major.io - Words of wisdom from a Linux engineer focused on information security

Apply the STIG to even more operating systems with ansible-hardening

July 21, 2017 By Major Hayden Leave a Comment

Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month. The role has a new name, new documentation and extra tests.

The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.

These controls are now applied to an even wider variety of Linux distributions:

CentOS 7
Debian 8 Jessie (new for Pike)
Fedora 25 (new for Pike)
openSUSE Leap 42.2+ (new for Pike)
Red Hat Enterprise Linux 7
SUSE Linux Enterprise 12 (new for Pike)
Ubuntu 14.04 Trusty
Ubuntu 16.04 Xenial

Any patches to the ansible-hardening role are tested against all of these operating systems (except RHEL 7 and SUSE Linux Enterprise). Support for openSUSE testing landed this week.

Work is underway to put the finishing touches on the master branch before the Pike release and we need your help!

If you have any of these operating systems deployed, please test the role on your systems! This is pre-release software, so it’s best to apply it only to a new server. Read the “Getting Started” documentation to get started with ansible-galaxy or git.

Photo credit: Wikipedia

Customize LDAP autocompletion format in Thunderbird

July 18, 2017 By Major Hayden Leave a Comment

Thunderbird can connect to an LDAP server and autocomplete email addresses as you type, but it needs some adjustment for some LDAP servers. One of the LDAP servers that I use regularly returns email addresses like this in the thunderbird interface:

username <firstname.lastname@domain.tld>

1	username <firstname.lastname@domain.tld>

The email address looks fine, but I’d much rather have the person’s full name instead of the username. Here’s what I’m looking for:

Firstname Lastname <firstname.lastname@domain.tld>

1	Firstname Lastname <firstname.lastname@domain.tld>

In older Thunderbird versions, setting ldap_2.servers.SERVER_NAME.autoComplete.nameFormat to displayName was enough. However, this option isn’t used in recent versions of Thunderbird.

Digging in

After a fair amount of searching the Thunderbird source code with awk, I found a mention of DisplayName in nsAbLDAPAutoCompleteSearch.js that looked promising:

      // Create a minimal map just for the display name and primary email.
      this._attributes =
        Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]
                  .createInstance(Components.interfaces.nsIAbLDAPAttributeMap);
      this._attributes.setAttributeList("DisplayName",
        this._book.attributeMap.getAttributeList("DisplayName", {}), true);
      this._attributes.setAttributeList("PrimaryEmail",
        this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);
    }

// Create a minimal map just for the display name and primary email.

this._attributes =

Components.classes["@mozilla.org/addressbook/ldap-attribute-map;1"]

.createInstance(Components.interfaces.nsIAbLDAPAttributeMap);

this._attributes.setAttributeList("DisplayName",

this._book.attributeMap.getAttributeList("DisplayName", {}), true);

this._attributes.setAttributeList("PrimaryEmail",

this._book.attributeMap.getAttributeList("PrimaryEmail", {}), true);

}

Something is unusual here. The LDAP field is called displayName, but this attribute is called DisplayName (note the capitalization of the D). Just before that line, I see a lookup in an attributes map of some sort. There may be a configuration option that is called DisplayName.

In Thunderbird, I selected Edit > Preferences. I clicked the Advanced tab and then Config Editor. A quick search for DisplayName revealed an interesting configuration option:

ldap_2.servers.default.attrmap.DisplayName: cn,commonname

1	ldap_2.servers.default.attrmap.DisplayName: cn,commonname

Fixing it

That’s the problem! This needs to map to displayName in my case, and not cn,commonname (which returns a user’s username). There are two different ways to fix this:

# Change it for just one LDAP server
ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName
# Change it for all LDAP servers by default (careful)
ldap_2.servers.default.attrmap.DisplayName: displayName

# Change it for just one LDAP server

ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName

# Change it for all LDAP servers by default (careful)

ldap_2.servers.default.attrmap.DisplayName: displayName

After making the change, quit Thunderbird and relaunch it. Compose a new email and start typing in the email address field. The user’s first and last name should appear!

Old role, new name: ansible-hardening

June 27, 2017 By Major Hayden 2 Comments

The interest in the openstack-ansible-security role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role. Some users were unsure if they needed to use the role in an OpenStack cloud or if the OpenStack-Ansible project was required.

The role works everywhere — OpenStack cloud or not. I started a mailing list thread on the topic and we eventually settled on a new name: ansible-hardening! The updated documentation is already available.

The old openstack-ansible-security role is being retired and it will not receive any additional updates. Moving to the new role is easy:

Install ansible-hardening with ansible-galaxy (or git clone)
Change your playbooks to use the ansible-hardening role

There’s no need to change any variable names or tags — they are all kept the same in the new role.

As always, if you have questions or comments about the role, drop by #openstack-ansible on Freenode IRC or open a bug in Launchpad.

Enable AppArmor on a Debian Jessie cloud image

May 24, 2017 By Major Hayden 2 Comments

I merged some initial Debian support into the openstack-ansible-security role and ran into an issue enabling AppArmor. The apparmor service failed to start and I found this output in the system journal:

kernel: AppArmor: AppArmor disabled by boot time parameter

1	kernel: AppArmor: AppArmor disabled by boot time parameter

Digging in

That was unexpected. I was using the Debian jessie cloud image and it uses extlinux as the bootloader. The file didn’t reference AppArmor at all:

# cat /boot/extlinux/extlinux.conf 
default linux
timeout 1
label linux
kernel boot/vmlinuz-3.16.0-4-amd64
append initrd=boot/initrd.img-3.16.0-4-amd64 root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet

# cat /boot/extlinux/extlinux.conf

default linux

timeout 1

label linux

kernel boot/vmlinuz-3.16.0-4-amd64

append initrd=boot/initrd.img-3.16.0-4-amd64 root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet

I learned that AppArmor is disabled by default in Debian unless you explicitly enable it. In contrast, SELinux is enabled unless you turn it off. To make matters worse, Debian’s cloud image doesn’t have any facilities or scripts to automatically update the extlinux configuration file when new kernels are installed.

Making a repeatable fix

My two goals here were to:

Ensure AppArmor is enabled on the next boot
Ensure that AppArmor remains enabled when new kernels are installed

The first step is to install grub2:

apt-get -y install grub2

1	apt-get -y install grub2

During the installation, a package configuration window will appear that asks about where grub should be installed. I selected /dev/vda from the list and waited for apt to finish the package installation.

The next step is to edit /etc/default/grub and add in the AppArmor configuration. Adjust the GRUB_CMDLINE_LINUX_DEFAULT line to look like the one below:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
GRUB_CMDLINE_LINUX=""

GRUB_DEFAULT=0

GRUB_TIMEOUT=5

GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"

GRUB_CMDLINE_LINUX=""

Ensure that the required AppArmor packages are installed:

apt-get -y install apparmor apparmor-profiles apparmor-utils

1	apt-get -y install apparmor apparmor-profiles apparmor-utils

Enable the AppArmor service upon reboot:

systemctl enable apparmor

1	systemctl enable apparmor

Run update-grub and reboot. After the reboot, run apparmor_status and you should see lots of AppArmor profiles loaded:

# apparmor_status 
apparmor module is loaded.
38 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
35 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

# apparmor_status

apparmor module is loaded.

38 profiles are loaded.

3 profiles are in enforce mode.

/usr/lib/chromium-browser/chromium-browser//browser_java

/usr/lib/chromium-browser/chromium-browser//browser_openjdk

/usr/lib/chromium-browser/chromium-browser//sanitized_helper

35 profiles are in complain mode.

/sbin/klogd

/sbin/syslog-ng

/sbin/syslogd

/usr/lib/chromium-browser/chromium-browser

/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox

/usr/lib/chromium-browser/chromium-browser//lsb_release

/usr/lib/chromium-browser/chromium-browser//xdgsettings

/usr/lib/dovecot/anvil

/usr/lib/dovecot/auth

/usr/lib/dovecot/config

/usr/lib/dovecot/deliver

/usr/lib/dovecot/dict

/usr/lib/dovecot/dovecot-auth

/usr/lib/dovecot/dovecot-lda

/usr/lib/dovecot/imap

/usr/lib/dovecot/imap-login

/usr/lib/dovecot/lmtp

/usr/lib/dovecot/log

/usr/lib/dovecot/managesieve

/usr/lib/dovecot/managesieve-login

/usr/lib/dovecot/pop3

/usr/lib/dovecot/pop3-login

/usr/lib/dovecot/ssl-params

/usr/sbin/avahi-daemon

/usr/sbin/dnsmasq

/usr/sbin/dovecot

/usr/sbin/identd

/usr/sbin/mdnsd

/usr/sbin/nmbd

/usr/sbin/nscd

/usr/sbin/smbd

/usr/sbin/smbldap-useradd

/usr/sbin/smbldap-useradd///etc/init.d/nscd

/usr/{sbin/traceroute,bin/traceroute.db}

/{usr/,}bin/ping

0 processes have profiles defined.

0 processes are in enforce mode.

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.

Final thoughts

I’m still unsure about why AppArmor is disabled by default. There aren’t that many profiles shipped by default (38 on my freshly installed jessie system versus 417 SELinux policies in Fedora 25) and many of them affect services that wouldn’t cause significant disruptions on the system.

There is a discussion that ended last year around how to automate the AppArmor enablement process when the AppArmor packages are installed. This would be a great first step to make the process easier, but it would probably make more sense to take the step of enabling it by default.

Photo credit: Max Pixel

Fixing OpenStack noVNC consoles that ignore keyboard input

May 18, 2017 By Major Hayden Leave a Comment

I opened up a noVNC console to a virtual machine today in my OpenStack cloud but found that the console wouldn’t take keyboard input. The Send Ctrl-Alt-Del button in the top right of the window worked just fine, but I couldn’t type anywhere in the console. This happened on an Ocata OpenStack cloud deployed with OpenStack-Ansible on CentOS 7.

Test the network path

The network path to the console is a little deep for this deployment, but here’s a quick explanation:

My laptop connects to HAProxy
HAProxy sends the traffic to the nova-novncproxy service
nova-novncproxy connects to the correct VNC port on the right hypervisor

If all of that works, I get a working console! I knew the network path was set up correctly because I could see the console in my browser.

My next troubleshooting step was to dump network traffic with tcpdump on the hypervisor itself. I dumped the traffic on port 5900 (which was the VNC port for this particular instance) and watched the output. Whenever I wiggled the mouse over the noVNC console in my browser, I saw a flurry of network traffic. The same thing happened if I punched lots of keys on the keyboard. At this point, it was clear that the keyboard input was making it to the hypervisor, but it wasn’t being handled correctly.

Test the console

Next, I opened up virt-manager, connected to the hypervisor, and opened a connection to the instance. The keyboard input worked fine there. I opened up remmina and connected via plain old VNC. The keyboard input worked fine there, too!