Re: Linux Journal May 2011 issue is out with "Security Monitoring and Enforcement with Cfengine 3"
Aleksey Tsalolikhin wrote:
> I'm super-pleased to report the Linux Journal May issue is now out, with Aleksey's "Security Monitoring and Enforcement with Cfengine 3" article:
> http://www.linuxjournal.com/on-newsstands
>
> Thanks to Mark for encouraging me to write and to Diego for the sshd-related code.
>
> Best,
> -at

Aleksey, that's outstanding! I can't wait to read it.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
Re: Cfengine Help: How to setup protected server as its own policyhost?
no-re...@cfengine.com wrote:
> Forum: Cfengine Help
> Subject: How to setup protected server as its own policyhost?
> Author: sdodier
> Link to topic: https://cfengine.com/forum/read.php?3,21883,21883#msg-21883
>
> Hello,
>
> I have an out of the ordinary request, and I wanted to see if anyone else is doing a similar setup.
>
> I have a server that is locked down due to its functionality as a log server. It currently has cfengine2 running on it. I have upgraded the rest of our environment to cfengine3, and am now working on the log server.
>
> I have basically made the log server a standalone cfengine installation. It serves as its own policyhost with its own mastercfengine repository. When trying to run cfengine on it, it tells me it can't connect to the 5308 port on the local server. This is because I don't have cf-serverd running and don't want to open any additional ports on the log server.
>
> My current installation of cfengine2 is set up the same way, in that it does not have cfservd running with an associated port. Yet, cfengine2 knows that the policyhost is itself, and will just use the local directory structure to get what it needs.
>
> Is there any way to tell cfengine3 not to use a port and to just connect to the localhost directories for what it needs?
>
> Thanks in advance,
> Steve

Sorry, I can't answer your question, but what about just connecting to 127.0.0.1? Or do you not want to allow even connections on the loopback?
Re: Security Tools and Root Access
Aleksey Tsalolikhin wrote:
> On Fri, Aug 12, 2011 at 5:47 PM, Tom Tucker wrote:
>>
>> 1) Are you aware of a wrapper, unique shell or similar tool that could
>> provide root level access at a read only level?
>
> There is no such thing in UNIX. If you have super-user privs, you can write.
>
>> 2) Any recommendations on an open source or commercial enterprise level file
>> integrity checker similar to Tripwire?
>
> Cfengine has file integrity checking functionality.
>
> Best,
> -at

You could use ACLs to provide read access to things. I'm really not sure what, if any, oddities might occur; it doesn't sound like a good idea. But you could recursively add read permission to an ACL for a specific user.
Re: Security Tools and Root Access
"Daniel V. Klein" wrote:
> On Aug 13, 2011, at 9:38 AM, Diego Zamboni wrote:
>> Hi Tom,
>>
>>> 1) Are you aware of a wrapper, unique shell or similar tool that could
>>> provide root level access at a read only level?
>>
>> What comes to mind is to put the read-only functionality you want in a
>> specific program, and then give sudo access to certain people *only* to that
>> program. As long as (a big assumption!) that program only does what it's
>> meant to, and doesn't have any ways of breaking out into a shell, those people
>> should only be able to have root powers as far as the functionality of the
>> program allows them.
>
> Can you say "sudo"?
>
> -Dan

I think Diego is just pointing out that even though you can restrict which users can elevate permissions for specific binaries, you can't control what that program does with those elevated privileges. If a program runs as root it can do what it likes. Consider what happens if the program provides a way to shell out and execute arbitrary commands itself.
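A sudoers fragment that applies the restriction Diego describes, together with the one knob sudo offers against the shell-out problem the replies raise. This is an added example, not code from the thread; the group name "auditors" and the helper path /usr/local/sbin/ro-inspect are assumptions for illustration.

```sudoers
# Added example (not from the thread). Names and paths are assumptions.
# Only the "auditors" group may run exactly one helper as root, with no
# arguments (the trailing "" forbids any), and with sudo's noexec wrapper
# so the helper cannot exec() a shell or another program.

Cmnd_Alias READONLY = /usr/local/sbin/ro-inspect ""

# Record the helper's terminal output for later review.
Defaults!READONLY log_output

%auditors ALL = (root) NOEXEC: READONLY
```

Check the file with `visudo -c` before relying on it. Two caveats a reviewer would want on record: `NOEXEC` works by preloading a library into dynamically linked programs, so it does not constrain a statically linked helper or one that never goes through the dynamic loader, and nothing in sudo stops the helper itself from writing as root if it has that code path. That is the point made above: the rule fixes which binary runs, not what the binary does. For plain read access to files, the filesystem ACL route from the earlier reply avoids granting root at all.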
Re: CFEngine Help: Random connection reset by peer and other messages
no-re...@cfengine.com wrote:
> Forum: CFEngine Help
> Subject: Random connection reset by peer and other messages
> Author: wchung
> Link to topic: https://cfengine.com/forum/read.php?3,23151,23151#msg-23151
>
> Every so often I get emails like this:
>
>   Protocol transaction broken off (1)
>   !!! System reports error for recv: "Connection reset by peer"
>
> Even more randomly and less frequently I get something like:
>
>   Page 1: item 0 of unrecognizable type
>   Page 1: gap between items at offset 12340
>   Page 1: item order check unsafe: skipping
>   /var/cfengine/state/cf_lock.db: DB_VERIFY_BAD: Database verification failed
>   BDB_VerifyDB: database /var/cfengine/state/cf_lock.db is corrupted: DB_VERIFY_BAD: Database verification failed
>
> I haven't been able to determine if it's a system or network problem and was wondering if anyone else has the same messages. I have about 40 hosts now that check in to 1 server (splaytime is 4 min, the server is a VM, and I have max connections set at 100 FWIW) so I don't think it's a resource limit.
>
> I'm using CFE community edition 3.1.5 on a variety of boxes: FreeBSD 7.x, OpenBSD, Ubuntu 9/10, RHEL/CentOS 4/5/6.
>
> Any thoughts?
>
> Thanks

That looks like the Berkeley DB corruption fix bug. The fix made things worse. I don't recall when the bug was introduced, but I think it's corrected in svn.