So far I've sunk sixty hours into making a functional PoC, which installs and configures a properly running BoKS client. I would like to thank Mark Lambiase for offering me the chance to work on this project as a research consultant for FoxT. I'd also like to thank Ger Apeldoorn for his coaching and Ken Deschene for sparring with me.
I want to configure my alarm logs to email a specific set of users each time there are specific events that come through the BoKS system. I have set my alarm logs to capture the relevant events and I have configured my email server so that I am able to send the mail to the users from a command line interface. In the Domain Settings on the BoKS Control Center GUI, under Audit log configuration, Alarm log command: |/bin/mail -s "Alarm Logs" [email protected][email protected] etc. I am still not receiving any alarm logs through email. I am using postfix and have confirmed correct configuration of the smtp settings. Does anyone have any idea what I might be missing? Thanks.
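One way to find out whether the "|command" hook is firing at all, as an added example that is not part of the original post and not FoxT's own code: a wrapper script that BoKS pipes the alarm text into, which first appends every record to a local spool file and only then hands the message to the MTA through sendmail(8), which postfix provides. The script path, the spool location and the recipient address are constructed for this example; the field value would then be "|/usr/local/sbin/boks-alarm-mail.sh" instead of the bare mail command.

```shell
#!/bin/sh
# Added example, not from the forum thread: wrapper for the BoKS
# "Alarm log command" field. Everything read on stdin is recorded in a
# spool file (proof that the hook fires) and then delivered via sendmail,
# so delivery does not depend on a "mail" user agent being installed.
# Assumed install path: /usr/local/sbin/boks-alarm-mail.sh

SPOOL="${ALARM_SPOOL:-/var/log/boks-alarm-mail.log}"   # assumed location
RECIPIENTS="${ALARM_RCPT:-secops@example.com}"          # constructed address
SUBJECT="BoKS alarm"

# Append the alarm text from stdin to the spool file, one timestamped line
# per record, and print the number of lines received.
record_alarm() {
    spool="$1"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line" >> "$spool"
        count=$((count + 1))
    done
    echo "$count"
}

# Build a minimal header block plus the body file, suitable for sendmail -t.
build_message() {
    printf 'To: %s\nSubject: %s\n\n' "$RECIPIENTS" "$SUBJECT"
    cat "$1"
}

# Hand the message to the MTA; report (and keep the spool copy) if absent.
deliver() {
    body="$1"
    if [ -x /usr/sbin/sendmail ]; then
        build_message "$body" | /usr/sbin/sendmail -t
    else
        printf 'sendmail not found; alarm text kept in %s\n' "$SPOOL" >&2
        return 1
    fi
}

main() {
    tmp=$(mktemp)
    cat > "$tmp"
    n=$(record_alarm "$SPOOL" < "$tmp")
    if [ "$n" -gt 0 ]; then deliver "$tmp"; fi
    rm -f "$tmp"
}

# Run the pipeline only when invoked under the script name, not when sourced.
case "$0" in *boks-alarm-mail.sh) main ;; esac
```

If the spool file grows but no mail arrives, the problem is on the MTA side and postfix's own log (the mail syslog facility) will show the rejected or deferred message; if the spool stays empty, the alarm hook is not being invoked and the BoKS side of the configuration is where to look.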
Post by Thomas Sluyter on Feb 24, 2016 19:59:44 GMT
Well, good news: I'm working with FoxT to build a proof-of-concept module for them!
Like you, new2unix, I've first built an RPM file to install the BoKS client software. Now I've got a basic module up and running that installs the package, which puts a bcastaddr in place and which keeps the service running. It's certainly a start! I'll be working on improving the module over the next few weeks.
It's our full intention to share all this information with FoxT's customers, but it'll take a little while to prepare it all in a nicely legible form.
As a sneak preview, that stuff is doing "stuff": [[email protected] ~]# /opt/boksm/sbin/boksadm -S Boot -k
Okay, so since my last post I have been doing a little bit of research on the possibility of installing BoKS with Puppet... Does not seem like this is going to be a trivial task at all, unfortunately. I am trying to create an RPM package right now for the BoKS install and keep tripping over links and pathing issues. Rather frustrating!!!
Post by Thomas Sluyter on Jan 20, 2016 18:55:52 GMT
You are absolutely correct, Pawel, that this is only the very first step to proper integration between BoKS and Yubikey. It was more a proof of concept.
Without saying too much on these forums, you are best served asking your FoxT representative about their plans with regards to authenticators (third party and otherwise). What we're used to from v6.x and before is going to change for the better.
Hi Thomas, good work; however, it's not a true integration, you miss a lot of functionality of BoKS sshd (as mentioned). Just wondering, BoKS does well with SecurID. What protocol does BoKS use for this communication? I would like to see a more user-friendly interface in BoKS, like a client to a RADIUS service, where you can do all the MFA stuff and not face MFA vendor lock-in.
Post by Thomas Sluyter on Nov 17, 2015 9:49:16 GMT
I'm in-between assignments at the moment, so I've jumped at the chance to learn new things. Among others, I recently visited the Blackhat Europe convention, where I was gifted a Yubikey Neo by the Yubico team.
After learning how to build my own Yubikey validation services (see here) and after integrating those with LDAP, I pushed forward in building a new BoKS 7.0 infra on the same test environment.
And after some puzzling and tweaking, I've made one proof-of-concept on how Yubikey MFA tokens may work in a BoKS environment.
We are working on a Puppet module for the client installation of 6.7, but the big problem is the package format. We are using Linux, and I had to build a custom RPM. The problem is to get the right scripts running in the right order. Some scripts need the BoKS environment (setup_selinux.sh) and some of them need to have it unset. Puppet will not handle the ENV file because of the wrong syntax for variables.
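One way to keep the ENV file out of Puppet entirely and still run each install script in the right environment, as an added example that is not part of the original post and not FoxT's code: a small shell layer that sources the ENV file only inside a subshell for the steps that need it, and runs the other steps under a scrubbed environment. The file path, the variable names and the step list are constructed for this example; the ENV file is assumed to contain plain sh-style NAME=value lines.

```shell
#!/bin/sh
# Added example, not from the forum thread: run post-install steps either
# with the BoKS environment file sourced (in a subshell, so nothing leaks
# into the caller) or with a scrubbed environment, in a fixed order.
# ENV file path and variable names below are constructed for illustration.

# Source the env file in a subshell and run the command there. "set -a"
# exports every assignment the file makes, so child processes see them.
run_with_boks_env() {
    envfile="$1"; shift
    (
        set -a
        . "$envfile"
        set +a
        "$@"
    )
}

# Run the command with an empty environment plus a minimal PATH, so a
# script that must not see BoKS variables gets a clean slate.
run_without_boks_env() {
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin "$@"
}

# Run an ordered list of "with:<command>" / "without:<command>" steps and
# stop at the first failure, so a later step never runs on a half-configured
# host. Returns 0 on success, 1 on a failed step, 2 on an unknown mode.
run_steps() {
    envfile="$1"; shift
    for step in "$@"; do
        mode="${step%%:*}"; cmd="${step#*:}"
        case "$mode" in
            with)    run_with_boks_env "$envfile" sh -c "$cmd" || return 1 ;;
            without) run_without_boks_env sh -c "$cmd" || return 1 ;;
            *)       echo "unknown step mode: $mode" >&2; return 2 ;;
        esac
    done
}

# Example invocation (constructed paths), e.g. from a Puppet exec resource:
#   run_steps /opt/boksm/etc/ENV.example \
#       'with:/opt/boksm/lib/setup_selinux.sh' \
#       'without:/usr/local/sbin/post-install-clean.sh'
```

Puppet then only needs to manage the package, the ENV file as an opaque file resource, and one exec that calls the wrapper; the variable syntax in the ENV file never has to be parsed by Puppet itself.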
The new group file management is really working very well. I like the feature that I can assign the secondary groups to a userclass and the user is automatically assigned to the appropriate secondary groups simply by being a member of the userclass. This makes management so much easier.
Post by Thomas Sluyter on Oct 3, 2015 19:38:25 GMT
I can certainly see both sides to the story. In my test environments I would certainly prefer pre-packaged RPMs etc., using Puppet or some other configuration management tool to set up the config files. But in the practical situations I've worked with, the customer usually chose to roll their own installation packages, including the required config.
mikem: I for one would very much like my partner login to be reinstated so I can give BoKS 7.0 a whirl in my test lab. I'll have to contact support about that issue, again.