Security Advancements at the Monastery » Mac OS X
http://blog.securitymonks.com

Request Tracker Installation (Part 2 of 2)
http://blog.securitymonks.com/2008/08/03/request-tracker-installation-part-2-of-2/
Mon, 04 Aug 2008 02:33:46 +0000, John Gerber

A while back, I posted “Request Tracker Installation (Part 1 of 2),” which provided information and additional links concerning Request Tracker (RT). As a reminder, RT is an enterprise-grade ticketing system which allows for checking the status of various tasks, including when the tasks were requested, who requested them and why, when they were completed, their priority, etc. I delayed the second part of the post, which was to step through the installation of RT, until I could add some background information. I wanted to walk through implementing secure open source software such as Apache, PHP, MySQL, OpenSSL, and ModSecurity. No small task. It is all about integration, both in terms of security and the power that a software package like RT can provide your organization. That is why I selected the image on the left of all these various open source software symbols for this post on RT.

If you are going to be using RT, you need to get the “RT Essentials” book written by Jesse Vincent, Robert Spier, Dave Rolsky, Darren Chamberlain, and Richard Foley. It is a good reference and a quick read. For up-to-date information, see the RT Wiki and the Best Practical Solutions blog site.

Prerequisites

To start, please review the following posts:

  1. An Apache Implementation
  2. Apache and OpenSSL
  3. PHP Implementation
  4. Introduction to MySQL
  5. Setting Up and Securing MySQL: References
  6. Implementing a Web Application Firewall with ModSecurity

Install Software

With Apache, MySQL, PHP, OpenSSL, and ModSecurity installed, we are now ready to focus on software packages required by RT.

1. Installing expat.

Different operating systems will vary on whether expat, the XML parser, is installed. Expat is needed to complete the cpan install for XML::RSS. Check your particular operating system.

 root# cd /usr/local/src
 /usr/local/src root# wget http://downloads.sourceforge.net/expat/expat-2.0.1.tar.gz
 /usr/local/src root# tar xzf expat-2.0.1.tar.gz
 /usr/local/src root# cd expat-2.0.1
 /usr/local/src/expat-2.0.1 root# ./configure
 /usr/local/src/expat-2.0.1 root# make
 /usr/local/src/expat-2.0.1 root# make check
 /usr/local/src/expat-2.0.1 root# make install

2. Install FastCGI

For RT, you can install mod_perl or mod_fastcgi. In this posting, we are going to walk through the installation of FastCGI. Information concerning mod_perl will be provided below so the reader can choose what fits best in their environment. FastCGI is much simpler to install and allows the core Apache process to stay small in size. With FastCGI, RT runs as a separate process from Apache, allowing RT to be stopped and restarted without affecting the Apache server. In general, FastCGI programs are easier to manage.

The Apache module mod_fastcgi allows a web server to run CGI scripts via a separate, persistent program. PHP comes with FastCGI support compiled in by default, so nothing needs to be done to the PHP installation.

You can have the Apache program call FastCGI and have it run as the same user as the Apache server, or use suexec to have FastCGI switch to a different user. Under some operating systems, suexec may not get compiled and installed when installing Apache. Check if suexec is installed, and if not, go back to the Apache source, compile it, and install it. Initially, we are not going to use the suexec program. Instead we will create the group “rt”, add user httpd to group rt, and set permissions that way. You may choose later to use suexec.

 root# ls -la /usr/local/apache/bin/suexec
ls: /usr/local/apache/bin/suexec: No such file or directory
 root# cd /usr/local/src/httpd-2.2.8
 /usr/local/src/httpd-2.2.8 root# make suexec
 /usr/local/src/httpd-2.2.8 root# cp ./support/suexec /usr/local/apache/bin/suexec

Now, we are ready to get mod_fastcgi installed.

 root# cd /usr/local/src
 /usr/local/src root# wget http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
 /usr/local/src root# tar xzf mod_fastcgi-2.4.6.tar.gz
 /usr/local/src root# cd mod_fastcgi-2.4.6
 /usr/local/src/mod_fastcgi-2.4.6 root# cp Makefile.AP2 Makefile
 /usr/local/src/mod_fastcgi-2.4.6 root# make top_dir=/usr/local/apache
 /usr/local/src/mod_fastcgi-2.4.6 root# make top_dir=/usr/local/apache install
 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/mod_fastcgi-2.4.6 root# vi /usr/local/apache/conf/httpd.conf

Add the following lines to the Apache httpd.conf file:

# Load the mod_fastcgi module.
LoadModule fastcgi_module modules/mod_fastcgi.so

Check if installation and configuration is working.

 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl start
 /usr/local/src/mod_fastcgi-2.4.6 root# cat /var/www/logs/error_log | grep -i fastcgi
[Fri Aug 01 12:17:22 2008] [notice] FastCGI: process manager initialized (pid 15221)
[Fri Aug 01 12:17:22 2008] [notice] Apache/2.2.8 (Unix) mod_ssl/2.2.8
OpenSSL/0.9.7a mod_fastcgi/2.4.6 configured -- resuming normal operations

For in-depth coverage of mod_perl, Stas Bekman and Eric Cholet have written the book “Practical mod_perl.” They have made the complete book available online in both HTML and PDF format under the Creative Commons Attribution Share-Alike License. Stas Bekman and Jim Brandt have also written the “mod_perl2 User’s Guide” book, where 50% of the book’s proceeds go to The Perl Foundation.

If you are installing under Mac OS X, mod_perl may complain about Perl 5.8.8 being built without threads, and you will get a message about building perl with -Duserthreads. If you are determined to use mod_perl, consider dropping back to Apache 1.3.x and using mod_perl 1.x. While Apache 1.3.x is legacy code, and I tend to want to use the code that is being actively developed, there is an argument for using Apache 1.3.x. One major feature of Apache 2.x is threading. On Windows, where most basic libraries are and must be thread-safe, Apache 2 is really the only choice. Earlier Mac OS X releases did not include a completely thread-safe libc, so threading is still not fully supported in Perl. This is why the Perl version that comes with Mac OS X is not compiled to use threads. To use Apache 2.x with mod_perl, Perl will need to be configured to use threads. The code is available from the Perl web site.

Rather than getting bogged down in compiling Perl to use threads, we will move ahead and use FastCGI. By the time this post is published, I will have worked on getting RT installed under Linux, Mac OS X, and FreeBSD. Figuring out what software works best in a multi-OS environment can be challenging.

3. Configure RT

Let us start by adding the group rt. Under many operating systems, this would be done with the simple command “groupadd rt.” Things are always more interesting under Mac OS X, where you would have to first look at what group ids (gids) are in use, choose an unused gid, and then create the rt group using that gid. Under Mac OS X Leopard, group rt would be created with the commands (substitute your chosen gid for gid-of-rt):

 root# dscl . list /groups PrimaryGroupID | sort -k 2,2 -n
 root# dscl . create /groups/rt gid gid-of-rt
 root# dscl . create /groups/rt passwd '*'
 root# dscl . read /groups/rt
AppleMetaNodeLocation: /Local/Default
Password: *
PrimaryGroupID: gid-of-rt
RecordName: rt
RecordType: dsRecTypeNative:groups
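To make the gid choice above mechanical rather than eyeballed, here is an added example (not code from the original post) that reads the output of `dscl . list /groups PrimaryGroupID`, picks the lowest free gid for the rt group, and emits the two dscl commands from the post. The dscl output embedded below is constructed.

```python
"""Choose an unused gid for the "rt" group on Mac OS X.
Added example, not from the original post; the dscl output is constructed."""

# Constructed sample of `dscl . list /groups PrimaryGroupID` output:
# one group per line, name followed by its PrimaryGroupID.
SAMPLE_DSCL_OUTPUT = """\
nobody   -2
wheel    0
daemon   1
staff    20
_www     70
admin    80
httpd    500
mysql    501
"""


def parse_group_ids(text):
    """Return {group_name: gid} from dscl output, skipping blank or malformed lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, gid = parts
        try:
            groups[name] = int(gid)
        except ValueError:
            continue
    return groups


def choose_gid(groups, name="rt", start=500, end=65533):
    """Return the gid to use for `name`.

    If the group already exists its current gid is returned, so re-running the
    create command never silently changes an existing group's id.  Otherwise the
    lowest gid in [start, end] that no group currently uses is chosen; the range
    skips the low system gids (wheel, daemon, staff, ...) seen in the sample.
    """
    if name in groups:
        return groups[name]
    used = set(groups.values())
    for gid in range(start, end + 1):
        if gid not in used:
            return gid
    raise RuntimeError(f"no free gid between {start} and {end}")


def dscl_commands(name, gid):
    """The two dscl create commands from the post, with the chosen gid filled in."""
    return [
        f"dscl . create /groups/{name} gid {gid}",
        f"dscl . create /groups/{name} passwd '*'",
    ]


if __name__ == "__main__":
    groups = parse_group_ids(SAMPLE_DSCL_OUTPUT)
    gid = choose_gid(groups)
    print("\n".join(dscl_commands("rt", gid)))
```

On a real machine, feed `subprocess.run(["dscl", ".", "list", "/groups", "PrimaryGroupID"], capture_output=True, text=True).stdout` to `parse_group_ids` instead of the constructed sample.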

RT’s primary maintenance and documentation site is http://www.bestpractical.com. Documentation can be found at the Best Practical Solutions RT Wiki located at http://wiki.bestpractical.com/. The latest TAR/GZ is located at http://download.bestpractical.com/pub/rt/release/rt.tar.gz. The lack of any version numbers means the version can be updated at any time. The latest version, as of this writing, is 3.8.0.

The following are the steps for downloading and configuring RT:

 root# cd /usr/local/src
 /usr/local/src root# wget http://download.bestpractical.com/pub/rt/release/rt.tar.gz
 /usr/local/src root# tar xzf rt.tar.gz
 /usr/local/src root# cd rt-3.8.0
 /usr/local/src/rt-3.8.0 root# ./configure \
  --with-web-user="httpd" \
  --with-web-group="httpd" \
  --with-rt-user="httpd" \
  --with-rt-group="rt"

4. Install Apache::Test

The Perl module Apache::Test will not allow you to run its test suite as root. Download the module separately as a non-root user and, after configuring, compiling, and testing it, install it as root.

 root# su - goofy
 ~ goofy$ cd src
 ~/src goofy$ wget http://search.cpan.org/CPAN/authors/id/P/PH/PHRED/Apache-Test-1.30.tar.gz
 ~/src goofy$ tar xzf Apache-Test-1.30.tar.gz
 ~/src goofy$ cd Apache-Test-1.30
 ~/src/Apache-Test-1.30 goofy$ perl Makefile.PL
 ~/src/Apache-Test-1.30 goofy$ make
 ~/src/Apache-Test-1.30 goofy$ make test
 ~/src/Apache-Test-1.30 goofy$ sudo su root
 ~/src/Apache-Test-1.30 root# make install

5. Run fixdeps Command and Install Perl Modules

Now you are ready to use the fixdeps utility that comes with RT to install the required Perl modules. There is also the testdeps utility, which checks whether all dependencies are installed and RT is ready to be installed. You may need to run fixdeps multiple times before testdeps reports that you have all required software packages. The first time through, it can take a while (depending on your installation). Be aware that some Perl modules may need to be installed manually; which ones varies depending on OS and your environment. You will be able to tell which modules need manual installation from the final message printed by the fixdeps program.

 root# cd /usr/local/src/rt-3.8.0
 /usr/local/src/rt-3.8.0 root# make fixdeps
 /usr/local/src/rt-3.8.0 root# make fixdeps
 /usr/local/src/rt-3.8.0 root# make testdeps

6. Install RT

The final installation of RT is the easy part.

 /usr/local/src/rt-3.8.0 root# make install

7. Configure RT_SiteConfig.pm

We will now configure /opt/rt3/etc/RT_SiteConfig.pm. In the next step a database user and a database will be set up; in this step we only add those values to the configuration file. I am going to set up a hostname (rt.securitymonks.com) for my current machine. Please do not copy blindly; change this to suit your environment. We will create the hostname so it only exists locally by adding an entry to the machine’s /etc/hosts file. Right now, I am only going to access the Apache server from this machine. In other words, the client and server will be on the same box.

 /usr/local/src/rt-3.8.0 root# vi /etc/hosts

Add the following line, adapting it to your organization:

##
127.0.0.1       localhost
10.1.218.202    rt.securitymonks.com

We are now ready to modify the RT_SiteConfig.pm file.

 /usr/local/src/rt-3.8.0 root# vi /opt/rt3/etc/RT_SiteConfig.pm

At minimum, add the following lines to /opt/rt3/etc/RT_SiteConfig.pm:

Set($rtname, 'BRORT');
Set($Organization, 'securitymonks');

Set($CorrespondAddress , 'john@securitymonks.com');
Set($CommentAddress , 'john@securitymonks.com');

Set($Timezone , 'US/Eastern'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'secret');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:

Set($WebPath , '');
Set($WebBaseURL , 'https://rt.securitymonks.com');

# Logging
Set($LogToSyslog, '');
Set($LogToFile, 'debug');
Set($LogDir, '/opt/rt3/var/log');
Set($LogToFileNamed, "rt.log");

8. Initialize the Database

RT needs to create the rtdb database and the rt database user, and initialize some tables. This is done with the command initialize-database, which should be run only once.

 /usr/local/src/rt-3.8.0 root# make initialize-database
/usr/local/bin/perl sbin/rt-setup-database --action init --dba root --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to your mysql
instance on localhost as root.  Please specify that user's database password below. If the
user has no database password, just press return.

Password:
Working with:
Type:   mysql
Host:   localhost
Name:   rtdb
User:   rtuser
DBA:    root
Now creating a mysql database rtdb for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs
Granting access to rtuser@'localhost' on rtdb.
Done.
Now inserting RT core system objects
Done.
Now inserting data
Done inserting data
Done.

Check the MySQL database out.

 /usr/local/src/rt-3.8.0 root# mysql -u rtuser -p
mysql> use rtdb;

9. Modify Apache Configuration File

Edit the /usr/local/apache/conf/httpd.conf file.

 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/rt-3.8.0 root# vi /usr/local/apache/conf/httpd.conf

We are going to have the RT server run under our secure (SSL) web server. Find the “<VirtualHost _default_:443>” line and change it to “<VirtualHost 10.1.218.202:443>”. Add the following lines to that section (adjusting to your environment):

   ServerName rt.securitymonks.com
   DocumentRoot /opt/rt3/share/html
   ErrorLog /usr/local/apache/logs/rt.error
   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
   CustomLog /usr/local/apache/logs/rt.access_log combined
   AddHandler fastcgi-script fcgi
   ScriptAlias / /opt/rt3/bin/mason_handler.fcgi/

Add the user the Apache server runs as (httpd by default) to the rt group. For non-Mac OS X systems, modify group membership by editing the file /etc/group (vi /etc/group). Mac OS X users need to use the dscl command.

 root# dscl . append /groups/rt GroupMembership httpd
 root# dscl . read /groups/rt

Change the group and permissions on the log directory if you have told RT to log to /opt/rt3/var/log, so that the httpd user (via group rt) can write there.

 root# chgrp rt /opt/rt3/var/log
 root# chmod g+w /opt/rt3/var/log

Test the configuration file, and if everything checks out, start up Apache.

 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl start

Remember there are now three files to check for problems with RT.

  • /opt/rt3/var/log/rt.log
  • /usr/local/apache/logs/rt.error
  • /usr/local/apache/logs/rt.access_log

There are many configuration options. The options chosen in this post represent only the minimum needed to get RT running. Please see the RT Wiki’s FastCGIConfiguration page for additional information.

10. Access RT and Change the Default Password

Now it is time to log in and change the default password. Using the entry we made in our /etc/hosts file, we can now access the site by going to https://rt.securitymonks.com. This URL should be different for your site. You will see a login screen similar to the image on the left.

Log in using the username “root” and password “password”. Once logged in, you will see a screen similar to the image below (click on the image if you need to enlarge):

Over on the left menu bar, select “Configuration.” That will bring you to the “RT Administration” screen:

Select, “Users.” That will bring you to the “Select a user” screen:

Select the user “root,” which will bring you to the “Modify the user root” screen. If you look at the lower left of the screen, there is an “Access Control” area with a place to enter a “New Password.” Do so. The screen looks like:

Make sure to hit the “Save Changes” button at the bottom of the screen. With a working copy of RT, you are now ready to start adjusting configurations and working with the program. For additional information, please check out “RT Essentials,” the RT Wiki, and the Best Practical Solutions blog site. Look for future posts to build upon the RT installation and database.

Implementing a Web Application Firewall with ModSecurity
http://blog.securitymonks.com/2008/07/31/implementing-a-web-application-firewall-with-modsecurity/
Fri, 01 Aug 2008 04:02:27 +0000, John Gerber

There are a few topics I have meant to do a post on for a while. Sometimes having too much interest and information on a topic can be a bad thing. Wanting to pull together various postings and articles along with implementation instructions can be a bit time consuming. Plus, in order to demonstrate why someone might be interested in implementing a web application firewall (WAF), I envisioned a post discussing the collapse of the perimeter and addressing points made by the Jericho Forum (see the Security Roundtable podcast for June 2008 for a good discussion on the topic). Raffael Marty makes excellent points in his soon-to-be-released book, “Applied Security Visualization”:

The crime landscape is shifting. Attacks are moving up the network stack. Network-based attacks are not the prime source of security problems anymore. The attacks today are moving into the application layer: Web 2.0, instant messenger attacks, fraud, information theft, and crime-ware are just some examples of new types of attacks that generate a load of data to be collected and analyzed. Beware! Applications are really chatty and generate a lot of data.

While my current post is not about security visualization (see earlier post “Security Data Visualization“), I would like to point out that DAVIX, a live CD for data analysis and visualization, is expected to be released August 6th. That should be really cool and fun.

Since application security is a topic of interest for me, I ran into the problem of having too many topics I wanted to discuss when I started trying to write a post on ModSecurity, a free, open source WAF Apache module. Today, rather than waiting until I have integrated all the information, I decided to move ahead and do the post while limiting myself to pointing out the various sources. The reader can follow the links for a more in-depth discussion and understanding of the topic.

Why You Should Care

The Risky Business podcast has come to be one of my favorite podcasts. The host, Patrick Gray, and regular guest Munir Kotadia just crack me up. Plus the show is informative and features great guests. This week’s show had an interview with H D Moore talking about the DNS bug. Timely and informative; what else can one ask for? The 68th episode, done at the beginning of this month, had an interview with Jeremiah Grossman concerning web application firewalls. As Patrick writes in the show notes, “it takes typical organizations around 130 days to fix sequel injection bugs in code. But you can mitigate these sorts of things with a Web app firewall, and you won’t even have to deal with the development team! Hooray!”

In Grossman’s blog post “Can WAFs protect against business logic flaws?“, he pointed out that “WAFs don’t defend against every logic flaw, or even every crazy form of SQLi or XSS. Just as white/black box scanners can’t identify every vulnerability and neither can expert pen-testers or source code auditors.” Stuart King, in his article, “Larry David and Web Application Firewalls“, builds upon this idea when he wrote:

Back to the CSO article where the point is made that we are sitting on a huge legacy of insecure code and that “we can’t rewrite history.” So, the argument is that a web application firewall mitigates the risk – note: does not solve the problem – until the code can be replaced.

How much of the risk is mitigated is open to debate, but there are lots of other things to consider too. For instance the cost of redeveloping code against the cost of purchasing and supporting a WAF. We also need to consider the value and risk profile of the product.

Today’s world consists of attackers shifting focus from network-based attacks to the application layer. Grossman, in his post “Website Security Strategies that Work,” makes the claim that “9 out of 10 (or more) websites have vulnerabilities as a result of being built by those who didn’t know or appreciate the severity of today’s attacks.” There is no arguing that many organizations are sitting on a huge legacy of insecure code, much of which may have been written before the discovery of prevalent vulnerabilities such as XSS, SQL injection, CSRF, etc. Even worse, organizations often have their security groups focused on network or system security, leaving application-level security to developers. Unfortunately, these developers are receiving little or no training while remaining under pressure to produce code under short deadlines.

Andre Gironda’s series, starting with “Week of War on WAF’s: Day 1 — Top ten reasons to wait on WAF’s,” provides important reasons why WAFs should not be viewed as a silver-bullet solution. Rich Mogull, in his post “Web Application Security: We Need Web Application Firewalls To Work. Better,” makes the important point:

With old school vulnerabilities we know the details of the specific vulnerability and (usually) exploit mechanism. With WAFs, we are trying to block vulnerability classes instead of specific vulnerabilities. This is a HUGE difference. The WAF doesn’t know the details of the application or any application-specific vulnerabilities, and thus is much more limited in what it can block.

Mogull goes on to state that WAFs can:

no longer be merely external boxes protecting against generic vulnerabilities; they need tighter integration into our applications. In the long term, I’ve branded this Application and Database Monitoring and Protection (ADMP) as we create a dedicated application and database security stack that links from the browser on the front end, to the DB server on the back.

ADMPs, or if you prefer WAFs + Database Activity Monitoring (WAFs+DAM), would be another step in the evolution of WAFs. As Ivan Ristic, creator of ModSecurity, points out in his blog post “What’s the Score of the Game?“:

I feel that one of areas where organizations are failing, with regards to web application security, is that there is a lack of communication between the following three groups: Development teams (who are running source code reviews), InfoSec teams (who are running vulnerability scans) and Operational Security teams (who are running web application firewalls). These three teams each have unique perspectives on the vulnerabilities of the webapps and they should share their data with each other.

Nicely stated. No one is arguing that writing secure code is not the answer. If organizations began adopting secure systems development lifecycle (SDLC) models into their business operations, many security problems would go away. Building secure software will require changes in the current development culture, which will include people, processes, and technology. No small task.

Gunnar Peterson has a nice post, “WAF and XSG Risk and Effectiveness at 20,000 feet,” where he discusses modeling the combination of risk and effectiveness to identify areas of focus. As Peterson points out in another post, “WAFs are not as static as network firewalls…Instead WAFs collaborate much more directly with development, which is another growth opportunity for security industry.”

This post is going to stay focused on WAFs. With it taking on average 130 days to fix SQL injection bugs, organizations need something they can implement today. WAFs have an important role to play in adding a layer of security and monitoring to a defense-in-depth security approach. WAFs will evolve; they are in the process of evolving now. Understanding the fundamental ideas and going through the implementation of an open source solution starts us on the path to a better understanding of future technologies.

An Implementation Using ModSecurity

Building on the previous posts “An Apache Implementation,” “PHP Implementation,” and “Apache and OpenSSL,” we have an Apache web server set up to build upon. For additional details, please get Ivan Ristic’s book, “Apache Security.” It really is a must-have book for anyone serious about running an Apache web server. Ristic also maintains the ModSecurity website and blog, which serve as a great source of up-to-date information on ModSecurity.

The Apache module mod_unique_id needs to be installed for ModSecurity to work properly (it supplies the unique id recorded for each transaction). This module was not installed when we configured Apache; at that time, we did not know we needed it. While it can be somewhat inconvenient, for security reasons it is best not to install modules that are not needed.

1. Stop Apache Server.

# /usr/local/apache/bin/apachectl stop

2. Install mod_unique_id Module.

For non Mac OS X, do the following:

root# cd /usr/local/src/httpd-2.2.8
/usr/local/src/httpd-2.2.8 root# make clean
/usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
./configure --prefix=/usr/local/apache \
--enable-rewrite \
--enable-so \
--disable-imap \
--disable-userdir --with-mpm=worker --enable-ssl --enable-unique-id
/usr/local/src/httpd-2.2.8 root# make
/usr/local/src/httpd-2.2.8 root# make install


For Mac OS X, please do:

root# cd /usr/local/src/httpd-2.2.8
/usr/local/src/httpd-2.2.8 root# make clean
/usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --prefix=/usr/local/apache --enable-rewrite \
--enable-so --disable-imap --disable-userdir \
--with-mpm=worker --enable-ssl --enable-unique-id
/usr/local/src/httpd-2.2.8 root# make
/usr/local/src/httpd-2.2.8 root# make install

3. Install PCRE.

Only under Mac OS X did I have to install Perl Compatible Regular Expressions (PCRE). You may be able to skip this step, depending on your OS.

root# cd /usr/local/src
/usr/local/src root# wget http://downloads.sourceforge.net/pcre/pcre-7.7.tar.gz
/usr/local/src root# tar xzf pcre-7.7.tar.gz
/usr/local/src root# cd pcre-7.7
/usr/local/src/pcre-7.7 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure
/usr/local/src/pcre-7.7 root# make
/usr/local/src/pcre-7.7 root# make test
/usr/local/src/pcre-7.7 root# make install

4. Install the latest version of libxml2 or Lua.

To quote Wikipedia, libxml is “a library for parsing XML documents” and Lua is “a lightweight, reflective, imperative and procedural programming language, designed as a scripting language with extensible semantics as a primary goal.” ModSecurity requires these as dynamic (shared) libraries, which are not built by default from the source distributions, so a binary distribution is recommended.

I will go through configuration and installation of libxml2 from source and the binary installation of lua under Mac OS X. There is a good chance if you are running a different OS, the libraries will have already been installed.

root# cd  /usr/local/src/
/usr/local/src root# wget ftp://xmlsoft.org/libxml2/libxml2-2.6.32.tar.gz
/usr/local/src root# tar xzf libxml2-2.6.32.tar.gz
/usr/local/src root# cd libxml2-2.6.32
/usr/local/src/libxml2-2.6.32 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure
/usr/local/src/libxml2-2.6.32 root# make
/usr/local/src/libxml2-2.6.32 root# make install
/usr/local/src/libxml2-2.6.32 root# cd ..
/usr/local/src root# wget http://luaforge.net/frs/download.php/3097/lua5_1_3_Darwin811x86_lib.tar.gz
/usr/local/src root# mkdir lua
/usr/local/src root# cd lua
/usr/local/src/lua root# tar xzf lua5_1_3_Darwin811x86_lib.tar.gz
/usr/local/src/lua root# cp liblua5.1.* /usr/local/lib
/usr/local/src/lua root# cp include/* /usr/local/include

5. Download, unpack, configure, and compile ModSecurity.

If you are interested in connecting a ModSecurity sensor to a central audit log repository, you will want to build the ModSecurity Log Collector with the command “make mlogc”. Install instructions can be found under the apache2/mlogc-src directory. That step is not included below.

root# cd  /usr/local/src/
/usr/local/src root# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.5.tar.gz
/usr/local/src root# tar xzf modsecurity-apache_2.5.5.tar.gz
/usr/local/src root# cd modsecurity-apache_2.5.5
/usr/local/src/modsecurity-apache_2.5.5 root# cd apache2

For non Mac OS X, configure with the command:

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# ./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--with-apr=/usr/local/apache/bin \
--with-apu=/usr/local/apache/bin

For Mac OS X, use the command:

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --with-apxs=/usr/local/apache/bin/apxs

Continue to compile and install with the commands:

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# make
/usr/local/src/modsecurity-apache_2.5.5/apache2 root# make test
/usr/local/src/modsecurity-apache_2.5.5/apache2 root# make install
/usr/local/src/modsecurity-apache_2.5.5/apache2 root# ls -la /usr/local/apache/modules

6. Configure Apache and ModSecurity.

We must now edit the httpd.conf file so that the libxml2 and lua5.1 shared libraries are loaded before the ModSecurity module.

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# vi /usr/local/apache/conf/httpd.conf

Add the lines for non Mac OS X:

#
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
#
LoadModule security2_module modules/mod_security2.so

For Mac OS X, add the lines:

#
LoadFile /usr/local/lib/libxml2.2.dylib
LoadFile /usr/local/lib/liblua5.1.so
#
LoadModule security2_module modules/mod_security2.so

Create the ModSecurity configuration file. There is a file modsecurity.conf-minimal in /usr/local/src/modsecurity-apache_2.5.5 that can be used. There is also a Core Rule Set included in the /usr/local/src/modsecurity-apache_2.5.5/rules directory courtesy of Breach Security Inc. To quote the README file, “The Core Rule Set provides generic protection from unknown vulnerabilities often found in web application that are in most cases custom coded. The Core Rule Set is heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity.” Under the rules subdirectory, there is a directory “optional” which contains additional possible rules. It is left to the reader which configuration files they want to include, though it is wise to start with the minimal configuration and make sure Apache runs without problems, then add configuration files as desired.

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# cd ..
/usr/local/src/modsecurity-apache_2.5.5 root# cp modsecurity.conf-minimal /usr/local/apache/conf/modsecurity.conf
/usr/local/src/modsecurity-apache_2.5.5 root# cp rules/*.conf /usr/local/apache/conf/

Include modsecurity.conf, and any additional ModSecurity configuration files, in the Apache httpd.conf file.

/usr/local/src/modsecurity-apache_2.5.5 root# vi /usr/local/apache/conf/httpd.conf

Add the following lines (the Core Rule Set includes are left commented out until the minimal configuration is known to work):

Include /usr/local/apache/conf/modsecurity.conf
#Include /usr/local/apache/conf/modsecurity_crs_10_config.conf
#Include /usr/local/apache/conf/modsecurity_crs_21_protocol_anomalies.conf
#Include /usr/local/apache/conf/modsecurity_crs_23_request_limits.conf
#Include /usr/local/apache/conf/modsecurity_crs_30_http_policy.conf
#Include /usr/local/apache/conf/modsecurity_crs_35_bad_robots.conf
#Include /usr/local/apache/conf/modsecurity_crs_40_generic_attacks.conf
#Include /usr/local/apache/conf/modsecurity_crs_45_trojans.conf
#Include /usr/local/apache/conf/modsecurity_crs_50_outbound.conf

Edit /usr/local/apache/conf/modsecurity.conf. The modifications will depend heavily on your environment. See the resources listed in the Additional Information section to help with configuration. The default configuration saves the log files relative to the configuration file directory. Change this to where the Apache logs are currently being saved.

/usr/local/src/modsecurity-apache_2.5.5 root# vi /usr/local/apache/conf/modsecurity.conf

Change the values to:

SecAuditLog /var/www/logs/modsec_audit.log
SecDebugLog /var/www/logs/modsec_debug.log

Let’s create empty log files with the correct ownership for Apache.

/usr/local/src/modsecurity-apache_2.5.5 root# touch  /var/www/logs/modsec_audit.log
/usr/local/src/modsecurity-apache_2.5.5 root# chown httpd.httpd /var/www/logs/modsec_audit.log
/usr/local/src/modsecurity-apache_2.5.5 root# touch  /var/www/logs/modsec_debug.log
/usr/local/src/modsecurity-apache_2.5.5 root# chown httpd.httpd /var/www/logs/modsec_debug.log

7. Start Apache.

Check that the configuration file is correct and start up Apache.

/usr/local/src/modsecurity-apache_2.5.5 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
/usr/local/src/modsecurity-apache_2.5.5 root# /usr/local/apache/bin/apachectl start

Check that ModSecurity is configured into the running Apache server.

/usr/local/src/modsecurity-apache_2.5.5 root# cat /var/www/logs/error_log | grep ModSecurity
[Thu Jul 31 18:24:59 2008] [notice] ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/) configured.

Additional Information

This post is only to get the basics down. The above information was taken from the ModSecurity documentation install section for version 2.5.5. A great deal more information is available at the ModSecurity blog site and in the book “Apache Security”.

Concluding Remarks

Ivan Ristic and Ofer Shezaf are working on an interesting paper, “Enough With Default Allow in Web Applications!” This paper demonstrates how WAFs are evolving. To quote the paper:

The default allow deployment model, which is commonly used to implement and deploy web applications, is the cause of numerous security problems. We propose a method of modeling web applications in a platform-agnostic way to adopt a default deny model instead, removing several classes of vulnerability altogether and significantly reducing the attack surface of many others. Our approach is best adopted during development, but can be nearly as efficient as an afterthought, or when used at deployment time.

What they are looking to do is create a protection layer between the web servers and applications which would increase security and turn applications into verifiable components with external contracts that can be enforced.

Ristic mentions in his post the planned release of “an open source profiling tool (which I will announce next week) to help with the third use case and automate the creation of positive security models (also known as the learning feature of web application firewalls).” Breach Security has also teamed up with WhiteHat Security to add the ability to their Sentinel scanning service to automatically create custom ModSecurity rules for certain classes of vulnerabilities that are found in your web applications. This is the kind of evolution that is required in security and makes ModSecurity such an interesting software package.

An Apache Implementation http://blog.securitymonks.com/2008/04/14/an-apache-implementation/ http://blog.securitymonks.com/2008/04/14/an-apache-implementation/#comments Mon, 14 Apr 2008 06:15:02 +0000 John Gerber http://blog.securitymonks.com/2008/04/14/an-apache-implementation/ “Clocks slay time… time is dead as long as it is being clicked off by little wheels; only when the clock stops does time come to life.” — William Faulkner

In honor of ApacheCon Europe, held this past week, we will be going over a very basic implementation of an Apache web server. Ivan Ristic, author of “Apache Security,” spoke at ApacheCon where he presented “Web Intrusion Detection with ModSecurity.” Rich Bowen, author of “The Definitive Guide to Apache mod_rewrite” (and a few other titles), on his blog DrBacchus Journal did a post titled “ApacheCon EU 2008 so far.” Rich had this to say about Ivan’s talk, “His talk was fabulous.” He goes on to elaborate, “I’m sure that everything Ivan talked about is in the docs, but his talk was amazingly valuable anyway, since it showed me things in one hour that would probably have taken me months to discover. And I’ve been using mod_security for years already, and wasn’t aware of them, or didn’t quite understand the syntax.” Nick Kew agrees with Rich. On Nick’s blog NIQ’s Soapbox, his posting “Putting ones money where ones mouth is ….” had this to say, “The highlight of today was Ivan Ristic’s mod_security talk: that module is getting seriously interesting.”

If you are interested in hearing more about ApacheCon, the keynote sessions have been made available for free off the Linux Magazine web site. The available presentations consist of:

  • Jim Jagielski, Chairman of the Apache Software Foundation, starts off with his talk “State of the Feather.” To quote from the program, “Join ASF Chairman Jim Jagielski for a review of events and progress over the last 12 months within the Apache Software Foundation. Jim will detail the growth of the ASF, both in members as well as projects, discuss the noteworthy achievements of the ASF during that time period, and preview what the next 12 months likely hold for the pre-eminent open source foundation.”
  • Cliff Schmidt, Executive Director of Literacy Bridge, discusses “Using Audio Technology and Open Content to Reduce Global Illiteracy.” To quote from the program, “During this talk, Cliff will share his observations from Ghana and discuss Literacy Bridge’s Talking Book Project. Literacy Bridge was founded to empower children and adults with tools for scalable knowledge sharing and literacy learning. The Talking Book Project is Literacy Bridge’s major program, developing new and affordable digital audio technology to provide vital, locally generated information and literacy training to people with limited access to either.”
  • Rishab Aiyer Ghosh, Open Source Initiative Board Member, presents “Apache and Steam Engines: the Magic of Collaborative Innovation.” To quote from the program, “Rishab looks at collaborative model of creativity, from 18th century steam engines to the human genome project and discusses why and how collaborative creativity works. Using data from the FLOSS studies, he shows how this makes free software a continuing source of economic value and innovation around the world.”
  • Roy Fielding, Co-founder of The Apache Software Foundation, and Vice President, Apache HTTP Server, discussed “Apache 3.0 (a Tall Tale)”. To quote from the program, “Thirteen years ago, the Apache Group founders finished the first beta release of Apache httpd, having reached the end of their initial pile of small improvements, and began to look forward to a complete rewrite of the server architecture. Suddenly, our forward progress slowed to a trickle, mailing list traffic dropped by two-thirds, and our focus diverged…Today, we face a new chasm, and our past successes have only made it wider and deeper than before. This talk is about the other side.”

I am with Rich and Nick, Ivan’s work with ModSecurity is extremely interesting and we will build towards implementing it. First, we need to start simple for there are many steps in the process. This post will provide references for setting up an Apache server, followed by a simple implementation. For additional information, particularly in the area of security, see my previous post “Securing Apache: References.”

Some folks might ask, “why not simply install XAMPP or MAMPP (depending on your system)?” Installing binaries is one way to go. With something as important as the web server, taking the easiest path is not necessarily the best option. Compiling from source provides the most power and flexibility to change things according to your priorities. You gain control over such issues as compile-time options, modules, and when to upgrade (versus waiting for security patches and upgrades to come out in binary format). While it might not be the easiest path, it is vital in learning what is going on with your system and helps avoid integration problems in the future.

Documents and Articles

Below are a few documents and articles that are most helpful when setting up Apache.

  • Apache Security by Ivan Ristic. When it comes to the Apache web server, Ivan is the man to listen to. His book truly is the complete guide to securing your Apache web server. It is an excellent resource.
  • Compiling and Installing document created by The Apache Software Foundation. A great deal of information on Apache is available, not surprisingly, off the Apache HTTP server site.
  • Securing Apache 2: Step-by-Step by Ivan Ristic. This is a shorter, more compact article appearing in SecurityFocus.
  • Security Tips document created by The Apache Software Foundation. A very good source of information on securing the Apache HTTP server. The best place to go to ensure you have the most up-to-date information on securing the server.

Benchmarks

The Center for Internet Security is a non-profit enterprise that helps develop security configuration benchmarks. The stated mission of CIS is to “reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.” They have created the document “CIS Level 1 & 2 Benchmark and Scoring Tool for the Apache Web Server.” The document was last updated, as of this writing, in January 2008. The download file consists of:

  • CIS_Apache_Benchmark_v2.1.pdf – the Benchmark document contains detailed instructions for implementing the steps necessary for CIS Level 1 and Level 2 sec.
  • cis_score_tool_apache_v2.10.sh.gz – a Host-based Scoring Tool scores the security of a system against the Benchmark and creates a variance report.

Additional information is available off the site.

Forums and Blogs

Most of the forums and blogs that I am familiar with deal with security issues involved with web servers. See my “Securing Apache: References” post for those links.

Installing Apache

If Apache was not installed with your operating system, or if you wish to compile from source, you will need to download the latest Apache from the Apache web site. For this document, I will go through pulling down Apache version 2.2. Please consult the Apache HTTP Server Version 2.2 Compiling and Installing documentation for additional information.

 root# cd /usr/local/src
 /usr/local/src root# wget http://mirrors.isc.org/pub/apache/httpd/httpd-2.2.8.tar.gz
 /usr/local/src root# tar xzf httpd-2.2.8.tar.gz

At this point, you need to check the integrity of the download. There are two ways to do this. The first is to calculate the MD5 sum of the source and compare it to the published checksum file. Mac OS X users, please note: use the command /sbin/md5 instead of md5sum.

 /usr/local/src root# md5sum httpd-2.2.8.tar.gz
39a755eb0f584c279336387b321e3dfc  httpd-2.2.8.tar.gz

 /usr/local/src root# wget -O - -q http://www.apache.org/dist/httpd/httpd-2.2.8.tar.gz.md5
39a755eb0f584c279336387b321e3dfc  httpd-2.2.8.tar.gz

The second method uses public-key cryptography to verify the integrity of the files. This is more complicated, but more secure: the MD5 sums can be circumvented if an intruder compromises the main distribution site and replaces the checksum files. Public-key verification can be done using GnuPG, the free software implementation of OpenPGP. Most Unix systems have it installed by default. The installation is fairly straightforward, no matter what OS you are using:

  1. Install GnuPG. For Mac OS X, you would want to install Mac GnuPG. For Windows, you will need WinPT.
  2. Optionally, under Unix you might want to install a graphical front-end for GnuPG.
  3. Generate a pair of keys.

Apache developers use their cryptographic keys to sign the distributions digitally. We are going to download the PGP signature, fetch the GnuPG unique key ID (DE885DD3), and then check the signature.

 /usr/local/src root# wget http://www.apache.org/dist/httpd/httpd-2.2.8.tar.gz.asc
 /usr/local/src root# gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key DE885DD3: public key "Sander Striker " imported
gpg: Total number processed: 1
gpg:               imported: 1

 /usr/local/src root# gpg httpd-2.2.8.tar.gz.asc
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker "
gpg:                 aka "Sander Striker "
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3

 /usr/local/src root# gpg --fingerprint DE885DD3
pub  1024D/DE885DD3 2002-04-10 Sander Striker 
     Key fingerprint = 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3
uid                            Sander Striker 
sub  2048g/532D14CA 2002-04-10

To verify that DE885DD3 was created by the real Sander Striker, download the public keys for the Apache HTTP Server developers from the Apache HTTP Server Project website. Officially, you should validate by face-to-face communication with multiple government-issued photo identification confirmations. Trust can be a complicated issue. For more information on determining what level of trust to assign, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
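As an added example (not code from the original post), the following shell functions perform both checks described above, but strictly: the .md5 file must name the tarball actually downloaded, and the signature passes only if gpg’s machine-readable status reports the pinned fingerprint, because a “Good signature” line from an uncertified key says nothing about who signed. It assumes md5sum (or /sbin/md5 on Mac OS X) and gpg are on the PATH; the file names and fingerprint are the ones shown in the post, and the function names are our own.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a downloaded
# Apache tarball with both methods the post describes, strictly.
# Assumes md5sum (or /sbin/md5 on Mac OS X) and gpg on the PATH.

# Print the MD5 hex digest of a file, portable across Linux and Mac OS X.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        /sbin/md5 -q "$1"
    fi
}

# check_md5 TARBALL MD5FILE
# The .md5 file from apache.org reads "<hash>  <filename>". Succeed only
# if the digest matches AND the file name recorded in the .md5 file is
# the tarball we downloaded, so a .md5 belonging to a different release
# cannot be passed off as ours.
check_md5() {
    tarball=$1
    md5file=$2
    expected=$(awk 'NR == 1 { print tolower($1) }' "$md5file")
    named=$(awk 'NR == 1 { print $2 }' "$md5file")
    [ -n "$expected" ] || return 1
    [ "$named" = "$(basename "$tarball")" ] || return 1
    [ "$(md5_of "$tarball")" = "$expected" ]
}

# check_sig TARBALL ASCFILE EXPECTED_FINGERPRINT
# "Good signature" only proves that some key in the keyring signed the
# file; the post shows gpg warning that the key is not certified. Pin the
# release signer's fingerprint instead: gpg's VALIDSIG status line carries
# the signing key's full fingerprint, which is compared with the one
# obtained out of band (the Apache KEYS file, or in person).
check_sig() {
    tarball=$1
    asc=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    gpg --batch --status-fd 1 --verify "$asc" "$tarball" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $want "
}

# verify_apache_dist DIR NAME FINGERPRINT
# Run both checks on DIR/NAME, DIR/NAME.md5 and DIR/NAME.asc. The MD5
# alone is weak when the .md5 comes from the same mirror, so the
# signature check is the one that decides.
verify_apache_dist() {
    dir=$1
    name=$2
    fpr=$3
    if ! check_md5 "$dir/$name" "$dir/$name.md5"; then
        echo "MD5 mismatch for $name" >&2
        return 1
    fi
    if ! check_sig "$dir/$name" "$dir/$name.asc" "$fpr"; then
        echo "signature on $name was not made by key $fpr" >&2
        return 2
    fi
    echo "$name verified"
}

# Usage with the files and fingerprint from the post:
#   verify_apache_dist /usr/local/src httpd-2.2.8.tar.gz \
#       "4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3"
```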

Let us get back to compiling Apache.

 /usr/local/src root# cd httpd-2.2.8
 /usr/local/src/httpd-2.2.8 root# ./configure --prefix=/usr/local/apache
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

There is more to be done. The above configuration was to help in determining which Apache modules are compiled in by default. The following modules should not be used unless needed:

  • mod_userdir – Allows each user to have their own website under the ~username alias. Be careful when using this directive; for instance, “UserDir ./” would map “/~root” to “/” – which is probably undesirable. If you are running Apache 1.3 or above, it is strongly recommended that your configuration include a “UserDir disabled root” declaration. See also the directive and the Security Tips page for more information.
  • mod_info – Provides a comprehensive overview of the server. This module can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc.
  • mod_status – Provides information on server activity and performance. If mod_status is compiled into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). This
  • mod_include – This module provides a filter which will process files before they are sent to the client. The processing is controlled by specially formatted SGML comments, referred to as elements. These elements allow conditional text, the inclusion of other files or programs, as well as the setting and printing of environment variables.

The following modules will be required for later postings. If you are sure you do not need these modules, do not include them, and make sure not to include them in the configuration below.

  • mod_headers – This module provides directives to control and modify HTTP request and response headers. Headers can be merged, replaced or removed.
  • mod_rewrite – This module uses a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly. It supports an unlimited number of rules and an unlimited number of attached rule conditions for each rule, to provide a really flexible and powerful URL manipulation mechanism. The URL manipulations can depend on various tests of server variables, environment variables, HTTP headers, or time stamps. Even external database lookups in various formats can be used to achieve highly granular URL matching.
    Security concerns:
      • The rewrite engine may be used in .htaccess files. To enable the rewrite engine for these files you need to set “RewriteEngine On” and “Options FollowSymLinks” must be enabled. If your administrator has disabled override of FollowSymLinks for a user’s directory, then you cannot use the rewrite engine.
      • See the Apache Security Tips document for details on how your security could be compromised if the directory where logfiles are stored is writable by anyone other than the user that starts the server.
  • mod_setenvif – The mod_setenvif module allows you to set environment variables according to whether different aspects of the request match regular expressions you specify. These environment variables can be used by other parts of the server to make decisions about actions to be taken.
  • mod_ssl – Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. This module relies on OpenSSL to provide the cryptography engine.

To determine which modules would be installed by default, issue the following command.

 /usr/local/src/httpd-2.2.8 root# ./httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Now, we are going to change the modules that get installed. We are going to add Secure Sockets Layer (SSL) support with the “--enable-ssl” switch. In a later post, we will discuss how to use these cryptographic protocols to provide secure communications between clients and our web server. Unless you are sure you do not want SSL support, include the “--enable-ssl” switch.

For folks compiling on Mac OS X 10.5, the “--enable-ssl” switch will give you problems. As of this writing, Leopard is using OpenSSL version 0.9.71 from September 2006. There have been changes made since then. You could upgrade, but as mentioned before, you do not know what installed software depends on that library. It would be nice if Apple had upgraded with the release of a new OS, but you have to play the cards Steve Jobs has dealt. The MacPorts Project has the latest version of OpenSSL, 0.9.8g from October 2007. In order to get Apache to compile, I recommend using the most recent OpenSSL library. If you need help with MacPorts, please see my posting “MacPorts Under Mac OS X Leopard.” Special Mac OS X installation instructions follow.

For non-Mac OS X operating systems, do the following to configure, compile and install Apache:

 /usr/local/src/httpd-2.2.8 root# make clean
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache
 /usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
./configure --prefix=/usr/local/apache \
--enable-rewrite \
--enable-so \
--disable-imap \
--disable-userdir --with-mpm=worker --enable-ssl
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

For Mac OS X, you need to tell the compiler which libraries to use so the more recent OpenSSL is used. Do that with the following commands:

 /usr/local/src/httpd-2.2.8 root# make clean
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache
 /usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --prefix=/usr/local/apache --enable-rewrite \
--enable-so --disable-imap --disable-userdir \
--with-mpm=worker --enable-ssl
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

Configuration

It is time to configure the Apache server and make it more secure. Ivan Ristic has made available “Chapter 2: Installation and configuration.” Follow the chapter; do not just copy. For demonstration purposes, I’ll be using what is written in that chapter to configure the Apache web server. There are various configuration options and you want to configure the server for your environment. It is very important to understand what is contained in your configuration file.

Create the user and group httpd, under which the Apache web server will run. Under most versions of Unix (not Mac OS X), this is a simple matter of executing the following commands:

 /usr/local/src/httpd-2.2.8 root# cd /usr/local/apache
 /usr/local/apache root# /usr/sbin/groupadd httpd
 /usr/local/apache root# /usr/sbin/useradd httpd -g httpd -d /dev/null -s /sbin/nologin

Under Mac OS X, there is no groupadd or useradd command. Things are always more interesting under Mac OS X. Prior to Leopard (10.5), you would have to determine which group ids (gid) have been used, choose an unused gid, and then create the httpd group using that gid. This would be accomplished with the commands:

 root# nireport . /groups gid name
 root# nicl . -create /groups/httpd
 root# nicl . -append /groups/httpd unique-gid
 root# nicl . -append /groups/httpd passwd "*"
 root# nireport . /groups gid name

Once the group is created, you would need to create a new user by finding an unused uid, creating the user, filling in the user attributes, adding a password, creating a home area, and finally setting permissions. This would be accomplished with the commands:

 root# nireport / /users name uid
 root# niutil -create / /users/httpd
 root# niutil -createprop / /users/httpd uid uid-from-above
 root# niutil -createprop / /users/httpd gid gid-from-above
 root# niutil -createprop / /users/httpd realname "Web Server"
 root# niutil -createprop / /users/httpd home "/dev/null"
 root# niutil -createprop / /users/httpd shell "/sbin/nologin"
 root# niutil -createprop / /users/httpd passwd "*"

NetInfo, the system configuration database, no longer exists in Mac OS X 10.5 (Leopard). The entire structure for managing local users, groups, and similar things has been completely replaced by Local Directory Services. In Leopard, the DirectoryService daemon does the job of the former DirectoryService, lookupd, and memberd daemons. Please see the previous posting, “Backing Up Using Amanda on Mac OS X Leopard Part I,” for additional details. There is now a command line utility, dscl, to perform some of the advanced functions formerly covered by NetInfo Manager. Creating the group httpd and user httpd would be done with the following commands:

 root# dscl . list /groups PrimaryGroupID | sort -k 2,2 -n
 root# dscl . create /groups/httpd gid gid-of-httpd
 root# dscl . create /groups/httpd passwd '*'
 root# dscl . read /groups/httpd
AppleMetaNodeLocation: /Local/Default
Password: *
PrimaryGroupID: gid-of-httpd
RecordName: httpd
RecordType: dsRecTypeNative:groups

 root# dscl . list /users UniqueID | sort -k 2,2 -n
 root# dscl localhost -create /Local/Default/Users/httpd
 root# dscl localhost -create /Local/Default/Users/httpd RecordName httpd
 root# dscl localhost -create /Local/Default/Users/httpd UserShell /sbin/nologin
 root# dscl localhost -create /Local/Default/Users/httpd RealName "Web Server"
 root# dscl localhost -create /Local/Default/Users/httpd UniqueID a-unique-uid
 root# dscl localhost -create /Local/Default/Users/httpd PrimaryGroupID gid-of-httpd
 root# dscl localhost -create /Local/Default/Users/httpd NFSHomeDirectory /dev/null
 root# dscl . read /users/httpd
AppleMetaNodeLocation: /Local/Default
GeneratedUID: generated-unique-id
NFSHomeDirectory: /dev/null
PrimaryGroupID: gid-of-httpd
RealName:
 Web Server
RecordName: httpd
RecordType: dsRecTypeNative:users
UniqueID: a-unique-uid
UserShell: /sbin/nologin
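The one manual step in the Leopard procedure above is picking an unused gid and uid from the dscl listings. As an added example (not code from the original post), here is a small shell script that chooses the ids and then runs the same dscl commands; it assumes the record names used in the post, and the id range 200–499 is a constructed choice (Mac OS X reserves ids below 500 for system accounts). The function names are our own.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the "find an
# unused id" step of the Leopard procedure and run the dscl commands the
# post shows. The id range is a constructed choice for system accounts.

# next_free_id LOW HIGH
# Read "name id" lines (the output of `dscl . list /users UniqueID` or
# `dscl . list /groups PrimaryGroupID`) on stdin and print the lowest id
# in [LOW, HIGH] that is not already taken; fail if none is free.
next_free_id() {
    awk -v low="$1" -v high="$2" '
        { used[$2] = 1 }
        END {
            for (id = low; id <= high; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1
        }'
}

# create_httpd_group_and_user
# Leopard has no groupadd/useradd; this performs the dscl steps from the
# post, picking free ids instead of typing them in by hand. The httpd
# account gets no password, no shell and no home directory, so it can
# only ever be used by the web server itself.
create_httpd_group_and_user() {
    gid=$(dscl . list /groups PrimaryGroupID | next_free_id 200 499) || return 1
    uid=$(dscl . list /users UniqueID | next_free_id 200 499) || return 1
    dscl . create /groups/httpd gid "$gid"
    dscl . create /groups/httpd passwd '*'
    dscl localhost -create /Local/Default/Users/httpd
    dscl localhost -create /Local/Default/Users/httpd RecordName httpd
    dscl localhost -create /Local/Default/Users/httpd UserShell /sbin/nologin
    dscl localhost -create /Local/Default/Users/httpd RealName "Web Server"
    dscl localhost -create /Local/Default/Users/httpd UniqueID "$uid"
    dscl localhost -create /Local/Default/Users/httpd PrimaryGroupID "$gid"
    dscl localhost -create /Local/Default/Users/httpd NFSHomeDirectory /dev/null
    echo "httpd: uid=$uid gid=$gid"
}
```

Run create_httpd_group_and_user as root on Leopard, then confirm the result with the two dscl read commands shown above.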

As part of the installation, the file /usr/local/apache/conf/httpd.conf is created. Move that configuration aside for safekeeping and start with an empty configuration file. Add the required functionality to ensure only the needed directives and modules are included. Also, adjust file permissions. Mac OS X users note that there is no group “root.” Please use the group “admin” instead.

 /usr/local/src/httpd-2.2.8 root# cd /usr/local/apache
 /usr/local/apache root# mv /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.orig
 /usr/local/apache root# chown -R root:root /usr/local/apache
 /usr/local/apache root# find /usr/local/apache -type d | xargs chmod 755
 /usr/local/apache root# find /usr/local/apache -type f | xargs chmod 644
 /usr/local/apache root# chmod u+x  /usr/local/apache/bin/*
 /usr/local/apache root# mkdir -p /var/www/logs
 /usr/local/apache root# mv /usr/local/apache/htdocs /var/www/htdocs
 /usr/local/apache root# find /var/www/ -type d | xargs chmod 755
 /usr/local/apache root# find /var/www/ -type f | xargs chmod 644
 /usr/local/apache root# chmod -R go-r /usr/local/apache/conf
 /usr/local/apache root# chmod -R go-r /usr/local/apache/logs
 /usr/local/apache root# chmod -R go-r /var/www/logs
 /usr/local/apache root# vi /usr/local/apache/conf/httpd.conf

Create a configuration file /usr/local/apache/conf/httpd.conf similar to the following file (adjust to your requirements):

# Location of the web server files
ServerRoot /usr/local/apache
# Location of the web server tree
DocumentRoot /var/www/htdocs
# Listen on which port
Listen 80
# Store the PID of the main Apache process
PidFile /var/www/logs/httpd.pid
# Do not enable DNS lookups on client IP addresses
HostNameLookups Off
#
User httpd
Group httpd
# Deny access to the complete filesystem and then allow access
# to the document root.
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>
# Enable CGI Scripts
<Directory /var/www/cgi-bin>
Options ExecCGI
SetHandler cgi-script
</Directory>
# Logging
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/www/logs/access_log combined
LogLevel info
ErrorLog /var/www/logs/error_log
# Setting Server Configuration Limits
# wait up to 60 seconds for slow clients
TimeOut 60
# allow connections to be reused between requests
KeepAlive On
# allow a maximum of 100 requests per connection
MaxKeepAliveRequests 100
# wait up to 15 seconds for the next
# request on an open connection
KeepAliveTimeout 15
# limit the request body to 64000 bytes (0 would mean no limit)
LimitRequestBody 64000
# allow up to 100 headers in a request
LimitRequestFields 100
# each header may be up to 8190 bytes long
LimitRequestFieldSize 8190
# the first line of the request can be
# up to 8190 bytes long
LimitRequestLine 8190
# limit the XML request body to 1 million bytes(Apache 2.x only)
LimitXMLRequestBody 1000000
# the maximum number of processes
ServerLimit 16
# how many processes to start with
StartServers 2
# how many threads per process to create
ThreadsPerChild 25
# minimum spare threads across all processes
MinSpareThreads 25
# maximum spare threads across all processes
MaxSpareThreads 75
# maximum clients at any given time
MaxClients 150
# Preventing Information Leaks
ServerSignature Off
ServerTokens ProductOnly
<FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)">
Order Allow,Deny
Deny from all
</FilesMatch>

At this point, you are ready to bring up the Apache web server. Clean up any unnecessary files.

 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache/cgi-bin
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache/manual
 /usr/local/src/httpd-2.2.8 root# /usr/local/apache/bin/apachectl configtest
 /usr/local/src/httpd-2.2.8 root# /usr/local/apache/bin/apachectl start

If you have any problems, take a look at /var/www/logs/error_log. This is a very basic and clean Apache web server configuration. It is a starting point from which we will build upon in future postings.
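As an added example (not code from the original post or the Apache project), the following shell functions audit an httpd.conf against the hardening points in the configuration above: an unprivileged User and Group, a locked-down root <Directory>, ServerTokens and ServerSignature set to leak nothing, and a request body limit. It only reads the file; directive names are matched case-insensitively and comment lines are ignored, as Apache does. The function names are our own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an httpd.conf
# against the hardening points made in the configuration above.

# last_directive CONF NAME
# Print the value of the last top-level occurrence of NAME (the one that
# wins in Apache), skipping the contents of <Directory>/<Files*> blocks.
last_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<[A-Za-z]/ { depth++; next }
        /^[[:space:]]*<\// { depth--; next }
        depth == 0 && tolower($1) == want { v = $2 }
        END { print v }' "$1"
}

# root_dir_directive CONF NAME
# Same, but only inside the <Directory /> block that guards the whole
# filesystem.
root_dir_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<[Dd]irectory[[:space:]]+\/?>/ { inroot = 1; next }
        /^[[:space:]]*<\/[Dd]irectory>/ { inroot = 0; next }
        inroot && tolower($1) == want { v = $2 }
        END { print v }' "$1"
}

# Record one finding; conf and n are set by audit_httpd_conf.
finding() {
    echo "$conf: $1"
    n=$((n + 1))
}

# audit_httpd_conf CONF
# Print one line per finding; the return value is the number of findings
# (0 means the file meets every check).
audit_httpd_conf() {
    conf=$1
    n=0

    u=$(last_directive "$conf" User)
    g=$(last_directive "$conf" Group)
    [ -n "$u" ] && [ "$u" != "root" ] || finding "User must be an unprivileged account"
    [ -n "$g" ] && [ "$g" != "root" ] || finding "Group must be an unprivileged group"

    case $(last_directive "$conf" ServerTokens | tr 'A-Z' 'a-z') in
        prod|productonly) ;;
        *) finding "ServerTokens should be ProductOnly (version banner leaks)" ;;
    esac
    case $(last_directive "$conf" ServerSignature | tr 'A-Z' 'a-z') in
        off) ;;
        *) finding "ServerSignature should be Off" ;;
    esac

    case $(root_dir_directive "$conf" Options | tr 'A-Z' 'a-z') in
        none) ;;
        *) finding "<Directory /> should set Options None" ;;
    esac
    case $(root_dir_directive "$conf" AllowOverride | tr 'A-Z' 'a-z') in
        none) ;;
        *) finding "<Directory /> should set AllowOverride None" ;;
    esac

    # LimitRequestBody 0, or no directive at all, means unlimited bodies.
    body=$(last_directive "$conf" LimitRequestBody)
    case ${body:-0} in
        0) finding "LimitRequestBody should cap request bodies" ;;
    esac
    return $n
}

# Usage: audit_httpd_conf /usr/local/apache/conf/httpd.conf
```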

Conclusion

I started this post with a quote from William Faulkner concerning how “only when the clock stops does time come to life.” Or if you prefer the despair.com quote, “Get to work: You aren’t being paid to believe in the power of your dreams.” I’ll be honest with you, doing a post on Apache implementation is not my idea of an exciting post. I would much rather jump ahead and start talking about securing web applications at a higher level. Sometimes, one has to build up to the more exciting stuff in order to demonstrate that one is not just selling pipe dreams with no real way to make those ideas a reality. That is the difference between science and science fiction. Bernard of Chartres once wrote, “We are like dwarfs standing upon the shoulders of giants, and so able to see more and see farther than the ancients.” Only the hard work of the ancients has allowed us to see further and dream bigger. At some point, to make those dreams a reality, getting to work in the annoying details of life is a requirement.

Backing Up Using Amanda on Mac OS X Leopard Part I http://blog.securitymonks.com/2008/02/17/backing-up-using-amanda-on-mac-os-x-leopard-part-i/ http://blog.securitymonks.com/2008/02/17/backing-up-using-amanda-on-mac-os-x-leopard-part-i/#comments Mon, 18 Feb 2008 04:20:26 +0000 John Gerber http://blog.securitymonks.com/2008/02/17/backing-up-using-amanda-on-mac-os-x-leopard-part-i/ “Give people what they want, but leave them wanting more and they are yours forever.” — P.T. Barnum

Normally, I would recommend against using a recently released operating system and the latest beta version of a software package. Since I was tasked with looking for problems that might arise with Mac OS X 10.5 (Leopard), I figured I would also test out the beta release of Amanda 2.6. I will be doing a couple of follow-ups to this post. Today, we will only focus on the initial setup. Later posts will deal with:

One factor that slowed me down in finishing this post was the changes made in Leopard. Simply put, I ran into more problems than I expected. I wish I had started off by finding NetMojo’s fantastic series titled “Tiger to Leopard Server Migration” (part 1, part 2, part 3, part 4). Part 4 changes its title to “Kerberos and Single Sign-on in Leopard Server.” This is great material that anyone planning on migrating to Leopard needs to read.

Getting back to Amanda, there is an excellent installation guide, “Installation/OS Specific Notes/Installing Amanda on Mac OS X,” which I followed when doing the below setup.

Prerequisites

First, if you have not installed Apple’s Xcode 3, you need to do so. Xcode is Apple’s suite of tools for developing software on Mac OS X. Without it, you will not be able to even compile a file. It is not installed by default, but is available for free from Apple Developer Connection. The good news for Leopard users is that X11 is installed by default. Prior Mac OS Xs had X11 as an optional add-on to Xcode.

Second, MacPorts will make software installation much easier. The MacPorts Project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading either command-line, X11 or Aqua based open-source software on the Mac OS X operating system. While I tend to like to configure software to my specific environment and needs, for many software packages such as awk, glib, etc., most people would simply go with the default configuration options anyway. MacPorts makes life considerably easier. It is similar to the FreeBSD ports collection. Please refer to the MacPorts Guide for additional information on how to use the port command.

If you have upgraded to Mac OS X Leopard, please check your /usr/lib directory for any libraries ending with a “ 1” (that is, a space followed by 1). For example, “/usr/lib/ruby 1” and “/usr/X11R6 1”. These files are created, possibly as a backup copy, when Leopard or Xcode 3 is installed. If you fail to remove those libraries, you will get an error “i686-apple-darwin9-gcc-4.0.1: 1/lib: No such file or directory.”

I also ran into problems with an existing copy of MacPorts where ports were installed under Tiger. You may want to do a fresh install of MacPorts. Just move /opt/local under another directory (so you have it in case you need to switch back) and reinstall MacPorts. It took care of the problems I was having. Of course, from what I read, many problems are bypassed if you are working on a server with a clean install of Leopard. For many of us, upgrades are a fact of life that have to be dealt with.

Where I work, the firewall blocks rsync access. To configure MacPorts to use some other method than rsync, do the following:

  1. Check out a working copy of the ports tree to some place on your hard disk, such as your home directory:
     root # svn co http://svn.macports.org/repository/macports/trunk/dports dports

  2. Edit the file /opt/local/etc/macports/sources.conf. Comment out the line starting with “rsync://” and add a new line pointing to your working copy, in URL form. For example: file:///Users/msmart/dports
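As an added example (not code from the original post or from MacPorts), here is a Python function that performs the sources.conf edit from the two steps above on the file's text: it comments out any active rsync:// source and adds the file:// source, without duplicating it on a second run. The sources.conf content in the block is a constructed sample, and /Users/msmart/dports is the path from the post; reading and writing the real file under /opt/local/etc/macports is left to the caller.

```python
"""Switch MacPorts sources.conf from rsync to a local checkout.

Added example, not code from the original post or MacPorts. It edits the
text of /opt/local/etc/macports/sources.conf the way the post's two steps
describe; reading and writing the real file (as root) is left to the caller.
"""
import re

# A source line is a bare URL; anything else (comments, blanks) is left alone.
_SOURCE_RE = re.compile(r"^(rsync|file|https?)://\S+", re.IGNORECASE)


def active_sources(text):
    """Return the uncommented source URLs in sources.conf text."""
    found = []
    for line in text.splitlines():
        m = _SOURCE_RE.match(line.strip())
        if m:
            found.append(m.group(0))
    return found


def use_local_tree(text, local_dir):
    """Return sources.conf text that uses file://local_dir as its source.

    Every active rsync:// line is commented out (kept for switching back),
    and the file:// line is added unless it is already there.
    """
    if not local_dir.startswith("/"):
        raise ValueError("local_dir must be an absolute path")
    new_source = "file://" + local_dir
    out, present = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("rsync://"):
            out.append("#" + line)
        else:
            if stripped.startswith(new_source):
                present = True
            out.append(line)
    if not present:
        out.append(new_source)
    return "\n".join(out) + "\n"


# Constructed sample; the real file carries more comments than this.
SAMPLE_SOURCES = """\
# MacPorts system-wide configuration file for ports tree sources
rsync://rsync.macports.org/release/ports/
"""

if __name__ == "__main__":
    print(use_local_tree(SAMPLE_SOURCES, "/Users/msmart/dports"))
```

The rsync line is commented out rather than deleted so that switching back once the firewall rule changes is a one-character edit, which is also what the post suggests for the old /opt/local tree.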

Below are a few port commands to help with basic operation and navigation:

list

The list option is used to get a list of all available ports.

 root # port list

search

The search option is very useful to find port names by partial matches.

 root # port search glib2
glib2   devel/glib2   2.14.0   Library with data structure functions and other constructs

deps

The deps option shows you the dependencies of a port.

 root # port deps glib2
glib2 has build dependencies on:
	pkgconfig
glib2 has library dependencies on:
	gettext
	libiconv

install

The option install is used to install a port.

 root # port install glib2
Skipping org.macports.activate (glib2 ) since this port is already active
--->  Cleaning glib2

contents

The contents option displays the files that have been installed by a given port. Uninstalled ports will always show no contents.

 root # port contents glib2
Port glib2 contains:
  /opt/local/bin/glib-genmarshal
  /opt/local/bin/glib-gettextize
etc.

installed

The installed option displays all installed ports.

 root # port installed

Additional software prerequisites are:

  • GNU tar – Use GNU tar 1.15 or later on Amanda clients. Mac OS X 10.5 comes with GNU tar 1.15.1.
  • Perl – Requires Perl 5.6.0 or later. Mac OS X 10.5 comes with Perl version 5.8.8.
  • glib2 – Upcoming versions of Amanda incorporating the Device API will require that glib2 version 2.2.0 or later be installed. Use MacPorts to install it with the command “port install glib2”.
  • Awk – Comes with Mac OS X.
  • gnuplot – Use MacPorts to install it with the command “port install gnuplot”.
  • readline library – Use MacPorts to install it with the command “port install readline”.
  • GnuPG – The free software version of the OpenPGP privacy standard. This will be covered in later postings and can be skipped for now. For Mac OS X, you would want to install Mac GnuPG.
  • sharutils – For the tool uuencode, use MacPorts to install sharutils with the command “port install sharutils”.

In a later post, we will go through installation of GnuPG to do gpg-encrypted backups. In the meantime, why not check out my posting “FireGPG, GnuPG, and WebMail Services“? The post will provide information on setting up a way to send encrypted emails through your favorite mailer, such as Google and Yahoo.

While I am pointing to useful links, TrueCrypt has released a new version of their encryption software, 5.0, that supports Mac OS X and full drive encryption. You will still want to encrypt your backup files. It is great to have an encrypted hard drive in case anyone walks off with it, but while that drive is mounted on your host, the host has access to the decrypted data, so if someone breaks into the host the drive encryption will not help. If you dump the files to tape, having the files themselves encrypted will help if any of those tapes go missing.

Setup Accounts

NetInfo, the system configuration database, no longer exists in Mac OS X 10.5. The entire structure for managing local users, groups, and other such things has been completely replaced by Local Directory Services. In Leopard, the DirectoryService daemon does the job of the DirectoryService, lookupd, and the memberd daemons. This should reduce unnecessary lookups and interprocess communication. The Netinfo Database is now a series of XML files living in /var/db/dslocal/. This gives you the ability to manipulate that database in just about any scripting language. There is now a command line utility dscl to perform some advanced functions formerly covered by NetInfo Manager. The dscl command does not do everything. Below are some of Leopard’s new and enhanced tools:

  • dsenableroot – enables or disables the root account. This has been on OS X for a while now, but it may be more useful now that NetInfo Manager is gone.
  • dseditgroup – group record manipulation tool. Also present in 10.4, but will get more usage now.
  • dscacheutil – gather information, statistics and initiate queries to the Directory Service cache. New in Leopard allowing you to look into the Directory Service cache and flush it if necessary. Semi-analogous to lookupd -d.
  • dserr – prints a description for an error code.
  • dsmemberutil – various operations for the membership APIs, including state dump, check memberships, UUIDs, etc. Allows you to check group membership and do some debugging on what groups the system thinks a user is in.

In the example below, I am going to use the hostname “amanda.securitymonks.com” as the backup server. There is no such server. Please modify this hostname for your installation.

 root# sudo dscl localhost -create /Local/Default/Users/amandabackup
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup RecordName amandabackup
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup UserShell /bin/bash
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup RealName "Backup User"
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup UniqueID 5000
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup PrimaryGroupID 0
 root# sudo dscl localhost -create /Local/Default/Users/amandabackup NFSHomeDirectory \
          /Users/amandabackup
 root# sudo ditto -rsrcFork '/System/Library/User Template/English.lproj/' /Users/amandabackup
 root# sudo sh -c "echo 'amanda.securitymonks.com amandabackup' \
          > /Users/amandabackup/.amandahosts"
 root# sudo chown -R amandabackup:wheel /Users/amandabackup
 root# sudo passwd amandabackup

Since you may have some pre-Leopard servers and desktops that need backing up, here is how to create the required accounts and groups in NetInfo:

 root# sudo niutil -create / /users/amandabackup
 root# sudo niutil -createprop / /users/amandabackup shell /bin/bash
 root# sudo niutil -createprop / /users/amandabackup realname "Backup User"
 root# sudo niutil -createprop / /users/amandabackup uid 5000
 root# sudo niutil -createprop / /users/amandabackup gid 0
 root# sudo niutil -createprop / /users/amandabackup home /Users/amandabackup
 root# sudo ditto -rsrcFork '/System/Library/User Template/English.lproj/' /Users/amandabackup
 root# sudo sh -c "echo 'amanda.securitymonks.com amandabackup' > /Users/amandabackup/.amandahosts"
 root# sudo chown -R amandabackup:wheel /Users/amandabackup
 root# sudo passwd amandabackup

System Settings

Since we plan on later using Kerberos authentication, we will add the following lines at the appropriate place in /etc/services:

 root# vi /etc/services

Add the following lines:

kamanda         10081/tcp   # amanda backup services (Kerberos)
kamanda         10081/udp   # amanda backup services (Kerberos)
amandaidx       10082/tcp   # amanda backup services
amidxtape       10083/tcp   # amanda backup services
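The four lines above are easy to add by hand, but a hand edit will not notice that a port is already assigned to another service. As an added example (not code from the original post), the following Python applies those entries to the text of a services file idempotently and reports any such conflict instead of writing a duplicate port assignment. The services content in the block is a constructed sample; the 'amanda' entry on 10080 matches the netstat output later in the post.

```python
"""Add the post's Amanda entries to /etc/services without clobbering anything.

Added example, not code from the original post. A hand edit of
/etc/services cannot tell you that a port/protocol pair already belongs to
another service; this does, and leaves such entries alone.
"""
import re

# The four entries the post adds: (name, port, protocol, comment).
AMANDA_SERVICES = [
    ("kamanda", 10081, "tcp", "amanda backup services (Kerberos)"),
    ("kamanda", 10081, "udp", "amanda backup services (Kerberos)"),
    ("amandaidx", 10082, "tcp", "amanda backup services"),
    ("amidxtape", 10083, "tcp", "amanda backup services"),
]

# name, then port/proto; anything after '#' is stripped before matching.
_ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text):
    """Return {(port, proto): name} for every non-comment entry in text."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.split("#", 1)[0])
        if m:
            table[(int(m.group(2)), m.group(3))] = m.group(1)
    return table


def add_services(text, entries=AMANDA_SERVICES):
    """Return (new_text, added, conflicts).

    added: (name, port, proto) tuples appended to the file text.
    conflicts: (name, port, proto, owner) for entries whose port/proto is
    already assigned to a different name; these are not written.
    Entries already present under the same name are skipped, so running
    this twice changes nothing.
    """
    table = parse_services(text)
    lines = text.splitlines()
    added, conflicts = [], []
    for name, port, proto, comment in entries:
        owner = table.get((port, proto))
        if owner == name:
            continue
        if owner is not None:
            conflicts.append((name, port, proto, owner))
            continue
        lines.append(f"{name:<15} {port}/{proto}   # {comment}")
        table[(port, proto)] = name
        added.append((name, port, proto))
    return "\n".join(lines) + "\n", added, conflicts


# Constructed sample of a services file; 'amanda' on 10080 matches the
# netstat output later in the post, and one of the four lines is already in.
SAMPLE_SERVICES = """\
# Network services, Internet style
amanda          10080/udp   # amanda backup services
amanda          10080/tcp   # amanda backup services
kamanda         10081/tcp   # amanda backup services (Kerberos)
"""

if __name__ == "__main__":
    new_text, added, conflicts = add_services(SAMPLE_SERVICES)
    print(new_text)
    print("added:", added, "conflicts:", conflicts)
```

A conflict is reported rather than resolved because the right fix (renumbering Amanda or moving the other service) is a decision for the administrator, and amandad will later be bound by service name through launchd, so a silently wrong mapping would be hard to spot.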

Create /etc/amandates:

 root# sudo touch /etc/amandates
 root# sudo chmod 660 /etc/amandates
 root# sudo chown -R amandabackup:wheel /etc/amandates

Create directories where Amanda can store data:

 root# sudo mkdir -p /usr/local/lib/amanda
 root# sudo touch /usr/local/lib/amanda/exclude.gtar
 root# sudo mkdir -p /usr/local/var/amanda/gnutar-lists/
 root# sudo chown -R amandabackup:wheel /usr/local/lib/amanda /usr/local/var/amanda/

Software Setup

If you are using MacPorts, and have not added it to your path, do so now with the command:

 root # PATH="$PATH:/opt/local/bin"

Now configure, make, and install the Amanda software. Be warned, under Leopard there may be warnings concerning “rm: conftest.dSYM: is a directory.” It appears that passing -g and any flavor of -O (even -O0) to the Leopard built-in gcc will result in one of these .dSYM directories. I have been told that when you do cc -o foo foo.c, because temporary object files are deleted, and DWARF stores its debugging information in the temporary object files, Apple’s gcc runs the ‘dsymutil’ command before deleting the object file to create a file that will hold the application debugging information. Unfortunately, they chose to use not a file but a “bundle” directory structure. In the end, it is safe for our purposes to ignore the warning.

 root# wget http://superb-west.dl.sourceforge.net/sourceforge/amanda/amanda-2.6.0b2.tar.gz
 root# tar xzf amanda-2.6.0b2.tar.gz
 root# cd amanda-2.6.0b2
 amanda-2.6.0b2 root# ./configure --with-user=amandabackup --with-group=admin
 amanda-2.6.0b2 root# make
 amanda-2.6.0b2 root# make install

In Mac OS X 10.4 (Tiger), Apple introduced launchd, replacing init and xinetd. While init and xinetd still existed, launchd had superseded them in many instances. In Leopard, init and xinetd have been dropped completely. To get amandad to run when packets from the server arrive, you’ll need a launchd script. Apple’s Getting started with launchd provides background on launchd. Jaharmi, over on his blog Irreality, has written several postings involving new keys and different behavior of keys under Leopard. Jaharmi has provided some very valuable information. Macavenger has posted “10.5: Use launchd to restart crashed apps,” which is another interesting read. There is freeware software for Leopard that offers a graphical user interface for launchd, Lingon. Lingon is a very valuable tool that greatly simplifies using launchd.

Steven Karel created the original property list, which we will modify for our specific paths. Amanda supports “bsd”, “bsdudp”, “bsdtcp”, “ssh”, and Kerberos authentication between the Amanda server and the client. The authentication is used for the backup process (amdump) as well as the recovery process (amrecover). I will post later on how to set up SSH and Kerberos authentication. For now, we will use bsdtcp authentication, where TCP is used between the Amanda server and client. On the client, two reserved ports are used. On the server, all data streams are multiplexed to one port. Put the following in the file /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
     "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.amanda.amandad.bsdtcp</string>
	<key>UserName</key>
	<string>amandabackup</string>
	<key>GroupName</key>
	<string>wheel</string>
	<key>InitGroups</key>
	<true/>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/libexec/amandad</string>
		<string>-auth=bsdtcp</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>ipv4</key>
		<dict>
			<key>SockFamily</key>
			<string>IPv4</string>
			<key>SockServiceName</key>
			<string>amanda</string>
			<key>SockType</key>
			<string>stream</string>
		</dict>
		<key>ipv6</key>
		<dict>
			<key>SockFamily</key>
			<string>IPv6</string>
			<key>SockServiceName</key>
			<string>amanda</string>
			<key>SockType</key>
			<string>stream</string>
		</dict>
	</dict>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
</dict>
</plist>

Now we launch amandad with BSDTCP authentication with the following command:

 root # launchctl load -w /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist

To confirm that it is running, we can check with the netstat or lsof command:

 root # netstat -na | grep 10080
tcp6       0      0  *.10080                *.*                    LISTEN
tcp4       0      0  *.10080                *.*                    LISTEN
 root# lsof | grep amanda
launchd       1     root   44u     IPv4 0x5016a68        0t0       TCP *:amanda (LISTEN)
launchd       1     root   60u     IPv6 0x3bb6984        0t0       TCP *:amanda (LISTEN)
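To tie the plist above and the netstat/lsof check together, here is an added Python example (not code from the original post or the Amanda project) that audits the launchd job and confirms the listener. It checks the settings a defender cares about: the job runs as the backup account rather than root, amandad is started with -auth=bsdtcp, the sockets are declared for the 'amanda' service, and inetdCompatibility/Wait is false as in the post. The plist in the block is a compact copy of the one above; the netstat output and the /etc/services fragment are constructed samples, and the assumption that the 'amanda' service name maps to port 10080 comes from the netstat output above.

```python
"""Audit the amandad launchd job and confirm its listener.

Added example, not code from the original post or the Amanda project.
plistlib is in the Python standard library; the netstat output and the
/etc/services fragment below are constructed samples.
"""
import plistlib

# Constructed, compact copy of the post's plist (whitespace is irrelevant).
AMANDAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>org.amanda.amandad.bsdtcp</string>
<key>UserName</key><string>amandabackup</string>
<key>GroupName</key><string>wheel</string>
<key>InitGroups</key><true/>
<key>ProgramArguments</key>
<array><string>/usr/local/libexec/amandad</string><string>-auth=bsdtcp</string></array>
<key>Sockets</key><dict>
<key>ipv4</key><dict><key>SockFamily</key><string>IPv4</string>
<key>SockServiceName</key><string>amanda</string><key>SockType</key><string>stream</string></dict>
<key>ipv6</key><dict><key>SockFamily</key><string>IPv6</string>
<key>SockServiceName</key><string>amanda</string><key>SockType</key><string>stream</string></dict>
</dict>
<key>inetdCompatibility</key><dict><key>Wait</key><false/></dict>
</dict></plist>
"""

# Constructed /etc/services fragment: the post's netstat output shows the
# 'amanda' service on 10080, so that is the mapping assumed here.
SAMPLE_SERVICES = """\
amanda          10080/udp   # amanda backup services
amanda          10080/tcp   # amanda backup services
kamanda         10081/tcp   # amanda backup services (Kerberos)
"""

# Constructed 'netstat -na' excerpt: the two listeners from the post plus
# an unrelated listener and an established connection as noise.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.10080                *.*                    LISTEN
tcp4       0      0  *.10080                *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.0.2.10.10080       198.51.100.7.50123     ESTABLISHED
"""


def audit_amandad_plist(data, expected_user="amandabackup"):
    """Return a list of findings; an empty list means the job matches the post."""
    job = plistlib.loads(data)
    findings = []
    user = job.get("UserName")
    if user in (None, "root"):
        findings.append("job would run as root; UserName should be the backup account")
    elif user != expected_user:
        findings.append(f"UserName is {user!r}, expected {expected_user!r}")
    if "-auth=bsdtcp" not in job.get("ProgramArguments", []):
        findings.append("amandad is not started with -auth=bsdtcp")
    # Each Sockets entry is a dict in the post's plist (launchd also allows
    # an array of dicts, which this check does not handle).
    names = {s.get("SockServiceName") for s in job.get("Sockets", {}).values()}
    if names != {"amanda"}:
        findings.append(f"sockets bound to {sorted(map(str, names))}, expected only 'amanda'")
    if job.get("inetdCompatibility", {}).get("Wait") is not False:
        findings.append("inetdCompatibility/Wait should be an explicit false (nowait)")
    return findings


def service_port(services_text, name, proto="tcp"):
    """Resolve a service name to a port from /etc/services-style text."""
    for line in services_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 2 and cols[0] == name and cols[1].endswith("/" + proto):
            return int(cols[1].split("/")[0])
    return None


def listening_on(netstat_text, port):
    """Return the protocols (e.g. {'tcp4', 'tcp6'}) with a LISTEN socket on port."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[-1] == "LISTEN" and cols[3].endswith(f".{port}"):
            found.add(cols[0])
    return found


def amanda_listener_ok(services_text, netstat_text):
    """True when the port /etc/services assigns to 'amanda' has a listener."""
    port = service_port(services_text, "amanda")
    return port is not None and bool(listening_on(netstat_text, port))


if __name__ == "__main__":
    print("plist findings:", audit_amandad_plist(AMANDAD_PLIST) or "none")
    print("listener ok:", amanda_listener_ok(SAMPLE_SERVICES, SAMPLE_NETSTAT))
```

On a real host you would pass the bytes of /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist, the text of /etc/services, and the output of netstat -na to these functions; the UserName check is the one worth keeping in a periodic audit, since a job that silently reverts to running as root is exactly what the plist above is meant to prevent.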

To stop Amanda, issue the command:

 root # launchctl unload -w /Library/LaunchDaemons/org.amanda.amandad.bsdtcp.plist

There is still much work to be done, but we are well on our way to setting up a backup system under Mac OS X 10.5 (Leopard). If you want to move ahead, I have given you some links at the start of this post. Lois Garcia and Pavel Pragin have written “The 15-Minute Backup Solution.” W. Curtis Preston, author of the must-read “Backup & Recovery,” maintains a blog, Backup Central, full of invaluable information. I will end here, heeding the words of the great showman P.T. Barnum, “Give people what they want, but leave them wanting more and they are yours forever.”

Linus Torvalds Speaks Out on Vista, Leopard, and ZFS
http://blog.securitymonks.com/2008/02/06/linus-torvalds-speaks-out-on-vista-leopard-and-zfs/
Wed, 06 Feb 2008 20:10:07 +0000, John Gerber

“I’ve decided to change the copyright to have the same set of rules as the GNU copyleft – I got some mail asking about it, and I agree..” — Linus Torvalds

Linux creator Linus Torvalds talked with Nick Miller from the Sydney Morning Herald about his work and ambitions for his operating system. Linus expressed his preference for Mac OS X over Windows. The part that I found most entertaining was when he described the Mac OS X file system HFS+ as “complete and utter crap.” When asked what he thought about the regular hype about the release of a new version of Microsoft Windows or Apple OS X, Linus responded:

An o/s should never have been something that people (in general) really care about: it should be completely invisible and nobody should give a flying f*** about it except the technical people.

It’s stupid – when you make a big deal about something like Vista or Leopard a lot of it is about things I don’t consider to be the operating system. It’s about the visual shell around it. The fact Microsoft tied the two together so much actually caused them problems, not just the legal problems. If you manage a thousand clients, or a hundred thousand clients which is not at all unheard of, you sure as hell don’t want to point and click at them. In many ways Microsoft has had to fix the design mistakes they made when they thought the graphical approach should be a very intimate part of (Windows).

To Microsoft and Apple the o/s is important as a way to control the whole environment, from a marketing and money-making standpoint, to force people to upgrade their applications, and your hardware

When asked if he had a favorite between Leopard and Vista, Linus responded:

I don’t think they’re equally flawed. I think Leopard is a much better system. On the other hand, (I’ve found) OS X in some ways is actually worse than Windows to program for. Their file system is complete and utter crap, which is scary. I think OS X is nicer than Windows in many ways, but neither can hold a candle to my own (Linux). It’s a race to second place!

In my last post “Bro on FreeBSD 7: Should You Care?”, ZFS was listed as one of the improvements of FreeBSD 7. The posts “The Advantages of Sun’s ZFS Filesystem” and “Ten Reasons to Reformat Your Hard Drives” discuss some of the advantages of ZFS. Blogger jamesd_wi posted a very nice collection of links concerning ZFS titled “Interested in ZFS.” Paul Venezia’s article in InfoWorld titled, “Sun ZFS breaks all the rules” does a real nice job of hitting the high points.

To address Linus’s comment on HFS+, Apple is developing ZFS for Mac OS X. Noel Dellofano, who is part of the ZFS development team, did release binaries and source code of ZFS for Mac OS X on the MacOSForge site. Noel cautioned in his post, “As I mentioned, ZFS is still BETA, so there are (and likely will be) some issues turn up with compatibility with the upper layers of the system if that’s what you’re referring to.” Mac OS Forge has created a “Known Issues and Features in the Works” area to help keep people apprised of the development of ZFS under Mac OS X.

What does Linus have to say about recent file system development, and in particular ZFS? Swapnil Bhartiya talked to Linus in his article, “Linus Torvalds: I Have Never Really Talked To Microsoft!” On the question of ZFS, Linus responded:

Actually, just yesterday we had a git performance issue, where ZFS was orders of magnitude slower than UFS for one user (not under Linux, but git is gaining a lot of traction even outside of kernel development). So I think a lot of the ‘new file system’ mania is partly fed by knowing about the issues with old file systems, and then the (somewhat unrealistic) expectation that a ‘new and improved’ file system will make everything perfect.

In the end, this is one area where you just let people fight it out. See who comes out the winner — and it doesn’t need to be (and likely will not) be a single winner. Almost always, the right choice of file system ends up depending on the load and circumstances.

One thing that I’m personally more excited about than any of the file systems you mention is actually the fact that Flash-based hard disks are quickly becoming available even for ‘normal’ users. Sure, they’re still expensive (and fairly small), but Flash-based storage has such a different performance profile from rotating media, that I suspect that it will end up having a large impact on file system design. Right now, most file systems tend to be designed with the latencies of rotating media in mind.

A very interesting point concerning technological innovation. Linus does state in a post that ZFS is “one of their very very few bright spots.” By “their” he means Sun. Linus’s problem with ZFS is that “ZFS and the other things that people are drooling about in a way that lets Linux use them on an equal footing. I can pretty much guarantee that. They don’t like competition on that level. They’d *much* rather take our drivers and _not_ give anything back, or give back the stuff that doesn’t matter.” Linus goes on to say, “And yes, maybe ZFS is worthwhile enough that I’m willing to go to the effort of trying to relicense the kernel. But quite frankly, I can almost guarantee that Sun won’t release ZFS under the GPLv3 even if they release other parts. Because if they did, they’d lose the patent protection.”

Jonathan Schwartz, Chief Executive Officer and President of Sun Microsystems, Inc., responded in his blog post “An OpenSolaris/Linux Mashup.” Jonathan writes, “We want to work together, we want to join hands and communities – we have no intention of holding anything back, or pulling patent nonsense. And to prove the sincerity of the offer, I invite you to my house for dinner. I’ll cook, you bring the wine. A mashup in the truest sense.” We will leave Jonathan and Linus to settle their issues. If you are interested, you can listen to Linus on the Linux Foundation Podcast. They have a two-part interview (part 1, part 2) where Linus comments on a variety of topics including patents, internal and external competition, the broader adoption of Linux, Microsoft, and much more. If you want to know more about GPLv3, Eben Moglen, a leading advocate of open source rights, gives the talk “The Renaissance of Invention: Free Software and the Next American Century” on the IT Conversations podcast. In the talk, Eben addresses the controversy about GPLv3 and Linux, and whether software patents are more dangerous than other patents. To some, licensing issues might not be the most exciting topic, but it is important to be aware of them, since the development and adoption of projects such as ZFS can be affected.

Drew Thaler has a few things to say about ZFS compared to HFS+. Drew worked in Apple’s CoreOS filesystems group. Before that, he worked on DiscRecording.framework, and singlehandedly created the content subframework that streamed out HFS+, ISO-9660, and Joliet filesystems. Before that, he worked on the same thing for Mac OS 9. And before that, he worked on mass storage drivers for external USB/FireWire drives and internal ATA/ATAPI/SCSI drives. Currently he works on a file I/O subsystem for PlayStation 3 games. In short, Drew knows what he is talking about. He wrote the post “Don’t be a ZFS Hater” and a follow-up post “ZFS Hater Redux,” which contain some amazing information. Drew makes a very important point when he writes:

Some very smart people at Sun started the ball rolling by putting an awful lot of thought into the future of storage, and they came up with ZFS.

After they announced it and started talking about it, other brilliant people at Apple (and FreeBSD, and NetBSD) paid attention to what they were doing. And they listened, and thought about it, and looked at the code, and wound up coming around to the side of ZFS as well.

The original HFS design is twenty years old. It has had a good run, but so much has changed in the world of computers. As Linus pointed out, technology changes and file systems need to be redesigned for these changes. Some brilliant folks have worked on ZFS. It is not a patched file system trying to handle the latest requirements of computers. ZFS is a file system designed with the flexibility to handle data requirements for the next ten years. It will not be the final word in file systems. The world continues to innovate and change. The point is, ZFS is here now after seven years of development. It sets a new standard for future file systems. I look forward to seeing ZFS implemented in the latest Mac and FreeBSD operating systems.

Diversification and Security
http://blog.securitymonks.com/2007/12/26/diversification-and-security/
Wed, 26 Dec 2007 19:21:44 +0000, John Gerber

“The wave of the future is not the conquest of the world by a single dogmatic creed but the liberation of the diverse energies of free nations and free men.” — John Fitzgerald Kennedy

Sorry for not posting for a while. I was working on a post involving the Request Tracker (RT) software installation. I ran into a problem under Mac OS X, and had to backtrack in that section. The problem does not exist under FreeBSD, so I wanted to include both operating systems. That posting is still a work in progress until I have some time and can get back to it. Today’s post does tie in, for it was inspired by a recent article involving Mac OS X on an Apple Xserve.

It warms my heart this holiday season to see the Mac and PC guy exchanging a hug in the spirit of cooperation. That is what this post is about: bringing Macs and PCs together. Andy Greenberg, Senior Reporter at Forbes.com, reports in an article, “Apples For The Army,” that the US Army is shifting more of its IT infrastructure towards the Mac to thwart hacking attempts. The article quotes Lieutenant Colonel C.J. Wallington, a division chief in the Army’s office of enterprise information systems, as saying that the military is quietly working to integrate Macintosh computers into its systems to make them harder to hack. That’s because fewer attacks have been designed to infiltrate Mac computers, and adding more Macs to the military’s computer mix makes it tougher to destabilize a group of military computers with a single attack, Wallington says. To quote the article:

The Army’s push to use Macs to help protect its computing corps got its start in August 2005, when General Steve Boutelle, the Army’s chief information officer, gave a speech calling for more diversity in the Army’s computer vendors. He argued the approach would both increase competition among military contractors and strengthen its IT defenses.

Apple Mac OS X is not new to the Army. Apple’s Xserves have been running army.mil for a couple of years now. The reason this story is getting press is because of an upcoming release of software that will allow Mac OS X machines to work with the Army’s Common Access Card (CAC) smart card system. Wallington reports, “[The Army’s Xserves] are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off.”

This is not to give the false impression that there is an Apple on every desk in the Army. In fact, Wallington estimates around 20,000 of the Army’s 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army’s ranks during each of its bi-annual hardware buying periods. The development of the software should help clear one barrier to Apple desktop deployment.

Jonathan Broskey, a former Apple employee who now heads the Army’s Apple program, argues that the Unix core at the center of the Mac OS makes it easier to lock down a Mac than a Windows platform. Whether you accept Broskey’s statement or not, it is certain that the Mac OS will face growing targeted attacks. An end-of-year data security wrap-up by F-Secure highlights the growing number of attacks targeting Apple systems with malicious software. To quote from the report, “at the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.” This graph demonstrates the rise:
[Graph: Malware detections]
The report goes on to state:

Windows Vista was on the horizon at the end of 2006 and the question was — would Vista be the end to malware threats? Not this year at least — The year 2007 ends with Windows XP still dominating the world’s installed base leaving Vista little opportunity to make an impact. The potential strength of Vista has not yet been tested in full force. And much of the malware in the wild running on XP machines is stronger than ever. We predict that the situation will not change very soon looking at Vista’s current sales.

The article goes on to state, “In the past two years, until this October, F-Secure found only a small handful of malicious programs targeting Macs. In the past two months, the company has found more than a hundred specimens of Mac-targeted malicious code.”

The article quotes Charlie Miller, a software researcher with Independent Security Evaluators, as stating that the Army’s diversification plan isn’t enough to thwart the bad guys. He sees a two-platform system as a “weakest link” scenario, in which a determined cyber-intruder will seek out the more vulnerable of the two targets. “In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house,” he says.

Now, neither Windows nor Apple could be considered a straw house. Both operating systems have their strengths and weaknesses. In the end, the question comes down to whether you believe diversification is a valid security tactic. This is a debate that has existed for a long time in security. Two often-quoted papers argue this point: “CyberInsecurity: The Cost of Monopoly” (PDF) and its counterpoint “The Flaw of Security Through Diversification.”

Generally, the argument against diversification is over the complexity involved in mitigating risks. Could not this same argument be applied to many approaches in security? Practicing defense in depth adds layers of complexity, which in turn adds to the level of security. With Christmas just past, maybe we all want to believe in Santa and an operating system that will never have any security flaws. Kids, read no further. In the world I live in there will be flaws. We can sit around hoping that some company will secure our operating systems and our networks so we can go back to the days when we could telnet in as root to our systems thinking we had no security concerns. Or we can face reality. Apple and Microsoft can help, but they can only be part of the solution. As we wage the war to secure our systems against very clever adversaries (not script kiddies!), our solutions become ever more complex. The only way to avoid that complexity is not to play, and that is not really an option. We can say “No!” to the latest IT technological advancements. In so doing, we fail to capitalize on technology that can help our company or government be more productive. In a competitive world, that is not an acceptable solution. Life is complex, and my prediction for 2008 is that it is only going to get worse.

I wish all good security professionals the best in 2008. May your future consist of understanding managers that realize mitigating risk is tied to complexity. For it will be the top managers that will determine what level of risk is acceptable. These wise men will know the true meaning of risk; mainly that risk is “the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization“. With that determination of acceptable risk will come responsibility. My only other prediction for 2008 is that it’s going to be an interesting year. Happy New Year to all.

Installing Packages under MacPorts
http://blog.securitymonks.com/2007/06/17/installing-packages-under-macports/
Sun, 17 Jun 2007 20:26:19 +0000, John Gerber

“If you have any trouble sounding condescending, find a Unix user to show you how it’s done.” – Scott Adams

Hacking

Today, I did some hacking. Not as in “hacking into systems,” but as in “hacking to get things to work.” Sometimes in life things do not work as they should and you just have to keep hacking away. Did I say “sometimes”? A good day is when you get the software to work before the sun rises. I still have a few hours to go. As with most die hard hackers, I am eternally optimistic. If we weren’t, we would never attempt anything.

Today, I had to get some software running under Mac OS X. I am an old-time UNIX person. I am used to pulling down source, configuring, compiling, and installing. Mac OS X can make life a little more challenging. For anyone struggling with installation problems, I figured I would provide one way to get things working. Not my preferred way, but sometimes we have to do what works.

In the end, I had to install MacPorts. MacPorts was formerly DarwinPorts. To catch new users up to speed, let me provide the Wikipedia description:

MacPorts, formerly called DarwinPorts, is a free/open source software project to simplify installation of other free/open source software on the Mac OS X and Darwin operating systems. Similar to Fink and the BSDs’ ports collections, DarwinPorts was started in 2002 as part of the OpenDarwin project, with the involvement of a number of Apple Computer employees including Landon Fuller, Kevin Van Vechten, and Jordan Hubbard.

If you are confused because you thought Mac OS X is just a slight variation on the BSD kernel, please check out Amit Singh’s book, Mac OS X Internals. The book describes the architecture and design of Apple’s operating system. If you don’t want that much detail, go over to IT Conversations and listen to Mr. Singh discuss Mac OS X Internals. Mr. Singh’s personal website is over at kernelthread.com.

Please, do not misunderstand me. MacPorts is a great help to anyone who has to develop on Mac OS X. It is just that I like to keep things as close to the OS as possible. This means, when installing software, I like running the configuration commands and compiling the software myself. While I know using packages/RPMs makes administration easier, it also makes the person installing the packages less aware of how the packages were configured and installed. Frequently, a package is installed with the configuration that will work in most environments, with optional features and network services switched on so that nothing is missing. Generally, that will not be the most secure way of configuring the package.

In the case of installing a package like MacPorts, you are installing a whole new set of libraries. If you want to install Perl modules under MacPorts, it will install its own version of Perl. When you install a Perl package, it pulls down the dependencies and handles everything. Most people installing the packages have no idea what they have put on their system.

I am going to pull the installation instructions from the MacPorts site, then add to them.

1. Install Xcode Tools

  1. Download the latest version of Xcode Tools from Apple’s developer site; do not install an older version from the OS X 10.4 install disk, or some ports may fail to install.
  2. Run the binary installer.

Notes:
Xcode Tools is neither installed nor updated via the Software Update utility. You will want to make sure you keep it up to date yourself.

2. Install X Windows (X11)

On OS X 10.4, Apple’s X11 is an optional install (MacPorts’ X11 package is not recommended at this time). If the application X11 is not present in /Applications/Utilities:

  1. Insert the OS X 10.4 installation DVD and run the package named Additional Software.
  2. At the software selection window expand the Applications category and click the checkbox beside X11 (and nothing else).
  3. Click Install to install X11.
  4. Drag the /Applications/Utilities/X11 icon to your dock; you must open X11 before launching an X11 application.

Notes:

  • X Windows (X11) is required for many MacPorts apps and it is highly recommended that you install it even if you don’t plan to run X11 apps immediately.
  • The X11SDK is also required to run X11 software, but it is installed by default during the Xcode Tools install above. If you wish to check to see if X11 (X11User) and X11SDK are installed, look in /Library/Receipts for the files X11User.pkg and X11SDK.pkg.

3. Set the shell environment

Setting the Unix shell environment is critical for MacPorts to function.
Requirements for the MacPorts’ shell environment

You will want to make sure that ~/.profile adds the MacPorts paths in front of the standard UNIX paths for the default bash shell. This is done so that if you have utilities or libraries from both MacPorts and OS X’s standard install, the MacPorts versions will be found first rather than the ones provided by Apple. The same ordering means a MacPorts build silently replaces any Apple command of the same name, so keep track of which ports you have installed. You can change the PATH via the command line with the command:

export PATH=/opt/local/bin:/opt/local/sbin:$PATH

You’ll need to add this variable to your ~/.profile to run X11 applications:

export DISPLAY=:0.0

So a ~/.profile file might look like this:

export PATH=/opt/local/bin:/opt/local/sbin:$PATH
export DISPLAY=:0.0

Note:

  • Changes to ~/.profile do not take effect in the current shell session; they take effect in new sessions, so open a new shell session and type ‘env’ to see the path and variable changes.
  • Other profile files may take precedence over ~/.profile. A bash login shell reads only the first of ~/.bash_profile, ~/.bash_login and ~/.profile that it finds, so if you are using one of the following files in your home directory, you will need to merge the contents of it into ~/.profile, or vice versa, because the shell will ignore one of them:
    • ~/.bash_login
    • ~/.bash_profile

Verify the shell environment

To verify that your ~/.profile has set your shell environment:

  • Open a new terminal window
  • Type the command: env

Check to make sure the reported PATH begins with the MacPorts paths as shown above.

Sample output of command env:

TERM_PROGRAM=Apple_Terminal
TERM=xterm-color
SHELL=/bin/bash
PATH=/opt/local/bin:/opt/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
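Reading env by eye tells you the PATH order but not what that order changes. The following is an added example, not part of the original post and not from MacPorts: a POSIX shell script that confirms PATH starts with the two MacPorts directories and lists every command in /opt/local/bin (and /opt/local/sbin) that shadows a same-named Apple command in /usr/bin, /bin, /usr/sbin or /sbin. The directory list, the function names and the tab-separated output format are my own choices.

```sh
#!/bin/sh
# Added example, not from the original post or from MacPorts.
# Checks the shell environment set up for MacPorts and reports which
# Apple-supplied commands the /opt/local directories now shadow.

# path_ok PATHSTRING
# Succeeds only if PATHSTRING begins with the MacPorts directories, in the
# order the ~/.profile above puts them.
path_ok() {
    case "$1" in
        /opt/local/bin:/opt/local/sbin:*) return 0 ;;
        *) return 1 ;;
    esac
}

# shadowed_commands FIRST_DIR OTHER_DIR...
# For every executable in FIRST_DIR, print "name<TAB>winner<TAB>shadowed"
# when an executable of the same name exists in one of the OTHER_DIRs.
# With FIRST_DIR=/opt/local/bin this is the list of Apple commands that the
# PATH change replaces with MacPorts builds.
shadowed_commands() {
    first=$1
    shift
    [ -d "$first" ] || return 0
    for f in "$first"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        for d in "$@"; do
            if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
                printf '%s\t%s\t%s\n' "$name" "$f" "$d/$name"
                break
            fi
        done
    done
    return 0
}

if path_ok "$PATH"; then
    echo "PATH starts with /opt/local/bin:/opt/local/sbin"
else
    echo "warning: PATH does not start with the MacPorts directories" >&2
fi

echo "Commands in /opt/local/bin that shadow Apple's:"
shadowed_commands /opt/local/bin /usr/bin /bin /usr/sbin /sbin
echo "Commands in /opt/local/sbin that shadow Apple's:"
shadowed_commands /opt/local/sbin /usr/sbin /sbin /usr/bin /bin
```

Everything on the printed list is a command whose behaviour now depends on a MacPorts build rather than on Apple’s. That is exactly what you want for the ports you installed on purpose, but it is also the first place to look when a tool starts behaving differently after the PATH change, and it is what you are giving up when you remove the MacPorts directories from PATH to get Apple’s versions back.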

4. Install MacPorts

Install MacPorts using the binary installer (to /opt/local/ only)

  1. Download the latest MacPorts .dmg disk image, currently version 1.4.0.
  2. Run the binary installer.
  3. Perform the default “easy” install.

Note:

  • A MacPorts selfupdate (see below) will automatically update to the latest release if the binary .dmg image is behind the latest released tarball.

Install MacPorts from source (to any path except /usr/local/)

  1. Download and unpack the latest MacPorts tarball from the MacPorts download area.
  2. Perform these commands in a terminal window.
    cd ~/MacPorts-1.4.0/
    ./configure
    make
    sudo make install
    

Note:

  • To see why /usr/local is not a viable install location for MacPorts, see the MacPorts FAQ

Note: Developer releases contain untested code and may have bugs. Use at your own risk.

5. Update MacPorts via selfupdate

The ‘port selfupdate’ command must be run after a new MacPorts install, and frequently thereafter. The command updates MacPorts with the latest port revisions, and, if necessary, updates MacPorts to the latest release.

  1. Open a terminal window.
  2. Execute the MacPorts selfupdate command.
    sudo port selfupdate
    

or for verbose output:

sudo port -d selfupdate

6. Installing Packages

Now you are going to start installing packages under MacPorts. A good place to see what packages have been ported to MacPorts is the main Darwin Ports repository. It still carries the old name, but it is the MacPorts site. It has a search field where you can enter a package name and find installation instructions.

For example, if you wanted to install the GNU multiple precision arithmetic library (GMP), you would execute the MacPorts install command for GMP.

sudo port install gmp

At this point, you should see output like the following:

--->  Fetching gmp
--->  Attempting to fetch gmp-4.2.1.tar.bz2 from http://ftp.gnu.org/gnu/gmp
--->  Verifying checksum(s) for gmp
--->  Extracting gmp
--->  Configuring gmp
--->  Building gmp with target all
--->  Staging gmp into destroot
--->  Running ranlib on static libraries
--->  Installing gmp 4.2.1_4+test
--->  Activating gmp 4.2.1_4+test
--->  Cleaning gmp
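That transcript is worth reading closely rather than just waiting for “Cleaning”. The archive came from a plaintext http mirror, so the “Verifying checksum(s)” step is the only integrity check between the mirror and your build tree, and it only tells you the download matches what the port’s maintainer recorded. As an added example, not from the original post and not part of MacPorts, here is a shell/awk audit of those “--->” lines: it reports which archive was fetched, from where, over which scheme, and whether MacPorts reported a checksum verification, and exits non-zero for a plaintext fetch or a missing verification. The sample log is constructed from the gmp output above; the function name, the output format and the exit codes are my own choices.

```sh
#!/bin/sh
# Added example, not from the original post or from MacPorts.
# Reads the "--->" progress lines that "port install" prints (as in the gmp
# transcript above) and reports the download and integrity facts that matter:
# which archive was fetched, from where, over which scheme, and whether a
# checksum verification was reported.
#
# Exit status: 0  fetched over https and checksums verified
#              1  checksums verified, but the archive came over plaintext http
#              2  a fetch was attempted with no checksum verification reported
audit_port_log() {
    awk '
        # "--->  Attempting to fetch FILE from URL": record archive and origin
        /^--->  Attempting to fetch / {
            file = $5
            url = $7
            scheme = url
            sub(/:.*/, "", scheme)
            fetched = 1
        }
        /^--->  Verifying checksum/ { verified = 1 }
        # "--->  Installing NAME VERSION"
        /^--->  Installing / { pkg = $3; ver = $4 }
        END {
            printf "package=%s version=%s archive=%s scheme=%s checksum_verified=%s\n",
                   pkg, ver, file, scheme, (verified ? "yes" : "no")
            if (fetched && !verified) exit 2
            if (scheme == "http") exit 1
            exit 0
        }
    '
}

# Constructed sample: the gmp transcript from the post, fetched over http.
sample='--->  Fetching gmp
--->  Attempting to fetch gmp-4.2.1.tar.bz2 from http://ftp.gnu.org/gnu/gmp
--->  Verifying checksum(s) for gmp
--->  Extracting gmp
--->  Installing gmp 4.2.1_4+test'

if printf '%s\n' "$sample" | audit_port_log; then
    echo "ok"
else
    echo "flagged with status $?"
fi
```

To use it on a real install, pipe the transcript through the function (for example `sudo port install gmp | tee gmp.log` and then `audit_port_log < gmp.log`). Combined with `port deps NAME` before the install and `port contents NAME` afterwards, this gives you the inventory that the post says most package users never look at: what was pulled in, from where, and what ended up under /opt/local.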

I started this post to explain how to install another package, not listed above. It ended up hanging during the installation of the package. So everything is not sunshine and rainbows even when using MacPorts. I found a solution that did not use MacPorts. Still, the next project I worked on involved an IDS solution using Bro. While I initially installed the packages without MacPorts, I ran into some results I did not trust. The nice thing with MacPorts is that with a change of your PATH, you can include or exclude its libraries and executables. MacPorts can be most useful, even if you do not use it that frequently.

A Little Light Reading http://blog.securitymonks.com/2007/01/20/a-little-light-reading/ http://blog.securitymonks.com/2007/01/20/a-little-light-reading/#comments Sun, 21 Jan 2007 05:54:28 +0000 John Gerber http://blog.securitymonks.com/?p=17 With the holidays and studying for the GSNA certification, I have fallen behind in my reading. I spent Friday evening printing out documents.

From the National Institute of Standards and Technology:

From ISACA:

Concerning Securing Mac OS X:

Concerning Web Application Security:

Just for Fun:

It sure would be nice to retreat to a monastery and spend a few days just reading this material. A quote from Doug Larson sums it up nicely, “For disappearing acts, it’s hard to beat what happens to the eight hours supposedly left after eight of sleep and eight of work.”
