Peter Q. | 28 Jun 19:17 2016

.NET on CentOS.

Hi there, I was reading about it.
https://www.redhat.com/en/about/blog/net-core-now-available-and-supported-red-hat-enterprise-linux-and-red-hat-openshift

What will happen with CentOS and .NET, in terms of security and stability?

James B. Byrne | 28 Jun 15:46 2016

Re: UDP Constant IP Identification Field Fingerprinting Vulnerability


On Mon, June 27, 2016 12:29, Gordon Messmer wrote:
> On 06/26/2016 01:50 PM, James B. Byrne wrote:
>> However, all I am seeking is knowledge on how to handle this using
>> iptables.  I am sure that this defect/anomaly has already been
>> solved wherever it is an issue.  Does anyone have an example on
>> how to do this?
>
>
> I think the bit you're missing is that you don't have to address every
> detail that your auditors send you.  You can label an item a false
> positive.  You can respond that you are aware, and that you don't
> consider an item to be a security defect.  Fingerprinting is an
> excellent example thereof.  As was already noted, the IP ID field is
> just one of many aspects of IP networking that can be used to identify
> Linux systems.  If you don't address them all, addressing one is not a
> useful exercise.

I understand WRT false positive flagging.  And that is exactly what I
have done.  However, the PCI DSS report piqued my interest in this
matter and I thought to satisfy my curiosity.  The other stuff flagged
in the report seemed a little far-fetched to me. At least the
explanation of why they were flagged did.

As none of them affect our PCI status I have no interest in the rest.
This one, however, I was previously unaware of, and so I wanted to discover
more about it.

Thank you for the information and especially for the references.


Hersh | 28 Jun 12:09 2016

VNC server issue- Gnome - oh no! Something has gone wrong

Hi,

I have been using VNC on a CentOS 7 server for the last couple of months and it
was running fine until last night. Unfortunately, there was an abrupt
power failure and the system got restarted.  Now, when I try to log in with
VNC Viewer, it throws an error message, "Gnome - oh no! Something has gone
wrong", with a logout option. When I click on logout, I see a black/dark
gray screen with 3 check boxes.

I googled to figure out a solution and tried several solutions but could
not fix the problem. Any suggestion would be very helpful.

Regards
Hersh

raving Joker | 28 Jun 11:31 2016

Guest's Additions Virtual CD

Hello to everyone, I'm a new Italian member, so I'm sorry if my English isn't
perfect.
I was thinking...
Why not (in CentOS 7) insert a tab in the installation phase that
permits an automatic installation of the guest additions tools (I'm using
VirtualBox, but it could be applied to other platforms with a menu), a little
system that detects the guest additions CD and, if it isn't inserted, displays
a message to the user with information about how to insert it and do the
installation automatically?

Thanks to all the people who want to reply. I know that these
virtualization platforms are in part at odds with the ethical free
software mindset... but why not in CentOS, with proper informative
messages?

Good afternoon

Raving

henimp | 28 Jun 03:55 2016

Errors on yum upgrade

During yum upgrade a couple days ago, I saw this:

   Cleanup    : kernel-3.10.0-229.20.1.el7.x86_64                       35/64
warning: file /lib/modules/3.10.0-229.20.1.el7.x86_64/modules.softdep: remove failed: No such file or directory
warning: file /lib/modules/3.10.0-229.20.1.el7.x86_64/modules.devname: remove failed: No such file or directory

Should I be concerned about this? What could have caused it?

Mark LaPierre | 28 Jun 02:20 2016

Use USB2.0 Camera with KVM based VM

Hey All,

I've been googling this issue for hours but I can't find a workable
solution.  I found a reply to a bug posting that said the USB hub on the
VM defaults to USB 1.1.  I see this is true when I lsusb on the CentOS 7
guest.

The reply to the bug post went on to say that the problem is that the
USB 2.0 camera will not work with the USB 1.1 default hub and that I
should change the hub from USB 1.1 to USB 2.0.

I see no way to do that.

Can anyone shed some light on this?  Is there a way to change the USB
hub from USB 1.1 to USB 2.0 inside the VM Manager?

Is there a better way to get my USB 2.0 web camera to appear in my
CentOS 7 guest?

-- 
    _
   °v°
  /(_)\
   ^ ^  Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/

James B. Byrne | 26 Jun 22:50 2016

Re: UDP Constant IP Identification Field Fingerprinting Vulnerability


On Fri, June 24, 2016 12:24, John R Pierce wrote:
> On 6/24/2016 9:20 AM, James B. Byrne wrote:
>> We received a notice from our pci-dss auditors respecting this:
>>
>> CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps
>> the
>> IP Identification field at 0 for all non-fragmented packets, which
>> could allow remote attackers to determine that a target system is
>> running Linux.
>
>
> 2.4 kernels are kinda old.   kinda really really old.    are you still
> running CentOS 4 on PCI audited systems ?!??
>
>

The CVE is from 2002 and the kernel mentioned refers to the original
report.  Linux core team said it was a non-problem and the issue
remains in the kernel found in CentOS-6.8.  Possibly the one in 7.
Perhaps it is still present in the development branch.

However, all I am seeking is knowledge on how to handle this using
iptables.  I am sure that this defect/anomaly has already been solved
wherever it is an issue.  Does anyone have an example on how to do
this?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail

Alexander Farber | 24 Jun 21:58 2016

haproxy + Apache + virtual hosts -> wrong host is displayed

Hello,

I hope my question is not off-topic here.

On CentOS 7.2.1511 I have installed:
haproxy-1.5.14-3.el7.x86_64
httpd-2.4.6-40.el7.centos.1.x86_64

The /etc/haproxy/haproxy.cfg binds HAProxy to
ports 80 and 443 and accepts HTTPS to slova.de:

defaults
    mode                    http
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
....
frontend public
    bind 144.76.184.151:80
    bind 144.76.184.151:443 ssl crt /etc/pki/tls/certs/slova.de.pem
    reqidel ^X-Forwarded-Proto:
    reqidel ^X-Forwarded-For:
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    option forwardfor
    default_backend apache

backend apache
    server domain 127.0.0.1:8080

The /etc/httpd/conf/httpd.conf binds Apache

James B. Byrne | 24 Jun 18:20 2016

UDP Constant IP Identification Field Fingerprinting Vulnerability

We received a notice from our pci-dss auditors respecting this:

CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
IP Identification field at 0 for all non-fragmented packets, which
could allow remote attackers to determine that a target system is
running Linux.

The NVD entry for which contains this note:

 CHANGE> [Cox changed vote from REVIEWING to NOOP]
 Cox> So I asked some kernel guys about this - it's not considered
   an issue.  There are several other ways to identify Linux on
   the wire and people who care about this kind of thing rewrite
   their packets in various ways via firewall technology to trick
   the identifier programs.

So, what packet mangling may be done in iptables to solve this without
breaking UDP transmission? I take it that we are talking about
something in the prerouting chain but what kind of mangling is safe?
Is there an example somewhere?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@...
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757

Kaplan, Andrew H. | 23 Jun 14:51 2016

Re: sssd.conf file missing

Hello –

Thank you for your e-mail. I corrected the syntax in the file, and I have confirmed the permissions are correct:

-rw-------. 1 root root 266 Jun 23 08:45 sssd.conf

Unfortunately, the error condition and messages listed in my initial e-mail are still present.



From: l <at> avc.su [mailto:l <at> avc.su]
Sent: Thursday, June 23, 2016 8:34 AM
To: CentOS mailing list; Kaplan, Andrew H.
Subject: Re: [CentOS] sssd.conf file missing

Hello Andrew.

The sssd.conf should be owned by root:root, mode 0600.
Also please note this line in your config:


[<domain>.org]
enumate = true
It's enumerate, not enumate.



23.06.2016, 15:24, "Kaplan, Andrew H." <ahkaplan <at> partners.org>:

Hello --

Kaplan, Andrew H. | 23 Jun 14:23 2016

sssd.conf file missing

Hello --

We are running CentOS 7.2 on a virtual machine, and we are trying to set up LDAP authentication. The ldap
packages that are currently installed on the system are the following:

python-sss 1.13.0-40.el7_2.4
python-sssdconfig 1.13.0-40.el7_2.4
sssd 1.13.0-40.el7_2.4
sssd-ad 1.13.0-40.el7_2.4
sssd-client 1.13.0-40.el7_2.4
sssd-common 1.13.0-40.el7_2.4
sssd-common-pac 1.13.0-40.el7_2.4
sssd-dbus 1.13.0-40.el7_2.4
sssd-ipa 1.13.0-40.el7_2.4
sssd-krb5 1.13.0-40.el7_2.4
sssd-krb5-common 1.13.0-40.el7_2.4
sssd-ldap 1.13.0-40.el7_2.4
sssd-libwbclient 1.13.0-40.el7_2.4
sssd-libwbclient-devel 1.13.0-40.el7_2.4
sssd-proxy 1.13.0-40.el7_2.4
sssd-tools 1.13.0-40.el7_2.4

I ran the following commands to set up LDAP/AD authentication:

# ln -s /bin/bash /bin/PHSshell
# ln -s /home /PHShome
# authconfig --enablesssdauth --enablemkhomedir --enablesssd -update
# chkconfig sssd on
# service sssd restart
