Tuesday 17 November 2009

Tripwire generating too big report files

Tripwire was generating big report files on one of our boxes, almost 12MB, compared to 60KB for the others.
I found the problem was that many changes had been applied to this server, with files copied and moved,
so the tripwire DB holding the changes grew a lot.
The command to run to update the tripwire DB is:
tripwire --update -Z low

This command will compare your database against your current file system and then launch an editor so that you can choose to make changes to your database.

If you try this command but get an error message about a missing report file, the reason is most likely that the last check was not run immediately prior to the update. The report file in the /var/lib/tripwire/report directory is named by hostname, then date (yyyymmdd) then time. If you have recently run a check and want the update to proceed using your most recent report file, then use the -r option and provide the report filename that you want the update to use.
tripwire --update -Z low --twrfile host-yyyymmdd-tttttt.twr

If it asks for a password, you'll have to set it up first, unless you already know the password:

tripwire --local-passphrase mypassword

Then run the update again, now that you know the password.

Converting Ext2 Filesystems to Ext3

This is one of those tips that is handy when you upgrade, or have a partition already formatted and holding data, and realize that it is ext2! There is no need to re-format it or erase the data: just convert it!

In the partition table, type 83 is used for a Linux partition, no matter whether it is ext2 or ext3.

The Ext3 filesystem is an Ext2 filesystem with a journal file and some filesystem driver additions that make the filesystem journaled.

Converting from Ext2 to Ext3
The conversion procedure is simple enough. Imagine /dev/sdb1 mounted as /data – the procedure would be as follows:

Log in as root
Make sure /etc/fstab has /dev/sdb1 mounted to /data as ext2, read write
umount /dev/sdb1
If you can't unmount it, then remount it read only (mount -o remount,ro /dev/sdb1)
tune2fs -j /dev/sdb1
Edit /etc/fstab, and for /dev/sdb1, change ext2 to ext3
mount /dev/sdb1 /data, or mount -a
Check if the partition was correctly mounted:
mount | grep /dev/sdb1
If it's not shown as ext3, reboot (shutdown -r now)
if still not, troubleshoot ...
Otherwise, you're done.
A few explanations are in order.
The tune2fs command creates the journal file, which is kept in a special inode on the device (by default). You then must change the /etc/fstab entry to reflect that it's a journaling filesystem, and then mount it.
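The procedure above as a script, added here as an example and not part of the original post. It assumes e2fsprogs' tune2fs and util-linux mount/umount, keeps the /etc/fstab edit and the final mount check in separate functions so they can be tried on constructed input, and needs root to touch a real device:

```shell
#!/bin/sh
# Added example, not part of the original post: the ext2 -> ext3 steps
# above as a script. The /etc/fstab edit and the "is it ext3 now?" check
# are separate functions so they can be exercised on constructed input;
# convert_ext2_to_ext3 itself needs root and a real device.
# Assumes tune2fs (e2fsprogs) and mount/umount (util-linux).

# Change the fstab entry for device $1 in file $2 from ext2 to ext3.
# Only a line whose first field is $1 and whose type is ext2 changes.
fstab_ext2_to_ext3() {
    awk -v dev="$1" -v OFS='\t' \
        '$1 == dev && $3 == "ext2" { $3 = "ext3" } { print }' "$2" > "$2.tmp" &&
        mv "$2.tmp" "$2"
}

# Exit 0 if device $1 appears as ext3 in `mount` output ($2, default: live).
# mount prints lines like: "/dev/sdb1 on /data type ext3 (rw)".
mounted_as_ext3() {
    printf '%s\n' "${2:-$(mount)}" |
        awk -v dev="$1" '$1 == dev && $5 == "ext3" { found = 1 } END { exit !found }'
}

# The whole procedure for device $1 mounted at $2 (run as root).
convert_ext2_to_ext3() {
    dev="$1"; mnt="$2"
    # Unmount, or fall back to a read-only remount if something holds it open.
    umount "$dev" 2>/dev/null || mount -o remount,ro "$dev" || return 1
    # Create the journal; by default it lives in a reserved inode on the device.
    tune2fs -j "$dev" || return 1
    # Record the new type so the next mount (and every boot) uses ext3.
    fstab_ext2_to_ext3 "$dev" /etc/fstab || return 1
    # Mount from fstab. A filesystem that stayed mounted read-only keeps the
    # old type until a reboot, which is the case the post tells you to check.
    mount "$dev" 2>/dev/null || mount -o remount "$dev" || return 1
    if mounted_as_ext3 "$dev"; then
        echo "$dev is mounted at $mnt as ext3"
    else
        echo "$dev is still not ext3; reboot (shutdown -r now) to pick up the new type" >&2
        return 2
    fi
}

# Stand-alone use: convert_ext2_to_ext3 /dev/sdb1 /data
if [ "$#" -eq 2 ]; then
    convert_ext2_to_ext3 "$1" "$2"
fi
```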

A full article describing other procedures is available at:
http://www.troubleshooters.com/linux/ext2toext3.htm

Monday 16 November 2009

Accurate Date and Time in Linux using ntp step by step instructions

First, a little bit of theory. Read it all, so you understand how time works and why the setup needs several steps.

Why do We Need a Precise Clock?
If our computer never connects to other computers (or other devices that use a clock), the precision of the clock is not critical in itself; it depends on the needs of the user. However, programs that use the network in some way depend on a precise date and time. Some examples of when you may need a precise clock:

Software that deals with transactions

Commercial applications (e.g. eBay)

Mail and messaging-related clients and servers

Websites that use cookies

Distributed web applications

Web services

Distributed component-based applications such as J2EE, .NET, etc.

Advanced modern and parallel filesystems, such as AFS, DFS, GFS, GPFS, etc.

And of course, to use the computer to adjust our wristwatch.

Computer Global Date and Time Concept
To determine the current time for some planet region, a computer needs exactly these two pieces of information:

The correct UTC time (universal time, as in Greenwich, but not the same as GMT)

Region's current Time Zone

For computers, there is also the hardware clock, which is used as a base by the OS to set its time.

OS date and time (we'll just say date or time from now on) is set on boot by a script that reads the hardware clock, makes Time Zone calculations (there is no time zone data stored in the BIOS) and sets the OS time. After this synchronization, BIOS and OS time are independent from each other, so after a while they may differ by some seconds. Which one is correct?
If you don't make any special configuration, neither of them.

We'll discuss here how to make them both globally 100% accurate.

Time Zones
Time Zones are a division of the world globe into geographical slices of 15° each, starting at Greenwich, in England, created to help people know what time it is now in another part of the world.

Nowadays it is much more a political division than a geographical one, because sometimes people need to have the same time as other people in not-so-far locations. And for energy saving reasons, we today have Daylight Saving Time, which is also a Time Zone variation.

Time Zones are usually defined by your country's government or some astronomical institute, and are represented by 3 or 4 letters.

Use timezoneconverter.com to know what time it is now at any part of the globe.

Daylight Savings Time
For energy saving reasons, governments created Daylight Saving Time. Our clocks are moved forward one hour, which makes our days look longer. In fact, what really happens is only a Time Zone change. The underlying time (UTC) is still, and will always be, the same.

Time Zone Mechanism on Linux
Linux systems use the GLIBC dynamic Time Zones, based on /etc/localtime. This file is a link to (or a copy of) a zone information file, usually located under the /usr/share/zoneinfo directory.
To make it effective, you only have to link (or copy) the zoneinfo file to /etc/localtime. In some distributions there is a higher-level (and preferred) way to set the Time Zone, described later.

After making /etc/localtime point to the correct zoneinfo file, you are already under that zone's rules and DST changes are automatic: you don't have to change the time manually.


Accurate Global Time Synchronization
Having accurate time on all your systems is as important as having a solid network security strategy (achieved by much more than simple firewall boxes). It is one of the primary components of system administration based on good practices, which leads to organization and security. Especially when administering distributed applications, web services, or even a distributed security monitoring tool, accurate time is a must.


NTP: The Network Time Protocol
We won't discuss the protocol here, but rather how this wonderful invention, together with the pervasiveness of the Internet, can be useful for us. You can find more about it at www.ntp.org.

Once your system is properly set up, NTP will keep its time accurate, making very small adjustments so as not to impact the running applications.

People can get exact time using hardware based on the oscillation frequency of atoms' electrons. There is also a method based on GPS (Global Positioning System). The first is more accurate, but the second is pretty good too. Atomic clocks require very special and expensive equipment, but their maintainers (usually universities and research labs) connect them to computers that run an NTP daemon, and some of them are connected to the Internet, which finally lets us access them for free. And this is how we'll synchronize our systems.

Building a Simple Time Synchronization Architecture
You will need:

1) A direct or indirect (through a firewall) connection to the Internet, to synchronize our servers with a public accurate NTP server.

2) Choose some NTP servers. You can use the public server pool.ntp.org, or choose some from the stratum 2 public time servers on the NTP website. If you don't have Internet access, your WAN administrator (who must be a clever guy) can provide you some internal addresses.

3) Have the NTP package installed on all systems you want to synchronize. You can find RPMs on your favorite Linux distribution CD, or search on rpmfind.net.

Local Relay Servers for NTP

If you have several machines to synchronize, do not make them all access the remote NTP servers you chose. Only 2 of your server farm's machines need to access remote NTP servers, and the other machines will sync with these 2. We will call them the Relay Servers.

Your Relay Servers can be any machines already available in your network. NTP consumes little memory and CPU. You don't need a dedicated machine for it.



The Correct Settings for Your Linux Box
For any OS installation, you must know your Time Zone. This is expressed in terms of a city, a state or a country. You must also decide how to set the BIOS time, and we may follow two strategies here:

Linux Only Machine
In this case you should set BIOS time to UTC time. DST changes will be dynamically managed by Time Zone configurations.

Dual Boot Linux and MS Windows Machine
Windows handles time in a more primitive way than Linux. For Windows, BIOS time is always your local time, so DST changes are more aggressive because they directly change the hardware clock. And since both Linux and Windows initially get and set time from the hardware, when they are together, Linux must handle it in the same way. So set BIOS time to your local time.


Step 1, Setting the Zone Info file:

Your time zone is defined by /etc/localtime

If you are unsure whether the file you have is the correct one, you can check if it's the same as your time zone's file:
diff -b /usr/share/zoneinfo/America/Vancouver /etc/localtime
If it differs, you will have to remove it and create the link:
#rm /etc/localtime
#ln -s /usr/share/zoneinfo/America/Vancouver /etc/localtime
Alternatively, instead of creating the symbolic link, you can just copy the file:
#rm /etc/localtime
#cp /usr/share/zoneinfo/America/Vancouver /etc/localtime

Step 2, Setting the Time Zone:

On Red Hat Linux and derived systems, you can set the hardware clock strategy and Time Zone using the timeconfig command:
#timeconfig
that shows a user-friendly dialog to select your time zone, and apply the changes.

You can also use it non-interactively:
#timeconfig "America/Vancouver" # set HC to localtime, and TZ to America/Vancouver
or
#timeconfig --utc "America/Vancouver" # set HC to UTC, and TZ to America/Vancouver

In any case, this utility changes the /etc/sysconfig/clock file, which is read at boot time.
You can also edit it by hand; this is how it looks:

#cat /etc/sysconfig/clock
ZONE="America/Vancouver"
UTC=true
ARC=false

Step 3, Setting the Hardware Clock

I encourage you to set your hardware clock only after understanding how to get accurate time.

The hwclock command reads and sets the hardware clock, based on the options you give it, documented in its man page.
But you don't have to use it if you have a modern Linux distribution. After defining your hardware clock strategy and Time Zone, you can use the high-level setclock command to correctly set your hardware clock.
You don't need to pass any parameters, because setclock intelligently calls hwclock to set the BIOS based on your OS's current date and time. So you should always use the setclock command.

#hwclock --systohc --utc # set HC with UTC time based on OS current time (I personally use this one)

You can also use any of these options:

#setclock # The easy way to set HC
#hwclock # reads HC
#hwclock --systohc # set HC with local time based on OS current time
#hwclock --set --date "21 Oct 2004 21:17" # set HC with the time specified in the string

Since the OS time is independent from the hardware clock, any BIOS change we make will take effect at the next boot.


Another option to change HC is rebooting and accessing your computer BIOS screens, but as you see, there is no need to do it in Linux!

Step 4, Configure NTP protocol

Of course, as a prerequisite, you need to install the ntp package.

The only file to configure is /etc/ntp.conf. It does not matter whether you are configuring a client or a server (such as a local relay server serving your local network): the difference is only one keyword.

Change the following parameters in /etc/ntp.conf:

To make it a local relay server:

1) First we specify the servers you're interested in:

server otherntp.server.org # A stratum 1 server at server.org
server ntp.research.gov # A stratum 2 server at research.gov

2) Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

3) As this server is also going to provide time for other computers, such as PCs, other Linux servers and networking devices, you'll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement, removing the noquery keyword to allow the network to query your NTP server. The syntax is:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

4) We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords:

restrict 127.0.0.1

5) Save the file and restart NTP for these settings to take effect.

6) To get NTP configured to start at boot, use the line:

# chkconfig ntpd on



You can now configure other Linux hosts on your network to synchronize with this new master NTP server in a similar fashion.
To make it a client accessing your brand new local relay server:

1) First we specify the servers you're interested in. You can use a host name or an IP address; a host name is recommended, because if you later have to change the servers' IP addresses you don't have to change anything on your client computers:

server ntp1.mynetwork.com # Your first local ntp server
server ntp2.mynetwork.com # Your second local ntp server

2) Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict ntp1.mynetwork.com mask 255.255.255.255 nomodify notrap noquery
restrict ntp2.mynetwork.com mask 255.255.255.255 nomodify notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

3) As this server is NOT going to provide time for other computers, there is no need to allow others to query it, so include the noquery statement:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap noquery

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

4) We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords:

restrict 127.0.0.1

5) Save the file and restart NTP for these settings to take effect.

6) To get NTP configured to start at boot, use the line:

# chkconfig ntpd on


Step 5: First sync:

It's good practice to synchronize manually the first time, because if the time difference is too big, ntpd will not synchronize automatically.

For your local ntp server:

#service ntpd stop
#ntpdate otherntp.research.gov
#service ntpd start


For the rest of your servers/guests (the ntp clients):

#service ntpd stop
#ntpdate ntp1.mynetwork.com
#service ntpd start


To check the sync status, you can use:

#ntpq -p
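Reading the ntpq -p output by eye is fine for one box, but for a server farm it helps to have a script say yes or no. The following is an added example, not part of the original post; it assumes the classic ntpd column layout of ntpq -p, and the sample outputs inside it are constructed, not captured from a real host:

```shell
#!/bin/sh
# Added example, not from the original post: turn `ntpq -p` output into
# a pass/fail answer for the Step 5 check. Assumes the classic ntpd
# column layout (tally, remote, refid, st, t, when, poll, reach, delay,
# offset in ms, jitter): "*" in the tally column marks the peer ntpd is
# synchronized to, and reach 377 (octal) means the last 8 polls answered.

# Usage: ntp_sync_status MAX_OFFSET_MS "$(ntpq -p)"
# Exit 0 when a peer is selected, fully reachable and within the offset
# limit; 1 when no peer is selected yet; 2 when selected but not healthy.
ntp_sync_status() {
    printf '%s\n' "$2" | awk -v max="$1" '
        substr($0, 1, 1) == "*" {
            seen = 1; peer = substr($1, 2); reach = $7; off = $9
            aoff = (off < 0) ? -off : off
            if (reach != "377") { printf "selected %s but reach=%s\n", peer, reach; code = 2 }
            else if (aoff > max) { printf "selected %s but offset %s ms exceeds %s ms\n", peer, off, max; code = 2 }
            else { printf "synced to %s, offset %s ms\n", peer, off; code = 0 }
            exit
        }
        END { if (!seen) { print "no peer selected yet"; exit 1 }; exit code }'
}

# Constructed samples (not captured from a real host). First: a relay
# server converged on its stratum 1 upstream; second: a client whose
# ntpd just started and has not reached either local relay yet.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*otherntp.server .GPS.            1 u   38   64  377    9.876    0.412   0.103
+ntp.research.go 192.0.2.2        2 u   55   64  377   14.120   -1.207   0.255'

SAMPLE_FRESH='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.mynetwork. .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp2.mynetwork. .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Stand-alone demo on the constructed samples; on a real host use:
#   ntp_sync_status 100 "$(ntpq -p)"
ntp_sync_status 100 "$SAMPLE_SYNCED" || echo "exit status $?"
ntp_sync_status 100 "$SAMPLE_FRESH"  || echo "exit status $?"
```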


Enjoy, and have A GOOD TIME !!!