Raspberry Pi for Christmas

I finally got a chance to open up my Christmas present to myself a few months late. I was excited all the same because it was a Raspberry Pi 400.

This is an incredible form factor for the raspberry Pi. It’s an all in one unit that fits into a keyboard. The keyboard is the computer. Just incredible.

Once you plug in power, the mouse and an HDMI monitor you have a working Linux computer running Raspbian. What to do next? Install Tailscale of course !!

Tailscale is a mesh VPN and allows you to link up all your devices in a private network no matter where they are. I’ve blogged about it here. So far I’ve linked up macOS, iOS, windows, Linux centos as well as Synology and QNAP NAS so now let’s add a raspberry Pi.

First things first let’s update the raspberry Pi because it’s been sitting in its box for a while. I didn’t have much luck with the add / remove software gui app (maybe because it was still getting on wifi) but after getting on the network I fired up apt to update all the things.

sudo apt list --upgradeable

Using apt you can get a list of what is upgradeable. This was my first step the gui app didn’t list any software that had updates. A few months in a box and there should be a lot of updates. This is Linux we are talking about.

 sudo apt update

Then it is just a matter of upgrading everything.

The next step is to install Tailscale. Read the instructions for Raspberry Pi on the Tailscale website. Before installing Tailscale we have to install other needed components and we have to tell Linux where to find the software. Similar to my adventures with CentOS Linux and yum you have to tell Raspbian Linux what to do with apt.

First we fetch the signing key and tell it where the repo is. Note: Always be mindful when using curl to download and install items or scripts.

   curl -fsSL https://pkgs.tailscale.com/stable/raspbian/buster.gpg | sudo apt-key add -

curl -fsSL https://pkgs.tailscale.com/stable/raspbian/buster.list | sudo tee /etc/apt/sources.list.d/tailscale.list

Just a few more steps now. Install the needed https components. Check with apt for updates then we can finally install Tailscale.

sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install tailscale

The next step is to authorize Tailscale which is usually done with a login to our account we created the Tailscale network with. But this time I wanted to try a pregenerated keys from the Tailscale admin panel.

sudo tailscale up --authkey tskey-gh37374737292a4847382

Now to test the new secure Tailscale mesh VPN set up I wanted to login to my MunkiReport web server.

Using the Tailscale cli to list all devices on my private network I found the IP.

tailscale status

Find the ip of the server or device from the status list and connect.

Next I outputted the raspberry Pi cli history to a file and sent it to my iPhone where I edited this blog post with the WordPress app.

history > raspberry-history.txt

tailscale file cp raspberry-history.txt iPhone:

I am looking forward to working on many fun projects with my raspberry Pi. After Tailscale is on there then it is easy to connect from my iPhone or from anywhere Tailscale is installed.

In the example below I used ssh shellfish app on my iPhone to connect.

Tailscale has great documentation and despite this I had a small misstep when I went to look at the install instructions. It defaulted to Ubuntu or misdetected my raspbian linux so I wondered for a second why it wasn’t working. I soon realized I’d copy pasted the wrong thing. Checked the drop down install menu for the raspberry Pi instructions and voila happy times.

Zoom in on Privacy and Security

Recent attention on video conferencing app Zoom and security exploits brings attention to the various Privacy and Security settings on your Mac. Currently macOS 10.14.5 Mojave defines microphone and camera settings which should be verified periodically if they’re not being managed by MDM (mobile device management) and even in those case, just to verify.

Zoom update

If you’ve ever had Zoom installed you must launch it and then update it manually, unless you have Munki or other patching solution to manage your Mac.

 

Zoom Enable camera access

If you want Zoom to have access to your camera (useful for video conferencing) then enable it or leave it disabled until the moment you actually need it.

Privacy-Camera-OFF-Settings.pngMaybe this is a good time to review what apps have previously been granted access and disable them or not after you review the situation.

Privacy-MIC2-Settings.png

Check your microphone access as well. What apps are in your list?

Further research:

Check out Objective See’s excellent security tools such as Oversight to protect yourself from unwanted access to your camera.

Also check out this past talk at MacDevOps:YVR 2018 by Kolide’s Zach Wasserman about osquery and at the 11min mark where he talks about another app BlueJeans and how to investigate it with osquery.

The MacDevOps:YVR videos from past talks contain many security related talks as well as other awesome troubleshooting tech talks.

 

 

Root Me Baby One More Time!

UPDATE: Apple has posted a security update. 2017-001

Root-a-pocalyse. Root down. Root a toot toot. Many funny tweets today about a very serious issue. A bug was discovered in macOS 10.13 that enabled anyone to login with a root account. With no password. Wow. Seriously. Yeah, that’s bad.

Bug discovered by Lemi Orhan Ergin.

I tested by clicking on the lock icon in System Preferences. Normally this requires an admin account. I was able to authenticate with “root” and no password. This actually also set root to no password. You can choose a password here and this makes it for you. How convenient. You can also login to the Mac via the login window. With root. And no password. Crazy.

If your Mac is off it’s safe. Not joking. If your FileVault protected drive is encrypted and your mac is turned off then you’re good. If you Mac is turned on and you’ve logged in at least once (or at least decrypted the drive on boot) then you’re not safe.

What can you do? Change the root password and set the shell to false. Until Apple fixes this. Should be anytime now. Or soon.

dscl . -passwd /Users/root “random or very secure password here”

dscl . -create /Users/root UserShell /usr/bin/false

Read a comprehensive explanation on Rich Trouton’s site:  Der Flounder blog

 

Setting up Secure Munki

So you’ve set up Munki to deploy software to your Macs by following the basic set up here: Set up Munki, and now you want to set it up more securely.

You need two things. 1) a cert and 2) a secure repo

  • TRUST US

The optimal situation is a trusted secure certificate for your server from a reputable certificate authority, if you don’t have that, or want to use the self-signed certificate your server has then your Munki Mac clients will need to trust this certificate.

Export out the cert from Server Admin if you’re using that to manage your Mac mini server. Place this cert file on your clients (using ARD, or other methods) then use the security command to get the Mac clients to trust this cert.

security add-trusted-cert -d -r trustRoot -k “/Library/Keychains/System.keychain” “/private/tmp/name-of-server.cer”

REFERENCE: Rich Trouton’s blog goes into more detail and details a way to script this.

  •  SECURE IT

Use htpasswd to add a password to your Munki repo.

htpasswd -c .htpasswd munki

Edit the htaccess info

AuthType Basic
AuthName "Munki Repository"
AuthUserFile /path/to/your/munki/repo_root/.htpasswd
Require valid-user

Encode this password for Munki:

python -c 'import base64; print "Authorization: Basic %s" % base64.b64encode("USERNAME:PASSWORD")'
Authorization: Basic VVNFUk5BTUU6UEFTU1dPUkQ=

Push out this password to your Munki clients with ARD (or use some other method)

defaults write /Library/Preferences/ManagedInstalls.plist AdditionalHttpHeaders -array “Authorization: VVNFUk5BTUU6UEFTU1dPUkQ=”

Change the Munki RepoURL on all your clients to use the new secure URL

defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL “https://munkiserver/munki_repo”

REFERENCES:

Consult the Munki Wiki for: Basic authentication setup for Munki 

Ala Siu’s excellent write on securing munki

Notes:

Consider using a server made for securing Munki, like the Squirrel server from the MicroMDM project. More on this in another blog post.

Consider using certificate from a known reputable certificate authority such as Let’s Encrypt (the Squirrel server above automates the setup with Let’s Encrypt).

Further:

Another project which seeks to combine all these open source projects in the Munki ecosystem is Munki in a Box. There’s a secure branch of this project which setups a basic authentication as well but while it aims to simplify setting up a secure Munki it may be a bit confusing to set up at first glance. Test, and test again.