ARC Sign / Verify in Postfix - postfix-mta

I've upgraded my Postfix mail system from opendkim to dkimpy in Debian Stretch using Backports, because I'm trying to implement ARC signing and verification. I was able to get dkimpy working insofar as DKIM verification was done on inbound mail, but I couldn't get DKIM signing to work and found little to no information / documentation on ARC in dkimpy. Any help would be appreciated. My config is below.
# /etc/postfix/master.cf
smtp       inet  n  -  y  -  -  smtpd
  -o smtpd_milters=inet:localhost:8892
  -o milter_macro_daemon_name=VERIFYING
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=inet:localhost:8892
  -o non_smtpd_milters=inet:localhost:8892
  -o milter_macro_daemon_name=ORIGINATING
# /etc/dkimpy-milter.conf
Domain *
KeyFile /etc/pki/dkim/alpha.private
Selector alpha
Canonicalization relaxed/simple
Mode sv
Socket inet:8892@localhost
PidFile /var/run/dkimpy-milter/dkimpy-milter.pid
UserID dkimpy-milter
MacroList daemon_name|ORIGINATING
MacroListVerify daemon_name|VERIFYING

Related

Upload EK certificate into TPM NVRAM

I am trying to use an application that utilizes the TPM EK certificate on the hardware to perform hardware attestation. I am using an UPxtreme i7 board and I noticed there was no EK certificate in the TPM NVRAM. I have been trying unsuccessfully to manually create an EK certificate and upload into the NVRAM. Any ideas on how to go about this?
I am using ubuntu 20.04 on the board and I have installed all the necessary tpm tools.
Steps I took:
tpm2_createek -G rsa -u ek.pub -c key.ctx   # create the EK
tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://ekop.intel.com/ekcertservice/   # fetch the EK certificate
tpm2_nvdefine 0x01c00002 -C o -s 1033 -a 'ppwrite|writedefine|write_stclear|ppread|ownerread|authread|no_da|written|platformcreate'   # define the NVRAM index. This is where I keep getting errors.
Error:
WARNING:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:344:Esys_NV_DefineSpace_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:122:Esys_NV_DefineSpace() Esys Finish ErrorCode (0x000002c2)
ERROR: Failed to define NV area at index 0x1C00002
ERROR: Esys_NV_DefineSpace(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_nvdefine
Any ideas on how to successfully define the NVRAM index and upload the certificate. Or if anyone has a better approach to this. Thank you.
The written flag should not be provided; it is set when an nvwrite is executed, and setting it directly causes an inconsistent attributes error. See Trusted Platform Module Library Part 2: Structures, table 204 for more details about the flags.
The following works for me:
$ tpm2_nvdefine 0x01c00002 -C p -a 'ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate'
$ tpm2_nvwrite 0x01c00002 -C p -i ek.cert
Be aware that the 0x01c00002 index is the NV index for an RSA 2048 EK Certificate. Use 0x01c0000a if you want an ECC NIST P256 EK Certificate. See TCG EK Credential Profile, chapter 2.2.1.4.
To finish it up, you should lock the index so the certificate cannot be overridden:
$ tpm2_nvwritelock 0x01c00002 -C p
I hope the answer is complete enough for you :)
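As an added illustration of the point about the written flag (example code, not part of the answer above): it encodes the attribute names tpm2_nvdefine -a accepts into the TPMA_NV bit field of table 204 and applies the define-time checks behind the 0x2C2 inconsistent-attributes error. The rule set is limited to the checks relevant here, not the TPM's full validation.

```python
# Added example (not from the original answer): encode a tpm2-tools style
# TPMA_NV attribute list into the 32-bit value the TPM sees and apply the
# define-time rules that yield TPM_RC_ATTRIBUTES (0x2C2). Bit positions follow
# TPM 2.0 Library Part 2, table 204; only the rules relevant to this error
# are checked, so an empty result is not a guarantee of acceptance.

# Names are the ones tpm2_nvdefine -a accepts (TPM_NT field bits 4-7 omitted).
TPMA_NV_BITS = {
    "ppwrite": 0, "ownerwrite": 1, "authwrite": 2, "policywrite": 3,
    "policydelete": 10, "writelocked": 11, "writeall": 12, "writedefine": 13,
    "write_stclear": 14, "globallock": 15, "ppread": 16, "ownerread": 17,
    "authread": 18, "policyread": 19, "no_da": 25, "orderly": 26,
    "clear_stclear": 27, "readlocked": 28, "written": 29,
    "platformcreate": 30, "read_stclear": 31,
}
WRITE_AUTH = ("ppwrite", "ownerwrite", "authwrite", "policywrite")
READ_AUTH = ("ppread", "ownerread", "authread", "policyread")
# State bits the TPM maintains itself; TPM2_NV_DefineSpace rejects them if SET.
MUST_BE_CLEAR = ("written", "writelocked", "readlocked")


def encode_nv_attrs(spec: str) -> int:
    """Turn 'ppwrite|ppread|...' into the TPMA_NV bit mask."""
    value = 0
    for name in filter(None, spec.replace(" ", "").split("|")):
        if name not in TPMA_NV_BITS:
            raise ValueError(f"unknown TPMA_NV attribute: {name}")
        value |= 1 << TPMA_NV_BITS[name]
    return value


def is_set(attrs: int, name: str) -> bool:
    return bool(attrs & (1 << TPMA_NV_BITS[name]))


def check_define_consistency(attrs: int) -> list:
    """Return the define-time violations found; [] means none of these rules fire."""
    problems = [f"TPMA_NV_{n.upper()} must be CLEAR at define time"
                for n in MUST_BE_CLEAR if is_set(attrs, n)]
    if not any(is_set(attrs, n) for n in WRITE_AUTH):
        problems.append("no write authorization bit set")
    if not any(is_set(attrs, n) for n in READ_AUTH):
        problems.append("no read authorization bit set")
    return problems


if __name__ == "__main__":
    asked = "ppwrite|writedefine|write_stclear|ppread|ownerread|authread|no_da|written|platformcreate"
    fixed = "ppwrite|writedefine|ppread|ownerread|authread|no_da|platformcreate"
    for label, spec in (("question", asked), ("answer", fixed)):
        attrs = encode_nv_attrs(spec)
        print(f"{label}: 0x{attrs:08x} -> {check_define_consistency(attrs) or 'consistent'}")
```

The numeric value printed can be passed to tpm2_nvdefine -a in place of the name list, which is handy when comparing against what tpm2_nvreadpublic reports for an existing index.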

Nagios Alert returns "NRPE: Unable to read output" Command: check_service!httpd

I have installed Nagios on Redhat with the following configurations:
/usr/local/nagios/etc/static/commands.cfg
define command {
    command_name check_service
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_service -a $ARG1$
}
When I try to run it manually:
If I try to use the following syntax, I get an error:
/usr/local/nagios/libexec/check_nrpe -H 10.111.55.92 -c check_service -a check_http
NRPE: Unable to read output
Not using nrpe:
/usr/local/nagios/libexec/check_http -H 10.111.55.92
HTTP OK: HTTP/1.1 200 OK - 4298 bytes in 0.024 second response time |time=0.024462s;;;0.000000 size=4298B;;;0
I am consistently getting Nagios Email notifications:
HOST: Proxy (Dev) i-01aa24242424d7
IP: 10.111.55.92
Service: Apache Running
Service State: UNKNOWN
Attempts: 3/3
Duration: 0d 9h 28m 49s
Command: check_service!httpd
More Details:
NRPE: Unable to read output
Not sure how I can use nrpe with check_service to check http.
Just running check_nrpe with check_http displays the version of the installed nrpe:
/usr/local/nagios/libexec/check_nrpe -H 10.111.55.92 -a check_http
NRPE v3.2.1
/usr/local/nagios/etc/nrpe.cfg
command[check_users]=/usr/local/nagios/libexec/check_users -w 10 -c 15
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_root_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 10 -c 15 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 500 -c 750
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 500 -c 750
command[check_ping]=/usr/local/nagios/libexec/check_ping $ARG1$
command[check_http]=/usr/local/nagios/libexec/check_http
# LINUX DEFAULT
command[check_service]=/bin/sudo -n /bin/systemctl status -l $ARG1$
# GLUSTER CHECKS
command[check_glusterdata]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /gluster
# GITLAB CHECKS
command[gitlab_ctl]=/bin/sudo -n /bin/gitlab-ctl status $ARG1$
command[gitlab_rake]=/bin/sudo -n /bin/gitlab-rake gitlab:check
command[check_gitlabdata]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /var/opt/gitlab
# OPENSHIFT CHECKS
command[check_openshift_pods]=/usr/local/nagios/libexec/check_pods
File: /usr/local/nagios/etc/nagios.cfg
cfg_dir=/usr/local/nagios/etc/static
You seem to be confusing two plugins. check_service will just check a service is running locally. Try calling it like this:
/usr/local/nagios/libexec/check_nrpe -H 10.111.55.92 -c check_service -a httpd
I'd hesitate to use the check_service command you have in there though. Giving nrpe access to run systemctl with sudo seems dangerous to me.
check_http is an http client. It will actually connect to an http server and check a given URI. It can check status codes and do all sorts of things.
It looks like in your nrpe.cfg you didn't include any arguments to check_http. It will just print its help message if you call it like that, I don't think it will check the local machine.
Note that when you call check_http above manually, you supply -H. That -H is not passed through automatically, you need to provide arguments to your check_http command in nrpe.cfg.
Change the line:
command[check_http]=/usr/local/nagios/libexec/check_http
To something like:
command[check_http]=/usr/local/nagios/libexec/check_http -H 127.0.0.1
And it should work better assuming your http is listening on localhost.
You probably don't want to call check_http via nrpe like this though. Let your nagios server call check_http out to the remote machine.

Asterisk TLS failing to work

I've followed the tutorial to a T from the Wiki on TLS security; however, it is not working.
Configuration
sip.conf
[general]
tlsenable=yes
tlsbinaddr=0.0.0.0
tlsclientmethod=tlsv1
tlscertfile=/etc/asterisk/secure-keys/asterisk.pem
register => tls://1234:password@<ip add for PBX>
[1234]
type=friend
transport=tls
context=Phones
host=dynamic
secret=password
Creating the keys
The commands I used to create Asterisk keys were:
./ast_tls_cert -C <ip of PBX>.mycompany.com -O "TEST" -d /etc/asterisk/secure-keys
The command I used to create the softphone key was:
./ast_tls_cert -m client -c /etc/asterisk/secure-keys/ca.crt -k /etc/asterisk/ca.key -C 1234.mycompany.com -O "test" -d /etc/asterisk/secure-keys -o 1234
I've copied over the 1234.pem and ca.crt files to the desktop containing the softphone. I have the softphone set to use TLS transport and I've selected the 1234.pem file as the TLS client certificate.
Problem
It is telling me the Certificate common name did not match.
It is also providing this: "problem setting up ssl connection....SSL routines: ssl3_read_bytes:tlsv1 alert unknown ca"
I was opening the ca.crt file on the client as the .pem file; once I correctly installed the ca.crt file it made a peering with the server.

Snort - Error while running

Running snort (in packet dump mode) with the command sudo snort -C snort.conf -A console -i eth0, the following problem occurred:
--== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: snort.conf
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "eth0".
ERROR: Can't set DAQ BPF filter to 'snort.conf' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting..
Can someone please suggest a solution?
You're using the wrong option to load the configuration, it should be the lower case '-c'.
sudo snort -c snort.conf -A console -i eth0
Also, you can test your configuration with '-T' before running it:
sudo snort -T -c snort.conf
Just put "-i" before eth0 in the command; it will solve the problem.
Try this:
sudo service snort start
ps ax|grep snort
The output I got was
/usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i enp4s0
The man page says
-D Run Snort in daemon mode. Alerts are sent to
/var/log/snort/alert unless otherwise specified.
So when I drop the -D and add the -A:
sudo /usr/sbin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i enp4s0 -A console
Works for snort Version 2.9.7.0 GRE (Build 149)

Setting up a service at start-up as non-root user

I would like to have a service start at boot, as a non-root user on Fedora 15.
I have placed the script into /etc/init.d/, used chkconfig --add and chkconfig --level to get it all set up and it is working correctly.
What do I need to do to have it launched as non-root?
Thank you!
Kate
If your current invocation of the service is:
/path/to/service -o -K /var/adm/log/service.log
then use 'su' or 'sudo' to change to a non-root user:
sudo -u non-root -- /path/to/service -o -K /var/adm/log/service.log
su non-root -c "/path/to/service -o -K /var/adm/log/service.log"
The double-dash is important to separate the 'options to sudo' from the 'options to your service'.