Comments for Qcode Software (Tcl Web Applications) http://www.qcode.co.uk
Feed last updated Mon, 18 Nov 2013 12:43:28 +0000

Comment on PCI DSS Requirement 10: Part 4 – Log File Monitoring (and more) with OSSEC, by david (Mon, 18 Nov 2013 12:43:28 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part-4-log-file-monitoring-and-more-with-ossec/#comment-16038

Hi Artur,

All logs are continuously streamed to a central logserver so an attack that modified the local log files would not be reflected on the central log server.
We roll logs on the central log server at regular intervals and then apply file integrity monitoring of the archived files.

Our PCI compliance requirement was a level D SAQ, so no QSA audit was required. We did consult with some QSAs, but our experience was far from satisfactory at the technical level. Also, discussion of PCI compliance on Linux, and on Debian in particular, is very thin.

We are looking at AIDE as another way to check a growing logfile:
http://aide.sourceforge.net/stable/manual.html

We would be very interested to hear how you solve the issue to your QSA’s satisfaction.

Comment on PCI DSS Requirement 10: Part 4 – Log File Monitoring (and more) with OSSEC, by Artur (Sun, 17 Nov 2013 19:51:43 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part-4-log-file-monitoring-and-more-with-ossec/#comment-15923

This is not fulfilling requirement 10.5.5 according to our QSA:

Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Anyone with enough rights can tamper with current, growing logfiles, overwriting content however one pleases. No alerts will be generated.

I am really stuck on this, such log record-based integrity checking is not a simple, easy thing. Did you really pass the audit?

Comment on Formatting XML In An Emacs Buffer, by Eric (Tue, 22 Oct 2013 17:55:12 +0000)
http://www.qcode.co.uk/formatting-xml-in-an-emacs-buffer/#comment-12763

Oh, very handy, and now I’ve learned about shell-command-on-region to boot. Thanks!

Comment on Tcl Regular Expressions – Greedy or Non-greedy?, by Justin Carvalho (Mon, 19 Aug 2013 20:07:42 +0000)
http://www.qcode.co.uk/tcl-regular-expressions-greedy-or-non-greedy/#comment-8687

This helped me a lot, thank you.

Comment on Using checkinstall generated .deb files with reprepro, by Jordi (Wed, 24 Jul 2013 10:14:09 +0000)
http://www.qcode.co.uk/using-checkinstall-generated-deb-files-with-reprepro/#comment-6592

Fantastic job, works on Ubuntu 12.04

Thanks

Comment on PCI DSS Requirement 10: Part1 – Logging with Rootsh, by david (Thu, 18 Jul 2013 11:39:52 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part1-logging-with-rootsh/#comment-6198

What sort of error do you get when doing “ssh -vvv blade-x ls”?
Is rootsh installed in the /etc/profile of both source and target blades?
We can quite happily run remote commands between machines without problems.

On auditd:
1. The requirement doesn’t explicitly ask us to record the output of the command, simply “Success or failure indication”. So the recorded exit code should, in theory, be enough. We found it fairly hard to piece together what was happening though especially given how verbose the logging is.

2. Our inclination was that sub-shell commands would need to be logged separately. E.g. auditd would show who started psql sessions, but it would be up to our PostgreSQL config to log connections, statements, and errors so we could then work out what happened within the psql session, and whether it was successful or not.

We would need to enforce this for all sub-shell commands separately which is a fairly major administrative overhead.

Would be interested in how others tackled this.

But, in all, we found rootsh to be a far more administratively concise solution.

Comment on PCI DSS Requirement 10: Part1 – Logging with Rootsh, by Christian (Wed, 17 Jul 2013 11:33:17 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part1-logging-with-rootsh/#comment-6126

Nice article!

I have also tried out rootsh for our system, but I have some problems maybe because it’s distributed over several blades.

It seems that I can not execute commands non-interactively, e.g. executing “ssh blade-x ls” from within the cluster gives an SCP error.

Not sure if there is any way around it.

Regarding the Linux auditing that you claim could also meet your requirements, how do you
1. record the output of the commands
2. record commands and output given in a sub-shell like psql?

Is there a good help page that covers those issues?

Comment on PCI DSS Requirement 10: Part1 – Logging with Rootsh, by david (Thu, 11 Jul 2013 11:44:12 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part1-logging-with-rootsh/#comment-5822

You need to be careful not to use the -i rootsh option which starts a login shell, and that would indeed create a loop.
Calling rootsh using exec and with only --no-logfile as an option should just replace the login shell once.

Comment on PCI DSS Requirement 10: Part1 – Logging with Rootsh, by bela (Fri, 05 Jul 2013 12:15:18 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part1-logging-with-rootsh/#comment-5577

A very detailed and clean article. Nice work.

But how can you specify the line in /etc/profile without making an infinite loop at login?

Comment on PCI DSS Requirement 10: Part1 – Logging with Rootsh, by david (Tue, 21 May 2013 13:00:43 +0000)
http://www.qcode.co.uk/pci-dss-requirement-10-part1-logging-with-rootsh/#comment-4173

Yes, auditd absolutely would fulfil the requirement also.
For us pam_loginuid.so was required to ensure auid values were still set when auditing commands executed via sudo – otherwise auditd would not record who executed the command.

When it came down to it, we found the rootsh logs to be far more concise than the rather verbose logging from auditd.
