Posts

Showing posts with the label security

Red Hat Addresses Critical Firefox Vulnerability

On April 26th, 2016, Red Hat 5, 6, and 7 along with its community-supported counterpart CentOS have released a major new Firefox upgrade to address a number of Critical vulnerabilities in the Extend Support Release (ESR) version of Mozilla's browser software.  The version number jumps to 45 from the current 38.  According to the Security Advisory, Mozilla reported that the Firefox version available for Enterprise Linux distributions--i.e. 38.8--could allow
 "A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
(CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2814)"
Upstream, Mozilla's Security Advosories page for the Extended Support Release (ESR) of Firefox tracks this issue and has some relevant links for the different vulnerabilities addressed by this major update.

firefox-45.1.0-1.el7_2.src.rpm

Buffer Overflow in libstagefright  First, the…

LUKS Encryption and Unattended boot on Headless Servers

The anaconda installer on Redhat-based Linux distributions provides the user with an option to encrypt the /home partition by selecting a simple check-box. This adds an obviously valuable security/privacy feature to the system if it's selected. Consequently, this prompts the user for a password during the boot process, which then decrypts the partition and mounts it in the designated location on the filesystem. The default behaviour is not very well suited for unattended reboots or on headless servers. The crypttab(5) manual page provides great information on how to facilitate the process for unattended boots: DESCRIPTION
The /etc/crypttab file describes encrypted block devices that are set up during system boot.

Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two …

SELinux Failure after Fedora22 Upgrade

SELinux got somehow mangled during upgrade process from Fedora21 -> Fedora22. Some of the modules were changed between the versions and as a result my SELinux "system" is borked. It'd be nice to have more available documentation on re-installing and/or resetting SELinux on a system.  I can't use any of the normal tools to manage SELinux, as it only prints out errors like `libsepol.permission_copy_callback...`.  Attempting to relabel a filecontext, for example results in:

# semanage fcontext -a -t system_dbusd_var_lib_t /var/lib/dbus/machine-id libsepol.context_from_record: type radicale_port_t is not defined (No such file or directory). libsepol.context_from_record: could not create context structure (Invalid argument). libsepol.port_from_record: could not create port structure for range 5232:5232 (tcp) (Invalid argument). libsepol.sepol_port_modify: could not load port range 5232 - 5232 (tcp) (Invalid argument). libsemanage.dbase_policydb_mo…

Password Aging and Authentication in RHEL7

As I posted in a previous note, the password policy in RHEL 7, and most other linux distributions, is handled by the dynamically-configurable PAM (Pluggable Authentication Modules) system. However, there are a number of other tools implemented in securing the RHEL system. One such tool is the shadow password suite. The shadow suite creates an additional layer of abstraction for the system's login passwords, by removing the account passwords from the /etc/passwd file to a separate file /etc/shadow;while maintaining the unobstructed use of the rest of the accounts system. The Linux Documentation Project explains it: the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called ``/etc/shadow'', contains encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.
According t…

Password Policy in RHEL 7

In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib.
The code was originally based on pam_cracklib module, and the module is backwards compatible with its options.

The pam_pwquality module can be customized and configured in the file /etc/security/pwquality.conf. The possible options in the file are: difok Number of characters in the new password that must not be present in the old password. (default 5)

minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9)

dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. (default 1)

ucredit T…

fail2ban configuration in Fedora/RHEL

The configuration files in Fedora20 for fail2ban are located in the /etc directory under /etc/fail2ban/
with further sub-directories for actions, filters and jails.drwxr-xr-x.2 root 4.0K May 162014 action.d drwxr-xr-x.2 root 4.0K Mar 192014 fail2ban.d drwxr-xr-x.2 root 4.0K May 162014 filter.d drwxr-xr-x.2 root 4.0K Mar 192014 jail.d -rw-r--r--.1 root 2.1K Mar 142014 fail2ban.conf -rw-r--r--.1 root 33 Dec 1000:16 fail2ban.local-rw-r--r--.1 root 14K Dec 1001:06 jail.conf -rw-r--r--.1 root 16K Dec 1000:54 jail.conf.rpmnew -rw-r--r--.1 root 805 Dec 1007:48 jail.local-rw-r--r--.1 root 1.5K Mar 142014 paths-common.conf -rw-r--r--.1 root 606 Mar 142014 paths-debian.conf -rw-r--r--.1 root 649 Mar 142014 paths-fedora.conf -rw-r--r--.1 root 1.2K Mar 142014 paths-freebsd.conf -rw-r--r--.1 root 290 Mar 142014 paths-osx.confNOTE: In order to preserve your edits and customizations you should create separate *.local files, as the normal *.conf files (may) get overwritten during an upgrade.…