Apply the Mozilla Firefox STIG to Firefox on Ubuntu Linux 18.04

1) Applying the STIG on Windows is quite easy. However they fail to provide guidance on how to apply it on Linux. I hope this helps.

2) You will create two files; autoconfig.js and mozilla.cfg.

a) autoconfig.js is as follows. There must be two additional forward slashes at the start of the text below.

pref(“general.config.filename”, “mozilla.cfg”);
pref(“general.config.obscure_value”, 0);

b) mozilla.cfg is as follows. There must be two additional forward slashes at the start of the text below.

// SV-16707 – DTBF050
lockPref(“security.default_personal_cert”, “Ask Every Time”);
// SV-16710 – DTBF105
// SV-16711 – DTBF110
// SV-16713 – DTBF140
lockPref(“browser.formfill.enable”, false);
// SV-16714 – DTBF150
lockPref(“signon.autofillForms”, false);
// SV-16715 – DTBF160
lockPref(“signon.rememberSignons”, false);
// SV-16717 – DTBF180
lockPref(“dom.disable_window_open_feature.status”, true);
// SV-16718 – DTBF181
lockPref(“dom.disable_window_move_resize”, true);
// SV-16925 – DTBF030
lockPref(“security.enable_tls”, true);
// SV-16925 – DTBF030
lockPref(“security.tls.version.min”, 2);
// SV-16925 – DTBF030
lockPref(“security.tls.version.max”, 4);
// SV-16727 – DTBF182
lockPref(“dom.disable_window_flip”, true);
// SV-16928 – DTBF183
lockPref(“dom.event.contextmenu.enabled”, false);
// SV-21890 – DTBF085
lockPref(“”, false);
// SV-59603 – DTBF090
lockPref(“extensions.update.enabled”, false);
// SV-79381 – DTBF186
lockPref(“xpinstall.enabled”, false);
// SV-93759 – DTBF190
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);
// SV-106633 – DTBF195
lockPref(“devtools.policy.disabled”, true);
// SV-111837 – DTBF200
lockPref(“toolkit.telemetry.enabled”, false);
// SV-111839 – DTBF205
lockPref(“toolkit.telemetry.archive.enabled”, false);
// SV-111841 – DTBF210
lockPref(“privacy.trackingprotection.fingerprinting.enabled”, true);
// SV-111843 – DTBF215
lockPref(“privacy.trackingprotection.cryptomining.enabled”, true);
// SV-111845 – DTBF220
lockPref(“browser.contentblocking.category”, “strict”);
// SV-111847 – DTBF225
lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false);
// SV-111849 – DTBF230
lockPref(“browser.newtabpage.activity-stream.enabled”, false);
// SV-111851 – DTBF235
lockPref(“security.ssl3.rsa_des_ede3_sha”, false);

3) At the console or via ssh, create the files in the Ubuntu locations.

> sudo vi /usr/lib/firefox/mozilla.cfg and paste the text shown above in 2b. There should be no extra space or line at the top or bottom of the text.
> sudo chmod 644 /usr/lib/firefox/mozilla.cfg

> sudo vi /usr/lib/firefox/defaults/pref/autoconfig.js and paste the text above in 2a. There should be no extra space or line at the top or bottom of the text.
> sudo chmod 644 /usr/lib/firefox/defaults/pref/autoconfig.js

4) Start Firefox. In the location bar, enter about:config. In the search field enter plugin. and you will see that plugin.disable_full_page_plugin_for_types is grayed out with a lock icon to the left. Try any other from the mozilla.cfg list and they should be the same.ffox_lock

Dynamically Resize Those Tiny BlackArch Linux Terminals

BlackArch Linux is a great security distro but I’ve always been annoyed by the small terminal windows and could never find a way to resize them. I just used PuTTY on Windows or an xterm from another host/VM to get an easily adjustable xterm window. I found this obscure but simple method to resize the terminal. Hope you find this as helpful as I did.

1) Login to BlachArch as root. Right-click the desktop > select Terminal > and pick any terminal color you like.

2) Example resizing commands are listed below. Depending on your monitor size, you can play with the numbers to get your perfect terminal window. The set of numbers after the 8; sets the height and the last set with a “t” sets the width. The commands are dynamic and will change the terminal immediately. If you don’t like your choice, simply up-arrow and enter a new number.

[blackarch ~]# printf ‘\e[8;20;90t’
[blackarch ~]# printf ‘\e[8;30;90t’
[blackarch ~]# printf ‘\e[8;40;90t’
[blackarch ~]# printf ‘\e[8;50;95t’
[blackarch ~]# printf ‘\e[8;40;100t’

Kali Linux OVA for Air-Gapped Use Build Process

If your forensics lab employs Kali Linux as its primary security based Linux distro, this document describes how to build, augment, patch and export an OVA image for use in the lab where you have no internet access.

Software needed to complete this task include:
1) The latest Kali Linux release. As of this writing, its 2020.1b.

2) VirtualBox 6.1.6 and Extensions (or the most recent version).

3) PuTTY terminal emulator for Windows.

5) A Windows 10 PC or laptop with at least 8 Gigs of memory. 16 is better but 8 will do. You also need at least 200 Gigs of available hard drive space for the image and the exported OVA.

6) Once built, you will export the VM as an OVA and import it to the lab after it has been through your QA process.

IMPORTANT: A Special Note Regarding Word, PDF and Text Character Formatting

1) In some cases, Word and PDF character formatting gets mangled when you copy/paste into a Linux terminal. Before you press enter on a pasted command, make sure it looks the same.
2) If it looks the same and doesn’t run, its typically a broken “-“ as in the –v, or any other switch. The double dash “ – -“ can be merged as a single “–“ when the document is converted. Also, even if the “-“ looks normal and the command doesn’t run or has errors, simply paste the command into the terminal, then using the left-arrow key, roll back and place the cursor behind the “-“ dash, press the backspace key to remove and then enter a new single dash or double dash as needed. This will create them in the native terminal character font. I know, it can be a hassle.
3) Since some of these commands are quite long, you might consider pasting them into Notepad first, and then copy from Notepad into the Linux terminal.

STEP 1 – Obtain the Software and Install on your PC or Laptop

1) Download the software mentioned above.
2) Install PuTTY and VirtualBox first and then install the Extension pack. Defaults are fine unless you have reasons to choose otherwise.

STEP 2 – Build the VM

1) Building the VM must be done offsite if you have restrictions due to access limitations and/or security requirements that prevent you from installing software, accessing the repos, or your destination system is air-gapped.
2) Create a folder on your c:\ drive named vboxshare.
3) Launch VirtualBox Manager and select Machine > New.
a. Name it kali01 or whatever you like).
b. Choose your machine folder location.
c. Type: Linux.
d. Version: Debian x64.
e. Memory size: minimum 4096 MB but 8192 is preferred if you have it.
f. Select Create the virtual disk now and click create.
g. Change the File size to 80.00 GB.
h. Hard disk file type: VDI.
i. Storage on physical disk: select Fixed size and click Create to create the VM.
j. Right-click the new VM profile and select settings.
k. Under System > Processors you can change this to 2 if you have the horsepower on your PC or laptop. If not, 1 should be fine. Both memory and CPU can be changed after being imported on the FAS.
l. Select Display, change Video memory to 128 MB and make sure graphics controller is VMSVGA.
m. Select Storage, under Controller IDE, select the Empty disc icon. On the right, under Attributes, across from Optical Driver select the Disc icon and then Choose/Create a virtual optical disk. If not listed, click +Add and browse out to the Kali ISO you downloaded, select it and click Choose > OK.
n. Select Network. Change Attached to: Bridged Adapter, expand Advanced and change Promiscuous mode to Allow All.
o. Select Shared Folders and click the green + folder icon in the upper right.
i. Folder path: C:\vboxshare.
ii. Folder name: vboxshare and select Auto-mount.
iii. Mount point: /vboxshare (note the forward slash, not backslash).
iv. Click OK > OK. Right-click the VM and select Start. If prompted, select the Kali ISO.

4) On the Kali Installation process:
a. Select Graphical installation, English as the language, United States as location, American English for Keyboard.
b. If you have DHCP your network should autoconfig. If not, click Continue on the Network screen, select Configure Network Manually, enter an IP, netmask, gateway, name servers or DNS.
c. Enter the hostname, leave the domain name blank, create the user account (such as kaliadm), add a password, set the clock to Eastern.
d. For partition, select Guided – use entire disk, select the vbox harddisk, select all files in one partition and click Continue on Finish partitioning and write changes to disk, select Yes to write changes to disk.
e. Enter the proxy information if you need one, otherwise leave it blank,
f. On the Software selection page, make sure Desktop, Xfce, Collection of Tools, top 10, default and large are selected. The system will begin to install the packages.
g. Select Yes on Grub boot loader, select the vbox hardisk as the boot loader device, click Continue on Installation complete to reboot the VM.

5) Enable SSH. It’s off by default.
> sudo systemctl start ssh
> sudo systemctl enable ssh
a. Test your access using PuTTY to login as the kaliadm user. Check the new OS release.

> cat /etc/os-release
> lsb_release -a

6) Install the official “everything” metapackage set (even though it really isn’t all of them) and few utilities. Login as the kaliadm user.

> sudo apt update
> sudo apt install kali-linux-everything
> sudo reboot
> sudo apt upgrade (if noting installs, skip the next reboot)
> sudo reboot

7) Login as kaliadm and install the VirtualBox Guest Additions. First, make sure the prerequisites are installed (they should be by now).

> sudo apt install dkms linux-headers-$(uname -r) build-essential

a. On the VM frame across the top select Devices > Insert Guest Additions CD Image.
> sudo mount /dev/cdrom /mnt
> cd /mnt
> sudo ./
> sudo reboot

8) List installed apps. Grep for stuff if you need to.
> sudo apt-cache search ” | sort -d | awk ‘{print $1}’
> sudo apt-cache search ” | sort -d | awk ‘{print $1}’ | grep <app name>

9) List installed apps with some detail. Grep for stuff if you need to.
> sudo apt-cache policy $(apt-cache search ” | sort -d | awk ‘{print $1}’)
> sudo apt-cache policy $(apt-cache search ” | sort -d | awk ‘{print $1}’) | grep <app name>

10) Create the /cases folder. This is where case data is localized.
> sudo mkdir -pv /cases

STEP 3 – Install Additional Tools

1) Use PuTTY on your PC to SSH as the kaliadm user into the VM or login to the GUI.
2) Install ClamAV AntiVirus and verify. From this point forward, it’s your choice to either via SSH or right-click the Desktop and open a terminal.
> sudo apt install clamav clamav-freshclam clamav-base clamav-docs clamav-daemon clamtk
> sudo mkdir -pv /clamav_quarantine
> sudo clamscan –v –r –log=/home/kaliadm/clav.log –copy=/clamav_quarantine /etc/*
> sudo cat /var/log/clamav/freshclam.log
> sudo cat /home/kaliadm/clav.log

3) Install additional tools and utilities for the lab.
a. Python Steganography Tools.
> sudo /usr/bin/pip3 install Stegano
> sudo pip3 install stegoveritas_binwalk
> sudo pip3 install stegoveritas

b. Install stego-lsb.
> sudo git clone
> cd Steganography
> sudo python3 install
> sudo stegolsb test

c. Install OpenStego
> sudo wget -v -S
> sudo apt install ./openstego_0.7.3-1_amd64.deb

d. Python Rekall Forensic Framework:
> sudo pip3 install rekall

e. Windows Event Carving:
> sudo pip3 install evtxtract

f. Steganography Tools:
> sudo apt install stegosuite
> sudo apt install exiftool
> sudo apt install pngcheck
> sudo apt install stepic

g. Network tools:
> sudo apt install iftop
> sudo apt install iptraf-ng
> sudo apt install etherape

h. Office and File Transfer Tools:
> sudo apt install filezilla
> sudo apt install libreoffice
> sudo apt install thunderbird
> sudo apt install tree
> sudo apt install putty
> sudo apt install glogg
> sudo apt install xpdf
> sudo apt install evince
> sudo apt install qpdfview
> sudo apt install xtail

i. Multimedia, Audio, Video, Images/Graphics:
> sudo apt install vlc
> sudo apt install xpaint
> sudo apt install mplayer
> sudo apt install smplayer
> sudo apt install audacious
> sudo apt install audacity
> sudo apt install calibre
> sudo apt install libdvd-pkg
Note: if you get an error at the end of this install
run sudo dpkg-reconfigure libdvd-pkg and select yes.

> sudo apt install rhythmbox
> sudo apt install lsdvd
> sudo apt install libavcodec-extra
> sudo apt install cdparanoia
> sudo apt install brasero
> sudo apt install ripperx
> sudo apt install xcfa
> sudo apt install cdda2wav
> sudo apt install pacpl
> sudo apt install abcde
> sudo apt install vobcopy
> sudo apt install dvdbackup
> sudo apt install sound-juicer
> sudo apt install grip
> sudo apt-get install libspeex*
> sudo apt-get install libopus*
> sudo apt-get install libaacs*
> sudo apt-get install libbluray*

j. Google Chrome and cli browsers:
> sudo wget -v
> sudo apt install ./google-chrome-stable_current_amd64.deb
> sudo apt install w3m
> sudo apt install lynx
> sudo apt install links2
> sudo apt install elinks

k. Additional Shells:
> sudo apt install golang
> sudo apt install csh
> sudo apt install ksh
> sudo apt install fish
> sudo apt install tcsh
> sudo apt install scanssh

STEP 4 – Export the VM as an OVA and Import Onsite

1) Once the new Kali VM is functioning and updated with the latest versions, it must be exported as an OVA and moved to the Lab. This step should be done as new versions are released to keep the Lab images updated.

2) In VirtualBox Manager, select the Kali VM. Click File > Export Appliance and fill out the following details under Virtual System Settings.
a. Name: should already list kali01.
b. Product: Kali Linux 2020.1b OVA
c. Product-URL: NA
d. Vendor: Kali, but built by <your name here>.
e. Version: 1.0, 06 May 2020 (rev the version for each OVA export, and use today’s date)
f. Description (click edit): Kali Linux 2020.1b, Everything Metapackage group, additional tools and Utils, VirtualBox 6.1.6 additions.
g. License: leave blank.
h. Under appliance settings, change format to Open Virtualization Format 2.0.
i. File: choose the location where you want to write the file.
j. Click Export.
k. When done, burn the OVA file to a Blu-ray disc or removable media.

3) Move the OVA Blu-ray to the internal host with VirtualBox installed.
a. Launch VirtualBox Manager and select File > Import Appliance.
b. Source: select Local File System.
c. File: on the right, click the folder with green arrow icon, browse to and select the kali01.ova file and click Open > Next.
d. Machine Base Folder: accept the default location or change this path to fit your installation.
e. Click Import to import the VM. When done, edit Settings as needed (more CPU, Memory, etc).
f. Boot the VM, login and set the IP address for the internal network and change the hostname if needed.
g. Manually reboot to seat the network changes or shutdown.

STEP 5 – What a Monthly (or as needed) Update Task Looks Like

1) Check to see if there is a new release for VirtualBox. If so, upgrade and make sure the Lab is upgraded as well.

2) Update the Kali image.
a. Boot the public facing VM. Login to the VM as kaliadm.
b. Get the latest ClamAV updates for the VM and test a quick scan of /etc.
> sudo systemctl stop clamav-daemon
> sudo systemctl stop clamav-freshclam
> sudo freshclam
> sudo systemctl start clamav-daemon
> sudo systemctl start clamav-freshclam
> sudo clamscan –log=/home/kaliadm/clav.log –copy=/clamav_quarantine /etc/*

c. Update Google Chrome and the Python tools.

> sudo wget -v
> sudo apt install ./google-chrome-stable_current_amd64.deb
> sudo /usr/bin/pip3 install Stegano
> sudo pip3 install stegoveritas_binwalk
> sudo pip3 install stegoveritas

> sudo git clone
> cd Steganography
> sudo python3 install
> sudo stegolsb test

> sudo pip3 install rekall

> sudo pip3 install evtxtract

d. Update the OS and tools.
> sudo apt update
> sudo apt upgrade (if noting installs, skip the next reboot)
> sudo reboot
> sudo apt list –upgradable –a (if nothing else to patch, proceed)

e. Export and Import the VM as described in STEP 4.


HOWTO install the XFCE 4 Desktop on NetBSD 8.1

This is an update to previous posts for NetBSD 6x and 7x:

For a lightweight functional desktop on NetBSD, install XFCE. As root, perform the following steps. This covers 32 and 64 bit x86 hardware. Make sure you have the X11 Sets installed. Since NetBSD essentially runs on everything, simply adjust the repository path to your architecture from the list here:

1) Setup your binary repository.
> mkdir -p /usr/pkg/etc/pkgin
> touch /usr/pkg/etc/pkgin/repositories.conf
> vi /usr/pkg/etc/pkgin/repositories.conf and add path:
For x64
For x32

2) Add the NetBSD ftp server to your host file. This is for convenience and can be removed when done.
> vi /etc/hosts and add:

3) Export your path.
Note: I don’t know why the encoded quote characters keep appearing after /ALL/ in the path statements below. It must be an html coding issue and I’m not a developer. Just make sure that at the end of the path statement it ends with /8.1/All/” with no trailing characters. In other words, it should look like the paths depicted in step 1 above only it must end in a ” character.
For x64:
> export PKG_PATH=”;
For x32:
> export PKG_PATH=”;

4) Install the latest version of pkgin on your system.
> pkg_add -v pkgin-*

5) Update the pkgin database and install XFCE.
> pkgin update
> pkgin install xfce4
calculating dependencies…done.

139 packages to install:
enca-1.15 libproxy-0.4.15 gsettings-desktop-schemas-3.24.0 libgpg-error-1.36 libIDL-0.8.14nb4 nspr-4.21 spidermonkey52-52.7.4nb9
libogg-1.3.3 p11-kit-0.23.15 nettle-3.4.1 libtasn1-4.13 libcfg+-0.7.0 gmp-6.1.2 ORBit2-2.14.19nb4 libgcrypt-1.8.5 libpsl-0.20.2nb4
glib-networking-2.60.3 tdb-1.4.0nb1 popt-1.16nb2 jbigkit-2.1 xvidcore-1.3.3nb1 x264-devel-20190312 libvpx-1.8.0 libvdpau-1.2
libva-2.3.0 libtheora-1.1.1nb2 libbluray-1.1.2 libass-0.14.0nb2 lame-3.100nb1 libunistring-0.9.10 mozilla-rootcerts-1.0.20190306
python27-2.7.16 py27-expat-2.7.16 libidn2-2.0.5 ffmpeg3-3.4.6nb1 tiff-4.0.10nb1 lcms2-2.9 poppler-0.76.1 py37-expat-3.7.3
py37-cElementTree-3.7.3 samba-3.6.25nb16 libsoup-2.64.2nb3 libgnome-keyring-3.12.0 GConf-3.2.3nb2 perl-5.28.2 p5-URI-1.76
xcb-util-0.4.0 pcre2-10.33 gnutls-3.6.7 libvorbis-1.3.6nb1 libltdl-2.4.6 gstreamer1-1.16.0 xmlcatmgr-2.2nb1 iso-codes-3.77nb1
libxfce4util-4.13.3 python37-3.7.3nb1 gle-3.1.0nb4 polkit-0.115nb2 zonetab-0 icu-64.2nb1 pcre-8.43 libffi-3.2.1nb4 readline-8.0
at-spi2-core-2.26.2nb1 lzo-2.10 libuuid-2.32.1 harfbuzz-2.4.0nb3 graphite2-1.3.11nb2 fribidi-0.19.7 libxml2-2.9.9 libcroco-0.6.8
freetype2-2.10.0 gnome-icon-theme-3.12.0nb3 librsvg-2.44.14nb1 shared-mime-info-1.10 pango-1.42.4nb5 libepoxy-1.4.3nb2 libXft-2.3.3
fontconfig-2.13.1 cairo-gobject-1.16.0nb3 cairo-1.16.0 atk-2.26.1 at-spi2-atk-2.26.1nb1 gsed-4.7 bash-5.0.7 gtksourceview3-3.24.9
glib2-2.60.4nb5 libical-3.0.3nb4 consolekit-1.2.1nb2 xscreensaver-5.40nb1 mate-polkit-1.22.0nb1 xfce4-garcon-0.6.2 xfce4-conf-4.13.7
upower-0.99.4nb4 libxklavier-5.4nb3 libwnck-2.30.6nb25 libglade-2.6.4nb29 libcanberra-0.30 vte3-0.54.3 startup-notification-0.12nb3
xfce4-exo-0.12.6 libnotify-0.7.7nb5 libexif-0.6.21nb1 gvfs-1.6.7nb42 gobject-introspection-1.60.1nb1 poppler-glib-0.76.1 png-1.6.37
openjpeg-2.3.1 libgsf-1.14.45 jpeg-9cnb1 gdk-pixbuf2-2.36.12 ffmpegthumbnailer-2.2.0nb1 dbus-glib-0.110 dbus-1.12.16 curl-7.65.1
libxfce4ui-4.13.5 libwnck3-3.24.1nb5 hicolor-icon-theme-0.17 gtk2+-2.24.32nb8 desktop-file-utils-0.23nb1 xfce4-xarchiver-0.5.4nb10
xfce4-wm-themes-4.10.0nb10 xfce4-wm-4.13.2 xfce4-tumbler-0.2.4 xfce4-thunar-1.8.6 xfce4-terminal- xfce4-settings-4.13.6
xfce4-session-4.13.2 xfce4-power-manager-1.6.2 xfce4-panel-4.13.5 xfce4-orage-4.12.1nb14 xfce4-mousepad-0.4.1nb2 xfce4-desktop-4.13.4
xfce4-appfinder-4.13.3 xdg-utils-1.1.3nb1 gtk3+-3.24.8 gnome-themes-standard-3.20.2nb8 elementary-xfce-icon-theme-0.11

0 to refresh, 0 to upgrade, 139 to install
219M to download, 1360M to install

proceed ? [Y/n] Y

6) Add fonts and fam.
> pkgin install font-adobe-75*
> pkgin install font-adobe-100*
> pkgin install font-adobe-utopia*
> pkgin install fam
> cp /usr/pkg/share/examples/rc.d/famd /etc/rc.d/
> cp /usr/pkg/share/examples/rc.d/dbus /etc/rc.d/
> echo rpcbind=YES >> /etc/rc.conf
> echo famd=YES >> /etc/rc.conf
> echo dbus=YES >> /etc/rc.conf
> /etc/rc.d/rpcbind start
> /etc/rc.d/famd start
> /etc/rc.d/dbus start

7) Configure X and start the desktop for the first time. You can start X as root or other users. Run the following for users on the system. For example, the user slice2 would be setup as:
> echo xfce4-session >> /home/slice2/.xinitrc
> ln /home/slice2/.xinitrc /home/slice2/.xsession
> chown slice2:users /home/slice2/.xinitrc
> chown slice2:users /home/slice2/.xsession
> su – slice2
> startx (note: be patient, it may take a minute to load)
a) In the upper left, select Applications > Log out to continue to install the apps below.

b) For root:
> echo xfce4-session >> /root/.xinitrc
> ln /root/.xinitrc /root/.xsession
> startx

8) Install additional apps as desired. This step is optional. Enter Y when asked to proceed ? [Y/n] for each app. You can add the pkgin -y install if you want to skip the prompt. I just like to see what dependencies will be installed.
Browsers and plugins:
> pkgin -y install firefox
> pkgin -y install opera
> pkgin -y install flashplayer
> pkgin -y install mozilla-fonts*
> pkgin -y install openjdk*
> pkgin -y install openquicktime
> pkgin -y install xpdf

Install optional security apps, utils and shells:
> pkgin -y install chkrootkit
> pkgin -y install clamav
a) after installing clamav, refresh the virus db.
> /usr/pkg/bin/freshclam
> pkgin -y install coreutils
> pkgin -y install emacs
> pkgin -y install fish
> pkgin -y install iftop
> pkgin -y install keepassx
> pkgin -y install mhash
> pkgin -y install nbtscan
> pkgin -y install nmap
> pkgin -y install xtail
> pkgin -y install xtraceroute
> pkgin -y install vim
> pkgin -y install wget

Office productivity apps, zip tools, DVD burning, file transfer and multimedia:
> pkgin -y install audacious
> pkgin -y install audacity
> pkgin -y install brasero
> pkgin -y install bunzip
> pkgin -y install bzip2
> pkgin -y install filezilla
> pkgin -y install libreoffice*
Note: you can launch liberoffice from Applications > Office, or enter the soffice command in an xterm.
> pkgin -y install thunderbird
> pkgin -y install tree
> pkgin -y install vlc*
> pkgin -y install xmms
> pkgin -y install xfce4-xmms-plugin
> pkgin -y install xcdroast
> pkgin -y install xcalc
> pkgin -y install xpad
> pkgin -y install xpaint

Note: For Audio CD playback in XMMS, configure XMMS in the following manner:
a) Select “Options” -> “Preferences” (or press Control-P)
b) Select “Audio I/O Plugins” tab
c) Configure “CD Audio Player … []”
d) Change “Device:” to the raw partition of your CD player (e.g., `/dev/cd0d’).
e) Change “Directory:” to an existing (empty) directory to be used within the
XMMS file selection dialog boxes as the path to select tracks on audio CDs
(e.g., `/cdrom/’).
f) Select “OK” to save the changes.

9) Now that all your apps are installed, start your desktop.
> su – slice2 (su to your user account)
> startx (remember, it takes a minute to load)
Or as root:
> startx

Build a Kali Linux ISO with the latest OS patches and packages

This post demonstrates how to build an updated Kali Linux ISO with the latest patches and package updates for the current 2019.2 release. This is helpful for offline environments, when you want a different desktop experience or you want every package available for Kali in one ISO. This is done as the root user.

1) Build a Kali Linux physical or virtual system. Downloads are available here:

2) Once built, update your system.
> apt update
> apt upgrade

3) Setup the build environment.
> mkdir -p /root/ISO
> cd /root/ISO/
> apt install -y curl git live-build cdebootstrap
> git clone

4) Modify the package list to get everything bundled into your ISO.
> cd /root/ISO/live-build-config/kali-config/variant-default/package-lists
> vi kali.list.chroot

Under the Kali applications header, set the file to look like the lines below. Basically, comment kali-linux-default (in red) and remove the comment on kali-linux-everything (in green). Leave the defaults for everything else in the file. When done, wq! to save your changes.

# Kali applications
# You can customize the set of Kali metapackages (groups of tools) to install
# For the complete list see:
# kali-linux-default
# kali-linux-large
# kali-tools-top10

5) Build your ISO. Depending on your host’s CPU and internet speed, this could take an hour or more to complete.
> cd /root/ISO/live-build-config
> ./ –verbose

Note: if you want a different desktop, run the associated variant below. Options are MATE, Gnome, XFCE, KDE, E17, I3WM, LXDE. For example:
./ –variant xfce –verbose
./ –variant kde –verbose
./ –variant mate –verbose

6) When done, cd to the images folder and list the contents.
> cd /root/ISO/live-build-config/images
> ls -l
-rw-r–r– 1 root root 8184537088 Aug 31 14:23 kali-linux-rolling-amd64.iso
-rw-r–r– 1 root root 1619921 Aug 31 14:24 kali-linux-rolling-amd64.log

To check the size of the ISO:
> du -h kali-linux-rolling-amd64.iso
7.7G kali-linux-rolling-amd64.iso

HOWTO quickly STIG Firefox 59.01



The latest Firefox STIG leaves out important details and lists settings that no longer exist. It took a few hours to get this config file to work with settings that are actually still available in 59.01. For reference, see:

Note that I use Notepad++ on Windows to avoid formatting issues with notepad.exe. Do yourself a favor and download the latest at

1) Create a file named local-settings.js and add one line. Using Notepad++, you can save it as a proper JavaScript file (.js):

2) Place local-settings.js file in the following locations depending on whether you have x32 or x64 bit Firefox:

For x64 bit:
C:\Program Files\Mozilla Firefox\defaults\pref

For x32 bit:
C:\Program Files (x86)\Mozilla Firefox\defaults\pref

3) Create a file called mozilla.txt. Add the text below (everything under contents of mozilla.txt staring with //Firefox). Launch a browser (Chrome, IE, Opera) and browse to:

4) In the middle of the page, under Upload mozilla.txt to get mozilla.cfg (byteshift 13), click browse, and select your mozilla.txt file. Next, click Convert mozilla.txt to mozilla.cfg, and save the file when prompted.

5) Place the mozilla.cfg file into the root of the Firefox directory as show below.

For x64 bit:
C:\Program Files\Mozilla Firefox\

For x32 bit:
C:\Program Files (x86)\Mozilla Firefox\

6) Start Firefox. In the Location bar, enter about:config. Click I accept the risk. At the top of the page in the center, click Status to sort the status of the settings. All of the locked settings should be italicized with a status of locked.

Contents of mozilla.txt:

//Firefox settings that work from Mozilla_Firefox_V4R20 as of Firefox 59.01 March 2018
lockPref(“security.default_personal_cert”, “Ask Every Time”);
lockPref(“”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, “application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks”);
lockPref(“browser.formfill.enable”, false);
lockPref(“signon.autofillForms”, false);
lockPref(“signon.autofillForms.http”, false);
lockPref(“signon.rememberSignons”, false);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“security.tls.version.min”, 2);
lockPref(“security.tls.version.max”, 3);
lockPref(“dom.disable_window_flip”, true);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“app.update.enabled”, false);
lockPref(“extensions.update.enabled”, false);
lockPref(“”, false);
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);

7) Click the link below for a copy of the files. The zip has a converted mozilla.cfg, the source mozilla.txt, local-settings.js and a README file.


HOWTO mount a Synology NAS SMB share on Linux with SMBv1 disabled

If you haven’t disabled SMBv1 everywhere, on every PC, NAS, server, you should.

After disabling SMBv1 on a Synology NAS with DSM 6.1.5-15254 Update 1, I could no longer mount the shares from Linux. On Linux Mint 18.3 with KDE, you can’t select SMBv2 or 3 in the Dolphin or Smb4K GUI (yet) so you have to mount it from the cli.

Both smbclient and mount worked when I specified the SMB version. Note that both commands will prompt you for your password.

user1@lmint ~ $ sudo mount -t cifs // /home/user1/Synology -o username=user1,vers=2.0,sec=ntlmv2

user1@lmint ~ $ smbclient ‘//’ -m SMB2

Howto safely delete the WSUS WID on Windows 2012R2

For whatever reason, you have a Windows 2012R2 WSUS database that is full of unwanted patch data or legacy products and you want to start over without breaking IIS and ruining your weekend. You have tried to remove the WSUS role and you still have old data showing up. This simple Howto will purge your WID and content so you can start over with a fresh DB.

1) Uninstall WSUS. Server Manager > click Manage > Remove Roles and Features > Next > Next > select Windows Server Update Services, click Next and finish the wizard.

2) My WSUS content was installed on the D:\ drive of my server. Yours may be different. Inside the D:\WSUS\ folder, delete the WsusContent folder. Also make sure there are no files in the D:\WSUS\UpdateServicesPackages folder.

3) You need a SQL access tool. If you don’t have the SQL Management client tools installed, download the components below and install them in the order posted (ODBC first, cli utils second). They are a small subset that provide enough functionality to access the WSUS WID from the cli without the need for overblown GUIs and multiple .NET packages (plus about 20 additional patches).

Microsoft ODBC Driver 13.1 for SQL Server
Make sure you select the x64 bit version when prompted \amd64\msodbcsql.msi

Microsoft Command Line Utilities 13.1 for SQL Server
Make sure you select the x64 bit version when prompted \amd64\MsSqlCmdLnUtils.msi

4) Create the SQL drop command file. Launch notepad.exe and paste the SQL syntax below into a new file called wsuspurge.sql. Save it to c:\temp or the location of your choice. I use c:\temp. Note that notepad.exe appends the .txt file extension to the file. That’s OK.

select name from sys.sysdatabases
drop database susdb
select name from sys.sysdatabases

5) Launch an elevated cmd.exe prompt and run the following command. The output is also shown below.

:>sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i c:\temp\wsuspurge.sql.txt


(5 rows affected)

(4 rows affected)

6) Reinstall WSUS. Launch the WSUS Management applet and the configuration wizard will start just like it was a new installation.

HOWTO quickly STIG Firefox 45.0.1



This Firefox STIG leaves out important details. They could make it very simple to implement but they don’t.  For more, see:

1) Create a file called local-settings.js and add one line:

2) Place local-settings.js in:

c:\<firefox path>\defaults\pref folder.

3) Create a file called mozilla.txt. Add the text below (everything under contents of mozilla.txt).  Launch Firefox and browse to:

4) View the middle of the page. Under Upload mozilla.txt to get mozilla.cfg (byteshift 13), click browse, select your mozilla.txt file. Next, click Convert mozilla.txt to mozilla.cfg, save the file when prompted and place it in c:\<firefox path>\Mozilla Firefox\.

Contents of mozilla.txt:

//Firefox Settings
lockPref(“security.tls.version.min”, 1);
lockPref(“security.default_personal_cert”, “Ask Every Time”);
lockPref(“”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, “application/pdf,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/ad,application/,application/adp”);
lockPref(“browser.formfill.enable”, false);
lockPref(“signon.autofillForms”, false);
lockPref(“signon.rememberSignons”, false);
lockPref(“privacy.sanitize.sanitizeOnShutdown”, true);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“security.tls.version.max”, 3);
lockPref(“dom.disable_window_flip”, true);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“dom.disable_window_status_change”, true);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“browser.startup.homepage”, “about:home”);
lockPref(“app.update.enabled”, false);
lockPref(“extensions.update.enabled”, false);
lockPref(“”, false);
// The end

Completing the vSphere vCenter Appliance Hardening Process


, , ,

The vCenter Appliance is a SuSE Linux VM that ships fully hardened by VMware to the DoD STIG specifications. There are a few site specific settings you must perform to complete the hardening. This post provides the steps to complete the process.

1) Change the root password. Login to the appliance and as root, run:
> passwd
New password:
Retype new password:
Password changed.

> cat /etc/shadow | grep root

If the root password starts with a $6$ hash, this confirms it is using a sha512 hash.

2) Set password expiry. Change the root expiry from 3 years to 1 year.
> passwd -x 365 root
Password expiry information changed.

3) Execute the script.
> cd /etc/
> ./
Shutting down auditd                done
Starting auditd

4) You may be a company or site that has a custom banner. If so, edit (and verify) the banners to replace the DoD language with your own.
> vi /opt/vmware/etc/isv/welcometextDoD and paste in your banner.
> cat /opt/vmware/etc/isv/welcometextDoD > /etc/issue  (linked to issue.DoD)
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext
> cat /opt/vmware/etc/isv/welcometextDoD > /opt/vmware/etc/isv/welcometext.template

5) Configure secure shell, admin accounts, and console access on the appliance. Add a user account that can su to root:
> useradd -s /bin/bash -m -d /home/(your username) -g users -G wheel (your username)

> passwd <your username>
Changing password for (your username)
New password:
Retype new password:
Password changed.

> su – (your username) to verify.

a) Test ability to su to root and verify identity:
> su – root
Last login: Sat 19 12 12:51:26 UTC 2016 from PC on pts/1
Directory: /root
Tue Mar 19 13:18:33 UTC 2016

> whoami

b) Note: The step below isn’t included in the documentation but if you don’t do it you will be locked out.
> vi /etc/security/access.conf

At the end of the file change -:ALL:ALL to +:ALL:ALL

c) Test that the user you just created can login via SSH and su – root before you proceed. Use ssh cli, PuTTY, etc.
> ssh -v (your username)@(your vCenter appliance hostname or IP)
Once logged in:
> su – root

d) Disable direct root SSH access to the appliance.
> vi /etc/ssh/sshd_config

change PermitRootLogin yes to PermitRootLogin no

e) Restrict SSH to the local network of the appliance.
> vi /etc/hosts.allow and add the following:

sshd:(the same network your appliance is on):ALLOW

f) Restart sshd to read the changes:

> service sshd restart
Shutting down SSH daemon                  done
Starting SSH daemon

g) Disable direct root console login on the appliance. This means you must first login as a user and su to root. After setting this, when you try to login on the appliance console as root, it should say login incorrect.
> vi /etc/securetty

Set the first two lines as follows:

6) Verify time synchronization. Recall that NTP is configured when you first import and setup the appliance. As root, verify:

> service ntp status
remote           refid      st t when poll reach   delay   offset  jitter
=============================================    .LOCL.       1 u   37   64    1    1.145  459.906   0.001  2 u   36   64    1    1.273  464.924   0.001

Checking for network time protocol daemon (NTPD):    Running

7) Setup log forwarding with syslog-ng and auditd. Uncomment and edit the following lines to fit your remote syslog server IP address:
> vi /etc/syslog-ng/syslog-ng.conf

destination logserver { udp(“Syslog_svr_IP_Address” port(514));};
log {source(src); destination(logserver);};

a) Restart the service.
> service syslog restart
Shutting down syslog services               done
Starting syslog services

b) Send your audit data to syslog.
> vi /etc/audisp/plugins.d/syslog.conf

change active=no to active=yes

c) Restart auditd.
> service auditd restart
Shutting down auditd                         done
Starting auditd

d) Tune audit performance.
> vi /etc/audisp/audispd.conf

change the following to 1280 and 8
q_depth = 1280
priority_boost = 8

e) Control the number and rotation of log files.
> vi /etc/logrotate.d/syslog

change all entries for rotate 15 to rotate 7

> vi /etc/logrotate.d/audit

change all entries for rotate 15 to rotate 7

8) Set a boot loader or grub password.
> cat /boot/grub/menu.lst | grep password

password –md5 (a_long_hash_will_be_here)

a) Create a password for grub. This is how the sequence goes: you enter grub and run the md5crypt command to create a hashed password. Once you type in the password, the hash is presented. Copy the password hash. Run the quit command to return to the root shell.

> grub

grub> md5crypt

Password: (Enter your password here)
Encrypted: (a_long_hash_will_be_here)
grub> quit

b) Add the following to the third line of the file:
> vi /boot/grub/menu.lst

password –md5 (the password hash from above)

9) Configure NFS and NIS. If you are not using NFS or NIS, disabled the services. You probably aren’t using them.
> chkconfig ypbind off
> chkconfig nfs off
> chkconfig rpcbind off
> service ypbind stop
> service nfs stop
> service rpcbind stop

10) Reboot to refresh your system and seat all of the changes.
> reboot