Below you will find pages that utilize the taxonomy term “Security”
Duo Security and CAS
I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3.
Download the latest Java 7 JDK RPM, in my case 7u67, and install it.
rpm -i jdk-7u67-linux-x64.rpm
Next, download and install Apache Tomcat and Apache Maven.
Mapping CAS Logins with Splunk
The first log that I wanted to parse with our new Splunk Enterprise system was the catalina.out log from our CAS server. CAS, or Central Authentication Server, is a web-based, federated, single sign-on service available at http://www.jasig.org/cas/. We use it for, among other things, our authentication for Google Apps for Education.
Configuring the universal forwarder on the CAS server was fairly straightforward. However, although CAS logs are log4j formatted, the defaults in Splunk will cause the multi-line entries to split into separate events, since there are some timestamps in the middle of events. As such, I needed to create a new source type to deal with this. So I created a new file at ‘/opt/splunk/etc/system/local/props.conf’ and added the following contents.
HTTP Security Headers in Apache
HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers.
In the httpd.conf I add the following directives to the document root <Directory> section.
Header always append X-Frame-Options DENY
Header always append X-XSS-Protection "1; mode=block"
Header always append X-Content-Type-Options nosniff
Header always append Strict-Transport-Security max-age=16070400
Header always append Content-Security-Policy "default-src 'self'; script-src 'self' https://ajax.googleapis.com"
In addition, I make sure that ServerTokens is set to Prod. This prevents Apache from publishing its version and other information web users do not need to know.