Channel: linuxadmin: Expanding Linux SysAdmin knowledge

File integrity monitor with diff

What file integrity monitor are you using?

We've tried a few of the bigger options, and aside from being resource intensive, they don't really provide a simple alerting system.

I'm a big fan of AIDE, but I also want to see diffs of changes. Are there any projects that are using something like AIDE for FIM and git for diff inspection?

submitted by /u/BenAlexanders

Auth service - followup: Force sssd to use local authorized_keys?

In my previous thread from yesterday, I asked for your input on authorization services and I'd like to thank everyone who contributed.

I'm a bit further in now and have a FreeIPA test setup going that seems to be working great. The only issue I have with it so far (after quite a bit of bugfixing - I will contribute bug reports) is that I have a problem with one of my requirements. In case the FreeIPA server is offline, I want to use regular sshd and have it check the local authorized_keys file.

Since FreeIPA requires

AuthorizedKeysCommand sss_ssh_authorizedkeys 

to be set in the sshd_config, only users set up in LDAP can sign in using their key. Also, FreeIPA does not allow root / UID 0 to be configured. I understand the security concerns and share them, but I'm just a cog in the wheel and won't be able to change how my organization handles this.

I need to have a fallback method in the sense that I can ssh into my machine as root and I want sshd (or sssd, doesn't matter) to check the local authorized_keys file first before checking LDAP. I know sssd has a local cache, but that is not the solution I'm looking for.

Does anyone have an idea how I could achieve this?

submitted by /u/Mandalor

nBackup is a simple bash script for making versioned backups of your data where versions are browsable as current backups, snapshot-in-time folders, and running file versions

I was not satisfied with any of the existing backup scripts because they did not do what I wanted. I wrote my own little script and wanted to share it with the community for feedback/thoughts.

https://github.com/imthenachoman/nBackup

nBackup is a simple bash script for making versioned backups of your data where versions are browsable as current backups, snapshot-in-time folders, and running file versions

The GitHub page has more details including an example of the end result.

Feedback, thoughts, criticism welcomed!

submitted by /u/imthenachoman

KVM guest can’t access internet

I posted this on Ask Ubuntu the other day and haven’t had any response: https://askubuntu.com/questions/1134115/kvm-guest-cant-access-internet

I have a KVM host whose guests can’t access the internet after a recent host reboot and installing Docker.

The host and guest can ping each other, but I can’t escape the host from the guest, or access the guest from anywhere else on the local network.

I think it’s most likely a problem with the bridge on the host, but I can’t figure it out.

All details are in the linked post. If anyone can give any advice it would be greatly appreciated.

submitted by /u/colincameron

AMPPS UI alternative

I hope the title doesn't cause too much cringing. But basically I have always had a web development server running on my personal computer, going back as far as the late 1990s. So a few years ago I finally threw in the towel on Windows and made Linux my daily OS. On Windows I had been using AMPPS, as it was very easy to work with. But on Linux it's a royal headache. I currently have a file with 15 steps (none of it is on their wiki), spelled out in detail, that I have to go through to get it running, and even then you can't easily access the software GUI (web UI is accessible).

I just upgraded the hardware on my PC, so I took the opportunity to remove all of my noob install mistakes, and reinstalled Linux. I don't want to use AMPPS this time around. And besides, it is fairly easy to install each part of a LAMP server stack separately on Linux. So what I am looking for is the GUI, for easy configuration. I know I can edit the config files manually, but the headache is I have to do that so infrequently that I always have to go look up how to do it. And most search engines are getting very bad about returning good results for professionals. So finding which config file and how to change them in the future may be nearly impossible, so a GUI is much preferred. And based on how AMPPS works I think it could just be a web interface that runs when I type "localhost" into a browser. Tempted to build it myself, but I am guessing someone else already has and probably has thought of several things that I have not.

submitted by /u/ShaneH_

How to organize ssh connections on Mac Os

How to make the process of ssh login more effective, convenient and faster?
It is not an issue when you have 7-10 servers, but if you have a lot of them, especially distributed all over the world, it becomes a mess!!
Guys, please advise.
Thank you!

submitted by /u/Lupites

Moving files between servers with rsync

I am trying to create an rsync command that will move the OLDEST 15 files in a directory to a remote server, erase everything that is in the destination, then erase the copied files from the source. It doesn't seem too difficult but I cannot figure out how to tell rsync to pull the oldest 15 files. Also, which --delete arguments can accomplish the second part of the job?

submitted by /u/ragnar13337

Issue with subscription manager.

Help Desk / Field Tech here, hoping to move up to admin one day. I was tossed my first task and am running into some issues with it, and I'm hoping for some help or to be thrown in the right direction.

We have some systems that have lost sync to Red Hat and are showing unregistered. When we try to re-run subscription manager we're getting the following error. Goal is to get these re-registered with limited to no downtime.

Traceback (most recent call last):
  File "/usr/sbin/subscription-manager", line 9, in <module>
    load_entry_point('subscription-manager==1.21.10', 'console_scripts', 'subscription-manager')()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/subscription_manager.py", line 29, in <module>
    if six.PY2:
AttributeError: 'module' object has no attribute 'PY2'

After some initial googling we tried updating subscription manager, python rhsm and python rhsm certificates. Packages weren't accepted as we already had them or newer running.

submitted by /u/Pyrostasis

Need tc command for prioritizing keepalive packets in ssh tunnels.. willing to pay, if its allowed.

Right now we're losing tunnels due to keepalive packets being starved, so we need to set up traffic shaping. PM me, I can pay like $100-200 via paypal/btc for something that is literally a 5min convo...

submitted by /u/2016pantherswin

linux laptop isn't secure battle I'm facing

So I'm in a group in engineering that is heavily Linux focused. The company norm is Windows, and most policies are around that. But Linux is allowed, there's just not any standards in place around it. We've been using Linux desktops for a while, which I talked to IT and got approval for. No one ever cared, awesome. We had a guy get a Dell 7730 because he works remote mostly. I built it with Ubuntu 18.04, LUKS encryption with a YubiKey. It has AV on it, and of course the firewall enabled. I got approval from a "corporate" IT security manager, and our division IT security guy. That was a year or so ago. Fast forward to now, and apparently some network guys noticed the Linux VPN traffic and don't like it. So they found some random Joe in security, and he's pissed that we use a Linux laptop. He basically said he didn't agree with the guy that approved it, and was going to take it to every manager he could to fight it. The engineering management I have is obviously on our side, and they're ready to take it up their chain to our VP if need be. So we have a fight on our hands. They're saying that we can't do a Linux laptop as securely as their Windows 10 BitLocker laptops. How would you guys tackle this? Is LUKS not good enough? Is there some better, more secure encryption commercial product we could purchase? Or other ways we could ratchet up the security on the laptop? How would you guys approach this fight?

submitted by /u/themerovengian

Hey reddit, how are you all managing your ssh keys?

I am interested in how you folks manage your own personal, not work, ssh keys. I generally make a key per machine per install and it's getting to be a pain in the ass, because I like to reinstall the OS on my systems frequently (I took the trouble to make a full yadm automated system bootstrap script for all my dotfiles and programs, you bet I'm gonna use it, why keep an old crufty system around when I can have a full new install up in like 20 minutes all automated?).

submitted by /u/YourBrainOnJazz

logrotate config question - rsyslog and haproxy

I have an haproxy box on CentOS 7.6.1810 core that went from proof-of-concept to production in the usual way and now I have a 16G haproxy.log file. I thought I had logrotate working but I was wrong.

In my logrotate config for haproxy, I have the following:

/var/log/haproxy/haproxy.log {
    daily
    missingok
    rotate 28
    maxsize 500M
    compress
    delaycompress
    notifempty
    create 640 root root
    sharedscripts
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}

The issue here is everything runs ok and a new haproxy.log file is created (other one is compressed and renamed) but instead of haproxy writing logs to a fresh "haproxy.log" file, I end up writing to an haproxy.log.1 file -- until I restart rsyslog.

It would seem to me that "reload rsyslog >/dev/null 2>&1 || true" isn't doing anything. When I replace "reload rsyslog >/dev/null 2>&1 || true" with "systemctl restart rsyslog" everything seems to function as I'd expect. I have two questions:

* Can someone tell me exactly what this is supposed to do (I feel like I see it regularly):

reload rsyslog >/dev/null 2>&1 || true

* Is there a better way than this to accomplish what I'm trying to do without issuing a restart?

The goal here is to rotate logs and not lose any data/log entries in the process.

Can someone help me understand this a bit better?

submitted by /u/twinax

Linux ssh - key based auth - multiple devices and multiple servers

I have been using passwords to log in to manage my VPS/dedis. I know it's not the most secure way.

I am trying to brush off my laziness and move to ssh key based authentication.

I would like to get access to my servers from my Android phone/laptop (Windows).

What is the ideal way to set up the keys?

A. Per server different private key?
B. Per server same private key?
C. What if my private key is compromised?

How do I safeguard my private keys and keep them available on my devices?

What is an alternative way to keep access if I have to log in from a different system that does not have my private key? Is it advisable to have one login available to log in via password?

All of these are hosted on different providers.

Any suggestions welcome to help me transition to keys based authentication.

Thank you

submitted by /u/nodonaldplease

SAN disk and LVM

At work we have two scenarios and I’m trying to best understand how/why one method is better than the other. I walked into the organization with the following configurations between similar servers.

Both options below are SAN disk being presented to servers running RHEL 7.2.

config 1

sdb

sdb1

/dev/myvg1/mylv1/

config 2

sdc

/dev/myvg2/mylv2/

With config 1, we have to unmount, delete partition and recreate to use new size, expand, growfs, etc. Another option I suppose would be to add a new disk, add it to the vg and then go from there? I can imagine this would make keeping track of the disks more complex?

The convenience with config 2 is that we can easily expand the sdc disk from the SAN, rescan the disk (cd /sys/class/scsi_device; for i in $(ls); do echo 1 > $i/device/rescan; done) and then expand the vg and then the lv. In my opinion, this is the better option.

What is the most common/best way to manage LVM?

submitted by /u/Anycast

Linux Admin Kyle Amon Murdered

My father was a sensitive, rather depressive, intellectual, and highly skilled computer security/Linux specialist. He lived off-grid doing no harm and was almost a ghost. He had a bitcoin mining operation that was newly running when he was murdered. About 10 years ago he was called by a CIA agent asking him to “come in for questioning”; he essentially said “no, thanks, and good luck finding me”. In 2017 he bought land in New Mexico under his name and was found murdered (multiple gunshot wounds to his back and neck) in his front yard a few months later. He had no mortal enemies, and after a year and a half there are still no official suspects.

Did anyone know my father Kyle Amon? He often went by “amonk” and “fleshenough”. Thank you for reading and your kind responses.

submitted by /u/fleshenough

Question regarding setting up rsync ubuntu mirror

I'm looking to set up a local mirror using this guide. I saw that the script provided syncs up with the current repositories and builds a mirror from those, but I don't see where it removes distro packages as they become EOL. What would be a good way of cleaning up distro packages locally as they become EOL?

submitted by /u/Foxxthegreat

Confused about Michael Jang's RHCSA/RHCE book.

Hi.

I am starting to go through Michael Jang's book RHCSA/RHCE Red Hat Linux Certification Study Guide and I am a little confused about how to set up my test system. I have read Chapter 1 twice and like other posters on Reddit have said it says a lot without saying anything at all - it's pretty oblique as a guide.

My main PC is a Ryzen 1700 with 16GB RAM. This will be my host system. I will dual boot CentOS with Windows 10. From the book what I can glean is that this test system should be 80GB in size if I want 3 VMs of 16GB each with a 10GB root partition. The partitioning scheme for these VMs should be /boot (500MB), / (10GB), /home (1GB) and swap (1GB). When I install these 3 VMs I should choose 'Server with GUI'.

Now onto the host system. Obviously before I create these VMs I need a host system to put them on. This is the 80GB system I mentioned previously. When I install the host system I chose 'Virtualization Host'. Now when it comes to partitions / volumes I am confused. The book doesn't mention what sort of partitioning scheme I need for this host system. Being new to RHEL/CentOS I am not sure how to proceed from here in order to create my host system.

From what I can gather from the book I need half my RAM for swap so that is 8GB for /swap. I take it /home will be 1GB like the VMs and /boot will be 500MB like the VMs, so that leaves the rest of the space for root? So 75-80GB for root? Is this correct?

The book talks about creating a RHEL install with no separation between the host and the VMs so it's really confusing. Everyone raves about this book and I chose it over Ghori's from all the internet chatter but TBH the first chapter is a mess and I hope it improves from here.

submitted by /u/r__warren

Automatic VM Creation & Deployment

Hey all,

I'm working with distributed software and was wondering if anybody could help me with the following problem.

I would like to create a testbed where a user can create a template file defining multiple VMs and their resources. Additionally, they should be able to define the commands that should be run on the VM at boot.

Next to this, the networks between the VMs should also be defined by the user, in order to create an entire network of communicating VMs.

This template should then start all the defined VMs and networks, allowing developers to test distributed software on the VMs before going to a hardware testbed.

Does anybody know of existing software for this goal? I found kcli so far, but it feels quite unstable and the networking part doesn't work for me.

Thanks in advance!

submitted by /u/Vesyrak

Paste script with tabs into one server, periods (".") added to beginning of line on one server, not added on others. Any ideas? D:

So there's a script I have to scrape account info, last login, etc, and part of it is a for loop with tabs (for sanity).

On all servers (so far) except one, I paste it into console, and it truncates the tabs to no spaces (okay, wtvr, but it works). Just on this one server, it instead adds a period (".") to the beginning of every line that previously had a tab.

I've gone through so much testing I really am lost.

  1. It's not my clipboard, because exact same clipboard pasted on another server in the same environment doesn't produce it.
  2. I've logged out and back in, issue persists.
  3. Issue persists whether regular user or root.
  4. Issue persists when I clear clipboard and try to copy paste again.
  5. Keyboard layout is same between this and other systems.
  6. All systems using BASH.

I'm out of ideas as to what to look up or even test. You guys got any keen ideas? D:

submitted by /u/BloodyIron

Can Linux Academy teach me how to get skills and get a job if i do all the LIP certs and Linux+ certs?
