Wednesday 27 February 2013

Useful trick for sending HTML email

Sometimes you want to send an email as HTML from a script or from script output anyhow.  There's a couple ways to get the HTML page to the recipient.  You can attach the HTML page or you can set your Content-Type to HTML.  In my case, we're looking at scraping a web page as a cron job and sending it to some recipient(s) - the mainstay is:

curl 'http://server/web/page.html'
Attaching an HTML file is safe, but recipients may not like "opening attachments".  For HTML email, the security risk is the same, but there's a perception that "opening attachments is bad" which I wouldn't discourage as a general practice.  Rambling aside, "uuencode" will encode an attachment, any attachment, and can be used in general (word doc, zip file, etc).

curl 'http://server/web/page.html' | uuencode attachmentname.html

The other way is to set the content type to HTML and the HTML becomes the body of the email.  On some operating systems, namely Debian and Ubuntu, the mail / mailx command can add a header with the -a switch.  This is pretty simple.

curl 'http://server/web/page.html' | mail -a "Content-Type: text/html" -s "An HTML email" some-recipient@example.com

However if you are on a Red Hat / Fedora / CentOS system, your mail command does not support the -a switch.  Here you can use mutt and the mutt method will work in general.

curl 'http://server/web/page.html' | mutt -e "my_hdr Content-Type:text/html" -e "set charset=\"utf-8\"" -s "An HTML emailsome-recipient@example.com

There you have it.  Personally not a fan of HTML email (since it opens the doors to a lot of malware attacks), but if you've got to generate HTML email, using standard tools instead of writing your own perl script to wrap the scraping of a web page and generating an email is going to be much simpler.

Thanks to the "telinit q" blog for helping with this answer.  http://blog.telinitq.com/?p=137

Tuesday 19 February 2013

Blocking applications with AppLocker

I've just been in a situation where there was a particular user whom we wanted to give some access to but needed to limit their general access which in Windows 7 and Windows Server 2008 R2 you can do with "AppLocker" in a very clear way.  AppLocker sets rules that look much like firewall rules allowing or denying access to run different programs and this can be controlled either locally or through Group Policy Objects.

For example, you have a consultant helping you with your new ERP system (just saying).  They need to launch the ERP application but you really don't want them firing up a browser or the RDP client and checking things out on your network.

Getting started with AppLocker is pretty simple:

  • Launch the local group policy management tool
  • Enable auditing only initially for exe/dll control
  • Create the default rules to allow basic or general access (if applicable)
Then you want to create your specific allow / deny rules.  The AppLocker rules are going to be a collection of rules saying if they are allow or deny rules, who they apply to, what type of matching they use (path, or publisher), and then actual match.  So you might have a rule like
  • Allow
  • Consultants
  • Path
  • Program Files\ERP\bin\*
If the consultant only matches this one rule, they will be allowed to launch binaries in the ERP's installation path and will be blocked from anything else.

The first thing to do is set your rules in audit-only which creates event logs for all access that is controlled by AppLocker.  You can test out your rules very easily this way as there will be two types of events to look for: "access granted" and "access granted BUT applocker rules will block this when set to enforcing".  Once you are satisfied you are not going to can all access to your regular users and that you are locking down the consultant sufficiently, switch to enforcing and you're golden.


Or for another example, maybe you just want to block an out of date version of Acrobat Reader from running on your network.  You can set a rule to deny "Acrobat" publisher's "Acrobat Reader" program from running "9.0 or older".  Again, easy to test using "audit only" before setting enforcing.

Looks like a dummy apparmor or selinux maybe?  Honestly, I never made too much progress selinux.  I would figure out how to get something working then wouldn't use it for a while and forget out how to work with selinux and have to start all over again.

Popular Posts