My Dad wrote an email asking the following:

Dear Folks,

Does anyone know the position of a second flag on a common halyard?
I fly the US flag on top and the POW MIA flag beneath.
A few years back, I wrote a letter to the Flag Code organization in Pittsburgh and did not get an answer.
I have heard various comments relative to that positioning. I can not find it in my code booklet.
I heard originally that it should be a flag height break between flags. I also heard that the flag below the US flag should not be touched by the hanging US flag. I cannot find anything in print with either of those comments.
I was also told that you were not to fly any other flag with the US flag. I know that is bogus according to the flag code. All I could find in the code is that the US flag flies on the top. It just does not seem to specify details of separation. That is what I am looking for!

If you had a beefy Linux box with plenty of storage hanging on to your border router that can see all of your network’s ingress/egress traffic, what would you put on it? Why?

Let me know in the comments or via twitter!

I’m thinking some sort of netflow collector, maybe a layer 7 re-assembler. Full packet capture/logging perhaps?

My wife and I went out for a grown-up night. We planned on hitting up the Brass Tap, but they were way too crowded. We decided to try Prime Bar instead. Prime Bar is located in the Wiregrass Shops in New Tampa across from the Brass Tap.

We both just wanted a beer, but the menu had a few unique items. After looking it over a few times, we finally settled on the Habanero Shrimp Tempura. I expected to receive a paper-lined plastic basket with some soggy battered/fried shrimp with some wing sauce on them. I was pleasantly surprised.

The shrimp was plated on a large tortilla on a bed of lettuce. There was a separate bowl for the ranch sauce, and a few carrots and celery sticks. I took a bite of the shrimp expecting a mediocre flavor. I was immediately wowed. This was the spiciest dish I had at a restaurant in recent memory. The sauce was super spicy with the perfect balance of tangy. The tempura was delicate and very crispy.

I ordered a Rogue Dead Guy ale at the same time as the shrimp. It turned out to be the perfect compliment to the dish, both for flavor as well as cooling down the experience.

Altogether, the atmosphere at Prime Bar was kind of dead, but the food and beer were spot on. The decor and furniture arrangement reminded me of a hotel bar. If they work at bringing in the customers while at the same time not compromising the bold flavors, I think they might have a good thing going.

I thought I’d share a cookie recipe I’ve been baking for a few years. My grandma used to make these. It’s a sweet, buttery cookie that crumbles apart.

Fourteen Ingredient Cookies

Ingredients

• 1 cup butter
• 1 cup oil
• 1 cup brown sugar
• 1 cup granulated sugar
• 1 egg
• 1 cup oatmeal
• 1 cup Rice Krispies
• 1 tsp cream of tartar
• 1/2 tsp baking soda
• 1/2 tsp salt
• 1 cup coconut
• 1 tsp vanilla
• 1/2 cup chopped nuts
• 3 1/2 cups flour

Instructions

Preheat oven to 350 degrees F.

Cream together the butter, eggs, and sugar. Add the oil & mix well.

Add dry ingredients.

Drop onto ungreased cookie sheet.

Bake for 12-15 minutes

Yield: 4-5 Dozen

I’ve been trying to stick to strictly SCAP-related posts, but there’s so much more to write about. Having recently deleted my FaceBook account due to the new privacy policies, I will now use this blog as my general purpose outlet. I’ll be using my new domain http://chrisam.net/blog from now on. The old domain will still work.

My colleague Aharon was recently published in SC Magazine with an article on SCAP and Vulnerability Management.

… A fortuitous byproduct of implementing the Security Content Automation Protocol (SCAP) within the organization is that we no longer have to rely on tracking security patches to address vulnerabilities. …

Check it out!

http://www.scmagazineus.com/The-best-way-to-remediate/article/151843/

I’m deviating from my SCAP posts a bit. I was looking at better ways to secure sites when I stumbled on this.

What is suPHP?

suPHP will execute php scripts as the user you specify. This enhances security by not running scripts as the web server user (nobody) or as root (really bad idea). So even if there is a vulnerable php script installed, it can at most execute with the permissions of the non-privileged user you choose for it to use.

How does it work?

PHP scripts are interpreted by suPHP and suPHP then calls the php interpreter as the specified user and interprets the scripts as that user.

Why am I writing this How-To?

I have found several guides that *almost* get it done, but then there are a few details that you have to go hunt for. Hopefully this guide is easy to use and can get you set up on the first try.

Installation and Configuration

First Steps

There is an suPHP package in the RPMForge repository. You will need this installed. Follow the guide on the CentOS Wiki: http://wiki.centos.org/AdditionalResources/Repositories/RPMForge
If you follow each step for CentOS 5, it will work. I guarantee it.

The RPMForge package you will need is called “mod_suphp” and as of this writing, here are the package details:
Name       : mod_suphp
Arch       : i386
Version    : 0.7.0
Release    : 1.el5.rf
Size       : 597 k
Repo       : rpmforge
Summary    : Apache module that enables running PHP scripts under different users

Install The Package

yum install mod_suphp

This will install a few configuration files:
/etc/suphp.conf – This is the configuration file for suPHP itself
/etc/httpd/conf.d/suphp.conf – This is the configuration file for the suPHP Apache module

Edit the suPHP Config file – /etc/suphp.conf

There are a few lines that need changd to make this work.

webserver_user=apache

Depending on what user you run your web server as, you may need to change this line.

x-httpd-php=php:/usr/bin/php

This line must be modified to put double quotes around the value. suPHP will not work without it. You must also change it to use the PHP commandline interpreter, php-cgi. It should look like this:

 x-httpd-php="php:/usr/bin/php-cgi"

x-suphp-cgi=execute:!self

The same applies with this line. Put double quotes around the value, so it looks like this:

x-suphp-cgi="execute:!self"

Edit the suPHP Apache Module Configuration File – /etc/httpd/conf.d/suphp.conf

This file loads the suPHP Apache module as well as sets global configuration for the module. On my server, different sites (VirtualHosts) on my server have files owned by different users. To allow each user/VirtualHost to run PHP as their user, we do not enable nor configure suPHP globally. To skip global configuration, I comment out every line in /etc/httpd/conf.d/suphp.conf except the LoadModule line.

Configuration of the suPHP module will be handled on a per-VirtualHost basis in the httpd.conf.

Edit the httpd config file to set up individual VirtualHosts – /etc/httpd/conf/httpd.conf

suPHP usage is defined per VirtualHost. An unchanged VirtualHost directive will still execute PHP, but as the web server user. You can change this so PHP will not execute at all unless it uses suPHP, but I don’t do that in my config.

Below is my unchanged VirtualHost directive for http://www.packetsense.net:

<VirtualHost *:80>

ServerName packetsense.net

ServerAlias www.packetsense.net

DocumentRoot /home/packetsense/www/

ScriptAlias /cgi-bin/ /home/packetsense/cgi-bin/

ScriptAlias /cgi-sys/ /home/packetsense/cgisys/

SetEnv PHPRC /home/packetsense/etc/

ErrorDocument 404 /404.html

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fchris@packetsense.net"

ServerAdmin chris@packetsense.net

php_admin_flag allow_url_fopen off

</VirtualHost>

You may not have all those directives defined in your config, but that doesn’t really matter.
To set a VirtualHost to work with suPHP, you only need to add 4 lines.

suPHP_Engine on

suPHP_UserGroup username groupname

AddHandler x-httpd-php .php .php3 .php4 .php5

suPHP_AddHandler x-httpd-php

In my case, my files are owned by User: packetsense, and Group: packetsense.

My modified VirtualHost directive now looks like this:

<VirtualHost *:80>

ServerName packetsense.net

ServerAlias www.packetsense.net

DocumentRoot /home/packetsense/www/

suPHP_Engine on

suPHP_UserGroup packetsense packetsense

AddHandler x-httpd-php .php .php3 .php4 .php5

suPHP_AddHandler x-httpd-php

ScriptAlias /cgi-bin/ /home/packetsense/cgi-bin/

ScriptAlias /cgi-sys/ /home/packetsense/cgisys/

SetEnv PHPRC /home/packetsense/etc/

ErrorDocument 404 /404.html

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fchris@packetsense.net"

ServerAdmin chris@packetsense.net

php_admin_flag allow_url_fopen off

</VirtualHost>

Finally: All that’s left is to restart the web server service.

Now: Test It

To see which user your PHP is running as, create a file in your web directory called whoami.php. Include this code:

<?php

echo "Output of the 'whoami' command:<br /><br />\n";

echo exec('/usr/bin/whoami');

?>

You should see something like this:
Output of the ‘whoami’ command:

packetsense

Common Problems

500 Internal Server Error

Check your /var/log/httpd/error_log. You might see something like this:

[Sun Oct 11 11:27:47 2009] [error] [client 72.185.236.25] SoftException in Application.cpp:249:
File "/home/packetsense/www/whoami.php" is writeable by group

[Sun Oct 11 11:27:47 2009] [error] [client 72.185.236.25] Premature end of script headers: whoami.php

In this case, just chmod 644 the file you’re working with. Alternatively, you can adjust the tolerance for file permissions by editing the /etc/suphp.conf file. Look at this section:

; Security options

allow_file_group_writeable=false

allow_file_others_writeable=false

allow_directory_group_writeable=false

allow_directory_others_writeable=false

Change them to true.

Another cause of the internal server error might be if you did not change the interpreter line in /etc/suphp.conf from:
x-httpd-php=”php:/usr/bin/php” to x-httpd-php=”php:/usr/bin/php-cgi”

Your PHP source code displays in the browser in Plain Text

Check your /etc/suphp.conf for proper quote marks and the php-cgi interpreter specified.

Problems with Sessions

If your scripts use PHP sessions, you may run into failures when PHP attempts to write to the /var/lib/php/session directory. By default, it is chmod 770, and owner is root, group is apache. I recommend adding your users to a phpsession group and then to chgrp the /var/lib/php/session directory to the phpsession group. I ran into this problem when trying to run PHPMyAdmin

Please let me know if this is helpful to you. Also, please leave any comments, corrections, or suggestions.

So we’ve run into a small snag with our automation: Automatically assigning remediation owners. It’s easy for our UNIX pilot. The same group fixes all the OS vulnerabilities. When we start adding Windows into the mix, it gets a little harder.

When a vulnerability is discovered for, let’s say Adobe Reader, we have different assignment teams that remediate it depending on the device. We have a separate group of engineers for Windows Servers, Windows Workstations, and for our Citrix remote access applications. (Luckily, we’re not running Adobe Reader on our UNIX platforms)

Tomorrow, I will start working on the logic to automatically determine remediation ownership and assign it correctly. It will be a complicated process mapping Application Owners to Applications, and Applications to Platforms to Devices. There will be multiple application owners per application CPE (Common Platform Enumeration), but one application owner per Application CPE per Device CPE.

Do any of you already have a solution for this?

This is just an example. I have no idea how you store your data. This is the method that works for my database framework. You can see where it queries the DB and then calls the classes I posted earler. This code loops through all the vulnerability scan records in the database for the current day. You would need to print the arrays somewhere to make it useful.

//I keep all my DB Login details in a separate file
include_once 'includes/db.php';
 
$myCvss = new cvss_details();
 
//Get Info From DB:
$result = mysql_query("SELECT vulns.server, vulns.cve_number, assets.business_risk, assets.data_risk, assets.location_risk, nvd_cve.cvss_score, nvd_cve.cvss_access_vector, nvd_cve.cvss_access_complexity, nvd_cve.cvss_authentication, nvd_cve.cvss_confidentiality_impact, nvd_cve.cvss_integrity_impact, nvd_cve.cvss_availability_impact FROM `vulns` LEFT JOIN (assets,nvd_cve) ON (assets.server=vulns.server AND nvd_cve.cve=vulns.cve_number) WHERE vulns.report_date = CURDATE()");
 
while ($row = mysql_fetch_array($result))
{
	$myCvss = new cvss_details();
 
	//debug defines
	$myCvss->set_cve_number($row['cve_number']);
	$myCvss->set_nist_cvss($row['cvss_score']);
	$myCvss->set_server($row['server']);
 
	//Define Base Score Details
	//Exploitability Metrics
	$myCvss->set_access_vector($row['cvss_access_vector']);
	$myCvss->set_access_complexity($row['cvss_access_complexity']);
	$myCvss->set_authentication($row['cvss_authentication']);
	//Impact Metrics
	$myCvss->set_conf_impact($row['cvss_confidentiality_impact']);
	$myCvss->set_integ_impact($row['cvss_integrity_impact']);
	$myCvss->set_avail_impact($row['cvss_availability_impact']);
 
	//Environmental Score Metrics
	//General Modifiers
	$myCvss->set_collateral_damage_potential("");
	$myCvss->set_target_distribution("");
	//Impact Subscore Modifiers
	$myCvss->set_conf_req($row['data_risk']);
	$myCvss->set_integ_req($row['location_risk']);
	$myCvss->set_avail_req($row['business_risk']);
 
	//Temporal Score Metrics
	$myCvss->set_exploitability("");
	$myCvss->set_remediation_level("");
	$myCvss->set_report_confidence("");
 
	$server_name[] = $row['server'];
	$cve_number[] = $row['cve_number'];
	$cvss_base_score[] = $row['cvss_score'];
 
	$calc = new calculate_cvss();
	$cvss_overall_score[] = round($calc->calculate($myCvss),1);	
}

Did I mention that I wasn’t a programmer? If you can make improvements to this code, I’d love to hear from you. This is my hackjob of code for doing what I need to do. Anyway, here’s my calculator. The DB call code will be in another post.

class calculate_cvss {
	function calculate($cvssDetail)
	{
		$adjustedImpact = $this->adjusted_impact($cvssDetail->conf_impact,$cvssDetail->conf_req,$cvssDetail->integ_impact,$cvssDetail->integ_req,$cvssDetail->avail_impact,$cvssDetail->avail_req);
		$adjustedImpactFunction = $this->adjusted_impact_function($adjustedImpact);
		$exploitabilitySubScore = $this->exploitability_subscore($cvssDetail->access_complexity,$cvssDetail->authentication,$cvssDetail->access_vector);
		$adjustedBaseScore = $this->adjusted_base_score($adjustedImpact,$exploitabilitySubScore,$adjustedImpactFunction);
		$adjustedTemporalScore = $this->adjusted_temporal_score($adjustedBaseScore,$cvssDetail->exploitability,$cvssDetail->remediation_level,$cvssDetail->report_confidence);
		$adjustedTemporalScore = round($adjustedTemporalScore,1);
		$environmentalScore = $this->environmental_score($adjustedTemporalScore,$cvssDetail->collateral_damage_potential,$cvssDetail->target_distribution);
		$impact = $this->impact($cvssDetail->conf_impact,$cvssDetail->integ_impact,$cvssDetail->avail_impact);
		$impact = round($impact,1);
		$impactFunction = $this->impact_function($impact);
		$baseScore = $this->base_score($impact,$exploitabilitySubScore,$impactFunction);
		$baseScore = round($baseScore,1);
		$temporalScore = $this->temporal_score($baseScore,$cvssDetail->exploitability,$cvssDetail->remediation_level,$cvssDetail->report_confidence);
		$overallScore = $this->overall_score($environmentalScore,$temporalScore,$baseScore);
 
		//Debug Printing
		print "CVE Number: $cvssDetail->cve_number<br />";
		print "Server:	$cvssDetail->server<br />";
		print "Impact SubScore: $impact<br />";
		print "Exploitability SubScore: $exploitabilitySubScore<br />";
		print "CVSS Temporal Score: $temporalScore<br />";
		print "CVSS Environmental Score: $environmentalScore<br />";
		print "--Adjusted Temporal Score: $adjustedTemporalScore<br />";
		print "--Collateral Damage Potential: $cvssDetail->collateral_damage_potential<br />";
		print "--Target Distribution: $cvssDetail->target_distribution<br />";
		print "NIST CVSS Score: $cvssDetail->nist_cvss<br />";
		print "CVSS Base Score: $baseScore<br />";
		print "Overall CVSS Score: $overallScore<br />";
 
		return "$overallScore";				
	}
	function adjusted_impact($confImpact,$confReq,$integImpact,$integReq,$availImpact,$availReq)
	{
		$adjustedImpact = min(10,10.41*(1-(1-$confImpact*$confReq)*(1-$integImpact*$integReq)*(1-$availImpact*$availReq)));
		return $adjustedImpact;
	}
	function adjusted_impact_function($adjustedImpact)
	{
		if ($adjustedImpact = 0)
		{
			$adjustedImpactFunction = 0;
		}
		else
		{
			$adjustedImpactFunction = 1.176;
		}
		return $adjustedImpactFunction;
	}
	function exploitability_subscore($accessComplexity,$authentication,$accessVector)
	{
		$exploitabilitySubScore = 20*$accessComplexity*$authentication*$accessVector;
		return $exploitabilitySubScore;
	}
	function adjusted_base_score($adjustedImpact,$exploitabilitySubScore,$adjustedImpactFunction)
	{
		$adjustedBaseScore = (0.6*$adjustedImpact+0.4*$exploitabilitySubScore-1.5)*$adjustedImpactFunction;
		return $adjustedBaseScore;
	}
	function adjusted_temporal_score($adjustedBaseScore,$exploitability,$remediationLevel,$reportConfidence)
	{
		$adjustedTemporalScore = $adjustedBaseScore*$exploitability*$remediationLevel*$reportConfidence;
		return $adjustedTemporalScore;
	}
	function environmental_score($adjustedTemporalScore,$collateralDamagePotential,$targetDistribution)
	{
		$environmentalScore = ($adjustedTemporalScore+(10-$adjustedTemporalScore)*$collateralDamagePotential)*$targetDistribution;
		return $environmentalScore;
	}
	function overall_score($environmentalScore,$temporalScore,$baseScore)
	{
		if(!defined($environmentalScore))
		{
			if(!defined($temporalScore))
			{
				$overallScore = $baseScore;	
			}
			else
			{
				$overallScore = $temporalScore;
			}
		}
		else
		{
			$overallScore = $environmentalScore;
		}
		return $overallScore;
	}
	function impact($confImpact,$integImpact,$availImpact)
	{
		$impact = 10.41*(1-(1-$confImpact)*(1-$integImpact)*(1-$availImpact));
		return $impact;
	}
	function impact_function($impact)
	{
		if ($impact = 0)
		{
			$impactFunction = 0;
		}
		else
		{
			$impactFunction = 1.176;
		}
		return $impactFunction;
	}
	function base_score($impact,$exploitabilitySubScore,$impactFunction)
	{
		$baseScore = (.6*$impact+.4*$exploitabilitySubScore-1.5)*$impactFunction;
		return $baseScore;
	}
	function temporal_score($baseScore,$exploitability,$remediationLevel,$reportConfidence)
	{
		$temporalScore = $baseScore*$exploitability*$remediationLevel*$reportConfidence;
		return $temporalScore;
	}
}