Will-bloggs-too

Swimming with a sea turtle

Will — Mon, 30 Apr 2012 01:21:58 +0000

I got to swim with a Sea Turtle during my recent visit in Hawaii. Though, I have been there several times, this was the first opportunity I had to do this, and it was absolutely amazing.

Simple Puppet environment if/else statement

Will — Wed, 11 Apr 2012 01:20:39 +0000

I’m playing around with Puppet environments. One thing that I want to do is manipulate the module templates based on their appropriate environment. This is a simple example of how that it is done. In my case, I’m simply printing a single line based on the environment.

< % if scope.lookupvar("::environment") == "ENV" then %>
# ENV
< % else %>
# BLAH!
< % end %>

Expanding on this, say, I want to change the ownership of the bits on an Apache directory based on the environment. Here is an example of how one might do it:

$user = $::operatingsystem ? {
  /RedHat|CentOS/ => $::environment ? {
    'production' => 'apache',
    'dev' => 'nobody',
  },
  /Debian|Ubuntu/ => 'www-data',
}

If you have any suggestions on how to make it more complex, let me know.

Custom mod_security RPM spec with Atomic Secured Ruleset (no rules included)

Will — Sun, 08 Apr 2012 23:25:27 +0000

I build a mod_security RPM that uses the ASL (Atomic ModSecurity Rules, ) which is a subscription based service. The rules are updated on daily basis to fix false positives and addressing false negatives. In my environment, I have a build server that downloads the latest rules from ASL, and then compiles the RPM. I use the recommended minimum of the rules to compile, and then the build host tests the RPM against itself to ensure the new rules aren’t going to break HTTPD. Once it passes the sanity check, it pushes the newly built RPM to the yum repository. I will update this post when I have fully tested the scripts.

%define asl 1
%define cvs rc2

Summary: Security module for the Apache HTTP Server
Name: mod_security
Version: 2.6.5
Release: 1%{?dist}
License: Apache
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
#Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}-%{cvs}.tar.gz
Source1: 00_mod_security.conf
Source2: modsecurity_crs_10_config-asl-default.conf
Source3: 10_asl_antimalware.conf
Source4: 10_asl_rules.conf
Source5: 20_asl_useragents.conf
Source6: 30_asl_antispam.conf
Source7: 50_asl_rootkits.conf
Source8: 60_asl_recons.conf
Source9: 61_asl_recons_dlp.conf
Source10: 99_asl_jitp.conf
Source11: malware-blacklist.txt
Source12: sql.txt
Source13: domain-blacklist.txt
Source14: mod_security
Patch0: asl3-logging.patch
Patch1: waf-label.patch
Patch2: modsecurity-2.6.4-collections-logging.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: httpd
#Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
#Requires: asl
BuildRequires: httpd-devel libxml2-devel pcre-devel libtool pkgconfig curl-devel
BuildRequires: curl

Requires: libxml2 pcre lua
#%if 0%{asl}
#Requires: asl-stream-client
#%endif

%if 0%{!?fc4}
BuildRequires: lua-devel
%endif

%description
ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.

%prep

%setup -n modsecurity-apache_%{version}
#%setup -n modsecurity-apache_%{version}-%{cvs}

%if 0%{asl}
%patch0 -p1
%patch1 -p1
#%patch2 -p1
%endif

%build
CFLAGS="%{optflags}"
export CFLAGS

%configure \
       --disable-pcre-match-limit \
       --disable-pcre-match-limit-recursion

# Legacy from LoadFile
#perl -pi.orig -e 's|LIBDIR|%{_libdir}|;' %{SOURCE1}

make  %{_smp_mflags}

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/
mkdir -p %{buildroot}/%{_localstatedir}/log/mod_security
mkdir -p %{buildroot}/%{_localstatedir}/log/mod_security/audit
install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/00_mod_security.conf
install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_crs_10_config.conf
install -D -m644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/10_asl_antimalware.conf
install -D -m644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/10_asl_rules.conf
install -D -m644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/20_asl_useragents.conf
install -D -m644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/30_asl_antispam.conf
install -D -m644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/50_asl_rootkits.conf
install -D -m644 %{SOURCE8} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/60_asl_recons.conf
install -D -m644 %{SOURCE9} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/61_asl_recons_dlp.conf
install -D -m644 %{SOURCE10} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/99_asl_jitp.conf
install -D -m644 %{SOURCE11} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/malware-blacklist.txt
install -D -m644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/sql.txt
install -D -m644 %{SOURCE13} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/domain-blacklist.txt

mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d
install -m 644 -p $RPM_SOURCE_DIR/mod_security \
       $RPM_BUILD_ROOT/etc/logrotate.d/mod_security

%clean
rm -rf %{buildroot}

%files
%defattr (-,root,root)
%doc CHANGES LICENSE README.* modsecurity* doc
%{_libdir}/httpd/modules/mod_security2.so
%config %{_sysconfdir}/httpd/conf.d/00_mod_security.conf
%dir %{_sysconfdir}/httpd/modsecurity.d
%dir %{_localstatedir}/log/mod_security
%dir %{_localstatedir}/log/mod_security/audit
%attr(0755, apache, apache) %{_localstatedir}/log/mod_security
%attr(0755, apache, apache) %{_localstatedir}/log/mod_security/audit
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/modsecurity_crs_10_config.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/10_asl_antimalware.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/10_asl_rules.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/20_asl_useragents.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/30_asl_antispam.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/50_asl_rootkits.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/60_asl_recons.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/61_asl_recons_dlp.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/99_asl_jitp.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/malware-blacklist.txt
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/sql.txt
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/domain-blacklist.txt
%config(noreplace) %{_sysconfdir}/logrotate.d/mod_security

%changelog
* Fri Apr 6 2012 William Gregorian
- Added log directories
- Added the bare minimum of the the require configs
- Added logrotate script
* Tue Apr 3 2012 William Gregorian
- Initial release

Random

Will — Sun, 25 Mar 2012 18:53:42 +0000

Linux kickstart lifecycle (diagram)

Will — Thu, 08 Mar 2012 21:37:12 +0000

A while back, I was asked to create a functional flow diagram of the Linux kickstart. I drew some inspiration from the other kickstart diagram online, but tried to improve on those. Here is the link to the file: Linux Kickstart Lifecycle

Peace

Will — Wed, 22 Feb 2012 20:29:51 +0000

I got this from someone on reddit not too long ago:

I bookmarked it because it represents a dream that I think everyone has. I don’t know you or anything about you. I don’t know what kind of worries you had or crises you may have been going through at that time. What I do know is this picture isn’t about you, your dog, the lake, or that day. This picture, to me, is only about one thing. Peace. The peace of not worrying about your mortgage, that project at work, issues with your family, diseases, politics, or anything.

Thankfully, I’m not dealing with any sorts of crises now, but I still look at that picture every now and then in hopes that I can one day feel at peace with everything as you did that day.

I thought it was an excellent analogy of how I felt about it. By far, my favorite.

/usr/bin/ld: cannot find -luuid

Will — Tue, 21 Feb 2012 22:41:17 +0000

I was compiling an RPM for the latest version of HTTPD (2.2.22) for CentOS 6.2 x86_64 when I ran into a build error:

/usr/lib64/apr/build-1/libtool --silent --mode=link gcc -pthread  -O2 -g -pie  -L/usr/lib6464   -o htpasswd  htpasswd.lo   -lm -lpcre -lselinux /usr/lib64/libaprutil-1.la /usr/lib64/libapr-1.la -lcrypt
/usr/lib64/apr/build-1/libtool --silent --mode=link gcc -pthread  -O2 -g -pie  -L/usr/lib6464   -o htdigest  htdigest.lo   -lm -lpcre -lselinux /usr/lib64/libaprutil-1.la /usr/lib64/libapr-1.la
/usr/bin/ld: cannot find -luuid
collect2: ld returned 1 exit status
/usr/bin/ld: cannot find -luuid
collect2: ld returned 1 exit status
make[2]: *** [htdigest] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [htpasswd] Error 1
make[2]: Leaving directory `/home/mock/rpmbuild/BUILD/httpd-2.2.22/prefork/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/mock/rpmbuild/BUILD/httpd-2.2.22/prefork/support'
make: *** [all-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.Ap5Hmy (%build)

Apparently, my build host was missing a few packages. Namely, the uuid packages To resolve the issue, I installed the following via Yum:

yum provides */libuuid.so – identify the package, and then proceed to installing it.

libuuid-2.17.2-12.4.el6.x86_64
uuid-1.6.1-10.el6.x86_64
REQUIRED: libuuid-devel-2.17.2-12.4.el6.x86_64
uuid-devel-1.6.1-10.el6.x86_64
uuid-c++-1.6.1-10.el6.x86_64

Happy compiling!

CentOS 6.x Zabbix dashboard show zabbix-server is not running

Will — Mon, 20 Feb 2012 08:48:07 +0000

Update: Upgrading to version 1.8.12 resolved this issue.

If you’re running Zabbix 1.8.10 server on a CentOS 6.x server that was installed from EPEL, then you will more than likely run into this issue. Apparently, the default Zabbix Linux template looks for the following:

proc.num[zabbix-server]

This is incorrect for the current EPEL installation (v1.8.10) since the correct proc is named zabbix_server_mysql. To correct the issue, adjust the configuration for your Zabbix Linux template to look for the aforementioned, and then change to the following:

proc.num[zabbix_server_mysql]

Problem solved.

Facter display eth{0-…} IP addresses

Will — Thu, 16 Feb 2012 07:44:32 +0000

I needed a way to display the IP addresses for all interfaces on a host. After some ruby, here is what I used:

< %= scope.to_hash.inject([]) { |acc, (k,v)| acc << v if k =~ /^ipaddress_/; acc }.join(', ') %>

Enjoy!

Visualize

Will — Thu, 09 Feb 2012 07:03:58 +0000