Thursday, March 17, 2016

Centos 6 Checklist on Systems Security

Linux Security Checklist

A reliable server is only as good as its maintenance and the processes applied to it. The systems security checklist template for Centos 6 mentioned below serves to meet basic security requirements. A more stringent and targeted checklist can be developed further.

This mainly records existing system details and follows common practices. Some items, such as SELinux, are listed as permissive because this is what I have at the moment. Details should be updated to suit specific server needs. Another useful checklist is for web application deployment and can be found at http://tboxmy.blogspot.my/2011/06/linux-security-checklist_14.html.

Centos 6 Checklist on Systems Security (link)

The contents of the checklist include:

Section A. Details of the system
Section B. Services
Section C. Essential files
Section D. Examples.




Monday, March 14, 2016

NFS Commands 101


Refer to previous article Setup File Sharing with NFS on Centos Linux.

I find NFS version 3 is the most commonly used; it uses remote procedure calls (RPC) to manage the connection between client and server. The service called rpcbind in Centos 6 has replaced portmap to handle RPC (see nfs4). Versions 3 onward support files larger than 2 Gb in size.

Whenever an NFS server is restarted without a graceful shutdown, the service rpc.statd notifies NFS clients. When quotas are applied to NFS, the service rpc.rquotad handles quota information.

The file /etc/exports defines which directories are available to NFS clients. Each share is placed on a separate line that indicates which clients can access it, along with the options. By default, users access a share as the user nobody; this can be overridden with an option in /etc/exports.

E.g. the following /etc/exports entry shares the directory /data with the client 192.168.1.45. The client may read and write, and mounts synchronously.

/data 192.168.1.45(rw,sync)

Or the user connects as its own user, root included:

/data 192.168.1.45(rw,no_root_squash,sync)
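
The two /etc/exports lines above differ only in no_root_squash, which lets root on the client act as root on the share. As an added example (not from the original post), the script below audits an exports-style file for that option and, going beyond the two lines shown, for the insecure option, wildcard read-write clients and a stray space before the options; the function names audit_exports and write_sample and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky entries in an /etc/exports-style file.
# audit_exports and write_sample are illustrative names, not NFS tools.

audit_exports() {
    # $1 = exports file; prints "line:share:client:finding" for each issue
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    NF == 0    { next }                      # skip blank lines
    {
        share = $1
        if (NF == 1) {                       # bare path: no client restriction
            print NR ":" share ":*:no client listed, exported to every host"
            next
        }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # "(rw)" after a space matches any host
            rw = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash")
                    print NR ":" share ":" client ":no_root_squash, client root is root on the share"
                if (o[j] == "insecure")
                    print NR ":" share ":" client ":insecure, unprivileged source ports accepted"
            }
            if (rw && client ~ /[*?]/)
                print NR ":" share ":" client ":read-write share open to a wildcard client"
        }
    }' "$1"
}

write_sample() {
    # Constructed sample input, not taken from a real server.
    cat > "$1" <<'EOF'
# constructed sample exports file
/data    192.168.1.45(rw,sync)
/data2   192.168.1.45(rw,no_root_squash,sync)
/pub     *(rw,sync)
/backup  192.168.1.45 (rw,sync)
/media   192.168.1.0/24(ro,insecure)
/scratch
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_exports "$tmp"
rm -f "$tmp"
```

On a server, run audit_exports /etc/exports; the /backup line in the sample shows how a space between the client and its options leaves the share read-write to any host.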

Default ports used by NFS are 2049 for the NFS service and 111 for RPC service.

Here is a list of NFS version 3 commands. Most are run on the client side unless specified.

General NFS Commands

Start and stop NFS service
# service nfs start
Or
# /etc/init.d/nfs start
Or
# service nfs stop

Enable NFS service at boot
# chkconfig nfs on

Refresh NFS server shares from /etc/exports
# exportfs -r

Unload and reload NFS shares from /etc/exports
# exportfs -ua
# exportfs -a

Check support for NFS in the kernel. Did you forget to compile the kernel with NFS support?
# lsmod | grep nfs
or
# grep -i nfs /boot/config-$(uname -r)

Check which RPC services are registered and running
# rpcinfo -p

Display NFS statistics as client
# nfsstat -c

Display use of io
# vmstat -s

Mounting NFS

Display available NFS mounts
# showmount -e servername

Mount an NFS share on a local mount point (here /mnt/sharename, as an example)
# mount -t nfs servername:/the/sharename /mnt/sharename

Display if the NFS mount is full or its free space
# df -k


Troubleshoot reference


Howto check Linux memory usage

Ever found a Linux system suddenly having low free memory or none at all? This is something to check when the server suddenly starts slowing down or is not able to complete processes.

Here are several methods to diagnose and maybe identify a fix. Check the memory usage, then identify the process causing the extreme usage. Next, work on that process's configuration.


Check memory usage

Display available and used memory with 'free' command
# free
Or
# free  -m

The top live monitor
# top

Press m to display memory
Press Shift + m to sort by memory percentage
Press R to reverse the sort


List processes and amount of memory being used
# ps -e -o pid,vsz,comm=
Or
# ps -e -o pid,vsz,comm= | sort -n -k 2

Or
# ps aux  | awk '{print $6/1024 " MB\t\t" $11}'  | sort -n


View meminfo
# cat  /proc/meminfo
or
# vmstat -s

View the RAM device installed
# dmidecode -t 17


Check the process

List processes that open files
# lsof


Several TYPEs of files are monitored

REG – Regular File
DIR – Directory
FIFO – First In First Out
CHR – Character special file

A description of the file is shown by FD
cwd – Current Working Directory
txt – Text file
mem – Memory mapped file
mmap – Memory mapped device
NUMBER – Represents the actual file descriptor. The character after the number, e.g. ‘1u’, represents the mode in which the file is opened: r for read, w for write, u for read and write.

List processes based on process names
# lsof -c ssh

List processes based on process id
# lsof -p 1234

Where 1234 is an example of the process id (pid).

Done

Tuesday, March 8, 2016

Boot Centos Linux to Windows

Centos 6 and 7 take different approaches to booting into a graphical windows interface known as X. First, ensure the packages needed to display windows are installed; most of them are bundled with one of the popular Linux desktop environments.

Among the popular desktop environments currently available are:

  • Gnome
  • KDE
  • Unity
  • Xfce
  • LXDE
  • Cinnamon
Here are the steps.

Centos 6 Approach


Edit the file /etc/inittab and change the number 3 to 5 as shown in the line below

id:5:initdefault:

Then reboot.

To start graphical windows without reboot, at the command prompt type

init 5
or
startx

Centos 7 Approach


Log in as root and at the prompt type

sudo systemctl set-default graphical.target

Then reboot.

To start graphical windows without reboot, at the command prompt type

sudo systemctl start graphical.target

Done

Install GIMP on Centos 6

Centos 6.6 provides the popular graphic editing software GIMP at version 2.6.9. The current stable release is GIMP 2.8 for those who seek the additional editing features (link). Existing Centos 6.6 does not have the required newer libraries to support GIMP 2.8.

The details of the GIMP package are shown below.

Name        : gimp                         Relocations: (not relocatable)
Version     : 2.6.9                             Vendor: CentOS
Release     : 8.el6_6                       Build Date: Thu 20 Nov 2014 02:06:25 PM EST
Install Date: Tue 08 Mar 2016 03:09:46 PM EST      Build Host: c6b9.bsys.dev.centos.org
Group       : Applications/Multimedia       Source RPM: gimp-2.6.9-8.el6_6.src.rpm
Size        : 48118103                         License: GPLv2+
Signature   : RSA/SHA1, Thu 20 Nov 2014 04:10:42 PM EST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem
URL         : http://www.gimp.org/
Summary     : GNU Image Manipulation Program
Description :
GIMP (GNU Image Manipulation Program) is a powerful image composition and
editing program, which can be extremely useful for creating logos and other
graphics for webpages. GIMP has many of the tools and filters you would expect
to find in similar commercial offerings, and some interesting extras as well.
GIMP provides a large image manipulation toolbox, including channel operations
and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all
with multi-level undo.


Flexibility in editing includes the availability of many brushes and patterns.

Here are the steps to install the standard GIMP version 2.6.9
 

Step 1: Install GIMP



# yum install gimp





Step 2: Install additional brushes and patterns

Install additional brushes and patterns. Brushes include swirls and text to enhance strokes. Patterns include clouds and funnymess.

# yum install gimp-data-extras

Start GIMP from the desktop menu. Click Applications ->Graphics ->GNU Image Manipulation Program




Done

Saturday, February 20, 2016

Install OSMC on Raspberry Pi2

Raspberry Pi 2 (RPI2) provides a flexible multimedia centre for movie streaming, watching Youtube, using a web browser, and options to add on many Linux applications. OSMC is one of the images that can be downloaded onto an RPI2 from osmc.tv (download page or FTP). This Debian Jessie based system is great at running the RPI2 and allows developers space to enhance it to their needs.

The media player system KODI provides an interface to multimedia content such as movies, online TV, videos, photos and music. KODI itself does not have any media content, but due to its extensible nature, many developers have created plugins to access external content and add-ons to extend its functionality. Media content could reside on the same device as KODI, on a local area network, be streamed from the internet or be cached from the internet. KODI 15 comes with the current OSMC.

* Consider OSMC as an upgrade of Raspbmc.

This is an update to the previous post "Raspberry Pi: Getting Started with OSMC" and I do not expect it to go into too much detail. When I mention OSMC, it might also refer to KODI as it's typically the only screen seen when running this RPI2.

Step 1: Starting OSMC

Download the OSMC image from raspberry.org and copy the .img image file to the blank SD card. Tools such as Win32 Disk Imager can be used for this purpose.

Plug the SD card into the RPI2 and start the RPI2 (it should already have an internet connection).

The installation process starts automatically.


It will reboot once installed successfully.

Step 2: Basic configuration

The default layout and appearance are handled by the skin called OSMC. Below is the OSMC main menu screen.


It shows the following options:
  1. Videos
  2. Music
  3. Pictures
  4. My OSMC
  5. Favourites
  6. Programs
  7. Settings
  8. Power

Configure Screen size

The screen display may appear outside of the screen area. Change the zoom size until everything meets your satisfaction. From OSMC home page, click Settings ->Appearance ->Skin. Choose your zoom level and press Esc key until back to OSMC main menu.


Configure Timezone

Configure the timezone for correct time display. Click Settings ->Appearance ->International. Choose your region and the OSMC time should be updated instantly.

Configure Skin

Default skin OSMC can be changed to KODI's default skin called Confluence. From OSMC home page, click Settings ->Appearance ->Skin. Choose skin as confluence and press Esc key until back to OSMC main menu.

More notes from the KODI website: Quick start guide, Home screen controls.

Step 3: Add Youtube addon

In Videos menu there is an option to link your Youtube account with OSMC. This allows viewing of all your Youtube channels. From the OSMC main menu, click Videos ->Video add-ons ->Get more... ->Youtube

Click Install

Click launch. (From the OSMC main menu, you can click Videos ->Video add-ons to watch Youtube).

Follow the instructions on screen.
One of these is accessing youtube.com/activate on a PC to enter the code given by the add-on in OSMC.

Troubleshooting:

1. Mode Not Supported

If, after the installation process, the RPI2 boots and the screen displays the message "Mode Not Supported", it means the display resolution was not automatically detected correctly. This happens on one Samsung TV.

Solution:
SSH into the OSMC and edit  /boot/config.txt
See command line tips at Raspbian Command Line Basics 101

Updated file for mode CEA
gpu_mem_1024=256
hdmi_ignore_cec_init=1
disable_overscan=1
start_x=1
hdmi_group=1
hdmi_mode=20
disable_splash=1
dtoverlay=lirc-rpi:gpio_out_pin=17,gpio_in_pin=18

ALTERNATIVE Updated file for mode DMT
overscan_top=16
hdmi_mode=4
gpu_mem_1024=256
overscan_right=24
force_turbo=0
over_voltage_sdram=0
config_hdmi_boost=4
disable_overscan=1
initial_turbo=0
start_x=1
hdmi_group=2
sdtv_aspect=0
overscan_bottom=16
overscan_left=24
disable_overscan=0
hdmi_force_hotplug=1
arm_freq=900
sdram_freq=450
core_freq=450
hdmi_ignore_cec_init=1
over_voltage=0

2. Youtube add-on errors/issue.

Login succeeds after the 2 Google app authorisations, but an empty list is displayed along with an error about exceeded quota (of some sort).

Solution:
Step 1: Activate the Google API v3
All Google Apps require API v3, as derived from forum posting #2904.

Login to your google developer account and enable the above API.

Step 2: Use your own browser key, OAuth id and secret.
It looks like the default developer combination of the above does not allow too many people to use it (see posting #2847).

Log in to your Google developer account and create the above. A new project is created if none exists yet.

The newly created info from above should be updated in the file login_client.py, which is found in /home/osmc/.kodi/addons/plugin.video.youtube/resources/lib/youtube/client/

Find the line as below and edit the key, id and secret values.

'youtube-for-kodi-15': {
            'system': 'Isengard',
            'key': 'The_browser_key',
            'id': 'The_oauth_id_.apps.googleusercontent.com',
            'secret': 'The_oauth_secret_word'
        },

Done

Wednesday, January 20, 2016

RPI2 - Dashing Dashboard Installation Tutorial


A dashboard provides a quick view of information on the system. It can be a desktop application or web based. One such example on Raspberry Pi 2 is Dashing, which is based on the Sinatra Framework and Ruby.

The Sinatra Framework from http://sinatrarb.com provides quick web application development on Ruby. Example of installation on Ruby:

$ sudo gem install sinatra


Pre Installation checklist


  1. Raspbian Jessie
  2. Ruby


Installation of Dashboard on Dashing.

Step 1: Install Dashing.

$ sudo apt-get update
$ sudo apt-get install ruby-dev
$ sudo apt-get install ruby2.1-dev
$ sudo gem install bundler


Install Dashing 1.3.4 and create a new project called my_dashboard_project.

$ sudo gem install dashing



Step 2: Create a new project space

$ dashing new my_dashboard_project
$ cd my_dashboard_project
$ ls -l
total 36
drwxr-xr-x  6 pi pi 4096 Jan 20 12:34 assets
-rw-r--r--  1 pi pi  339 Jan 20 12:34 config.ru
drwxr-xr-x  2 pi pi 4096 Jan 20 12:34 dashboards
-rw-r--r--  1 pi pi  122 Jan 20 12:34 Gemfile
drwxr-xr-x  2 pi pi 4096 Jan 20 12:34 jobs
drwxr-xr-x  2 pi pi 4096 Jan 20 12:34 lib
drwxr-xr-x  2 pi pi 4096 Jan 20 12:34 public
-rw-r--r--  1 pi pi   65 Jan 20 12:34 README.md
drwxr-xr-x 11 pi pi 4096 Jan 20 12:34 widgets


Change your directory to my_dashboard_project and bundle gems

$ bundle

Display installed gems

$ bundle show

Step 3: Start the dashing server


$ dashing start

Point web browser location at http://localhost:3030/sample


What's next?

There are additional widgets that can be installed and new dashboards can be created. Here is an example of adding a widget from dashing.

Installing Server Status Squares widget with GIST_ID = 9588819

$ dashing stop
$ dashing install 9588819

From server status squares widget, copy the file server_status_squares.erb to the dashing dashboard directory in the project created above.

$ cp server_status_squares.erb dashboards

Point web browser location at http://localhost:3030/server_status_squares






WIP

Reference:
Dashboard on PI
Tutorial on Sinatra: Sinatra docs, Just do it, Singing with Sinatra.
Dashing: Shopify

Monday, January 18, 2016

Android Studio - Proguard Error Shows Unable to compute hash

In Android development, the standard development kit includes a tool to shrink, optimise and obfuscate the APK. This tool is known as Proguard.

Android Studio provides the option to use Proguard if it is enabled. However, some classes or files do NOT like to be optimised and obfuscated, in particular Javascript files and references to classes that do not exist in the path. Here is an example of how the error message may appear when building the signed APK on Linux and MS Windows.

Linux

Error:Execution failed for task ':app:packageMinirelease'.
> Unable to compute hash of /usr/development/BakersPercentage/app/build/intermediates/classes-proguard/minirelease/classes.jar

MS Windows

Error from proguard during build
Since the problem is a warning on GMS packages, I resolved it on Android Studio 1.4 as follows:

Step 1: Verify project works

Open the project and make sure it can build without errors. 

Step 2: Edit build.gradle (Module: app)
Copy the existing release build type and paste as a new build release named minirelease (or any name you fancy).

buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            signingConfig signingConfigs.config
        }
        minirelease {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            signingConfig signingConfigs.config
        }
    }


Step 3: Edit proguard-rules.pro

Add the following lines

 -keep class com.google.android.gms.** { *; }
 -dontwarn com.google.android.gms.**


Step 4: Build Signed APK

In Android Studio menu, choose Build-> Clean Project

Build-> Generate Signed APK...
Enter Key details and click Next.
In Build Type: choose minirelease.
Click Finish.


Done.

Friday, January 15, 2016

Android http audio streaming and MediaPlayer

The MediaPlayer class provides a player for local files and online streaming. It's a pretty flexible class and allows synchronous and asynchronous calls to suit almost every type of need.

Formats supported by Android are listed at http://developer.android.com/guide/appendix/media-formats.html

There are cases where online streams can be played on an Android emulator but not on actual Android device. This happened for Samsung Galaxy S5 with Android 5 OS.

This is what I found;


  1. There are two types of AAC streams in my list of sites. Streams using AAC-LTP AAC with SBR+PS don't work but AAC-LC is played satisfactorily.
  2. Audio in MP3 plays fine on emulator and actual Android device.


There are other APKs that managed to play the same audio streams on that S5. Probably there is another type of mediaplayer-like class to stream audio with support for AAC-LTP.

Conclusion if a MediaPlayer stream doesn't play over HTTP
  1. Try to play the stream on VLC player and see if it works. This is the verification process.
  2. Seek an alternative stream format if one doesn't work. Remember, only MP3 and AAC-LC work.
  3. Incorporate a decoder to manage the unsupported format.
  4. Consider using AudioTrack instead of MediaPlayer. This will require manual assignment of the codec and audio format.

Raspberry Pi 2 and a VGA monitor

The Raspberry Pi 2 (RPI2) model B (more details) comes with many input/output connectors, of which the display output uses HDMI type A. This HDMI is also known as Full HDMI.

Model B is the big brother of Model A+, which is much cheaper for specific implementations in an embedded project where the most minimal use of electrical power is needed.

The RPI2 can be hooked up to a decent monitor or projector using VGA connectors. All that is needed is an HDMI to VGA adapter. This adapter may come with additional functions like audio output, an additional power source or USB. Price differences are huge, but here is an example that I got online and it works just fine with the NEC AccuSync LCD52v monitor.

HDMI to VGA cable plugged to RPI2 and female VGA.


Done.


Raspbian Command Line Basics 101

A few commands to display configurations of Raspbian on a Raspberry Pi 2.

At the Raspbian terminal, users can access a whole load of information. These can be useful for troubleshooting graphics, program conflicts and networking issues.

The commands
1. Display version of the Raspbian.
$ lsb_release -a

2. Display the GPU chip version
$ vcgencmd version

3. The monitor hdmi mode
$ vcgencmd get_config hdmi_mode

4. Display current configuration
$ tvservice -s

5. Is the monitor using CEA or DMT
$ vcgencmd get_config hdmi_group

6. Display supported CEA mode for the monitor
$ tvservice -m CEA

7. Display all IP devices configured
$ ip a
Or just eth0 device
$ ip addr show dev eth0

Raspbian: Example output of basic commands