Category: Security

ipa RSSを取得

<?php 
$target_day = date('Y/m/d', strtotime('-1 day'));
$xml = "https://jvndb.jvn.jp/ja/rss/jvndb_new.rdf";

$xmlData = simplexml_load_file($xml);
foreach ($xmlData->item as $entry){
  $dc = $entry->children('http://purl.org/dc/elements/1.1/');
  $day = date('Y/m/d', strtotime($dc->date));
  if($day == $target_day){
      $string.= date('Y/m/d h:i', strtotime($dc->date))."<br>";
      $string.= $entry->title."<br>";
      $string.= $entry->link."<br>";
  }
}
?>
<html>
<body>
	<?php echo $string; ?>
</body>
</html>

OK、次はslack webhook

ipa 脆弱性情報

脆弱性情報をcronで毎日取得したい。
ソースはipa(情報処理推進機構)
https://www.ipa.go.jp/secuirty/rss/alert.rdf

中身がどうなっているかというと、itemの中は、title, link, dc:creator, dc:dateの4つだ。creatorは全部ipaだから、title,link,dateだけでいいか。

 <item rdf:about="https://www.ipa.go.jp/security/ciadr/vul/20190717-jre.html">
  <title>Oracle Java の脆弱性対策について(CVE-2019-7317等)</title>
  <link>https://www.ipa.go.jp/security/ciadr/vul/20190717-jre.html</link>
  <dc:creator>情報処理推進機構(IPA)</dc:creator>
  <dc:date>2019-07-17T12:00:00+09:00</dc:date>
 </item>

Hoot24

Hoot24とは?
->「HOOT24」とはサイトロック社とクラメソで提供する、24時間365日AWS環境(EC2, ELB, RDS)の”有人”監視サービス

1)「AWS環境の監視体制」をご提供:お客様側で監視サーバーの準備が不要。必要なものは最小限のIAM権限とIPアクセス許可のみ
2)「通知手段の選択」をご提供:有人監視であることにより、「電話連絡」という手段が選択できる
3)「自動障害対応」をご提供:監視項目ごとに対応を決めることができる。インスタンス再起動などの個別アクションも指定可能
4)「監視設定の支援」をご提供:弊社オペレーションチームのサポートにより、容易に監視設定ができる

ref: https://dev.classmethod.jp/etc/cm-hoot24-intro/

有人の電話連絡といっても、まぁ、システムの稼働状況によるでしょう。
休日や深夜帯にユーザーが使用しなければ、そこまで優先度は高くないですが、深夜や営業時間外でも稼働が必須の場合は、重宝されそうですね。
クラメソの監視とのことですが、他のサービスの対応を見ていると、なんとなく、これも良さそうには見えますね。

WhiteListing

Whitelisting is one of the methods used to filter email and websites.
While the blacklisting method creates a list of dangerous users and websites, the whitelisting method creates a list of targets for which safety has been confirmed and excludes others. While it is possible to cut off dangerous objects completely, the contents of the list is arbitrary and limited to a part of safe objects, and it has the disadvantage of losing the user’s convenience.

AWS firewall manager

AWS Firewall Manager is a security management service that makes it easy to configure and manage AWS WAF rules centrally across multiple customers’ accounts and applications. With the Firewall Manager, you can easily roll out the AWS WAF rules for the Application Load Balancer and Amazon CloudFront distributions across many AWS Organizations accounts. In addition, every time a new application is created, Firewall Manager makes it easy for new applications and resources to meet compliance with common security rules from day one. Now that you have a consistent set of firewall rules across the Application Load Balancer and Amazon CloudFront infrastructure, hierarchically build firewall rules, create security policies, and get single service to apply them.


1. Name web ACL
2. Create condition
– IP match condition
– String match condition, bad bot user agent
– SQL injection match condition, sqli checks
3. Create rules
4. Review and create

Certificate and Key Store

A public key certificate, also called an electronic or identity certificate, contains a public key consisting of a public / private key pair, as well as other metadata (such as name and location) that identify the owner of the key. The certificate owner also owns the corresponding private key.

When you sign the APK, the signing tool attaches a public key certificate to the APK. The same is true if you signed the app bundle. A public key certificate acts as “fingerprint” that uniquely associates an APK or app bundle with the owner and the corresponding private key. This will allow Android to verify that subsequent app updates are genuine and have been released by the original author. The key used to create this certificate is called the app signing key.

A keystore is a binary file that contains one or more private keys. In order to allow users to install new versions as app updates, all apps must use the same certificate throughout the usage period.

SAML

SAML is an abbreviation of Security Assertion Markup Language and is called “Samuru”.

SAML is a standard of authentication information developed by OASIS for authenticating users between different Internet domains. In other words, it refers to a rule protocol that exchanges user credentials.

Idp (= Identify Provider) is a system that provides authentication information. Without SAML, it is necessary to convert the format and format of information when the IdP and SP exchange information. You can save the trouble of that work.

Convenient improvement
With SSO, you can log in to different services with or user authentication. Because you do not need to authenticate each time, you can use the service comfortably.

Security improvements
Some users may be uneasy about the availability of many services with one authentication system. However, considering that most users use the same ID and password for all services and that only one login information needs to be managed securely, it can be said that there are security advantages as well.

Hashing

Hashing is the generation of random numbers from certain data. The feature of this function is to output the same hashed value from any value, and it is impossible to derive the original data from the hashed value. The hash function is used for user authentication etc.

Know as a hash function, hash algorithms such as MD5 and SHA1 can now examine the output with brute force to get the original input.

$password = "password";
echo sha1($password) . "<br>";
echo md5($password) . "<br>";
echo hash('sha256', $password) . "<br>";

/etc/sysconfig/selinux

SELinux
SELinux(Security-Enhanced Linux) is a security extension module of the Linux kernel developed mainly by NSA(national security agency) in the united states. We will add the “secure OS” function to the Linux kernel. It is not the name of the distribution.

The biggest feature is that each process is designed to move with minimal authority considering the risk of root privilege.
The main functions are the following five. ref: security academy study meeting

1. MAC (Mandatory Access Control)
Only security administrator can set security

2. TE (Type Enforcement)
Access control for each process

3. Row Based Access Control(RBAC)
By assigning the administrative authority to the user, it is possible to avoid a mistake in operation with the conventional root

4. Domain transition
Allow only preset privilege escalation (deeply related to TE of 2)

5. Audit log
It is possible to logs of operations inside and outside the authority.

[vagrant@localhost tests]$ cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

disabled なので無効化されています。

getenforceでも見れるようです。

[vagrant@localhost tests]$ getenforce
Disabled

unix permission “r w x”

Permissions are represented by nine-character strings such as rwxr-xr-x and numeric values such as 755. The 9 character string consists of r(readable), w(writable), x(executable), and hyphen(-), which have the meanings.

The commonly used permission patterns are as follows.
644
normal HTML file etc. can read and write, but group members and others can only read.

666
files to be written by CGI script, etc. Both myself and group members and others can read and write.

755
Regular directories, commands, CGI script, etc. Everyone can read and execute, but write only oneself.

777
Directory for CGI scripts to create files. Anyone can do anything. Slightly dangerous on security.