Reading through the CIS RHEL7 benchmark - they switched from recommending firewalld to recommending iptables, why?

4 hours 22 min ago

Hi all,

I'm going through the CIS Red Hat Enterprise Linux 7 benchmark documentation, implementing anything relevant. I noticed in the latest version, v2.2, they recommend using iptables. This piqued my interest as we've been using firewalld since the RHEL7 release.

Going back, they recommended firewalld in the v1.x documentation but switched to iptables in v2.x.

Anyone have any idea why this might be?

Thanks in advance.

Scanning new servers - get a conflict message

Thu, 01/17/2019 - 15:56

I get the following message when scanning a group of new servers:

You have already added computer with name Please choose how to resolve this conflict once the job has completed.

Both IP addresses exist in the pool, but one is a Windows Server instance while the other is a RHEL instance.

.htaccess FilesMatch not finding files with angularjs

Thu, 01/17/2019 - 14:10

I'm fairly new to configuring this, and I'm trying to understand what's going on and what I should do.

I have an app built on angularjs, and it's authenticated by shibboleth.

Part of the app is public, and part of the app needs shib authentication. In my .htaccess file, I have this:

```apacheconf
Options +FollowSymLinks
RewriteEngine on
Options -Indexes
IndexIgnore *
AuthType Shibboleth
require shibboleth
ShibRequireSession off
<FilesMatch "^(admin|secure)$">
    AuthType Shibboleth
    ShibRequireSession on
    require shibboleth
    require valid-user
</FilesMatch>
# with some rewrite rules below
```

Now, FilesMatch should be matching files that are being requested from the server, based on regex matching, and before the matched file is served, it will require a shib session and valid user, as I understand it.

And in this case, it should do that for every file that has 'admin' or 'secure' in the name, right? However, in part due to angularjs (I suppose), for some reason this is working whenever files in an admin directory are requested from the server (presumably because one or more of them have 'admin' in the name), but it is not working at all for any file that has 'secure' in the name. I was trying to make it work for a file named

I have tried numerous combinations (and I am not the best at regex), but I've tried directly referencing the file name while escaping dots: "^add\.secure\.js$" and the like.

Does anyone have any familiarity with this or could point me in the right direction?


How to serve .sh files that remain executable after being downloaded?

Thu, 01/17/2019 - 09:51


I am serving installer files (.sh self-executable) and the permissions on my server are +x.

Whenever I download these files in my Firefox I find them without executable permissions in the ~/Downloads folder.

Now I thought this would be a browser thing (due to security reasons) but I've found that when I download e.g. installer files from GOG they end up in the same place and are marked as executable?

What do I have to take into consideration wrt my apache config to provide users with executable installers? To me it means a big difference usability-wise especially for non-experienced users.

Looking for an identity management system

Thu, 01/17/2019 - 06:32

It needs to be able to support ssh keys, google apps and atlassian.

So far I've come up with FreeIPA as a solution, but it looks too hard to configure and I can't even get it to install.

VRRP Netlink error

Thu, 01/17/2019 - 05:41

When I turn off the eth0 of my master server, server 2 becomes master. Then when I turn eth0 back on on server 1 I get the error message below and can't connect to the virtual IP anymore.

Cron/lfd etc. notify (per e-mail?)

Thu, 01/17/2019 - 04:19


I have a Proxmox cluster with Ceph, on which I run a few VMs (gitlab, Zabbix, that kind of stuff).

I currently receive notifications from cron, lfd and such, which I send via Postfix to a relay server, and from the relay server I send them to my DirectAdmin server with a catch-all. I send them via the relay server so I don't have to set up an SPF, DKIM etc. record for all my VMs. The catch-all is to make sure I receive bounce e-mails in case I set up a hostname or something wrong. The relay server is set up with an allowed IP range via mynetworks, and no further authentication. I have CSF in place to make sure only my IP addresses are allowed to access the relay server as extra security. Though this all doesn't seem to be the most ideal way at all...

I was wondering what the 'best practice' way is of doing this. Any and all advice is much appreciated! Thank you.

Thread iowait

Thu, 01/17/2019 - 02:47

Hi, I have a server with CentOS 7.5 (1804) where load is a constant 12 or so (16 threads). Currently, when using top, I see 99% wa for CPUs 6 & 7 out of 16 threads, and nothing stands out in iotop or iostat, so my question is: how can I trace what is using threads 6 & 7 specifically?

Recommendations for educational videos for RHEL7?

Wed, 01/16/2019 - 20:13


My new job leads to a role that requires a working knowledge in Linux. We generally use RHEL7 so that is what I am most interested in learning but any general Linux knowledge will be beneficial. What do you guys recommend for videos? I am watching this on my daily commute so it needs to be videos. I will definitely be practicing at home on a VM as well. Should I just study course material for something like the RHCSA?

Studying for Linux essentials exam

Wed, 01/16/2019 - 14:53

Been taking the courses at Linux Academy. Can't help but feel like I'm just studying to complete their test, and I'm worried the real test will have a bunch of stuff on it I've overlooked.

Any other tests or material you'd recommend I review before dropping cash for the essentials quiz/cert?

CentOS 7 DHCP server changes its MAC and ssh keys but it's not a MiM?

Wed, 01/16/2019 - 14:06

I have a CentOS 7 VM (qemu) acting as a DHCP server for a site, and when I connect to it remotely it always has 1 of 2 sets of MAC and SSH key, and it seems to happen randomly (anywhere from seconds to connecting to several hours). From what I understand (I inherited this VM), my supervisor has said it's always happened since they set it up (at least according to the guy who originally set it up, who is no longer around to ask).

Practically, I'm just going to blow it out and redo it, but I'm curious as to what could cause a machine to act the way it has been that's not because of a MiM attack. It's possible the physical machine has 2 NICs (again according to hearsay; I've not seen the physical machine the VM is hosted on yet), but nothing is listed in /dev and ip a only ever shows lo and eth0, so I don't see any evidence that the VM even sees the 2nd NIC, let alone why a 2nd NIC would interfere with anything since it doesn't seem to even be interacting (and it shouldn't be) with the VM. Maybe it really is a MiM left by the last guy?

Linux Engineer Opportunities with Amazon Web Services

Wed, 01/16/2019 - 12:33

Hey all,

Hope I'm posting this in the right place as a new user.

I'm a recruiter with Amazon Web Services focusing on hiring Linux Engineers with a variety of levels of experience. More specifically I work in the cleared/Intelligence Community space, hiring engineers with current govt clearance or the ability to gain clearance.

We have roles available in Seattle, WA and Herndon, VA (relocation assistance provided). I'd love to engage with this community to offer opportunities for career growth with AWS.

Here's a sample of some of the opportunities we have available. Feel free to reach out if you have any questions or interest.

Support Engineer-

Systems Engineer-

Systems Development Engineer-

Looking forward to connecting!!!

SELinux Chage Issue CentOS7

Wed, 01/16/2019 - 10:06

Hi there, for the life of me I cannot figure out why the zabbix agent cannot successfully execute a chage (or a sudo chage) command when SELinux is enforcing. It's not a denial...

type=USER_MGMT msg=audit(1547650943.743:183): pid=2440 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:zabbix_agent_t:s0 msg='op=change-age id=1250 exe="/usr/bin/chage" hostname=? addr=? terminal=? res=failed'

It works if setenforce is set to 0, and it also works if the zabbix agent is started from the command line versus systemd. I can't find any insights online about this, and audit2allow has no denials for anything.

Any ideas?

lvmetad[656]: vg_lookup vgid $id name $name found incomplete mapping uuid none name none

Wed, 01/16/2019 - 08:46

Dunno if this is against the rules, but I have had this problem for a while and I can't figure out the problem/solution. Maybe I'll have more success in this subreddit. If the moderator thinks it's not appropriate, then please let me know what the appropriate action is. Thank you.

Install Java8

Wed, 01/16/2019 - 01:05

`sudo apt-get install oracle-java8-installer` fails after connecting to I've seen some Stackoverflow posts about using `sed` to update the debs, but those seem to be outdated.

Can someone point me in the right direction?

Migrate VM from esxi5.0 to 6.5

Wed, 01/16/2019 - 00:00

I need some advice for migrating a VM from esxi5.0 to 6.5. Which options are safer?


Pam_pkcs11 not reading correct CN when doing mapping

Tue, 01/15/2019 - 21:07

Using pam_pkcs11 for mapping users via certificate I have on a Yubikey acting as a smartcard. Authentication is working but when I do a pklogin_finder it reports back the user is "Users" when the mapping on the certificate shows ("DC=com, DC=example, CN=Users, CN=btown").

I've tried using different mappers but none of them seem to correctly pull the right username out of the cert. Anyone found a way around this? I generated the certificate on my Windows AD using smartcard login template and it properly works on all Windows hosts.

I have not tested with a second user + their cert yet, and I'm worried that if it's mapping as "Users" for both there might be some issues. I would also just not like it to say "Welcome Users!" constantly.

Smart card login with Active Directory

Tue, 01/15/2019 - 17:37

I've been searching for information on this, and it seems that there is hardly any? I've got a requirement to come up with 2FA and we have an AD environment. For our Unix boxes we use Red Hat 6.9 and PowerBroker to authenticate to AD. I'm needing to turn that into a smart card login. The Windows side you can do completely using built-in Windows tools and certmgr, but for the Unix side.....idk? Has anyone done this? Is it even possible?

Radius server - find radius software name/version

Tue, 01/15/2019 - 06:47

I'm currently working on a way to distinguish different versions of RADIUS software used by various organisations. I work with a company that provides a policy framework for the education sector to enable federated roaming across multiple sites, utilising each site's infrastructure & RADIUS servers.

However, in order to best support these various organisations I need to know what RADIUS server they are running, whether it is Radiator, FreeRADIUS etc etc etc. When they have initially signed up, it is part of the process to ask what they are using; however, this is quite a big list of organisations and they don't always tell us when they change etc. The end goal is to have a sandbox environment so we can check that any changes we make in the future will work across all the different RADIUS vendors' software, but first we would like a comprehensive list of what's out there. I was wondering if any of you cold-hearted individuals could come into the light and point me in the right direction of how I could go about doing this or what I should be reading into. Thanks for any help!

Disclaimer - I'm the apprentice and learning as I go

