NoNoNo's questions

In a RHEL7 server, I have to implement two password policies that can be described as parameters of PAM pam_pwquality module:

1. password requisite pam_pwquality.so try_first_pass local_users_only minlen=14
2. password requisite pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1

Furthermore the default RHEL 7 PAM configuration contains already the following entry of pam_pwquality:

3. password requisite pam_pwquality.so try_first_pass local_users_only retry=3

I have the requirements to apply the password policy of entry 3 to all users and the password policy to two differents groups of local user named group1 and group2.

To apply this requirements, I have added the following code in /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac after the default pam_pwquality entry (named 3. in this question):

password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 # Default RHEL7 pam_pwquality.so entry
#BEGIN PWPOLICY 1
password [success=1 default=ignore] pam_succeed_if.so user notingroup group1
password    requisite     pam_pwquality.so try_first_pass local_users_only minlen=14 use_authtok
#END PWPOLICY 1


#BEGIN PWPOLICY 2
password [success=1 default=ignore] pam_succeed_if.so user notingroup group2
password    requisite     pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1 use_authtok
#END PWPOLICY 2

This configuration works as expected but it has the disadvantage that when a user (included in group1 and group2) change the password it needs to repeat it multiple times, as showed in the following example:

[test@rhel7 ~]$ passwd 
Changing password for user test.
Changing password for test.
(current) UNIX password: 
New password: 
Retype new password: 
Retype new password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

The option "use_authtok" included in my last two pam_pwquality entries seems to be ignored.

Do you know what is wrong with this configuration or other methods to implements these requirements?

I would collect the log(in particolar auditd but also other syslog log) produced by several linux server in a centralized syslog server installed in a linux server. I would configure the centralized syslog server in a secure network where the centralized syslog server can initiate connections to the other server but the other server producing the logs (some of them are exposed also on internet) can't initiate any connections to it.

I know that rsyslog allows to send log to a remote syslog using tcp or udp as described for example in http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/ but in this case I can't use it because the servers can't send log to the centralized syslog server for the restriction described above.

Are there other log shipping tools or software working with a pull strategy indeed of the "push" strategy used by rsyslog?

I'm configuring a "subnet to subnet VPN" between two Centos 7 server using libreswan. Each server has two nic as showed in the following image.

I would allow secure communication between the subnets 172.18.0.0/16 and 172.19.0.0/16 establishing a vpn using 172.17.0.0/16 network but I have problem to allow traffic between these two subnets.

I followed the redhat official documentation in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html#Site-To-Site_VPN_Using_Libreswan

Actually I stopped firewalld on both nodes.

I checked ipsec prerequisites:

[root@node2 ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.8 (netkey) on 3.10.0-123.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

The ipsec.conf content is:

config setup
    protostack=netkey

conn mytunnel
    leftid=@node1
    left=172.17.0.101
    leftrsasigkey=0sAQPXn...        
    rightid=@node2
    right=172.17.0.102
    rightrsasigkey=0sAQPxv...
    authby=rsasig

conn mysubnet
     also=mytunnel
     leftsubnet=172.18.0.0/16
     rightsubnet=172.19.0.0/16
     auto=start

I start ipsec service on both node. Then I check that "ipsec status" (here there is the output http://pastebin.com/LYA9uqfJ ) and I don't found any error.

The routing table of node1 is:

[root@node1 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eno16777736
172.18.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eno33554992

If a try to ping from node1 the ip address 172.19.0.101, I obtain the errror "connect: Network is unreachable"

Is there something missing in my configuration? What can i try to allow secure traffic between these two subnets?

I would configure a 4-nodes cluster using RHEL 6.5 and Pacemaker as reported in the official documentation https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html

The four nodes are splitted on two datacenter, two server in a datacenter and two server in the other.

I want configure a set of KVM virtual machine in HA on this cluster.

The server are connected to a SAN with shared storage between the two datacenter.

The fencing method used for the server is HP iLO(they are HP server).

How can I configure the cluster in order to obtain the quorum between the nodes during a split brain (no network communication between the two datacenter)? Do you have any suggestion or link about a possibile configuration?

I didn't found any reference in the official documentation of redhat related to quorum disk o "Multi-site clusters using ticket" feature of Pacemaker and I can't use two-node cluster configuration because I have 4 nodes in my cluster.

I have a host with Windows 7. I installed VMware Workstation where I have installed two virtual machines. Each virtual machine is a rhel 6.2 node running clustersuite.

Do you know which fence device I can use in order to configure the cluster?

I have two vSphere environment:

• one composed by a vCenter 4 and two Esx Host 4.0 sharing a clustered datastore (VMFS3) and several virtual machine
• one composed by a vSphere 5 and two Esxi Host 5.0 sharing a empty clustered datastore (VMFS5)

Both datastore are configured on SAN LUN and I need to migrate the VM from first environment to the second. I thinked the following scenario:

1. I publish the LUN of first datastore to vm Esxi 5.0 Host and I mount the VMFS3 datastore on it while it's mounted also in the two Esx Host 4.0.

2. For each VM (while the others remains up) I shutdown a VM and I copy them from VMFS3 datastore to VMFS5 datastore, upgrade and power on

Can i execute the first step? Are there better methods to execute the migration of VM in this environment?

i'm trying to extract data sensor from a HP Superdome (sx2000) using the protocol IPMI over LAN. I enabled the IPMI protocol and i setup the password for IPMI protocol on the Superdome. I'm using ipmiutil tool as IPMI client,the client is connected to the server but it obtains meanigless result(compared with ipmiutil man pages). Here the output of the command:

C:\ipmi>ipmiutil.exe sensor -N <IPADDRESS> -P <IPMI_PASSWORD>
ipmiutil ver 2.83
isensor: version 2.83
Opening lan connection to node <IPADDRESS> ...
Connecting to node  <IPADDRESS>
-- BMC version 1a.03, IPMI version 1.5 
_ID_ SDR_Type_xx ET Own Typ S_Num   Sens_Description   Hex & Interp Reading
0001 SDR EntA 08 0b d2 00 80: 17 00 17 03 d3 00 d3 0f 
0002 SDR EntA 08 0b 17 00 c0: 16 00 16 01 00 00 00 00 
0003 SDR EntA 08 0b 17 01 c0: 16 02 16 03 00 00 00 00 
0004 SDR EntA 08 0b 17 02 c0: 16 04 16 07 00 00 00 00 
0005 SDR EntA 08 0b 17 03 c0: 16 08 16 0b 00 00 00 00 
0006 SDR EntA 08 0b 13 00 80: 0a 00 0a 05 00 00 00 00 
0007 SDR EntA 08 0b 13 01 80: 0a 06 0a 0b 00 00 00 00 
0008 SDR EntA 08 0b 13 02 80: 0a 0c 0a 0d 00 00 00 00 
0009 SDR EntA 08 0b 13 03 80: 0a 0e 0a 0f 00 00 00 00 
000a SDR EntA 08 0b d1 00 80: d0 00 d0 01 00 00 00 00 
000b SDR EntA 08 0b d1 01 80: d0 02 d0 03 00 00 00 00 
000c SDR EntA 08 0b d1 02 80: d0 04 d0 05 00 00 00 00 
000d SDR EntA 08 0b d1 03 80: d0 06 d0 07 00 00 00 00 
000e SDR EntA 08 0b 16 00 80: d6 00 d6 03 1e 02 1e 02 
000f SDR EntA 08 0b 16 01 80: d6 04 d6 07 1e 02 1e 02 
0010 SDR EntA 08 0b 16 02 80: d6 08 d6 0b 1e 03 1e 03 
0011 SDR EntA 08 0b 16 03 80: d6 0c d6 0f 1e 03 1e 03 
0012 SDR EntA 08 0b 16 04 80: d6 10 d6 13 1e 04 1e 04 
0013 SDR EntA 08 0b 16 05 80: d6 14 d6 17 1e 05 1e 05 
0014 SDR EntA 08 0b 16 06 80: d6 18 d6 1b 1e 06 1e 06 
0015 SDR EntA 08 0b 16 07 80: d6 1c d6 1f 1e 07 1e 07 
0016 SDR EntA 08 0b 16 08 80: d6 20 d6 23 1e 08 1e 08 
0017 SDR EntA 08 0b 16 09 80: d6 24 d6 27 1e 09 1e 09 
0018 SDR EntA 08 0b 16 0a 80: d6 28 d6 2b 1e 0a 1e 0a 
0019 SDR EntA 08 0b 16 0b 80: d6 2c d6 2f 1e 0b 1e 0b 
001a SDR EntA 08 0b 1e 00 80: 1d 00 1d 03 00 00 00 00 
001b SDR EntA 08 0b 1e 01 80: 1d 04 1d 07 00 00 00 00 
001c SDR EntA 08 0b 1e 02 80: 1d 08 1d 0c 00 00 00 00 
001d SDR EntA 08 0b 1e 03 80: 1d 0d 1d 11 00 00 00 00 
001e SDR EntA 08 0b 1e 04 80: 1d 12 1d 15 00 00 00 00 
001f SDR EntA 08 0b 1e 05 80: 1d 16 1d 19 00 00 00 00 
0020 SDR EntA 08 0b 1e 06 80: 1d 1a 1d 1d 00 00 00 00 
0021 SDR EntA 08 0b 1e 07 80: 1d 1e 1d 21 00 00 00 00 
0022 SDR EntA 08 0b 1e 08 80: 1d 22 1d 25 00 00 00 00 
0023 SDR EntA 08 0b 1e 09 80: 1d 26 1d 29 00 00 00 00 
0024 SDR EntA 08 0b 1e 0a 80: 1d 2a 1d 2d 00 00 00 00 
0025 SDR EntA 08 0b 1e 0b 80: 1d 2e 1d 31 00 00 00 00 
0026 SDR EntA 08 0b 1e 0c 80: 1d 32 1d 33 00 00 00 00 
0027 SDR EntA 08 0b 1e 0d 80: 1d 34 1d 35 00 00 00 00 
0028 SDR EntA 08 0b 07 00 80: d5 00 d5 07 13 04 13 04 
0029 SDR EntA 08 0b 07 01 80: d5 08 d5 0f 13 05 13 05 
002a SDR EntA 08 0b d7 00 80: d8 00 d8 01 00 00 00 00 
002b SDR EntA 08 0b d7 01 80: d8 02 d8 03 00 00 00 00 
002c SDR EntA 08 0b 13 04 80: 14 00 14 01 00 00 00 00 
002d SDR EntA 08 0b 13 05 80: 14 02 14 03 00 00 00 00 
002e SDR EntA 08 0b 12 00 c0: 09 00 09 03 00 00 00 00 
002f SDR EntA 08 0b 12 01 c0: 09 04 09 07 00 00 00 00 
0030 SDR EntA 08 0b 12 02 c0: 09 08 09 0b 00 00 00 00 
0031 SDR EntA 08 0b 12 03 c0: 09 0c 09 0f 00 00 00 00 
0032 SDR EntA 08 0b 12 04 c0: 09 10 09 13 00 00 00 00 
0033 SDR EntA 08 0b 12 05 c0: 09 14 09 17 00 00 00 00 
0034 SDR EntA 08 0b 12 06 c0: 09 18 09 1b 00 00 00 00 
0035 SDR EntA 08 0b 12 07 c0: 09 1c 09 1f 00 00 00 00 
0036 SDR EntA 08 0b 12 08 c0: 09 20 09 23 00 00 00 00 
0037 SDR EntA 08 0b 12 09 c0: 09 24 09 27 00 00 00 00 
0038 SDR EntA 08 0b 12 0a c0: 09 28 09 2b 00 00 00 00 
0039 SDR EntA 08 0b 12 0b c0: 09 2c 09 2f 00 00 00 00 
003a SDR EntA 08 0b 12 0c c0: 09 30 09 33 00 00 00 00 
003b SDR EntA 08 0b 12 0d c0: 09 34 09 37 00 00 00 00 
003c SDR EntA 08 0b 12 0e c0: 09 38 09 3b 00 00 00 00 
003d SDR EntA 08 0b 12 0f c0: 09 3c 09 3f 00 00 00 00 
003e SDR EntA 08 0b 17 00 40: 0e 00 1e 00 07 00 06 00 
003f SDR EntA 08 0b 17 00 40: 11 00 11 04 00 00 00 00 
0040 SDR EntA 08 0b 17 01 40: 0e 01 1e 01 07 01 00 00 
0041 SDR EntA 08 0b 17 01 40: 11 01 11 05 00 00 00 00 
0042 SDR EntA 08 0b 17 02 40: 0e 02 1e 0c 11 02 11 06 
0043 SDR EntA 08 0b 17 03 40: 0e 03 1e 0d 11 03 11 07 
.... (several line like the previous)

Can you know which the problem is? Or how can i extract useful information from this output?

Do you know a IPMI client for Windows supporting the protocol IPMI over Lan version 1.5? I want extract sensors data(fan speed, temperature) from a HP Integrity Superdome with the IPMI over lan protocol enabled.