Linux session audit
Enabling logging of what the root user types at the terminal, for all of these paths:

1) root login via the console
2) root login via ssh
3) using su to become root
4) using sudo to become root

Services whose session stack includes system-auth do not need a specific line in their own PAM stack definition. On a default installation the include lookup gives:

[root@myczsl0bl0clcs1 pam.d]# grep system-auth * | grep session
atd:session include system-auth
chfn:session include system-auth
chsh:session include system-auth
crond:session include system-auth
ekshell:session include system-auth
gssftp:session include system-auth
kshell:session include system-auth
login:session include system-auth
ppp:session include system-auth
remote:session include system-auth
run_init:session include system-auth
sshd:session include system-auth
su:session include system-auth


Adding the line to system-auth:

[root@myczsl0bl0clcs1 pam.d]# cat /etc/pam.d/system-auth | grep session | grep tty

session required pam_tty_audit.so disable=* enable=root open_only


login, sshd and su pick up pam_tty_audit because their session stacks include system-auth. sudo does not include system-auth for session, so pam_tty_audit has to be added to /etc/pam.d/sudo separately. The open_only option matters here: it sets the TTY audit flag when the session opens and does not clear it on close, which pam_tty_audit(8) requires for services such as sudo that do not fork() to run the authenticated session. The options are processed left to right, so disable=* enable=root audits root and nobody else:

[root@myczsl0bl0clcs1 pam.d]# cat /etc/pam.d/sudo | grep session | grep tty_audit

session required pam_tty_audit.so disable=* enable=root open_only

The keystrokes are written by the kernel as audit records of type TTY, so auditd must be running; review them with aureport --tty or ausearch -m TTY. Everything typed on the TTY is captured, and depending on the kernel version that includes passwords typed with echo off (newer kernels drop those unless log_passwd is set), so the audit log needs the same protection as the passwords themselves.
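A small coverage check for the question above, added here as an example (it is not from the original post): for each service it reports whether pam_tty_audit is in the session stack directly or through a session include, and it builds a constructed sample pam.d directory so it runs offline. Run tty_audit_report against /etc/pam.d to check a real host; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check which PAM services get
# pam_tty_audit in their session stack, directly or through
# "session include <file>". It runs against a constructed sample pam.d
# directory so it works offline; point it at /etc/pam.d to check a real host.

# tty_audit_covered <pam.d dir> <service>
# Prints "direct", "include:<file>", "none" or "missing"; returns 0 only when
# pam_tty_audit is part of the service's session stack.
tty_audit_covered() {
    dir="$1"; f="$1/$2"
    [ -r "$f" ] || { echo "missing"; return 1; }
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_tty_audit\.so' "$f"; then
        echo "direct"; return 0
    fi
    # follow "session include <file>" lines (word splitting on purpose)
    for inc in $(awk '$1 == "session" && $2 == "include" { print $3 }' "$f"); do
        if [ -r "$dir/$inc" ] &&
           grep -Eq '^[[:space:]]*session[[:space:]].*pam_tty_audit\.so' "$dir/$inc"; then
            echo "include:$inc"; return 0
        fi
    done
    echo "none"; return 1
}

# make_sample_pamd <dir>: constructed sample mirroring the post: system-auth
# carries pam_tty_audit, login/sshd/su include it for session, sudo does not.
make_sample_pamd() {
    mkdir -p "$1"
    printf '%s\n' \
        'session required pam_limits.so' \
        'session required pam_tty_audit.so disable=* enable=root open_only' \
        > "$1/system-auth"
    for s in login sshd su; do
        printf '%s\n' 'auth include system-auth' 'session include system-auth' > "$1/$s"
    done
    printf '%s\n' 'auth include system-auth' 'session required pam_limits.so' > "$1/sudo"
}

# tty_audit_report <pam.d dir> <service...>: one line per service; returns 1
# if any service is not covered, so it can gate a hardening script.
tty_audit_report() {
    dir="$1"; shift; rc=0
    for s in "$@"; do
        printf '%-12s %s\n' "$s" "$(tty_audit_covered "$dir" "$s")"
        tty_audit_covered "$dir" "$s" >/dev/null || rc=1
    done
    return $rc
}

# Demo on the constructed sample: sudo shows up as "none" until the extra
# line from the post is added to its own stack.
d=$(mktemp -d)
make_sample_pamd "$d"
tty_audit_report "$d" login sshd su sudo || echo "NOT COVERED: add pam_tty_audit to the services marked none"
rm -rf "$d"
```

The check only follows one level of session include, which is enough for the system-auth layout shown above; it deliberately ignores auth/account/password includes, since pam_tty_audit is a session module and an auth-only include of system-auth does not enable it.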


Add ext4 to RHEL/CentOS
yum install e4fsprogs

On RHEL/CentOS 5 ext4 is a technology preview and the userspace tools (mkfs.ext4 and friends) are packaged separately as e4fsprogs; on RHEL 6 and later they are part of e2fsprogs.


RedHat/CentOS lifecycle, RHEL3, RHEL4, RHEL5
http://www.redhat.com/security/updates/errata/

Installing NRPE via RPM
Install the RPMforge repository

http://wiki.centos.org/AdditionalResour ... 92d1398e01


http://nagioswiki.com/wiki/index.php/In ... RE_via_RPM

nrpe RPM: http://packages.sw.be/nagios-nrpe/
plugins RPM: http://packages.sw.be/nagios-plugins/


XEN networking, network wrapper
The default network-bridge line is commented out and replaced by our wrapper script:

[root@xen xen]# cd /etc/xen
[root@xen xen]# vi xend-config.sxp
# It is possible to use the network-bridge script in more complicated
# scenarios, such as having two outgoing interfaces, with two bridges, and
# two fake interfaces per guest domain. To do things like this, write
# yourself a wrapper script, and call network-bridge from it, as appropriate.
#
#(network-script network-bridge) <- commented out
(network-script network-wrapper) <- added


The wrapper calls network-bridge once per interface. No netdev= argument is given, so network-bridge falls back to its default of netdev=eth${vifnum}, i.e. eth1 to eth9 get bridged:

[root@xen xen]# cd scripts/
[root@xen scripts]# cat network-wrapper
#!/bin/bash
# Run network-bridge (start/stop/status is passed through in "$@") once per
# vifnum; with no netdev= given it defaults to eth${vifnum}.
dir=$(dirname "$0")
"$dir/network-bridge" "$@" vifnum=1
"$dir/network-bridge" "$@" vifnum=2
"$dir/network-bridge" "$@" vifnum=3
"$dir/network-bridge" "$@" vifnum=4
"$dir/network-bridge" "$@" vifnum=5
"$dir/network-bridge" "$@" vifnum=6
"$dir/network-bridge" "$@" vifnum=7
"$dir/network-bridge" "$@" vifnum=8
"$dir/network-bridge" "$@" vifnum=9



Linux RHEL/CentOS change timezone to Prague
[root@fw zoneinfo]# rm /etc/localtime
rm: remove symbolic link `/etc/localtime'? y
[root@fw zoneinfo]# ln -s /usr/share/zoneinfo/Europe/Prague /etc/localtime

Set ZONE="Europe/Prague" in /etc/sysconfig/clock as well, so the system tools agree with the link. If /usr is a separate filesystem, copy the zone file to /etc/localtime instead of symlinking it: the link target is not available before /usr is mounted during early boot, which is why Red Hat installs a copy by default.


Linux bond failover quick reference 
# cat /etc/modprobe.conf | grep bond
alias bond0 bonding
options bond0 miimon=100 mode=active-backup

# cat /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
IPADDR=
NETMASK=
BROADCAST=
NETWORK=
TYPE=Ethernet
USERCTL=no
PEERDNS=no
ONBOOT=yes

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
USERCTL=no
ONBOOT=yes

# cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
HWADDR=
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
USERCTL=no
ONBOOT=yes

Check the result in /proc/net/bonding/bond0: it shows the mode, the "Currently Active Slave", and the MII status and link failure count of each slave. To test the failover, unplug the cable of the active slave and confirm that the active slave switches to the other interface and the bond address stays reachable.
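A status check for the bond above, added here as an example (not from the original post): it parses the /proc/net/bonding/<bond> text, prints the mode, the active slave and each slave's MII status and failure count, and returns non-zero when any slave is down, so it can run from cron or a monitoring plugin. The embedded dump is constructed sample data in the format the bonding driver prints; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report the state of a Linux
# bonding device from its /proc/net/bonding/<bond> file. Returns 1 if any
# slave's MII status is not "up", so it can be used as a check.

# bond_report [file]: parse a bonding status file (default bond0 on this host).
bond_report() {
    awk '
    /^Bonding Mode:/            { mode = substr($0, 15) }
    /^Currently Active Slave:/  { active = $NF }
    /^Slave Interface:/         { slave = $NF; slaves = slaves " " slave }
    # the first "MII Status" belongs to the bond itself, later ones to slaves
    /^MII Status:/              { if (slave == "") bondmii = $NF; else mii[slave] = $NF }
    /^Link Failure Count:/      { if (slave != "") fails[slave] = $NF }
    END {
        printf "mode:%s bond:%s active:%s\n", mode, bondmii, active
        n = split(slaves, s, " ")
        for (i = 1; i <= n; i++) {
            printf "slave:%s mii:%s failures:%s\n", s[i], mii[s[i]], fails[s[i]]
            if (mii[s[i]] != "up") bad = 1
        }
        exit bad ? 1 : 0
    }' "${1:-/proc/net/bonding/bond0}"
}

# Constructed sample: active-backup bond where eth0 has failed over to eth2.
sample_bond_proc() {
    cat <<'EOF'
Ethernet Channel Bonding Driver: v3.4.0-1 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: down
Link Failure Count: 1
Permanent HW addr: 00:16:3e:00:00:01

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:00:02
EOF
}

# Demo on the sample; on a real host just run: bond_report
t=$(mktemp)
sample_bond_proc > "$t"
bond_report "$t" || echo "WARNING: a bond slave is down, redundancy lost"
rm -f "$t"
```

The bond itself reports MII Status up as long as one slave is up, which is exactly the state in which a second cable fault takes the host offline; that is why the check keys on the per-slave status rather than on the bond's own line.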

DSEE7: design

- The command line management and monitoring tools, dsconf(1M) and dpconf(1M), require only LDAP access to the servers that you manage.

- DSCC is a web application. DSCC runs inside the framework known as Sun Java Web Console. You typically install DSCC on only one system in your deployment. You then manage all your servers from that installation of DSCC.

- DSCC requires LDAP access to the servers for online management operations. DSCC also requires Java Management Extension (JMX) access to agents installed alongside the servers. The agents perform server process management operations on behalf of DSCC, operations that cannot be performed through LDAP on a running server. DSCC contacts the agents over the network using a specific port number.

- The agents run inside a common agent container on the server system. This common agent container provides its agents with a single external port for management applications. The common agent container also consolidates resources to save resources on systems where multiple local agents share the container. For troubleshooting purposes, a common agent container can be managed independently using the cacaoadm command.

- When you install DSCC you also install Directory Server software. DSCC uses its own private instance of Directory Server to store configuration information.

- When you install DSCC on the administration host, you must be root. However, you can then use DSCC installed on the administration host to manage server hosts installed as non-root.



Directory Service Control Center not initialized: the app server was running as a non-root user and the directory server was running as a different non-root user. It worked once both were run as the same non-root user. (Sun Java System Directory Server discussion thread.)


http://www.temnokomornik.com/ 

DSEE7: query LDAP aci (ACL) records with ldapsearch 
* show all ACIs (ACLs) in dc=example,dc=com

[root@dhcppc2 ~]# ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "dc=example,dc=com" -s sub "(objectClass=*)" aci


* show all objectclasses available in the schema

ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -w dsInstanceEXAMPLE -b "cn=schema" -s sub "(objectClass=*)" objectClasses

Note that -w puts the Directory Manager password into the process list and the shell history; the DSEE ldapsearch accepts -j <file> to read the password from a file (mode 0600) instead. Binding as cn=Directory Manager also bypasses the ACIs you are inspecting, so to see what a given user can actually do, repeat the search bound as that user.
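Reading raw aci values is tedious, so here is an added example (not from the original post and not a DSEE tool) that summarises the LDIF the first search returns and flags ACIs granting write, add, delete or all rights to ldap:///anyone (anonymous) or ldap:///all (any authenticated user). The LDIF in sample_ldif is constructed sample data; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or DSEE): summarise aci values
# from ldapsearch output and flag ACIs that let anyone/all modify data.
# Pipe real output in with, for instance:
#   ldapsearch -h localhost -p 3200 -D "cn=Directory Manager" -j pwfile \
#     -b "dc=example,dc=com" -s sub "(objectClass=*)" aci | aci_risky
# The LDIF below is constructed sample data, not from a real directory.

# aci_summary: read LDIF on stdin, print one tab-separated line per aci value:
# dn, acl name, allow|deny, rights, bind-rule subject. Handles LDIF folding
# (continuation lines start with a single space).
aci_summary() {
    awk '
    function field(s, re,   v) {            # value of the first re"..." in s
        if (match(s, re "\"[^\"]*\"")) {
            v = substr(s, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
            return v
        }
        return "?"
    }
    function process(line,   name, mode, rights, subj) {
        if (line ~ /^dn: /) { dn = substr(line, 5); return }
        if (line !~ /^aci: /) return
        name = field(line, "acl ")
        if (match(line, /(allow|deny) *\([^)]*\)/)) {
            mode = substr(line, RSTART, RLENGTH)
            rights = mode; sub(/^[^(]*\(/, "", rights); sub(/\)$/, "", rights)
            gsub(/ /, "", rights)
            sub(/ *\(.*$/, "", mode)
        } else { mode = "?"; rights = "?" }
        subj = field(line, "(userdn|groupdn|roledn) *= *")
        printf "%s\t%s\t%s\t%s\t%s\n", dn, name, mode, rights, subj
    }
    function flush() { if (cur != "") { process(cur); cur = "" } }
    /^ / { cur = cur substr($0, 2); next }   # unfold continuation lines
    { flush(); cur = $0 }
    END { flush() }'
}

# aci_risky: print ACIs that allow write/add/delete/all to ldap:///anyone or
# ldap:///all; returns 1 if any were found, 0 if the directory looks clean.
aci_risky() {
    aci_summary | awk -F '\t' '
        $3 == "allow" && $4 ~ /(^|,)(write|add|delete|all)(,|$)/ &&
        $5 ~ /^ldap:\/\/\/(anyone|all)$/ { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Constructed sample in the shape ldapsearch prints (values are made up).
sample_ldif() {
    cat <<'EOF'
version: 1
dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Anonymous read"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="userPassword")(version 3.0; acl "Self write"; allow (write) userdn="ldap:///self";)

dn: ou=People,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Open write"; allow (write,add,delete)
  userdn="ldap:///anyone";)
EOF
}

sample_ldif | aci_summary
sample_ldif | aci_risky || echo "RISKY: anonymous or any-user write access granted above"
```

The summary only reads the first bind rule of each ACI, which is enough to spot the blanket grants; ACIs combining several rules with and/or, or using targetfilter, still need a manual read of the full value.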

