Monthly Archives: August 2008

A little mutt help, please.

I know I’m not going crazy. Well, not completely crazy but that’s neither here nor there.

A while back I had mutt up and functioning PERFECTLY (or near perfect). Then I messed up and lost the configuration files I was using. I’ve never been the same since the incident.

This morning I decided I was going to rebuild the files and get mutt back up and running. I have most of it worked out but I’m missing one little piece… the outgoing portion. I’ve looked for documentation on how to define an SMTP server but all I’ve found is people saying how you CAN’T do it. I know I’m not going crazy with this part as I remember my old build actually connecting to the SMTP server and sending messages.

Does anyone have this up and running?
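For reference, here is the outgoing piece of a muttrc as an added example (not the original configuration from this post). It assumes a mutt that was built with SMTP support (1.5.15 or later; `mutt -v` lists `+USE_SMTP` when it is), and the host, user and port are placeholders.

```conf
# Check first whether the installed mutt has the built-in SMTP client:
#   mutt -v | grep -o '[+-]USE_SMTP'      (+USE_SMTP means yes)

# Outgoing mail via mutt's own SMTP client. Host, user and port are placeholders.
set from          = "user@example.org"
set smtp_url      = "smtp://user@mail.example.org:587/"
set ssl_starttls  = yes        # upgrade the port-587 session to TLS
set ssl_force_tls = yes        # refuse to send if TLS cannot be negotiated

# Leaving smtp_pass unset makes mutt prompt at send time, which keeps the
# password out of this file. If you do store it, keep the file mode 0600.
# set smtp_pass = "..."

# Alternative for a mutt built without SMTP support: hand the message to
# msmtp, which speaks SMTP itself and is configured in its own ~/.msmtprc.
# set sendmail = "/usr/bin/msmtp"
```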

Open Source downfalls when dealing with the US Government

I don’t hide the fact that I am a contractor to a few US Government organizations and deal specifically with security issues. As such, I’m asked if I’m seeing any open source or Linux items in my daily work. Unfortunately the answer is always “not as much as I’d like to see”. I know that a Linux system can be hardened faster and easier (and cheaper) than that other brand of OS. I know that compliance testing takes half as long on Linux (and Solaris) as on that other brand as well. This all adds up to larger cost savings for the customer (the gov’t) and for the American public. So why aren’t there more open source solutions out there being used? Two words: “testing” and “certifications”.

I’ll use LUKS as a good example. LUKS provides “Data at Rest (DAR) Encryption” for computer hard drives and removable media. By default, in Fedora, it uses AES encryption and protects all data on the hard drive from being copied or altered on a system that is powered down. Simple, easy to install, free, and meets the basic requirements for DAR Encryption. Why isn’t this an approved solution, then? Because LUKS doesn’t meet FIPS 140-2 requirements. Well, I won’t say that it doesn’t meet the requirements, because it probably does, but it has never been certified as such. And doing so usually takes at least $100k+ and a few months of government testing. Now if you are developing open source software you probably don’t have the money to fund such testing.

There are a few notable exceptions. SELinux was a joint project between the community and the NSA. That worked out well for all involved.

I’d like to see the bar lowered for software to become accepted as solutions instead of being discarded because they don’t have a large amount of funding.

Anti-Virus, Anti-Spyware, and Rootkits in Linux

(I started working on this a few days ago and never finished it. I’ll finish it now.)

Last night a user joined up to the #fedora-security channel and sent the following:

Not trying to troll here, but after reading Sparks’ blog regarding security I started thinking again about Fedora and Linux in general if you DO get infected. If I understand correctly, if you’re infected with a rootkit you’re basically screwed. There is no way to really remove it or be sure that you’ve removed it.
In Windows on the other hand (if you believe the antivirus/Trojan/etc programs are telling you the truth) it is possible to completely remove a virus/etc from Windows. So let’s say that in the “Year of the Linux Desktop” some not so nice programs start installing rootkits.
Everybody infected would have to reinstall Fedora. Imagine if all Windows users had to reinstall after an infection. There would be a lot of angry users. I sure would really like to read a blog entry about Trojan Removal and Linux from Sparks.

This was interesting and if it hadn’t been so late at night (for me) I’d probably have responded better. But I didn’t and so now I sit at my desk at work contemplating what was asked and said.

As a prior Windoze administrator (servers and clients) I can say that I have NEVER been able to recover a Windoze computer from a rootkit or any other kind of virus. I’ve come close, I think, but after working for over six hours trying to recover the computer I ended up trashing it and re-imaging the system.

Now I’ve never had to recover a Unix/Linux system from a rootkit or other virus but I can imagine that it would be much easier. All you would have to do is remove and reinstall the particular package from one of the mirrors or another trusted source, where the package is hashed and the hash is checked once it is downloaded. You could potentially have your problem fixed in less than a minute once you realized you had a problem.

Ahh! First you have to figure out that you have a problem! Introducing AIDE! Now AIDE is nothing new and it is quite simple to set up and to use. Basically AIDE will scan your system every x minutes (you set it up with a cron job) and will compare a hash of the files you told it to keep track of with the current hash of that file. It will tell you via email if something changed.
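To make the mechanism concrete, here is the check AIDE performs written out with coreutils, as an added example rather than anything from this post or from AIDE itself: hash a baseline, re-hash later, and report files that changed, vanished or appeared. It assumes GNU coreutils (sha256sum, sort -z, xargs -r) and that the directory is passed as an absolute path; the cron line at the end uses the real tool’s `--check` option with an assumed install path.

```shell
#!/bin/sh
# Added example: what "aide --init" (baseline) and "aide --check" (compare)
# do, reduced to two shell functions so the idea is visible.

# build_baseline DIR DB: record a SHA-256 for every regular file under DIR.
build_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0r sha256sum > "$2"
}

# check_baseline DIR DB: re-hash every recorded file and look for files that
# appeared since the baseline. Prints one line per problem; returns 0 when
# nothing changed, 1 otherwise (so a cron job can mail only on failure).
check_baseline() {
    dir=$1 db=$2 rc=0
    # modified or missing files: sha256sum prints "path: FAILED ..." for each
    sha256sum --quiet -c "$db" 2>/dev/null || rc=1
    # added files: compare the recorded paths with what is on disk now
    known=$(mktemp) now=$(mktemp)
    cut -c67- "$db" | sort > "$known"     # 64 hex chars + 2 spaces = 66 columns
    find "$dir" -type f | sort > "$now"
    added=$(comm -13 "$known" "$now")
    rm -f "$known" "$now"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED: /'
        rc=1
    fi
    return $rc
}

# The cron job the post describes, using the real tool (install path assumed):
# 0 * * * * root /usr/sbin/aide --check 2>&1 | mail -s "AIDE report" root
#
# Keep the baseline (AIDE's aide.db.gz, or DB above) on read-only or offline
# media: an intruder with root can rewrite a writable baseline to match the
# altered files, and the next check will happily report nothing.
```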

I’m just shooting from the hip on this but I think I’m going down the right path here. I’d like to hear from others on the Red Hat Security Team and the Fedora Security Team to see how “on track” I am.

UPDATE: As mdious pointed out… Would I trust a rooted system if I hadn’t reinstalled the OS from scratch? The answer: NOPE! 🙂