Configuring rsyslog on Solaris 11

By default, Solaris uses its native syslog as the log manager:

svcs system-log
STATE          STIME    FMRI
disabled       12:07:34 svc:/system/system-log:rsyslog
online         12:08:10 svc:/system/system-log:default

If you want to use rsyslog, check if the package is installed (on my machine it’s already there):

pkg info system/rsyslog

To install it:

pkg install system/rsyslog

Now, to use rsyslog, first you have to disable the native syslog:

svcadm disable system/system-log:default

Then enable and refresh the service:

svcadm enable system/system-log:rsyslog
svcadm refresh system/system-log:rsyslog

To check the status:

svcs -p rsyslog
STATE          STIME    FMRI
online         12:10:04 svc:/system/system-log:rsyslog
               12:10:04      1199 rsyslogd

SOCKS Proxy via SSH reverse tunnel

I was working on some test servers on which access is highly restricted (only SSH over VPN) and I couldn’t ask for proxy permissions for outbound HTTP connections so I wasn’t able to use any repo needed to install or upgrade software.

My laptop can access the Internet so it could act as proxy but I didn’t know how to redirect traffic from the remote server to my local machine.

And here’s where I “met” SSH reverse tunneling, which lets you connect via SSH to a remote server and tell it to forward all the TCP connections received on a specific port to another host.


Rundeck on openSUSE Leap

Yum RPM install is not supported on openSUSE and, if you want to use Rundeck on an openSUSE/SLES server, you must use the self-contained launcher (.war).

Issuing the java command (even if you’re just testing it) is a bit annoying for me, so I opted for a handy systemd service to manage Rundeck.

[Unit]
Description=Rundeck

[Service]
WorkingDirectory=/home/thinkhel/lab/rundeck
ExecStart=/usr/bin/java \
         -Xmx2g \
         -jar rundeck-systemd.war
Type=simple
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target

The -Xmx2g option sets the maximum Java heap size (here, 2 GB).

Git: creating a new branch and disabling push

To create a new branch:

git checkout -b [newbranch_name]

To disable pushes only for a branch:

git config branch.branch_name.remote no_push

If the branch is a local dev branch, it won’t be pushed by default; git push (no arguments) pushes only branches that exist locally and on the remote. If you try to push it, you’ll only create a new branch.

If you want to completely disable pushes (but still be able to pull):

git remote set-url --push origin no_push

To check your config:

git config -l

Enforcing password complexity on CentOS

The pam_pwquality (previously pam_cracklib) module is used to check password complexity against a set of rules. It checks if the password is found in a dictionary; if not, it will continue with additional checks.

The config file is /etc/security/pwquality.conf but, if the module is in use, its options can also be set in /etc/pam.d/system-auth.

To add the password policies, just add the options you need in system-auth, on the pam_pwquality.so line:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
  • minlen – minimum password length
  • lcredit – minimum number of lowercase letters
  • ucredit – minimum number of uppercase letters
  • dcredit – minimum number of digits
  • ocredit – minimum number of special characters

In this case, -1 means that the password must have at least one character of that type. You can change this number as you prefer.

If you need to enforce the policies even for the root user, use the enforce_for_root option.

You can also add policies using the authconfig command:

authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --update
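
An added example, not from the original post: a small POSIX shell check that reads one pam_pwquality.so line and reports which of the settings described above are weak or missing. The function names and the default threshold of 16 are assumptions for illustration; only the PAM line is inspected, so options set in /etc/security/pwquality.conf show up as unset.

```shell
#!/bin/sh
# Added example: audit one pam_pwquality.so line for the options described above.
# Only the PAM line is inspected; options set in /etc/security/pwquality.conf
# are reported as unset.

# Print the value of option $2 on PAM line $1 (prints nothing when absent).
pam_opt() {
    padded=" $1 "
    case $padded in
        *" $2="*) rest=${padded##* "$2"=}; printf '%s\n' "${rest%% *}" ;;
    esac
}

# Print one finding per weak or missing setting.
# Returns 0 when clean, 1 on findings, 2 when the module is not on the line.
# $2 is the minimum acceptable minlen (assumed default: 16, as in the post).
audit_pwquality() {
    line=$(printf '%s' "$1" | tr -s '[:space:]' ' ')
    want=${2:-16}
    findings=0
    case $line in
        *pam_pwquality.so*) ;;
        *) echo "pam_pwquality.so is not on this line"; return 2 ;;
    esac
    val=$(pam_opt "$line" minlen)
    case $val in
        ''|*[!0-9]*) echo "minlen is unset or not a number"; findings=1 ;;
        *) [ "$val" -ge "$want" ] || { echo "minlen=$val is below $want"; findings=1; } ;;
    esac
    for opt in lcredit ucredit dcredit ocredit; do
        val=$(pam_opt "$line" "$opt")
        case $val in
            -[1-9]*) ;;   # negative: at least that many characters required
            *) echo "$opt=${val:-unset} does not require that character class"; findings=1 ;;
        esac
    done
    case " $line " in
        *" enforce_for_root "*) ;;
        *) echo "enforce_for_root is missing: policy not enforced for root"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample: the system-auth line from the post, as written.
SAMPLE='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1'
audit_pwquality "$SAMPLE" || true
```

On a real host, pass it the matching line from /etc/pam.d/system-auth instead of the sample.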