Allow a port range with firewalld

Managing iptables gets a lot easier with firewalld. You can manage rules for the IPv4 and IPv6 stacks using the same commands and it provides fine-grained controls for various “zones” of network sources and destinations. Quick example Here’s an example of allowing an arbitrary port (for netdata) through the firewall with iptables and firewalld on Fedora: ## iptables iptables -A INPUT -j ACCEPT -p tcp --dport 19999 ip6tables -A INPUT -j ACCEPT -p tcp --dport 19999 service iptables save service ip6tables save ## firewalld firewall-cmd --add-port=19999/tcp --permanent In this example, firewall-cmd allows us to allow a TCP port through the firewall with a much simpler interface and the change is made permanent with the --permanent argument....

2019-01-04 · 2 min · Major Hayden

Install testing kernels in Fedora

If you’re on the latest Fedora release, you’re already running lots of modern packages. However, there are those times when you may want to help with testing efforts or try out a new feature in a newer package. Most of my systems have the updates-testing repository enabled in one way or another. This repository contains packages that package maintainers have submitted to become the next stable package in Fedora. For example, if there is a bug fix for nginx, the package maintainer submits the changes and publish a release....

2018-02-28 · 3 min · Major Hayden

Ensuring keepalived starts after the network is ready

After a recent OpenStack-Ansible (OSA) deployment on CentOS, I found that keepalived was not starting properly at boot time: Keepalived_vrrp[801]: Cant find interface br-mgmt for vrrp_instance internal !!! Keepalived_vrrp[801]: Truncating auth_pass to 8 characters Keepalived_vrrp[801]: VRRP is trying to assign ip address 172.29.236.11/32 to unknown br-mgmt interface !!! go out and fix your conf !!! Keepalived_vrrp[801]: Cant find interface br-mgmt for vrrp_instance external !!! Keepalived_vrrp[801]: Truncating auth_pass to 8 characters Keepalived_vrrp[801]: VRRP is trying to assign ip address 192....

2017-12-15 · 2 min · Major Hayden

Changes in RHEL 7 Security Technical Implementation Guide Version 1, Release 3

The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) was published last week. This release is Version 1, Release 3, and it contains four main changes: V-77819 - Multifactor authentication is required for graphical logins V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled V-77823 - Single user mode must require user authentication V-77825 - Address space layout randomization (ASLR) must be enabled Deep dive Let’s break down this list to understand what each one means....

2017-11-02 · 3 min · Major Hayden

Import RPM repository GPG keys from other keyservers temporarily

I’ve been working through some patches to OpenStack-Ansible lately to optimize how we configure yum repositories in our deployments. During that work, I ran into some issues where pgp.mit.edu was returning 500 errors for some requests to retrieve GPG keys. Ansible was returning this error: curl: (22) The requested URL returned error: 502 Proxy Error error: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x61E8806C: import read failed(2) How does the rpm command know which keyserver to use? Let’s use the --showrc argument to show how it is configured:...

2017-09-20 · 2 min · Major Hayden

RHEL 7 STIG v1 updates for openstack-ansible-security

DISA’s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) came out a few weeks ago and it has plenty of improvements and changes. The openstack-ansible-security role has already been updated with these changes. Quite a few duplicated STIG controls were removed and a few new ones were added. Some of the controls in the pre-release were difficult to implement, especially those that changed parameters for PKI-based authentication....

2017-04-05 · 1 min · Major Hayden

Display auditd messages with journalctl

All systems running systemd come with a powerful tool for reviewing the system journal: journalctl. It allows you to get a quick look at the system journal while also allowing you to heavily customize your view of the log. I logged into a server recently that was having a problem and I found that the audit logs weren’t going into syslog. That’s no problem - they’re in the system journal. The system journal was filled with tons of other messages, so I decided to limit the output only to messages from the auditd unit:...

2017-01-05 · 3 min · Major Hayden

augenrules fails with “rule exists” when loading rules into auditd

When I came back from the holiday break, I found that the openstack-ansible-security role wasn’t passing tests any longer. The Ansible playbook stopped when augenrules ran to load the new audit rules. The error wasn’t terribly helpful: /usr/sbin/augenrules: No change Error sending add rule data request (Rule exists) There was an error in line 5 of /etc/audit/audit.rules A duplicated rule? I’ve been working on lots of changes to implement the Red Hat Enterprise Linux 7 Security Technical Implementation Guide (STIG) and I assumed I put in the same rule twice with an errant copy and paste....

2017-01-03 · 2 min · Major Hayden

Automated security hardening with Ansible: May updates

Lots of work has gone into the openstack-ansible-security Ansible role since I delivered a talk about it last month at the OpenStack Summit in Austin. Attendees asked for quite a few new features and I’ve seen quite a few bug reports (and that’s a good thing). Here’s a list of the newest additions since the Summit: New features Ubuntu 16.04 LTS (Xenial) support The role now works with Ubuntu 16.04 and its newest features, including systemd....

2016-05-27 · 3 min · Major Hayden

Updating Dell PowerEdge BIOS from Linux

Updating Dell PowerEdge firmware from Linux is quite easy, but it isn’t documented very well. I ended up with a set of PowerEdge R710’s at work for a lab environment and the BIOS versions were different on each server. Downloading the latest firmware Start by heading over to Dell’s support site and enter your system’s service tag. You can use lshw to find your service tag: # lshw | head lab05 description: Rack Mount Chassis product: PowerEdge R710 () vendor: Dell Inc....

2016-01-18 · 3 min · Major Hayden