Log rotation for rsyslog using fixed size

We’ll follow the documentation from here.

Changes are made to the /etc/rsyslog.conf config file.

For this example, we will be configuring our named.log file to not exceed 50MiB, and then we’ll have a rotated log “.1” that is also 50MiB. Total it should not exceed 100BMiB.

First we need to create an out channel, and then we assign the out channel to a logging channel. We also need a script that rotates the logs.

Create the Output Channel

$outchannel log_rotation,/var/log/named.log, 52428800,/home/user/log_rotation.sh

Assign Output Channel to Logging Channel

On our line that is logging named, at the end add :$log_rotation

Example:

local0.*                   /var/log/named.log:$log_rotation

Script to Rotate Log

Somewhere on the system, create a rotate.sh script. Name it whatever you want, just be sure the path and name in the rsyslog.conf is the same.

Add the following one line to move the current log to a rotate log.

mv -f /var/log/named.log /var/log/named.log.1

As the log fills up and hits ~50MiB, the named.sh script will run which rotates(moves) the log file to logfile.log.1. This will keep our usage for named.log to 100MiB.

Mongo “illegal hardware instruction mongo” on Linux

While trying to install and run mongo on Kali Linux, I encountered the following error.

zsh: illegal hardware instruction mongo

Using a Bash shell it returns the following instead.

Illegal instruction

It appears that the issue is from running mongo in a virtual machine.

https://www.mongodb.com/community/forums/t/mongodb-community-5-0-12-illegal-instruction-core-dumped-ubuntu-20-04-5-lts/204332

https://askubuntu.com/questions/699077/how-to-enable-avx2-extensions-on-a-ubuntu-guest-in-virtualbox-5

Resolution? Run on bare metal or find a way to enable avx2 in the virtual machine.

Running Node App as systemd Service

In this post we will be using systemd to run a node application. This is helpful as it will automatically start the app when the server starts so we don’t have to manually. These steps can easily be modified to run a bash script, or any other application.

  • Create systemd file
  • Customize systemd file
  • Enable systemd file

We’ll be creating a service for the Simple Whisper Web Interface as an example. Chang things as needed.

Create systemd file

This is super simple. We create a .service file in /lib/systemd/system. When we enable the service, it will create a symlink to this file.

sudo vim /lib/systemd/system/whisperweb.service

Customize systemd file

Change the settings as appropriate. It would be a good idea to run any service as a limited user that only has the rights needed to get the job done. Do note that you will need to have any prerequisites installed and available for that user to use. I.e. libraries installed with npm etc.

[Unit]
Description=Simple Whisper Web Interface Service File
After=network.target

[Service]
Type=simple
User=whisperuser
ExecStart=/usr/bin/node mainssl.js
WorkingDirectory=/home/whisperuser/
Restart=on-failure

[Install]
WantedBy=multi-user.target

Enable systemd file

Enabling the service will create a symlink that will then run this service file on system boot.

sudo systemctl enable whisperweb.service

And now we can start the service.

sudo systemctl start whisperweb.service

We can verify that the service is running by running

sudo systemctl status whisperweb.service

The following article has some great explanations on what different options in the unit file mean and do.

https://nodesource.com/blog/running-your-node-js-app-with-systemd-part-1/

Creating a Simple systemd Service to Launch Shell Script on System Boot

We will setup a simple systemd service to automatically run a bash script on system boot.

Create systemd file

Create the service file with

vi /etc/systemd/system/multi-user.target.wants/bashscript.service

Now fill out the file. Change the Description and ExecStart. After= means only start this unit after the other units have finished. This is needed if we need to make a network connection. If our script runs before the network is up, the connection will fail.

[Unit]
Description=systemd Unit File to Launch Bash Script on System Boot
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStart=/home/user/script.sh

Change the ExecStart to your bash script and save the file

Enable systemd file

Now that the file is created, we need to enable the service so it starts on system boot

systemctl enable bashscript.service

You should get the following output.

Created symlink /etc/systemd/system/multi-user.target.wants/bash.service → /etc/systemd/system/bash.service.

Now to test, reboot your system, or start the service with

systemctl start bashscript.service

How to Bypass NVIDIA NVENC Limits on RTX Cards on Linux

It appears that NVIDIA has limited the number of NVEncoding streams on consumer GPUs. Guess it is so people have to buy the more expensive professional cards.

Fortunately, the limit is only applied to the driver, and there is a patch available that let’s us bypass the limiter.

https://github.com/keylase/nvidia-patch

Install Patch

This assumes you already have the driver installed. If you do not, or run into issues with the commands below, refer to the above link.

Download the tool

https://github.com/keylase/nvidia-patch/archive/refs/heads/master.zip

wget https://github.com/keylase/nvidia-patch/archive/refs/heads/master.zip

Unzip the file

unzip nvidia-patch-master.zip

Run the patch script

cd nvidia-patch-master
sudo bash ./patch.sh

And we are finished!

Further reading

NVIDIA has a matrix of which cards support how many streams etc.

https://developer.nvidia.com/video-encode-and-decode-gpu-support-matrix-new

And while we are on the topic of artificial limits, check out the vGPU license bypass

https://github.com/KrutavShah/vGPU_LicenseBypass

How to POST a message to a Telegram Channel

It’s fairly easy to send a message to a Telegram Channel using curl. Copy and paste the following command in, replacing the API_TOKEN, chat_id, and test_message, with the appropriate items.

curl -s -o /dev/null -X POST -H "Content-Type: application/json" -d "{\"chat_id\": \"-100XXXXXXXXXX\", \"text\": \"test_message\", \"disable_notification\": true}" https://api.telegram.org/bot{API_TOKEN}/sendMessage

https://stackoverflow.com/questions/68213124/telegram-example-of-how-to-use-curl-for-windows-10-to-message-myself-with-a-bot

Need to send a message to Teams? Check out the following post.

Bash script to send messages to Microsoft Teams

How to Read git Object File Without git?

Git object files are a zlib compressed data file type.

We can check this by running the file command. “6ae4147121f0165e7c0e309bad649c2c4d3a55” is our git file of interest.

$ file 6ae4147121f0165e7c0e309bad649c2c4d3a55
6ae4147121f0165e7c0e309bad649c2c4d3a55: zlib compressed data

https://stackoverflow.com/questions/1532405/how-to-view-git-objects-and-index-without-using-git

The above link has helpful information. Easiest way I found was to install zlib-flate by installing qpdf with apt.

sudo apt install qpdf

We can now use the zlib-flate command with the -uncompress option to decompress the file and print the contents.

$ zlib-flate -uncompress < 6ae4147121f0165e7c0e309bad649c2c4d3a55
var b64 = ("");
console.log(b64);

Redirect website HTTP to HTTPS using the .htaccess file

The following can be added to the .htaccess file to redirect all http request to https.

RewriteEngine On
RewriteCond %{HTTPS} off  
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteEngine On – Allows the rewrite capabilities. If it was off, the last rule “RewriteRule” would not work.
RewriteCond – This is a conditional that says if the current request is using HTTPS, don’t rewrite. If this option was not here, we would get an infinite redirect loop.
RewriteRule – This is the actual rule that rewrites or redirects any HTTP request to HTTPS. the R=301 means that it redirects using a 301 status code.

The following links provide more detail and info on htaccess redirects.

https://linuxize.com/post/htaccess-force-https/

https://www.redhat.com/sysadmin/beginners-guide-redirects-htaccess

Raspberry Pi – Blink Light – Python

A Simple Python script to blink a Raspberry Pi LED.

import RPi.GPIO as GPIO
from time import sleep

GPIO.setwarnings(False)
GPIO.setmode(GPIO.BOARD)  # Uses the physical pin numbering
GPIO.setup(7, initial=GPIO.LOW)  # Set GPIO pin to off

while True:
    GPIO.output(7, GPIO.HIGH)
    sleep(0.2)
    GPIO.output(7, GPIO.LOW)
    sleep(0.2)

Change pin numbers as needed.

We can also do this with BASH.

Control LED using BASH

SELinux Audit Commands and Links

You can install audit2why by installing the policycoreutils package

sudo dnf install policycoreutils-python-utils

Show what and why something is failing

audit2why < /var/log/audit/audit.log

Search with ausearch

ausearch -m avc --start recent

Create and apply a module to fix the failure

This creates two files, a .pp and .te. The .pp is the compiled version of the .te

audit2allow -M mymodule < /var/log/audit/audit.log
semodule -i mymodule.pp

Note that “mymodule.pp” will replace any previous “mymodule.pp”. If your needing to create multiple modules/allow multiple exceptions, you can change the name of each module.

You can also add the rules together then manually compile it. Refer to the first link for more details.

Links with more info

https://danwalsh.livejournal.com/24750.html

http://selinuxgame.org/tutorials/ausearch/index.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow