Clear fmadm or FMA fault logs

If the System Administrator doesn't have log rotation setup, logs fill up on the server from time to time. Usually the system or audit logs are the root cause, but sometimes the Fault Management Architecture (FMA) logs are the cause. On Solaris or if installed on Linux, there is a utility called fmd (Fault Manager Daemon) that checks for issues with the system hardware. This program is managed by the fmadm program. Follow the steps below to clear out the logs.

Clear error fmadm reports

root@earth> fmadm repair  UUID

The UUID is the event code that is shown when you run the fmadm faulty command.

* Note: If the above command doesn't clear the error then, there is a real issue hardware that needs to be addressed.

Clear reports and resource cache

root@earth> cd /var/fm/fmd
root@earth> rm e* f* c*/eft/* r*/*

Clearing out FMA files without rebooting.

root@earth> svcadm disable -s svc:/system/fmd:default
root@earth> cd /var/fm/fmd
root@earth> find /var/fm/fmd -type f -exec ls {} \;
root@earth> find /var/fm/fmd -type f -exec rm {} \;
root@earth> svcadm enable -s svc:/system/fmd:default

Reference
blogs.oracle.com: How to clear fmadm log or FMA faults log
Fault Management Architecture

Manpage:
fmadm(1M)
fma

Symantec Training

I found some free Symantec training. All you need to do is register for a account. The free classes are listed as Symantec eLibrary. Select this item and go to the checkout.

http://techcenter.symantec.com/ecampus/enterprise

Unlock locked accounts

These are my notes no unlocking user accounts, below I go over a few ways to get a user account back up and running. Such as changing the expiration date on an expired account and resetting the PAM Tally for a user.

In keeping with the space theme, I will be using earth as the server's hostname and man as the name of the user account.

This the most common way to unlock your account.

root@earth> passwd -u man

Change the expiration date of the user account

root@earth> usermod --expire 9999 man

This works on some systems

root@earth> ipa user-unlock man

This resets the account if all else fails.

root@earth> pam_tally --user=man --reset

References.
www.cyberciti.biz
From RHEL user-unlock command
SuperUser pam command

Disable VRFY for Postfix (Retina ID 146)

The Retina Network Security Scanner from BeyondTrust, Inc was run against my servers and ID 146 was a hit or finding on one of my servers. Retina can give good results on network security vulnerabilities, but false finds are also common. The problem with that the scanner is that it doesn't show you how it finds the vulnerability or how to fix it. I did some research and it turns out that you need to disable the VRFY command in postfix. Below I have posted the security vulnerability from Retina, with instructions on how to fix the issue.

What Retina says about the vulnerability 

Retina ID or vID 146
Description The VRFY command can lead to a remote attacker gaining the first and last name registered to any given email account. This can aid an attacker in social engineering attacks.

Discussion - fix Follow your SMTP server's manual on how to disable the VRFY command. If no instructions are provided contact your SMTP server's vender.

Severity = Low to Med
SevCode = III
Port = TCP:25
IA Controls = Mail Server

Retina scan Version 5.19.9.2802
Expected "252" and found "252 2.0.0. administrator"

Test for this issue.

man@earth> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 earth.planet.com ESMTP Postfix
VRFY
502 5.51.1 VRFY command is disabled

If the VRFY command does not come back as "VRFY command is disabled" then this is a finding.

Remediation
Add this line below to the /etc/postfix/main.cf.

disable_vrfy_command = yes

Reference section

Ref for fix:
cyberciti.biz

Ref for Security issue:
iss.net
xforce.iss.net

Manpages
Sendmail
Postfix

See Cyber Attacks on Global Scale

I found this website that claims to show live cyber attacks.

http://map.ipviking.com/

Brocade Training

It appears that Brocade has some free training on their website. I don't know about you but I love free training. You will need to register on the site to get these benefits.



http://community.brocade.com/t5/Brocade-University/Brocade-University-At-a-G
lance-Schedule/ta-p/3063

I hope someone finds this useful.

How to install or upgrade Java in Linux

These are my notes on how to install or update Java on a Linux server. In this how to, I will be using the Java from Oracle and not the operating systems or distros repository. You can download and install either a rpm or a tar file, from Oracle's site.

When using the Java provided on Oracle's website, they give you a choice of downloading rpm or tar file.

You can download Java here.
http://www.java.com/en/download/linux_manual.jsp

Installing Java with using RPM

Find the current version of Java on the system.

root@earth> find / -name java -type f
/usr/java/jre1.7.0_55/bin/java

Note If you use which or java -version commands to find Java on you system. This will only show your the system's main java. You may have additional versions installed.

Now take each line of output and paste it at the end of this command. This gives you the name of the rpm package that installed this file and version of Java.

root@earth> rpm -qf    /usr/java/jre1.7.0_55/bin/java
jre-1.7.0_55-fcs

Uninstall the old package.

root@earth> rpm -e  jre-1.7.0_55-fcs

Note- Do not run the above command for java that is part of an application. If the file was in /usr/bin/ you should be fine.

Install Java

root@earth> rpm  -ivh    jre-7u65-linux-x64.rpm

You can alternately upgrade Java instead.

root@earth> rmp   -Uvh    jre-7u65-linux-x64.rpm

Install Java using a tar file
Change directory to where Java is going to be installed. Usually it will be /user/java.

root@earth> cd  /usr/java

Move the tar file to /usr/java.

Unpack the tarball and install Java

root@earth> tar  zxvf   jre-7u65-linux-i586.tar.gz

Delete the tar file after you test Java and your done.

Reference:
Java.com

Related posts on this Blog
How to install Java 7 & 8 on Solaris
Access the Java Control Panel
Updating Java on Solaris

How to Manually Remove the NetBackup Client on Linux

These are my notes on removing a NetBackup client on a Linux system. This how to is based on the Symantec Tech Note, which is referenced at the bottom of this post. This is for the most part the recommended way of removing NetBackup. I have added a few more steps so that your logs are not filled with error messages.

Shut down running NetBackup processes. (optional)

man@earth> sudo netbackup stop
stopping the NetBackup client daemon
stopping the NetBackup network daemon

Or you can use this command.

man@earth> sudo bp.kill_all

Looking for NetBackup processes that need to be terminated.

Looking for more NetBackup processes that need to be terminated.
Stopping bpcd...
Stopping vnetd...

Check for running processes. (optional)

man@earth> sudo bpps -x
NB Processes
------------

Shared Symantec Processes
-------------------------
root 2827 1 0 Apr22 ? 00:00:00
/opt/VRTSpbx/bin/pbx_exchange

If you see more then what is list above then than NetBackup didn't shut down. If the commands didn't work then move to the next step.

Remove the NetBackup client.

man@earth> rm -r /usr/openv

Look for NetBackup files in xinet.d

man@earth> ls -l /etc/xinetd.d/

Look for the bpcd, bpjava-msvc, ventd and vopied files. If the file is found remove it.

Edit the services file.
Backup the /etc/services file. Remove all NetBackup services, such as the ones listed above.

Restart xinetd 
For Susie run this command

man@earth> sudo /etc/rc.d/xinetd restart

For all others run this command

man@earth> sudo /etc/rc.d/init.d/xinetd restart

Reference:
Tech Note 71923

If you have any questions or comments post they below.

Checking Java Versions Remotely

This is the script I use to find instances of Java, on the servers I manage. To do this I use two scripts, check-java and stig-java. The check-java script logs in to each server listed in the server-list file and acts  as the control for the other script. The check-java script also combines the output of the stig-java script from each server and combines the output into a single file. The stig-java script looks for Java on the servers and sends the output to a file.

I order for this script to work you will need to setup your SSH clients for auto login. If you don't know how to do this please refer to my post How to setup SSH Keys. This script doesn't needs the automount in order to work.

What the scripts do.
First off you need to put both script in the same location. Put the scripts in your home directory in a folder called scripts. The main script, check-java copies the stig-java script to /tmp on all the servers. Then logs into all the servers, one at a time, and runs the stig-java script and sends the output to a file with the servers name. The check-java script then deletes stig-java form /tmp on all the servers. All those output files are then combined into a single file with extra lines removed.


The check-java script

#!/bin/bash
# This script is for running the stig-java script on the servers.

for s in `cat  server-list`
scp stig-java $s:/tmp 2>&1 2>/dev/null
ssh -q $s /tmp/stig-java &> ~/scripts/outputJ/$s
ssh -q $s rm /tmp/stig-java
done
cat ~/scripts/outputJ/* |egrep -v '(Runtime|HotSpot)' > ~/scripts/outputJ/solM

# Finishing up
echo -e "\e[1m ------------------------ Servers -------------------------  \033[0m" > ~/scripts/outputJ/output
echo -e " "
cat ~/scripts/outputJ/solM >> ~/scripts/outputJ/output
more ~/scripts/outputJ/output

The stig-java script

#!/bin/bash
# This script is for finding versions of Java on a server.
#
host=$HOSTNAME
echo -e "\e[1m <<<<<<<<<<<<<<<<<<<<<<<<<<<<< $host >>>>>>>>>>>>>>>>>>>\033[0m "
sudo find / \( -name 10_Recommended* -o -name scratch -o -name zones -o -name mnt  \) -prune -o -type f -name java -print 2>/dev/null >/tmp/joutput
for s in `cat /tmp/joutput`
do echo -e "\e[1m  $s \033[0m "
sudo $s -version
done
echo -e " "
rm /tmp/joutput

Let me know if this script is helpful in anyway. If you need more details or have questions let me know, by posting below.

Setting up Email Alerts for an ILOM

This is how to setup email alerts an Integrated Lights Out Manager (ILOM). This is a two set process,  first step is setup the SMTP client and then step up the Alerts.

Part I Setting up SMTP 

The SMTP client sends the email. There are two ways to get there in the web ILOM.
1) Go to the configuration tab and then the SMTP sub tab, to get to the SMTP setting.
2) On newer ILOMS go go to menu on the right and expand the ILOM Administration menu. Then click on Notifications. In the main area click on SMTP Client.

Make sure that the SMTP State is checked and add the IP or hostname of the SMTP server.
Put something meaning full in the Custom Sender field. This field sets the from field in the email that is sent to you. In the example above, if the servers name is mars the the email will come from alert@mars. Don't forget to save.

Not shown above, enter your email into the last field and press send to send a test email. Make adjustments as you see fit. This set is optional and can be skipped.


Part II Setting the Alert

Click on the alert tab to get to the alert area.

Click on the radio button and click on the Edit button to edit or create a rule. A pop up window will appear similar to one below.

Change the Level to Major or Minor. Set the Type drop down to Email. Put in your email in the Email Address field and your done. None of the other fields are needed.

Please comment below if you have anything to add.

Reimporting Tapes into NetBackup.

These are my notes on reimporting old tapes. These tapes were shipped off site after NetBackup vaulted the tapes. They are still listed in NetBackup as vaulted. In order to reuse these tapes, they will need to be expired. The steps list below will allow you to reuse the tapes.

Steps
1) Put the old tapes into the MAP.

2) In NetBackup run, inventory tape.

3) Run the command below to expire the tape.
Syntax: bpexpdate -m -d 0 -force

root@earth> bpexpdate -m E00154 -d 0 -force

On UNIX and Linux systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/
On Windows systems, the directory path to this command is \NetBackup\bin\admincmd\

4) Back in the GUI refresh your display.

5) Check to see if the imported tapes are in the scratch volume pool. Make sure all the details match the existing tapes in the library.

Reference
bpexpdate man page at Symantec.

Check for a blank SSH key passphrase

I found out one of my co-workers was not using a passphrase to secure his SSH keys. This is very insecure way to do business. Many people leave passphrase blank because they do not know how to setup a SSH agent, or can't be bothered with setting up the SSH agent. If you don't know to set up a SSH agent refer to my How to setup SSH Keys post. I came up with a way to check all the accounts on the servers I manage. I wanted to know how many other people where not practicing good security. I have tested this script on Solaris 10, Red Hat Linux (RHEL 5) and SuSe (SLES 11.2).

What the script does.
The script mounts the share that all the users home directories auto-mount from.  This way the user needs not to be logged in for me to check there keys. I then copy all the names of the users home directories into a file. The script checks then checks for the word  ENCRYPTED in the id_rsa file. If the word ENCRYPTED is in the file then the passphrase is set. The temp files are then removed and the share unmounted.

This my script I came up with.

#!/bin/bash
# This script is for checking for a blank passphrase. Meaning no passphrase
to secure your SSH file.
# Script most be run as root.
# Example: sudo ./check-sshkeys

mount share:/vol/home /mnt
ls /mnt >/tmp/ls
for s in `cat /tmp/ls`
do echo -e "\e[1m User $s \033[0m "
if ls /mnt/$s/.ssh/id_rsa 2>/dev/null
        then grep ENCRYPTED /mnt/$s/.ssh/id_rsa || echo -e "No RSA
passphrase"
        else echo "RSA key not found"
fi
if ls /mnt/$s/.ssh/id_dsa 2>/dev/null
        then grep ENCRYPTED /mnt/$s/.ssh/id_dsa || echo -e "No DSA
passphrase"
        else echo "DSA key not found"
fi
done
rm /tmp/ls
umount /mnt

Draw backs
Now there are ways that a user can get around this, like putting the word ENCRYPTED in the right file. But most users will not do this, so this should still work for most users. The script above will need to be modified in order to check users who don't have their home directories auto-mounted.

I can't take all the credit for this, I had some help. Below I have posted the link to the forum were I  asked for help on this script.

Ref:
Is there a way to check a users SSH key to see if the passphrase is blank

Using SCP on Windows Command Prompt

In this post, I show how to move files between a Windows machine and a UNIX machine, using the command line. When I say a UNIX machine, I mean all UNIX based operating systems such as UNIX, Linux, FreeBSD and Mac OS. In this post I will be using the free PuTTY utility called PSCP.

As you know SSH is not supported in Windows, you will need to download a 3rd party program.
The People who make PuTTY, which gives SSH terminal emulation on Windows machines, has a program called PSCP. PSCP gives you the ability to use SCP or SFTP form the Windows command prompt.

You could use a GUI program that lets you SCP or SFTP the files. The issue with this approach is that an application with a GUI has limitations. If you use a command line tool, like PSCP, to move the files then you can also put it in a script. A script that can be used by the Windows Task manager or the UNIX crontab. PSCP is free and doesn't need to be installed.

Download pscp from  PuTTY download page.

After you download PSCP move it to your My  Documents folder. As the program doesn't need to be installed, It is ready to use as soon as you download it. All you need to do, to use PSCP is follow the examples below.

Run the command as shown below to move files from the Windows machine to a UNIX machine

Command Prompt

C:\> pscp.exe files man@earth:/path

Run the command as shown below to move files form a UNIX machine to a Windows machine.

Command Prompt

C:\> pscp.exe man@earth:/path/files  C:/path/

In the example above, man is the user name and earth is the name of the UNIX server. The user name can be left off if the user account in Windows have the same name as the user account on the UNIX server. I would highly recommend that you use the same user name on both systems.

Some options
If you want to force the use of ether SCP or SFTP add -scp or -sftp right after pscp.exe. If you want to use a SSH agent to manage you SSH Keys add the -agent option. I will go more into how to use SSH Key with PSCP in a future post.

Draw Back
In the method I shown here, you must start the SCP or SFTP session from the Windows machine. The Windows machine can't accept incoming requests, because there is no SSH sever running on the the Windows machine.

References
PuTTY documention

Set the Default Route on Solaris

Every once in awhile you need to change the default route for a server in Solaris. Follow the steps below are my notes on how to do that.




Run the route add command

root@earth> route add default 10.10.0.1

To make the default route persistent, you will need to update or create the /etc/defaultrouter file.

root@earth> echo 10.10.0.1   >  /etc/defaultrouter

Solaris Zones
If you need to do this on a Solaris zone then it depends how the zone has it's network interfaces configured. If the interfaces are configure as IP-Exclusive then the zone is configure the same way are the global zone. The same way a show above, so run the commands above for the zone. If the zone shares there interfaces with the global zone then you have to use the zonecfg command.

Run the command below to find out if the zone uses ip-exclusive or shared interfaces.

root@earth> svcadm list -cv

ID NAME	STATUS	PATH	BRAND	IP
global	running	/	native	shared
moon	running	/export/zones/moon	native	shared

The example above shows the zone moon as having shared interfaces.

Follow the steps below to change the default route on a zone with shared interfaces.

root@earth> zonecfg -z moon
zonecfg:moon> select net address=10.10.0.20
zonecfg:moon:net> set defrouter=10.10.0.1
zonecfg:moon:net> end
zonecfg:moon> verify
zonecfg:moon> commit
zonecfg:moon> exit

You will need to restart the zone to get the new default route.

If you need to also change your ip address then refer to my other post.
How-to change the IP address on a Solaris server

Links to other sites with similar info
Set the Default Route on Solaris
Solaris: How do I setup a default static route / static router IP address?


I hope this helps. Please leave a comment below if you have comments or questions.

My BASH profile

These are notes on how I like to have my command prompt set up. I'm a BASH user so I will be updating the .profile and the .bashrc files. Both files are located in the users home directory.


This what my prompt looks like. It is a two line prompt, I find that it helps break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over top of the prompt.

earth:~

man@earth
< 

The basic bash prompt don't look all the great, as seen below. To get it look like the example above run the command below.

bash

bash$

export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

Below I have posted my .profile file.

earth:~

man@earth
< more .profile

PATH=/usr/xpg4/bin:/usr/bin:/bin:/usr/sbin:/usr/local/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ucb:/etc:/usr/X11/bin:/sbin:/usr/openv/netbackup:/usr/openv/netbackup/bin:/usr/openv/netbackup/bin/admincmd:/usr/openv/netbackup/bin/goodies:/usr/openv/volmgr/bin:/usr/sfw/bin/:$HOME

MANPATH=/usr/share/man:/usr/dt/man:/usr/openwin/share/man:/usr/X11/man:/usr/man:/usr/sfw/man:/usr/local/man:

EDITOR=/usr/bin/vi
TMOUT=0
TIMEOUT=0

#alias xterm="xterm -sl 1000 &"
#export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u@\e[0;32m\h\e[0;34m\]>\[\e[0m\] "
export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

The PATH statement is used to store the paths of the commands you want to use. This way you don't need to provide the full path for each command you want to run. The MANPATH statement is basically the same thing, but used to help you access the man pages.