Jul 31, 2020

My Notes on Journalctl in Systemd

Systemd is the system and service manager of most modern Linux distributions, replacing SysVinit. It:

  • Runs as the init daemon, PID 1
  • Provides aggressive parallelization capabilities
  • Uses socket and D-Bus activation for starting services
  • Offers on-demand starting of daemons
  • Implements transactional dependency-based service control logic
  • Tracks processes using Linux cgroups
  • Supports snapshotting and restoring
  • Maintains mount and automount points

Under traditional SysVinit, logging is left to syslog, which writes plain-text files that you read and analyze with 'find', 'grep' and 'less'. systemd collects logs from more sources than syslog (the kernel, early boot, the stdout/stderr of every service, and its own native logging API) and stores them in a binary, indexed journal. Because of that format you need 'journalctl' to read and analyze them.

systemd-journald is the systemd daemon that collects log data from those sources (syslog messages, kernel messages, service stdout/stderr, native journal entries). It attaches metadata such as the sending PID, UID and unit to every entry; that metadata comes from the kernel, not from the logging process, so fields like _PID and _UID are more trustworthy than whatever the message text claims.

journalctl is the command line tool that lets you interact with the journal logs.

With journalctl you can read logs, follow them in real time, and filter them by time, service, severity and other parameters.

Persistent journald logs live in the /var/log/journal directory. Whether anything is written there depends on the Storage= setting in /etc/systemd/journald.conf: with Storage=persistent the directory is created and used; with the default Storage=auto it is used only if it already exists, otherwise the journal lives in /run/log/journal and is lost at reboot, which is exactly what you do not want when investigating an incident. Set Storage=persistent (or create /var/log/journal and restart systemd-journald) and confirm with journalctl --list-boots that earlier boots remain visible.
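As an added example (not part of the original post), here is a small POSIX shell check for that setting. It reads the effective Storage= value from journald.conf and its conf.d drop-ins (later files win, as in systemd's own precedence) and then applies the auto rule above. The file and directory paths are parameters so the functions can be run against copies; the defaults are the real systemd locations.

```shell
#!/bin/sh
# Added example: is this host's journal persistent, or will it vanish at reboot?
# Real systemd paths are the defaults; both functions accept alternatives so
# the logic can be exercised against copies of the configuration.

# Print the effective Storage= value (default "auto") from journald.conf and
# any journald.conf.d/*.conf drop-ins. The last assignment seen wins, which
# is how systemd itself merges these files.
journald_storage_mode() {
  conf="${1:-/etc/systemd/journald.conf}"
  set --
  for f in "$conf" "${conf%.conf}.conf.d"/*.conf; do
    [ -r "$f" ] && set -- "$@" "$f"
  done
  if [ "$#" -eq 0 ]; then
    printf 'auto\n'          # no config at all: compiled-in default
    return 0
  fi
  mode=$(awk '
    FNR == 1        { in_journal = 0 }            # reset per file
    { line = $0; gsub(/[ \t]/, "", line) }        # tolerate "Storage = x"
    line ~ /^\[/    { in_journal = (line == "[Journal]"); next }
    in_journal && line ~ /^Storage=/ { val = substr(line, 9) }  # "#Storage=" is ignored
    END             { print val }' "$@")
  printf '%s\n' "${mode:-auto}"
}

# Exit 0 when log entries survive a reboot, 1 when they do not.
# "auto" is persistent only if the directory already exists, which is the
# case that silently bites on minimal installs.
journal_is_persistent() {
  mode=$(journald_storage_mode "$1")
  dir="${2:-/var/log/journal}"
  case "$mode" in
    persistent) return 0 ;;
    auto)       [ -d "$dir" ] ;;
    *)          return 1 ;;   # volatile or none
  esac
}

# Usage on a live host: sh journal-check.sh --check
if [ "${1:-}" = "--check" ]; then
  if journal_is_persistent; then
    echo "journal storage: persistent (mode $(journald_storage_mode))"
  else
    echo "journal storage: VOLATILE, entries are lost at reboot;" \
         "set Storage=persistent or mkdir /var/log/journal and restart systemd-journald" >&2
    exit 1
  fi
fi
```

Run it with --check on a host you are about to depend on for forensics; a non-zero exit means the journal you would consult after a reboot does not exist.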

Keys used in the journalctl pager (journalctl pipes its output through less, so these are less keys):
Arrow - move by one line
Space - move to next page
b     - move back one page
g/G   - first/last line
100g  - the 100th line
/term - search string
n/N   - next/previous search term
q     - quit

Command line options:
$ journalctl -r      [reverse chronological order]
$ journalctl -n N    [display last N lines]
$ journalctl -f      [follow new entries, like tail -f]
$ journalctl --utc   [display the time at UTC]
$ journalctl -k      [show only kernel messages]
$ journalctl -u ssh  [show 'ssh' unit messages only]

To filter logs based on time interval:
$ journalctl --since=yesterday --until=now
$ journalctl --since "2020-01-01"


To filter logs on journal fields such as the process, user or group that sent them (fields starting with an underscore are filled in by journald from kernel-supplied credentials, so a process cannot forge them):
$ journalctl _PID=1234

Other useful options:
$ journalctl --disk-usage [ disk space used by the journal files ]
$ journalctl -xe     [jump to the end of the journal, with explanatory help texts]
$ journalctl -p 3 -xb

-p 3 : filter by priority 3 (err); a single priority means that level and anything more severe
-x   : add explanatory help texts from the message catalog where available
-b   : only the current boot

$ journalctl -p 4..6 -b0 [ warn .. info ]

[ 0/emerg, 1/alert, 2/crit, 3/err, 4/warn, 5/notice, 6/info, 7/debug ]
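Putting those filters to use, here is an added example of mine (not from the original post) of a detection pass over journal output: it summarizes failed SSH password attempts per source address so a brute-force source stands out. It reads the text that journalctl -o short-iso prints (the -o option selects the output format); the lines inside sample_journal are constructed for the demo, and on a real host you would pipe journalctl -u ssh --since yesterday -o short-iso --no-pager into ssh_failed_by_ip instead.

```shell
#!/bin/sh
# Added example: failed SSH password attempts per source IP, from the journal.
#   journalctl -u ssh --since yesterday -o short-iso --no-pager | ssh_failed_by_ip 5
# Reading the journal instead of /var/log/auth.log works on hosts without rsyslog.

# Print "attempts<TAB>invalid-user-attempts<TAB>ip" for every source with at
# least MIN failed password attempts (default 1), busiest first.
# Only sshd's own "Failed password" lines are counted; "Connection closed"
# and "Accepted" lines are ignored.
ssh_failed_by_ip() {
  awk -v min="${1:-1}" '
    /sshd\[[0-9]+\]: Failed password for / {
      # ... Failed password for [invalid user] NAME from IP port N ssh2
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      total[ip]++
      if ($0 ~ / invalid user /) invalid[ip]++   # username does not even exist
    }
    END {
      for (ip in total)
        if (total[ip] >= min) printf "%d\t%d\t%s\n", total[ip], invalid[ip] + 0, ip
    }' | sort -rn
}

# Constructed sample in journalctl -o short-iso format (not real traffic).
sample_journal() {
  cat <<'EOF'
2020-07-31T09:12:01+0000 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
2020-07-31T09:12:03+0000 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
2020-07-31T09:12:09+0000 host sshd[2205]: Failed password for root from 203.0.113.5 port 4031 ssh2
2020-07-31T09:13:40+0000 host sshd[2230]: Failed password for alice from 198.51.100.7 port 50122 ssh2
2020-07-31T09:13:45+0000 host sshd[2230]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
2020-07-31T09:14:00+0000 host sshd[2240]: Connection closed by 192.0.2.9 port 40000 [preauth]
EOF
}

# Demo: sample_journal | ssh_failed_by_ip
```

The invalid-user column is the useful one: a source that mostly guesses usernames that do not exist is scanning, while repeated failures for a real user may be a targeted attempt or simply a colleague with a stale key.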

Link: How to Use journalctl Command to Analyze Logs in Linux (linuxhandbook.com)

Jul 2, 2020

List Kenna Meters

After working on Kenna for some time, I just noticed that there are too many Kenna meters (asset groups) being created. Plus, I need a way to back up all my Kenna meters' parameters.

Thus, I just started working on a Python script that helps me list all the Kenna meters, including the asset count, vulnerability count, CVEs, fixes and meter meters.

I created the first version of the script in February, and I just noticed I need to improve the script by allowing me to back up all the parameters.

kenna-meters
kenna-meters.py -h


Jun 7, 2020

My First Drone Flight

Today was my first drone flight, with a DJI Mavic Mini quadcopter.

It is such a wonderful experience ;)

Jun 1, 2020

CVSS v3.1 Calculator

Common Vulnerability Scoring System (CVSS) version 3.0 was released in June 2015 and was superseded in June 2019 by CVSS version 3.1. 

The CVSS calculator shows the components of a CVSS score and lets you refine the base score with temporal and environmental metrics. Read the CVSS specification to understand how to score vulnerabilities and how to interpret the result. The scores are computed in sequence: the Base Score feeds the Temporal Score, and the Temporal Score feeds the Environmental Score.

The CVSS score is the common severity metric in vulnerability management, but the base score alone says nothing about exposure in a particular environment; that is what the temporal and environmental metric groups are for.



May 4, 2020

GRUB2 Protection

Single user mode, or maintenance mode, is a mode in which a multi-user OS boots into a single superuser session. It is known as runlevel 1 on SysV-style systems and as rescue.target (rescue mode) on systemd systems.

Single user mode gives an administrator direct access to the root filesystem without a password in order to carry out system maintenance, such as

  • Resetting the root password (rescue mode)
  • Repairing file system corruption (emergency mode)

Here, I'm using Ubuntu as sample configuration.

Set GRUB Password

Anyone with console access can reach single user mode from the boot menu, so securing it means securing the bootloader with a GRUB password. First generate a PBKDF2 hash of that password; on Ubuntu and Debian the tool is grub-mkpasswd-pbkdf2 (grub2-mkpasswd-pbkdf2 is the RHEL/Fedora name of the same command):

# grub-mkpasswd-pbkdf2
Enter password: <STRONG_PASSWORD>
Reenter password: <STRONG_PASSWORD>
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.2E76F....5334


Now, your GRUB hashed password has been generated:
grub.pbkdf2.sha512.10000.2E76F....5334 [283 bytes long ]

Enable GRUB Password Protection

To enable GRUB password protection you identify the menu entries to protect, the users authorized to unlock them, and their password hashes. The users and hashes are added by hand to a script in /etc/grub.d/, here /etc/grub.d/00_header. Every executable script in that directory is run by update-grub and its output is written into grub.cfg, so the lines you add must be printed by the script, not merely present in it.

To edit the /etc/grub.d/00_header, run the command below;
# vim /etc/grub.d/00_header

 

Define Superuser and Password

Once the file is open, add the superuser and its password hash at the end of the file in the following format. password_pbkdf2 takes the hash generated above, not the cleartext password:

cat << EOF
set superusers="superuser"
password_pbkdf2 superuser <PBKDF2_HASH>
EOF


This should finally look like this (the hash is a single long line, 283 bytes in this case, and must be pasted unbroken):

cat << EOF
set superusers="sysadm"
password_pbkdf2 sysadm grub.pbkdf2.sha512.10000.2E76F....5334
EOF


Once you are done editing, save the file and regenerate the GRUB configuration with the following command.

# update-grub2
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.15.0-36-generic
Found initrd image: /boot/initrd.img-4.15.0-36-generic
done


When GRUB is updated, the user and password information is written into the GRUB 2 menu configuration file, /boot/grub/grub.cfg.

Now your GRUB is password protected. To verify this, reboot and, at the GRUB menu, press 'e' on an entry or try to boot into rescue or emergency mode: GRUB must prompt for the superuser name and password first.

Note that if you lose both your GRUB password and the root password, the only way back to a shell is to boot the system from a live CD, mount the root partition read-write and remove the password lines from the GRUB configuration. That also shows the limit of this control: a GRUB password only protects the boot menu. Anyone who can boot other media or pull the disk bypasses it, so pair it with a firmware (BIOS/UEFI) password that locks the boot order, and with full-disk encryption for the data itself.

 

Enable Password Protection for all but Default Menu Entries

Before rebooting, I usually make one additional change. I don't want to type a password every time the system boots, so I protect GRUB for every action except booting the existing menu entries unchanged.

To do that, mark the default menu entries as --unrestricted, which allows them to be booted without a password. Linux menu entries are defined in /etc/grub.d/10_linux, and the simplest way to change all of them is to modify the CLASS variable at the beginning of the file:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Then regenerate /boot/grub/grub.cfg with update-grub2 (Debian-based distributions such as Ubuntu) or grub-mkconfig -o <path to grub.cfg> elsewhere. Editing an entry with 'e' or dropping to the GRUB command line still asks for the superuser password; only selecting an unrestricted entry as-is does not.
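As an added example of mine (not from the original post or any of the linked guides), the script below automates the edits above and adds the checks I would want: it refuses to install anything that is not a PBKDF2 hash (password_pbkdf2 expects the hash, not the cleartext password), puts the superuser definition in its own executable /etc/grub.d/01_password instead of the package-owned 00_header, makes the CLASS edit idempotent, and verifies the regenerated grub.cfg. The file name 01_password is my choice; all paths are parameters so the functions can be tried on copies first. Extracting the hash from grub-mkpasswd-pbkdf2 with sed relies on its "PBKDF2 hash of your password is ..." output line shown earlier.

```shell
#!/bin/sh
# Added example: GRUB superuser password plus unrestricted default entries.
# Typical run as root:
#   grub_write_password_script sysadm "$(grub-mkpasswd-pbkdf2 | sed -n 's/.*is //p')"
#   grub_unrestrict_linux_entries
#   update-grub && grub_cfg_verify

# Write an executable grub.d script that emits the superuser definition.
# update-grub runs every executable file in /etc/grub.d and copies its stdout
# into grub.cfg, so the directives must be printed, not merely present.
grub_write_password_script() {
  user="$1"; hash="$2"; out="${3:-/etc/grub.d/01_password}"
  case "$hash" in
    grub.pbkdf2.sha512.*) ;;            # what grub-mkpasswd-pbkdf2 prints
    *) echo "refusing: password_pbkdf2 needs the PBKDF2 hash, not a password" >&2; return 1 ;;
  esac
  case "$user" in
    ""|*[!A-Za-z0-9_-]*) echo "refusing: bad superuser name '$user'" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
#!/bin/sh
cat <<GRUB
set superusers="$user"
password_pbkdf2 $user $hash
GRUB
EOF
  chmod 0755 "$out"
}

# Append --unrestricted to the CLASS line of 10_linux exactly once, so the
# generated Linux entries boot without a password while editing them still
# requires the superuser.
grub_unrestrict_linux_entries() {
  f="${1:-/etc/grub.d/10_linux}"
  grep -q '^CLASS=.*--unrestricted' "$f" && return 0   # already done
  tmp="$f.tmp.$$"
  sed 's/^CLASS="\(.*\)"$/CLASS="\1 --unrestricted"/' "$f" > "$tmp" &&
    cat "$tmp" > "$f"          # rewrite in place to keep the file executable
  rm -f "$tmp"
  grep -q '^CLASS=.*--unrestricted' "$f"
}

# After update-grub: the password must be in grub.cfg, and every menuentry
# should be unrestricted, otherwise each boot prompts for the password.
grub_cfg_verify() {
  cfg="${1:-/boot/grub/grub.cfg}"
  grep -q '^set superusers=' "$cfg"  || { echo "no superusers line in $cfg" >&2; return 1; }
  grep -q '^password_pbkdf2 ' "$cfg" || { echo "no password_pbkdf2 line in $cfg" >&2; return 1; }
  if grep -E '^[[:space:]]*menuentry ' "$cfg" | grep -v -- '--unrestricted' | grep -q .; then
    echo "warning: some menu entries in $cfg will prompt for the password" >&2
    return 2
  fi
  return 0
}
```

The verify step matters because the recovery entries under the "Advanced options" submenu are generated by the same 10_linux script and inherit the CLASS change, but entries produced by other scripts (memtest, other operating systems) do not and will prompt unless you unrestrict them separately.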

Boot into Rescue Mode

  1. Reboot the system and go to the GRUB bootloader screen.
  2. If the menu is hidden, press the 'ESC' key during boot to reach it.
  3. Choose the first entry "Ubuntu" and press 'e' to edit it (with the password protection above in place, GRUB asks for the superuser credentials here).
  4. Append the string “systemd.unit=rescue.target” to the line that starts with the word ‘linux’.
  5. Press ‘CTRL-x’ or F10 to boot the system into rescue (single user) mode.
  6. Start your troubleshooting steps, such as recovering the root password (passwd root).
  7. Once you are done with the troubleshooting steps, use the ‘systemctl reboot’ command to restart the system.


Boot into Emergency Mode

In emergency mode only the root filesystem is mounted, read-only, and no services are started. It is used when the system cannot reach rescue mode, for example because of filesystem corruption. Refer to the steps below to boot Ubuntu 20.04 into emergency mode:

  1. Reboot the system and go to the GRUB bootloader screen.
  2. If the menu is hidden, press the 'ESC' key during boot to reach it.
  3. Choose the first entry "Ubuntu" and press 'e' to edit it (again, GRUB asks for the superuser credentials first).
  4. Append the string “systemd.unit=emergency.target” to the line that starts with the word ‘linux’.
  5. Press “Ctrl-x” or F10 to boot into emergency mode.
  6. Start your troubleshooting steps, such as repairing the file system.
  7. If you need / (the root filesystem) writable, remount it with the following command: # mount -o remount,rw /
  8. Once you are done with the troubleshooting steps, use the ‘systemctl reboot’ command to restart the system.

Links:

  • https://www.linuxtechi.com/boot-ubuntu-20-04-rescue-emergency-mode/
  • https://selivan.github.io/2017/12/21/grub2-password-for-all-but-default-menu-entries.html
  • https://kifarunix.com/how-to-protect-single-user-mode-with-password-in-ubuntu-18-04/