When executing from Linux, is it possible to have RNGCryptoServiceProvider read from /dev/random pool? This is a requirement given to me. I am new to this and I have tried looking this up; not able to find any information on this sorry.
No, you cannot change that class (which doesn’t actually use Windows CAPI on Linux, despite the name) to use the blocking random pool (short of building .NET Core yourself and changing how the class works).
There are no knobs and switches to do what you want. If you want to read from /dev/random you can just open it as a file...
Related
I would like to create something like "file honeypot" on Windows OS.
The problem I would like to answer is this:
I need to detect that file is accessed (Malware wants to read file to send it over internet) so I can react to it. But I do not know how exacly tackle this thing.
I can periodically test file - Do not like this sollution. Would like some event driven without need to bother processor every few ms. But could work if file is huge enought so it cannot be read between checks.
I could exclusively open file myselve and somehow detect if file is accessed. But I have no idea how to do this thing.
Any idea about how to resolve this issue effectively? Maybe creating specialized driver could help but I have little experience in this.
Thanks
Tracking (and possibly preventing) filesystem access on Windows is accomplished using filesystem filter drivers. But you must be aware that kernel-mode code (rootkits etc) can bypass the filter driver stack and send the request directly to the filesystem. In this case only the filesystem driver itself can log or intercept access.
I'm going to assume that what you're writing is a relatively simple honeypot. The integrity of the system on which you're running has not been compromised, there is no rootkit or filter driver installation by malware and there is no process running that can implement avoidance or anti-avoidance measures.
The most likely scenario I can think of is that a server process running on the computer is subject to some kind of external control which would allow files containing sensitive data to be read remotely. It could be a web server, a mail server, an FTP server or something else but I assume nothing else on the computer has been compromised. And the task at hand is to watch particular files and see if anything is reading them.
With these assumptions a file system watcher will not help. It can monitor parts of the system for the creation of new files or modification or deletion of existing ones, but as far as I know it cannot monitor for read only access.
The only event-driven mechanism I am aware of is a filter driver. This is a specialised piece of driver software that can be inserted into the driver chain and monitor access to files. With the constraints above, it is a reliable solution to the problem at the cost of being quite hard to write.
If a polling mechanism is sufficient then I can see two avenues. One is to try to lock the file exclusively, which will fail if it is open. This is easy, but slow.
The other is to monitor the open file handles. I know it can be done because I know programs that do it, but I can't tell you how without some research.
If my assumptions are wrong, please edit your question and provide additional information.
I am writing some webservices in Go on a linux machine, so the Go executable needs to keep running
which is the best way to do it?
should I setup the Go executable as a service on the linux machine?
many thanks
The short answer: use the system service manager if you want to keep things super-simple. CentOS currently uses Upstart, and it's well documented and can handle most Go applications without too many problems. There are some good examples of Upstart + Go here and here
The long answer: personal preference. Supervisord, Monit and Circus are good options as well, but bring differing levels of complexity. I personally like supervisord, since it has a fairly clear syntax and a good heap of options.
There's also a good run-down here: http://tech.cueup.com/blog/2013/03/08/running-daemons/
I created a server using c++ and want to run this server as daemon on linux..
How do I do this?
Thanks in advance...
There are many ways to daemonize a process. It is quite common that server implementations provides a switch to daemonize it at startup.
If you do not wish to implement such a feature, command-line tools exists such as this one : http://software.clapper.org/daemonize/.
I don't mean to sound condescending but did you try a google search, there is a heap of info on this out there, the first link I found: (http://www.enderunix.org/docs/eng/daemon.php)
You can use dup2() on Linux to make the FD's a bit easier to handle.
You may also want to look into using something like inetd to manage your server
I have a UI app (uses GTK) for Linux that requires to be run as root (it reads and writes /dev/sd*).
Instead of requiring the user to open a root shell or use "sudo" manually every time when he launches my app, I wonder if the app can use some OS-provided API to get root permissions. (Note: gtk app's can't use "setuid" mode, so that's not an option here.)
The advantage here would be an easier workflow: The user could, from his default user account, double click my app from the desktop instead of having to open a root terminal and launch it from there.
I ask this because OS X offers exactly this: An app can ask the OS to launch an executable with root permissions - the OS (and not the app) then asks the user to input his credentials, verifies them and then launches the target as desired.
I wonder if there's something similar for Linux (Ubuntu, e.g.)
Clarification:
So, after the hint at PolicyKit I wonder if I can use that to get r/w access to the "/dev/sd..." block devices. I find the documention quite hard to understand, so I thought I'd first ask whether this is possible at all before I spend hours on trying to understand it in vain.
Update:
The app is a remote operated disk repair tool for the unsavvy Linux user, and those Linux noobs won't have much understanding of using sudo or even changing their user's group memberships, especially if their disk just started acting up and they're freaking out. That's why I seek a solution that avoids technicalities like this.
The old way, simple but now being phased out, is GKSu. Here is the discussion on GKSu's future.
The new way is to use PolicyKit. I'm not quite sure how this works but I think you need to launch your app using the pkexec command.
UPDATE:
Looking at the example code on http://hal.freedesktop.org/docs/polkit/polkit-apps.html, it seems that you can use PolicyKit to obtain authorization for certain actions which are described by .policy files in /usr/share/polkit-1/actions. The action for executing a program as another user is org.freedesktop.policykit.exec. I can't seem to find an action for directly accessing block devices, but I have to admit, the PolicyKit documentation breaks my brain too.
So, perhaps the simplest course of action for you is to separate your disk-mangling code that requires privileges into a command-line utility, and run that from your GUI application using g_spawn_[a]sync() with pkexec. That way you wouldn't have to bother with requesting actions and that sort of thing. It's probably bad practice anyway to run your whole GUI application as root.
Another suggestion is to ask the author of PolicyKit (David Zeuthen) directly. Or try posting your question to the gtk-app-devel list.
I'd like advice on choosing a method to collect file access statistics on NTFS volumes under Windows Vista and Windows 7 (32 & 64-bit). I'd like to count file create/open, delete, read/write accesses for every file.
API hooking is out. I need system-wide counts, and both 32 and 64-bit OS without mucking up the OS. Also, I don't think Shell Notification would work.
I know I could do it by installing a file system filter driver. The Windows DDK has a samples, and that's how Mark Russinovich's FileMon (Sysinternals) works.
I think I might also accomplish this using WMI, but I'm not sure. That is one crazy messed up API. But if Microsoft will gather the stats for me, I'll use it.
So the question is, which method would be best & why. Am I missing another possibility, and would WMI do it?
In windows Vista you can try Reliability and Performance Monitor with User Defined Data Collector Set. Click "New", then go custom, add System counter for file control operations.
The Windows Change Journal should do the job:
http://msdn.microsoft.com/en-us/library/aa363798%28VS.85%29.aspx
It gives you exacly what you need.
Getting the full filename is a bit of a problem but there is a nice article around that describes exacly how to do that.