Thursday, May 18, 2017

Create Linux User with ssh key



If you are not using configuration automation tools like Puppet or Chef in a simple Linux environment, the script below will simplify your Linux user creation process, especially when you have more than 10 new users to create in a row.

It also takes care of inserting the ssh key into the user's profile. The most common issue I encounter during user creation with an ssh key is mixing up the permissions and ownership of the authorized_keys file between root and the actual user, since switching accounts is needed.

I hope the script below helps some of you out there, making your daily sysadmin jobs simpler and more fun.



#!/bin/bash
# Usage: ./adduser.sh -u <user> -c '<ssh public key line>' [-s y]

while getopts u:c:s: option
do
        case "${option}"
        in
                u) USER=${OPTARG};;
                c) CERT=${OPTARG};;
                s) SUDO=${OPTARG};;
        esac
done

if [ -z "$USER" ] || [ -z "$CERT" ]
then
        echo "usage: $0 -u <user> -c '<ssh public key>' [-s y]" >&2
        exit 1
fi

echo "$CERT";
adduser "$USER";

if [ "$SUDO" == "y" ]
then
        echo "$USER ALL=(ALL:ALL) ALL" > "/etc/sudoers.d/$USER";
        chmod 440 "/etc/sudoers.d/$USER";   # sudoers fragments are expected to be root-owned, mode 0440
        echo "User added to sudoers";
fi

# Create .ssh as the user so ownership is right, then write the key as root (file already exists with mode 600)
su -c 'mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys' - "$USER";
echo "$CERT" > "/home/$USER/.ssh/authorized_keys"

passwd "$USER";



Sample command
./adduser.sh -u myuser -s y  -c 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpjky6uTgUa9eRdG/hOxjQvWDbHzw/AVVsvJmMYxwwaLBgUtESRNXEMiF56qIxxxxxxxxxxxxlzbuOLmCrM29mlyujKdqkbr8z75aWYzhT+UIma5BuEX6kLyo9LYMm4RXGsbbnfHYrvTJo1FAnzRL/LYH8ewtmvzVTauHP/k1jYbp0Q3jQgf7p1ZDssAf5vDe1sMLwaXMGUNqNKCwjjePxOxIWzQksOCjHv/ myuser@gmail.com'


Note:
- Avoid creating a user whose name contains a dot ".", otherwise sudo will not pick up the sudoers.d file.
- The script above was only tested on Red Hat, Amazon Linux and CentOS, not on Debian.
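Two checks for what the script above leaves behind, as an added example that is not part of the original post: valid_pubkey validates one authorized_keys line, and audit_ssh_dir verifies the ownership and mode mix-ups the post warns about. The function names are my own, and the block assumes GNU coreutils (stat -c, base64 -d).

```shell
#!/bin/bash
# Added example, not from the original post. Run as root against /home/<user>/.ssh,
# or as any user against a directory you own.

# valid_pubkey "<line>": 0 when the line is "<type> <base64> [comment]" and the
# base64 blob decodes to wire-format data naming the same key type.
valid_pubkey() {
    local line=$1 type blob
    type=${line%% *}
    blob=${line#* }; blob=${blob%% *}          # second whitespace-separated field
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$blob" ] && [ "$blob" != "$line" ] || return 1
    case "$blob" in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # base64 alphabet only
    # a wire-format key starts with a length-prefixed type string; it must agree
    printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 64 | grep -aq "$type"
}

# audit_ssh_dir <dir> <owner>: 0 only when <dir> is mode 700, <dir>/authorized_keys
# is mode 600, both belong to <owner>, and every non-comment line is a valid key.
audit_ssh_dir() {
    local dir=$1 owner=$2 bad=0 f line
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f"; return 1; }
        [ "$(stat -c %U "$f")" = "$owner" ] || { echo "not owned by $owner: $f"; bad=1; }
    done
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir should be mode 700"; bad=1; }
    [ "$(stat -c %a "$dir/authorized_keys")" = 600 ] || { echo "authorized_keys should be mode 600"; bad=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac          # skip blanks and comments
        valid_pubkey "$line" || { echo "rejected key line starting with: ${line%% *}"; bad=1; }
    done < "$dir/authorized_keys"
    return "$bad"
}

# After running the post's script:  audit_ssh_dir /home/myuser/.ssh myuser
```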



Wednesday, March 22, 2017


Problem: You get the error message "chcon: can't apply partial context to unlabelled file '<file_name>'" when running "chcon -Rt svirt_sandbox_file_t <file_name>".


One obvious but often overlooked cause: check whether SELinux is enabled or disabled. You will get this error message if SELinux is disabled.

Hope it will save you some time.

Friday, January 13, 2017

Linux on PCI DSS Requirement mapping



Linux and Malware

PCI DSS section 5.1 describes the need for an anti-virus solution. This subject is definitely controversial for Linux administrators (AV on Linux, you have got to be kidding me), as viruses on Linux-based systems are rare. Still, the platform is not fully resistant to different forms of malware and the related threats. So depending on the particular goal of a system, one or multiple tools can be a good fit.

Open Source Tools



Shell

The shell is one of the most commonly used tools for Linux administrators. As with other personal preferences, there are multiple shells available for Linux systems. The first step is to ensure that all shells are accounted for: determine which ones are installed and, via /etc/shells, which ones are allowed.

Session Timeout in Linux shells

Depending on the shells available on the system, a timeout should be configured with the appropriate value. PCI section 8.1.8 (session idle timeout) mandates that an idle session is terminated after 15 minutes, or 900 seconds.
One of the files to arrange this is /etc/profile. By using typeset together with the TMOUT variable, we can set this idle session time, resulting in the user being logged out automatically:
typeset -r TMOUT=900

Inactive accounts

Unused or inactive accounts on the system are an unneeded security risk. Such accounts usually exist because there was a one-time need to log in, or they were simply forgotten after an employee left the company. PCI describes in section 8.1.4 that accounts that have been unused for 90 days should be removed.
To determine the last time a user logged in, the last command can be used. The information is stored in /var/log/wtmp or in rotated files like /var/log/wtmp.1.
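The 90-day check described above, as an added example that is not part of the original post: it reads "last -F" output (the -F flag prints full login timestamps) and reports users whose newest login is older than the window. The function names and the sample "last -F" lines are my own constructed data, and the block needs GNU date for "date -d".

```shell
#!/bin/bash
# Added example, not from the original post. Constructed "last -F" sample output
# (made-up users and hosts); "last" prints the newest session first.
SAMPLE_LAST=$(cat <<'EOF'
alice    pts/0    10.0.0.5    Fri Jan 13 09:12:34 2017 - Fri Jan 13 10:00:01 2017  (00:47)
bob      pts/1    10.0.0.9    Mon Oct  3 08:00:00 2016 - Mon Oct  3 17:30:00 2016  (09:30)
alice    pts/0    10.0.0.5    Wed Jan 11 09:00:00 2017 - Wed Jan 11 09:30:00 2017  (00:30)
carol    tty1                 Thu Sep  1 12:00:00 2016 - Thu Sep  1 12:10:00 2016  (00:10)
reboot   system boot  3.10.0-514.el7.x86_64 Tue Jan 10 07:00:00 2017 - Fri Jan 13 10:00:01 2017 (3+03:00)

wtmp begins Thu Sep  1 00:00:00 2016
EOF
)

# last_login_days <as-of date>: reads "last -F" output on stdin and prints
# "<user> <days since newest login>" once per real user.
last_login_days() {
    local line user ts seen=" " now
    local re='[A-Z][a-z]{2} [A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [0-9]{4}'
    now=$(date -d "$1" +%s)
    while IFS= read -r line; do
        user=${line%% *}
        case "$user" in ''|reboot|shutdown|wtmp) continue ;; esac   # pseudo-users and trailer
        case "$seen" in *" $user "*) continue ;; esac                # newest session already seen
        [[ $line =~ $re ]] || continue                                # leftmost timestamp = login time
        seen="$seen$user "
        ts=$(date -d "${BASH_REMATCH[0]}" +%s)
        echo "$user $(( (now - ts) / 86400 ))"
    done
}

# stale_accounts <as-of date> [days]: users not seen for more than <days> (default 90).
stale_accounts() {
    last_login_days "$1" | awk -v max="${2:-90}" '$2 > max { print $1 }'
}

# On a live system:  last -F | stale_accounts "$(date)"
```

Rotated wtmp files are not read by plain "last"; pass them with "last -F -f /var/log/wtmp.1" and feed that output through the same function.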

Friday, December 30, 2016

Docker FAQ

Problem

You tried to delete an image but received the following error message:
[root@centos7 docker]# docker rmi d0b4a01f1562
Error response from daemon: conflict: unable to delete d0b4a01f1562 (must be forced) - image is being used by stopped container 98f6a5df3226

Solution

Run the following command to list containers in the exited state:
[root@centos7 docker]# docker ps --filter "status=exited"
CONTAINER ID        IMAGE                                                          COMMAND                  CREATED             STATUS                      PORTS               NAMES
979e2873a16e        96f5373b33b7                                                   "/bin/sh -c '$JBOSS_H"   2 hours ago         Exited (127) 2 hours ago                        evil_fermi
e1c5ce9a8b9c        ef5a0201b5c2                                                   "/bin/sh -c 'yum -y u"   2 hours ago         Exited (126) 2 hours ago                        boring_swanson
98f6a5df3226        d0b4a01f1562                                                   "/bin/sh -c 'unzip /t"   2 hours ago         Exited (127) 2 hours ago                        desperate_knuth
62db7be0cc59        7a69c0ca54ef                                                   "/bin/sh -c 'subscrip"   2 hours ago         Exited (1) 2 hours ago                          naughty_carson
be10ff34189d        7a69c0ca54ef                                                   "/bin/sh -c 'subscrip"   2 hours ago         Exited (1) 2 hours ago                          cocky_pare
65fd609bd328        7a69c0ca54ef                                                   "/bin/sh -c 'subscrip"   3 hours ago         Exited (1) 3 hours ago                          suspicious_aryabhata
4793dd8fc355        e1e33a64e1f2                                                   "/bin/sh -c 'apt-get "   20 hours ago        Exited (127) 20 hours ago                       compassionate_hawking
4c810163a0eb        registry.access.redhat.com/rhel7.3                             "/bin/bash"              22 hours ago        Exited (1) 21 hours ago                         loving_mayer
cd6bf1b1b154        395d9b3d55fe                                                   "/bin/sh -c 'subscrip"   22 hours ago        Exited (1) 22 hours ago                         tender_gates
7badf972bc09        395d9b3d55fe                                                   "/bin/sh -c 'subscrip"   22 hours ago        Exited (1) 22 hours ago                         amazing_liskov
790495e566fb        395d9b3d55fe                                                   "/bin/sh -c 'subscrip"   22 hours ago        Exited (1) 22 hours ago                         furious_hopper
f7c1b9defc7c        registry.access.redhat.com/rhel7.3                             "/bin/bash"              
92de70df12f0        395d9b3d55fe                                                   "/bin/sh -c 'apt-get "   22 hours ago        Exited (127) 22 hours ago                       zen_jepsen
fe6e743a0ed0        395d9b3d55fe                                                   "/bin/sh -c 'yum upda"   23 hours ago        Exited (1) 23 hours ago                         gigantic_agnesi
c00625480570        98776dd34e6d                                                   "/bin/sh -c 'yum upda"   23 hours ago        Exited (1) 23 hours ago                         gloomy_shannon
02f74106ed39        registry.access.redhat.com/rhel7.3                             "/bin/bash"              23 hours ago        Exited (127) 23 hours ago                       stupefied_gates
d658f7182fcc        e8e3aaf82af5                                                   "/bin/bash"              23 hours ago        Exited (0) 23 hours ago                         adoring_feynman

You can delete the listed exited containers with the following command:
docker ps --filter "status=exited" | grep '2 hours ago' | awk '{print $1}' | xargs --no-run-if-empty docker rm
Take note that this condition will also delete containers whose status reads x2 hours ago (12, 22 and so on), since grep matches any line containing "2 hours ago".
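A column-aware version of that selection, as an added example that is not part of the original post: it locates the CREATED column from the header line, so "2 hours ago" no longer matches 12 or 22 hours, nor the STATUS column. The function names are my own; the table below is constructed in the format of the docker ps output above, with made-up container IDs.

```shell
#!/bin/bash
# Added example, not from the original post. Constructed "docker ps --filter status=exited"
# output (container IDs are made up); row 4 was created 12 hours ago but exited 2 hours ago.
SAMPLE_PS=$(cat <<'EOF'
CONTAINER ID        IMAGE          COMMAND                  CREATED             STATUS                      NAMES
c0ffee000001        96f5373b33b7   "/bin/sh -c 'unzip /t"   2 hours ago         Exited (127) 2 hours ago    desperate_knuth
c0ffee000002        395d9b3d55fe   "/bin/bash"              2 hours ago         Exited (0) 2 hours ago      adoring_feynman
c0ffee000003        395d9b3d55fe   "/bin/sh -c 'apt-get "   22 hours ago        Exited (127) 22 hours ago   zen_jepsen
c0ffee000004        e1e33a64e1f2   "/bin/sh -c 'yum upda"   12 hours ago        Exited (0) 2 hours ago      gloomy_shannon
EOF
)

# exited_ids_by_age <N> [unit]: IDs whose CREATED column reads exactly "<N> <unit> ago".
exited_ids_by_age() {
    awk -v want="$1 ${2:-hours} ago" '
        NR == 1 { pos = index($0, "CREATED"); next }      # column offset taken from the header
        substr($0, pos) ~ ("^" want "( |$)") { print $1 }'
}

# naive_matches: what the post's grep selects from the same table, for comparison.
naive_matches() { grep '2 hours ago' | awk '{print $1}'; }

# Then:  docker ps --filter "status=exited" | exited_ids_by_age 2 | xargs --no-run-if-empty docker rm
```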



Monday, May 30, 2016

iPhone - How To Enable/Disable SIM PIN



1. From the Home screen, navigate to Settings -> Phone and then SIM PIN.

2. Tap the SIM PIN switch to turn it on (green) or off (dimmed).


3. Enter the SIM PIN for verification. Most of the time, the default PIN is 0123 or 1234. I suggest you get in touch with your telco if you need confirmation, because the SIM card will be locked after 5 failed PIN attempts.



Tuesday, April 5, 2016

Install Apache HTTPD 2.4 on centOS 6


Follow the steps below:

# 1. Install a package with repository for your system:
# On CentOS, install package centos-release-scl available in CentOS repository:
$ sudo yum install centos-release-scl

# On RHEL, enable RHSCL repository for you system:
$ sudo yum-config-manager --enable rhel-server-rhscl-7-rpms

[root@ip-10-129-10-192 yum.repos.d]# sudo yum install centos-release-scl
Loaded plugins: fastestmirror, presto
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: download.nus.edu.sg
 * epel: mirror.wanxp.id
 * extras: download.nus.edu.sg
 * remi: mirrors.thzhost.com
 * remi-safe: mirrors.thzhost.com
 * updates: download.nus.edu.sg
Resolving Dependencies
--> Running transaction check
---> Package centos-release-scl.noarch 10:6-6.el6.centos will be installed
--> Processing Dependency: centos-release-scl-rh for package: 10:centos-release-scl-6-6.el6.centos.noarch
--> Running transaction check
---> Package centos-release-scl-rh.noarch 0:2-1.el6.centos will be installed
--> Finished Dependency Resolution

# 2. Install the collection:
$ sudo yum install httpd24

[root@ip-10-129-10-192 yum.repos.d]# sudo yum install httpd24
Loaded plugins: fastestmirror, presto
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: download.nus.edu.sg
 * epel: mirror.smartmedia.net.id
 * extras: download.nus.edu.sg
 * remi: mirrors.thzhost.com
 * remi-safe: mirrors.thzhost.com
 * updates: download.nus.edu.sg
centos-sclo-rh                                                                                         | 2.9 kB     00:00     
centos-sclo-rh/primary_db                                                                              | 1.2 MB     00:03     
centos-sclo-sclo                                                                                       | 2.9 kB     00:00     
centos-sclo-sclo/primary_db                                                                            |  59 kB     00:00     
Resolving Dependencies
--> Running transaction check
---> Package httpd24.x86_64 0:1.1-5.el6 will be installed
# 3. Start using the software collection:
$ scl enable httpd24 bash
Conf file path - /opt/rh/httpd24/root/etc/conf
Web Code path - /opt/rh/httpd24/root/var/www/html



Tuesday, June 30, 2015

Laravel - Gotcha


Laravel composer update error:-
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - laravel/framework v5.0.9 requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system.

Solution:-
On Ubuntu 14.04, the error message is still shown even after installing php5-mcrypt. The problem is that the package does not create a link for the php5 CLI (used by composer/artisan), so the correct fix is to run the following commands:
  1. cd /etc/php5/cli/conf.d
  2. sudo ln -s ../../mods-available/mcrypt.ini 20-mcrypt.ini
  3. reload apache