Add a NoScript-like extension such as ScriptNo by ‘Andrew Y’, and Chrome is a safe and fast browser in an otherwise hostile world wide web.

Much like it’s competitors, Chrome allows an Incognito mode which will discard any browser data after the session ends. This is great, however there is no way (that I could find) to tell Chrome to always start in this mode. Yes you can change the shortcut on your desktop and add the -incognito switch but this is not a fool proof solution. If Chrome is your default browser Start > Run > http://www.google.com will not launch it in Incognito Mode. If any applications start the browser without using your shortcut (through protocol or file associations) the browser will start in normal mode.

There is no .conf or .ini or .json file you can edit to tell Chrome to always start in Incognito Mode, which seems like a strange omission from the Chrome dev team. By altering a few default settings, FF and IE can be told to remove all traces of browser data upon exiting. The only thing in Chrome that comes close is under Privacy\Cookies section. You can remove all cookies and “other site data” when exiting the browser but this is not the equivalent of Ctrl + Shift + Del.

What we can do is modify some registry settings and tell Windows to start a batch file instead of the chrome.exe main application. When Chrome is made the default browser, among other things, it modifies a few registry keys to tell Windows where to go when associating a protocol with an application (in our case: HTTP and HTTPS).

So let’s tell it to use chrome.cmd instead of chrome.exe:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command]
@="\"C:\\Tools\\start_chrome_incognito.cmd\" -- \"%1\""

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Tools\\start_chrome_incognito.cmd\" -- \"%1\""

[HKEY_CLASSES_ROOT\https\shell\open\command]
@="\"C:\\Tools\\start_chrome_incognito.cmd\" -- \"%1\""

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Tools\\start_chrome_incognito.cmd\""

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Tools\\start_chrome_incognito.cmd\" %1"

Save this as chrome_file_association_fix.reg and run it. For reasons I have yet to understand, you can’t use environment variables in the registry path. Likely has to do with the host process not having an environment when it executes the application. But who knows..

You cannot add the switches directly to the registry key. This would be more convenient since it wouldn’t require a separate batch file to maintain, but this breaks the host process that attempts to start the application.

Create a start_chrome_incognito.cmd in your C:\Tools folder and put this into it:

@echo off
start /D"%LocalAppData%\Google\Chrome\Application\" chrome.exe -incognito --purge-memory-button --memory-model=low %*
:: for XP use the following
:: start /D"%AppData%\Google\Chrome\Application\" chrome.exe -incognito --purge-memory-button --memory-model=low %*

Add whatever options you want before %* and you should be good to go. If you are on Windows XP still, upgrade. If you can’t upgrade then make sure you use the appropriate path to chrome.exe in your batch file.

Now when you start Chrome using something like Start > Run > http://www.google.com you will be browsing in Incognito mode.

Hacky but it works.

Google, please add an option to do this natively, thanks.

TS Save Error

I googled around and saw suggestions to adjust the WMI provider’s memory allocation, restart the WMI service and even re-integrate MDT with SCCM.

I restarted the WMI services but the error did not go away. SMSAdminUI.log recorded the following messages:

...
instance of SMS_ExtendedStatus
{
	Description = "Invalid sequence input parameters - task sequence not found.";
	ErrorCode = 1078462229;
	File = "c:\\qfe\\nts_sms_fre\\sms\\siteserver\\sdk_provider\\smsprov\\ssptspackage.cpp";
	Line = 2711;
	Operation = "ExecMethod";
	ParameterInfo = "SMS_TaskSequencePackage";
	ProviderName = "WinMgmt";
	StatusCode = 2147749889;
};
...

“task sequence not found”??

I duplicated the task sequence from the console and was able to make changes, add steps and save the newly created TS. Exporting the troublesome TS also revealed that the task sequence was under the 4MB limit (only about 200kb).

After editing the duplicate task, I shutdown all instances of MMC, restarted WMI/SMS Agent Host services and was able to edit the task sequence once more.

Piping dir into a where and matching the files I wanted to rename was effective but tedious. Cue the mass_rename.ps1 script:

$ext = $args[0];
$dir = $args[1];

$what = $args[2];
$with = $args[3];

$whatif = $args[4];

$count = 0;

if ($args.length -lt 4) {
    write-host "Invalid parameters" -fore red;
    ""
    write-host "   .\mass_rename.ps1 <ext> <dir> <what> <with> [-whatif]";
    ""
    write-host " Example (don't do any replacing, -whatif):";
    write-host "   .\mass_rename.ps1 .docx c:\Documents 'version 1\.1' 'version 1.2' -whatif";
    ""
    exit 1;
}

ls -recurse -path $dir | ?{ ($_.name.endswith($ext)) -and ($_.name -imatch $what) } | %{
    if ($whatif -eq "-whatif") {
        write-host("whatif: '" + $_.fullname + "' -> '" + ($_.name -ireplace $what,$with) + "'");
    }
    else {
        $from = $_.fullname;
        $to = ($_.name -ireplace $what,$with);
        mv -literalpath $from -destination ($_.directoryname + "\" + $to) -force;
        write-host "Renamed '$from' -> '$to'" -fore yellow;
        $count++;
    }
}

write-host "Done. Processed $count files." -fore green

The script will accept 4 parameters with an optional -whatif as the 5th. Fairly self explanatory with one mention: the <what> parameter is a regular expression. Keep this in mind when, for example, you are trying to match for a period (.) as you would have to escape it (as per the example usage).

The -whatif parameter will only output the before and after file names thout modifying the files themselves.

That’s it, set the execution policy and enjoy.

I wrote a for loop to go through $(PROGS) and remove them from $(INSTLOC):

INSTLOC = /usr/bin
PROGS = mkcramfs cramfsck

all: $(PROGS)

distclean clean:
    for p in $(PROGS);\
    do\
        rm -rf $$p $(INSTLOC)/$$p;\
    done

install:
    cp $(PROGS) $(INSTLOC)

The problem was that I ran this as root (tsk tsk), and since Makefile requires that for loop variables be escaped (line 9: $$p not $p), the rm command translated to this:

rm -rf  /usr/bin/

Great! So now I had no binaries in /usr/bin, which includes: yum, bash, crontab, python, perl… (800+ in total on a minimal install).

Since I only deleted the binaries, the programs were still listed as installed in the RPM database. The first thing I had to do was reinstall yum and it’s “usrbin” dependency python:

[root@demon ~]# mount /dev/sr0 /media/cdrom
[root@demon ~]# cd /media/cdrom/Packages
[root@demon ~]# rpm -Uvh --force python-2.6.5-3.el6.i686.rpm
[root@demon ~]# rpm -Uvh --force yum-3.2.27-14.el6.noarch.rpm

The next step was to figure out which packages had binaries in /usr/bin so I can reinstall them:

[root@demon ~]# rpm -qf $(rpm -qla|grep ^/usr/bin)|uniq|sort

… and finally send those to yum to do a reinstall and get the binaries back:

[root@demon ~]# yum reinstall $(rpm -qf $(rpm -qla|grep ^/usr/bin)|uniq|sort)
[root@demon ~]# ls -la /usr/bin|wc -l
848
[root@demon ~]#

… crisis averted! Snapshot time.

One last note: If you manually installed third party RPMs (not listed in the /etc/yum.repos.d repositories), they will not be reinstalled. You can perform reinstall these one by one using the rpm -Uvh command above. Keep in mind that if these RPMs have not undergone proper QA they may overwrite your current configuration files

You can run these RPMs through rpmlint to see if they produce any warnings or errors that may cause a problem when reinstalling:

[root@demon ~]# rpmlint -iv iplog-2.2.1-1_RH7.i386.rpm
...
iplog.i386: W: conffile-without-noreplace-flag /etc/iplog.conf
A configuration file is stored in your package without the noreplace flag. A
way to resolve this is to put the following in your SPEC file:
%config(noreplace) /etc/your_config_file_here
...
[root@demon ~]#

Goodluck!

93.157.0.142 - - [14/Dec/2010:16:01:19 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 13
72.167.164.72 - - [17/Dec/2010:02:02:54 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 13
74.55.205.98 - - [18/Dec/2010:03:06:49 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 13
150.217.19.5 - - [19/Dec/2010:14:36:52 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 13
173.201.39.105 - - [21/Dec/2010:08:16:35 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 13
74.55.205.98 - - [24/Dec/2010:14:43:28 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 13

This is a truncated list, but each one of these “romanian blackhats” would attempt a few other directories as well. These are not really critical intrusion attempts but they do indicate drones that scan the Internet for potential security holes in webservers (read Phil’s Getting A Little Sick of ZmEu). I don’t want these hosts to access my server in any way since, well, they don’t really need to. I could’ve blocked each one of those IPs by hand but I decided to script it and crontab it.

The first thing I needed is a chain that would handle all of these bad IP addresses:

[root@demon ~]# iptables -N bad_traffic
[root@demon ~]# iptables -A INPUT -j bad_traffic
[root@demon ~]# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

The two rules should be applied in the order specified above. You want to DROP bad traffic before you ACCEPT any web connection.

This script will add a rule for each IP with the DROP target in the bad_traffic chain, if it is not already in the chain:

#!/usr/bin/env perl
# badht - Bad HTTP Traffic blocker
#
# Scans an Apache access log file for bad
# requests and blocks the IP responsible
#
# Usage: badht <access_log> [iptables_chain]
#
# ./badht /var/log/httpd/access_log bad_traffic
#
# badht will use the chain 'bad_traffic' unless
# otherwise specified

use strict;
use warnings;
use POSIX qw(strftime);

die("Usage: $0 </var/log/httpd/access_log> [iptables_chain]") if !$ARGV[0];
my $log = $ARGV[0];

my $chain = ($ARGV[1] ? $ARGV[1] : "bad_traffic");

my @bad = `grep w00tw00t $log|cut -f1 -d" "|sort -u`;
my @ablk = `/sbin/iptables -S $chain|grep DROP|awk '{print \$4}'|cut -d"/" -f1`;

foreach my $ip (@bad) {
    if (!grep $_ eq $ip, @ablk) {
        chomp $ip;
        `/sbin/iptables -A $chain -s $ip -j DROP`;
        print strftime("%b %d %T",localtime(time))." badht: blocked bad HTTP traffic from: $ip\n";
    }
}

By the way, it’s a good idea to block ALL incoming traffic (line 29) coming from these IP addresses because chances are they have already attempted to brute-force your SSH service:

[root@demon admin]# grep -E "sshd.*Failed password for.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" /var/log/secure|wc -l
103
[root@demon admin]#

… within just 7 days of bringing demon.* online! These packets are just wasted CPU cycles from compromised hosts and they should be dropped before they get to any of my services.

Anyway… when I execute badht I get this output:

[root@demon admin]# ./badht /var/log/httpd/access_log bad_traffic
Dec 25 15:56:44 badht: blocked bad HTTP traffic from: 150.217.19.5
Dec 25 15:56:44 badht: blocked bad HTTP traffic from: 173.201.39.105
Dec 25 15:56:44 badht: blocked bad HTTP traffic from: 72.167.164.72
Dec 25 15:56:44 badht: blocked bad HTTP traffic from: 74.55.205.98
Dec 25 15:56:44 badht: blocked bad HTTP traffic from: 93.157.0.142
[root@demon admin]# ./badht /var/log/httpd/access_log bad_traffic
[root@demon admin]# iptables -L bad_traffic -n
Chain bad_traffic (1 references)
target     prot opt source               destination
DROP       all  --  150.217.19.5         0.0.0.0/0
DROP       all  --  173.201.39.105       0.0.0.0/0
DROP       all  --  72.167.164.72        0.0.0.0/0
DROP       all  --  74.55.205.98         0.0.0.0/0
DROP       all  --  93.157.0.142         0.0.0.0/0
[root@demon admin]#

As you can see the second time I ran the script it skipped the already-blocked IPs and said nothing.

I don’t want to run this manually, so I’ll let crontab handle it:

[root@demon ~]# crontab -lu root
*/30 * * * * ~/admin/badht /var/log/httpd/access_log bad_traffic >> /var/log/bad_traffic 2>&1
[root@demon ~]#

… this will run twice an hour and send all output to /var/log/bad_traffic. You can increase the frequency but you should keep in mind that this may needlessly slow the system down on large access_log files.

Note: The rules created by badht are temporary and will be lost on system reboot or when the iptables ‘service’ is restarted. Remember to periodically save the iptables rules, or at least the ‘bad_traffic’ chain. Since the crontab is persistant, badht will recreate all the rules the next time it runs.

SETroubleshoot also has an email notification system that is really easy to implement. There are a couple of things that you should consider before going forward.

Add the recipient email addresses to /var/lib/setroubleshoot/email_alert_recipients:

admin@example.com       filter_type=after_first

Note: the ‘after_first’ filter will prevent setroubleshoot from flooding your inbox with the same alert. There are other filter types, see the man page.

…and finally modify the [email] section in /etc/setroubleshoot/setroubleshoot.cfg:

[email]
# recipients_filepath: Path name of file with email recipients. One address
# per line, optionally followed by enable flag. Comment character is #.
recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients

# smtp_port: The SMTP server port
smtp_port = 2525

# smtp_host: The SMTP server address
smtp_host = mail.example.com

# from_address: The From: email header
from_address = security@demon.local

In my case, my MTA is listening on port 2525 as well as port 25, due to most ISPs blocking 25. The RHEL6 server is behind such an ISP and I had to use this as the mail port.

By default, SELinux allows only a short list of ports to be used by the SMTP protocol, and when setroubleshoot tried to send the alert, I saw this in /var/log/messages:

Dec 14 16:41:58 demon setroubleshoot: [avc.ERROR] Plugin Exception httpd_bad_labels #012Traceback (most recent call last):#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 156, in analyze_avc#012    report_receiver.report_problem(report)#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/server.py", line 195, in report_problem#012    email_alert(siginfo, to_addrs)#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/email_alert.py", line 77, in email_alert#012    smtp = smtplib.SMTP(smtp_host, smtp_port)#012  File "/usr/lib/python2.6/smtplib.py", line 239, in __init__#012    (code, msg) = self.connect(host, port)#012  File "/usr/lib/python2.6/smtplib.py", line 295, in connect#012    self.sock = self._get_socket(host, port, self.timeout)#012  File "/usr/lib/python2.6/smtplib.py", line 273, in _get_socket#012    return socket.create_connection((port, host), timeout)#012  File "/usr/lib/python2.6/socket.py", line 514, in create_connection#012    raise error, msg#012error: [Errno 13] Permission denied

…which basically means that the email_alert.py setroubleshoot script could not create an SMTP connection to my mail server on the port specified.

On RHEL6, these are the allowed SMTP ports:

[root@demon ~]# semanage port -l|grep smtp
smtp_port_t                    tcp      25, 465, 587

In order to allow demon.* to send mail to the remote MTA, I had to:

[root@demon ~]# semanage port -a -t smtp_port_t -p tcp 2525
[root@demon ~]# semanage port -l|grep smtp
smtp_port_t                    tcp      2525, 25, 465, 587

And that’s it! You can quickly test by generating an SELinux denial, and see if you get an email.

In my case, the remote MTA (running Exim) was dropping the messages and setroubleshoot would throw this in /var/log/messages:

Dec 17 09:53:19 demon setroubleshoot: [email.ERROR] email failed: {'admin@example.com': (550, 'Verification failed for <security@demon.local>\nThe mail server could not deliver mail to security@demon.local.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\nSender verify failed')}

This was due to Exim+SpamAssassin performing callbacks or callouts to ensure that the From: email address is valid on the mail server it comes from.

I got around this by adding the RHEL6 server’s IP block as a trusted ‘mail provider’. In /etc/mailproviders/ on the Exim server, I created the following tree:

root@exim [/etc/mailproviders]# tree
|-- rim
|   `-- ips
`-- demon
    `-- ips

2 directories, 2 files
root@exim [/etc/mailproviders]# cat demon/ips
172.16.1.0/24
root@exim [/etc/mailproviders]#

The ips files contain a list of IP blocks for Exim to trust as ‘mail providers’ and add to the whitelist. This is probably not the safest solution but it is the quickest.

Warning: if you don’t trust the entire IP block you can open your MTA to unchallenged spam. Use this method with caution.

During my F13 repository setup, I had to turn on a few SELinux booleans in order for HG to successfully serve my repositories. Apache was spitting out forbidden errors, and I suspected SELinux as the culprit. This was to be expected, however, unlike the F13 box there were no setroubleshoot messages in /var/log/messages. You know.. the ones with the friendly ‘sealert -l [hash]‘ and whatnot.

Everything was going to /var/log/audit/audit.log and written in a slightly less readable format. After going through Dan Walsh‘s blog, I’ve noticed I was missing the setroubleshoot-* packages. In a server environment (that is, no desktop) I only need to install setroubleshoot-server (and its deps) in order to get the cool descriptive SELinux audit messages.

Sample /var/log/audit/audit.log AVC denials:

[root@demon ~]# grep AVC /var/log/audit/audit.log
...
/var/log/audit/audit.log:type=AVC msg=audit(1292588343.092:3941): avc:  denied  { getattr } for  pid=2295 comm="httpd" path="/home/hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
/var/log/audit/audit.log:type=AVC msg=audit(1292588361.410:3942): avc:  denied  { search } for  pid=4945 comm="httpd" name="hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
/var/log/audit/audit.log:type=AVC msg=audit(1292588361.410:3943): avc:  denied  { getattr } for  pid=4945 comm="httpd" path="/home/hg" dev=dm-3 ino=130823 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
...

So I went ahead and installed the setroubleshoot-server RPMs, but I was still not getting anything friendly in /var/log/messages.

By the way, if you want to generate some SELinux denials you can try this command:

[root@demon ~]# sandbox /usr/bin/perl -e '`cat /dev/urandom`'
cat: /dev/urandom: Permission denied

The sandbox tool will run a binary in a paranoid domain, restricting it from accessing most objects in the system. Sandboxing is very cool and you should read up on it, especially if you’re running a web applications (hgweb in my case).

Starting with the Fedora 11 release date, Dan Walsh made a few changes to setroubleshoot to make it less of a memory hog. This meant that setroubleshootd was obsolete and replaced by sedispatch. This new binary was to be called by /sbin/audispd, which is called by auditd as the dispatcher for AVC messages. SEDispatch would only start setroubleshootd if it was needed. In fact, if you try to run setroubleshootd manually, it will start, wait for about 10 seconds and exit with code 0.

To make sure sedispatch is functional, you can do something like this:

[root@demon ~]# grep AVC /var/log/audit/audit.log | sedispatch
...
Got Reply: AVC
Got Reply: AVC
...
[root@demon ~]#

You should now see the setroubleshoot messages in /var/log/messages.

It turns out all I had to do to get setroubleshoot to work was to restart the auditd service to make sure it picked up the newly installed /etc/audisp/plugins.d/sedispatch.conf plugin.

Besides the newbie-friendly sealert database, setroubleshoot can also send email notifications when denials happen. This is a fairly straightforward process, however I did run into a couple of issues. Dan Walsh and the guys in #selinux@freenode were nice enough to help me get it working.

Since vcstool no longer has direct access to optparse (BaseScript does the parsing and locking) the main issue became returning the value of –vcs and creating the VCS object  BEFORE initializing the BaseScript functionality. If MercurialVCS was the class inheriting BaseScript it wasn’t possible to determine what VCS object to create without actually creating the MercurialVCS object first.

The solution was to create a wrapper class that would handle the creation of the object. This class would actually inherit BaseScript giving it access to the parsed command-line options, while also providing a method to create the VCS class and return it based on the –vcs switch selection:

class VCSWrapper(BaseScript):
    supported_vcs = ('hg',)

    def __init__(self, config_options=None):
        BaseScript.__init__(self, config_options=config_options)

    def get_vcs_object(self):
        __tmp_vcs = self.config.get('vcs', None)
        if __tmp_vcs == 'hg':
            return MercurialVCS(wrapper_obj=self)
        else:
            self.error('Unsupported VCS: ' + __tmp_vcs
                       + ', please use one of the following: '
                       + ' '.join(self.supported_vcs))
            return None

So now vcstool would create a wrapper object to handle logging and command-line options as well as a vcs object (returned by VCSWrapper.get_vcs_object()) to do the checkouts and whatnot.

One more thing: to simplify the whole thing, vcstool now accepts two extra switches: –repo and –dest. These are meant to replace hgtool’s [repo] and [dest] unnamed arguments. Because of the way BaseScript handles unnamed arguments this is the less complicated solution for passing these values to vcstool.

If you want to see this changeset’s files, click here.

P.S.: We have opened bug 606963 to track the progress of this port. All the patches to go from vcstool version 0.0 to 0.1.1 (and above) will be attached there.

So far:

I’ve created the MercurialVCS class which will handle tasks such as updates and checkouts. Later on we will have a library for all of the popular VCSs (ie: GitVCS, SubversionVCS, BazaarVCS) which vcstool can use based on the command line specification.

$ python vcstool.py -h
Usage: vcstool.py [-s|--vcs VCS] [-p|--props-file] [-l|--log-level LEVEL] [-r|--
rev REVISION] [-b|--branch BRANCH] repo [dest]
...

The log level can now be modified using the –log-level switch for vcstool.

I’ve also ported commands.py to MozTools class. It is responsible for tasks such as run_cmd (execute a command, such as ‘hg clone …’ and get_output (execute command and return the stdout/stderr). MercurialVCS (and others) makes use of these commands during a pull. The MozTools class also creates the logging object, so VCS child classes can reference self.log.{info|debug|whatever}.

You can follow the development progress on this blog (top-right) or here: http://git.slacknet.ca/mozharness.git/rss

In a nutshell, each developer has their own repository with their own detailed history of changes (changesets). This makes it easier to merge code (with less problems) when it comes time to put the application into production. If you have been using CVS/SVN for your version control, Mercurial concepts may get a bit confusing and a chart that gives you hg equivalents to svn commands, will complicate things further.

I found a site that actually has a re-education section for the Subversioners willing to switch to Mercurial/GIT: HGinit. If you’ve never used a VCS (distributed or otherwise) this is a great resource to get started.

I’ve setup my own Mercurial central repository: http://code.darkminds.org/hg/mozharness

EDIT: I’ve converted the mercurial repos to git: http://git.slacknet.ca

All I had to do is clone Mozharness from Mozilla’s central repository and it was ready to go. Compared to Subversion, setting up the published repository was actually quite painless and this tutorial can help you get one going too.

Oh and migration from SVN (or Git, or CVS, or Bazaar) couldn’t be easier:

$ hg convert http://nexusframework.svn.sourceforge.net/svn/nexusframework