Koozali.org: home of the SME Server

Government content filtering/categorization blocks SME 10 update

Michail Pappas
Government content filtering/categorization blocks SME 10 update
« on: February 01, 2024, 10:53:42 AM »
Over the last 3 months my organization has upgraded to a more recent version of a government WAN. Now, systems are required (for example) to have a government issued root cert in order for a Cisco WSA cluster to do stuff like URL content filtering, threat prevention via reputation etc.

On my production SME 10 box things went well regarding the cert. But some days ago I ran into the following problem: one of the update files is impossible to download:
Code:
# yum update
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: repo.boun.edu.tr
 * smeaddons: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: mirror.radoreservers.com
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-1160.108.1.el7 will be installed
---> Package kernel-headers.x86_64 0:3.10.0-1160.105.1.el7 will be updated
---> Package kernel-headers.x86_64 0:3.10.0-1160.108.1.el7 will be an update
---> Package net-snmp.x86_64 1:5.7.2-49.el7_9.3 will be updated
---> Package net-snmp.x86_64 1:5.7.2-49.el7_9.4 will be an update
---> Package net-snmp-agent-libs.x86_64 1:5.7.2-49.el7_9.3 will be updated
---> Package net-snmp-agent-libs.x86_64 1:5.7.2-49.el7_9.4 will be an update
---> Package net-snmp-libs.x86_64 1:5.7.2-49.el7_9.3 will be updated
---> Package net-snmp-libs.x86_64 1:5.7.2-49.el7_9.4 will be an update
---> Package smeserver-dovecot.noarch 0:1.6.0-19.el7.sme will be updated
---> Package smeserver-dovecot.noarch 0:1.6.0-21.el7.sme will be an update
---> Package smeserver-mysql.noarch 0:2.7.0-17.el7.sme will be updated
---> Package smeserver-mysql.noarch 0:2.7.0-18.el7.sme will be an update
---> Package smeserver-php.x86_64 0:3.0.0-46.el7.sme will be updated
---> Package smeserver-php.x86_64 0:3.0.0-47.el7.sme will be an update
--> Processing Dependency: php83-php-xmlrpc for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-xml for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-tidy for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-soap for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-snmp for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-process for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-pecl-zip for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-pear for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-pdo for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-opcache for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-mysqlnd for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-mbstring for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-ldap for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-json for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-intl for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-imap for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-gd for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-fpm for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-enchant for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-cli for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php-bcmath for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Processing Dependency: php83-php for package: smeserver-php-3.0.0-47.el7.sme.x86_64
--> Running transaction check
---> Package php83-php.x86_64 0:8.3.2-1.el7.remi will be installed
--> Processing Dependency: php83-php-sodium(x86-64) = 8.3.2-1.el7.remi for package: php83-php-8.3.2-1.el7.remi.x86_64
---> Package php83-php-bcmath.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-cli.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-common.x86_64 0:8.3.2-1.el7.remi will be installed
--> Processing Dependency: php83-runtime for package: php83-php-common-8.3.2-1.el7.remi.x86_64
---> Package php83-php-enchant.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-fpm.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-gd.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-imap.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-intl.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-ldap.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-mbstring.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-mysqlnd.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-opcache.x86_64 0:8.3.2-1.el7.remi will be installed
--> Processing Dependency: libcapstone.so.4()(64bit) for package: php83-php-opcache-8.3.2-1.el7.remi.x86_64
---> Package php83-php-pdo.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-pear.noarch 1:1.10.14-1.el7.remi will be installed
---> Package php83-php-pecl-xmlrpc.x86_64 0:1.0.0~rc3-3.el7.remi will be installed
---> Package php83-php-pecl-zip.x86_64 0:1.22.3-1.el7.remi will be installed
---> Package php83-php-process.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-snmp.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-soap.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-tidy.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-php-xml.x86_64 0:8.3.2-1.el7.remi will be installed
--> Running transaction check
---> Package capstone.x86_64 0:4.0.2-5.el7 will be installed
---> Package php83-php-sodium.x86_64 0:8.3.2-1.el7.remi will be installed
---> Package php83-runtime.x86_64 0:8.3-1.el7.remi will be installed
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-1160.99.1.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================================================================
 Package                                                         Arch                                           Version                                   Repository                 Size
=============================================================================================================================================================================================================================================
Installing:
 kernel                                                          x86_64                                           3.10.0-1160.108.1.el7                                   smeupdates                 52 M
Updating:
 kernel-headers                                                  x86_64                                           3.10.0-1160.108.1.el7                                   smeupdates                9.1 M
 net-snmp                                                        x86_64                                           1:5.7.2-49.el7_9.4                                   smeupdates                325 k
 net-snmp-agent-libs                                             x86_64                                           1:5.7.2-49.el7_9.4                                   smeupdates                707 k
 net-snmp-libs                                                   x86_64                                           1:5.7.2-49.el7_9.4                                   smeupdates                752 k
 smeserver-dovecot                                               noarch                                           1.6.0-21.el7.sme                                   smeupdates                 38 k
 smeserver-mysql                                                 noarch                                           2.7.0-18.el7.sme                                   smeupdates                 58 k
 smeserver-php                                                   x86_64                                           3.0.0-47.el7.sme                                   smeupdates                223 k
Removing:
 kernel                                                          x86_64                                           3.10.0-1160.99.1.el7                                   @updates                 66 M
Installing for dependencies:
 capstone                                                        x86_64                                           4.0.2-5.el7                                   smeupdates                1.1 M
 php83-php                                                       x86_64                                           8.3.2-1.el7.remi                                   remi-safe                2.1 M
 php83-php-bcmath                                                x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 93 k
 php83-php-cli                                                   x86_64                                           8.3.2-1.el7.remi                                   remi-safe                4.2 M
 php83-php-common                                                x86_64                                           8.3.2-1.el7.remi                                   remi-safe                732 k
 php83-php-enchant                                               x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 77 k
 php83-php-fpm                                                   x86_64                                           8.3.2-1.el7.remi                                   remi-safe                2.2 M
 php83-php-gd                                                    x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 99 k
 php83-php-imap                                                  x86_64                                           8.3.2-1.el7.remi                                   remi-safe                103 k
 php83-php-intl                                                  x86_64                                           8.3.2-1.el7.remi                                   remi-safe                220 k
 php83-php-ldap                                                  x86_64                                           8.3.2-1.el7.remi                                   remi-safe                100 k
 php83-php-mbstring                                              x86_64                                           8.3.2-1.el7.remi                                   remi-safe                538 k
 php83-php-mysqlnd                                               x86_64                                           8.3.2-1.el7.remi                                   remi-safe                198 k
 php83-php-opcache                                               x86_64                                           8.3.2-1.el7.remi                                   remi-safe                406 k
 php83-php-pdo                                                   x86_64                                           8.3.2-1.el7.remi                                   remi-safe                142 k
 php83-php-pear                                                  noarch                                           1:1.10.14-1.el7.remi                                   remi-safe                365 k
 php83-php-pecl-xmlrpc                                           x86_64                                           1.0.0~rc3-3.el7.remi                                   remi-safe                 48 k
 php83-php-pecl-zip                                              x86_64                                           1.22.3-1.el7.remi                                   remi-safe                 60 k
 php83-php-process                                               x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 98 k
 php83-php-snmp                                                  x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 90 k
 php83-php-soap                                                  x86_64                                           8.3.2-1.el7.remi                                   remi-safe                198 k
 php83-php-sodium                                                x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 96 k
 php83-php-tidy                                                  x86_64                                           8.3.2-1.el7.remi                                   remi-safe                 88 k
 php83-php-xml                                                   x86_64                                           8.3.2-1.el7.remi                                   remi-safe                202 k
 php83-runtime                                                   x86_64                                           8.3-1.el7.remi                                   remi-safe                1.1 M

Transaction Summary
=============================================================================================================================================================================================================================================
Install  1 Package  (+25 Dependent packages)
Upgrade  7 Packages
Remove   1 Package

Total size: 77 M
Total download size: 60 k
Is this ok [y/d/N]:
Downloading packages:
php83-php-pecl-zip-1.22.3-1.el FAILED
http://rpms.famillecollet.com/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm: [Errno 14] HTTP Error 403 - Forbidden                           ]  0.0 B/s |    0 B  --:--:-- ETA
Trying other mirror.
To address this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/.



Error downloading packages:
  php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64: [Errno 256] No more mirrors to try.

If I try to get http://rpms.famillecollet.com/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm via a browser, I'm blocked with the following notification:
Code:
This Page Cannot Be Displayed

Based on your organization's access policies, this web site ( http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm ) has been blocked because it has been determined to be a security threat to your computer or the organization's network. Malware in the category Unscannable has been found on this site.

If you have questions, please contact your organization's network administrator and provide the codes shown below.

Date: Tue, 30 Jan 2024 07:41:14 EET
Username:
Source IP: <my client IP>
URL: GET http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm
Category: Software Updates
Reason: BLOCK-MALWARE
Notification: MALWARE_SPECIFIC

Note that the link redirects to the rpms.remirepo.net site from where I can download other RPMs with no issues :(

After raising a ticket with the central gov IT I got the following response (translated from Greek):
Quote
Following the engineers' update we received information that the file being blocked by the proxy ( http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm ) has no reputation on Cisco and the file is identified as malware.

In order to allow this traffic you will either (a) have to use another repository, (b) change the reputation on Cisco itself (on your part) or (c) pass a proxy bypass for this site as it violates the current security policy.

Option (b) means to submit a reputation dispute at Cisco Talos (possibly at https://support.talosintelligence.com/docs/submit-ticket/ ). Not certain here on what I should select.

In the meantime I'll go with option (c), meaning I'll have to submit an exception request for the URL. Can't really describe how painful that is, but that's one I know how to do...

Michail Pappas
Re: Government content filtering/categorization blocks SME 10 update
« Reply #1 on: February 01, 2024, 12:56:19 PM »
Just adding that https://talosintelligence.com/reputation_center/web_reputation might be of use here. But since I do not know what to write exactly, I'm leaving that part to you guys.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Government content filtering/categorization blocks SME 10 update
« Reply #2 on: February 02, 2024, 02:00:02 AM »
All core PHP Remi updates end up in our repo at one moment. If you get some extras, then they might be missing.

Probably the best place to discuss this would be Remi's forum. He is quite reactive.

Also quite funny that it was able to get the repodata but not the actual rpm...

Have you tried updating from one URL to the other in your SME config? famille vs remirepo

Michail Pappas
Re: Government content filtering/categorization blocks SME 10 update
« Reply #3 on: February 02, 2024, 09:11:33 AM »
Quote
have tried updating from one url to another in your sme config? famille vs remirepo
Trying wget on both fails.

Quote
also quite funny it was able to get the repodata but not the actual rpm…
My thoughts exactly.

Yesterday I took the plunge and made a report to Talos, asking for the following 3 (2 domains + 1 URL) to be whitelisted:
* rpms.remirepo.net
* rpms.famillecollet.com
* rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm

Got a response that "this looks like an AV block, and not specific to reputation.  Please reach out to TAC for assistance."

The Cisco WSA cluster does not have a malware module (it can be bought as an option, but we do not have it installed). I also lack access to Cisco TAC. There seems to be some sort of transparent AV here at play, but I'm at a loss where.

I'll be pursuing this with the gov IT support. Since November half of my day is spent beta-testing a network that should be production ready ffs...
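The two artifacts in this thread (yum's `[Errno 14] HTTP Error 403` line in the first post and the WSA block notification it showed in the browser) carry different hostnames because of the redirect, which is why reply #3 ended up asking for both domains plus the URL. The following added example (not code from the thread or from SME Server) parses both texts into one record for an exception or reputation ticket; the sample strings are constructed copies of the thread's output with a placeholder source IP.

```python
"""Turn a yum download failure plus a Cisco WSA block notification into one
ticket record. Sample texts are constructed from the forum thread; the
Source IP is a placeholder (192.0.2.10)."""
import re
from urllib.parse import urlparse

YUM_OUTPUT = """\
php83-php-pecl-zip-1.22.3-1.el FAILED
http://rpms.famillecollet.com/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm: [Errno 14] HTTP Error 403 - Forbidden
Trying other mirror.
"""

WSA_NOTICE = """\
Date: Tue, 30 Jan 2024 07:41:14 EET
Username:
Source IP: 192.0.2.10
URL: GET http://rpms.remirepo.net/enterprise/7/safe/x86_64/php83-php-pecl-zip-1.22.3-1.el7.remi.x86_64.rpm
Category: Software Updates
Reason: BLOCK-MALWARE
Notification: MALWARE_SPECIFIC
"""

# yum prints "<url>: [Errno N] HTTP Error <status> - <text>" for each failed mirror
YUM_FAIL_RE = re.compile(
    r"^(?P<url>https?://\S+): \[Errno (?P<errno>\d+)\] HTTP Error (?P<status>\d{3})")


def parse_yum_failures(text):
    """Return [(url, errno, http_status)] for every failed download yum reports."""
    out = []
    for line in text.splitlines():
        m = YUM_FAIL_RE.match(line)
        if m:
            out.append((m["url"], int(m["errno"]), int(m["status"])))
    return out


def parse_wsa_notice(text):
    """Split the 'Key: value' lines of the WSA notification into a dict.
    The URL field is prefixed with the HTTP method ('GET http://...'); drop it."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if "URL" in fields:
        fields["URL"] = fields["URL"].split(None, 1)[-1]
    return fields


def build_ticket(yum_text, notice_text):
    """Combine both sources: yum saw the 403 on the configured base URL, the proxy
    logged the redirect target, so an exception must cover every host involved."""
    notice = parse_wsa_notice(notice_text)
    urls = [u for u, _, _ in parse_yum_failures(yum_text)]
    if notice.get("URL"):
        urls.append(notice["URL"])
    parsed = [urlparse(u) for u in urls]
    return {
        "urls": urls,
        "hosts": sorted({p.hostname for p in parsed}),
        "same_path": len({p.path for p in parsed}) == 1,  # same RPM behind both hosts
        "reason": notice.get("Reason"),
        "notification": notice.get("Notification"),
        "category": notice.get("Category"),
        "when": notice.get("Date"),
    }
```

A `same_path` of True with two hosts is the signature of a redirect between mirrors; both hosts need to be in the request, as the thread's author found.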