Thursday, 22 May 2008

SSL LDAP Search

SSL LDAP search without a base DN (e.g. to discover the base):

$ ldapsearch -h servername -p port_number -b "" -s base -D "uid=proxy" -Z -P /opt/DSRK6.3/etc/cert7.db -K /opt/DSRK6.3/etc/key3.db objectclass=* | grep ldap:

netscapemdsuffix: cn=ldap://dc=servername,dc=some_ds,dc=some_dc:389

ldapsearch options (with example values):

-h [server name]
    myserver.mydomain.org

-p [server port]
    123

-b [base DN]
    ou=people,ou=common,c=cz,o=mydomain,o=org

-s [scope of the search; one of the following values]
    * base - search only the base entry
    * one - search only the children of the base entry
    * sub - search the base entry and all its descendants (default)
    one

-D [account (bind DN) which performs the search]
    "uid=proxy"

-w [password for the account]
    blabla

-Z [make an SSL-encrypted connection]

-P [path to the certificate database]
    /opt/DSRK6.3/etc/cert7.db

-K [path to the key database]
    /opt/DSRK6.3/etc/key3.db

-v [run in verbose mode (diagnostics to standard output)]

-T [don't fold (wrap) long lines (default is to fold)]

-e [minimize base-64 encoding of values]

-1 [omit leading "version: 1" line in LDIF output]

[filter expression]
    "(&(objectclass=posixaccount)(uid=username))"

[attributes to return]
    "uid cn uidNumber gidNumber homeDirectory loginShell"



SSL LDAP modify

cat > /tmp/change_shell

dn: uid=username,ou=people,ou=Common,l=***,c=***,o=***
changetype: modify
replace: loginShell
loginShell: /bin/bash

[ctrl+d]

ldapmodify -h servername -p ssl_port_number -D uid=some_user_or_proxy,ou=***,l=***,c=***,o=*** -w password \
-Z -P /opt/DSRK6.3/etc/cert7.db -K /opt/DSRK6.3/etc/key3.db -f /tmp/change_shell


*A DN is typically composed of an ordered set of attribute type/attribute value pairs. Most DNs are composed of pairs in the following order:

* common name (cn)
* organization (o) or organizational unit (ou)
* country (c)

The following string-type attributes represent the set of standardized attribute types for accessing an LDAP directory. A DN can be composed of attributes with an LDAP syntax of Directory String, including the following:

* CN - CommonName
* L - LocalityName
* ST - StateOrProvinceName
* O - OrganizationName
* OU - OrganizationalUnitName
* C - CountryName
* STREET - StreetAddress

*(from IBM: http://publib.boulder.ibm.com/infocente ... gref11.htm)
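As an added example (not part of the original post and not code from the DSRK tools), the shell functions below split a DN into its RDNs, check each attribute type against the standard set listed above (extended, as an assumption, with uid and dc, which the DNs on this page also use), and emit the LDIF "replace" record that the ldapmodify -f step above reads. A value containing an escaped comma ("\,") is kept inside its RDN.

```shell
#!/bin/sh
# Added example (not from the original post): split a DN into its RDNs,
# check each attribute type against the standard Directory String attribute
# types listed above, and emit the LDIF "replace" record that ldapmodify -f reads.

# attribute types accepted in a DN: the standard set listed above plus uid and dc,
# which the DNs on this page also use (assumption: this set is complete for the directory)
DN_ATTR_TYPES="cn l st o ou c street uid dc"

# print one RDN per line; a comma escaped as "\," belongs to the value
dn_rdns() {
    printf '%s' "$1" | awk '{
        n = length($0); rdn = ""
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == "\\" && i < n) {       # keep the escape and the escaped char
                rdn = rdn c substr($0, i + 1, 1); i++
            } else if (c == ",") {
                print rdn; rdn = ""
            } else {
                rdn = rdn c
            }
        }
        if (rdn != "") print rdn
    }'
}

# fail (message on stderr) if any RDN uses an attribute type outside DN_ATTR_TYPES
dn_check() {
    dn_rdns "$1" | while IFS= read -r rdn; do
        attr=$(printf '%s' "$rdn" | cut -d= -f1 | tr '[:upper:]' '[:lower:]')
        case " $DN_ATTR_TYPES " in
            *" $attr "*) ;;
            *) echo "unknown attribute type in RDN: $rdn" >&2; exit 1 ;;
        esac
    done
}

# LDIF record for "replace: attr" on dn (the format written to /tmp/change_shell above)
ldif_replace() {
    dn=$1; attr=$2; value=$3
    dn_check "$dn" || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$dn" "$attr" "$attr" "$value"
}

# usage: redirect the record to a file and pass it to ldapmodify -f
ldif_replace 'uid=username,ou=people,ou=Common,c=cz,o=mydomain,o=org' loginShell /bin/bash
```

The check deliberately rejects an RDN whose attribute type is not in the list, so a typo in a DN is caught before the record is sent to the directory rather than failing with a less clear server-side error.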

Syntax explained in more detail:

http://docs.sun.com/source/816-6400-10/lsearch.html

Linux LDAP basics (Czech):

http://hps.mallat.cz/view.php?cisloclanku=2004101401

Vista & XP Profile Directory Locations

The easiest way to access your profile on Windows is to use the environment variable %appdata%. Here are the details.

Auditd configuration on Linux to track activity of users

If you are asked to track user activity on your system, i.e. to log users' commands, you will probably first think of the native Linux auditing facility, auditd. Auditd is capable of that and more: it can also watch for changes to specific files/directories and track almost all system actions, since the auditing facility can be hooked before and/or after any system call.

The example shows how to configure auditd to watch for commands issued by users. To read the log easily you can use my script audit_report (listed further down this page).

Linux auditing is provided by the auditd daemon. The basic components of the auditd package:

configuration files:
/etc/auditd.conf - configuration file, general behavior of the program
/etc/audit.rules - audit rules, filters applied in kernel

tools:
ausearch - to query logs
aureport - to produce summary reports
auditctl - to modify audit rules interactively
autrace - to trace a process similar to strace

How does Linux auditing work?

Audit rules can be based on task or entry (simplified):

audit task - audit event generated only at the time a task is created
audit entry - event is generated upon entry to a system call

The major disadvantage of task-based auditing is its demand on system resources (CPU, I/O, filesystem size): whenever a process calls fork() or clone(), audit event filtering is invoked. The other problem is that filtering can only be done on the fields already known at task creation time, such as the issuer's uid and gid. Auditing based on entry to a syscall, if properly configured, has acceptable system resource requirements and allows tracking all of the user's actions. The syscall table can be found at:

http://docs.cs.up.ac.za/programming/asm ... calls.html or http://asm.sourceforge.net/syscall.html

User command auditing on Linux systems

The auditd rules file which tells auditd to log every execve call (syscall 11 on i386) in order to track user activity looks like this:

/etc/audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events
-b 256

# Audit all execve calls
-a entry,always -S execve
-a entry,never


The configuration file, which controls the auditd behavior:

/etc/auditd.conf

#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 1
max_log_file = 80
max_log_file_action = IGNORE
space_left = 240
space_left_action = SYSLOG
admin_space_left = 160
admin_space_left_action = EMAIL
action_mail_acct = root
disk_full_action = SUSPEND
disk_error_action = SUSPEND


Explanation:
max_log_file = 80 sets the maximum log size to 80 MB, which only matters when logs are rotated; since we do not rotate (max_log_file_action = IGNORE), the value is not important here and auditing continues as long as space is available on the local disk. space_left = 240 tells the daemon to write a warning to syslog (space_left_action = SYSLOG) when less than 240 MB of filesystem space is available for collecting audit data. When less than admin_space_left (160 MB) remains on the device, a mail warning is sent to root (admin_space_left_action = EMAIL, action_mail_acct = root).

After this configuration, just run
# service auditd start

Basic search in the log files (for my_user, within a time interval)

# ausearch -ge my_user -ts 10:00:00 -te 12:49:00

time->Thu Apr 5 10:58:25 2007
type=PATH msg=audit(1175767105.483:74858): flags=101 inode=229501 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1175767105.483:74858): name="/bin/rm" flags=101 inode=49200 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1175767105.483:74858): cwd="/tmp"
type=EXECVE msg=audit(1175767105.483:74858): argv[0]="rm" argv[1]="-f" argv[2]="/tmp/abc.txt"
type=SYSCALL msg=audit(1175767105.483:74858): arch=40000003 syscall=11 success=yes exit=0 a0=9cbb1e8 a1=9cbacf8 a2=9cba490 a3=9cbacf8 items=2 pid=4864 auid=15382 uid=15382 gid=15382 euid=15382 suid=15382 fsuid=15382 egid=15382 sgid=15382 fsgid=15382 comm="rm" exe="/bin/rm"

Search for the command 'rm' issued by user my_user

# ausearch -ge my_user -x rm

RedHat/CentOS version 4 or 5 check in bash


grep -i 'release 4' /etc/redhat-release > /dev/null && DISTRO=RHEL4
grep -i 'release 5' /etc/redhat-release > /dev/null && DISTRO=RHEL5

case $DISTRO in
    RHEL4)
        echo "version 4"
        ;;
    RHEL5)
        echo "version 5"
        ;;
    *)
        echo "this is not CentOS4/CentOS5 or RedHat4/RedHat5"
        exit 1
        ;;
esac

Simple use of the test command

Check if the file /etc/auditd.conf exists; if not, create an empty one:

test ! -f /etc/auditd.conf && touch /etc/auditd.conf

Check if the folder exists:

test ! -d /ora1 && echo "/ora1 doesn't exist" && exit 13

ILOM - Quick

ILOM - Sun(TM) Integrated Lights Out Manager. ILOM is designed for managing Sun AMD-based servers over the network. You can access the ILOM text console (via ssh) or the web-based ILOM frontend (via http/https).

What can you do with the ILOM text console? Mostly you will use commands such as:

start /SP/console
reset /SYS
start /SYS
stop /SYS



The commands above are self-explanatory. The first command opens the console and the others perform a reset/start/stop operation on the box.

What can't you do with the text ILOM console? You cannot change BIOS settings (for example the boot device priority). If you need to do that, open the ILOM web frontend (the same IP address as for ILOM ssh access) and launch the Java console redirection plug-in.

The Java console shows you the whole boot process as if you were sitting in front of the server. The Java-based console is capable of graphics redirection too (so there is no problem with an X Window installation).

The ILOM (text) interface itself is a sort of UNIX shell. After you log on to the console you can use UNIX commands such as ls and cd. To begin with ILOM, just issue ls on / (root).

-> ls /

/
Targets:
SYS
SP

Properties:


Commands:
cd
show


There are so-called TARGETS. You use them like ordinary directories: just go to the target (cd) and issue ls. The ls output tells you what you can do in each specific directory/target (or namespace, as Sun sometimes calls it).

-> cd /SYS
/SYS

-> ls

/SYS
Targets:
FP
SP
FT0
FT1
MB
PDB
PS0
PS1
SASBP
FAN_FAULT
LOCATE
POWER
PSU_FAULT
SERVICE
TEMP_FAULT

Properties:
type = Host System
power_state = On

Commands:
cd
reset
set
show
start
stop


We can go to other targets or issue the commands available in that directory; in this case reset, start/stop etc.

-> cd /SP
/SP

-> ls

/SP
Targets:
alert
cli
clients
clock
console
logs
network
serial
services
sessions
users

Properties:


Commands:
cd
load
reset
show
version



We went to /SP, and from here we can go to the console or change some ILOM settings. Let's say we would like to change the network IP address of the ILOM management card.

To change the IP address of the ILOM interface, set the pending addresses first, then check and commit them.


cd /SP/network
set pendingipaddress=nnn.nn.nn.nn
set pendingipnetmask=nnn.nn.nn.nn
set pendingipgateway=nnn.nn.nn.nn
set commitpending=true



The rest you can find here:

http://dlc.sun.com/pdf/820-0280-12/820-0280-12.pdf

How to escape from an ILOM-issued console session? Try [ESC] + [(].

Simple Solaris iptraf like script

How to monitor interface throughput on a Solaris machine? I was looking for some sort of Linux's IPTraf (a great IP traffic monitor which shows you more than just interface throughput) for Solaris. There seems to be no IPTraf port or similar text utility for Solaris so far. The script below should help you a bit and show the interface throughput.

It only prints out the throughput of the interface in 5-second intervals. If your system's interface is named ce0 instead of hme0, change 'hme:0:hme0:*bytes' in the script to 'ce:0:ce0:*bytes' (and the interface name in the echo line).

#!/usr/bin/bash
# traffic monitor
# writes total number of bytes (traffic) per interval
WAIT=5

# kstat -p prints "module:instance:name:statistic<TAB>value"; the statistic
# name is matched exactly, because the *bytes pattern also returns the
# rbytes64/obytes64 counters and a plain grep would pick up both values
I_BYTES_OLD=`kstat -p 'hme:0:hme0:*bytes' | awk '$1 ~ /:rbytes$/ { print $2 }'`
O_BYTES_OLD=`kstat -p 'hme:0:hme0:*bytes' | awk '$1 ~ /:obytes$/ { print $2 }'`

while true
do
    sleep $WAIT
    DATE=`date +%m/%d/%y" "%H:%M:%S`

    I_BYTES=`kstat -p 'hme:0:hme0:*bytes' | awk '$1 ~ /:rbytes$/ { print $2 }'`
    O_BYTES=`kstat -p 'hme:0:hme0:*bytes' | awk '$1 ~ /:obytes$/ { print $2 }'`

    # bytes transferred since the previous sample
    I_BYTES_DIFF=`echo $I_BYTES - $I_BYTES_OLD | bc`
    O_BYTES_DIFF=`echo $O_BYTES - $O_BYTES_OLD | bc`
    T_BYTES=`echo $I_BYTES_DIFF + $O_BYTES_DIFF | bc`

    I_BYTES_OLD=$I_BYTES
    O_BYTES_OLD=$O_BYTES

    clear
    echo "$DATE interface: hme0 input: $I_BYTES_DIFF output: $O_BYTES_DIFF totalBytes: $T_BYTES"
done

Allow vsftpd to use passive mode

The design of the FTP protocol relies on two channels: one channel is dedicated to FTP commands (ls, pwd, get, bi, ha) and the other to data transfer only.

FTP originally required that, after the command channel from client to server was established (client connected to port 21), the server connect from its port 20 to the client's assigned data port (above 1024). This mode, nowadays called "active mode", had problems with various network masquerades (NAT) and with client firewalls as well, because the server initiates the connection to the client.

Therefore the other, PASSIVE mode was added to FTP; it does not require the server to send a SYN packet to the client. The client opens the connection from some high port (> 1024) to the FTP server's command port 21; then, for the data transfer, the client again initiates a connection to one of the server's high ports.

When your FTP server is firewalled, you will need to allow both modes, as some clients still have firewalls in the way which prevent active mode access.

To allow passive mode in vsftpd (the default ftpd in CentOS), add the lines below to vsftpd.conf. Vsftpd will use the specified port range to assign data channels in passive mode, one port per client data connection (pasv_min_port is the lower bound of the range):

pasv_enable=yes
pasv_min_port=20000
pasv_max_port=20050


Plus, if your host has the standard CentOS/RedHat firewall on, you should add the lines which allow the client to connect to the server's high ports. The required port range in iptables is specified with a colon (20000:20050).
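As an added example (not part of the original post and not vsftpd's own tooling), the functions below read the passive range from a vsftpd.conf, refuse an inverted or missing range (the min/max mix-up is an easy mistake to make), and print the iptables lines for the command port and the passive data range. The rules target the plain INPUT chain; the stock RedHat/CentOS firewall of that time kept its rules in its own chain, so the chain name is an assumption to adjust for your box.

```shell
#!/bin/sh
# Added example (not from the original post): check the passive port range in a
# vsftpd.conf and print the matching iptables rules. Written against the plain
# INPUT chain (assumption); adjust the chain name to match your firewall setup.

# constructed sample vsftpd.conf, with the range in the right order
sample_vsftpd_conf() {
cat <<'EOF'
# vsftpd.conf (constructed sample)
pasv_enable=yes
pasv_min_port=20000
pasv_max_port=20050
EOF
}

# read pasv_min_port / pasv_max_port from a vsftpd.conf on stdin and print the
# iptables range "min:max"; fail if either is missing or the range is inverted
pasv_range() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 == "pasv_min_port" { min = $2 + 0 }
        $1 == "pasv_max_port" { max = $2 + 0 }
        END {
            if (min == 0 || max == 0) {
                print "pasv_min_port/pasv_max_port not set" > "/dev/stderr"; exit 1
            }
            if (min > max) {
                print "pasv_min_port " min " is above pasv_max_port " max > "/dev/stderr"; exit 1
            }
            print min ":" max
        }'
}

# iptables rules for the command channel (21) and the passive data range
pasv_iptables_rules() {
    range=$(pasv_range) || return 1
    printf 'iptables -A INPUT -p tcp --dport 21 -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$range"
}

# usage: pasv_iptables_rules < /etc/vsftpd/vsftpd.conf
sample_vsftpd_conf | pasv_iptables_rules
```

Keeping the passive range small and explicitly allowed is what lets the firewall stay closed for everything else; an inverted range silently leaves vsftpd unable to hand out data ports, which shows up as clients hanging on directory listings.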

Disable yum kernel updates on CentOS Linux

echo "exclude = kernel*" >> /etc/yum.conf

Audit report - script to format output (similar to the Solaris audit)

If you audit user actions (commands) on a Linux box via auditd, the following script can help you go through the logged data. It shows user actions on the Linux system in a human-readable form.

The example below shows the ordinary user "chick" who switched to root and then created and deleted the file "somefile" in the /etc directory. As you can see, the auid is persistent across the su command, so the user is still seen as "chick" under the authentic auid even though he/she switched to root to touch and remove the file.

# audit_report /var/log/audit/audit.log | grep somefile


time="02/29/2008 09:21:31" cwd=/root syscall=execve success=yes exit=0 pid=17695 auid=chick gid=root euid=root suid=root fsuid=root egid=root sgid=root comm=touch exe=/bin/touch argv[0]="touch" argv[1]="/etc/somefile"
time="02/29/2008 09:21:32" cwd=/root syscall=execve success=yes exit=0 pid=17697 auid=chick gid=root euid=root suid=root fsuid=root egid=root sgid=root comm=rm exe=/bin/rm argv[0]="rm" argv[1]="-i" argv[2]="/etc/somefile"

Here is the script:

#!/bin/bash
# @(#) audit_report 1.1@(#) 25/05/07
# ---------------------------------------------------
#
# audit_report: prints out the specified input audit file
# (archived or current log) in a Solaris-like format
#
# warning: this parser works with audit-1.0.14-1.EL4;
# future versions of auditd may have different output
# field naming or order
# ---------------------------------------------------

FSPEC="${1}"
TMP_FILE="/tmp/audit_log_tmp"

# check valid argument
if [ "$FSPEC" = "" ]; then
    echo "parameters: audit_report input_file" 1>&2
    exit 1
fi

# check if file exists
if [ ! -f "$FSPEC" ]; then
    echo "error: can't access $FSPEC" 1>&2
    exit 1
fi

# check if ${TMP_FILE} exists
if [ -f "${TMP_FILE}" ]; then
    echo "info: ${TMP_FILE} exists, someone may be using audit_report or a previous run was terminated" 1>&2
    echo -n "do you want me to delete the file to proceed? (y/n): " 1>&2
    read INPUT
    if [ "${INPUT}" = "y" ]; then
        /bin/rm "${TMP_FILE}"
    else
        exit 1
    fi
fi

# ausearch path
if [ -x /sbin/ausearch ]; then
    AUSEARCH=/sbin/ausearch
else
    AUSEARCH=ausearch
fi

# extract filename, remove path
FNAME=`basename "$FSPEC"`

# check if gzipped
GZIP=`echo "$FNAME" | egrep ".gz$"`

if [ "$GZIP" = "" ]; then
    # the live audit.log is copied first, so the daemon can keep writing to it
    if [ "${FNAME}" = "audit.log" ]; then
        /bin/cp "${FSPEC}" "${TMP_FILE}"
        SRCFILE="${TMP_FILE}"
    else
        SRCFILE="${FSPEC}"
    fi
else
    echo "info: unzipping: ${FSPEC}"
    cp "${FSPEC}" "${TMP_FILE}.gz"
    gunzip "${TMP_FILE}.gz"
    SRCFILE="${TMP_FILE}"
fi

# parse plain text audit file
# 1) ausearch -i substitutes text (user names, syscall names) for numbers where possible
# 2) the records of one event are joined into a single line; ausearch
#    separates events with a "----" line

# loop - processing audit file to sol format

${AUSEARCH} -i -if "${SRCFILE}" | while read SHORT_LINE
do
    if [ "${SHORT_LINE}" != "----" ]; then

        # record type: the value of the first field, type=XXX
        SYMBOL=`echo ${SHORT_LINE} | tr '= ' ' ' | awk '{ print $2 }'`

        case ${SYMBOL} in
            PATH)
                ;;
            CWD)
                # $2 - date part
                # $3 - time part
                # $5 - actual working dir, cwd

                # put the date-time into quotes (the part between "(" and the
                # first "." of the fractional seconds)
                TIME_STAMP=`echo ${SHORT_LINE} | tr '(' '.'`
                TIME_STAMP=`echo ${TIME_STAMP} | awk -F"." '{ print $2 }'`
                TIME_STAMP="time=\"${TIME_STAMP}\" "

                LINE1=`echo ${SHORT_LINE} | awk '{ print $5 }'`
                ;;
            EXECVE)
                # $5 - argv[0]
                # $6 - argv[1]
                # $7 - argv[2]
                # $8 - argv[3]
                LINE3=`echo ${SHORT_LINE} | awk '{ print $5 " " $6 " " $7 " " $8 }'`
                ;;
            SYSCALL)
                # $6 - syscall
                # $7 - success
                # $8 - exit code
                # $9 to 12 - pointers
                # $13 - nr of args
                # $14 - pid
                # $15 - auid
                # $16 - uid
                # $17 - gid
                # $18 - euid
                # $19 - suid
                # $20 - fsuid
                # $21 - egid
                # $22 - sgid
                # $23 - fsgid
                # $24 - command
                # $25 - executable
                LINE2=`echo ${SHORT_LINE} | awk '{ print $6 " " $7 " " $8 " " $14 " " $15 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $24 " " $25 }'`
                ;;
            *)
                ;;
        esac

    else
        # end of event: print the collected fields on one line, then clear them
        # so that a later event without an EXECVE record does not show stale data
        if [ -n "${LINE2}" ]; then
            echo "${TIME_STAMP} ${LINE1} ${LINE2} ${LINE3}"
        fi
        TIME_STAMP=""; LINE1=""; LINE2=""; LINE3=""
    fi
done

# cleanup temporary file
if [ "${SRCFILE}" = "${TMP_FILE}" ]; then
    /bin/rm "${TMP_FILE}"
fi

# end
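As an added example (not the audit_report script above, and not part of the original post), the parser below works on raw audit.log records in the format shown in the ausearch output earlier on this page: it groups the CWD, EXECVE and SYSCALL records of one event by the serial in msg=audit(secs.ms:serial), prints one line per execve, and flags the events where auid differs from uid, i.e. the su case described above where "chick" keeps the login auid while running commands as root. The sample records are constructed; the syscall number 11 is the i386 execve from the page's own log.

```shell
#!/bin/sh
# Added example (not the audit_report script above, not part of the original
# post): reduce raw audit.log records to one line per execve event and flag the
# events where auid differs from uid (user switched identity before running the
# command). Records are grouped by the serial in msg=audit(secs.ms:serial).

# constructed sample records, modelled on the raw ausearch output shown earlier;
# event 5001 is a user with auid 1001 working as root, 5002 an ordinary user
sample_audit_log() {
cat <<'EOF'
type=CWD msg=audit(1204273291.101:5001): cwd="/root"
type=EXECVE msg=audit(1204273291.101:5001): argv[0]="touch" argv[1]="/etc/somefile"
type=SYSCALL msg=audit(1204273291.101:5001): arch=40000003 syscall=11 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 pid=17695 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
type=CWD msg=audit(1204273292.202:5002): cwd="/tmp"
type=EXECVE msg=audit(1204273292.202:5002): argv[0]="rm" argv[1]="-f" argv[2]="/tmp/abc.txt"
type=SYSCALL msg=audit(1204273292.202:5002): arch=40000003 syscall=11 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 pid=4864 auid=15382 uid=15382 gid=15382 euid=15382 suid=15382 fsuid=15382 egid=15382 sgid=15382 fsgid=15382 comm="rm" exe="/bin/rm"
EOF
}

# stdin: raw audit records; stdout: one line per execve event (syscall 11 on i386)
audit_execve_lines() {
    awk '
    # split the "key=value ..." part after "): " into kv, stripping quotes
    function fields(line, kv,   i, m, parts, eq, v, p) {
        p = index(line, "): ")
        if (p > 0) line = substr(line, p + 3)
        m = split(line, parts, " ")
        for (i = 1; i <= m; i++) {
            eq = index(parts[i], "=")
            if (eq == 0) continue
            v = substr(parts[i], eq + 1)
            gsub(/"/, "", v)
            kv[substr(parts[i], 1, eq - 1)] = v
        }
    }
    {
        if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/) == 0) next
        serial = substr($0, RSTART, RLENGTH)
        sub(/^msg=audit\([0-9.]+:/, "", serial)
        sub(/\)$/, "", serial)
        if (!(serial in seen)) { seen[serial] = 1; order[++n] = serial }
        type = $1; sub(/^type=/, "", type)
        split("", kv); fields($0, kv)
        if (type == "CWD") {
            cwd[serial] = kv["cwd"]
        } else if (type == "EXECVE") {
            # argv[i] values are joined with spaces (an argument that itself
            # contains a space is not reconstructed exactly by this simple split)
            args = ""
            for (i = 0; ("argv[" i "]") in kv; i++) {
                sep = (i > 0) ? " " : ""
                args = args sep kv["argv[" i "]"]
            }
            argv[serial] = args
        } else if (type == "SYSCALL" && kv["syscall"] == "11") {
            auid[serial] = kv["auid"]; uid[serial] = kv["uid"]
            exe[serial] = kv["exe"]; ok[serial] = kv["success"]
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            s = order[j]
            if (!(s in exe)) continue
            flag = (auid[s] != uid[s]) ? " AUID_MISMATCH" : ""
            printf "serial=%s cwd=%s auid=%s uid=%s exe=%s success=%s argv=\"%s\"%s\n",
                s, cwd[s], auid[s], uid[s], exe[s], ok[s], argv[s], flag
        }
    }'
}

# stdin: raw audit records; stdout: number of execve events run under a
# switched identity (auid != uid)
audit_mismatch_count() {
    audit_execve_lines | grep -c AUID_MISMATCH
}

# usage: audit_execve_lines < /var/log/audit/audit.log
sample_audit_log | audit_execve_lines
```

Because auid is set at login and survives su, the AUID_MISMATCH flag is the quick way to separate "what root did" from "which person was logged in when it was done", which is the whole point of auditing execve rather than relying on shell history.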

Determine processor type and speed (Solaris)


# psrinfo -v
Status of virtual processor 0 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:04:10.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.
Status of virtual processor 1 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:04:10.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.
Status of virtual processor 2 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:04:10.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.
Status of virtual processor 3 as of: 12/28/2007 09:41:56
on-line since 12/14/2007 13:03:45.
The sparcv9 processor operates at 1062 MHz,
and has a sparcv9 floating point processor.

Determine if the system is running in 32-bit or 64-bit mode (Solaris)


# isainfo -v
64-bit sparcv9 applications
vis2 vis
32-bit sparc applications
vis2 vis v8plus div32 mul32



Intel, 32-bit version:


# isainfo -v
32-bit i386 applications
sse sse2 sse fxsr mmx cmov sep cx8 tsc fpu

Veritas Cluster - Links

http://www.darklab.net/resources/veritas-cluster-server-debug.html

Sun cluster commands (3.2)


Setup commands

scinstall
    install the primary or next cluster node
clsetup
    menu-driven re-configuration utility
cluster
    interactive command shell for cluster management
cluster status
    status of all cluster components
cluster list-cmds
    list the available commands


Quorum device commands

clq status
    quorum votes summary, quorum votes by node/device status
clq list
    list all the quorum elements (devices/hosts)
clq show
    cluster nodes (with reservation keys) and quorum device path(s)


SCSI commands and devices

/usr/cluster/lib/sc/scsi -c inkeys -d /dev/did/rdsk/device
    show reservation keys (all possible/available keys for the device)
/usr/cluster/lib/sc/scsi -c inresv -d /dev/did/rdsk/device
    show the active reservation (server accessing the quorum device)
cldev
    administer Sun Cluster device instances
cldevice status
    status of disk devices


Server node commands

clnode list
    list servers in the cluster
clnode show-rev
    cluster software version
clnode status
    status of the clustered servers (Online/Offline)


Heartbeat links

clintr
    heartbeat endpoint status
scstat -W
    cluster transport paths


Cluster resource commands

clrs status
    (rs as in resource) resource status
clrs show -v resource-name
    show the values of all resource attributes for the given resource-name (such as Type/Group/Class)
clrs show -p NetIflist resource-name
    show the NetIflist resource attribute value
clrs set -p netiflist=primary@1,primary@3,primary@4 resource-name
    set attribute value(s)


Resource group commands

clrg status
    (rg as in resource group) resource group status
clrg manage resource-group
    put the resource group under cluster management
clrg online resource-group
    bring it online
clrg add-node -n hostnameX resource-group
    allow the service/resource group to migrate/fail over to hostnameX as well
clrg switch -n hostnameX resource-group
    fail over the resource group to hostnameX


Resource types

clrt list
    (rt as in resource types: SUNW.SharedAddress, SUNW.LogicalHostname ...) print the registered SUNW resource types


Checksum

/usr/cluster/lib/sc/ccradm -i infrastructure
    compute a new checksum after changing the cluster config in the /etc/cluster/ccr/infrastructure file

How to change the language setting (LOCALE) in Linux

# vi /etc/sysconfig/i18n

English:
LANG="en_US.UTF-8"

Czech:
LANG="cs_CZ.UTF-8"

Wednesday, 21 May 2008

Notes on Nagios (documentation)

Nagios - documentation for version 3 (pdf)
http://nagios.sourceforge.net/docs/nagios-3.pdf

Nagios - NRPE (daemon for running plugins on a remote client):
http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf

Nagios - plugins
http://nagiosplugins.org/node/2

Nagios - graphing:
http://www.pnp4nagios.org/pnp/screenshots

MRTG log
http://oss.oetiker.ch/mrtg/doc/mrtg-unix-guide.en.html

Solaris 10 and the CHOWN/CHGRP commands

The 'chown' command for changing a file's owner can be run only by the 'root' user. An ordinary user can nevertheless be allowed to use chown by setting the parameter 'set rstchown=0' in the file /etc/system. This behaviour is, however, disabled by default in Solaris.

The 'chgrp' command can be run by an ordinary user as well. A user is always allowed to change the group ownership of a file to a group of which he is himself a member. If an ordinary user needs to change the group a file belongs to and is not a member of the target group, the system again does not allow it, for security reasons. This behaviour can be changed in /etc/system by setting 'set rstchown=0'.

Both of the above settings for /etc/system, however, fundamentally degrade the security of the system.

Windows XP update problems after installing SP3

After installing SP3 on XP, automatic updates stopped working for me (they download, but their installation ends with an error) and the USB port to which my Yamaha keyboard is connected also started to misbehave. So I googled and found some tips on how to solve these problems. The update problem is now solved; whether USB works remains to be seen.

The update problem:

- find C:\Windows\System32\Wups2.dll
- right-click, choose "Open With" and select "Choose Program"
- the program to select for running the dll: C:\Windows\System32\Regsvr32.


For the rest, have a look here or here.