Month: February 2016

Password Recovery in Redhat 7

Forgot the root password on your RHEL 7 server? The procedure differs from RHEL 6 in a few places. Here is how you do it.

With SELinux and systemd in the mix, both have to be accounted for. Here is what needs to be done in order to recover a forgotten root password on Red Hat 7 Linux:

Edit the GRUB2 boot menu and enter single-user mode
Remount the / partition read/write
Reset the actual root password
Flag the entire system for SELinux relabeling on the next reboot
Reboot the system from single-user mode

Now that we understand the procedure we can proceed with Redhat 7 password recovery.

1. Edit GRUB2 boot menu

Start your system and, once you see the GRUB2 boot menu, press the ‘e’ key to edit the default boot entry. Usually it is the first line. Once you have hit ‘e’, scroll down and locate the line containing the ‘rhgb quiet’ keywords:

Move to the end of that line with CTRL+E, then place the cursor on the “rhgb quiet” keywords and replace them with “init=/bin/bash” as shown below:


Once you have edited the boot line as shown above, press “CTRL + x” to boot your RHEL 7 system into single-user mode. At the end of the boot you will be dropped into a root shell in single-user mode.


2. Remount the root partition read/write

Once you are in single-user mode your root partition is mounted read-only (ro). You can confirm this with the following command:

# mount | grep root

In order to mount our partition with Read/Write flag we use mount with a remount option as follows:

# mount -o remount,rw /

Next, confirm that the root file system is mounted Read/Write rw:

# mount | grep root

3. Change root’s password

Still in single-user mode, we can proceed with the actual root password reset. To do this we use the passwd command:

# passwd

You will need to enter the new password twice.

4. SELinux relabeling

The additional step that needs to be taken on an SELinux-enabled Linux system is to relabel the SELinux contexts. If this step is omitted you will not be able to log in with your new root password: passwd was run from a shell with no SELinux policy loaded, so the rewritten /etc/shadow carries the wrong label. The following command ensures that the SELinux context of the entire filesystem is relabeled after the reboot:

# touch /.autorelabel

5. Reboot System

The final step when resetting a lost root password on a RHEL 7 Linux system is to reboot. This can be done with the following command:

# exec /sbin/init

After reboot you will be able to use your new root password.
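The steps above are easy to get out of order from a bare shell, so here is an added example (not from the original post) of a few checks you can type in the init=/bin/bash shell, or keep in a script, to confirm that each prerequisite holds before moving on. The functions take file contents as an argument so they can be exercised offline; the paths /proc/mounts and /etc/selinux/config and the sample contents are assumed to be what a stock RHEL 7 system has, not something taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Sanity checks for the
# recovery shell reached via init=/bin/bash on RHEL 7.

# rootfs_is_rw MOUNTS_TEXT
# Succeeds (exit 0) when the last entry for "/" in the given /proc/mounts
# text carries the rw option, fails otherwise. The last "/" entry wins
# because /proc/mounts can list the initramfs "rootfs" line before the
# real root device.
rootfs_is_rw() {
    printf '%s\n' "$1" | awk '
        $2 == "/" {
            found = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# selinux_wants_relabel CONFIG_TEXT
# Succeeds when the given /etc/selinux/config text sets SELINUX to
# enforcing or permissive, i.e. when touch /.autorelabel is required
# after changing the password from this shell.
selinux_wants_relabel() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*SELINUX=(enforcing|permissive)[[:space:]]*$'
}

# recovery_status
# Interactive use from the recovery shell: report what still has to be done.
# Guarded so the file can also be sourced on a machine without these paths.
recovery_status() {
    if [ -r /proc/mounts ]; then
        if rootfs_is_rw "$(cat /proc/mounts)"; then
            echo "root filesystem: rw (ok to run passwd)"
        else
            echo "root filesystem: ro -> run: mount -o remount,rw /"
        fi
    fi
    if [ -r /etc/selinux/config ] && selinux_wants_relabel "$(cat /etc/selinux/config)"; then
        if [ -e /.autorelabel ]; then
            echo "SELinux: relabel flag present, safe to exec /sbin/init"
        else
            echo "SELinux: enabled but /.autorelabel missing -> run: touch /.autorelabel"
        fi
    else
        echo "SELinux: config absent or SELINUX=disabled, relabel not required"
    fi
}

recovery_status
```

Run recovery_status once after the remount and once after touching /.autorelabel; the two messages tell you whether the remount actually took (mount can silently leave the filesystem ro if the remount failed) and whether the relabel flag is in place before you exec /sbin/init.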

When did that change?

Trying to shut down an old web server from the late 1990s whose guts were transplanted onto a newer system around 2003 and again around 2009. As you can imagine, there are accounts and files that are like the items in your junk drawer: they beg the question, why is this here?!

In an attempt to determine the last use of those accounts we combined some log analysis with some Unix timestamp forensics to prove that no one really needs this anymore!

The log analysis was pretty easy: track non-robot traffic to determine which accounts were being accessed, and at what frequency and volume. The timestamp analysis wasn't difficult either; we just had to isolate which files we wanted to analyze. The `stat`, `find` and/or `ls` commands make this easy. In case you are not aware of this, Linux/Unix stores a number of timestamps for each file. These timestamps record when a file or directory was last accessed (read from or written to), changed (file access permissions were changed) or modified (written to).

The three times tracked for each file in Linux/Unix are:

  • access time – atime
  • change time – ctime
  • modify time – mtime

Rather than querying atime, ctime or mtime individually, the easiest way to see all three for a file is the `stat` command:

# stat /home/myhome/file1 
  File: `/home/myhome/file1'
  Size: 1498906   	Blocks: 2928       IO Block: 4096   regular file
Device: fd01h/64769d	Inode: 3414009     Links: 1
Access: (0664/-rw-rw-r--)  Uid: (  500/   myhome)   Gid: (  500/   users)
Access: 2016-01-26 12:53:01.309089993 -0500
Modify: 2013-07-15 10:28:05.241847000 -0400
Change: 2013-07-15 10:28:05.315848001 -0400

If you are looking for a large set of files that have been accessed, modified or changed before or after a specific date, then the `find` command is your best bet.

For single files or a small set of files the `ls` command is probably easier.

For information on how to use atime, ctime and mtime with `find` and `ls` refer to the man page for the specific command.
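As an added example (not from the original post) of the find and stat approach described above, the two shell functions below first list files whose atime is older than a given number of days, then print the newest of the three timestamps for every file so you can see which one actually reflects the last activity. It assumes GNU find and stat as shipped on RHEL (the `stat -c` format string is a GNU extension); the sample files in demo_timestamps are constructed. Two caveats worth keeping in mind: atime and mtime can be set to any value with `touch`, but ctime cannot be set from user space, so a file whose atime and mtime say 2013 while its ctime says today was handled more recently than it claims; and on filesystems mounted with noatime or relatime, atime may not reflect the last read at all.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU stat and find
# (as shipped on RHEL). The sample files built below are constructed.

# stale_by_atime DIR DAYS
# Print regular files under DIR whose access time is more than DAYS days old.
# On noatime/relatime mounts atime may lag behind real reads, so treat the
# result as "not provably used", not as proof of no use.
stale_by_atime() {
    find "$1" -type f -atime +"$2" -print
}

# last_activity DIR
# For each regular file under DIR print "EPOCH WHICH PATH", where WHICH names
# the newest of atime/mtime/ctime, sorted oldest first. ctime cannot be set
# with touch, so a file whose atime/mtime are old but whose ctime is recent
# was renamed, re-permissioned or had its timestamps rewritten recently.
last_activity() {
    find "$1" -type f -exec stat -c '%X %Y %Z %n' {} + | awk '{
        newest = $1 + 0; which = "atime"
        if ($2 + 0 > newest) { newest = $2 + 0; which = "mtime" }
        if ($3 + 0 > newest) { newest = $3 + 0; which = "ctime" }
        sub(/^[^ ]+ [^ ]+ [^ ]+ /, "")      # strip the three numbers, keep the path
        print newest, which, $0
    }' | sort -n
}

# demo_timestamps
# Build a throwaway directory with one fresh file and one whose atime and
# mtime were pushed back to 2013 with touch, then report on it. The forged
# file still shows up with a current ctime in last_activity.
demo_timestamps() {
    dir=$(mktemp -d)
    printf 'old\n' > "$dir/old.txt"
    printf 'new\n' > "$dir/new.txt"
    touch -a -m -t 201307151028 "$dir/old.txt"     # forge atime and mtime only
    echo "-- files not accessed in over a year:"
    stale_by_atime "$dir" 365
    echo "-- newest timestamp per file:"
    last_activity "$dir"
    rm -rf "$dir"
}

demo_timestamps
```

When auditing a user's home directory for this kind of cleanup, run last_activity on it and look at the WHICH column: accounts whose files only show old atime and mtime but recent ctime values were touched by something (a migration, a chown, a tar extraction) long after the owner stopped using them, which is exactly the junk-drawer case the post describes.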