Installing VMWare tools on Kali Linux guest

I usually run several VMs on VMware Workstation, just for study or test purposes. Because of this I find the VMware Tools very useful, especially the copy/paste and automatic desktop resize options that let me use the VMs in full-screen mode.

Installing VMware Tools on Windows is very simple; on Linux, instead, it requires a few additional steps. Below we will see the procedure on Kali Linux, but it is similar on any other Debian-like distribution.

Since September 2015, VMware recommends using open-vm-tools instead of the VMware Tools package bundled with VMware Workstation for guest machines. open-vm-tools is available from the official Kali repository.

  1. Add the official repository to sources.list
  2. Update the apt package index with the new repository
  3. Install the VMware tools with apt
  4. Finally, restart the guest OS
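The four steps above as one script, added here as an example and not taken from the original post. The repository line (the current official kali-rolling entry) and the package name open-vm-tools-desktop (the Debian/Kali package that carries the desktop integration: display resize and clipboard) are assumptions; check both against the Kali documentation for your release. The repository step is written so that running the script twice does not add the line twice.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-4 as an idempotent script.
# Assumptions: the kali-rolling repository line and the open-vm-tools-desktop
# package name; adjust both for your Kali release.
KALI_REPO_LINE="deb http://http.kali.org/kali kali-rolling main contrib non-free"
VM_TOOLS_PKG="open-vm-tools-desktop"

# ensure_repo_line FILE LINE: append LINE to FILE unless an identical line is
# already there. Returns 0 when the line was added, 1 when it was present.
ensure_repo_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -Fxq -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# repo_line_count FILE LINE: number of exact copies of LINE in FILE (0 if none
# or if FILE does not exist).
repo_line_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -Fxc -- "$2" "$1" || true
}

# Steps 1-4 from the post. Needs root and network access, so it only runs
# when the script is invoked with --apply.
install_vmware_tools() {
    ensure_repo_line /etc/apt/sources.list "$KALI_REPO_LINE" || true   # step 1
    apt-get update                                                     # step 2
    apt-get install -y "$VM_TOOLS_PKG"                                 # step 3
    reboot                                                             # step 4
}

if [ "${1:-}" = "--apply" ]; then
    install_vmware_tools
fi
```

Run it as root with `--apply` on the guest; without that flag it only defines the functions, which is what makes the repository step easy to test on a scratch file first.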

Now you have VMware Tools up and running. Have fun!

CheckPoint Management Server log space utilization

Today I encountered an issue related to a CheckPoint Management server: it started to report incorrect file system space utilization on the logs' mount point. The output of the df command reports the mount point as almost full:

Instead, the sum of all files and directories under /var/log is around 37 GB.

This is strange behavior, especially because the mount point is used for logging. Comparing both commands, it's easy to see that more than half of the total disk space is wrongly marked as used, so I would like to figure out where the problem lies. I think unlinked open files may be the problem, and I'm checking for this using lsof:

As I expected, the lsof output reports lots of open file entries, all associated with the cplmd daemon. From the CheckPoint knowledge base (here):

“In order to get the data that should be presented in SmartView Tracker, FWM spawns a child process CPLMD, which reads the information from the log file and performs unification (if necessary). Upon receiving an answer from CPLMD, FWM transfers it to SmartView Tracker.”

The easy way to fix this is to restart the daemon, so that it “flushes” all the deleted files it is still holding open:

This solution fixes the problem. Now df reports the correct space utilization:

and all the orphaned files have disappeared.
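Here is the same check done over lsof output rather than by eye, as an added example (not the author's command). It reads lsof-style lines, keeps only regular files whose name ends in "(deleted)", counts each device/inode once even when a process holds it through several descriptors, and totals the held space per process and overall. The sample lines below are constructed for the example; the paths and process list are placeholders, not CheckPoint's real log layout.

```shell
#!/bin/sh
# Added example, not from the original post: measure the space still held by
# unlinked-but-open files in lsof output. Sample lines are constructed; the
# paths are placeholders, not the real CheckPoint log layout.
SAMPLE_LSOF='COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cplmd    4812 admin 7r REG 8,17 1073741824 131077 /var/log/example/2016-03-01.log (deleted)
cplmd    4812 admin 8r REG 8,17 1073741824 131077 /var/log/example/2016-03-01.log (deleted)
cplmd    4812 admin 9r REG 8,17 536870912 131078 /var/log/example/2016-03-02.log (deleted)
cplmd    4812 admin 10r REG 8,17 10485760 131079 /var/log/example/current.log
fwm      4790 admin 5u REG 8,17 4096 131080 /var/log/example/fwm.elg
rsyslogd  611 root 4w REG 8,17 2048000 131081 /var/log/messages (deleted)'

# report_deleted_open_files: lsof output on stdin -> "PID COMMAND BYTES" per
# process, largest first. The same file held through several descriptors by
# one process (7r and 8r above) is counted once, keyed by device and inode.
report_deleted_open_files() {
    awk '$5 == "REG" && $NF == "(deleted)" {
             key = $2 SUBSEP $6 SUBSEP $8
             if (!(key in seen)) { seen[key] = 1; held[$2 " " $1] += $7 }
         }
         END { for (k in held) print k, held[k] }' | sort -k3,3nr
}

# deleted_bytes_total: the bytes df counts but du cannot see, each
# device/inode counted once across all processes.
deleted_bytes_total() {
    awk '$5 == "REG" && $NF == "(deleted)" {
             key = $6 SUBSEP $8
             if (!(key in seen)) { seen[key] = 1; total += $7 }
         }
         END { printf "%d\n", total + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | report_deleted_open_files
printf 'total bytes held by deleted files: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LSOF" | deleted_bytes_total)"
```

On a live system, feed it `lsof -nP +L1` (which lists only files whose link count is 0, i.e. unlinked ones) instead of the sample. When restarting the daemon is not an option, the space can also be reclaimed without a restart by truncating the descriptor as root (`: > /proc/PID/fd/N`), which empties the unlinked file while the process keeps its handle.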

tcpdump: a brief review

tcpdump is a useful command-line packet sniffer built on libpcap. It is usually present on *nix systems and on most network appliances, such as Juniper devices, F5 load balancers or CheckPoint firewalls (all based on *nix). With the support of the WinPcap library it can also be installed on Windows systems to make troubleshooting easier.

From a shell or CLI, to simply run tcpdump, you may type:

tcpdump supports a lot of options and filters; let's look at them using eth0 and VLAN 150 as an example.

TCPDUMP OPTIONS

To capture all eth0 traffic:

To capture traffic of a specific VLAN passing through eth0:

Prepare a full .pcap file for viewing in Wireshark:

The -s option specifies the amount of data to capture per packet: -s0 means the whole packet, while -s30 captures only the first 30 bytes of each packet.

View MAC addresses in a capture on eth0:

Do not resolve hostnames / services in a capture on eth0:

TCPDUMP FILTERS

There are four main filters:

– the host filter, used to capture packets based on a single IP (e.g. 192.168.10.4)
– the net filter, used to capture packets based on a network address (e.g. 10.0.0.0/16)
– the port filter, used to capture packets based on a port (e.g. 22 – the ssh service)
– the protocol filter (icmp, arp, tcp, udp), used to capture only certain kinds of packets

Filters can be combined using the logical operator AND. Also, for the host, net and port filters you may specify whether they apply to the source (src) or the destination (dst).

To capture only packets with IP 192.168.10.4 as source or destination on eth0:

To capture only packets with network 10.0.0.0/16 as source or destination on eth0:

To capture only packets with port 22 as source or destination on eth0:

To capture all ssh packets (port 22) to host 192.168.10.4 from network 10.0.0.0/16 on eth0:

To capture all icmp packets to host 192.168.10.4 on eth0:

Finally, you can combine options and filters as you need. For example, the following line captures ARP requests from network 192.168.10.0/24 passing through eth0, including MAC addresses; hostnames will not be resolved:

The same example can also be exported as a Wireshark file:
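The options and filters above, collected into one small shell helper. This is an added example and not the author's own commands; the function names (tcpdump_cmd, bpf_and, run_capture) and the output file names are the example's own choices. The helper only prints the command lines, so a filter can be reviewed before it is run with root privileges on a live interface; run_capture then executes a reviewed line with a packet limit.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the tcpdump invocations
# discussed above and print them for review. Function and file names are the
# example's own choices, not tcpdump's.

# tcpdump_cmd IFACE "OPTIONS" "FILTER": options and filter may be empty. The
# filter is single-quoted so the shell never expands characters such as [ ].
tcpdump_cmd() {
    cmd="tcpdump -i $1"
    [ -n "$2" ] && cmd="$cmd $2"
    [ -n "$3" ] && cmd="$cmd '$3'"
    printf '%s\n' "$cmd"
}

# bpf_and TERM...: join non-empty filter terms with "and", the operator the
# post uses. tcpdump also understands "or" and "not", e.g. "not port 22".
bpf_and() {
    out=""
    for term in "$@"; do
        [ -z "$term" ] && continue
        if [ -z "$out" ]; then out="$term"; else out="$out and $term"; fi
    done
    printf '%s\n' "$out"
}

IFACE=eth0

# Options section of the post.
cap_all=$(tcpdump_cmd "$IFACE" "" "")                       # all eth0 traffic
cap_vlan=$(tcpdump_cmd "$IFACE" "" "vlan 150")              # one VLAN only
cap_pcap=$(tcpdump_cmd "$IFACE" "-s0 -w capture.pcap" "")   # whole packets, for Wireshark
cap_mac=$(tcpdump_cmd "$IFACE" "-e" "")                     # show MAC addresses
cap_noresolve=$(tcpdump_cmd "$IFACE" "-nn" "")              # no host/service resolution

# Filters section of the post.
cap_host=$(tcpdump_cmd "$IFACE" "" "host 192.168.10.4")
cap_net=$(tcpdump_cmd "$IFACE" "" "net 10.0.0.0/16")
cap_port=$(tcpdump_cmd "$IFACE" "" "port 22")
cap_ssh_to_host=$(tcpdump_cmd "$IFACE" "" \
    "$(bpf_and 'port 22' 'dst host 192.168.10.4' 'src net 10.0.0.0/16')")
cap_icmp_to_host=$(tcpdump_cmd "$IFACE" "" "$(bpf_and icmp 'dst host 192.168.10.4')")

# Combined example: ARP from 192.168.10.0/24 with MAC addresses and no name
# resolution, once to the screen and once to a pcap file. "arp" alone matches
# requests and replies; arp[6:2] = 1 keeps only requests (ARP opcode field).
arp_filter=$(bpf_and arp 'src net 192.168.10.0/24')
cap_arp=$(tcpdump_cmd "$IFACE" "-e -nn" "$arp_filter")
cap_arp_pcap=$(tcpdump_cmd "$IFACE" "-e -nn -s0 -w arp.pcap" "$arp_filter")
cap_arp_req=$(tcpdump_cmd "$IFACE" "-e -nn" "$(bpf_and "$arp_filter" 'arp[6:2] = 1')")

# run_capture CMD COUNT: execute a reviewed command line, inserting -c COUNT
# right after "tcpdump" so an unattended capture stops by itself. Needs root.
run_capture() {
    [ "$(id -u)" -eq 0 ] || { echo "run_capture: root required" >&2; return 1; }
    eval "tcpdump -c $2${1#tcpdump}"
}

for c in "$cap_all" "$cap_vlan" "$cap_pcap" "$cap_mac" "$cap_noresolve" \
         "$cap_host" "$cap_net" "$cap_port" "$cap_ssh_to_host" "$cap_icmp_to_host" \
         "$cap_arp" "$cap_arp_pcap" "$cap_arp_req"; do
    printf '%s\n' "$c"
done
```

Two practical notes: the `-e` and `-nn` options only affect what is printed, so in the `-w` variant they are harmless but do nothing; and since tcpdump 4.0 the default snaplen already captures whole packets (262144 bytes), so `-s0` matters mainly on older appliance builds.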

tcpdump is very powerful; there are many other options and filters to speed up your troubleshooting and go deeper in the analysis. You can get more information on the official website, tcpdump.org.

File used by another process? Play Lsof!

In my latest Linux lesson, where I played the teacher, someone asked me about the use of lsof and how to take advantage of it.

As the man page says, lsof is a command-line utility that lists information about files opened by processes, where an open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket). A specific file or all the files in a file system may be selected by path.

Do not forget that everything is a file on Linux (pipes, sockets, directories, devices, etc.)!

LSOF OUTPUT SYNTAX

Running lsof without parameters shows a list of all open files belonging to all active processes:

The output syntax is pretty simple and lists, from left to right, the running command, the process identifier, the user running the process, a few fields explained below and, finally, the file in use.

The FD column stands for file descriptor and can be:

  • cwd current working directory
  • rtd root directory
  • txt program text (code and data)
  • mem memory-mapped file

Or it can be a number/letter combination like 1u: the file descriptor number followed by its access mode, one of r, w or u:

  • r for read access
  • w for write access
  • u for read and write access

The TYPE column stands for the file type, as the name suggests, and can be:

  • DIR – Directory
  • REG – Regular file
  • CHR – Character special file
  • FIFO – First In First Out

USING LSOF

You can simply list the processes that opened a specific file by providing the file name as an argument to the lsof command:

The example above lists file /var/log/messages used by the rsyslogd process (PID 1469).

You can also list all the files opened by a specific process using the ‘-p’ option and the process ID. It is sometimes helpful for getting more information about a specific process:

Another way to do that is by process name:

You may also need to know which files are opened by a specific user:

LSOF FOR SYSADMIN

The above examples are usually helpful for both standard users and sysadmins, but as a sysadmin you also need to know specific commands to work with mount points, NFS and network sockets.

To know which files are open on a specific mount point you can pass it as an argument to lsof:

where /app is actually a mount point. This command works the same with a plain folder.

Option -N lists all files opened from an NFS share:

which works better in combination with the -u option (standing for user).

Instead of netstat, you can use lsof to list all processes bound to a specific port/socket:

or bound to a specific hostname:

When you work with sockets or NFS files, for example, repeat mode is a nice option to use.
You have to specify the -r option followed by the delay time:

This runs lsof every second. To interrupt it, press “Ctrl+C”.

Finally, if you need to use lsof in conjunction with other commands, use the terse output option -t, which suppresses error messages and other info.
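The "file used by another process" question answered in a form other commands can consume, as an added example that is not part of the original post. It relies on -t (which prints only PIDs, one per line, so the output can be fed to ps or grep) and shows the -r repeat mode with -n and -P so that hostnames and ports are not resolved. The function names are the example's own; it needs lsof installed but no root for files the calling user holds open.

```shell
#!/bin/sh
# Added example, not from the original post: find out who holds a file open
# in a form other commands can consume (lsof -t), and verify the answer against
# a process we control. Function names are the example's own choices.

# pids_using FILE: PIDs holding FILE open, one per line (lsof -t), empty when
# nobody does. lsof exits non-zero when it finds nothing, so that exit status
# is ignored and the caller inspects the output instead.
pids_using() {
    lsof -t "$1" 2>/dev/null || true
}

# holds_file PID FILE: succeed only if PID is among the holders of FILE.
holds_file() {
    pids_using "$2" | grep -qx -- "$1"
}

# holders_ps FILE: the -t output fed to ps, the "in conjunction with other
# commands" case from the post. Prints nothing when the file is not open.
holders_ps() {
    pids=$(pids_using "$1" | paste -sd, -)
    [ -n "$pids" ] || return 0
    ps -o pid=,user=,comm= -p "$pids"
}

# watch_cmd TARGET SECONDS: repeat mode (-r) with name resolution off (-n -P);
# TARGET is a file, a mount point or an -i spec such as "-i :22". Printed for
# review rather than run, since it loops until Ctrl+C.
watch_cmd() {
    printf 'lsof -nP -r %s %s\n' "$2" "$1"
}

# demo_holder: open a temporary file from a background sleep, then check that
# lsof reports that sleep's PID. Prints "found" or "missing".
demo_holder() {
    tmp=$(mktemp)
    sleep 5 < "$tmp" > /dev/null &
    holder=$!
    sleep 1
    if holds_file "$holder" "$tmp"; then result=found; else result=missing; fi
    holders_ps "$tmp" >&2
    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    rm -f "$tmp"
    printf '%s\n' "$result"
}

if command -v lsof >/dev/null 2>&1; then
    demo_holder
    watch_cmd /var/log/messages 1
else
    echo "lsof is not installed" >&2
fi
```

The same pids_using output is what you would pass to kill when a stale holder really has to go, which is exactly why -t strips everything but the PIDs.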

lsof is an incredibly powerful tool that will quickly help you in your daily work. By reading the man page you can discover many other options and find your own best tricks! I hope you enjoyed this article!

Mattia

What’s new in the CentOS 7 release

About one month after the official RHEL 7 release, the CentOS team has released the new CentOS-7/x86_64. As a “son” of RHEL 7, according to the official CentOS release notes, there are many improvements and changes, such as:

  • Kernel updated to 3.10.0
  • Switch to systemd, firewalld and GRUB2
  • XFS as default file system
  • LVM-snapshots with ext4 and XFS
  • iSCSI and FCoE in kernel space
  • Gnome3
  • In Place Upgrade from 6.5 to 7.0
  • Support for Linux Containers (aka Docker)
  • Support for PTPv2
  • Support for 40G Ethernet Cards
  • Supports installations in UEFI Secure Boot mode on compatible hardware
  • Open VMware Tools and 3D graphics drivers out of the box
  • OpenJDK-7 as default JDK

It’s also important to note the birth of CentOS Variants.

A CentOS variant is a special edition of CentOS Linux that starts with the core distribution, then replaces or supplements a specific subset of packages.

Variants are created and maintained by SIGs (“Special Interest Groups”) and are, simply, a way to overcome the absence of proprietary Red Hat packages on CentOS 7. You will find more about variants and SIGs here:

I would remind you that CentOS Linux is a community-supported distribution derived from sources freely provided to the public by Red Hat for Red Hat Enterprise Linux (RHEL). Also, since 2014, Red Hat and the CentOS Project have joined forces to speed up open source innovation.

Mattia