Welcome to my website. I am always posting links to photo albums, art, technology and other creations. Everything that you will see on my numerous personal sites is powered by the formVistaTM Website Management Engine.

icon.linkedin.jpgicon.twitter.jpg

  • Redirect only STDERR to tee
    07/19/2019 5:03PM

    If you want to just redirect STDERR to tee, run the following command.

    <some-command> 2> >(tee /var/tmp/output)

  • Mocking an HTTPS RESTful endpoing with Netcat
    06/12/2019 2:20PM
    Netcat is generally known as a TCP/IP Swiss Army Knife and is incredibly helpful for both debugging and mocking up network services

    Following is an example on how to setup a mock RESTful service that communicates over HTTPS.

    On the "server" side, run the following command.  The -l command instructs Netcat to listen.

    while true; do { echo -e "HTTP/1.1 200 OK\r\n$(date)\r\n\r\n<h1>hello world from $(hostname) on $(date)</h1>" |  nc -vl --ssl 8080; } done

    On the "client" side, run the following to PUT a sample json document.

    curl https://localhost:8080/foo/blah -k -XPUT -d @sample.json
  • Test Network Speed of Ethernet Ports
    03/30/2019 8:33AM

    If you have just bought a new (to you) nic card or other networking device and want to test that all of the ports can pass traffic at the expected rate, as long as you have nc and the firewall ports open on a "server" with a known good nic and have nc installed on your "client" device that you want to test it is very easy to test.

    Of course, if you are testing a switch itself, then it is just a matter of having two known good machines to act as the client and the server and to insert the switch between them.

    Ensure that you have a high port that is allowed by your firewall.  On the server side run the following to set up a listening service

    nc -l -k <port> > /dev/null

    Then on the client run the following:

    $ dd if=/dev/zero bs=1M count=1K | nc -vn <server-ip-addr> <port>
    Connection to <server-ip-addr> <port> port [tcp/*] succeeded!
    1024+0 records in
    1024+0 records out
    1073741824 bytes (1.1 GB) copied, 9.0998f s, 118 MB/s

    Then, just remember to multiply the MB copied to the server by 8 to get the rate in megabits/s.

  • Creating, Updating Expiration of and Posting PGP Keys
    02/17/2018 8:10AM

    Following are some of my notes and how-tos on creating, and managing PGP keys.

    Here is a link to a website with some very good information and best practices for managing keys:
    https://help.riseup.net/en/security/message-security/openpgp/best-practices

    Most of this article deals with the concept of setting a expiration date on a set of keys to a reasonable time and how you can update that key as time goes by.  Separate to the creation and publishing of your public key, you should set a reminder in whatever calendar system you are using to remind you to update the expiration date BEFORE it does actually expire a couple of weeks ahead of time.  I typically set my keys to expire in 13 months and set my calendar to remind me after 12 or so months.

    1) Creating a key set and distributing your public key:

    As mentioned, and when prompted, set a reasonable expiration time.  Also create a revocation cert.  See the aforementioned link for details.

    - To create a key:
    $ gpg2 --gen-key

    - List keys:
    $ gpg2 --list-keys
    /data/home/rchapin/.gnupg/pubring.gpg
    -------------------------------------
    pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
    uid                  Ryan Chapin <rchapin@nbinteractive.com>
    sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

    - Distribute Public Key (use hkps, encrypted connection)
    $ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8


    2) Searching for keys and verifying that they have been posted to a public keyserver:

    - List your keys
    $ gpg2 --list-keys
    /data/home/rchapin/.gnupg/pubring.gpg
    -------------------------------------
    pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
    uid                  Ryan Chapin <rchapin@nbinteractive.com>
    sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

    The public key for this user is E5170CE8.  The 4096R indicates that it is 4096 bits.

    - Searching for the key:
    To search for the key via a key server such as https://pgp.mit.edu/ enter the following in the search string

      0xE5170CE8

    Make sure to prefix the hex value of the key with 0x to indicate to the keyserver that is a hex value and not an ASCII string.


    3) Update the expiration date of a key:

    - List the keys:

    - List your keys
    $ gpg2 --list-keys
    /data/home/rchapin/.gnupg/pubring.gpg
    -------------------------------------
    pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
    uid                  Ryan Chapin <rchapin@nbinteractive.com>
    sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

    - Edit the key:
    $ gpg2 --edit-key E5170CE8


    - Select the key to edit, and then run the expire command.  Select the amount of time afterwhich the key will expire and follow the prompts to enter your passphrase.

    gpg> key 0
    gpg> expire
    Changing expiration time for the primary key.
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 13m
    Key expires at Thu 14 Mar 2019 08:42:22 AM EDT
    Is this correct? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Ryan Chapin <rchapin@nbinteractive.com>"
    4096-bit RSA key, ID E5170CE8, created 2015-03-26


    - Select the sub-key (1) and repeat the process

    - Save the key
    gpg> save

    - Send the updated key to a keyserver
    $ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8

    - Or you can export an ASCII-armored PGP key and upload it via a trusted https keyserver.

    $ gpg2 --armor --export <your-email-address>

  • HowTo Compile and Install New SELinux Plicy Modules
    02/02/2018 4:31PM
    Following is a quick how-to on compiling and adding addition SELinux modules.

    When configuring and deploying new and/or custom services on systems that are enforcing SELinux you will likely have to compile addition SELinux modules.

    This how-to includes how to go through each step of compiling a new module one-by-one; similar to the model of breaking down the compilation of C and C++ into it's composite steps.

    Step 1:  Gather the audit.log entries

    You will need to determine which action(s) that SELinux is blocking.  To do so, you can tail the /var/log/audit/audit.log file.  You will see something similar to the following

    type=AVC msg=audit(1517605342.101:88032): avc:  denied  { write } for  pid=7236 comm="check_zookeeper" path="/tmp/sh-thd-1517587323" dev="dm-0" ino=308042 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
    type=SYSCALL msg=audit(1517605342.101:88032): arch=c000003e syscall=2 success=no exit=-13 a0=1e2df10 a1=2c1 a2=180 a3=0 items=0 ppid=7232 pid=7236 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="check_zookeeper" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
    type=PROCTITLE msg=audit(1517605342.101:88032): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F6E6167696F732F706C7567696E732F636865636B5F7A6F6F6B65657065722E7368002D2D73746174

    Take that output and save it into a file.


    Step 2: Generate the Type Enforcement (te) File From the Log Output

    audit2allow -m new-module > new-module.te < audit-log-output


    Step 3:  Check and Compile the SELinux Security Policy Module (mod) File From the .te File

    checkmodule -M -m -o new-module.mod new-module.te


    Step 4:  Create the SELinux Policy Module Packet (pp) File From the .mod File

    semodule_package -o new-module.pp -m new-module.mod


    Step 5:  Install the SELinux Policy Module

    semodule -i new-module.pp
Advanced Search

Categories

Archives