Getting Firefox and Java to work with jnlp files

If you are having trouble opening a jnlp file (e.g., for IPMI console access) you can try some of these steps.

Tell Firefox to allow pop-up windows for this site

Tell Firefox how to handle the filetype .jnlp

Tell it to open it with /usr/bin/javaws

Tell Java to allow the site to run applications

If you get “Application Blocked by Java Security” you can fix that by editing an exceptions list.

Modify file ~/.java/deployment/security/exception.sites

Each line in this file should be a protocol and domain name or IP address for the exception, e.g.:

http://172.20.0.19
http://172.20.0.20

References

  1. https://java.com/en/download/faq/java_webstart.xml
  2. https://stackoverflow.com/questions/25949651/openjdk-how-to-add-site-to-exception-list#25950032
Advertisements

Audit sudo docker usage

tl;dr

grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'

Explanation

One way to secure docker is to allow users to run it with sudo. Alternatively, you can add users to a group named “docker,” but this doesn’t provide the auditing that sudo has by default.

So you can whip up a nice, neat little sudoers.d file similar to:

User_Alias CONT_POC_USERS = %container_sudoers@ADDOMAIN
Runas_Alias CONT_POC_RUNAS = root
Host_Alias CONT_POC_HOSTS = cn-node-5*, cn-node-5*.example.com
Cmnd_Alias CONT_POC_CMNDS = /usr/bin/docker *
CONT_POC_USERS CONT_POC_HOSTS=(CONT_POC_RUNAS) CONT_POC_CMNDS

With a security posture where you will not allow anything to run in a container as root, you can audit compliance with a few regular expressions.

grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'

I haven’t figured out how to have the negative and positive searches in one string, so any input there would be appreciated!

Also, I have not figured out how to actually enforce running the docker exec command only with a -u username flag, without writing a much more complicated whitelist of docker build *, docker commit *, docker container *, docker cp * et al statements which seems like a lot of work but might ultimately be necessary.

sshd_config match negate address

tl;dr

Match Address *,!192.168.1.0/24

Negating address in match statement in sshd_config

I was locking down my ssh server configuration on a host, so that it will not accept password auth from outside a certain IP address range.
I had to learn how to get the Match Address directive to work with a negation. To make it work, you need to insert a wildcard before you then state the exclusion.

Match Address *,!192.168.1.0/24

And then I added the directives for this matched IP address range.

   AuthenticationMethods publickey
   PubkeyAuthentication yes
   PasswordAuthentication no
   X11Forwarding no

References

Weblinks

  1. https://serverfault.com/questions/408284/how-can-the-address-condition-in-a-match-conditional-block-in-sshd-config-be-neg

Man pages

  1. sshd_config
  2. ssh_config