PAM account management error

Following the RHEL 7.6 / CentOS 7.6 upgrade, we started having problems using sudo on a box.

FreeIPA is in place as the central authentication mechanism, handling both logins and privilege management.

So, after SSH’ing to a server, running sudo gave:

sudo: PAM account management error: Permission denied

In /var/log/secure, you’ll see something like

pam_sss(sudo:account): Access denied for user

The Red Hat support portal’s advice is to add sudo to the list of services in the HBAC rule definition; in our case only sshd was listed as an allowed service. That is the whole problem: sudo runs the PAM account stack before it will do anything, pam_sss evaluates the HBAC rules for the PAM service name (here sudo), and a rule that only allows sshd on that host returns a denial. Add sudo to the rule that is meant to grant interactive access on those hosts rather than to a broad allow-all rule. HBAC only decides whether the sudo PAM service may run for that user on that host; what they may then run is still governed by the IPA sudo rules.

  1. Open IPA web interface
  2. Policies tab
  3. HBAC rules
  4. Select a rule
  5. Under the section Via Service, add sudo to the list
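
As an added example (not from the original post or from FreeIPA), a small shell helper that pulls the denied usernames out of /var/log/secure and prints the IPA CLI commands that do what the clicks above do, plus the hbactest call that confirms the change before anyone retries. The log lines, the rule name allow_ssh, the user and the host are constructed placeholders:

```bash
#!/bin/bash
# Added example (not from the original post): triage sudo HBAC denials from
# /var/log/secure and print the IPA CLI commands that fix the rule.
# Assumptions: the rule name allow_ssh, user, host and the sample log lines
# below are constructed for illustration.

# Print the unique usernames that pam_sss denied for the sudo service.
# Reads log lines on stdin; the message format is sssd's
# "pam_sss(sudo:account): Access denied for user NAME: 6 (Permission denied)".
denied_sudo_users() {
    grep 'pam_sss(sudo:account): Access denied for user ' |
        sed -n 's/.*Access denied for user \([^: ]*\).*/\1/p' |
        sort -u
}

# Emit the commands to allow the sudo PAM service on an existing HBAC rule
# and to confirm the result with hbactest (user, host, service) afterwards.
hbac_fix_commands() {
    rule=$1; user=$2; host=$3
    printf 'ipa hbacrule-add-service %s --hbacsvcs=sudo\n' "$rule"
    printf 'ipa hbactest --user=%s --host=%s --service=sudo\n' "$user" "$host"
}

# Constructed sample: two denials for alice, one for bob, one unrelated line.
SAMPLE_SECURE='Jan 10 09:12:01 web01 sudo: pam_sss(sudo:account): Access denied for user alice: 6 (Permission denied)
Jan 10 09:12:05 web01 sshd[2210]: Accepted publickey for bob from 10.16.0.40 port 50322 ssh2
Jan 10 09:12:09 web01 sudo: pam_sss(sudo:account): Access denied for user bob: 6 (Permission denied)
Jan 10 09:13:00 web01 sudo: pam_sss(sudo:account): Access denied for user alice: 6 (Permission denied)'

# Run with --demo to see the sample triage; in real use feed it the live log:
#   denied_sudo_users < /var/log/secure
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SECURE" | denied_sudo_users
    hbac_fix_commands allow_ssh alice web01.example.com
fi
```

The printed commands are deliberately not executed: adding a service to an HBAC rule widens access for every user and host the rule already matches, so look at the rule membership first.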

 

Disable gpgcheck for yum & Spacewalk

When using Spacewalk as a yum repository, yum will refuse to install packages that are not signed (or whose signing key has not been imported on the client).

To disable the gpgcheck:

sudo sed -i 's/gpgcheck = 1/gpgcheck = 0/' /etc/yum/pluginconf.d/rhnplugin.conf

This is needed because the repo list comes from Spacewalk through the rhn plugin rather than from the files in /etc/yum.repos.d/*.repo, where gpgcheck could otherwise be turned off per repository. Bear in mind what this switches off: the signature check is the only thing verifying that a package really came from your build process and was not altered on the Spacewalk server or in transit. On anything beyond a lab box, prefer signing the packages and importing the public key on the clients, and leave gpgcheck on.

dhparams, openssl and speed

Creating Diffie-Hellman parameters with openssl can take a very long time:

openssl dhparam -out ~/dhparams.pem 4096

Some people install entropy generators to speed this up, but the wait is not entropy starvation: it is the search for a safe prime. By default openssl looks for a prime p such that (p-1)/2 is also prime, so every candidate that passes one primality test must pass a second, nested one. By the prime number theorem roughly one odd 4096-bit number in 1,400 is prime, so a safe prime needs on the order of millions of candidates while an ordinary prime needs thousands. The -dsaparam switch generates DSA-style parameters instead (a small prime q is found first, then a p of the form q·k+1), so only thousands of large candidates are tested and the whole thing takes a couple of seconds. The bit size still has to be given; without it openssl uses its own default (2048 in recent releases).

openssl dhparam -dsaparam -out ~/dhparams.pem 4096

The trade-off: with DSA-style parameters it is not safe to reuse a DH private key, so use them only for ephemeral DHE, where a fresh key is generated per handshake (which is what TLS servers do), and never for static DH. If your software supports them, the standardised RFC 7919 groups (ffdhe2048, ffdhe3072, ffdhe4096) avoid generating parameters at all.

Nagios Postgres And SELinux

Using the RHEL standard check_pgsql nagios plugin (with Icinga2), SELinux was not letting the plugin connect to the database:

CRITICAL - no connection to 'schemaname' (could not connect to server: Permission denied
Is the server running locally and accepting connections on Unix Domain socket "/tmp/.s.PGSQL.123"?
).

Whilst the command would run locally as any user that had permission to execute the plugin, via NRPE it would fail. That difference is the clue: run by hand the plugin inherits the caller’s unconfined domain, whereas under NRPE it transitions into nagios_services_plugin_t and is subject to that domain’s rules.

Checking the context of the file, it was correct:

ls -lZ /usr/lib64/nagios/plugins/check_pgsql
-rwxr-xr-x. root root system_u:object_r:nagios_services_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_pgsql

So looking in /var/log/audit/audit.log, there was the entry:

type=AVC msg=audit(1492518731.184:9097): avc:  denied  { write } for
pid=8985 comm="check_pgsql" name=".s.PGSQL.5432" dev=dm-0 ino=521504
scontext=unconfined_u:system_r:nagios_services_plugin_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

audit2allow is your friend for sorting this sort of thing out, with two cautions. First, -a reads every denial currently in the audit log, which is why the module below also picked up an unrelated tomcat_t connectto rule from the same host; restrict the input to the denials you are actually fixing (grep for the comm= value, or pass a file of just those lines with -i), give the module a distinct local name rather than the name of a policy type, and read the generated .te before installing it, since each allow line permanently widens the policy. Second, the denial itself says the plugin is writing to a socket labelled tmp_t, the generic /tmp label; pointing check_pgsql at TCP with -H, or moving the PostgreSQL socket directory somewhere with a proper label, avoids the extra rule altogether.

# audit2allow -a

#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t tmp_t:sock_file write;
allow nagios_services_plugin_t tomcat_t:unix_stream_socket connectto;

# audit2allow -a -M nagios_services_plugin_t

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nagios_services_plugin_t.pp

# semodule -i nagios_services_plugin_t.pp

Job done.
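
As an added example (not code from the original post), here is the same audit2allow workflow restricted to one program’s denials. The audit lines are constructed to mirror the denial above, the check_http/tomcat_t line stands in for the unrelated rule that -a swept up, and local_check_pgsql is an arbitrary module name:

```bash
#!/bin/bash
# Added example (not from the original post): build a scoped SELinux module
# from only the AVC denials of one program, instead of feeding the whole audit
# log to audit2allow. The sample audit lines are constructed; the module name
# local_check_pgsql is an arbitrary choice.

# Select "avc:  denied" records for a given comm= value from audit log input.
avc_for_comm() {
    comm=$1
    grep 'avc:  denied' | grep "comm=\"$comm\""
}

# Build a policy module from the selected records only. Review the generated
# .te file before installing it: every line is an "allow" that widens policy.
build_module() {
    name=$1; comm=$2; logfile=${3:-/var/log/audit/audit.log}
    avc_for_comm "$comm" < "$logfile" | audit2allow -M "$name" || return 1
    echo "Review $name.te, then: semodule -i $name.pp"
}

# Constructed sample: two check_pgsql denials and one unrelated check_http one.
SAMPLE_AUDIT='type=AVC msg=audit(1492518731.184:9097): avc:  denied  { write } for pid=8985 comm="check_pgsql" name=".s.PGSQL.5432" dev=dm-0 ino=521504 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1492518740.001:9101): avc:  denied  { connectto } for pid=8990 comm="check_http" path="/run/tomcat.sock" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1492518751.500:9105): avc:  denied  { write } for pid=9002 comm="check_pgsql" name=".s.PGSQL.5432" dev=dm-0 ino=521504 scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file'

# How many sample records a comm filter keeps (sanity check for the filter).
count_avc_for_comm() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_for_comm "$1" | wc -l | tr -d ' '
}

# Real use: build_module local_check_pgsql check_pgsql
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_for_comm check_pgsql
fi
```

Only the two check_pgsql records reach audit2allow, so the resulting module contains the tmp_t sock_file write rule and nothing about tomcat.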

Collectd and conntrack plugin

Collectd is great, however we had seen quite a few errors in the logs saying it was having problems with the conntrack plugin.

"read-function of plugin `conntrack' failed"

Fear not. This turned out to be because the kernel did not have the nf_conntrack module loaded, so the counters the plugin reads under /proc did not exist.

modprobe nf_conntrack

Don’t forget to set the module to load at boot so the fix survives a reboot. Job done.

I tracked this down by looking at the plugin source, which reads these files; none of them existed on the box:

#define CONNTRACK_FILE "/proc/sys/net/netfilter/nf_conntrack_count"
#define CONNTRACK_MAX_FILE "/proc/sys/net/netfilter/nf_conntrack_max"
#define CONNTRACK_FILE_OLD "/proc/sys/net/ipv4/netfilter/ip_conntrack_count"
#define CONNTRACK_MAX_FILE_OLD "/proc/sys/net/ipv4/netfilter/ip_conntrack_max"

To survive a reboot, as root create /etc/sysconfig/modules/nf_conntrack.modules (the initscripts package on RHEL 7 still runs these at boot; the systemd-native equivalent is a file in /etc/modules-load.d/ containing just the module name):

#!/bin/bash
modprobe nf_conntrack
exit 0

Set the file to be executable and away you go.
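
An added example (not from the original post or from collectd) that checks for the counter files the plugin reads, loads the module when they are missing, and persists it with a modules-load.d drop-in. PROC_ROOT is an override that exists only so the check can be exercised against a scratch directory:

```bash
#!/bin/bash
# Added example (not from the original post): check for the conntrack counters
# collectd's plugin reads, load nf_conntrack if they are absent, and make the
# load persistent with a modules-load.d drop-in (the systemd way on RHEL 7).
# PROC_ROOT is an override used only so the check can be tested against a
# temporary directory; it is not something collectd itself uses.

PROC_ROOT=${PROC_ROOT:-}

# Return 0 if either the current or the legacy counter file is readable
# (the same two paths the plugin source tries, current one first).
conntrack_counters_present() {
    for f in \
        "$PROC_ROOT/proc/sys/net/netfilter/nf_conntrack_count" \
        "$PROC_ROOT/proc/sys/net/ipv4/netfilter/ip_conntrack_count"
    do
        [ -r "$f" ] && return 0
    done
    return 1
}

# Load the module now (needs root) and persist it across reboots, then
# re-check so a failed load is reported rather than assumed.
ensure_nf_conntrack() {
    if conntrack_counters_present; then
        echo "nf_conntrack counters already present"
        return 0
    fi
    modprobe nf_conntrack || return 1
    echo nf_conntrack > /etc/modules-load.d/nf_conntrack.conf
    conntrack_counters_present
}

# Run with --apply as root to fix a live box.
if [ "${1:-}" = "--apply" ]; then
    ensure_nf_conntrack
fi
```

The post-load re-check matters on hosts where the module is blacklisted or the kernel lacks it: modprobe reports that, and the function fails instead of silently leaving collectd in the same state.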

 

Perl & SNMP

Who’d have thought that perl-Net-SNMP and net-snmp-perl were different packages? Not me, until I was setting up a couple of nagios plugins. net-snmp-perl provides the SNMP bindings that ship with the Net-SNMP project itself, while perl-Net-SNMP is the pure-Perl Net::SNMP module from CPAN, which is what most of the plugins want.

So if you’re getting the error message “Can’t locate Net/SNMP.pm”, you’ll need:

yum install perl-Net-SNMP

Leading Zero In IPv4 Addresses

Bit of a strange one to stumble across this morning. If an octet of an IPv4 address has a leading zero, inet_aton (and everything built on it) reads that octet as octal, which leads to some rather unexpected results. E.g.:

10.16.0.040 -> 10.16.0.32

010.16.0.40 -> 8.16.0.40

10.16.0.0170 -> 10.16.0.120

What makes it even stranger, in my opinion, is that not all of the address is affected: it is done per octet, so you can have a mix of decimal and octal. As the last example shows, an octet can even be four digits.

I’m sure there’s plenty of scope for confusing people with this when handing out direct links to things (use DNS…).
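
An added example, not from the original post, that reproduces the octal conversion in shell arithmetic (which, like glibc’s inet_aton, reads a leading 0 as octal and 0x as hex) and pairs it with a strict validator that rejects anything but plain dotted decimal. The function names are my own:

```bash
#!/bin/bash
# Added example (not from the original post): reproduce what inet_aton does
# with leading-zero and hex octets, and a strict check that only accepts plain
# dotted decimal. The conversion uses shell arithmetic, which like glibc reads
# a leading 0 as octal and 0x as hex; real code should call inet_aton or
# getaddrinfo and treat their output as the source of truth.

# Print the canonical dotted-decimal form, or fail if an octet is malformed
# or out of range (e.g. "08" is neither valid octal nor decimal).
canon_ipv4() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    out=""
    for o in "$a" "$b" "$c" "$d"; do
        # Only digit strings that shell arithmetic evaluates the same way
        # inet_aton does: octal (leading 0), hex (0x), or plain decimal.
        printf '%s\n' "$o" | grep -Eq '^(0[0-7]*|0[xX][0-9a-fA-F]+|[1-9][0-9]*)$' || return 1
        v=$(( $o ))
        [ "$v" -le 255 ] || return 1
        out="${out:+$out.}$v"
    done
    printf '%s\n' "$out"
}

# Strict form: four decimal octets 0-255 with no leading zeros, so that what
# a human reads is what the resolver will actually use.
strict_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Run with --demo to see the three addresses from the post converted.
if [ "${1:-}" = "--demo" ]; then
    for ip in 10.16.0.040 010.16.0.40 10.16.0.0170; do
        printf '%s -> %s\n' "$ip" "$(canon_ipv4 "$ip")"
    done
fi
```

Use strict_ipv4 at the point where an address enters the system (config files, allow-lists, form input); use canon_ipv4 only to explain what an already-accepted string will do. On a glibc box, getent ahosts with one of these strings shows what the resolver itself makes of it.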

From a quick test on a CentOS install, this behaviour also applies to entries in the hosts file.

A bit of trial and error suggests that Active Directory DNS and BIND don’t allow leading zeros in DNS records.

Could this be used for malicious purposes? Possibly, but I doubt it’s worth the effort. It’s more of an annoyance which could be combined with a bit of social engineering to make people think they’re at the correct IP address. Where it does matter is when two parsers disagree: if an allow-list or filter reads the string as decimal but the code that actually connects hands it to inet_aton, 010.16.0.40 passes a check for 10.16.0.40 and the connection goes to 8.16.0.40. Validate addresses strictly at the point of entry and canonicalise before comparing.

Ansible sudo deprecated

Since the release of Ansible 2.0, the sudo: playbook keyword has been deprecated in favour of the
become: structure.

Before

- name: Do A Task
  sudo: True

After

- name: Do A Task
  become: yes
  become_user: root

There’s also a setting in ansible.cfg for become_method (sudo, su, pbrun and so on), depending on how your environment is set up.
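
An added example (not from the original post or from Ansible’s own documentation) showing the become form with the method fixed at play level and one task that drops to a service account rather than root. The host group, package and command are placeholders:

```yaml
# Added example, not from the original post: become in place of sudo:, with
# the escalation method set once for the play. Host group, package name and
# command are placeholders.
- hosts: webservers
  become: yes
  become_method: sudo      # or su / pbrun, matching how the hosts are set up
  become_user: root
  tasks:
    - name: Do A Task
      yum:
        name: htop
        state: present

    - name: Run something as the postgres account, not root
      become_user: postgres
      command: psql -c 'select 1'
```

The same three settings can live in ansible.cfg under [privilege_escalation] (become, become_method, become_user), which is the setting the post refers to; a play- or task-level value overrides it. Overriding become_user per task, as in the second task, keeps each step at the lowest account that can do the job instead of running the whole play as root.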