Typically after a Linux Kernel update, you will want to reboot your machine to take advantage of the new kernel. But how do you know if you need to reboot?
Fortunately, there is a simple way to check.
cat /var/run/reboot-requiredIf it returns
*** System restart required ***
Then we should reboot the machine.
https://www.cyberciti.biz/faq/how-to-find-out-if-my-ubuntudebian-linux-server-needs-a-reboot/
Install and enable auditd with
sudo dnf install auditd sudo systemctl enable auditd sudo systemctl start auditd
Add a file or directory to monitor with
auditctl -w /etc/passwd -k password
-w is watch path
-k is a filter key we can use later to search through logs
Now we can search with ausearch
ausearch -k password
There are already some preconfigured rules in /usr/share/audit/sample-rules/
We can copy those to /etc/auditd/rules.d/ and use them.
cd /usr/share/audit/sample-rules/ cp 10-base-config.rules 30-stig.rules 31-privileged.rules 99-finalize.rules /etc/audit/rules.d/ augenrules --load
Note on the 31-privileged.rules file. You’ll need to run the commands in the file which will create a new file. Then we can copy that to “/etc/auditd/rules.d/”
find /bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > priv.rules
#find /sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#filecap /bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
And Copy priv.rules to /etc/audit/rules.d/31-privileged.rules. Overwrite the file there if needed.
cp ./priv.rules /etc/audit/rules.d/31-privileged.rules
Load the rules.
augenrules --load
Sounds like this could be from a potential scan. The record is useless as 0.0.0.0 doesn’t go to anything.
We can block this type of behavior by blocking inbound DNS request. Change in-interface to your interface or change to an interface list.
ip firewall filter add chain=input protocol=6 dst-port=53 in-interface=ether1 action=drop ip firewall filter add chain=input protocol=17 dst-port=53 in-interface=ether1 action=drop
Here is a quick way to create a self signed certificate in Linux.
Run the following command. Fill out the required info.
openssl req -x509 -sha256 -nodes -days 3652 -newkey rsa:4096 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
chmod 400 /etc/pki/tls/private/localhost.key
Now in your Apache or Nginx files, specify the path to the Key and the Certificate.
Note that if you’ll need to add the
https://www.linode.com/docs/guides/create-a-self-signed-tls-certificate/
If you are getting the following error
“Couldn’t create temporary archive name.”
Check if you are out of disk space.
df -h
After freeing up some space, you should be able to continue increasing the disk size
lvextend -l +100%FREE /dev/redhat/root xfs_growfs /dev/redhat/root
UISP runs inside of a docker container. To copy out the backup files we need to use the “docker cp” command.
sudo docker cp unms:/home/app/unms/data/unms-backups ./uisp-backups
This will copy the backups into ./uisp-backups directory.
On an Ubuntu system, docker needs sudo permissions. If you copy the backups with the above command, the backup files will be assigned to the root user and you will not be able to use your normal user to manipulate the files.
You can either add your current user to the Docker group, or change the files owner
sudo chown username:username -R ./uisp-backups/
We can now copy all the automatic backups with rsync
sudo rsync -a ./uisp-backups -e "ssh -p 22" backupuser@backuphost:/backups
You can also automate this with Cron by doing something like
1 1 * * 1 docker cp unms:/home/app/unms/data/unms-backups ~/uisp-backups && rsync -a ~/uisp-backups -e "ssh -p 22" backupuser@backuphost:/backups
Every Monday at 1:01AM, copy the current UISP automatic backups, then use rsync to copy them to a remote server.
This expects that the current user has permissions to call Docker without sudo.
By default on Debian based systems, Docker needs the sudo command to run. We can add a normal user to the Docker group so we don’t have to.
sudo usermod -aG docker username
Change out the username to your Ubuntu username.
The -a option means append the group to the username. It does not remove the user from current groups.
the -G option means add the specified group.
What do you do when all your devices disappear from the web interface?
Everything still appears to be working. Alerts work.
Running a MySQL command to check if the devices are in the database returns all the devices
mysql -u librenms -p librenms -e 'use librenms ; select hostname,sysName,status from devices where status=1'
If we try going to /addhost we are greeted with an Error You have insuffecient permissions to view this page.
Running ./validate.php returns everything good
Potentially it could be an issue with SElinux or with Apache/NGinx
Running
audit2why < /var/log/audit/audit.log
Doesn’t return anything
No errors pop up in the Logs
Could be something happened with the LibreNMS user.
Test a different LibreNMS user and all the devices show up.
We’ve now isolated the issue to being something with out user.
Note that there are a couple of limitations of using the Cloud Hosted Router (CHR). The main issue is that the default license doesn’t allow for more than 1Mbps on each interface.
Download the VDI version of CHR from the Mikrotik downloads page.
Mikrotik has instructions for installing CHR in VirtualBox, so this post is more of just a summary.
https://wiki.mikrotik.com/wiki/Manual:CHR_VirtualBox_installation
The easiest way to spin up more vm’s to right click on the VM and Clone.
The testing methodology was practically the same as our LineageOS test.
Testing methodology.
Screenshot of Wireshark with DNS filter.
Total bandwidth sent and received for each IP
Some of the IP’s are used for different services. For instance the apps and releases sub domains use the same IP address.
After turning on the GPS toggle, there was a DNS query for
qualcomm.psds.grapheneos.org
This will download the files needed to speed up the GPS speed and accuracy. You can turn this off in the Settings -> Location -> Predicted Satellite Data Service (PSDS)
You can also enable/disable the Secure User Plan Location (SUPL)
You can read more about PSDS and SUPL on the GrapheneOS website https://grapheneos.org/faq#other-connections