HOWTO Remove /home logical volume and add that space to the root partition

07 Sunday Aug 2022

Tags

You have a host with too much space allocated to /home and you need to remove and reallocate it to the root partition. This may be because there are no human users on this server and you just have or need service accounts. Backup any files you need from /home before you start.

1) Get the list of mounted file systems.
> df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.8G 0 1.8G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 9.1M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/rl-root 37G 27G 11G 71% /
/dev/mapper/rl-home 19G 189M 18G 2% /home
/dev/sda1 1014M 342M 673M 34% /boot
vboxshare 477G 104G 373G 22% /media/sf_vboxshare
tmpfs 374M 12K 374M 1% /run/user/42
tmpfs 374M 0 374M 0% /run/user/0

2) Get the filesystem type. In this case it’s xfs. This informs a later step.
> lsblk -f | grep home
└─rl-home xfs 9fd41fcd-e123-40b8-8461-7500b9aaa023 /home

3) Get the volume details. Note the values for LV Path and LV Size.
> lvdisplay /dev/rl/home
— Logical volume —
LV Path /dev/rl/home
LV Name home
VG Name rl
LV UUID z2Kg70-xYsg-Cx11-ROoj-Fl5T-g0Pb-wuksJ9
LV Write Access read/write
LV Creation host, time ryl8, 2022-07-29 14:57:34 -0400
LV Status available
# open 1
LV Size 18.05 GiB
Current LE 4622
Segments 1
Allocation inherit
Read ahead sectors auto
– currently set to 8192
Block device 253:2

4) Copy any files you need out of /home. Then unmount it as root, not su – root from another user.
> umount /home

5) Using the LV PATH value from lvdisplay above, remove the logical volume for /home.
> lvremove /dev/rl/home
Do you really want to remove active logical volume rl/home? [y/n]: y
Logical volume “home” successfully removed.

6) Make sure the volume is free in the VFree column.
> vgs -v
VG Attr Ext #PV #LV #SN VSize VFree VG UUID VProfile
rl wz–n- 4.00m 1 2 0 <59.00g 18.05g l6h9Zk-Ue9m-7oPJ-iPJK-XdRy-yfqD-zI56bB

7) Extend the free space to the root partition.
a) Extend the root logical volume to take up the free space you just made available.
> lvextend -l +100%FREE /dev/mapper/rl-root
Size of logical volume rl/root changed from 36.98 GiB (9467 extents) to <55.04 GiB (14089 extents).
Logical volume rl/root successfully resized.

b) Grow the filesystem onto the new lv space.
> xfs_growfs /dev/mapper/rl-root
xfs_growfs /dev/mapper/rl-root
meta-data=/dev/mapper/rl-root isize=512 agcount=4, agsize=2423552 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1 bigtime=0 inobtcount=0
data = bsize=4096 blocks=9694208, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=4733, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
data blocks changed from 9694208 to 14427136

8) df -h to see the changes.
Filesystem Size Used Avail Use% Mounted on
devtmpfs 1.8G 0 1.8G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 9.1M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/rl-root 56G 27G 29G 48% /
/dev/sda1 1014M 342M 673M 34% /boot
vboxshare 477G 104G 373G 22% /media/sf_vboxshare
tmpfs 374M 12K 374M 1% /run/user/42
tmpfs 374M 0 374M 0% /run/user/0

9) Edit /etc/fstab and remove or comment out /home and reboot.
> vi /etc/fstab
#/dev/mapper/rl-home /home xfs defaults 0 0

10) Reboot to seat the changes.
> reboot

11) Create new users as needed. Use /home as a folder on the root volume and not a space wasting logical volume as before.

Patch Rocky Linux 8.6 on an Offline or Air-Gapped System

30 Saturday Jul 2022

Posted by Slice2 in Linux, Security

≈ Leave a comment

Tags

Linux, Security

So you’ve successfully switched from CentOS to Rocky Linux and your hosts are on an isolated network. This post demonstrates how to patch a Rocky Linux 8.6 host when it doesn’t have internet access or is an isolated system with no access to a yum repo.

On a host with internet access (Public facing host), perform the following steps. I used a Rocky Linux 8.6 VM running on Windows 11 and VirtualBox 6.1.36. As long as you have internet access, any rpm based Linux distro will do as long as it has rsync, genisoimage, and yum-utils.

1) Make sure you have rsync, genisoimage and yum-utils installed. If not install them.

> sudo rpm -q genisoimage-*
genisoimage-1.1.11-39.el8.x86_64

> sudo rpm -q yum-utils
yum-utils-4.0.21-11.el8.noarch

> sudo rpm -q rsync
rsync-3.1.3-14.el8_6.2.x86_64

a) If not, install them.

> sudo yum install genisoimage
> sudo yum install yum-utils
> sudo yum install rsync

2) On your internet facing host, create folders for the repos and packages you need. You can specify any folder(s) you require. I require the repos below, but you may need packages installed from other repos so create those folders. Most people only need BaseOS and AppStream. The “updates” repo is no longer used in 8x and has been removed. Updated packages are just placed in their regular repo and not separated. The full list can be found on a mirror site like this one I use: https://mirrors.rit.edu/rocky/8.6/

a) Create the folders locally and harvest the data from the mirror site using rsync. Note that these folders will create an approx 19 Gig ISO file in step 3. You need a Blu-ray burner or USB drive to move the file to your air-gapped hosts. Also make sure the filesystem you write the ISO to has enough space. Note that there are two dashes before “- -“progress below, not one. It renders as one dash so make sure you have two dashes before progress or just remove that option from your cli.

> sudo mkdir -pv /repo/BaseOS
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/BaseOS/x86_64/os/ /repo/BaseOS

> sudo mkdir -pv /repo/AppStream
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/AppStream/x86_64/os/ /repo/AppStream

> sudo mkdir -pv /repo/PowerTools
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/PowerTools/x86_64/os/ /repo/PowerTools

> sudo mkdir -pv /repo/extras
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/extras/x86_64/os/ /repo/extras

> sudo mkdir -pv /repo/Devel
> sudo /usr/bin/rsync -avrt – -progress rsync://mirrors.rit.edu/rocky/8.6/Devel/x86_64/os/ /repo/Devel

3) Use genisoimage to create an ISO of the whole set. Note that in the command below, I write this ISO image to a VirtualBox shared folder mounted at /media/sf_vboxshare. Use any path you like as long as its big enough. The syntax is: genisoimage cli options – location and name of ISO file to be created and files/folders to be included in the ISO.

> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /media/sf_vboxshare/rocky8.6.repo.2022JUL29.iso /repo

4) Burn the ISO (as a file, not as an extracted image) to a Blu-ray, or copy to a USB drive and move it to the offline or air-gapped host. Since I have VMs, I will automount the ISO to the VM. If you need to mount the ISO on a host with a Blu-ray, USB drive, or from the local filesystem, the next three steps outline how to do it.

a) Mount the ISO. You have options if you don’t automount ISOs. If your host is a VM, mount it as your hypervisor dictates. You can copy the ISO to the local filesystem and mount it. Or, manually mount the ISO from a local or USB attached Blu-ray or USB drive.

b) If copied to the local file system:

> sudo mkdir /mnt/iso
> sudo mount -t iso9660 -o loop /home/repouser/rocky8.6.repo.2022JUL29.iso /mnt/iso/

c) If mounted via usb drive or if automount is not enabled:

> sudo mkdir /mnt/iso
> sudo blkid (to find your cd/dvd device, chances are its /dev/sr0)
> mount /dev/sr0 /mnt/iso/

d) Verify your mount. The “Mounted on” path is important because it is used below when you create the local.repo file.

> sudo df -h /dev/loop0
Filesystem Size Used Avail Use% Mounted on
/dev/loop0 19G 19G 0 100% /mnt/iso

> sudo df -h /dev/sr0
Filesystem Size Used Avail Use% Mounted on
/dev/sr0 19G 19G 0 100% /mnt/iso

If automounted it could look like this:
> sudo df -h /dev/sr0
Filesystem Size Used Avail Use% Mounted on
/dev/sr0 19G 19G 0 100% /run/media/root/CDROM

e) List the repos that will be used to create the local.repo file. Depending on how you mounted the ISO above (manual or automount), your /dev/sr0 mountpoint will be different. You simply need to adjust the baseurl path in local.repo in the next step.

> sudo ls -l /mnt/iso
or….
> sudo ls -l /run/media/repouser/CDROM

dr-xr-xr-x. 4 root root 2048 Jul 28 23:35 AppStream
dr-xr-xr-x. 7 root root 2048 Jul 28 23:30 BaseOS
dr-xr-xr-x. 4 root root 2048 Jul 28 23:14 Devel
dr-xr-xr-x. 4 root root 2048 Jul 28 23:13 extras
dr-xr-xr-x. 2 root root 2048 Jul 29 15:41 PowerTools

5) Create a repos archive folder if it doesn’t already exist. Move existing *.repo files to the archive folder for safe keeping and create the new local.repo file.

> sudo mkdir -pv /etc/yum.repos.d/archive
> cd /etc/yum.repos.d/
> sudo /bin/mv *.repo archive/
> cd /etc/yum.repos.d/
> sudo vi local.repo

Copy/paste everything below between the # Custom local.repo file # header and footer into the local.repo and wq! to save the file. Note the baseurl= file path. Edit this path based on how you mounted in step 4d above. Since I automounted the ISO, I used the ///run/media/root/CDROM/repo name/ path format.

If automounted, its baseurl=file:///run/media/root/CDROM/repo name/
If manually mounted, its baseurl=file:///mnt/iso/repo name/

# Custom local.repo file #
[appstream]
name=Rocky Linux $releasever – AppStream
baseurl=file:///run/media/root/CDROM/AppStream/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[baseos]
name=Rocky Linux $releasever – BaseOS
baseurl=file:///run/media/root/CDROM/BaseOS/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[devel]
name=Rocky Linux $releasever – Devel WARNING! FOR BUILDROOT AND KOJI USE
baseurl=file:///run/media/root/CDROM/Devel/
gpgcheck=1
enabled=0
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[extras]
name=Rocky Linux $releasever – Extras
baseurl=file:///run/media/root/CDROM/extras/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[powertools]
name=Rocky Linux $releasever – PowerTools
baseurl=file:///run/media/root/CDROM/PowerTools/
gpgcheck=1
enabled=0
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
# Custom local.repo file #

6) Update the host and reboot. If you get errors trying to run yum update due to gpg checks, just comment out gpgkey and change gpgcheck to 0 in the local.repo file, and then run yum update again. Or, you can download the keys here: https://rockylinux.org/keys/

a) Verify if you have the keys installed. The green key below is the one used in the gpgkey= path above in local.repo. If not installed, comment out gpgkey= and set gpgcheck to 0 in the local.repos file above or download the keys and copy to /etc/pki/rpm-gpg/.

> sudo gpg –quiet –show-keys /etc/pki/rpm-gpg/*
pub rsa4096 2009-10-22 [SC]
567E347AD0044ADE55BA8A5F199E2F91FD431D51
uid Red Hat, Inc. (release key 2) <security@redhat.com>

pub rsa4096 2021-02-14 [SCE]
7051C470A929F454CEBE37B715AF5DAC6D745A60
uid Release Engineering <infrastructure@rockylinux.org>

pub rsa4096 2021-02-14 [SCE]
091A44047C3D8B7A331F5E185489E42BBBE2C108
uid Release Engineering <infrastructure@rockylinux.org>

> yum update
> reboot

b) After reboot, eject the ISO.
> umount /dev/sr0

HOWTO Install the Splunk Universal Forwarder on FreeBSD

24 Sunday Apr 2022

Posted by Slice2 in Splunk

≈ Leave a comment

Tags

FreeBSD

The following steps were tested on FreeBSD x64 11.4, 12.3, 13.0 and 13.1.

1) There are a few required adjustments before installing the forwarder on FreeBSD. This ensures the forwarder functions properly.

a) As root, add the following to loader.conf.
> vi /boot/loader.conf

kern.maxdsiz=”2147483648″ # 2GB
kern.dfldsiz=”2147483648″ # 2GB
machdep.hlt_cpus=0

b) Add the following to sysctl.conf.
> vi /etc/sysctl.conf

vm.max_proc_mmap=2147483647

c) Restart for the changes to take effect.
> reboot

2) If you have a Forwarder installed, remove it. If you don’t, skip to step 3.

a) Check if running and if so stop it.
> /opt/splunkforwarder/bin/splunk status
> /opt/splunkforwarder/bin/splunk version
> /opt/splunkforwarder/bin/splunk stop

b) Get the package name and delete the older release. And yes, that is a \ before the * as you have to escape it. In this example, splunkforwarder-8.1.6 is being removed.
> pkg info -g splunkforwarder\*
> pkg delete -y splunkforwarder-8.1.6
> rm /etc/rc.d/splunk
> rm -R /opt/splunkforwarder

3) If a new install, check to see if /opt exists. If not, create it.
> ls -l /opt

If not there, create it.
> mkdir /opt

3) Move the Forwarder package to /tmp on your FreeBSD host and install it.
> cd /tmp
> pkg install splunkforwarder-8.2.3-cd0848707637-freebsd-11.3-amd64.txz

Updating FreeBSD repository catalogue…
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity… done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
splunkforwarder: 8.2.3

Number of packages to be installed: 1

The process will require 64 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Installing splunkforwarder-8.2.3…
Extracting splunkforwarder-8.2.3: 100%
complete

a) Start the Forwarder and accept the license.
> /opt/splunkforwarder/bin/splunk start –accept-license –answer-yes

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: splunkadmin
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

b) Enable the Forwarder to start when the system is booted.
> /opt/splunkforwarder/bin/splunk enable boot-start

Init script installed at /etc/rc.d/splunk.
Init script is configured to run at boot.

4) If you don’t use a Deployment server, skip this step. If you use a Deployment server, set the deployment server configuration. Typically this comes from your Splunk team so this is an example only.
> vi /opt/splunkforwarder/etc/system/local/deploymentclient.conf

[deployment-client]

[target-broker:deploymentServer]
targetUri=192.168.1.100:8089

5) Restart the Forwarder and verify the configuration.
> /opt/splunkforwarder/bin/splunk restart
> /opt/splunkforwarder/bin/splunk status

a) Verify that its set in rc to start at boot and that the process is running.
> service -e | grep splunk
/etc/rc.d/splunk

> ps -x | grep splunkd
1494 – S 0:02.54 splunkd -p 8089 restart
1495 – Is 0:00.04 splunkd: [splunkd pid=1494] splunkd -p 8089 restart [process-runner] (splunkd)

> cat /etc/rc.conf | grep splunk
splunk_enable=”YES”

6) Installation is complete.

HOWTO install a Splunk Universal Forwarder on Solaris 11 SPARC and x64 Using pkg(p5p) and tar

05 Saturday Mar 2022

Posted by Slice2 in Solaris, Splunk

≈ 2 Comments

Tags

Solaris

I recently had to get the Forwarders installed and there are no detailed steps in the Splunk docs for Solaris 11. If you need Solaris 10 steps, see my post here.

1) There are two installation options and platforms supported by Splunk; using pkg and tar on SPARC and x64 CPUs. The platform/CPU type is at the end of the filename shown below. The steps below cover both types of installation scenarios. Choose the steps for the way in which you want to install and the platform you have. There is a Universal Forwarder for SPARC and x64 (Intel/AMD) CPUs. Be sure to su – root before you start, or use sudo in front of the commands.

a) Native pkg (as in .p5p) formatted binary – easy to manage and upgrade, software included in inventory and vuln scans. Installed using pkg:
splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
splunkforwarder-8.2.3-cd0848707637-solaris-sparc.p5p

b) Extracted via tar – software not seen by inventory and vuln scans, only the running splunkd process identifies it in scans (but not the version running). Installed using tar:
splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar.Z
splunkforwarder-8.2.3-cd0848707637-SunOS-sparc.tar.Z

2) Verify that you have the required libc installed.
> pvs /usr/lib/libc.so.1 | grep SUNW_1.22.7
> pvs /usr/lib/libc.so.1 (to get a list of all libc versions)

3) Backup your files. If you have any locally customized .conf files in the following folders, save a copy now. Note that some older forwarders
may not use upper case letters in the path.

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
/opt/splunkforwarder/etc/system/local/

4) If an existing Forwarder is running, identify your Splunk index. You will need this value along with your hostname, IP address and platform later.
> cat /opt/splunkforwarder/etc/system/local/inputs.conf | grep index
> hostname
> ifconfig -a | grep inet (or just ifconfig -a if you have multiple NICs plumbed)
> uname -a

5) Check for existing version and state.
If the existing Forwarder was installed with pkg:
> pkg list | splunk
> pkg info -r splunkforwarder | egrep -i “Summary|Version”
> /opt/splunkforwarder/bin/splunk status
> ps aevx | grep splunkd

If the existing Forwarder was installed with tar:
> /opt/splunkforwarder/bin/splunk version
> /opt/splunkforwarder/bin/splunk status
> ps aevx | grep splunkd

6) Stop the currently installed Universal Forwarder and then remove it.
> /opt/splunkforwarder/bin/splunk stop

If installed via pkg:
> pkg uninstall splunkforwarder
> rm /etc/init.d/splunk

If installed via tar:
> cd /opt/
> rm -r splunkforwarder
> rm /etc/init.d/splunk

7) Make sure the Splunk sockets are no longer in use or locked. Copy/paste each line below one at a time and press enter.
> PORT=8089; for PID in /proc/*; do pfiles ${PID} |grep “port: ${PORT}” && echo ${PID}; done
> PORT=9997; for PID in /proc/*; do pfiles ${PID} |grep “port: ${PORT}” && echo ${PID}; done

a) If the commands above return anything (and they shouldn’t), you need to kill the process.
> pfiles process_id (from the output of the commands above to get process details)
> pkill process_id

8) Move the package to your host. Based on your CPU type (SPARC or x64) and the installation method you chose (pkg or tar), copy the Universal Forwarder to your server using scp, Filezilla, WinSCP or your preferred file transfer method.

If installing with tar:
> cp splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar.Z /opt/
> cd /opt
> uncompress splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar.Z
> tar xvf splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar
> chown -R root:root splunkforwarder

If installing with pkg:
> cp splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p /opt/
> cd /opt/
> pkg list -g file:////opt/splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
> pkgrepo info -s /opt/splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
> pkg set-publisher -p /opt/splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p splunk
> pkg install -nv splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
> pkg install -g ./splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p splunkforwarder

a) For both pkgadd and tar, start and accept the license.
> /opt/splunkforwarder/bin/splunk start –accept-license –answer-yes

This appears to be your first time running this version of Splunk.

Please enter an administrator username: splunkadm (<– you can use any account name you want here, its for splunkd, not an OS account)
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

b) For both pkgadd and tar, enable auto-start when the server is rebooted.
> /opt/splunkforwarder/bin/splunk enable boot-start

c) For both pkgadd and tar, copy the deploymentclient.conf file (provided by the Splunk team) to the path listed below. Note that if a Deployment server is not being used, skip this step.
> cp deploymentclient.conf /opt/splunkforwarder/etc/system/local/
> /opt/splunkforwarder/etc/system/local/
> chown root:root deploymentclient.conf

8) Restart the Forwarder, verify that its running and contact your Splunk team via email. Send them your index, hostname, ip and platform so they can associate your new Forwarder with the proper inputs.
> /opt/splunkforwarder/bin/splunk restart
> /opt/splunkforwarder/bin/splunk status
> ps aevx | grep splunkd

9) Connectivity issues? See if the Solaris firewall is on and has any rules for Splunk ports 8089 and 9997. Adjust rules as needed.
> svcs -x firewall:default
> pfbash pfctl -s rules

HOWTO install a Splunk Universal Forwarder on Solaris 10 SPARC and x64 Using pkgadd and tar

13 Sunday Feb 2022

Posted by Slice2 in Solaris, Splunk

≈ 1 Comment

OK, OK, I know. Solaris 10 is old and dusty. Extended support has been pushed out to January 2024 so there are still plenty of systems in use out there. I recently had to get the Forwarders installed and there are no detailed steps in the Splunk docs. This covers installing via pkgadd and tar. Also, the last available Forwarder I could find on their site that supports Solaris 10 is v7.3.9.

1) There are two installation options and platforms supported by Splunk; using pkgadd and tar on SPARC and x64 CPUs. The platform/CPU type is at the end of the filename shown below. The steps below cover both types of installation scenarios. Choose the steps for the way in which you want to install and the platform you have. There is a Universal Forwarder for SPARC and x64 (Intel/AMD) CPUs so simply insert the Forwarder filename you need in the steps listed below. This HOWTO was done using Solaris 10 x64 so if you have a SPARC host, use the sparc Forwarder filename.

a) Native pkg formatted binary – easy to manage and upgrade, software included in inventory and vuln scans. Installed using pkgadd:
splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-intel.pkg.Z
splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-sparc.pkg.Z

b) Extracted via tar – software not seen by inventory and vuln scans, only the running splunkd process identifies it in scans (but not the version running). Installed using tar:
splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar.Z
splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-sparc.tar.Z

2) Verify that you have the required libc installed.
> pvs /usr/lib/libc.so.1 | grep SUNW_1.22.7
> pvs /usr/lib/libc.so.1 (to get a list of all libc versions)

a) Solaris 10 hosts must be updated to libc SUNW_1.22.7 or later. See the Oracle Support page that lists patches that include libc changes (Oracle Support required): https://support.oracle.com/rs?type=doc&id=2069855.1

SUNW_1.22.7
SPARC: Patch 144500-19
X64: Patch 144501-19

3) Backup your files. If you have any locally customized .conf files in the following folders, save a copy now. Note that some older forwarders
may not use upper case letters in the path.

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
/opt/splunkforwarder/etc/system/local/

4) Identify your Splunk index. You will need this value along with your hostname, IP address and platform later.
> cat /opt/splunkforwarder/etc/system/local/inputs.conf | grep index
> hostname
> ifconfig -a | grep inet (or just ifconfig -a if you have multiple NICs plumbed)
> uname -a

5) Check for existing version and state.
If the existing Forwarder was installed with pkgadd:
> pkginfo -l | grep splunk
> pkginfo -l splunkforwarder* | grep VERSION
> /opt/splunkforwarder/bin/splunk status
> ps -ef | grep splunkd

If the existing Forwarder was installed with tar:
> /opt/splunkforwarder/bin/splunk version
> /opt/splunkforwarder/bin/splunk status
> ps -ef | grep splunkd

6) Stop the currently installed Universal Forwarder and then remove it.
> /opt/splunkforwarder/bin/splunk stop

If installed via pkgadd:
> pkgrm splunkforwarder
> rm /etc/init.d/splunk

If installed via tar:
> cd /opt/
> rm -r splunkforwarder
> rm /etc/init.d/splunk

a) If the commands above return anything (and they shouldn’t), you need to kill the process.
> pfiles process_id (from the output of the commands above to get process details)
> pkill process_id

8) Move the package to your host. Based on your CPU type (SPARC or x64) and the installation method you chose (pkgadd or tar), copy the Universal Forwarder to your server using scp, Filezilla, WinSCP or your preferred file transfer method.

If installing with tar:
> cp splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar.Z /opt/
> cd /opt
> uncompress splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar.Z
> tar xvf splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar
> chown -R root:root splunkforwarder

If installing with pkgadd:
> pkgadd -d splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-intel.pkg all

Do you want to continue with the installation of <splunkforwarder> [y,n,?] y

a) For both pkgadd and tar, start and accept the license.
> /opt/splunkforwarder/bin/splunk start –accept-license –answer-yes

This appears to be your first time running this version of Splunk.

Please enter an administrator username: splunkadm (<– you can use any account name you want here, its for splunkd, not an OS account)
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

b) For both pkgadd and tar, enable auto-start when the server is rebooted.
> /opt/splunkforwarder/bin/splunk enable boot-start

c) For both pkgadd and tar, copy the deploymentclient.conf file to the path listed below. Note that if a Deployment server is not being used, skip this step.
> cp deploymentclient.conf /opt/splunkforwarder/etc/system/local/
> /opt/splunkforwarder/etc/system/local/
> chown root:root deploymentclient.conf

9) Connectivity issues? See if the Solaris firewall is on and has any rules for Splunk ports 8089 and 9997. Adjust rules as needed.
> svcs | egrep ‘(pfil|ipfilter)’
> ipfstat -io

Recover Files from a Windows NTFS partition using Linux based SystemRescue

11 Tuesday Jan 2022

Posted by Slice2 in Linux, Security, Windows

≈ 2 Comments

SystemRescue (formerly named SystemRescueCd) is a bootable Linux rescue toolset for repairing or manipulating your partitions and data on a disk. This post shows how to quickly mount a Windows NTFS file system to recover files.

1) Download the ISO and burn it to CD. Or, if you are rescuing a Windows VM, you will just mount the ISO.
https://www.system-rescue.org/Download/

2) Boot to SystemRescue. If you are working on a physical host, you may need to change you BIOS setting to boot the CD/DVD drive first. If a VM, make sure you attach the ISO and modify your boot order if needed. When presented to you, select “Boot SystemRescue using default options.” The Live CD option will load and when prompted, enter:

[root@sysrescue ~]# startx

3) The desktop will load and provide access to various tools. When the desktop is loaded, you can either enable the network or mount a USB drive to insert a file (drivers, tweaks, etc.) or retrieve files from the file system. Depending on the method you choose, see Network Access or USB Drive Access below for the steps.

a) Network Access. In the lower right corner, right-click the rotating swoosh and green dots icon and select edit connections. Select Wired Connection 1 and click the gear icon at the bottom. On the IPv4 Settings tab, select Method, then Manual, click Add and enter an IP address, Mask, Gateway, DNS (if DNS is needed) and click Save. It can take about 10 seconds for the settings to apply and the network service to restart. Ping to verify that it is up.

b) To quickly enable SSH/SCP/SFTP and securely harvest files over the network:
[root@sysrescue ~]# systemctl enable sshd
[root@sysrescue ~]# systemctl start sshd
[root@sysrescue ~]# systemctl disable iptables
[root@sysrescue ~]# systemctl stop iptables
[root@sysrescue ~]# passwd (to reset the root password)

c) Launch an Xterm, Putty or Powershell on a remote host to verify access. For example in an xterm or Powershell:
> ssh root@ip.you.assigned.above

d) If using Filezilla: to drag and drop/copy files to or from, enter these parameters and click QuickConnect.
Host: sftp://ip.you.assigned.above
Username: root
Password: root’s password
Port: 22

e) USB Drive Access. Insert a USB drive to the physical host or attach a USB device to a VM. In this case, the device ID below a simple 2 GB, vfat formatted PNY USB stick.
[root@sysrescue ~]# blkid (to find your USB device such as the one listed below on /dev/sdb1)

/dev/sdb1: LABEL=”SYSRCD-5″ UUID=”90BB-72F0″ BLOCK_SIZE=”512″ TYPE=”vfat” PARTUUID=”04aa1751-01″

f) Mount the USB device. Once mounted, you can move or copy files to or from the /usbdrive mount point.
[root@sysrescue ~]# mkdir /usbdrive
[root@sysrescue ~]# mount /dev/sdb1 /usbdrive
[root@sysrescue ~]# ls -l /usbdrive
drwxr-xr-x 2 root root 4096 Nov 22 2019 ‘System Volume Information’

4) Check for the Windows partition.
[root@sysrescue ~]# blkid | grep ntfs
/dev/sda2: BLOCK_SIZE=”512″ UUID=”ECF28F77F28F44B4″ TYPE=”ntfs” PARTUUID=”03fdd544-02″
/dev/sda1: LABEL=”System Reserved” BLOCK_SIZE=”512″ UUID=”240E8ECC0E8E9688″ TYPE=”ntfs” PARTUUID=”03fdd544-01″

a) See /dev/sda1 in the list? The partition with LABEL=”System Reserved” is not the one you want to mount. In this case, /dev/sda2 is the Windows OS partition with all of your files, logs, registry, etc.

b) Create a mountpoint and mount the Windows partition.
[root@sysrescue ~]# mkdir -pv /mnt/windows
[root@sysrescue ~]# ntfs-3g /dev/sda2 /mnt/windows

c) Check the new mountpoint.

[root@sysrescue ~]# cd /mnt/windows
[root@sysrescue /mnt/windows]# ls -l
drwxrwxrwx 1 root root 0 Aug 22 2013 ‘$Recycle.Bin’
-rwxrwxrwx 1 root root 427680 Aug 22 2013 bootmgr
-rwxrwxrwx 1 root root 1 Jun 18 2013 BOOTNXT
lrwxrwxrwx 2 root root 23 Aug 22 2013 ‘Documents and Settings’ -> /mnt/windows/Users
-rwxrwxrwx 1 root root 2147483648 Dec 17 20:51 pagefile.sys
drwxrwxrwx 1 root root 0 Aug 22 2013 PerfLogs
drwxrwxrwx 1 root root 4096 Dec 16 19:07 ProgramData
drwxrwxrwx 1 root root 4096 Dec 16 18:37 ‘Program Files’
drwxrwxrwx 1 root root 4096 Apr 16 2021 ‘Program Files (x86)’
drwxrwxrwx 1 root root 0 Nov 27 2020 ‘System Volume Information’
drwxrwxrwx 1 root root 0 May 24 2021 temp_share
drwxrwxrwx 1 root root 4096 Nov 27 2020 Users
drwxrwxrwx 1 root root 0 Nov 27 2020 vboxshare
drwxrwxrwx 1 root root 24576 Dec 17 20:52 Windows

d) You can also launch the GUI File Manager (Thunar) and simply double-click into the /mnt/windows folder. Click the blue X where the Windows Start icon would normally be > select File Manager. Under Devices select File System and then double-click the “mnt” folder and then the “windows” folder. Launch another File Manager window and you can simply drag and drop between the “windows” and “usbdrive” folders.

5) Files of interest. For troubleshooting a broken system, check the following locations.

a) User and log files.
/mnt/windows/Users/<your_username>/Documents
/mnt/windows/Users/<your_username>/Downloads
/mnt/windows/Windows/debug
/mnt/windows/Windows/Logs
/mnt/windows/Windows/Prefetch (useful if it was enabled)
/mnt/windows/Windows/System32/drivers (to remove a buggy driver)
/mnt/windows/Windows/System32/drivers/etc/hosts (to see if IPs were defined)
/mnt/windows/Windows/System32/LogFiles
/mnt/windows/Windows/System32/winevt/Logs (for all of the Windows Event Viewer Logs)

b) Registry files:
/mnt/windows/Windows/System32/config

6) When done, unmount the folders and reboot/shutdown. Change your directory first and umount.
[root@sysrescue /mnt/windows]# cd /
[root@sysrescue ~]# umount /mnt/windows
[root@sysrescue ~]# umount /usbdrive

a) Shutdown the host. Click the blue X in the lower left > Log out > Shutdown.

Sysmon Event ID 1 Process Creation rules for Splunk Universal Forwarder and McAfee All Access

20 Saturday Nov 2021

Posted by Slice2 in Security, Splunk

≈ Leave a comment

Tags

Security, Splunk, Sysmon

When using Sysmon to monitor processes in Splunk, you can exclude the chattiest processes that eat away at your license and indexing I/O. Splunk recommends excluding its own Universal Forwarder as well as antivirus products.

1) Splunk’s Sysmon Add-on docs list a few options for the sysmon config file. I used the SwiftOnSecurity template and simply added the UF and McAfee executables.

Splunk Add-on for Sysmon Doc:
https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/ConfigureSysmon

Ready to run Sysmon config file:
https://github.com/SwiftOnSecurity/sysmon-config

Sysmon:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

2) Open your Sysmon xml config file with Notepad++ or VSCode. Use Notepad++ or VSCode when editing xml on Windows. They recognize UNIX newline format and XML syntax highlighting so your file will be easier to read. Don’t use Notepad.exe. Under the heading <!–SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]–> enter the text below and save the file.

3) When done editing, reload the active config.

> sysmon -c c:\path\to\your_sysmon_config_file_v2.xml

<!–SECTION: Splunk:Universal Forwarder–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image> <!–Splunk:Universal Forwarder: binary that accesses, processes, and indexes streaming data–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\btool.exe</Image> <!–Splunk:Universal Forwarder: cli util used to troubleshoot config file issues–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image> <!–Splunk:Universal Forwarder: the control application for the Windows version of Splunk–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Image> <!–Splunk:Universal Forwarder: runs whenever you configure an Active Directory monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you monitor performance data–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure Splunk to monitor network information–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a Registry monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Image> <!–Splunk:Universal Forwarder: event log collections, outputs events as they are collected–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostmon</Image> <!–Splunk:Universal Forwarder: runs when you configure a Windows host monitoring input–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a Windows print monitoring input –>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a performance monitor–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Image> <!–Splunk:Universal Forwarder: runs when you configure a PowerShell command or script monitor–>
<Image condition=”is”>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image> <!–Splunk:Universal Forwarder: this input monitors files without using Windows file handles.–>
<!–SECTION: McAfee:AntiVirus–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\CommonBuild\McCBEntAndInstru.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\McPltCmd.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MQS\QcShm.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee.com\Agent\mcupdate.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\MSGSDK\msgrunner.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\TaskScheduler\McAMTaskAgent.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\UPDMGR\8.1.149.1\mcupdatemgr.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\CSP\4.1.106.0\McCSPServiceHost.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\mcinfo.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\MSM\McSmtFwk.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\OOBE\mcocrollback.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\McInstru.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\UPDMGR\8.1.149.1\mcupdutl.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\DynamicAppDownloader\DADUpdater.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\HackerWatch\hwupdchk.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MSC\mcsync.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\Common Files\McAfee\ChromiumContainer\delegate.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\VUL\McVulCtr.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\VUL\McVulCon.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\MfeAV\MfeAVSvc.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee\CoreUI\Launch.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>
<Image condition=”is”>C:\Program Files\McAfee.com\Agent\mcagent.exe</Image> <!–McAfee:AntiVirus: no description – TBD–>

Upgrading CentOS 7.2003 to 7.2009 on an Offline or Air-Gapped System

01 Friday Jan 2021

Posted by Slice2 in Linux

≈ Leave a comment

This post demonstrates how to patch or upgrade a CentOS 7 host when it doesn’t have internet access or is an isolated system with no access to a yum repo. On a host with internet access (Public facing host) or a local repo, perform the following steps.

1) Make sure you have genisoimage and yum-utils installed. If not install them.

> sudo rpm -q genisoimage-*
genisoimage-1.1.11-25.el7.x86_64

> sudo rpm -q yum-utils
yum-utils-1.1.31-54.el7_8.noarch

> sudo yum install genisoimage
> sudo yum install yum-utils

2) On your internet facing host create folders for the packages you need. You can specify any folder(s) you require. I only require os, extras and updates but you may have packages installed from other folders. The full list is listed below.

atomic/
centosplus/
cloud/
configmanagement/
cr/
dotnet/
extras/
fasttrack/
isos/
messaging/
nfv/
opstools/
os/
paas/
rt/
sclo/
storage/
updates/
virt/

a) Create the folders.

> sudo mkdir -pv /repo/os
> sudo mkdir -pv /repo/updates
> sudo mkdir -pv /repo/extras

b) Use rsync to harvest the rpms and repo data. Note that these folders will create a 17.1 Gig ISO file in the next step. You need a Blu-ray burner or USB drive to move the file.

> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/os/x86_64/ /repo/os
> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/updates/x86_64/ /repo/updates
> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/extras/x86_64/ /repo/extras

c) Use genisoimage to create an ISO of the whole set. Note. In the command below, I write this ISO image to a VirtualBox shared folder mounted at /vboxshare. Use any path you like. The syntax is: genisoimage cli options – location and name of ISO file to be created and files/folders to be included in the ISO.
> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /vboxshare/centos7.9.2009repo.20210101.iso /repo

3) Burn the ISO (as a file, not as an extracted image), or copy to a USB drive and move it to the offline host. Since I have VMs, I will mount the ISO to the VM. If you need to mount the ISO on a host with a Blu-ray player or on the local filesystem, see the manual mount section below.

a) Mount the ISO. You have options if you don’t automount ISOs. If your host is a VM, mount it as your hypervisor dictates. You can also copy the ISO to the local filesystem and mount it. Or, manually mount the ISO from a local or USB attached DVD/blu-ray.

> sudo mkdir /mnt/iso
> sudo mount -t iso9660 -o loop /home/repouser/centos7.9.2009repo.20210101.iso /mnt/iso/
— or
> sudo mkdir /mnt/iso
> sudo blkid (to find your cd/dvd device, chances are its /dev/sr0)
> mount /dev/sr0 /media/iso/

b) Once the ISO is mounted, verify the contents. In my case the path is shown below. If your mounted path is different, you need to adjust the baseurl path in local.repo in upcoming step 5.
> df -h
/dev/sr0 17G 17G 0 100% /run/media/root/CDROM

> ls -l /run/media/root/CDROM
dr-xr-xr-x. 4 root root 2048 Jan 1 10:30 extras
dr-xr-xr-x. 8 root root 2048 Jan 1 05:23 os
dr-xr-xr-x. 4 root root 2048 Jan 1 15:42 updates

Note: Each path location listed above must have a Packages and repodata folders inside. If they don’t, it won’t work.

4) On the CentOS host, create an archive folder if it doesn’t already exist. Move existing *.repo files to the archive folder.

> sudo mkdir -pv /etc/yum.repos.d/archive
> cd /etc/yum.repos.d/
> sudo /bin/mv *.repo archive/

5) Create the local.repo file in /etc/yum.repos.d/ and paste in the contents below.

> cd /etc/yum.repos.d/
> sudo vi local.repo (add the lines below and issue a wq! to save the file)

[base]
name=CentOS-$releasever – Base
baseurl=file:///run/media/root/CDROM/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever – Updates
baseurl=file:///run/media/root/CDROM/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever – Extras
baseurl=file:///run/media/root/CDROM/extras/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

6) Mount the CentOS rsync’d update ISO is not already done and update the OS.

> yum update
> reboot

Note: If you get errors trying to run yum update due to gpg checks, just comment out gpgkey and change gpgcheck to 0 in the local.repo file, and then run yum update again.

a) Login and check the release file to confirm the new version.

> cat /etc/centos-release

b) Mount the ISO again (if done manually). Install these packages on the offline system and then clean up old kernels to prevent your /boot from filling up. The – -count=2 leaves two kernels. Also, there are two dashes (- -) in front of oldkernels and count.

> sudo yum install genisoimage
> sudo yum install yum-utils
> package-cleanup – -oldkernels – -count=2

c) Move the new OS default repos to the archive folder.

> cd /etc/yum.repos.d/
> sudo /bin/mv CENTOS-*.repo archive/
> ls -l (and you should only have local.repo listed)

7) After you are done updating to the new OS release, comment out all of the [base] and [extras] sections in the local.repo file. All future patches will be in the [updates] repo. When a new OS version is released, just un-comment [base] and [extras].

a) Now that you are updated to 7.9.2009, you only need to rsync the updates folder and create the ISO with only the updates folder. For example, on the internet facing server you would only need to run these commands.
> /usr/bin/rsync -avrt rsync://mirror.umd.edu/centos/7.9.2009/updates/x86_64/ /repo/updates
> genisoimage -U -r -v -J -joliet-long -allow-multidot -allow-lowercase -iso-level 4 -o /vboxshare/centos7.9.2009repo.20210101.iso /repo/updates

HOWTO Easily Resize the Default LVM Volume on Ubuntu 18.04

05 Saturday Dec 2020

Posted by Slice2 in Linux

≈ 15 Comments

Say you have a 40 Gig disk. When the installer creates the encrypted volume during initial OS installation, it partitions the whole disk but only creates a 20 GB logical volume. You should resize the default volume group to increase the usable disk from 20 to 40 GB.

1) You will run a test first to verify that it can resize properly before you actually modify the partition.
a. Change to root and gather a few details. Points of interest are in bold red. You can see that the partition (type=part) for sda3 is 39G and the logical volume (type=lvm) is only 20 G.
> sudo -s (or su – root)
> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 89.1M 1 loop /snap/core/8268
loop1 7:1 0 96.5M 1 loop /snap/core/9436
sda 8:0 0 40G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 39G 0 part
└─dm_crypt-0 253:0 0 39G 0 crypt
└─ubuntu–vg-ubuntu–lv 253:1 0 20G 0 lvm /
sr0 11:0 1 1024M 0 rom

> df -h | grep “ubuntu–vg-ubuntu–lv”

/dev/mapper/ubuntu–vg-ubuntu–lv 20G 15G 4.0G 79% /

b. Now that we know the logical volume is only 20 Gigs, we can resize it to the remaining open free space. First, we will test this command using the -t switch (for test) and view the output for errors. If clean, proceed.
> lvresize -t -v -l +100%FREE /dev/mapper/ubuntu–vg-ubuntu–lv

TEST MODE: Metadata will NOT be updated and volumes will not be (de)activated.
Converted 100%FREE into at most 4862 physical extents.
Test mode: Skipping archiving of volume group.
Extending logical volume ubuntu-vg/ubuntu-lv to up to 38.99 GiB
Size of logical volume ubuntu-vg/ubuntu-lv changed from 20.00 GiB (5120 extents) to 38.99 GiB (9982 extents).
Test mode: Skipping backup of volume group.
Logical volume ubuntu-vg/ubuntu-lv successfully resized.
Test mode: Wiping internal cache
Wiping internal VG cache

2) Once you see that the test was successful, remove the -t switch (for test) from the previous command to actually increase the logical volume.
> lvresize -v -l +100%FREE /dev/mapper/ubuntu–vg-ubuntu–lv

Converted 100%FREE into at most 4862 physical extents.
Archiving volume group “ubuntu-vg” metadata (seqno 2).
Extending logical volume ubuntu-vg/ubuntu-lv to up to 38.99 GiB
Size of logical volume ubuntu-vg/ubuntu-lv changed from 20.00 GiB (5120 extents) to 38.99 GiB (9982 extents).
Loading ubuntu–vg-ubuntu–lv table (253:1)
Suspending ubuntu–vg-ubuntu–lv (253:1) with device flush
Resuming ubuntu–vg-ubuntu–lv (253:1)
Creating volume group backup “/etc/lvm/backup/ubuntu-vg” (seqno 3).
Logical volume ubuntu-vg/ubuntu-lv successfully resized.

> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 89.1M 1 loop /snap/core/8268
loop1 7:1 0 96.5M 1 loop /snap/core/9436
sda 8:0 0 40G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 1G 0 part /boot
└─sda3 8:3 0 39G 0 part
└─dm_crypt-0 253:0 0 39G 0 crypt
└─ubuntu–vg-ubuntu–lv 253:1 0 39G 0 lvm /
sr0 11:0 1 1024M 0 rom

3) Now that the logical volume is 39G, get the FS type and resize the filesystem on the newly acquired space. We can see that it’s using ext4.
> df -h -T |grep vg
/dev/mapper/ubuntu–vg-ubuntu–lv ext4 20G 15G 4.0G 79% /

a. Since the file system is ext4, we will use the resize2fs command.
> resize2fs -p /dev/mapper/ubuntu–vg-ubuntu–lv

resize2fs 1.44.1 (24-Mar-2018)
Filesystem at /dev/mapper/ubuntu–vg-ubuntu–lv is mounted on /; on-line resizing required
old_desc_blocks = 3, new_desc_blocks = 5
The filesystem on /dev/mapper/ubuntu–vg-ubuntu–lv is now 10221568 (4k) blocks long.

b. Now verify the new size of your root volume to confirm that it has increased in size.
> df -h -T |grep vg
/dev/mapper/ubuntu–vg-ubuntu–lv ext4 39G 15G 22G 41% /

Create a Docker Container for your Cisco ESA, SMA or WSA Offline Content Updates

23 Monday Nov 2020

Posted by Slice2 in Cisco

≈ Leave a comment

This process demonstrates how to use a Docker container to update your Cisco ESA and SMA (and WSA) appliances.

This HOWTO assumes you have a functioning Docker environment, the Cisco ESA/SMA (or WSA) Offline Content license, the Cisco Offline Content Public internet facing server and the 20200302-123456789_ipServer-v1.tar file from Cisco.

1) On your Public internet facing Cisco Offline Content server, run the ipClient –apps command to update the Content folders.
> sudo perl ipClient-v9.0.pl –apps
a. The command above creates the /cisco/offline/ipclient/transferPackage/applications.tar file with all of the updates bundled inside.

2) On the Docker server, create the new working directory for your Dockerfile. In this case, the admin user’s home folder is /home/admin and the new folder is ciscooffct.
> sudo mkdir –p ciscooffct
> cd ciscooffct

3) Inside the ciscooffct folder, create a file named Dockerfile and copy/paste the section below into that file and save it. Note, you can edit (or remove) the label section below to whatever you want. It’s just for informational purposes.
> vi Dockerfile (in vi, enter wq! when done pasting in the text below to save)

# Base OS.
FROM ubuntu:18.04

# Update the OS and install perl and apache2 packages.
RUN apt-get update && apt-get install -y \
libconfig-tiny-perl \
libanyevent-dbi-perl \
liblwp-protocol-https-perl \
libxml-opml-simplegen-perl \
libdbd-csv-perl \
libanyevent-dbd-pg-perl \
libwww-perl \
apache2 \
vim-tiny \
vim \
inetutils-ping \
&& rm -rf /var/lib/apt/lists/*

# Create the apache folders and enable it.
RUN mkdir -pv /cisco/offline/ipclient
RUN mkdir -pv /cisco/offline/ipclient/files
RUN mkdir -pv /cisco/offline/ipclient/logs
RUN mkdir -pv /cisco/offline/ipclient/cert
RUN mkdir -pv /cisco/offline/ipclient/httpd
RUN mkdir -pv /cisco/offline/ipclient/httpd/manifests
RUN mkdir -pv /cisco/offline/ipclient/DATABASE
RUN mkdir -pv /cisco/offline/ipclient/transferPackage

RUN mkdir -pv /cisco/offline/
RUN mkdir -pv /cisco/offline/ipclient/updater
RUN mkdir -pv /cisco/offline/ipclient/updater/logs
RUN mkdir -pv /var/www/html/asyncos
RUN mkdir -pv /cisco/offline/ipServer

# Copy the modified processUploads.pl script to the image.
COPY 20200302-123456789_ipServer-v1.tar /cisco/offline/ipServer/
COPY applications.tar /cisco/offline/ipclient/transferPackage/
RUN ls -l /cisco/offline/ipServer/
RUN cd /cisco/offline/ipServer/ && tar -xf 20200302-123456789_ipServer-v1.tar
RUN chmod -R 755 /cisco/offline/ipServer

# Set one or more individual labels
LABEL version=”0.1-beta”
LABEL vendor1=”Cisco”
LABEL created-by=”slice2″
LABEL release-date=”2020-NOV-23″

# Apache ports
EXPOSE 80
EXPOSE 443

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2

# Run Apache
CMD [“/usr/sbin/apache2ctl”, “-D”, “FOREGROUND”]

# Get a shell after you run the container.
CMD [“/bin/bash”]

4) When you purchased the Offline Content support contract from Cisco, you received the ipClient, ipServer and Certificate files. Locate the server side file 20200302-123456789_ipServer-v1.tar (or whatever your version string is) as you will need it for this to work.
a. Extract the tar file and edit the processUploads.pl script.
b. The sections below should be modified. For the $LOCAL_UPDATE_SERVER value, enter the IP address of your Docker container. This is usually 172.17.0.2 for the first container and increments by 1 for each container. Run the docker ps –a command to see how many containers are running (see the STATUS header). If it doesn’t say Exited, it’s running.

my $UPLOAD_PATH = “/cisco/offline/ipclient/transferPackage”;
my $HTTPD_PATH = “/var/www/html”;
my $LOCAL_UPDATE_SERVER = “your internal or private server IP or FQDN”;
open(LOG, “/cisco/offline/ipclient/updater/logs/cleanup.log”);

c. After you have edited the file, tar it back up using the same file name.

5) Move your files. Copy both files, 20200302-123456789_ipServer-v1.tar and /cisco/offline/ipclient/transferPackage/applications.tar (from the Public server), to the /home/<your username>/ciscooffct folder on your Docker server. It should look like this.
admin@lab01 ciscooffct]$ pwd

/home/admin/ciscooffct

[admin@lab01 ciscooffct]$ ls -l

-rwxr-xr-x. 1 admin admin 28160 Nov 5 15:06 20200302-123456789_ipServer-v1.tar
-rwxr-x—. 1 admin admin 1123635200 Nov 5 16:45 applications.tar
-rw-rw-r–. 1 admin admin 2362 Nov 5 17:36 Dockerfile

6) On the Docker server, build the image. The image name is ciscooffct and the tag is ESA-SMA.

> docker build -t ciscooffct:ESA-SMA .

7) Run the image now that it has been built.

> docker run -ti -p80:80 –name ciscooffct ciscooffct:ESA-SMA

a. You will notice that you have a new prompt inside the container.

root@d33c4054c299:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 36G 27G 8.9G 75% /
tmpfs 64M 0 64M 0% /dev
tmpfs 3.8G 0 3.8G 0% /sys/fs/cgroup
shm 64M 0 64M 0% /dev/shm
/dev/mapper/centos_lab01-root 36G 27G 8.9G 75% /etc/hosts
tmpfs 3.8G 0 3.8G 0% /proc/asound
tmpfs 3.8G 0 3.8G 0% /proc/acpi
tmpfs 3.8G 0 3.8G 0% /proc/scsi
tmpfs 3.8G 0 3.8G 0% /sys/firmware

b. Open a new xterm or new xterm tab to get a prompt on the Docker host, not inside the container. On the Docker terminal, enter the command below to find the IP address of the container and ping it.

> docker exec ciscooffct cat /etc/hosts | grep 172
172.17.0.2 d33c4054c299

> ping 172.17.0.2

c. Next, get the running status of the container.

> docker ps -a | grep ciscooffct
d33c4054c299 ciscooffct:ESA-SMA “/bin/bash” 18 minutes ago Up 18 minutes
0.0.0.0:80->80/tcp, 443/tcp ciscooffct

d. Back in the container terminal (the one with the root@d33c4054c299:/# prompt), run the perl script and start Apache.
> cd /cisco/offline/ipServer/20200302-123456789_ipServer-v1

> perl processUploads.pl

> apachectl start

e. If you have one, launch a browser on your Docker server and test access to the update content. If not, simply launch a browser on another host and point it to the IP address of the Docker server (not the container).

8) Commit your changes and prepare the image for export. Keep the container running during this process.
a. Find the container ID (in Red)

> docker ps -a | grep cisco
42f04b35318a ciscooffct:ESA-SMA “/bin/bash” About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 443/tcp ciscooffct

b. Commit your changes before saving the image. This captures the new content updates. For the “-a” value, just enter the person’s name or initials that committed the changes.

> docker commit -a “Slice2” 42f04b35318a ciscooffct:ESA-SMA
sha256:c2c51d8936a0f0fa3101057101df43e3fb0084ad017669fd20a97666634fa194

c. Save a copy of the image and increment the name by one using the v1 (v2, v3, etc.) method. Check the size of the file when done.

> docker save -o ciscooffctv1.tar ciscooffct:ESA-SMA
> du -h ciscooffctv1.tar
2.4G ciscooffctv1.tar

d. Transfer the file to the production Docker server on your internal (Private) network and place it in /tmp (or the location of your choice) and load it. Make sure the ownership/permissions on the .tar file are correct before you load it. Check with the Docker server admin and adjust accordingly with chown/chmod. By default, the .tar file is created with 0600 (rw——-).

> docker load < /tmp/ciscooffctv1.tar
Loaded image: ciscooffct:ESA-SMA

> docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ciscooffct ESA-SMA c1c51d8936a0 22 minutes ago 2.5GB

> docker image ls | grep cisco (use this if you have a lot of images)
ciscooffct ESA-SMA c1c51d8936a0 23 hours ago 2.5GB

e. Start the Container using the incremented name (v1, etc.) so you know it’s new, start apache in the Container terminal and verify that it’s running.

> docker run -ti -p80:80 –name ciscooffctv1 ciscooffct:ESA-SMA

root@8ef4161ddfc5:/# apachectl start
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8ef4161ddfc5 ciscooffct:ESA-SMA “/bin/bash” 4 minutes ago Up 4 minutes 0.0.0.0:80->80/tcp, 443/tcp ciscooffctv1

9) Make sure your Cisco appliances are pointing to this Container (the Docker server IP). When done updating the ESA/SMA appliances (using the updatenow command on each ESA/SMA via ssh or serial terminal), stop the container and remove the image. The image is obsolete after updating because Cisco releases new Content Updates every 4 hours or so. There is no need to keep this image on the Docker server.

> docker stop ciscooffctv1
> docker rm ciscooffctv1

10) Consider a daily or weekly schedule for updates. The next time you need to update content on the appliances, simply move in a new applications.tar file from the Public offline content server and run steps 6, 7, 8 and 9. The distilled steps are.

Start of Public side:
a. Add the new applications.tar file to the working folder.
b. build
c. run
d. perl processUploads.pl and apachectl start
e. commit
f. save (burn ciscooffctv1.tar file to DVD, move to Private network)

Start of Private side:
g. load (check ownership/permissions before load)
h. run
i. apachectl start
j. updatenow (on the ESA/SMA)
k. stop
l. rm