February 23, 2018

Using Atom Text Editor for Python

In my previous blog, Text Editor and IDE for Python, I discussed different editors for Python. Here I will use the Atom text editor and install a plugin for running Python.

From Atom, open Settings and search for the plugin named script.

Now you can run a Python script inside Atom. First write something and save it as a .py file. Then hit SHIFT+CTRL+B.

Next we can install the autocomplete plugin: autocomplete-python

Text Editor and IDE for Python

Text Editor

Atom text editor for free, by the guys behind github - https://atom.io/.

Sublime Text editor, free to use but asks you to pay - https://www.sublimetext.com/.

Commercial IDE

Komodo IDE has great reviews - https://www.activestate.com/komodo-ide/python-editor.

The almighty JetBrains PyCharm, offers debugging - https://www.jetbrains.com/pycharm/.

December 16, 2017

The Kerberos Protocol

Key Concepts

"Kerberos uses symmetric-key cryptography to authenticate users to network services" [1]

"The Authentication Server maintains a database of principals and their secret keys." [2]

"The secret key is derived from a password. ==> Opens for password guessing attacks" [2]

"Basing trust on host addresses." [2]

RFC 4120 "The Kerberos Network Authentication Service (V5)" obsoletes RFC 1510

Overview



Client Authentication

"3.1. The Authentication Service (AS) Exchange" [2]

Message direction               Message type   Section
1. Client to Kerberos           KRB_AS_REQ     5.4.1
2. Kerberos to client           KRB_AS_REP     5.4.2
                                KRB_ERROR      5.9.1

KRB_AS_REQ: cname, realm, from, till, nonce, address, ...  **cleartext message**
    cname, client's principal
    realm
    from and till, the requested start and expiration time
    nonce, number used only once
    address, client's network address
   
KRB_AS_REP: {K.c,tgs, realm, from, till, nonce, ...}K.c {T.c,tgs}K.tgs
    {...}K.c encrypted with the Client Secret Key
    K.c,tgs Client/TGS Session Key
    realm
    from and till, the expiration time
    same nonce as in request

    {...}K.tgs encrypted with TGS Secret Key
    T.c,tgs Client-to-TGS (Ticket-Granting Service) Ticket which includes:
        Client principal
        Client network address
        Client/TGS Session Key

Authentication "This is acceptable because nobody but the principal whose identity was given in the request will be able to use the reply." [2]

Client Service Authorization

"3.3. The Ticket-Granting Service (TGS) Exchange" [2]

Message direction               Message type   Section
1. Client to Kerberos           KRB_TGS_REQ    5.4.1
2. Kerberos to client           KRB_TGS_REP    5.4.2
                                KRB_ERROR      5.9.1

KRB_TGS_REQ: {authenticator, ...}K.c,tgs {T.c,tgs}K.tgs, address, from, till, nonce
    {...}K.c,tgs encrypted with Client/TGS Session Key
    Authenticator (which is composed of the client principal and timestamp)
   
    {T.c,tgs}K.tgs from KRB_AS_REP
   
    address, Service network address
    from and till, the expiration time
    nonce, number used only once

KRB_TGS_REP: {K.c,s, address, from, till, nonce, ...}K.c,tgs {T.c,s}K.s
    {...}K.c,tgs encrypted with Client/TGS Session Key
    K.c,s, Client/Service Session Key
    address, Service network address
    from and till, the expiration time
    same nonce as in request

    {...}K.s encrypted with the Service Secret Key.
    T.c,s Client-to-Service-Ticket which includes:
        Client principal
        Client network address
        Validity period
        Client/Server Session Key

Client Service Request

"3.2. The Client/Server Authentication Exchange" [2]

Message direction               Message type   Section
1. Client to Application        KRB_AP_REQ     5.5.1
2. Application server to client KRB_AP_REP     5.5.2
                                KRB_ERROR      5.9.1

KRB_AP_REQ: {authenticator, ts, ...}K.c,s {T.c,s}K.s
    {...}K.c,s encrypted with K.c,s Client/Service Session Key
    authenticator, new Authenticator which includes client principal and timestamp
    ts, timestamp
   
    {T.c,s}K.s from KRB_TGS_REP

KRB_AP_REP [Optional]: {ts}K.c,s
    {...}K.c,s encrypted with Client/Service Session Key
    ts, timestamp
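
The three exchanges above, run end to end as an added example (this is not code from the original post, nor from any Kerberos implementation). The "encryption" is a constructed toy (PBKDF2-derived keys, HMAC-SHA256 keystream plus tag), chosen only so that the {...}K notation becomes concrete and a wrong key fails loudly; the realm EXAMPLE.COM, the principals alice, krbtgt and host/www, the 300 s clock skew and the replay cache are all assumptions for the demo. Note which checks the verifier of each message performs: the nonce ties a reply to the request, the authenticator's principal must match the ticket, its timestamp must be fresh and unseen, and the echoed timestamp in KRB_AP_REP is what proves the service really holds K.s.

```python
import hashlib, hmac, json, os, secrets

# Toy primitives, constructed for this example: they are NOT Kerberos' real encryption
# types, only enough to show who can open which message. Keys are derived from
# passwords with PBKDF2 (the "secret key is derived from a password" point above).
def key_from_password(password, realm, principal):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10000)

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object; this is the {...}K notation used above."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, ticket, now, replay_cache=None, skew=300):
    """Checks a verifier applies to {authenticator}K before trusting a request."""
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("authenticator principal does not match the ticket")
    if abs(now - auth["ts"]) > skew:
        raise PermissionError("authenticator timestamp outside allowed clock skew")
    if now > ticket["till"]:
        raise PermissionError("ticket expired")
    if replay_cache is not None:                      # same (principal, timestamp) seen before
        if (auth["cname"], auth["ts"]) in replay_cache:
            raise PermissionError("authenticator replayed")
        replay_cache.add((auth["cname"], auth["ts"]))

class KDC:
    """Authentication Server and Ticket-Granting Server over one principal database."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.db = {p: key_from_password(pw, realm, p) for p, pw in passwords.items()}  # K.c, K.tgs, K.s
        self.replay_cache = set()

    def as_exchange(self, req):                       # KRB_AS_REQ (cleartext) -> KRB_AS_REP
        k_c_tgs = secrets.token_bytes(32)             # fresh Client/TGS session key
        tgt = seal(self.db["krbtgt"], {"cname": req["cname"], "addr": req["address"],
                                       "key": k_c_tgs.hex(), "till": req["till"]})      # {T.c,tgs}K.tgs
        rep = seal(self.db[req["cname"]], {"key": k_c_tgs.hex(), "realm": self.realm,
                                           "till": req["till"], "nonce": req["nonce"]})  # {...}K.c
        return rep, tgt                               # no proof of identity yet: only K.c can open rep

    def tgs_exchange(self, tgt_blob, auth_blob, sname, nonce, now):   # KRB_TGS_REQ -> KRB_TGS_REP
        tgt = unseal(self.db["krbtgt"], tgt_blob)
        k_c_tgs = bytes.fromhex(tgt["key"])
        check_authenticator(unseal(k_c_tgs, auth_blob), tgt, now, self.replay_cache)
        k_c_s = secrets.token_bytes(32)               # fresh Client/Service session key
        ticket = seal(self.db[sname], {"cname": tgt["cname"], "addr": tgt["addr"],
                                       "key": k_c_s.hex(), "till": tgt["till"]})        # {T.c,s}K.s
        rep = seal(k_c_tgs, {"key": k_c_s.hex(), "sname": sname, "till": tgt["till"], "nonce": nonce})
        return rep, ticket

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()   # key = K.s, what a keytab holds

    def ap_exchange(self, ticket_blob, auth_blob, now):             # KRB_AP_REQ -> KRB_AP_REP
        ticket = unseal(self.key, ticket_blob)
        k_c_s = bytes.fromhex(ticket["key"])
        auth = unseal(k_c_s, auth_blob)
        check_authenticator(auth, ticket, now, self.replay_cache)
        return seal(k_c_s, {"ts": auth["ts"]})        # echoing ts proves the server knew K.s

def client_login(kdc, service, cname, password, address, now):
    """Run the AS, TGS and AP exchanges as the client; True on mutual authentication."""
    k_c = key_from_password(password, kdc.realm, cname)
    nonce = secrets.randbelow(2**32)
    rep, tgt = kdc.as_exchange({"cname": cname, "realm": kdc.realm, "address": address,
                                "till": now + 36000, "nonce": nonce})
    as_rep = unseal(k_c, rep)                         # wrong password -> ValueError here
    if as_rep["nonce"] != nonce:
        raise PermissionError("AS-REP nonce mismatch: not a reply to our request")
    k_c_tgs = bytes.fromhex(as_rep["key"])
    nonce2 = secrets.randbelow(2**32)
    rep, ticket = kdc.tgs_exchange(tgt, seal(k_c_tgs, {"cname": cname, "ts": now}),
                                   service.name, nonce2, now)
    tgs_rep = unseal(k_c_tgs, rep)
    if tgs_rep["nonce"] != nonce2:
        raise PermissionError("TGS-REP nonce mismatch")
    k_c_s = bytes.fromhex(tgs_rep["key"])
    ap_rep = unseal(k_c_s, service.ap_exchange(ticket, seal(k_c_s, {"cname": cname, "ts": now}), now))
    return ap_rep["ts"] == now

def demo_setup():
    # Constructed sample realm: one user plus the TGS and one service principal
    # (their "passwords" are random here; a real KDC stores random keys for them).
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse battery", "krbtgt": secrets.token_hex(16),
                              "host/www": secrets.token_hex(16)})
    return kdc, Service("host/www", kdc.db["host/www"])

if __name__ == "__main__":
    kdc, www = demo_setup()
    print(client_login(kdc, www, "alice", "correct horse battery", "10.0.0.5", 1_700_000_000))
```

A second login with the same timestamp is rejected by the replay cache, and a wrong password fails at the point where the client tries to open KRB_AS_REP, which is exactly the property the quote above relies on: the AS never verified the client, it only produced a reply that nobody else can use.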

keytabs (Key Tables)

Used for services that typically run as system services and hence have no interactive login. The keytab contains K.s, the service's secret key.

Reference

[1] Red Hat System-Level Authentication Guide Chapter 11. Using Kerberos
[2] RFC 4120
[3] Kerberos (protocol) - Wikiwand

December 8, 2017

Install and Configure Postfix

# yum install postfix mutt

# service postfix start

# adduser student

# su - student

$ mutt

1. Press m to create a new message.
2. In To write student@server1.example.com
3. In Subject write something
4. In Body write something. The default editor is vi, so:
    4.1 enter i for insert
    4.2 now write
    4.3 when finished writing, press ESC
    4.4 to save, press :wq
5. Now send, press y.

Print mail queue

# postqueue -p
Mail queue is empty

Flush mail queue
# postqueue -f

# less /var/log/maillog

# netstat -tulpn | grep 25
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      17389/master       

# grep inet_interfaces /etc/postfix/main.cf 
# The inet_interfaces parameter specifies the network interface
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
# the address list specified with the inet_interfaces parameter.
# receives mail on (see the inet_interfaces parameter).
# to $mydestination, $inet_interfaces or $proxy_interfaces.
# - destinations that match $inet_interfaces or $proxy_interfaces,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
    

# vi /etc/postfix/main.cf 
...
inet_interfaces = all
...

# service postfix restart

# netstat -tulpn | grep 25
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      17558/master   
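
Changing inet_interfaces from localhost to all is what moves the listener from 127.0.0.1:25 to 0.0.0.0:25 above. As an added example (not part of the original post), the following Python reads main.cf text with the rules postconf applies (comments, continuation lines, last setting wins, $name expansion) and reports whether smtpd is reachable only over loopback. The two sample configurations are constructed to mirror the before and after states shown above; the hostname server1.example.com is taken from the post.

```python
import re

def parse_main_cf(text):
    """Read main.cf the way postconf does: lines starting with '#' are comments, a line
    that starts with whitespace continues the previous value, and when a parameter is
    set more than once the last setting wins (which is why the grep output above
    shows several commented alternatives and one effective line)."""
    params, current = {}, None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def expand(value, params, depth=0):
    """Expand $name / ${name} references the way Postfix does, with a loop guard."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return re.sub(r"\$\{?([A-Za-z0-9_]+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)

LOOPBACK = {"localhost", "loopback-only", "127.0.0.1", "::1", "[::1]"}

def inet_interfaces(params):
    """Effective inet_interfaces list; Postfix's built-in default is 'all'."""
    raw = expand(params.get("inet_interfaces", "all"), params)
    return [v for v in re.split(r"[,\s]+", raw) if v]

def smtp_exposure(main_cf_text):
    """'loopback-only' when smtpd can only be reached locally, otherwise 'network'."""
    ifaces = inet_interfaces(parse_main_cf(main_cf_text))
    return "loopback-only" if all(i in LOOPBACK for i in ifaces) else "network"

# Constructed samples, modelled on the two states of main.cf shown above.
MAIN_CF_BEFORE = """\
# The inet_interfaces parameter specifies the network interface
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
"""
MAIN_CF_AFTER = """\
myhostname = server1.example.com
inet_interfaces = localhost
inet_interfaces = all
"""

if __name__ == "__main__":
    print("before:", smtp_exposure(MAIN_CF_BEFORE))   # loopback-only
    print("after: ", smtp_exposure(MAIN_CF_AFTER))    # network
```

An empty main.cf also reports "network", because Postfix's compiled-in default for inet_interfaces is all; that is worth remembering when a minimal configuration is dropped on a host that was only meant to relay local mail.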

--------------------
Step 1: Install Packages
--------------------
# yum install sendmail sendmail-cf dovecot m4

--------------------
Step 2: Configure sendmail to receive external mails
--------------------

Edit /etc/mail/sendmail.mc

2.1 Comment out the line that restricts sendmail to 127.0.0.1, so that it listens on all network addresses. To comment out a line in sendmail.mc, put 
'dnl' at the beginning of the line.

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

2.2 We will use our local hostname as mail domain, so change 'localhost.localdomain' to your 
hostname, mine is server1.example.com.

LOCAL_DOMAIN(`localhost.localdomain')dnl

--------------------
Step 3. Recompile Sendmail using m4
--------------------

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

--------------------
Step 4: Configure Dovecot to fetch emails
--------------------

4.1 Edit /etc/dovecot/dovecot.conf

#Protocols we want to be serving.
protocols = pop3

# A comma separated list of IPs or hosts where to listen in for connections.
listen = *, ::

4.2 Edit /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no

#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext

4.3 Add User

# echo "$USER:{PLAIN}password:$UID:$GROUPS::$HOME" > /etc/dovecot/users

Example:
magkar:{PLAIN}password:500:500::/home/magkar

Here I use an existing account on mail server, if you need to create a new user, use command 
useradd to create a new user and passwd to set password:

# useradd student1
# passwd student1

4.4 Last step. Verify installation by running 'dovecot -n'
# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.14.1.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.4 (Santiago) 
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = pop3
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}

--------------------
Step 5: Restart sendmail and dovecot service
--------------------

# service dovecot restart
# service sendmail restart

If this is a fresh installation, neither of the services is started yet, so stopping them will fail. 
Verify this by restarting the services again.

--------------------
Step 6: Testing the installation
--------------------

Thunderbird

email: magkar@server1.example.com

POP3 
Host: server1.example.com
Port: 110
No SSL
username: magkar
password: password
Send password cleartext

SMTP
Host: server1.example.com
Port: 25
NO AUTHENTICATION

Add a static DNS entry to /etc/hosts (IP address first, then the hostname):
192.168.1.10    server1.example.com


--------------------
Reference
--------------------

http://wiki2.dovecot.org/BasicConfiguration
http://wiki2.dovecot.org/FindMailLocation
http://www.telnetport25.com/2012/02/configuring-e-mail-notifications-in-nagios-core/

SELinux

------------
What is SELinux Boolean?
------------
"Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of 
SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, 
without reloading or recompiling SELinux policy." 
[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/
Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html]

------------
Install semanage
------------

# yum install policycoreutils-python

------------
Working with SELinux boolean
------------

Previously you listed all SELinux booleans with

# getsebool -a

But with RHEL 6 there is a better way, which also prints a description of each boolean

# semanage boolean -l

To permanently change an SELinux boolean

# setsebool -P httpd_can_network_connect on

------------
Reference 
------------
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

SELinux te policy file
http://oss.tresys.com/repos/refpolicy/archive/strict/domains/program/unused/nrpe.te

============
SELinux Process
============

# ps auxZ | grep nrpe
unconfined_u:system_r:nrpe_t:s0 nrpe 1234 0.0 0.0 41320 1340 ? Ss Jan13 0:14 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

============
SELinux Files
============
# chcon -v --type=httpd_sys_content_t /html/index.html
context of /html/index.html changed to user_u:object_r:httpd_sys_content_t

Test

Make persistent

# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?" 


# touch /.autorelabel
# reboot 

============
SELinux Ports
============
5.4. Allowing Access to a Port

We may want a service such as Apache to be allowed to bind and listen for incoming 
connections on a non-standard port. By default, the SELinux policy will only allow 
services access to recognized ports associated with those services. If we wanted to 
allow Apache to listen on tcp port 81, we can add a rule to allow that using the 'semanage' command:

# semanage port -a -t http_port_t -p tcp 81 

A full list of ports that services are permitted access by SELinux can be obtained with:

# semanage port -l 
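
As an added example (not from the original post or from the CentOS wiki it quotes), the Python below parses output in the layout 'semanage port -l' prints, answers "which port type does port N carry?", and works out the semanage commands needed to give a set of ports a type. The sample listing is constructed, with port 81 already present as if the command above had been run. One practical point it encodes: semanage port -a refuses a port that is already defined with another type, so a port like 8118 (http_cache_port_t in the sample) has to be relabelled with -m instead.

```python
import re

# Constructed sample in the layout 'semanage port -l' prints, with port 81 already
# added to http_port_t as the command above does.
SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
"""

def parse_port_list(text):
    """Return (type, proto, low, high) tuples; single ports become low == high."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(tcp|udp)\s+([\d,\s-]+)$", line)
        if not m:
            continue                       # header, blank line, or something unexpected
        for item in m.group(3).split(","):
            lo, _, hi = item.strip().partition("-")
            rules.append((m.group(1), m.group(2), int(lo), int(hi or lo)))
    return rules

def types_for_port(rules, proto, port):
    """Port types a port is labelled with (empty: no specific type in this listing)."""
    return sorted({t for t, p, lo, hi in rules if p == proto and lo <= port <= hi})

def needed_rules(rules, port_type, proto, ports):
    """semanage commands that make every port in 'ports' carry port_type: -a for a
    port with no type yet, -m to relabel one that already belongs to another type."""
    cmds = []
    for port in ports:
        current = types_for_port(rules, proto, port)
        if port_type in current:
            continue                       # already allowed, nothing to do
        flag = "-m" if current else "-a"
        cmds.append(f"semanage port {flag} -t {port_type} -p {proto} {port}")
    return cmds

if __name__ == "__main__":
    rules = parse_port_list(SEMANAGE_PORT_L)
    print(types_for_port(rules, "tcp", 81))
    for cmd in needed_rules(rules, "http_port_t", "tcp", [81, 8081, 8118]):
        print(cmd)
```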

op5

------------------
Download OP5
------------------

op5-monitor-6.2.0.1-20131024.tar.gz

[http://www.op5.com/download-op5-monitor/]

------------------
Query RPM Package
------------------

There are two RPMs in this tarball

# ll *nrpe*
-rw-rw-r--. 1 500 500 23068 Oct 24 10:17 nrpe-2.13.3-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500 11992 Oct 24 10:17 nrpe-client-2.13.3-op5.1.x86_64.rpm

Files contained in the RPM

# rpm -qpl nrpe-2.13.3-op5.1.x86_64.rpm
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/etc/init.d/nrpe
/etc/nrpe.conf
/etc/nrpe.d
/etc/nrpe.d/op5_commands.cfg
/usr/sbin/nrpe

RPM Dependency/Requires [-R,--requires]

# rpm -qpR nrpe-2.13.3-op5.1.x86_64.rpm 
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/bin/sh  
/bin/sh  
config(nrpe) = 2.13.3-op5.1
libc.so.6()(64bit)  
libc.so.6(GLIBC_2.2.5)(64bit)  
libc.so.6(GLIBC_2.3)(64bit)  
libc.so.6(GLIBC_2.3.4)(64bit)  
libc.so.6(GLIBC_2.4)(64bit)  
libcrypto.so.10()(64bit)  
libnsl.so.1()(64bit)  
libssl.so.10()(64bit)  
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(VersionedDependencies) <= 3.0.3-1
rtld(GNU_HASH)  
rpmlib(PayloadIsXz) <= 5.2-1

RPM installation scripts

# rpm -qp --scripts nrpe-2.13.3-op5.1.x86_64.rpm
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add nrpe || :
/sbin/service nrpe stop || :
/sbin/service nrpe start || :

# Move command definitions to 'include_dir' if upgrading
if [ $1 -eq 2 ]; then
   grep -q '^command\[' /etc/nrpe.conf || :
   if [ $? -eq 0 ]; then
          echo "" >> /etc/nrpe.d/op5_commands.cfg
          echo "# Imported from /etc/nrpe.cfg" >> /etc/nrpe.d/op5_commands.cfg
          grep '^command\[' /etc/nrpe.conf >> /etc/nrpe.d/op5_commands.cfg || :
          sed '/^[\#]\?[ tab]\?command\[\[*/d' -i /etc/nrpe.conf || :
          echo "" >> /etc/nrpe.conf
          echo "# NOTE!" >> /etc/nrpe.conf
          echo "# Command definitions have meed moved to 'include_dir'." >> /etc/nrpe.conf
          echo "# Any commands defined in this file will be moved by future upgrades." >> /etc/nrpe.conf
          echo "" >> /etc/nrpe.conf
   fi

   grep -q '^include_dir' /etc/nrpe.conf || :
   if [ $? -ne 0 ]; then
          echo "# In order to make remote config with conf_nrpe work, you need to" >> /etc/nrpe.conf
          echo "# create the following directory. It needs to be read/writeable by" >> /etc/nrpe.conf
          echo "# nrpe_user specified above. " >> /etc/nrpe.conf
          echo "# All command definitions should be placed in the 'include_dir'" >> /etc/nrpe.conf
          echo "# NOTE: files in 'include_dir' must have a '.cfg' suffix." >> /etc/nrpe.conf
          echo "include_dir=/etc/nrpe.d" >> /etc/nrpe.conf
   fi
fi


------------------
NRPE RPM Installation
------------------
# rpm -ipvh nrpe-2.13.3-op5.1.x86_64.rpm
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
Preparing...                ########################################### [100%]
   1:nrpe                   ########################################### [100%]
nrpe doesn't seem to be running.
Starting nrpe in daemon mode ... done

Check process 

# ps auxZ | grep nrpe
unconfined_u:system_r:nrpe_t:s0 nobody 1271 0.0 0.0 39364 1364 ? Ss 13:27 0:00 /usr/sbin/nrpe -c /etc/nrpe.conf -d
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1274 0.0 0.0 103244 832 pts/0 S+ 13:27 0:00 grep nrpe

------------------
NRPE RPM Configuration
------------------

# vi /etc/nrpe.conf
...
allowed_hosts=127.0.0.1,192.168.122.93
...

Restart NRPE to let configuration changes take effect

# service nrpe restart

------------------
Test NRPE Installation
------------------

From server 

# /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.12
NRPE v2.13

------------------
Plugin RPM Installation
------------------

# cat /etc/nrpe.d/op5_commands.cfg 
################################################################################
#
# op5-nrpe command configuration file
#

# COMMAND DEFINITIONS
# Syntax:
# command[]=
#
command[users]=/opt/plugins/check_users -w 5 -c 10
...

# ll *plugins*
-rw-rw-r--. 1 500 500 417248 Oct 24 10:17 plugins-community-2.8.5-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500  47920 Oct 24 10:17 plugins-metadata-2.8.7-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500 594020 Oct 24 10:17 plugins-nagios-2.6.5.1-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500  94088 Oct 24 10:17 plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500   3160 Oct 24 10:17 plugins-op5-3.0.0-op5.1.el6.x86_64.rpm

# rpm -qpl plugins-community-2.8.5-op5.1.x86_64.rpm | grep check_users
warning: plugins-community-2.8.5-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY

# rpm -qpl plugins-nagios-2.6.5.1-op5.1.x86_64.rpm | grep check_users
warning: plugins-nagios-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY

# rpm -qpl plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm | grep check_users
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/opt/plugins/check_users

# rpm -qpl plugins-op5-3.0.0-op5.1.el6.x86_64.rpm | grep check_users
warning: plugins-op5-3.0.0-op5.1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY

# rpm -ipvh plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
error: Failed dependencies:
 perl(Exporter) is needed by plugins-nagios-local-2.6.5.1-op5.1.x86_64


# rpm -qpR plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/bin/sh  
libc.so.6()(64bit)  
libc.so.6(GLIBC_2.2.5)(64bit)  
libc.so.6(GLIBC_2.3)(64bit)  
libc.so.6(GLIBC_2.3.4)(64bit)  
libc.so.6(GLIBC_2.4)(64bit)  
libc.so.6(GLIBC_2.8)(64bit)  
libdl.so.2()(64bit)  
libm.so.6()(64bit)  
libm.so.6(GLIBC_2.2.5)(64bit)  
libpthread.so.0()(64bit)  
libpthread.so.0(GLIBC_2.2.5)(64bit)  
perl(Exporter)  
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)  
rpmlib(PayloadIsXz) <= 5.2-1

Need to install perl

# rpm -q --provides perl | grep Exporter
perl(Exporter) = 5.63
perl(Exporter::Heavy)  
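
The failed install above is rpm matching the package's Requires against the capabilities the system Provides, including the version constraint on each rpmlib(...) line. As an added example (not from the original post or from rpm itself), the Python below reproduces that resolution offline: a simplified rpmvercmp (digit and letter runs, no epoch or tilde handling), version-release comparison, and a matcher that reports which 'rpm -qpR' lines no 'rpm -q --provides' line satisfies. The requires sample is a subset of the output above; the provides samples are constructed for a system before and after perl is installed. Treating an unversioned provide as satisfying any versioned require follows rpm's behaviour as I understand it and is noted as an assumption in the code.

```python
import re

def rpmvercmp(a, b):
    """Compare two version strings like rpm does (simplified: no epoch or tilde
    handling): split into digit and letter runs; numbers compare numerically,
    letters alphabetically, a numeric segment beats an alphabetic one, and the
    string with segments left over wins. Returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(a, b):
    """Compare version-release strings: version first, then release if both have one."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    c = rpmvercmp(va, vb)
    return c if c or not (ra and rb) else rpmvercmp(ra, rb)

def parse_dep(line):
    """'name' or 'name OP version' -> (name, op, version); op/version None if absent."""
    m = re.match(r"(\S+)(?:\s*(<=|>=|=|<|>)\s*(\S+))?\s*$", line.strip())
    return m.group(1), m.group(2), m.group(3)

def satisfies(req, prov):
    """Names must match; an unversioned require or an unversioned provide matches any
    version (assumption: mirrors rpm), otherwise the operator decides."""
    (name, op, ver), (pname, _, pver) = req, prov
    if name != pname:
        return False
    if op is None or pver is None:
        return True
    c = evrcmp(pver, ver)
    return {"=": c == 0, "<": c < 0, ">": c > 0, "<=": c <= 0, ">=": c >= 0}[op]

def missing_requires(requires_text, provides_text):
    """Lines of 'rpm -qpR' output that no line of 'rpm -q --provides' output covers."""
    provs = [parse_dep(l) for l in provides_text.splitlines() if l.strip()]
    unmet = []
    for line in requires_text.splitlines():
        if not line.strip() or line.startswith("warning:"):
            continue                        # skip blanks and the NOKEY warning rpm prints
        if not any(satisfies(parse_dep(line), p) for p in provs):
            unmet.append(line.strip())
    return unmet

# Constructed samples: a few of the plugins-nagios-local requires shown above, and the
# provides an installed system would answer with before and after installing perl.
REQUIRES = """\
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/bin/sh  
libc.so.6(GLIBC_2.4)(64bit)  
perl(Exporter)  
rpmlib(FileDigests) <= 4.6.0-1
"""
PROVIDES_WITHOUT_PERL = """\
/bin/sh
libc.so.6(GLIBC_2.4)(64bit)
rpmlib(FileDigests) = 4.6.0-1
"""
PROVIDES_WITH_PERL = PROVIDES_WITHOUT_PERL + "perl(Exporter) = 5.63\nperl(Exporter::Heavy)\n"

if __name__ == "__main__":
    print(missing_requires(REQUIRES, PROVIDES_WITHOUT_PERL))   # ['perl(Exporter)']
    print(missing_requires(REQUIRES, PROVIDES_WITH_PERL))      # []
```

The NOKEY warning that every rpm command above prints is skipped by the parser but should not be skipped by the reader: it means the package signature was made with a key that is not in the RPM keyring, so rpm verified nothing about who built the file.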


-----------------------
Troubleshooting
-----------------------

# less /var/log/messages
...
nrpe[2703]: Error: Could not complete SSL handshake. 1
...

From the server, test only the NRPE communication by calling NRPE without a command

# /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.12
NRPE v2.13

------------------
Plugin SELinux Problems
------------------

The plugins do not seem to work with SELinux enforcing

On client set SELinux to Permissive

# setenforce 0

Double check that the audit daemon is installed and running

# service auditd status
auditd (pid  983) is running...

sealert:

yum install setroubleshoot-server


semanage:
audit2allow:

yum install policycoreutils-python

check_log

-------------------
Introduction
-------------------

In my previous blogs I discussed how to set up the 

- Server [http://magnus-k-karlsson.blogspot.se/2014/01/install-nagios-core-35-on-rhel-6-from.html]
- Client/Agent [http://magnus-k-karlsson.blogspot.se/2014/01/install-nagios-agent-nrpe-on-rhel-6.html]

In this blog I will show you how to install and configure the check_log plugin. 

A good documentation overview site is https://www.nagios-plugins.org/doc/man/index.html.

-------------------
check_log
-------------------

#! /bin/sh
#
# Log file pattern detector plugin for Nagios
# Written by Ethan Galstad (nagios@nagios.org)
# Last Modified: 07-31-1999
#
# Usage: ./check_log   
#
# Description:
#
# This plugin will scan a log file (specified by the  option)
# for a specific pattern (specified by the  option).  Successive
# calls to the plugin script will only report *new* pattern matches in the
# log file, since an copy of the log file from the previous run is saved
# to .
#
# Output:
#
# On the first run of the plugin, it will return an OK state with a message
# of "Log check data initialized".  On successive runs, it will return an OK
# state if *no* pattern matches have been found in the *difference* between the
# log file and the older copy of the log file.  If the plugin detects any 
# pattern matches in the log diff, it will return a CRITICAL state and print
# out a message is the following format: "(x) last_match", where "x" is the
# total number of pattern matches found in the file and "last_match" is the
# last entry in the log file which matches the pattern.
#
# Notes:
#
# If you use this plugin make sure to keep the following in mind:
#
#    1.  The "max_attempts" value for the service should be 1, as this
#        will prevent Nagios from retrying the service check (the
#        next time the check is run it will not produce the same results).
#
#    2.  The "notify_recovery" value for the service should be 0, so that
#        Nagios does not notify you of "recoveries" for the check.  Since
#        pattern matches in the log file will only be reported once and not
#        the next time, there will always be "recoveries" for the service, even
#        though recoveries really don't apply to this type of check.
#
#    3.  You *must* supply a different  for each service that
#        you define to use this plugin script - even if the different services
#        check the same  for pattern matches.  This is necessary
#        because of the way the script operates.
#
# Examples:
#
# Check for login failures in the syslog...
#
#   check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
#
# Check for port scan alerts generated by Psionic's PortSentry software...
#
#   check_log /var/log/message ./check_log.portscan.old "attackalert"
#
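
The three notes in the header above (max_attempts must be 1, notify_recovery should be 0, and every service needs its own old file) all follow from how the plugin keeps state between runs. As an added example that is not part of the original plugin or post, here is a Python model of that behaviour over constructed log text: the first run only records the log, later runs scan just the lines added since the saved copy, and a dictionary stands in for the filesystem so that two service definitions sharing one -O path visibly spoil each other's baseline. The real plugin uses diff; this model assumes an append-only log and rescans the whole file when it no longer starts with the saved copy (rotation or truncation). Exit codes follow the Nagios plugin convention.

```python
import re

OK, CRITICAL = 0, 2   # Nagios plugin exit codes

def check_log(current, previous, pattern):
    """Model of check_log's documented behaviour: with no saved copy the run only
    initialises; otherwise only lines added since the saved copy are scanned.
    The real plugin diffs the two files; this version assumes an append-only log
    and, if the file no longer starts with the saved copy, scans the whole file."""
    if previous is None:
        return OK, "Log check data initialized"
    old, new = previous.splitlines(), current.splitlines()
    added = new[len(old):] if new[:len(old)] == old else new
    matches = [line for line in added if re.search(pattern, line)]
    if not matches:
        return OK, "Log check ok - 0 pattern matches found"
    return CRITICAL, f"({len(matches)}) {matches[-1]}"   # "(x) last_match" as documented

def check_service(state, oldfile, logtext, pattern):
    """One scheduled check: 'state' stands in for the filesystem and 'oldfile' for the
    -O path, so two service definitions sharing one -O file share (and spoil) each
    other's baseline, which is the point of note 3 above."""
    result = check_log(logtext, state.get(oldfile), pattern)
    state[oldfile] = logtext            # the plugin saves a copy of the log for the next run
    return result

if __name__ == "__main__":
    # Constructed log lines, not from a real server.log
    state, log = {}, "INFO server started\n"
    print(check_service(state, "/tmp/warn.old", log, "WARN"))     # initialised
    log += "WARN pool exhausted\nERROR db down\nWARN retrying\n"
    print(check_service(state, "/tmp/warn.old", log, "WARN"))     # (2) WARN retrying
    print(check_service(state, "/tmp/warn.old", log, "WARN"))     # back to OK: a "recovery"
```

The third call returns OK although nothing was fixed, which is why notify_recovery should be 0; and because the saved copy advances on every run, a retry (max_attempts greater than 1) would never see the same matches again.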

-------------------
Agent/Client Configuration check_log for JBoss EAP 6 Standalone
-------------------

The standard log file for JBoss EAP 6 running in standalone mode is

# ll /var/log/jbossas/standalone/server.log

First, pay attention to the third note in the check_log header (each service needs its own old file) and create a new "old" log file for check_log.

# touch /var/log/jbossas/standalone/server.log.check_log

# chmod 640 /var/log/jbossas/standalone/*

In the NRPE configuration file we see that there is a configuration directory for NRPE

# cat /etc/nagios/nrpe.cfg
...
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).

include_dir=/etc/nrpe.d/

And there we will put our command for the check_log plugin.

# vi /etc/nrpe.d/check_jboss_log.cfg
command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log \
-O /var/log/jbossas/standalone/server.log.check_log -q "WARN"

Finally, restart the nrpe daemon to make the new configuration take effect.

# service nrpe restart



http://mgrepl.fedorapeople.org/Blog/nagios.html

-------------------
Server Configuration
-------------------

# vi /etc/nagios/conf.d/virtual1.example.com.cfg