Working With Extended Filesystem Attributes in Linux

In my previous post I went over standard filesystem attributes in Linux, and how to set and view those attributes with lsattr and chattr. You can view that post here if you are interested.

In this post we are going to go over extended filesystem attributes. There is not much to this, as you are probably never going to have to use these settings. That being said, it's not a bad thing to be aware of them.

Attribute names are strings that can be set and configured at will using the setfattr command. They can be viewed with the getfattr command. There are 4 attribute namespaces: security, system, trusted, and user.

When using getfattr (which I pronounce as getfatter), the -d option dumps only user namespace attributes. Attributes in the other namespaces can be viewed by using the -m option along with the namespace name. In the example below you can see that there are no user namespace attributes set on my anaconda-ks.cfg file; however, there are attributes set in the security namespace.

[root@localhost ~]# getfattr -d anaconda-ks.cfg
[root@localhost ~]# getfattr -d -m security anaconda-ks.cfg
# file: anaconda-ks.cfg
security.selinux="unconfined_u:object_r:admin_home_t:s0"

 

Using setfattr you can define and set custom attributes. See the useless example below.

[root@localhost ~]# setfattr -n user.example -v example anaconda-ks.cfg
[root@localhost ~]# getfattr -d anaconda-ks.cfg
# file: anaconda-ks.cfg
user.example="example"

However, this could be cool if you took an md5 sum of a file and stored it in a file attribute. You could, in theory, use this process to see if someone has messed with one of your config files.

 

[root@localhost ~]# md5sum anaconda-ks.cfg
fda1aa550d3cf82423d1b1ad1ae53a13  anaconda-ks.cfg
[root@localhost ~]# setfattr -n user.md5sum -v fda1aa550d3cf82423d1b1ad1ae53a13 anaconda-ks.cfg
[root@localhost ~]# getfattr -d anaconda-ks.cfg
# file: anaconda-ks.cfg
user.example="example"
user.md5sum="fda1aa550d3cf82423d1b1ad1ae53a13"
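
One way to script the checksum idea above, as an added example that is not part of the original post. It swaps md5sum for sha256sum and stores the digest in an attribute called user.sha256; that attribute name and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: keep a SHA-256 digest of a file in a user-namespace xattr
# and check the file against it later.
# ATTR is an assumed attribute name, not something the tools define.
ATTR=user.sha256

# Print the hex digest of FILE (first field of the sha256sum output).
file_digest() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Record the file's current digest in the attribute.
xattr_seal() {
    setfattr -n "$ATTR" -v "$(file_digest "$1")" "$1"
}

# Print the recorded digest, or nothing if the attribute is not set.
xattr_recorded() {
    getfattr --only-values -n "$ATTR" "$1" 2>/dev/null
}

# Compare a recorded digest with the file's current content.
# Returns 0 = unchanged, 1 = content differs, 2 = no digest recorded.
digest_status() {    # usage: digest_status FILE RECORDED_DIGEST
    [ -n "$2" ] || return 2
    [ "$2" = "$(file_digest "$1")" ] || return 1
    return 0
}

# Seal once with:  xattr_seal anaconda-ks.cfg
# Check later with: xattr_verify anaconda-ks.cfg; echo $?
xattr_verify() {
    digest_status "$1" "$(xattr_recorded "$1")"
}
```

Anyone who can write to the file can also rewrite a user namespace attribute, so this catches careless edits rather than someone covering their tracks. A copy made without preserving extended attributes (cp needs --preserve=xattr) loses the recorded digest and reports status 2.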

 


Quick and Dirty Yum Security Plugin Overview

The YUM security plugin is a package that allows you to search specifically for security patches applicable to a Redhat/Centos server. This functionality comes in very handy when having to cross-reference CVEs to Redhat Security Advisories (RHSAs). If you work closely with anyone in an information security role, you already know how vital this functionality is.

Before you can begin you need to make sure that you have the plugin installed.  Use the command below to install it.

# yum -y install yum-plugin-security

 

Then you can use the plugin to get an overview of the security updates available for your system.

# yum updateinfo
    
Updates Information Summary: available
3 Security notice(s)
         1 Important Security notice(s)
         2 Moderate Security notice(s)
12 Bugfix notice(s)
1 Enhancement notice(s)

 

You can get a specific list of updates, sorted by security advisories, bug fixes, and enhancement advisories.

# yum updateinfo list

 

To get more specific information on a RHSA and the CVEs that it applies to, you can search by RHSA as seen below.

# yum updateinfo RHSA-2014:0771

 

Need to see which patches are required to address a certain CVE? Then this next command is for you. Trust me, this one is useful, as it gives you a list of all required packages that address that CVE.

# yum updateinfo list --cve=CVE-2013-6378
Loaded plugins: amazon-id, rhui-lb, security
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64

 

Want to see a list of all fixes by severity? Then you can use the command below. Note that I am using Important as my severity, as there are no critical updates applicable to my test system at this time.

# yum updateinfo list --sec-severity=Important
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64

 

You can also search for security fixes by package name as shown below.

# yum updateinfo list kernel
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64

 

You can also use YUM to apply only security-related updates, as shown below. This is useful if you are in a pinch and need to quickly apply all security updates to make your Infosec team happy.

# yum --security update
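
An added example, not part of the original post: two shell functions that read yum updateinfo list output in the format shown above, count pending packages per security advisory, and return a non-zero status when an advisory at or above a chosen severity is outstanding, which suits a cron job or monitoring check. The function names and the sample text are constructed for this example, and the RHBA line uses a placeholder ID.

```shell
#!/bin/sh
# Added example: turn "yum updateinfo list" output into a patch-level check.
# SAMPLE is constructed from the listing above; the RHBA line is a placeholder.
SAMPLE='Loaded plugins: amazon-id, rhui-lb, security
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64
RHBA-0000:0000 bugfix example-pkg-1.0-1.el6.noarch'

# Read the listing on stdin; print "ADVISORY SEVERITY PACKAGE_COUNT" for each
# security advisory, in first-seen order. Non-security lines are ignored.
sec_summary() {
    awk '$2 ~ /\/Sec\.$/ {
             sev = $2; sub(/\/Sec\.$/, "", sev)
             key = $1 " " sev
             if (!(key in count)) order[++n] = key
             count[key]++
         }
         END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }'
}

# Read the same listing; print advisories at or above MIN severity and return
# 1 if there are any, 0 if none, 2 if MIN is not a known severity.
sec_gate() {    # usage: yum updateinfo list | sec_gate Important
    case $1 in Low|Moderate|Important|Critical) ;; *) return 2 ;; esac
    sec_summary | awk -v min="$1" '
        BEGIN { r["Low"] = 1; r["Moderate"] = 2; r["Important"] = 3; r["Critical"] = 4 }
        ($2 in r) && r[$2] >= r[min] { print "pending:", $0; hit = 1 }
        END { exit hit + 0 }'
}

printf '%s\n' "$SAMPLE" | sec_summary    # RHSA-2014:0771 Important 4
```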


HomeLab: Upgrading Cisco IOS Via tftp on RHEL

So I was planning on blogging about this process simply because I keep forgetting it. Being that I am in the middle of building out my lab, and have a ton of old Cisco hardware with ancient images, I have found myself going through the process of updating firmware quite a bit as I tinker with different IOS images.

The first thing that you are going to need is a tftp server, which I am running on my Fedora 18 desktop. It's a very easy setup, and has been simply documented at the link below. Note that the article below is specifically about how to set up a tftp server on RHEL; however, the process is pretty much the same.

How to Install a tftp Server on RHEL

Now if you are looking to set up a tftp server on Windows, well, I cannot help you there. If I recall, you just download and install a server app, and away you go.

Below is another link that I have found that also does a fine job of explaining the Cisco side of the process simply, without getting too technical and long winded.

How to Upgrade Cisco IOS Images

 


Ubuntu Linux- Locate Failed Dimms without Pain

So I have recently made the switch to Kubuntu 12.10 on my new desktop. Basically I am building a monster workstation and I ran into issues running Fedora 18. Since I wanted Steam support too, I decided not to try to move to an earlier Fedora version, but rather chose to give Ubuntu another try (it's been years since I have run Ubuntu).

Anyway, I am building this hoss of a workstation that has 12 DIMM slots, which I fully populated with 4GB DIMMs. However, when I booted my new monster, I found that I was 8GB short in the memory department.

So, how do I figure out which two DIMMs are bad? I certainly don't want to have to pull all of them out, boot the machine, and test each DIMM one by one.

So this is where lshw comes to the rescue, which I blogged about back in 2010 here.

Anyway. Here is how you find the empty slots.

# lshw -short -C memory

which outputs what you see below.

/0/14                           memory      System Memory
/0/14/0                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/14/1                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/14/2                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/14/3                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/14/4                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/14/5                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/22                           memory      System Memory
/0/22/0                         memory      DIMM DDR3 [empty]
/0/22/1                         memory      DIMM DDR3 [empty]
/0/22/2                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/22/3                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/22/4                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)
/0/22/5                         memory      4GiB DIMM DDR3 1066 MHz (0.9 ns)

Basically this is telling me that my first two DIMMs on CPU two are dead and are the ones that need to be replaced.

Now all I have to do is power down and pull and replace two DIMMs, which will save my fingers from much discomfort.

RHEL6 – How to Setup a Caching-Only DNS Server


First off, let's get this straight: all DNS servers cache. However, some DNS servers are intended to provide only the caching function, which is what we are going to configure today.

A Caching-only DNS server does not contain zone information or a zone database. Its cache only contains information based on the results of queries that it has already performed. In this case, the cache takes the place of the zone database file for the lookups that you are already doing.

Here's how it's done.

First, install bind via yum.

# yum install bind

Now configure named to start at boot and start it up

# chkconfig named on && service named start

Then modify /etc/named.conf and change these two lines

listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };

to this

listen-on port 53 { any; };
listen-on-v6 port 53 { any; };

Then change the dnssec-validation line to no, as seen below.

dnssec-validation no;

Then configure named to accept lookups from its local network by changing the line below

allow-query     { localhost; };

to what you see below. Note that 10.1.224.0 is my local network.

allow-query     { localhost; 10.1.224.0/24; };

Now don’t forget to insert a forwarders entry to forward requests to your local dns server. Look in your resolv.conf for this info.

forwarders { 10.100.4.16; };

Then modify your /etc/resolv.conf so that your machine uses itself for name lookups. You do this by adding the line below as the first nameserver.

nameserver 127.0.0.1

Now start named and do an nslookup; the server and address should point back to localhost.

# nslookup fatmin.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   fatmin.com
Address: 64.202.189.170

RHEL6 – Managing Swap Space

Swap space on a Linux box is an area on disk that is used to hold inactive memory pages. This occurs when the system needs more memory than is currently available, so it swaps these inactive memory pages to disk.

To create additional swap space on the fly you are either going to need a spare disk or free partition on a disk that you can use.

First, using fdisk,  you will need to make sure that the partition type for the disk (or partition) is set to 82.

Then set up the swap area using mkswap. In this example I am using /dev/sdb2, but your setup is bound to be different.

# mkswap /dev/sdb2

Then determine the UUID of the new swap space.

# blkid /dev/sdb2

Then add an entry to /etc/fstab so that the swap space is mounted at boot time. The UUID shown in the example below comes from the output of the blkid command above.

UUID=7b05f0a9-18d5-42e5-b259-78ba3a8cc1b7 swap                    swap    defaults        0 0

Then activate your new swap space

# swapon -a

Then check to make sure everything worked by checking for your new swap partition in the output of the command below.

# swapon -s

/dev/sdb2                             partition       4193276 7480    0

RHEL6 – Using ACLs to Grant and Restrict File Access


Access Control Lists, or ACLs, provide more control over file permissions than standard Linux file permissions (UGO — user, group, other). For example, let's say that you want all members of the group "students" to have the ability to read a file, but you want to give one user in that group the ability to write to the file. ACLs can help you do this.

The first thing that you need to know is that you cannot just start using ACLs right away; first you have to make sure that your filesystem is mounted so that ACLs are available. This means adding acl to the mount options in /etc/fstab.

UUID=3fa4603e-9874-4f47-ae1c-3f7715a54238 /                       ext4    defaults,user_xattr

So in my fstab, I change the line above to the line below. I know, exciting right?

UUID=3fa4603e-9874-4f47-ae1c-3f7715a54238 /                       ext4    defaults,user_xattr,acl

Now, to view the permissions and ACLs on a file, use the getfacl command. Below I am checking the file RangerRick.jpg in /root/Pictures. In the example below there are no ACLs assigned, btw.

[root@fedora15 Pictures]# getfacl RangerRick.jpg
# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
group::r--
other::r--

So let's allow the user "chris" to write to the file, not just read it.

[root@fedora15 Pictures]# setfacl -m u:chris:w RangerRick.jpg

Now run getfacl again and check out the difference

[root@fedora15 Pictures]# getfacl RangerRick.jpg
# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
user:chris:-w-
group::r--
mask::rw-
other::r--
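
The mask:: line in the listing above caps what named users, named groups and the owning group can actually do. The following is an added example, not part of the original post, that reads getfacl output and prints each entry's effective permissions; the function name and the sample listing (the one above with the mask tightened to r--) are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which ACL entries the mask actually limits.
# SAMPLE_ACL is constructed: the listing above with the mask tightened to r--.
SAMPLE_ACL='# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
user:chris:-w-
group::r--
mask::r--
other::r--'

# Read getfacl output on stdin; print each access entry with its effective
# permissions. The mask caps named users, named groups and the owning group;
# the file owner (user::) and other:: are never masked. Default ACL entries
# are skipped because they only seed the ACLs of newly created files.
acl_effective() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }
        {
            n++; tag[n] = $1; who[n] = $2
            perm[n] = substr($3, 1, 3)      # drop any trailing comment
            if ($1 == "mask") mask = perm[n]
        }
        END {
            for (i = 1; i <= n; i++) {
                if (tag[i] == "mask") continue
                eff = perm[i]
                capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (capped && mask != "") {
                    eff = ""
                    for (c = 1; c <= 3; c++) {
                        m = substr(mask, c, 1)
                        eff = eff (m == "-" ? "-" : substr(perm[i], c, 1))
                    }
                }
                printf "%s:%s:%s effective=%s\n", tag[i], who[i], perm[i], eff
            }
        }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

Run it against a real file with getfacl RangerRick.jpg | acl_effective. In the sample, chris still has a -w- entry but can no longer write, which is the kind of surprise a chmod on the group bits produces.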

Additional Examples:

Let's give all users in the group "students" the ability to write to the file, since they may want to modify it and photochop their faces over the dear old raccoon's face.

[root@fedora15 Pictures]# setfacl -m g:students:w RangerRick.jpg

But oh no, user "bert" in the group "students" has decided to modify the file RangerRick.jpg in an inappropriate way, so let's remove his permissions altogether.

[root@fedora15 Pictures]# setfacl -x u:bert RangerRick.jpg

Let's say that we want to allow the user "chris" to be able to modify all existing and newly created files in the Pictures directory where the Ranger Rick picture lives.

[root@fedora15 Pictures]# setfacl -m d:u:chris:rw /root/Pictures

Note that when a file has ACLs assigned to it, a plus sign ("+") will appear in the output of 'ls -l'.

-rw-rw-r--+ 1 root root 148011 Oct 12 15:06 RangerRick.jpg

Honestly, you will probably never need to use ACLs, but they are handy to have available if you run into some sort of situation where you need to grant very particular permissions to files and directories.