Phil's Notes

  • Cipher/Mode
  • Key length
  • Master Boot Record
  • Volume boot sectors
  • Partition table
  • INT 13
  • Questions From Administrator's Guide
    • P 5 - Boot viruses/debugging program detection
    • P 4 - Self tests
  • +Remote helpdesk unlock
  • +automatic lockout after invalid logons
  • + audit log
    • ? Syslog

Questions

   System: RHEL4 U5 2.6.9-55.EL
   Manual:
      (Note: The section Deploying Pointsec on page 22 has no content.)

   The disk appears to be encrypted with AES-CBC-PLAIN.  Will Pointsec use
   CBC-ESSIV, LRW, or any of the other modes suggested for disk encryption
   with a newer kernel?

   What tokens are supported for dynamic passwords?

   Are there any issues with using lilo rather than grub?  It does not
   appear that anything but the initrd is modified in /boot.

   What happens if the initial encryption of the disk is interrupted
   (e.g. power failure)?

   Assuming the root partition is not encrypted, is there any option
   to mount an encrypted filesystem at user login rather than boot?

   It appears all remote control type activity (updates, profiles) depends
   on files placed in the file system and no realtime network connectivity
   (except maybe NFS configured by the system administrator) is used
   on Linux.  Correct?

   Password/Key Storage

     The manual has no information, but I am assuming that a key is derived
     for each user and the master encryption key is encrypted and decrypted
     with these keys.  The manual provides no useful information on this.

     The manual says that the system generating the recovery scripts must
     have access to /var/p4l/backup/<hostname>.db.  Is this also true for
     remote help?  If not, exactly how is the master key decrypted on the
     client?

     Are any password strengthening techniques used for protection of user
     keys, e.g. PBKDF2/PKCS#5?

     Can the master encryption key be exported?

   Is there any support for file-backed file systems (i.e. dm-crypt over a
   loopback device)?  If so, are there any issues with the use of journaled
   file systems?

   Is there a command-line tool to display/export/import the profile and
   configuration information?  Where is the documentation on the format
   of these files?

   Comment: GUI should support standard cursor keys.

Linux Installation

Distribution

$ unzip -t pointsec_linux.zip
Archive:  pointsec_linux.zip
[pointsec_linux.zip] Pointsec_for_Linux_2[1].0/ password:
    testing: Pointsec_for_Linux_2[1].0/   OK
    testing: Pointsec_for_Linux_2[1].0/p4l_admin_install-2.0.0-11-redhat4.sh   OK
    testing: Pointsec_for_Linux_2[1].0/p4l_admin_install-2.0.0-11-suse10.0.sh   OK
    testing: Pointsec_for_Linux_2[1].0/p4l_admin_install-2.0.0-11-suse9.3.sh   OK
    testing: Pointsec_for_Linux_2[1].0/Pointsec_for_Linux_2.0_QRG_A.pdf   OK
    testing: Pointsec_for_Linux_2[1].0/Pointsec_for_Linux_2.0_Release_Notes.pdf   OK
No errors detected in compressed data of pointsec_linux.zip.

p4l_admin_install-2.0.0-11-redhat4.sh

  • Self-extracting compressed tar file.
  • After extracting the tar file, it executes: "./p4l-package/bin/p4l_installrpm.sh" -d "p4l-package"
  • Files:
    $ find p4l-package/
    p4l-package/
    p4l-package/data
    p4l-package/data/p4l-2.0.0-11.i386.rpm
    p4l-package/eula.txt
    p4l-package/bin
    p4l-package/bin/p4l_installrpm.sh
    
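A self-extracting installer like p4l_admin_install-2.0.0-11-redhat4.sh is a shell stub followed by a gzip'd tar archive, and the stub runs the unpacked p4l_installrpm.sh immediately. The following is an added example (not the vendor's code) of listing the payload without executing the stub: it finds the gzip payload by its magic bytes, lists the members and their modes, checks for path-traversal names, and reports which script the stub would run. The stub text and archive members are constructed here to mimic the layout noted above; the member contents are placeholders.

```python
"""List a self-extracting installer's payload without running it.

Added example, not Pointsec's code. The stub and the in-memory tarball
built by build_sample() are constructed to resemble the layout observed
for p4l_admin_install-*.sh; nothing here is the vendor's actual file.
"""
import io
import re
import tarfile

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip header: ID1, ID2, CM=deflate


def build_sample(traversal=False):
    """Constructed self-extractor: a shell stub followed by a gzip tarball."""
    stub = (
        "#!/bin/sh\n"
        "# hypothetical stub, not the vendor's\n"
        'tail -n +6 "$0" | gzip -dc | tar xf -\n'
        '"./p4l-package/bin/p4l_installrpm.sh" -d "p4l-package"\n'
        "exit 0\n"
    )
    members = {
        "p4l-package/eula.txt": (0o644, b"EULA text\n"),
        "p4l-package/bin/p4l_installrpm.sh": (0o755, b"#!/bin/sh\nrpm -U data/*.rpm\n"),
        "p4l-package/data/p4l-2.0.0-11.i386.rpm": (0o644, b"<placeholder rpm bytes>"),
    }
    if traversal:  # a member that would escape the extraction directory
        members["../etc/cron.d/p4l"] = (0o644, b"* * * * * root /tmp/x\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, (mode, data) in members.items():
            ti = tarfile.TarInfo(name)
            ti.size, ti.mode = len(data), mode
            tf.addfile(ti, io.BytesIO(data))
    return stub.encode() + buf.getvalue()


def split_self_extractor(blob):
    """Return (stub_text, payload): the stub is everything before the gzip header."""
    off = blob.find(GZIP_MAGIC)
    if off < 0:
        raise ValueError("no gzip payload found")
    return blob[:off].decode("utf-8", "replace"), blob[off:]


def unsafe_path(name):
    """True for absolute names or names containing a '..' component."""
    return name.startswith("/") or ".." in name.split("/")


def inspect_installer(blob):
    """Describe the installer: members, unsafe names, setuid files, scripts the stub runs."""
    stub, payload = split_self_extractor(blob)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tf:
        members = [(m.name, m.mode & 0o7777, m.size) for m in tf.getmembers()]
    return {
        "members": members,
        "unsafe": [n for n, _, _ in members if unsafe_path(n)],
        "setuid": [n for n, mode, _ in members if mode & 0o6000],
        # Commands the stub invokes from the extracted tree (./path ...)
        "executes": re.findall(r'"?(\./[^\s"]+)"?', stub),
    }


if __name__ == "__main__":
    report = inspect_installer(build_sample())
    for name, mode, size in report["members"]:
        print(f"{mode:04o} {size:8d} {name}")
    print("stub executes:", report["executes"])
    print("unsafe names:", report["unsafe"])
```

Run against a real installer with `inspect_installer(open(path, "rb").read())`; the first gzip header found is taken as the payload start, which holds for single-payload stubs of this kind. Listing is deliberately separated from extraction so the payload can be reviewed, and its RPM signature checked, before anything is written to disk.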

p4l-package/bin/p4l_installrpm.sh

  • Options:
    • -h help
    • -d <install_dir>
  • Check that it is running as root
  • Check the distribution: RedHat or SuSE
  • Display the EULA and confirm acceptance
  • Test for current install: [ "`/bin/rpm -q --queryformat=%{NAME} $package_name`" = "$package_name" ]
    • Set upgrade if found
  • Test RPM: rpm --test -Uh "$install_folder/data/p4l-*.rpm" || exit 1
  • /bin/rpm -U --nopreun --nopostun "$install_folder/data/p4l-*.rpm" || exit 1
    • Note: --nopreun and --nopostun are only passed if the currently installed version is old; otherwise the old package's uninstall scriptlets are allowed to run.
  • /sbin/p4linstall -cu (note: -u is only passed when upgrading)

RPM install

RPM contents

analon:~/Pointsec/Pointsec_for_Linux_2[1].0/p4l-package/bin (2)
$ rpm -ql -p ../data/p4l-2.0.0-11.i386.rpm
/bin/p4l_buildrpm.sh
/bin/p4ladmin
/bin/p4lsupport
/bin/p4lsupport.pl
/etc/init.d/p4l
/etc/p4l
/etc/p4l/vendor
/lib/libp4ladminutils.a
/lib/libp4lcommon-2.0.0-11.so
/lib/libp4lcommon-2.0.0-12.so
/lib/libp4lcommon.a
/lib/libp4lcommon.la
/lib/libp4lcommon.so
/lib/libp4ldaemon.a
/lib/libp4ldb-2.0.0-11.so
/lib/libp4ldb-2.0.0-12.so
/lib/libp4ldb.a
/lib/libp4ldb.la
/lib/libp4ldb.so
/lib/libp4llogon.a
/lib/libp4lprofile-2.0.0-11.so
/lib/libp4lprofile-2.0.0-12.so
/lib/libp4lprofile.a
/lib/libp4lprofile.la
/lib/libp4lprofile.so
/lib/libp4ltoken-2.0.0-11.so
/lib/libp4ltoken-2.0.0-12.so
/lib/libp4ltoken.a
/lib/libp4ltoken.la
/lib/libp4ltoken.so
/sbin/mkinitrd.P4L
/sbin/p4l_mkfs.sh
/sbin/p4l_patch.pl
/sbin/p4l_update_bm.pl
/sbin/p4ldaemon
/sbin/p4linstall
/sbin/p4llogon
/sbin/p4lrecovery
/sbin/p4lsplash
/usr/share/locale/en_US/LC_MESSAGES/p4l.mo
/usr/share/p4l
/usr/share/p4l/bootsplash
/usr/share/p4l/bootsplash/p4lbg-1024x768.jpg
/usr/share/p4l/bootsplash/p4lbg-1280x1024.jpg
/usr/share/p4l/bootsplash/p4lbg-640x480.jpg
/usr/share/p4l/bootsplash/p4lbg-800x600.jpg
/var/p4l/recovery/p4lrecovery.sh
/var/p4l/rpm
/var/p4l/rpm/packages
/var/p4l/rpm/packages/BUILD
/var/p4l/rpm/packages/RPMS
/var/p4l/rpm/packages/SOURCES
/var/p4l/rpm/packages/SPECS
/var/p4l/rpm/packages/SPECS/p4l-client.spec
/var/p4l/rpm/packages/SRPMS

RPM scripts

  • preinstall scriptlet (using /bin/sh):
    if [ "$1" = "1" ] ; then  # first install
        if [ -d /dev/mapper ]; then
            for file in /dev/mapper/*; do
                if test "$file" != "/dev/mapper/control"; then
                    echo "You are using device-mapper now."
                    echo "Please stop using it before installation/de-installation"
                    exit 1
                fi
            done
        fi
    fi
    
  • postinstall scriptlet (using /bin/sh):
    /sbin/ldconfig
    /bin/mkdir -p /var/p4l
    /bin/chmod 0755 /var/p4l
    /bin/mkdir -p /var/p4l/admin
    /bin/chmod 0755 /var/p4l/admin
    /bin/mkdir -p /var/p4l/admin/install
    /bin/chmod 0755 /var/p4l/admin/install
    /bin/mkdir -p /var/p4l/admin/update
    /bin/chmod 0755 /var/p4l/admin/update
    /bin/mkdir -p /var/p4l/admin/backup
    /bin/chmod 0755 /var/p4l/admin/backup
    /bin/mkdir -p /var/p4l/admin/log
    /bin/chmod 0755 /var/p4l/admin/log
    
    if [ "$1" = "1" ] ; then  # first install
            # PB: p4l_patch patches files in /etc/udev/rules.d
            # PB: If the line
            # PB:  KERNEL="dm-[0-9]*", PROGRAM="/sbin/udev.devmap_name.sh %M %m | /bin/sed 's.--._.;s.-./.;s._.-.'", SYMLINK="%c"
            # PB: is found, it is commented out and a marker line is inserted.
            /sbin/p4l_patch.pl -i
            /sbin/chkconfig --add p4l
            # will copy mkinitrd.P4L
            /bin/mv /sbin/mkinitrd /sbin/mkinitrd.GENERIC
    else
            # upgrade
            echo "Prepare databases for upgrade software"
            /sbin/p4linstall -b
    fi
    
    # Setting up the P4L's mkinitrd
    /bin/rm -rf /sbin/mkinitrd
    /bin/ln -s /sbin/mkinitrd.P4L /sbin/mkinitrd
    
    # Filling /etc and /etc/p4l folders
    # Set version info
    echo -n "2.0.0-11" > /etc/p4l/version
    /bin/cp /etc/fstab /etc/p4l/fstab
    if [ -f /etc/SuSE-release ]; then
            number=`/bin/awk -F' ' '{ if ($1=="VERSION") printf $3 }' /etc/SuSE-release`
            if [ "$number" == "9.1" -o "$number" == "9" ]; then
                    echo "Target platform is SuSE 9.1"
            elif [ "$number" == "9.2" ]; then
                    echo "Target platform is SuSE 9.2"
            elif [ "$number" == "9.3" ]; then
                    echo "Target platform is SuSE 9.3"
            elif [ "$number" == "10.0" ]; then
                    echo "Target platform is SuSE 10.0"
            else
                    echo "Unsupported SuSE distribution"
                    exit 1;
            fi
    elif [ -f /etc/redhat-release ]; then
            echo "Target platform is RedHat Enterprise Linux 4"
    else
            echo "Unknown Linux distribution"
            exit 1;
    fi
    
  • preuninstall scriptlet (using /bin/sh):
    if [ "$1" = "0" ] ; then # last uninstall
            if [ -d /dev/mapper ]; then
                    for file in /dev/mapper/*; do
                            if test "$file" != "/dev/mapper/control"; then
                                    echo "You are using device-mapper now."
                                    echo "Please stop using it before installation/de-installation"
                                    exit 1
                            fi
                    done
            fi
            /sbin/p4l_patch.pl -u
            /etc/init.d/p4l stop
            /sbin/chkconfig --del p4l
    fi
    
  • postuninstall scriptlet (using /bin/sh):
    /sbin/ldconfig
    if [ "$1" = "0" ] ; then # last uninstall
            /bin/rm -rf /usr/share/p4l
            /bin/rm -f /sbin/mkinitrd
            /bin/mv /sbin/mkinitrd.GENERIC /sbin/mkinitrd
            if [ -f /etc/SuSE-release ]; then
                    /sbin/mkinitrd >/dev/null 2>&1
            elif [ -f /etc/redhat-release ]; then
                #kernels=`rpm -q --qf "2.0.0-11\n" kernel kernel-smp kernel-hugemem | grep -v package`
                #kernels=`ls /lib/modules`
                kernels=`ls /boot | grep "^initrd-.*\.img$" | sed "s/^initrd-\(.*\)\.img$/\1/g"`
                for kver in $kernels; do
                        /sbin/mkinitrd -f /boot/initrd-$kver.img $kver
                done
            else
                    exit 1;
            fi
            /bin/rm -rf /etc/p4l
            /bin/rm -rf /p4lshare
    fi
    

Email

Date: Tue, 29 May 2007 12:18:05 -0400
From: Barb Quinn <BQuinn@MACOMPUTERS.COM>
To: benchoff@vt.edu, frankg@vt.edu
Subject: Pointsec Software Eval
Cc: Lou Caccamo <LCaccamo@MACOMPUTERS.COM>,
        Robert Schneeweis <Robert.Schneeweis@MACOMPUTERS.COM>,
        Chris Ward <Cward@MACOMPUTERS.COM>,
        Barb Quinn <BQuinn@MACOMPUTERS.COM>

Dear Frank and Phil,

Thank you for your interest in the Pointsec product, Gartner's choice
for the magic quadrant for the last six years.

Please click the link below to download the evaluation product. The
package that you download contains an evaluation version of Pointsec
preconfigured for your convenience. Inside the archive is a file called
P4PC EW 6.1 Evaluation Guide v1.1.pdf. Please read the P4PC EW 6.1
Evaluation Guide v1.1.pdf file first as it will explain the
installation procedure for Pointsec, as well as have the username and
logins; you will need them to access the product.

This archive contains a preconfigured copy of Pointsec. If you wish to
follow the document and install it manually, you will need to remove
the ProfileEncryptv4.isp file from the 1_Pointsec for pc folder.

Please be advised that you need to have Microsoft .NET v1.1 (or higher)
installed.

(obtain it here, )
http://www.microsoft.com/xxxx

If you have any problems with the installation or using the product feel
free to contact me, and I will assist you in any way I can.

URL : http://www.macomputers.com/xxxx  (File name:
pointsec_eval.zip) The Archive password is xxxx

Robert Schneeweis  |  Pointsec SE  |  Mid-Atlantic Computers, Inc.
Office: 610.935.5570  |  Fax: 610.935.5787  |  Email:
robs@macomputers.com  |  Website: www.macomputers.com

cryptsetup status

[root@oanalon pointsec]# /sbin/cryptsetup -v status hda7
/dev/mapper/hda7 is active:
  cipher:  aes-plain
  keysize: 256 bits
  device:  /dev/hda7
  offset:  0 sectors
  size:    12572721 sectors
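The "aes-plain" shown by cryptsetup is dm-crypt's legacy short form for aes-cbc-plain: a bare cipher name, or a cipher followed by "plain" with no IV mode, is expanded by the kernel to CBC with a plain (sector-number) IV. That is the mode the question about CBC-ESSIV/LRW in the Questions section is getting at: a predictable IV under CBC allows watermarking of known content, and the 32-bit "plain" IV repeats past 2^32 sectors (2 TiB at 512-byte sectors). The following is an added example (not Pointsec's or cryptsetup's code) that parses the status output above and a constructed `dmsetup table` line for the same mapping, expands the spec the way dm-crypt does, and reports the issues a reviewer would raise; the key field in the table line is a placeholder of zeros, not a real key.

```python
"""Classify a dm-crypt cipher spec for IV-mode and key-size weaknesses.

Added example, not Pointsec's or cryptsetup's code. STATUS_SAMPLE is the
output recorded on this page; TABLE_SAMPLE is a constructed 'dmsetup
table' line for the same mapping with a zero placeholder in the key field.
"""
import re

STATUS_SAMPLE = """\
/dev/mapper/hda7 is active:
  cipher:  aes-plain
  keysize: 256 bits
  device:  /dev/hda7
  offset:  0 sectors
  size:    12572721 sectors
"""

# dmsetup table crypt target: start len crypt cipher key iv_offset device offset
TABLE_SAMPLE = "0 12572721 crypt aes-plain " + "00" * 32 + " 0 /dev/hda7 0"

SECTORS_2TIB = 1 << 32  # the 32-bit 'plain' IV wraps after this many sectors


def expand_spec(spec):
    """Split 'cipher[-chainmode[-ivmode[:ivopts]]]' the way dm-crypt does.

    Compatibility rule: a bare cipher, or 'cipher-plain' with no ivmode,
    means cipher-cbc-plain.
    """
    parts = spec.split("-")
    cipher = parts[0]
    chain = parts[1] if len(parts) > 1 else None
    ivmode = parts[2] if len(parts) > 2 else None
    if chain is None or (chain == "plain" and ivmode is None):
        chain, ivmode = "cbc", "plain"
    ivmode, _, ivopts = (ivmode or "").partition(":")
    return {"cipher": cipher, "chain": chain, "iv": ivmode, "ivopts": ivopts}


def parse_status(text):
    """Extract cipher spec, key size and device size from 'cryptsetup status'."""
    fields = dict(re.findall(r"^\s*(\w+):\s+(.+?)\s*$", text, re.M))
    return {
        "spec": fields["cipher"],
        "key_bits": int(fields["keysize"].split()[0]),
        "sectors": int(fields["size"].split()[0]),
    }


def parse_table(line):
    """Extract the same facts from a 'dmsetup table' crypt target line."""
    f = line.split()
    if f[2] != "crypt":
        raise ValueError("not a crypt target")
    return {"spec": f[3], "key_bits": len(f[4]) * 4, "sectors": int(f[1])}


def assess(spec, key_bits, sectors):
    """Return the expanded spec, effective key strength and a list of issues."""
    p = expand_spec(spec)
    # XTS splits the key in two; a 512-bit xts key is AES-256.
    effective = key_bits // 2 if p["chain"] == "xts" else key_bits
    issues = []
    if p["chain"] == "ecb":
        issues.append("ecb: identical plaintext blocks encrypt identically")
    if p["chain"] == "cbc" and p["iv"] in ("plain", "plain64"):
        issues.append("cbc with a predictable sector IV allows watermarking; use essiv or xts")
    if p["iv"] == "plain" and sectors > SECTORS_2TIB:
        issues.append("32-bit plain IV repeats beyond 2 TiB; use plain64")
    if effective < 128:
        issues.append("effective key strength under 128 bits")
    return {**p, "effective_key_bits": effective, "issues": issues}


if __name__ == "__main__":
    result = assess(**parse_status(STATUS_SAMPLE))
    print(f"{result['cipher']}-{result['chain']}-{result['iv']}"
          f" ({result['effective_key_bits']}-bit effective)")
    for issue in result["issues"]:
        print(" -", issue)
```

For the volume above this reports aes-cbc-plain with a 256-bit key and the watermarking issue; the 2 TiB limit does not apply at 12572721 sectors. The same `assess()` accepts the newer specs (aes-cbc-essiv:sha256, aes-xts-plain64) so the answer to the mode question can be checked on a later kernel by pasting its status output.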