Posts

Showing posts with the label lpic-3-security

Understanding Kerberos

Kerberos is a network authentication protocol developed at MIT. It provides secure, mutual authentication between a client and a service over an insecure network. Kerberos normally uses symmetric-key cryptography, although it can also use asymmetric cryptography. A free implementation is available from MIT; the most recent release is krb5-1.19.3 (as of 14 Mar 2022). Kerberos is also built into many operating systems, such as Microsoft Windows, RHEL, HP-UX and others.

Terminology

Principal - a unique identity, made up of a name and a realm and written as username@REALM.NAME
Realm - a logical group of resources and identities within Kerberos; also called a domain, and typically named after the DNS domain (in upper case)
Ticket - an encrypted data block used for authentication; a ticket carries the client's identity and a session key and is encrypted with the long-term key of the service it is issued for, so the client cannot read or forge it
KDC - Key Distribution Center, the trusted third party that issues tickets to principals
TGT - Ticket Granting Ticket, a ticket that allows the client to obtain additional ti...
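To make the terminology concrete, here is an added, stdlib-only toy of the three Kerberos exchanges (AS, TGS and AP). It is illustration code written for this page, not part of the original post or of MIT krb5: the realm EXAMPLE.COM, the principals and passwords are assumed, and seal/unseal is a throwaway HMAC-based stand-in for a real Kerberos enctype, there only so the tickets are opaque to whoever lacks the key. What it shows is the structure the definitions above describe: the client never sees the inside of a ticket, the KDC keeps no session state, and the AP-REP gives the client mutual authentication.

```python
import hashlib, hmac, json, os, time
REALM = "EXAMPLE.COM"        # assumed realm for this toy
TICKET_LIFETIME = 8 * 3600   # seconds
CLOCK_SKEW = 300             # Kerberos tolerates 5 minutes of clock skew by default

def kdf(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()   # toy string-to-key; real Kerberos salts with the principal

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos enctype (illustration only)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _verify(ticket: dict, authenticator: bytes):
    """TGS and application server share this: unexpired ticket, fresh authenticator under its session key."""
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    skey = bytes.fromhex(ticket["skey"])
    auth = unseal(skey, authenticator)
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return skey, auth

class KDC:
    def __init__(self, principals: dict):
        self.db = principals                                   # principal -> long-term key
        self.tgs_key = principals[f"krbtgt/{REALM}@{REALM}"]

    def as_exchange(self, client: str):
        """AS-REQ -> AS-REP: TGT sealed for the TGS, session key sealed under the client's key."""
        exp, skey = time.time() + TICKET_LIFETIME, os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "skey": skey, "exp": exp})
        return tgt, seal(self.db[client], {"skey": skey, "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ -> TGS-REP: service ticket sealed under the service's key; the KDC keeps no session state."""
        t = unseal(self.tgs_key, tgt)
        tgt_skey, _ = _verify(t, authenticator)
        skey = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "skey": skey, "exp": t["exp"]})
        return ticket, seal(tgt_skey, {"service": service, "skey": skey, "exp": t["exp"]})

class Service:
    def __init__(self, principal: str, key: bytes):
        self.principal, self.key = principal, key              # on a real host: the keytab entry

    def accept(self, ticket: bytes, authenticator: bytes):
        """AP-REQ -> AP-REP: the reply proves we could open the ticket, i.e. we hold the service key."""
        t = unseal(self.key, ticket)
        skey, auth = _verify(t, authenticator)
        return t["client"], seal(skey, {"ts": auth["ts"]})

class Client:
    def __init__(self, principal: str, password: str):
        self.principal, self.key = principal, kdf(password)

    def kinit(self, kdc: KDC):
        self.tgt, enc = kdc.as_exchange(self.principal)
        self.tgt_skey = bytes.fromhex(unseal(self.key, enc)["skey"])  # wrong password -> ValueError

    def service_ticket(self, kdc: KDC, service: str):
        auth = seal(self.tgt_skey, {"client": self.principal, "ts": time.time()})
        ticket, enc = kdc.tgs_exchange(self.tgt, auth, service)
        return ticket, bytes.fromhex(unseal(self.tgt_skey, enc)["skey"])

    def ap_exchange(self, svc: Service, ticket: bytes, skey: bytes) -> str:
        ts = time.time()
        who, ap_rep = svc.accept(ticket, seal(skey, {"client": self.principal, "ts": ts}))
        if unseal(skey, ap_rep)["ts"] != ts:                   # mutual authentication check
            raise ValueError("mutual authentication failed")
        return who

def demo(password: str = "correct horse battery") -> str:
    # assumed principals and secrets; returns the client name the service authenticated
    db = {"alice@EXAMPLE.COM": kdf("correct horse battery"),
          f"krbtgt/{REALM}@{REALM}": kdf("kdc master secret"),
          "host/srv.example.com@EXAMPLE.COM": kdf("keytab secret")}
    kdc, alice = KDC(db), Client("alice@EXAMPLE.COM", password)
    svc = Service("host/srv.example.com@EXAMPLE.COM", db["host/srv.example.com@EXAMPLE.COM"])
    alice.kinit(kdc)
    ticket, skey = alice.service_ticket(kdc, svc.principal)
    return alice.ap_exchange(svc, ticket, skey)

def login_succeeds(password: str) -> bool:
    try:
        return demo(password) == "alice@EXAMPLE.COM"
    except ValueError:
        return False
```

Two things worth noticing. A wrong password fails only at the client, when it cannot open the AS-REP: like a KDC without pre-authentication, the toy hands out the encrypted reply first, so anyone can request it and crack the password offline, which is exactly why real KDCs require pre-authentication (an encrypted timestamp) before issuing an AS-REP. And nothing here stops the same authenticator from being replayed within the skew window; real servers keep a short replay cache for that.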

Linux: auditd fundamentals

auditd is the Linux audit daemon; it logs security-relevant events happening on a Linux host. It is a very powerful tool that can drive threat detection and, as the name suggests, produce audit records. It writes to /var/log/audit/audit.log and records, among other things, a timestamp, PID, UID, the audit UID (auid, the identity of the user who originally logged in, which survives su and sudo), session information (ses), the SELinux context (subj) and the message (msg).

Installation

auditd is installed by default on most Linux distributions. In my case I am using RHEL 8 for testing. The package is called audit.

Rules

auditd is rule-based and supports the following three types of rules:

control: configure general settings of the audit system, such as the event rate limit.
file: file rules, or watches, monitor files or directories and use the following syntax:
-w path-to-file -p permissions -k keyname
syscall: these rules are loaded into the matching engine that intercepts every single syscall on the system and for this reason they ...
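Reading audit.log by eye is painful because one event is spread over several records (SYSCALL, CWD, PATH, PROCTITLE) that share the same serial in msg=audit(timestamp:serial). The added example below is not from the original post; it is a small parser and detection routine written for this page. The log lines are constructed to look like what a watch of the form shown above, here assumed to be -w /etc/shadow -p rwa -k shadow-access, would produce when a logged-in user reads /etc/shadow via sudo, plus one unrelated event. The key=value format, the hex-encoded proctitle and the auid/ses value 4294967295 for processes without a login session are the real audit.log conventions.

```python
import re
from collections import defaultdict

# Constructed sample: serial 4567 is "cat /etc/shadow" run as root by the user whose login uid
# is 1000 (i.e. via sudo/su); serial 4570 is crond reading /etc/crontab, caught by another watch.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1647251234.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d4c0d3b2a0 a2=0 a3=0 items=1 ppid=5600 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-access"
type=CWD msg=audit(1647251234.123:4567): cwd="/root"
type=PATH msg=audit(1647251234.123:4567): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1647251234.123:4567): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1647251301.456:4570): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1c0a3e10 a2=0 a3=0 items=1 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="cron-config"
type=PATH msg=audit(1647251301.456:4570): item=0 name="/etc/crontab" inode=2222 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_cron_spool_t:s0 nametype=NORMAL
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HDR = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
UNSET = 4294967295   # auid/ses of processes that never went through a login (daemons, boot-time)

def parse_record(line: str):
    """One audit.log line -> dict of its fields, plus _ts and _serial from the msg header."""
    m = HDR.search(line)
    if not m:
        return None
    rec = {"_ts": float(m.group(1)), "_serial": int(m.group(2))}
    for k, v in KV.findall(line):
        if k == "msg":
            continue
        if k == "proctitle" and not v.startswith('"'):   # unquoted = hex, argv joined by NUL bytes
            v = bytes.fromhex(v).decode("utf-8", "replace").replace("\x00", " ")
        rec[k] = v.strip('"')
    return rec

def group_events(text: str) -> dict:
    """Records that share a serial belong to one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return dict(events)

def detect(text: str, watched_keys=("shadow-access",)) -> list:
    """One alert per event whose SYSCALL record carries a watched -k key."""
    alerts = []
    for serial, recs in sorted(group_events(text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") not in watched_keys:
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        alerts.append({
            "serial": serial, "key": sc["key"], "auid": auid, "uid": uid, "ses": sc.get("ses"),
            "comm": sc.get("comm"), "exe": sc.get("exe"), "success": sc.get("success") == "yes",
            "paths": [r["name"] for r in recs if r["type"] == "PATH" and "name" in r],
            "proctitle": next((r["proctitle"] for r in recs if r["type"] == "PROCTITLE"), None),
            # auid survives su/sudo, so a human auid acting as uid 0 is the interesting case
            "escalated": auid not in (0, UNSET) and uid == 0,
        })
    return alerts
```

The escalated flag is the whole reason auid exists: uid tells you the syscall ran as root, auid tells you which person logged in to do it, and joining on ses lets you pull every other record from that same login session.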

OS anomaly detection with AIDE

Advanced Intrusion Detection Environment (AIDE) is a Linux tool that detects changes in system state; it is classed as File Integrity Monitoring (FIM) software. AIDE builds a database describing the current contents and attributes of monitored files, which is later compared against the live system to detect any changes. Integrity checks use checksums; supported algorithms include sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool and a few more via optional integrations. The available rules and hashing algorithms are listed in /etc/aide.conf and in the man pages.

Installation

sudo yum -y install aide

In this case I am using Red Hat 8 and yum.

Set up monitoring

/var/log/secure$ p+u+g+n+S+acl+selinux+xattrs

Add this line to /etc/aide.conf to monitor changes to /var/log/secure. The S attribute checks for growing size, so normal log growth is tolerated but truncation is reported; no content hash is used because the file is expected to change.

Initialize database

sudo aide --init

Once this completes, move the new database into place as the AIDE master database.

mv /var/lib/aide/aide.db.new.gz /var/lib/...
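To show what the init/check cycle actually computes, here is an added minimal FIM written for this page (it is not AIDE's code and not from the original post). It uses AIDE's attribute letters for the rule strings (p, u, g, n, s, S, i, m, sha256), builds a database from a constructed temporary tree standing in for /etc and /var/log, then re-scans after a mix of normal activity and tampering. The file names, contents and the two rules are assumptions for the demo.

```python
import hashlib, os, stat, tempfile

DEFAULT_RULE = "p+u+g+n+s+sha256"   # perms, owner, group, link count, exact size, content hash
LOG_RULE = "p+u+g+n+S"              # S: size may grow but must never shrink (AIDE's "growing size")

def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _attributes(path: str, rule: str) -> dict:
    st = os.lstat(path)
    getters = {"p": lambda: stat.S_IMODE(st.st_mode), "u": lambda: st.st_uid, "g": lambda: st.st_gid,
               "n": lambda: st.st_nlink, "s": lambda: st.st_size, "S": lambda: st.st_size,
               "i": lambda: st.st_ino, "m": lambda: int(st.st_mtime), "sha256": lambda: _sha256(path)}
    return {a: getters[a]() for a in rule.split("+") if a in getters}

def snapshot(root: str, rules: dict) -> dict:
    """Build the database (aide --init): relative path -> attributes chosen by the matching rule."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                rel = os.path.relpath(path, root)
                db[rel] = _attributes(path, rules.get(rel, rules["*"]))
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Diff two databases (aide --check)."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        diff = {}
        for attr, before in baseline[rel].items():
            after = current[rel].get(attr)
            if attr == "S" and after is not None and after >= before:
                continue                       # a log growing is expected; only truncation is reported
            if after != before:
                diff[attr] = (before, after)
        if diff:
            report["changed"][rel] = diff
    return report

def demo() -> dict:
    """Constructed tree standing in for /etc and /var/log; returns the change report."""
    rules = {"secure": LOG_RULE, "messages": LOG_RULE, "*": DEFAULT_RULE}
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mode="w"):
            with open(os.path.join(root, name), mode) as f:
                f.write(data)
        write("secure", "Mar 14 10:00:01 host sshd[900]: Accepted publickey for alice\n")
        write("messages", "Mar 14 10:00:02 host kernel: audit: type=1305 audit_enabled=1\n" * 3)
        write("passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("sudoers", "root ALL=(ALL) ALL\n")
        os.chmod(os.path.join(root, "sudoers"), 0o440)
        write("old.key", "-----BEGIN PRIVATE KEY-----\n")
        baseline = snapshot(root, rules)                              # aide --init
        write("secure", "Mar 14 10:05:00 host sudo: alice : COMMAND=/bin/cat /etc/shadow\n", "a")  # normal growth
        write("messages", "")                                         # truncated: someone wiped the log
        write("passwd", "root:x:0:0:root:/root:/bin/bash\nbob:x:0:0::/root:/bin/bash\n")  # second uid-0 account
        os.chmod(os.path.join(root, "sudoers"), 0o644)                # now world-readable
        os.remove(os.path.join(root, "old.key"))
        write("rootkit.so", "\x7fELF")
        return compare(baseline, snapshot(root, rules))               # aide --check
```

The report only means something if the baseline is trustworthy: an attacker with root can edit files and then regenerate the database, so keep the database (and ideally the aide binary and config) read-only or on another host, and compare against that copy from a scheduled check.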

Study notes: Understanding DNSSEC

DNSSEC

Recently I have been researching materials covering DNSSEC, as it is an important subject for LPIC-3 Exam 303. DNSSEC was developed to address security issues of the DNS protocol, in particular to prevent DNS cache poisoning attacks. Below I post the DNSSEC description from the Internet Corporation for Assigned Names and Numbers (ICANN), which I found useful and included in my study notes.

"DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data. Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself ...

Encrypting data with eCryptfs

Encryption is probably the best way to secure sensitive data and protect your private files from unauthorized access. eCryptfs is a Linux tool for creating an encrypted directory (encrypting a user's home directory is also supported, see below). eCryptfs is a stacked filesystem: the encrypted files live in a lower directory, which is mounted onto a mount point where the files appear decrypted at runtime (the two paths may be the same directory, as in the example below).

This is also a topic for the LPIC-303 exam:

331.3 Encrypted File Systems: Use eCryptfs to encrypt file systems, including home directories and PAM integration

Installation

sudo apt-get install ecryptfs-utils

ecryptfs-utils package installation example (Ubuntu).

Creating an encrypted directory

sudo mount -t ecryptfs ~/private/ ~/private/

Using the mount command and selecting ecryptfs as the filesystem; mount then prompts interactively for the passphrase and cipher options.

Encrypting home directory

sudo ecryptfs-migrate-home -u test

Note: the user must be logged out during this operation. ...

Apache HTTPD with mod_ssl: Exploring configuration options

This is yet another blog post related to LPIC-3 Exam 303: Security. Knowing Apache configuration options is an important topic for security engineers. The Apache web server often serves web interfaces or acts as a reverse proxy (for example in front of Splunk or Kibana), and TLS configuration is an important step in protecting these interfaces from eavesdropping and man-in-the-middle attacks. Let's examine Apache web server configuration with mod_ssl.

TLS configuration

On RHEL-style systems the SSL/TLS configuration file is /etc/httpd/conf.d/ssl.conf. The SSLCertificateFile and SSLCertificateKeyFile mod_ssl directives point the server at its certificate and private key and are required to enable https:

SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"

Mutual TLS authentication

To enable client authentication with certificates we need the following three directives:

SSLVerifyClient: set to require, so the client has to present a valid certificate
SSLVerifyDepth: the ma...

OpenSSL: troubleshooting

Troubleshooting certificate issues is not an easy task. They can have various root causes: Common Name (CN) mismatch, use of a self-signed certificate, an expired certificate, an invalid certificate chain and many others. Fortunately, we have some commands to help!

Testing client connection

echo | openssl s_client -connect host:443 -state

In this example, echo supplies an empty line on stdin so that s_client terminates the connection after the handshake instead of waiting for input, and -state prints out the SSL session states.

echo | openssl s_client -connect host:443 -status

The -status switch sends a certificate status request to the server (OCSP stapling) and prints the stapled Online Certificate Status Protocol (OCSP) response, if any, so you can check the revocation status of the certificate; if the server does not staple, the output says "OCSP response: no response sent", which tells you nothing about revocation.

"With OCSP, a relying party is able to submit a certificate status request to an OCSP responder, such as a Certification Authority (CA). This returns an authentic, digitally signed response indicating the certificate status." - Entrust

More on OCSP: https://www.entrust.com/knowledgebase/ssl/online-certificate-stat...

OpenSSL: demystifying command line parameters

Creating a certificate with openssl is a task that most IT admins will face sooner or later. SSL/TLS is often used to secure communications between a browser and a web server, but that is not the only use case. Certificates can be used by log management/SIEM engineers to protect data in transit by establishing secure links between system components (note: mutual TLS authentication is also desirable in this scenario, so that each component authenticates its peer rather than only the server). Example: Secure communication with Logstash. Lastly, understanding openssl is an important topic for the LPIC-303 exam (and the primary reason that encouraged me to write this post, to be honest).

Creating a private key

openssl genrsa -des3 -out priv.key 2048

genrsa - generate an RSA private key
-des3 - encrypt the key with the 3DES cipher; a passphrase is required (3DES is a legacy cipher, so prefer -aes256 for new keys)
-out <filename> - write the key to the specified file
[numbits] 2048 - the size of the pr...