October 2025
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031  

Categories

October 2025
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031  

Kernel Crash Report/Crash Dump Analysis

Kernel Crash Report/Crash Dump Analysis

In my previous post, we have configured how to capture kernel dump for reference click on the link kernel crash dump
Here in this article,we master the basic usage of crash utility to open the dumped memory core and process the information contained therein and to intercept the output.

Fundamentals-Complete-Memory-Dump-Analysis-Logo

find out the dumped kernel location and start analyzing the code.
#crash /usr/lib/debug/lib/modules/2.6.32-279.el6.i686/vmlinux /var/crash/127.0.0.1-2013-07-18-09\:40\:28/vmcore
KERNEL: /usr/lib/debug/lib/modules/2.6.32-279.el6.i686/vmlinux
DUMPFILE: /var/crash/127.0.0.1-2013-07-18-09:40:28/vmcore  [PARTIAL DUMP]
CPUS: 1
DATE: Thu Jul 18 09:40:21 2013
UPTIME: 00:37:21
LOAD AVERAGE: 934.79, 206.96, 67.74
TASKS: 5494
NODENAME: <hostname>
RELEASE: 2.6.32-279.el6.i686
VERSION: #1 SMP Fri Jun 22 10:59:55 UTC 2012
MACHINE: i686  (2933 Mhz)
MEMORY: 895.6 MB
PANIC: “Oops: 0002 [#1] SMP ” (check log for details)
PID: 6847
COMMAND: “bash”
TASK: ea142aa0  [THREAD_INFO: db8ae000]
CPU: 0
STATE: TASK_RUNNING (PANIC)
Explanation of code is as below :-
KERNEL: specifies the kernel running at the time of the crash.
DUMPFILE: is the name of the dumped memory core.
CPUS: is the number of CPUs on your machine.
DATE: specifies the time of the crash.
TASKS: indicates the number of tasks in the memory at the time of the crash. Task is a set of program instructions loaded into memory.
NODENAME: is the name of the crashed host.
RELEASE: and VERSION: specify the kernel release and version.
MACHINE: specifies the architecture of the CPU.
MEMORY: is the size of the physical memory on the crashed machine.
PANIC: specifies what kind of crash occurred on the machine.
Panic refers to the use of magic keys(SysRq), which we deliberately trigger for a crash.
SysRq (System Request) refers to Magic Keys, which allow you to send instructions directly to the kernel. They can be invoked using a keyboard sequence or by echoing letter commands to /proc/sysrq-trigger, provided the functionality is enabled. We have discussed this in the Kdump part.
I attacked system by Denial of service(DoS) using the system to consume all its resources by forking. forkbomb
if you have looked load average of the crashed kernel its too high(934.79, 206.96, 67.74) and the process responsible was PID:6847
 
PANIC: “Oops: 0002 [#1] SMP ” has the value below.
                                        value
—————————————————————–
Bit 0 1
——————————————————————
0 No page found Invalid access
1 Read or Execute Write
2 Kernel mode User mode
3 Not instruction fetch Instruction fetch
from our PANIC analysis it is clear that “we have a page not found during a write operation in Kernel mode; the fault was not an Instruction Fetch.
 
we have used “/proc/sysrq-trigger” from the command line to dump our kernel in previous post, but if your system is unresponsive then you would be unable to trigger. In such cases we enable SysRq feature so that we could use magic keys to collect the dump of the crashed kernel.
#echo “1” > /proc/sys/kernel/sysrq
or add an entry to /etc/sysctl.conf  
#vim /etc/sysctl.conf  
kernel.sysrq = 1
Once configured, you will be able to use magic keys [ alt + PrintScreenSysRq + <options> ]
Options as are below.
‘b’  – Will immediately reboot the system without syncing or unmounting your disks.
‘c’  – Will perform a system crash by a NULL pointer deference  A crash dump will be taken if configured.
‘d’  – Shows all locks that are held.
‘e’  – Send a SIGTERM to all processes, except for init.
‘f’  – Will call oom_kill to kill a memory hog process.
‘g’  – Used by kgdb (kernel debugger)
‘h’  – Will display help
‘i’  – Send a SIGKILL to all processes, except for init.
‘j’  – Forcibly “Just thaw it” – filesystems frozen by the FIFREEZE ioctl.
‘k’  – Secure Access Key (SAK) Kills all programs on the current virtual console.
‘l’   – Shows a stack backtrace for all active CPUs.
‘m’ – Will dump current memory info to your console.
‘n’  – Used to make RT tasks nice-able
‘o’  – Will shut your system off (if configured and supported).
‘p’  – Will dump the current registers and flags to your console.
‘q’  – Will dump per CPU lists of all armed hrtimers (but NOT regular timer_list timers) and detailed information about all clockevent devices.
‘r’  – Turns off keyboard raw mode and sets it to XLATE.
‘s’  – Will attempt to sync all mounted filesystems.
‘t’  – Will dump a list of current tasks and their information to your console.
‘u’ – Will attempt to remount all mounted filesystems read-only.
‘v’ – Forcefully restores framebuffer console
‘v’ – Causes ETM buffer dump [ARM-specific]
‘w’ – Dumps tasks that are in uninterruptable (blocked) state.
‘x’ – Used by xmon interface on ppc/powerpc platforms. Show global PMU Registers on sparc64.
‘y’ – Show global CPU Registers [SPARC-64 specific]
‘z’ – Dump the ftrace buffer
[ Alt + SysRq + c ] – Crash collected by rebooting the system.
kernel-crash
We have almost analyzed upto certain extent, however there are few of the commands which can help us in understanding more.
Let us look few more basic commands which can be helpful.
crash> help
*              files          mach       repeat      timer
alias         foreach     mod        runq          tree
ascii         fuser         mount     search       union
bt             gdb           net         set             vm
btop          help          p            sig             vtop
dev           ipcs          ps           struct         waitq
dis            irq            pte         swap           whatis
eval           kmem      ptob        sym            wr
exit           list           ptov        sys              q
extend       log           rd           task
bt – backtrace – Display a kernel stack backtrace :=
The sequence of numbered lines, starting with the hash sign (#) is the call trace. It’s a list of kernel functions executed just prior to the crash. This gives us a good indication

of what happened before the system went down.
 
crash> bt
PID: 6847   TASK: ea142aa0  CPU: 0   COMMAND: “bash”
 #0 [db8af618] crash_kexec at c049b75c
 #1 [db8af66c] oops_end at c083fe92
.
.
(output omitted …)
foreach – display command data for multiple tasks in the system :=
This command allows for a an examination of various kernel data associated with any, or all, tasks in the system, without having to set the context

 to each targeted task.
crash>foreach bt
.
.
(output omitted..)
log – dump system message buffer :=
 
The log command dumps  the kernel log buffer contents  inchronological order . This  is  similar to  what  you would see when you type dmesg on a running machine. This is useful when you want to look at the panic or oops message. An oops is triggered by some exception. It is a dump of the CPU register’s state and kernel stack at that instant . From the panic message, we can find hints as to how the panic was triggered (e. g. the function or process  or pid or command or address that triggered the panic), the register’s information, kernel module list, whether the kernel is

tainted with proprietary kernel modules loaded, and so  on..
crash>log
(output omitted..)
.
.
SysRq : Trigger a crash
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<c06a0d8f>] sysrq_handle_crash+0xf/0x20
*pdpt = 00000000116c3001 *pde = 0000000000000000
Oops: 0002 [#1] SMP
.
.
Pid: 6847, comm: bash Not tainted 2.6.32-279.el6.i686 #1 innotek GmbH 
EIP: 0060:[<c06a0d8f>] EFLAGS: 00010096 CPU: 0
EIP is at sysrq_handle_crash+0xf/0x20
.
.
(output omitted..)
we don’t observe any tainted flags on the kernel, each flag has its own meaning.
P — Proprietary module has been loaded.
F  — Module has been forcibly loaded.
S — SMP with a CPU not  designed for SMP .
R — User forced a module unload.
M — System experienced a machine check exception.
B — System has  hit  bad_page.
U — Users pace- defined naughtiness .
A —  ACPI  table over ridden.
W — Taint on warning.
ps – Display process status :=
Display process status information This command displays process status for selected, or all, processes in the system. If no arguments are entered, the process data is displayed for all processes. The active task is marked with “>”
crash>ps
   6846   5711   0  d169d550  UN   0.1    5992   1112  bash
>  6847      1   0  ea142aa0  RU   0.1    5992   1320  bash
   6848      1   0  d169d000  UN   0.1    5992   1368  bash
when you observe from the log, there are number of bash instances. Hence total number of bash instances are as below
crash> ps | fgrep bash | wc -l
5363
crash>
 vm – virtual memory :=
This command displays basic virtual memory information of a context, consisting of a pointer to its mm_struct and page dirctory, its RSS and total virtual memory size; and a list of pointers to each vm_area_struct, its starting and ending address, vm_flags value, and file path name.
 
crash> vm
PID: 6847   TASK: ea142aa0  CPU: 0   COMMAND: “bash”
   MM       PGD      RSS    TOTAL_VM
e247f740  d16c2000  1320k    5992k
  VMA       START      END    FLAGS  FILE
d16b66f8    70d000    70e000 4040075
d16b6694    760000    77e000 8000875  /lib/ld-2.12.so
.
.
(output omitted..)
 
files – open files :=
This command displays information about open files of a context. It prints the context’s current root directory and current working directory, and then for each open file descriptor it prints a pointer to its file struct, a pointer to its dentry struct, a pointer to the inode, the file type, and the pathname.
crash> files 6427
PID: 6427   TASK: d4150aa0  CPU: 0   COMMAND: “bash”
ROOT: /    CWD: /var/crash
 FD    FILE     DENTRY    INODE    TYPE  PATH
  0  f6698240  f3609df8  f3610e48  FIFO
  1  d40791c0  f377c8d0  f377d1a8  FIFO
.
.
(output omitted..)
runq – run queue :=
This command displays the tasks on the run queues

of each cpu.
crash> runq
CPU 0 RUNQUEUE: c6408680
  CURRENT: PID: 6847   TASK: ea142aa0  COMMAND: “bash”
  RT PRIO_ARRAY: c6408778
     [no tasks queued]
  CFS RB_ROOT: c64086dc
     [120] PID: 7990   TASK: c9bb1000  COMMAND: “bash”
     [120] PID: 8616   TASK: c13f8aa0  COMMAND: “bash”
     [120] PID: 7714   TASK: f2485550  COMMAND: “bash”
.
.
(output omitted..)
timer – timer queue data :=
Displays the timer queue entries in chronological order, listing the target function names, the current value of jiffies, and the expiration time of each entry.
TVEC_BASES[0]: c0be66a0
 JIFFIES
 1941918
 EXPIRES  TIMER_LIST  FUNCTION
 1941920   d4aa1b74   c0466210  <process_timeout>
 1941920   d847fb74   c0466210  <process_timeout>
.
.
(output omitted..)
net – network command :=
Display various network related data
crash> net
NET_DEVICE  NAME   IP ADDRESS(ES)
 f70e6820   lo     127.0.0.1
 f4f32020   eth0   <ipaddress-2>
 c171e020   eth1   <ipaddress-1>
crash>
we have found some of the basics of kernel dump analysis which might be helpful in knowing what went behind the kernel to crash the system. As a best practice we need to analyze the dump and take necessary actions to avoid the re-occurrences.
“there are lot of administrators who don’t care rebooting server, but need server online”.
December 10th, 2014 | Category: Centos, Linux, RHCE | Leave a comment

Booting Centos in verbose mode

When you boot a Centos server, it defaults to showing a splash screen when booting. You can press escape to switch to a more verbose boot mode. This article describes how to set verbose as the default boot mode.

Booting Centos in verbose mode

Login as the root user en edit the Grub menu.

# vi /boot/grub/menu.lst

It will show something like this:

title CentOS (2.6.32-431.20.5.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.20.5.el6.x86_64 ro root=/dev/mapper/vg00-lv01 rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=vg00/lv01 rd_LVM_LV=vg00/lv00 crashkernel=auto SYSFONT=latarcyrheb-sun16 rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-431.20.5.el6.x86_64.img

The word “rhgb” is responsible for showing the splash screen. Simply remove it, save the file and reboot to get a verbose output instead of a splash screen while booting. If you want even more verbose output, also remove the word “quiet”. This will show more messages, some of which might be cryptic in nature.

December 10th, 2014 | Category: Centos, Linux, RHCE | Leave a comment

Rename volume group on which your root(/) partition resides.

We had few of the servers which was similar in file systems, disk partitions, applications, etc .., but was exception in only Volume Group(VG). So I had cloned the systems and thought of renaming the VG, but since root Logical Volume(LV) was configured on the same VG was unable to un-mount online. I had to bring down the server to perform below steps.
Below has been performed on CentOS-6.3 32-bit kernel version – 2.6.32-279.el6
 
Since it is root volume, we need to umount the file system, insert the CentOS CD/DVD to boot server in rescue shell.
#boot: linux rescue
when it prompts for the questions, choose your answers.
Question 5 : Rescue window
Offers to mount Linux installation in rw, read only or not at all. Either way, we will be provided with a shell. As this system’s root partition is on a logical volume in the volume group we wish to rename, we must not mount the system. [ SKIP ]
Make sure all your logical volumes are OFFLINE
# lvm lvscan
  INACTIVE            ‘/dev/vg_pcmk1/home’ [1.00 GiB] inherit
  INACTIVE            ‘/dev/vg_pcmk1/rootvg’ [13.18 GiB] inherit
  INACTIVE            ‘/dev/vg_pcmk1/swap’ [1.46 GiB] inherit
#
#lvm vgscan
found volume group vg_pcmk1
.
.
(output omitted)
– Rename the volume group
#lvm rename vg_pcmk1 vg_pcmk2
– Exit the shell and reboot the server. Let CentOS DVD be in the disk.
#exit
– Reboot the server in the rescue environment and while in Question 5, choose Continue
 
Eventually, a shell will appear. The system files are in /mnt/sysimage.  chroot into the system:
# chroot /mnt/sysimage
sh-4.1#vim /etc/fstab
– Change the entries of the volume group for the logical volumes which are residing.
# grep vg_pcmk2 /etc/fstab
/dev/mapper/vg_pcmk2-rootvg /                       ext4    defaults        1 1
/dev/mapper/vg_pcmk2-home /home                   ext4    defaults      1 2
/dev/mapper/vg_pcmk2-swap swap                    swap    defaults        0 0
#
– Change an entry in grub.conf file.
#vim /boot/grub/grub.conf
# grep vg_pcmk2 /boot/grub/grub.conf
        kernel /vmlinuz-2.6.32-279.el6.i686 ro root=/dev/mapper/vg_pcmk2-rootvg rd_LVM_LV=vg_pcmk2/rootvg rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rd_LVM_LV=vg_pcmk2/swap rhgb quiet
#
– Create a newly initrd image as below.
# tail -1 /boot/grub/grub.conf
        initrd /initrd-2.6.32-279.el6.i686.img
#
As updated above, create new initrd image and this will take some time and will have no output.
#mkinitrd /boot/initrd-$(uname -r).img $(uname -r)
– Exit from shell:
# exit
– Exit from Linux rescue:
# exit
– Remove the CD and boot the server.
Once your server logins, check the VG name, it would be successfully changed.
# df -h | grep vg_pcmk2
/dev/mapper/vg_pcmk2-rootvg
/dev/mapper/vg_pcmk2-home
#
NOTE: If no proper entries in root volume being made, kernel gets PANIC and will not sync and kills init process.

Since this is a new blog, I’ve been trolling through my Wiki looking for things that if not of broad general interest, are so esoteric and complicated that it might help some poor slob(s) Googling in futility, slowly losing the will to live….  We’ve all been that poor slob at one time ;->

Even if you’re not interested in renaming an LVM Volume Group per se, this blog post also demonstrates how to tweak an initial RAM disk, which I guess might be of broader interest than the special case in which it’s discussed.

Why Rename a VG?

Generally, you should NEVER rename LVM Volume Groups unless you like pain. Running ‘vgrename’ will change the name of the Volume Group- EXCEPT where it matters most: ‘initrd’ . The Initial RAM Disk references the Volume Group when trying to mount the root file system. If the Volume Group is incorrectly specified there, obviously the system will not boot.

A client asked me to rebuild a KVM Hypervisor several years ago.  Part of the brief was to migrate the VM’s on it which were running as .img files in /var/lib/libvirt to LVM partitions on the KVM Hypervisor itself.  Unfortunately for me, the previous sysadmin had used the default “VolGroupXX” naming convention inside all the VMs.  When the LVM structures were internal to the VM itself in their .img files they co-existed happily together despite all having the same Volume Group names.  However, when the VMs’ filesystems were squirted into LVM partitions on the KVM host, that’s where the conflict between shared VG names arose.

As a consequence, assuming the KVM Hypervisor Volume Group is itself not named VolGroupXXtoo, every VM you migrate will have a conflict with other VM’s VolGroupXX naming scheme unless you change them .  Good grief Charlie Brown.   This can all be avoided by naming the Volume Group after the hostname it lives on to ensure its’ uniqueness. But that wasn’t an option and I had to rename the Volume Groups.

Rename the Volume Group of a VM

This example entails migrating a named “myVM.img” running from a file to an LVM partition on the Hypervisor hosting it.

1. Create LVM partition on the Hypervisor where we can dd the VM into:

lvcreate  -L 10G -n myVM  KVMhypervisorVolGroup00

2. Unmount the running VM, “myVM.img” running from /var/lib/libvirt/images/:

unmount /var/lib/libvirt/images/

3. Squirt the VM’s image file into the LVM partition “myVM” just created on the Hypervisor. In this example, the VM file we’re moving to the partition resides in the default folder for KVM images. As a general practice when using dd, ALWAYS double check you haven’t flip-flopped the input and output parameter values before hitting the return key.

dd if=/var/lib/libvirt/images/myVM.img of=/dev/KVMhypervisorVolGroup00/myVM

4. Create device maps for the new partition where the VM has been moved so Device Mapper can find it:

kpartx -av /dev/KVMhypervisorVolGroup00/myVM

5. Scan and rebuild Volume Group caches:

vgscan

6. Determine the UUID of the of /dev/KVMhypervisorVolGroup00/myVM (the LV which the VM was migrated into):

vgdisplay

If you’re trying to identify two hosts sharing the same Volume Group name, you need to do this by UUID.  It is CRUCIAL that you identify correctly the UUID of VolGroup00 belonging to the VM you want to modify. Check the space of the “VG Size” details in the output of the vgdisplay command to differentiate between which UUID belongs to which VM.

7. Rename the Volume Group FROM “/dev/VolGroup00” TO “/dev/VolGroupMyVM.” By using the convention of replacing “00” in the Volume Group name with the VM’s hostname, we can ensure that the VG name is unique and we won’t bump into the problem of duplicate Volume Group names if we move this VM somewhere else in the future.

Triple check that you are specifying the UUID of the VM’s VolGroup00 you believe that you are altering before pulling the trigger! The reason we’re feeding the ‘UUID’ in lieu of the Volume Group name ‘VolGroup00 to the vgrename command is that the UUID is the only way to accurately distinguish between the two “VolGroup00” ‘s where several are shown.

vgrename UUID-goes-here /dev/VolGroupMyVM

8.  vgrename is only capable of renaming the Volume Group- it doesn’t change the UUID of our VM, which we need to do to get the Hypervisor to stop puking errors all over us about duff LVM Volume Groups.  Let’s change this so the VM is absolutely unique from the VM we are migrating away from:

vgimportclone -n myVM /dev/mapper/myVM

9.  Update any references to the VM’s UUID: Since we’ve changed the UUID, anywhere this appears, ie the VM’s fstab, this must also be updated.

10. Mount the VM to enable working on it’s filesystem:

mkdir /mnt/myVM
mount /dev/mapper/myVM /mnt/myVM

11. Edit the VM’s grub configuration to reflect the change in the Volume Group name:

vi /mnt/myVM/boot/grub/grub.conf

FROM:

kernel /vmlinuz-2.6.32-220.7.1.el6.x86_64 ro root=/dev/mapper/VolGroup00-LogVol00 rd_LVM_LV=VolGroup00/LogVol00 rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=uk crashkernel=auto selinux=0 nomodeset

TO:

kernel /vmlinuz-2.6.32-220.7.1.el6.x86_64 ro root=/dev/mapper/VolGroupMyVM-LogVol00 rd_LVM_LV=VolGroupMyVM/LogVol00 rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=uk crashkernel=auto selinux=0 nomodeset

Modify initrd

12. Edit Volume Group specified in the VM’s initrd (Initial RAM Disk) so the root partition can be found and booted: Make a directory to where we can edit a copy of our initrd image:

mkdir /mnt/myVM/initrd_edited

Copy the initrd image to our work directory:

cp -p /mnt/myVM/boot/initrd_image_to_edit.img /mnt/myVM/initrd_edited/

Change the name of the original initrd image to .OLD:

mv /mnt/myVM/boot/initrd_image_to_edit.img  /mnt/myVM/boot/initrd_image_to_edit.img.OLD

Change directories to where we copied the initrd image to work on it:

cd /mnt/myVM/initrd_edited/

Decompress the initrd image so it can be edited:

cat initrd-*|gzip -d|cpio -i

Delete the compressed copy in THIS directory:

rm initrd-*

Change the Volume Group in init FROM: VolGroup00 TO: VolGroupMyVM

vi init

Finally, compress the modified initrd back into an image and squirt the compressed image back to the VM’s /boot directory.

*!!!DANGER WILL ROBINSON, DANGER!!*: Ensure that you pipe this to the correct directory to avoid overwriting the Hypervisor’s initrd!!!

find|cpio -H newc -o|gzip>../originalInitrdName.img

13. Edit the VM’s fstab to change references of VolGroup00 TO VolGroupMyVM so everything will mount correctly:

vi /mnt/myVM/etc/fstab

14. If the VM is started without fixing fstab, it can still be done. Since the boot will hang without having first updated fstab with the new Volume Group name prior too booting the host, nothing will mount correctly and you’ll be dropped into a maintenance prompt:

Enter root password at maintenance prompt
mount -o remount -rw /
vi /etc/fstab
Make your changes to fstab, save them and finally:
shutdown -r now

15. Unmount the LVM volume that you mounted to work on the VM:

umount /mnt/myVM

Done. Repeat for each VM you’re dropping into a partition on the Hypervisor with the Volume Group “VolGroup00” …

Think that about does it.   Hope somebody found this useful to alleviate the pain I had correcting the mess.  If you find working through the steps that I’ve made any omissions/transpositions errors, lemme know and I’ll update the blog post.

 

 

Rename a Volume Group in Red Hat Enterprise Linux 6 (RHEL6)

WARNING:  Perform this at your own risk and double check LVM documentation!
* As always this will work perfectly well in CentOS 6.

As I was preparing a new VMware guest host to be my template master I realized AFTER the  RHEL6 install that I failed to rename the default volume group from vg_hostname-lv_root to something more generic for a VM template server.

This was surprisingly simple and straight forward, even booted up onto the guest host’s boot drive – no need to boot into rescue or emergency mode – just don’t muk it up.  Simply do the following (and be careful):

As root user (or using sudo) be sure to make backup copies of these two files in case you muk it up, and ensure you know how to boot up in rescue mode with other boot media.
# cp /etc/fstab /etc/fstab.orig
# cp /boot/grub/grub.conf /boot/grub/grub.conf.orig

Rename your volume group (vg)

# vgrename /dev/vg_OLDname /dev/vg_NEWname

Now change all instances of the old volume group in the following files:

/etc/grub.conf  (which is a symbolic link to /boot/grub/grub.conf)

/etc/fstab

mv /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.backup

dracut -v /boot/initramfs-$(uname -r).img $(uname -r)

 dracut
December 10th, 2014 | Category: Centos, Linux | Leave a comment

How to Remove commands from your history

How to remove if your typed password or sensitive information in your command console.

[root@linux1 ~]#history
1 history
2 mypassword
3 otherpassword
4 ls -la
5 sudo rm -f /home/

Remove sensitive command with numbered entry.

[root@linux1 ~]#history -d 2

[root@linux1 ~]#history
1 history
2 otherpassword
3 ls -la
4 sudo rm -f /home/

December 3rd, 2014 | Category: Centos, Linux, Linux Commands, RHCE | Leave a comment

How to Change Username in Linux

How to Change Username in Linux

-l, –login NEW_LOGIN
The name of the user will be changed from LOGIN to NEW_LOGIN. Nothing else is changed. In particular, the user´s home directory name
should probably be changed manually to reflect the new login name.

Example:

Change existing username account from alice to tom:

usermod -l <new_login> <old_login>

[root@linux1]$ usermod -l alice tom

[root@linux1]$

December 3rd, 2014 | Category: Centos, Linux, Linux Commands | Leave a comment

Unlock account in linux using pam_tally2

DESCRIPTION
This module maintains a count of attempted accesses, can reset count on
success, can deny access if too many attempts fail.

pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former
is the PAM module and the latter, a stand-alone program. pam_tally2 is
an (optional) application which can be used to interrogate and
manipulate the counter file. It can display users’ counts, set
individual counts, or clear all counts. Setting artificially high
counts may be useful for blocking users without changing their
passwords. For example, one might find it useful to clear all counts
every midnight from a cron job.

Normally, failed attempts to access root will not cause the root
account to become blocked, to prevent denial-of-service: if your users
aren’t given shell accounts and root may only login via su or at the
machine console (not telnet/rsh, etc), this is safe.

OPTIONS
GLOBAL OPTIONS
This can be used for auth and account module types.

onerr=[fail|succeed]
If something weird happens (like unable to open the file),
return with PAM_SUCCESS if onerr=succeed is given, else with
the corresponding PAM error code.

file=/path/to/counter
File where to keep counts. Default is /var/log/tallylog.

audit
Will log the user name into the system log if the user is not
found.

silent
Don’t print informative messages.

no_log_info
Don’t log informative messages via syslog(3).

AUTH OPTIONS
Authentication phase first increments attempted login counter and
checks if user should be denied access. If the user is
authenticated and the login process continues on call to
pam_setcred(3) it resets the attempts counter.

deny=n
Deny access if tally for this user exceeds n.

lock_time=n
Always deny for n seconds after failed attempt.

unlock_time=n
Allow access after n seconds after failed attempt. If this
option is used the user will be locked out for the specified
amount of time after he exceeded his maximum allowed attempts.
Otherwise the account is locked until the lock is removed by a
manual intervention of the system administrator.

magic_root
If the module is invoked by a user with uid=0 the counter is
not incremented. The sysadmin should use this for user launched
services, like su, otherwise this argument should be omitted.

no_lock_time
Do not use the .fail_locktime field in /var/log/faillog for
this user.

even_deny_root
Root account can become unavailable.

root_unlock_time=n
This option implies even_deny_root option. Allow access after n
seconds to root account after failed attempt. If this option is
used the root user will be locked out for the specified amount
of time after he exceeded his maximum allowed attempts.

serialize
Serialize access to the tally file using locks. This option
might be used only for non-multithreaded services because it
depends on the fcntl locking of the tally file. Also it is a
good idea to use this option only in such configurations where
the time between auth phase and account or setcred phase is not
dependent on the authenticating client. Otherwise the
authenticating client will be able to prevent simultaneous
authentications by the same user by simply artificially
prolonging the time the file record lock is held.

ACCOUNT OPTIONS
Account phase resets attempts counter if the user is not magic
root. This phase can be used optionally for services which don’t
call pam_setcred(3) correctly or if the reset should be done
regardless of the failure of the account phase of other modules.

magic_root
If the module is invoked by a user with uid=0 the counter is
not changed. The sysadmin should use this for user launched
services, like su, otherwise this argument should be omitted.

Example:
To get information about when invalid login attempted
server1:/root>pam_tally2
Login Failures Latest failure From
john 12 04/01/12 10:18:35 server2

To unlock account
server1:/root>pam_tally2 -r -u john
Login Failures Latest failure From
yangw 3 05/16/13 01:06:35 pts/7

December 3rd, 2014 | Category: Centos, Linux, Linux Commands | Leave a comment

tee command and examples

NAME
tee – read from standard input and write to standard output and files

SYNOPSIS
tee [OPTION]… [FILE]…

DESCRIPTION
Copy standard input to each FILE, and also to standard output. -a, –append append to the given FILEs, do not overwrite -i, –ignore-interrupts ignore interrupt signals –help display this help and exit –version output version information and exit If a FILE is -, copy again to standard output.

Usage and Examples:

Example 1: Write output to display, and to a file

$ ls -la | tee file1

Example 2: Search word strings and pipe to file “Sudo_Usages”

$ ls -la /var/log | grep SSH | tee Sudo_Usages

Example 3: Output stored in more than one files

$ ls -la /etc/ | tee file1 file2 fileN

December 3rd, 2014 | Category: Shell | Leave a comment

find Unauthorized SUID/SGID System Executables and fix them

 find Unauthorized SUID/SGID System Executables and fix them.

The following command discovers and prints any setuid or setgid files on local partitions. Run it once for each local partition PART:

# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print

If the file does not require a setuid or setgid bit as discussed below, then these bits can be removed with the command:

# chmod -s file
December 3rd, 2014 | Category: Centos, Linux, Linux Commands, RHCE | Leave a comment

convert F-Secure/Tectia SSH format to OpenSSH format?

Solutions:
To convert F-Secure public key to OpenSSH format
# ssh-keygen -i -f path/to/public.key >> path/to/new/opensshpublic.key

To convert F-Secure private key to OpenSSH format
# ssh-keygen -i -f path/to/private.key > path/to/new/opensshprivate.key

To convert OpenSSH public/private key to another commercial key.
Public key conversion:
# ssh-keygen -e -f path/to/opensshpublic.key > path/to/publickey.key

Private key conversion:
# ssh-keygen -e -f path/to/opensshprivate.key > path/to/privatekey.key

December 3rd, 2014 | Category: Linux, Linux Commands | Leave a comment

Setup Umask

The default umask for Solaris 10 and Ubuntu normal useris 0022, however default umask for CentOS normal user account is 0002.
Hence default directory permissions are 775 and file permission are 664.

The umask creation of new executable file is calculated as follows:

Default permissions 777
subtract umask value 022
Allowed permissions 755

The umask creation of new text file is calculated as follows:
Default permissions 666
subtract umask value 022
Allowed permissions 644

To harden system, umask 027 is always suggested.

Umask value, User, Group, Others
0027 , all , r/w , none

Location to configure default umask
CentOS:

Default System wide umask can be setup in “/etc/bashrc“, “/etc/csh.cshrc

Default Users umask can be changed in “~/.bash_profile

 

Ubuntu:

Default System wide umask can be setup in “/etc/profile“, “/etc/login.defs” and “/etc/skel/.profile

Default Users umask can be changed in “~/.bash_profile

 

Solaris:

Default System wide umask can be setup in “/etc/profile“, “/etc/.login“,”/etc/skel/local.cshrc“,”/etc/skel/local.profile” and “/etc/skel/local.login

Default Users umask can be changed in “~/local.cshrc

December 3rd, 2014 | Category: Centos, Linux, Linux Commands | Leave a comment
« Newer Entries  
  Older Entries »