SELinux on Amazon AMI Linux

This took a little digging into; in order to get SELinux to function on Amazon AMI Linux you must carry out the following steps.

yum -y install policycoreutils selinux-policy-targeted

Now edit /etc/grub.conf and ensure your kernel line looks something like the following:

title Amazon Linux 2013.XX (3.XX.XX-XX.XX.amzn1.x86_64)
root (hd0)
kernel /boot/vmlinuz-3.XX.XX-XX.XX.amzn1.x86_64 root=LABEL=/ console=hvc0 selinux=1 security=selinux enforcing=1 LANG=en_US.UTF-8 KEYTABLE=us
initrd /boot/initramfs-3.XX.XX-XX.XX.amzn1.x86_64.img

Note the addition of “selinux=1 security=selinux enforcing=1”

Now: touch /.autorelabel

And: /sbin/new-kernel-pkg --package kernel --mkinitrd --make-default --dracut --depmod --install 3.XX.XX-XX.XX.amzn1.x86_64 || exit $?

Replacing the XX portions with your running kernel or you can use substitute in the uname -r output; this one liner script was obtained from: rpm -q --scripts kernel and is required to rebuild the initrd image such that the selinux settings can take effect.

Alternatively if there are updates outstanding a yum -y update will acheive the same thing (selinux settings should persist); after all of this you can now reboot and wait.

This will take a while to start back up as an selinux relabel is running (this is what the touch /.autorelabel achieves.

All being well selinux should now be running enforcing in targeted mode; if not check your /etc/selinux/config file.


Percona Live UK 2013

Percona Live London 2013 drew to a close yesterday, following some truely great talks.

I myself presented a talk on security which it appears was very well received, and I am hopeful this talk will make it into the line up for percona live 2014.

My talk was well received and there was a lot of great Q&A both during and after the session … though I did run 15 minutes over sorry Tim I’ll have to buy you a beer by way of appology at the next confernece.

Ryan H also gave a great talk on backups, I’ll update this blog post with a link to the slides once tey become available.

I’ve posted some photos of the event aswell.

More to come.


Tor Gains 1.2M Users in Wake of NSA Scandal Ironically Making It Easier for the NSA

So … TOR is supposed to have gains 1.2 Million users following all the fanfare around the NSA.

If I were to facepalm at this point I fear my face would pushed out the back of my skull, so let me relay a small bit of insight.

TOR is an anonymizing proxy so long as every node along the chain is “behaving”, let’s say fo sake for argument somene sets up a malicious exit node, Jackin’ TOR shows just such a setup used to inject content into http requests.

  • inject javascript
  • javascript executed by browser, makes request to malicious host
  • identifying the browser if exploit exits this can now be used
  • malicious payload send back in request
  • malicious program now running makes direct request to C&C server (this does not go out via TOR, rquest is no longer anonymous)
  • we can pretty much do anything we want now with the system

And if the above does not work?

  • inject javascript
  • steal cookies
  • steal users accounts with banking, email, other services.

I Am Alive, the Last 8 Months in Review

Well, where to begin.

2013 has been a year of change for myself, after a long consideration period spanning several months in 2012 I felt that it was time to move on from Psycle Interactive as their Systems Administrator; the new roles “on the table” were as follows:

  • Percona - Systems Admin role which later became a Remote DBA role
  • Rackspace - Systems Admin
  • Google - Systems engineer
  • Facebook - Systems engineer

I accepted the offer from Percona becoming part of the Remote DBA team; the growth over the last 8 months has in my opinion been very rapid; the team and client list has more than doubled in size.

So some highlights on what I have been up to this year (well what I can talk about at least).

There’s so much more which I can not talk about with it being IP / NDA related.

Expect more security focused posts soon as I work on their content.

Openstack - Deploying Windows 8

Despite a never ending well of hate for windows, sometimes I have to work with it.

In this case I needed to create a glance image that could be deployed to a openstack cluster … and that is where the fun stops.

First things first, if you can do a clean install (if you paid the extra £20 and actually received your dvd media that is!) do so, the upgrade process from Windows 7 took the best part of 2 days to complete.

Secondly to create your glance image you’re going to have to do the installation on the same type of hypervisor that you have openstack running upon, in this case I will be covering deployment of Windows 8 onto Linux KVM with virtio drivers.

The kludge

You can not start the instance using virtio for the hard disk, it simply puts itself into a never ending recovery mode, instead set the bus type to SATA or IDE.

Attach a second drive that uses virtio bus, why you may ask? Windows 8 will now boot and in turn have a device attached which it can not recognize.

Before booting you will also need to attach this iso as a cdrom, at the time of writing you can use the Win7 drivers for Windows 8. (iso version 0.1-30)

Square peg, round hole == Bigger hammer

I opted to first install all the drivers by opening up the virtual cdrom, navigating to the Win7 folder and: right click -> install on all the “Setup Information” files.

My “fun” did not end here however … because it would appear the attached virtio device was not formatted Windows8 decided to ignore it.

In this case the device manager needs to be launched to resolve the issue a laborious task in itelf.

  1. Open desktop, and click the windows explorer tray icon.
  2. Right click “Computer” and click properties.
  3. Click “Device Manager”.
  4. Expand the “Disk Drives” section, (if you did not install the drivers and reboot, you may be prompted to install the device, or it will show up as an unknown device instead of a disk drive)
  5. Right click properties on the “RedHat VirtIO SCSI Device”
  6. Click the volumes tab and click populate.
  7. Close all windows leaving the Explorer window open.
  8. Right click computer, select Manage.
  9. Select disk management, partition and format the Virtio device as you would any other hard drive.
  10. You should now have a new volume, this is running with the virtio drivers.
  11. Shutdown windows.
  12. Reconfigure the KVM instance, remove the VirtIO disk, change the primary disk bus to VirtIO
  13. Start windows, and wait … and wait …
  14. Once the start menu has booted you will begin to notice performance picks up after a while, I assume this is due to background tasks running.
  15. Run any updates that may be outstanding and shutdown the instance. I would also advise configuring remove desktop
  16. Convert to qcow2 (if you want), and import into glance as you would any other image.
  17. Create or modify a security group if you have opted to allow Remote Desktop.

And boot the image as normal, ensuring that the selected “flavor” has enough disk space to start the instance.

As for meta data injection, for say account setup I have no idea at this time, please feel free to post in the comment or email me with methods for doing so.


this blog for noting the ‘dirty hack’ workaround in Windows 8 R2

and James P for having way more patience with windows than I will ever have.