Wednesday, September 10, 2014

Checkpoint SPLAT SecurePlatform Tips v1.0

SecurePlatform Tips v1.0











This document does assume a basic knowledge of Linux.



Authors:
Brian Linder
SE Manager, NJ/PA
[email protected]

Jon Paine
Professional Services (UK)
[email protected]


***************************************************


 Virtual Consoles During Install :


Alt-F1
Alt-F2
Alt-F3
Alt-F4

These keystrokes switch you between the virtual consoles of Linux. This is particularly useful during Installation of SPLAT to see progress.



 Find Files:


find / -size +10000k             (Find any file larger than 10000K)
find $FWDIR -name '*.elg' -size -500k    (Find *.elg files smaller than 500k)
find /home/david -mtime -2 -name '*.c'    (Find files modified less than 2 days ago)
find /home/david -mmin -10 -name '*.c'     (Find files modified less than 10 mins ago)
find $FWDIR -name *.C -exec grep "pattern" '{}' /dev/null \; -print   (Find ”pattern” in *.C files under $FWDIR)
du –k | sort –nr | head -20

This will display the size of all folders beneath on the system, sort them in numerical order and display the 20 largest entries. ”/” will show all directories on all filesystems. ”$FWDIR” will only show directories therein. The man page contains more information and there are several very good online tutorials for find available.

 Login Directly to Expert Mode:


chsh –s /bin/bash admin     Go directly to expert mode, skiping the restricted cpshell. Permanent change.
chsh –s /bin/cpshell admin     Revert the change.

 See What Traffic Was Dropped But Not Logged:


fw ctl zdebug + drop | grep



Allow admin user to scp files to the SPLAT box:


grep admin /etc/scpusers | wc –l
If 0, then do this:
echo admin >> /etc/scpusers
Any user can be substituted for admin. WinSCP users: In order to use WinSCP, you must also issue the following to change admin’s shell to bash:
chsh –s /bin/bash admin
Note: This is a security risk as this bypasses cpshell for this user. Use with caution.

 Run a command from the shell repetitively:


Repeat a particular command until :
watch –-interval=5 (commands)   Note: output cannot be redirected to a file.
To have more flexibility use:
while true;
do
sleep 5
(commands)
done
All commands should be followed by a Carriage Return. Example commands could be
ls –lh *.elg
cpwd_admin list
echo >> ~/routes.txt ; zdump utc >> ~/routes.txt; netstat –rn >> ~/routes.txt
Rediretion of output is fully supported.

  Force Interface Speed/Duplex (Not gigabit):


There are three tools to do this from the shell. Ethtool, mii_tool and eth_set. ’eth_set’ is preferred and survives a reboot. The others do not.
eth_set [interface] [<10h|10f|100h|100f|1000h|1000f|autoneg>]
ethtool -s DEVNAME speed 10|100|1000 duplex full|half autoneg off|on
mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...]
mii-tool eth1 -F 100baseTx-FD   will force the eth1 interface to 100 Mbps link speed, full duplex.
mii-tool eth0 -F 10baseT-HD   will force eth0 to 10Mbps link speed and half duplex.

Ethtool and mii-tool commands can be put at the end of /etc/rc.local startup script to survive a reboot.
Please note the Gigabit Ethernet standard requires the use of autonegotiation to establish the master-slave signal timing control required to make the link operational. Do not use these commands to disable autonegotiation for Gigabit links.

 Conflicts Between SNX/VM, SmartPortal and SPLAT WebUI:

SNX and Visitor Mode conflict with the default SPLAT admin GUI port of 443. To remedy:
webui enable 445 (moves it to 445)

or, for a better security:
webui disable

 Find out the features of a SKU per whatever cp.macro is on your SPLAT box:


cplic resolve_macro ::CPVP-VSI-100-NGX

Use this command to compare features of two SKUs:

cplic resolve_macro ::CPVP-VSI-100-NGX > VSI
cplic resolve_macro ::CPVP-VMC-100-NGX > VMC
diff VSI VMC

 Some Performance Commands:

top
uptime
free
vmstat
cat /proc/sys/fs/file-max
cat /proc/sys/fs/file-nr,
cat /proc/interrupts     (verify how IRQs are being balancing across CPUs)



 About Connecting SPLAT to a Terminal Server:


Say you connect to the serial port via a network console server. Basically, you telnet to the server on the numbered port that you wish to connect to. This numbered port has RJ45 connection to a serial adapter on the device serial port.

Some terminal servers detault to vt100 terminal emulation mode by default. SPLAT installation takes place in ANSI terminal mode. This mismatch causes the server to receive a string of characters that it did not understand. Once you change the mode to ANSI on the console server (and the client software - HyperTerminal) we were able to see the boot menu correctly.

With --silent enabled (as it is by default) in /etc/grub.conf, you don't see the full boot menu unless you hit a key.



 Compute a File Integrity Checksum:


md5sum [filename]
sha1sum [filename]

  Useful Commands for Identifying Versions:


kernelversion
uname –a
ver
fw ver
cpshared_version



 Watch Appended Data to a Log File (or any file) on the Fly:

tail –f /var/log/messages


 Create a Text File from the Command line – Quick and Dirty:

cat > myfile
(type a line)
(type a line)
(etc.)
EOF (Hit Ctrl-D)



 Useful Networking Commands:


ifconfig –a
netstat –rn (route)
netstat –i (interface errors)
netstat –an       (all stats, but do not resolve service names)
netstat –antp (which processes listening on which ports)



 View the first (or last) Few Lines in a File:

head -10 filename     (See first 10 lines)
tail -5 filename      (See last 5 lines)
wc –l      (Count the lines in a file)

 Output a File, Doing a Search-Replace on the Fly:


Replace all occurrences of x with y in fname, and output it to newfname:
cat fname | sed ’1,$s/x/y/g’ > newfname

 Log a Message in /var/log/messages:


syslog:
logger
logger [options] [message...]

TCP/IP command. Add entries to the system log (via syslogd). If no message is given on the command line, standard input is logged.



 Clever Use of Directory Listings:

cd /etc
ls –la | grep host     (show all files with host in the filename)
ls –la | grep host | grep –v hosts     (show all files with host, but not hosts)



 Quick and Dirty ’tar’ tutorial:


Create a tar backup of a directory – using relative file names:
cd /whichdir
tar cvzf myfile.tgz ./*

List the tar archive:
cd /whichdir
tar tvzf myfile.tgz

Extract the tar archive to a directory:
cd /myrestoredir
tar xzvf myfile.tgz

Create a tar backup of a directory – using absolute file names (use carefully!)
cd /whichdir
tar cvzf myfile.tgz /etc/*

Restore a tar backup of a directory – using absolute file names (use carefully!)
cd /whichdir
tar xvzf myfile.tgz

 Mount a CD-ROM:


mount /dev/cdrom
cd /mnt/cdrom

When you are done:
umount /dev/cdrom
Note: You can’t eject the CD-ROM until you umount it.

 Mounting an ISO from the local filesystem:


mount -t iso9660 -o loop ~/singlecd.iso /mnt/cdrom
Singlecd.iso assumed to be in the home directory ”~/”.

 Mount a USB drive in SPLAT:


modprobe usb-storage      Load the module for usb mass storage (once per re-boot): (Plug in the USB key)
dmesg | more      Look in dmesg for the device node to mount from. Likely to be SDB1 or SDD1)
mount -t vfat /dev/sdb1 /mnt/usb     Mount the volume (/dev/whatever designation from above)  (Copy files to or from /mnt/usb)
umount /mnt/usb     Unmount when finished

 Syntax of the Crontab:

# Use the hash sign to prefix a comment
# +---------------- minute (0 - 59)
# | +------------- hour (0 - 23)
# | | +---------- day of month (1 - 31)
# | | | +------- month (1 - 12)
# | | | | +---- day of week (0 - 7) (Sunday=0 or 7)
# | | | | |
# * * * * * command to be executed

Nobody can ever remember this, so refer to the man pages or online tutorials.

 File Types and Execution Path Checking:


which cpstop      (which cpstop will be executed based on the shell path)
file cpstop      (what kind of file is cpstop – script? complied executable?)
file `which cpstop`      (use command substitution to combine the two commands)
basename filename     (strip the path off of a filename)

 Determine the Hardware Compatibility of a particular PCI NIC:


Need to determine HCL compliance of a PCI device? Before opening an SR, perform:
lspci -nv
lspci -vv
lsmod

Correleate vendor/device with http://pci-ids.ucw.cz or http://www.pcidatabase.com/

 Determine the NIC driver version you are using:

cat /etc/modules.conf
ethtool –i eth0

 See What Files Changed During any Operation:

du –k | sort –nr > before
(perform the command)
du –k | sort –nr > after
diff before after

 Investigate Check Point Configuration from the Command Line:

$CPDIR/bin/cpprod_util -?
cpwd_admin list

 Using cpinfo to Re-create a SmartCenter (not supported):


You can do this partially. The cpinfo should have a copy of most of the files in the conf directory. Infoview will let you drag files from it onto a folder on your machine.

What I do is take these files

objects_5_0.C
rulebases_5_0.fws
fwauth.NDB
*.W
(maybe asm.c if necessary)

Put them on a machine that has the same IP and hostname as the original management server, overwriting the existing files in $FWDIR/conf. Remove $FWDIR/conf/applications.* and $FWDIR/conf/CPMILinks* (this is important or else it will not work) and then cpstop;cpstart and you should be able login and have the objects and rules and users from the old management server. This method does not preserve the SIC database, however, so you’ll have to reset SIC on any modules you have. I don’t think that the cpinfo contains enough info to save the SIC database, but not sure since I haven’t really tried to do it before.

 Recovering a Forgotten SPLAT Password:


1. If you know the Expert Mode password, but not any of the user passwords, go to Maintenance Mode. The Expert Mode password is also used to access Maintenance Mode. Once in Maintenance Mode, issue the cpshell command. Use the adduser command to create a new user, whose password is known. If you don't have the option of creating a new user, you're probably stuck following the steps for when you know neither the Standard Mode nor the Expert Mode password (see #3 below).

2. If you know a user's Standard Mode password, but you've forgotten the Expert Mode password, things get a little trickier, but not too bad. I used a bootable Linux distro (tested with Knoppix & F.I.R.E.).
a) boot to CD
b) mount the hard disk ( mount /dev/hda2 /mnt/hda2 )
c) edit the SecurePlatform passwd file - change the user's default shell from cpshell to bash (see tip above)
d) boot to SecurePlatform & login with the user you just modified; you get a bash prompt
e) use the passwd command to change the Expert Mode password
f) edit passwd & change the user's default shell back to cpshell

I tested this using a special user created for the test and also with admin.
No problems either way.

3. If you don't know the Standard Mode password and you don't know the Expert Mode password, things are even trickier, but you can still get in.
You'll need access to another SecurePlatform installation and a bootable Linux distro for this one.
a) go to a SecurePlatform box where you know the passwords
b) copy the /etc/passwd and /etc/shadow files to a floppy
c) go to the SecurePlatform machine where you don't know the passwords and boot to your bootable Linux CD
d) mount the hard disk and the floppy with passwd and shadow files
e) move the existing passwd and shadow files to .old
f) copy the passwd and shadow files from the floppy to your SecurePlatform machine
g) edit passwd and change the user's default shell from cpshell to bash
h) boot to SecurePlatform and login using the user you just modified; you get a bash prompt. You may also get an error message if the user doesn't have a home directory - you should still be able to login
i) use the passwd command to change the Expert Mode password
j) edit /etc/passwd & change the user's default shell back to cpshell

I also changed the permissions on passwd & shadow to match their original permissions. For passwd, the original permissions were 644. For shadow, the original permissions were 400.

Additonal Notes for HP/Compaq:
"The Compaq/HP servers use the Smart Array 5i controller which uses the cciss driver. It was loading, but not seeing any drives. Also, the CD ROM was stalling during load as it was trying to load as a SCSI device, and it was not on the controller. Here is what I had to do:

Boot Knoppix by entering boot:knoppix26 atapicd
Once the sytem was up:
cd /dev
MAKEDEV cciss (caps needed) and it created like 100 objects under /dev/cciss
Mounted the drive with mount –o rw /dev/cciss/c0d0p3 /mnt/tmp

It appears that c0d0p1 (partition 1) is the boot partition, c0d0p2 (partition 2) is the swap space, and c0d0p3 (partition 3) is the application drive."

 BONUS: Recovering a Forgotten IPSO Password:


Recovery a Nokia lost password:
You must have local serial console access to the unit to perform this procedure.
1. Boot system into single user mode. To do this reboot or power cycle the machine, When you see the line " boot: " you must enter "-s" before it goes into multiuser mode. (you have about 10 seconds)
* on a ip330 or ip650 you need to type boot -s at the BOOTMGR prompt*
2. After it boots, it will ask you "Enter pathname of shell or RETURN for sh:", press Enter key.
3. Type "/etc/overpw" in the # prompt. It will ask if you want continue, type "y".

In IPSO 3.1.3 systems and earlier, it will ask you to put a floppy disk into the floppy drive to make sure you have physical access to the box. Put a floppy disk into the floppy drive and press Enter key. IPSO 3.1.4 and later does not ask this question.

In IPSO 3.4 and above, /etc/overpw will ask you to set a password. The admin password defaults to no password in earlier versions of IPSO.
4. Continue to boot to multiuser mode.
5. Login as admin. If a password is required, you will be asked for one.
6. Use the dbpasswd command to set a new password:
nokia[admin]# dbpasswd admin newpassword ""

(Note that the "" is necessary to specify (NULL) as the old password.)

Then, save this new password to the configuration file so that you can log into Network Voyager:
nokia[admin]# dbset :save

No comments: