBS" fedora-37.img.
Run euca-describe-conversion-tasks import-vol-ID, where ID is the value reported by the previous step.
Run euca-create-snapshot vol-ID.
Run euca-register --name "Fedora37-3GB-EBS" --snapshot snap-acef31baa17c634f0 -a x86_64 --root-device-name /dev/sda --description "Fedora 37 3 GB EBS".
Edit the image’s details, and set the access controls to “public”.

As an alternative to steps 1–4, you can snapshot an existing instance’s volume.

As written, the commands above will make an image available from within the administrator account, and the administrator can elect to mark them public and thus available to other accounts. Adding the -I ACCESS-KEY and -S SECRET-KEY arguments (and additionally the --owner-akid=ACCESS-KEY and --owner-sak=SECRET-KEY, in the case of euca-import-volume) will instead associate the image with another account. You can generate access and secret keys using Eucalyptus’s “Security Credentials” feature within the “Users” panel.

Extracting a true disk image that can be imported into other virtualization platforms

Inspect the instance to discover the volume name.
Stop the instance.
Find the instance’s volume file, which should exist in /var/lib/eucalyptus/volumes/.
Copy the volume file to a computer that has the utilities required by the remaining steps.
Associate the volume file with a loopback device by running losetup -f -P VOLUME-FILE.
Associate the loopback device with the computer’s LVM subsystem by running pvscan --cache and vgchange -ay.
Run losetup and pvdisplay and observe the links in /dev/mapper/ to identify the associations between disk images, loopback devices, physical devices, volume groups, and device mappings.
Extract the disk image using dd if=/dev/dm-N of=IMAGE, where N is the correct device number.
Make use of the disk image. It should boot in QEMU, for example. If it makes use of cloud-init, then a full virtualization suite should be able to setup SSH keys and other material after booting a virtual machine based around the disk image.

VPN

Thu, 12 Mar 2020 09:02:58 -0400

This assumes you have built an OpenVPN server as described in the Guardian document. After configuring an OpenVPN client as described below, you can start the VPN tunnel by running:

$ systemctl start openvpn-client@EXAMPLECOM

Place the CA certificate at /etc/openvpn/client/ca.pem.
Place the client host’s certificate at /etc/openvpn/client/CLIENT.EXAMPLE.COM.pem.
Place the client host’s private key at /etc/openvpn/client/CLIENT.EXAMPLE.COM.key.
Run chmod 600 /etc/openvpn/client/CLIENT.EXAMPLE.COM.key.
Write the following files:

/etc/openvpn/client/EXAMPLECOM.conf:

dev tun
txqueuelen 1000
proto udp
verb 3
ca /etc/openvpn/client/ca.pem
cert /etc/openvpn/client/CLIENT.EXAMPLE.COM.pem
key /etc/openvpn/client/CLIENT.EXAMPLE.COM.key
persist-tun
persist-key
client
remote-cert-tls server
remote guardian.EXAMPLE.COM 1194
script-security 2
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

/etc/openvpn/client/client.up (See Red Hat bug #1381413):

#!/bin/sh

# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
# Licensed under the GPL version 2

# First version by Jesse Adelman
# someone at boldandbusted dink com
# http://www.boldandbusted.com/

# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
# as pulled down from an OpenVPN server.

# INSTALL NOTES:
# Place this in /etc/openvpn/client.up
# Then, add the following to your /etc/openvpn/&lt;clientconfig&gt;.conf:
#   client
#   up /etc/openvpn/client.up
# Next, "chmod a+x /etc/openvpn/client.up"

# USAGE NOTES:
# Note that this script is best served with the companion "client.down"
# script.

# Tested under Debian lenny with OpenVPN 2.1_rc11
# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf

# This runs with the context of the OpenVPN UID/GID 
# at the time of execution. This generally means that
# the client "up" script will run fine, but the "down" script
# will require the use of the OpenVPN "down-root" plugin
# which is in the plugins/ directory of the OpenVPN source tree

# A horrid work around, from a security perspective,
# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
# been WARNED.
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

# init variables

i=1
domains=
fopt=
ndoms=0
nns=0
nl='
'

# $foreign_option_&lt;n&gt; is something like
# "dhcp-option DOMAIN example.com" (multiple allowed)
# or
# "dhcp-option DNS 10.10.10.10" (multiple allowed)

# each DNS option becomes a "nameserver" option in resolv.conf
# if we get one DOMAIN, that becomes "domain" in resolv.conf
# if we get multiple DOMAINS, those become "search" lines in resolv.conf
# if we get no DOMAINS, then don't use either domain or search.

while true; do
  eval fopt=\$foreign_option_${i}
  [ -z "${fopt}" ] &amp;&amp; break

  case ${fopt} in
        dhcp-option\ DOMAIN\ *)
       ndoms=$((ndoms + 1))
       domains="${domains} ${fopt#dhcp-option DOMAIN }"
       ;;
        dhcp-option\ DNS\ *)
       nns=$((nns + 1))
       if [ $nns -le 3 ]; then
         dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
       else
         printf "%s\n" "Too many nameservers - ignoring after third" &gt;&amp;2
       fi
       ;;
    *)
       printf "%s\n" "Unknown option \"${fopt}\" - ignored" &gt;&amp;2
       ;;
    esac
  i=$((i + 1))
done

ds=""
if [ $ndoms -eq 1 ]; then
  ds="${nl}domain"
elif [ $ndoms -gt 1 ]; then
  ds="${nl}search"
fi

# This is the complete file - "$domains" has a leading space already
out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${ds}${domains}"

# use resolvconf if it's available
if type resolvconf &gt;/dev/null 2&gt;&amp;1; then
  printf "%s\n" "${out}" | resolvconf -p -a "${1}"
else
  # Preserve the existing resolv.conf
  if [ -e /etc/resolv.conf ] ; then
    cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
  fi
  printf "%s\n" "${out}" &gt; /etc/resolv.conf
  chmod 644 /etc/resolv.conf
fi

exit 0

/etc/openvpn/client/client.down (See Red Hat bug #1381413):

#!/bin/sh

# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
# Licensed under the GPL version 2

# First version by Jesse Adelman
# someone at boldandbusted dink com
# http://www.boldandbusted.com/

# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
# set by the companion script "client.up".

# INSTALL NOTES:
# Place this in /etc/openvpn/client.down
# Then, add the following to your /etc/openvpn/&lt;clientconfig&gt;.conf:
#   client
#   up /etc/openvpn/client.up
#   down /etc/openvpn/client.down
# Next, "chmod a+x /etc/openvpn/client.down"

# USAGE NOTES:
# Note that this script is best served with the companion "client.up"
# script.

# Tested under Debian lenny with OpenVPN 2.1_rc11
# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf

# This runs with the context of the OpenVPN UID/GID 
# at the time of execution. This generally means that
# the client "up" script will run fine, but the "down" script
# will require the use of the OpenVPN "down-root" plugin
# which is in the plugins/ directory of the OpenVPN source tree

# A horrid work around, from a security perspective,
# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
# been WARNED.
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

if type resolvconf &gt;/dev/null 2&gt;&amp;1; then
  resolvconf -d "${1}" -f
elif [ -e /etc/resolv.conf.ovpnsave ] ; then
  # cp + rm rather than mv in case it's a symlink
  cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
  rm -f /etc/resolv.conf.ovpnsave
fi

exit 0

WebDAV, CalDAV, and CardDAV

Thu, 12 Mar 2020 09:02:58 -0400

We at Flyn Computing share our calendars and contacts using NextCloud and the CalDAV and CardDAV protocols. The following notes demonstrate the key parts of how to configure a selection of clients to use these services. You should also replace name with your calendar/address book name and password with your password. (We assume that NextCloud exists at the URL https://www.flyn.org/share/, but you could replace this portion of the examples below if you wish to use an NextCloud-based service hosted elsewhere.)

Apple iOS (Settings→Passwords & Accounts→Add Account→Other→Add CalDAV Account)

Replace name and password:

Server: https://www.flyn.org/share/remote.php/dav/principals/users/name/
User Name: name
Password: password
Description: Human-friendly description

Android

These directions require the DAVx⁵ app, which is available from the Android app store. Selecting the app will present a configuration dialog that you should fill out as described below. The native calendar and contact apps will display shared data after you have configured DAVx⁵. Replace name and password:

Base URL: https://www.flyn.org/share/remote.php/dav/
Email address: name
Password: password

Apple iCal 5.0.3

Replace name:

Server Address: www.flyn.org
Server Path: /share/remote.php/dav/principals/users/name/
Use SSL: checked

GNOME (gnome-control-center→Online Accounts)

Replace name and password:

Server: https://www.flyn.org/share/
Username: name
Password: password

vdirsyncer

Replace name and password:

url: https://www.flyn.org/share/remote.php/dav/
auth: basic
username: name
password: password

Wiping devices

Thu, 12 Mar 2020 09:02:58 -0400

These instructions document how to wipe the data from various devices.

Android

Plug the phone in so that it does not loose power during this process.
Reset the device by selecting Settings→Backup→Factory data reset.
When the phone restarts, follow the initialization steps, skipping the ones that are not required. Elect to associate a password with the screen lock. Use a very strong password such as a sequence of random characters.
Encrypt the device by selecting Settings→Security→Encrypt phone. This will prevent someone from recovering deleted data.
Reset the device again by selecting Settings→Backup→Factory data reset.

iPad

Plug the iPad in so that it does not loose power during this process.
Reset the device by selecting Settings→General→Reset. Select Erase All Content and Settings.

Workstation

Thu, 12 Mar 2020 09:02:58 -0400

These instructions document how to configure a workstation for use with Golem and other servers. You will need two computers: the workstations itself and a build computer capable of downloading and preparing materials to install on the workstation.

Download the latest Fedora installer.
Attach a USB thumb drive to the build computer. Run dmesg and observe the device name associated with the thumb drive. You should see a message which resembles [X] Attached SCSI removable disk. Here, X indicates that you can access the thumb drive through /dev/X
Copy the Fedora installer image to the thumb drive by running dd if=Fedora-Everything-netinst-x86_64-30-1.2.iso of=/dev/X with root privileges. You should replace X with the correct name.
After copying the Fedora installer image to the thumb drive, remove it from the build computer, and attach it to the workstation. Turn on the workstation.
You should soon see a screen such as this:

Fedora 30

 Install Fedora 30
 Test this media &amp; install Fedora

 Troubleshooting

Press Tab to edit the installers parameters. Append the following to the end of the configuration line: ks=https://www.flyn.org/kickstart/Fedora-30-x86_64-workstation.ks.

Eventually, the installer will present a menu that allows you to set the workstation’s root password. Press 7 and enter a password of your choosing twice.
Enter b to begin the installation.
Reboot the workstation after the installation completes.

XMPP

Thu, 12 Mar 2020 09:02:58 -0400

Description of Empathy components

Description	RFC	Software
Debugging		empathy-debugger
Call management		(libexec) empathy-call
Streaming		farstream
NAT traversal	5245	libnice

Relevant bugs

Patches

A kludge which allows the use of libnice on an OpenVPN client

Debugging

Debug empathy-call, which establishes audio and video calls: G_MESSAGES_DEBUG=libnice,libnice-stun,libnice-nice-verbose EMPATHY_PERSIST=1 /usr/libexec/empathy-call

Zombie

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Zombie, a PXE and other protocol boot server. Zombie runs on commodity router hardware and provides a number of features:

PXE boot server

We build Zombie on top of OpenWrt because of the distribution’s simplicity and small size. Zombie is made up of roughly 80 packages, and its programs and configurations take up less than 125 MB of storage space. Here we assume that Zombie will run within the confines of a Xen hypervisor.

Establish the Zombie VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Zombie:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/zombie-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Write the following at /etc/xen/vm-zombie.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "zombie"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/herald-lede-17.01.1-x86-64-combined-ext4.img ,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on Zombie:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
	kmod-ppp \
	kmod-pppoe \
	kmod-pppox \
	kmod-r8169 \
	logd \
	luci-app-firewall \
	luci-lib-ip \
	luci-lib-jsonc \
	luci-lib-nixio \
	luci-proto-ipv6 \
	luci-proto-ppp \
	luci-theme-bootstrap \
	luci-mod-admin-full \
	luci-base \
	luci \
	mtd \
	odhcpd-ipv6only \
	ppp \
	ppp-mod-pppoe \
	r8169-firmware \
	uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
        freifunk-watchdog \
	syslog-ng

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring TFTP

Here we describe how to configure dnsmasq to provide a TFTP service.

/etc/config/dhcp:

config dnsmasq
	option enable_tftp	1
	option tftp_root	/usr/libexec/tftpboot
	option localservice	1

config dhcp lan
	option ignore		1

Create the directory /usr/libexec/tftpboot/pxelinux/bios/.
Install the syslinux package on a Fedora host, and copy the files /usr/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,pxelinux.0,vesamenu.c32} to /usr/libexec/tftpboot/pxelinux/bios/ on Zombie.
usr/libexec/tftpboot/pxelinux/bios/pxelinux.cfg/default:

default vesamenu.c32
prompt 1
timeout 600

display boot.msg

label linux
	menu label ^Install or upgrade an existing system
	menu default
	kernel vmlinuz
	append initrd=initrd.img inst.repo=https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/ inst.ks=https://www.flyn.org/kickstart/Fedora-35-x86_64-workstation.ks

Create the directory /usr/libexec/tftpboot/pxelinux/efi/.
Install the shim, grub2-efi, and grub2-efi-x64 packages on a Fedora host, and copy the file /boot/efi/EFI/fedora/shim.efi to /usr/libexec/tftpboot/pxelinux/efi/ on Zombie.
Copy the files /boot/efi/EFI/fedora/grubx64.efi to /usr/libexec/tftpboot/ on Zombie.
usr/libexec/tftpboot/grub.cfg:

function load_video {
	insmod efi_gop
	insmod efi_uga
	insmod video_bochs
	insmod video_cirrus
	insmod all_video
}

load_video
set gfxpayload=keep
insmod gzio

menuentry 'Install Fedora 64-bit'  --class fedora --class gnu-linux --class gnu --class os {
	linuxefi pxelinux/bios/vmlinuz ip=dhcp inst.repo=https://download.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/ inst.ks=https://www.flyn.org/kickstart/Fedora-35-x86_64-workstation.ks
	initrdefi pxelinux/bios/initrd.img
}

Copy https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/images/pxeboot/vmlinuz to usr/libexec/tftpboot/pxelinux/bios/vmlinuz.
Copy https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/images/pxeboot/initrd.img to usr/libexec/tftpboot/pxelinux/bios/initrd.img.

Configuring DHCP

Add the following to /etc/config/dhcp on the host that provides your network’s DHCP service (replace W.X.Y.Z and example.com with Zombie’s IP address and domain name, respectively):

config boot linux
	option serveraddress 'W.X.Y.Z'
	option servername 'zombie.example.com'
	option filename 'pxelinux/bios/pxelinux.0'

# For EFI:
# config boot linux
#	option serveraddress 'W.X.Y.Z'
#	option servername 'zombie.example.com'
#	option filename 'pxelinux/efi/shim.efi'

Notes | Flyn Computing

Terminal colors

FIDO2 and its companions

Commands that interact with a YubiKey

Web security playground

Cookie attributes

Mixed passive content

Mixed active content

HTTPS Strict Transport Security

Cross-Origin Resource Sharing (CORS)

GnuPG signing party

OpenWrt-based XMPP server

Establish the VM

Software installation

Configuring the Prosody chat server

Configure the host firewall

Configure basic system settings

ulimit

USA

Adventure

Apple

Introduction

Packages

AbiWord

Building from Source

Bugs Filed

Gnumeric

Building from Source

Bugs Filed

Building Application Bundle

Gthumb

Building from Source

Bugs Filed

Building Application Bundle

Inkscape

Building from Source

Bugs Filed

Building Application Bundle

Awesome

Beholder

Establish the Beholder VM

Software installation

Configure the firewall

Configure basic system settings

Forwarding packets to Snort host

Configuring Snort

Configuring softflowd

C

Standardizing style with the aim of aiding inspection and removing pitfalls

Catching bugs with assertions

Catching bugs with run-time unit testing

Measuring code coverage using gcov

Catching memory errors with Valgrind

Catching memory errors with GCC

Catching programming errors with American Fuzzy Lop

Static linking with the GNU linker

Certificates

Generate

Generate a CA certificate and key

Generate a self-signed certificate and key

Generate a PKCS#10 X.509 certificate signing request

Generate a “CA”-signed certificate from a certificate signing request and “CA” certificate/key

Display

Display in human-readable form the contents of a certificate in PEM format

Display in human-readable form the contents of a certificate in DER format

Display in human-readable form the contents of a certificate revocation list in DER format

Convert

Convert a PKCS#7 certificate into a X.509 certificate

Convert a certificate and private key into a PKCS#12 file

DoD Common Access Card and other smartcards on Unix

Fedora

Prerequisites

DoD Common Access Card

Firefox

PAM

GnuPG

PIVKey C910

Smart-card-related GnuPG commands

Domain Controller

Base UNIX Domain Controller