Re: Internal Logging?

2022-04-04 Thread Michael Hekeler
On 04.04.22 08:22, Eric Thomas wrote:
> I'd like to understand more about how OpenBSD logs internal events such as:
> 
> - pkg_add/delete events
> - user logins
> - X session start/stops
> etc.
> 
> Is there "one big log" where all of these types of events are stored?
> Or are they logged in specific directories depending on log type?

Such things are to be configured in `/etc/syslog.conf`.
Please see `man syslogd` and `man syslog.conf`.




Re: sysupgrade from -stable (was: error rebuilding binaries after 6.9->7.0 sysupgrade)

2022-04-04 Thread Matthew Ernisse
On Mon, Apr 04, 2022 at 08:37:57PM +0100, Steve Fairhead said:
> To put it another way, what is the recommended way of upgrading a production
> system with patches applied (so -stable)?

Historically I used the manual method to upgrade releases but have been using
sysupgrade(8) since it became The Thing.

I use pkg_add(8) -u and syspatch(8) to keep up with -stable between releases.

The FAQ is rather extensive on these topics as are the manpages.

https://www.openbsd.org/faq/upgrade70.html
https://www.openbsd.org/faq/faq10.html#Patches

--Matt



Re: How to track system changes?

2022-04-04 Thread Eric Thomas
Very valuable insights. That’s a great idea. 

The rsync script was ksh/bash or cron? Ideally I’d like to use Python to tackle
something like this but I’m not against learning shell. 


> On Apr 4, 2022, at 2:02 PM, Nick Holland wrote:
> 
> On 4/4/22 11:32 AM, Eric Thomas wrote:
>> I want to have a high degree of confidence in my system's state
>> (packages that have been added, configs that have changed, permissions
>> changed, etc). I've read about "read only filesystems" and the
>> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
>> Aside from that, is there a way to...
>> 1. ...hash the file system in some way and monitor for changes? OR
>> 2. ...somehow review changes that have taken place (a log somewhere)?
>> The goal is to concretely know whether the state of the system has
>> changed, then point to what EXACTLY has changed.
>> Anyone doing something similar?
>> Thank you
> 
> Something I came up with which worked out really well at my employer was
> a backup system that used rsync and the --link-dest option to make a useful
> rotated disk-based backup of current systems.  When they said, "We want some
> kind of file integrity monitoring system", I puzzled over all kinds of ways
> to look for altered files...but it suddenly hit me -- I HAD a list of all the
> altered files -- the output of the rsync --link-dest backup run!
> 
> Took that output, ran it through a "grep -vf exclusionlist", where
> "exclusionlist" was a list of files (in regex form) I EXPECTED change on...and
> I had a daily output of all unexpected changed files.  I called it the
> "File Alteration Reporting Tool", but my coworkers thought another name would
> be more appropriate for some reason. :D
> 
> It was really quite interesting.  Never found a real security breach (yay),
> but learned a LOT of new things about the software running on our systems,
> and to the point -- we found a few things that prompted us to go kicking trees
> to find out what someone had done that we weren't aware of.  I call that 
> success.
> 
> Yes, I'm working on re-doing it (i.e., clean slate so my (former)employer has
> no gripes (and no internal information disclosure), but if you are adept at
> scripting, it wasn't too difficult.
> 
> Nick.
> 



Re: OpenBSD benchmarks

2022-04-04 Thread infoomatic

imho benchmarking only makes sense for your scenario, so I recommend
benchmarking the ruleset you intend to use on that device.

Also: what are you benchmarking against, and what is your setup (nat,
bridge etc.)?


On 04.04.22 21:50, Nicolas Goy wrote:
> Hello,
>
> I'd like to make some 10gbit/s benchmarks for an OpenBSD based router.
>
> I was wondering if there was some "standard" pf ruleset I could use to
> have a meaningful metric.
>
> Also, I'm curious if anybody is aware of such existing benchmarks.
>
> Regards





Re: sysupgrade from -stable (was: error rebuilding binaries after 6.9->7.0 sysupgrade)

2022-04-04 Thread Stuart Henderson
On 2022/04/04 20:37, Steve Fairhead wrote:
> On 04/04/2022 13:10, owner-m...@openbsd.org wrote:
> > sysupgrade only copes with what look like release versions (no version
> > suffix, upgrades to release+0.1 with no arguments, or snapshot with -s)
> > or snapshots (-current or -beta suffix, by default -current upgrades
> > to release+0.1 or -beta upgrades to release, or snapshot with -s).
> > 
> > It doesn't handle -stable, and it doesn't handle going from the current
> > situation which is "it's still snapshots rather than release but there's
> > no suffix" to the forthcoming release.
> 
> I've now upgraded a couple of systems from 6.8 -stable, using "sysupgrade
> -r", through 6.9 and then 7.0 (rebuilding and rebooting after patches). They
> seem fine. Any gotchas with this?

Ah looking at what that does, it does look alright as a way to handle
-stable with just flags rather than patching the script.

> To put it another way, what is the recommended way of upgrading a production
> system with patches applied (so -stable)?

On an arch where syspatches are available (amd64, i386, arm64), the
method that would normally be recommended these days would be to use
syspatches rather than compiling -stable.



Re: How to track system changes?

2022-04-04 Thread Nick Holland

On 4/4/22 11:32 AM, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
>
> Aside from that, is there a way to...
>
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
>
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
>
> Anyone doing something similar?
>
> Thank you



Something I came up with which worked out really well at my employer was
a backup system that used rsync and the --link-dest option to make a useful
rotated disk-based backup of current systems.  When they said, "We want some
kind of file integrity monitoring system", I puzzled over all kinds of ways
to look for altered files...but it suddenly hit me -- I HAD a list of all the
altered files -- the output of the rsync --link-dest backup run!

Took that output, ran it through a "grep -vf exclusionlist", where
"exclusionlist" was a list of files (in regex form) I EXPECTED change on...and
I had a daily output of all unexpected changed files.  I called it the
"File Alteration Reporting Tool", but my coworkers thought another name would
be more appropriate for some reason. :D

It was really quite interesting.  Never found a real security breach (yay),
but learned a LOT of new things about the software running on our systems,
and to the point -- we found a few things that prompted us to go kicking trees
to find out what someone had done that we weren't aware of.  I call that 
success.

Yes, I'm working on re-doing it (i.e., clean slate so my (former)employer has
no gripes (and no internal information disclosure), but if you are adept at
scripting, it wasn't too difficult.

Nick.
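
The filtering step described in this message, as an added example that is not part of the original post or Nick's tool. It assumes GNU rsync `-av` style output saved to a log; the function names, paths and exclusion patterns are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Nick's script): list unexpected changes from an
# rsync --link-dest backup log. Assumes GNU rsync "-av" style output.

# changed_paths LOG: strip rsync's header and summary, leaving one path per line.
changed_paths() {
    sed -e '/^sending incremental file list$/d' \
        -e '/^sent [0-9,]* bytes/d' \
        -e '/^total size is /d' \
        -e '/^$/d' "$1"
}

# unexpected_changes LOG EXCLUSIONLIST: drop paths matching any regex in
# EXCLUSIONLIST (one per line), as in the post's "grep -vf exclusionlist".
# A missing log or list is an error (2), so it cannot pass for a clean run.
# grep exits 1 when every path was excluded; that is a clean run, not an error.
unexpected_changes() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    changed_paths "$1" | grep -v -f "$2" || [ $? -eq 1 ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
log=$work/backup.log
excl=$work/exclusionlist

# Constructed sample of one night's backup output.
cat > "$log" <<'EOF'
sending incremental file list
etc/passwd
etc/resolv.conf
usr/local/bin/helper
var/db/locate.database
var/log/authlog
var/log/messages

sent 48,213 bytes  received 172 bytes  32,256.67 bytes/sec
total size is 1,204,551,982  speedup is 24,894.12
EOF

# Constructed exclusion list: files that are expected to change daily.
cat > "$excl" <<'EOF'
^var/log/
^var/db/locate\.database$
^etc/resolv\.conf$
EOF

echo "Unexpected changes:"
unexpected_changes "$log" "$excl"
```

A blank line in the exclusion list is an empty pattern that matches every path, so it silently suppresses the whole report. Paths removed since the previous run do not appear in this output when each run writes into a fresh snapshot directory.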



OpenBSD benchmarks

2022-04-04 Thread Nicolas Goy
Hello,

I'd like to make some 10gbit/s benchmarks for an OpenBSD based router.

I was wondering if there was some "standard" pf ruleset I could use to
have a meaningful metric.

Also, I'm curious if anybody is aware of such existing benchmarks.

Regards

-- 
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



sysupgrade from -stable (was: error rebuilding binaries after 6.9->7.0 sysupgrade)

2022-04-04 Thread Steve Fairhead

On 04/04/2022 13:10, owner-m...@openbsd.org wrote:
> sysupgrade only copes with what look like release versions (no version
> suffix, upgrades to release+0.1 with no arguments, or snapshot with -s)
> or snapshots (-current or -beta suffix, by default -current upgrades
> to release+0.1 or -beta upgrades to release, or snapshot with -s).
>
> It doesn't handle -stable, and it doesn't handle going from the current
> situation which is "it's still snapshots rather than release but there's
> no suffix" to the forthcoming release.


I've now upgraded a couple of systems from 6.8 -stable, using 
"sysupgrade -r", through 6.9 and then 7.0 (rebuilding and rebooting 
after patches). They seem fine. Any gotchas with this?


To put it another way, what is the recommended way of upgrading a 
production system with patches applied (so -stable)?


Thanks,

Steve

--

--
  Steve Fairhead
fivetrees ltd - for the complete music service
   www: http://www.fivetrees.com
--



Serial console output stalls

2022-04-04 Thread Ivo van der Sangen

Hi,


I am using the vmctl application on a 7.0 stable host with a -current 
guest. The guest was busy building some port. During this build on the 
guest I started another build on the host. I was following the build of 
the guest using vmctl console. After this I noticed a couple of times 
that the console stalls somewhere in the middle of outputting a line and 
that it resumed to show output immediately after I hit a keystroke in 
the console session. This has happened a couple of times now and on 
separate days.



The system I am using is an 8 core i5. I do not know if this is known or 
expected somehow or that there is an issue with this. I hope someone can 
clarify this for me.



Kind regards,


Ivo van der Sangen



Re: How to track system changes?

2022-04-04 Thread Michael Hekeler
On 04.04.22 08:32, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
> 
> Aside from that, is there a way to...
> 
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
> 
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
>

For many years I have used rcs(1) for that on hosts I have to admin.
In OpenBSD this fine tool is in base...



Re: Internal Logging?

2022-04-04 Thread Stuart Henderson
On 2022-04-04, Eric Thomas wrote:
> I'd like to understand more about how OpenBSD logs internal events such as:
>
> - pkg_add/delete events
> - user logins
> - X session start/stops
> etc.
>
> Is there "one big log" where all of these types of events are stored?
> Or are they logged in specific directories depending on log type?
> Which log directories do you monitor?

Depends on your syslog configuration.




Re: How to track system changes?

2022-04-04 Thread Stuart Henderson
On 2022-04-04, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
>
> Aside from that, is there a way to...
>
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
>
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.

perhaps aide? (in packages)




Re: How to track system changes?

2022-04-04 Thread Martin Schröder
On Mon, 4 Apr 2022 at 17:50, Ian Darwin wrote:
> Yes, in fact, *everyone* else is. /etc/changelist lists files that are 
> monitored.
> You will get an email if they change, e.g., if a program surprisingly becomes 
> setuid.
>
> I imagine that this is documented someplace.

man security
man changelist

Best
Martin



Re: How to track system changes?

2022-04-04 Thread Ian Darwin
On Mon, Apr 04, 2022 at 08:32:01AM -0700, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
> 
> Aside from that, is there a way to...
> 
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
> 
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
> 
> Anyone doing something similar?

Yes, in fact, *everyone* else is. /etc/changelist lists files that are 
monitored.
You will get an email if they change, e.g., if a program surprisingly becomes 
setuid.

I imagine that this is documented someplace.



How to track system changes?

2022-04-04 Thread Eric Thomas
I want to have a high degree of confidence in my system's state
(packages that have been added, configs that have changed, permissions
changed, etc). I've read about "read only filesystems" and the
pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).

Aside from that, is there a way to...

1. ...hash the file system in some way and monitor for changes? OR
2. ...somehow review changes that have taken place (a log somewhere)?

The goal is to concretely know whether the state of the system has
changed, then point to what EXACTLY has changed.

Anyone doing something similar?

Thank you



Internal Logging?

2022-04-04 Thread Eric Thomas
I'd like to understand more about how OpenBSD logs internal events such as:

- pkg_add/delete events
- user logins
- X session start/stops
etc.

Is there "one big log" where all of these types of events are stored?
Or are they logged in specific directories depending on log type?
Which log directories do you monitor?

Thank you!



Re: Github/Bitbucket free alternative

2022-04-04 Thread Matthew Ernisse
On Mon, Apr 04, 2022 at 01:07:49PM +0800, Tito Mari Francis Escaño said:
> I'm trying to develop web apps on OpenBSD but Github and even Bitbucket
> seems to think that only Windows and/or Linux are the platforms so I feel
> forced to use VS Code that runs only on those systems.

git(1) works just fine on OpenBSD. 

--Matt



Re: OpenBGPd: fatal in RDE: aspath_get: Cannot allocate memory

2022-04-04 Thread Claudio Jeker
On Tue, Mar 29, 2022 at 09:53:56AM +0200, Laurent CARON wrote:
> Hi,
> 
> I'm happily running several OpenBGPd routers (Openbsd 7.0).
> 
> After having applied the following filters (to blackhole traffic from
> certain countries):
> 
> include "/etc/bgpd/deny-asn.ru.bgpd"
> include "/etc/bgpd/deny-asn.by.bgpd"
> include "/etc/bgpd/deny-asn.ua.bgpd"
> 
> 
> # head /etc/bgpd/deny-asn.ru.bgpd
> match from any AS 2148 set { localpref 250 nexthop blackhole }
> match from any AS 2585 set { localpref 250 nexthop blackhole }
> match from any AS 2587 set { localpref 250 nexthop blackhole }
> match from any AS 2599 set { localpref 250 nexthop blackhole }
> match from any AS 2766 set { localpref 250 nexthop blackhole }
> match from any AS 2848 set { localpref 250 nexthop blackhole }
> match from any AS 2854 set { localpref 250 nexthop blackhole }
> match from any AS 2875 set { localpref 250 nexthop blackhole }
> match from any AS 2878 set { localpref 250 nexthop blackhole }
> match from any AS 2895 set { localpref 250 nexthop blackhole }
> 

You should really use as-set for this:

as-set ru-set { 2148 2585 2587 ... }

And also not match any (at least I think you don't really want that to
match on ibgp sessions):

match from ebgp AS as-set ru-set set { localpref 250 nexthop blackhole }

If done right you can replace all your rules by one single one.

-- 
:wq Claudio
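
The rewrite suggested in this reply, as an added example that is not part of the thread or of OpenBGPD: a converter from the per-AS rule shape shown in the quoted `head` output to the `as-set` and `from ebgp` forms Claudio gives. The function name, the sample file and the rule with a different action are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): collapse per-AS rules into one as-set
# and one rule, using the as-set and "from ebgp" forms Claudio suggests.

# rules_to_as_set NAME FILE
#   stdout: "as-set NAME { ... }" plus a single rule using it
#   stderr: lines that are not "match from any AS <n> set { ... }" with the
#           same action as the first such rule; review those by hand
rules_to_as_set() {
    awk -v name="$1" '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    $1 == "match" && $2 == "from" && $3 == "any" && $4 == "AS" &&
    $5 ~ /^[0-9]+$/ && $6 == "set" {
        act = "set"
        for (i = 7; i <= NF; i++) act = act " " $i
        if (action == "") action = act           # first rule fixes the action
        if (act == action) {
            if (!($5 in seen)) { seen[$5] = 1; list = list " " $5 }
            next
        }
    }
    { print "unconverted: " $0 > "/dev/stderr" }
    END {
        if (list == "") exit 1                   # nothing to convert
        printf "as-set %s {%s }\n", name, list
        printf "match from ebgp AS as-set %s %s\n", name, action
    }' "$2"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
rules=$work/deny-asn.sample

# Constructed input: three rules from the thread, a duplicate, and one rule
# with a different action that must not be folded into the set.
cat > "$rules" <<'EOF'
# sample deny list
match from any AS 2148 set { localpref 250 nexthop blackhole }
match from any AS 2585 set { localpref 250 nexthop blackhole }
match from any AS 2585 set { localpref 250 nexthop blackhole }
match from any AS 2599 set { localpref 100 }
match from any AS 2587 set { localpref 250 nexthop blackhole }
EOF

rules_to_as_set ru-set "$rules"
```

Check the rewritten configuration with `bgpd -n` before loading it.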



Re: OpenBGPd: fatal in RDE: aspath_get: Cannot allocate memory

2022-04-04 Thread Claudio Jeker
On Mon, Apr 04, 2022 at 03:14:35PM +0200, Laurent CARON wrote:
> 
> On 01/04/2022 at 14:38, Claudio Jeker wrote:
> > 
> > The numbers look reasonable with maybe the exception of prefix and BGP
> > path attrs. Unless this system is pushing or pulling lots of full feeds to
> > peers I would not expect such a high number of prefixes. Also the number
> > of path attributes is high but that could again be reasonable if many
> > different full feeds are involved.
> 
> Hi Claudio,
> 
> This box is terminating 3 full IPv4 + 3 full IPv6 feeds + a few dozen IX
> sessions in addition to 5 IPv4 + 5 IPv6 iBGP connections.

3G is not enough for such a busy system. You need to increase your limit,
5GB is probably enough.
 
> > > I'm not sure why the processes gets killed at around 3GB. Feels like you
> > > hit the ulimit. See Stuart's mail about how to look into that.
> > > So looking at this output I feel like you somehow created a BGP update
> > > loop where one or more systems are constantly sending UPDATEs to each
> > > other because the moment the update is processed the route decision
> > > changes and flaps back resulting in a withdraw or update.
> 
> I sincerely think it is not related to a BGP update loop because the issue
> is only triggered when adding the following filters:
> 
> include "/etc/bgpd/deny-asn.ru.bgpd"
> include "/etc/bgpd/deny-asn.by.bgpd"
> include "/etc/bgpd/deny-asn.ua.bgpd"
> 
> for a total of 8265 rules
> 
> I'll try to dig further.

If you deny asns then please use an as-set instead of individual rules.

-- 
:wq Claudio



Re: OpenBGPd: fatal in RDE: aspath_get: Cannot allocate memory

2022-04-04 Thread Laurent CARON



On 01/04/2022 at 14:38, Claudio Jeker wrote:
> The numbers look reasonable with maybe the exception of prefix and BGP
> path attrs. Unless this system is pushing or pulling lots of full feeds to
> peers I would not expect such a high number of prefixes. Also the number
> of path attributes is high but that could again be reasonable if many
> different full feeds are involved.

Hi Claudio,

This box is terminating 3 full IPv4 + 3 full IPv6 feeds + a few dozen IX
sessions in addition to 5 IPv4 + 5 IPv6 iBGP connections.

> I'm not sure why the processes gets killed at around 3GB. Feels like you
> hit the ulimit. See Stuart's mail about how to look into that.
>
> So looking at this output I feel like you somehow created a BGP update
> loop where one or more systems are constantly sending UPDATEs to each
> other because the moment the update is processed the route decision
> changes and flaps back resulting in a withdraw or update.


I sincerely think it is not related to a BGP update loop because the 
issue is only triggered when adding the following filters:


include "/etc/bgpd/deny-asn.ru.bgpd"
include "/etc/bgpd/deny-asn.by.bgpd"
include "/etc/bgpd/deny-asn.ua.bgpd"

for a total of 8265 rules

I'll try to dig further.


Thanks



Re: OpenBGPd: fatal in RDE: aspath_get: Cannot allocate memory

2022-04-04 Thread Laurent CARON



On 29/03/2022 at 14:50, Stuart Henderson wrote:
> Also: check the values for bgpd's login class (as root, "su -c bgpd -"
> then "ulimit -a"), and are you starting bgpd from the rc-script or by hand?




Hi Stuart,

# ulimit -a
time(cpu-seconds)    unlimited
file(blocks) unlimited
coredump(blocks) unlimited
data(kbytes) 33554432
stack(kbytes)    8192
lockedmem(kbytes)    21502949
memory(kbytes)   64498548
nofiles(descriptors) 512
processes    1310


I'm starting bgpd through "rcctl start bgpd"


Thanks

Laurent



Re: vxlan(4) in endpoint mode

2022-04-04 Thread Denis Fondras
On Mon, Apr 04, 2022 at 08:23:35PM +1000, David Gwynne wrote:
> 
> 
> > On 3 Apr 2022, at 21:46, Denis Fondras wrote:
> > 
> > Hi,
> > 
> > In vxlan(4) manual, we have :
> > 
> > endpoint mode
> > When configured without a tunnel destination address, vxlan operates as
> > a bridge, but with learning disabled.
> > 
> > 
> > The question is : is it possible to set tunnel source address without a
> > destination ?
> 
> ifconfig vxlan0 tunneladdr 10.20.30.1
> 
> that should work.

Thank you David. I will prepare a patch to the manual :)



Re: vxlan(4) in endpoint mode

2022-04-04 Thread David Gwynne



> On 3 Apr 2022, at 21:46, Denis Fondras wrote:
> 
> Hi,
> 
> In vxlan(4) manual, we have :
> 
> endpoint mode
>   When configured without a tunnel destination address, vxlan operates as
>   a bridge, but with learning disabled.
> 
> 
> The question is : is it possible to set tunnel source address without a
> destination ?

ifconfig vxlan0 tunneladdr 10.20.30.1

that should work.



Re: openbsd, softraid recovery (I have password)

2022-04-04 Thread Stuart Henderson
On 2022-04-03, Nick Holland wrote:
> If you are going to find your data, you need to recreate the disklabel
> partitions exactly as they were on the encrypted FFS from OpenBSD.
> scan_ffs(8) may help.

OpenBSD's scan_ffs only supports FFS1, the OS defaults to FFS2.




Re: OpenBSD as primary OS

2022-04-04 Thread Michael Hekeler
On 11.09.16 12:45, jean-francois wrote:
> Hi,
> 
> 
> I'm moving to OpenBSD for primary use, I'll have to keep a Windows OS for
> some specific purposes also.
> 
> Just thanks for the development of OpenBSD, it's very easy to use since
> logical and well documented, I've been enjoying it for the past years for
> what it deserved to do.
> 
> Also looked at the softraid development, just few words to thank the
> development of the OS and softwares.

Github didn't force you to use windows. Github offers just a hosted
version control using git(1).
You didn't even have to register an account at github if you want to use
git.
If you like to use git for version control then you can install it
with `pkg_add git` on openbsd and if you like to have a colorful and
clickable frontend then you are not forced to use this windows app from
github's homepage - there are many of them available for different
platforms.



Re: openbsd, softraid recovery (I have password)

2022-04-04 Thread Michael Hekeler
On 02.04.22 18:56, harold wrote:
> Hello,
> 
> Today I take a little breath to try to get some help about a little problem
> I have since weeks.
> I lost data due to misunderstanding of formatting rdsc1 softraid partition
> on openbsd.
> 
> I tell you my little story in  the attached document, because I lost data
> and would really like to recover it..
>
> could you help me please?

From my experience with this list I am sure you can get help on such
topic if you respect https://www.openbsd.org/mail.html