Jaime Frutos Morales's blog

31/08/2009

How to purge removed DEB packages

Filed under: SysAdmin, Ubuntu — acidborg @ 12:55

When you remove a package in a DEB-based system using apt-get remove package-name (or dpkg -r package-name), if that package has config files, they usually remain in your system.

The best way to remove a package and its config files is using this command: apt-get --purge remove package-name (or dpkg -P package-name).

You can check whether you have removed DEB packages with installed config files using this command: dpkg -l | grep '^rc' (the ‘r’ means ‘removed’ and the ‘c’ means that it has config files installed)

So, if you want to get rid of these config files, just type: dpkg -l | grep '^rc' | awk '{print $2;}' | xargs dpkg --purge

Advertisements

28/08/2009

Book: GREP Pocket Reference

Filed under: Books, Linux, SysAdmin — acidborg @ 13:39

I’ve just finished reading this book:

Grep book

It makes quite a complete review of grep, its parameters and the four kinds of regular expressions that it supports (and it only has 82 pages).

I totally recommend it!

27/08/2009

How to install and configure AppArmor in Ubuntu Server 9.04

Filed under: SysAdmin, Ubuntu — acidborg @ 11:42

Description: “AppArmor (“Application Armor”) is security software for Linux, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program’s typical behavior.

AppArmor is implemented using the Linux Security Modules kernel interface.

AppArmor was created in part as an alternative to SELinux, which critics consider difficult for administrators to set up and maintain.[1] Unlike SELinux, which is based on applying labels to files, AppArmor works with file paths. Proponents of AppArmor claim that it is less complex and easier for the average user to learn than SELinux.[2] They also claim that AppArmor requires fewer modifications to work with existing systems:[citation needed] for example, SELinux requires a filesystem that supports “security labels”, and thus cannot provide access control for files mounted via NFS. AppArmor is file-system agnostic.

Installation: Run this command to install it: apt-get install apparmor-profiles apparmor-utils

Configuration (all processes in enforce mode):

  • To show AppArmor’s status use this command: aa-status
  • Output example:

    apparmor module is loaded.
    18 profiles are loaded.
    6 profiles are in enforce mode.
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/sbin/avahi-daemon
    /usr/lib/connman/scripts/dhclient-script
    /usr/sbin/tcpdump
    /sbin/dhclient3
    /sbin/dhclient-script
    12 profiles are in complain mode.
    /usr/sbin/traceroute
    /bin/ping
    /usr/sbin/mdnsd
    /usr/sbin/ntpd
    /usr/sbin/identd
    /usr/sbin/nmbd
    /usr/sbin/dnsmasq
    /sbin/klogd
    /usr/sbin/smbd
    /sbin/syslogd
    /sbin/syslog-ng
    /usr/sbin/nscd
    2 processes have profiles defined.
    0 processes are in enforce mode :
    0 processes are in complain mode.
    2 processes are unconfined but have a profile defined.
    /sbin/klogd (2100)
    /sbin/syslogd (2080)

  • To set enforce mode to all available AppArmor’s profiles use this command: aa-enforce /etc/apparmor.d/*
  • Output example:

    Setting /etc/apparmor.d/bin.ping to enforce mode.
    Setting /etc/apparmor.d/sbin.dhclient3 to enforce mode.
    Setting /etc/apparmor.d/sbin.klogd to enforce mode.
    Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
    Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.avahi-daemon to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.identd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.mdnsd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.nmbd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.ntpd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.smbd to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.tcpdump to enforce mode.
    Setting /etc/apparmor.d/usr.sbin.traceroute to enforce mode.

  • Execute aa-status again to check the changes:
  • Output example:

    apparmor module is loaded.
    18 profiles are loaded.
    18 profiles are in enforce mode.
    /usr/sbin/traceroute
    /bin/ping
    /usr/sbin/mdnsd
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/sbin/avahi-daemon
    /usr/lib/connman/scripts/dhclient-script
    /usr/sbin/ntpd
    /usr/sbin/identd
    /usr/sbin/tcpdump
    /usr/sbin/nmbd
    /usr/sbin/dnsmasq
    /sbin/klogd
    /usr/sbin/smbd
    /sbin/syslogd
    /sbin/syslog-ng
    /usr/sbin/nscd
    /sbin/dhclient3
    /sbin/dhclient-script
    0 profiles are in complain mode.
    2 processes have profiles defined.
    0 processes are in enforce mode :
    0 processes are in complain mode.
    2 processes are unconfined but have a profile defined.
    /sbin/klogd (2100)
    /sbin/syslogd (2080)

  • Restart processes which are unconfined but have a profile defined. Following my example, these commands should be run:

  • /etc/init.d/klogd restart
    /etc/init.d/sysklogd restart

  • Finally, execute aa-status again and make sure all processes with a defined profile are in enforce mode:
  • Output example:

    apparmor module is loaded.
    18 profiles are loaded.
    18 profiles are in enforce mode.
    /usr/sbin/traceroute
    /bin/ping
    /usr/sbin/mdnsd
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/sbin/avahi-daemon
    /usr/lib/connman/scripts/dhclient-script
    /usr/sbin/ntpd
    /usr/sbin/identd
    /usr/sbin/tcpdump
    /usr/sbin/nmbd
    /usr/sbin/dnsmasq
    /sbin/klogd
    /usr/sbin/smbd
    /sbin/syslogd
    /sbin/syslog-ng
    /usr/sbin/nscd
    /sbin/dhclient3
    /sbin/dhclient-script
    0 profiles are in complain mode.
    2 processes have profiles defined.
    2 processes are in enforce mode :
    /sbin/syslogd (24416)
    /sbin/klogd (24147)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.

24/08/2009

How to install and configure munin server and nodes in Ubuntu Server 9.04

Filed under: SysAdmin, Ubuntu — acidborg @ 09:22

Description: “Munin the monitoring tool surveys all your computers and remembers what it saw. It presents all the information in graphs through a web interface. Its emphasis is on plug and play capabilities. After completing a installation a high number of monitoring plugins will be playing with no more effort.

Using munin you can easily monitor the performance of your computers, networks, SANs, applications, weather measurements and whatever comes to mind. It makes it easy to determine “what’s different today” when a performance problem crops up. It makes it easy to see how you’re doing capacity-wise on any resources.

Munin uses the excellent RRDTool (written by Tobi Oetiker) and the framework is written in Perl, while plugins may be written in any language. munin has a master/node architecture in which the master connects to all the nodes at regular intervals and asks them for data. It then stores the data in RRD files, and (if needed) updates the graphs. One of the main goals has been ease of creating new plugins (graphs).

Due to its client-server architecture, at least one munin server is needed. You can install as many nodes as you want (one per computer or virtual machine you want to monitor).

To install the munin server: apt-get install munin

To configure the munin server, edit /etc/munin/munin.conf and add an entry like the following one for each node (replacing 127.0.0.1 for the IP of the node):

[nodename.domain]
address 127.0.0.1
use_node_name yes

After editing this file, reload your web server to read the changes (usually: /etc/init.d/apache2 restart ).

To install a munin node: apt-get install munin-node

To configure a munin node, edit /etc/munin/munin-node.conf . Use munin as user and group to reduce default permissions:
user munin
group munin

Add a line allowing connections from your munin server’s IP (127.0.0.1 in this example):

allow ^127\.0\.0\.1$

After editing this file, restart your munin node to finish its configuration: /etc/init.d/munin-node restart

03/08/2009

How to disable IPv6 support on Red Hat and Fedora

Filed under: SysAdmin — acidborg @ 13:24

IPv6 support can be disabled on Red Hat and Fedora following these simple steps:

  • Add this line to /etc/sysconfig/network :
  • NETWORKING_IPV6=no

  • Add these two lines to /etc/modprobe.conf :
  • alias net-pf-10 off
    alias ipv6 off

After the next reboot, IPv6 support will be disabled.

Create a free website or blog at WordPress.com.