An Elvis lawn gnome. Really?
Sony NEX6 remote app for headshots
I worked with the Sony Remote app for iphone while taking some headshots. Found out the app works okay, but the issue with it is it doesn’t allow you to shoot in ARW. Everything is shot in JPG, which doesn’t help if you are trying to take ARW shots to be edited later. I took these headshots thinking I would be able to clean up some stuff in post later. No such luck since there was just a JPG to work with. I did a little cropping, but that was it.
Using Mcafee Enterprise Security Manager to monitor Anyconnect Groups
We use Anyconnect for our Remote Access solution and one of the issues I have is with other admins not putting people into the right groups or not putting them into groups at all. So then what happens is they get stuck into the DfltGrpPolicy, which is definitely not where I want them since that doesn’t have the customization for each of the different groups.
Since Mcafee Enterprise Security Manager is monitoring my ASA and all of the logs are going to it, building an alert to notify me when people are in this group shouldn’t be an issue. Here is what we are going to do:
Identify the group, in this case I want to know when people get assigned the DfltGrpPolicy policy.
Now what we are going to do is build an alarm that fires when it sees DfltGrpPolicy in the object field. Since no one should be pulling this group for any reason anyone that is in it is misconfigured and needs to be moved to the appropriate group.
1. Go to System Properties and then click on Alarms
2. Choose an assignee and give the alarm a name.
3. Choose, Type: Field Match, Field: Object, Value: DfltGrpPolicy, Select your device of your Cisco ASA.
4. Choose your actions, in my case I am going to have it email when it sees that. I am also going to customize the template so it only sends me the relevant information, such as user misconfigured and group they are in.
5. I leave Escalation blank
6. Click Finish and you are done.
Now sit back and admire your work and you should now be alerted for people misconfigured.
Monitoring Domain Admin Password Changes with Nitro/Mcafee Enterprise Security
We had a requirement to monitor when Domain Admins changed their password so that we could pass our PCI Audit for this year. Mostly the issue came out of the fact that a hacker could just as easily change a domain admin password as they could create a new account in domain admins. I was already monitoring domain admins for new accounts getting added/removed, this just seemed like the next step.
I came up with this method to be able to monitor our Domain Controllers with Nitro and then send me a notification/report.
1. Create a Watchlist
call it whatever you want, but make it a destination user type and then choose an assignee.
2. Input all of your Domain Admins into the Watchlist
3. After creating the watchlist, then go into Alarms and create a new alarm.
Give it a name
choose an assignee
4. Go to the Condition tab and choose “specified event rate”, set the event count to “1”, and choose the time frame as 10 minutes. This is needed to trigger the alarm when you need it to fire.
5. then click on the filter icon, for your query filter choose the following:
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watch lists)
Under select a device, choose all of your domain controllers. We have two domains so we are monitoring several machines.
6. Now here is where the magic comes in and the best alerting you can setup. Under actions, choose Generate Report and then click configure
Here you are going to create a new report that lists the userid field and any other information you want. You will also choose your email recipients here so that you can be notified when a domain admins password has changed. Since the parameters from the alarm will not be passed to the report you will need to choose a few things for the filter at the bottom to keep it to what you are looking for.
signature id: 43-211006270,43-211006280,43-263047230
destination user: WL:(name of watch lists)
set the time range to the last 10 minutes
7. click Finish, you now have an alarm that will be triggered when a domain admin changes their password.
Turn it off when you are done with it
I learned a lesson that I thought I knew and thought I actually exercised.
“Turn off whatever it is if you aren’t using it.”
I like most want to know what is going on with my network at all times. I especially want to know if someone is making a change to a key piece of infrastructure, not to mention it’s nice to show to the auditors when they ask. I have an alert setup on our Nitro appliance that notifies me when someone is making a change to our firewalls. Important since this device is what I use for segregation on my network and to keep my credit card data safe. Nitro does this by monitoring the syslog coming out of the firewall and looking for a particular message which relates to a signature ID. When it sees signature id it then sends a message to me and the other firewall admin so that we can look at each other and say yup we made that change.
I was noticing though over the last couple of weeks that when I would make a change I wasn’t always getting notified. I would get some alerts but not others. So I started with looking at the Nitro appliance to see if it was having a problem. As I was debugging it I noticed that it wasn’t getting all of the messages to be able to alert off of. Information is missing and I needed to find it.
I then started looking at my syslog config on my ASA, here it is for reference:
logging enable
logging console informational
logging buffered debugging
logging trap informational
logging host inside x.x.x.x
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 419002
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302014
no logging message 609002
no logging message 609001
no logging message 302018
Nothing out of the ordinary or so I thought. As I was using Google to look at stuff I came across some messages about the logging queue limit, which by default is 512. I decided to look at that and see if that could be causing my issue. When I looked I saw this:
sh logging queue
Logging Queue length limit : 512 msg(s)
-1123742434 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 512 msg on queue, 512 msgs most on queue
Definitely not good I am dropping messages and the queue is full. I thought well may be I can increase the queue and everything will be fine after that. So I did the following:
logging queue 1024
sh logging queue
Logging Queue length limit : 1024 msg(s)
-1123731334 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 1024 msg on queue, 1024 msgs most on queue
Immediately the queue jumped up and I was still dropping messages.
I thought okay may be I need to prune out the message I am logging on. These are minor messages and I hadn’t needed this data in any of my investigations so I decided to kill it.
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
sh logging queue
Current 1024 msg on queue, 1024 msgs most on queue
No change and I am still dropping messages. I then thought heck, may be I just need a bigger queue, that always solves the problem right. Bigger is better:
logging queue 4196
sh logging queue
Logging Queue length limit : 4196 msg(s)
-1123742651 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 4196 msg on queue, 4196 msgs most on queue
That didn’t help out so much. Immediately I am at a full queue and still dropping messages. Then I looked back through my config again:
sh run logging
logging enable
logging console informational
logging buffered debugging
logging trap informational
logging queue 4196
logging host inside x.x.x.x
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 419002
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302014
no logging message 609002
no logging message 609001
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
Hmm, I wonder if logging to the console and buffer are causing my issue. I am not using them currently and the last time I was troubleshooting I did turn them on. Could I really have not cleaned up after myself and could this be causing me an issue? I then did the following:
no logging console
no logging buffered
sh logging queue
Logging Queue length limit : 4196 msg(s)
-1123728024 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 4196 msgs most on queue
Immediately the queue dropped down and there was nothing in it. I then moved the queue back down to a smaller number.
logging queue 1024
sh logging queue
Logging Queue length limit : 1024 msg(s)
-1123728024 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 4196 msgs most on queue
No messages on queue and no dropped messages. Also all of my test alerts are now working correctly and everything seems to be fine.
Lesson relearned, when you turn on something make sure you turn it off. Even if at the time you don’t think it will cause you an issue it may come and cause you an issue later.
Must you father.
A post processing to the my underwater shots
Did a little bit of post processing to improve the color in my shots and this is what I came up with for a few of them:
RX100 Underwater
Diving Video from 6-15-13
Logitech iPad Folio Review
I was lucky enough to win the Logitech Keyboard Folio from TUAW. I can’t thank them enough for having the contest and being lucky enough to win it.
I wanted to write up a quick review of the unit for other people that are thinking about getting it. I am currently using it to type out this blog post on my ipad. I am finding that I am using my ipad more and more to do different things where I don’t want to carry my laptop. I have been using an Apple bluetooth keyboard previously and have adapted to that scenario.
I synced my ipad to the Logitech Keyboard Folio and then started to type on it. Thy typing on this keyboard is a treat to type on. I found the key response to be great and really enjoy using it. The biggest issue I had from a typing perspective was the where the 2 key is placed. I kept hitting the 1 key thinking I was hitting the 2 key. That seems to be really just an issue because of how much smaller the keyboard is.
I think by far the biggest issue I have with the unit is the weight and the size. It makes the ipad almost twice as tall and adds just an obscene amount of weight. For me if I am going to carry around that much weight I would rather take my 15″ MacBook Pro.
These are of course my observations and someone else may have a different opinion, but for me the weight and size of the tech matters to me as I am normally carrying it around on my back and like to travel light/slimmed down.
Joseph Jenkins 