Defense Security Service (Unix Security Guide) Solaris Workshop


Tito Cordero, DSS Irving Field Office, 14 December 2005

Solaris Workshop (Introduction)
• Purpose
  – To provide descriptions of how to implement security features within the Solaris Unix platform
  – To implement system certification for National Security Information at Protection Level 1 or Protection Level 2
  – To provide the Information System Security Manager with oversight of NISPOM Chapter 8 requirements within the UNIX platform

(Audit)
• Audit Capability
  – Set the system time (see the Solaris manual page for the date command):
      # date mmddHHMMyy
      # man date
  – Master time server and slaves:
    • Ensure that the system designated to act as master time server has the correct time.
    • To synchronize the time on a time slave system with the designated master system, issue the command:
      # rdate <designated_master>

(Audit)
• To continually synchronize the slave system to the master, add the following lines to root's crontab file:
      # each hour, on the hour, run rdate to synchronize with the master
      0 * * * * rdate <designated_master>
• If the system time is not set to the US Central Time Zone, what is the offset from Greenwich Mean Time? (US Central is GMT-6.)

(relevant logged events)
• The following files and directories are the locations of security-relevant logged events:
  – /var/adm/wtmpx, /var/adm/utmpx – Binary files recording all logins, logouts, and system reboots. The "last" command is used to display their contents.
  – /var/adm/LOGINLOG – Failed login log. If this file exists, the login utility will log all failed logins here.
  – /var/adm/sulog – This file contains both successful and failed attempts to use the su (switch user) command. It will show persons accessing an account they are not authorized to access.

(relevant logged events)
  – /etc/security/audit – Directory containing all the auditing records gathered for denial of file access.
  – /etc/local/audit – Directory containing all the filtered auditing records gathered for denial of file access.

(Basic Security Module)
• To set up system auditing, perform the following steps:
  – Sun Solaris Basic Security Module (BSM) provides additional security features that are not supplied in standard Solaris. To enable BSM:
    • Log in as root.
    • Bring the system into single-user mode by executing the following commands:
      # sync
      # sync
      # init 0
      ok boot -s        (at the OpenBoot "ok" prompt)

(Basic Security Module)
• Change directory to /etc/security:
      # cd /etc/security
• Execute the bsmconv script:
      # ./bsmconv
• After running the script, halt the system and reboot into multi-user mode:
      # sync
      # sync
      # init 6          (or: # reboot)

(Basic Security Module)
• Auditing is enabled by starting the audit daemon (auditd). The existence of the /etc/security/audit_startup script, created during the BSM package installation, causes the daemon to run automatically when the system enters multi-user mode. This script configures the event-to-class mappings and sets the audit policies.

(Basic Security Module)
• Set the following flags in the /etc/security/audit_control file:
      flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo
• The flags are defined as:
      ad  administrative   Administrative actions: mount, exports, etc.
      fa  file_attr_acc    Access of object attributes: stat, pathconf, etc.
      fr  file_read        Read of data, open for reading, etc.
      fw  file_write       Write of data, open for writing, etc.
      fm  file_attr_mod    Change of object attributes: chown, flock, etc.
      fc  file_creation    Creation of object
      fd  file_deletion    Deletion of object

(Basic Security Module)
      cl  file_close       close(2) system call
      lo  login_logout     Login and logout events
• A minus sign in front of a flag logs only failures of the described class; a flag with no sign logs both successes and failures.
• Make the new data available to the BSM service, either by rebooting the system or by entering the following command:
      # audit -s

(logons & logoffs)
• Successful logins, logouts, and system reboots are recorded in the binary files:
  – /var/adm/utmpx and /var/adm/wtmpx
• The login command logs all login successes and failures via the syslog facility. To redirect these to the file /var/adm/LOGINLOG, add the following lines to /etc/syslog.conf:

(logons & logoffs)
      auth.notice<TAB><TAB><TAB><TAB><TAB>/var/adm/LOGINLOG
      auth.info<TAB><TAB><TAB><TAB><TAB>/var/adm/LOGINLOG
      auth.debug<TAB><TAB><TAB><TAB><TAB>/var/adm/LOGINLOG
• Create the LOGINLOG file to track these notices:
      # touch /var/adm/LOGINLOG
      # chown root:sys /var/adm/LOGINLOG
      # chmod 600 /var/adm/LOGINLOG
• Restart the syslog daemon:
      # /etc/init.d/syslog stop
      # /etc/init.d/syslog start

(logons & logoffs)
• Failed logins are logged to the /var/adm/loginlog file after five failed attempts.
• Create the loginlog file to track failed logins:
      # touch /var/adm/loginlog
      # chown root:sys /var/adm/loginlog
      # chmod 600 /var/adm/loginlog
• /var/adm/sulog: This file records all successful and failed attempts to use the su (switch user) command.

(logons & logoffs)
• BSM – Adding the flag "lo" to the /etc/security/audit_control file as described above configures BSM to record both successful and unsuccessful logon/logoff events to the BSM log files in the /etc/security/audit directory.

(Blacklist)
• The blocking or blacklisting of a user ID, terminal or access port, and the reason for the action.
• In the file /etc/default/login set:
  – RETRIES=5
    • (Exits the login after RETRIES unsuccessful attempts.)
  – SYSLOG_FAILED_LOGINS=5
    • (If there are SYSLOG_FAILED_LOGINS consecutive unsuccessful login attempts, each of them will be logged in /var/adm/loginlog, if it exists. Users get at most the minimum of (RETRIES, SYSLOG_FAILED_LOGINS) unsuccessful attempts.)
(Blacklist)
  – DISABLETIME=300
    • (Disables the login for three hundred seconds after SYSLOG_FAILED_LOGINS or RETRIES unsuccessful attempts; the value 300 sets this to 5 minutes.) (Note: conflicts if the environment variable TIMEOUT is also set.)
• The five successive login failures will be logged in /var/adm/loginlog, which was configured in prior steps. The terminal port and failure will be logged in /var/adm/LOGINLOG, which was also configured in a prior step.

(Blacklist)
• Denial of access resulting from an excessive number of unsuccessful logon attempts: in Solaris, by default and as specifically configured in paragraph 2.1 e above, five attempts are allowed before an attempted login dies. Login failures are reported via the syslog facility.

(Audit Trail Protection)
• The contents of audit trails will be protected against unauthorized access, modification, or deletion. Only authorized admin and support personnel will have permissions to access audit trail data. Log files should be owned by root and have a group of sys. With the exception of the messages file, all files should be set to have permissions such that only root can read or write them. Read on the messages file is allowed for all users, as valuable debugging messages are logged in this file.

(Audit Trail Protection)
• /var/adm/messages:
      # chown root:sys /var/adm/messages
      # chmod 644 /var/adm/messages
• /var/adm/loginlog:
      # chown root:sys /var/adm/loginlog
      # chmod 600 /var/adm/loginlog
• /var/adm/LOGINLOG:
      # chown root:sys /var/adm/LOGINLOG
      # chmod 600 /var/adm/LOGINLOG
• /var/adm/sulog:
      # chown root:sys /var/adm/sulog
      # chmod 600 /var/adm/sulog

(Audit Trail Protection)
• /etc/passwd and /etc/shadow:
  – The passwd file should be "shadowed" by running the pwconv command. This removes the encrypted passwords from the /etc/passwd file, which is readable by everyone, and places them in /etc/shadow, which is readable only by root.
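The lockout values under Blacklist and the ownership and permission requirements under Audit Trail Protection are settings an ISSM has to re-verify, not just set once. The script below is an added example, not part of the DSS workshop material: it reads a copy of /etc/default/login, reports the effective lockout threshold using the slide's rule of min(RETRIES, SYSLOG_FAILED_LOGINS), and checks the listed log files plus /etc/passwd and /etc/shadow against the modes the slides give (messages readable by all and writable only by root, the rest root-only). It parses ls -l output rather than stat(1) so it behaves the same on Solaris and Linux; root:sys ownership for /etc/passwd and /etc/shadow is an assumption (the slides give only their modes), and the optional ROOT prefix exists so the checks can be run against fixtures.

```shell
#!/bin/sh
# Added example (not from the DSS workshop): verify the /etc/default/login
# lockout settings and the log-file ownership/permissions the guide prescribes.

# login_setting FILE KEY -> prints the value of KEY=value in FILE (commented
# lines ignored, last definition wins), or nothing if the key is unset.
login_setting() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# effective_lockout FILE -> the number of failed attempts a user actually
# gets: min(RETRIES, SYSLOG_FAILED_LOGINS), as the Blacklist slide states.
effective_lockout() {
    r=$(login_setting "$1" RETRIES)
    s=$(login_setting "$1" SYSLOG_FAILED_LOGINS)
    if [ -z "$r" ] || [ -z "$s" ]; then
        echo "unset"; return 1
    fi
    if [ "$r" -le "$s" ]; then echo "$r"; else echo "$s"; fi
}

# check_login_defaults FILE -> 0 when RETRIES=5, SYSLOG_FAILED_LOGINS=5 and
# DISABLETIME=300 are all set as the guide prescribes, 1 otherwise.
check_login_defaults() {
    rc=0
    for kv in RETRIES=5 SYSLOG_FAILED_LOGINS=5 DISABLETIME=300; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(login_setting "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $want"; rc=1
        fi
    done
    return $rc
}

# check_file_perms FILE MODE OWNER GROUP -> 0 when the symbolic mode (as ls -l
# shows it, e.g. -rw-------), owner and group all match, 1 otherwise.
# An ACL or security-context marker after the 10-character mode is ignored.
check_file_perms() {
    [ -e "$1" ] || { echo "FAIL: $1 missing"; return 1; }
    actual=$(ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }')
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "FAIL: $1 is $actual, expected $2 $3 $4"; return 1
    fi
    return 0
}

# audit_workshop_settings [ROOT] -> runs every check against the live files
# (or a tree rooted at ROOT); prints each finding and returns 1 if any failed.
audit_workshop_settings() {
    root=${1:-}; rc=0
    check_login_defaults "$root/etc/default/login" || rc=1
    echo "effective lockout threshold: $(effective_lockout "$root/etc/default/login") attempts"
    # messages stays world-readable; every other log is root read/write only
    check_file_perms "$root/var/adm/messages" -rw-r--r-- root sys || rc=1
    for f in loginlog LOGINLOG sulog; do
        check_file_perms "$root/var/adm/$f" -rw------- root sys || rc=1
    done
    # root:sys for passwd/shadow is assumed; the slides state only the modes
    check_file_perms "$root/etc/passwd" -rw-r--r-- root sys || rc=1
    check_file_perms "$root/etc/shadow" -rw------- root sys || rc=1
    return $rc
}

# Run the full check only when invoked as: sh check_solaris.sh run [ROOT]
if [ "${1:-}" = "run" ]; then
    audit_workshop_settings "${2:-}"
fi
```

A non-zero exit from audit_workshop_settings is the signal to act on; each FAIL line names the file or key and the expected value so the fix is the corresponding chown/chmod or /etc/default/login edit from the slides.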
  – To implement this, do the following:
      # pwconv
      # chmod 644 /etc/passwd
      # chmod 600 /etc/shadow

(Audit Trail Protection)
• Remove world permissions on the log directory:
      # chmod 640 /etc/security/audit/<hostname>
      # chown root /etc/security/audit/<hostname>
• BSM – Apply the required permissions to the audit trail directory, subdirectories and files on the local machine:
      # chmod 640 /etc/security/audit/<hostname>
      # chown root /etc/security/audit/<hostname>

(Audit Trail Analysis)
• Audit analysis and reporting will be scheduled and performed at least weekly.
• To review /var/adm/messages:
      # more /var/adm/messages
  or
      # view /var/adm/messages
• To review /var/adm/loginlog:
      # more /var/adm/loginlog
  or
      # view /var/adm/loginlog

(Audit Trail Analysis)
• To review /var/adm/sulog:
      # more /var/adm/sulog
  or
      # view /var/adm/sulog
• To review locked accounts:
      # more /etc/shadow
  or
      # view /etc/shadow
• To review login information:
      # last
      # more /var/adm/loginlog
  or
      # view /var/adm/loginlog

(Slide Title)
• Questions
• Now a five-minute recess
• Test
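Paging through /var/adm/sulog and /var/adm/loginlog with more or view works for a small system, but the weekly review is easier to do consistently when the records are summarized first. The script below is an added example and not part of the workshop: it assumes the standard Solaris record layouts (sulog: "SU mm/dd HH:MM +|- tty from-to", where "-" marks a failed su; loginlog: "user:tty:timestamp"), embeds constructed sample records labelled as such so it runs offline, and reports failed su attempts by source and target, accounts that repeatedly failed to become root, and failed logins per user. On a live system pass /var/adm/sulog and /var/adm/loginlog to the functions instead.

```shell
#!/bin/sh
# Added example (not part of the DSS workshop): summarize the su and loginlog
# records the guide says to review weekly. Sample records are constructed.

# Constructed /var/adm/sulog records: "SU mm/dd HH:MM [+|-] tty from-to",
# where "-" marks a failed su attempt and "+" a successful one.
SAMPLE_SULOG='SU 12/14 09:12 + pts/2 tcordero-root
SU 12/14 09:40 - pts/3 jdoe-root
SU 12/14 09:41 - pts/3 jdoe-root
SU 12/14 09:43 - pts/3 jdoe-root
SU 12/14 10:05 + console root-oracle
SU 12/14 11:30 - pts/5 asmith-root'

# Constructed /var/adm/loginlog records: "user:tty:timestamp", one per failed
# login once the SYSLOG_FAILED_LOGINS threshold in /etc/default/login is hit.
SAMPLE_LOGINLOG='jdoe:/dev/pts/3:Wed Dec 14 09:30:02 2005
jdoe:/dev/pts/3:Wed Dec 14 09:30:09 2005
guest:/dev/pts/7:Wed Dec 14 12:01:44 2005'

# su_failures FILE -> "from-to count" for each failed su pair, most frequent
# first (ties broken alphabetically).
su_failures() {
    awk '$4 == "-" { n[$6]++ } END { for (k in n) print k, n[k] }' "$1" |
        sort -k2,2nr -k1,1
}

# su_repeat_offenders FILE THRESHOLD -> source accounts with at least THRESHOLD
# failed attempts to become root, one per line, sorted.
su_repeat_offenders() {
    awk -v t="$2" '$4 == "-" && $6 ~ /-root$/ { sub(/-root$/, "", $6); n[$6]++ }
        END { for (k in n) if (n[k] >= t) print k }' "$1" | sort
}

# loginlog_by_user FILE -> "user count" of failed logins, most frequent first.
# The user is field 1; timestamps contain colons but sit after the tty field.
loginlog_by_user() {
    awk -F: '{ n[$1]++ } END { for (k in n) print k, n[k] }' "$1" |
        sort -k2,2nr -k1,1
}

# weekly_report SULOG LOGINLOG -> prints the three summaries for the review.
weekly_report() {
    echo "== failed su attempts (from-to count) =="; su_failures "$1"
    echo "== accounts with 3 or more failed su to root =="; su_repeat_offenders "$1" 3
    echo "== failed logins by user =="; loginlog_by_user "$2"
}

# Run against the constructed samples only when invoked as: sh su_report.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SULOG" > "$dir/sulog"
    printf '%s\n' "$SAMPLE_LOGINLOG" > "$dir/loginlog"
    weekly_report "$dir/sulog" "$dir/loginlog"
    rm -rf "$dir"
fi
```

On the constructed records the report shows jdoe with three failed su attempts to root in four minutes and two failed logins shortly before, which is the pattern the sulog slide describes as someone accessing an account they are not authorized to use; the successful root-oracle entry from the console is the kind of line that is legitimate but still worth confirming against the ISSM's list of authorized administrators.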