VMWare hardening guide

I found this after doing my last ESXi install and I thought it would be worth sharing; it's always handy to have a document to follow.
Enjoy.
Happy B-Day PacMan

Tomorrow PacMan will be 30 years young and still played.
If you have seen Google today you will be able to play a version in the graphic!
One of the things I found most interesting is the level 256 bug in the Pac-Man game. The level you are playing is stored in a single byte ( 1 byte = 8 bits, so the highest value it can hold is 255 decimal ). So what happens when you finish level 255? The byte rolls over, of course, to zero, the rest of the game's code does not handle that, and you end up with this:
http://en.wikipedia.org/wiki/Pac-Man#Split-screen
You can get a longer explanation of what happens at that link.
Biba explained – Part 5

This is where things can get confusing; learning how labels and levels work was pretty easy, but compartments work differently. Here is an example.
process1 biba/50:5+6+7
process2 biba/50:5+6
process3 biba/50
Here we have three processes, all at level 50. In this example process3 would not be able to read anything from process1 or process2. Process1 would be able to read from process2, but process2 would not be able to read from process1, because it is not in compartment 7 and does not trust that. Also, for writing, even though process2 cannot read from process1 it can write to it.
This will take practice, and if you just set it up on your own I am sure it will click quickly.
Biba explained – Part 4

In the last section we left off at compartments and labels. We have covered what a label is and how it applies to the files and processes in a system; compartments have a good chance of making your head hurt.
Here is an example label with a compartment.
process biba/50:5+6+7
OK, so what is this? With biba on FreeBSD you can use ‘ps’ with the “-Z” flag to report the label applied to each process. The biba/50:5+6+7 on the end is the actual label; I will break it down.
biba/50:5+6+7
The 50 ( between the / and the : ) is the level of the process; the numbers following the ‘:’ are the compartments that the process is assigned to ( these range from 0 to 255 ).
In the next part we will go into how this affects how biba operates.
Biba explained – Part 3

Now we can put some context around biba running on a FreeBSD system and some things you could do with it.
There are 65,535 levels that can be assigned to a process or file, plus 3 special levels.
low – It is lower than any other process.
equal – It is equal to any other process; it is almost like excluding it from the label system.
high – It is higher than any other process.
There is also something called compartments that can be applied to the label, so a file can have a level and a compartment. There is a maximum of 256 compartments ( 0 – 255 ); processes and files can be part of multiple compartments, and it can get a bit confusing if you don’t plan it out well.
Biba explained – Part 2

In an integrity setting the model would play out like this.
The General can only see his Top Secret document; the other two are not visible to him. Why?
The General has high integrity. The documents rated below him have a lower integrity, so the information contained in them cannot be trusted, so he cannot see them. Even though he cannot read the low integrity documents he is able to write to them and change them. This is because of his integrity level again: his information is more trustworthy than that in the documents, so he can write down but not read down.
The Commander is in the middle again, but in this case he can read the Top Secret document; because the document has a higher integrity level than him, he can read it. ( This would also apply to documents at the same integrity level as a user. )
The Civilian at the bottom again can see all of the documents, but just like the Commander he cannot change any documents with a higher level than himself.
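To make the read-up/write-down rules from Parts 2 to 5 concrete, here is an added example (my own code, not from this blog or from FreeBSD) that parses biba labels in the form ps -Z prints them and applies the dominance test as mac_biba(4) defines it: one label dominates another when its grade is at least as high and its compartment set is a superset of the other's, with low/equal/high handled as the special levels from Part 3. A subject may read an object only when the object's label dominates the subject's, and write only when the subject's dominates the object's. The person and document labels (high, 50, low) are constructed to stand in for the General, Commander and Civilian of Part 2; the three process labels are the ones from Part 5. Note that under this rule the compartments are compared as a subset: process2 (5+6) can read from process1 (5+6+7) but not write to it, and process3 (no compartments) is dominated by both, so it can read from them but not write to them.

```python
"""Biba label dominance as mac_biba(4) defines it (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

MAX_GRADE = 65535        # numeric levels, per Part 3
MAX_COMPARTMENT = 255    # compartments 0-255, per Parts 3 and 4


@dataclass(frozen=True)
class BibaLabel:
    kind: str                                   # "low", "equal", "high" or "grade"
    grade: int = 0                              # only meaningful when kind == "grade"
    compartments: FrozenSet[int] = frozenset()  # only meaningful when kind == "grade"

    @classmethod
    def parse(cls, text: str) -> "BibaLabel":
        """Parse 'biba/50:5+6+7', 'biba/50', 'biba/low', 'biba/equal' or 'biba/high'."""
        if not text.startswith("biba/"):
            raise ValueError(f"not a biba label: {text!r}")
        body = text[len("biba/"):]
        if body in ("low", "equal", "high"):
            return cls(kind=body)
        grade_text, _, comp_text = body.partition(":")
        grade = int(grade_text)
        if not 0 <= grade <= MAX_GRADE:
            raise ValueError(f"grade out of range: {grade}")
        comps = frozenset(int(c) for c in comp_text.split("+")) if comp_text else frozenset()
        if any(not 0 <= c <= MAX_COMPARTMENT for c in comps):
            raise ValueError(f"compartment out of range in {text!r}")
        return cls(kind="grade", grade=grade, compartments=comps)

    def dominates(self, other: "BibaLabel") -> bool:
        """True when self sits at or above other in the integrity lattice."""
        if self.kind in ("high", "equal"):     # high/equal dominate everything
            return True
        if other.kind in ("equal", "low"):     # everything dominates equal/low
            return True
        if self.kind == "low" or other.kind == "high":
            return False
        # Both numeric: higher-or-equal grade and a superset of the compartments.
        return self.grade >= other.grade and other.compartments <= self.compartments


def can_read(subject: BibaLabel, obj: BibaLabel) -> bool:
    """No read down: the object's integrity must dominate the subject's."""
    return obj.dominates(subject)


def can_write(subject: BibaLabel, obj: BibaLabel) -> bool:
    """No write up: the subject's integrity must dominate the object's."""
    return subject.dominates(obj)


def access_matrix(subjects: Dict[str, BibaLabel],
                  objects: Dict[str, BibaLabel]) -> Dict[Tuple[str, str], str]:
    """Map every (subject, object) pair to 'rw', 'r', 'w' or '-'."""
    result = {}
    for sname, s in subjects.items():
        for oname, o in objects.items():
            mode = ("r" if can_read(s, o) else "") + ("w" if can_write(s, o) else "")
            result[(sname, oname)] = mode or "-"
    return result


# Constructed labels standing in for the military example of Part 2.
PEOPLE = {
    "General": BibaLabel.parse("biba/high"),
    "Commander": BibaLabel.parse("biba/50"),
    "Civilian": BibaLabel.parse("biba/low"),
}
DOCUMENTS = {
    "Top Secret": BibaLabel.parse("biba/high"),
    "Secret": BibaLabel.parse("biba/50"),
    "Unclassified": BibaLabel.parse("biba/low"),
}

# The three process labels from Part 5, checked against each other.
PROCESSES = {
    "process1": BibaLabel.parse("biba/50:5+6+7"),
    "process2": BibaLabel.parse("biba/50:5+6"),
    "process3": BibaLabel.parse("biba/50"),
}

if __name__ == "__main__":
    for title, subs, objs in (("documents", PEOPLE, DOCUMENTS),
                              ("processes", PROCESSES, PROCESSES)):
        print(f"== {title} ==")
        for (s, o), mode in access_matrix(subs, objs).items():
            print(f"{s:10} -> {o:12} {mode}")
```

Running it prints one line per subject/object pair; the General comes out as "w" on Secret and Unclassified and "rw" only on Top Secret, the Civilian as "r" on everything above him, which is exactly the write-down/read-up behaviour described above.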
Biba explained – Part 1

A quick explanation of biba is in order before we continue, just so you know what is going on. What is biba? Biba is a data integrity model.
A quick way to explain this is with a data confidentiality model and a simple military example. Say you have 3 people: a general, a commander and a civilian. Along with the 3 people we have 3 documents: one is Top Secret, one is Secret and the last is Unclassified.
The General, being at the top of the pile, can do what he likes with all three documents; his level of authority is Top Secret, so he can do whatever he likes.
The Commander is in the middle; he has access to the Secret document and the Unclassified one, but he cannot even see the Top Secret one. ( I will get a little more into this at some point. )
The Civilian can only see the Unclassified document and does not know that the other two even exist.
Part 2 is this example in an integrity model.
Building a FreeBSD MAC Kernel – Part 2

Once the sync has completed, go to /usr/src:
cd /usr/src/
There is a sys/ dir under src/; in sys/ there is a directory for each architecture you can build a kernel for, and inside the one you select there is a conf/ dir.
If you do an ‘ls’ in the conf/ dir you will see the pre-built kernel configs you can select from. In the MAC config you will see a few options to uncomment. Remove the # from in front of ‘options MAC_BIBA’:
options MAC
options MAC_BIBA # BIBA data integrity policy
Once you have done that, go back to /usr/src/ and you can start to make the kernel.
make buildkernel KERNCONF=MAC
make installkernel KERNCONF=MAC
That’s the build completed, but there are a few more steps to configuring biba on your system still to come.
Building a FreeBSD MAC Kernel – Part 1

No, not a Mac as in Apple; a MAC as in a mandatory access control kernel, with biba!
To build your own MAC kernel, or any FreeBSD kernel, you will need to get the source tree; you can do this by using cvsup and a config file.
Mine is called supfile, and it looks like this.
*default tag=RELENG_7_2_0_RELEASE
*default host=cvsup3.jp.FreeBSD.org
*default prefix=/usr
*default base=/var/db
*default release=cvs delete use-rel-suffix compress
src-all
You will have to change the release as needed, and you may want to pick another host. Once you have the file, install cvsup:
pkg_add -rv cvsup-without-gui
Or you can use the ports tree if you want to; it’s under /usr/ports/devel/.
Now run cvsup to download the tree:
cvsup /usr/supfile
And wait.
Automating system tasks with Perl – Part 2

Here is a more complicated example that I created for Expect.
Set up the connection again.
use strict;
use warnings;
use Net::SSH::Expect;

my $ssh = Net::SSH::Expect->new(
    host     => "myserver.com",
    password => 'pass87word',
    user     => 'bnegrao',
    raw_pty  => 1,
);
my $login_output = $ssh->login();
if ($login_output !~ /Welcome/) {
    die "Login has failed. Login output was $login_output";
}
We have a prompt now ( if it did not die ). So here is a little snippet of code:
$ssh->send("su - oracleuser");
$ssh->waitfor('password:', 2);      # wait up to 2 seconds for su's password prompt
$ssh->send("password");
$ssh->waitfor('\$', 1);             # wait for the shell prompt; waitfor takes a regex, so the $ is escaped. You could get a little more error control here but I have not had a problem.
$ssh->send("sqlplus /nolog");       # log in to the DB
$ssh->waitfor('SQL', 5);            # wait 5 seconds for the SQL prompt.
I am not going to take that any further; you should see where that is going. You can also do other things just as if you were at the prompt.
Send ‘cd /path/to/something’, then you can execute something in the context of that dir, ‘./execute.bin’.
You can also send signals over the connection to pids. You can send a ‘kill -STOP pid’ or a ‘kill -CONT pid’, so you can mess with and create background pids ( you may need to use disown for this to work properly ).
Enjoy.