Categories
Linux

Vi reminders

Cursor movement

  • h – move left
  • j – move down
  • k – move up
  • l – move right
  • w – jump by start of words (punctuation considered words)
  • W – jump by words (spaces separate words)
  • e – jump to end of words (punctuation considered words)
  • E – jump to end of words (no punctuation)
  • b – jump backward by words (punctuation considered words)
  • B – jump backward by words (no punctuation)
  • 0 – (zero) start of line
  • ^ – first non-blank character of line
  • $ – end of line
  • G – Go To command (prefix with number – 5G goes to line 5)

Note: Prefix a cursor movement command with a number to repeat it. For example, 4j moves down 4 lines.

Insert Mode – Inserting/Appending text

  • i – start insert mode at cursor
  • I – insert at the beginning of the line
  • a – append after the cursor
  • A – append at the end of the line
  • o – open (append) blank line below current line (no need to press return)
  • O – open blank line above current line
  • ea – append at end of word
  • Esc – exit insert mode

Editing

  • r – replace a single character (does not use insert mode)
  • J – join line below to the current one
  • cc – change (replace) an entire line
  • cw – change (replace) to the end of word
  • c$ – change (replace) to the end of line
  • s – delete character at cursor and substitute text
  • S – delete line at cursor and substitute text (same as cc)
  • xp – transpose two letters (delete and paste, technically)
  • u – undo
  • . – repeat last command

Marking text (visual mode)

  • v – start visual mode, mark lines, then do command (such as y-yank)
  • V – start Linewise visual mode
  • o – move to other end of marked area
  • Ctrl+v – start visual block mode
  • O – move to Other corner of block
  • aw – mark a word
  • ab – a () block (including the parentheses)
  • aB – a {} block (including the braces)
  • ib – inner () block
  • iB – inner {} block
  • Esc – exit visual mode

Visual commands

  • > – shift right
  • < – shift left
  • y – yank (copy) marked text
  • d – delete marked text
  • ~ – switch case

Cut and Paste

  • yy – yank (copy) a line
  • 2yy – yank 2 lines
  • yw – yank word
  • y$ – yank to end of line
  • p – put (paste) the clipboard after cursor
  • P – put (paste) before cursor
  • dd – delete (cut) a line
  • dw – delete (cut) the current word
  • x – delete (cut) current character

Exiting

  • :w – write (save) the file, but don’t exit
  • :wq – write (save) and quit
  • :q – quit (fails if anything has changed)
  • :q! – quit and throw away changes

Search/Replace

  • /pattern – search for pattern
  • ?pattern – search backward for pattern
  • n – repeat search in same direction
  • N – repeat search in opposite direction
  • :%s/old/new/g – replace all old with new throughout file
  • :%s/old/new/gc – replace all old with new throughout file with confirmations

Working with multiple files

  • :e filename – Edit a file in a new buffer
  • :bnext (or :bn) – go to next buffer
  • :bprev (or :bp) – go to previous buffer
  • :bd – delete a buffer (close a file)
  • :sp filename – Open a file in a new buffer and split window
  • ctrl+ws – Split windows
  • ctrl+ww – switch between windows
  • ctrl+wq – Quit a window
  • ctrl+wv – Split windows vertically

thanks to Tim at https://www.worldtimzone.com


iDrac 6, Linux, Firefox & Natively Unsupported Virtual Console

So after a couple of hours toying and reading online (links to other pages which aided me in this assessment at the end of this post) I’d like to record the specific binaries and config changes I needed to make to access an elderly iDrac6 Virtual Console session from Firefox.

My environment:
Client:
Fedora 32
Firefox 80

Elderly Dell Server:
iDrac 6
Firmware 3.75 (Build 5)

  1. Download, verify and install the latest Oracle Java in .rpm format from https://www.java.com/en/download/linux_manual.jsp
  2. Run /usr/java/latest/bin/jcontrol to open the Oracle Java control panel. Navigate to the “Security” tab, ensure “High” is the selected security level and then add your iDrac website address to the “Exception Site List” as shown in the example image below:

    Oracle Java Control Panel Site Exception Example

  3. Next, because my version of iDrac still relies on the MD5 algorithm, which modern Java disables by default for signed jars, I needed to permit it. Edit /usr/java/jre1.8.0_261-i586/lib/security/java.security (your version may vary of course) and locate the following line, at around line 612:

    jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

  4. Copy and paste this line below itself, comment out the original and then edit the copy to read as follows (removing the MD5 entry):

    jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024

  5. That’s it. Now visit the iDrac web interface, download the .jnlp file and run it with the following command:

    javaws /path/to/the/downloaded/filename.jnlp

Do remember to restore the commented line and comment the edited line in your /usr/java/jre1.8.0_261-i586/lib/security/java.security file after use – not good to leave insecure algorithms available to a commonly exploited platform!
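As an added example (not part of the original post), the following shell helpers make the java.security edit from steps 3 and 4 reversible, so the MD5 exemption is restored after the Virtual Console session instead of being forgotten. The path is the one from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: make the steps 3 and 4 edit to
# java.security reversible, so the MD5 exemption is removed again after the
# Virtual Console session rather than being left behind.
# Path taken from the post; your JRE version may differ.
JAVA_SECURITY="${JAVA_SECURITY:-/usr/java/jre1.8.0_261-i586/lib/security/java.security}"

# Keep a backup, comment out the active jdk.jar.disabledAlgorithms line and
# write a copy beneath it with only the "MD5, " entry removed (steps 3 and 4).
relax_md5() {
  f="$1"
  cp -p "$f" "$f.idrac-backup" || return 1
  awk '
    /^jdk\.jar\.disabledAlgorithms=/ {
      print "#" $0            # original line, commented out
      line = $0
      sub(/MD5, /, "", line)  # drop only the MD5 entry
      print line
      next
    }
    { print }
  ' "$f.idrac-backup" > "$f"
}

# Undo relax_md5 by putting the untouched backup back (the reminder at the
# end of the post).
restore_md5() {
  f="$1"
  [ -f "$f.idrac-backup" ] || return 1
  mv "$f.idrac-backup" "$f"
}

# Show the value Java will actually use, to confirm the state before and after.
effective_value() {
  grep '^jdk\.jar\.disabledAlgorithms=' "$1" | cut -d= -f2-
}

# Typical session: relax, run the viewer, restore whether or not javaws succeeds.
# relax_md5 "$JAVA_SECURITY" &&
#   { javaws /path/to/the/downloaded/filename.jnlp; restore_md5 "$JAVA_SECURITY"; }
```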

References:
https://velenux.wordpress.com/2017/06/07/workaround-for-javaws-jnpl-error-cannot-grant-permissions-to-unsigned-jars/

https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code


Dell Perc RAID CLI

The following are a few commands using the Dell perccli64 tool which can be downloaded from Dell (https://www.dell.com/support/home/en-uk/drivers/driversdetails?driverId=F48C2)

/opt/MegaRAID/perccli/perccli64 /c0 show 
/opt/MegaRAID/perccli/perccli64 /c0 /e32 show


OSSEC Rule Examples

Direct copy from the blog https://akmalhisyam.my/blog/ossec-creating-custom-rules for my reference – thanks Akmal!

  • When parsing a log, OSSEC will look at level 0 first, and then from the highest level to the lowest level.
  • OSSEC will not produce an alert for rules with level 0.
  • It is best to put custom rules in local_rules.xml or another file to avoid them being overwritten during an upgrade.
  • ossec-logtest is a very useful tool to test your rules and decoders.

Example

Silencing certain rules

<rule id="100030" level="0">
  <if_sid>503,502</if_sid>
  <description>List of rules to be ignored.</description>
</rule>

OSSEC will not produce any alert when rules 502 and 503 are triggered.


Ignore alert if rules triggered by certain IP

<rule id="100225" level="0">
  <if_sid>40101</if_sid>
  <srcip>127.0.0.1</srcip>
  <description>Ignore this</description>
</rule>

If rule 40101 is triggered by 127.0.0.1, don't produce any alert.


Ignore alert if contains certain strings

<rule id="100223" level="0">
  <if_sid>1002</if_sid>
  <match>terrorist|terror|femmefatale|heart-attack</match>
  <description>Ignore 1002 false positive</description>
</rule>

OSSEC is using OS_match/sregex syntax in <match>


Ignore alert if contains certain strings (using regex)

<rule id="100207" level="4">
  <if_sid>1002,1003</if_sid>
  <regex>^WordPress database error You have an error in your SQL syntax(\.*)functionName$</regex>
  <description>Unescaped SQL query, known issue</description>
</rule>

OSSEC is using OS_regex/regex syntax in <regex>


Trigger custom rule when certain field match certain value in cdb list

<rule id="100215" level="5">
  <if_sid>31101</if_sid>
  <list lookup="match_key" field="url">rules/badurl</list>
  <description>URL is in badurl</description>
</rule>

Trigger custom rule when certain rules are fired x times within n seconds from the same srcip

<rule id="100216" level="10" frequency="4" timeframe="90">
  <if_matched_sid>100215</if_matched_sid>
  <same_source_ip />
  <description>Multiple badurl access </description>
  <description>from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>

Overriding rules

<rule id="1003" level="13" overwrite="yes" maxsize="2000">
  <description>Non standard syslog message (size too large).</description>
</rule>

Original rule 1003 has 10245 as its maxsize. Using overwrite="yes" will make OSSEC overwrite certain fields in the original rule.


Custom rule group

<group name="app_error">
  <rule id="100207" level="4">
    <if_sid>1002,1003</if_sid>
    <regex>^WordPress database error You have an error in your SQL syntax(\.*)functionName$</regex>
    <description>Unescaped SQL query, known issue</description>
  </rule>

  <rule id="100218" level="0">
    <if_sid>1003</if_sid>
    <match>WUID | WTB</match>
    <description>ignorance is bliss</description>
  </rule>
</group>
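As an added example (not from Akmal's blog or from OSSEC itself), this shell check can be run over local_rules.xml before reloading. It reports rules without an id, duplicate ids, and ids outside the 100000-119999 range the OSSEC documentation reserves for custom rules, except where overwrite="yes" is present, which is how the rule 1003 override above legitimately reuses a stock id. The function name is my own.

```shell
#!/bin/sh
# Added example (not from the original blog or from OSSEC): sanity-check a
# rules file such as local_rules.xml before reloading. Reports rules without
# an id, duplicate ids, and ids outside 100000-119999 (the range the OSSEC
# documentation reserves for custom rules) unless the rule carries
# overwrite="yes", as the rule 1003 override does. Exit status is non-zero
# when anything is flagged, so it can gate a deployment step.
check_rule_ids() {
  awk '
    /<rule / {
      id = -1
      ow = ($0 ~ /overwrite="yes"/)
      # id="100030" -> 100030 (skip the 4 chars id=" and the closing quote)
      if (match($0, /id="[0-9]+"/)) id = substr($0, RSTART + 4, RLENGTH - 5) + 0
      if (id < 0) { print "line " NR ": rule without id"; bad++; next }
      if (seen[id]++) { print "line " NR ": duplicate id " id; bad++ }
      if (!ow && (id < 100000 || id > 119999)) {
        print "line " NR ": id " id " outside custom range and no overwrite=\"yes\""
        bad++
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Usage: check_rule_ids /var/ossec/rules/local_rules.xml
```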

Linux firewall-cmd

A few useful firewall-cmd syntax examples:

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" service name="https" source address="<<CIDR SUBNET HERE>>"  accept'

RHEL Subscription Manager Useful Commands

The following was copied from <https://access.redhat.com/discussions/3312101?tour=8> and provides a method of cleaning all subscription-manager configuration and re-subscribing. You’ll need an active Red Hat account to complete this, though they do offer free developer accounts (use your account name, not your email address, as the username!).

sudo subscription-manager remove --all
sudo subscription-manager unregister
sudo subscription-manager clean

sudo subscription-manager register
sudo subscription-manager refresh
sudo subscription-manager attach --auto

verifying RPM files

The following command will report back the signing key and other useful details for an rpm package:

rpm -qpi <rpm package name>


Linux Ubuntu Kernel Management

To revert to the latest recommended kernel:

sudo apt-get install --install-recommends linux-generic-hwe-18.04

To tidy up and remove unused kernels:

You should check partially removed kernels with

dpkg -l linux-image-\* | grep ^rc

and remove them with for example sudo apt-get purge linux-image-4.4.0-101-generic.

Purging will remove initramfs generation rules from /var/lib/initramfs-tools/.

If it does not help, you can remove them manually from the initramfs list:

sudo rm /var/lib/initramfs-tools/3.13.0-39-generic
sudo rm /var/lib/initramfs-tools/4.4.0-101-generic
sudo rm /var/lib/initramfs-tools/4.4.0-103-generic
sudo rm /var/lib/initramfs-tools/4.4.0-38-generic
sudo rm /var/lib/initramfs-tools/4.4.0-45-generic
sudo rm /var/lib/initramfs-tools/4.4.0-59-generic
sudo rm /var/lib/initramfs-tools/4.4.0-77-generic
sudo rm /var/lib/initramfs-tools/4.4.0-78-generic
sudo rm /var/lib/initramfs-tools/4.4.0-81-generic

Usually I run purge-old-kernels followed by sudo apt-get autoremove to have only 2 recent kernels.

You can reinstall installed kernels with their initramfses:

sudo apt-get install --reinstall \
$(dpkg -l linux-image-\* | grep ^ii | awk '{print $2}')

ref: https://askubuntu.com/questions/1001285/why-are-old-initrd-files-of-uninstalled-kernels-filling-up-boot-partition
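As an added example (not from the askubuntu answer above), these shell helpers compute the stale /var/lib/initramfs-tools entries that the answer removes by hand, by comparing the directory against the kernels dpkg reports installed. Nothing is deleted; the list is printed for review. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the askubuntu answer above): work out which
# /var/lib/initramfs-tools entries belong to kernels that are no longer
# installed, i.e. the files the answer removes by hand one at a time.
# Nothing is deleted here; the list is printed for review first.

# Pure comparison, kept separate so it can be checked on constructed input:
#   $1 = directory of initramfs-tools version entries
#   $2 = file listing installed kernel versions, one per line
stale_initramfs_versions() {
  dir="$1"; installed="$2"
  for entry in "$dir"/*; do
    [ -e "$entry" ] || continue          # empty directory: glob stays literal
    v=$(basename "$entry")
    grep -qxF "$v" "$installed" || echo "$v"
  done
}

# Live wrapper: installed versions come from dpkg (status "ii"), with the
# linux-image- prefix stripped so they match the directory entry names.
list_stale_initramfs() {
  tmp=$(mktemp)
  dpkg -l 'linux-image-*' | awk '/^ii/ { sub(/^linux-image-/, "", $2); print $2 }' > "$tmp"
  stale_initramfs_versions /var/lib/initramfs-tools "$tmp"
  rm -f "$tmp"
}

# After reviewing the output:
#   for v in $(list_stale_initramfs); do sudo rm "/var/lib/initramfs-tools/$v"; done
```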


Linux du folder sizes

List all folders in the /path/to/parent directory along with their size in (h)uman readable (m)egabytes

du -mh /path/to/parent --max-depth=1


VMWare Workstation 14 Ubuntu

I recently encountered a minor issue attempting to create additional VMs in VMware Workstation 14 on Ubuntu. The error I received suggested there wasn’t enough memory free to power on an additional VM, but the host has 32GB of RAM and I’d allocated 20GB across all VMs.

Inspecting the /etc/vmware/config file revealed the value:

prefvmx.allVMMemoryLimit = "12954"

This is a hard upper limit for all VMs. Adjusting it to the following with VMware Workstation closed, and then starting it again, resolved the problem:

prefvmx.allVMMemoryLimit = "20480"