anthonysomerset's questions

I have a patterndb config that is parsing pfsense filterlog messages to extract the various fields to send to Azure Sentinel in CEF format, it is largely working fine

I need to set the Severity field of my event based upon the firewall action.

for example, if the field "PF.PF_ACTION" is block, the "Severity" needs to = 4, if the "PF.PF_ACTION" is pass "Severity" needs to = 1

Severity does not exist at this point, i am creating a new macro here or want to return the correct value based upon the original Macro

I have tried a template function with if but it seems to always think the result is true

template-function set_pfsense_severity "$(if (\"${PF.PF_ACTION}\" == \"pass\" ) \"4\" \"1\")";
template-function cef_header_netgate "${ISODATE} ${HOST} CEF:0|Netgate|pfSense||${PF.PF_TRACKER}||$(set_pfsense_severity)|";
        file(
                "/var/log/pfsense.log"
                fsync(yes)
                template("$(cef_header_netgate)$(format-welf --omit-empty-values act=${PF.PF_ACTION} dvc=$HOST dvchost=$HOST dst=${PF.PF_IP_DESTINATION_IP} dpt=${PF.PF_IP_DESTINATION_PORT} in=${PF.PF_IP_PAYLOAD_LENGTH} msg=$MSG proto=${PF.PF_IP_PROTOCOL_TEXT} src=${PF.PF_IP_SOURCE_IP} spt=${PF.PF_IP_SOURCE_PORT} csl=${PF.PF_RULE_NUMBER} deviceDirection=${PF.PF_DIRECTION} deviceFacility=$FACILITY)\n")
        );
};
log {
        source(s_udp_oms);
        filter(f_oms_pfsense_filterlog);
        parser(pfsense);
        rewrite(r_set_direction);
        destination(pfsense_parsed);
};

here is 2 log lines for reference, the Severity field is the field before |act=

2022-03-09T20:23:38+00:00 192.168.x.254 CEF:0|Netgate|pfSense||1000000103||4|act=block csl=4 deviceDirection=0 deviceFacility=local0 dpt=9999 dst=255.255.255.255 dvc=192.168.x.254 dvchost=192.168.x.x in=14 msg=4,,,1000000103,igb0.20,match,block,in,4,0x0,,64,0,0,DF,17,udp,34,0.0.0.0,255.255.255.255,9998,9999,14 proto=udp spt=9998 src=0.0.0.0
2022-03-09T20:23:41+00:00 192.168.x.254 CEF:0|Netgate|pfSense||1770011110||4|act=pass csl=130 deviceDirection=0 deviceFacility=local0 dpt=443 dst=17.253.x.x dvc=192.168.x.254 dvchost=192.168.x.x in=0 msg=130,,,1770011110,igb0.10,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.x.x,17.253.x.x,58359,443,0,S,3162698201,,0,,mss;nop;wscale;nop;nop;TS;sackOK;eol proto=tcp spt=58359 src=192.168.x.x

how else can i either configure a macro that i can place in the template or return the correct value?

With IPv6 networking we prefer to configure as little as possible on the end device and rely on SLAAC to configure, default route and address info. and then manually add additional addresses as needed without interfering with SLAAC operations.

On Ubuntu this is trivial:

iface ens192 inet6 auto
    up /sbin/ip -6 addr add some:pref:ix::some:suff:ix/64 dev $IFACE

and the relevant ifconfig output like this:

ens192    Link encap:Ethernet  HWaddr 00:50:56:xx:xx:xx  
      inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.255.224
      inet6 addr: some:pref:ix::some:suff:ix/64 Scope:Global
      inet6 addr: fe80::250:56ff:xxxx:xxxx/64 Scope:Link
      inet6 addr: some:pref:ix::defa:ult:suff:ix/64 Scope:Global

However i'm struggling to work out how i might achieve similar results in CentOS or other Redhat based (specifically 6.x) releases

We are doing basic management of some servers via puppet - The servers themselves run as part of a clustered system that handles other aspects like user accounts etc and includes a monitoring script that detects changes in key files (/etc/passwd and the like). If puppet updates a package it potentially changes these key files triggering the monitoring system. (which is not unintentional)

The monitoring system has a command that can be manually run to clear the state and we have to do this each time puppet applies any changes, When we start getting emails!

We could define an exec that runs in a post run_stage to run the command but this by default would fire every time puppet runs, and then our reports will always show as puppet made changes regardless of whether changes were made or not.

Is there a way we can set the exec so that it only runs if puppet has applied other changes?

we have running tacacs environment for centralised login to our routers, firewalls etc and even most of our linux boxes to ssh

what we would like to do is allow users to authenticate to SSH via public key auth rather than having to type there password in, but still authorize via tacacs to check that login is indeed allowed and access should be granted, but if the user is disabled in tacacs it should be rejected

is that possible and how would it be achieved - we are using RedHat/Centos with pam_tacplus

secondary related question: how would you allow specific system accounts to bypass tacacs authentication so that server to server scripts could run via SSH and public key auth without the need to exist in tacacs also

is that even possible?

Summary, i'm running puppet master on a server and ideally we want root logins via ssh disabled, we want to force all access via sudo if root access required

however we have puppet installed using a git repo to manage the manifests, this repo is currently owned by root and currently i only know of 2 solutions

1. (less ideal) allow root access via key auth only - if so, what can i lock it down to to only allow the git push commands?
2. own the repo in /etc/puppet as a different owner - will puppet work reliably with this?
3. Could relevant Sudo config and command work around this?

i have a large database to backup nightly and we currently do mysqldump on the master server which locks all inserts when dumping

we use a master slave mysql setup with magento configured to send all writes to the master and all reads to the slave. if we move the backup to the slave server will the mysqldump process lock out select queries or any other queries that would be reading data only and not inserting data to the DB?

i'm due to replace an ageing Dell Tower server running AD on Windows Server 2003 SBS with a new rackmount server running Windows Server 2008 R2

they run an Active Directory network with mostly XP SP3 clients with the odd vista or Win 7 client, they all currently run local profiles but we intend to convert them to roaming profiles because they are mostly desktop clients

we are actually retiring exchange as the client migrated to google apps a month or so ago.

we are trying to make the change as seamless as possible on the client side, so i'm guessing something along the lines of setting up new server to be a slave DC then promoting it to master status and then moving the shared files over

I am aware that having too many redirects in a .htaccess file can lead to a loss of performance in apache, this leads me to my question is there a faster way to configure redirects in apache particularly if i have several hundred? i am also having to use a cpanel server in this instance.