Topics: Security, System Admin

Entropy

If you run this command on Linux:

# cat /proc/sys/kernel/random/entropy_avail
it returns a number that indicates how much "entropy" is available to the kernel. But what exactly is "entropy", and what unit is this entropy measured in? What is it used for? You may have heard that a low number of entropy is not good. How low is "low" and what "bad" things will happen if it is? What's a good range for it to be at? How is it determined?

Entropy is similar to "randomness". A Linux system gathers "real" random numbers by keeping an eye on different events: network activity, hard drive rotation speeds, hardware random number generator (if available), key-clicks, and so on. If feeds those to the kernel entropy pool, which is used by /dev/random. Applications which use crypto functions, use /dev/random as their entropy source, or in other words, the randomness source.

If /dev/random runs out of available entropy, it's unable to serve out more randomness and the application waiting for the randomness may stall until more random bits are available. On Red Hat Enterprise Linux systems, you can see that RPM package rng-tools is installed, and that a rngd - random nubmer generator deamon - is active. This deamon feeds semi-random numbers from /dev/urandom to /dev/random in case /dev/random runs out of "real" entropy. On Ubuntu based systems, there is no rngd. If more entropy is needed you can install haveged, which can achieve the same. Note that haveged is not available for Red Hat Enterprise Linux based systems, because these systems already have rngd.

Some applications (such as applications using encryption) need random numbers. You can generate random numbers using an algorithm - but although these seem random in one sense they are totally predictable in another. For instance if I give you the digits 58209749445923078164062862089986280348253421170679, they look pretty random. But if you realize they are actually digits of PI, then you may know the next one is going to be 8.

For some applications this is okay, but for other applications (especially security related ones) people want genuine unpredictable randomness - which can't be generated by an algorithm (i.e. program), since that is by definition predictable. This is a problem in that your computer essentially is a program, so how can it possibly get genuine random numbers? The answer is by measuring genuinely random events from the outside world - for example gaps between your key strokes and using these to inject genuine randomness into the otherwise predictable random number generator. The "entropy pool" could be thought of as the store of this randomness which gets built up by the keystrokes (or whatever is being used) and drained by the generation of random numbers.

The value stored in /proc/sys/kernel/random/entropy_avail is the measure of bits currently available to be read from /dev/random. It takes time for the computer to read entropy from its environment. If you have 4096 bits of entropy available and you "cat /dev/random" you can expect to be able to read 512 bytes of entropy (4096 bits) before the file blocks while it waits for more entropy. For example, if you "cat /dev/random" your entropy will shrink to zero. At first you'll get 512 bytes of random garbage, but it will stop and little by little you'll see more random data trickle trough.

This is not how people should operate /dev/random though. Normally developers will read a small amount of data, like 128 bits, and use that to seed some kind of PRNG algorithm. It's polite to not read any more entropy from /dev/random than you need to, since it takes so long to build up entropy, and it is considered valuable. Thus if you drain it by carelessly catting the file like above, you'll cause other applications that need to read from /dev/random to block.

A good number of available entropy is usually between 2500 and 4096 bits. Entropy is considered to be low when it is below 1000.

Topics: System Admin

Sending emails with attachments

If you wish to send a file from a Linux or UNIX system, you can cat the file and pipe it into an email. For example, if you wish to send the contents of the /etc/hosts file in an email:

# cat /etc/hosts | mailx -s "subject goes here" your@email-address.com
This may not always be what you want, though. Sometimes, the file may be too large, or you may rather attach the file to an email.

To attach a file to an email, run it like this using -a option:
# echo "your message goes here" | \
mailx -s "your subject goes here" -a /etc/hosts your@email-address.com
Most email applications, like Microsoft Outlook, will put you text ("your message goes here") into the body of the email, and will attach /etc/hosts as a hosts.txt file for easy reading.

To attach larger files to an email (or for mail applications that handle zip files better as attachments), zip the file first before attaching it to an email message:
# zip /tmp/myzipfile.zip /etc/hosts
# echo "your message goes here" | \
mailx -s "your subject goes here" -a /tmp/myzipfile.zip your@email-address.com

Topics: Hardware, Red Hat / Linux, System Admin

Determining memory DIMMs for Linux systems

If you wish to determine how much memory is installed in a Linux system, or perhaps the maximum amount of memory configurable on a system and the exact number and size of the memory DIMMs installed in the system, then you should use the dmidecode command.

The dmidecode command has a type option ( -t ), that can be used to indicate the type of device you wish to see detailed information for, like bios, system, baseboard, chassis, processor, cache, connector, slot and ... memory.

To retrieve the memory information, run the following command:

# dmidecode -t memory
You should get an output similar like the one below, but it can obviously differ per Linux system, depending on the hardware (model) and the installed memory.
# dmidecode -t memory
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.

Handle 0x0047, DMI type 16, 23 bytes
Physical Memory Array
        Location: System Board Or Motherboard
        Use: System Memory
        Error Correction Type: None
        Maximum Capacity: 16 GB
        Error Information Handle: Not Provided
        Number Of Devices: 2

Handle 0x0048, DMI type 17, 34 bytes
Memory Device
        Array Handle: 0x0047
        Error Information Handle: Not Provided
        Total Width: 64 bits
        Data Width: 64 bits
        Size: 4096 MB
        Form Factor: SODIMM
        Set: None
        Locator: DIMM A
        Bank Locator: Not Specified
        Type: DDR3
        Type Detail: Synchronous
        Speed: 1600 MT/s
        Manufacturer: Hynix/Hyundai
        Serial Number: 3248A01B
        Asset Tag: 9876543210
        Part Number: HMT351S6CFR8C-PB
        Rank: 2
        Configured Memory Speed: 1600 MT/s

Handle 0x004A, DMI type 17, 34 bytes
Memory Device
        Array Handle: 0x0047
        Error Information Handle: Not Provided
        Total Width: 64 bits
        Data Width: 64 bits
        Size: 4096 MB
        Form Factor: SODIMM
        Set: None
        Locator: DIMM B
        Bank Locator: Not Specified
        Type: DDR3
        Type Detail: Synchronous
        Speed: 1600 MT/s
        Manufacturer: Kingston
        Serial Number: BA33020F
        Asset Tag: 9876543210
        Part Number: KFYHV1-HYC
        Rank: 2
        Configured Memory Speed: 1600 MT/s
In the output above you can see that this particular system has a "Maximum Capacity" of 16 GB, and up to two "Number of Devices" can be installed.

Below it, you see the currently installed Memory Devices, the first one with a size of 4096 MB in slot DIMM A, with the exact Manufacturer and the Part Number listed. In slot DIMM B, you can also see another DIMM of 4096 MB installed, which is of a different vendor.

This information tells you, that the system shown above can be configured up to 16 GB of memory, but currently has two 4 GB memory DIMMs, thus 8 GB installed. In this case, upgrading the system to 16 GB of memory would mean replacing the two 4 GB memory DIMMs with two 8 GB memory DIMMs.

Topics: Security, System Admin

Using a proxy for wget

If you need to use a proxy for wget, this can be configured as follows:

Either create a file $HOME/.wgetrc (for a specific user) or /etc/wgetrc (to set the proxy configuration for the entire system), and add in the following lines, while replacing the entries below with your HTTP proxy URL and port information:

# You can set the default proxies for Wget to use for http and https.
# They will override the value in the environment.
https_proxy = http://proxy.yoyodyne.com:3128
http_proxy = http://proxy.yoyodyne.com:3128

# If you do not want to use proxy at all, set this to off.
use_proxy = on
Alternatively, you may also use the -e option for wget:
# wget ... -e https_proxy=http://proxy.yoyodyne.com:3128 ...

Topics: Red Hat / Linux, System Admin

XRDP

XRDP is an Open Source Remote Desktop Protocol server, very similar to what is used on Windows Server systems, but XRDP is meant for Linux. Once installed on Linux, you can set up a RDP (or Remote Desktop Connection) session from a Windows system directly to a Linux system.

Here's how you install and configure it on RHEL or CentOS 7:

First of all, we need to install the EPEL repository and XRDP server:

# yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum -y install xrdp
Next, we need to start and enable the service:
# systemctl start xrdp.service 
# systemctl enable xrdp.service
To check if its running, run:
# netstat -an | grep 3389 
tcp   0    0 0.0.0.0:3389   0.0.0.0:*   LISTEN
That's all. Now you can connect to your server from any Windows machine using RDP.

Topics: Red Hat / Linux, System Admin

Linux Screen

The screen utility on Linux allows you to:

  • Use multiple shell windows from a single SSH session
  • Keep a shell active even through network disruptions
  • Disconnect and re-connect to a shell sessions from multiple locations
  • Run a long running process without maintaining an active shell session
First, let's install screen on a CentOS system:
# yum -y install screen
Once it's installed, screen can be easily started:
# screen
You are now inside of a window within screen. This functions just like a normal shell except for a special control command: "Ctrl-a".

Screen uses the command "Ctrl-a" (that's the control key and a lowercase "a") as a signal to send commands to screen instead of the shell.

For example, type "Ctrl-a", let go, and then type "?". You should now see the screen help page, showing you all the available key binding. Key bindings are the commands the screen accepts after you hit "Ctrl-a". You can reconfigure these keys to your liking using a .screenrc file, if you like.

To create a new window, you can use "Ctrl-a" and "c". This will create a new window for you with your default prompt. Your old window is still active.

For example, you can be running top and then open a new window to do other things. Top will remain running in the first window.

Screen allows you to switch between screens, by using "Ctrl-a" and "n". This command switches you to the next window. If you were to open more windows in screen, then "Ctrl-a" and "n" will allow you to cycle through all the windows, by repating the "Ctrl-a" and "n" commands. The windows work like a carousel and will loop back around to your first window. You can create several windows and toggle through them with "Ctrl-a" and "n" for the next window or "Ctrl-a" and "p" for the previous window. Each process in a window will keep running until you exit out of that window by typing "exit".

Anoter feature of screen is that you can detach from a screen, by typing "Ctrl-a" and "d". Screen allows you to detach from a window and reattach later. If your network connection fails, screen will automatically detach your session! If you detach from screen, you will drop back into your shell. All screen windows are still there and you can re-attach to them later.

If your connection drops or you have detached from a screen, you can re-attach by just running:
# screen -r
This will re-attach to your screen.

Screen will also allow you to create a log of the session, by typing "Ctrl-a" and "H". When you do that, you'll see in the Putty titlebar of your session the name of the log file being created, usually in the form of "screenlog.0". Screen will keep appending data to the file through multiple sessions. Using the log function is very useful for capturing what you have done, especially if you are making a lot of changes. If something goes awry, you can look back through your logs. Locking Your Screen Session

If you need to step away from your computer for a minute, you can lock your screen session using "Ctrl-a" and "x". This will require a password to access the session again.

When you are done with your work, you can stop screen by typing exit from your shell. This will close that screen window. You have to close all screen windows to terminate the session. You should get a message about screen being terminated once you close all windows. Alternatively, you can use "Ctrl-a" and "k". You should get a message if you want to kill the screen.

Topics: Red Hat / Linux, System Admin

Multi-user VNC setup on RHEL 7.5

Here's how to set up VNC on Red Hat 7.5, combined with the Gnome desktop, Firefox and TigerVNC.

The goal is to install a Linux desktop, Firefox and TigerVNC on a system with just a base (minimal) Red Hat 7.5 install (without a desktop), and to set up the VNC service for 2 users, in this case for user root, and for user oracle. The VNC port to use for user root will be 5901, and it will be 5092 for user oracle.

Note: This procedure will also work on older RHEL 7 versions, like RHEL 7.2 through RHEL 7.4, with a few minor changes as there are a few differences between these RHEL releases. Please see below.

Install the GUI first (based on: https://access.redhat.com/solutions/5238):

# yum -y groupinstall "Server with GUI"
# yum install xterm xorg-x11-xinit
Install TigerVNC:
# yum -y install tigervnc tigervnc-server
There is no need to specifically install Firefox - it is installed as part of the GUI installation.

If here, you are not using RHEL 7.5, but an older version of RHEL 7, then please make sure to (at least) update the following packages to the latest available versions. These latest package versions are needed to make this work:
# yum -y update xterm xorg-x1-xinit tigervnc tigervnc-server
Start the GUI:
# systemctl set-default graphical.target
# systemctl start graphical.target
Configure VNC (based on https://access.redhat.com/solutions/966063):

Configure the VNC password for both root and user oracle (repeat for both users - log in as each user, and run the following command):
# vncpasswd
You will be asked if you would like to enter a view-only password. You may answer "n" for no.

Set up the VNC service on the system:

For user root:
# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
Edit the new file, and replace all entries in the files of "<USER>" with "root"; ensure the home directory of user root is also set to /root, not /home/root.

For user oracle:
# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:2.service
Edit the new file, and replace all entries of "<USER>" with "oracle".

Edit the xstartup user file in ~root/.vnc/xstartup and ~oracle/.vnc/xstartup. Replace the contents of the xstartup file with this:
#!/bin/sh

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
  [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
  vncconfig -iconic &
  dbus-launch --exit-with-session gnome-session &
Note here: Create the xstartup file, if it does not exist. And make sure to enable the execution bit on the xstartup file, by running:
# chmod +x xstartup
If necessary, if the firewall is in use, add the ports in the firewall.

First check if the firewall daemon is running right now, and enabled at boot time:
# systemctl status firewalld
If so, then add the ports used by VNC to the firewall configuration:
# firewall-cmd --permanent --zone=public --add-port 5901/tcp
# firewall-cmd --permanent --zone=public --add-port 5902/tcp
# firewall-cmd --reload
Run the following command as changes were made to systemd files:
# systemctl daemon-reload
Enable and start the TigerVNC service:
# systemctl enable vncserver@:1.service
# systemctl enable vncserver@:2.service
# systemctl start vncserver@:1.service
# systemctl start vncserver@:2.service
If, at this point, when starting either VNC service, you get an error about not available resources, it may be that either VNC was already running, or that there are old VNC files in /tmp. In this case, first search for any running VNC processes:
# ps -ef | grep vnc
If any VNC processes are still running, then kill them, by using "kill -9". Then move over to the /tmp folder and clear out any old files used by VNC:
# cd /tmp
# rm -rf .X*
And then, try starting the VNC services again:
# systemctl start vncserver@:1.service
# systemctl start vncserver@:2.service
That should work. If so, then proceed with the next steps:

Check if the VNC services are listening on the ports 5901 and 5902:
# netstat -an | grep ::590
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN
tcp6       0      0 :::5901                 :::*                    LISTEN
tcp6       0      0 :::5902                 :::*                    LISTEN
Now, it's time to test the VNC connections. A good way to test, without having to install a VNC client (usually requiring admin privileges on your Windows desktop), use realVNC VNC viewer, from https://www.realvnc.com/en/connect/download/viewer/windows/. In the dropdown list on this website, make sure to select the "Standalone" version that applies to your operating system version. The regular EXE file on this site is a VNC viewer that requires admin privileges on Windows to install. This "standalone" VNC viewer can be used without having to install any software, and does not require admin-level access on Windows.

Open the screen for user root, by typing the following string, assuming the IP address of the server is 172.29.126.210:
172.29.126.210:5901
And for user oracle:
172.29.126.210:5902
And type the password provided earlier through the vncpasswd command.

That's it. You should be presented with desktop screens for both users root and oracle, and you should be able to run Firefox within those desktops.

Topics: Red Hat / Linux, Security, System Admin

Resetting the root password for a KVM guest image

Red Hat provides you the opportunity to download a KVM guest image, that you can use within virt-manager to start immediately. This saves you the trouble and time of having to install the operating system.

However, the root password is not known, and so, it may be difficult to log in as root when using the KVM guest image provided by Red Hat.

Luckily, there is an easy solution to changing the root password on a KVM guest image.

Start by installing guestfish:

# yum -y install guestfish
Guestfish is a tool that can be used from the command line to access guest virtual machine file systems.

Next, update the image file as follows, assuming the image file is located in /var/lib/libvirt/images, and the image file is called "rhel7.5.beta1.qcow2", and you want to set the password to "PASSWORD":
# cd /var/lib/libvirt/images
# virt-customize -a rhel7.5.beta1.qcow2 --root-password password:PASSWORD

Topics: Red Hat / Linux, System Admin

Keystrokes used in top

The top command is quite useful in Red Hat Enterprise Linux. This is a list of common keystrokes that can be used in top:

Key Purpose
? or h Help for interactive keystrokes.
l, t, m Toggles for load, threads, and memory header lines.
1 Toggle showing individual CPUs or a summary for all CPUs in header.
s or d Change the refresh (screen) rate, in decimal seconds (e.g., 0.5, 1, 5).
b Toggle reverse highlighting for Running processes; default is bold only.
B Enables use of bold in display, in the header, and for Running processes.
H Toggle threads; show process summary or individual threads.
u, U Filter for any user name (effective, real).
M Sorts process listing by memory usage, in descending order.
P Sorts process listing by processor utilization, in descending order.
k Kill a process. When prompted, enter PID, then signal.
r Renice a process. When prompted, enter PID, then nice_value.
W Write (save) the current display configuration for use at the next top restart.
q Quit.

Topics: Red Hat / Linux, System Admin

Processes

A process is a running instance of a launched, executable program. A process consists of:

  • an address space of allocated memory,
  • security properties including ownership credentials and privileges,
  • one or more execution threads of program code, and
  • the process state.
The environment of a process includes:
  • local and global variables,
  • a current scheduling context, and
  • allocated system resources, such as file descriptors and network ports.
An existing (parent) process duplicates its own address space (fork) to create a new (child) process structure. Every new process is assigned a unique process ID (PID) for tracking and security. The PID and the parent's process ID (PPID) are elements of the new process environment. Any process may create a child process. All processes are descendants of the first system process, which is systemd(1) on a Red Hat Enterprise Linux 7 system.


Through the fork routine, a child process inherits security identities, previous and current file descriptors, port and resource privileges, environment variables, and program code. A child process may then exec its own program code. Normally, a parent process sleeps while the child process runs, setting a request (wait) to be signaled when the child completes. Upon exit, the child process has already closed or discarded its resources and environment; the remainder is referred to as a zombie. The parent, signaled awake when the child exited, cleans the remaining structure, then continues with its own program code execution.

In a multitasking operating system, each CPU (or CPU core) can be working on one process at a single point in time. As a process runs, its immediate requirements for CPU time and resource allocation change. Processes are assigned a state, which changes as circumstances require.


The Linux process states are illustrated in the previous diagram and described in the following table.

Name Flag Kernel-defined state name and description
Running R

TASK_RUNNING: The process is either executing on a CPU or waiting to run. Process can be executing user routines or kernel routines (system calls), or be queued and ready when in the Running (or Runnable) state.

Sleeping S

TASK_INTERRUPTIBLE: The process is waiting for some condition: a hardware request, system resource access, or signal. When an event or signal satisfies the condition, the process returns to Running.

D

TASK_UNINTERRUPTIBLE: This process is also Sleeping, but unlike S state, will not respond to delivered signals. Used only under specific conditions in which process interruption may cause an unpredictable device state.

K

TASK_KILLABLE: Identical to the uninterruptible D state, but modified to allow the waiting task to respond to a signal to be killed (exited completely). Utilities frequently display Killable processes as D state.

Stopped T

TASK_STOPPED: The process has been Stopped (suspended), usually by being signaled by a user or another process. The process can be continued (resumed) by another signal to return to Running.

T

TASK_TRACED: A process that is being debugged is also temporarily Stopped and shares the same T state flag.

Zombie Z

EXIT_ZOMBIE: A child process signals its parent as it exits. All resources except for the process identity (PID) are released.

X

EXIT_DEAD: When the parent cleans up (reaps) the remaining child process structure, the process is now released completely. This state will never be observed in process-listing utilities.

Number of results found for topic System Admin: 244.
Displaying results: 1 - 10.