Recently, Mark Stanislav gave a talk on holistic authentication security for companies who have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site: cookie flags, response headers, etc. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on Apache Tomcat, which leaves a system administrator little room for configuration of these features. Enter HAProxy.
Continue reading Raise your MASSACRE Score with HAProxy
We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating, and the service could not verify the service ticket. We decided to use HAProxy for the front-end so we could switch back-end services seamlessly.
Continue reading Using HAProxy with CAS
I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3.
Earlier this year I attended the Educause Security Professional Conference in St. Louis. I went to a session at which Nick Hannon from Swarthmore College explained how Splunk could combine MaxMind GeoIP data with authentication logs to detect credential theft. I couldn’t find an exact tutorial online, so this is my execution of his idea. I based much of the syntax on another Splunk report I found here.
First we will need to get CAS sending its authentication logs to Splunk, see this post for details.
Next we can use the MaxMind database included in the Google Maps app for Splunk. Get that here: http://apps.splunk.com/app/368/. This will give us access to the “geoip” command, which provides (among other things) the longitude and latitude of an IP address.
Continue reading Detecting Credential Theft Using Splunk Geographic Information
We need to add a new field extraction for service_url like I did below.
Then I started with the following query:
Continue reading Finding popular CAS services with Splunk
The first log that I wanted to parse with our new Splunk Enterprise system was the catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education.
Configuring the universal forwarder on the CAS server was fairly straightforward. However, although CAS logs are log4j formatted, the defaults in Splunk will cause the multi-line entries to split into separate events, since there are some timestamps in the middle of events. As such, I needed to create a new source type to deal with this. So I created a new file at ‘/opt/splunk/etc/system/local/props.conf’ and added the following contents.
The main difference is that the regex for BREAK_ONLY_BEFORE is more strict than the default log4j configuration, so timestamps in the middle of an entry will not cause a new event to start.
Continue reading Mapping CAS Logins with Splunk