Friday, 21 November 2003

Prevent named (BIND) from answering queries

To stop named from answering DNS queries that are not for the
domains it manages, add this to named.conf:

allow-recursion { none; };

Or, in place of none, list the IPs that are allowed to do this (in case it is
an ISP, or it is needed for any other reason).
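To confirm the allow-recursion setting took effect, a saved dig reply can be classified offline. This is an added example, not part of the original note; SERVER and NAME are placeholders, the sample replies are constructed, and it assumes one reply per input for a name that exists and that the server is not authoritative for.

```shell
#!/bin/sh
# Added example: does this dig reply show the server recursing for us?
# Typical use, from an address that should NOT be allowed to recurse:
#   dig @SERVER NAME A | recursion_state

recursion_state() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            seen = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "ANSWER:") answers = $(i + 1) + 0
                if ($i ~ /:$/) counters = 1       # flag list ends at "QUERY:"
                flag = $i; sub(/;$/, "", flag)
                if (!counters && flag == "ra") ra = 1
            }
        }
        END {
            if (!seen)                                          print "unknown"
            else if (status == "NOERROR" && ra && answers > 0)  print "open"
            else                                                print "restricted"
        }'
}

sample_open() {      # constructed reply: recursion offered and answered
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

sample_refused() {   # constructed reply: recursion refused
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
}
```

A referral (NOERROR, no ra flag, ANSWER: 0) is also reported as restricted, since the server did not resolve the name itself.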

Finding out which port a passive FTP opens on the server

To find the actual port multiply the fifth octet by 256 and then add
the sixth octet to the total. Thus in the example below the port number
is ( (14*256) + 178), or 3762. A quick check with netstat should confirm
this information.

PORT 192,168,150,80,14,178
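The same arithmetic applied to a whole control-channel log, as an added example that is not part of the original note. It decodes both the client's PORT command and the server's 227 reply to PASV, and flags tuples that are not six octets in the 0-255 range; the session lines are constructed.

```shell
#!/bin/sh
# Added example: decode data-channel endpoints from FTP control-channel lines.
# Handles "PORT h1,h2,h3,h4,p1,p2" and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".

ftp_data_endpoints() {
    awk '
        /^PORT |^227 / {
            kind = ($0 ~ /^227 /) ? "PASV" : "PORT"
            # first run of comma-separated numbers on the line
            if (!match($0, /[0-9]+(,[0-9]+)+/)) next
            tuple = substr($0, RSTART, RLENGTH)
            n = split(tuple, o, ",")
            bad = (n != 6)
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) bad = 1
            if (bad) { print kind, "malformed:", tuple; next }
            # port = fifth octet * 256 + sixth octet
            printf "%s %d.%d.%d.%d:%d\n", kind, o[1], o[2], o[3], o[4], o[5] * 256 + o[6]
        }'
}

# Constructed control-channel excerpt (not a real capture).
sample_session() {
cat <<'EOF'
USER anonymous
PORT 192,168,150,80,14,178
200 PORT command successful.
PASV
227 Entering Passive Mode (192,168,150,80,195,80)
PORT 192,168,150,80,14
EOF
}
```

Running `sample_session | ftp_data_endpoints` prints one line per PORT or 227 line; each decoded port can then be compared with the netstat output on the host that opened it.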

Thursday, 13 November 2003

Enhanced Security on Tru64

From: Jon Buchanan

You asked for the pros and cons of Enhanced Security. Well, here's my view:


+ a protected password database
+ records last successful and unsuccessful logins
+ records repeated login failures
+ automatic lockout after repeated login failure
+ configurable minimum password length
+ password lifetimes
+ password quality checks
+ password change history
+ password usage history
+ GUI for user account maintenance
+ templates for user setup
+ audit subsystem (means C2 security requirements can be satisfied)


- performance problems with very large user base (>1000 users)
- NIS doesn't work with other operating systems
- still not as secure as Sun's NIS+
- no (official) failover for NIS master -> single point of failure
- new and not very well understood, even by Digital!

To answer your questions:

1) Turn enhanced security on/off with the secsetup utility. However, if
turning it off, you may find that you need to give all users a new password.

2) Follow the procedures in the 'Security' manual to migrate users from base
to enhanced security. They provide scripts which do it for you.

I think you should decide first whether you want Enhanced Security or not,
and then deal with the admin problems that arise. However, don't base your
decision on the admin problems, base it on your need for security.

Attached is a general list of tips and notes regarding Enhanced Security.
It provides detail on some of the issues just mentioned.

Jon Buchanan, Zuerich, Switzerland

Some tips and notes about Enhanced Security:

With enhanced security, your user, group and password databases are
divided into many places:

This contains entries for local users not defined under NIS.
Passwords are not stored here - a * appears in place of each password.
Typically you would leave the system users like root, daemon etc here.
NIS-defined users must not appear in this file!
At the end of this file is +: for NIS to be searched.

/tcb/files/auth directories
Users defined in /etc/passwd have security profiles in these
directories. Their passwords, and things like successful/unsuccessful
login info are stored here. No NIS users have profiles in these

This contains entries for local groups not defined under NIS.
At the end of this file is +:

This is your NIS passwd file.
Local users, defined in /etc/passwd, should NOT appear here!
Passwords are not stored here - a * appears in place of each password.
The file should not contain +:

This is the 'protected password' NIS file, which functions like the
/tcb directory but for NIS users instead of local users. All users
with an entry in the NIS password file have an entry here.

This is the NIS group file.
Local groups, defined in /etc/group, should NOT appear here!
The file should not contain +:

Creating the prpasswd file is described in the section 'Moving Local
Accounts to NIS' in the 'Security' manual. You have to copy the script
they give you in the book, which reads all the information from the /tcb
tree and writes it into a file with one line per user. After that you
need to:

- delete (or move) all security profiles below /tcb for NIS registered
- delete all prpasswd entries for locally registered users (like root)

this is in accordance with the split described above.

When you are using the advanced security XIsso and XSysAdmin tools you
choose whether to manage the local or NIS registered users by clicking
on the 'Network Control' button. It then updates only the appropriate
files, and in the case of the NIS files, does a make for you.

To change passwords, use passwd for all accounts including the NIS ones.

/etc/svc.conf should contain an entry like: auth=local,yp

Delete the files /etc/passwd.dir and passwd.pag if you have them. These
are 'hashed' password files which adduser offers to make for you when it
finds they are not there. However, you don't need them and it will
probably stop NIS from working properly.

The main problem with switching Enhanced Security/NIS on and off is in
restoring the information to the correct place. Above all, Enhanced
Security passwords CANNOT be re-inserted into the passwd files (in place
of the *'s) - you need to give all users a new password.

A couple of problems that took us a long time to solve:

- The file /etc/auth/system/files must contain entries for
prpasswd and prpasswd:t. We have added them like this:


- An Enhanced Security NIS Slave cannot operate independently of the
Enhanced Security NIS Master. This is because the prpasswd file
is updated with every login attempt, and is only mastered on the
NIS Master. In other words, there's no point having a Slave because
it won't be able to function without the Master running.

DEC have refused to acknowledge this as a problem, so a fix is
unlikely for the foreseeable future. We have worked around it by
setting up a second Master and copying certain files from the
'real' master to the 'second' master periodically using rdist.
It is not an altogether satisfactory solution but it works and we
prefer it to being dependent on the availability of one machine.
Let me know if you would like more details on setting this up.

If you are determined to set up a Slave then you may hit another problem
too, whereby a make of the yp maps pauses for a few minutes. Fix is to
send the Slave the copies of the maps which it is missing by using ypxfr
(but a better fix is to disable the Slave).

One other note about Enhanced Security - if your system manages X
sessions for X displays (such as PCs) then you will need to add entries
for these remote displays to the files /etc/auth/system/devassign and
/etc/auth/system/ttys. I can let you have more details if you need

From: Spider Boardman <spider@Orb.Nashua.NH.US>

I'm afraid your question didn't make a lot of sense to me, unless
I assume that you don't have Enhanced Security in use, but that
you merely have its subsets installed (which is not enough to
enable it).

In particular, check the output of running this command:
/usr/sbin/rcmgr get SECURITY BASE
If it's BASE then you've not enabled Enhanced Security.

The /usr/sbin/secsetup script is supposed to take care of
creating prpasswd entries (the /tcb/files/auth/?/* files) for the
users which were already in /etc/passwd when you enable the "C2"
login features. If it didn't, then that's a bug. I do seem to
recall that the adduser script had a bad habit of creating
prpasswd entries even when it shouldn't, because it didn't check
the result of the rcmgr command above. Unless that returns
ENHANCED you're still using "BASE" security.

Checking the hardware on Tru64

The question was:

>HOW do I find out how much
>RAM I have. Someone's just asked me & I realised that while I've been
>told "256M" I've got no idea how to confirm that.
>There's gotta be a simple query command somewhere (yes, I've looked
>through "man -k ram" & "man -k mem")

NB I was after physical - not virtual - memory

I was stunned by the number of responses & some specific help from one
person who checked my results against her system to make sure my
understanding was correct (Thanks again for that Pam).

Most of the replies were variations of a theme so I've just summarized
them. Alternative scripts / C-code are included as sent, for others

Thanks to:
Anil Khullar
Becki Kain
Brian H. Mayo
Brian Sherwood
Cliff Krieger
Dave Golden
David Warren
Dick Abraham
Thomas Eisele
Fergal Mc Carthy
Guy Dallaire
James Soh
Jean Schuller
Jerome Fenal
Joe Spanicek
Joel Healy
Kurt Knochner Kurt.Knochner@Physik.TU-Muenchen.DE
Lucio Chiappetti
Martin E. Lally
Nick Hill
Pam Woods axsymgr@UAA.ALASKA.EDU
Paul Crittenden
Paul Henderson
Peter Stern
Rainer Landes
Randy M. Hayman
Richard Tame
Rick Muse
Rob Hamm

Now for the solution(s)

The most suggested themes were around the UERF & /var/adm/messages logs.
As root try:
#uerf -Rr 300 | more

& look for the physical memory

or as any user try
$more /var/adm/messages

Of course you could grep either of these for "mem" or "memory" if you
want. The UERF one is reversed to ensure that you are looking at the
most recent - I was stumped for a while as my log hadn't been cleared
since a memory upgrade ages ago, so I saw, first, the original memory

A few people mentioned :
Try (as root):
# vmstat -P

At the firmware prompt you could try:
>>>>show config
>>>>show memory
(or is that "show mem"?)

But I had no intention of bringing the system down for such a query -
could be handy if it's shutdown for some other reason though


use monitor and magnify the "memory" item (run monitor, type "m", arrow
down to "memory" and type "s")

or use "top" (I don't have it)

Other suggestions were:

Count the number of bytes in memory:
# wc -c /dev/mem
(I got nervous when it took a while and after running syd found it to
be the highest process - so killed it - Dave)

Get the number of pages and multiply by the page size:
# dbx -k /vmunix /dev/mem
(dbx) print physmem
(I got some error messages with the first line & the response from the
dbx command was different from that obtained from uerf & messages - but
then I don't know much about dbx)

Thomas Eisele:
for the csh:
dd bs=1048576 if=/dev/mem of=/dev/null |& tail -1 | sed -e 's/\+.*$/ MB/'

and for sh:
dd bs=1048576 if=/dev/mem of=/dev/null 2>&1 | tail -1 | sed -e 's/\+.*$/ MB/'

Jean Schuller
I remember I wrote a shell script using uerf and I called it CONFIG :
It shows Ethernet address, devices, memory size and unix version .

--------------------------------- 8< cut here -------------------

# Show configuration
# acc and machine are set here by assumption: their assignments are
# missing from the page.
acc=`whoami`
machine=`hostname`
if [ $acc != "root" ]
then
    echo "You must be root for this instructions "
    exit 1
fi
echo " $machine : Configuration"
# 1) Ethernet address
echo "Ethernet address"
echo "================"
uerf -r 300 | grep -i "_hardware address" | sort -u
# 2) Show devices
echo "Devices : "
echo "=========="
let i=0
while [ $i -lt 11 ]
do
    # The line that set $dev for index $i is missing from the page.
    file $dev 2>/dev/null | grep character
    let i=i+1
done
# 3) memory size
echo "Memory size"
echo "=========="
uerf -r 300 | grep -i 'physical memory ' | sort -u
# 4) Unix Versions
echo "Successive Digital Unix Versions"
echo "================================"
uerf -r 300 | egrep -i 'DEC OSF/1 V|Digital UNIX V' | sort -u
--------------------------------- 8< cut here -------------------

Martin E. Lally
Here is the C source code for displaying system RAM size. Compile with
# cc -o memsize filename.c

------------------------------- CUT HERE -------------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/sysinfo.h>

int main(argc, argv)
int argc;
char **argv;
{
    int memsize, err;

    /* GSI_PHYSMEM fills memsize with the physical memory size in KB */
    err = getsysinfo(GSI_PHYSMEM, &memsize, sizeof(memsize), 0, NULL);
    if (err == -1) {
        perror("getsysinfo");
        return 1;
    }

    printf("Total Real Memory: %d Mb\n", memsize/1024);
    return 0;
}
------------------------------- CUT HERE -------------------------------

Randy M. Hayman
A variation of that theme is:

compile with: cc -o show_mem show_mem.c
------------------------------- CUT HERE -------------------------------
#include <stdio.h>
#include <sys/sysinfo.h>

int main()
{
    int status, int_buff;   /* int_buff receives the size in KB */

    if( -1 == (status = getsysinfo(GSI_PHYSMEM, &int_buff, sizeof(int_buff),
                                   0, 0)) )
        fprintf(stdout, "error %d getting GSI_PHYSMEM\n", status);
    else
        fprintf(stdout, "Physical memory in use: %d KB\n", int_buff);
    return 0;
}
------------------------------- CUT HERE -------------------------------

Theis Jean-Marie
(I'm afraid I haven't had a chance to check this - but as Theis was kind
enough to pass it to me, I thought it may be of interest to others in
the list - Dave)

If you are interested I have done a script called cnfg which describes
your configuration (OSF station 2100 or 3000). The drawback of it is
that it is reserved to root, and needs editing when a new device
appears (it already knows a lot of them).

------------------------------- CUT HERE -------------------------------
if [ `whoami` != root ]
then
    echo "Vous devez etre root pour cette commande . Bye..."
    exit 1
fi
# Note: /tmp/cnfg.tmp is a fixed name in a world-writable directory and
# is written as root.
trap 'rm -f /tmp/cnfg.tmp 2>/dev/null' 0 1 2 15
# Defaults for the two flags tested further down (assumed values; the
# option patterns that set them are missing from the page).
long=false
nodate=false
while [ "$1" ]
do
    case $1 in
        *) ;;   # the option patterns are missing from the page
    esac
    shift
done
# The PATH assignment that preceded this line is missing from the page.
export PATH
hostname=`hostname | awk -F\. '{print $1}'`
HOSTNAME=`echo $hostname | tr 'a-z' 'A-Z'`
adresseIP=`arp $hostname | sed 's/^.*(//;s/).*$//'`
ADRESSEIP=`arp $HOSTNAME 2>/dev/null | sed 's/^.*(//;s/).*$//'`
[ `machine` = "alpha" ] || echo "wait..."
# Label the interesting lines of the most recent uerf entries.
uerf -R -r 300 | head -200 | sed '
s/ //
s/OCCURRED ON SYSTEM/Nom du systeme :/
s/OCCURRED.LOGGED ON/Dernier boot le :/
s/(DEC //
s/RZ25./device:& : disque de 0,42 Gbyte/
s/RZ26./device:& : disque de 1 Gbyte/
s/ST32430./device:& : disque de 2 Gbyte/
s/DSP3105./device:& : disque de 1 Gbyte/
s/DPES-31080./device:& : disque de 1 Gbyte/
s/RZ28./device:& : disque de 2,1 Gbyte/
s/RZ55./device:& : disque de 0,33 Gbyte/
s/RZ56./device:& : disque de 0,6 Gbyte/
s/RZ58./device:& : disque de 1,4 Gbyte/
s/RZ29./device:& : disque de 4 Gbyte/
s/RX26./device:& : floppy 2,8 Mbyte externe/
s/fd[0-1] at fdi[0-1] unit [0-1]/ _ device:& : floppy interne/
s/RRD43./device:& : disque CD-rom/
s/RRD42./device:& : disque CD-rom/
s/RRD40./device:& : disque CD-rom/
s/CD-ROM./device:& : disque CD-rom/
s/IMPRIMIS94601.* /device:& : disque de 1 Gbyte/
s/HEXABYTE./device:& : Bande hexabyte/
s/EXABYTE./device:& : Bande exabyte/
s/gd[0-9][0-9]*:/ _ device:& : Graveur CDrom/
' > /tmp/cnfg.tmp
# Keep only the first uerf entry: delete from "ENTRY 2" to the end.
ed - /tmp/cnfg.tmp <<@@ >/dev/null
/ENTRY *2./,\$d
w
q
@@
egrep -s 'ENTRY *1' /tmp/cnfg.tmp
if [ $? -eq 1 ]
then
    echo "Anomalie dans les fichiers log lus par la commande uerf"
    echo operation annulee
    echo Bye...
    exit 1
fi
if [ `machine` = "alpha" ]
then
    #swapon -s | tail -5 >> /tmp/cnfg.tmp
    swapon -s | egrep "partition|Allocated" >> /tmp/cnfg.tmp
elif [ `machine` = "mips" ]
then
    swap=`pstat -s | head -1 | sed 's/k.*//'`
    echo " Taille du swap = `expr $swap \/ 1000` MB" >> /tmp/cnfg.tmp
fi
#sed -f config.sed /tmp/cnfg.tmp
# The then/else/fi lines are missing from the page; the branch layout
# below is assumed.
if [ "$long" = true ]
then
    cat /tmp/cnfg.tmp
else
    grep "Nom du systeme" /tmp/cnfg.tmp
    echo "Version Operating system : `uname -a`"
    if [ `machine` = "alpha" ]
    then
        psrinfo -n | sed 's/number of .*=/nombre de CPU : /'
    else
        echo "nombre de CPU : 1"
    fi
    [ "$nodate" = "false" ] && grep "Dernier boot" /tmp/cnfg.tmp
    grep "CPU TYPE" /tmp/cnfg.tmp
    echo "Ethernet interfaces :"
    egrep "Ethernet|address" /tmp/cnfg.tmp
    echo "Adresse IP : $adresseIP"
    if [ "$ADRESSEIP" != "$adresseIP" -a "$ADRESSEIP" ]
    then
        echo "Adresse IP : $ADRESSEIP"
    fi
fi
------------------------------- CUT HERE -------------------------------

Problems with vold /vol

An ls hangs, and truss shows
a sleeping...

Unmount /vol with umount, stop vold and start it again.

Viewing problems, or debugging hardware, on Solaris


Wednesday, 12 November 2003

Summing the size of several directories with du

With the script:
for i in `du -ks /tmp /opt | awk '{ print $1 }'`; do A=$(($A+$i)); echo "$A"; done | tail -1

Listing processes and their CPU usage, like top, on AIX

topas; if it is not installed:
ps -eo "%p %y %C %c %a"
This ps supports AIX format descriptors, which work somewhat
like the formatting codes of printf(1) and printf(3).
For example, the normal default output can be produced
with this: ps -eo "%p %y %x %c"

CODE  NORMAL  HEADER
%C    pcpu    %CPU
%G    group   GROUP
%P    ppid    PPID
%U    user    USER
%a    args    COMMAND
%c    comm    COMMAND
%g    rgroup  RGROUP
%n    nice    NI
%p    pid     PID
%r    pgid    PGID
%t    etime   ELAPSED
%u    ruser   RUSER
%x    time    TIME
%y    tty     TTY
%z    vsz     VSZ

Viewing the hardware configuration on AIX

lscfg -v: general system information
lsattr -El sys0: memory and CPU (depends on the version)
oslevel: operating system version
uname -M: machine model (depends on the version)
lsdev -Cc disk: information about the disks
lsattr -El hdisk0: detailed information about disk 0

How to find out the make of the devices (hd, cdrom, etc.) on Solaris?

iostat -En

Diagrams of the different RAID types

The different RAID types can be seen at:

Monday, 10 November 2003

History of Unix (tree)

Link with information, as a (graphical) tree, on the history of Unix, in PDF