Tag Archives: disable

Mac OS X Mac OS X Server Mac Security Mass Deployment Windows XP

Scripting PGP Whole Disk Encryption On A Mac (or Windows, really)

The PGP Whole Disk Encryption (WDE) tools have a command line interface for both OS X and Windows. The options are mostly the same across the two. We’ll focus on two for the purposes of this little article. The first is –list-user and the second is –change-passphrase, although there are a number of other options. A general breakdown of the options include the following:

  • –enum – show the disks available
  • –disk-status – show the encryption status disk indicated with the –disk option
  • –stop – stop the encryption or decryption process of a –disk using –passphrase
  • –instrument – Install BootGuard using the –disk option followed by the number of the disk
  • –uninstrument – Remove BootGuard using the –disk option followed by the number of the disk
  • –add-user – Add a PGP user (include a user name followed by –passphrase and the passphrase, as well as –disk and the number of the disk)
  • –change-passphrase – Change the password on –disk for user specified with -u on –domain with the -i to make it interactive (with an option to include a –recovery-token if you don’t have the password)
  • –list-user – List the PGP users with access to a –disk
  • –encrypt – Manually enable encryption on a –disk using a –passphrase
  • –decrypt – Disable encryption by decrypting the disk at –disk using a –passphrase
  • –recover – allow a user to recover a –disk when BootGuard is unavailable using the –passphrase

symc_pgp_wholedisk_0So let’s put these in motion. First, let’s just look at all the disks available using the –enum option:

pgpwde --enum

OK, so disk 0 is my only volume and it’s bootable. Nothing has been encrypted yet. So let’s confirm by looking at –disk-status:

pgpwde --disk-status --disk 0

Now, let’s see who’s got access to that disk:

pgpwde --list-user --disk 0

Then, let’s enable BootGuard on our volume:

pgpwde --instrument --disk 0

And then add user cedge to be able to unlock that volume, with a passphrase of krypted:

pgpwde --add-user cedge --passphrase krypted --disk 0

And then let’s encrypt it:

pgpwde --encrypt --passphrase krypted --disk 0

And finally, to change the password of that cedge account to something more secure:

pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase "!Ab@nK$Ru13z"

To make scripting this a bit easier, you can also choose to skip the whole –passphrase option (since you might not know the current passphrase since they’re not typically reversible) you can use the –recovery-token option (assuming you have a token).

Note: No passwords were hurt in the writing of this article.

Network Infrastructure

APIPA, Not Just An Acronym Palindrome

The acrodrome (yes, I just made that up, although I wasn’t sure if palinym was a better choice – decided on acrodome because I wasn’t as afraid of Tea Party snipers coming to murder me as I would have been if I used palinym) APIPA stands for Automatic Private IP Addressing. APIPA is in every version of Windows since NT and all versions of Mac OS X. APIPA is a dhpc mechanism that provides dhcp clients with self-assigned IP addresses when DHCP servers are not available. When there isn’t a DHCP server available, APIPA assigns IPs from 169.254.0.1 to 169.254.255.254 with a default mask of 255.255.0.0. Clients leverage arp to verify their address doesn’t conflict with another on the network.

APIPA is enabled on all interfaces of all dhcp clients in pretty much all modern operating systems. Add the IPAutoconfigurationEnabled key and set to 0 in Services\Tcpip\Paramters to disable on Windows, or set any client to a static IP and the system won’t attempt to self assign if a DHCP server is not available.

Mac OS X Server Ubuntu Unix WordPress

WordPress Site Stuck In Maintenance Mode

When doing updates in WordPress, upgrading the WordPress version or the Plug-Ins causes the site to enter into Maintenance Mode. While in Maintenance Mode, a message appears that says ”Briefly unavailable for scheduled maintenance. Check back in a minute.” rather than the actual site. Sometimes, especially if you’re using the automatic updating functions, an update might fail and the site may be stuck in Maintenance Mode.

WordPress looks at the root level of a directory for some hidden files that can tell a site to operate in a different manner. If there’s a file called “.maintenance” then the site will display the message above. When an update of a Plug-in fails, the .maintenance file is never deleted and the site is stuck in Maintenance Mode. To correct the error, simply ftp into the root of the site and delete the file. It’s hidden, so make sure your ftp software isn’t suppressing the ability to see a hidden file.

Whatever Plug-in or update failed likely also broke something. Usually, if it’s a Plug-in then you’ll need to re-install that plug-in, as the update process removes the old Plug-in and then adds it back. If it’s a Theme, you might need to re-install the Theme.

Programmatically, you can also enable Maintenance Mode by creating this file and then disabling Maintenance Mode by deleting (or renaming) the file again.

Mac OS X Server Mass Deployment

Allow Diskless NetBoot From the Command Line

Client systems don’t have to have drives. Nor should they, in certain circumstances. Therefore, diskless NetBoot has been a part of OS X since the early beginnings. And it’s great provided you have the Server Admin application handy. But if you want to enable/control diskless NetBoot without Server Admin then you’re going to need to use the command line.

Each of your NetBoot images will be stored in an array, which can be seen by running the serveradmin command, along with the settings option and then the net boot service, as follows:

serveradmin settings netboot

Locate the netBootImagesRecordsArray, which shows the images that are served up on the server. Find the appropriate one (most people tend to only have one) and then make sure that the SupportsDiskless option is set to yes.

serveradmin settings netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = yes

You can also set DisabledSystemIdentifiers, EnabledSystemIdentifiers, Type (type of file share), pathToImage, Architecture and use IsEnabled to enable and disable images programatically. This allows administrators to programmatically control NetBoot and therefore build custom imaging workflows that, for example, update the NetBoot set for NetRestore at the time of generating the NetRestore NetBoot set. It would also come in handy if any of these features were ever removed from the GUI…

Mac OS X

Lion's Versions Feature

In Mac OS X Lion, applications can make use of a feature to auto-save and version files. This feature locks files that are inactive for editing and when the file is unlocked then starts automatically saving versions. If you have a problem with the file you can then always step back to a previous version of the file. The feature is manifested in the title bar and the file menu of applications that make use of it. When you open a file, it can be locked. Viewing the file in the Finder also shows that it is locked. Clicking on locked provides the option to unlock. Once unlocked you can make changes as you normally would. The next time you save the file, a version is created. Hovering the mouse over the title of a file results in a disclosure triangle. clicking that results in some options otherwise located in the file menu.

Clicking on the Lock option again locks the file. Files inactive can automatically be locked as well. The Duplication option is similar to that of Save As. You are asked where you want to duplicate the file to. No versioning information is sent with the file. These same options are in the File menu as well.

The command-S will still save a file, and in fact now it does more and it saves a new version of the file (also done as part of the auto-save routine). The Revert to Saved options in the File menu and title bar menu will bring up an interface similar to that of Time Machine. You can navigate through here to find a version that you want to restore and restore your data.

Versioning information is persistent across a restore. In fact, once restored, you can revert back to a more recent save than that which was restored. In my testing so far, versioning information is not always persistent across restores of files (works with Time Machine, doesn’t work with 3 other applications I’ve tested). But YMMV there as patches are introduced in (hopefully) the next few weeks. Versions data is stored in /.DocumentRevisions-V100. In the /.DocumentRevisions-V100/db-V1 directory is a sqlite database with information and pages files are stored in containers by UID of local users in the /.DocumentRevisions-V100/PerUID directory. Permissions here are owner of root, group of wheel and d–x–x–x.

bash-3.2# cd /.DocumentRevisions-V100/
bash-3.2# ls -al
total 0
d--x--x--x   7 root  wheel   238 Jul 18 22:39 .
drwxr-xr-x  36 root  wheel  1292 Jul 28 23:24 ..
drwx------   5 root  wheel   170 Jul 28 23:27 .cs
drw-------   2 root  wheel    68 Jul 18 22:39 ChunkTemp
d--x--x--x   3 root  wheel   102 Jul 18 22:39 PerUID
drwx------   4 root  wheel   136 Jul 28 23:27 db-V1
drwx--x--x   2 root  wheel    68 Jul 18 22:39 staging

Changing the permissions to 000 causes the feature to report no versions for the files but then you also cannot save changes to files. If you remove the .DocumentRevisions-V100 directory altogether it does not automatically recreate itself at the creation of a new document; however, it does not create itself initially until the first time you’re saving a document. Putting the directory structure back in place resolves any saving problems (is all this sounding a bit like how Spotlight indexes work to anyone???). Versioning is saved locally for files that are stored on network volumes. If you move a file that was versioned locally to a network volume and back then it will loose versioning information. If you open a file from a network share there is no versioning information in the file unless the local computer you are using had been used to make those versions. When you save a file stored on a network volume you are informed that the volume does not support permanent version storage. If you open the file and start editing it on another host and changes occur on both hosts (which the system will allow to happen) then at the next save you will get an alert that states that the file has been changed by another application. Clicking Save Anyway will overwrite changes from the other computer and Revert will revert to the last saved document or more likely error out with a complaint about permissions (even if those permissions are 777). Continuing to make changes on both hosts will eventually cause a “GSLibraryErrorDomain error 1″ error code; however, the file will remain open so you can copy your changes off into another file. A few other points of information:

  • Initially I had read that Time Machine was required to make use of this feature. That is incorrect. It works perfectly well with Time Machine disabled. Having said this, the app does report a message about Time Machine but this can safely be disregarded.
  • Initially I had read that it saves data into the ~/Library/Saved Application State directory. That too is incorrect. The state of versions-enabled applications is saved there but not the data
  • Large (> 500 page files) will auto-save very slowly if you have made a lot of changes in them. This is due to the fact that versioning results in copy operations.
  • Root can traverse into other users version files.
  • I have found no way thus far to change the auto-save interval (will hopefully update this when I do).
  • Pasting graphics into large files is much slower than previous versions (but likely offset by the new ability to flip through versions of files).
  • Not all applications have built-in Versions options yet (e.g. Office) but I think most will at some point in the future.

You can still mv a file to a .zip, unzip it and extract images and raw index data; however the versioning information is not actually saved there. Scanning the file system for changes during a version change only nets the file itself and the temp file (nested within /tmp) as having been altered. The Apple Developer Library explains Versioning as follows:

In the applications that ship as part of Mac OS X v10.7, users no longer need to save documents explicitly or be concerned about losing unsaved changes. Document-based Cocoa applications can opt into this autosaving behavior with a simple override. With automatic saving enabled, the system automatically writes document data to disk as necessary so that data displayed in a document window is, in effect, always the same as the document data on disk. A file coordination mechanism maintains sequential access to files. (See “Mac OS X File Coordination.”) Applications that support automatic saving also support document version history browsing. To browse previous versions of a document, choose Browse All Versions from the pull-down menu at the right end of the menu bar.

For more on NSDocumentController here’s Apple’s page for that.

Overall, Versions has taken me a little while to get used to. Especially in TextEdit. But I’ll take the latency in exchange for the ability to roll back changes. If you are rolling out Lion in a larger environment, you’re going to want to check out whether or not users expect this to persist across network shares, copying files to additional computers or even backups in many cases.

iPhone Mac Security

Finding iOS Device PINs

Each time you sync an iOS based device, a backup is made (unless you disable the option). These are stored in ~/Library/Application Support/MobileSync/Backup. Here you will find a number of folders, each beginning with the UDID of the iPhone, iPad or iPod Touch that has been backed up. The contents of these folders can be used to restore a device in the event that the device falls outside your control. Within the folders are a bunch of files with alphanumeric names that look garbled, even though some can be viewed using a standard text or property list editor (while others are binary). But there are also a bunch of other files in here. These can be parsed using a script, such as this one (which parses the database files), or you can use a GUI tool to put Humpty Dumpty back together again, such as iPhone Backup Extractor.

When you open iPhone Backup Extractor, click on the Read Backups button and you will be shown a list that should correspond (albeit using prettier names) to the entries in the Backup directory. Select the one that you would like to extract and then click on Choose. From here, click on iOS Files and then click on Extract. You will then be asked where to extract the file to. Choose a location.
Once extracted you can find out a lot of information about the apps you use and how they interact with your data. Most useful applications are going to cache your data (that’s what makes most of them useful) so don’t be surprised to see data such as conversations, contacts and even passwords in raw text or sqlite databases that you might not have thought so easily accessed (even without your phone). Keep in mind, the iTunes backup is considered secure to your iOS based device and if a user profile shouldn’t be considered secure then there is an Encrypt iPhone backup option available in iTunes that makes this whole process a moot point…

Anyway, back to finding that pincode… Next, browse into the extracted iOS Files and then into the Library/Preferences directory. Here you will find a file called com.apple.springboard.plist with a SBParentalControlsPin key. I extracted my files on my test device to my desktop, so I can see this with a quick defaults command:

defaults read /Users/seldon/Desktop/iOS Files/Library/Preferences/com.apple.springboard SBParentalControlsPIN

If a iPhone backup has been encrypted then it can be decrypted only if you know the correct password to decrypt. Once you have the passcode, you can safely manage the device again. There are also a lot of other things that you can enjoy playing around with if you’re interested to see what kind of data is stored where, either in the operating system or for each application (eg – com.apple.mobilephone.speeddial.plist is why I can never seem to remember my wifes phone number).

While much of the data for an iOS based device is stored in property lists, some is also stored in a sqlite database (typically in .sqlitedb files). You can interact with these via the sqlite3 command, built into Mac OS X or using a tool such as http://sourceforge.net/projects/sqlitebrowser if you’re not into SELECT commands in sqlite3. Overall, there is a lot of information that can be learned playing around with this stuff. If you haven’t given it a shot yet, I’d recommend it. However, again, don’t be alarmed about any of the security impacts of this stuff, just encrypt the backups and it’s not an issue.

Ubuntu Unix

Ubuntu and Firewalling

Using the firewall in Ubuntu can be as easy or as hard as you want to make it. BSD variants all basically use the ipfw command whereas most of the rest of the *nix world will use netfilter. Netfilter has a number of front ends; the one that comes pre-installed in Ubuntu is ufw, short for ‘uncomplicated firewall’. Ufw is good for basic port management: allow and deny type of stuff. It’s not going to have the divert or throttling options. So let’s look at some basic incantations of ufw (you need to have elevated privileges to do all of this btw).

Initial Configuration

First you need to enable ufw, which is done using the ufw command (no need to apt-get this to install it or build it from source) followed by the enable option:

ufw enable

You can also use the disable option to turn the firewall back off:

ufw disable

And to see rules and the status of the firewall, use the status option:

ufw status

The ufw Configuration File

The ufw configuration file is /etc/default/ufw. Here, you can manage some basic options of ufw. These include:

  • IPV6 – Set to YES to enable
  • DEFAULT_INPUT_POLICY – Policy for how to handle incoming traffic not otherwise defined by a rule. Defaults at DROP but can be changed to ACCEPT or REJECT
  • DEFAULT_OUTPUT_POLICY – Same as above but for handling outgoing traffic not otherwise defined by a rule.
  • DEFAULT_FORWARD_POLICY – Same as above but for forwarding packets (routing).
  • DEFAULT_APPLICATION_POLICY – I’d just leave this as the default, SKIP.
  • MANAGE_BUILTINS – when set to yes, allows ufw to manage default iptables chains as well.
  • IPT_MODULES – An array of iptables modules that can be added

To restart ufw after you make changes to the configuration file, use the services command:

service ufw reload

Or:

service ufw restart

Creating Rules

The first thing most people will want to do is enable a port. And of the ports, 22 is going to be pretty common, since without it you can’t ssh back into the box. For this, you’ll use the allow option followed by the name of the service (application profile):

ufw allow ssh

You can use numbers instead (since ufw isn’t going to know every possible combination and you might be running some on custom ports):

ufw allow 22

You can also deny traffic using the same structure, just swapping allow with deny:

ufw deny http

Beyond a basic allow and deny, you can also specify what IP addresses are able to access each port. This is done using ufw followed by the proto option, which is the followed by the actual protocol (tcp vs udp, etc) which is then followed by the from option and then the source then the to option then the IP to accept traffic (or the any option for all IPs on your box) and finally the port option followed by the actual port. Sounds like a lot until you see it in action. Let’s say you actually want to allow traffic for port 10000 but only from 192.168.210.2. In that case, your rule would be:

ufw allow proto tcp from 192.168.210.2 to any port 10000

Or if you only wanted 10000 to be accessible on one IP of your system (theoretically you have two in this scenario) that has an address of 192.168.210.254:

ufw allow proto tcp from 192.168.210.2 to 192.168.210.254 port 10000

Using ufw

Once you have your rules configured, you are invariably going to have to troubleshoot issues with the service. Obviously, start with log review to perform a hypothesis of what the problem is. To enable logging use the logging option and specify the on parameter for it:

ufw logging on

Once enabled I usually like to view both /var/log/messages and /var/log/syslog for entries:

cat /var/log/syslog | grep UFW ; cat /var/log/messages | grep UFW

One of the best troubleshooting tools to prove any hypothesis that has to do with a rule is to simply delete the rule. To delete the deny http rule that we made earlier, just use the ufw command along with the delete option specifying the deny 22 rule as the rule to remove:

ufw delete deny http

Additionally, just disabling ufw will usually tell you definitively whether you are looking at a problem with a rule, allowing you to later look into disabling each rule until you find the offending rule.

iptables

Ubuntu also comes with iptables by default. iptables is the ipchains replacement introduced a number of years ago and is much more complicated and therefore flexible than ufw, although using one does not mean you cannot use the other. To get started, let’s look at the rules:

iptables -L

You will then see all of the rules on your host. If you have been enabling rules with ufw these will be listed here. You can then configure practically anything for how each chain (a chain is a series of rules for handling packets) functions. You can still do basic tasks, such as enabling ssh, but iptables will need much more information about what specifically you are trying to do. For example, to accept incoming traffic you would need to define that the chain will add an input (by appending it to the chain using -A INPUT) for tcp packets (-p tcp) on port 22 (–dport ssh) and accepting those packets (-j ACCEPT):

iptables -A INPUT -p tcp –dport ssh -j ACCEPT

That is about as simple as iptables get. I’ll try and write up more on dealing with it later but for now you should have enough information to get a little wacky with some basic firewall functionality on Linux. Enjoy.

Mac OS X

Disable Caps Lock in Mac OS X

I don’t think I’ve actually used the caps lock key in years. Well, scratch that, I’ve frustratingly used it by accident. I did a post a couple of years back with a couple of ways to disable it for Windows. But recently I’ve been doing a lot of work and have accidentally made the amount of work a little more by enabling the caps lock key and typing entire paragraphs. So to disable, open the Keyboard & Mouse Preference Pane from System Preferences and then click on Modifier Keys. From here, change the Caps Lock Key value to No Action. Check out com.apple.systempreferences.plist and the com.apple.preference.keyboard.config array within it for doing so programatically.

Windows XP

Disable Auto-Run

When you plug a disk into a drive (er, mount a volume) in Windows the autorun.inf will automatically be processed. You can disable this by holding down the shift key when you plug it in.