Monthly Archives: January 2016

HOWTO install the XFCE 4.12 Desktop on NetBSD 7

30 Saturday Jan 2016

Posted by in NetBSD, XFCE

4 Comments

Tags

,

This is an update to previous posts for NetBSD 6x:
https://slice2.com/2015/01/03/howto-install-the-xfce-4-desktop-on-netbsd-6-1-5/
https://slice2.com/2013/10/10/howto-install-the-xfce-4-desktop-on-netbsd-6-1-2/

For a lightweight functional desktop on NetBSD, install XFCE. As root, perform the following steps. This covers 32 and 64 bit x86 hardware. Since NetBSD essentially runs on everything, simply adjust the repository path to your architecture from the list here: http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/

Note that your hardware support may vary. Especially for video cards. Although NetBSD runs on everything, the command line always gets the most love. Video card support can be hit or miss.

1) Setup your binary repository.
> mkdir -p /usr/pkg/etc/pkgin
> touch /usr/pkg/etc/pkgin/repositories.conf
> vi /usr/pkg/etc/pkgin/repositories.conf and add path:

For x64
http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/7.0_2016Q1/All/

For x32
http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/7.0_2016Q1/All/

2) Add the NetBSD ftp server to your host file. This is for convenience and can be removed when done.
> vi /etc/hosts and add:
199.233.217.201 ftp.netbsd.org

3) Export your path.
Note: I don’t know why the encoded quote characters keep appearing after /ALL/ in the path statements below. It must be an html coding issue and I’m not a developer. Just make sure that at the end of the path statement it ends with /7.0_2016Q1/ALL/” with no trailing characters. In other words, it should look like the paths depicted in step 1 above only it must end in a ” character.

For x64:
> export PKG_PATH=”http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/7.0_2016Q1/All/”

For x32:
> export PKG_PATH=”http://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/7.0_2016Q1/All/”

4) Install the latest version of pkgin on your system.
> pkg_add -v pkgin-*

5) Update the pkgin database and install XFCE.
> pkgin update

> pkgin install xfce4
calculating dependencies… done.

nothing to upgrade.
121 packages to be installed (251M to download, 887M to install):

nettle-3.1.1 libtasn1-4.5 libcfg+-0.6.2nb3 gmp-6.0.0a libproxy-0.4.11 libgpg-error-1.20 libcddb-1.3.2nb1 p5-Business-ISBN-Data-20140910.002nb1 py27-cElementTree-2.7.10 libIDL-0.8.14nb4 at-spi2-core-2.16.0 icu-55.1nb1 libepoxy-1.3.1nb1 at-spi2-atk-2.16.0 ORBit2-2.14.19nb4 gobject-introspection-1.44.0 p5-Business-ISBN-2.09nb1 usbids-20081118 pciids-20150907 libvolume_id-0.81.1nb1 hal-info-20091130nb4 libcdio-0.93nb3 libgcrypt-1.6.4 glib-networking-2.36.2nb2 readline-6.3nb3 popt-1.16nb1 mit-krb5-1.10.7nb7 libiconv-1.14nb2 gnutls-3.3.18 gettext-lib-0.19.4 jbigkit-2.1 fribidi-0.19.7 enca-1.15 libogg-1.3.2 libidn-1.32 xvidcore-1.3.3 x264-devel-20150717 libvpx-1.4.0nb1 libtheora-1.1.1nb2 libass-0.12.2 lame-3.99.5nb3 tiff-4.0.6 lcms2-2.7 poppler-0.34.0 samba-3.6.25nb2 libsoup-2.50.0 libgnome-keyring-3.12.0 libcdio-paranoia-0.93nb1 hal-0.5.14nb16 p5-URI-1.69 xcb-util-0.4.0 libvorbis-1.3.5 libltdl-2.4.2 gstreamer0.10-0.10.36nb8 GConf-2.32.4nb10 iso-codes-3.61 gtk3+-3.16.6nb1 xmlcatmgr-2.2nb1 perl-5.22.0 pcre-8.38 libelf-0.8.13nb1 lzo-2.09 harfbuzz-1.0.3 cairo-gobject-1.14.2nb1 libffi-3.2.1 libxml2-2.9.2nb3 gnome-icon-theme-3.12.0 shared-mime-info-1.4 python27-2.7.10 py27-expat-2.7.10 pango-1.37.1 cairo-1.14.2nb1 atk-2.16.0 gtksourceview2-2.10.5nb24 glib2-2.44.1nb1 policykit-0.9nb18 xfce4-garcon-0.5.0 xfce4-conf-4.12.0nb2 libxklavier-5.0nb5 libglade-2.6.4nb22 libcanberra-0.27nb5 vte-0.28.1nb16 startup-notification-0.12nb3 xfce4-exo-0.10.6 libxfce4util-4.12.1nb1 libnotify-0.7.6nb2 libexif-0.6.21 gvfs-1.6.7nb17 poppler-glib-0.34.0 png-1.6.20 openjpeg-2.1.0 libgsf-1.14.34 jpeg-9anb1 gdk-pixbuf2-2.30.8nb1 ffmpegthumbnailer-2.0.8nb4 ffmpeg1-1.2.12nb1 dbus-glib-0.104 dbus-1.10.0nb1 curl-7.44.0 libxfce4ui-4.12.1nb2 libwnck-2.30.6nb18 hicolor-icon-theme-0.13 desktop-file-utils-0.22 xfce4-xarchiver-0.5.4nb1 xfce4-wm-themes-4.10.0nb1 xfce4-wm-4.12.3 xfce4-tumbler-0.1.31nb3 xfce4-thunar-1.6.10nb1 xfce4-terminal-0.6.3nb1 xfce4-settings-4.12.0nb1 xfce4-session-4.12.1 xfce4-panel-4.12.0nb1 xfce4-orage-4.12.1 xfce4-mousepad-0.4.0nb1 xfce4-gtk2-engine-3.2.0nb1 xfce4-desktop-4.12.3 xfce4-appfinder-4.12.0nb1 gtk2+-2.24.28 elementary-xfce-icon-theme-0.6 xfce4-4.12.0nb2

proceed ? [Y/n] Y

6) Add fonts, fam, screen lock and file manager.
> pkgin install font-adobe-75*
> pkgin install font-adobe-100*
> pkgin install font-adobe-utopia*
> pkgin install xscreensaver
> pkgin install fam
> pkgin install tbd (dependency of thunar)
> pkgin install gvfs (dependency of thunar)
> pkgin install xfce4-thunar

> cp /usr/pkg/share/examples/rc.d/famd /etc/rc.d/
> cp /usr/pkg/share/examples/rc.d/dbus /etc/rc.d/
> cp /usr/pkg/share/examples/rc.d/hal /etc/rc.d/

> echo rpcbind=YES >> /etc/rc.conf
> echo famd=YES >> /etc/rc.conf
> echo dbus=YES >> /etc/rc.conf
> echo hal=YES >> /etc/rc.conf

> /etc/rc.d/rpcbind start
> /etc/rc.d/famd start
> /etc/rc.d/dbus start
> /etc/rc.d/hal start

7) Configure X and start the desktop for the first time. Note that you should not start X as root. Run the following for users on the system. For example, the user slice2 would be setup as:
> echo xfce4-session >> /home/slice2/.xinitrc
> ln /home/slice2/.xinitrc /home/slice2/.xsession
> su – slice2
> startx   (note: be patient, it may take a minute to load)
a) When prompted, select use default config. In the upper left, select Applications > Log out.

8) Install apps as desired. This step is optional. Enter Y when asked to proceed ? [Y/n] for each app.
Browsers and plugins:
> pkgin install firefox
> pkgin install opera
> pkgin install xpdf
> pkgin install flashplayer
> pkgin install openquicktime
> pkgin install mozilla-fonts*
> pkgin install icedtea-web
a) when done installing icedtea-web, run the three commands below to configure avahi.
> cp /usr/pkg/share/examples/rc.d/avahidaemon /etc/rc.d/avahidaemon
> chmod 0755 /etc/rc.d/avahidaemon
> echo avahidaemon=YES >> /etc/rc.conf

Install security apps, utils and shells:
> pkgin install wireshark
> pkgin install nmap
> pkgin install iftop
> pkgin install keepassx
> pkgin install bash
> pkgin install lsof
> pkgin install mhash
> pkgin install nbtscan
> pkgin install netcat
> pkgin install vim

GUI ftp/scp client:
> pkgin install filezilla

Office Suite and multimedia:
> pkgin install libreoffice*
> pkgin install xmms
> pkgin install xfce4-xmms-plugin
> pkgin install xcdroast
> pkgin install xcalc
> pkgin install vlc
> pkgin install tree

You can launch liberoffice from Applications > Office, or enter the soffice command in an xterm.

9) Now that all your apps are installed, start your desktop.
> su – slice2 (su to your user account)
> startx

Enabling TLS 1.2 on the Splunk 6.2x Console and Forwarders using Openssl and self signed certs.

01 Friday Jan 2016

Posted by in Security, Splunk

Leave a comment

Tags

,

Good luck. You will need it. Certificates are a major headache and complicated to implement. Using them with Splunk is no different. Splunk’s penchant for twiddling files all over the place makes this process time consuming an rife with error. This post will hopefully help you get it done. This covers encrypting the management console and forwarder traffic. This HOWTO is not for a clustered deployment although it could be adapted to serve that purpose. It was done on Windows 2012 R2 with a single Splunk Enterprise deployment (search head and indexer on the same server) and several forwarders. Use your own naming conventions and hosts for fqdn. Please don’t ask me questions on this post. I almost didn’t survive the process. I won’t have time to reply for a while anyway.

1) On the Splunk Search Head, set your environment.

> cd C:\Program Files\Splunk\bin
> splunk envvars > setsplunkenv.bat & setsplunkenv.bat
> setsplunkenv.bat

2) Create dir $SPLUNK_HOME\etc\auth\UScerts and cd into it.

> cd C:\Program Files\Splunk\etc\auth\UScerts

3) Create a root key.
> openssl genrsa -aes256 -out USCA_root.key 2048

4) Generate and sign the certificate.
> openssl req -new -key USCA_root.key -out USCA_root.csr

5) Generate the public certificate.
> openssl x509 -req -in USCA_root.csr -sha256 -signkey USCA_root.key -CAcreateserial -out USCA_root.pem -days 3650

6) Generate a key for your Web(search head)server certificate.
> openssl genrsa -aes256 -out me.fqdn.com.key 2048

7) Request and sign a new server certificate.
> openssl req -new -key me.fqdn.com.key -out me.fqdn.com.csr

8) Use the CSR me.fqdn.com.csr and your CA certificate and private key to generate a server certificate.
> openssl x509 -req -in me.fqdn.com.csr -sha256 -CA USCA_root.pem -CAkey USCA_root.key -CAcreateserial -out
me.fqdn.com.pem -days 730

9) Creating a (removing encryption from priv key) priv key without a passphrase. Required for webservers.
> openssl rsa -in me.fqdn.com.key -out me.fqdn.com_nopass.key

10) Create a combined cert file.
> type me.fqdn.com.pem me.fqdn.com_nopass.key USCA_root.pem > me.fqdn.com_nopass_use.pem

11) On the search head, edit the \etc\system\local\web.conf and add the following:
[settings]
enableSplunkWebSSL = 1
httpport = 8843
privKeyPath = etc\auth\UScerts\me.fqdn.com_nopass_use.pem
CaCertPath = etc\auth\UScerts\USCA_root.pem

Add to \etc\system\local\server.conf

enableSplunkdSSL = true
sslVersions = tls1.2
allowSslCompression = false
allowSslRenegotiation = false
cipherSuite = TLSv1+HIGH:@STRENGTH

12) Restart Splunk. Close your browser, relaunch and login to the console to verify (make sure to use the port defined above in web.conf; https://hostname or ip:8843).  If you scan with Nessus, Retina, etc., it should now be free from SSL errors.

Certs for Forwarders:

Create a SAN (subject alternative name) cert. Although not officially supported by Splunk when I originally wrote this, it does work.

1) Create a new folder in etc\auth\UScerts\SANcert.

2) Copy the openssl.cnf to the new folder.  C:\Program Files\Splunk\openssl.cnf to C:\Program Files\Splunk\etc\auth\UScerts\SANcert

> cd C:\Program Files\Splunk\etc\auth\UScerts\SANcert

3) In Windows 2012 R2 – Take ownership of the copied openssl.cnf file. Right-click > properties, and then add your user with Full Control to the file.

4) In Notepad or Wordpad, edit openssl.cnf. Wordpad is preferred.

a) Search (using the Find function in the upper right of Wordpad) and uncomment this line:
# req_extensions = v3_req # The extensions to add to a certificate request

b) Next, search for and modify this section to include the following if it does not already have it:
[ v3_req ] # Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAtlName = @alt_names

c) Create this section next, between [ v3_req ] and [ v3_ca ].
[alt_names]
DNS.1 = your.server.com
DNS.2 = your.next.server.com
DNS.3 = your.other.server.com
IP.1 = an IP address for a server
IP.2 = another IP address for a server
— note, add as many as you like. You will need one for each forwarder if you want to identify them individually.

5) Generate a new CSR.
openssl req -new -key me.fqdn.com.key -out me.fqdn.com_SAN.csr -config “C:\Program Files\Splunk\etc\auth\UScerts\SANcert\openssl.cnf”

Make sure you use: *.your.fqdn for Common name question. This is the wildcard for your domain, such as *.yourdomain.com

6) Check text of cert csr. You should see the items in the alt_names from above.
> openssl req -text -noout -in me.fqdn.com_SAN.csr

7) Create a cert.
> openssl x509 -req -in me.fqdn.com_SAN.csr -sha256 -CA USCA_root.pem -CAkey USCA_root.key -CAcreateserial -out me.fqdn.com_SAN.pem -extensions v3_req -days 730 -extfile “C:\Program Files\Splunk\etc\auth\UScerts\SANcert\openssl.cnf”

8) On the Indexer, edit \etc\system\local\inputs.conf and add the following and restart Splunk.

[SSL]
rootCA = etc\auth\UScerts\USCA_root.pem
servercert = etc\auth\UScerts\me.fqdn.com_SAN.pem
password = your_password
cipherSuite = TLSv1+HIGH:@STRENGTH

[splunktcp-ssl:9997]
compressed = false

9) Now restart splunk:
$SPLUNK_HOME\bin\splunk restart splunkd

10) Configure your Forwarders to use the certificates. Use your Deployment Server to distribute the certs and modified outputs.conf to your forwarders.

a) On the Search head that is acting as your deployment server, edit the outputs.conf file in etc\deployment-apps\<your name for SendToIndexer>\local\ with the following.

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = your.ip.:9997
compressed = false
sslRootCAPath = etc\apps\<your name for SendToIndexer>\USCA_root.pem
sslCertPath = etc\apps\<your name for SendToIndexer>\me.fqdn.com_SAN.pem
sslPassword = <your password>
sslVerifyServerCert = true

b) Copy the etc\auth\UScerts\USCA_root.pem and etc\auth\UScerts\me.fqdn.com_SAN.pem files to the etc\deployment-apps\<your name for SendToIndexer>\local folder on your deployment server and they will be copied to each Forwarder for you.

11) Restart Splunk.
$SPLUNK_HOME\bin\splunk restart splunkd

12) Done. I hope.