Blog

  • Update Tripwire

    OK, only waited a few months before adding this!

    I’d recommend not doing this as root, as if you do, the root directory modification time will change as you modify twpol.txt. Also twpol.txt will change as you modify it.

    All of this means you’ll have to run steps 1-3 before you can run step 4. And tripwire takes ages to run. Besides, you should be using sudo anyway (you are, right?!).

    1. Validate current policy

    sudo tripwire -m c

    2. Find the latest tripwire log

    sudo ls -lt /var/lib/tripwire/report/*.twr | head -1

    3. Use that to update the database

    sudo tripwire -m u -r <above file>

    4. Then update policy

    sudo tripwire -m p twpol.txt

    You should see this:

    Parsing policy file: twpol.txt
    Please enter your local passphrase:
    Please enter your site passphrase:
    ========
    Policy Update: Processing section Unix File System.
    ========
    Step 1: Gathering information for the new policy.
    The object: "/lib/init/rw" is on a different file system...ignoring.
    The object: "/dev/.static/dev" is on a different file system...ignoring.
    The object: "/dev/pts" is on a different file system...ignoring.
    The object: "/dev/shm" is on a different file system...ignoring.
    The object: "/proc/bus/usb" is on a different file system...ignoring.
    ========
    Step 2: Updating the database with new objects.
    ========
    Step 3: Pruning unneeded objects from the database.
    Wrote policy file: /etc/tripwire/tw.pol
    Wrote database file: /var/lib/tripwire/web-proxy.twd

    5. After the policy is accepted you need to run steps 1-3 again
    This is because if you don’t, and then want to make further changes, you’ll see stuff like this:

    ========
    Policy Update: Processing section Unix File System.
    ========
    Step 1: Gathering information for the new policy.
    The object: "/lib/init/rw" is on a different file system...ignoring.
    The object: "/dev/.static/dev" is on a different file system...ignoring.
    The object: "/dev/pts" is on a different file system...ignoring.
    The object: "/dev/shm" is on a different file system...ignoring.
    The object: "/proc/bus/usb" is on a different file system...ignoring.
    ### Error: Policy Update Added Object.
    ### An object has been added since the database was last updated.
    ### Object name: /etc/tripwire/tw.pol.bak
    ### Error: Policy Update Changed Object.
    ### An object has been changed since the database was last updated.
    ### Object name: Conflicting properties for object /etc/tripwire
    ### > Size
    ### > Modify Time
    ### Error: Policy Update Changed Object.
    ### An object has been changed since the database was last updated.
    ### Object name: Conflicting properties for object /etc/tripwire/tw.pol
    ### > Modify Time
    ### > CRC32
    ### > MD5
    ========
    Step 2: Updating the database with new objects.
    ========
    Step 3: Pruning unneeded objects from the database.
    Policy update failed; policy and database files were not altered.

    This is because tripwire hasn’t yet captured the changes (to tw.pol and tw.pol.bak) caused by the policy update itself.

    This might also be useful (I log in as a normal user to do administration, so I want to do all of these sudo’d). This script allows me to run a report, and then use that generated report to update the database.

    I call the script update_tripwire.bash

    #!/bin/bash
    # Run the integrity check, then accept the newest report into the database
    sudo tripwire -m c
    sudo tripwire -m u -r "$(/bin/ls -t /var/lib/tripwire/report/*.twr | head -1)"
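As an added example (not the post's own update_tripwire.bash), here is a script that wraps the whole cycle described above: the regular check-then-update (steps 1-3), and the policy update with the step-5 re-check built in so that the "Policy Update Changed Object" failure does not occur. It assumes the Debian paths from the post (reports in /var/lib/tripwire/report, twpol.txt in the current directory) and that tripwire is run through sudo from a normal account; the subcommand names `refresh` and `policy` are this script's own.

```shell
#!/bin/bash
# Added example, not the post's own update_tripwire.bash. It assumes the Debian
# paths used in the post (/var/lib/tripwire/report, twpol.txt in the current
# directory) and that tripwire is invoked via sudo from a normal account.
set -eu

REPORT_DIR=/var/lib/tripwire/report

# Newest *.twr report in a directory: the "ls -t | head -1" trick from the post.
latest_report() {
  ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# True when the given uid is root's; main() uses it to refuse to run as root.
uid_is_root() {
  [ "$1" -eq 0 ]
}

# Steps 1-3: run the check, then accept the newest report into the database.
# "tripwire -m c" exits non-zero when it finds violations, so its status is
# deliberately ignored; the report it wrote is what the update step needs.
refresh_db() {
  sudo tripwire -m c || true
  report=$(latest_report "$REPORT_DIR")
  if [ -z "$report" ]; then
    echo "no report found in $REPORT_DIR" >&2
    return 1
  fi
  sudo tripwire -m u -r "$report"
}

# Step 4 plus step 5: the database must be current before the policy update,
# and tw.pol / tw.pol.bak change during it, so refresh again afterwards.
update_policy() {
  refresh_db
  sudo tripwire -m p "$1"
  refresh_db
}

main() {
  if uid_is_root "$(id -u)"; then
    echo "run this as a normal user; sudo is used where needed" >&2
    return 1
  fi
  case "${1:-}" in
    refresh) refresh_db ;;
    policy)  update_policy "${2:-twpol.txt}" ;;
    *)       echo "usage: $0 refresh | policy [twpol.txt]" >&2; return 2 ;;
  esac
}

# Only act when given a subcommand; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run `./update_tripwire.bash refresh` for the routine check and database update, and `./update_tripwire.bash policy twpol.txt` after editing the policy; the second form does the refresh before and after the policy change, which is exactly the sequence the post arrives at.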

  • Configure Tripwire on Debian

    I have finally gotten around to configuring the Tripwire setup on my Debian installation, after having it bleat at me for the last 3 years! I found details at http://articles.techrepublic.com.com/5100-10877_11-6034353.html which pointed me in the right direction. My installation is Debian based, so it fitted the “no twinstall.sh” case shown most closely.

    I have had to tweak what the linked article says slightly to make it work. I have also included the output that I saw, so you know that you are in the correct place when you run each command (my principle is that sample output gives you the warm feeling that things are going well).

    First we should generate the site key:
    twadmin --generate-keys -S site.key
    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating key (this may take several minutes)...
    Key generation complete.

    Then generated the local key:
    twadmin --generate-keys -L ${HOSTNAME}-local.key
    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating key (this may take several minutes)...
    Key generation complete.

    Then had to edit the config template, before generating the configuration file:
    twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
    Please enter your site passphrase:
    Wrote configuration file: /etc/tripwire/tw.cfg

    Then generated the policy file:
    twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
    Please enter your site passphrase:
    Wrote policy file: /etc/tripwire/tw.pol

    Set file permissions:
    chown root:root site.key $HOSTNAME-local.key tw.cfg tw.pol
    chmod 600 site.key $HOSTNAME-local.key tw.cfg tw.pol

    Finally, initialized the database:
    tripwire --init
    Please enter your local passphrase:
    Parsing policy file: /etc/tripwire/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    ### Warning: File system error.
    ### Filename: /var/lib/tripwire/.twd
    ### No such file or directory
    ### Continuing...
    Wrote database file: /var/lib/tripwire/.twd
    The database was successfully generated.

    Then deleted the plain-text source files: rm twcfg.txt twpol.txt

    Haven’t run it for very long, so might update this if I have problems.

  • Compile an SRPM

    Download the SRPM into a directory of choice. Generally files ought to go into:

    /usr/src/redhat/SRPMS

    Then run:

    rpm --rebuild <file>-<version>.src.rpm

    This will then build the new RPM. Everything will then happen automatically, and the newly built RPMs will go here:

    /usr/src/redhat/RPM/<cpu-type>

    If the configuration file needs to be changed then run:

    rpm -i <file>-<version>.src.rpm

    The spec file will be extracted to:

    /usr/src/redhat/SPEC

    Generally it would be called:

    <file>-<version>.spec

    Changes can now be made to the spec file. Once the changes are complete the RPM needs to be made using it:

    rpm -bb --clean --rmsource <file>-<version>.spec

    If the build goes ok, the file will end up in the normal location:

    /usr/src/redhat/RPM/<cpu-type>

    Building a Kernel RPM (build UP and SMP Kernels)

    rpmbuild --target i386 --with up --with smp --without BOOT --without debug <spec file>

  • Testing MathJax

    Writing maths works as in LaTeX. Use dollar signs to enclose inline math, e.g. \(x^2\) \(x^2\) \(x^2\) $$x^2$$

    \(
    \begin{align}
    E &= mc^2 \\
    m &= \frac{m_0}{\sqrt{1-\frac{v^2}{c^2}}}
    \end{align}
    \)

    \(\int_{-\infty}^\infty e^{-\pi x^2}\,\mathrm{d}x=1\label{a}\tag{1}\)

    \ref{a}

  • This is a reasonably complete sample of using MathJax.

    Sample has been taken from here:
    https://groups.drupal.org/node/1263

    MathJax documentation is here:
    http://docs.mathjax.org/en/latest/

    Wonder how much of this works:
    https://yutsumura.com/mathjax-in-wordpress/

    Writing maths works as in LaTeX. Use dollar signs to enclose inline math, e.g. \(x^2\).

    Examples for paragraph math are \(x^2 \) and \(x^2\) (both variants are equivalent).

    There is also a display-style inline math environment, compare \(\sum_{k=1}^\infty \frac{1}{k}\) and \(!\sum_{k=1}^\infty \frac{1}{k}\).

    To make a dollar sign, you have to type \$ as in LaTeX!
    Using just $ doesn’t work.
    Latex: \(\$ \)
    and
    Latex: \($ \)

    Arbitrary LaTeX code can be rendered as in this example:
    Let $x^2$ be a natural number. 

    There are also more elaborate environments to write math – they support auto-numbering, referencing and more. These environments are <equation> and <equations>. They both support the same attributes.

    E.g. rendering an equation with a different resolution:
    <equation>e^{i \cdot \pi} = -1</equation>.

    To give the equation automatically a number, you have to give it an id:
    e^{i \cdot \pi} = -1.

    You now can produce a link to that equation by typing \\ref{euler}, or even better (\\ref{euler}).

    You can also give it a name instead of a number:
    e^{i \cdot \pi} = -1.

    An example for the <equations> environment is given by:
    \(
    \begin{align}
    \int \ln(x) \;dx
    &= \int 1 \cdot \ln(x) \;dx \\
    &= x \cdot \ln(x) - \int x \cdot \frac{1}{x} \;dx \\
    &= x \cdot \ln(x) - x
    \end{align}
    \)

    The spaces on the left are optional.

    To prohibit some text from being processed by DruTeX, you can use <code> and <notex>:
    e.g. $x^2$
    or
    $x^2$
    Humm… doesn’t work!

    \(\left(\int_{-\infty}^\infty e^{-x^2}\ dx\right)^2\ =\ \pi (\ref{test}) \)

    Extra bit

    \(e^{ \pm i\theta } = \cos \theta \pm i\sin \theta\)

  • Using drush with drupal

    Using drush has been remarkably simple.

    I downloaded it as instructed on their site, and it almost works straight away. It was annoying to keep having to tell drush the site to use with the -l flag though, so I have configured it for my needs.

    I did this by making a .drush directory, and copying the example aliases.drush.php and drushrc.php in. I then amended drushrc.php to refer to my site and install directory.

    Having done that, I then began to use it.

    I think being able to update the core using:

     drush up drupal 

    to be very cool!

    Similarly I can check the module status using:

     drush ups 

    Individual modules can be done using:

     drush up <module>

    And then I can download modules using (make sure you are in the right place!):

     drush dl <module>

    And then enable and disable modules using:

     drush <en|dis> <module> 

    In short, I really like drush!

  • Getting annoying error with phpMyAdmin

    I upgraded phpMyAdmin from 4.1.2 to 4.2.6. Having done this, I copied in the config.inc.php file and started everything up.

    Logged in and I get “You should upgrade to MySQL 5.5.0 or later.”.

    Well yes, I should. But I can’t (the MySQL version is tied to the NAS, so I can’t really change that very easily). But I want to use phpMyAdmin. Checked on the phpMyAdmin site, and it says “supported only on MySQL 5.5”.

    Anything after here is at your own risk. I have not comprehensively tested this, nor have I any intention of doing that.

    Right, so with that out of the way, after digging about for a little bit I found that the error is being generated by:

    libraries/common.inc.php

    If you open this up, there is a line:

            if (PMA_MYSQL_INT_VERSION < 50500) {

    Change it to say:

            if (PMA_MYSQL_INT_VERSION < 50100) {

    And now “hey presto!” it won’t complain anymore.

    Although we SHOULD all really upgrade to MySQL 5.5, or MariaDB, or move to PostgreSQL.

    Again, if you do this and it breaks things it’s not my fault.
    I wanted to make it so I could see tables in MySQL again. I rarely use phpMyAdmin for much more than that anyway.

  • Configuring GIT

    First up, I found most of my information on this here:

    Seth Robertson – Git On The Web

    The one thing that I didn’t realise initially is that you can’t use the gitweb URL to do clones etc.
    I spent ages trying to do this, until I found Seth’s page. It explains things in a very structured manner that can be applied to most situations I suspect.

    The only other thing I think I should point out is related to rewrites. If you are using them in an Apache configuration section at a higher level than the site everything will be accessed from, you need to remember to set the following, otherwise they will be ignored:

            RewriteEngine On
            RewriteOptions Inherit

    So, in my case, I am accessing git via a VirtualHost that I have. The virtual host needed these lines adding to it otherwise the rewrite configuration in conf.d/gitweb didn’t get picked up.

    To enable LDAP, I also had to do this:

            sudo a2enmod authnz_ldap
            sudo a2enmod cgi
            sudo service apache2 restart

    In the end, to have a Git repository authenticating against LDAP (restricted to an LDAP group), with GitWeb, some aliases, source IP restrictions and some rewrites, the gitweb file looks like this:

    Alias /<gitweb alias> /usr/share/gitweb
    Alias /<shortened gitweb alias> /usr/share/gitweb
    
    RewriteEngine On
    RewriteRule ^/<shortened gitweb alias>/([^/]+)$ /g/?p=$1 [R,NE]
    RewriteRule ^/<shortened gitweb alias>//([^/]+)/([0-9a-f]+)$ /<shortened gitweb alias>/?p=$1/.git;a=commitdiff;h=$2 [R,NE]
    RewriteRule ^/<shortened gitweb alias>/([^/]+)/([0-9a-f]+)$ /<shortened gitweb alias>/?p=$1;a=commitdiff;h=$2 [R,NE]
    
    <Directory /usr/share/gitweb>
      Options FollowSymLinks +ExecCGI
      AllowOverride all
      AddHandler cgi-script .cgi
      Order deny,allow
      Deny from all
      Allow from <restricting IP addresses>
      SSLRequireSSL
      AuthType basic
      AuthName "Private git repository"
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://<ldap server>:<port>/<LDAP User DN>?<LDAP User ID>?sub?(objectClass=*)"
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDn off
      # Only the group requirement: an extra "Require valid-user" would be ORed
      # with it and let any authenticated LDAP user in.
      Require ldap-group <LDAP Group DN>
    </Directory>
    
    ScriptAlias /<shortened git alias>/ /usr/lib/git-core/git-http-backend/
    <Directory "/usr/lib/git-core/">
      Options +ExecCGI
      SetEnv GIT_PROJECT_ROOT <path to projects>
      SetEnv GIT_HTTP_EXPORT_ALL
      Order deny,allow
      Deny from all
      Allow from <restricting IP addresses>
      SSLRequireSSL
      AuthType basic
      AuthName "Private git repository"
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://<ldap server>:<port>/<LDAP User DN>?<LDAP User ID>?sub?(objectClass=*)"
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDn off
      # Only the group requirement: an extra "Require valid-user" would be ORed
      # with it and let any authenticated LDAP user in.
      Require ldap-group <LDAP Group DN>
    </Directory>

    And we are done (well other than making the virtual host allow the rewrites).

    Just to prove it, here is a sample checkout:

    ~/temp$ git clone https://<server>/<GIT Alias>/test.git
    Cloning into 'test'...
    Username for 'https://<server>': <good user>
    Password for 'https://<good user>@<server>': 
    remote: Counting objects: 10, done.
    remote: Compressing objects: 100% (6/6), done.
    remote: Total 10 (delta 0), reused 4 (delta 0)
    Unpacking objects: 100% (10/10), done.
    ~/temp$ rm -rf test
    ~/temp$ git clone https://<server>/<GIT Alias>/test.git
    Cloning into 'test'...
    Username for 'https://<server>': <bad user>
    Password for 'https://<bad user>@<server>': 
    fatal: Authentication failed

  • Updating Language of postings in Drupal.

    Everything said it was undefined language (very weird).

    Found this post so I ran this update:

    UPDATE node SET language = 'en' WHERE language = 'und';

    And it did exactly what it says on the tin (turned everything set to und to en).

    Perfect!

  • Linking Drupal to QNAP LDAP

    This was way more simple than I expected.

    For reference, I have a separate server running my Drupal installation. The QNAP sits alongside it (but is not accessible from the web).

    I basically just added the LDAP module to the Drupal installation. I also had to install the Entity module for LDAP to use. Then I enabled LDAP functionality bit by bit, testing as I went. The first module was LDAP Servers. 

    Enabling this resulted in a request to install the PHP LDAP module on the server. Once that was in place, the module would enable. I then set up links back to my LDAP server. The only additional thing I needed on the LDAP server, was a service account for Drupal to bind with (which I created).

    Setting up the user relationship was easy:
    I set the base DN to my domain name.
    Then I set AuthName to UID; AccountName is also set to UID.
    The Email attribute is mail
    I then set the “Expression for the user DN” to “uid=%username,ou=people,%basedn”

    Setting up the group configuration proved the biggest stumbling point. The important bit to get right is that it asks for the Group Object Class, and not the name of the container that holds the groups. I misunderstood the question here initially, especially as my container is called group, and that was one of the examples. What I needed to put in here was posixGroup.

    Then I told it only that the LDAP Group Entry Attribute was memberuid and that this field actually held the UID.

    Once this was done, I could turn it on and test it.

    Now I enabled the LDAP User and LDAP Authentication modules.

    In the LDAP User module, I just told it to associate accounts together if an LDAP one existed (second option).
    I didn’t want two way provisioning, so I have left that unset.

    In the Authentication module, I initially left it mixed mode until I was confident it worked, at which point I have moved it to the second authentication option. The rest of this section I have left default. 

    It was after setting this up that I did my first proper test of everything using another browser to prevent cookie clashes etc.

    I made sure that I could still log in as administrator, and also log in as my proper user. Once I was happy with this, THEN I altered authentication to the second mode.

    Now I moved on to LDAP Authorization. I enabled this module, went to configure it, and found that without a module to use it with it didn’t do much.

    So I enabled the LDAP Authorization – Drupal Roles module too. The setup of this module was also very simple. I simply told it to use my LDAP server, and then explained how to map my LDAP groups to the Drupal groups.

    The only real fly in the ointment was that I was initially not looking up the groups correctly, as I thought that it was looking for the container of the groups, and not the Object Class of the group.

    Once I resolved that, all the tests worked properly and I have a working system that automatically adds people to Drupal if they exist in the LDAP, and also correctly sets up their groups for them.

    Very pleased.