Comments for linsec.ca blog http://linsec.ca/blog You can have it right, or you can have it now. But you can't have it right now. Wed, 25 Jan 2012 20:33:14 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on rpm -V and prelinked binaries by vdanen http://linsec.ca/blog/2012/01/23/rpm-v-and-prelinked-binaries/comment-page-1/#comment-6408 vdanen Wed, 25 Jan 2012 20:33:14 +0000 http://linsec.ca/blog/?p=1051#comment-6408 No problems with -R being used by default. Since prelink doesn't run when it detects the rpmdb hasn't been changed, nothing changes (might get some odd results when running aideupdate after prelink in do-updates, but I've not noticed anything overly strange). As for AIDE 0.14... interesting. On my el5 box I'm still using 0.13. Wow that's old now; I'll have to look at 0.14 one of these days. No problems with -R being used by default. Since prelink doesn’t run when it detects the rpmdb hasn’t been changed, nothing changes (might get some odd results when running aideupdate after prelink in do-updates, but I’ve not noticed anything overly strange).

As for AIDE 0.14… interesting. On my el5 box I’m still using 0.13. Wow that’s old now; I’ll have to look at 0.14 one of these days.

]]> Comment on rpm -V and prelinked binaries by Tomas http://linsec.ca/blog/2012/01/23/rpm-v-and-prelinked-binaries/comment-page-1/#comment-6406 Tomas Tue, 24 Jan 2012 09:10:56 +0000 http://linsec.ca/blog/?p=1051#comment-6406 If your system is important / exposed enough to have AIDE running and its reports actually being reviewed, you may prefer to disable prelink to trade speed-up benefits for ASLR benefits prelink takes away, at least to some degree: https://lwn.net/Articles/190139/ prelink can be disabled via /etc/sysconfig/prelink on Red Hat Enterprise Linux and Fedora systems. It also seems that recent versions (since 0.14) of AIDE should have prelink support too, though I do not know if that helps with timestamp changes in any way: http://aide.git.sourceforge.net/git/gitweb.cgi?p=aide/aide;a=commitdiff;h=4e906d97488d30747a4d903a888ee88bc9af2086 http://aide.git.sourceforge.net/git/gitweb.cgi?p=aide/aide;a=commitdiff;h=b838f91e0431dfb74d5324d5fea4ee51e6d505a5 Out of curiosity, how well does do-update work with -R being used by default? If your system is important / exposed enough to have AIDE running and its reports actually being reviewed, you may prefer to disable prelink to trade speed-up benefits for ASLR benefits prelink takes away, at least to some degree:

https://lwn.net/Articles/190139/

prelink can be disabled via /etc/sysconfig/prelink on Red Hat Enterprise Linux and Fedora systems.

It also seems that recent versions (since 0.14) of AIDE should have prelink support too, though I do not know if that helps with timestamp changes in any way:

http://aide.git.sourceforge.net/git/gitweb.cgi?p=aide/aide;a=commitdiff;h=4e906d97488d30747a4d903a888ee88bc9af2086
http://aide.git.sourceforge.net/git/gitweb.cgi?p=aide/aide;a=commitdiff;h=b838f91e0431dfb74d5324d5fea4ee51e6d505a5

Out of curiosity, how well does do-update work with -R being used by default?

]]> Comment on My adventure upgrading RHEL5 to RHEL6 by Charlie http://linsec.ca/blog/2011/02/23/my-adventure-upgrading-rhel5-to-rhel6/comment-page-1/#comment-6395 Charlie Fri, 13 Jan 2012 19:35:02 +0000 http://linsec.ca/blog/?p=937#comment-6395 Has Red Hat silently dropped support for non-caching LDAP user authentication? I'm trying to find a way to bring our extremely high-performance OpenLDAP infrastructure from RHEL5 to RHEL6 and the insistence on caching is killing me. nlscd/nscd/sssd are all major performance and reliability downgrades for us, and they introduce cache update latency issues that we have (up till now) avoided. If you run a tuned, syncrepl'd slave node on every host you get a much stronger, more resilient, more bandwidth-efficient infrastructure than you can with caching - NSS/PAM caching is a crappy hack to work around poor system architecture and we don't need it. Has Red Hat silently dropped support for non-caching LDAP user authentication?

I’m trying to find a way to bring our extremely high-performance OpenLDAP infrastructure from RHEL5 to RHEL6 and the insistence on caching is killing me. nlscd/nscd/sssd are all major performance and reliability downgrades for us, and they introduce cache update latency issues that we have (up till now) avoided. If you run a tuned, syncrepl’d slave node on every host you get a much stronger, more resilient, more bandwidth-efficient infrastructure than you can with caching – NSS/PAM caching is a crappy hack to work around poor system architecture and we don’t need it.

]]> Comment on Nagios XI wizards make setup a snap for network monitoring by Steven Kent http://linsec.ca/blog/2011/07/08/nagios-xi-wizards-make-setup-a-snap-for-network-monitoring/comment-page-1/#comment-6392 Steven Kent Mon, 09 Jan 2012 01:27:40 +0000 http://linsec.ca/blog/?p=1005#comment-6392 Friend gave this to me a while ago. Just used it, so it still works for 10% off of Nagios XI: http://www.nagios.com/nagiosxi10?ref=JB10 Friend gave this to me a while ago. Just used it, so it still works for 10% off of Nagios XI: http://www.nagios.com/nagiosxi10?ref=JB10

]]> Comment on Kerberos support in OS X 10.6 is a huge step backward by Yeechang Lee http://linsec.ca/blog/2009/09/03/kerberos-support-in-10-6-is-a-huge-step-backward/comment-page-2/#comment-6390 Yeechang Lee Sat, 07 Jan 2012 01:51:33 +0000 http://linsec.ca/blog/?p=569#comment-6390 Following up on my comments, I am now able to log in with my Kerbos credentials from the screensaver when on my non-Active Directory home network setup, by editing /etc/pam.d/screensaver. In place of auth required pam_opendirectory.so nullok insert auth sufficient pam_opendirectory.so nullok auth sufficient pam_krb5.so default_principal auth required pam_deny.so (These are the same steps used in my /etc/pam.d/sudo to permit Kerberos authentication there. I don't know why I didn't try this with screensaver sooner.) I still have to use the local account password in System Preferences and elsewhere where the OS X GUI asks for authentication, as PAM isn't used there. Following up on my comments, I am now able to log in with my Kerbos credentials from the screensaver when on my non-Active Directory home network setup, by editing /etc/pam.d/screensaver. In place of

auth required pam_opendirectory.so nullok

insert

auth sufficient pam_opendirectory.so nullok
auth sufficient pam_krb5.so default_principal
auth required pam_deny.so

(These are the same steps used in my /etc/pam.d/sudo to permit Kerberos authentication there. I don’t know why I didn’t try this with screensaver sooner.)

I still have to use the local account password in System Preferences and elsewhere where the OS X GUI asks for authentication, as PAM isn’t used there.

]]> Comment on Converting Maildir to mbox via mutt by szarpaj http://linsec.ca/blog/2010/01/04/converting-maildir-to-mbox-via-mutt/comment-page-1/#comment-6388 szarpaj Fri, 06 Jan 2012 23:52:48 +0000 http://linsec.ca/blog/?p=663#comment-6388 Yeah, and i found bunch of stupid scripts and here it is — i can convert my maildirs with mutt! Thanks, awesome tip. Yeah, and i found bunch of stupid scripts and here it is — i can convert my maildirs with mutt! Thanks, awesome tip.

]]> Comment on Kerberos support in OS X 10.6 is a huge step backward by EISBOX » Magic Triangle w/Kerberos in OS X 10.6 http://linsec.ca/blog/2009/09/03/kerberos-support-in-10-6-is-a-huge-step-backward/comment-page-2/#comment-6364 EISBOX » Magic Triangle w/Kerberos in OS X 10.6 Sun, 04 Dec 2011 06:35:19 +0000 http://linsec.ca/blog/?p=569#comment-6364 [...] quick search on Google yielded a long discussion on Kerberos support (or not) in Mac OS X 10.6 on RedHat Engineer Vincent Danen’s blog, and eventually to a his Wiki discussing Kerberos on [...] [...] quick search on Google yielded a long discussion on Kerberos support (or not) in Mac OS X 10.6 on RedHat Engineer Vincent Danen’s blog, and eventually to a his Wiki discussing Kerberos on [...]

]]> Comment on Still frustrated with Apple Mail searching by vdanen http://linsec.ca/blog/2011/01/30/still-frustrated-with-apple-mail-searching/comment-page-1/#comment-6355 vdanen Wed, 16 Nov 2011 00:17:58 +0000 http://linsec.ca/blog/?p=925#comment-6355 You probably need to point configure to it. Use ./configure --help to see all the options, and then you probably want to use "./configure --with-bdb=/path/to/the/include/files". I don't use MacPorts so I don't know where that would be (/usr/local/ something-or-other?). You probably need to point configure to it. Use ./configure –help to see all the options, and then you probably want to use “./configure –with-bdb=/path/to/the/include/files”. I don’t use MacPorts so I don’t know where that would be (/usr/local/ something-or-other?).

]]> Comment on Still frustrated with Apple Mail searching by Dekel http://linsec.ca/blog/2011/01/30/still-frustrated-with-apple-mail-searching/comment-page-1/#comment-6353 Dekel Mon, 14 Nov 2011 23:28:16 +0000 http://linsec.ca/blog/?p=925#comment-6353 Hi. I was trying to follow your mutt compiling guide but I get the following error: checking for gdbm_open... no checking for BerkeleyDB > 4.0... no configure: error: You need Tokyo Cabinet, QDBM, GDBM or Berkeley DB4 for hcache I have installed db47 using macports but it still gives the same error.. Any idea how to workaround this? Thanks, Dekel Hi.

I was trying to follow your mutt compiling guide but I get the following error:
checking for gdbm_open… no
checking for BerkeleyDB > 4.0… no
configure: error: You need Tokyo Cabinet, QDBM, GDBM or Berkeley DB4 for hcache

I have installed db47 using macports but it still gives the same error..

Any idea how to workaround this?

Thanks,
Dekel

]]> Comment on My adventure upgrading RHEL5 to RHEL6 by vdanen http://linsec.ca/blog/2011/02/23/my-adventure-upgrading-rhel5-to-rhel6/comment-page-1/#comment-6348 vdanen Fri, 11 Nov 2011 02:18:47 +0000 http://linsec.ca/blog/?p=937#comment-6348 Ah, yes, that would be the package. Glad you got it figured out. =) Ah, yes, that would be the package. Glad you got it figured out. =)

]]>