know-how:linux

Differences

This page shows the differences between two versions.

know-how:linux [2024/02/12 13:22] – [Welche Branches gibt es ?] cc
know-how:linux [2024/05/29 12:44] (current) – [Debian 10 to Debian 11 Upgrade] cc
Zeile 1: Zeile 1:
 +~~ODT~~
 ====== Read Only Root ====== ====== Read Only Root ======
   * Getestet mit Debian Buster   * Getestet mit Debian Buster
Zeile 1056: Zeile 1057:
 md manage:   INFO:2023-08-07 10h40.13 utc:1147: update_scap: Updating data md manage:   INFO:2023-08-07 10h40.13 utc:1147: update_scap: Updating data
 ... ...
 +</code>
 +  * Upgrade Cluster von 15 auf 16 - ohne Neuinstallation (gvmd kann nicht gestartet werden) / Vorsicht über SSH !
 +  * https://bugs.kali.org/view.php?id=8549
 +
 +<code>
 +
 +root@pentest:~# pg_lsclusters 
 +Ver Cluster Port Status Owner    Data directory              Log file
 +15  main    5432 online postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
 +16  main    5433 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
 +
 +root@pentest:~# pg_dropcluster 16 main --stop
 +
 +root@pentest:~# pg_upgradecluster 15 main
 +
 +
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Stopping old cluster...
 +Restarting old cluster with restricted connections...
 +Notice: extra pg_ctl/postgres options given, bypassing systemctl for start operation
 +Creating new PostgreSQL cluster 16/main ...
 +/usr/lib/postgresql/16/bin/initdb -D /var/lib/postgresql/16/main --auth-local peer --auth-host scram-sha-256 --no-instructions --encoding UTF8 --lc-collate en_GB.UTF-8 --lc-ctype en_GB.UTF-8 --locale-provider libc
 +The files belonging to this database system will be owned by user "postgres".
 +This user must also own the server process.
 +
 +The database cluster will be initialized with locale "en_GB.UTF-8".
 +The default text search configuration will be set to "english".
 +
 +Data page checksums are disabled.
 +
 +fixing permissions on existing directory /var/lib/postgresql/16/main ... ok
 +creating subdirectories ... ok
 +selecting dynamic shared memory implementation ... posix
 +selecting default max_connections ... 100
 +selecting default shared_buffers ... 128MB
 +selecting default time zone ... Europe/Vienna
 +creating configuration files ... ok
 +running bootstrap script ... ok
 +performing post-bootstrap initialization ... ok
 +syncing data to disk ... ok
 +
 +Copying old configuration files...
 +Copying old start.conf...
 +Copying old pg_ctl.conf...
 +Starting new cluster...
 +Notice: extra pg_ctl/postgres options given, bypassing systemctl for start operation
 +Running init phase upgrade hook scripts ...
 +
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Roles, databases, schemas, ACLs...
 +WARNING:  database "postgres" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +WARNING:  database "gvmd" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE gvmd REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +WARNING:  database "postgres" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 + set_config 
 +------------
 + 
 +(1 row)
 +
 + set_config 
 +------------
 + 
 +(1 row)
 +
 + set_config 
 +------------
 + 
 +(1 row)
 +
 + set_config 
 +------------
 + 
 +(1 row)
 +
 +Fixing hardcoded library paths for stored procedures...
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Upgrading database template1...
 +WARNING:  database "template1" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE template1 REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Fixing hardcoded library paths for stored procedures...
 +WARNING:  database "gvmd" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE gvmd REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Upgrading database gvmd...
 +WARNING:  database "gvmd" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE gvmd REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Fixing hardcoded library paths for stored procedures...
 +WARNING:  database "postgres" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Upgrading database postgres...
 +WARNING:  database "postgres" has a collation version mismatch
 +DETAIL:  The database was created using collation version 2.36, but the operating system provides version 2.37.
 +HINT:  Rebuild all objects in this database that use the default collation and run ALTER DATABASE postgres REFRESH COLLATION VERSION, or build PostgreSQL with the right library version.
 +Stopping target cluster...
 +Stopping old cluster...
 +Disabling automatic startup of old cluster...
 +Starting upgraded cluster on port 5432...
 +Running finish phase upgrade hook scripts ...
 +vacuumdb: processing database "gvmd": Generating minimal optimizer statistics (1 target)
 +vacuumdb: processing database "postgres": Generating minimal optimizer statistics (1 target)
 +vacuumdb: processing database "template1": Generating minimal optimizer statistics (1 target)
 +vacuumdb: processing database "gvmd": Generating medium optimizer statistics (10 targets)
 +vacuumdb: processing database "postgres": Generating medium optimizer statistics (10 targets)
 +vacuumdb: processing database "template1": Generating medium optimizer statistics (10 targets)
 +vacuumdb: processing database "gvmd": Generating default (full) optimizer statistics
 +vacuumdb: processing database "postgres": Generating default (full) optimizer statistics
 +vacuumdb: processing database "template1": Generating default (full) optimizer statistics
 +
 +Success. Please check that the upgraded cluster works. If it does,
 +you can remove the old cluster with
 +    pg_dropcluster 15 main
 +
 +Ver Cluster Port Status Owner    Data directory              Log file
 +15  main    5433 down   postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
 +Ver Cluster Port Status Owner    Data directory              Log file
 +16  main    5432 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
 +
 +root@pentest:~# pg_dropcluster 15 main
 +
 +root@pentest:~# pg_lsclusters 
 +Ver Cluster Port Status Owner    Data directory              Log file
 +16  main    5432 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
 +
 </code> </code>
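Review bot: The procedure goes straight from the "Success. Please check that the upgraded cluster works" message to `pg_dropcluster 15 main`, with no step showing that gvmd actually starts against 16/main, and no dump of the 15 cluster is taken before `pg_dropcluster 16 main --stop` and the upgrade. Add a backup step before the first drop and a gvmd start check before the last one, so the old data directory is only removed once the scanner is confirmed working. The output also repeats the collation version mismatch warning (2.36 vs 2.37) for template1, postgres and gvmd without the notes saying whether it still appears on the upgraded cluster; record that, and trim the repeated WARNING/DETAIL/HINT triplets to one instance. The "Vorsicht über SSH !" in the bullet should state what the risk is.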
  
Zeile 1739: Zeile 1886:
 </code> </code>
  
-  * Anpassen von **/usr/lib/nagios/plugins/check_dht.py** auf python3 u. adafruit_dht / Daten PIN ist GPIO 2 - siehe: https://www.elektronik-kompendium.de/sites/raspberry-pi/2002191.htm **quick and dirty**+  * Anpassen von **/usr/lib/nagios/plugins/check_dht.py** auf python3 u. adafruit_dht / Daten PIN ist GPIO 2 - siehe: https://www.elektronik-kompendium.de/sites/raspberry-pi/2002191.htm **quick and dirty** / Hin und wieder wirft er eine Exception beim lesen der Sensorwerte deshalb der erneute Aufruf von main mit dem try catch block
  
 <code> <code>
Zeile 1779: Zeile 1926:
  
 def main(): def main():
-    parser = argparse.ArgumentParser(description='Nagios plugin to check DHT sensors using Adafruit DHT driver'+    try: 
-    parser.add_argument('-s', '--sensor', required=False, help='Sensor to use (supported sensors: 11, 22, 2302)', default='22'+      parser = argparse.ArgumentParser(description='Nagios plugin to check DHT sensors using Adafruit DHT driver'
-    parser.add_argument('-p', '--pin', required=False, help='GPIO pin number (example: -p 4)', default='4'+      parser.add_argument('-s', '--sensor', required=False, help='Sensor to use (supported sensors: 11, 22, 2302)', default='22'
-    parser.add_argument('-w', '--warning', required=False, help='warning threshold for temperature and humidity (example: -w 25,80)', default='25,80'+      parser.add_argument('-p', '--pin', required=False, help='GPIO pin number (example: -p 4)', default='4'
-    parser.add_argument('-c', '--critical', required=False, help='warning threshold for temperature and humidity (example: -c 30,85)', default='30,85'+      parser.add_argument('-w', '--warning', required=False, help='warning threshold for temperature and humidity (example: -w 25,80)', default='25,80'
-    args = parser.parse_args() +      parser.add_argument('-c', '--critical', required=False, help='warning threshold for temperature and humidity (example: -c 30,85)', default='30,85'
- +      args = parser.parse_args()
-    sensor = args.sensor +
-    #Predefined position of PIN  +
-    pin = 'D2' +
-    warningTemp = args.warning.split(',')[0] +
-    warningHum = args.warning.split(',')[1] +
-    criticalTemp = args.critical.split(',')[0] +
-    criticalHum = args.critical.split(',')[1]+
  
-    dhtboard getattr(board,pin+      sensor args.sensor 
-    dhtDevice adafruit_dht.DHT22(dhtboard,use_pulseio=False)+      #Predefined position of PIN  
 +      pin = 'D2' 
 +      warningTemp = args.warning.split(',')[0] 
 +      warningHum args.warning.split(',')[1] 
 +      criticalTemp args.critical.split(',')[0] 
 +      criticalHum = args.critical.split(',')[1]
  
-    hum, temp = dhtDevice.humidity, dhtDevice.temperature +      dhtboard = getattr(board,pin) 
 +      dhtDevice = adafruit_dht.DHT22(dhtboard,use_pulseio=False) 
 +      
 +      hum, temp = dhtDevice.humidity, dhtDevice.temperature  
 +    except RuntimeError: 
 +      time.sleep(5) 
 +      main()
     if not re.match("\d+\.\d+", str(temp)):     if not re.match("\d+\.\d+", str(temp)):
         exitCheck(3, 'could not read temperature and humidity values')         exitCheck(3, 'could not read temperature and humidity values')
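Review bot: The `except RuntimeError:` branch retries by calling `main()` recursively with no attempt limit, and if that nested call ever returns, the outer frame continues to `re.match("\d+\.\d+", str(temp))` with `temp` never assigned. Wrap only the `dhtDevice.humidity` / `dhtDevice.temperature` read in a bounded loop (for example three attempts with the 5 second sleep), call `exitCheck(3, ...)` once the attempts are used up, and keep the argparse setup and the `adafruit_dht.DHT22(...)` construction outside the `try` so they are not repeated on every retry. The hunk also relies on `time` being imported, which is not visible in these lines.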
Zeile 3530: Zeile 3681:
  
 ====== Debian 10 to Debian 11 Upgrade ====== ====== Debian 10 to Debian 11 Upgrade ======
 +  * Achtung bei **qemu-kvm** Paket - wird deinstalliert / qemu-system-x86 für die Binaries installieren !!
 +
 +<code>
 +apt-get install qemu-system-x86
 +</code>
 +
  
   * **Pfad** des ipset binaries ist anders ( ln -s /usr/sbin/ipset /sbin/ipset ) **nicht mehr /sbin/ipset  sondern /usr/sbin/ipset** Grundsätzlicher Change on the horizont siehe ** https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html **   * **Pfad** des ipset binaries ist anders ( ln -s /usr/sbin/ipset /sbin/ipset ) **nicht mehr /sbin/ipset  sondern /usr/sbin/ipset** Grundsätzlicher Change on the horizont siehe ** https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html **
Zeile 4234: Zeile 4391:
 Apr 03 09:35:28 firewall clamd[50896]: WARNING: Ignoring deprecated option ScanOnAccess at /etc/clamav/clamd.conf:60 Apr 03 09:35:28 firewall clamd[50896]: WARNING: Ignoring deprecated option ScanOnAccess at /etc/clamav/clamd.conf:60
 </code> </code>
-====== Notification mail nach Login via SSH ======+====== NetworkManager ======  
 +  * Getestet auf Debian 12 Bookworm  
 +  * Ich möchte alle dns queries loggen - mit dnsmasq  (man NetworkManager.conf) 
 +  * /etc/NetworkManager/NetworkManager.conf 
 +<code> 
 +[main] 
 +... 
 +dns=dnsmasq 
 +... 
 +</code> 
 +  * Nach einem restart vom NetworkManger startet er eine eigene dnsmasq Instanz als **nobody** e.g. 
 + 
 +<code> 
 +/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 --cache-size=400 --clear-on-reload --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d 
 +</code> 
 + 
 +  * Fürs logging erstellen wir ** /etc/NetworkManager/dnsmasq.d/queries.conf ** 
 + 
 +<code> 
 +log-queries=extra 
 +log-async 
 +</code> 
 + 
 +  * Auf meiner Maschine erhalte ich nun alle queries unter zB: **tail -f /var/log/syslog | grep dnsmasq** 
 + 
 +<code> 
 +Feb 26 11:41:43 mrWhiteGhost dnsmasq[7898]: 1788 127.0.0.1/40860 query[A] doku.pannoniait.at from 127.0.0.1 
 +Feb 26 11:41:43 mrWhiteGhost dnsmasq[7898]: 1788 127.0.0.1/40860 cached doku.pannoniait.at is 188.40.28.234 
 + 
 + 
 +Feb 26 11:42:10 mrWhiteGhost dnsmasq[7898]: 1789 127.0.0.1/53721 query[A] safebrowsing.googleapis.com from 127.0.0.1 
 +Feb 26 11:42:10 mrWhiteGhost dnsmasq[7898]: 1789 127.0.0.1/53721 forwarded safebrowsing.googleapis.com to 192.168.179.2 
 +Feb 26 11:42:10 mrWhiteGhost dnsmasq[7898]: 1789 127.0.0.1/53721 reply safebrowsing.googleapis.com is 142.250.184.202 
 + 
 +</code> 
 +====== openssh ====== 
 +  * Notification mail nach Login via SSH 
 <code> <code>
 root@firewall:~# cat /etc/ssh/sshrc root@firewall:~# cat /etc/ssh/sshrc
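Review bot: `log-queries=extra` in queries.conf writes every lookup with the requesting address and port to syslog, as the sample lines show, and the section says nothing about who can read /var/log/syslog, how long the entries are kept, or how fast the log grows on a busy workstation. Add a line on access and retention, and consider giving `log-async` an explicit queue length, since the bare option uses dnsmasq's default of 5 queued lines and drops entries when syslog is slow. Renaming the heading "Notification mail nach Login via SSH" to "openssh" also changes the section anchor, so existing links to it need checking, and "NetworkManger" in the restart bullet is a typo.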
Zeile 4242: Zeile 4436:
 </code> </code>
  
 +  * Ausführen von bestimmten Skript nach Login über SSH
 +
 +<code>
 +...
 +Match User username123
 + ForceCommand /usr/local/bin/script.sh
 +...
 +</code>
 ====== XRDP Remote Desktop Server mit Kerberos im AD - terminalserver ====== ====== XRDP Remote Desktop Server mit Kerberos im AD - terminalserver ======
       * Wir wollen in einer Active Directory Umgebung einen Open Source Remote Desktop Server bei dem sich alle Mitglieder der Domäne mit ihren gewohnten Zugangsdaten einloggen können       * Wir wollen in einer Active Directory Umgebung einen Open Source Remote Desktop Server bei dem sich alle Mitglieder der Domäne mit ihren gewohnten Zugangsdaten einloggen können
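Review bot: The `Match User username123` block sets only `ForceCommand`, so unless the elided lines say otherwise the account can still request TCP and agent forwarding, and the bullet text ("Ausführen von bestimmten Skript nach Login") does not make clear that ForceCommand replaces whatever command or shell the client asked for rather than running in addition to it. If the intent is to confine this user to /usr/local/bin/script.sh, add `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no` to the same Match block, and mention that the client's original request is available to the script in `SSH_ORIGINAL_COMMAND`. A reminder to validate the file with `sshd -t` before reloading would fit here as well.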
Zeile 7084: Zeile 7286:
 {{:know-how:4-zabbix-custom-item-create-config-oid-preprocessor.png?400|}} {{:know-how:4-zabbix-custom-item-create-config-oid-preprocessor.png?400|}}
 {{:know-how:5-zabbix-custom-item-create-config-oid-test-values.png?400|}} {{:know-how:5-zabbix-custom-item-create-config-oid-test-values.png?400|}}
 +
 +===== Auto Provisioning/Registering =====
 +  * Um zB: Workstations als aktiven Agent einzubinden , da sie nicht immer laufen
 +
 +{{:know-how:0_zabbix_active_autoregistration_psk.png?400|}}
 +
 +  * GPO Auto Installation: https://doku.pannoniait.at/doku.php?id=know-how:windows#zabbix_deployment
 +
 +  * Scratchpad:
 +
 +<code>
 +
 +
 +https://www.zabbix.com/documentation/current/en/manual/discovery/auto_registration
 +
 +Secure autoregistration
 +
 +A secure way of autoregistration is possible by configuring PSK-based authentication with encrypted connections.
 +
 +The level of encryption is configured globally in Administration → General → Autoregistration. It is possible to select no encryption, TLS encryption with PSK authentication or both (so that some hosts may register without encryption while others through encryption).
 +
 +Authentication by PSK is verified by Zabbix server before adding a host. If successful, the host is added and Connections from/to host are set to 'PSK' only with identity/pre-shared key the same as in the global autoregistration setting.
 +
 +To ensure security of autoregistration on installations using proxies, encryption between Zabbix server and proxy should be enabled. 
 +
 +
 +-----
 +
 +
 +Using host metadata
 +
 +When agent is sending an auto-registration request to the server it sends its hostname. In some cases (for example, Amazon cloud nodes) a hostname is not enough for Zabbix server to differentiate discovered hosts. Host metadata can be optionally used to send other information from an agent to the server.
 +
 +Host metadata is configured in the agent configuration file - zabbix_agentd.conf. There are 2 ways of specifying host metadata in the configuration file:
 +
 +HostMetadata HostMetadataItem
 +
 +See the description of the options in the link above.
 +
 +<note:important>An auto-registration attempt happens every time an active agent sends a request to refresh active checks to the server. The delay between requests is specified in the RefreshActiveChecks parameter of the agent. The first request is sent immediately after the agent is restarted. :::
 +Example 1
 +
 +Using host metadata to distinguish between Linux and Windows hosts.
 +
 +Say you would like the hosts to be auto-registered by the Zabbix server. You have active Zabbix agents (see "Configuration" section above) on your network. There are Windows hosts and Linux hosts on your network and you have "Template OS Linux" and "Template OS Windows" templates available in your Zabbix frontend. So at host registration you would like the appropriate Linux/Windows template to be applied to the host being registered. By default only the hostname is sent to the server at auto-registration, which might not be enough. In order to make sure the proper template is applied to the host you should use host metadata.
 +Agent configuration
 +
 +The first thing to do is configuring the agents. Add the next line to the agent configuration files:
 +
 +HostMetadataItem=system.uname
 +
 +This way you make sure host metadata will contain "Linux" or "Windows" depending on the host an agent is running on. An example of host metadata in this case:
 +
 +Linux: Linux server3 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2 i686 GNU/Linux Windows: Windows WIN-0PXGGSTYNHO 6.0.6001 Windows Server 2008 Service Pack 1 Intel IA-32
 +
 +Do not forget to restart the agent after making any changes to the configuration file.
 +Frontend configuration
 +
 +Now you need to configure the frontend. Create 2 actions. The first action:
 +
 +    Name: Linux host autoregistration
 +    Conditions: Host metadata like Linux
 +    Operations: Link to templates: Template OS Linux
 +
 +You can skip an "Add host" operation in this case. Linking to a template requires adding a host first so the server will do that automatically.
 +
 +The second action:
 +---
 +
 +
 +Install Client on Windows
 +
 +https://www.zabbix.com/documentation/current/en/manual/installation/install_from_packages/win_msi
 +
 +Examples
 +
 +To install Zabbix Windows agent from the command-line, you may run, for example:
 +
 +SET INSTALLFOLDER=C:\Program Files\Zabbix Agent msiexec /l*v log.txt /i zabbix_agent-6.4.0-x86.msi /qn^  LOGTYPE=file^  LOGFILE="%INSTALLFOLDER%\zabbix_agentd.log" SERVER=192.168.6.76^  LISTENPORT=12345^  SERVERACTIVE=::1^  HOSTNAME=myHost^  TLSCONNECT=psk^  TLSACCEPT=psk^  TLSPSKIDENTITY=MyPSKID^  TLSPSKFILE="%INSTALLFOLDER%\mykey.psk" TLSCAFILE="c:\temp\f.txt1" TLSCRLFILE="c:\temp\f.txt2" TLSSERVERCERTISSUER="My CA" TLSSERVERCERTSUBJECT="My Cert" TLSCERTFILE="c:\temp\f.txt5" TLSKEYFILE="c:\temp\f.txt6" ENABLEPATH=1^  INSTALLFOLDER="%INSTALLFOLDER%" SKIP=fw^  ALLOWDENYKEY="DenyKey=vfs.file.contents[/etc/passwd]"
 +
 +You may also run, for example:
 +
 +msiexec /l*v log.txt /i zabbix_agent-6.4.0-x86.msi /qn^  SERVER=192.168.6.76^  TLSCONNECT=psk^  TLSACCEPT=psk^  TLSPSKIDENTITY=MyPSKID^  TLSPSKVALUE=1f87b595725ac58dd977beef14b97461a7c1045b9a1c963065002c5473194952
 +
 +If both TLSPSKFILE and TLSPSKVALUE are passed, then TLSPSKVALUE will be written to TLSPSKFILE. 
 +
 +</code>
 +
 +
 +
 +
 +===== HPE 1950 OfficeConnect =====
 +  * Grundsätzlich ein H3C Switch - Template: **HP Comware HH3C by SNMP**
 +  * **Achtung** , Anpassung bei Network Interface Discovery notwendig für Bits sent / Bits received
 +  * **snmpwalk** ist dein Freund :)
 +
 +{{:know-how:0_zabbix_comware_snmp.png?400|}}
 +{{:know-how:1_zabbix_comware_bits_received.png?400|}}
 +{{:know-how:2_zabbix_comware_bits_sent.png?400|}}
 +
  
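Review bot: The second msiexec example in the scratchpad passes the key as `TLSPSKVALUE=...` on the command line next to `/l*v log.txt`, and the section links to a GPO deployment, so copying it as written would push the documentation's published sample key to every workstation and leave it in the deployment script and possibly the verbose install log. Mark the value as a sample that must be replaced, prefer the `TLSPSKFILE` variant with a key file readable only by the agent's service account, and state explicitly that the autoregistration identity and key are global ("the same as in the global autoregistration setting"), so one extracted key covers all hosts registered this way. The pasted documentation text is also damaged: `<note:important>` is opened inside `<code>` and closed with `:::`, and "The second action:" ends without content; a link to the upstream page plus the handful of settings actually used would be easier to maintain.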
know-how/linux.1707740556.txt.gz · Last modified: 2024/02/12 13:22 by cc