Thursday, 22 May 2008

SSL LDAP Search

SSL LDAP search without a base DN (e.g. to find out what the base is):

$ ldapsearch -h servername -p port_number -b "" -s base -D "uid=proxy" -Z -P /opt/DSRK6.3/etc/cert7.db -K /opt/DSRK6.3/etc/key3.db objectclass=* | grep ldap:

netscapemdsuffix: cn=ldap://dc=servername,dc=some_ds,dc=some_dc:389

ldapsearch options (with example values):

-h [server name]: myserver.mydomain.org

-p [server port]: 123

-b [base DN]: ou=people,ou=common,c=cz,o=mydomain,o=org

-s [scope of the search; one of the following values:
    base - search only the base entry
    one  - search only the children of the base entry
    sub  - search the base entry and all its descendants (default)]: one

-D [account (bind DN) which performs the search]: "uid=proxy"

-w [password for the account]: blabla

-Z [make an SSL-encrypted connection]

-P [path to the certificate database]: /opt/DSRK6.3/etc/cert7.db

-K [path to the key database]: /opt/DSRK6.3/etc/key3.db

-v [run in verbose mode (diagnostics to standard output)]

-T [don't fold (wrap) long lines (default is to fold)]

-e [minimize base-64 encoding of values]

-1 [omit leading "version: 1" line in LDIF output]

[filter expression]: "(&(objectclass=posixaccount)(uid=username))"

[which attribute values to return]: "uid cn uidNumber gidNumber homeDirectory loginShell"



SSL LDAP modify

cat > /tmp/change_shell

dn: uid=username,ou=people,ou=Common,l=***,c=***,o=***
changetype: modify
replace: loginShell
loginShell: /bin/bash

[ctrl+d]

ldapmodify -h servername -p ssl_port_number -D uid=some_user_or_proxy,ou=***,l=***,c=***,o=*** -w password \
-Z -P /opt/DSRK6.3/etc/cert7.db -K /opt/DSRK6.3/etc/key3.db -f /tmp/change_shell


A DN is typically composed of an ordered set of attribute type/attribute value pairs. Most DNs are composed of pairs in the following order:

* common name (cn)
* organization (o) or organizational unit (ou)
* country (c)

The following string-type attributes represent the set of standardized attribute types for accessing an LDAP directory. A DN can be composed of attributes with an LDAP syntax of Directory String, including the following:

* CN - CommonName
* L - LocalityName
* ST - StateOrProvinceName
* O - OrganizationName
* OU - OrganizationalUnitName
* C - CountryName
* STREET - StreetAddress

(from IBM: http://publib.boulder.ibm.com/infocente ... gref11.htm)

The ldapsearch syntax explained in more detail:

http://docs.sun.com/source/816-6400-10/lsearch.html

Linux LDAP basics (in Czech):

http://hps.mallat.cz/view.php?cisloclanku=2004101401

Vista & XP Profile Directory Locations

The easiest way to access your profile on Windows is to use the environment variable %appdata%. Here are the details.

Auditd configuration on Linux to track activity of users

If you are asked to track user activity on your system, i.e. to log users' commands, you will probably first think of the native Linux auditing facility, auditd. Auditd is capable of that and more: it can also watch for changes to specific files and directories and track almost all system actions. The auditing facility can be hooked before and/or after any system call.

The example shows how to configure auditd to watch for commands issued by users. To read the log easily you can use my script audit_report.

Linux auditing is provided by the auditd daemon. The basic components of the auditd package:

configuration files:
/etc/auditd.conf - configuration file, general behavior of the program
/etc/audit.rules - audit rules, filters applied in kernel

tools:
ausearch - to query logs
aureport - to produce summary reports
auditctl - to modify audit rules interactively
autrace - to trace a process similar to strace

How does Linux auditing work?

Auditing rules can be based on task or entry (simplified):

audit task - the audit event is generated only at the time a task is created
audit entry - the event is generated upon entry to a system call

The major disadvantage of task-based auditing is its demand on system resources (CPU, I/O, filesystem space). When task-based rules are used, audit event filtering is invoked every time a process calls fork() or clone(). The other problem is that filtering can only be done on fields already known at task creation time, such as the issuer's uid, gid and so on. Auditing based on entry to a syscall, if properly configured, has acceptable resource requirements and allows tracking all of a user's actions. The syscall table can be found at:

http://docs.cs.up.ac.za/programming/asm ... calls.html or http://asm.sourceforge.net/syscall.html

User command auditing on Linux systems

The auditd rules file which tells auditd to log every call to syscall 11 (execve), in order to track user activity, looks like this:

/etc/audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events
-b 256

# Audit all execve calls
-a entry,always -S execve
-a entry,never


The configuration file, which controls the auditd behavior:

/etc/auditd.conf

#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 1
max_log_file = 80
max_log_file_action = IGNORE
space_left = 240
space_left_action = SYSLOG
admin_space_left = 160
admin_space_left_action = EMAIL
action_mail_acct = root
disk_full_action = SUSPEND
disk_error_action = SUSPEND


Explanation:
max_log_file = 80 tells the system to keep the log file at a maximum of 80 MB, which matters when logs are rotated; because we don't rotate logs (max_log_file_action = IGNORE), the value here is not important and auditing runs on as long as space is available on the local disk. space_left = 240 tells the system to write a warning to syslog (space_left_action = SYSLOG) when less than 240 MB of filesystem space is available for collecting audit data. When less than admin_space_left (160 MB) is left on the device, a mail warning is sent to root (admin_space_left_action = EMAIL, action_mail_acct = root).

After this configuration, just run
# service auditd start

Basic search within the log files (search for my_user within a time interval):

# ausearch -ge my_user -ts 10:00:00 -te 12:49:00

time->Thu Apr 5 10:58:25 2007
type=PATH msg=audit(1175767105.483:74858): flags=101 inode=229501 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1175767105.483:74858): name="/bin/rm" flags=101 inode=49200 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1175767105.483:74858): cwd="/tmp"
type=EXECVE msg=audit(1175767105.483:74858): argv[0]="rm" argv[1]="-f" argv[2]="/tmp/abc.txt"
type=SYSCALL msg=audit(1175767105.483:74858): arch=40000003 syscall=11 success=yes exit=0 a0=9cbb1e8 a1=9cbacf8 a2=9cba490 a3=9cbacf8 items=2 pid=4864 auid=15382 uid=15382 gid=15382 euid=15382 suid=15382 fsuid=15382 egid=15382 sgid=15382 fsgid=15382 comm="rm" exe="/bin/rm"

Search for the command 'rm' issued by user my_user:

# ausearch -ge my_user -x rm
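As an added example (not the audit_report script mentioned above), a small Python parser that joins the records ausearch prints for one event (matched by the serial in msg=audit(ts:serial)) and reports who ran what. The sample is constructed from the output above, modified so that one argument is in the hex form audit uses for arguments with special characters and so that the effective uid differs from the login uid (auid):

```python
import re
from collections import defaultdict

# Constructed sample based on the ausearch output above: argv[2] is hex-encoded
# ("/tmp/abc txt", a name containing a space) and euid differs from auid (user switched to root).
SAMPLE = """\
type=PATH msg=audit(1175767105.483:74858): name="/bin/rm" flags=101 inode=49200 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1175767105.483:74858): cwd="/tmp"
type=EXECVE msg=audit(1175767105.483:74858): argv[0]="rm" argv[1]="-f" argv[2]=2F746D702F61626320747874
type=SYSCALL msg=audit(1175767105.483:74858): arch=40000003 syscall=11 success=yes exit=0 pid=4864 auid=15382 uid=0 euid=0 comm="rm" exe="/bin/rm"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\S+?)=("[^"]*"|\S+)')
UNTRUSTED = ("cwd", "name", "argv[")  # fields the kernel hex-encodes when they contain odd bytes

def parse_fields(body):
    """Split 'k=v k2="v2"' into a dict, unquoting values and hex-decoding untrusted ones."""
    out = {}
    for key, val in FIELD.findall(body):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key.startswith(UNTRUSTED) and re.fullmatch(r'(?:[0-9A-F]{2})+', val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        out[key] = val
    return out

def correlate(text):
    """Join the PATH/CWD/EXECVE/SYSCALL records that share one audit serial into one event."""
    events = defaultdict(lambda: {"argv": {}})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip the 'time->' and '----' separator lines ausearch prints
        rtype, ts, serial, body = m.groups()
        ev, f = events[serial], parse_fields(body)
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev.update((k, f.get(k)) for k in ("auid", "uid", "euid", "pid", "syscall", "success", "exe"))
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "EXECVE":
            ev["argv"].update((int(k[5:-1]), v) for k, v in f.items() if k.startswith("argv["))
    return dict(events)

def summarize(ev):
    """One line per event; the login uid (auid) survives su, so flag commands where euid != auid."""
    argv = [ev["argv"][i] for i in sorted(ev["argv"])]
    return "%s auid=%s euid=%s pid=%s cwd=%s cmd=%r%s" % (ev["time"], ev.get("auid"),
        ev.get("euid"), ev.get("pid"), ev.get("cwd"), argv,
        " [euid!=auid]" if ev.get("euid") != ev.get("auid") else "")
```

Feed it the raw ausearch output (`correlate(open("out.txt").read())`) and print `summarize(ev)` for each event to get one line per executed command.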

RedHat/CentOS version 4 or 5 check in bash

grep -i 'release 4' /etc/redhat-release > /dev/null && DISTRO=RHEL4
grep -i 'release 5' /etc/redhat-release > /dev/null && DISTRO=RHEL5

case "$DISTRO" in
RHEL4)
echo "version 4"
;;
RHEL5)
echo "version 5"
;;
*)
echo "this is not CentOS 4/5 or RedHat 4/5"
exit 1
;;
esac

Simple use of the test command

Check if the file /etc/auditd.conf exists; if not, create an empty one:

test ! -f /etc/auditd.conf && touch /etc/auditd.conf

Check if the directory exists; if not, print a message and exit with status 13:

test ! -d /ora1 && echo "/ora1 doesn't exist" && exit 13

ILOM - Quick

ILOM - Sun(TM) Integrated Lights Out Manager. ILOM is designed for managing Sun AMD-based servers over the network. You can access the ILOM text console (via ssh) or the web-based ILOM frontend (via http/https).

What can you do with the ILOM text console? Mostly you will use commands such as:

start /SP/console
reset /SYS
start /SYS
stop /SYS



The commands above are self-explanatory: the first one opens the host console and the others perform the reset/start/stop operation on the box.

What can't you do with the text ILOM console? You cannot change BIOS settings (for example the boot device priority). If you need to do that, open the ILOM web frontend (the same IP address as for ILOM ssh access) and launch the Java console redirection plug-in.

The Java console shows you the whole boot process as if you were sitting in front of the server. The Java-based console is also capable of graphical redirection (so installing X Windows is no problem).

The ILOM (text) interface itself is a sort of UNIX shell. After you log on to the console you can use UNIX-like commands such as ls and cd. To begin with ILOM, just issue ls on / (the root).

-> ls /

/
Targets:
SYS
SP

Properties:


Commands:
cd
show


There are so-called TARGETS. You use them like ordinary directories: just go to a target (cd) and issue ls. The ls output tells you what you can do in each specific directory/target (or namespace, as Sun sometimes calls it).

-> cd /SYS
/SYS

-> ls

/SYS
Targets:
FP
SP
FT0
FT1
MB
PDB
PS0
PS1
SASBP
FAN_FAULT
LOCATE
POWER
PSU_FAULT
SERVICE
TEMP_FAULT

Properties:
type = Host System
power_state = On

Commands:
cd
reset
set
show
start
stop


We can go to other targets or issue the commands available for that directory; in this case reset, start/stop, etc.

-> cd /SP
/SP

-> ls

/SP
Targets:
alert
cli
clients
clock
console
logs
network
serial
services
sessions
users

Properties:


Commands:
cd
load
reset
show
version



We went to /SP, and from here we can go to the console or change some ILOM settings. Let's say we would like to change the network IP address of the ILOM management card.

To change the IP address of the ILOM interface, set the pending addresses first, then check and commit them:


cd /SP/network
set pendingipaddress=nnn.nn.nn.nn
set pendingipnetmask=nnn.nn.nn.nn
set pendingipgateway=nnn.nn.nn.nn
set commitpending=true



The rest you can find here:

http://dlc.sun.com/pdf/820-0280-12/820-0280-12.pdf

How to escape from a console session started from ILOM? Try [ESC] + [(] .

Simple Solaris iptraf like script

How to monitor interface throughput on a Solaris machine? I was looking for something like Linux's IPtraf (a great IP traffic monitor which shows more than just interface throughput) for Solaris. There seems to be no IPtraf port or similar text utility for Solaris so far. The script below should help a bit and show the interface throughput.

It only prints the throughput of the interface in 5-second intervals. If your system's interface is named ce0 instead of hme0, you need to change 'hme:0:hme0:*bytes' in the script to 'ce:0:ce0:*bytes'.

#!/usr/bin/bash
# traffic monitor
# writes the total number of bytes (input + output) per interval
WAIT=5

# read the rbytes (input) or obytes (output) counter of the interface;
# the [^0-9] keeps the 64-bit variants (rbytes64/obytes64) from matching too
counter() {
    kstat -p 'hme:0:hme0:*bytes' | grep ":$1[^0-9]" | awk '{ print $2 }'
}

I_BYTES_OLD=`counter rbytes`
O_BYTES_OLD=`counter obytes`

while true
do
    sleep $WAIT
    DATE=`date +%m/%d/%y" "%H:%M:%S`

    I_BYTES=`counter rbytes`
    O_BYTES=`counter obytes`

    # bytes transferred since the previous sample
    I_BYTES_DIFF=`echo $I_BYTES - $I_BYTES_OLD | bc`
    O_BYTES_DIFF=`echo $O_BYTES - $O_BYTES_OLD | bc`
    T_BYTES=`echo $I_BYTES_DIFF + $O_BYTES_DIFF | bc`

    I_BYTES_OLD=$I_BYTES
    O_BYTES_OLD=$O_BYTES

    clear
    echo "$DATE interface: hme0 input: $I_BYTES_DIFF output: $O_BYTES_DIFF totalBytes: $T_BYTES"
done