J Wolfgang Goerlich's thoughts on Information Security
Matriux - Upgrade to 2.6.32-7 and install the GPL Hyper-V integration

By wolfgang. 14 December 2009 20:59

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the network and storage adapters.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd.

Configure apt-get to download the Lucid (2.6.32-7) kernel.


sudo bash

nano /etc/apt/sources.list


# added by -JWG- for Hyper-V integration

# The Lucid repository contains the 2.6.32-7 kernel

deb http://archive.ubuntu.com/ubuntu/ lucid main


apt-get update


Install the kernel and then comment out the repositories.


apt-cache search linux-image-2.6.32

apt-get install linux-image-2.6.32-7-generic linux-headers-2.6.32-7-generic build-essential


nano /etc/apt/sources.list

Comment out the lucid deb line (prefix it with #).


Validate the kernel after rebooting to ensure we are on 2.6.32-7.


uname -r


Enable the GPL integration components.


uname -r

sudo bash

cd /lib/modules/2.6.32-7-generic/kernel/drivers/staging/hv

insmod hv_vmbus.ko

insmod hv_blkvsc.ko

insmod hv_netvsc.ko

insmod hv_storvsc.ko


Add the modules to the startup file.


nano /etc/initramfs-tools/modules


# added by -JWG- for Hyper-V integration

update-initramfs -u




Confirm that the modules are loaded. You will have full network and disk integration. The mouse integration (Inputvsc) is currently provided by Citrix Project Satori and has not yet been patched for 2.6.32-7.


lsmod | grep vsc
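The steps above are typed in by hand, and a second pass (say, after a kernel rebuild) can leave duplicate module entries or a forgotten repository line. The following helpers are an added example, not code from the original post: they check the running kernel string, comment out the temporary repository, append the integration modules to the initramfs module list only if they are not already there, and report which expected modules are absent from lsmod output. The module list assumes the four names the post loads with insmod.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the integration
# modules are the four the post loads with insmod.
HV_MODULES="hv_vmbus hv_storvsc hv_blkvsc hv_netvsc"

# kernel_matches EXPECTED RUNNING
# Returns 0 when the running kernel string (from `uname -r`) is the one
# the integration modules were built for.
kernel_matches() {
    [ "$1" = "$2" ]
}

# disable_repo FILE PATTERN
# Prefixes every active "deb ..." line matching PATTERN with '#', so the
# temporary repository is not consulted by later apt-get runs.
disable_repo() {
    file=$1
    pat=$2
    sed "/^deb .*$pat/s/^/#/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# add_modules_once FILE MODULE...
# Appends each module name to FILE unless an identical line already exists,
# so re-running the procedure does not duplicate entries. Prints how many
# names were added.
add_modules_once() {
    file=$1
    shift
    added=0
    for m in "$@"; do
        if ! grep -qxF "$m" "$file" 2>/dev/null; then
            printf '%s\n' "$m" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# missing_modules LSMOD_TEXT MODULE...
# Given the text of `lsmod`, prints (one per line) the expected modules
# that are not loaded. Empty output means the integration is fully active.
missing_modules() {
    lsmod_text=$1
    shift
    for m in "$@"; do
        if ! printf '%s\n' "$lsmod_text" | awk '{ print $1 }' | grep -qxF "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# On the vm itself (as root) the steps above become:
#   kernel_matches 2.6.32-7-generic "$(uname -r)" || exit 1
#   disable_repo /etc/apt/sources.list lucid
#   add_modules_once /etc/initramfs-tools/modules $HV_MODULES
#   update-initramfs -u
#   missing_modules "$(lsmod)" $HV_MODULES
```

The functions take their input as arguments rather than calling uname, lsmod or editing system files directly, so they can be exercised against sample text before being pointed at the real /etc/apt/sources.list and /etc/initramfs-tools/modules.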



Hyper-V | Security | Virtualization

Matriux - Downgrade to 2.6.18 and install Hyper-V's integration components

By wolfgang. 14 December 2009 20:55

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the mouse, network adapter, and storage adapter.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd.
Download the Linux Integration components for Windows Server 2008 R2 (LinuxIC v2.iso).
Download the Citrix Project Satori mouse driver (Inputvsc.iso).

Configure apt-get to download the previous version of the kernel. This first requires flushing and renewing the apt-key signing keyring.


sudo bash


apt-key list

apt-key del 437D05B5

apt-key del FBB75451


apt-key list should now return an empty list.


Install the keyring

apt-get install debian-archive-keyring


Load the signing key for ftp.us.debian.org and security.debian.org.


cd /home/tiger/.gnupg/

mv gpg.conf gpg.con~


gpg --keyserver wwwkeys.eu.pgp.net --recv 9AA38DCD55BE302B

gpg --list-keys 9AA38DCD55BE302B

gpg --export 9AA38DCD55BE302B > 9AA38DCD55BE302B.gpg

apt-key add ./9AA38DCD55BE302B.gpg

apt-key list


Add the repositories to the end of the sources list, and update the apt list.


nano /etc/apt/sources.list


# Repository for older kernel versions

# added by -JWG- for Hyper-V integration

deb http://ftp.us.debian.org/debian etch main

deb http://security.debian.org/debian-security etch/updates main


cd /usr/src/

apt-get update


Install the kernel and then comment out the repositories.


apt-cache search linux-image-2.6.18

apt-get install linux-image-2.6.18-6-amd64 linux-headers-2.6.18-6-amd64 build-essential


nano /etc/apt/sources.list

Comment out the two deb lines (prefix them with #).


Modify the menu.lst file so it defaults to the 2.6.18-6 kernel, then reboot.


nano /boot/grub/menu.lst

default 2



Validate the kernel after rebooting to ensure we are on 2.6.18-6.


uname -r

Insert the LinuxIC v2.iso disk, copy locally, and install the drivers.


sudo bash


mkdir /opt/linux_ic

cd /opt/linux_ic

cp -R /media/CDROM/* /opt/linux_ic/

./setup.pl drivers

cat drvinstalls.err


The only errors should be "make: udevcontrol: command not found" and "make: *** [install] Error 127". These simply indicate that we will need to manually add the modules to the initramfs modules file.


Insert the Inputvsc.iso disk.


mkdir /opt/inputvsc

cd /opt/inputvsc

cp -R /media/CDROM/* /opt/inputvsc/

./setup.pl drivers

cat drvinstall.err


Again, the only errors should be related to the modules. Edit that file now.


nano /etc/initramfs-tools/modules


# added by -JWG- for Hyper-V integration

update-initramfs -u



Confirm that the modules are loaded. Then it is play time.


lsmod | grep vsc


Hyper-V | Security | Virtualization

Matriux - Penetration Testing from Hyper-V

By wolfgang. 13 December 2009 20:18

Matriux is a vulnerability assessment / penetration testing Linux distribution. The team's beta release was at the beginning of this month, and I have been playing around with the distro for the past couple of weeks. What can I say? I am a sucker for Latin mottos ("Aut viam inveniam aut faciam" or "I shall find a way or make one") and for cleanly laid out VA/PT toolsets.

The bonus, for those running Hyper-V, is that Matriux is Kubuntu based and comes with the Jaunty kernel (2.6.28-13-generic). Setting up a Hyper-V security appliance is as simple as creating a vm, using the legacy network adapter, skipping the hard drive, and booting off the downloadable ISO. Matriux works right out of the box within Hyper-V.

You can compare this to the Slax VA/PT distros, which do not support the network adapter. Oftentimes, these distros do not even support the mouse. Using the Matriux Live CD in Hyper-V is a breeze. For an environment to support a demo or an occasional vulnerability assessment, you cannot ask for more.

If you are doing regular assessments, there are a couple of limitations with Hyper-V. The legacy network adapter performs at 100 Mbps (significantly slower than the 10 Gbps speed of the standard network adapter). The Live ISO is read-only, too. The mouse integration is present, but it is not the seamless integration one is used to with Windows vms. Oh, and the mouse integration does not work when connected to Hyper-V over RDP. To get full functionality, you will need to install Matriux into a vhd and install the Hyper-V integration components.

The Jaunty kernel does not support integration. You have two options: (1) downgrade Matriux's kernel to 2.6.18 and install Hyper-V's integration components; or (2) upgrade Matriux to the Lucid kernel (2.6.32-7) and enable the Hyper-V GPL code. Option (2) provides faster performance and is in line with the planned Matriux Beta 2, but it does not support the full mouse integration.

Detailed steps for both options are in the links above. For those who want to skip to the chase and simply try out Matriux under Hyper-V, I have done the steps for you. You can download the security appliance from SimWitty's website. Enjoy!

Matriux beta (0.9.4) with 2.6.18-6 kernel
Matriux beta (0.9.4) with 2.6.32-7 kernel

Thank you to the Matriux team for a smooth, well done security distribution beta. Thanks goes, too, to Tom Houghtby for providing the Linux knowledge and guidance that made the integration possible.



Hyper-V | Operations Security | Security | Virtualization

Virtualization and the physical security boundary

By wolfgang. 8 July 2009 04:52

There are several laws of information security. Ask ten InfoSec pros and you will likely get ten different lists of laws, but I wager every one of them will agree on a couple of fundamentals. If an attacker can gain physical access to the computer, or if an attacker can modify the operating system, then the attacker can compromise the computer. The reason is that physical access allows an attacker to bypass the OS, and with it the security controls, and directly access the data.


Now, switch gears and picture a virtual environment. The physical analog is the hypervisor. If an attacker can gain access to the hypervisor, he has the same abilities as if he had access to the physical computer. If an attacker can exploit the Windows or Linux server hosting Hyper-V or XenServer, then the attacker can compromise all virtual computers on the host.


It is a subtle shift in the way of thinking. In the past, only one server ran on one piece of hardware, and the security boundary was the server itself. Thus you would place a physical web server in the DMZ and physically wire it to the firewalls. Computers with different security postures (e.g., domain controllers) would be on separate physical hardware and wired into separate physical networks.


Thus the hypervisor should host servers that have roughly the same security posture. One should not, for instance, host domain controllers and public-facing web servers on the same hypervisor. Even if the public-facing web server is on a separate virtual network, you still run the risk of its compromise affecting the domain controllers.


The security boundary is the physical hardware, not the computer itself.


Hyper-V | Security | Virtualization

Installing ARCserve on Hyper-V Core

By wolfgang. 28 June 2009 10:04

Hyper-V Core, or the Hyper-V role running on a Server Core installation of Windows Server 2008, provides only a command line interface. This makes installing management apps a bit tricky.


Take CA ARCserve Backup agent, for example. You cannot simply logon and run the installer. Rather, you need to use the management console that comes with ARCserve (r12.5). Use the management console to push out the agent to the Server Core.


The normal caveats apply to push installations. Both the management console and the Server Core computers should be on the same network. Both computers should be in the same Windows domain (or have a domain trust relationship set up). Ensure the Windows firewall on the Hyper-V Core is accepting inbound file sharing (CIFS) and remote procedure call (RPC) requests. Once those are accomplished, pushing the agent is straightforward.


Similar procedures apply to Diskeeper and anti-virus software.


Hyper-V | Virtualization

Virtualization Webinar next Monday

By wolfgang. 13 April 2009 16:44

As I mentioned before, I have played around a bit with Hyper-V and virtualized my production and recovery systems. CA did a case study on the project. This coming Monday, April 20 at 12:00 pm Eastern, I am doing a joint webcast with CA and Microsoft. The topic is still virtualization, with the focus on disaster recovery. I doubt I will say anything new during the talk, except that the talk will be much briefer than some others I have given on DR. CA’s going to talk a bit about their CDP, however, which is pretty cool stuff.



Business Continuity | Hyper-V | Virtualization

Delegating management in Hyper-V

By wolfgang. 11 March 2009 19:27

Separation of duties is a concept we keep coming back to. One individual (or one group) should not have full authority to complete a process. This goes hand-in-hand with least privilege. Any one individual (or group) should have just enough system privileges to complete their portion of the process, and no more. In the realm of server virtualization, this means dividing up duties between those who manage the hypervisor, those who manage the vms, and those who manage the guest computers.


In Hyper-V, you can delegate permission to manage or monitor the vms separately from managing the hypervisor. To do so, use the Authorization Manager console (AzMan.msc) to edit the \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml configuration file. Create a Windows security group first, then use AzMan.msc to create a role, specify tasks, and assign the role to the security group.


For step-by-step instructions, please see Microsoft’s documentation.


Configure Hyper-V for Role-based Access Control




Hyper-V | Security

CA Case Study on our use of ARCserve and Hyper-V

By wolfgang. 10 February 2009 21:36

After looking at several P2V-V2P solutions, we chose CA ARCserve. The choice has several benefits. The primary one is that it allows us to use a single tool for both data protection and for physical/virtual conversions. Essentially, this means a flat learning curve for my team. The other benefit is that CA ARCserve is significantly less expensive than dedicated P2V tools. CA did a case study on how we use their product and it is now online.



Business Continuity | Hyper-V

Microsoft Case Study on Virtualization

By wolfgang. 10 December 2008 06:04



Hyper-V Disk Issues

By wolfgang. 16 October 2008 18:17

I am seeing an odd issue with Hyper-V vms on pass-thru disks. Say an event occurs on the storage array that causes the disks on the Hyper-V server to go offline momentarily. They can be brought back online afterwards. Hyper-V then loses the handle on the disk. There are four broad categories of symptoms that then occur:

1) Very broadly speaking, if the disk contains server-specific information such as a paging file, then the server behaves erratically when it goes offline.

2) If the disk in question goes offline and it contains the vm definition files (.bin, .vsv), then the vm disappears from the Hyper-V console.

3) If the disk goes offline and it contains vm disks (.vhd), then the vm in question crashes.

4) If the disk is directly mapped to a vm as a host resource, then the vm is shut down. Sometimes the state is saved. The settings show that the physical disk cannot be found. The vm’s saved state has to be deleted and then the physical disks reselected in the vm settings dialog.

I am still troubleshooting. More details to follow.


Troubleshooting | Hyper-V | Virtualization
