Create an Ansible script for DISA STIG and execute it in CentOS 7

Securing a CentOS 7 install doesn’t have to be tough. Code already exists, we just have to find it and execute it.

Prerequisites: yum install openscap scap-security-guide -y

Verification: The version of the scap-security-guide that was tested is 0.1.40. Version 0.1.43 has removed the DISA STIG from the CentOS guide ssg-centos7-ds.xml; however, there is a workaround. Article coming soon. scap-security-guide.noarch…


Ansible TRANSFORM_INVALID_GROUP_CHARS settings warning [resolution]

I have an Ansible playbook that has worked for months. It still works, but now has a DEPRECATION WARNING that looks ominous along with a Python error. Problem BECOME password[defaults to SSH password]: [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This…


How to remove a bad disk from LVM2

While doing a little house cleaning on a VM, I discovered I was unable to reboot it.  Basically, I had a logical volume that was rather large and wanted to remove it.  I used the lvremove to remove the logical volume that spanned across two hard drives. There was no other logical volume on those drives.  Shutdown the server and…


Convert OVFs to an OVA without the ovftool.exe

VMware requires you to have an account to logon and download a free tool called “VMware OVF Tool”.  That alone is not annoying.  What is annoying is that the tool is extremely slow.  There is a much faster way to create an OVA without the need of this tool. Using the ovftool is easy enough, the following is an example…


NFL Pick ‘Em buildSchedule.php for any season

I have been playing around with the buildSchedule.php component of NFL PHP Pick ‘Em as this is the component that makes it all possible to generate tables needed to create the SQL script to import into the new season.  My previous post on this subject required a spreadsheet, which never really was necessary.  Even though the output filename contains a…


NFL Pick ‘Em for 2019 Season

NFL PHP Pick ‘Em is a free PHP web app that allows you to host a weekly NFL pick ’em football pool on your website. This fantastic tool replaced the use of spreadsheets. There was a time that this tool was not supported. However, I just checked out the www.phpickem.org website and it is updated for 2019. I wish I…


Automatically clean /tmp or /var/tmp files that are in protected PrivateTmp directories in CentOS / RHEL 7

With CentOS/RHEL 6 there was a function called tmpwatch that was launched from /etc/cron.daily/tmpwatch. This process has changed in CentOS/RHEL 7. There is a system target that runs daily: system-tempfiles-clean.timer. Although tmpwatch does a pretty good job in cleaning out the /tmp or /var/tmp files, it does not by default clean out the /tmp/systemd-private directories as these are secure. There are…


Install CentOS 7 on a GPT labeled disk

For one reason or another it was difficult to find the “complete” answer to installing CentOS 7 on a GPT labeled disk.  For the most part the answer was too complicated, incomplete, or inaccurate. After some trial and error the answer turns out to be a simple one. Process This was an example of a very basic install only to…


Extend the swap logical volume size

Extending the swap size in a logical volume may be needed. Assume that there is a swap partition that requires an additional 1G of space. The following process should work on a CentOS 7 Linux install. Assuming that the disk space is available, use lvextend to add 1G, disable and flush out the existing swap space. It may take some…


Root Login Permission Denied on CentOS7

A system that was a fresh installation of CentOS 7 Linux was just completed. After all the updates, the user began to install an application. After some time, the user logged out of the system and could not log back into it. As a root user, the administrator was unable to access the virtual machine even via console. This eliminated…


Disk Full Error: Cannot logon via SSH

The issue is that there may be a policy in place to prevent logons if there is any mount that is full.  There are a couple of approaches towards resolution.  Both approaches require a system shutdown.  One approach requires access to the ISO, which leaves a plausible solution. reboot Hit CTL+X to edit the boot kernel ##CHECK THIS ONE, MIGHT…


Add a GUI to Microsoft Windows 2012 R2 Core / Standard

There was a server with Microsoft Windows 2012 R2 Standard installed with GUI, for some unknown reason the GUI was uninstalled along with PowerShell.  To reinstall or install these “features”, the install.wim file is needed.  Using a mounted Windows 2012 R2 Standard ISO is one such way. These are the steps to “recover” the GUI and PowerShell.  Since PowerShell is…


SELinux: Compile a policy package

You have generated a SELinux human readable .te file and want to compile it into a .pp policy file. Prerequisites Only needed for sealert yum install setroubleshoot-server Troubleshooting This is a series of commands used to troubleshoot a recent zabbix-server service that would not start. It was the results of the ausearch that revealed the semodule command that differed from…


Apache Tomcat 9 – SSL/TLS Configuration HOW-TO

In this exercise, Tomcat 9 will be installed with OpenJDK 8 using a self-signed certificate in a PKCS12 keystore on a clean CentOS 7 Linux server using the Http11NioProtocol protocol. These are the steps. Enjoy Tomcat Check the Cert You can check the cert by using your browser. http2.Http2Protocol Alternately, you can use the http2.Http2Protocol protocol. However, there is one prerequisite…


keytool -list displays “JKS” for a PKCS12 keystore [workaround]

A server with Tomcat powered by OpenJDK 8 is using a keystore that is PKCS12 and not JKS. However, the keytool shows that the keystore type is JKS. I have accidentally discovered a workaround to this. The JAVA version openjdk version “1.8.0_191” OpenJDK Runtime Environment (build 1.8.0_191-b12) OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode) The Test Keystore type: jks…


Are you a robot? Epic Fail!

That age-old and yet annoying reCAPTCHA question, “Are you a robot?” is one that must be answered before you, a human, can continue along your merry way. As one would expect, the reCAPTCHA process evolves. The other day, I had to navigate through intentionally blurred and obscured images; but today’s image is a new one for me, Select all…
