Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
3 votes · 3 answers · 387 views
Is it redundant or useful to add a UFW rule to deny root when ssh already does?
I manage a Debian (Bookworm) host. The sshd config is set to disallow login as root. I've tested that one cannot login as root, as expected.
However, I see hundreds of login attempts daily as root in /var/log/auth.log. Even though I have what I think is adequate reason to believe they can't succeed, the constant brute-force attacks make me uneasy.
I am considering adding a ufw rule in /etc/ufw/before.rules to block any attempt to connect with ssh as root.
Is there any value in adding the proposed rule or something like it? Or would that be redundant and/or potentially cause problems?
Gojira
(133 rep)
Aug 5, 2025, 12:33 AM
• Last activity: Aug 5, 2025, 05:53 PM
6 votes · 1 answer · 361 views
About security concerns using in find -exec vs interactively performing the same task
My question is not aimed specifically at understanding `find`'s and its `-exec` option's security implications, but more generally at understanding why (if at all!) such programs are particularly exploitable with respect to an interactive approach to accomplish the same task.
For instance, [here's an example of a command that is described as risky](https://www.gnu.org/software/findutils/manual/html_node/find_html/Race-Conditions-with-_002dexec.html):
>     find /tmp -path /tmp/umsp/passwd -exec /bin/rm
>
> In this simple example, we are identifying just one file to be deleted and invoking `/bin/rm` to delete it. A problem exists because there is a time gap between the point where find decides that it needs to process the ‘`-exec`’ action and the point where the `/bin/rm` command actually issues the `unlink()` system call to delete the file from the filesystem. Within this time period, an attacker can rename the `/tmp/umsp` directory, replacing it with a symbolic link to `/etc`. There is no way for `/bin/rm` to determine that it is working on the same file that find had in mind. Once the symbolic link is in place, the attacker has persuaded find to cause the deletion of the `/etc/passwd` file, which is not the effect intended by the command which was actually invoked.
Now, first and foremost, I don't understand why the "time gap" is even necessary for the security issue to exist; I mean, _an attacker can rename the `/tmp/umsp` directory, replacing it with a symbolic link to `/etc`_ even before `find` runs at all, wouldn't the result be the same?
Secondly, since the intent of the command is to delete `/tmp/umsp/passwd`, I could have done `/bin/rm /tmp/umsp/passwd`. Wouldn't I incur the same risk of an attacker having performed the aforementioned substitution before I run this command, possibly right after I've `cat /tmp/umsp/passwd` to make sure it's the one I want to delete?
Enlico
(2258 rep)
Jul 25, 2025, 08:32 AM
• Last activity: Jul 25, 2025, 09:58 PM
0 votes · 1 answer · 2147 views
Firewalld: Error: Invalid_Zone
I got some error I can not solve while setting up a default zone in firewalld. I added the interface with `firewall-cmd --zone=public --change-interface=ens3` and then I saw the default public zone active.
So then I ran `firewall-cmd --reload` and got:
```
error: Command_failed: 'usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables): line 4: Rule_Replace faaled (no Such file or directory: rule in chain INPUT"
```
So ip6tables-restore is trying to do something upon restart of firewalld. Yet when I run `iptables -L` I get "bash: iptables: command not found".
`firewall-cmd --list-all` gives:
```
Error: Invalid_zone
```
But the zone showed moments ago...
mister mcdoogle
(505 rep)
Sep 5, 2021, 01:44 AM
• Last activity: Jul 25, 2025, 03:01 PM
1 vote · 1 answer · 55 views
What security risks arise from granting unprivileged users the ability to perform overlay mounts?
I'm writing a program to allow unprivileged users to mount overlay filesystems using a setuid binary. I've implemented a few safeguards to improve the program's security, but I'd like a more definitive checklist of potential security risks such a program might expose.
Here are the safeguards I've implemented so far:
- The program dissociates its mount namespace before performing any mounts, ensuring that other processes remain unaffected by the new mount. The program then runs a user-provided command inside that namespace.
- It verifies that every `lowerdir` is readable by the user. For sub-items within each `lowerdir`, I assume that POSIX ACLs will prevent unauthorized access.
- It ensures that the `upperdir` is both readable and writable by the user. Again, I rely on ACLs to enforce access restrictions on sub-items.
- It verifies that the `workdir` is writable. Since the `workdir` must be empty for OverlayFS to function, I consider the risk there to be minimal.
- It ensures that the mountpoint is writable by the user.
- The program resets the effective UID and GID to the real user’s IDs immediately after completing the mount operations.
These measures cover all the attacks I could foresee, but I suspect there may be additional risks I haven't accounted for. I would appreciate it if someone could point out any security issues before this goes into production.
B. Bergeron
(15 rep)
Jul 16, 2025, 09:00 PM
• Last activity: Jul 24, 2025, 12:18 AM
0 votes · 1 answer · 2085 views
Selinux php-fpm httpd and mariadb socket connection
*New note with important details*
I just ran a few version tests and resulted in the following:
Alright, here’s my latest update:
- 10.5 works
- 10.6 doesn’t
- 10.7 works
- 10.8 work
- etc.
I was hoping to use 10.6 since it is the LTS release…clearly there is something wrong with it though. I’m on the MariaDB slack channel at the moment, but for now I’ll revert to 10.5 from the MariaDB repo, since that has support for 2 years-ish. Am I missing something else? I didn't change anything but the MariaDB version and restarting the process.
*Edit note for reference*
Installing the EL Repo MariaDB 10.5 installs a package "mysql-selinux" and the default repo (epel-release?) allows the necessary communications and php-fpm can connect to mariadb fine. It seems like maybe the MariaDB repo package is missing this functionality. I would have installed the EL repo MariaDB on my AL 8.6 system, but removed it and went with the MariaDB repo for regular operation.
I found the source for "mysql-selinux" here and it's not trivial like my "fix":
https://github.com/devexp-db/mysql-selinux/blob/master/mysql.te
this package is NOT installed on my 8.6 system which works...
*****
I have a system running fine with SELinux enabled on AlmaLinux 8.6. I'm using stock AL 8.6 Apache/httpd (2.4.37 I think) and php from Remi's Repo:
https://rpms.remirepo.net/wizard/
I initially installed MariaDB 10.4 directly from the MariaDB repo using these instructions:
https://mariadb.com/resources/blog/how-to-install-mariadb-on-rhel8-centos8/
SELinux is enabled and I don't believe I made any customizations specifically for php-fpm to connect to the mysql.sock socket/process. I recently upgraded to MariaDB 10.6, again from the MariaDB repo, and everything continued working as it always did. For reference my "working" validation is using phpMyAdmin configured to connect through a local socket.
I've installed my AlmaLinux 9 VM with stock Apache/httpd (2.4.51 I think). I installed MariaDB 10.6 from the same repo with the same instructions. Now, I'm getting a denial from SELinux for php-fpm (running as httpd_t) trying to connect to the /var/lib/mysql/mysql.sock process (running as unconfined_service_t). This denial prevents the connection and subsequent login from phpMyAdmin (running under the php-fpm service):
```
time->Mon Sep 26 22:14:07 2022
type=PROCTITLE msg=audit(1664244847.002:83): proctitle=7068702D66706D3A20706F6F6C20777777
type=SYSCALL msg=audit(1664244847.002:83): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffc156c46b0 a2=1b a3=557032b785a0 items=0 ppid=706 pid=738 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/remi/php74/root/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1664244847.002:83): avc: denied { connectto } for pid=738 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
```
This ONLY shows up on my AL 9 install, AL 8.6 does not report this denial and allows the connection and subsequent login. I checked the file and process SELinux contexts and they are the same between 8.6 and 9. I've also tried different php-fpm versions, including the same between my 8.6 install and 9 (both php 7.4 from Remi). I've tried running the fpm pool under apache:apache and under my phpMyAdmin user with group apache.
Any advice on how to track this down? I can "fix" the SELinux denial with the following policy, but it allows httpd to connect to any unconfined process:
```
module phpfpm_mariadb_socket 1.0;

require {
    type httpd_t;
    type unconfined_service_t;
    class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t unconfined_service_t:unix_stream_socket connectto;
```
I see two obvious differences: Apache 2.4.37 vs 2.4.51 (and potential related SELinux policy changes which I couldn't track down) and EL 8.6 vs EL 9 SELinux core changes (both had "latest" available updates applied). I copied the phpMyAdmin install from my 8.6 system into my 9 system, under the same usernames with the same permissions. I don't think that the php-fpm user:group configuration is relevant to the process contexts, or is it?
Brian
(292 rep)
Sep 27, 2022, 11:42 AM
• Last activity: Jul 23, 2025, 05:03 PM
12 votes · 1 answer · 17859 views
What are the groups 'users' and 'other' for?
There is a proprietary document about system hardening/security standard stating that group `users`, `nogroup`, `other`, and some other groups should not contain any user except system administrators.
I've found an explanation about the `nogroup` group [here](https://unix.stackexchange.com/questions/22520/what-is-nogroup-groups-purpose).
What about the `users` and `other` groups, and what are they for?
Why should regular (non-administrator) users not be members of these groups?
The distro is RHEL (Red Hat Enterprise Linux).
fikr4n
(1001 rep)
Nov 29, 2016, 07:21 AM
• Last activity: Jul 22, 2025, 03:01 PM
5 votes · 1 answer · 232 views
Kerberos Protocol? Is this correct?
I'm reading *Kerberos: The Definitive Guide*, the original paper from *Xerox (Needham - Schroeder)*, the MIT site and Wikipedia. **I'm having some challenges putting the protocol together. Is this correct? Is there some other documentation on it?**
I tried to follow the Xerox article's "Protocol 1" closely as it seems to show the **protocol** in more detail. I omit the PKE case (pkinit) for now; that will be another post.
**Kerberos 5 : Needham - Schroeder Protocol**
A = *Client Principal* A, B = *Server Principal* B, AS = *Authentication Server*, I = *time*, A->B : {G, H, I} = *A sends message to B with contents {...}*. {B}^{KA} = *Key A encrypts {B}*. CK_AB = *conversations session key between A and B*.
Requesting a ticket to another service, start with TGS Ticket Granting Server.
Client Authentication to AS:
1. Initial request when client has no tickets or tickets are expired, B = "krbtgt/REALM@REALM" client principal (Ticket Granting Server TGS), use *kinit* sends to KDC.
2. **A -> AS : {A, B, I_a, I_max}** : AS_REQ
3. AS verifies that B principal exists and time stamp I is close to local time. Grants ticket or throws error In AS_RESP. Assume no error here.
4. Authentication server responds with timestamp I, B/TGS Principal, Session Key CK_AB for A and B, Ticket Granting Ticket (TGT) encrypted with KB_KTGS.
5. **AS -> A : {I_a, I_max, B, CK_AB, {CK_AB, A, I_a, I_max}^{KB}}^{KA}** : AS_REP
6. Ticket Granting Ticket TGT = **{CK_AB, A, I_a, I_max}^{KB}**, and **CK, I** can be stored in client's local *credential cache*. See below on caching protocol change.
7. Make request to Ticket Granting Server TGS using the *authenticator* {CK_AB, A, I_a, I_max}^{KB}.
8. **A->B : {CK_AB, A, I_a, I_max}^{KB}** : TGS_REQA
9. Now continue with *Reply Attack Prevention*.
This is as documented by *Xerox paper*:
10. **B->A : {I_b}^{CK_AB}** : TGS_REQB : Where B/TGS and I_b is the ticket lifetime
11. **A->B : {I_b - 1}^{CK_AB}** : TGS_REQB
This is as documented by *The Definitive Guide*:
10. **A->B : {1_b}^{CK_AB}** : TGS_REQB
11. **B->A : {1_b + 1}^{CK_AB}** : TGS_REQB
Client A Service Authorization request to TGS to access service from C:
12. **A->B: {A, C, I_a, {CK_AB, A, I_a, I_max}^{KB}}^CK_AB** : TGS_REQC
13. TGS/B creates new session key for A and C to communicate CK_AC is created and sent in reply.
14. **B->A: {CK_AC, I_c, {CK_AC, A, A_IP, I}^{KC}}^CK_AB** : TGS_REP
Client A Service Request to C:
15. Client has session key **{CK_AC, I_c, {CK_AC, A, I}^{KC}}^CK_AB**
16. Client sends Authenticator to Application Server
17. **A->C: {A, C, I_a, {CK_AC, A, I}^{KC}}^CK_AC** : AP_REQ
18. Server provides requested services to client. : AP_REP
Steps if CK is kept in client credential cache, reduces protocol steps to 3. Reduces compute on AS to generate {I_a, B, CK, {CK,A}^KB}^KA and client to decrypt and network traffic:
1. **A->B : {CK_AB, A}^KB, {I_A2}^CK_AB**
2. **B->A : {I_A2 - 1, I_B}^CK_AB**
3. **A->B : {I_B - 1}^CK_AB**
atod
(155 rep)
Jul 17, 2025, 01:18 AM
• Last activity: Jul 17, 2025, 04:08 PM
3 votes · 2 answers · 1912 views
Any better alternative to chroot on an OpenVZ VPS?
Are there any better alternatives to a chroot environment?
I'm thinking about running nginx on a jailed environment.
BTW, I'm on OpenVZ VPS, so modifying the Kernel is a no-no.
(I think that prevents me from installing SELinux, AppArmor, etc.)
user269334
(151 rep)
Feb 22, 2012, 06:44 AM
• Last activity: Jul 16, 2025, 07:04 PM
0 votes · 0 answers · 29 views
systemd sandbox - how to allow network access only to specific domain(s)?
It's trivial to limit _all_ network access via systemd service sandboxing. However, would it be possible to disallow all external network connections, _except_ for listed domains?
laur
(790 rep)
Jul 16, 2025, 01:41 PM
2 votes · 3 answers · 629 views
How to securely export a device (HDD)?
So I have a Scientific Linux 6.3 (RHEL clone so basically the question is Redhat related) machine called "B" (with an extra "A" HDD besides the system HDD) and a notebook with SL 6.3. They are in a /24 IPv4 subnet, and can fully reach each other.
**Q**: How can I export the "A" HDD device to the notebook, so that on the notebook I could see the "A" HDD as a device /HDD/ (and locally encrypt it using LUKS; I know this last encrypting part)?
The important thing is that I need the connection to be secured (SSL?) so that no one can intercept the data that I encrypt on the notebook. **OR**: is it already encrypted via LUKS? (and an SSL connection between the notebook and the "B" machine would be just an overhead?) Extra: I also need the "exporting of the device" to be routable over the network.
**ps.: so the main question is: is encrypted communication needed between the notebook and the "B" machine, or is ALL the data on the HDD already encrypted when leaving the notebook (even the LUKS pwd too??)**
gasko peter
(5634 rep)
Sep 17, 2012, 09:00 AM
• Last activity: Jul 13, 2025, 04:56 PM
1 vote · 0 answers · 24 views
How to create a custom SELinux file label with write access restricted to specific process types?
I want to restrict write access to certain files so that only specific process types (domains) can modify them. For this, I need to create a custom file label and assign it to those files.
Following [this answer](https://unix.stackexchange.com/a/329677/620385), I used:
```
type ;
files_type();
```
But `files_type()` seems to implicitly allow access to all process types.
If I skip `files_type()` and just declare:
```
type ;
```
then `semanage fcontext -a -t "/some/path"` fails with:
```
ValueError: Type is invalid, must be a file or device type
```
Question:
What is the correct way to declare a file label that:
- Can be assigned to paths via `semanage fcontext`.
- Doesn't allow access to any process types except those explicitly granted via allow rules?
muhammed noufal k
(11 rep)
Jul 10, 2025, 08:27 AM
1 vote · 2 answers · 3808 views
Are Arch Community Packages safe from virus or malwares?
I am new to the Linux ecosystem and have some confusion regarding the terminology that is being used. With that being said, my reason to switch to a Linux distro from Windows is because it provides a unified package manager from where I can download and install software, without needing to go on the web and find the necessary ones. The distro I am currently using is Ubuntu 20.04.2.0, which is good, but the packages they provide are kind of old and I would not be complaining if they had at least provided the LTS version of the software. So, I recently came across Arch and Manjaro, which are rolling release distros, and I am interested as they provide both the latest versions and LTS versions of the software. That is great. But I am a little worried because most of the software I use is in the Community Repo (Node JS, Dotnet Core and gh). And here is a quote from the Arch documentation:
> community contains packages that have been adopted by Trusted Users from the Arch User Repository. Some of these packages may eventually make the transition to the core or extra repositories as the developers consider them crucial to the distribution.
It says "Trusted Users" (respect for them) pick the packages from the AUR to the "Community Repo". From some online forums and articles, I learnt that it is a good practice to avoid using the AUR as it may cause unwanted things or even infect one's PC with viruses and malware. Once again, I am a noob in the Linux world and have absolutely no idea about Arch Linux and its derivatives. So, I wanted to know, is it safe to use packages from the Community Repo? Do the "Trusted Users" (maintainers of the Community Repo) check the validity and security of the AUR packages that transition to the Community Repo?
Mahfuzur Rahman
(11 rep)
Aug 8, 2021, 03:19 AM
• Last activity: Jul 7, 2025, 08:08 PM
1 vote · 1 answer · 255 views
How can I check if my laptop’s docking station is compromised or contains malware in Linux?
If I suspect that my docking station (USB-C/Thunderbolt) might be infected with malware or used as an attack vector, how can I check for the following in Linux?
1. Could the docking station emulate a keyboard/mouse or inject malicious data?
2. How can I monitor for suspicious activity?
3. What commands help detect anomalies?
What kind of security tools or commands are useful for this?
Roberto Dvilla
(306 rep)
Jun 30, 2025, 09:10 AM
• Last activity: Jun 30, 2025, 01:07 PM
0 votes · 1 answer · 2258 views
firewalld vs CSF on a Centos 7 VPS
I just got a new GoDaddy dedicated VPS and I am trying to secure it. It's CentOS 7.7 and the WHM does not come with any installed FW that I can tell. On an older VPS, `configServ security and firewall` was pre-installed (but not active) on CentOS 6.8 WHM. I tried getting it running once, ran into trouble and backed out never to touch it again.
But now I need to get a FW operational. Are both firewalld and csf just front ends to using iptables? Or are they completely different? Which is easier to use, which has a better GUI interface? Is the protection the same? Is there even a GUI for firewalld; if so, how do I access it, because I can't seem to find anything? It appears I have both firewalld and iptables installed (are iptables always installed?):
```
~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
```
For iptables I get this:
```
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission owner GID match mailman
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission owner GID match mail
ACCEPT     tcp  --  anywhere             localhost            multiport dports smtp,urd,submission owner UID match cpanel
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission owner UID match root

# systemctl status iptables
Unit iptables.service could not be found.
```
So...is iptables actually running...or not? Please help me make sense of all this.
rolinger
(175 rep)
Apr 29, 2020, 08:50 PM
• Last activity: Jun 27, 2025, 09:01 AM
0 votes · 1 answer · 1925 views
How to set selinux labels for a folder hierarchy accessed server side by NFS, Apache, and SaMBa daemons simultaneously?
The Mandatory Access Controls or MAC labels are different for NFS which are different for httpd, and different yet again for SaMBa. What is the proper way nowadays to label a SINGLE shared filesystem hierarchy on the server such that it is properly re-labelled by restorecon, can be accessed successfully server-side by all three services, and survives system updates?
In other words, when the server side fs hierarchy is labelled for sharing over NFS, then that breaks access by httpd and smb daemons on the same server. If labelled for httpd, then NFS and SMB services stop sharing because the files are labelled httpd only, so are denied rw. And finally, SMB Labels break both NFS and httpd services.
Is there a modern devops approach to this, such as an Ansible playlist? I had made custom labels before, but having to remake them after system updates caused too much friction. Wondering if custom labels are still the way, but now with automation?
rjt
(387 rep)
Jan 1, 2020, 08:33 PM
• Last activity: Jun 22, 2025, 03:02 AM
1 vote · 0 answers · 336 views
Login Security Setting Up A Caesar Cipher Captcha for SSH
I want to set up a captcha on SSH login that is a Caesar cipher that I came up with myself. I know there is pam-captcha and Google Authenticator for SSH login, but how would I set up something like a captcha on login that requires the user to know my Caesar cipher in order to log in?
The current captcha only prevents someone from brute forcing an SSH login. And Google Authenticator requires an extra device. This is why I was wondering how something like this can be done.
Patoshi パトシ
(1855 rep)
Nov 29, 2016, 06:55 PM
• Last activity: Jun 20, 2025, 07:58 PM
0 votes · 1 answer · 115 views
Effective Tools for Enhancing CentOS Server Security
I’m seeking practical recommendations and tools to improve the security of my Linux server (CentOS) and minimize unauthorized access. I’m interested in both fundamental and advanced solutions that can be easily integrated and configured.
Specifically, I need:
* Protection Against Unauthorized Access: What tools and practices are most effective for preventing hacking and intrusion into the server? This includes authentication methods (e.g., two-factor authentication) and tools for monitoring activity and detecting suspicious behavior.
What I’ve Tried:
I experimented with SELinux, but when attempting to set the strictest security level (“military level”), the server failed to boot after rebooting. I likely made a configuration error. I would appreciate detailed guidance on correctly configuring SELinux, or alternative approaches to kernel-level security hardening.
What Kind of Answers I’m Looking For:
* Recommendations for specific tools, including open-source alternatives.
* Detailed instructions on how to configure and use these tools.
* Example configurations for different security levels (from basic to advanced).
* Alternatives to SELinux for kernel-level security enhancement.
ScriptScorpion
(119 rep)
Jun 14, 2025, 03:09 PM
• Last activity: Jun 15, 2025, 07:26 AM
4 votes · 1 answer · 5883 views
Firefox Apparmor Profile
I'm running Ubuntu Mate 19.04. I want to enable apparmor for Firefox. I found an existing profile in /etc/apparmor.d/usr.bin.firefox, which I enabled by deleting /etc/apparmor.d/disable/usr.bin.firefox.
It is mostly working, but I've noticed one issue. I can't open my downloads from Firefox. I can't even "Open Containing Folder" on a download. Both ask me what application I want to use to perform the action.
Here are the errors I see from Firefox when I run it. The first 4 apparmor errors happen as soon as I launch Firefox. The last 3 "cannot launch" errors happen when I try and open downloads.
```
** (firefox:6062): WARNING **: 17:58:37.874: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.138" (uid=1000 pid=6062 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6127): WARNING **: 17:58:38.319: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.140" (uid=1000 pid=6127 comm="/usr/lib/firefox/firefox -contentproc -childID 1 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6184): WARNING **: 17:58:38.954: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.141" (uid=1000 pid=6184 comm="/usr/lib/firefox/firefox -contentproc -childID 2 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (/usr/lib/firefox/firefox:6253): WARNING **: 17:58:40.358: Unable to query dbus: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.142" (uid=1000 pid=6253 comm="/usr/lib/firefox/firefox -contentproc -childID 3 -" label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
** (firefox:6062): WARNING **: 17:58:51.217: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
** (firefox:6062): WARNING **: 17:58:51.227: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
** (firefox:6062): WARNING **: 17:58:54.538: Cannot launch default application: Failed to execute child process “/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop” (Permission denied)
```
Here is my full policy:
# vim:syntax=apparmor
# Author: Jamie Strandboge
# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox
#include
# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/arp r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/wireless r,
dbus (send)
bus=system
path=/org/freedesktop/NetworkManager
member=state,
dbus (receive)
bus=system
path=/org/freedesktop/NetworkManager,
# should maybe be in abstractions
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
/etc/xfce4/defaults.list r,
/usr/share/xubuntu/applications/defaults.list r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/*.desktop r,
owner /tmp/** m,
owner /var/tmp/** m,
owner /{,var/}run/shm/shmfd-* rw,
owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# let the shell know we launched something
dbus (send)
bus=session
interface=org.gtk.gio.DesktopAppInfo
member=Launched,
/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,
# firefox specific
/etc/firefox*/ r,
/etc/firefox*/** r,
/etc/xul-ext/** r,
/etc/xulrunner-2.0*/ r,
/etc/xulrunner-2.0*/** r,
/etc/gre.d/ r,
/etc/gre.d/* r,
# noisy
deny @{MOZ_LIBDIR}/** w,
deny /usr/lib/firefox-addons/** w,
deny /usr/lib/xulrunner-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny @{HOME}/.local/share/recently-used.xbel r,
# TODO: investigate
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts firefox and firefox.sh is used
@{MOZ_LIBDIR}/** ixr,
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
/sbin/killall5 ixr,
/bin/which ixr,
/usr/bin/tr ixr,
@{PROC}/ r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/mountinfo r,
@{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
@{PROC}/sys/vm/overcommit_memory r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/platform/**/uevent r,
/sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
/sys/devices/pci*/**/{,subsystem_}device r,
/sys/devices/pci*/**/{,subsystem_}vendor r,
/sys/devices/system/node/node[0-9]*/meminfo r,
owner @{HOME}/.cache/thumbnails/** rw,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
/etc/lsb-release r,
/usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
# about:memory
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/smaps r,
# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,
# allow access to documentation and other files the user may want to look
# at in /usr and /opt
/usr/ r,
/usr/** r,
/opt/ r,
/opt/** r,
# so browsing directories works
/ r,
/**/ r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
# per-user firefox configuration
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.gnome2/firefox* rwk,
owner @{HOME}/.cache/mozilla/{,firefox/} rw,
owner @{HOME}/.cache/mozilla/firefox/** rw,
owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
owner @{HOME}/.config/dconf/user w,
owner /{,var/}run/user/*/dconf/user w,
dbus (send)
bus=session
path=/org/gnome/GConf/Server
member=GetDefaultDatabase
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(label=unconfined),
# gnome-session
dbus (send)
bus=session
path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Inhibit,Uninhibit}
peer=(label=unconfined),
# unity screen API
dbus (send)
bus=system
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Unity/Screen"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=system
interface="com.canonical.Unity.Screen"
path="/com/canonical/Unity/Screen"
member={keepDisplayOn,removeDisplayOnRequest}
peer=(label=unconfined),
# freedesktop.org ScreenSaver
dbus (send)
bus=session
path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit,SimulateUserActivity}
peer=(label=unconfined),
# gnome, kde and cinnamon screensaver
dbus (send)
bus=session
path=/{,ScreenSaver}
interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
member=SimulateUserActivity
peer=(label=unconfined),
# UPower
dbus (send)
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(label=unconfined),
#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
deny @{MOZ_LIBDIR}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
# Miscellaneous (to be abstracted)
# Ideally these would use a child profile. They are all ELF executables
# so running with 'Ux', while not ideal, is ok because we will at least
# benefit from glibc's secure execute.
/usr/bin/mkfifo Uxr, # investigate
/bin/ps Uxr,
/bin/uname Uxr,
/usr/bin/lsb_release Cxr -> lsb_release,
profile lsb_release {
#include
#include
/usr/bin/lsb_release r,
/bin/dash ixr,
/usr/bin/dpkg-query ixr,
/usr/include/python2./pyconfig.h r,
/etc/lsb-release r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
/var/lib/dpkg/** r,
/usr/local/lib/python3.[0-6]/dist-packages/ r,
/usr/bin/ r,
/usr/bin/python3.[0-6] mr,
# file_inherit
deny /tmp/gtalkplugin.log w,
}
# Addons
#include
# Site-specific additions and overrides. See local/README for details.
#include
}
I tried to allow those ListNames methods myself, but I really have no idea what I am doing. I also tried to run firefox with aa-genprof, but I never saw these violations pop up while I did that.
Any ideas?
xAptive
(61 rep)
Jul 15, 2019, 10:18 PM
• Last activity: Jun 8, 2025, 01:05 PM
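An added example (not part of the question or of the Ubuntu Firefox profile) that parses GDBus warning lines of the shape quoted above into their fields and renders the narrowest AppArmor `dbus` rule for that interface/member pair. The sample line is constructed to match the first warning; the bus is an assumption the caller supplies, because the warning only says "(bus)".

```python
import re

# Constructed sample: one GDBus AccessDenied warning in the same shape as the
# lines Firefox printed in the question (pid and bus name are made up here).
SAMPLE_WARNING = (
    '** (firefox:6062): WARNING **: 17:58:37.874: Unable to query dbus: '
    'GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy '
    'prevents this sender from sending this message to this recipient; '
    'type="method_call", sender=":1.138" (uid=1000 pid=6062 '
    'comm="/usr/lib/firefox/firefox " '
    'label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") '
    'interface="org.freedesktop.DBus" member="ListNames" error name="(unset)" '
    'requested_reply="0" destination="org.freedesktop.DBus" (bus)'
)

# key="value" pairs as GLib prints them ("error name" yields the key "name")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_dbus_denial(line):
    """Extract the fields of an AppArmor D-Bus denial warning, or None if the
    line is some other warning (e.g. the gio-launch-desktop exec denial)."""
    if "AppArmor policy prevents" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # label="<profile> (enforce|complain)": split the profile name from its mode
    profile, _, mode = fields.get("label", "").rpartition(" (")
    fields["profile"] = profile
    fields["mode"] = mode.rstrip(")")
    return fields


def suggest_rule(fields, bus):
    """Render the narrowest AppArmor dbus rule that permits exactly this call.
    The warning is printed by the confined sender, so it is a send rule; the
    object path is not logged, so the rule does not restrict it."""
    return "\n".join([
        "dbus (send)",
        f"  bus={bus}",
        f"  interface={fields['interface']}",
        f"  member={fields['member']}",
        f"  peer=(name={fields['destination']}),",
    ])


if __name__ == "__main__":
    f = parse_dbus_denial(SAMPLE_WARNING)
    print(f"denied by profile {f['profile']} ({f['mode']})")
    print(suggest_rule(f, "session"))   # assumption: it was the session bus
```

The rendered rule belongs inside the main profile block (or the site-local override file the final `#include` refers to), and the profile has to be reloaded before it takes effect.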
0
votes
1
answers
2778
views
How to decapsulate GRE (ERSPAN Type II) on Ubuntu 18.04 LTS?
I have an Ubuntu 18.04 LTS server that is receiving ERSPAN traffic sent from several sources.
For those not familiar with ERSPAN, it uses GRE tunneling to achieve this, wrapping the original L3 packet inside of another L3 packet, preserving the original packet's source/destination IP, payload, L2 details, etc.
The server receives this on a dedicated interface (ens192 in this instance), but without decapsulating the traffic (removing the GRE header), when the IDS processes this traffic all that is seen is the source (the ERSPAN source) and the destination (the Ubuntu server), because the IDS stops processing that info once it finds a source/dest IP.
To resolve this issue I have tried using RCDCAP, but it crashes after a short time with a memory corruption issue. I have been relaying this to the developer of RCDCAP and they have been attempting to fix this issue but have not been able to yet.
I am now looking at the capabilities of the kernel to do this job. I see that the kernel module ip_gre includes support for ERSPAN Type I, Type II and Type III.
I have done the following on the Ubuntu server:
#load ip_gre module into kernel
modprobe ip_gre
#create tunnel in gre mode set local and remote ends of tunnel and turn link up
ip tunnel add tun0 mode gre local 10.10.1.20 remote 10.10.1.143 ttl 255
ip link set tun0 up
#assign IP address to tunnel interface
ip addr add 10.10.1.20/24 dev tun0
Doing this successfully creates the tunnel, but it does not process the GRE traffic and is leaving the GRE headers attached.
Is there a switch or something that I am missing when I create the GRE tunnel that tells it what type to expect? There are subtle differences between the GRE types; if it's expecting Type I, it would fail to process it.
jgs240
(1 rep)
May 20, 2020, 01:25 PM
• Last activity: Jun 8, 2025, 12:04 PM
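As an added example (not from the question or from any tool it mentions), the decapsulation done by hand in Python: it walks the outer IPv4 header, the GRE header with its optional fields, and the 8-byte ERSPAN Type II header, and returns the inner Ethernet frame an IDS would need to see. The sample packet is constructed inline with the question's addresses; the distinction it relies on is that Type I places the frame directly after a GRE header with no sequence number, while Type II adds a sequence number and an ERSPAN header whose version field is 1.

```python
import struct

GRE_PROTO = 47              # IP protocol number for GRE
ETHERTYPE_ERSPAN2 = 0x88BE  # GRE protocol type carrying ERSPAN Type I and II


def build_sample():
    """Constructed packet: outer IPv4 10.10.1.143 -> 10.10.1.20 (the addresses
    from the question), GRE with a sequence number, ERSPAN Type II, tiny frame."""
    inner = bytes.fromhex("aabbccddeeff 001122334455 0800") + bytes(20)
    # ERSPAN II word 1: ver=1 | vlan=100 | cos=0 | en=0 | t=0 | session=5
    w1 = (1 << 28) | (100 << 16) | 5
    erspan = struct.pack("!II", w1, 42)                   # word 2: reserved | index=42
    gre = struct.pack("!HHI", 0x1000, ETHERTYPE_ERSPAN2, 7)  # S flag set, seq=7
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     GRE_PROTO, 0, bytes([10, 10, 1, 143]), bytes([10, 10, 1, 20]))
    return ip + payload


def decap_erspan2(pkt):
    """Strip the outer IPv4, GRE and ERSPAN Type II headers; return (meta, inner).
    Raises ValueError for anything that is not ERSPAN Type II over GRE."""
    if pkt[0] >> 4 != 4 or pkt[9] != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    off = (pkt[0] & 0x0F) * 4                    # IHL, so IP options are skipped
    flags, proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x8000:                           # C: checksum + reserved1
        off += 4
    if flags & 0x2000:                           # K: key
        off += 4
    seq = None
    if flags & 0x1000:                           # S: sequence number
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if proto != ETHERTYPE_ERSPAN2 or seq is None:  # Type I: no seq, no ERSPAN header
        raise ValueError("GRE payload is not ERSPAN Type II")
    w1, w2 = struct.unpack_from("!II", pkt, off)
    off += 8
    meta = {"version": w1 >> 28, "vlan": (w1 >> 16) & 0xFFF, "cos": (w1 >> 13) & 7,
            "session_id": w1 & 0x3FF, "index": w2 & 0xFFFFF, "seq": seq,
            "outer_src": ".".join(map(str, pkt[12:16])),
            "outer_dst": ".".join(map(str, pkt[16:20]))}
    if meta["version"] != 1:                     # Type II carries ERSPAN version 1
        raise ValueError("ERSPAN version %d is not Type II" % meta["version"])
    return meta, pkt[off:]
```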
1
votes
1
answers
2190
views
iptables - why are the STUN and TURN ports not working to allow endpoints to access the server?
I have this iptables configuration where everything is working except TCP/UDP ports 3478 and 5349.
$ cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Nov 21 10:21:41 2013
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p udp -m udp -m string --dport 5080 -j DROP --string "friendly-scanner" --algo bm --to 65535
-A INPUT -p udp -m udp -m string --dport 5060 -j DROP --string "friendly-scanner" --algo bm --to 65535
-A INPUT -p tcp -m tcp --dport 5081 -j ACCEPT
-A INPUT -p udp -m udp --dport 5081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 16000:42000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7007 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 65.55.44.100/32 -j DROP
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP
-A INPUT -s 85.25.78.58/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j ACCEPT
COMMIT
# Completed on Thu Nov 21 10:21:41 2013
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
user11085
Nov 25, 2013, 08:59 PM
• Last activity: May 28, 2025, 09:03 PM
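As an added example (not from the question), a small checker over an iptables-save excerpt modelled on the ruleset above: it reports rules that sit below an unconditional terminal rule in the same chain, which the kernel can never reach. The sample text is constructed, with the documentation address 192.0.2.10 standing in for the per-host DROP entries.

```python
import re

# Constructed iptables-save excerpt in the shape of the ruleset in the question:
# a blanket REJECT in INPUT, followed by a per-host DROP and a final ACCEPT.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10/32 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# any match criterion (-p/-s/-d/-i/-o/-m, optionally negated) makes a rule conditional
MATCH_OPT = re.compile(r"(?:^| )!? ?-(?:p|s|d|i|o|m) ")


def unreachable_rules(text):
    """List (chain, rule) for every rule that follows an unconditional terminal
    rule in the same chain: iptables walks a chain top-down and stops at the
    first terminal match, so later rules in that chain can never be hit."""
    shadowed, blocked, table = [], set(), None
    for line in text.splitlines():
        if line.startswith("*"):                 # new table: chains start over
            table, blocked = line[1:], set()
        if not line.startswith("-A "):
            continue
        chain, _, rest = line[3:].partition(" ")
        if (table, chain) in blocked:
            shadowed.append((chain, line))
            continue
        target = re.search(r"-j (\S+)", rest)
        if target and target.group(1) in TERMINAL and not MATCH_OPT.search(rest):
            blocked.add((table, chain))
    return shadowed


if __name__ == "__main__":
    for chain, rule in unreachable_rules(SAMPLE_RULES):
        print(f"unreachable in {chain}: {rule}")
```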