Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

maxlogins value includes tmux sessions, can lock user out of SSH #214

Closed
mmguero opened this issue Jun 15, 2023 · 0 comments
Closed

maxlogins value includes tmux sessions, can lock user out of SSH #214

mmguero opened this issue Jun 15, 2023 · 0 comments
Assignees
@mmguero
Labels
bug Something isn't working iso relating to the ISO-installed environment for Malcolm and/or Hedgehog security Related to issues with bearing on the security of Malcolm itself sensor For issues dealing with the Hedgehog OS capture sensor
Milestone
v23.07.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Jun 15, 2023

Due to hardening configuration, there's an entry in /etc/security/limits.d/limits.conf that looks like this:

* hard maxlogins 10

This limits the number of logins into the box to 10. This normally sounds like enough, but the issue is if you're running tmux (like when you run sensormonitor or malcolmmonitor and it creates a bunch of panels, each of them counts as a login.

This means when you go to SSH into the box or whatever, you end up locked out because your 10 are all used up.

I've done this to myself multiple times. I think we should either allow this to be configurable number, just remove the limit altogether (and document the exception in the hardening requirements), or figure out how to make tmux sessions not count towards that total (if that's possible).
@mmguero mmguero added bug Something isn't working iso relating to the ISO-installed environment for Malcolm and/or Hedgehog sensor For issues dealing with the Hedgehog OS capture sensor security Related to issues with bearing on the security of Malcolm itself labels Jun 15, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jun 15, 2023
@mmguero
fix idaholab#214, set limits.conf maxlogins to unlimited (as these ar…
364effd 
…e not regular user accounts, claim a STIG exception)
@mmguero mmguero added this to the v23.06.0 milestone Jun 15, 2023
@mmguero mmguero self-assigned this Jun 15, 2023
@mmguero mmguero closed this as completed Jun 15, 2023
This was referenced Jul 18, 2023
Merged
Closed
Merged
mmguero added a commit to cisagov/Malcolm that referenced this issue Jul 19, 2023
@mmguero
Merge pull request #267 from cisagov/v23.07.0_merge_cisagov
432a90a 
Malcolm v23.07.0 is a feature release with a number of improvements, bux fixes and component updates.

v23.05.1...v23.07.0

* New features
    - scan docker images built via GitHub actions for vulnerabilities using Trivy (idaholab#218)
    - document building and deplolying Malcolm with an AWS AMI image (idaholab#205)
    - handle Arkime field actions (idaholab#200)
    - kubernetes: document how to get running on Amazon EKS (idaholab#194)
    - Populate NetBox inventory via passively-gathered network traffic metadata (basic functionality, work in progress) (idaholab#135)

* Enhancements
    - use .tar.xz instead of .tar.gz for packaging Malcolm docker images for better compression (and smaller ISO file size)
    - Malcolm documentation edits (idaholab#204)
    - add option to enable SSH via password in hedgehog's configure-interfaces.py script (idaholab#158)
    - updated "Network Traffic Analysis with Malcolm" slides
    - use an init container in Kubernetes container startup to ensure necessary directories get created under PersistentVolume objects before startup
    - improvements to identifying source of third-party logs sent via fluent bit
    - don't do unnecessary clone of Zeek plugins, just install using URL
    - parse [bacnet_device_control.log](https://github.com/cisagov/icsnpp-bacnet/#device-control-log-bacnet_device_controllog) produced by the icsnpp-bacnet parser for Zeek

* Bug fixes
    - maxlogins value includes tmux sessions, can lock user out of SSH (idaholab#214)
    - curl rc file for connecting to external OpenSearch without auth enabled causes logstash startup to fail (idaholab#209)
    - failure to parse some suricata alerts due to integer type which should be indexed as long (idaholab#206)
    - netbox-restore doesn't work in Kubernetes (idaholab#202)
    - PCAP File with no `-` in pcapng Fails to Upload (#265)
    - disable NetBox telemetry

* Component version updates
    - Alpine (docker container image base) to [v3.18.0](https://www.alpinelinux.org/posts/Alpine-3.18.0-released.html)
    - Arkime to [v4.3.2](https://github.com/arkime/arkime/blob/8bd9d1ccaf3214eeb07da910c45d6172f9ff4ca8/CHANGELOG#L40-L55)
    - capa to [v6.0.0](https://github.com/mandiant/capa/releases/tag/v6.0.0)
    - filebeat to [v8.8.2](https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-8.8.2.html)
    - NetBox to [v3.5.4](https://github.com/netbox-community/netbox/releases/tag/v3.5.4)
    - OpenSearch and OpenSearch Dashboards to [v2.8.0](https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-2.8.0.md)
    - Supercronic to [v0.2.25](https://github.com/aptible/supercronic/releases/tag/v0.2.25)
    - YARA to [v4.3.2](https://github.com/VirusTotal/yara/releases/tag/v4.3.2)
    - Zeek to [v5.2.2](https://github.com/zeek/zeek/releases/tag/v5.2.2)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from [https://malcolm.fyi/](https://malcolm.fyi/docs/download.html).
mmguero added a commit that referenced this issue Jul 19, 2023
@mmguero
Merge pull request #224 from idaholab/v23.07.0_merge_idaholab
924431d 
Malcolm v23.07.0 is a feature release with a number of improvements, bux fixes and component updates.

v23.05.1...v23.07.0

* New features
    - scan docker images built via GitHub actions for vulnerabilities using Trivy (#218)
    - document building and deplolying Malcolm with an AWS AMI image (#205)
    - handle Arkime field actions (#200)
    - kubernetes: document how to get running on Amazon EKS (#194)
    - Populate NetBox inventory via passively-gathered network traffic metadata (basic functionality, work in progress) (#135)

* Enhancements
    - use .tar.xz instead of .tar.gz for packaging Malcolm docker images for better compression (and smaller ISO file size)
    - Malcolm documentation edits (#204)
    - add option to enable SSH via password in hedgehog's configure-interfaces.py script (#158)
    - updated "Network Traffic Analysis with Malcolm" slides
    - use an init container in Kubernetes container startup to ensure necessary directories get created under PersistentVolume objects before startup
    - improvements to identifying source of third-party logs sent via fluent bit
    - don't do unnecessary clone of Zeek plugins, just install using URL
    - parse [bacnet_device_control.log](https://github.com/cisagov/icsnpp-bacnet/#device-control-log-bacnet_device_controllog) produced by the icsnpp-bacnet parser for Zeek

* Bug fixes
    - maxlogins value includes tmux sessions, can lock user out of SSH (#214)
    - curl rc file for connecting to external OpenSearch without auth enabled causes logstash startup to fail (#209)
    - failure to parse some suricata alerts due to integer type which should be indexed as long (#206)
    - netbox-restore doesn't work in Kubernetes (#202)
    - PCAP File with no `-` in pcapng Fails to Upload (cisagov#265)
    - disable NetBox telemetry

* Component version updates
    - Alpine (docker container image base) to [v3.18.0](https://www.alpinelinux.org/posts/Alpine-3.18.0-released.html)
    - Arkime to [v4.3.2](https://github.com/arkime/arkime/blob/8bd9d1ccaf3214eeb07da910c45d6172f9ff4ca8/CHANGELOG#L40-L55)
    - capa to [v6.0.0](https://github.com/mandiant/capa/releases/tag/v6.0.0)
    - filebeat to [v8.8.2](https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-8.8.2.html)
    - NetBox to [v3.5.4](https://github.com/netbox-community/netbox/releases/tag/v3.5.4)
    - OpenSearch and OpenSearch Dashboards to [v2.8.0](https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-2.8.0.md)
    - Supercronic to [v0.2.25](https://github.com/aptible/supercronic/releases/tag/v0.2.25)
    - YARA to [v4.3.2](https://github.com/VirusTotal/yara/releases/tag/v4.3.2)
    - Zeek to [v5.2.2](https://github.com/zeek/zeek/releases/tag/v5.2.2)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from [https://malcolm.fyi/](https://malcolm.fyi/docs/download.html).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
bug Something isn't working iso relating to the ISO-installed environment for Malcolm and/or Hedgehog security Related to issues with bearing on the security of Malcolm itself sensor For issues dealing with the Hedgehog OS capture sensor
Projects
Malcolm
Status: Released
Milestone
v23.07.0
Development

No branches or pull requests
1 participant
@mmguero