HOWTO quickly STIG Firefox 59.01

Tags

,

The latest Firefox STIG leaves out important details and lists settings that no longer exist. It took a few hours to get this config file to work with settings that are actually still available in 59.01. For reference, see: http://kb.mozillazine.org/About:config

Note that I use Notepad++ on Windows to avoid formatting issues with notepad.exe. Do yourself a favor and download the latest at https://notepad-plus-plus.org/

1) Create a file named local-settings.js and add one line. Using Notepad++, you can save it as a proper JavaScript file (.js):
pref(“general.config.filename”,”mozilla.cfg”);

2) Place local-settings.js file in the following locations depending on whether you have x32 or x64 bit Firefox:

For x64 bit:
C:\Program Files\Mozilla Firefox\defaults\pref

For x32 bit:
C:\Program Files (x86)\Mozilla Firefox\defaults\pref

3) Create a file called mozilla.txt. Add the text below (everything under contents of mozilla.txt staring with //Firefox). Launch a browser (Chrome, IE, Opera) and browse to:

http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi

4) In the middle of the page, under Upload mozilla.txt to get mozilla.cfg (byteshift 13), click browse, and select your mozilla.txt file. Next, click Convert mozilla.txt to mozilla.cfg, and save the file when prompted.

5) Place the mozilla.cfg file into the root of the Firefox directory as show below.

For x64 bit:
C:\Program Files\Mozilla Firefox\

For x32 bit:
C:\Program Files (x86)\Mozilla Firefox\

6) Start Firefox. In the Location bar, enter about:config. Click I accept the risk. At the top of the page in the center, click Status to sort the status of the settings. All of the locked settings should be italicized with a status of locked.

Contents of mozilla.txt:

//Firefox settings that work from Mozilla_Firefox_V4R20 as of Firefox 59.01 March 2018
lockPref(“security.default_personal_cert”, “Ask Every Time”);
lockPref(“network.protocol-handler.external.shell”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, “application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks”);
lockPref(“browser.formfill.enable”, false);
lockPref(“signon.autofillForms”, false);
lockPref(“signon.autofillForms.http”, false);
lockPref(“signon.rememberSignons”, false);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“security.tls.version.min”, 2);
lockPref(“security.tls.version.max”, 3);
lockPref(“dom.disable_window_flip”, true);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“app.update.enabled”, false);
lockPref(“extensions.update.enabled”, false);
lockPref(“browser.search.update”, false);
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);

7) Click the link below for a copy of the files. The zip has a converted mozilla.cfg, the source mozilla.txt, local-settings.js and a README file.

Firefox_STIGv4R20

HOWTO mount a Synology NAS SMB share on Linux with SMBv1 disabled

If you haven’t disabled SMBv1 everywhere, on every PC, NAS, server, you should.

https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

https://www.synology.com/en-uk/knowledgebase/DSM/help/DSM/AdminCenter/file_winmacnfs_win

After disabling SMBv1 on a Synology NAS with DSM 6.1.5-15254 Update 1, I could no longer mount the shares from Linux. On Linux Mint 18.3 with KDE, you can’t select SMBv2 or 3 in the Dolphin or Smb4K GUI (yet) so you have to mount it from the cli.

Both smbclient and mount worked when I specified the SMB version. Note that both commands will prompt you for your password.

user1@lmint ~ $ sudo mount -t cifs //192.168.1.10/data /home/user1/Synology -o username=user1,vers=2.0,sec=ntlmv2

user1@lmint ~ $ smbclient ‘//192.168.1.10/data’ -m SMB2

Howto safely delete the WSUS WID on Windows 2012R2

For whatever reason, you have a Windows 2012R2 WSUS database that is full of unwanted patch data or legacy products and you want to start over without breaking IIS and ruining your weekend. You have tried to remove the WSUS role and you still have old data showing up. This simple Howto will purge your WID and content so you can start over with a fresh DB.

1) Uninstall WSUS. Server Manager > click Manage > Remove Roles and Features > Next > Next > select Windows Server Update Services, click Next and finish the wizard.

2) My WSUS content was installed on the D:\ drive of my server. Yours may be different. Inside the D:\WSUS\ folder, delete the WsusContent folder. Also make sure there are no files in the D:\WSUS\UpdateServicesPackages folder.

3) You need a SQL access tool. If you don’t have the SQL Management client tools installed, download the components below and install them in the order posted (ODBC first, cli utils second). They are a small subset that provide enough functionality to access the WSUS WID from the cli without the need for overblown GUIs and multiple .NET packages (plus about 20 additional patches).

Microsoft ODBC Driver 13.1 for SQL Server
https://www.microsoft.com/en-us/download/details.aspx?id=53339
Make sure you select the x64 bit version when prompted \amd64\msodbcsql.msi

Microsoft Command Line Utilities 13.1 for SQL Server
https://www.microsoft.com/en-us/download/details.aspx?id=53591
Make sure you select the x64 bit version when prompted \amd64\MsSqlCmdLnUtils.msi

4) Create the SQL drop command file. Launch notepad.exe and paste the SQL syntax below into a new file called wsuspurge.sql. Save it to c:\temp or the location of your choice. I use c:\temp. Note that notepad.exe appends the .txt file extension to the file. That’s OK.

select name from sys.sysdatabases
drop database susdb
select name from sys.sysdatabases

5) Launch an elevated cmd.exe prompt and run the following command. The output is also shown below.

:>sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i c:\temp\wsuspurge.sql.txt

name
———————————————————————-
master
tempdb
model
msdb
SUSDB

(5 rows affected)
name
———————————————————————–
master
tempdb
model
msdb

(4 rows affected)

6) Reinstall WSUS. Launch the WSUS Management applet and the configuration wizard will start just like it was a new installation.

HOWTO quickly STIG Firefox 45.0.1

Tags

,

This Firefox STIG leaves out important details. They could make it very simple to implement but they don’t.  For more, see: http://kb.mozillazine.org/About:config

1) Create a file called local-settings.js and add one line:
pref(“general.config.filename”,”mozilla.cfg”);

2) Place local-settings.js in:

c:\<firefox path>\defaults\pref folder.

3) Create a file called mozilla.txt. Add the text below (everything under contents of mozilla.txt).  Launch Firefox and browse to:
http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi

4) View the middle of the page. Under Upload mozilla.txt to get mozilla.cfg (byteshift 13), click browse, select your mozilla.txt file. Next, click Convert mozilla.txt to mozilla.cfg, save the file when prompted and place it in c:\<firefox path>\Mozilla Firefox\.

Contents of mozilla.txt:

//Firefox Settings
lockPref(“security.tls.version.min”, 1);
lockPref(“security.default_personal_cert”, “Ask Every Time”);
lockPref(“network.protocol-handler.external.shell”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, “application/pdf,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/ad,application/,application/adp”);
lockPref(“browser.formfill.enable”, false);
lockPref(“signon.autofillForms”, false);
lockPref(“signon.rememberSignons”, false);
lockPref(“privacy.sanitize.sanitizeOnShutdown”, true);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“security.tls.version.max”, 3);
lockPref(“dom.disable_window_flip”, true);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“dom.disable_window_status_change”, true);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“browser.startup.homepage”, “about:home”);
lockPref(“app.update.enabled”, false);
lockPref(“extensions.update.enabled”, false);
lockPref(“browser.search.update”, false);
// The end

Completing the vSphere vCenter Appliance Hardening Process

Tags

, , ,

The vCenter Appliance is a SuSE Linux VM that ships fully hardened by VMware to the DoD STIG specifications. There are a few site specific settings you must perform to complete the hardening. This post provides the steps to complete the process.

1) Change the root password. Login to the appliance and as root, run:
> passwd
New password:
Retype new password:
Password changed.

> cat /etc/shadow | grep root
root:$6$(truncated)

If the root password starts with a $6$ hash, this confirms it is using a sha512 hash.

2) Set password expiry. Change the root expiry from 3 years to 1 year.
> passwd -x 365 root
Password expiry information changed.

3) Execute the Dodscript.sh script.
> cd /etc/
> ./dodscript.sh
Shutting down auditd                done
Starting auditd

4) You may be a company or site that has a custom banner. If so, edit (and verify) the banners to replace the DoD language with your own.
> vi /opt/vmware/etc/isv/welcometextDoD and paste in your banner.
> cat /opt/vmware/etc/isv/welcometextDoD > /etc/issue  (linked to issue.DoD)
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext.template

5) Configure secure shell, admin accounts, and console access on the appliance. Add a user account that can su to root:
> useradd -s /bin/bash -m -d /home/(your username) -g users -G wheel (your username)

> passwd <your username>
Changing password for (your username)
New password:
Retype new password:
Password changed.

> su – (your username) to verify.

a) Test ability to su to root and verify identity:
> su – root
Password:
Last login: Sat 19 12 12:51:26 UTC 2016 from PC on pts/1
Directory: /root
Tue Mar 19 13:18:33 UTC 2016

> whoami
root

b) Note: The step below isn’t included in the documentation but if you don’t do it you will be locked out.
> vi /etc/security/access.conf

At the end of the file change -:ALL:ALL to +:ALL:ALL

c) Test that the user you just created can login via SSH and su – root before you proceed. Use ssh cli, PuTTY, etc.
> ssh -v (your username)@(your vCenter appliance hostname or IP)
Once logged in:
> su – root

d) Disable direct root SSH access to the appliance.
> vi /etc/ssh/sshd_config

change PermitRootLogin yes to PermitRootLogin no

e) Restrict SSH to the local network of the appliance.
> vi /etc/hosts.allow and add the following:

sshd:127.0.0.1:ALLOW
sshd:[::1]:ALLOW
sshd:(the same network your appliance is on):ALLOW

f) Restart sshd to read the changes:

> service sshd restart
Shutting down SSH daemon                  done
Starting SSH daemon

g) Disable direct root console login on the appliance. This means you must first login as a user and su to root. After setting this, when you try to login on the appliance console as root, it should say login incorrect.
> vi /etc/securetty

Set the first two lines as follows:
#tty1
console

6) Verify time synchronization. Recall that NTP is configured when you first import and setup the appliance. As root, verify:

> service ntp status
remote           refid      st t when poll reach   delay   offset  jitter
=============================================
192.168.1.252    .LOCL.       1 u   37   64    1    1.145  459.906   0.001
192.168.1.252     192.168.1.253  2 u   36   64    1    1.273  464.924   0.001

Checking for network time protocol daemon (NTPD):    Running

7) Setup log forwarding with syslog-ng and auditd. Uncomment and edit the following lines to fit your remote syslog server IP address:
> vi /etc/syslog-ng/syslog-ng.conf

destination logserver { udp(“Syslog_svr_IP_Address” port(514));};
log {source(src); destination(logserver);};

a) Restart the service.
> service syslog restart
Shutting down syslog services               done
Starting syslog services

b) Send your audit data to syslog.
> vi /etc/audisp/plugins.d/syslog.conf

change active=no to active=yes

c) Restart auditd.
> service auditd restart
Shutting down auditd                         done
Starting auditd

d) Tune audit performance.
> vi /etc/audisp/audispd.conf

change the following to 1280 and 8
q_depth = 1280
priority_boost = 8

e) Control the number and rotation of log files.
> vi /etc/logrotate.d/syslog

change all entries for rotate 15 to rotate 7

> vi /etc/logrotate.d/audit

change all entries for rotate 15 to rotate 7

8) Set a boot loader or grub password.
> cat /boot/grub/menu.lst | grep password

password –md5 (a_long_hash_will_be_here)

a) Create a password for grub. This is how the sequence goes: you enter grub and run the md5crypt command to create a hashed password. Once you type in the password, the hash is presented. Copy the password hash. Run the quit command to return to the root shell.

> grub

grub> md5crypt

Password: (Enter your password here)
Encrypted: (a_long_hash_will_be_here)
grub> quit

b) Add the following to the third line of the file:
> vi /boot/grub/menu.lst

password –md5 (the password hash from above)

9) Configure NFS and NIS. If you are not using NFS or NIS, disabled the services. You probably aren’t using them.
> chkconfig ypbind off
> chkconfig nfs off
> chkconfig rpcbind off
> service ypbind stop
> service nfs stop
> service rpcbind stop

10) Reboot to refresh your system and seat all of the changes.
> reboot

HOWTO install the XFCE 4.12 Desktop on NetBSD 7

Tags

,

This is an update to previous posts for NetBSD 6x:
https://slice2.com/2015/01/03/howto-install-the-xfce-4-desktop-on-netbsd-6-1-5/
https://slice2.com/2013/10/10/howto-install-the-xfce-4-desktop-on-netbsd-6-1-2/

For a lightweight functional desktop on NetBSD, install XFCE. As root, perform the following steps. This covers 32 and 64 bit x86 hardware. Since NetBSD essentially runs on everything, simply adjust the repository path to your architecture from the list here: http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/

Note that your hardware support may vary. Especially for video cards. Although NetBSD runs on everything, the command line always gets the most love. Video card support can be hit or miss.

1) Setup your binary repository.
> mkdir -p /usr/pkg/etc/pkgin
> touch /usr/pkg/etc/pkgin/repositories.conf
> vi /usr/pkg/etc/pkgin/repositories.conf and add path:

For x64
http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/7.0_2016Q1/All/

For x32
http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/7.0_2016Q1/All/

2) Add the NetBSD ftp server to your host file. This is for convenience and can be removed when done.
> vi /etc/hosts and add:
199.233.217.201 ftp.netbsd.org

3) Export your path.
Note: I don’t know why the encoded quote characters keep appearing after /ALL/ in the path statements below. It must be an html coding issue and I’m not a developer. Just make sure that at the end of the path statement it ends with /7.0_2016Q1/ALL/” with no trailing characters. In other words, it should look like the paths depicted in step 1 above only it must end in a ” character.

For x64:
> export PKG_PATH=”http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/7.0_2016Q1/All/&#8221;

For x32:
> export PKG_PATH=”http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/7.0_2016Q1/All/&#8221;

4) Install the latest version of pkgin on your system.
> pkg_add -v pkgin-*

5) Update the pkgin database and install XFCE.
> pkgin update

> pkgin install xfce4
calculating dependencies… done.

nothing to upgrade.
121 packages to be installed (251M to download, 887M to install):

nettle-3.1.1 libtasn1-4.5 libcfg+-0.6.2nb3 gmp-6.0.0a libproxy-0.4.11 libgpg-error-1.20 libcddb-1.3.2nb1 p5-Business-ISBN-Data-20140910.002nb1 py27-cElementTree-2.7.10 libIDL-0.8.14nb4 at-spi2-core-2.16.0 icu-55.1nb1 libepoxy-1.3.1nb1 at-spi2-atk-2.16.0 ORBit2-2.14.19nb4 gobject-introspection-1.44.0 p5-Business-ISBN-2.09nb1 usbids-20081118 pciids-20150907 libvolume_id-0.81.1nb1 hal-info-20091130nb4 libcdio-0.93nb3 libgcrypt-1.6.4 glib-networking-2.36.2nb2 readline-6.3nb3 popt-1.16nb1 mit-krb5-1.10.7nb7 libiconv-1.14nb2 gnutls-3.3.18 gettext-lib-0.19.4 jbigkit-2.1 fribidi-0.19.7 enca-1.15 libogg-1.3.2 libidn-1.32 xvidcore-1.3.3 x264-devel-20150717 libvpx-1.4.0nb1 libtheora-1.1.1nb2 libass-0.12.2 lame-3.99.5nb3 tiff-4.0.6 lcms2-2.7 poppler-0.34.0 samba-3.6.25nb2 libsoup-2.50.0 libgnome-keyring-3.12.0 libcdio-paranoia-0.93nb1 hal-0.5.14nb16 p5-URI-1.69 xcb-util-0.4.0 libvorbis-1.3.5 libltdl-2.4.2 gstreamer0.10-0.10.36nb8 GConf-2.32.4nb10 iso-codes-3.61 gtk3+-3.16.6nb1 xmlcatmgr-2.2nb1 perl-5.22.0 pcre-8.38 libelf-0.8.13nb1 lzo-2.09 harfbuzz-1.0.3 cairo-gobject-1.14.2nb1 libffi-3.2.1 libxml2-2.9.2nb3 gnome-icon-theme-3.12.0 shared-mime-info-1.4 python27-2.7.10 py27-expat-2.7.10 pango-1.37.1 cairo-1.14.2nb1 atk-2.16.0 gtksourceview2-2.10.5nb24 glib2-2.44.1nb1 policykit-0.9nb18 xfce4-garcon-0.5.0 xfce4-conf-4.12.0nb2 libxklavier-5.0nb5 libglade-2.6.4nb22 libcanberra-0.27nb5 vte-0.28.1nb16 startup-notification-0.12nb3 xfce4-exo-0.10.6 libxfce4util-4.12.1nb1 libnotify-0.7.6nb2 libexif-0.6.21 gvfs-1.6.7nb17 poppler-glib-0.34.0 png-1.6.20 openjpeg-2.1.0 libgsf-1.14.34 jpeg-9anb1 gdk-pixbuf2-2.30.8nb1 ffmpegthumbnailer-2.0.8nb4 ffmpeg1-1.2.12nb1 dbus-glib-0.104 dbus-1.10.0nb1 curl-7.44.0 libxfce4ui-4.12.1nb2 libwnck-2.30.6nb18 hicolor-icon-theme-0.13 desktop-file-utils-0.22 xfce4-xarchiver-0.5.4nb1 xfce4-wm-themes-4.10.0nb1 xfce4-wm-4.12.3 xfce4-tumbler-0.1.31nb3 xfce4-thunar-1.6.10nb1 xfce4-terminal-0.6.3nb1 xfce4-settings-4.12.0nb1 xfce4-session-4.12.1 xfce4-panel-4.12.0nb1 xfce4-orage-4.12.1 xfce4-mousepad-0.4.0nb1 xfce4-gtk2-engine-3.2.0nb1 xfce4-desktop-4.12.3 xfce4-appfinder-4.12.0nb1 gtk2+-2.24.28 elementary-xfce-icon-theme-0.6 xfce4-4.12.0nb2

proceed ? [Y/n] Y

6) Add fonts, fam, screen lock and file manager.
> pkgin install font-adobe-75*
> pkgin install font-adobe-100*
> pkgin install font-adobe-utopia*
> pkgin install xscreensaver
> pkgin install fam
> pkgin install tbd (dependency of thunar)
> pkgin install gvfs (dependency of thunar)
> pkgin install xfce4-thunar

> cp /usr/pkg/share/examples/rc.d/famd /etc/rc.d/
> cp /usr/pkg/share/examples/rc.d/dbus /etc/rc.d/
> cp /usr/pkg/share/examples/rc.d/hal /etc/rc.d/

> echo rpcbind=YES >> /etc/rc.conf
> echo famd=YES >> /etc/rc.conf
> echo dbus=YES >> /etc/rc.conf
> echo hal=YES >> /etc/rc.conf

> /etc/rc.d/rpcbind start
> /etc/rc.d/famd start
> /etc/rc.d/dbus start
> /etc/rc.d/hal start

7) Configure X and start the desktop for the first time. Note that you should not start X as root. Run the following for users on the system. For example, the user slice2 would be setup as:
> echo xfce4-session >> /home/slice2/.xinitrc
> ln /home/slice2/.xinitrc /home/slice2/.xsession
> su – slice2
> startx   (note: be patient, it may take a minute to load)
a) When prompted, select use default config. In the upper left, select Applications > Log out.

8) Install apps as desired. This step is optional. Enter Y when asked to proceed ? [Y/n] for each app.
Browsers and plugins:
> pkgin install firefox
> pkgin install opera
> pkgin install xpdf
> pkgin install flashplayer
> pkgin install openquicktime
> pkgin install mozilla-fonts*
> pkgin install icedtea-web
a) when done installing icedtea-web, run the three commands below to configure avahi.
> cp /usr/pkg/share/examples/rc.d/avahidaemon /etc/rc.d/avahidaemon
> chmod 0755 /etc/rc.d/avahidaemon
> echo avahidaemon=YES >> /etc/rc.conf

Install security apps, utils and shells:
> pkgin install wireshark
> pkgin install nmap
> pkgin install iftop
> pkgin install keepassx
> pkgin install bash
> pkgin install lsof
> pkgin install mhash
> pkgin install nbtscan
> pkgin install netcat
> pkgin install vim

GUI ftp/scp client:
> pkgin install filezilla

Office Suite and multimedia:
> pkgin install libreoffice*
> pkgin install xmms
> pkgin install xfce4-xmms-plugin
> pkgin install xcdroast
> pkgin install xcalc
> pkgin install vlc
> pkgin install tree

You can launch liberoffice from Applications > Office, or enter the soffice command in an xterm.

9) Now that all your apps are installed, start your desktop.
> su – slice2 (su to your user account)
> startx

Enabling TLS 1.2 on the Splunk 6.2x Console and Forwarders using Openssl and self signed certs.

Tags

,

Good luck. You will need it. Certificates are a major headache and complicated to implement. Using them with Splunk is no different. Splunk’s penchant for twiddling files all over the place makes this process time consuming an rife with error. This post will hopefully help you get it done. This covers encrypting the management console and forwarder traffic. This HOWTO is not for a clustered deployment although it could be adapted to serve that purpose. It was done on Windows 2012 R2 with a single Splunk Enterprise deployment (search head and indexer on the same server) and several forwarders. Use your own naming conventions and hosts for fqdn. Please don’t ask me questions on this post. I almost didn’t survive the process. I won’t have time to reply for a while anyway.

1) On the Splunk Search Head, set your environment.

> cd C:\Program Files\Splunk\bin
> splunk envvars > setsplunkenv.bat & setsplunkenv.bat
> setsplunkenv.bat

2) Create dir $SPLUNK_HOME\etc\auth\UScerts and cd into it.

> cd C:\Program Files\Splunk\etc\auth\UScerts

3) Create a root key.
> openssl genrsa -aes256 -out USCA_root.key 2048

4) Generate and sign the certificate.
> openssl req -new -key USCA_root.key -out USCA_root.csr

5) Generate the public certificate.
> openssl x509 -req -in USCA_root.csr -sha256 -signkey USCA_root.key -CAcreateserial -out USCA_root.pem -days 3650

6) Generate a key for your Web(search head)server certificate.
> openssl genrsa -aes256 -out me.fqdn.com.key 2048

7) Request and sign a new server certificate.
> openssl req -new -key me.fqdn.com.key -out me.fqdn.com.csr

8) Use the CSR me.fqdn.com.csr and your CA certificate and private key to generate a server certificate.
> openssl x509 -req -in me.fqdn.com.csr -sha256 -CA USCA_root.pem -CAkey USCA_root.key -CAcreateserial -out
me.fqdn.com.pem -days 730

9) Creating a (removing encryption from priv key) priv key without a passphrase. Required for webservers.
> openssl rsa -in me.fqdn.com.key -out me.fqdn.com_nopass.key

10) Create a combined cert file.
> type me.fqdn.com.pem me.fqdn.com_nopass.key USCA_root.pem > me.fqdn.com_nopass_use.pem

11) On the search head, edit the \etc\system\local\web.conf and add the following:
[settings]
enableSplunkWebSSL = 1
httpport = 8843
privKeyPath = etc\auth\UScerts\me.fqdn.com_nopass_use.pem
CaCertPath = etc\auth\UScerts\USCA_root.pem

Add to \etc\system\local\server.conf

enableSplunkdSSL = true
sslVersions = tls1.2
allowSslCompression = false
allowSslRenegotiation = false
cipherSuite = TLSv1+HIGH:@STRENGTH

12) Restart Splunk. Close your browser, relaunch and login to the console to verify (make sure to use the port defined above in web.conf; https://hostname or ip:8843).  If you scan with Nessus, Retina, etc., it should now be free from SSL errors.

Certs for Forwarders:

Create a SAN (subject alternative name) cert. Although not officially supported by Splunk when I originally wrote this, it does work.

1) Create a new folder in etc\auth\UScerts\SANcert.

2) Copy the openssl.cnf to the new folder.  C:\Program Files\Splunk\openssl.cnf to C:\Program Files\Splunk\etc\auth\UScerts\SANcert

> cd C:\Program Files\Splunk\etc\auth\UScerts\SANcert

3) In Windows 2012 R2 – Take ownership of the copied openssl.cnf file. Right-click > properties, and then add your user with Full Control to the file.

4) In Notepad or Wordpad, edit openssl.cnf. Wordpad is preferred.

a) Search (using the Find function in the upper right of Wordpad) and uncomment this line:
# req_extensions = v3_req # The extensions to add to a certificate request

b) Next, search for and modify this section to include the following if it does not already have it:
[ v3_req ] # Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAtlName = @alt_names

c) Create this section next, between [ v3_req ] and [ v3_ca ].
[alt_names]
DNS.1 = your.server.com
DNS.2 = your.next.server.com
DNS.3 = your.other.server.com
IP.1 = an IP address for a server
IP.2 = another IP address for a server
— note, add as many as you like. You will need one for each forwarder if you want to identify them individually.

5) Generate a new CSR.
openssl req -new -key me.fqdn.com.key -out me.fqdn.com_SAN.csr -config “C:\Program Files\Splunk\etc\auth\UScerts\SANcert\openssl.cnf”

Make sure you use: *.your.fqdn for Common name question. This is the wildcard for your domain, such as *.yourdomain.com

6) Check text of cert csr. You should see the items in the alt_names from above.
> openssl req -text -noout -in me.fqdn.com_SAN.csr

7) Create a cert.
> openssl x509 -req -in me.fqdn.com_SAN.csr -sha256 -CA USCA_root.pem -CAkey USCA_root.key -CAcreateserial -out me.fqdn.com_SAN.pem -extensions v3_req -days 730 -extfile “C:\Program Files\Splunk\etc\auth\UScerts\SANcert\openssl.cnf”

8) On the Indexer, edit \etc\system\local\inputs.conf and add the following and restart Splunk.

[SSL]
rootCA = etc\auth\UScerts\USCA_root.pem
servercert = etc\auth\UScerts\me.fqdn.com_SAN.pem
password = your_password
cipherSuite = TLSv1+HIGH:@STRENGTH

[splunktcp-ssl:9997]
compressed = false

9) Now restart splunk:
$SPLUNK_HOME\bin\splunk restart splunkd

10) Configure your Forwarders to use the certificates. Use your Deployment Server to distribute the certs and modified outputs.conf to your forwarders.

a) On the Search head that is acting as your deployment server, edit the outputs.conf file in etc\deployment-apps\<your name for SendToIndexer>\local\ with the following.

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = your.ip.:9997
compressed = false
sslRootCAPath = etc\apps\<your name for SendToIndexer>\USCA_root.pem
sslCertPath = etc\apps\<your name for SendToIndexer>\me.fqdn.com_SAN.pem
sslPassword = <your password>
sslVerifyServerCert = true

b) Copy the etc\auth\UScerts\USCA_root.pem and etc\auth\UScerts\me.fqdn.com_SAN.pem files to the etc\deployment-apps\<your name for SendToIndexer>\local folder on your deployment server and they will be copied to each Forwarder for you.

11) Restart Splunk.
$SPLUNK_HOME\bin\splunk restart splunkd

12) Done. I hope.

Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server

Tags

,

This post demonstrates how to apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server that is not in the domain. For this example, I’ll use the Internet Explorer 11 (IE11) lock downs I applied using a domain GPO.

This process also worked when I applied the 2012 R2 IE policy to a standalone Windows 7 Enterprise workstation.

1) Launch Group Policy Management on the Domain Controller. Browse to the policy you want to apply to the standalone servers (in my case IE11), right-click it and select Backup. Save it to a location of your choice and give it a description, such as IE11 GPO.

2) Download and install Microsoft SCM 3.0 (not on your domain controller). I just built a VM since SCM is only needed temporarily. I was only able to get it fully installed without errors on Windows 2008 R2. It supposedly supports Vista through 2012. I opted to install the bundled SQL Express since all I want is the LocalGPO executable. No need to point to a SQL server. You can uninstall the whole thing when done. The only reason to install the full package is so you can get a copy of the LocalGPO folder. Download it from:

Security Compliance Manager (SCM) Info:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Download page:
https://www.microsoft.com/en-us/download/details.aspx?id=16776

a) When done downloading, double-click the Security_Compliance_Manager_Setup.exe > click Run > deselect Always check for SCM baseline updates (you don’t care about them right now) and click Next > accept the license and click Next > Next > Next > accept the SQL Express license and click Next > Install > Finish. The app will auto-load the baselines. Just let it finish.

b) When done installing, browse to C:\Program Files (x86)\Microsoft Security Compliance Manager. Copy the LocalGPO folder to a location of your choice. You will need to install the executable in this folder on each standalone server that will receive the Domain GPO.

5) Login as a local admin on the server to receive the GPO. Install LocalGPO on your standalone server. When done, browse to the C:\Program Files (x86)\LocalGPO folder, right-click LocalGPO.wsf, select Properties, select the Security tab and give your admin user full control of the file.

6) Create a folder on this server called c:\gpos. Copy your IE11 GPO backup folder into the c:\gpos folder.

7) Edit the LocalGPO.wsf file to recognize 2012 R2 (Windows 2012 R2 is version 6.3). Open C:\Program Files (x86)\LocalGPO\LocalGPO.wsf in notepad (right-click > Edit). Search for 6.2. On the first instance of 6.2, change it to 6.3.

From this: If(Left(strOpVer,3) = “6.2”) and (strProductType <> “1”) then

To this: If(Left(strOpVer,3) = 6.3) and (strProductType <> “1”) then

8) The Windows Firewall must be running temporarily before you run this tool. Even though you may have disabled the firewall and use a third-party product like McAfee Firewall, etc., turn on the native Windows firewall in the services.msc applet now.

9) Click start (lower left corner), and then Search icon in the upper right. Enter LocalGPO. Right-click LocalGPO Command line and select Run as Administrator. Before you run the next command, close all Windows except the cmd prompt.

Enter this command:

> cscript localgpo.wsf /path:”C:\gpos\{A81C84F4-F8F5-4E8A-B077-9EA1471B3886}”

– note: your IE11 GPO backup folder name inside c:\gpos will be different. Just add your folder name in the command above.

You should see Applied valid Machine POL and Applied valid User POL. No valid audit or INF is OK.

10) Clean up after yourself. Uninstall LocalGPO if you don’t plan to use it again. Delete the gpo backup in c:\gpos.

You can run > gpupdate /force or reboot the server to apply the policy completely.

11 Verify that it applied the policy. Launch IE11 and verify your settings are locked down. Note that on a fresh system, you  may have to launch IE and then immediately close it. Launch it again and the lock downs will be set. Sometimes it takes two startups for the settings to apply. Not sure why. If you had the Windows firewall turned off, open services.msc and disable it.

Enable legacy SSL and Java SSL support in your browser for those old, crusty websites

Tags

,

This is a quick post to show you how to enable legacy SSL and Java SSL support in your browser for those old, crusty websites and applications you have in your organization. Note that this should not be done on Internet facing systems. Only offline or systems that are not routed to the Internet should implement these changes.

1) Launch Firefox. Type about:config in the location bar.
2) In the search bar that comes up, enter: security.tls.version.min. Double-click on the entry that appears and change the value to 0.
3) Do the same for security.tls.version.fallback-limit.
4) Try to connect to your site. It should now work for you.

Enable SSL in Java (it has been disabled for a few rev’s now)
1) Open Windows explorer and browse to either (or both if you have x32/x64 bit Java installed):

C:\Program Files (x86)\Java\jre1.8.0_45\lib\security
C:\Program Files\Java\jre1.8.0_45\lib\security

2) Double-click the file named java.security. You will be prompted to select a program to open the file. Choose select a program from a list of installed programs and click OK. Choose either Wordpad or notepad.

3) Scroll down to the bottom of the file. You should see:
jdk.tls.disabledAlgorithms=SSLv3

4) Change this by back-spacing over SSLv3 and save the file so it looks like:
jdk.tls.disabledAlgorithms=

You should now be able to access legacy sites with Java SSL support.