OS Security

22K Solutions | 23K Contributors

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

Is there an exception or workaround for Windows 10 image 1607 to accept patch CVE-2020-0601 without failing at >90 percent and reverting back?
0
How can I disable "USB storage" for step #4
below via gpedit.msc or something else?

Details
  ** Operating System = Windows 10 Pro
  ** Location = Home
  ** Domain = NO

Steps
 1. I log in as me
 2. USB storage works
 3. my 5 year old logs in
 4. no USB storage, since I do NOT
    want my child to copy data from
    bad USB drives onto the PC
0
Hi Security Experts,

I've been using MSE and MBAM on W7 for many years, both with real-time protection enabled. They play nicely together and, as far as I can tell, they're providing good anti-virus/anti-malware protection.

My understanding is that Windows Defender in the current W10 (1909) is a significantly improved product. For home computers (not on a domain), do you think that WD by itself is sufficient protection or would it be better to run MBAM (with real-time protection), too?

Btw, while doing some web research before posting this, I saw that some folks are recommending MBAM without real-time protection, that is, run MBAM manually every so often (or when there's a problem) to check up on WD. But I'm wondering if it's OK to run MBAM with its real-time protection — will that conflict with WD? Thanks, Joe
0
I have a batch script setpwd.bat that contains only 2 lines:

echo off
net user /domain  my_ADid  Myp@ssw0rd


However, when I ran it, I got an error, despite the fact that I'm changing my
own password, which I have the privilege to change: when I press Ctrl-Alt-Del
& select "Change Password", I can change the password.

What was amiss?  I'm on Win 10 which is
connected to our

C:\tool>setpwd.bat

C:\tool>echo off
The request will be processed at a domain controller for domain abc.com.
System error 5 has occurred.  <==
Access is denied.    <==


I'm using a new complex password (that was never used before) that meets
the GPO requirement.  The command below works though:

net user /domain myADid
(to list out my AD Id's attributes)


I should not need a domain admin to do this, right?
0
I've come across a case where a Windows file that GPO synchronizes to
(on an IT auditor's laptop) was corrupted & the GPO policy could not be
enforced on it.

Q1:
Anyone recall which file is this?

Q2:
With USB ports blocked by GPO enforcement, is there any way to
still bypass it to copy data in/out of the USB port if the user does not
have admin rights to the PC?  I heard of registry editing (of certain
keys but not all keys) which could be done by non-admin users,
so is this registry key for USB blocking editable by normal users?
If the user's PC doesn't join the domain while he's outside, will this
USB enforcement lose its effect or is it still enforced?

Q3:
One other possibility is if the PC's HDD is not encrypted & the
BIOS is not password-protected, the user can still go into the BIOS to
make the PC boot up from a special CD, load a USB driver, mount
the HDD, (& even create an extra admin account) to copy
data out: this was an argument point with our auditor on
whether it's required to protect the BIOS with a password.
0
Q1:
For IT audit purposes, what are some of the questions that an auditor should ask
during the audit interview, especially for a Cyber, IT Infra, End-user computing audit?

Q2:
What are some of the open-ended questions like "Can you describe your
network architecture", "what's your patch procedure/policy like", "what are
your perimeter & endpoint defenses" ...  <pls add on>.

Q3:
Presumably auditors should start with such open questions first before going
into more targeted questions?

Q4:
What are some of the more targeted questions?
Eg: "how long is your backup retention for DB,  logs, ...", "share some of
      the recent patch logs", ...<pls add on> ...
1
Our auditors subscribe to Teammate SaaS Prod in the cloud.
Teammate also offers a QA/UAT SaaS in the cloud.

Q1:
Under what circumstances would sites out there subscribe
to QA/UAT  Teammate SaaS?

Q2:
What's Teammate QA/UAT used for?   Is there any development
work for Teammate that needs to be done in UAT 1st before
being ported over to Prod Teammate?

Q3:
I've heard that our parent company's audit dept uses on-prem
Teammate & has both QA/UAT plus Prod environments.
Not convenient to ask the auditors, but curious what it's for.
0
Refer to the attached code where we do input validation for
a reflected XSS:

we've increased the validations but each time a rescan
is done, there's a new set of "patterns" that's not caught,
& the same pentester conveys we just have to follow
OWASP recommendations:

Q1
can anyone help review the attached & enhance to
make it fully compliant?

Q2
the pentester says they can't possibly provide all the
possible patterns, so what does this mean?  No
closure possible, or can we reduce it to a minimum?
Our apps team is getting tired & claims the pentester
fails to provide the full patterns, while the pentester says
we just need to adhere to OWASP, so which is which,
as I'm confused who is right & what's best practice?
0
Does anyone have a sample table (which I need to submit in a monthly
ppt slide) covering patching metrics?

I plan to have a column for virtual patches (as we use NIDS &
endpoint IPS) included, so columns like the following:

a) date vulnerability published by product principal
b) date virtual patch is released, tested in our UAT &
    implemented in Prod (which I'll indicate as 'NA'
    if not available)
c) date actual principal product (ie Oracle, RHEL, Fwall
    vendor) releases their patches & date scheduled to
    test in UAT & date to deploy in Prod

Any other information/columns that I missed?

In particular I have the following products to cover:
a) Solaris OS 10
b) Weblogic middleware 12.2.1.3
c) Firewall
d) WAF
e) Oracle DB
f) RHEL 6
0
Audit mandated we must enable password expiry for MS SQL accounts though we say they're service accounts:

from DBA: change cannot be implemented as it will expire service accounts
Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role

What's the practice out there?
Can we automate changing the password quarterly & yet not affect service accounts (which I assume
do not need to know the password)?  One of them is nagios.

Or set the accounts to non-interactive & how to do it for MS SQL?
0
Hi,

This may sound a bit crazy, but is there a way to protect sensitive data from programmers while they are developing the application? (sounds crazy because the programmers have to see the data).  For example, we are compiling social data of staff like family components, relationships, members' income, health issues, etc.  Management wants to protect the data from IT support techs that will support these apps and from programmers that will be developing the apps.  If there is no way, and IT has to see all the data, what can a company do to manage this situation where very sensitive data is projected to be in the system?

What we have come up with is using dummy data (not real data) for developers to create the applications.  We will use this data from creation up to the validation stage.  In data import, the tech responsible has to see this data (so there must be some sort of signed agreement); in the support stage, since the tech has to see the problem, they have to see data but will not have a test environment with real data.

What do you guys think? Input from any Experts with this type of experience is fully appreciated.
1
We got an audit finding that our Solaris (& possibly Linux as well but I haven't
verified) OS account used for Nagios monitoring does not have password expiry.

Q1:
However, when a Solaris account expires, it'll cause service disruption
(just like root's cron jobs): is there any way around this?

Q2:
Can we set the SHELL for the nagios account to /bin/false or no shell so
that it's deemed a non-interactive account & doesn't require password
expiry?   Will Nagios still work with no shell or a false shell?

Q3:
if we change the password of this nagios account periodically, do we
need to change it in nagios (script or settings) somewhere?
0
Picking your brain about password policy.

I was checking a few password management best practices and some of them discourage the "forcing users to change the password" policy; they advise that users change their passwords if they suspect they've been compromised. I still believe that forcing users to change their password, coupled with other password policies, can really make a password more secure. I was wondering if anyone out there gave up on forcing users to change the password and what the reason for that was.

Thanks as always...
0
I've added the following settings in /etc/sysctl.conf as well as
issued 'sysctl -w ...' to make them effective as part of hardening.

My apps colleague rebooted the RHEL 7 VMs & now
docker gives the error '503 Service Unavailable'.

How should I reverse them: just by removing
those lines from sysctl.conf & rebooting (sysctl.conf was
quite empty initially)
OR
re-issuing "sysctl -w ..." with the alternate value (ie if
it's 0, set it to 1 & if it's 1, set it to 0)?  But this doesn't
seem right as we don't know what the default
value was initially.  So how do we know what the
initial default value was before the change?


sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w …
0
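The question above hinges on knowing the pre-change values, and the reliable way to have them is to record them before applying the hardening list. The following is an added example written for this page, not code from the original post: it extracts the keys from a file of "sysctl -w key=value" lines in the same form as the post, reads each key's live value from /proc/sys (assumed Linux paths), and writes a sysctl.conf-style snapshot that can later be replayed as a rollback. File names and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Before applying a list of
# "sysctl -w key=value" hardening lines, record what each key is currently
# set to, so there is a known-good rollback instead of guessing the default.
# Values are read from /proc/sys directly (Linux; paths are assumed).

# Print the key names from a file of "sysctl -w key=value" lines, one per line.
# Lines without "key=value" (such as a truncated "sysctl -w ...") are skipped.
extract_sysctl_keys() {
    sed -n 's/^[[:space:]]*sysctl[[:space:]][[:space:]]*-w[[:space:]][[:space:]]*\([^=[:space:]]*\)=.*$/\1/p' "$1"
}

# Print "key = current_value" for one key, or a comment if the kernel lacks it.
snapshot_one() {
    key="$1"
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then
        printf '%s = %s\n' "$key" "$(cat "$path")"
    else
        printf '# %s: not present on this kernel\n' "$key"
    fi
}

# snapshot_sysctls HARDENING_FILE SNAPSHOT_FILE
# Writes a sysctl.conf-style file holding the pre-change value of every key
# that HARDENING_FILE is about to change.
snapshot_sysctls() {
    : > "$2"
    extract_sysctl_keys "$1" | while IFS= read -r key; do
        snapshot_one "$key" >> "$2"
    done
}

# Turn snapshot lines back into "key=value" arguments for sysctl -w,
# dropping comment lines, so the rollback can be reviewed before it runs:
#   snapshot_to_args < pre-hardening.conf | xargs -n1 sysctl -w
snapshot_to_args() {
    grep -v '^[[:space:]]*#' | sed 's/[[:space:]]*=[[:space:]]*/=/'
}
```

Run snapshot_sysctls against the hardening list before the first sysctl -w, keep the snapshot next to the change record, and a rollback is then a matter of replaying it (sysctl -p on the snapshot file works too, since the format is the same one /etc/sysctl.conf uses). The caveat that matters for the post's situation is that this only helps if it was run beforehand; once the values have already been changed, the reference point is the value a freshly booted system of the same kernel shows, since sysctl.conf was nearly empty before the hardening.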
Refer to the attached list of group/world writable folders:
many of them are under the docker dir & some are owned by ftp.

Q1:
Is it OK to remove the group writable permission?

Q2:
Those files owned by ftp: can we change them to be owned by root?
gwrifold.zip
0
During hardening, I found the following group or world writable files.
Any harm if I do 'chmod g-w' or 'chmod o-w' on them:

rw-rw-r--. 1 root utmp 1920 Nov 15 15:26 /run/utmp
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/member
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/user
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/relabel
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/create
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/access
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/context
--w--w--w-. 1 root root 0 Nov 12 22:18 /sys/fs/cgroup/blkio/docker/09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/docker/e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d/cgroup.event_control
--w--w--w-. 1 root root 0…
0
CIS RHEL7 doc item 1.2.3 recommends that GPG keys are configured according to site policy.

What's the best practice?

On my RHEL7 I got the following; is it best-practice/compliant?
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
gpg-pubkey-7668xxxx-58axxxxx --> gpg(Docker Release (EE rpm) <docker@docker.com>)
0
When verifying RHEL7 CIS benchmark compliance item 1.2.1
"Ensure package manager repositories are configured", I got the
message below: is this an NC & what should be done to rectify it?

All the CIS doc says is "Configure your package manager repositories
according to site policy" but currently we don't have one:

$ yum repolist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
repo id                                                     repo name                                         status
!docker-ee-stable-17.06/x86_64         Docker EE Stable 17.06 - x86_64     19
repolist: 19
0
I performed one of the CIS RHEL 7 hardening remediations.
I got the message marked <== below; can someone advise:

$ cat  /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid

[root@mesopv1]:/etc/modprobe.d
$ systemctl unmask tmp.mount

[root@mesopv1]:/etc/modprobe.d
$ systemctl enable tmp.mount
Failed to execute operation: Invalid argument <==

[root@mesopv1]:/etc/modprobe.d
$
0
While hardening, I got logged out & can't ssh into the RHEL7 VM anymore.
I'm not sure at which step of CIS hardening this took place but it appears
to have happened when I deleted a user account by issuing:   userdel johndo

I gained access from the vCenter console & reverted the "sshd_config"
file & did "pkill -HUP sshd" but no joy.

From another RHEL VM in the same subnet (ie no firewalls in between)
& with no iptables rules set up yet, I attempted a verbose ssh:
[root@mesobootsp01.jp.com.sg]:/etc/audit
$ ssh -vvv root@10.121.0.51
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "10.121.0.51" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.121.0.51 [10.121.0.51] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1


I'll attach a log of the changes done shortly
0
Hi experts

Need help, I am not strong in PowerShell.

I was tasked to automate the manual Windows Server patching by using a PowerShell script.

For your information we don't have an SCCM environment; let me share the use case shown in the following:

Not sure if it is possible to achieve the following:

1: The PowerShell script will get the file from SFTP and deploy the patch to the Windows Server 2016.
1
I wanted to set 'nosuid,noexec,nodev' on the /dev/shm partition
so that the settings stay across reboots.  However, I can't see
this partition listed in my fstab as shown below:

What should I add into fstab? Or is this done in another file?

$ cat fstab
# /etc/fstab
# Created by anaconda on Thu Nov  1 22:13:57 2018
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/rhel-root   /                       xfs     defaults        0 0
UUID=023c84eb-dcc5-4ea9-9841-fc936246dd98 /boot                   xfs     defaults        0 0
/dev/mapper/rhel-home   /home                   xfs     defaults,nodev,relatime        0 0
/dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0
/dev/mapper/rhel-var    /var                    xfs     defaults        0 0
/dev/mapper/rhel-swap   swap                    swap    defaults        0 0
# NFS Shared drive from Bootstrap node
10.121.0.43:/JPOM/efs    /efs   nfs    defaults 0 0

$ df
Filesystem            1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel-root  30254660 3818732  26435928  13% /
devtmpfs                8121512       0   8121512   0% /dev
tmpfs                   8133368       0   8133368   0% /dev/shm         <==
tmpfs                   8133368  786484   7346884  10% /run
tmpfs                   8133368       0   8133368   0% /sys/fs/cgroup
0
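The reason /dev/shm is absent from the post's fstab is that on RHEL 7 systemd mounts it itself as a tmpfs, so the options only persist if an fstab entry is added for it (which is what the CIS RHEL 7 benchmark does) and the filesystem is remounted. The following is an added example written for this page, not code from the original post: a check that reads /proc/mounts-format lines from stdin and reports which of nodev, nosuid and noexec a mount point is missing, plus the fstab line to add for /dev/shm. The sample mount lines in the test are constructed from the post's own layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports which of the
# CIS-recommended options (nodev, nosuid, noexec) are missing from a mount
# point, reading /proc/mounts-format lines from stdin, and prints the fstab
# line that makes them persistent for /dev/shm. Live usage (assumed paths):
#   missing_mount_opts /dev/shm < /proc/mounts
#   shm_fstab_line >> /etc/fstab && mount -o remount /dev/shm

# missing_mount_opts MOUNTPOINT   (stdin: /proc/mounts lines)
# Prints "ok", a comma-separated list of missing options, or "not-mounted".
missing_mount_opts() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            # field 4 of /proc/mounts is the comma-separated option list
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            split("nodev nosuid noexec", want, " ")
            out = ""
            for (i = 1; i <= 3; i++)
                if (!(want[i] in have)) out = out (out == "" ? "" : ",") want[i]
            print (out == "" ? "ok" : out)
        }
        END { if (!found) print "not-mounted" }'
}

# The fstab entry the CIS RHEL 7 benchmark uses for /dev/shm. systemd mounts
# /dev/shm on its own, which is why the post's fstab has no line for it; once
# this line exists, the mount picks up the options on every boot.
shm_fstab_line() {
    printf 'tmpfs\t/dev/shm\ttmpfs\tdefaults,nodev,nosuid,noexec\t0 0\n'
}
```

After appending the line, `mount -o remount /dev/shm` applies it without a reboot, and running the check again against /proc/mounts should print "ok". The same check works for /tmp and any other mount point the benchmark lists, so it doubles as a quick post-reboot verification that the options actually survived.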
I followed the CIS RHEL 7 benchmark hardening instructions to edit the file below so as to make the
various settings (ie nosuid, noexec, nodev) permanent: I guess this should stay across reboots:

However, after a reboot last Fri evening, those 'nosuid, noexec, nodev' settings are gone again:

[root@mesosph01]:/etc/systemd/system/local-fs.target.wants   <== this is the dir
$ more tmp.mount
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid

$ ls -lad tmp.mount
-rw-------. 1 root root 91 Nov  8 17:23 tmp.mount

I tried to start a certain service mentioned in the CIS doc using root; there's an error:
$ systemctl unmask tmp.mount

[root@mesopubp01]:/root
$ systemctl enable tmp.mount
Failed to execute operation: Invalid argument  <==


The following command was done last week Thu & it worked but after
reboot, the settings are lost:
$ mount -o remount,rw,nodev,nosuid,noexec,relatime /tmp
$ mount | grep /tmp
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
0
Hi All,

In McAfee ePO, how can we identify the hash value of files, and how do we search for and verify malicious files by their hash values?

Please advise

Best Regards,
Ganpat
0
I've searched the internet and I still don't understand what it means when NCA\ANONYMOUS LOGON locks and/or unlocks the domain administrator account.
Below is an extract from the event viewer in an easy-to-read format. Can anyone explain the best way to determine whether it is an intrusion attempt or a process, application or service causing this?

An event has occurred in which you are on the notification list.
Time Stamp: 10/23/2019 11:56:45 PM
Perpetrator: CN=Anonymous Logon,CN=WellKnown Security Principals,CN=Configuration,DC=***,DC=local
Perpetrator Name: ***\ANONYMOUS LOGON
Event Source Type: Active Directory
Domain Name: ***
Policy Name: AD: User Account Lockouts
Event Name: Object Modified
Event Name Translated: Account unlocked
Originating Server: ***\***-DC01
Originating Server IP:   *.*.*.10
Target Host: n/a
Target Host IP: n/a
Class Name: user
DN: CN=Administrator,CN=Users,DC=***,DC=local
Affected Object SID: S-1-5-21-3359379490-2354048252-4260778802-500
Affected Object Account Name: ***\administrator
Operation Successful: True
Operation Status: Success
Blocked Event: False
Perpetrator Sid: S-1-5-7
Originating Client: AUTH:***-DC01
Originating Client Host: ***-DC01.****.LOCAL
Originating Client IP: x.x.x.10
Originating Client Protocol: AUTH
Originating Client MAC: **:**:**:**:**:FF
Events Count: 1

Thanks in advance.

David
0