Recent blog entries for jfs

Working on Tiger

After a week on vacation I've managed to squash quite a number of bugs in Tiger, put up a webpage (www.tigersecurity.org) and send out a new release candidate (for version 3.2).

And then after more testing I sent two more release candidates, so it's slowly moving towards the definitive release which will be, I hope, more bug free. Once done I might need to focus on documentation (as requested on the mailing list) and on merging parts of the TARA codebase (they have developed more checks and also fixed bugs in their latest 3.0.3 release). I would like to write new checks (better integration with tripwire, crack, integrit, and other tools) but I will have to try to refrain from adding new features until I have fixed Tiger for good.

Once that's done I believe Tiger could be a powerful tool that other free software Linux/*BSD distributions could include. Currently there are a myriad of security tools to do local security checks: Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck. Steve Kemp, after a proposal I made on the debian-devel mailing list, reviewed some of these tools. I'm not sure if Tiger could replace all of these scripts, providing a common framework.

In any case I've been looking deeper into OVAL and provided a Debian schema on the mailing list (for some reason the archives seem to show only mails from a few people?). A free OVAL query interpreter for UNIX would be very nice. However I'll have to hack it myself since there seem to be few active people at OVAL besides the Microsoft people. And the only available interpreter is Windows-only and provided with a non-free license (even if the FAQ says free to use), ouch!

As usual, it's been quite a while since I wrote anything. Too much work. However I did want to note one thing in the diary which I'm proud of (finally) doing: Debian Security Crossreferences. It might seem kind of simple, but, believe me, it's not that easy. One of the things that sparked it was a diary entry from Mark Cox. Now I can say: "Boo! Debian has a full crossreference mapping of security references for not one, but three different security sources" :-)

The enabler of this crossreference mapping is really the work I did on the wml security templates for the Debian web server way back in January, which have been used extensively in DSAs since then.

Anyway, it's funny that no distribution/vendor (either free software or proprietary) has this kind of information up on their security-related webpages. It's kind of hard to do security research without this. Fortunately, stuff like OSVDB will help make this type of work easier (or at least cheaper than paying SecurityFocus to provide you with a copy of the Bugtraq database).

Oh, and hopefully Mitre will update their mapping soon, since it is not entirely correct.

I have been working with Tiger quite a bit recently, testing it on Solaris and cleaning up a lot of stuff that was broken (but didn't look like it was when running under my Debian GNU/Linux system).

I expect to make a new 3.0.1 release soon. I want to finish, first, my submission for Honeynet's August scan of the month. I did not submit anything to the Reverse Challenge (too tough) but did so for the previous scan of the month (21, here is my submission). Let's see if this time I get to be in the "top three" :) It sure is taking me quite some time but it's fun time after all.

Once I'm done with Tiger I will start working on Bastille. A soon-to-become Debian Developer has asked to package psad, so probably I will get to fix Bug #150614 sooner than I thought. I still have to properly test the new Bastille 2.0 scripts so that Debian GNU/Linux can be officially supported in the next releases (maybe in 2.1 if we follow the roadmap).

I know, I should have finished testing Bastille 2.0 by now but I haven't got around to doing it; Real Life (tm) has gotten in the way, as well as the lack of a permanent Internet connection at home. In any case, working without a connection has helped me get focused and update the "Securing Debian Manual". It seems that I do not focus enough when I have a web browser open :(

Another wild thought: why is certification so expensive? I've been looking at SANS's GIAC and it is just way too expensive. Even the "only certification attempt" seems too expensive (especially if I have to pay for it myself).

Anyway, another wild thought: I've recently set up a Wishlist basket at Amazon :) Not that I expect anyone to check it out, but... just in case....

Funny, I just read mjcox's entry after writing mine and found out that he's working on trying to have a full CVE mapping of RedHat's advisories.

Just recently, on the debian-security mailing list Phillip Hofmeister asked if there was some way to retrieve stats easily regarding security. Well, it's not easy IMHO, but I did so (manually) for Debian some time ago (in December last year) and answered this same question in a section of the Securing Debian Manual.

However, I have recently automated the way DSAs get published on the web (here) and there are automatic ways to link DSAs to many security databases. (It's all in the web source code at the security template, see a DSA sample here). It should be pretty easy to automate references now (but they have to be kept up to date).

We do need, in any case, a common database format that could be used to link many security databases like Bugtraq, CERT, CVE, ICAT. That's one of my pet projects, I will try to have an automated tool working....
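The crossreference mapping described above (DSA references linked to CVE, Bugtraq and CERT identifiers, plus a check of where a third party's mapping disagrees with ours) as an added example; this is not code from the Debian web templates or from the page's author. The advisory ids, reference ids and the `REF_PATTERNS` regexes are constructed for the example, and the advisory text is assumed to be a plain reference line rather than the real wml template.

```python
"""Cross-reference security references (CVE, Bugtraq, CERT) across advisories.

Added example; the advisory records and identifiers below are constructed
samples, not real DSAs or real CVE/BID/CERT entries.
"""
import re
from collections import defaultdict

# One regex per reference source; every advisory text is scanned for all of them.
# The id shapes follow the public formats (CVE-YYYY-NNNN, BID-N, CA-YYYY-NN).
REF_PATTERNS = {
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "BID": re.compile(r"\bBID-\d+\b"),
    "CERT": re.compile(r"\bCA-\d{4}-\d{2}\b"),
}

# Constructed sample: advisory id -> the reference line of that advisory.
SAMPLE_ADVISORIES = {
    "DSA-EXAMPLE-1": "CVE-9999-0001 BID-90001",
    "DSA-EXAMPLE-2": "CVE-9999-0002 CVE-9999-0003 CA-9999-01",
    "DSA-EXAMPLE-3": "BID-90003",       # no CVE assigned yet: a mapping gap
    "DSA-EXAMPLE-4": "CVE-9999-0001",   # same CVE as the first advisory
}


def extract_refs(text):
    """Return {source: sorted list of ids} found in one advisory's text."""
    return {src: sorted(set(pat.findall(text))) for src, pat in REF_PATTERNS.items()}


def build_crossref(advisories):
    """Return (forward, reverse).

    forward: advisory id -> {source: [ids]}
    reverse: external id -> sorted list of advisory ids that reference it
    """
    forward = {}
    reverse = defaultdict(set)
    for adv_id, text in advisories.items():
        refs = extract_refs(text)
        forward[adv_id] = refs
        for ids in refs.values():
            for ref in ids:
                reverse[ref].add(adv_id)
    return forward, {ref: sorted(advs) for ref, advs in reverse.items()}


def missing(forward, source):
    """Advisories that carry no reference from the given source."""
    return sorted(adv for adv, refs in forward.items() if not refs[source])


def compare_with(reverse, external):
    """Compare our id -> advisories mapping with a third party's.

    external: {external id: [advisory ids]} as published elsewhere.
    Returns only the ids where the two mappings disagree.
    """
    diffs = {}
    for ref, advs in external.items():
        ours = reverse.get(ref, [])
        theirs = sorted(advs)
        if ours != theirs:
            diffs[ref] = {"ours": ours, "theirs": theirs}
    return diffs


if __name__ == "__main__":
    fwd, rev = build_crossref(SAMPLE_ADVISORIES)
    for ref, advs in sorted(rev.items()):
        print(f"{ref}: {', '.join(advs)}")
    print("advisories without a CVE:", missing(fwd, "CVE"))
    # Constructed third-party mapping that misses one of our advisories.
    other = {"CVE-9999-0001": ["DSA-EXAMPLE-1"], "CVE-9999-0002": ["DSA-EXAMPLE-2"]}
    print("disagreements:", compare_with(rev, other))
```

The reverse index is what a "which DSA fixes CVE X" lookup needs, `missing` lists the advisories still waiting for an id from a given source, and `compare_with` is the check that exposes a mapping like Mitre's being out of step with the distribution's own data.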

30 Jul 2002 (updated 30 Jul 2002 at 13:27 UTC) »

Not too much to say, but I haven't written for a long time. Guess what, I got married June 29th (no online pictures currently, move along...). It has brought a lot of changes, but all for good (YMMV).

I did three interesting things in the same month: getting married, ascending, and submitting an entry to the Honeynet challenge (after all the work I didn't win though :( )

OTOH, I will hopefully get Internet access at home soon, and probably would be able to fix the huge number of bugs I currently have open (help is appreciated :)

I do have, however, an almost finished 3.0.1 release of Tiger which should fix a lot of Solaris issues (hopefully cleaning the code and making it easier to port and spot issues too). One of the reasons I'm testing it on a non-free platform is to check out how easy it would be to port to other platforms (and hopefully document it soon). I promised the guys at LinuxSecurity an article about Tiger (which will hopefully also draw some attention to the new developments I included). I have only a draft written but I expect to have it finished by the end of the month...

If time permits I should also test the latest pre-release of Bastille (pre BETA 2.0) in Debian, but I haven't set up a proper environment to work in (and not mess up my environment). I'm looking at bochs and plex86 to do it (instead of using vmware). I learnt about (and tested) them while writing an article (in Spanish, not yet online, sorry) featuring emulators for Linux.

Been quite busy lately, hopefully, I am now back at the office after finishing an installation of a high availability active-active firewall cluster, along with DNS, LDAP services and load balancing. A cool project overall, although I loathe Solaris 2.6; Solaris 8 has cool things, but not for the power user.

Fortunately for free software :) they asked me to install two load balanced RADIUS servers with Linux. After studying different possibilities, since the main problem is that it needs to be LDAP-enabled, I have found FreeRADIUS, based on Livingston's RADIUS but with many more capabilities.

I am currently trying to get a nice Debian package built that would make installation easier, since they are going now to beta stage; I have also offered them Debian's BTS. I intend to have them ready so that when they go beta (or even now, in alpha stage) Debian packages will be provided. So, I've cleaned up the (old) Debian subdirs which were related to Cistron's RADIUS... I'm very excited about this. This will be the first project in SGI that will allow me to put two hardened Debian GNU/Linux servers offering RADIUS and DNS services in an installation for a client (as a matter of fact my first installation!)

Anyhow, I have investigated the HA options in Linux and I found the Linux-HA project; Legato Cluster (the tool I used) is also ported to Linux, but not having VRRP brings out a lot of problems.

I will try to write an article (in Spanish) on HA soon, if I find a magazine that can publish it without having any problem with me also publishing it on the Internet, in magazines like OpenResources and with a free license.

Working on LDAP for two days, the first day waiting for a guy from Intel to do a demonstration of Shiva (not worth giving a URL, even if simple, since they just have a Solaris and NT version) Access Manager. I was quite fired up, because

  1. the guy was not prepared for the questions regarding LDAP integration we were going to ask him, although we sent them a week in advance. Moreover, it took me thirty minutes to see how to make it work and he was not even able to find it in the help
  2. The versions are supposed to provide the same stuff but there is no documentation in the Solaris version, whereas the NT Console comes with many help files. I do not say that they have to port the Administration GUI (even if it would not be difficult) but for heaven's sake, give me the documentation to configure it by myself (i.e. without the GUI).

I was quite disappointed with commercial support.

Today I've been working with Netscape's LDAP, trying to build a new schema. I did not find a lot of documentation, until I looked at iPlanet instead of NDS. The point is, I do not want to use the Java console for administration... just vi :)

I've had time to make a new package, or rather, adopt it. It seems that sac had not been updated in Debian, and I read in the wnpp that it was orphaned, so I took the latest version, updated it and sent it to the University's server in order to upload it to master today...

I've been to a Newlink group of conferences and product presentations... nice to see that many are going to the appliances market (easy to install, configure, hardware boxes) and that some of them work with Linux. Even though the guy said it ran on Linux 2.0 and didn't know what to answer when I asked: is it based on any distribution or is it home-brewed? (BTW, it was Watchguard's Firebox.. small and red).

Nice to see too that Checkpoint has more throughput on Linux even if the guy from Nokia insisted that it was better with their own proprietary OS. They put Linux (Redhat 6.1) last in the table, Nokia first, NT and Sun in between, but Linux gave the best throughput of the lot. Anyway, I don't like comparisons that are done on different OSes and different hardware.

The technical guy from Aladdin, when talking about eToken (using bus cards for authentication) said they had developed PAMs for Linux and Solaris, as well as 2000, NT et al... although on their web page there is no mention of Linux systems... oh well.. I am checking which projects there are for USB cards, it seems that linux-usb.org might be worth checking as well as linuxnet.com.

And after doing it I've found here that Aladdin's eToken is not supported (yet). I might be thinking of downloading the SDK and doing it myself but there's already someone working on one.. so we'll see...

Another day at work.... I have for the moment been able to post a new notice in barrapunto (Spanish version of slashdot) regarding Microsoft's latest and worst client vulnerability. If someone told you that NetBIOS and SMB were secure, you will think twice after reading Bugtraq and the Network Security Focus announcement. I tackled smbclient's sources, but was unable to properly code an exploit; alas, the NSFocus team posted an exploit last Monday (which worked perfectly BTW).

I find it fun that I can work with Debian GNU/Linux 100% of the time and contribute with bug reports (for example xfig's strange, but at the same time understandable, behavior with WMaker, description here) and make new packages. I have just submitted to the upload queue:

  • libexpect-perl_1.08-1_all.deb
  • libio-stty-perl_0.02-1_all.deb
  • libio-tty-perl_0.04-1_i386.deb
  • libnet-snmp-perl_3.6-1_all.deb

Taken from CPAN, which I needed in order to make Vlad work. BTW there are a lot of CPAN packages, someone should try to check automatically which are not yet packaged in Debian.

I'm seriously thinking of joining Debian's security team, since I keep track of Bugtraq now (spend at least 1h a day reading advisories), they are overloaded, and I find it fun to play with the source in order to find a reasonable exploit... Another good thing about my work is that you need to learn a lot (I read yesterday an article on buffer overflows, written by mixter, boy was it good!)

I'm doing research within a project in order to define and develop access to an LDAP database. Didn't know much about LDAP up to last Friday :)

I'm impressed, however, by how easy to install OpenLDAP is vs. other commercial directories (Netscape's Directory Server) on Linux. The latter seems to have an installer compiled against *old* libraries and I can only get it to "core dump"; the former is installed nicely using debconf :)

Also, there are a number of useful open source projects:

  • Of course OpenLDAP.
  • gq: VERY nice gtk LDAP client (tried it against OpenLDAP, Netscape's Directory Server and Sun's)
  • Frood: a Gtk+Perl interface using Mozilla's Libperl
  • libnet-ldap-perl: easy to use Perl modules, not to be confused with
  • Mozilla::LDAP, which is another implementation using Netscape's C SDK.

Well... back to coding in Perl to test LDAP features...
