How To Install NixOS Minimum from USB drive

Posted on December 29, 2023 by admin

You can make the USB drive by downloading the image off of nixos.org and then use Etcher, dd, or your favorite iso to USB drive utility.

The minimum version of NixOS does not come with a GUI installer.

https://nixos.org/manual/nixos/stable/#ch-installation

The manual contains all the info needed. For a minimum install, there are a couple of steps that you need to perform, before you can install.

Format hard disk
Create config file
Install

Format Hard Disk

We’ll assume that /dev/sda is our target disk. This will overwrite the disk. Make sure you don’t need anything on it.

parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart root ext4 512MB -8GB
parted /dev/sda -- mkpart swap linux-swap -8GB 100%
parted /dev/sda -- mkpart ESP fat32 1MB 512MB
parted /dev/sda -- set 3 esp on

Format the partitions

mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2
mkfs.fat -F 32 -n boot /dev/sda3
mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot
swapon /dev/sda2

Create a basic config file

nixos-generate-config --root /mnt

You can edit the config to make any changes you need. You may want to uncomment the user lines to setup a new user.

nano /mnt/etc/nixos/configuration.nix

Install NixOS

nixos-install

Last step is to setup the root and user password.

passwd

Reboot the machine once the password is set.

After you log in, set the user password.

passwd username

How to Fix OpenVAS “ERROR: The default PostgreSQL version (14) is not 16 that is required libgvmd”

Posted on December 26, 2023 by admin

Currently OpenVAS needs PostgreSQL 16 on port 5432. If you have multiple versions of PostgreSQL, the lowest version will typically run on port 5432, and then they’ll increment from there. For example, if you have PostgreSQL 14, 15, and 16, 14 will run on port 5432, 15 on 5433, and 16 on 5434.

The quick fix is to edit the PostgreSQL config files, change the port numbers, restart PostgreSQL, and rerun gvm-setup.

vi /etc/postgresql/16/main/postgresql.conf

Change port number from 5434 to 5432

You will need to remove/disable/change the port for PostgreSQL 14

sudo apt remove postgresql-14

sudo systemctl restart postgresql@16-main.service

We can verify that PostgreSQL is running with netstat.

netstat -tulpn

We can see that the ports 5432 (PostgreSQL 16) and 5433 (PostgreSQL 15) are both running.

Rerun gvm-setup

sudo gvm-setup

Install and Setup OpenVAS on Kali Linux 2023/2024

Posted on December 26, 2023 by admin

Notes on installing OpenVAS on Kali Linux in 2023/2024

sudo apt install openvas

Run the setup script. This used to be called openvas-setup, now it is gvm-setup. Note that the script can take a long time to run.

gvm-setup

At the end of the script, it will give you a password. Use this password to log into the web interface. You can reset the password if needed.

If you run into issues with PostgreSQL, check out this post

Log into the web interface at

https://127.0.0.1:9392

Troubleshooting

On Kali Linux, you need to run commands as the _gvm user. You can do this by prepending the commands with

sudo runuser -u _gvm -- COMMAND

There are two — dashes, between the _gvm user and the COMMAND. Replace COMMAND with the GVM/OpenVAS command you want to execute.

Example, to list the current users do

sudo runuser -u _gvm -- gvmd --get-users

To create a new user run

sudo runuser -u _gvm -- gvmd --user=newadmin --new-password=longsecurepassword

Failed to find config ‘daba56c8-73ec-11df-a475-002264764cea’

If you receive a `Failed to find config ‘daba56c8-73ec-11df-a475-002264764cea'”` error,

try running the following command

sudo runuser -u _gvm -- greenbone-nvt-sync

This can take awhile, but it should sync all the files needed. Check the following link for more information.

https://forum.greenbone.net/t/cant-create-a-scan-config-failed-to-find-config/5509

The following link is also helpful for installing OpenVAS

https://stafwag.github.io/blog/blog/2021/02/28/howto-install-opevas-on-kali/

Extract part of a tar archive

Posted on December 23, 2023 by admin

You can use tar -tvf to show the contents of a tar file.

tar -tvf  filename.tgz

You can extract a portion of the archive with

tar -zxvf filename.tgz path/inside/file -C destination/path

For instance, if I have a tar backup of my /home directory, and I need to extract a file out of the tarred Downloads to my current Downloads directory, I can do

tar -zxvf home.tgz home/incredigeek/Downloads/slack.deb ~/Downloads

https://www.cyberciti.biz/faq/list-the-contents-of-a-tar-or-targz-file/

https://stackoverflow.com/questions/24057301/bash-extract-only-part-of-tar-gz-archive

Copy SSH Keys to Server with SFTP

Posted on December 5, 2023 by admin

These steps assume you already have a public SSH key, if not, create one

SSH-Copy-Id is an easier way to upload ssh keys, however, it does not work on all devices.

ssh to the remote server using your password.

If it is not already created, create the authorized_keys file under the .ssh folder

touch ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys

vi ~/.ssh/authorized_keys

Add your public key to the end of the authorized_keys file

Ensure that the correct owner and permissions are on the files.

The .ssh directory should be

chmod 700 .ssh

And the authorized_keys file should be 600

chmod 600 ~/.ssh/authorized_keys

Both should be owned by the user. Change username to your username.

sudo chown -R username:username .ssh/authorized_keys

Helpful links

https://blog.tinned-software.net/setup-sftp-only-account-using-openssh-and-ssh-key/

https://blog.tinned-software.net/ssh-passwordless-login-with-ssh-key/

How To Check if RHEL/AlmaLinux needs a reboot after an update

Posted on October 23, 2023 by admin

Typically you’ll need to reboot a server after an update if the Linux Kernel was updated. It is possible that services need to be restarted.

There is some good information here https://serverfault.com/questions/122178/how-can-i-check-from-the-command-line-if-a-reboot-is-required-on-rhel-or-centos

Using Yum Utilities needs-restarting

Install the needs-restarting utility

sudo dnf install -y yum-utils

Once installed, we can check if we need to reboot with

sudo needs-restarting -r

The -r option only reports if a reboot is required.

If we wanted to automatically check and reboot, we could do

sudo needs-restarting -r || sudo shutdown -r

Alternative way

We could alternatively just check the kernel version and if it is different, manually reboot the machine. Note that there could be a couple cases where the kernel didn’t update, but you still need a reboot, or services needed to be restarted View links below for more information.

LAST_KERNEL=$(rpm -q --last kernel | perl -pe 's/^kernel-(\S+).*/$1/' | head -1)
CURRENT_KERNEL=$(uname -r)

test $LAST_KERNEL = $CURRENT_KERNEL || shutdown -r

How to determine if Ubuntu Needs a Reboot after an update

Posted on October 4, 2023 by admin

Typically after a Linux Kernel update, you will want to reboot your machine to take advantage of the new kernel. But how do you know if you need to reboot?

Fortunately, there is a simple way to check.

cat /var/run/reboot-required

If it returns

*** System restart required ***

Then we should reboot the machine.

https://www.cyberciti.biz/faq/how-to-find-out-if-my-ubuntudebian-linux-server-needs-a-reboot/

Using Auditd to monitor changes to Linux

Posted on October 4, 2023 by admin

Install and enable auditd with

sudo dnf install auditd
sudo systemctl enable auditd
sudo systemctl start auditd

Add a file or directory to monitor with

auditctl -w /etc/passwd -k password

-w is watch path
-k is a filter key we can use later to search through logs

Now we can search with ausearch

ausearch -k password

Using Preconfigured Rules

There are already some preconfigured rules in /usr/share/audit/sample-rules/

We can copy those to /etc/auditd/rules.d/ and use them.

cd /usr/share/audit/sample-rules/
cp 10-base-config.rules 30-stig.rules 31-privileged.rules 99-finalize.rules /etc/audit/rules.d/
augenrules --load

Note on the 31-privileged.rules file. You’ll need to run the commands in the file which will create a new file. Then we can copy that to “/etc/auditd/rules.d/”

find /bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > priv.rules
#find /sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#filecap /bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules

And Copy priv.rules to /etc/audit/rules.d/31-privileged.rules. Overwrite the file there if needed.

cp ./priv.rules /etc/audit/rules.d/31-privileged.rules

Load the rules.

augenrules --load

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening

How to Create a Self Signed TLS Certificate in Linux

Posted on September 13, 2023 by admin

Here is a quick way to create a self signed certificate in Linux.

Run the following command. Fill out the required info.

openssl req -x509 -sha256 -nodes -days 3652 -newkey rsa:4096 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt

chmod 400 /etc/pki/tls/private/localhost.key

Now in your Apache or Nginx files, specify the path to the Key and the Certificate.

Note that if you’ll need to add the

https://www.linode.com/docs/guides/create-a-self-signed-tls-certificate/

“Couldn’t create temporary archive name” lvextend

Posted on September 12, 2023 by admin

If you are getting the following error

“Couldn’t create temporary archive name.”

Check if you are out of disk space.

df -h

After freeing up some space, you should be able to continue increasing the disk size

lvextend -l +100%FREE /dev/redhat/root
xfs_growfs /dev/redhat/root

Incredigeek

Tag Archives: linux