

RedHat security patching for AIX administrator

Hi, this is a “reprint” from the RedHat Knowledge base that I found very useful today.

• Red Hat Enterprise Linux 6.x
• Red Hat Enterprise Linux 5.1 and later
• Red Hat Network Hosted
• Red Hat Satellite

Resolution

• Install the yum-security plugin. With Red Hat Enterprise Linux 5 and 6 it is possible to limit yum to installing only security updates (as opposed to bug fixes or enhancements). To do so, simply install the yum-security plugin:

For Red Hat Enterprise Linux 6

 # yum install yum-plugin-security

For Red Hat Enterprise Linux 5

 # yum install yum-security

Alternatively, download the yum-security package from the Red Hat Network (RHN) and manually install it on the system.

For Red Hat Enterprise Linux 6 using yum-security plugin:

• To list all available errata without installing them, run:

# yum updateinfo list available

• To list all available security updates without installing them, run:

 # yum updateinfo list security all
 # yum updateinfo list sec

• To get a list of the currently installed security updates this command can be used:

 # yum updateinfo list security installed

For Red Hat Enterprise Linux 5 using yum-security plugin

• To list all available errata without installing them, run:

# yum list-sec

• To list all available security updates without installing them, run:

 # yum list-security --security

For both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 5:

• To list all available security updates with verbose descriptions of the issues they apply to:

 # yum info-sec

• Run the following command to download and apply all available security updates from Red Hat Network hosted or Red Hat Network Satellite:

 # yum -y update --security

NOTE: This installs the latest available version of any package that has at least one security erratum, so it can also pull in non-security errata when they provide a newer version of that package.

• To install only the packages that have a security erratum, use

 # yum update-minimal --security -y

• yum-security also allows installing security updates based on the CVE reference of the issue. To install a security update using a CVE reference run:

 # yum update --cve <CVE>

e.g.

 # yum update --cve CVE-2008-0947

Viewing available advisories by severities:

 # yum updateinfo list
This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64

If you want to apply only one specific advisory:

 # yum update --advisory=RHSA-2014:0159

However, if you would like more information about this advisory before applying it:

 # yum updateinfo RHSA-2014:0159

For more commands consult the manual pages of yum-security with

 # man yum-security

If you face a missing dependency issue while applying security patches on the system, refer to “yum update --security fails with missing dependency errors”.
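The listing that `yum updateinfo list` prints (shown above) is the input an administrator reviews before choosing between `yum update --security` and `yum update-minimal --security`. The following is an added example, not part of the Red Hat KB article: shell functions that summarize that listing by advisory type and severity, extract the pending RHSA ids, and flag whether anything Critical or Important is waiting. The sample listing is constructed from the lines shown above rather than captured live.

```shell
#!/bin/sh
# Added example (not from the Red Hat KB article above): summarize the output of
# "yum updateinfo list" so an administrator can see, before running
# "yum update-minimal --security", which security advisories are pending and
# how severe they are. Feed it live output with:
#   yum updateinfo list | count_by_severity

# Sample output, constructed from the listing shown earlier in the post
# (the banner line is deliberately included to show that it is skipped).
SAMPLE_UPDATEINFO='This system is receiving updates from RHN Classic or RHN Satellite.
RHSA-2014:0159 Important/Sec. kernel-headers-2.6.32-431.5.1.el6.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-devel-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
RHSA-2014:0164 Moderate/Sec.  mysql-server-5.1.73-3.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-sysinit-3.15.3-6.el6_5.x86_64
RHBA-2014:0158 bugfix         nss-tools-3.15.3-6.el6_5.x86_64'

# Distinct security advisories (RHSA-*) on stdin, one per line, sorted.
# Each id can be fed to "yum updateinfo <id>" or "yum update --advisory=<id>".
security_advisories() {
    awk '$1 ~ /^RHSA-/ { print $1 }' | LC_ALL=C sort -u
}

# Number of packages per type/severity column (field 2), printed as "type count".
# RHSA = security, RHBA = bug fix, RHEA = enhancement advisory.
count_by_severity() {
    awk '$1 ~ /^RH[SBE]A-/ { n[$2]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Succeeds (exit 0) when at least one Critical or Important security advisory
# is pending on stdin, i.e. when patching should not wait for the next window.
has_high_severity_security() {
    awk '$1 ~ /^RHSA-/ && $2 ~ /^(Critical|Important)/ { found = 1 } END { exit !found }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_UPDATEINFO" | count_by_severity
```

The severity column is what `yum update-minimal --security` cannot filter on by itself; piping the live listing through `has_high_severity_security` in a scheduled job gives a simple exit-status signal for whether a host can wait for the next maintenance window.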

Posted in Real life AIX.


reboot after patching?

The procedure described below applies to Linux (RedHat).
Even within the same environment, patching done for security reasons or otherwise means different things for different hosts. Some must be rebooted immediately to activate the “fixes”, while others may wait for a more appropriate occasion.

How to decide if a reboot can wait? Well, it depends (among other things) on the location of the host. Is it in the DMZ or not? Still, even if it is in the DMZ a reboot may be delayed depending on the libraries affected by the “fix” (errata) and the services using them.

For example, let’s say that we need to upgrade the glibc rpms because of the just-published errata for CVE-2015-0235. To identify which services are using its functionality you could execute the following command:

$ lsof +c 15 | grep libc- | awk '{print $1}' | sort -u

From the resulting list, identify the public-facing services and restart them. Remember that while this process may work as a temporary workaround, it is not supported by Red Hat and, should a problem arise, you will be requested to reboot the system before any troubleshooting begins.
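The lsof pipeline above answers "who uses libc?"; what actually decides whether a process needs a restart is whether it still maps the old library file. The following is an added example, not from the original post, that reads `/proc/<pid>/maps` directly: once rpm has replaced a library, processes started before the upgrade show the old file with a `(deleted)` suffix and are still running the pre-patch code. The maps excerpt in the block is constructed, not captured from a live host.

```shell
#!/bin/sh
# Added example (not from the original post): list processes that still map a
# library which has been replaced on disk since they started. rpm unlinks the
# old file on upgrade, so /proc/<pid>/maps shows its mapping with a
# "(deleted)" suffix; such a process keeps running the pre-patch code until it
# is restarted or the host is rebooted. This complements the lsof pipeline
# above and needs nothing beyond /proc, awk and grep.

# Constructed /proc/<pid>/maps excerpt (not captured from a live host):
# an sshd still mapping an old glibc after a glibc rpm upgrade.
SAMPLE_MAPS='00400000-004f0000 r-xp 00000000 fd:00 131 /usr/sbin/sshd
7f3a1c000000-7f3a1c1a8000 r-xp 00000000 fd:00 262 /lib64/libc-2.12.so (deleted)
7f3a1c1a8000-7f3a1c3a8000 ---p 001a8000 fd:00 262 /lib64/libc-2.12.so (deleted)
7f3a1c400000-7f3a1c41c000 r-xp 00000000 fd:00 300 /lib64/libpam.so.0.82.1
7f3a1c600000-7f3a1c700000 rw-p 00000000 00:00 0'

# Print the distinct paths of deleted mappings in one maps file whose path
# matches an extended-regex pattern (field 6 onward is the path, which may
# contain spaces; the trailing "(deleted)" token is dropped).
deleted_mappings() {   # usage: deleted_mappings <maps-file> <pattern>
    awk '/\(deleted\)$/ {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i
            print path
         }' "$1" | grep -E -- "$2" | LC_ALL=C sort -u
}

# Walk every process on this host and print "pid comm path" for each stale
# library mapping. Run as root so that all maps files are readable.
stale_library_users() {   # usage: stale_library_users <pattern>
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        deleted_mappings "$maps" "$1" 2>/dev/null | while read -r path; do
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
    done
}

# Demonstration on the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_MAPS" > "$tmp"
deleted_mappings "$tmp" 'libc-'          # prints /lib64/libc-2.12.so
rm -f "$tmp"
```

`stale_library_users 'libc-'` run after the glibc upgrade gives the restart list; an empty result for a public-facing pattern is the evidence that the restart actually took effect. As the post says, a reboot remains the supported way to be sure.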

Posted in Linux.


How to monitor telnet traffic in AIX

1. Create /etc/security/authlog file containing the following lines:

#!/usr/bin/ksh
/usr/bin/logger -t tsm -p auth.info "`/usr/bin/tty` login from $@ " 

2. Make it executable

# chmod +x /etc/security/authlog 

3. Modify the "/etc/security/login.cfg" file, adding the following two lines just below the default: stanza.

authlog:
program = /etc/security/authlog 

4. Modify the field "auth2" in the "/etc/security/user" file:

default:
...
auth2 = authlog
...

The above can be done for all users via the default: stanza, or for a specific user by modifying only that user's stanza.

5. Configure syslogd to log the information:

# vi /etc/syslog.conf
...
*.info /var/adm/authinfo.log
...

6. Create the logfile

# touch /var/adm/authinfo.log

7. Restart syslogd

# stopsrc -s syslogd 

# startsrc -s syslogd

8. Log in and check the authinfo.log:

# cat /var/adm/authinfo.log

You should see the successful logins.

Posted in AIX.



executing commands remotely from Satellite server

To be able to execute commands on clients of a RedHat Satellite server, you have to install the following rpm on them:

# yum -y install rhncfg-actions

Next, execute the following command on the host:

# rhn-actions-control --enable-all

Finally, check that the directory /etc/sysconfig/rhn/allowed-actions/script exists and that it contains an empty file called run:

# ls -l /etc/sysconfig/rhn/allowed-actions/script
total 0
-rw-r--r-- 1 root root 0 Jan 29 08:27 run 

Posted in LINUX.


Satellite server – syncing and cloning

Satellite server is something like a NIM server plus much more… Satellite server has “Base” channels and, associated with them, “Clone” channels. The latter are the sources of operating system (RedHat Linux) packages (rpms) that a system administrator uses to patch his/her hosts. Usually, clone channels are not updated automatically; the Base channels, on the other hand, are usually synchronized with the Red Hat Network automatically (cron).
There are many possible ways to synchronize a Clone with its Base channel. One way, which results in a new cloned channel synchronized up to a specific date (that you provide), is shown below.

First make sure you have the latest packages in the Red Hat channel that already exists on your Satellite server (in this case called rhel-x86_64-server-6). To sync this channel with the latest packages, execute the next command.

# satellite-sync -c rhel-x86_64-server-6

Once the packages are synced, run the spacewalk-clone-by-date utility to create its clone as of today.

# spacewalk-clone-by-date -u satadmin \
                   -l rhel-x86_64-server-6 \
                      prod-rhel6u6-clone1224 \
                   -d 2014-12-24

The last command creates the new channel named prod-rhel6u6-clone1224 containing the errata published up to that date (today).

Now, associate your host with this particular clone and patch it with yum -y update.

In another post, I will show you how to synchronize an existing clone channel.

Posted in LINUX.



scp and hidden files

Today, I recognized that scp does not copy hidden files… or that I do not know how to use this command to copy hidden files (directories).
Today, I also recognized that rsync is a very handy tool that I have to learn how to use.

For example, to copy the contents of one file system from one host to another file system on another machine, do:

# rsync -av /source_fs/ loginName@targetHostName:/target_fs/

Posted in AIX, Linux.



uploading files to RedHat

Today, I had to attach files to my case (PMR), and doing it with my web browser kept failing, so I had to use the command line to deliver the files.

# redhat-support-tool addattachment -c 01285064 ./spacewalk-debug.tar.bz2

where -c defines the case (PMR) number and the last argument specifies the path/file to be uploaded to RH support.
One more thing: your host may not have this tool installed. In that case, execute

# yum install redhat-support-tool

Posted in LINUX.


Editing crontab from a script

Several ORACLE LINUX hosts with the “unbreakable” kernel (patching requires no reboot) need their root crontab file modified to allow scheduled, “unattended” monthly patching.
The file containing the affected hosts (one host per line) is called eSOA.list.
The script, called Crons.bsh, does the job. Here it is:

#! /bin/bash
CronFile='/tmp/RootCron.txt'             # define storage file
CronJob='0 5 1 * * yum -y update'        # monthly patch job: 05:00 on the 1st

chkconfig crond on                       # make sure cron starts at boot
crontab -u root -l > $CronFile 2>/dev/null  # extract root crontab (empty if none yet)
crontab -u root -l > RootCrontabSaved 2>/dev/null  # saved copy, just in case

# add the two lines only if missing, so re-running the script does not duplicate them
grep -q '^MAILTO=UnixTeam' $CronFile || echo "MAILTO=UnixTeam" >>$CronFile
grep -qF "$CronJob" $CronFile || echo "$CronJob" >>$CronFile

crontab -u root $CronFile                 # replace root crontab
/etc/init.d/crond restart                 # restart crond
rm $CronFile                              # remove storage file

# create a new alias to receive "patching" emails (only once)
grep -q '^UnixTeam:' /etc/aliases || echo "UnixTeam: duszyk@wmd.edu, admin1@wmd.edu" >> /etc/aliases
newaliases                                # activate new aliases

With the above in Crons.bsh, the process of implementing this change on the selected hosts is trivial.

# for h in `cat eSOA.list`
do
scp Crons.bsh $h:/root/
ssh $h '/root/Crons.bsh'
ssh $h 'rm /root/Crons.bsh'
done

The last step was, of course, executed from the host that has "password-less" privilege to all other UNIX hosts in my data centers.
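Because the rollout loop above is run from a host with password-less root access to every other host, the one thing you want from Crons.bsh is that a second run (a re-run after a partial failure, or a host listed twice in eSOA.list) changes nothing. The following is an added example, not the original Crons.bsh: a filter that rewrites a crontab so it carries exactly one MAILTO line and one copy of the patch job, plus a wrapper that applies it to root's live crontab. The crontab content used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not the original Crons.bsh): rewrite a root crontab so that it
# carries exactly one copy of the monthly patch job and one MAILTO line in
# front of it, however many times the rollout loop runs against the same host.
# Input: the current crontab on stdin; output: the new crontab on stdout.
# Like the original script, MAILTO is placed just before the patch job, so jobs
# already in the crontab keep whatever mail destination they had.
merge_crontab() {   # usage: merge_crontab <mailto> <job line>
    awk -v mailto="$1" -v job="$2" '
        /^MAILTO=/ { next }             # drop any earlier MAILTO; re-added below
        $0 == job  { next }             # drop existing copies of the job
        { body = body $0 "\n" }         # keep everything else, in order
        END {
            printf "%s", body
            printf "MAILTO=%s\n", mailto
            printf "%s\n", job
        }'
}

# Apply it to root's live crontab (what Crons.bsh does, but idempotent).
# A missing crontab ("no crontab for root") is treated as empty.
install_patch_job() {   # usage: install_patch_job <mailto> <job line>
    crontab -u root -l 2>/dev/null | merge_crontab "$1" "$2" | crontab -u root -
}

# Demonstration on a constructed crontab with one pre-existing job.
printf '0 1 * * * /usr/local/bin/backup\n' | merge_crontab UnixTeam '0 5 1 * * yum -y update'
```

Running the demonstration's output through `merge_crontab` a second time yields the identical crontab, which is the property the original append-only version lacks.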

Posted in Real life AIX.



AD/KRB authentication for RedHat

Yesterday, I had to do it from scratch… Start by making sure these rpms are installed.

# rpm -qa | grep krb
krb5-libs-1.10.3-33.el6.x86_64
pam_krb5-2.3.11-1.el6.x86_64
# rpm -qa | grep ldap
nagios-plugins-ldap-1.4.16-10.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
pam_ldap-185-11.el6.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
openldap-2.4.39-8.el6.x86_64
php-ldap-5.3.3-38.el6.x86_64

Some packages are optional, for example nagios-plugins-ldap.

# rpm -qa | grep nscd
nscd-2.12-1.149.el6.x86_64
# rpm -qa | grep fprintd
fprintd-0.1-21.git04fd09cfa.el6.x86_64
fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64

Verify and disable sssd if present:

# chkconfig sssd off
# service sssd stop
# yum remove sssd

Now, generate the KERBEROS environment. Keep in mind that the lower/upper case shown below is really IMPORTANT!

# authconfig --enableshadow --passalgo=sha512 \
                  --enableldap --ldapserver=ldap://wmddc.wmd.edu \
                  --ldapbasedn="dc=chop,dc=edu" \
                  --disablefingerprint --enablekrb5 \
                  --krb5kdc=WMDDC.WMD.EDU \
                  --krb5adminserver=WMDDC.WMD.EDU \
                  --krb5realm=WMD.EDU \
                  --enablemkhomedir --update

Edit file /etc/nslcd.conf to add/activate these lines:

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
# filter group  (objectClass=group)
map    group  uniqueMember     member

## the next lines are your site specific:
binddn CN=aixldapquery,OU=ServiceAccounts,OU=Corporate Servers,DC=wmd,DC=edu
bindpw Ch0p2011$
uri ldap://wmddc.wmd.edu/
base dc=wmd,dc=edu

Edit the file /etc/pam.d/system-auth to look like below (order matters!). There is a post on this blog which explains what this setup does in relation to login process.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Edit the file /etc/pam.d/password-auth to look the same:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Start the nscd service.

# chkconfig nscd on
# service nscd start

Now, you should be able to pull user data from AD. Use either the id user_login or the getent passwd user_login command.
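The nslcd.conf edited above ends up holding the service account's bind password in clear text, so before starting nscd the file's ownership and mode are worth checking along with the directives the lookup depends on. The following is an added example, not from the original post: an audit function that fails on a readable bindpw file or a missing uri, base, binddn or passwd uid mapping. The nslcd.conf fragment in the block is constructed with placeholder values, not the site's real ones.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nslcd.conf before
# starting nslcd/nscd. The file above carries the service account's bindpw in
# clear text, so it must be root-owned and readable by root only (mode 0600);
# the lookup also depends on uri, base, binddn and the passwd uid mapping, so a
# missing directive is reported too. Prints one FAIL line per finding and
# returns non-zero if any were found.
audit_nslcd_conf() {   # usage: audit_nslcd_conf <file> [expected owner, default root]
    file=$1; owner=${2:-root}; rc=0
    if grep -q '^bindpw' "$file"; then
        mode=$(stat -c '%a' "$file")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $file holds bindpw but mode is $mode (want 600)"; rc=1 ;;
        esac
        if [ "$(stat -c '%U' "$file")" != "$owner" ]; then
            echo "FAIL: $file must be owned by $owner"; rc=1
        fi
    fi
    for directive in '^uri ' '^base ' '^binddn ' '^map +passwd +uid '; do
        grep -Eq "$directive" "$file" || { echo "FAIL: no line matching $directive"; rc=1; }
    done
    return $rc
}

# Constructed nslcd.conf fragment with placeholder values (not the site's).
SAMPLE_NSLCD='uri ldap://dc.example.test/
base dc=example,dc=test
binddn CN=ldapquery,OU=ServiceAccounts,DC=example,DC=test
bindpw PLACEHOLDER_PASSWORD
map    passwd uid              sAMAccountName'

# Demonstration: the same content passes only once it is locked down.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_NSLCD" > "$tmp"
chmod 644 "$tmp"; audit_nslcd_conf "$tmp" "$(id -un)" || echo "(as expected: world-readable)"
chmod 600 "$tmp"; audit_nslcd_conf "$tmp" "$(id -un)" && echo "OK: $tmp"
rm -f "$tmp"
```

On a real host call it as `audit_nslcd_conf /etc/nslcd.conf` (owner defaults to root) right before `service nscd start`; the second argument exists only so the demonstration can run as an unprivileged user.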

Posted in Real life AIX.


dlnkmgr and mksysb

An AIX host built from a mksysb image of another AIX host with HITACHI LUNs and disk drivers may have issues with its storage… which apparently is a “well” known fact that is easily fixed by executing the following command (it reboots the host).

# /usr/DynamicLinkManager/bin/dlmpostrestore
KAPL10555-I Executing the dlmpostrestore utility will reboot the host. Is this OK? [y/n]:y
KAPL10551-I The dlmpostrestore utility completed successfully. 

It worked like a charm!

Posted in HDS, Real life AIX.





© 2008-2015 www.wmduszyk.com - best viewed with your eyes.