Forem: feng wei

Ubuntu 22.04: Browser Not Working After Hardening

feng wei — Thu, 05 Sep 2024 02:23:36 +0000

I notice that web browsers, like Firefox and Chrome, will cease functioning after applying Ubuntu security guide - level1_workstation in some Ubuntu 22.04.

Error is like as following:

snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks. Please make sure that the snapd.apparmor service is enabled and started.

I am pretty sure that "snapd.apparmor service is enabled and started" after a quick check. With some Google research, i believe the issue is caused by a Linux Security Module called AppArmor, which restricts applications' capabilities and permissions with profiles that are set per-program. You can find more info about it here.

In short, AppArmor profiles have two modes of operation:

Complaining/Learning: profile violations are permitted and logged. This is useful for testing and developing new profiles.

Enforced/Confined: enforces profile policy in addition to logging the violation.

To solve the issue, we can set all profiles modes to "Enforced".

sudo aa-enforce /etc/apparmor.d/*

To verify profiles status, fire command "sudo aa-status"

visudo and /etc/sudoers

feng wei — Thu, 15 Aug 2024 02:49:09 +0000

It may not be a good idea to grant full root-equivalent privilege to Unix-like OS users. Access should be granted based on actual needs.

You should not edit sudoers directly, by opening it in a text editor. Instead, edit it with visudo, which will verify its validity before saving the changes to disk.

/etc/sudoers

Host alias specification

User alias specification

Cmnd alias specification

User privilege specification

root ALL=(ALL:ALL) ALL

Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

Here, "root ALL=(ALL:ALL) ALL" states that the user root, logged in to any hostname, may run, as a user or group, any command. The general form of this directive is:

user hostname=(run-as-user:run-as-group) command

The special word ALL may be used for any of these values and means that any are allowed.

hope myhost=(mysqluser:mysqlusers) mysqldump

User hope, when logged in to host myhost, may run the command mysqldump as user mysqluser or a member of group mysqlusers. For example, this directive would allow user hope to run this command:

sudo -u mysqluser -g mysqlusers mysqldump

Case Sharing: temporary failure in name resolution

feng wei — Thu, 20 Jun 2024 09:44:48 +0000

A Linux user reported that his Ubuntu 20.04 machine could not be accessed via SSH after a reboot.

Initially, I suspected a hardware issue or boot error, so I checked the machine physically from the console. However, the system was fully operational and ready for console login. I then suspected an Internet connection issue. Strangely, I could SSH into the machine from another device on the same network segment as the Ubuntu machine.

The Ubuntu machine has two network connections: one for Internet access (DHCP) and another for direct connection to a storage server (static IP).

I ran the command "ping google.com" and received the error "temporary failure in name resolution." This indicated a DNS issue. Normally, DNS configuration should be managed by DHCP. I used the "sudo nmtui" command to check the properties of the two connections and discovered that the "Gateway" was incorrectly configured for the direct connection. The issue was resolved after I removed the incorrectly configured gateway and restarted the connection.

Summary:
The root cause was an incorrectly configured gateway for the direct connection, despite having an Internet connection via DHCP. The direct connection became the default route, causing the name resolution failure.

Commands used in troubleshooting:
1.ping #test Internet connection.
2.nmtui #network manager GUI
3.cat /etc/resolv.conf #check DNS server
4.systemctl status systemd-resolvd.service #check DNS resolver service status
5.systemd-resolve --status #DNS summary

First Glance at Ansible

feng wei — Fri, 31 May 2024 02:03:37 +0000

What is ansible

Ansible is an open-source IT automation tool that automates provisioning, configuration management, application deployment, orchestration, and many other IT processes. Ansible is written in Python and uses OpenSSH for transport.

Hands-on Ansible

Install ansible on a Linux machine, which is called control node. Use "ssh-keygen" and "ssh-copy-id"commands to generate ssh key and copy it to managed nodes for authentication
Playbooks are the simplest way in Ansible to automate repeating tasks in the form of reusable and consistent configuration files. Playbooks are scripts defined in YAML files and contain any ordered set of steps to be executed on managed nodes.

[My first playbook]

- hosts: webserver
  remote_user: whocare

  tasks:
  - name: make ~/whocare directory
    ansible.builtin.file:
      path: ~/whocare
      state: directory

  - name: Copy file 
    copy:
     src: /home/whocare.deb
     dest: /home/whocare.deb
     owner: whocare
     group: whocare
     mode: '0700'

  - name: install whocare
    become: true
    become_method: sudo
    ansible.builtin.apt:
      deb: /home/whocare.deb

  - name: copy dat file to /opt/Tanium/TaniumClient
    become: true
    become_method: sudo # need "-K" parameter, which is short form "--ask-become-pass". $ ansible-playbook <1.yaml> -K. 
    copy:
      src: /home/whocare.dat
      dest: /opt/whocare.dat

  - name: restart service
      become: true
      become_method: sudo
      service:
        name: whocare
        state: restarted

3.Ansible configuration file. Default location is /etc/ansible/ansible.cfg. However, you can customize your owner configuration file and put it in your ansible playbook folder to "overwrite" default config. My ansible config file, for example:

[defaults]
inventory = ~/ansible_code/inventory/inventory.ini
private_key_file = ~/.ssh/ansible #private key!!! I put public key wrong and took me sometime for troubleshooting SSH key login issue.
log_path = ~/ansible_code/ansible.log #Log file to save all output for recording and troubleshooting

Synology-Shared Folder Access Error

feng wei — Tue, 28 May 2024 06:02:24 +0000

Background:

A Synology NAS is connected two networks, N1 and N2, both are able to reach Domain X.
The NAS was joined Domain X via N1. Share folders access is configured for domain users.
The NAS was disconnected from N1 recently.

Issue:
Users reported shared folder is inaccessible due to "Network Error".

Actions(Done within N2):

Verify NAS OS status and test shared folder access. OS is normal but shared folder can't be accessed.
Restart SMB service then following by restarting NAS. Issue persists.
Check default gateway and domain status. Noticed that domain was unavailable. Issue is rectified after rejoining Domain X with N2.

Conclusion:
Domain availability will cause shared folder access issue due to authentication, possibly.

I also noticed the same error, which appears to be caused by a time synchronization issue. In this case, the NAS NTP server was invalid, leading to a time discrepancy of more than 5 minutes between the domain and the NAS itself.