Open Source Linux
smartmontools-5.39.1-1.x86_64.rpm
by nate on Apr.29, 2010, under Open Source Linux, RPM
AFAIK there are no smartmontools rpms for version 5.39.1 for anything but Fedora.
Here is a src rpm, and an x86_64 binary, that work with Scientific Linux 5.3 and probably CentOS.
I just took the spec from here:
ftp://194.199.20.114/linux/sourceforge/s/project/sm/smartmontools/smartmontools/5.36/smartmontools-5.36-1.src.rpm
Updated the version and source tarball and built the rpm. This was done because there are no current CentOS/Scientific Linux rpms for smartmontools which support MegaRAID cards. If you rebuild from that mirror yourself, compare the tarball you feed the spec against upstream's published checksum or signature; the mirror is reached by bare IP address, so nothing else vouches for what it serves.
Giplet rpms
by nate on Dec.26, 2009, under Open Source Linux, RPM
IN PROGRESS
Giplet is an rpm for GNOME which puts the IP address in the panel. I liked it for users who didn't know how to find their own IP; it makes coaching them over the phone a bit easier.
I built the rpm from source; I'll post its spec soon.
Based on:
http://giplet.sourceforge.net/
Initial Giplet spec:
cat /usr/src/redhat/SPECS/giplet.spec
Name: giplet
Epoch: 1
Version: 0.1.8
Release: 0.1
Summary: Applet to show the IP address in the GNOME panel.
Group: User Interface/Desktops
License: GPL
URL: http://giplet.sourceforge.net/
BuildArch: noarch
Requires: python
Requires: gnome-python2-applet
Requires: pygtk2-devel
Requires: pkgconfig
Requires: libbonobo
Source0: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
An application to show the IP address of a machine in the GNOME panel.
%prep
%setup -q
%build
# plain ASCII double dash: a pasted en dash here reaches configure as a stray argument, not as --prefix
./configure --prefix=/usr
make
%install
rm -rvf $RPM_BUILD_ROOT
make DESTDIR=$RPM_BUILD_ROOT install
%clean
rm -rf $RPM_BUILD_ROOT
%pre
%post
%postun
%files
%defattr(-,root,root,-)
%{_libdir}/giplet/giplet_globals.py
%{_libdir}/giplet/giplet_globals.pyc
%{_libdir}/giplet/giplet_globals.pyo
%{_libdir}/giplet/gipletprefs.py
%{_libdir}/giplet/gipletprefs.pyc
%{_libdir}/giplet/gipletprefs.pyo
%{_libdir}/bonobo/servers/GNOME_GipletApplet.server
%{_libdir}/giplet/giplet
%{_datadir}/giplet/giplet.glade
%{_datadir}/pixmaps/giplet.svg
%changelog
* Tue Oct 20 2009 Nathan Yehle
- Initial rpm spec
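The spec as pasted into the blog has an en dash in its ./configure line where "--" belongs, which rpmbuild hands to the shell and the shell hands to configure as a stray argument. The following is an added example, not part of this post: a small spec linter for that and two other things a reviewer checks before building, a runtime Requires: on a -devel package and a Source0: that is a bare filename rather than an upstream URL that can be re-fetched and checksummed. The embedded spec excerpt is constructed for the example (trimmed from the spec above).

```python
import re
from typing import List

# Constructed excerpt in the style of the giplet spec above; the Requires, Source0
# and ./configure lines are copied from it (including the pasted en dash), the rest
# is trimmed for the example.
SAMPLE_SPEC = """\
Name: giplet
Version: 0.1.8
Release: 0.1
Requires: python
Requires: pygtk2-devel
Source0: %{name}-%{version}.tar.gz
%prep
%setup -q
%build
./configure \u2013prefix=/usr
make
"""

REQUIRES_RE = re.compile(r"\s*Requires:\s*(\S+)")
SOURCE_RE = re.compile(r"\s*Source\d*:\s*(\S+)")
URL_RE = re.compile(r"(https?|ftp)://")


def lint_spec(text: str) -> List[str]:
    """Return 'line: message' findings for three things worth checking before rpmbuild."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # 1. Non-ASCII in a spec is nearly always a copy-paste artifact: an en dash in
        #    place of '--' reaches configure as a stray argument, not as --prefix.
        if any(ord(ch) > 126 for ch in line):
            findings.append(f"{lineno}: non-ASCII character in {line.strip()!r}; check for a mangled '--' or quote")
        # 2. A runtime dependency on a -devel package usually belongs under BuildRequires.
        m = REQUIRES_RE.match(line)
        if m and m.group(1).endswith("-devel"):
            findings.append(f"{lineno}: runtime Requires on {m.group(1)}; headers are normally a BuildRequires")
        # 3. A bare filename in SourceN records no upstream location to re-fetch and checksum against.
        m = SOURCE_RE.match(line)
        if m and not URL_RE.match(m.group(1)):
            findings.append(f"{lineno}: {m.group(1)} is not a URL; record where the tarball came from so it can be verified")
    return findings


if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print(finding)
```

Run it against a real spec with lint_spec(open("giplet.spec").read()); the three checks are deliberately independent so you can drop the ones your packaging policy does not care about.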
Zip Ship by Order Amount
by nate on Nov.18, 2009, under Open Source Linux
<?php
/*
  Shipping Rates by Order Price Range and Zipcode
  internet-goods.com modified version of zipship.php
  calculates shipping price the same way but with
  order-total price ranges used in the same fields the original uses weights in.

  $Id: zipship.php,v 1.27 2007/06/06 22:41:52 me
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com
  Copyright (c) 2003-2007 osCommerce - by mark enriquez

  REVISION HISTORY
  ----------------
  4/10/07 - fixed handling fee bug (THANKS DUX!!) and added REGEX zipcode matching.

  REGEX NOW SUPPORTED! Due to popular demand, I've modified the code to allow cart
  users to specify parts of zipcodes to set shipping rates to, using Regular Expression
  (REGEX) matching conventions. For a quick primer on REGEX, look here...
  http://regexlib.com/CheatSheet.aspx
  This should allow unlimited control on setting postcode-based "zones" for your cart.
  The most obvious use is to use the first few characters of the post/zip code (DO NOT
  USE THE * CHARACTER!! THIS WILL MESS UP THE REGEX EVALUATOR!!!) that you want to match.

  ZONE PRECEDENCE
  BE CAREFUL TO USE THE MORE EXACT MATCHES IN THE HIGHER ZONES! This is a crucial
  part of using this mod. The zone loop does not stop at the first match: every zone is
  checked and the LAST (highest-numbered) zone that matches wins. So if you use "329" in,
  say, Zone 4, and try to use "3294" in Zone 3, THE PROGRAM WILL MATCH ALL 3294X post
  codes to ZONE 4, not to 3294 in ZONE 3!! Note also that patterns are not anchored:
  "329" matches anywhere in the postcode, so it also matches 13290.
  In general, be careful where to place your substring match characters, and DO NOT USE
  the * character. I am pretty sure that any properly formed regular expression string
  will be evaluated correctly by my program, but to test your REGEX, go here...
  http://regexlib.com/RETester.aspx
  ...and play with your ideas. If they work there, they will work in your cart.

  USAGE
  By default, the module comes with support for 6 postcode "zones" (default
  zipcodes and tables are filled in for the first 3). This can be easily changed
  by editing the line below in the class constructor that defines $this->num_zones.
  Next, you will want to activate the module by going to the Admin screen,
  clicking on Modules, then clicking on Shipping. A list of all shipping
  modules should appear. Click on the green dot next to the one labeled
  zipships.php. A list of settings will appear to the right. Click on the
  Edit button.
  PLEASE NOTE THAT YOU WILL LOSE YOUR CURRENT SHIPPING RATES AND OTHER
  SETTINGS IF YOU TURN OFF THIS SHIPPING METHOD. Make sure you keep a
  backup of your shipping settings somewhere at all times.
  If you want an additional handling charge applied to orders that use this
  method, set the Handling Fee field.
  Next, you will need to define which postcodes are in each zone. Determining
  this might take some time and effort. You should group a set of postcodes
  that has similar shipping charges for the same weight. As an example, one
  of my customers is using this set of postcodes/zones:
  When you enter these postcode lists, enter them into the Zone X Zipcodes
  fields, where "X" is the number of the zone. They should be entered as
  five-digit postcodes. They should be
  separated by commas with no spaces or other punctuation. For example:
  1: 32903,32937
  2: 32901,32935
  3: 32940,32904
  Now you need to set up the shipping/delivery rate tables for each zone. Again,
  some time and effort will go into setting the appropriate rates. You
  will define a set of ranges and the shipping price for each range (weight
  ranges in the original module; order-total ranges in this modified version).
  For instance, you might want an order that weighs more than 0
  and less than or equal to 3 to cost 5.50 to ship to a certain zone.
  This would be defined by this: 3:5.5
  You should combine a bunch of these rates together in a comma delimited
  list and enter them into the "Zone X Shipping Table" fields where "X"
  is the zone number. For example, this might be used for Zone 1:
  1:3.5,2:3.95,3:5.2,4:6.45,5:7.7,6:10.4,7:11.85,8:13.3,9:14.75,10:16.2,11:17.65,
  12:19.1,13:20.55,14:22,15:23.45
  The above example includes weights over 0 and up to 15. Note that
  units are not specified in this explanation since they should be
  specific to your locale.

  CAVEATS
  At this time, it does not deal with amounts that are above the highest range
  defined: the quote goes out with a cost of 0.00 and the "undefined rate" title,
  and without the error flag. This will probably be the next area to be improved in the
  module. For now, you could have one last very high range with a very
  high shipping rate to discourage orders of that magnitude. For
  instance: 999:1000
  If you want to be able to ship to any postcode in the world, you will
  need to enter every postcode into the zipcodes fields. For most
  shops, you will not want to enter every postcode, and in fact this module
  has NOT BEEN DESIGNED TO ENCOMPASS MANY POSTCODES. If a postcode is not
  listed, then the module will add a $0.00 shipping charge and will
  indicate that shipping is not available to that destination.
  PLEASE NOTE THAT THE ORDER CAN STILL BE COMPLETED AND PROCESSED!
  It appears that the osC shipping system automatically rounds the
  shipping weight up to the nearest whole unit. This makes it more
  difficult to design precise shipping tables. If you want to, you
  can hack the shipping.php file to get rid of the rounding. (This does not
  affect this modified version, which compares the order total rather than the weight.)
  Lastly, there is a limit of 255 characters on each of the Zipcode
  Shipping Tables and Zone Countries. This limits you to 255/6 = 42
  MAX zipcodes per zone. DO NOT ENTER MORE THAN 42 POSTCODES PER ZONE!!

  Released under the GNU General Public License
*/
  class zipshipbyorderamount {
    var $code, $title, $description, $enabled, $num_zones;
    var $sort_order, $icon, $tax_class, $quotes, $_check;

    // class constructor
    function __construct() {
      $this->code = 'zipshipbyorderamount';
      $this->title = MODULE_SHIPPING_HOMEZIPSHIP_TEXT_TITLE;
      $this->description = MODULE_SHIPPING_HOMEZIPSHIP_TEXT_DESCRIPTION;
      $this->sort_order = MODULE_SHIPPING_HOMEZIPSHIP_SORT_ORDER;
      $this->icon = '';
      $this->tax_class = MODULE_SHIPPING_HOMEZIPSHIP_TAX_CLASS;
      $this->enabled = ((MODULE_SHIPPING_HOMEZIPSHIP_STATUS == 'True') ? true : false);

      // CUSTOMIZE THIS SETTING FOR THE NUMBER OF ZONES NEEDED
      $this->num_zones = 6;
    }

    // class methods
    function quote($method = '') {
      //internet-goods.com global $order, $shipping_weight, $shipping_num_boxes;
      global $order, $cart, $shipping_weight, $shipping_num_boxes;

      //from freeamount.php, get order total and use that instead of weight
      $cart_total = (float)$cart->show_total();
      $dest_zipcode = $order->delivery['postcode'];
      $dest_zone = 0;
      $error = false;

      // iterate through all the zones first. The patterns are unanchored regular
      // expressions and this loop deliberately does not stop at the first hit, so the
      // highest-numbered matching zone wins (see ZONE PRECEDENCE above).
      // ereg()/split() were removed in PHP 7; preg_* with a '~' delimiter behaves the
      // same for the zipcode patterns this module expects (a pattern containing '~'
      // would need escaping).
      for ($i = 1; $i <= $this->num_zones; $i++) {
        $zipcode_table = constant('MODULE_SHIPPING_HOMEZIPSHIP_CODES_' . $i);
        $zipcode_zones = preg_split('/,/', $zipcode_table);
        for ($j = 0; $j < count($zipcode_zones); $j++) {
          $pattern = trim(strtoupper($zipcode_zones[$j]));
          // an empty zone list (the default for unused zones) must not match everything
          if ($pattern != '' && preg_match('~' . $pattern . '~', trim(strtoupper($dest_zipcode)))) {
            $dest_zone = $i;
            break;
          }
        }
      }

      if ($dest_zone == 0) {
        $error = true;
        // no zone covers this postcode: the quote goes out with a zero cost and the
        // error flag; osCommerce shows the INVALID_ZONE text but CAN still complete
        // the order (see CAVEATS)
        $shipping_cost = 0;
        $shipping_method = MODULE_SHIPPING_HOMEZIPSHIP_INVALID_ZONE;
      } else {
        $shipping = -1;
        $zipcode_cost = constant('MODULE_SHIPPING_HOMEZIPSHIP_COST_' . $dest_zone);

        //find the rate for this zip and weight
        //except we hack it to check against order cost not weight
        $zipcode_table = preg_split('/[:,]/', $zipcode_cost);
        $size = sizeof($zipcode_table);
        for ($i = 0; $i + 1 < $size; $i += 2) {
          // if ($shipping_weight <= $zipcode_table[$i]) {
          if ($cart_total <= (float)$zipcode_table[$i]) {
            $shipping = (float)$zipcode_table[$i+1];
            //internet-goods.com commented out $shipping_method = MODULE_SHIPPING_HOMEZIPSHIP_TEXT_WAY . ' ' . $dest_zipcode . ' : ' . $shipping_weight . ' ' . MODULE_SHIPPING_HOMEZIPSHIP_TEXT_UNITS;
            $shipping_method = MODULE_SHIPPING_HOMEZIPSHIP_TEXT_WAY . ' ' . $dest_zipcode;
            break;
          }
        }

        if ($shipping == -1) {
          // order total is above the last bracket: quoted at 0.00 with no error flag (see CAVEATS)
          $shipping_cost = 0;
          $shipping_method = MODULE_SHIPPING_HOMEZIPSHIP_UNDEFINED_RATE;
        } else {
          $shipping_cost = ($shipping * $shipping_num_boxes) + constant('MODULE_SHIPPING_HOMEZIPSHIP_HANDLING_' . $dest_zone);
        }
      }

      $this->quotes = array('id' => $this->code,
                            'module' => MODULE_SHIPPING_HOMEZIPSHIP_TEXT_TITLE,
                            'methods' => array(array('id' => $this->code,
                                                     'title' => $shipping_method,
                                                     'cost' => $shipping_cost)));

      if ($this->tax_class > 0) {
        $this->quotes['tax'] = tep_get_tax_rate($this->tax_class, $order->delivery['country']['id'], $order->delivery['zone_id']);
      }

      if (tep_not_null($this->icon)) $this->quotes['icon'] = tep_image($this->icon, $this->title);

      if ($error == true) $this->quotes['error'] = MODULE_SHIPPING_HOMEZIPSHIP_INVALID_ZONE;

      return $this->quotes;
    }

    function check() {
      if (!isset($this->_check)) {
        $check_query = tep_db_query("select configuration_value from " . TABLE_CONFIGURATION . " where configuration_key = 'MODULE_SHIPPING_HOMEZIPSHIP_STATUS'");
        $this->_check = tep_db_num_rows($check_query);
      }
      return $this->_check;
    }

    function install() {
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Enable Zipcode Method', 'MODULE_SHIPPING_HOMEZIPSHIP_STATUS', 'True', 'Do you want to offer Zipcode rate shipping/delivery?', '6', '0', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, use_function, set_function, date_added) values ('Tax Class', 'MODULE_SHIPPING_HOMEZIPSHIP_TAX_CLASS', '0', 'Use the following tax class on the shipping/delivery fee.', '6', '0', 'tep_get_tax_class_title', 'tep_cfg_pull_down_tax_classes(', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort Order', 'MODULE_SHIPPING_HOMEZIPSHIP_SORT_ORDER', '0', 'Sort order of display.', '6', '0', now())");

      for ($i = 1; $i <= $this->num_zones; $i++) {
        // defaults exist for the first three zones only; the rest start empty
        // (the table default must be reset too, or zone 3's table leaks into zones 4-6)
        $default_zipcodes = '';
        $default_dlvtable = '';
        if ($i == 1) {
          $default_zipcodes = '32903,32937';
          $default_dlvtable = '4:5,10:6,99:10';
        } else if ($i == 2) {
          $default_zipcodes = '32901,32935';
          $default_dlvtable = '4:7,10:10,99:13.50';
        } else if ($i == 3) {
          $default_zipcodes = '32951,32940';
          $default_dlvtable = '4:10,10:15,99:17.50';
        }
        tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Zone " . $i . " Zipcode(s)', 'MODULE_SHIPPING_HOMEZIPSHIP_CODES_" . $i . "', '" . $default_zipcodes . "', 'Comma separated list of 5-digit zipcodes that are part of Zone " . $i . ".', '6', '0', now())");
        tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Zone " . $i . " Shipping/Delivery Fee Table', 'MODULE_SHIPPING_HOMEZIPSHIP_COST_" . $i . "', '" . $default_dlvtable . "', 'Shipping rates to Zone " . $i . " destinations based on a group of maximum order totals. Example: 4:5,8:7,... order totals less than or equal to 4 would cost $5 for Zone " . $i . " destinations.', '6', '0', now())");
        tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Zone " . $i . " Handling Fee', 'MODULE_SHIPPING_HOMEZIPSHIP_HANDLING_" . $i . "', '0', 'Handling Fee for this Zipcode', '6', '0', now())");
      }
    }

    function remove() {
      tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
    }

    function keys() {
      $keys = array('MODULE_SHIPPING_HOMEZIPSHIP_STATUS', 'MODULE_SHIPPING_HOMEZIPSHIP_TAX_CLASS', 'MODULE_SHIPPING_HOMEZIPSHIP_SORT_ORDER');
      for ($i = 1; $i <= $this->num_zones; $i++) {
        $keys[] = 'MODULE_SHIPPING_HOMEZIPSHIP_CODES_' . $i;
        $keys[] = 'MODULE_SHIPPING_HOMEZIPSHIP_COST_' . $i;
        $keys[] = 'MODULE_SHIPPING_HOMEZIPSHIP_HANDLING_' . $i;
      }
      return $keys;
    }
  }
?>
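The two failure modes the header comment documents (an unmatched postcode, and an order total above the last bracket) and the zone-precedence rule are easiest to see by running the matching and rate logic on sample input. The following Python port is an added example for this post, not code from the module or from osCommerce. The zone tables are constructed (zones 1 and 2 reuse the install() defaults, zone 3 is a made-up prefix pattern), and the hardened variant, with anchored patterns, first-zone-wins, and no quote at all outside the tables, is one reasonable fix rather than anything the mod ships.

```python
import re
from typing import Dict, Optional

# Constructed configuration in the module's own field formats. The zip lists for
# zones 1 and 2 are the module's install() defaults; zone 3 is a made-up prefix
# pattern of the kind the header comment recommends, with a made-up handling fee.
ZONE_CODES = {1: "32903,32937", 2: "32901,32935", 3: "329"}
ZONE_RATES = {1: "4:5,10:6,99:10", 2: "4:7,10:10,99:13.50", 3: "4:10,10:15,99:17.50"}
ZONE_HANDLING = {1: 0.0, 2: 0.0, 3: 2.0}


def find_zone_original(postcode: str, zone_codes=ZONE_CODES) -> int:
    """Port of the PHP zone loop. ereg() is an unanchored search and the outer
    loop never breaks, so the highest-numbered zone that matches anywhere in
    the postcode wins; "329" in zone 3 therefore overrides "32937" in zone 1."""
    dest_zone = 0
    pc = postcode.strip().upper()
    for zone in sorted(zone_codes):
        for pattern in zone_codes[zone].split(","):
            if re.search(pattern.strip().upper(), pc):
                dest_zone = zone
                break
    return dest_zone


def find_zone_anchored(postcode: str, zone_codes=ZONE_CODES) -> int:
    """Hardened variant: the pattern must match the whole postcode and the first
    matching zone wins, so precedence follows zone order and "329" cannot
    match "13290"."""
    pc = postcode.strip().upper()
    for zone in sorted(zone_codes):
        for pattern in zone_codes[zone].split(","):
            if re.fullmatch(pattern.strip().upper(), pc):
                return zone
    return 0


def rate_for_total(cart_total: float, table: str) -> float:
    """Scan a 'max:price,max:price' table and return the price of the first
    bracket whose maximum is >= the total, or -1 when the total is above the
    last bracket (the module's own sentinel)."""
    for entry in table.split(","):
        limit, price = entry.split(":")
        if cart_total <= float(limit):
            return float(price)
    return -1.0


def quote_original(postcode: str, cart_total: float, num_boxes: int) -> Dict[str, object]:
    """What the module's quote() produces, including its two documented failure modes."""
    zone = find_zone_original(postcode)
    if zone == 0:
        # $shipping_cost is never assigned on this path in the PHP, so the quote
        # carries a null (0.00) cost plus an error flag the checkout may ignore.
        return {"zone": 0, "cost": 0.0, "error": True}
    rate = rate_for_total(cart_total, ZONE_RATES[zone])
    if rate < 0:
        # Above the top bracket: cost 0 and no error flag at all.
        return {"zone": zone, "cost": 0.0, "error": False}
    return {"zone": zone, "cost": rate * num_boxes + ZONE_HANDLING[zone], "error": False}


def quote_hardened(postcode: str, cart_total: float, num_boxes: int) -> Optional[Dict[str, object]]:
    """Anchored matching, first zone wins, and no quote at all (None) when the
    destination or the order total falls outside the configured tables. The
    caller must treat None as 'shipping unavailable', never as a free quote."""
    zone = find_zone_anchored(postcode)
    if zone == 0:
        return None
    rate = rate_for_total(cart_total, ZONE_RATES[zone])
    if rate < 0:
        return None
    return {"zone": zone, "cost": rate * num_boxes + ZONE_HANDLING[zone], "error": False}


if __name__ == "__main__":
    for pc, total in (("32937", 50), ("13290", 50), ("32903", 500), ("99999", 50)):
        print(pc, total, quote_original(pc, total, 1), quote_hardened(pc, total, 1))
```

Compare quote_original against quote_hardened for 32937 (the "329" prefix in zone 3 steals it from zone 1) and for an order total of 500 (quoted at 0.00 by the original with no error). If you port the hardened rules back into quote(), the checkout also has to refuse to proceed when no quote is returned; setting 'error' on its own does not stop the order, as the CAVEATS section says.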
MySQL Slave Creation script
by nate on Oct.20, 2009, under Open Source Linux
#!/bin/sh
# Run this on the slave node: it dumps example_db from the master under a global
# read lock, records the master's binlog coordinates while the lock is still held,
# and points this node at the master with CHANGE MASTER TO.
# The master is reached through MASTER_HANDLE, a persistent session opened with the
# shsql (ShellSQL) tools; you need shsql installed for any of this to work, and the
# session is what keeps the read lock alive across the commands below.
#
# CAUTION: the replication user's password appears on command lines below and is
# visible to any local user in the process list (ps). A ~/.my.cnf or a
# --defaults-extra-file with mode 600 is the usual way to keep it out of argv.
MASTER_HOST=masterhost.com
DB=example_db
REPL_USER=repl_user
REPL_PASS=password

MASTER_HANDLE=`shmysql host=$MASTER_HOST dbname=$DB user=$REPL_USER password=$REPL_PASS`

# lock tables on the master and keep the session open so the lock is held
shsql $MASTER_HANDLE "FLUSH TABLES WITH READ LOCK"
echo "locked"

# while locked, create the database on this node and load the master's dump into it
echo "creating $DB"
echo "create database $DB" | mysql -uroot
echo "starting dump"
mysqldump --skip-opt --databases $DB -h $MASTER_HOST -u$REPL_USER -p$REPL_PASS | mysql -uroot

# the binlog coordinates cannot move while the read lock is held, so read them now
echo "acquire master info"
MASTER_LOG_FILE=`echo SHOW MASTER STATUS | mysql -h $MASTER_HOST -u$REPL_USER -p$REPL_PASS -N | awk '{print $1}'`
MASTER_LOG_POS=`echo SHOW MASTER STATUS | mysql -h $MASTER_HOST -u$REPL_USER -p$REPL_PASS -N | awk '{print $2}'`
echo $MASTER_LOG_FILE
echo $MASTER_LOG_POS
#EXAMPLE ROWS=`shsql $HANDLE "select count(*) from SERVER"`

# point this node at the master and start replicating (START SLAVE fails until the
# server-id from the TODO below is set in my.cnf and mysqld restarted)
mysql -uroot << EOF
CHANGE MASTER TO MASTER_HOST='$MASTER_HOST', MASTER_USER='$REPL_USER', MASTER_PASSWORD='$REPL_PASS', MASTER_LOG_FILE='$MASTER_LOG_FILE', MASTER_LOG_POS=$MASTER_LOG_POS;
START SLAVE;
EOF

shsql $MASTER_HANDLE "UNLOCK TABLES"
echo "unlocked"
shsqlend $MASTER_HANDLE

# Slave_IO_Running and Slave_SQL_Running should both read Yes
mysql -uroot -e 'SHOW SLAVE STATUS\G'
#TODO: script to add [mysqld] server-id=2 log-bin=mysql-bin entry on slave my.cnf
Redhat 9.0, Samba, Winbind, and Openldap Integration
by nate on Oct.04, 2009, under Open Source Linux, Samba
Some old notes I took on integrating these tools:
Samba, winbind, and OpenLDAP for idmap storage on Red Hat 9.0
7/12/2004
Software versions:
Samba 3.0.4
OpenLDAP 2.1
Red Hat 9.0
I also recommend gq or ldapbrowser for a GUI view of the OpenLDAP database.
This document covers how to set up an OpenLDAP server as the backend for a Samba client doing
idmappings with winbind, to allow Linux workstations to log into a Windows 2003 domain.
Step 1: Get winbind and samba working as per the document:
"Configuring Samba for Active Directory Logins"
The configuration options listed in that document for Samba 3.0.2 work with the newer Samba 3.0.4 just fine.
Once you can run getent passwd and see all the domain users listed, configure Samba to use OpenLDAP as the idmap backend. Without OpenLDAP, Samba stores the idmappings in the following file:
/var/lib/samba/winbindd_idmap.tdb
Samba uses this file as a cache even when configured to use OpenLDAP as a backend, so if your server does not seem to be consulting the OpenLDAP backend, delete this file and restart winbind; that forces a lookup instead of a read from the cached copy.
Step 2: Download and install OpenLDAP 2.1
Read the OpenLDAP 2.1 Administrator's Guide:
http://www.openldap.org/doc/admin21/
Download the openldap 2.1 source:
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.1.30.tgz
uncompress the sources
# tar zvxf openldap-2.1.30.tgz
go into the sources directory
# cd openldap-2.1.30
Set the environment variables configure needs to find the SSL/TLS headers and libraries (and, on Red Hat, the Kerberos headers that OpenSSL's headers pull in). Note that the variable is LDFLAGS, and it takes a library directory, not an include directory:
# export CPPFLAGS="-I/usr/include/openssl -I/usr/kerberos/include"
# export LDFLAGS="-L/usr/kerberos/lib"
run configure on the sources, with the options laid out in the OpenLDAP SSL/TLS howto
openldap-2.1.30# ./configure --prefix=/usr --with-tls --enable-slapd --enable-ldbm --disable-bdb
Enter the following command to build dependencies and look for errors:
# make depend
Enter the following command to build the system and look for errors:
# make
Enter the following command to install the binaries and man pages:
# make install
Step 3: configure OpenLDAP
The configure option --prefix=/usr installs the OpenLDAP binaries into a directory most users already have in their path, which is good. However Samba does not look in the right directory for the OpenLDAP client configuration file, so we also add a symlink to redirect it.
Samba looks here: /usr/local/etc/openldap/ldap.conf
but our ldap.conf lives here: /usr/etc/openldap/ldap.conf
so make the directories and a symlink pointing Samba at the real file:
# mkdir /usr/local/etc
# mkdir /usr/local/etc/openldap
# cd /usr/local/etc/openldap
openldap]# ln -s /usr/etc/openldap/ldap.conf ldap.conf
Also delete the directory /etc/openldap and the file /etc/ldap.conf, then symlink them to where the OpenLDAP config files actually live as installed from source:
# rm -rf /etc/openldap/
# rm -rf /etc/ldap.conf
# ln -s /usr/etc/openldap/ldap.conf /etc/ldap.conf
# ln -s /usr/etc/openldap/ /etc/openldap
This should reduce confusion: the Red Hat rpms set up /etc/openldap, but we are not using rpms for either Samba or OpenLDAP.
OpenLDAP has 2 configuration files that need changes:
/usr/etc/openldap/ldap.conf <-- client settings
/usr/etc/openldap/slapd.conf <-- server settings
Note that any reference to dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
should be built from the working DNS name of the OpenLDAP server. It is very important that lines that reference a domain name use a name that actually resolves, even if only via a corresponding entry in /etc/hosts, for example:
140.192.40.103 voyager.research.cti.depaul.edu
/usr/etc/openldap/ldap.conf should contain these lines and nothing else
(changing the BASE and HOST lines to reflect your server's actual DNS-resolvable hostname):
BASE dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
HOST voyager.research.cti.depaul.edu
Copy samba.schema into the OpenLDAP schema directory; OpenLDAP needs this file in order to understand the data Samba will be storing.
# cp /root/samba-3.0.4/examples/LDAP/samba.schema /usr/etc/openldap/schema/
/usr/etc/openldap/slapd.conf should look like this:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/nis.schema
include /usr/etc/openldap/schema/samba.schema
pidfile /usr/var/slapd.pid
argsfile /usr/var/slapd.args
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu"
rootdn "cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret2
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. Mode 700 recommended.
directory /usr/var/openldap-data
# Indices to maintain
index objectClass eq
The preceding slapd.conf sets the rootdn's password to secret2, which is supplied together with the bind DN cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
to get full access to the OpenLDAP database, much like the login and password of the root user on Linux. Two things to fix before this leaves the lab: rootpw should hold a hash produced by slappasswd rather than the cleartext password (the template's own comment says so), and this slapd.conf has no access directives at all, so slapd applies its default policy of "access to * by * read", which lets anonymous clients read every entry, idmap included; add access directives that limit reads to the DN winbind binds as.
To have slapd's syslog output go to its own log file, add this line to the end of /etc/syslog.conf (slapd logs to the local4 facility by default):
local4.* /var/log/openldap.log
and restart syslog:
# /sbin/service syslog restart
Now you can watch the server accept connections and requests, which are logged to /var/log/openldap.log.
First we will test the OpenLDAP server to make sure it is working in plaintext mode.
Run the following command in a terminal window as root to start the OpenLDAP server:
# /usr/libexec/slapd -4 -d9 -h "ldap:///"
-4 tells it to use IPv4 only
-d9 is the debugging level; 9 gives useful information on TLS/SSL which we will need later
-h "ldap:///" tells it which URLs to service
You should see a bunch of output and then it stops at:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
Now the server is listening on port 389 (ldap); it logs to the console at the level of detail specified by -d#.
Try to connect and run a search, watching for output in /var/log/openldap.log and in the console window where slapd was started:
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
You should see something like this (the output below was captured on a host using a dc=linuxlab1 suffix; yours will show your own):
dn:
namingContexts: dc=linuxlab1,dc=research,dc=cti,dc=depaul,dc=edu
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Now we can set up the entries OpenLDAP needs. Make a file, entries.ldif, containing this (the blank line between the two entries is required by LDIF):
dn: dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
objectclass: dcObject
objectclass: organization
dc: voyager
o: Example Company
description: example corp

dn: cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
objectclass: organizationalRole
cn: Manager
description: Directory Manager
Save the file, replacing dc: voyager with your server's name and the dn: lines with equivalents that match your server's full DNS name. While the OpenLDAP server is still running, run this command, which takes the contents of the .ldif file and creates the corresponding entries in the OpenLDAP database (-w puts the password on the command line, where other users can see it in the process list; -W prompts for it instead):
# ldapadd -f entries.ldif -x -D "cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" -w secret2
You should see something like this:
adding new entry "dc=linuxlab1,dc=research,dc=cti,dc=depaul,dc=edu"
adding new entry "cn=Manager,dc=linuxlab1,dc=research,dc=cti,dc=depaul,dc=edu"
If you don't get an error, run the ldapsearch command mentioned before again to check that it was added:
# ldapsearch -x -b 'dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu' '(objectclass=*)'
You should see something that ends with:
# Manager, linuxlab1.research.cti.depaul.edu
dn: cn=Manager,dc=linuxlab1,dc=research,dc=cti,dc=depaul,dc=edu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Now we want to add the ldap OU that samba will use to store idmappings. Taken from the samba howtos, create a file idmap.ldif that contains these lines:
dn: ou=Idmap,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
objectClass: organizationalUnit
ou: idmap
Then load it in with this command:
ldapadd -f idmap.ldif -x -D "cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" -w secret2
you should see a result similar to this:
adding new entry "ou=Idmap,dc=linuxlab1,dc=research,dc=cti,dc=depaul,dc=edu"
Run an ldapsearch command or use gq to make sure the ou=Idmap entry was added, then edit /etc/samba/smb.conf to tell Samba to store its idmap in the OpenLDAP server.
Step 4: Configure Samba to use the OpenLDAP backend to store its idmap
Add the following lines (again changed to reflect your actual hostname) after "winbind separator = +":
ldap suffix = dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
ldap idmap suffix = ou=Idmap
ldap admin dn = "cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu"
idmap backend = ldap:ldap://voyager.research.cti.depaul.edu
And set the password samba uses to connect to the openldap server:
# smbpasswd -w secret2
then you should see:
Setting stored password for "cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" in secrets.tdb
This stores the password in /etc/samba/secrets.tdb; make sure this file is readable only by root! Also note that the password must be set on every client computer as well.
Now restart smb and winbind:
#/sbin/service smb restart; /sbin/service winbind restart
If winbind connects successfully, you should see the following in /var/log/openldap.log. mech=SIMPLE is a simple bind, meaning the password itself was sent to the server, and there is no TLS layer on this connection yet, so it crossed the network in the clear (Step 5 addresses this):
Jul 12 15:24:32 voyager slapd[19300]: conn=2 fd=8 ACCEPT from IP=140.192.40.103:39137 (IP=0.0.0.0:389)
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=1 BIND dn="cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" method=128
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=1 BIND dn="cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" mech=SIMPLE ssf=0
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=1 RESULT tag=97 err=0 text=
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=2 SRCH base="ou=Idmap,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" scope=2 filter="(objectClass=sambaUnixIdPool)"
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=2 SRCH attr=uidNumber gidNumber objectClass
Jul 12 15:24:34 voyager slapd[19300]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Now winbind will use the OpenLDAP server to look up any SID->uid/gid mappings not already stored in /var/lib/samba/winbindd_idmap.tdb.
After you see the previous log entries signifying a successful connection between samba/winbind and OpenLDAP, stop smb and winbind, delete the winbindd_idmap.tdb file, then restart smb and winbind.
# /sbin/service smb stop; /sbin/service winbind stop
# rm /var/lib/samba/winbindd_idmap.tdb
# /sbin/service smb start; /sbin/service winbind start
# getent passwd RESEARCH+user (or any other user you have in the domain)
This should output the specified user's passwd entry (RESEARCH+user in the example) and, in doing so, query the OpenLDAP server for the correct UID and GID. If winbindd_idmap.tdb has been deleted, winbind recreates it from the information it gets from OpenLDAP. You should also see entries in /var/log/openldap.log showing the SID -> UID/GID mappings being stored in the OpenLDAP server, like this:
Jul 14 16:56:19 linuxlab1 slapd[3629]: conn=2 op=9 ADD dn="sambaSID=S-1-5-21-1513915784-205087697-1902910507-513,ou=Idmap,dc=linuxlab1,dc=research,dc=cti,dc=depaul,dc=edu"
If you have gotten this far, you have a functional OpenLDAP server holding idmappings for your Windows domain accounts. The configuration up to now reflects a samba/winbind server which also runs the OpenLDAP backend.
To set up a client, get winbind working on it and make the same additions to /etc/samba/smb.conf that you made on the server. Then stop smb and winbind, delete the winbindd_idmap.tdb cache, and restart smb and winbind, watching the logs on the server to see the client connecting. If you see only err=0 in the logs, and wbinfo -u works, your client is now using the OpenLDAP server for its idmappings!
Step 5: Securing OpenLDAP via TLS/SSL
As configured so far, OpenLDAP sends the bind password in the clear; with a sniffer you can actually watch "secret2" go over the wire (the mech=SIMPLE bind lines above are exactly those binds, and every client produces them, since each one binds with the admin DN). This is not good, so we will enable TLS. The server then needs a certificate, and clients need the CA certificate to verify it; if slapd is additionally configured to demand client certificates, only clients holding a certificate signed by that CA can connect.
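Spotting those cleartext binds in /var/log/openldap.log is a short parser job. The following Python is an added example, not part of this guide or of OpenLDAP: it walks slapd stats lines of the kind shown above, remembers which connections negotiated TLS, and reports every simple bind that carried a DN's password over a connection without a TLS layer. The sample log is constructed (the conn=2 lines are the ones from this post; conn=3, which runs STARTTLS first, and conn=4, an anonymous bind, are made up), and the "TLS established" line is the form slapd uses once a TLS layer exists on a connection.

```python
import re
from typing import Dict, List

# Constructed sample in the format shown in this post. The conn=2 lines are copied
# from the log excerpt above; conn=3 (STARTTLS, then a bind) and conn=4 (an anonymous
# bind) are made up for the example. Note that ssf= on the BIND line is the SASL
# layer's strength and stays 0 for simple binds even over TLS; the TLS layer is
# reported on its own 'TLS established' line, which is what this audit keys on.
SAMPLE_LOG = """\
Jul 12 15:24:32 voyager slapd[19300]: conn=2 fd=8 ACCEPT from IP=140.192.40.103:39137 (IP=0.0.0.0:389)
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=1 BIND dn="cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" method=128
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=1 BIND dn="cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" mech=SIMPLE ssf=0
Jul 12 15:24:33 voyager slapd[19300]: conn=2 op=1 RESULT tag=97 err=0 text=
Jul 12 15:30:01 voyager slapd[19300]: conn=3 fd=9 ACCEPT from IP=10.0.0.5:40111 (IP=0.0.0.0:389)
Jul 12 15:30:01 voyager slapd[19300]: conn=3 op=0 STARTTLS
Jul 12 15:30:01 voyager slapd[19300]: conn=3 op=0 RESULT oid= err=0 text=
Jul 12 15:30:01 voyager slapd[19300]: conn=3 fd=9 TLS established tls_ssf=256 ssf=256
Jul 12 15:30:02 voyager slapd[19300]: conn=3 op=1 BIND dn="cn=Manager,dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu" mech=SIMPLE ssf=0
Jul 12 15:30:02 voyager slapd[19300]: conn=3 op=1 RESULT tag=97 err=0 text=
Jul 12 15:31:10 voyager slapd[19300]: conn=4 fd=10 ACCEPT from IP=10.0.0.7:40222 (IP=0.0.0.0:389)
Jul 12 15:31:10 voyager slapd[19300]: conn=4 op=0 BIND dn="" method=128
Jul 12 15:31:10 voyager slapd[19300]: conn=4 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\w+)')


def audit_slapd_log(text: str) -> List[Dict[str, str]]:
    """One finding per simple bind that carried a DN's password over a connection
    with no TLS layer at the time of the bind. State is tracked per conn= id."""
    src_by_conn: Dict[str, str] = {}
    tls_conns = set()
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            src_by_conn[m.group(1)] = m.group(2)
            continue
        m = TLS_RE.search(line)
        if m:
            tls_conns.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m:
            conn, dn, mech = m.groups()
            # an anonymous bind (dn="") sends no secret, and a SASL mech such as
            # GSSAPI does not send the password either, so only SIMPLE with a DN counts
            if mech == "SIMPLE" and dn and conn not in tls_conns:
                findings.append({"conn": conn, "dn": dn, "src": src_by_conn.get(conn, "?")})
    return findings


if __name__ == "__main__":
    for f in audit_slapd_log(SAMPLE_LOG):
        print(f"cleartext bind on conn={f['conn']} from {f['src']} as {f['dn']}")
```

Feed it the real file with audit_slapd_log(open("/var/log/openldap.log").read()); once Step 5 is finished and every client has ldap_ssl / TLS configured, the report should be empty, and any line it still prints names a host that is sending the admin password in the clear.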
In order to get a feel for how this all works, read this document:
Read OpenLDAP SSL/TLS How-To: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
The area of interest to us is section 4.2 “CA Issue Certificate”
The OpenLDAP server will be acting as an OpenSSL "certificate authority" which issues both the server certificate and the client certificates.
Follow these steps to create a CA and some certificates:
Create any directory for creating and signing your certificates.
For example, /var/myca.
# mkdir /var/myca
# cd /var/myca
now run the OpenSSL CA script:
# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
........................++++++
.......................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Unit
Common Name (eg, YOUR name) []:example.com <-- make sure this matches what you have been using
Email Address []:.
#
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (the CA certificate and its private key). Keep cakey.pem and its passphrase off the LDAP server if you can: anything that can sign with this key can mint certificates your clients will trust.
Now make the server certificate signing request (CSR). The howto's command writes the private key and the request into the same file, newreq.pem, which the CA script expects; -nodes leaves the key unencrypted so slapd can start without a passphrase. 1024-bit RSA and the md5WithRSAEncryption signature shown below were the 2004 defaults; today use at least 2048-bit RSA (-newkey rsa:2048) and set default_md = sha256 in openssl.cnf so the CA signs with SHA-256.
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
…………..++++++
……………………..++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Org Unit
Common Name (eg, YOUR name) []:myserver.com <-- make sure this is your server's full DNS name; clients compare it against the hostname in their ldap URI
Email Address []:ldap@myserver.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:.
#
The result is newreq.pem.
Have the CA sign the CSR:
# /usr/share/ssl/misc/CA -sign
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Texas'
localityName :PRINTABLE:'Austin'
organizationName :PRINTABLE:'Example Org'
organizationalUnitName:PRINTABLE:'Example Org Unit'
commonName :PRINTABLE:'myserver.com'
emailAddress :IA5STRING:'ldap@myserver.com'
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit, CN=example.com
Validity
Not Before: Apr 11 18:58:58 2003 GMT
Not After : Apr 10 18:58:58 2004 GMT
Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit, CN=myserver.com/Email=ldap@myserver.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
< ... >
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61
X509v3 Authority Key Identifier:
keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1
DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/CN=example.com
serial:00
Signature Algorithm: md5WithRSAEncryption
< ... >
-----BEGIN CERTIFICATE-----
< ... >
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
#
This creates newcert.pem (the server certificate, signed by the CA); the matching private key is still in newreq.pem.
5. Now the certificates can be moved to the desired certificate repository and renamed.
I prefer /usr/var/openldap-data as my certificate directory.
# cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
# mv newcert.pem /usr/var/openldap-data/servercrt.pem
# mv newreq.pem /usr/var/openldap-data/serverkey.pem
# chmod 400 /usr/var/openldap-data/serverkey.pem
The last command makes the private key readable only by its owner, which must be the user who runs slapd. A chown will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.
6. Make the CA certificate available to your LDAP clients.
If the client is on the same machine, copy cacert.pem to a location accessible by the client. If clients are on other machines, then cacert.pem will have to be copied to those machines and also made accessible.
What this means is each client is going to need a copy of the “cacert.pem” file.
So use scp:
# scp /usr/var/openldap-data/cacert.pem root@clienthost:/usr/var/openldap-data/
Next, on the OpenLDAP server, we have to make each client's certificate, following similar steps:
/var/myca# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
(Hit enter for the challenge password, and make SURE that
Common Name (eg, YOUR name) []:myserver.com
is set to the hostname of the client.)
Then sign the certs:
/var/myca# /usr/share/ssl/misc/CA -sign
Again enter the CA pass phrase, and answer y to sign.
If the client runs on the same machine as the server, these steps work as they are. Otherwise copy newcert.pem and newreq.pem to the client via scp and rename them to match the names in your ldap.conf and ldaprc files.
# mkdir /root/certs
# mkdir /root/certs/keys
/var/myca# mv newcert.pem /root/certs/ldap.client.pem
/var/myca# mv newreq.pem /root/certs/keys/ldap.client.key.pem
# chmod 400 /root/certs/keys/ldap.client.key.pem
So each client needs client.pem, client.key.pem, and cacert.pem. cacert.pem is the same on all clients, but the OpenLDAP server with the CA will need to create each client's client.key.pem and client.pem and somehow get them to the correct directory on the clients (I recommend using scp).
Next we create a file on each client, /root/ldaprc, which contains:
TLS_REQCERT demand
TLS_CERT /root/certs/ldap.client.pem
TLS_KEY /root/certs/keys/ldap.client.key.pem
and edit your /usr/etc/openldap/ldap.conf, adding the TLS lines below:
BASE dc=voyager,dc=research,dc=cti,dc=depaul,dc=edu
HOST voyager.research.cti.depaul.edu
TLS_CACERT /usr/var/openldap-data/cacert.pem
TLS_REQCERT demand
Next edit your /usr/etc/openldap/slapd.conf and add the following lines above the "rootdn can always write" line:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
TLSVerifyClient demand
Also, edit /etc/init.d/winbind and change the line daemon winbindd to daemon --user root winbindd
This makes the service script use the ldaprc and find the correct client keys in order to establish a TLS connection.
Now stop slapd, and restart it with this:
# /usr/libexec/slapd -4 -d9 -h "ldap:///"
The -d9 will give TLS/ssl debugging information that will help if there are problems establishing a secure connection.
Then restart winbind:
# /sbin/service smb restart; /sbin/service winbind restart
Now look at /var/log/openldap.log. If you see a successful connection and bind, the OpenLDAP server is now encrypting its communications with Samba. Note that this setup requires all clients to have certificates to connect; otherwise the server will not allow any connection.
That's all!
How Mutant Exploits Defeat IDS
by nate on Sep.03, 2009, under Open Source Linux
Based on the ACM paper:
“Testing Network-based Intrusion Detection Signatures Using Mutant Exploits”
Downloaded from:
http://portal.acm.org/browse_dl.cfm?linked=1&part=series&idx=SERIES320&coll=portal&dl=ACM via a search for “mutant”.
Intrusion detection systems, a well known network security concept, function by listening on the network for suspicious activity. This paper explores some of their weaknesses and shows that they are not very effective once exploit mutations are applied.
According to the authors the tested IDS’s are “network-based misuse detection systems”. An example of network misuse could be running an exploit against a server, scanning the entire network for hosts, or sending traffic which results in a Denial of Service attack.
The authors perform rigorous tests of two IDSs, ISS RealSecure and Snort. These were chosen because they “represent the leading products in the open-source and commercial worlds” and “possess excellent attack detection capabilities and correctly manage many different types of evasion”. Both of these IDSs rely on “signatures” of known attacks. At first glance this seems a very effective way of detecting network misuse; however, this paper shows that in reality doing so is much more difficult.
It is difficult because “attacks that exploit a certain vulnerability may do so in completely different ways”. While it is easy to write IDS signatures for publicly known exploits, realistically not all exploits are going to be released, nor will all versions of a specific exploit be released. One would think “well how am I supposed to detect misuses that I don’t even know exist?”. A valid question, however the problem gets even worse.
IDS systems typically have signatures for thousands of exploits. These signatures are very static, effectively searching for a specific packet or set of packets sent across the network. Problems arise however, when an exploit is modified or “mutated” in ways that allow it to still function in compromising a host, yet in a way which obfuscates the network traffic. The paper breaks down such “Mutation Mechanisms” into a number of groups.
Network Layer Mutations include using IPv6 to evade IPv4-only IDSs, and IP packet splitting to evade IDSs that are not smart enough to reassemble packets before checking them against attack signatures.
Application Layer Mutations include Protocol Rounds, FTP Evasion Techniques, HTTP Evasion Techniques, and SSL NULL Record Evasion Techniques. All of these mutations change the data the exploit sends to the application in a way that the application still understands, but that no longer matches the IDS signature for the attempted exploit. “Examples of HTTP protocol evasion techniques include neglecting the use of carriage returns, random insertion of whitespace characters, and inserting junk characters into parsed numerical fields”. While RFCs strictly specify protocols, real products are often more lax about them, allowing the strange behavior which makes such mutations possible.
Exploit Layer Mutations are the newest of the group. They include polymorphic shellcode and Alternate Encodings. ADMmutate “generates self-decrypting exploit payloads that will defeat most popular NIDS shellcode detectors, including XOR-encoded payloads, randomized NOP generation, and support for banned characters”.
Since many exploits use predefined shellcode, the shellcode part of an exploit is easily added to IDS signatures. IDSs check for shellcode because, regardless of the exploit, some shellcode usually has to be pushed onto the compromised host in order to run commands for the attacker. Encoding the shellcode in a different format works, as does the “insertion of non-destructive junk instructions and the reordering/substitution of code”. In this way you have functional shellcode which does not match any IDS signature.
Alternate Encodings work by encoding the exploit into some format the server can decode and execute, but the IDS does not. Examples include TAR, ZIP, or url encoding via hex.
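To make the application-layer and alternate-encoding points concrete from the detection side, here is an added example (my own code, not from the paper or the IDS vendors) that runs one naive "directory traversal" signature over the same request written several ways: plain, percent-encoded, double-encoded (the IIS double-decoding case in the list above), and with extra whitespace. The raw matcher behaves like a byte-pattern IDS; the normalized matcher undoes the cheap mutations first. The request lines are constructed test vectors.

```python
"""Why a signature IDS must normalize before matching: the same request
with the encoding and whitespace mutations described above, checked
against one naive 'directory traversal' signature raw and normalized."""
import re
from urllib.parse import unquote

# Naive signature for a traversal attempt in an HTTP request line.
SIGNATURE = re.compile(r"GET /.*\.\./", re.IGNORECASE)

# Constructed request lines: one traversal written four ways, plus a benign
# request.  These are detector test vectors, not captured traffic.
SAMPLES = {
    "plain":  "GET /cgi-bin/../../secret HTTP/1.0",
    "hex":    "GET /cgi-bin/%2e%2e/%2e%2e/secret HTTP/1.0",
    "double": "GET /cgi-bin/%252e%252e/%252e%252e/secret HTTP/1.0",
    "spaces": "GET  \t /cgi-bin/../../secret   HTTP/1.0",
    "benign": "GET /index.html HTTP/1.0",
}


def raw_match(line):
    """What a byte-pattern IDS sees: the wire bytes exactly as sent."""
    return SIGNATURE.search(line) is not None


def normalize(line, max_decode_passes=2):
    """Undo the cheap application-layer mutations before matching:
    collapse whitespace runs the way a lax HTTP parser does, and
    percent-decode repeatedly (two passes cover a server that decodes
    twice, as the IIS double-decoding bug did)."""
    line = re.sub(r"\s+", " ", line.strip())
    for _ in range(max_decode_passes):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def normalized_match(line):
    """What the same signature sees after normalization."""
    return SIGNATURE.search(normalize(line)) is not None


def evaluate(samples):
    """Map sample name -> (raw hit, normalized hit)."""
    return {name: (raw_match(line), normalized_match(line))
            for name, line in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate(SAMPLES).items():
        print("%-7s raw=%-5s normalized=%s" % (name, raw, norm))
```

Only the plain form hits the raw signature; the three mutated forms are missed until the request is decoded and whitespace-collapsed, which is exactly the normalization that separates an IDS that "correctly manages evasion" from one that merely matches bytes. The flip side is that normalization has to mirror what the target server actually does (number of decode passes, whitespace tolerance), or the IDS and the server disagree about what was received.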
The paper tested 10 exploits mutated in various ways. The exploits were run against the server. Detection results were collected from the IDS systems. Success results were collected from an “oracle” application which they used to check whether the exploit was successful.
The exploits were chosen to represent the range of target operating systems, protocols, and categories of attacks. Linux, Windows, OpenBSD, FTP, HTTP, IMAP, RPC, and SSL were tested, along with buffer overflow and directory traversal attacks.
The following specific exploits were tested:
IIS Escaped Characters Double Decoding
WU-ftpd Remote Format String Stack Overwrite
Microsoft DCOM-RPC aka blaster
IIS Extended Unicode Directory Traversal
NSIISlog.DLL Remote Buffer Overflow
IIS 5.0 .printer ISAPI Extension Buffer Overflow
WS-FTP Server STAT Buffer Overflow Denial-Of-Service
Apache HTTP Chunked Encoding Overflow
OpenSSL SSLv2 Client Master Key Overflow
Each exploit was run through the authors’ “mutation engine” to generate mutant exploit combinations. Once a particular exploit was found which evaded the IDS systems yet still functioned, the authors moved on to the next exploit. One point made by the authors is that for some exploits the number of functional mutations could be quite large, leading to “an unmanageable number of mutant exploits”. The mutation engine tried using a variety of the previously mentioned methods.
The results of all these tests were quite sobering. Snort only detected 4 out of 10 of the mutant exploits, and ISS RealSecure only detected one. So what does this tell us? That a determined attacker could probably easily evade most commercial signature-based IDSs. I would say that signature-based IDSs are good for detecting “canned” exploits run at the “script kiddie” level. However, for someone who understands how they work, they seem to be rather trivial to defeat with automated tools such as ADMmutate.
Security means defense in depth, and signature-based IDSs are only one layer. Another type of IDS is based on Cisco's NetFlow technology. While I am not aware of any commercial products which do this, it is possible to correlate the flow data exported by Cisco routers in order to detect suspicious patterns such as port scans. Professor Skwarek touched on this briefly in his network security class.
Another layer of IDS that should not be overlooked is host-based IDS. Often exploits create anomalies in the log files which can be watched for and reported, possibly even before the attacker explores enough of the compromised system to discover that the alarm message has been sent. Attackers can modify logs, change configuration files, or replace system binaries with trojaned “rootkits”.
Such changes can be detected with programs like Tripwire, chkrootkit and rkhunter. Tripwire keeps a database of the hashes of the system files it protects. Chkrootkit and rkhunter act similarly to network-based IDSs, except they scan the system files for suspicious names, rootkit strings and configuration changes. However, these also rely on signatures and are thus vulnerable to mutations of the known rootkits.
SELinux Intro
by nate on Jun.23, 2009, under Open Source Linux, SELinux
I wrote this as a report on programming and using SELinux Mandatory Access Control policies.
SELinux: An Introduction
by Nate, 6/11/2005
SELinux is an implementation of a Mandatory Access Control architecture called
Flask, using the Linux Kernel. Up until its release such systems were not very
widespread. Currently however, Fedora Core 3 comes with SELinux installed,
and many other distributions such as Debian and Slackware are adopting it.
According to the NSA, a MAC is needed when “protection decisions must not be
decided by the object owner, and the system must enforce the protection
decisions over the wishes or intentions of the object owner”.
Flask evolved from a long line of NSA research on such MAC systems.
Mandatory Access Controls were originally built to enforce security clearances
given to users for objects in the system. SELinux takes the concept one step
further, applying such restrictions to almost every definable object a system could
have.
Non SELinux systems use a Discretionary Access control system which is
“vulnerable to tampering and bypass, and malicious or flawed applications can
easily cause failures in system security.” This is due to the fact that actions are
limited only by user identity and ownership, not by role.
For example, an attacker gaining control of a program in a DAC system is
allowed to do anything with that control, and can access anything the user the
process runs as can access. This is often not a good thing, as it allows the
corrupted process to do malicious things regardless of what role the program
originally was meant for.
SELinux policy helps solve this problem by allowing for very fine grained access
control. Some policies are separation policies to enforce legal and classification
restrictions on data, containment policies to restrict process access to data and
files, integrity policies to protect against modifications to data, and invocation
policies to control how processes run on the system.
In order for SELinux to function on Fedora Core 3, install the libselinux,
selinux-policy-strict, setools, checkpolicy, and policycoreutils rpms.
The system-config-securitylevel and setools-gui rpms are also helpful to see
some good examples of policies assignable to a user. In order to compile some
of the later examples, you will also need the libselinux-devel and
selinux-policy-strict-sources rpms.
SELinux accomplishes Mandatory Access Control with Flask and a “combination
of a Type Enforcement (TE) model and a Role-Based Access Control (RBAC)
model.” The TE model is implemented by “binding a security attribute called a
type to each object”.
Classes of objects are defined in the
/etc/selinux/strict/src/policy/flask/security_classes file.
A class is a kind of object such as a filesystem, file, directory, or socket. Classes
each have an access vector defining what functions they perform. Access
vectors are defined here:
/etc/selinux/strict/src/policy/flask/access_vectors
The file class can read, write, create, and append for example, while the socket
class can also read and write along with the bind, listen and connect. Types
given to processes are also known as domains.
The second part of flask, Role-Based Access Control, assigns roles to users.
The roles are then allowed some access vectors to various types. The
combination of user, role and type is a security “context”.
The SELinux policy determines which security contexts are allowed.
If SELinux is enabled on a Linux kernel, security contexts will be available for
viewing.
View the context of a file:
[root@xoci ~]# ls --context /etc/passwd
-rw-r--r-- root root system_u:object_r:etc_t /etc/passwd
View the context of a sshd process:
[root@xoci ~]# ps ax --context | grep sshd
2886 system_u:system_r:kernel_t /usr/sbin/sshd
You can also view information on the current policy with the seinfo program. This
also seems to be hard coded to the strict policy. Try it with a few settings:
seinfo -t shows types, seinfo -u shows users, seinfo -r shows roles.
SELinux is configured in the /etc/selinux/config file. For testing purposes use the
following settings:
SELINUX=permissive #(logs but does not enforce)
SELINUXTYPE=strict
Permissive mode will print warnings but not deny access, and is very useful
when writing your policy or debugging a program. On Fedora, I only had
success compiling policies of the strict type, as setools on Fedora seems to
have a path hard coded to the strict policy.
Once SELinux is configured, try to compile and install a policy from source. This
is done from the /etc/selinux/strict/src/policy directory.
The following make commands work:
make policy will make the policy but not install it
make load will make and load the policy
make relabel will relabel the type of any files to match the policy.
make load takes the files in the policy source directory and processes them
with the m4 macro processor into a policy.conf file. This file is then passed
to the SELinux policy compiler checkpolicy, which creates the binary policy
/etc/selinux/strict/policy/policy.18 for loading into the kernel.
After running a make load try rebooting the machine and login as root.
Create a new user account, setest. Login with this account.
[setest@pc-00071 ~]$ id -Z
user_u:user_r:user_t
The SELinux policy assigns the above context by default to undefined users.
Add the user_r and staff_r roles to setest by editing
/etc/selinux/strict/src/policy/users.
user setest roles { user_r staff_r };
Save the file and run make load again. Then log in as setest and check the context.
[setest@pc-00071 home]$ id -Z
setest:user_r:user_t
Try changing roles to staff_r
[setest@pc-00071 ~]$ newrole -r staff_r
Authenticating setest.
Password:
[setest@pc-00071 ~]$ id -Z
setest:staff_r:staff_t
SELinux allows for the creation of new types as well. Create a new file here:
/etc/selinux/strict/src/policy/types/custom.te
Add a new type declaration to this file:
type setestfile_t, file_type, sysadminfile;
This adds a new type to the policy, setestfile_t with the attributes of file_type and
sysadminfile.
The different attributes for types are listed in /etc/selinux/strict/src/policy/attrib.te.
Adding a new role requires modifying
/etc/selinux/strict/src/policy/domains/user.te.
To add the setest_r role, add these to the user.te file:
full_user_role(setest)
priv_user(setest)
Then modify /etc/selinux/strict/src/policy/macros/user_macros.te by adding:
role setest_r types $1;
Run make load again, and then do a seinfo -t | grep setest_t
You should see a list of types starting with setest_t, including setest_home_dir_t
and setest_home_t for example. What happened is that the macro processor
created all the default types to go along with the role.
Next add setest_r:setest_t to /etc/selinux/strict/src/policy/appconfig/default_type.
This ensures that SELinux knows what domain to place a user in when first
logging in.
Now allow some access to the new setestfile_t, edit custom.te again and add:
allow user_t setestfile_t:file { read };
allow setest_t setestfile_t:file { read write execute };
Then add setest_r to the list of roles granted to the user setest in the users file.
Now that a new user, type and role have been created, run some tests to see if
the kernel is actually using them. Logged in as setest:
[setest@pc-00071 ~]$ touch afile
[setest@pc-00071 ~]$ ls --context afile
-rw-rw-r-- setest setest setest:object_r:user_home_t afile
Try to change the context of afile: chcon -t setestfile_t afile
This works because we are in permissive mode, but it leaves the following log:
Jun 11 06:01:12 pc-00071 kernel: audit(1118487672.558:0): avc: denied { relabelto } for pid=22595 exe=/usr/bin/chcon name=afile dev=dm-0 ino=2142232 scontext=setest:user_r:user_t tcontext=setest:object_r:setestfile_t tclass=file
What this means is that the kernel noted that a process in the context setest:user_r:user_t
executed a relabelto of a user_home_t file to setestfile_t. Since this was not explicitly
allowed in the policy, a denial message is generated.
The user_r can only read this file, so cat afile is allowed but echo “test” >> afile
creates an error message for the “append” attribute.
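Reading these AVC messages by hand gets old quickly, so here is an added example (my own code, not part of the original report and not audit2allow itself) that does what audit2allow does for real policies: parse the denial lines, pull out the source type, target type, object class and permissions, and print the allow rule that would have permitted each access. The sample input is the three denial messages quoted in this post (the relabelto one above, the check_context and transition ones further down), each joined back onto a single line.

```python
"""Parse kernel AVC denial messages like the ones quoted in this post and
turn them into the allow rules that would have permitted the access,
grouped by source type, target type and object class."""
import re
from collections import defaultdict

# The three denials quoted in this post, as single lines.
SAMPLE_AVC = [
    "Jun 11 06:01:12 pc-00071 kernel: audit(1118487672.558:0): avc: denied { relabelto } "
    "for pid=22595 exe=/usr/bin/chcon name=afile dev=dm-0 ino=2142232 "
    "scontext=setest:user_r:user_t tcontext=setest:object_r:setestfile_t tclass=file",
    "Jun 11 06:38:50 pc-00071 kernel: audit(1118489930.704:0): avc: denied { check_context } "
    "for pid=22934 exe=/home/n00m/final/print_selinux_status "
    "scontext=setest:user_r:user_t tcontext=system_u:object_r:security_t tclass=security",
    "Jun 11 06:58:15 pc-00071 kernel: audit(1118491095.820:0): avc: denied { transition } "
    "for pid=23006 exe=/home/setest/execve_example path=/usr/bin/less dev=dm-0 ino=1348733 "
    "scontext=setest:user_r:user_t tcontext=setest:setest_r:setest_t tclass=process",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the permissions and contexts of one denial, or None for other
    lines (and for truncated messages that lack a context or class)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    try:
        return {
            "perms": m.group("perms").split(),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            "exe": fields.get("exe"),
            "pid": int(fields["pid"]) if "pid" in fields else None,
        }
    except KeyError:
        return None


def context_type(context):
    """user:role:type -> type, the component TE rules are written against."""
    return context.split(":")[2]


def allow_rules(denials):
    """One allow rule per (source type, target type, class), permissions merged.
    A single permission is written bare, as in the custom.te rules above."""
    grouped = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        grouped[key].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


def rules_from_log(lines):
    """Allow rules for every parseable denial in a list of log lines."""
    return allow_rules([d for d in map(parse_avc, lines) if d is not None])


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_AVC):
        print(rule)
```

The generated rules are a starting point for reading, not for pasting into custom.te: a denial is often the policy doing its job (here, user_t relabeling a file to a sysadmin file type, or a plain user domain calling check_context), and the right fix may be to leave the denial alone or to use a narrower type rather than open the access for the whole source domain.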
SELinux also has C libraries which can be used in programs. The following code
shows how to manipulate security contexts and print out SELinux information.
#include <stdio.h>
#include <stdlib.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

/* this code prints selinux related information */
int main(int argc, char **argv)
{
    printf("Checking if selinux is enabled...\n");
    if (is_selinux_enabled())
        printf("this program is running on a SELinux kernel\n");
    else
        printf("this program is not running on a SELinux kernel\n");

    /* security_getenforce() returns 0 (permissive), 1 (enforcing) or -1 on error */
    int permissive = 0;
    int enforcing = 1;
    int mode = security_getenforce();
    if (mode == permissive)
        printf("SELinux is running in permissive mode\n");
    if (mode == enforcing)
        printf("SELinux is running in enforcing mode\n");

    /* security_context_t (a char *) is declared by selinux/selinux.h */
    security_context_t scon;
    int rcc;
    printf("getting this program's current context...\n");
    rcc = getcon(&scon);
    if (rcc < 0) {
        perror("getcon");
        return -1;
    }
    printf("this program's security_context_t is: = %s\n", scon);

    /* create a new context_t from the contents of scon */
    context_t newcon = context_new(scon);
    /* free the memory used by scon */
    freecon(scon);
    if (newcon == NULL) {
        perror("context_new");
        return -1;
    }
    /* display context attributes */
    printf("this program's context_t type is: %s\n", context_type_get(newcon));
    printf("this program's context_t role is: %s\n", context_role_get(newcon));
    printf("this program's context_t user is: %s\n", context_user_get(newcon));

    /* overwrite the components with values that exist in no policy */
    context_type_set(newcon, "faketype_t");
    context_role_set(newcon, "fakerole_r");
    context_user_set(newcon, "fakeuser_u");
    printf("context after setting fake type, role and user: %s\n", context_str(newcon));

    /* ask the kernel whether the string form of the context is valid under the loaded policy */
    printf("Verifying security context...\n");
    if (security_check_context(context_str(newcon)) < 0)
        printf("invalid context: %s\n", context_str(newcon));
    else
        printf("valid context: %s\n", context_str(newcon));

    context_free(newcon);
    return 0;
}
Compile this code with the following options (the library goes after the source file so the linker sees it):
gcc -o print_selinux_status print_selinux_status.c -lselinux
The code should output the following:
[n00m@pc-00071 final]$ ./print_selinux_status
Checking if selinux is enabled...
this program is running on a SELinux kernel
SELinux is running in permissive mode
getting this program's current context...
this program's security_context_t is: = setest:user_r:user_t
this program's context_t type is: user_t
this program's context_t role is: user_r
this program's context_t user is: n00m
context after setting fake type, role and user: fakeuser_u:fakerole_r:faketype_t
invalid context: fakeuser_u:fakerole_r:faketype_t
The kernel also prints a check_context error:
Jun 11 06:38:50 pc-00071 kernel: audit(1118489930.704:0): avc: denied { check_context } for pid=22934 exe=/home/n00m/final/print_selinux_status scontext=setest:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
This is because the user_r role does not have access to run functions using the
check_context attribute. Specifically, the security_check_context() function
requires the calling process context be allowed to check_context on the
system_u:object_r:security_t context.
Programs can set the context of their next exec with the setexeccon function and then
call execve. Here is a simple example which runs less, allowing you to see what context the
process was run as.
#include <stdio.h>
#include <unistd.h>
#include <selinux/selinux.h>

/* http://www.frech.ch/man/man3p/execve.3p.html */
int main(int argc, char **argv)
{
    security_context_t scon;
    int rcc;
    printf("getting this program's current context...\n");
    rcc = getcon(&scon);
    if (rcc < 0) {
        perror("getcon");
        return -1;
    }
    printf("this program's security_context_t before setexeccon is: = %s\n", scon);
    freecon(scon);

    char *cmd[] = { "less", "/etc/passwd", (char *)0 };
    char *env[] = { "HOME=/usr/home", "LOGNAME=home", "TERM=vt220", (char *)0 };
    /* ask the kernel to run the next execve() in the setest_t domain */
    if (setexeccon("setest:setest_r:setest_t") < 0) {
        perror("setexeccon");
        return -1;
    }
    /* execve only returns if it failed */
    execve("/usr/bin/less", cmd, env);
    perror("execve");
    return -1;
}
Running this code from a command shell with the setest:user_r:user_t context
prints a kernel error, because the transition is not explicitly allowed in
the SELinux policy. When set to enforcing mode, this is where SELinux can be
used to defeat attacks which use a corrupted process to launch other
processes: SELinux can prevent or log any such attempt to operate outside
the normal conditions needed for the service. Here is an example log of a context
transition being denied.
Jun 11 06:58:15 pc-00071 kernel: audit(1118491095.820:0): avc: denied { transition } for pid=23006 exe=/home/setest/execve_example path=/usr/bin/less dev=dm-0 ino=1348733 scontext=setest:user_r:user_t tcontext=setest:setest_r:setest_t tclass=process
In order to allow transitions between types, add this to the custom.te file:
allow user_t setest_t:process transition;
Once the transition is allowed, run the program again:
[setest@pc-00071 ~]$ ./execve_example
then check the running processes with ps ax --context.
After setexeccon requests the new context, execve runs its arguments with
that context. Running in memory:
23118 setest:setest_r:setest_t less /etc/passwd
but the user who called execve_example only had the setest:user_r:user_t context.
SELinux seems to be the future of security with Linux. Using SELinux allows for
greater control over every aspect of the operating system, to a degree never
before seen in a publicly available operating system which can operate on
commodity hardware. These two facts combined should make a powerful
combination which will continue to attract developers and administrators to
SELinux. SELinux being included in Fedora Core 3 shows that the ideas
proposed are mature enough for mainstream adoption.
References:
Stephen Smalley, “Configuring the SELinux Policy”, January 2003
http://www.nsa.gov/selinux/papers/policy2.pdf (11 June 2005)
Peter Loscocco and Stephen Smalley, “Integrating Flexible Support for Security
Policies into the Linux Operating System”, June 2001
http://www.nsa.gov/selinux/papers/freenix01/freenix01.html (11 June 2005)
Redhat, “Bugzilla Bug 125737 setools Makefile has incorrect policy install
location defined” June 2004,
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125737 (11 June 2005)
Mayank Sharma, “SELinux: Playing with fire” (January 2005)
http://security.linux.com/security/05/01/25/1423211.shtml?tid=124&tid=123&tid=113&tid=35 (11 June 2005)
Faye Coker, “Getting Started with SE Linux HOWTO” (March 2004)
http://www.lurking-grue.org/GettingStartedWithNewSELinuxHOWTO.pdf (11 June 2005)
Faye Coker, “Writing SE Linux Policy HOWTO” (March 2004)
http://www.lurking-grue.org/WritingSELinuxPolicyHOWTO.pdf (11 June 2005)
Kerry Thompson, “SELinux” (March 2003)
http://www.samag.com/documents/s=7835/sam0303a/0303a.htm (11 June 2005)
Ram Varma, “SELinux Programming” (April 2005)
http://www.ensl.cs.gwu.edu/resources/SELinux_20Programming (5 June 2005)
Susan Douglas and Korry Douglas, 2004, “Linux Timesaving Techniques for
Dummies” , John Wiley & Sons.
Russel Coker, “SE Linux API Documentation” (January 2004)
Also, irc conversations with him in #selinux of irc.freenode.net (June 2005)
John Barkley, “Security in Open Systems” (July 1994)
http://csrc.nist.gov/publications/nistpubs/800-7/main.html (June 11 2005)
OSSIM Kismet Plugin
by nate on Jun.22, 2009, under OSSIM, Open Source Linux
by nate@bedkings.com and internet-goods.com
GNU GENERAL PUBLIC LICENSE
First release 0.1
6.22.2009
This plugin watches /var/log/kismet/kismet.log
It reports the four kismet ALERTs I have seen so far in the wild.
When it detects one it creates an OSSIM event.
Installing On Debian:
1) Load the kismet.sql files into your ossim database.
2) copy kismet.cfg to Agent Plugins Directory
3) edit kismet init file to work with your network card
4) edit kismet agent config.cfg to enable kismet plugin
add this to its own line:
kismet=/etc/ossim/agent/plugins/kismet.cfg
5) restart the ossim agent. Kismet should come online.
TODO:
The rest of the kismet ALERT types I haven't seen yet need to be codified into OSSIM events.
Someone send me logs of other kismet alerts than the four I've done so far.
Some sort of network access point detection/storage.
A page to configure the kismet settings with php/form/dropdowns, creating the configs for kismet, wouldn't be bad either.
Code snippets:
/etc/ossim/agent/plugins# cat kismet.cfg
#http://www.ossim.net/dokuwiki/doku.php?id=documentation:agent
[DEFAULT]
plugin_id=9000
[config]
type=detector
enable=yes
process=kismet_server
start=yes ; launch plugin process when agent starts
stop=yes ; shutdown plugin process when agent stops
startup=/etc/init.d/kismet start
shutdown=/etc/init.d/kismet stop
source=log
location=/var/log/kismet/kismet.log
# create log file if it does not exists,
# otherwise stop processing this plugin
create_file=true
[Suspicious Client]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=1
[Out-of-sequence BSS timestamp]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=2
[Channel Change possible AP spoofing]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=3
[Data within seconds of disassociate]
event_type=event
regexp='^ALERT\s+\S+\s+(?P
date={normalize_date($date)}
plugin_sid=4
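To show what the agent does with those four sections, here is an added example (my own code, not the OSSIM agent's) that applies a plugin-style regexp to each line of a kismet log, normalizes the date and emits an event tagged with plugin_id 9000 and the plugin_sid of the matching section. The real regexps in kismet.cfg are cut off above, so the line layout, the timestamp token format and the sample log lines are all assumptions constructed for the demo.

```python
"""Toy version of what the OSSIM agent does with the kismet.cfg above: apply
the plugin's regexp to each log line, normalize the date, and emit an event
carrying the plugin_sid of the matching section."""
import re
from datetime import datetime

PLUGIN_ID = 9000

# Section name -> plugin_sid, as in kismet.cfg and the plugin_sid SQL rows.
RULES = [
    (1, "Suspicious client"),
    (2, "Out-of-sequence BSS timestamp"),
    (3, "Channel change possible AP spoofing"),
    (4, "Data within seconds of disassociate"),
]

# Assumed line layout for this demo (the plugin's real regexp is cut off above):
# 'ALERT <timestamp-token> <alert text>'.  The timestamp token format is assumed too.
LINE_RE = re.compile(r"^ALERT\s+(?P<date>\S+)\s+(?P<text>.+)$")
DATE_IN = "%b-%d-%Y-%H:%M:%S"
DATE_OUT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log lines in that assumed layout.
SAMPLE_LOG = [
    "ALERT Jun-22-2009-13:05:41 Suspicious client 00:11:22:33:44:55 seen on channel 6",
    "INFO Jun-22-2009-13:05:42 Detected new network 'lab' on channel 6",
    "ALERT Jun-22-2009-13:06:10 Channel change possible AP spoofing: 00:aa:bb:cc:dd:ee moved from 6 to 11",
    "ALERT Jun-22-2009-13:07:01 Some alert type this plugin does not know yet",
    "ALERT Jun-22-2009-13:07:30 Out-of-sequence BSS timestamp on 00:aa:bb:cc:dd:ee",
]


def normalize_date(token):
    """Stand-in for the agent's normalize_date(): assumed token -> 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(token, DATE_IN).strftime(DATE_OUT)


def parse_alert(line):
    """Return an event dict for an ALERT line, or None for any other line.
    plugin_sid is None when the alert type has no section yet (the TODO case)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    text = m.group("text")
    sid = None
    for candidate_sid, name in RULES:
        if re.search(re.escape(name), text, re.IGNORECASE):
            sid = candidate_sid
            break
    return {
        "plugin_id": PLUGIN_ID,
        "plugin_sid": sid,
        "date": normalize_date(m.group("date")),
        "log": line,
    }


def process(lines):
    """Events for every ALERT line, known type or not, in log order."""
    return [event for event in map(parse_alert, lines) if event is not None]


if __name__ == "__main__":
    for event in process(SAMPLE_LOG):
        print(event["date"], event["plugin_sid"], event["log"])
```

Unknown alert types are kept with plugin_sid None rather than dropped, so the log lines needed to write the missing sections (the first TODO item) are easy to find; a production plugin would give them a catch-all sid so they still reach the OSSIM database.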
For now I have put together a quick /etc/init.d/kismet script for the plugin to use, something like this:
# Function that starts the daemon/service.
#
d_start() {
##$DAEMON $OPTS
/usr/bin/kismet_server -c rt2500,wlan0,pciwifi &> /var/log/kismet/kismet.log &
}
#
# Function that stops the daemon/service.
#
d_stop() {
killall kismet_server
}
then when ossim starts, so does the kismet plugin.
SQL for the plugins tables in OSSIM:
INSERT INTO plugin (id, type, name, description) VALUES( 9000, 1,
'kismet', 'Kismet IDS');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 2, NULL, NULL, 'Out-of-sequence BSS timestamp', 0, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 1, NULL, NULL, 'Suspicious client', 0, 3);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9000, 4, NULL, NULL, 'Data within seconds of disassociate', 0, 3);
add this line to /etc/ossim/agent/config.cfg
kismet=/etc/ossim/agent/plugins/kismet.cfg
Zoneminder Camera Server
by nate on Apr.10, 2009, under Open Source Linux, Zoneminder
We use a 4 port video capture card ($150) and a computer to create a Linux zoneminder security platform.
04:08.0 Multimedia video controller: Brooktree Corporation Bt878 Video Capture (rev 11)
04:08.1 Multimedia controller: Brooktree Corporation Bt878 Audio Capture (rev 11)
04:09.0 Multimedia video controller: Brooktree Corporation Bt878 Video Capture (rev 11)
04:09.1 Multimedia controller: Brooktree Corporation Bt878 Audio Capture (rev 11)
04:0a.0 Multimedia video controller: Brooktree Corporation Bt878 Video Capture (rev 11)
04:0a.1 Multimedia controller: Brooktree Corporation Bt878 Audio Capture (rev 11)
04:0b.0 Multimedia video controller: Brooktree Corporation Bt878 Video Capture (rev 11)
04:0b.1 Multimedia controller: Brooktree Corporation Bt878 Audio Capture (rev 11)
This is the card I use.
I find it locks up if I define zoneminder monitors above about 7 fps, probably due to the limitations of the old PCI bus this card uses. I run it in a server with mostly PCI-e cards, so these old slots are getting hard to find.
First cam: Tinycam
SourceType Local, Function Monitor, enabled, Maximum FPS 7, Alarm Maximum FPS 7
source /dev/video0 device channel 0 device format ntsc capture palette rgb24
384×288
Normal orientation
timestamp: %%s - %y/%m/%d %H:%M:%S
ZM FAQ
- Monitor
- modect
- record
- mocord
- nodect
TODO:
. find pci-e capture cards this inexpensive
. figure out various zoneminder monitor modes
. remote rsync of various video in case of onsite disaster