Posted by

Posted on

January 16, 2015

Posted under

Comments

Ubuntu Patch Management with Tanium

I have more than a dozen Ubuntu servers that perform various jobs. Some of these systems are considered “production” and keeping the installed packages up to date is extremely important. For this article I want to discuss how I am upgrading the installed packages on these systems using the Apt-Get utility and the Tanium platform.

I have built a collection of content that was published on the Tanium Community website. This solution includes multiple sensors, packages and other types of content called Ubuntu Package Management.

Download and Import Content

Visit https://community.tanium.com/repo/solution/192 and click the “Download” button after logging into the Tanium Community website.

Log into your development infrastructures Tanium Console, then browse to Authoring->Import Content, select the downloaded XML file to complete the import process. It is safe to overwrite any existing sensors as the only one I am using that is not original content is the Operating System sensor.

Dashboard Tour

Now we move onto actually using this content and keeping the packages on your Ubuntu systems updated. On the “Home” tab of your Tanium Console, you’ll find a new dashboard link appear under the “Other Dashboards” block.

A few saved questions will appear… the left pane shows all packages within your environment that have available updates. The right pane will list all of the Ubuntu computers you have within your environment.

Available Actions

There are currently two available packages/actions included with the solution pack. The first is accessible by right clicking on one or more of your Ubuntu systems in the right pane and the default action is Reboot Ubuntu Machine.

The second action is closely tied to the Ubuntu Available Patches sensor as it takes the selected result of that sensor to launch the action. Thus in the left pane, right click on one of the packages and Upgrade Available Ubuntu Package.

There are other handy actions you can take. Right clicking on one of the computers, you can drill down into the Ubuntu Available Patches and a list of packages for that one system will appear…Then you can deploy or upgrade a single package from there. Further right clicking on the computer provides you with the ability to Upgrade All Ubuntu Packages, if that is preferable.

Setting up Scheduled Actions

The Tanium Community site does not allow for the sharing of Saved Actions on purpose. Thus these must be setup manually. The first one I’d like to setup is to download the available package updates definitions on a daily basis. Since most of my systems are online 24×7, having this action run at least once a day is perfect. To accomplish this, ask the following Tanium question:

Get Is Ubuntu from all machines

It uses the Is Ubuntu sensor which returns one of two answers for your entire infrastructure… True or False. Right click on the True and deploy the Update Ubuntu Package Definitions package.

I would like this action to occur daily on all of my Ubuntu computers… thus I will be setting up a scheduled action. I have decided to have the action run between 4am and 5am daily so when I start working and want to check my package status, I have the latest data.

Please note that the Action Group is “Ubuntu”. This is because I have setup an action group that only includes my Ubuntu systems that I’ve targeted with my “Ubuntu Computers” computer group.

Conclusion

Using the Tanium platform to manage your enterprise is extremely easy. With a little bit of work and understanding you can put together a solution to accomplish nearly anything you want.

Posted by

DanielHeth

Posted on

December 30, 2014

Posted under

Installation, Software, Tanium, Technology

Comments

Leave a comment

Tanium Client Deployment Tool

I have recently stood up a half-dozen virtual servers in a new home lab I am building to compliment my home office. This means I want to get the Tanium Client installed onto these endpoints. Rather than do it manually, I’m choosing to use the Tanium Client Deployment Tool and install them remotely from my windows workstation. At the time of this writing v5.0.0.6 was the latest and has a few essential features required for installing the agent onto my new non-windows systems.

Installing the Tool

Installation of the Client Deployment Tool is relatively straightforward. Launch the installer and click “Install”. Assuming the default installation directory is acceptable.

Initial Tool Setup

Once you launch the tool there are a few things that need to happen. The first is the tool itself will prompt you to download the very latest agents for the various OS platform Tanium supports. Allow that to happen…

Next we will need to point the tool at our server infrastructure in two ways… First by pointing the utility at our tanium.pub file. This file can be found in the Tanium Server root folder on the server. Second we’ll need to specify the hostname or IP address of the server we will be pointing endpoints at. This second value could be the hostname or IP address of a zone server or even an alias that functions differently inside and outside your network. Lastly if you chose to use a port number other than the default 17472, you’ll need to specify that now.

Install the Agent

For this article we will deploy the Tanium Agent to one of my new Ubuntu 14.04 LTS virtual servers. My user account on that box has sudo permissions and that is required in order to install new software.

Next we will specify a single endpoint to deploy too. To do that we change the lower-left tabs to “Computer List” and type in the hostname of the targeted endpoint. Then change the very bottom left dropdown to “Linux_Mac_Only” to avoid unnecessary timeouts by trying a windows connection and hit the “Analyze” button.

If all works well our tool will report back “Client not installed”. Select that row and click “Install”.

All done… The client deployment was successful. To validate, we can simply log into the Tanium Console and check Administration->System Status to see our new endpoint listed and reporting in.

In Conclusion

The Client Deployment Tool is a great utility for getting the Tanium Agent installed on your endpoints fast.

Posted by

DanielHeth

Posted on

July 15, 2014

Posted under

Configuration, Installation, Software

Comments

Leave a comment

Creating OpenVPN Server and Setting up OpenVPN Clients

I recently setup a remote office that houses my huge Virtual Host machine and wanted private/encrypted access to that network from where ever I am. Thus I turned to OpenVPN as a solution after a little bit of research (see this BestVPN Article). This article covers the basics of setting up an OpenVPN server on a Ubuntu server sitting behind a NAT firewall.

Let’s start on the Ubuntu Server…
Enter root first…

$ sudo su

Setup OpenVPN Server

Starting with a Ubuntu computer you’d like to make the OpenVPN Server… Install OpenVPN and Easy-RSA

$ apt-get install openvpn easy-rsa -y

Certificates

The first thing to know about OpenVPN is we’ll be setting things up to use certificates. It is the most secure method and requires you to manually distribute the client certificates and configuration files. The method you choose determines the security. Most secure is to hand deliver the certs on an encrypted thumb drive.

Certificate Authority

To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients first copy the easy-rsa directory to /etc/openvpn.

$ mkdir /etc/openvpn/easy-rsa
$ cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ vi /etc/openvpn/easy-rsa/vars

And, change the values that matches with your country, state, city, mail id etc.
…
export KEY_COUNTRY=”CountryCode”
export KEY_PROVINCE=”MyStateOrProvince”
export KEY_CITY=”MyCity”
export KEY_ORG=”Organization Name”
export KEY_EMAIL=”vpn@example.com”
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN
…

Enter the following to generate the master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ cp openssl-1.0.0.cnf openssl.cnf
$ source vars
$ ./clean-all

Run the following command to generate CA certificate and CA key:

$ ./build-ca

Server Certificates

Next, we will generate a certificate and private key for the server:

$ ./build-key-server server

Client Certificates

Each client will need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal while being user root:

$ ./build-key client

Generate Diffie Hellman Parameter

This is a unique key used for our VPN Server, Enter the following command to generate DH parameter.

$ ./build-dh
Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the above files to /etc/openvpn/ directory.

$ cd /etc/openvpn/easy-rsa/keys/
$ cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

Client Configuration File

We need to copy and edit the client configuration file.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn

Edit file client.ovpn,
$ vi /home/client.ovpn

Set the VPN server host name/IP address:

remote [public ip or hostname of your vpn server] 1194

Distributing Client Certificates

You must copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.

ca.crt
client.crt
client.key
client.ovpn

You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone gets ahold of your keys, they can easily intrude and get full access to your virtual private network.

Configuring VPN Server

Copy the file server.conf.gz file to /etc/openvpn/ directory.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:
$ gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,
$ vi /etc/openvpn/server.conf

Find and uncomment the following lines to route client systems traffic through OpenVPN server.

[…]
push “redirect-gateway def1 bypass-dhcp”
[…]

Also, Uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google public DNS servers.

[…]
push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”
[…]

Uncomment the following lines:

[…]
user nobody
group nogroup
[…]

Save and close the file.

IP forwarding and routing Configuration

Edit sysctl.conf file,
$ vi /etc/sysctl.conf

Find the following line and set value “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
$ sysctl -p

Enter the following command to enable IP forwarding:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN Server

Finally, start openvpn service and make it to start automatically on every reboot using the following commands:
$ service openvpn start

Verify if VPN interface(tun0) is created using ifconfig command:
$ ifconfig

Network Router Configuration

We need to do two things on your router and how you do them greatly depends on your router. I’m assuming you have a hardware router hooked up to your DSL, Cable or other type of internet connection and you’re setting up a Ubuntu VPN server on the internal network and want to access other computers on that internal network once your remote clients have authenticated into the VPN tunnel.

1. Your VPN server should have an internal static IP address… We need to tell your router to route all 10.8.0.0 traffic to your VPN server so when your VPN clients connect they can communicate with your internal network.

2. Open external port 1194 tcp and udp and point it at your VPN server’s internal static IP address.

Clients

Now we have the files needed to put on your clients, your server is all setup, and your router is configured correctly… it’s time to look at setting up clients. I created a client certificate for each of my three workstations… each running a different OS: Mac OS X, Ubuntu 14.04, and Windows 7. I want to validate and connect into my VPN remote network from all three systems… but configuring their client is slightly different on each. Below I go into details on setting each one up.

Ubuntu Client

I’ll assume you are using this system as a Ubuntu workstation/laptop and have a graphical interface… thus want to use Network Manager to connect in. First we’ll need to install two items:
$ sudo apt-get install openvpn network-manager-openvpn

Navigate…
System Settings->Network->+ (hit pluse in bottom left)
Choose VPN interface and hit Create
Select OpenVPN from the type list and hit Create
Specify the Gateway (public ip or domain name of your vpn server)
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.

Save that and you’re done. You should now connect into your VPN and run a few ping and other tests.

Mac Client

My primary laptop is a Mac, so let’s go there next. Here you’ll need to install a VPN client application called TunnelBlick. https://www.tunnelblick.net/

Once you’ve installed the application, you need to dbl-click on your client.ovpn file. The ovpn file type has been associated with Tunnelblick when it was installed and will open up the file allowing you to add that connection ot your available list. Once done, simply connect into the VPN and run your tests.

Windows Client

Visit http://sourceforge.net/projects/securepoint and download the windows OpenVPN client.
Launch the Securepoint SSL VPN client, dbl click the tray icon when it appears, and select New.
Next
Enter Name of your VPN Connection and hit Next
Enter the Public IP or Domain Name of your VPN server, the port you configured (default is 1194) and I prefer TCP connections due to reliability reasons… then hit Next
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.
Hit Next
Under Advanced Settings
– check the “Comp-LZO” checkbox
– uncheck the “Auth user/pass” checkbox
– leave all others at their Defaults
hit Next
Lastly hit Finish

All done… let me know if you have any questions below.

Posted by

DanielHeth

Posted on

April 29, 2013

Posted under

IBM, Installation, Software

Comments

Leave a comment

Installing DB2 Enterprise v10.1

Extract installer file…

Run Prechecks…

I already solved the first one… See below on how to disable SELinux on your RHEL system.

Below that, I’ll show you how to solve the missing packages so we can continue with DB2 installation

Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labeling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

… and then reboot the system.

(thanks… http://www.crypt.gen.nz/selinux/disable_selinux.html)

Installing dapl…

On my ISO are the various RPM packages I’ll need. Attempting to install dapl resulted in additional dependencies…

…installing libibverbs…

…installing librdmacm…

and finally… it works

Installing sg3_utils…

This seems to be a recurring theme any time I play with *nix boxes.. dependencies upon dependencies…

…installing libsgutils2 which refers to sg3_utils-libs…

and finally… it works

I was unable to find an sg_persist package… so I re-ran the db2prereqcheck script… and looks like it is included in one of the packages that were installed… and v10.1.0.0 is ready for installation!

Back to the installation:

After answering some basic questions like where to install, etc… it finished!

To validate it is running… try this:

ps –eaf | grep –i db2sysc

To automatically start DB2 instance…

/opt/ibm/db2/V10.1/bin/db2iauto –on db2inst1

Posted by

DanielHeth

Posted on

March 15, 2013

Posted under

Installation, Microsoft, Software, Windows Server 2012

Comments

Leave a comment

Installing Windows Server 2012

Recently I’ve had a need to setup a Windows Server 2012 and wanted to document the process for future attempts.

I won’t document every single screen, only those that include decisions to be made and considerations to be considered.

I’ll be using this server as a root server for my new IBM Endpoint Manager v9, so a GUI would be very handy during install and general maintenance of that application.

At first I wanted to go with a regular install… not Custom… so I chose the top option.

Turns out this is for upgrading an existing OS installation. Since this is a brand new hard drive with no pre-existing OS, I should have chosen the “Custom” option. After hitting Close, I was sent back to the very beginning of the installation.

Once I arrived at the start up screen… it hung there for nearly 30 minutes. Turns out since I was setting this up on a VMWare ESXi v5.0 server it doesn’t support Windows Server 2012. So after some research I came across this article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2006859

I learned that I had to upgrade my VMWare ESXi server to a patch or v5.1… I opted for v5.1 and was able to get past this sticky part.

The server manager has been redesigned for the new GUI. Interesting choices…

I don’t want this application to come up every time I log in… so choosing the Manager –> Server Manager Properties, I was able to check the “Do not start Server Manager automatically at logon”.

Now I need to add my new server to my LDAP domain. Choosing “Local Server” from the left menu…

Click on “WORKGROUP” and the familiar computer properties dialog opens where you can change these settings.

One restart later I was able to log in and I’m done.

Posted by

DanielHeth

Posted on

March 15, 2013

Posted under

Installation, Software, SQL 2012

Comments

Leave a comment

Installing Microsoft SQL 2012

Like many of my step-by-step articles, it’s mostly for corporate level documentation purposes.

I won’t describe every screen, only those that include important decision points that affect my particular use case.

The above dialog is warning me that the firewall does not allow remote database connectivity. The below command line can be used to open up the SQL port. The cmd prompt must be opened with administrative permissions for this to work.
netsh advfirewall firewall add rule name = SQLPort dir = inprotocol = tcp action – allow localport = 1433 remoteip = localsubnet profile = DOMAIN

This is one of those major decision points. My purpose for this database is to house the newest IBM Endpoint Manager v9 database… nothing else. So I only require a few items to accomplish this simple task. The following items are needed for my particular use case:

Database Engine Services

Full-Text and Semantic Extractions for Search

Management Tools – Basic

Management Tools – Complete

In order to get IEM installed properly… an SA account is required. So I’ll configure the database authentication in “Mixed Mode” and specify a password for the SA account.

That’s all there is to it. Installations are almost always straight forward… but some corporations require complete step-by-step documentation, I hope this fits the bill.

Posted by

DanielHeth

Posted on

August 29, 2012

Posted under

BigFix, Installation, iPad, iPhone, MDM, Software

Comments

Leave a comment

Installing BigFix.me MDM onto your iOS devices.

The following step-by-step process demonstrates how to install/configure MDM on your iOS devices… iPhones, iPods, and iPads.

1. Visit https://bigfix.me using your mobile device.
2. Click "Continue to this website (not recommended)" if prompted.
3. Click the "SSL certificate" link towards the bottom.
4. Click the "Install" button on the "Install Profile" screen.
5. Click the "Install" button on the "Warning" screen.
6. If you have a password set, you will need to enter it now and hit "Done".
7. Click the "Done" button on the "Profile Installed" screen, you will be returned to Sarfari.
8. Enter your email address, choose Device Ownership value and click the "Enroll" button.
9. Click the "Install" button on the "Install Profile" screen.
10. Click the "Install Now" button within the popup box.
11. If you have a password set, you will need to enter it now.
12. Click the "Install" button one more time for the "Warning" screen and your done.
13. Click "Done" and your all finished.

Posted by

DanielHeth

Posted on

May 29, 2012

Posted under

BigFix, Installation, Software, Software Distribution, Tasks

Comments

4 Comments

How to use the BigFix Software Distribution Wizard

BigFix is of course now called Tivoli Endpoint Manager a product of IBM. I’m getting a bit lazy and calling it BigFix for short from now on.

Anyways… This article will provide helpful direction when you want to distribute software within your organization.

I have recently wrote a c# application and want to have it automatically installed across my infrastructure. When new systems come on-line, I want my application to automatically be installed once it is properly linked into my BigFix infrastructure. One note to be made when writing your own applications… be sure to properly register your application so you can easily detect that software on your endpoints. I wrote an article which will show you how to properly register your app when creating your Visual Studio Setup application.

The following screen shots might help you with accomplishing this.

First we’ll need to launch the wizard itself, then specify the application name.

Here we’ll need to specify our MSI installer. Visual studio creates both a setup.exe and a setup.msi. the exe is a stand-alone file which creates an environment with which to launch the msi. IE: you can distribute the msi all by itself, but if you want to use the exe, you must distribute both the exe and msi files.

BigFix can handle, so if your application has a simple stand-alone exe, then point the wizard to it. Or the folder or URL of the file in question. It even has the capability of handling ZIP files. (if you’d like more info on this, ask me in the comments section below).

Now we’ll need to specify the operating systems that our application will work on. In my case I want to limit it to newer computers which will have my requirement of .NET to be installed. Note: With Windows 8 coming out soon, you may need to modify the relevance of the resulting task in order to install this application onto those endpoints. As of v8.2 of Tivoli Endpoint Manager, we do not recognize Windows 8. It appears in the console as “WinUnknown 6.2.8250” for the Consumer Preview Release.

Our next step is to help the wizard “craft” our relevance that will be used for this software distribution task. Since my application follows proper registration techniques, it is as easy as specifying my executable within the Registered Application box.

Step 5 of our wizard asks us to properly craft the command line that will be used to silently install our application. Since I’m using an msi installer file that follows Microsoft standards, the defaults are fine. Otherwise you can change the command line parameters here. Remember that the end user will NOT see the installer GUI. So if the installer hangs at a certain step, it will never be noticed and you will have to manually kill the installer before the task will respond with a status.

Complete the wizard by validating the parameters and hitting Finish.

Here we have our newly generated task. I like to fully customize my tasks, especially when I create something that will become customer facing.

Thus I’ll work on each tab in order… First we’ll modify the description so the admin launching the task will know what this task is/does and what to expect.

Also remember to modify which site to “save” the task into and which domain it belongs to. For more on domains, read one of my other articles covering that domains.

I also like to follow naming standards by the BigFix home office, thus on software, I’ll name it as such: [application name] v[version number] Available

Next I like to include a URL link to the application so if the admin wants additional information or support links it’s as easy as clicking one of the actions.

The Software Distribution Wizard does a great job of creating the basic relevance that will be used. I, however, like to separate out my relevance for easy reading. Here I’m separating the OS relevance from my RegApp relevance. Remember that you can only separate if they are connected by an AND, so be careful!

A final piece of “ribbon” for this task is to specify the various properties. View my other article on BigFix Task Properties.

And there we have it… If you look under the site you specified and “Fixlets and Tasks” you will see your task. It is unlikely that any of your endpoints have responded to your new task… therefore you may need to click the “Show Non-Relevant Content” button.

Now that you have the software distribution task created you can Activate it by following this guide.

For your convenience, here is a zip file containing the content covered in this article: http://dl.dropbox.com/u/41985632/Content/ScreenResolutionRuler.zip

If you have any questions or comments, please leave them below.

Posted by

DanielHeth

Posted on

May 28, 2012

Posted under

BigFix, Installation, Microsoft, Programming, Software, Visual Studio

Comments

4 Comments

Visual Studio: Add Uninstall to Your Application

First let me send a shout out to my reference for this little tidbit of information: How to add a Uninstall option in Visual Studio Setup project without writing code GoGoToTo created a very nice article on this. I simply expanded it further to include getting your application “registered” so within BigFix it will show up as one of the registered apps.

First View your File System so we can add the special folder “System”

If your application is x86, then we’ll want to add the msiexec.exe from the c:\windows\SysWow64 folder.

Left click to highlight the msiexec.exe file and in the properties window, adjust as indicated in the following image:

Next we’ll need to add a shortcut to the “User’s Program Menu”. In my example, I’ve created a sub-folder named after my application. Click that folder and in the right window, right-click and create a shortcut.

Navigate to the System Folder and select the msiexe.exe file.

Before we modify the shortcut’s properties, we’ll need to copy the ProductCode from the Setup Application Properties.

Using that ProductCode, modify the shortcut’s properties as follows:

Now we get to register our application… Open the Registry View.

Under HKEY_LOCAL_MACHINE add the following sub-keys:

Microsoft\Windows\CurrentVersion\App Paths\[name of your exe]

Remember to specify the last key to “DeleteAtUninstall” = True

Add the following 2 string values with the values as shown.

That’s it. You now have an uninstall link that will be created upon installation of your app. You will also have your application properly “registered” so BigFix can properly detect it.

Posted by

DanielHeth

Posted on

May 15, 2012

Posted under

Add-ons, BigFix, Installation, Technology

Comments

Leave a comment

TEM SUA Upgrade 1.3.0.592 –> 1.3.1.597

Lately I released an article on installing Tivoli Endpoint Manager’s add-on product Software Usage Analysis (SUA) v1.3.0.592. Well… we have release another upgrade and here’s how you can upgrade your installation:

Launching the installation is pretty easy… unlike the initial installation, there is basically one “step”. Launch the installer:

Typical license agreement stuff.

Since this is an upgrade, we are good about warning you that no one will be able to access the GUI interface at this point.

We’ll need to confirm the user account that is being used for the services here.

I ran into one little problem where but it was due to service account permissions to the database. After adjusting them for the duration of this install, the installation continued.

SUA_Upgrade_10

The installation went well with just the one permissions based hiccup. To confirm installation was successful simply log into the GUI and look at the bottom right for version and catalogue numbers.

If you have any questions or comments, please leave them below.

To view all of the images from this upgrade visit: http://www.flickr.com/photos/danielheth/sets/72157629743080378/