Auditing and restricting applications on Windows

This post shows how to audit and restrict applications on Windows in order to build somewhat more secure environments.

Article in English
Updated: June 27, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
The Audit only enforcement setting helps you determine which applications are used in an organization. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced. When a user runs an application that would have been affected by an AppLocker rule, information about that application is added to the AppLocker event log.
Note: This scenario assumes that you completed Automatically Generating Executable Rules from a Reference Computer. However, you can complete the procedures in this scenario to test any rules that you already defined on the reference computer. If you are working with a predefined AppLocker rule set, ensure that the default rules were created.
If you did not create the default rules and are prevented from performing administrative tasks, restart the computer in Safe Mode, add the default rules, delete any deny rules that are preventing access, and then restart the computer in normal mode.
This scenario includes the following steps:
Step 1: Configure the audit enforcement setting

Step 2: Start the Application Identity service

Step 3: Refresh Group Policy settings on the computer

Step 4: Review the AppLocker log in Event Viewer

Step 1: Configure the audit enforcement setting
There are three AppLocker enforcement modes. When AppLocker policies are merged, both the rules and the enforcement modes are merged. The closest GPO setting is used for the enforcement mode while all rules from linked GPOs are applied, except for the Not configured setting, which is overwritten by any other linked setting.
The following table details the enforcement modes.

Enforcement mode | Description
Not configured | Default. If linked GPOs contain a different setting, that setting is used. Otherwise, if any rules are present in the corresponding rule collection, they are enforced.
Enforce rules | Rules are enforced.
Audit only | Rules are audited but not enforced.
Before turning on rule enforcement, test the rules first by using the Audit only enforcement setting.
To configure the enforcement setting for the Executable Rules collection to Audit only
To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.
In the console tree, double-click Application Control Policies, and then double-click AppLocker.
In the details pane, scroll down to the Configure Rule Enforcement heading, and then click Configure rule enforcement.
In the AppLocker Properties dialog box, under Executable Rules, click Audit only, and then click OK.
After creating the default rules and enabling the auditing mode, deploy the test policy to test the GPO and determine which applications are being used.
Step 2: Start the Application Identity service
The Application Identity service performs all of the rule conversion for the AppLocker policy. For AppLocker policy to be evaluated on a computer, the Application Identity service must be started.
To start the Application Identity service
Click Start, type services.msc, and then press ENTER.
In the Services snap-in console, right-click Application Identity, and then click Properties.
On the Start type menu, click Automatic, and then click OK.
In the Services snap-in console, right-click Application Identity, and then click Start to start the service for the first time.
Note: Consider using Group Policy to start the service automatically on all computers where you plan to deploy AppLocker. For information about configuring Group Policies, see How to Configure Group Policies to Set Security for System Services.
Step 3: Refresh Group Policy settings on the computer
After you create new AppLocker rules, you must refresh the Group Policy settings on the computer to ensure that the AppLocker rules are applied.
To refresh Group Policy settings
At the command prompt, type gpupdate /force, and then press ENTER.
Wait for the messages confirming that the user and computer policies are updated, and then close the window.
Step 4: Review the AppLocker log in Event Viewer
The AppLocker log contains information about all of the applications that are affected by AppLocker rules. You can use the log to determine which applications are affected by a rule. Each event in the AppLocker operational log contains detailed information about:
Which file is affected and the path of that file.

Whether the file is allowed or blocked.

The rule type (path, file hash, or publisher).

The rule name.

The security identifier (SID) for the targeted user or group.

To review the AppLocker log in Event Viewer
Click Start, type eventvwr.msc, and then press ENTER.
In the Event Viewer console tree, double-click Application and Services Logs, double-click Microsoft, double-click Windows, double-click AppLocker, and then click EXE and DLL.
Review the entries in the results pane to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business applications are installed to non-standard locations, such as the root of the active drive (C:\).
The following table describes the event levels that you may find in the log.
Note: New logs and new events have been added in Windows Server 2012 and Windows 8. For more information, see Using Event Viewer with AppLocker.

Event ID | Event level | Event text | Description
8000 | Error | Application Identity Policy conversion failed. Status <%1> | The policy was not applied correctly to the computer. The Status message is provided for troubleshooting purposes.
8001 | Informational | The AppLocker policy was applied successfully to this computer. | The AppLocker policy was applied successfully to this computer.
8002 | Informational | was allowed to run. | Specifies that the .exe or .dll file is allowed by an AppLocker rule.
8003 | Warning | was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Specifies that the file would have been blocked if the Enforce rules enforcement mode were enabled. You see this event level only when the enforcement mode is set to Audit only.
8004 | Error | was not allowed to run. | The file cannot run. You see this event level only when the enforcement mode is set directly or indirectly through Group Policy inheritance to Enforce rules.
8005 | Information | was allowed to run. | Specifies that the .msi file or script is allowed by an AppLocker rule.
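The point of Audit only mode is to read the 8003 events and find the applications your generated rules do not cover. The following Python script is an added example (not part of the TechNet article) that triages a batch of AppLocker events using the event IDs from the table above. The event records are constructed sample data with simplified field names (an assumption; the real events carry these values inside the event's UserData), and the path variables and rule names are sample values.

```python
import ntpath
from collections import Counter

# Meaning of each event ID, taken from the table above.
EVENT_MEANING = {
    8000: "policy conversion failed",
    8001: "policy applied",
    8002: "allowed",
    8003: "audit: would be blocked",
    8004: "blocked",
    8005: "allowed (msi/script)",
}

# Constructed sample of events collected while the Executable Rules
# collection was set to Audit only. Field names are a simplification
# (assumption), not the real event schema.
SAMPLE_EVENTS = [
    {"id": 8001, "path": "", "rule": "", "user": ""},
    {"id": 8002, "path": r"%WINDIR%\System32\notepad.exe",
     "rule": "(Default Rule) All files located in the Windows folder", "user": "S-1-1-0"},
    {"id": 8003, "path": r"C:\LOBApp\lobapp.exe", "rule": "", "user": "S-1-5-21-1-2-3-1001"},
    {"id": 8003, "path": r"C:\LOBApp\helper.dll", "rule": "", "user": "S-1-5-21-1-2-3-1001"},
    {"id": 8003, "path": r"%OSDRIVE%\Users\alice\Downloads\tool.exe", "rule": "",
     "user": "S-1-5-21-1-2-3-1001"},
    {"id": 8002, "path": r"%PROGRAMFILES%\Vendor\app.exe",
     "rule": "(Default Rule) All files located in the Program Files folder", "user": "S-1-1-0"},
]


def policy_applied(events):
    """True when the policy was converted and applied (8001) and no
    conversion failure (8000) was logged; with an 8000 present the audit
    results cannot be trusted."""
    ids = {e["id"] for e in events}
    return 8001 in ids and 8000 not in ids


def summarize(events):
    """Count events per meaning, e.g. how many files would be blocked."""
    return Counter(EVENT_MEANING.get(e["id"], "unknown") for e in events)


def would_be_blocked(events):
    """Paths that ran under Audit only but would be blocked under
    Enforce rules (event ID 8003), deduplicated and sorted."""
    return sorted({e["path"] for e in events if e["id"] == 8003})


def gaps_by_directory(events):
    """Count 8003 events per parent directory. Directories with many hits
    are the locations (often non-standard, such as a folder in the root
    of C:\\) that still need a rule. ntpath handles the backslash paths
    even when this runs on a non-Windows host."""
    counts = Counter()
    for e in events:
        if e["id"] == 8003:
            counts[ntpath.dirname(e["path"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print("policy applied:", policy_applied(SAMPLE_EVENTS))
    print("summary:", dict(summarize(SAMPLE_EVENTS)))
    for directory, n in gaps_by_directory(SAMPLE_EVENTS).items():
        print(f"{n} file(s) without a rule under {directory}")
```

Running the script over the sample shows two uncovered files under C:\LOBApp and one under a user's Downloads folder; the first is the line-of-business case the article mentions and needs a rule, the second is exactly what enforcement is meant to stop.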
See Also
Concepts
AppLocker Step-by-Step Scenarios

Reference link: http://technet.microsoft.com/en-us/library/dd723693(v=ws.10).aspx

How to enable and disable processes on Suse Enterprise Linux

To manage services on Suse, use the chkconfig command. See the example below:

server-tendencia:/etc/init.d # chkconfig --list
Makefile 0:off 1:off 2:off 3:off 4:off 5:off 6:off
SuSEfirewall2_init 0:off 1:off 2:off 3:off 4:off 5:off 6:off
SuSEfirewall2_setup 0:off 1:off 2:off 3:off 4:off 5:off 6:off
aaeventd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off 1:off 2:on 3:on 4:off 5:on 6:off
alsasound 0:off 1:off 2:on 3:on 4:off 5:on 6:off
atd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
auditd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
autoyast 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cron 0:off 1:off 2:on 3:on 4:off 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:off 5:on 6:off
cupsrenice 0:off 1:off 2:off 3:off 4:off 5:on 6:off
dbus 0:off 1:off 2:off 3:on 4:off 5:on 6:off
earlygdm 0:off 1:off 2:off 3:off 4:off 5:on 6:off
earlykbd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
earlysyslog 0:off 1:off 2:off 3:off 4:off 5:on 6:off
esound 0:off 1:off 2:off 3:off 4:off 5:off 6:off
evms 0:off 1:off 2:off 3:off 4:off 5:off 6:off
fam 0:off 1:off 2:off 3:off 4:off 5:off 6:off
fbset 0:off 1:on 2:on 3:on 4:off 5:on 6:off
gpm 0:off 1:off 2:off 3:off 4:off 5:off 6:off
gssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
haldaemon 0:off 1:off 2:off 3:on 4:off 5:on 6:off
idmapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipmi 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipxmount 0:off 1:off 2:off 3:off 4:off 5:off 6:off
irq_balancer 0:off 1:on 2:on 3:on 4:off 5:on 6:off
joystick 0:off 1:off 2:off 3:off 4:off 5:off 6:off
kbd 0:off 1:on 2:on 3:on 4:off 5:on 6:off S:on
lm_sensors 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdadmd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
microcode 0:off 1:on 2:on 3:on 4:off 5:on 6:off S:on
multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:off 5:on 6:off
nfs 0:off 1:off 2:off 3:on 4:off 5:on 6:off
nfsboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
nfsserver 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nmb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
novell-zmd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nscd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
ntp 0:off 1:off 2:off 3:off 4:off 5:off 6:off
openct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oracle 0:off 1:off 2:off 3:on 4:off 5:on 6:off
pcscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
portmap 0:off 1:off 2:off 3:on 4:off 5:on 6:off
postfix 0:off 1:off 2:off 3:on 4:off 5:on 6:off
powerd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
powersaved 0:off 1:off 2:on 3:on 4:off 5:on 6:off
pure-ftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
random 0:off 1:off 2:on 3:on 4:off 5:on 6:off
raw 0:off 1:off 2:on 3:on 4:off 5:on 6:off
resmgr 0:off 1:off 2:on 3:on 4:off 5:on 6:off
rpasswdd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpmconfigcheck 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyncd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
running-kernel 0:off 1:off 2:on 3:on 4:off 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
skeleton.compat 0:off 1:off 2:off 3:off 4:off 5:off 6:off
slpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off
smbfs 0:off 1:off 2:off 3:on 4:off 5:on 6:off
smpppd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
splash 0:off 1:on 2:on 3:on 4:off 5:on 6:off S:on
splash_early 0:off 1:off 2:on 3:on 4:off 5:on 6:off
sshd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
suseRegister 0:off 1:off 2:off 3:on 4:off 5:on 6:off
svcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:on 3:on 4:off 5:on 6:off
sysstat 0:off 1:off 2:off 3:off 4:off 5:off 6:off
teamviewerd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xdm 0:off 1:off 2:off 3:off 4:off 5:on 6:off
xfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
chargen: off
chargen-udp: off
cups-lpd: off
cvs: off
daytime: off
daytime-udp: off
echo: off
echo-udp: off
fam: off
netstat: off
pure-ftpd: off
rsync: off
servers: off
services: off
swat: off
systat: off
time: off
time-udp: off
vnc: off

Enabling a service
To enable a given daemon, use:

chkconfig smb on

Disabling a service
To disable a service:

chkconfig smb off
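The listing above is long, and on a server the question is usually "what starts at the runlevels this machine actually boots into, and is each of those services on my allow-list?" The following Python script is an added example, not part of the original post, that parses `chkconfig --list` output (including the `xinetd based services:` section) and produces the `chkconfig <name> off` commands for anything enabled at runlevel 3 or 5 that is not on an allow-list you supply. The input is a constructed excerpt in the same format as the listing above, not live output.

```python
# Constructed excerpt of "chkconfig --list" output, in the format shown above.
SAMPLE_LISTING = """\
cron                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
kbd                       0:off  1:on   2:on   3:on   4:off  5:on   6:off  S:on
smb                       0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
teamviewerd               0:off  1:off  2:on   3:on   4:on   5:on   6:off
xinetd                    0:off  1:off  2:off  3:off  4:off  5:off  6:off
xinetd based services:
        rsync:  off
        vnc:    off
"""


def parse_chkconfig(text):
    """Parse chkconfig --list output.

    Returns (sysv, xinetd): sysv maps service -> {runlevel: enabled},
    where runlevel is "0".."6" or "S"; xinetd maps service -> enabled.
    """
    sysv, xinetd = {}, {}
    in_xinetd = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("xinetd based services:"):
            in_xinetd = True
            continue
        if in_xinetd:
            # Lines look like "        rsync:  off"
            name, state = line.strip().split(":", 1)
            xinetd[name.strip()] = state.strip() == "on"
            continue
        parts = line.split()
        name, levels = parts[0], parts[1:]
        sysv[name] = {}
        for entry in levels:
            level, state = entry.split(":", 1)
            sysv[name][level] = state == "on"
    return sysv, xinetd


def enabled_at(sysv, runlevel):
    """Sorted names of SysV services started at the given runlevel."""
    return sorted(n for n, lv in sysv.items() if lv.get(runlevel, False))


def disable_commands(sysv, keep):
    """Commands to turn off every service enabled at runlevel 3 or 5 that is
    not in the allow-list `keep`. Review the list before running it."""
    targets = sorted(set(enabled_at(sysv, "3")) | set(enabled_at(sysv, "5")))
    return [f"chkconfig {name} off" for name in targets if name not in keep]


if __name__ == "__main__":
    sysv, xinetd = parse_chkconfig(SAMPLE_LISTING)
    print("runlevel 3:", enabled_at(sysv, "3"))
    print("xinetd on:", [n for n, on in xinetd.items() if on])
    for cmd in disable_commands(sysv, keep={"cron", "kbd", "sshd"}):
        print(cmd)
```

The allow-list is the part that carries the judgement: the script only turns the inventory into a reviewable change list, it does not decide which services a given server needs.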

To learn more about chkconfig, see:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-services-chkconfig.html

Working with dates in Python

Article in English

Here is an example of how to get the current date and time using the datetime module in Python:

import datetime

# Current local date and time as a naive datetime object
now = datetime.datetime.now()

# Python 3 syntax: print is a function (the original used Python 2 print statements)
print()
print("Current date and time using str method of datetime object:")
print(str(now))

print()
print("Current date and time using instance attributes:")
print("Current year: %d" % now.year)
print("Current month: %d" % now.month)
print("Current day: %d" % now.day)
print("Current hour: %d" % now.hour)
print("Current minute: %d" % now.minute)
print("Current second: %d" % now.second)
print("Current microsecond: %d" % now.microsecond)

print()
print("Current date and time using strftime:")
print(now.strftime("%Y-%m-%d %H:%M"))

Results:
Current date and time using str method of datetime object:
2008-06-26 11:33:15.309236

Current date and time using instance attributes:
Current year: 2008
Current month: 6
Current day: 26
Current hour: 11
Current minute: 33
Current second: 15
Current microsecond: 309236

Current date and time using strftime:
2008-06-26 11:33

Directly from the time module documentation, here are more options to use with strftime:
Directive | Meaning | Notes
%a | Locale's abbreviated weekday name. |
%A | Locale's full weekday name. |
%b | Locale's abbreviated month name. |
%B | Locale's full month name. |
%c | Locale's appropriate date and time representation. |
%d | Day of the month as a decimal number [01,31]. |
%H | Hour (24-hour clock) as a decimal number [00,23]. |
%I | Hour (12-hour clock) as a decimal number [01,12]. |
%j | Day of the year as a decimal number [001,366]. |
%m | Month as a decimal number [01,12]. |
%M | Minute as a decimal number [00,59]. |
%p | Locale's equivalent of either AM or PM. | (1)
%S | Second as a decimal number [00,61]. | (2)
%U | Week number of the year (Sunday as the first day of the week) as a decimal number [00,53]. All days in a new year preceding the first Sunday are considered to be in week 0. | (3)
%w | Weekday as a decimal number [0(Sunday),6]. |
%W | Week number of the year (Monday as the first day of the week) as a decimal number [00,53]. All days in a new year preceding the first Monday are considered to be in week 0. | (3)
%x | Locale's appropriate date representation. |
%X | Locale's appropriate time representation. |
%y | Year without century as a decimal number [00,99]. |
%Y | Year with century as a decimal number. |
%Z | Time zone name (no characters if no time zone exists). |
%% | A literal "%" character. |
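Because `datetime.now()` changes on every run, the directives in the table are easier to study against a fixed instant. The following Python snippet is an added example (not from the article) that formats the same timestamp the article's output shows, 2008-06-26 11:33:15.309236, with the numeric directives from the table, and then parses the result back with `strptime` to show which fields a given format preserves. `%f` (microseconds) is a `datetime`-specific directive not listed in the `time` module table above.

```python
import datetime

# The instant shown in the article's output, fixed so results are reproducible.
SAMPLE = datetime.datetime(2008, 6, 26, 11, 33, 15, 309236)

# Numeric directives from the table; locale-dependent ones (%a, %b, %p, %c,
# %x, %X, %Z) are left out so the output does not depend on the machine.
DIRECTIVES = ["%Y", "%y", "%m", "%d", "%j", "%H", "%I", "%M", "%S",
              "%w", "%U", "%W", "%%"]


def directive_table(dt):
    """Map each directive to what strftime produces for dt."""
    return {d: dt.strftime(d) for d in DIRECTIVES}


def round_trip(dt, fmt):
    """Format dt with fmt and parse it back. Fields the format does not
    carry (e.g. seconds in "%Y-%m-%d %H:%M") come back as zero."""
    return datetime.datetime.strptime(dt.strftime(fmt), fmt)


if __name__ == "__main__":
    for directive, value in directive_table(SAMPLE).items():
        print(f"{directive}  ->  {value}")
    # The article's format drops seconds and microseconds ...
    print(round_trip(SAMPLE, "%Y-%m-%d %H:%M"))
    # ... while adding %S and the datetime-specific %f keeps the full value.
    print(round_trip(SAMPLE, "%Y-%m-%d %H:%M:%S.%f") == SAMPLE)
```

For that date, %j gives 178 (2008 is a leap year), %w gives 4 (Thursday), and both %U and %W give week 25, which is worth knowing when log timestamps are compared across tools that count weeks differently.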

Opening applications remotely over SSH

OpenSSH provides a secure communications protocol through which applications from a graphical (X server) environment can be opened remotely over a secure channel.

For this to work, the settings in your /etc/ssh/sshd_config must be configured correctly. Here is an example of the required configuration:

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

If your sshd_config is already configured correctly, skip this part.

Open a terminal on the computer you are using and enter the following command:

ssh -X user@machine xterm

If it does not work, log in to the destination machine and run the following command:

xhost + machine

(usually the IP address of the machine you want to access)

Done; after this you will be able to open any application remotely.
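"Configured correctly" is easy to get wrong in sshd_config because the file has its own rules: keywords are case-insensitive, a `keyword = value` spelling is accepted, the first occurrence of a keyword wins (a later duplicate is silently ignored), and anything after a `Match` line applies only to matching connections, so a global `X11Forwarding yes` is not overridden by a `no` you add at the bottom. The following Python function is an added example, not part of the original post, that computes the effective global values from a constructed sshd_config excerpt (the article's five settings plus a duplicate and a Match block) so you can confirm what sshd will actually use before or after enabling forwarding.

```python
import re

# Constructed sshd_config excerpt: the article's settings, a later duplicate
# that sshd ignores (first value wins), and a Match block.
SAMPLE_SSHD_CONFIG = """\
# X11 settings from the article
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

# Later duplicate: ignored by sshd, because the FIRST value wins
x11forwarding no

Match User backup
    X11Forwarding no
"""

# "Keyword value" or "Keyword = value"; keywords are case-insensitive.
_LINE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")


def effective_settings(text):
    """Return {keyword_lowercase: value} as sshd resolves the global section:
    comments and blank lines skipped, first occurrence of a keyword kept,
    and parsing stopped at the first Match line, since everything after it
    is conditional rather than a global default."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)   # first value wins
    return settings


def x11_forwarding_enabled(text):
    """sshd's compiled-in default for X11Forwarding is 'no'."""
    return effective_settings(text).get("x11forwarding", "no").lower() == "yes"


if __name__ == "__main__":
    for k, v in effective_settings(SAMPLE_SSHD_CONFIG).items():
        print(f"{k} = {v}")
    print("X11 forwarding enabled:", x11_forwarding_enabled(SAMPLE_SSHD_CONFIG))
```

If `ssh -X` still fails with forwarding enabled here, check the same things the daemon does: that `sshd` was restarted after the edit, and that the client side allows forwarding too.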

Global recycle bin in Samba 3

A quick, practical example of how to use a recycle bin on a Samba server.

Add the lines below to the [global] section of smb.conf:

vim /etc/samba/smb.conf

## Recycle bin settings in Samba's [global] section

vfs objects = recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = /var/samba/lixeira/%U
recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso
recycle:exclude_dir = tmp, cache

Now create the /var/samba/lixeira directory where the deleted files will be stored:

mkdir -p /var/samba/lixeira
chmod 777 /var/samba/lixeira

Create the recycle bin as a share in the shares section:

## Configuring the recycle bin as a share

[lixeira]
path = /var/samba/lixeira

browseable = yes
writable = yes
public = yes

Then just restart Samba:

# service smb restart
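Before relying on the recycle bin it is worth knowing which deleted files it will actually keep: `recycle:exclude` and `recycle:exclude_dir` make matching files and directories disappear immediately, `%U` puts each user's files in their own subdirectory, and `recycle:keeptree = yes` preserves the original path under it. The following Python snippet is an added example, not from the original post, that evaluates those three settings from the smb.conf above for a few sample share-relative paths. Wildcard matching here uses `fnmatch` as an approximation of Samba's own matching, and the exclude_dir check treats any matching path component as excluded; both are assumptions of this example.

```python
import fnmatch
import posixpath

# Values copied from the smb.conf snippet above.
RECYCLE_REPOSITORY = "/var/samba/lixeira/%U"
RECYCLE_EXCLUDE = "*.tmp, *.log, *.obj, ~*.*, *.bak, *.iso"
RECYCLE_EXCLUDE_DIR = "tmp, cache"


def split_list(value):
    """Samba lists are comma separated, whitespace around items ignored."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_excluded(share_path, exclude=RECYCLE_EXCLUDE, exclude_dir=RECYCLE_EXCLUDE_DIR):
    """True when a deleted file is NOT kept: its name matches an exclude
    pattern, or it lives under an excluded directory name.
    fnmatch is an approximation of Samba's wildcard matching (assumption)."""
    name = posixpath.basename(share_path)
    if any(fnmatch.fnmatchcase(name, pat) for pat in split_list(exclude)):
        return True
    directories = [d for d in posixpath.dirname(share_path).split("/") if d]
    return any(d in split_list(exclude_dir) for d in directories)


def recycle_destination(share_path, user, keeptree=True, repository=RECYCLE_REPOSITORY):
    """Where a file deleted from the share ends up: None if it is excluded,
    otherwise its path inside the per-user repository (%U expanded), with the
    directory tree preserved when recycle:keeptree = yes."""
    if is_excluded(share_path):
        return None
    base = repository.replace("%U", user)
    relative = share_path if keeptree else posixpath.basename(share_path)
    return posixpath.join(base, relative)


if __name__ == "__main__":
    # Constructed sample deletions by user "alice".
    for path in ["docs/report.docx", "docs/~$report.docx", "cache/img.png",
                 "build/app.obj", "backup.iso"]:
        print(f"{path:22} -> {recycle_destination(path, 'alice')}")
```

Running it shows that an Office lock file (`~$report.docx`), anything under `cache/`, object files and ISO images are gone for good, while `docs/report.docx` lands in `/var/samba/lixeira/alice/docs/report.docx`; that per-user layout is also what to keep in mind when deciding who may read the `[lixeira]` share.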

Ninja Tel: Imagine a cell phone using an alternative mobile phone network

Have you ever imagined buying a cell phone free of Vivo, TIM, Claro, Oi and the like? The idea of a group of hackers in the USA was to create a "pirate" network where it is possible to access the internet, make calls and send SMS without actually being connected to a carrier.

Meet Ninja Tel (heh), watch the video made at Defcon and understand how it works