Tom Ritter's questions

I am a developer on a browser (Firefox) and I am working with Restricted Tokens to lock down our sandbox further than it is currently. I am removing a SID from our content process, and it breaks things. Identifying the specific thing it breaks would be much easier if Windows could just tell me (with as much detail as possible) any function call the application made that failed due to not having permission to do the [whatever].

Is it possible to have Event Viewer spit out every failed access control check an application makes?

(I have looked at the Application/Security Logs under 'Windows' in Event Viewer, but they did not contain anything.)

Let's say I have a policy file, such as

fw         net    ACCEPT
net        fw     DROP

trusted    fw     ACCEPT
trusted    net    ACCEPT

untrusted  fw     DROP*
untrusted  net    ACCEPT

all        all    REJECT

What I'd like to do is send all the traffic from the untrusted network that is destined to the firewall (marked with a *) to a packet capture utility like tcpdump or tshark for analysis.

It seems like the QUEUE or NFQUEUE actions might do the trick, or I could use actions... But I've not played with either of those components of shorewall, so I'm not sure the way forward with them.

First 6to4:

6to4 allows IPv6 Packets to be transmitted over IPv4. It's used to connect two IPv6 'islands' - not enable IPv4 to talk to IPv6 or vice versa. IPv6 address 2002:AABB:CCDD:: becomes IPv4 address AA.BB.CC.DD and you slap a IPv4 packet header onto the IPv6 header, and forward that sucker off through the IPv4 network.

If I send a packet from one IPv6 Island in the 2002:AABB:CCDD:: space to another, my local 6to4 border router will recieve it, wrap it in IPv4 to AA.BB.CC.DD and forward it there. AA.BB.CC.DD is another 6to4 border router on an island who unwraps the IPv4 and sends it to the IPv6 address.

If I send a packet from an IPv6 Island in 2002:AABB:CCDD:: to a native IPv6 address like 2054::45, it will go to my border router who wraps it in IPv4 to 192.88.99.1 - the IPv4 anycast 6to4 Relay Router address. The nearest relay router (which could be run by anyone) will get it and unwrap it and forward it to the IPv6 address specified. To reply, 2054::45 will reply to my 2002:: address, which will be routed to the nearest relay router (who advertises it handles 2002::/16). The relay router will then wrap it in IPv4 to the AA.BB.CC.DD address where it goes to my border router, is unwrapped and sent to me.

I think I understand that right. It's 6rd I'm having problems with.

Sending a packet from my IPv6 Island to another 6rd island is the same as sending to a native IPv6 address - right? Because the ISP's 6rd router is in its assigned IPv6 address space, the IPv6 routers don't know it's a 6rd island.

If the 6rd island I'm trying to contact isn't connected to the broader IPv6 Internet - there's no way to reach it, right? It would need to go over IPv4, but my 6rd border router doesn't know how to turn an arbitrary IPv6 address into an IPv4 address... does it? And on the reverse trip, there's no 6rd relay router in the IPv6 internet to translate an IPv6 packet to what looks like a normal IPv6 address into IPv4 and send it to the right location.

Inside a single ISP:

6rd island - [6rd Border Router] - IPv4 ISP Internet - [6rd Border Router] - 6rd Island 

This works fine, because the ISP controls the routes and can add routes to the 6rd Routers saying "If you're trying to reach 2054::something, send it over IPv4 to a.b.c.d. But I don't understand how 6rd routes over the broader IPv4 or IPv6 Internet.

On linux you can use lm_sensors to expose CPU temperature to snmp, and use your tool of choice to graph it. I'd like to do the same with Windows.

I found SNMP-Informant which offers two free agents that plug into Windows SNMP service. I'm using the standard one to export Disk, Network, CPU, and Memory info to a linux box running Cacti. It's perfect.

And their Motherboard Monitor is exactly what I'm looking for (exporting temperature, fan speeds, voltages) - except it requires 6-year-old MBM5 that doesn't even run, let alone list my new Gigabyte board in the motherboards to pick.

Anyone know how to do this?

So let's say one typoed something in their .bashrc that prevents him (or her) from logging in via ssh (i.e. the ssh login exits because of the error in the file). Is there any way that person could login without executing it (or .bashrc since the one runs the other), or otherwise delete/rename/invalidate the file?

Suppose you don't have physical access to the machine, and this is the only user account with the ability to ssh in.

For Reference: .bash_profile includes .bashrc:

[[ -f ~/.bashrc ]] && . ~/.bashrc

Edit: Things I have tried:

ssh user@host "rm ~/.bashrc"

scp nothing user@host:/RAID/home/tom/.bashrc

ssh user@host  "/bin/bash --norc"

All give the error:

/RAID/home/tom/.bashrc: line 16: /usr/local/bin/file: No such file or directory
/RAID/home/tom/.bashrc: line 16: exec: /usr/local/bin/file: cannot execute: No such file or directory

I'm currently using gentoo and have the following method of knowing when anyone logs into my server (it's really just me, but if anyone were to gain access, I'd want to know about it)

1) Use sec to monitor logfiles

type=SingleWithScript
ptype=RegExp
pattern=Accepted keyboard-interactive/pam for ([a-z]+) from ([0-9|\.]+) port
script=/root/scripts/userLogin.pl $1 $2
desc=User Login
action=write /var/log/sec/sec.log User Login: $1 has logged in from $2
action2=write /var/log/sec/sec.log Script Failed: User Login: $1 has logged in from $2

2) Script:

#!/usr/bin/perl -w
use Net::SMTP::TLS;

my $smtp;
if (not $smtp = Net::SMTP::TLS->new('smtp.gmail.com',
                            Port => 587,
                            User => '',
                            Password => '',
                            Debug => 1)) {
    die "Could not connect to server\n";
}

$smtp->mail('');
$smtp->to('');
$smtp->data();
$smtp->datasend('To: ' . "\n");
$smtp->datasend('From: ' . "\n");
$smtp->datasend("Subject: User Login: $ARGV[0]\n");
$smtp->datasend("\n");
$smtp->datasend("$ARGV[0] has logged in from $ARGV[1]\n");
$smtp->dataend();
$smtp->quit;

But I'm worried that my regex isn't broad enough. "Accepted keyboard-interactive/pam" - can logins generate logs that don't match that format?

I like SpeedTest.net, but what I'd really like to do is put a graph in cacti, run a speed test every half-hour, and graph the results (maybe running it three times each time and averaging it).

I can do the cacti part, but I need a script (perl, python, php, bash, ruby, whatever) that can produce speed results. Does anyone know a script that does this, or a webpage that would be script-friendly I could hit and parse?

I'm using cacti, and I accidentally set my clock set ahead. Cacti updated, storing new data in the rra's - and now that I've fixed my clock, I can't get cacti to update again. What do I do?

• I have a server running apache with a self-signed certificate (the server) with subversion hooked in
• It requires a username to checkout or update from the repo.
• I have a checkout from the repo that I am trying to update on a cron job on two servers: server and client. Neither cron job will work for the same reason (I have almost the same setup on both, but the client is simpler).
• The following are on client, where there is only one login: root (I know, please spare me the ridicule)
• they are both gentoo if you think that matters

error

Error validating server certificate for 'https://server:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: Tom
 - Valid: from Sun, 01 Feb 2009 03:51:25 GMT until Tue, 01 Feb 2011 03:51:25 GMT
 - Issuer: Fake Company, NYC, New York, US
 - Fingerprint: fingerprint here

   (R)eject, accept (t)emporarily or accept (p)ermanently? 
svn: OPTIONS of 'https://server/svn/repo': Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted (https://server)

I know all this. That's why I followed all the guides to get svn to automatically accept the certificate:

/root/.subversion/servers

[global]
ssl-authority-files = /root/scripts/server.crt

/root/scripts/server.crt

-----BEGIN CERTIFICATE-----
MIIDejCCAmICCQDibo0twimetjANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzERMA8GA1UECBMITmV3IFlvcmsxDDAKBgNVBAcTA05ZQzEjMCEGA1UEChMaSGFw
et al
-----END CERTIFICATE-----

/root/scripts/backup.sh

svn up /BACKUP/checkouts/server/ --username tom

And the command runs fine as root (no sudo, directly as root) with no prompting for confirming a certificate (it had previously, but I chose p for accept permanently).

Does anyone know why my script won't work? It's been annoying me for the past several months.

**Edit:**It's taken me a bit to get back to this, and I followed David's advice, but it still doesn't work. Now the error is:

Error validating server certificate for 'https://server:443':
 - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: server
 - Valid: from Sat, 20 Jun 2009 14:10:45 GMT until Mon, 20 Jun 2011 14:10:45 GMT
 - Issuer: Fake Company, New York, US
 - Fingerprint: 1a:c6:9c:eb:62:9e:e1:05:d9:d3:ac:01:f4:35:dc:00:14:48:e5:39
(R)eject, accept (t)emporarily or accept (p)ermanently? svn: OPTIONS of 'https://server/svn/folder': Server certificate verification failed: issuer is not trusted (https://server)

Can anyone help me find out what is going on here? I have some rules set up tracking packet counts. When I run the following script as root:

#!/bin/bash
iptables -t mangle -xnvL

I get the output I expect:

//snip
233203 199929802 MARK  //blah blah blah
//snip

However, I want to run this as part of cacti, which runs as apache. Now apache can't run iptables, which is why I have the script. I set it up as SUID root:

-rwsr-sr-x 1 root root   37 May 14 23:06 iptables_packet_report.sh

But then I get this output:

server # sudo -u apache ./iptables_packet_report.sh
iptables v1.4.2: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Obviously my kernel is fine, and the fact that I'm running it as non-root is messing something up, but I don't understand why. I did double check the SUID with [the demonstration](http://en.wikipedia.org/wiki/Setuid#Demonstration and confirmed it was working.

server # sudo -u apache ./printid
Real UID  = 81
Effective UID = 0
Real GID  = 81
Effective GID = 0

My end goal is to get the output of iptables -t mangle -xnvL while running as apache so I can use cacti to graph it all nicely.

My external network interface on a gentoo box will produce these errors intermittently (maybe 3-4 a week). It is hooked up to Optimum online, and gets its IP via DHCP. It's always-on, and it almost never loses connection (when it does usually I or one of my roommates notices it).

eth1: failed to renew, attempting to rebind

I'm trying to understand what might produce these errors.