I was reading through Jim Perrin's CentOS hardening article and saw one super interesting use of read-only Bourne shell variables. If you have users who frequently log in and then sit idle for days or weeks, you can add a read-only TMOUT variable to /etc/profile:
$ echo "readonly TMOUT=3600" >> /etc/profile
The TMOUT variable holds the number of seconds a shell can sit idle at the prompt before it exits and logs the user out (the line can equally go in a file under /etc/profile.d/, which /etc/profile sources). Since /etc/profile is sourced before a user's .bash* and .profile files, users can't override the read-only TMOUT variable and stay idle for longer periods of time (this doesn't address users who use C shells, but they can be handled similarly). Two caveats: bash only counts idle time while it is waiting for input at the prompt, so a user parked in an editor or a screen session is not logged out, and /etc/profile is only read by login shells. The same trick works for the HISTFILE environment variable, which is also mentioned in the article. Great article Jim!
I recently played around with keepalived, and documented my experiences in an article titled Deploying Highly Available Virtual Interfaces With Keepalived. If you are interested in deploying highly available Linux routers, or just looking to failover IP addresses between servers, you may find the article useful.
I just saw the following putback notice come over the wire:
Author: Matty
<adam.leventhal@sun.com>
Repository: /hg/onnv/onnv-gate
Latest revision: 17811c723fb4f9fce50616cb740a92c8f6f97651
Total changesets: 1
Log message:
6854612 triple-parity RAID-Z
This is pretty sweet. With 2TB+ drives a resilver takes long enough that a second failure, or an unrecoverable read error on a surviving disk, during the rebuild becomes a real possibility, so using multiple parity drives will become essential to keeping your data safe when drive failures occur.
I have been converting a number of hosts to LDAP authentication. I'm currently creating user home directories on each server, which has a number of pros and cons. One of the cons is that a newly provisioned user won't have a home directory, and will be assigned "/" as their home directory when they log in. This is less than ideal, since most users will need a place to modify files and customize their environment. To simplify my life, I have been playing around with autodir and pam_mkhomedir. Both solutions provide an automated way to create user home directories, and are pretty easy to set up.
To configure pam_mkhomedir, add the following line to the session management section of /etc/pam.d/system-auth (the module creates the directory with a default umask of 0022, which leaves the new home world-readable; append umask=0077 to the line if you want it private, and skel=/some/dir if your skeleton lives somewhere other than /etc/skel):
session optional pam_mkhomedir.so
After the module is enabled, users should see a "Creating directory" line when they log in to a server for the first time:
$ ssh test@foo
test@foo's password:
Creating directory '/home/test'.
In addition to creating the home directory specified in the passwd file (or in the homeDirectory attribute if you are using LDAP), the mkhomedir module will also populate the user’s home directory with the files in /etc/skel:
$ ls -la /etc/skel
total 40
drwxr-xr-x. 4 root root 4096 2009-07-07 13:56 .
drwxr-xr-x. 113 root root 12288 2009-07-16 11:08 ..
-rw-r--r--. 1 root root 18 2009-04-08 06:46 .bash_logout
-rw-r--r--. 1 root root 176 2009-04-08 06:46 .bash_profile
-rw-r--r--. 1 root root 124 2009-04-08 06:46 .bashrc
drwxr-xr-x. 2 root root 4096 2009-03-17 20:54 .gnome2
drwxr-xr-x. 4 root root 4096 2009-07-07 13:44 .mozilla
-rw-r--r--. 1 root root 658 2009-03-02 12:18 .zshrc
Adding to the base set of files that are placed in each user's home directory is as simple as copying one or more files into /etc/skel, or modifying the existing files. I will touch on the autodir module in a follow-up post.
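To make the mechanism concrete, here is an added example (my own code, not pam_mkhomedir or anything from the post) that first finds the passwd entries whose home directory is missing, i.e. the users who would land in "/" at login, and then provisions each one from a skeleton directory the way pam_mkhomedir does, but with the 0700 mode you get from umask=0077 rather than the module's 0755 default. The passwd lines and skeleton files are constructed sample data, and everything is built under a throwaway directory so it runs unprivileged; the chown step only happens when run as root, which is how the real module operates.

```python
"""Emulate pam_mkhomedir: audit for missing homes, then create them from a skel.

Added example, not code from the original post. SAMPLE_PASSWD and SAMPLE_SKEL
are constructed test data; demo() builds everything under a temporary root.
"""
import os
import shutil
import tempfile

# Constructed passwd-format entries (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob:/home/bob:/bin/zsh",
]

# Constructed skeleton, mirroring the dotfiles listed under /etc/skel above.
SAMPLE_SKEL = {
    ".bash_logout": "# ~/.bash_logout\n",
    ".bash_profile": "# ~/.bash_profile\n",
    ".bashrc": "# ~/.bashrc\n",
}


def parse_passwd(lines):
    """Yield (name, uid, gid, home) for each well-formed passwd line."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue  # skip comments or damaged lines rather than guess
        name, _, uid, gid, _, home, _ = fields
        yield name, int(uid), int(gid), home


def missing_homes(passwd_lines, root="/"):
    """Return the account names whose home directory does not exist under root."""
    return [name for name, _, _, home in parse_passwd(passwd_lines)
            if not os.path.isdir(os.path.join(root, home.lstrip("/")))]


def make_home(uid, gid, home, skel, root="/", mode=0o700):
    """Create home from skel like pam_mkhomedir would, returning its path.

    mode=0o700 is what pam_mkhomedir's umask=0077 option produces; the
    module's default umask of 0022 would leave the directory at 0755.
    """
    target = os.path.join(root, home.lstrip("/"))
    if os.path.isdir(target):
        return target  # nothing to do, same as the module on later logins
    os.makedirs(os.path.dirname(target), exist_ok=True)
    shutil.copytree(skel, target)  # copies the dotfiles as well
    os.chmod(target, mode)
    if os.geteuid() == 0:  # only root can hand the tree over to the user
        for dirpath, _, filenames in os.walk(target):
            os.chown(dirpath, uid, gid)
            for fname in filenames:
                os.chown(os.path.join(dirpath, fname), uid, gid)
    return target


def demo():
    """Audit, provision the missing homes, and report what was created."""
    root = tempfile.mkdtemp(prefix="mkhomedir-demo-")
    skel = os.path.join(root, "etc", "skel")
    os.makedirs(skel)
    for name, body in SAMPLE_SKEL.items():
        with open(os.path.join(skel, name), "w") as fh:
            fh.write(body)
    os.makedirs(os.path.join(root, "root"))  # root already has a home

    before = missing_homes(SAMPLE_PASSWD, root)
    created = {}
    for name, uid, gid, home in parse_passwd(SAMPLE_PASSWD):
        if name in before:
            path = make_home(uid, gid, home, skel, root)
            created[name] = (oct(os.stat(path).st_mode & 0o777),
                             sorted(os.listdir(path)))
    after = missing_homes(SAMPLE_PASSWD, root)
    shutil.rmtree(root)
    return before, created, after


if __name__ == "__main__":
    print(demo())
```

Running it against a real /etc/passwd (or the output of getent passwd on an LDAP client) with root="/" gives you the list of accounts that need a home before you switch the module on, and the mode check is the thing to repeat afterwards if you forgot umask=0077.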
Vijay Avarachen posted a great tip on Linux Journal's website showing how to use rpm's verify option to list files that have changed since their packages were installed:
$ rpm -qa | xargs rpm --verify --nomtime | less
S.5...... c /etc/yum.repos.d/fedora.repo
..5...... c /etc/pki/nssdb/secmod.db
S.5...... /etc/cron.d/smolt
....L.... c /etc/pam.d/fingerprint-auth
....L.... c /etc/pam.d/password-auth
....L.... c /etc/pam.d/smartcard-auth
....L.... c /etc/pam.d/system-auth
prelink: /usr/lib64/libopenrawgnome.so.1.4.0: prelinked file was modified
S.?...... /usr/lib64/libopenrawgnome.so.1.4.0
....L.... /usr/lib64/libbind9.so.50
....L.... /usr/lib64/liblwres.so.50
.M....G.. /var/cache/ccache
Yum has a similar capability through the yum-plugin-verify plugin, which adds the verify-all and verify-rpm commands (you will need to edit /etc/yum/pluginconf.d/verify.conf to make the plugin as useful as rpm --verify). Keep in mind that rpm --verify compares files against the local rpm database, which an intruder with root can alter along with the files themselves; for an incident you want to verify against pristine package files (rpm -Vp) or a baseline captured from a known-good system. Good stuff!
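The verify output is terse, so here is an added example (my own code, not from the post or from Vijay's article) that parses rpm -V lines into the changed attributes and assigns a triage severity. The flag string is nine columns, one per test, in the order S M 5 D L U G T P (size, mode, digest, device, symlink target, owner, group, mtime, capabilities), with "." for unchanged and "?" for a test rpm could not run; an optional marker such as "c" between the flags and the path says the file is a config file. The sample lines are the ones shown above plus two constructed ones (a changed binary and a "missing" record) so the edge cases are exercised; the severity rules are my own assumptions about what deserves attention first, not anything rpm defines.

```python
"""Triage rpm --verify output. Added example; severity rules are assumptions."""
import re

# Column order of rpm's verify string and what each letter means.
FLAG_ORDER = "SM5DLUGTP"
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group",
    "T": "mtime", "P": "capabilities",
}
ATTR_MARKERS = {"c": "config", "d": "doc", "g": "ghost",
                "l": "license", "r": "readme"}
CONTENT_FLAGS = {"S", "5"}            # the file's bytes differ
METADATA_FLAGS = {"M", "U", "G", "P", "D", "L"}
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)")

# Lines from the post plus two constructed ones (/usr/bin/ssh, auditd).
SAMPLE_OUTPUT = """\
S.5...... c /etc/yum.repos.d/fedora.repo
..5...... c /etc/pki/nssdb/secmod.db
S.5...... /etc/cron.d/smolt
....L.... c /etc/pam.d/system-auth
prelink: /usr/lib64/libopenrawgnome.so.1.4.0: prelinked file was modified
S.?...... /usr/lib64/libopenrawgnome.so.1.4.0
....L.... /usr/lib64/libbind9.so.50
.M....G.. /var/cache/ccache
S.5....T. /usr/bin/ssh
missing     /usr/sbin/auditd
"""


def parse_line(line):
    """Turn one rpm -V line into a record, or None for noise such as prelink: messages."""
    line = line.rstrip("\n")
    if not line or line.startswith("prelink:"):
        return None
    m = MISSING_RE.match(line)
    if m:
        return {"path": m["path"], "attr": ATTR_MARKERS.get(m["attr"]),
                "changed": set(), "unverifiable": set(), "missing": True}
    m = VERIFY_RE.match(line)
    if not m:
        return None
    flags = m["flags"]
    changed = {FLAG_ORDER[i] for i, ch in enumerate(flags) if ch == FLAG_ORDER[i]}
    unverifiable = {FLAG_ORDER[i] for i, ch in enumerate(flags) if ch == "?"}
    return {"path": m["path"], "attr": ATTR_MARKERS.get(m["attr"]),
            "changed": changed, "unverifiable": unverifiable, "missing": False}


def severity(rec):
    """Assumed triage rules: (severity, reason) for one parsed record."""
    if rec["missing"]:
        return "high", "packaged file is gone"
    if rec["unverifiable"]:
        # Typically prelink; the digest could not be computed, so look by hand.
        names = ", ".join(FLAG_MEANING[f] for f in sorted(rec["unverifiable"]))
        return "medium", "could not verify " + names
    if rec["changed"] & CONTENT_FLAGS:
        if rec["attr"] in ("config", "doc", "readme", "license"):
            return "low", "edited %s file" % rec["attr"]
        return "high", "contents differ from the package"   # replaced binary/script
    if rec["changed"] & METADATA_FLAGS:
        names = ", ".join(FLAG_MEANING[f] for f in sorted(rec["changed"]))
        return "medium", "changed " + names
    return "info", "mtime only"


def triage(text):
    """Parse a whole rpm -V run and return records sorted by severity then path."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["severity"], rec["reason"] = severity(rec)
        out.append(rec)
    return sorted(out, key=lambda r: (RANK[r["severity"]], r["path"]))


if __name__ == "__main__":
    for rec in triage(SAMPLE_OUTPUT):
        print("%-6s %-40s %s" % (rec["severity"], rec["path"], rec["reason"]))
```

Pipe the output of rpm -Va --nomtime into triage() on a live system and the "high" bucket is the short list to look at first: a non-config file whose digest no longer matches its package is either an update rpm does not know about or a replaced binary, and either way you want to know which.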