SAML

SAML is an abbreviation of Security Assertion Markup Language; in Japanese it is read aloud as "Samuru".

SAML is an XML-based standard developed by OASIS for exchanging authentication (and authorization) information about a user between different Internet domains. In other words, it is a protocol that exchanges signed assertions about who the user is, not the user's password itself.

The IdP (Identity Provider) is the system that authenticates the user and issues the authentication information; the SP (Service Provider) is the service that relies on it. Without a common standard such as SAML, the IdP and SP would have to agree on their own message format and convert information each time they exchanged it. SAML saves that work.

Convenience improvement
With SSO (single sign-on), you can log in to different services with one user authentication. Because you do not need to authenticate each time, you can use the services comfortably.

Security improvements
Some users may be uneasy about many services being reachable with one authentication. However, considering that most users reuse the same ID and password across all services anyway, and that with SSO only one set of login information needs to be managed securely (and can be protected with MFA at the IdP), it can be said that there are security advantages as well.
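As an added example (not code from the original page), the following Python shows the checks a Service Provider must perform on an assertion received from the IdP: trusted Issuer, validity window, Audience (the assertion is meant for this SP), and the bearer SubjectConfirmationData (Recipient is our ACS URL, InResponseTo matches the request we sent). The assertion, entity IDs, URLs and times are constructed for the demo. XML Signature verification, which must happen before any of these checks, and parsing with defusedxml are assumed to be done by a SAML library and are omitted here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: entity IDs, URLs, IDs and timestamps are made up.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

CLOCK_SKEW = timedelta(seconds=60)  # tolerance for IdP/SP clock differences


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, sp_entity_id, acs_url, request_id, now):
    """SP-side checks. Returns (name_id, []) on success or (None, list_of_failures).
    Assumes the XML Signature over the assertion has already been verified."""
    root = ET.fromstring(xml_text)  # production: defusedxml, after signature verification
    failures = []

    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        failures.append("Issuer is not the IdP we trust")

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        failures.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < parse_ts(not_before):
            failures.append("assertion not yet valid")
        if not_on_or_after and now - CLOCK_SKEW >= parse_ts(not_on_or_after):
            failures.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if sp_entity_id not in audiences:
            failures.append("Audience does not include this SP (assertion meant for another service)")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        failures.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            failures.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") != request_id:
            failures.append("InResponseTo does not match the AuthnRequest we issued")
        sc_expiry = scd.get("NotOnOrAfter")
        if sc_expiry and now - CLOCK_SKEW >= parse_ts(sc_expiry):
            failures.append("subject confirmation expired")

    if failures:
        return None, failures
    return root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS), []


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata",
                             "https://sp.example.com/metadata", "https://sp.example.com/saml/acs",
                             "_req42", parse_ts("2024-01-01T12:01:00Z")))
```

A real SP additionally remembers the IDs of assertions it has accepted for the length of their validity window, so a captured assertion cannot be replayed, and rejects any assertion whose signature does not verify against the IdP's certificate from metadata.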

Hashing

Hashing is the generation of a fixed-length value that looks random from data of any size. A hash function always outputs the same hash value for the same input, and it is computationally infeasible to derive the original data from the hash value. Hash functions are used, among other things, for storing passwords for user authentication.

Well-known hash algorithms such as MD5 and SHA-1 are very fast to compute, so an attacker who obtains the output can now recover a short or common input by brute force (hashing candidate inputs until one matches), and both algorithms also have practical collision attacks. For password storage, use a deliberately slow, salted password hash such as bcrypt, scrypt, Argon2 or PBKDF2 instead.

<?php
$password = "password";
// Fast, unsalted digests: the same input always gives the same output,
// so a precomputed table or a short brute-force run recovers common passwords.
echo sha1($password) . "<br>";
echo md5($password) . "<br>";
echo hash('sha256', $password) . "<br>";
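The following Python is an added example, not code from the original page. It reproduces the brute-force attack on the unsalted MD5/SHA-1 digests above using a constructed wordlist, then shows the salted, slow alternative with PBKDF2-HMAC-SHA256 from the standard library and a constant-time comparison for verification. The wordlist, password and the stored-format string are my own choices.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; real attacks use lists with millions of entries.
WORDLIST = ["123456", "qwerty", "letmein", "password", "dragon"]


def crack_unsalted(digest_hex, algorithm, candidates=WORDLIST):
    """Brute force an unsalted digest: hash each candidate with the same fast
    algorithm until the output matches. Because identical input always gives
    identical output, a precomputed table works just as well when no salt is used."""
    for word in candidates:
        if hashlib.new(algorithm, word.encode()).hexdigest() == digest_hex:
            return word
    return None


def hash_password(password, salt=None, iterations=600_000):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The random per-user salt
    defeats precomputed tables; the iteration count makes each guess expensive.
    Returns a self-describing string so parameters can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # compare_digest keeps the comparison time independent of where the first mismatch is
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


if __name__ == "__main__":
    leaked_md5 = hashlib.md5(b"password").hexdigest()
    print("md5 cracked:", crack_unsalted(leaked_md5, "md5"))  # password
    stored = hash_password("password")
    print(stored)
    print("verify:", verify_password("password", stored), "wrong:", verify_password("Password", stored))
```

Two calls to hash_password with the same password produce different strings because the salt is random; verify_password still succeeds because the salt and iteration count travel with the hash.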

/etc/sysconfig/selinux

SELinux
SELinux (Security-Enhanced Linux) is a security extension of the Linux kernel, developed mainly by the NSA (National Security Agency) of the United States. It adds "secure OS" functionality, mandatory access control, to the Linux kernel. It is not the name of a distribution.

Its biggest feature is that each process is confined to the minimum privilege it needs, so that even a process running as root cannot do arbitrary damage if it is compromised.
The main functions are the following five. ref: security academy study meeting

1. MAC (Mandatory Access Control)
Access rules are set centrally in policy by the security administrator; unlike ordinary Unix permissions (DAC), file owners and root cannot loosen them.

2. TE (Type Enforcement)
Access control based on the type (label) assigned to each process and each resource (file, port, etc.).

3. Role Based Access Control (RBAC)
By giving administrative authority to roles assigned to users, operational mistakes that the conventional all-powerful root allows can be avoided.

4. Domain transition
A process may change to another domain (for example gain privileges when a daemon is started) only along transitions defined in advance in policy (closely related to TE in item 2).

5. Audit log
Operations both permitted and denied by policy can be logged; denials appear as AVC messages in the audit log.

[vagrant@localhost tests]$ cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

It is set to disabled, so SELinux is not active.

The current state can also be seen with getenforce.

[vagrant@localhost tests]$ getenforce
Disabled
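Added example (not from the original page): a small Python check that parses /etc/sysconfig/selinux the way it appears in the cat output above and compares the configured boot state with the runtime state reported by getenforce. The config text and getenforce output used in the demo are constructed samples; live_status() performs the real check on a host. Note that changing between disabled and the other states only takes effect after a reboot (and a filesystem relabel when enabling), while setenforce 0 changes only the runtime state.

```python
import subprocess

# Constructed sample mirroring the cat output on the page.
CONFIG_SAMPLE = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Return {KEY: value} from a sysconfig-style file, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lower()
    return settings


def assess_selinux(config_text, getenforce_output):
    """Return (configured, runtime, findings). 'configured' is the state after the
    next reboot, 'runtime' is the state now; they differ after setenforce 0/1 or
    after editing the file without rebooting."""
    cfg = parse_selinux_config(config_text)
    configured = cfg.get("SELINUX", "<unset>")
    runtime = getenforce_output.strip().lower()
    findings = []
    if configured != "enforcing":
        findings.append(f"boot config SELINUX={configured}: policy will not be enforced after reboot")
    if runtime != "enforcing":
        findings.append(f"runtime state is {runtime}: policy is not enforced now")
    if configured != runtime:
        findings.append(f"drift: config says {configured} but runtime is {runtime}")
    return configured, runtime, findings


def live_status():
    """Real check on the current host (needs the SELinux userland installed)."""
    with open("/etc/sysconfig/selinux") as f:
        config_text = f.read()
    out = subprocess.run(["getenforce"], capture_output=True, text=True, check=True).stdout
    return assess_selinux(config_text, out)


if __name__ == "__main__":
    print(assess_selinux(CONFIG_SAMPLE, "Disabled"))
```

The drift finding is the one worth alerting on in operations: SELINUX=enforcing in the file with getenforce reporting Permissive usually means someone ran setenforce 0 by hand to make a deployment work, and the change will silently vanish at the next reboot.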

unix permission “r w x”

Permissions are represented by nine-character strings such as rwxr-xr-x and by numeric values such as 755. The nine-character string is three groups of three for the owner, the group and others, each consisting of r (readable), w (writable), x (executable) and a hyphen (-) meaning the permission is not granted. Each group maps to one octal digit (r=4, w=2, x=1).

The commonly used permission patterns are as follows.
644
Ordinary HTML files etc. The owner can read and write; group members and others can only read.

666
Files written by CGI scripts, etc. The owner, group members and others can all read and write.

755
Ordinary directories, commands, CGI scripts, etc. Everyone can read and execute, but only the owner can write.

777
Directories in which CGI scripts create files. Anyone can do anything, which is dangerous from a security point of view: any local user can add, delete or replace files there.

AWS health check

The health check function checks whether the targets behind the load balancer are reachable and serving. At a fixed interval it checks whether the website can be reached through the load balancer.

On AWS, the load balancer judges health by requesting the health check URL set in the console. The target is healthy if that URL returns HTTP status 200. If it inadvertently returns 404, the target is marked unhealthy, and the site will not be displayed even when you access the load balancer's URL.

A target apparently goes OutOfService for a while when the EC2 instance is restarted while attached to the ELB. Also, since the health check requires a 200, a target becomes OutOfService if Basic authentication is applied to the health check URL as well: a 401 comes back instead. If you use an ELB and need Basic authentication, the health check URL (and only that URL) must be excluded from authentication.
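Added example (not from the original page): request handling in Python that keeps Basic authentication on the whole site while exempting exactly the health check path, so the ELB receives a 200 instead of a 401. The path, user name and password are constructed for the demo; in a real application the same logic sits in the framework's middleware.

```python
import base64
import hmac

HEALTH_CHECK_PATH = "/healthcheck"   # assumed to be the path configured on the ELB
USERS = {"admin": "s3cret"}          # constructed demo credential


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def basic_auth_ok(header):
    """True only for a well-formed Basic header with a known user and matching password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of where the first mismatch is
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def handle(path, headers):
    """Return (status, body). Only the exact health check path skips authentication."""
    if path == HEALTH_CHECK_PATH:        # exact match, so '/healthcheck/../admin' does not qualify
        return 200, "OK"                 # nothing sensitive in the body: it is reachable without auth
    if not basic_auth_ok(headers.get("Authorization")):
        return 401, "Unauthorized"       # this is what makes the ELB report OutOfService
    return 200, "<html>site</html>"


if __name__ == "__main__":
    print(handle("/healthcheck", {}))                                    # (200, 'OK')
    print(handle("/", {}))                                               # (401, 'Unauthorized')
    print(handle("/", {"Authorization": basic_header("admin", "s3cret")}))  # (200, '<html>site</html>')
```

Match the exempt path exactly rather than by prefix, otherwise the exemption becomes a way around the login. The ELB identifies itself with a User-Agent of the form ELB-HealthChecker/x.x, which is useful for log filtering but not as an access control, since any client can send it.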

Create a read-only user for AWS EC2

Create a read-only user on IAM.

Select IAM on the service list page

Select users from the left menu of the IAM dashboard

Click add user button

Set the user name and choose "Programmatic access" as the access type.

At this point the user has no permissions.

On the detail page of the user you just created, open the "Security credentials" tab.

Click Access keys to create a new access key and secret key.

Now it is finally time to set permissions. Select the "Add permissions" button on the "Permissions" tab.

From "Add user to group", press "Create group".

In "Create policy", choose EC2 as the service and set the access level to Read.

Name it read-only-ec2 and create the policy.

Finally, attach the just-created read-only-ec2 policy to the group, and the user to that group.

The user now has read-only access to EC2 and nothing else.
This covered how to make a read-only IAM user with IAM. IAM can do much more, such as creating groups, writing detailed policies, and creating roles. I think AWS offers the finest-grained privilege control among the clouds so far. Use it to build a well-controlled, secure system.
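Added example (not code from the original page): the kind of policy document the "Access level: Read" choice above produces, written out as JSON, together with a check that an Allow statement grants only read actions. Writing the actions as the wildcards ec2:Describe*, ec2:Get* and ec2:List* is my simplification; the console's visual editor expands them to explicit action names, and AWS also ships the managed policy AmazonEC2ReadOnlyAccess for the same purpose.

```python
import json

READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List")

# Assumed shape of the read-only-ec2 policy created in the console above.
EC2_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyEC2",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:Get*", "ec2:List*"],
            "Resource": "*",
        }
    ],
}


def policy_document(policy=EC2_READ_ONLY_POLICY):
    """Serialize for `aws iam create-policy --policy-document file://policy.json`."""
    return json.dumps(policy, indent=2)


def non_read_only_actions(policy):
    """Return every action in an Allow statement whose verb is not Describe/Get/List.
    'ec2:*' and a bare '*' are reported because their verb is not a read-only prefix;
    Deny statements are ignored since they can only remove permissions."""
    offending = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERB_PREFIXES):
                offending.append(action)
    return offending


if __name__ == "__main__":
    print(policy_document())
    print("offending:", non_read_only_actions(EC2_READ_ONLY_POLICY))  # []
    too_broad = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
    print("offending:", non_read_only_actions(too_broad))             # ['ec2:*']
```

"Read" is not the same as "harmless": ec2:GetPasswordData, for example, returns the encrypted Windows administrator password of an instance, which the holder of the instance's key pair can decrypt. Review the expanded action list before attaching even a read-only policy.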

What is a security patch?

A security patch is a program that fixes a vulnerability or security hole discovered in a program after it was released.
Products such as software and operating systems often have problems discovered after release.

SocketException: Connection reset

Caused by a difference between the SSL/TLS protocol versions (or cipher suites) used by Java and by the server side: when the Java runtime and the server have no protocol version and cipher suite in common, the handshake fails and the server closes the connection, which the Java side reports as this exception.

What is TLS?
SSL (Secure Sockets Layer) is a security protocol for communicating safely.
TLS is the successor standard to SSL. What people call "SSL" today often actually refers to TLS.
TLS stands for Transport Layer Security.

The channel that TLS provides
– encrypts the communication data so that an eavesdropper cannot read the contents
– detects tampering with the communication data while it is in transit
– lets you confirm that the communicating party is who it claims to be (via certificates)

The latest version is TLS 1.3.

What is the Linux ssh-add command?

What is ssh-add?

ssh-add registers a private key (such as id_rsa) with the authentication agent (ssh-agent), so that the passphrase has to be entered only once per session.
When run without arguments, ~/.ssh/id_rsa is added (newer versions also try the other default files such as ~/.ssh/id_ed25519 and ~/.ssh/id_ecdsa).
After loading the private key (id_rsa), ssh-add tries to read the corresponding certificate from the file whose name is the private key's file name with the suffix -cert.pub appended.

Checking which private keys are registered

ssh-add -l

Registering a specific private key file (hoge/fuga is a placeholder for the key's path)

ssh-add hoge/fuga