Puppet : Automate/Reset first time root password for MySQL 5.7.x

Hello,

This article will help you reset the first-time root password for MySQL 5.7.x with Puppet.

I was looking for some custom Puppet code/module to automate the first root password for MySQL 5.7.x. I didn’t find proper Puppet code to get through, so I decided to try and run my own code with Puppet.


Pre-requisites :-

1. MySQL 5.7.x version should be installed before running this manifest/module.

Following are the steps to create Puppet module to reset first time password for MySQL 5.7.x

1. Make Puppet Module directory mysql

mkdir /etc/puppetlabs/code/environments/production/modules/

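2. Create the manifests directory. The module directory is named after the class in init.pp (mysql57pwreset) so that Puppet can autoload it.

mkdir -p /etc/puppetlabs/code/environments/production/modules/mysql57pwreset/manifests

3. Now create init.pp in that directory and put the following code in the file.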

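class mysql57pwreset (
  $mysql_password = 'MySQL@99#'  # Set a password of your choice within single quotes
) {

  # mysqld must be running (and must have written its temporary password to the log)
  service { 'mysqld':
    ensure => running,
    enable => true,
  }

  # One-line shell script: read the last temporary password from mysqld.log
  # and use it to log in and set the new root password
  $mysqlpwstring = "MYPW=$(grep 'temporary password' /var/log/mysqld.log | awk '{print \$NF}' | tail -n1) && mysql -uroot -p\${MYPW} --connect-expired-password -e \"ALTER USER 'root'@'localhost' IDENTIFIED BY '${mysql_password}' PASSWORD EXPIRE NEVER;\""

  # The script contains the new root password in plain text, so it is root-only
  file { '/tmp/mysql-pw.sh':
    content => $mysqlpwstring,
    mode    => '0700',
    owner   => 'root',
    group   => 'root',
  }

  # Runs only while the new password is not yet accepted by the server
  exec { 'set-mysql-pw':
    path      => [ '/bin', '/usr/bin', '/usr/local/bin', '/usr/sbin' ],
    unless    => "mysqladmin -uroot -p${mysql_password} status",
    require   => [ Service['mysqld'], File['/tmp/mysql-pw.sh'] ],
    command   => 'sh /tmp/mysql-pw.sh',
    logoutput => on_failure,
  }

}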

4. Include the mysql57pwreset module in /etc/puppetlabs/code/environments/production/manifests/site.pp

5. That’s it. Now you can execute puppet agent -t on the Puppet agent node; it will reset the MySQL 5.7.x root password.
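The one-line script in the manifest passes the temporary password with -p and the new one inside -e, so both appear on the mysql command line, and the new one also stays in /tmp/mysql-pw.sh. The following is an added example, not the author's code, of the same two steps (read the temporary password from mysqld.log, run ALTER USER) with the credentials kept in a 0600 option file and on stdin instead. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: the manifest's reset steps without passwords in argv.

# Print the most recent temporary root password found in a mysqld.log ($1).
extract_temp_password() {
    sed -n 's/.*A temporary password is generated for root@localhost: //p' "$1" | tail -n 1
}

# Write a client option file holding password $1 and print its path.
# mktemp creates the file with mode 0600. The value is double-quoted because an
# unquoted '#' starts a comment in a MySQL option file; backslashes are doubled.
# Assumption: the password contains no double quote.
write_client_cnf() {
    cnf=$(mktemp) || return 1
    esc=$(printf '%s\n' "$1" | sed 's/\\/\\\\/g')
    printf '[client]\nuser=root\npassword="%s"\n' "$esc" > "$cnf"
    echo "$cnf"
}

# Reset the root password: $1 = mysqld.log, $2 = new password.
reset_root_password() {
    tmp_pw=$(extract_temp_password "$1")
    [ -n "$tmp_pw" ] || { echo "no temporary password found in $1" >&2; return 1; }
    cnf=$(write_client_cnf "$tmp_pw") || return 1
    # Escape the new password for a single-quoted SQL string literal
    new_sql=$(printf '%s\n' "$2" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    # --defaults-extra-file has to be the first option; the SQL arrives on stdin
    mysql --defaults-extra-file="$cnf" --connect-expired-password <<SQL
ALTER USER 'root'@'localhost' IDENTIFIED BY '$new_sql' PASSWORD EXPIRE NEVER;
SQL
    rc=$?
    rm -f "$cnf"
    return "$rc"
}

# --- constructed sample log: two initialisations, only the last password is valid ---
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-03-01T10:15:32.101010Z 1 [Note] A temporary password is generated for root@localhost: oldPw#1xYz,Aa
2017-03-01T10:15:40.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.
2017-03-02T08:00:01.202020Z 1 [Note] A temporary password is generated for root@localhost: n3w#Pw)9qRs+
EOF

printf 'temporary password in sample log: %s\n' "$(extract_temp_password "$SAMPLE_LOG")"
# On a real host: reset_root_password /var/log/mysqld.log 'NewPassword'
```
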


Change Time Zone from Command line | CentOS | RHEL | Ubuntu | Fedora

Hello,

As you all know, it is very easy to change the time zone using the graphical interface, but this article will help you change the time zone using the command line.


I have tested these steps on CentOS / RHEL and Ubuntu. Please comment down below if they don’t work for you.

Please follow these steps as root or with root equivalent sudo rights:

  • Check Time Zone using following command
    [root@tejas-barot-linux-ahmedabad ~]# date
  • First Remove symbolic link of current time zone
     [root@tejas-barot-linux-ahmedabad ~]# rm /etc/localtime
     
  • Let’s Change the Time Zone from Command line
    [root@tejas-barot-linux-ahmedabad ~]# ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
     

Note : You can find your time zone under /usr/share/zoneinfo/

Disable rate-limiting in rsyslog v5 | Linux | RHEL | CentOS | Ubuntu

Hello,

First of all, extremely sorry for not being active as I was busy with some work. Now back to blogging.

This article will show you how to disable rsyslog rate-limiting, but you can also use rate-limiting according to your requirements.

How to use rate limiting in rsyslog?

This article is tested with rsyslog 5.7.1 on Fedora 13. It will not work with versions of rsyslog prior to 5.7.1.

In rsyslog 5.7.1 we introduced rate limiting. This is an option for the Unix Socket Input module called imuxsock. In short, this option limits the amount of messages written into logfiles by a process, if the process tries to write huge amounts of messages in a short period of time.

To Read more Visit : http://www.rsyslog.com/tag/rate-limiting/


If you are receiving error messages like below in /var/log/messages

imuxsock begins to drop messages from pid 5923 due to rate-limiting 

Please follow the method below to stop / disable rate-limiting in rsyslog version 5.

Note: rsyslog version 7 has this disabled by default but rsyslog version 5 has this enabled.

To disable it, add the following parameters to your /etc/rsyslog.conf. You need to do this as the root user or a root-equivalent user.

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

Execute following command to restart rsyslog services

service rsyslog restart

HowTo: Install MySQL Workbench on RHEL 5.x / CentOS 5.x | x86_64

Hello

What is MySQL Workbench ?

MySQL Workbench is a unified visual tool for database architects, developers, and DBAs. MySQL Workbench provides data modeling, SQL development, and comprehensive administration tools for server configuration, user administration, backup, and much more. MySQL Workbench is available on Windows, Linux and Mac OS X.


I am sharing this article to help you install MySQL Workbench on RHEL 5.4 / CentOS 5.4 x86_64 (64-Bit).

Please follow the steps below to install MySQL Workbench on RHEL 5.x / CentOS 6.x 64 Bit version.

1. You need to be root to install RPMs.

2. Download MySQL-Workbench RPM from below link,

[root@tejasbarot ~]# wget ftp://ftp.pbone.net/mirror/dev.mysql.com/pub/Downloads/MySQLGUITools/mysql-workbench-oss-5.2.17-1centos.el5.x86_64.rpm

3. Download dependencies from below link:

[root@tejasbarot ~]#  wget http://tejasbarot.com/RPMs/downloads/mysql-workbench.tar.gz
[root@tejasbarot ~]# tar zxvf mysql-workbench.tar.gz
[root@tejasbarot ~]# cd mysql-workbench
[root@tejasbarot mysql-workbench]# rpm -Uvh *.rpm

4. The next step is to install the MySQL-Workbench RPM downloaded in step 2.

[root@tejasbarot ~]# yum -y localinstall mysql-workbench-oss-5.2.17-1centos.el5.x86_64.rpm --nogpgcheck

5. That’s it. Now wait for the dependencies to be installed and MySQL Workbench will be ready for you.

Hope this will be helpful to you all.


Linux: The GHOST Vulnerability | RHEL | CentOS

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.

 

Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. As a result of that, we are releasing this advisory today as a co-ordinated effort, and patches for all distributions are available January 27, 2015.

 

What is glibc?

The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.

 

What is the vulnerability?

During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

 


 

 

What is the risk?

There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

 

Is the risk real?

During our testing, we developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine. This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems.

 

What can be done to mitigate the risk?

The best way to mitigate the risk is to apply a patch from your Linux vendor. Qualys has worked closely with Linux distribution vendors and patches are available as of today January 27, 2015.

 

Why is it called the GHOST vulnerability?

It is called the GHOST vulnerability as it can be triggered by the GetHOST functions.

 

Is this a design flaw?

No. This is an implementation problem in the affected versions of the software.

 

What versions and operating systems are affected?

The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

 

Where can I download the exploit?

We want to give everyone enough time to patch. According to our data once the vulnerability has reached its half-life we will release the exploit. Half-life is the time interval measuring a reduction of a vulnerability’s occurrence by half. Over time, this metric shows how successful efforts have been to eradicate vulnerability. A shorter half-life indicates faster remediation. Half-life was originally coined by Qualys in the Laws of Vulnerability.

 

Qualys customers can detect GHOST by scanning with the Qualys Vulnerability Management (VM) cloud solution as QID 123191. This means that Qualys customers can get reports detailing their enterprise-wide exposure during their next scanning cycle, which allows them to get visibility into the impact within their organization and efficiently track the remediation progress of this serious vulnerability.

 

References:

Qualys Advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html

Ubuntu: https://launchpad.net/ubuntu/+source/eglibc

Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235

Oracle Enterprise Linux: https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html

CentOS: http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html

OpenSUSE: http://lists.opensuse.org/opensuse-updates/2015-01/msg00085.html

GNU C Library: http://www.gnu.org/software/libc/

Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

Link to Original Article : https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

Hope this will be helpful to you all.


ShellShock Bug: Check / Identify / Solve Vulnerability

Hello,

Patch your bash now! Just heard that your shell / bash may be vulnerable or buggy.

This post will help you to check whether your Shell / bash of Red Hat Enterprise Linux is vulnerable / Bug infected or not.

How does this impact systems

This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

All versions prior to those listed as updates for this issue are vulnerable to some degree.

See the appropriate remediation article for specifics.

The patch for CVE-2014-7169 introduces changes to how Bash evaluates environment variables. Applications which directly create Bash functions as environment variables need to be made aware of these changes. Previously, a function had to be stored in an environment variable of the same name. For example, the function “compute” would be stored in an environment variable named “compute”. With the patch for CVE-2014-7169 applied, it would need to use the name “BASH_FUNC_compute()”. As a result, there are now two pairs of parentheses in the environment string, as in “BASH_FUNC_compute()=() { }”.

Functions written in Bash itself do not need to be changed, even if they are exported with “export -f”. Bash will transparently apply the appropriate naming when exporting, and reverse the process when importing function definitions.

 


Execute following command to check whether your bash / shell is bug infected or vulnerable!

So, how do you know if your servers can be attacked? First, you need to check to see if you’re running a vulnerable version of Bash. To do that, run the following command from a Bash shell:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the result:

vulnerable
this is a test

Bad news, your version of Bash can be hacked. If you see:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

You’re good. Well, to be more exact, you’re as protected as you can be at the moment.

OR

To test if your version of Bash is vulnerable to CVE-2014-6271, run the following command:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If the output of the above command contains a line containing only the word vulnerable you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function.

Note that different Bash versions will also print different warnings while executing the above command. The Bash versions without any fix produce the following output:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

The versions with only the original CVE-2014-6271 fix applied produce the following output:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test
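The outcomes listed above can be told apart mechanically, which helps when the check has to run on many hosts. This is an added example, not part of the original post or of Red Hat's article; the function names and result labels are assumptions, and the two sample outputs are the listings shown above.

```shell
#!/bin/sh
# Added example: classify the output of the two-variable test command above.

# Run the test from this page against a bash binary (default: bash in PATH).
run_shellshock_test() {
    env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' \
        "${1:-bash}" -c 'echo test' 2>&1
}

# Read that output on stdin and print one of:
#   unpatched               a line consisting only of "vulnerable" (trailing code ran)
#   cve-2014-6271-fix-only  no code ran, but bash still tried to import x as a function
#   not-detected            neither marker is present
classify_shellshock() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo unpatched
    elif printf '%s\n' "$out" | grep -qF "error importing function definition for \`x'"; then
        echo cve-2014-6271-fix-only
    else
        echo not-detected
    fi
}

# --- sample outputs, taken from the two listings above ---
sample_unpatched() {
cat <<'EOF'
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
EOF
}

sample_6271_only() {
cat <<'EOF'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test
EOF
}

printf 'sample (no fix):        %s\n' "$(sample_unpatched | classify_shellshock)"
printf 'sample (6271 fix only): %s\n' "$(sample_6271_only | classify_shellshock)"
printf 'local bash:             %s\n' "$(run_shellshock_test | classify_shellshock)"
```
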

Read more :- https://access.redhat.com/articles/1200223

Products Affected:

Product/Channel             | Fixed in package                | Remediation details
Red Hat Enterprise Linux 7  | bash-4.2.45-5.el7_0.4           | Red Hat Enterprise Linux
Red Hat Enterprise Linux 6  | bash-4.1.2-15.el6_5.2           | Red Hat Enterprise Linux
                            | bash-4.1.2-15.el6_5.1.sjis.1 *  | Red Hat Enterprise Linux
                            | bash-4.1.2-9.el6_2.1 *          | Red Hat Enterprise Linux 6.2 AUS
                            | bash-4.1.2-15.el6_4.1 *         | Red Hat Enterprise Linux 6.4 EUS
Red Hat Enterprise Linux 5  | bash-3.2-33.el5_11.4            | Red Hat Enterprise Linux
                            | bash-3.2-33.el5_11.1.sjis.1 *   | Red Hat Enterprise Linux
                            | bash-3.2-24.el5_6.1 *           | Red Hat Enterprise Linux 5.6 LL
                            | bash-3.2-32.el5_9.2 *           | Red Hat Enterprise Linux 5.9 EUS
Red Hat Enterprise Linux 4  | bash-3.0-27.el4.2 *             | Red Hat Enterprise Linux 4 ELS

If you are using any other version of Linux, check and patch it now before it’s too late!!

References taken from :

https://access.redhat.com/announcements/1210053
https://access.redhat.com/security/cve/CVE-2014-6271
Resolution: https://access.redhat.com/node/1207723

Be Safe 🙂 Be Secure 🙂 Enjoy Linux 🙂 Enjoy Open Source


MySQL: Drop all tables from Database using Script / Linux

Hello,

A few days back, I got a task: keep the database as it is, so that we do not have to add database users, privileges and everything again and again, and just drop all the tables inside the database. If there are only a few tables, like 5 or 10, then it is easy to do it manually, but what if you have 100s or 1000s of tables inside the database?

I was in the same situation: there were more than 500 tables and I needed to drop them quickly as it was a production server. I managed to do it easily by using a few command-line parameters and a loop. After that I created a script for the same, which helps me drop those tables very easily. You don’t have to worry about each and every table; it will keep the database as it is but will drop all the tables from the selected database.

I am sharing that script and the steps to use it. I would request you to test on a non-production environment first. Wherever you execute this script, it is totally at your own risk.


 

SUGGESTION: Take a Backup of your database / tables / MySQL Before executing Script, So if anything goes wrong you can also recover.

Steps to execute script :-

1. Download Script

tejas-barot@linux-ahmedabad:~$ wget tejasbarot.com/Scripts/dropall_mysql_tables.sh

2. Give executable permissions

tejas-barot@linux-ahmedabad:~$ chmod +x dropall_mysql_tables.sh

3. Now Let’s execute Script

tejas-barot@linux-ahmedabad:~$ ./dropall_mysql_tables.sh

4. Provide name of the MySQL database from which you want to drop all the tables.

Enter Database name:                <—- Provide Database name here
Enter MySQL root Password:          <—- Provide root password of MySQL Here

5. The script will take a full database backup into /tmp, but I would request that you don’t depend on this; take a backup before executing the script.

6. That’s it. Wait a few minutes and it will drop all the tables from the MySQL database.

Enjoy MySQL 🙂 Enjoy Linux 🙂 Enjoy Open Source 🙂


RHEL 7 / CentOS 7 / Grub2 : Protect Single User Mode / Rescue / Emergency with Password

Hello All,

As we all know, Red Hat Enterprise Linux 7 and CentOS 7 are out now. Recently I posted how to enter Single User Mode / Rescue / Emergency Mode on RHEL 7 / CentOS 7.

This post shows how to secure Single User Mode / Rescue Mode / Emergency Mode on RHEL 7 / CentOS 7 in Grub2. By following this article you will be able to protect Grub2 edits with a username and password. It is always a good idea to protect your Grub2.

In this how-to, we will protect Grub2 with an encrypted password and with a plain password.

To follow this how-to, make sure you have the root password to make changes in Grub2. Please follow the instructions exactly and read the notes.

Do this at your own risk. You alone will be responsible if anything goes wrong 🙂

 


 

Protect Grub2 with Plain Password Method

1. Login as a root user or user with rights to edit grub2 configuration file (sudo).

[tejas-barot@rhel-centos7-tejas-barot-linux ~]$ su -

2. Make a backup of existing grub.cfg and default /etc/grub.d/10_linux so if anything goes wrong we can always restore it.

[root@rhel-centos7-tejas-barot-linux ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.orig
[root@rhel-centos7-tejas-barot-linux ~]# cp /etc/grub.d/10_linux /etc/grub.d/10_linux.orig

3. Now, Adding Entries to protect Grub2 with username and password:

Note1: Replace the username and password in the lines below and add them at the end of the file /etc/grub.d/10_linux

Note2: Make sure you don’t insert the following entries multiple times.

[root@rhel-centos7-tejas-barot-linux ~]# vi /etc/grub.d/10_linux
cat << EOF
set superusers="tejasbarot"
password tejasbarot alub@123
EOF

4. Now let us Generate New grub.cfg, Execute following command.

[root@rhel-centos7-tejas-barot-linux ~]# grub2-mkconfig --output=/tmp/grub2.cfg

5. Now replace the existing grub.cfg with the newly generated /tmp/grub2.cfg

[root@rhel-centos7-tejas-barot-linux ~]# mv /boot/grub2/grub.cfg /boot/grub2/grub.cfg.move
[root@rhel-centos7-tejas-barot-linux ~]# mv /tmp/grub2.cfg /boot/grub2/grub.cfg

6. That’s It, Now You can reboot and Press “e” on Grub Menu, It will ask you for the password.

Protect Grub2 with Password Encrypted Method

1. Login as a root user or user with rights to edit grub2 configuration file (sudo).

[tejas-barot@rhel-centos7-tejas-barot-linux ~]$ su -

2. Make a backup of existing grub.cfg and default /etc/grub.d/10_linux so if anything goes wrong we can always restore it.

[root@rhel-centos7-tejas-barot-linux ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.orig
[root@rhel-centos7-tejas-barot-linux ~]# cp /etc/grub.d/10_linux /etc/grub.d/10_linux.orig

3. Let’s generate an encrypted password with “grub2-mkpasswd-pbkdf2”. Once you execute the command below it will ask you for the password; enter the password twice. It will generate a password string which you need to add to the 10_linux file. (The string shown here is shortened; you will have to paste the complete string.)

[root@rhel-centos7-tejas-barot-linux ~]# grub2-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F1C4CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45

4. Now, Adding Entries to protect Grub2 with username and password:

Note1: Replace the username and password in the lines below and add them at the end of the file /etc/grub.d/10_linux

Note2: Make sure you don’t insert the following entries multiple times.

Note3: Here I have added a short string as an example; you will have to add the full string to make it work.

[root@rhel-centos7-tejas-barot-linux ~]# vi /etc/grub.d/10_linux
cat << EOF
set superusers="tejasbarot"
password_pbkdf2 tejasbarot grub.pbkdf2.sha512.10000.F1C4CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
EOF

5. Now let us Generate New grub.cfg, Execute following command.

[root@rhel-centos7-tejas-barot-linux ~]# grub2-mkconfig --output=/tmp/grub2.cfg

6. Now replace the existing grub.cfg with the newly generated /tmp/grub2.cfg

[root@rhel-centos7-tejas-barot-linux ~]# mv /boot/grub2/grub.cfg /boot/grub2/grub.cfg.move
[root@rhel-centos7-tejas-barot-linux ~]# mv /tmp/grub2.cfg /boot/grub2/grub.cfg

7. That’s It, Now You can reboot and Press “e” on Grub Menu, It will ask you for the password.
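Before rebooting, the generated file can be checked for which of the two methods actually ended up in it. The following is an added example, not part of the original how-to: it reports whether a grub.cfg sets superusers, whether the password is stored in plain text or as a PBKDF2 hash, whether the two directives were pasted onto one line instead of one per line, and whether the file is readable by other users. The function names, result labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the password setup described above.

# Prints: unprotected | joined-on-one-line | plaintext | pbkdf2 | superuser-without-password
grub_password_status() {
    cfg=$1
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo unprotected
    # "set superusers=..." and "password ..." are separate commands, one per line
    elif grep -Eq '^[[:space:]]*set[[:space:]]+superusers="[^"]*"[[:space:]]+password' "$cfg"; then
        echo joined-on-one-line
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo plaintext
    elif grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg"; then
        echo pbkdf2
    else
        echo superuser-without-password
    fi
}

# True when "other" users can read the file (and with it any plaintext password)
grub_cfg_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# --- constructed sample files (user name, password and hash are placeholders) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/plain.cfg" <<'EOF'
set superusers="admin"
password admin CONSTRUCTED-PLAINTEXT
menuentry 'Sample Linux' { linux /vmlinuz }
EOF
chmod 644 "$SAMPLE_DIR/plain.cfg"

cat > "$SAMPLE_DIR/pbkdf2.cfg" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTED-PLACEHOLDER
EOF
chmod 600 "$SAMPLE_DIR/pbkdf2.cfg"

printf 'set superusers="admin" password admin CONSTRUCTED-PLAINTEXT\n' > "$SAMPLE_DIR/joined.cfg"

for f in plain pbkdf2 joined; do
    status=$(grub_password_status "$SAMPLE_DIR/$f.cfg")
    if grub_cfg_world_readable "$SAMPLE_DIR/$f.cfg"; then readable=yes; else readable=no; fi
    printf '%-8s status=%s world-readable=%s\n' "$f" "$status" "$readable"
done
# On a real host: grub_password_status /boot/grub2/grub.cfg
```
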

Enjoy Protected Grub2 🙂 Enjoy CentOS 7 🙂 Enjoy RHEL 7 🙂 Enjoy Linux 🙂 Enjoy Open Source 🙂
