sssd and the sudo alerts

So… I kept getting a message like this every. single. time. I. used. sudo.

    Subject: *** SECURITY information for server.domain.example.com ***
    Message: server.domain.example.com : Oct 19 14:17:50 : yaleman : problem with defaults entries ; TTY=pts/0 ; PWD=/home/yaleman ; USER=root ;

Doing some searching, it turns out it’s an issue with local accounts and an interaction between sudo and sssd, where the sudo defaults aren’t being presented to sssd from FreeIPA/LDAP. [Read More]

Cleaning Up CrowdStrike Linux Files

Sometimes on Linux hosts, CrowdStrike has a bit of a weird issue with filling up /opt/CrowdStrike with old versions. The fix they gave us was… a bit special, so I came up with my own.

    sudo find /opt/CrowdStrike -type f -name "KernelModuleArchive*" -not -wholename "$(readlink -f /opt/CrowdStrike/KernelModuleArchive)" -exec rm "{}" \;
    sudo find /opt/CrowdStrike -type f -name "falcond*" -not -wholename "$(readlink -f /opt/CrowdStrike/falcond)" -exec rm "{}" \;
    sudo find /opt/CrowdStrike -type f -name "falconctl*" -not -wholename "$(readlink -f /opt/CrowdStrike/falconctl)" -exec rm "{}" \;
    sudo find /opt/CrowdStrike -type f -name "falcon-sensor*" -not -wholename "$(readlink -f /opt/CrowdStrike/falcon-sensor)" -exec rm "{}" \;

For each of the different file types it makes, there’s a “versioned” file, such as falcon-sensor7303, which is symlinked as /opt/CrowdStrike/falcon-sensor. [Read More]

Ninebot Kickscooter MAX Beeping

Turns out, reading the manual in full is handy. If you’re wondering why your Segway Ninebot Kickscooter MAX is beeping constantly, it’s because you have to activate it. Open the app, connect via Bluetooth and then click the little gear icon. Click “Activate” and then hit yes. It should make one more long beep and shut up after that. They also limit the speed on the device until you’ve activated it, which makes sense, I guess? [Read More]

Controlling my hot water

Yesterday I had a solar system and storage battery installed in my house. As part of that, inspired by Jon Oxer’s great SuperHouse series, I had the electrician install some high-current relays for me to control the hot water system. My plan has two intended control options:

  - with an automated timer
  - directly with my own code and controller

The Timer K3 is a Finder “Digital Astro Time Switch” with NFC connection support (12. [Read More]

Google Comic About Machine Learning

This Comic from the Google Comic Factory is a great “starter” introduction to machine learning, its applications and methods. Well worth a read! [Read More]

Blocking DoH With BIND RPZs

Xavier Mertens’ new post on the ISC Blog about blocking DNS over HTTPS with BIND RPZ was posted today, and it provides some really useful and actionable information on how to do it. BIND RPZs are a very useful tool for whole-of-network security actions. And before you reach for your angry typing keyboard, yes - DoH is a great idea - until you want to be able to take the skills and tools of your corporate security team to secure them and respond to threats and incidents. [Read More]

Retroactively Setting a Whole S3 Bucket to Public

I uploaded a bunch of files to an S3 bucket, then needed to update the permissions.

    aws s3 ls --profile <profile> --recursive s3://<bucket> | awk '{print $NF}' \
      | xargs -I{} -n1 aws s3api put-object-acl --profile <profile> --acl public-read --bucket <bucket> --key {}

There are two replacements you need to make in the above command:

  - bucket - the name of the bucket
  - profile - the profile configured in ~/.aws/credentials

There’s a better explanation here, in the AWS support documentation. [Read More]

ESP32 Micropython and the Memory Address

I was writing MicroPython to a new ESP32 board I got, and it was acting weird… looping the following over and over:

    rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
    flash read err, 1000
    ets_main.c 371
    ets Jun 8 2016 00:22:57

Turns out, if I’d read the documentation instead of just doing the same thing I’d been doing on the ESP8266s, I’d have known I need to write it starting at 0x1000 instead of 0x0000. [Read More]

crontab, ufw and the missing path

I’ve got a server with a web site which sits behind Cloudflare, so I have a daily script in root’s cron that grabs the current list of Cloudflare IPs and updates the ufw config so only Cloudflare can get to apache2. It’s a WordPress site so I’m a little scared of idiots doing idiot things. Ever since I ran it, for some reason it throws an error when it runs ufw status verbose:

    ERROR: problem running sysctl

[Read More]

Pastebin Grabbing Badness

While doing some threat hunting I found a server reaching out to pastebin (this was over an hour):

    src_ip=<ip> url=hxxp://pastebin[.]com/raw/<snip> count=34

It wasn’t a long running process, but it certainly happened a lot. The paste content was 127.0.0.1:80, which looked like a typical CNC control message. netstat wasn’t doing it, so lsof to the rescue! I ran this on the server:

    sudo watch -n1 lsof -n -i:80 -i:8080 -r1 -sTCP:^LISTEN | grep -v <ip>:http | tee -a ~/pastebin-find.

[Read More]