Daemon Security News

BSD Honeypots with Zeek talk accepted for Virtual ZeekWeek 2020

Daemon Security (Daemon Security) — Thu, 08 Oct 2020 00:00:00 +0000

I submitted a modified BSD Honeypots talk to ZeekWeek 2020 and the talk was accepted. This talk will be shorter and focus on the use of Zeek with the intel framework and a honeypot running within FreeBSD jails. Similar to BSDCan, Virtual ZeekWeek will be online only. You can still register, but viewing may be limited for certain talks. Virtual ZeekWeek 2020 will take place from October 13th through the 15th.

BSD Honeypots talk accepted at BSDCan 2020

Daemon Security (Daemon Security) — Mon, 01 Jun 2020 00:00:00 +0000

My talk, “BSD Honeypots - Of course it runs on BSD” was accepted by the BSDCan 2020 committee earlier this year. Due to the pandemic, BSDCan organizers moved the conference to an online format. All of the scheduled talks will be made available as a stream during their spot on the schedule. I checked today, and it appears that the conference will be freely available online, so take this opportunity to enjoy great BSD content from a great BSD conference.

New Website 2020

Daemon Security (Daemon Security) — Thu, 09 Apr 2020 00:00:00 +0000

After a long time, we have finally updated the website using HUGO to generate the static-site content. I wish to thank Project Trident for sharing their website setup on github, which our site is based on. In working through the setup, I even found a typo that helped both of our sites look better.

We are looking forward to more content for the rest of 2020, including some blog posts coming up soon so stay safe and stay healthy.

Xorg and fun with local root privileges

Daemon Security (Daemon Security) — Mon, 03 Dec 2018 00:00:00 +0000

Last week, I gave a talk at the CharmBUG meetup on the recent Xorg vulnerability that allowed for local users to elevate their privileges through a vulnerability in the Xorg command line options. The vulnerability allowed users to overwrite files and run code as the root user. The original vulnerability was found in recent versions of Xorg on Debian, RHEL, and CentOS, but was not patched in OpenBSD until the details of the vulnerability were released. Credit for the vulnerability discovery goes to Narendra Shinde, with Matt Hickey providing an exploit for OpenBSD. You can find the slides from the talk here:

Running CentOS with Bhyve

Daemon Security (Daemon Security) — Wed, 10 Jan 2018 00:00:00 +0000

With the addition of UEFI in FreeBSD (since version 11), users of bhyve can use the UEFI boot loader instead of the grub2-bhyve port for booting operating systems such as Microsoft Windows, Linux and OpenBSD. The following page provides information necessary for setting up bhyve with UEFI boot loader support:

https://wiki.freebsd.org/bhyve/UEFI

Features have been added to vmrun.sh to make it easier to setup the UEFI boot loader, but the following is required to install the UEFI firmware pkg:

From BSDCan to vBSDCon

Daemon Security (Daemon Security) — Fri, 04 Aug 2017 00:00:00 +0000

As always, BSDCan 2017 was another great conference. I recommend BSDCan to anyone I speak to as one of the best BSD conferences to attend in this part of the world. I gave my talk on the State of Network Security Monitoring (NSM) tools on the BSD operating systems. The talk was well received, but I will be updating my slides when I give this talk again at vBSDCon with updated information and allow time for more questions. In addition to being a speaker at the conference, Daemon Security once again is a “Silver Sponsor” of vBSDCon and I am looking forward to the conference venue that will be in the Reston Town Center, at the Hyatt Regency Hotel. Registration is now available from the conference website:

Running Bro in a FreeBSD Jail

Daemon Security (Daemon Security) — Wed, 18 Jan 2017 00:00:00 +0000

A few weeks ago, a user on the Bro IDS mailing list was looking for a way to run Bro in a FreeBSD jail. FreeBSD jails provide the foundation of operating system-level virtualization, later utilized and enhanced by Solaris zones, and those containers that everyone thinks are something new. To avoid going on a complete rant, I recommend the following write-up as an overview of FreeBSD jails:

https://www.freebsd.org/doc/handbook/jails.html

The purpose of this howto is to document that basic steps necessary to use Bro within a FreeBSD jail. For jail management, ezjail is normally the recommended way to setup jails. With a recent copy of FreeBSD (FreeBSD 11), run the following commands to install the ezjail package and setup your Bro jail (Note: vtnet0 is my network interface on the host, which could also be em0, or re0 in your case):

Recap of BroCon and SuriCon 2016

Daemon Security (Daemon Security) — Mon, 28 Nov 2016 00:00:00 +0000

In September, I gave a talk about running Bro NSM on BSD operating systems. The talk was well received and stirred interest in the BSD operating systems and their use for network security monitoring. The slides (and at the some point the video) for my talk are posted here:

https://www.bro.org/community/brocon2016.html

One of the interesting things I learned at this conference, was the important role that FreeBSD plays in regards to Bro. FreeBSD and Linux are treated as the tier 1 operating systems for which Bro must work on before a software update is released. After my talk was given, the updated netmap code was merged into the FreeBSD 12-CURRENT tree to add better support for packet I/O on FreeBSD which Bro can be configured to use. For those interested in running Bro, Bro 2.5 is now available for download from here:

vmrun.sh - The default way to use bhyve on FreeBSD

Daemon Security (Daemon Security) — Wed, 13 Jul 2016 00:00:00 +0000

bhyve is a type-2 hypervisor that is installed by default in FreeBSD 10+. One of its greatest features is how simple the interface is to create and run virtual machines on FreeBSD. Since bhyve first appeared in FreeBSD 10, the operating systems support has expanded beyond FreeBSD and OpenBSD to include most Linux distributions and Microsoft Windows. In FreeBSD 11, bhyve will feature graphical support (UEFI-GOP) allowing for graphical UEFI installations. There are several tools that have been created to make the managing of bhyve VMs as easy as the managing of FreeBSD jails.

Daemon Security, a Silver Sponsor of vBSDCon 2015

Daemon Security (Daemon Security) — Tue, 08 Sep 2015 00:00:00 +0000

Daemon Security is a “Silver Sponsor” of vBSDCon 2015, the biennial BSD conference hosted by Verisign, Inc. The conference will bring together members of the BSD community in a series of round-table discussions including presentations on various BSD topics including system administration, networking and security. Daemon Security is proud to be sponsoring this event for a second time to help solidify the BSD operating systems as the only choice for deploying security tools and solutions. The conference is only days away, so be sure to register as soon as possible. Hope to see everyone at the Hacker Lounge to discuss Network Security with BSD, HardenedBSD and the MetaBoF.

Hunter NSM - A modular platform for deploying network sensors

Daemon Security (Daemon Security) — Mon, 27 Jul 2015 00:00:00 +0000

Hunter NSM is a simple install script for Snort or Bro IDS with JSON logging configured for FreeBSD. This is a simplified version of the snorby install script, as the goal is to provide a modular platform to plug into any existing security architecture. The current version has been tested on FreeBSD 10.1 and HardenedBSD.

The script is available on github:

https://github.com/shirkdog/hunter-nsm

zfscron - A great idea from the BSDNow podcast

Daemon Security (Daemon Security) — Fri, 29 May 2015 00:00:00 +0000

First off, if you are interested in all of the latest news and information on the BSD operating systems, you should checkout the [BSDNow] (http://www.bsdnow.tv) podcast. In the segment where Allan Jude and Kris Moore discuss viewer’s questions, Allan was talking about creating zfs snapshots of your home directory every 30 minutes or so. This seemed like a great idea to capture changes that may have occurred since the last daily backup in your user home directory. zfscron.sh has been added to the zfsbackup scripts and only needs to be setup as a cronjob for a user account that has privilege to perform zfs snapshots.

Mumblehard - Malware that affects Linux and BSD Systems

Daemon Security (Daemon Security) — Tue, 05 May 2015 00:00:00 +0000

Several websites have discussed this writeup by Marc-Etienne M.Leveille of ESET in regards to the Mumblehard malware ESET discovered while working with a customer. Though Linux malware (just like OSX malware) is nothing new, this software included a very interesting binary packer that actually detects BSD systems. The attack vector for this malware was by way of Joomla and Wordpress exploits, and an illegal copy of DirectMailer, which installs the backdoor once the software is loaded (M.Leveille, 2015).

jail.conf hack when upgrading from FreeBSD 9.x to 10

Daemon Security (Daemon Security) — Wed, 29 Apr 2015 00:00:00 +0000

If you are still using FreeBSD 9.x, you will want to migrate your jails to the new jail.conf format when you upgrade to FreeBSD 10. The new jail.conf format has been around since FreeBSD 9.1:

jail.conf manpage

In an effort to assist with migrating to the new jail.conf format, a template file is created based on the configuration of the jails within your rc.conf file. In the following example, a jail called “testjail” is configured in rc.conf then started on a FreeBSD 10.1 system:

ZFS-Backup now supports a non-root user.

Daemon Security (Daemon Security) — Wed, 14 Jan 2015 00:00:00 +0000

zfsbackup.sh has been modified to use a non-root user with the necessary privileges to perform ZFS send/receive and to administer snapshots. The script was initially a proof-of-concept for providing an easy way to do backups. Now the zfsbackup.sh script requires a non-root user to operate. Checkout the updated code on github: http://github.com/shirkdog/zfsbackup/

Upgrading FreeBSD, make sure you upgrade your zpools

Daemon Security (Daemon Security) — Mon, 29 Dec 2014 00:00:00 +0000

Depending on the way you perform upgrades (freebsd-update or building from source) you may be interested in features that were added in the 10.1 release of FreeBSD for ZFS. The following options were added with the latest stable release of FreeBSD:

 spacemap_histogram</b> 
This features allows ZFS to maintain more information about how free space is organized within the pool

 enabled_txg 
Once this feature is enabled ZFS records the transaction group number in which new features are enabled.

 hole_birth 
This feature improves performance of incremental sends (zfs send -i'') and receives for objects with many holes. The most common case of hole-filled objects is zvols.

 extensible_dataset 
 This feature allows more flexible use of internal ZFS data structures, and exists for other features to depend on.

 embedded_data 
This feature improves the performance and compression ratio of highly-compressible blocks. Blocks whose contents can compress to 112 bytes or smaller can take advantage of this feature

bookmarks 
 This feature enables use of the zfs bookmark subcommand.

 filesystem_limits 
This feature enables filesystem and snapshot limits.

You can validate whether your zpool can be upgraded by running “zpool status” and observing the following output:

ZFS Corruption: Postmortem

Daemon Security (Daemon Security) — Wed, 17 Sep 2014 00:00:00 +0000

Are you performing backups of your filesystems? A recent blog post described the process for using remote snapshots with ZFS to ensure data is backed up. This post describes an incident where data was almost lost on a ZFS filesystem due to a corrupted pool (Are you backing up your filesystems yet?).

A VM running within VirtualBox only had a single VirtualDisk with ZFS as its filesystem. One day, while using the VM, the power went off on the host operating system. ZFS, with its Copy-On-Write functionality should be resistant to this type of sudden power-loss, but in this case, something happened to the VirtualDisk provided by VirtualBox. One thing that can cause serious issues for any filesystem is hardware faults (though technically it was a software fault). When trying to boot up, FreeBSD was unable to mount root on ZFS. If this happens, you will be dropped to a boot prompt:

Simple ZFS Backup Script

Daemon Security (Daemon Security) — Tue, 05 Aug 2014 00:00:00 +0000

ZFS is a powerful filesystem that helps to maintain integrity by avoiding data corruption. A useful feature of ZFS is its ability to clone filesystems. Creating snapshots allows for filesystems to be cloned and restored if anything happens to the original data. Going beyond this is the ability to maintain incremental changes between snapshots. There are a number of scripts available that setup a similar backup system, but the idea here is to maintain a current dataset, with the ability to restore from two previous backups.

Full Featured FreeBSD Desktop in 5 Minutes

Daemon Security (Daemon Security) — Thu, 27 Mar 2014 00:00:00 +0000

The FreeBSD community has been very excited about http://www.freebsd.org/doc/handbook/pkgng-intro.html, the next generation package manager now installed by default with FreeBSD 10. pkgng allows for binary packages to be installed in a similar fashion to yum or apt-get on Linux. The most important feature of binary packages is the speed at which a system can be deployed. pkgng allows for the creation of custom repos that can be configured with pkg.conf files.

Updates for the Daemon Security Blog and website

Daemon Security (Daemon Security) — Fri, 03 Jan 2014 00:00:00 +0000

An archive has been created to save older blog postings in an effort to provide updated content for current initiatives. The Snorby installation script has been placed on github where development will be tracked. New blog postings will be coming in the next few weeks including the steps for building Bro IDS on OpenBSD and other BSD configuration options.

Daemon Security, a Silver Sponsor of vBSDCon 2013

Daemon Security (Daemon Security) — Mon, 07 Oct 2013 00:00:00 +0000

Daemon Security is a “Silver Sponsor” of vBSDCon 2013, the first biennial BSD conference being hosted by Verisign, Inc. The conference will bring together members of the BSD community in a series of round-table discussions including presentations on various BSD topics including system administration, networking and security. Daemon Security is proud to be sponsoring this event to help solidify the BSD operating systems as the only choice for deploying security tools and solutions. Slots are still available so be sure to register soon.

Cisco Acquires Sourcefire, what of open source security?

Daemon Security (Daemon Security) — Wed, 24 Jul 2013 00:00:00 +0000

Cisco announced on July 23rd that it will be acquiring Sourcefire for 2.7 billion dollars. The first reaction from everyone in the Snort community was, “What will happen with open source Snort?”. Marty Roesch, Founder and CTO of Sourcefire and the author of the Snort IDS assured everyone that Snort will remain free and open source. Even with the worse case being that Cisco does not support open source Snort, where does this leave the state of open source security? One of the most enduring values of tools like Snort is that the code is freely available to evaluate, providing security researchers and administrators access to evaluate and extend functionality as necessary. With all of the “open source” products being brought into commercial products, there is a risk that the transparency into potential vulnerabilities will be a right reserved to the vendor.

The one thing cloud computing is supposed to do is not fail

Daemon Security (Daemon Security) — Tue, 17 Jul 2012 00:00:00 +0000

Two interesting failures in cloud computing occurred over the past couple of weeks. The first failure was a power outage caused by severe storms that brought down the East Coast Cloud services for Amazon (Cohen, 2012). The outage affected sites like Netflix as it disrupted streaming services for customers (Cohen, 2012). The second failure occurred when a electrical glitch brought down power in the Salesforce data center in Silicon Valley (Babcock, 2012). The outage brought down primary instances of the cloud-based service which affected customers for at least seven hours (Babcock, 2012).

BSD Magazine Article for FreeBSD MAC Part 3

Daemon Security (Daemon Security) — Wed, 12 Sep 2012 00:00:00 +0000

The September BSD Magazine has been released which includes part 3 of the “Hardening FreeBSD with Mandatory Access Controls” which highlights the mac_bsdextended module and the ugidfw utility.

The article is available at http://bsdmag.org/magazine/1812-what-s-new-in-pc-bsd-9-1

BSD Magazine Article for FreeBSD MAC Part 4

Daemon Security (Daemon Security) — Fri, 21 Dec 2012 00:00:00 +0000

The December BSD Magazine has been released which includes part 4 of the “Hardening FreeBSD with Mandatory Access Controls” which highlights the mac_seeotheruids module.

The article is available at http://bsdmag.org/magazine/1826-linux-jails-in-pc-bsd

BSD Magazine Article for FreeBSD MAC Part 5

Daemon Security (Daemon Security) — Tue, 26 Mar 2013 00:00:00 +0000

The March BSD Magazine has been released which includes the fifth and final part of the “Hardening FreeBSD with Mandatory Access Controls” articles. This article highlights the mac_ifoff, mac_portacl, and MAC LOMAC modules.

The article is available at http://bsdmag.org/magazine/1832-handling-kernel-panic

BSD Magazine Article for Jails Firewall with pdf

Daemon Security (Daemon Security) — Sat, 08 Jun 2013 00:00:00 +0000

The May BSD Magazine has been released which includes an article about configuring the pf firewall with FreeBSD jails. This article provides a way to expose jailed services with pf.

The article is available at http://bsdmag.org/magazine/1838-jails-firewall-with-pf