major.io - Page 3 of 145 - Words of wisdom from a Linux engineer focused on information security

What I’m looking forward to at IBM Interconnect 2017

February 23, 2017 By Major Hayden 1 Comment

IBM Interconnect 2017 is coming up next month in Las Vegas. Last year’s conference was a whirlwind of useful talks, inspiring hallway conversations, and great networking opportunities. I was exhausted by the week’s end, but it was totally worth it.

One of my favorite sessions from last year was Tanmay Bakshi’s keynote. It was truly inspiring to see someone so young take command of such a large stage and teach us all something. I can’t wait to hear another of his talks.

Open Technology Summit (OTS)

This year, I’m interested to see the talks at the Open Technology Summit. It’s essentially a group of lightning talks from industry experts on a variety of topics. This year’s agenda has talks on OpenStack, Cloud Foundry, Blockchain, and others. Although the event is three hours long, it feels a lot shorter than that since each talk is anywhere from 10-20 minutes long.

The OTS starts on Sunday afternoon, so be sure to arrive in Las Vegas early enough to attend.

Security

Information security is always an interesting topic and I have my eye on the following sessions:

Watson & Cyber Security: Bringing AI to the Battle (it should be interesting to hear how machine learning can change the game)
Transforming Security Organizations: Case Studies and Lessons Learned (I’m always interested in new ways to improve security outside of the systems themselves)
Turning Traffic Lights Green: Defense and National Security in Cyberspace

IT Transformation

The Austin Convention Center Gets Agile in the Cloud (hearing the ‘how’ and ‘why’ about customers moving into cloud is valuable)

Open Source

Working in Open Communities is the Next Differentiator for Your Solution (Walmart has done a lot in this space and I’m eager to learn more)
Linux on the Mainframe: Linux Foundation and the Open Mainframe Project
Open Cloud Demystified: Open Source Leaders Tell All

I hope to see you there!

Photo credit: By Ronnie Macdonald from Chelmsford, United Kingdom (Mandalay Bay) [CC BY 2.0], via Wikimedia Commons

systemd-networkd on Ubuntu 16.04 LTS (Xenial)

January 15, 2017 By Major Hayden 2 Comments

My OpenStack cloud depends on Ubuntu, and the latest release of OpenStack-Ansible (what I use to deploy OpenStack) requires Ubuntu 16.04 at a minimum. I tried upgrading the servers in place from Ubuntu 14.04 to 16.04, but that didn’t work so well. Those servers wouldn’t boot and the only recourse was a re-install.

Once I finished re-installing them (and wrestling with several installer bugs in Ubuntu 16.04), it was time to set up networking. The traditional network configurations in /etc/network/interfaces are fine, but they weren’t working the same way they were in 14.04. The VLAN configuration syntax appears to be different now.

But wait — 16.04 has systemd 229! I can use systemd-networkd to configure the network in a way that is a lot more familiar to me. I’ve made posts about systemd-networkd before and the simplicity in the configurations.

I started with some simple configurations:

root@hydrogen:~# cd /etc/systemd/network
root@hydrogen:/etc/systemd/network# cat enp3s0.network 
[Match]
Name=enp3s0

[Network]
VLAN=vlan10
root@hydrogen:/etc/systemd/network# cat vlan10.netdev 
[NetDev]
Name=vlan10
Kind=vlan

[VLAN]
Id=10
root@hydrogen:/etc/systemd/network# cat vlan10.network 
[Match]
Name=vlan10

[Network]
Bridge=br-mgmt
root@hydrogen:/etc/systemd/network# cat br-mgmt.netdev 
[NetDev]
Name=br-mgmt
Kind=bridge
root@hydrogen:/etc/systemd/network# cat br-mgmt.network 
[Match]
Name=br-mgmt

[Network]
Address=172.29.236.21/22

root@hydrogen:~# cd /etc/systemd/network

root@hydrogen:/etc/systemd/network# cat enp3s0.network

[Match]

Name=enp3s0

[Network]

VLAN=vlan10

root@hydrogen:/etc/systemd/network# cat vlan10.netdev

[NetDev]

Name=vlan10

Kind=vlan

[VLAN]

Id=10

root@hydrogen:/etc/systemd/network# cat vlan10.network

[Match]

Name=vlan10

[Network]

Bridge=br-mgmt

root@hydrogen:/etc/systemd/network# cat br-mgmt.netdev

[NetDev]

Name=br-mgmt

Kind=bridge

root@hydrogen:/etc/systemd/network# cat br-mgmt.network

[Match]

Name=br-mgmt

[Network]

Address=172.29.236.21/22

Here’s a summary of the configurations:

Physical network interface is enp3s0
VLAN 10 is trunked down from a switch to that interface
Bridge br-mgmt should be on VLAN 10 (only send/receive traffic tagged with VLAN 10)

Once that was done, I restarted systemd-networkd to put the change into effect:

# systemctl restart systemd-networkd

1	# systemctl restart systemd-networkd

Great! Let’s check our work:

root@hydrogen:~# brctl show
bridge name bridge id       STP enabled interfaces
br-mgmt     8000.0a30a9a949d9   no      
root@hydrogen:~# networkctl
IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           carrier     unmanaged 
  2 enp2s0           ether              routable    configured
  3 enp3s0           ether              degraded    configured
  4 enp4s0           ether              off         unmanaged 
  5 enp5s0           ether              off         unmanaged 
  6 br-mgmt          ether              no-carrier  configuring
  7 vlan10           ether              degraded    unmanaged 

7 links listed.

root@hydrogen:~# brctl show

bridge name bridge id STP enabled interfaces

br-mgmt 8000.0a30a9a949d9 no

root@hydrogen:~# networkctl

IDX LINK TYPE OPERATIONAL SETUP

1 lo loopback carrier unmanaged

2 enp2s0 ether routable configured

3 enp3s0 ether degraded configured

4 enp4s0 ether off unmanaged

5 enp5s0 ether off unmanaged

6 br-mgmt ether no-carrier configuring

7 vlan10 ether degraded unmanaged

7 links listed.

So the bridge has no interfaces and it’s in a no-carrier status. Why? Let’s check the journal:

# journalctl --boot -u systemd-networkd
Jan 15 09:16:46 hydrogen systemd[1]: Started Network Service.
Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: netdev exists, using existing without changing its parameters
Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: Could not append VLANs: Operation not permitted
Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: Failed to assign VLANs to bridge port: Operation not permitted
Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: Could not set bridge vlan: Operation not permitted
Jan 15 09:16:59 hydrogen systemd-networkd[1903]: enp3s0: Configured
Jan 15 09:16:59 hydrogen systemd-networkd[1903]: enp2s0: Configured

# journalctl --boot -u systemd-networkd

Jan 15 09:16:46 hydrogen systemd[1]: Started Network Service.

Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: netdev exists, using existing without changing its parameters

Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: Could not append VLANs: Operation not permitted

Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: Failed to assign VLANs to bridge port: Operation not permitted

Jan 15 09:16:46 hydrogen systemd-networkd[1903]: br-mgmt: Could not set bridge vlan: Operation not permitted

Jan 15 09:16:59 hydrogen systemd-networkd[1903]: enp3s0: Configured

Jan 15 09:16:59 hydrogen systemd-networkd[1903]: enp2s0: Configured

The Could not append VLANs: Operation not permitted error is puzzling. After some searching on Google, I found a thread from Lennart:

> After an upgrade, systemd-networkd is broken, exactly the way descibed
> in this issue #3876[0]

Please upgrade to 231, where this should be fixed.

Lennart

> After an upgrade, systemd-networkd is broken, exactly the way descibed

> in this issue #3876[0]

Please upgrade to 231, where this should be fixed.

Lennart

But Ubuntu 16.04 has systemd 229:

# dpkg -l | grep systemd
ii  libpam-systemd:amd64                229-4ubuntu13                      amd64        system and service manager - PAM module
ii  libsystemd0:amd64                   229-4ubuntu13                      amd64        systemd utility library
ii  python3-systemd                     231-2build1                        amd64        Python 3 bindings for systemd
ii  systemd                             229-4ubuntu13                      amd64        system and service manager
ii  systemd-sysv                        229-4ubuntu13                      amd64        system and service manager - SysV links

# dpkg -l | grep systemd

ii libpam-systemd:amd64 229-4ubuntu13 amd64 system and service manager - PAM module

ii libsystemd0:amd64 229-4ubuntu13 amd64 systemd utility library

ii python3-systemd 231-2build1 amd64 Python 3 bindings for systemd

ii systemd 229-4ubuntu13 amd64 system and service manager

ii systemd-sysv 229-4ubuntu13 amd64 system and service manager - SysV links

I haven’t found a solution for this quite yet. Keep an eye on this post and I’ll update it once I know more!

ICC color profile for Lenovo ThinkPad X1 Carbon 4th generation

January 11, 2017 By Major Hayden 3 Comments

My new ThinkPad arrived this week and it is working well! The Fedora 25 installation was easy and all of the hardware was recognized immediately.

Hooray! pic.twitter.com/OiPSHREMLo

— Major Hayden (@majorhayden) January 9, 2017

However, there was a downside. The display looked washed out and had a strange tint. It seemed to be more pale than the previous ThinkPad. The default ICC profile in GNOME didn’t help much.

There’s a helpful review over at NotebookCheck that has a link to an ICC profile generated from a 4th generation ThinkPad X1 Carbon. This profile was marginally better than GNOME’s default, but it still looked a bit more washed out than what it should be.

I picked up a ColorMunki Display and went through a fast calibration in GNOME’s Color Manager. The low quality run finished in under 10 minutes and the improvement was definitely noticeable. Colors look much deeper and less washed out. The display looks very similar to the previous generation ThinkPad X1 Carbon.

Feel free to give my ICC profile a try on your 4th generation X1 and let me know what you think!

Lenovo_ThinkPad_X1_Carbon_4th_2017-01-11_mhayden.icc

Display auditd messages with journalctl

January 5, 2017 By Major Hayden 4 Comments

All systems running systemd come with a powerful tool for reviewing the system journal: journalctl. It allows you to get a quick look at the system journal while also allowing you to heavily customize your view of the log.

I logged into a server recently that was having a problem and I found that the audit logs weren’t going into syslog. That’s no problem — they’re in the system journal. The system journal was filled with tons of other messages, so I decided to limit the output only to messages from the auditd unit:

$ sudo journalctl -u auditd --boot
-- Logs begin at Thu 2015-11-05 09:20:01 CST, end at Thu 2017-01-05 09:38:49 CST. --
Jan 05 07:47:04 arsenic systemd[1]: Starting Security Auditing Service...
Jan 05 07:47:04 arsenic auditd[937]: Started dispatcher: /sbin/audispd pid: 949
Jan 05 07:47:04 arsenic audispd[949]: priority_boost_parser called with: 4
Jan 05 07:47:04 arsenic audispd[949]: max_restarts_parser called with: 10
Jan 05 07:47:04 arsenic audispd[949]: audispd initialized with q_depth=150 and 1 active plugins
Jan 05 07:47:04 arsenic augenrules[938]: /sbin/augenrules: No change
Jan 05 07:47:04 arsenic augenrules[938]: No rules
Jan 05 07:47:04 arsenic auditd[937]: Init complete, auditd 2.7 listening for events (startup state enable)
Jan 05 07:47:04 arsenic systemd[1]: Started Security Auditing Service.

$ sudo journalctl -u auditd --boot

-- Logs begin at Thu 2015-11-05 09:20:01 CST, end at Thu 2017-01-05 09:38:49 CST. --

Jan 05 07:47:04 arsenic systemd[1]: Starting Security Auditing Service...

Jan 05 07:47:04 arsenic auditd[937]: Started dispatcher: /sbin/audispd pid: 949

Jan 05 07:47:04 arsenic audispd[949]: priority_boost_parser called with: 4

Jan 05 07:47:04 arsenic audispd[949]: max_restarts_parser called with: 10

Jan 05 07:47:04 arsenic audispd[949]: audispd initialized with q_depth=150 and 1 active plugins

Jan 05 07:47:04 arsenic augenrules[938]: /sbin/augenrules: No change

Jan 05 07:47:04 arsenic augenrules[938]: No rules

Jan 05 07:47:04 arsenic auditd[937]: Init complete, auditd 2.7 listening for events (startup state enable)

Jan 05 07:47:04 arsenic systemd[1]: Started Security Auditing Service.

This isn’t helpful. I’m seeing messages about the auditd daemon itself. I want the actual output from the audit rules.

Then I remembered: the kernel is the one that sends messages about audit rules to the system journal. Let’s just look at what’s coming from the kernel instead:

$ sudo journalctl -k --boot
-- Logs begin at Thu 2015-11-05 09:20:01 CST, end at Thu 2017-01-05 09:40:44 CST. --
Jan 05 07:46:47 arsenic kernel: Linux version 4.8.15-300.fc25.x86_64 (mockbuild@bkernel01.phx2.fedoraproject.org) (gcc version 6.2.1 20160916 (Red Hat 6.2.1-2
Jan 05 07:46:47 arsenic kernel: Command line: BOOT_IMAGE=/vmlinuz-4.8.15-300.fc25.x86_64 root=/dev/mapper/luks-e... ro rd.luks
Jan 05 07:46:47 arsenic kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Jan 05 07:46:47 arsenic kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jan 05 07:46:47 arsenic kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Jan 05 07:46:47 arsenic kernel: x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256

$ sudo journalctl -k --boot

-- Logs begin at Thu 2015-11-05 09:20:01 CST, end at Thu 2017-01-05 09:40:44 CST. --

Jan 05 07:46:47 arsenic kernel: Linux version 4.8.15-300.fc25.x86_64 (mockbuild@bkernel01.phx2.fedoraproject.org) (gcc version 6.2.1 20160916 (Red Hat 6.2.1-2

Jan 05 07:46:47 arsenic kernel: Command line: BOOT_IMAGE=/vmlinuz-4.8.15-300.fc25.x86_64 root=/dev/mapper/luks-e... ro rd.luks

Jan 05 07:46:47 arsenic kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'

Jan 05 07:46:47 arsenic kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'

Jan 05 07:46:47 arsenic kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'

Jan 05 07:46:47 arsenic kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256

This is worse! Luckily, the system journal keeps a lot more data about what it receives than just the text of the log line. We can dig into that extra data with the verbose option:

$ sudo journalctl --boot -o verbose

1	$ sudo journalctl --boot -o verbose

After running that command, search for one of the audit log lines in the output:

    _UID=0
    _BOOT_ID=...
    _MACHINE_ID=...
    _HOSTNAME=arsenic
    _TRANSPORT=audit
    SYSLOG_FACILITY=4
    SYSLOG_IDENTIFIER=audit
    AUDIT_FIELD_HOSTNAME=?
    AUDIT_FIELD_ADDR=?
    AUDIT_FIELD_RES=success
    _AUDIT_TYPE=1105
    AUDIT_FIELD_OP=PAM:session_open
    _SELINUX_CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    _AUDIT_LOGINUID=1000
    _AUDIT_SESSION=3
    AUDIT_FIELD_ACCT=root
    AUDIT_FIELD_EXE=/usr/bin/sudo
    AUDIT_FIELD_GRANTORS=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix
    AUDIT_FIELD_TERMINAL=/dev/pts/4
    _PID=2666
    _SOURCE_REALTIME_TIMESTAMP=1483631103122000
    _AUDIT_ID=385
    MESSAGE=USER_START pid=2666 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'

_UID=0

_BOOT_ID=...

_MACHINE_ID=...

_HOSTNAME=arsenic

_TRANSPORT=audit

SYSLOG_FACILITY=4

SYSLOG_IDENTIFIER=audit

AUDIT_FIELD_HOSTNAME=?

AUDIT_FIELD_ADDR=?

AUDIT_FIELD_RES=success

_AUDIT_TYPE=1105

AUDIT_FIELD_OP=PAM:session_open

_SELINUX_CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

_AUDIT_LOGINUID=1000

_AUDIT_SESSION=3

AUDIT_FIELD_ACCT=root

AUDIT_FIELD_EXE=/usr/bin/sudo

AUDIT_FIELD_GRANTORS=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix

AUDIT_FIELD_TERMINAL=/dev/pts/4

_PID=2666

_SOURCE_REALTIME_TIMESTAMP=1483631103122000

_AUDIT_ID=385

MESSAGE=USER_START pid=2666 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'

One of the identifiers we can use is _TRANSPORT=audit. Let’s pass that to journalctl and see what we get:

$ sudo journalctl --boot _TRANSPORT=audit
-- Logs begin at Thu 2015-11-05 09:20:01 CST. --
Jan 05 09:47:24 arsenic audit[3028]: USER_END pid=3028 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
... more log lines snipped ...

$ sudo journalctl --boot _TRANSPORT=audit

-- Logs begin at Thu 2015-11-05 09:20:01 CST. --

Jan 05 09:47:24 arsenic audit[3028]: USER_END pid=3028 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'

... more log lines snipped ...

Success! You can get live output of the audit logs by tailing the output:

sudo journalctl -af _TRANSPORT=audit

1	sudo journalctl -af _TRANSPORT=audit

For more details on journalctl, refer to the online documentation.

augenrules fails with “rule exists” when loading rules into auditd

January 3, 2017 By Major Hayden 2 Comments

When I came back from the holiday break, I found that the openstack-ansible-security role wasn’t passing tests any longer. The Ansible playbook stopped when augenrules ran to load the new audit rules. The error wasn’t terribly helpful:

/usr/sbin/augenrules: No change
Error sending add rule data request (Rule exists)
There was an error in line 5 of /etc/audit/audit.rules

/usr/sbin/augenrules: No change

Error sending add rule data request (Rule exists)

There was an error in line 5 of /etc/audit/audit.rules

A duplicated rule?

I’ve been working on lots of changes to implement the Red Hat Enterprise Linux 7 Security Technical Implementation Guide (STIG) and I assumed I put in the same rule twice with an errant copy and paste.

That wasn’t the case. I checked the input rule file in /etc/audit/rules.d/ and found that all of the rules were unique.

Is something missing?

The augenrules command works by taking files from /etc/audit/rules.d/ and joining them together into /etc/audit/audit.rules. Based on the output from augenrules, the rule file checks out fine and it determined that the existing rule doesn’t need to be updated. However, augenrules is still unable to load the new rules into auditd.

I decided to check the first several lines of /etc/audit/rules.d/ to see if line 5 had a problem:

## This file is automatically generated from /etc/audit/rules.d


-f 1
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513

## This file is automatically generated from /etc/audit/rules.d

-f 1

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513

Two things looked strange to me:

Line 5 is correct and it is unique
Why are lines 2 and 3 blank?

I checked another CentOS 7 server and found the following in lines 2 and 3:

-D
-b 320

-D

-b 320

The -D deletes all previously loaded rules and -b increases the buffer size for busy periods. My rules weren’t loading properly because the -D was missing! Those two lines normally come from /etc/audit/rules.d/audit.rules, but that default file was not present.

Here’s what was going wrong:

augenrules read rules from rules.d/
augenrules found that the rules in rules.d/ were already in the main audit.rules file and didn’t need to be updated
augenrules attempted to load the rules into auditd, but that failed
auditd was rejecting the rules because at least one of them (line 5) already existed in the running rule set

All of this happened because the -D wasn’t handled first before new rules were loaded.

Fixing it

I decided to add the -D line explicitly in my rules file within rules.d/ to catch those situations when the audit.rules default file is missing. The augenrules command ensures that the line appears at the top of the rules when they are loaded into auditd.