Author: mark_user

  • Generic Outline for Writing a Policy or Procedure

    Generic Outline for Writing a Policy or Procedure

    Initial Thoughts

    Polices are global in nature. All company employee’s are expect to follow the guidelines. Examples of polices include: the Acceptable Use Policy (AUP), Memorandum of Understanding (MOU), or Bring Your Own Device (BYOD) to work. These a often generic guidelines that all employees must adhere to. On the other hand, procedures are typically at the department or team level. They are a step-by-step guide book. Many departments will have multiple Standard Operating Procedure (SOP) for a wide variety of topics.

    When writing either, they follow a general outline. Here is some generic language to get you started.

    General Outline

    1. Purpose – Define the purpose of the policy.

    “The purpose of this procedure is to set forth the process for investigating, evaluating, and recovery from a security Breach to comp[any information assets, data, or other resources.”

    2. Requirements – Why is this required? What standards are to be followed? PCI data security standard (PCI DSS)? What other Legal or regulatory rules apply?

    “Payment Card Industry Data Security Standards (PCI DSS) were developed specifically to provide a baseline of technical and operational requirements designed to protect account data, to protect against threats, and secure elements in the payment ecosystem. The company adheres to all PCI DSS standards.”

    “Standards & Organizational Controls (SOC 2) was developed to audit internal controls. Compliance helps provide information and assurances to customers of how you process users’ data and keep it private. The company will conduct a SOC2 audit bi-annually based on the published schedule.

    “The company adheres to all PCI DSS standards. HIPPA standards, CISA hardening requirements, and SOC2 audit requirements. Specifically, this procedure is mandated by PCI Standard 12.10.1, 10.10.3, 12.10.5, 12.10.06. See the PCI standards listed in the Appendix.”

    3. Definitions – Define any terms or definitions used in the document.

    4. Process & Procedure – Typically a flow chart. Also, what data is to be evaluated (input), what results are expected (output). Are any records created ? Any reports generated?

    5. Role Responsibilities – Who is to do what? Who is to use this procedure?

    • Computer end user will notify security in the event of a suspected event.
    • Security analyst will gather the PC and any data necessary for an analyst.
    • Forensic analysts will analyze the collected data and conduct the investigation.
    • Any communication to the executive committee will be conducted by the CISO.
    • A member of the executive committee will be responsible for speaking on the company’s behalf to law enforcement, legal, and the public.

    7. Communication, Exceptions, & Sanctions – Who is this procedure to be communicated to? All employees? Who is exempt from following the policy? Who should they contact to get an exemption? What is the penalty if it is not followed?

    “Any training about this procedure will be provided by the security team. Any modifications to this procedure is the responsibility of the oversight committee.  If a user needs to request an exemption to this policy, or the policy needs to be updated, please contact the HR department.”

    “Any employee, contractor, or user who willfully violates this procedure is subject to disciplinary action up to and including termination. Company reserves the right to pursue legally permissible action it deems necessary to protect its interest and the interests of its customers. Further information, see Employee Handbook”.

    8. Document Control – Who is the owner of the document, how often is it reviewed (annually?), Revision history chart is needed.

    “This document is maintained by the Human Resources Department.  Content owner is responsibly for identifying circumstances that might warrant out-of-cycle reviews (such as process changes, regulatory changes, etc.). A review should be initiated no more than 12 months after the last review.

    “This document is maintained by the Human Resources Department.  This document is available online in the SharePoint Library and it published for viewing by all employees. Version 1.6 is the current approved version of this document.”

    Create a Bordered Table with the following columns: Revision date, description, approved by, version #

    9. Appendix – A written copy of the PCI standards that the document references. A URL or other notes or documents.

  • Test your DNS Proxy using a PowerShell Script

    Test your DNS Proxy using a PowerShell Script

    Introduction

    Most company’s have a policy to block dangerous websites for employees. Pornography, hate, gambling, social media are all categories that should be blocked. Either, they are big time wasters, or may be required by law to be blocked.

    Although you may have your proxy turned on correctly, that does not mean the bill got paid. Usually, a proxy will default to open for all users. You may be asked by outside 3rd party auditor’s or a senior manager to provide proof that the DNS proxy is actually working and blocking non-approved content.

    The script

    This PowerShell script will run as the current logged on user and send an email with the results. It will print the email in HTML format and each URL that it tests will be color coded. Red means site was blocked, green for site was successfully accessed, and gray for error.

    You will need to provide a list of websites in text document with one URL per line. I have included one below, as an example.

    # test-web-proxy.ps1
# Set location of the URL text file
$URLListFile = "C:\users\user1\Desktop\websitelist.txt"
$URLList = Get-Content $URLListFile -ErrorAction SilentlyContinue
$Result = @()
$LocalProxy = "Web Proxy: WebSense"
$date = Get-Date -Format "yyyy-MM-dd"
$user = $env:USERNAME

# Loop through each URL and gather needed info
foreach ($Uri in $URLList) {
    try {
        # Setting TLS version for compatibility
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls
        $request = Invoke-WebRequest -Uri $Uri -UseDefaultCredentials
        $time = (Measure-Command { $request }).TotalMilliseconds
    }
    catch {
        $request = $_.Exception.Response
        $time = -1
    }

    # Create Results
    $Result += [PSCustomObject] @{
        Time = Get-Date
        Uri = $Uri
        StatusCode = [int]$request.StatusCode
        StatusDescription = $request.StatusDescription
        TimeTakenMilliseconds = $time
    }
}
# Create Report
if ($null -ne $Result) {
    $Outputreport = @"
    <HTML>
    <TITLE>Web Access Audit</TITLE>
    <BODY style="background-color:peachpuff;">
    <font color ="#0000ff" face="Microsoft Tai le">
    <H2>Web Access DNS Policy Audit</H2></font>
    <ul>
    <li><font color = black><B>Date: $date</B></li>
    <li><font color = black><B>$LocalProxy</B></li>
    <li><font color = black><B>Access Policy: General user.  Access to the identified sites is restricted.</B></li>
	<li><font color = black><B>Account Tested: <font color="red">$user</font></B></li>
    </ul>
    <ul>
    <li><font color = green><B>Green = Blocked!</B></li>
    <li><font color = red><B>Red = NOT Blocked!</B></li>
    <li><font color = gray><B>Gray = Header or NOT Found!</B></li>
    </ul>
    <Table border=1 cellpadding=0 cellspacing=0>
    <TR bgcolor="#787878" align=center><TD><B>URL</B></TD><TD><B>StatusCode</B></TD><TD><B>StatusDescription</B></TD></TR>
"@
    foreach ($Entry in $Result) {
        $bgColor = switch ($Entry.StatusCode) {
            200 { "#F68B8B" }
            403 { "#93F072" }
            default { "#787878" }
        }
        $Outputreport += "<TR bgcolor='$bgColor'><TD>$($Entry.Uri)</TD><TD align=center>$($Entry.StatusCode)</TD><TD align=center>$($Entry.StatusDescription)</TD></TR>"
    }
    $Outputreport += "</Table>"
    $Outputreport += "</BODY>"
    $Outputreport += "</HTML>"
}

# send email with results
$smtpServer = "exchange.company.com"
$smtpFrom = "hostname@company.com"
$smtpTo = "user@company.com"
$subject = "Web-Access-Audit - $date"
$body = $Outputreport

Send-MailMessage -SmtpServer $smtpServer -From $smtpFrom -To $smtpTo -Subject $subject -Body $body -BodyAsHtml

    Save this file as a ‘websitelist.txt’ file.

    *Chat & Instant Messaging*
https://messenger.yahoo.com/
https://www.aim.com/
https://web.whatsapp.com
*Web-Based Email*
https://gmail.com/
https://hotmail.com/
https://mail.yahoo.com/
*Gambling*
https://onlinegambling.com/
https://www.draftkings.com/
https://www.fanduel.com/
*Photo Search & Images*
https://www.shutterfly.com/
https://photoshack.com/
https://www.smugmug.com/
*Peer File Transfer (P2P)*
https://utorrent.com/
https://www.vuze.com/
*Online Storage and Backup*
https://carbonite.com/
https://drive.google.com/
https://www.dropbox.com/login
*Filter Avoidance (Proxy Avoidance)*
https://torproject.org/
https://xroxy.com/
https://ultrasurf.us/
*Personal VPN*
https://surfshark.com/
https://www.hotspotshield.com/
https://expressvpn.com
*Social Networking*
https://www.facebook.com/
https://tiktok.com/
https://www.instagram.com/
*Illegal Activities*
http://www.ekran.no
http://pyrobin.com
*Illegal Downloads*
http://www.keygenninja.com
http://www.rootscrack.com
*On-Line Document Sharing*
https://pastebin.com 
https://docs.google.com
*DNS over HTTPS* 
https://cloudflare-dns.com
https://dns.google.com
*File Transfer Services*
https://filetransfer.io
https://www.sharefile.com
http://www.wetransfer.com
  • Ping Multiple Hosts using PowerShell

    Ping Multiple Hosts using PowerShell

    Are you are working in a windows environment and need to check if a large number of hosts are online? The below ps1 script may be what you are looking for. Place all hostnames to be checked in a text file called computer.txt and on one per line. Modify the script as necessary, then ‘run’ .

    # ping-report.ps1
# Limited to < 100 assets in the computerlist.txt file or this will not run!

clear-host
$list = get-content C:\Users\user1\Desktop\computerlist.txt
$UpList = @()
$DownList = @()
$count=0


Foreach($computer in $list) {
    $testhost = Test-Connection -ComputerName $computer -count 1 -ErrorAction SilentlyContinue
    If ($testhost) {
        $UpList += $computer
        #Write-Host $computer $testhost.IPV4Address -Foregroundcolor Cyan 
        $count ++
        }
    Else {
        #Write-Host $computer $testhost.IPV4Address -Foregroundcolor Red
        $DownList += $computer
        $count ++
        }
Write-Progress -Activity "Progess" -Status "$computer Complete:" -percentcomplete $count
};""


#computers that are up
foreach ($computer in $UpList){

    Write-Host $computer $list.IPV4Adress -ForegroundColor Cyan 
};""

#computers that are down
foreach ($computer in $DownList){
   Write-Host $computer -ForegroundColor Red 
}
  • Backup Files to S3 using Bash

    Backup Files to S3 using Bash

    Description

    A bash script will be used to copy a file from a Linux server to an S3 bucket. Next, it will run a checksum on the results to verify the upload. Finally, it will output the local file size, the local etag , the aws file size, and the aws etag value for easy comparison. This should give the end user enough confidence that the uploaded file has maintained it’s integrity.

    The script assumes you have an account in AWS with a login credentials. You have the cli AWS tools and credentials downloaded to /home/user/.aws/config and /home/user/.aws/credentials. These two files are needed to successfully authenticate to the s3 bucket.

    Amazon Web Service S3 Bucket

    AWS is a flat file system. There are no folders or directories. The “full” name of a file includes all the subdirectories as well. i.e. “/file1/file2/file3.txt” is the file name and not “file3.txt”. AWS will show all subdirectories as folders in the console, for ease of human navigate.

    Begin

    Start the script by defining that it will run as bash and add any notes to the head.

    #!/bin/bash
# 04/18/23, backup.sh
# created by mbb

    Send any log output to a custom log file and code to exit the script if any commands in a pipeline fails. 

    exec 2>> /var/log/backups/aws.log
set -euo pipefail

    Get the number of processing units available and add it to a variable.

    NUM_PARALLEL=$(nproc)

    Define the remaining local variables.

    HOSTNAME=`hostname`
DATE=`date "+%F %T"`

DAY=$(date -d "1 day ago" +%d)
MONTH=$(date -d "1 day ago" +%b)
YEAR=$(date -d "1 day ago" +%Y)

LOG="/var/log/backups/aws.log"

src_dir="/mnt/logs/$YEAR/$MONTH"
src_file="log-$DAY.log.gz"

    Define the AWS variables. 

    aws_dir="s3://bucket01/folder1/$YEAR/$MONTH" 

s3_bucket="bucket01"
s3_dir="folder1/$YEAR/$MONTH"
s3_key="$s3_dir/$src_file"     # name of the file in s3 
s3_body="$src_dir/$src_file"   # the location of the data to be uploaded

    When a file is uploaded to AWS, it will calculate what is called an ETAG value. This is the checksum value of the upload file. To verify file integrity, we will compare the uploaded aws calculated ETAG against the local file’s calculated ETAG.

    The ETAG will match a true md5 hash value if the file size is < 5 GB. If the file is > 5 GB, the aws ‘cp’ command will automatically break the file into 8 MB chunks and upload 4 threads of data simultaneously, until the upload is complete. Each uploaded thread will have an md5 calculated. The resulting ETAG will be a sum of all the uploaded data chunks, rather than a true md5 hash against the completed file.

    In order to compare the ETAG’s and verify they match, we must calculate the local file’s ETAG value. Then compare that value to the value calculated by AWS. The script contains two methods to calculate the ETAG value, you will need to review and consider what is needed. In my case, I always know the value I will upload will be > 5 GB.

    To calculate the local files ETAG value, for files < 5GB. use:

    # calculate ETAG value of local file, if < 5GB.
md5_hash="$(md5sum "$src_dir/$src_file" | awk '{ print $1 }')"

    For files > 5 GB, we can use the code from https://gist.github.com/rajivnarayan/1a8e5f2b6783701e0b3717dbcfd324ba. 

    # ---------- Begin Code ---------------
MULTIPART_MINSIZE=$((8*1024*1024))

file="$src_dir/$src_file"
partSizeInMb=8

if [[ ! -f "$file" ]]; then
   echo "$DATE Error: $file not found to compute hash." >> $LOG
   exit 1;
fi

# Calculate checksum for a specified file chunk
# inputs: file, partSizeInMb, chunk
# output: chunk md5sum
hash_chunk(){
   file="$1"
   partSizeInMb="$2"
   chunk="$3"
   skip=$((partSizeInMb * chunk))
   # output chunk + md5 (to allow sorting later)
   dd bs=1M count="$partSizeInMb" skip="$skip" if="$file" 2> /dev/null | echo -e "$chunk $(md5sum)"
}

# Integer quotient a/b after rounding up 
div_round_up(){
   echo $((($1 + $2 - 1)/$2))
}

partSizeInB=$((partSizeInMb * 1024 * 1024))
fileSizeInB=$(du -b "$file" | cut -f1 )
parts=$(div_round_up fileSizeInB partSizeInB)

if [[ $fileSizeInB -gt $MULTIPART_MINSIZE ]]; then
   export -f hash_chunk
   etag=$(seq 0 $((parts-1)) | \
       xargs -P ${NUM_PARALLEL} -I{} bash -c 'hash_chunk "$@"' -- "$file" "$partSizeInMb" {} | \
       sort -n -k1,1 |tr -s ' '|cut -f2,3 -d' '|xxd -r -p|md5sum|cut -f1 -d' ')"-$parts"
else
   etag=$(md5sum $file|cut -f1 -d' ')
fi
# ---------------- end of code ----------------------
# Calculate ETAG Value of local file, if > 5GB
md5_hash=$etag

    Next, we will copy the files to the s3 bucket using the ‘cp’ command. We will be using the CLI copy command, rather than the s3api command, as the api can not handle file’s large then 5 GB. Copy the content to S3 and tell AWS that the data is just a plain text file. 

    aws s3 cp $src_dir/$src_file s3://$s3_bucket/$s3_dir/$src_file --content-type=text/plain

    Get the ETAG value that AWS calculated during the upload. 

    s3_md5_hash=$(aws s3api head-object --bucket "$s3_bucket" --key "$s3_key" --query ETag --output text | sed 's/"//'g)

    Next, we will get both the local file size and the uploaded file sizes.

    aws_list=`aws s3 ls "$aws_dst_dir/$src_file" --human-readable --output text`
local_list=`ls -alhF "$src_dir/$src_file"`

    Finally, display the file sizes and the ETAG values of both the uploaded file and the local file side by side for comparison. 

    echo "File size check:"
echo "$HOSTNAME: $local_list"
echo "s3.amazon: $aws_list"
echo ""
echo "ETAG check (md5 sum):"
echo "$HOSTNAME: $src_file  ETAG: $md5_hash"
echo "s3.amazon: $src_file  ETAG: $s3_md5_hash"
  • Validate the Integrity of a File Backup using Ansible

    Validate the Integrity of a File Backup using Ansible

    Introduction

    Running nightly file backups is a common task for administrators. How do we know the file was copied successfully with no errors? In this post, we will set up an ansible script and it will run a file integrity check using MD5 on both the source and the destination files to verify it was not corrupted during the copy process. In this process the Ansible server is assumed to be a separate server from both the source server and the designation server.

    Specifically, we will tell Ansible to execute a bash script on the source and destination servers, gather the results and store them in a temp text file, then it will output the text file to the body of an email and send it to interested parties for review.

    Create the Ansible Script

    Add comments to the head of the script. I like to include an example of the command, so that it can be easily copied to the command line.

    # Ansible script, validate.yml
# cmd: ansible-playbook -i inventory.ini validate.yml

    Add the variables to the script. All ansible scripts start with three dashes. Also note the Ansible is very sensitive to the placement of the columns. The names, hosts, and tasks columns must be lined up exact or the script will not execute. 

    ---
- name: Verify integrity using md5 checksums 
  hosts: server1.company.com:server2.company.com
  gather_facts: False

    Add the tasks that must be executed.

      tasks:
    - name: Check file integrity
      script: /home/user1/validate.sh   
      ignore_errors: False 
      register: results
    - name: Make a header for the results txt file.
      shell: echo '<-- results -->'
      register: title
      delegate_to: localhost
      run_once: true
    - name: Create new results txt file. 
      local_action: copy content={{ title.stdout }}
      dest=/home/user1/validate.txt
    - name: Append results to txt file. 
      lineinfile:
         dest: /home/user1/validate.txt
         line: "{{ results.stdout }}"
         insertafter: EOF
      delegate_to: localhost
    - name: get the date
      shell: "date +%Y-%m-%d"
      register: tstamp
      delegate_to: localhost

    Finally we will send an email to interested parties. 

    - name: Sending email
      mail:
         host: exchange.company.com
         port: 25
         from: hostname@company.com
         to: 
         - user1@company.com
         - user2@company.com	
         subject: Copied to backup server.
         body: "Date: {{ tstamp.stdout }}\n\n
               NOTE: The below results are for yesterday's files.\n\n
               {{ lookup('file','/home/user1/validate.txt') }}"
      delegate_to: localhost
      run_once: True

    Build the Bash Script

    In Ansible, it will execute the code on all servers simultaneously. So, we don’t know what server’s results will be returned to Ansible first. That is why we need the server hostname.

    Create the headers.

    #!/bin/bash
# validate.sh

    Create the variables.

    date=`date -d yesterday +%Y-%m-%d`
host=`hostname | awk '{print tolower($0)}'`
day=`date -d yesterday +%d`
month=$(date -d yesterday +%b)
year=`date +%Y`

src_dir1="/var/ossec/logs/$year/$month"
dst_dir1="/mnt/storage/logs/$year/$month"
file="filename-$day.log"

    Execute the comamnds, to gather the needed data.

    # Get source file results
results1=$(ls -alhF "$src_dir1/$file")
md5sum1=$(md5sum "$src_dir1/$file" | awk '{ print $1 }' )
# Get destination file results
results2=$(ssh backupserver "ls -alhF $dst_dir1/$file")
md5sum2=$(ssh backupserver "md5sum $dst_dir1/$file" | awk '{ print $1 }')

    Output the results. Remember these results will be returned to Ansible.

    # output results, compare file file size and MD5 hash.
echo " $host File: $results1"
echo "Backup File: $results2"
echo ""
echo " $host MD5_Sum: $md5sum1"
echo "Backup MD5_Sum: $md5sum2"

    This is my own method for verifying files were copied correctly. I hope you find it useful.

  • Update, Reboot, & Get the Health of Remote Servers

    Update, Reboot, & Get the Health of Remote Servers

    Introduction

    Ansible was designed to remotely manage multiple Linux servers simultaneously. Scripts can be used for many common tasks like updating, rebooting, or to the check health of your Linux servers . Ansible scripts are very format sensitive, so be sure that all columns match up, as below, or it will not run.

    Notice that some scripts call sudo and you need the ‘-K’ switch in the command. You can tell if the script calls sudo by the line ‘become: yes’.

    Update & Reboot all Servers

    This will updated, upgrade, remove unnecessary files, and clear the local repository cache. Finally, it will send an email when completed. It will run against all servers, in the ini file, listed in the group called ‘all_servers’. 

    # Ansible script, update.yml
# Update all servers. 
# cmd: ansible-playbook -K -i inventory.ini update.yml

---
- name: Update Servers
  hosts: all_servers
  gather_facts: no
  become: true
  tasks:
  - name: Run apt update
    apt:
       update_cache: yes
  - name: Run apt upgrade.
    apt:
       name: "*"
       state: latest
  - name: Run apt autoremove.
    apt:
       autoremove: yes 
  - name: Run apt autoclean. Clean the /var/cache/apt/archive file
    apt:
       autoclean: yes
  - name: Reboot servers.
    reboot:
 - name: Send email that task was completed.
   hosts: localhost 
   gather_facts: false
   become: false

   tasks:
     - mail:
         host: exchange.company.com
         port: 25
         from: hostname@company.com
         to: user1@company.com
         subject: Servers have been updated
         body: All servers have been successfully updated and rebooted.
       delegate_to: localhost
       run_once: True

    Reboot Specific Servers

    # Ansible script, reboot.yml
# Use to reboot multiple specific servers.
# cmd: ansible-playbook -K -i inventory.ini reboot.yml

---
- name: Reboot specified servers
  hosts: server01.company.com:server02.company.com:server03company.com
  gather_facts: no
  become: true

  tasks:
   - name: Reboot servers.
     reboot:

    Check the Health of the Remote Servers

    The check health script gathers basic information about the remote servers. Is the hard disk drive full? Does the server need a reboot? How long has the server been up?

    The ansible script calls a bash script, that is then executed on all remote hosts. The results are returned and printed to a text file. An email copies the contents of the text file to the body of the email and results are emailed. Be sure to save the inventory.ini, bash scripts, and the ansible scripts in the same directory.

    # Ansible script, health.yml
# Get hostname, uptime, reboot state, & disc space of each server.
# cmd: ansible-playbook -i inventory.ini health.yml 
---
- name: Run health check of servers.
  hosts: all_servers
  gather_facts: false

  tasks:
    - name: Get health of security servers
      script: /home/user1/svr_health.sh 
      ignore_errors: False
      register: results      
    - name: Make a header for a txt file.
      shell: echo '<--- SERVERS DAILY REPORT --->'
      register: title
      delegate_to: localhost
      run_once: true
    - name: Create a new txt file.
      local_action: copy content={{ title.stdout }} dest=/home/user1/svr_health.txt
    - name: Append results to txt file.
      lineinfile:
        dest: /home/user1/svr_health.txt
        line: "{{ results.stdout }}" 
        insertafter: EOF
      delegate_to: localhost      
    - name: Sending email.
      mail:
         host: exchange.company.com
         port: 25
         from: hostname@company.com
         to:
         - user1@company.com
         - user2@company.com
         subject: Servers Health Status
         body: "Expected Server Cnt: 18 \nActual Total Cnt: {{ ansible_play_hosts | length }}\n\n {{ lookup('file','/home/user1/svr_health.txt') }}"
      delegate_to: localhost
      run_once: True
    #!/bin/bash

date=`date`
uptime=`uptime | grep -ohe 'up .*' | sed 's/,//g' | awk '{ print $2" "$3 }'`
hostname=`hostname`
file="/var/run/reboot-required"
# Note: Assumes all servers have a logical volume drive.
diskspace=`df -h | grep /dev/mapper/`

echo
echo "Date:     $date"
echo "Hostname: $hostname"
echo "Space:    $diskspace"
echo "Uptime:   $uptime"

if [[ -f $file ]];then
	echo "Reboot:   *** Reboot Required ***"
else
	echo "Reboot:   No Reboot Required"
fi