Why Change User and SO Pins?

Changing your User and SO pins is an essential practice to ensure the security of your cryptographic storage. It helps safeguard your sensitive data and maintain the integrity of your system.

Changing the SO Pin

The SO pin, or Security Officer pin, is the master pin that provides access to all functions within the SoftHSM. To change it, follow these steps:

• Open your terminal and run the following command:

pkcs11-tool –module /usr/lib64/pkcs11/libsofthsm2.so –login –login-type so –change-pin

Make sure to replace --module with the actual path to libsofthsm2.so.

Changing the User Pin

The User pin is specific to individual users and provides access to their cryptographic storage. To change it, use the following command:

• In your terminal, enter the following command:

pkcs11-tool –module /usr/lib64/pkcs11/libsofthsm2.so –login –login-type user –change-pin

replace --module with the correct path to libsofthsm2.so.

Using a Different Slot

In some cases, you might need to work with a different slot. To specify a different slot, you can use the --slot option followed by the slot number. For example:

pkcs11-tool –module /usr/lib64/pkcs11/libsofthsm2.so –login –login-type so –change-pin –slot 1

Spotlight search is a powerful tool on macOS, helping you quickly find files, applications, and information on your computer. However, there are times when you might encounter issues where it doesn’t return the right results. When this happens, reindexing your system can be the solution to improve the accuracy of your searches. I

Step 1: Open Terminal as Root

Open Terminal on your macOS system. To perform system-level tasks, you’ll need to access the Terminal as the root user. You can do this with the following command:

sudo -s

Step 2: Turn Off Spotlight Indexing

Next, you’ll want to turn off indexing for Spotlight using the mdutil command. This command stops the indexing process for all volumes:

mdutil -a -i off

Step 3: Unload the Metadata Daemon

unload the Metadata Daemon service to make changes to the indexing process. Use the launchctl command with the unload option:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

Step 4: Load the Metadata Daemon

After unloading the Metadata Daemon, you’ll need to load it again to apply the changes:

launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

Step 5: Turn On Spotlight Indexing

Finally, turn on indexing for Spotlight again using the mdutil command:

mdutil -a -i on

$ git checkout
Branch legacy set up to track remote branch legacy from origin.
Switched to a new branch ‘new_branch'

$ git pull

$ git branch
* new_branch
master


# clone the repo
git clone <repo-url>
git mv <source_file_or_directory> <destination>
git status # will show the change details
git commit -am "comment_for_the_change"
git push # push changes to repo

Bind 9.10.0-P1 supports the native PKCS#11 mode, instead of the openssl based PKCS#11. You can either compile it with (./configure --enable-native-pkcs11 \
--with-pkcs11=provider-library-path) or install prebuilt packages.

Upon writing this blog, Fedora 23, has built-in bind-9.10.3-7.P2 and SoftHSM (Software based HSM)

SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface

Install the required packages

# dnf install bind-chroot bind-pkcs11 softhsm bind-pkcs11-utils

bind-chroot-32:9.10.3-7.P2.fc23.x86_64
bind-pkcs11-9.10.3-7.P2.fc23.x86_64
softhsm-2.0.0rc1-3.fc23.x86_64
bind-pkcs11-utils-9.10.3-7.P2.fc23.x86_64

Initialize the SoftHSM repository
# softhsm2-util --init-token 0 --slot 0 --label softhsm
enter the user and security pin

Generate the keys (Key Signing Key and Zone Signing Key)

You may use the algorithm and key size depends on your requirement.
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_ksk
Enter Pin:
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_zsk
Enter Pin:

# pkcs11-list
Enter Pin:
object[0]: handle 2 class 2 label[12] 'sample_ksk' id[0]
object[1]: handle 3 class 2 label[12] 'sample_ksk' id[0]
object[2]: handle 4 class 3 label[12] 'sample_zsk' id[0]
object[3]: handle 5 class 3 label[12] 'sample_zsk' id[0]

Create a pair of BIND9 key files using dnssec-keyfromlabel-pkcs11 utility, since we are using pkcs#11 backend the label must be pkcs#11 uri format. Don’t know how safe it is to store the pin on the file system, but yes we have to create a text file with the HSM pin. Not sure if the dnssec-keyfromlabel can prompt for the pin.

# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -f KSK -l 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' example.com
Kexample.com.+005+46938.key
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -l 'pkcs11:object=sample_zsk;pin-source=/etc/token_pin' example.com
Kexample.com.+005+46939.key

The resulting files can be used to sign the zone, as per the BIND documentation – “Unlike the normal K* files, which contain both public and private key data, these files will contain only the public key data, plus an identifier for the private key which remains stored within the HSM. Signing with the private key takes place inside the HSM.”

Include the keys in zone file or specify the key path on the named configuration.

echo "$INCLUDE Kexample.com.+005+46938.key" >> example.com.zone
echo "$INCLUDE Kexample.com.+005+46939.key" >> example.com.zone

Signing the zones
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked

# head example.com.signed
; File written on Mon Jan 18 16:02:19 2016
; dnssec_signzone version 9.10.3-P2-RedHat-9.10.3-7.P2.fc23

Reference: BIND 9 Administrator Reference Manual
https://ftp.isc.org/isc/bind/cur/9.10/doc/arm/Bv9ARM.ch04.html
SoftHSM documentation

– Create a new user in ESXi with no access privilege, you need to login to the ESXi directly to do that.

– Enable SSH, and add nagios user to root group:
# vi /etc/group
root:x:0:root,nagios

– Check from the command line, if it works
./check_esxi_hardware.py --host https://esxihost:5989 --user file:credentials.txt --pass file:credentials.txt
OK - Server: Cisco Systems Inc.....

– Configure the credentials files to use the nagios user credentials.

To enable GeoIP(PECL) from redhat/centos machines:
# yum install php-pecl-geoip
#apachectl restart
# php -m | grep -i geo
geoip

From Piwik, Settings –> Geolocation –> GeoIP (PECL)

To reindex the old visits:
# cd misc/others
# php ./geoipUpdateRows.php
[note] Found working provider: geoip_pecl
90094 rows to process in piwik_log_visit and piwik_log_conversion....
.
.
.
100% done!

# apt-get install rtmpdump
$ rtmpdump -r < rtmp://url/ > -o < output_file.mp4 >

eg:
$ rtmpdump -r rtmp://foobar.com/mp4:videos/123/foo.mp4" -o foo.mp4

Set the from address with EMAIL=
-s – Subject
-a – attachment file
recipient name
-c – for CC
-b – for BCC
create a text file (eg: /tmp/testmessage) , with the body of the message.

EMAIL="foo@bar" mutt -s "Subject" -a test.doc foo1@bar -c foo2@bar < /tmp/testmessage