Health Audit Issue

Started by NW4FUN, December 19, 2022, 01:55:46 PM

Hey guys,

While running an Audit->Health I've got the following issue

>>> Check for missing or altered base files
Error 2 ocurred.
etc/sysctl.conf:
   size (311, 345)
   sha256digest (0x8c57d647047d84b9be4cddbb0b6d58c1d5839f148b62d1137b8bf2611f681cfd, 0x06ec8255e5fdfb4ccaf2059bc0d12c92554e4ba8f92b9d4c51af74ba58ba00c9)


Any idea of what that could be?

For completeness of info, this is the full audit outcome which shows other errors which I believe are linked to another issue I have with connecting to repositories

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.9_3 (amd64/OpenSSL) at Mon Dec 19 13:52:24 CET 2022
>>> Check installed kernel version
Version 22.7.9 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.9 is correct.
>>> Check for missing or altered base files
Error 2 ocurred.
etc/sysctl.conf:
   size (311, 345)
   sha256digest (0x8c57d647047d84b9be4cddbb0b6d58c1d5839f148b62d1137b8bf2611f681cfd, 0x06ec8255e5fdfb4ccaf2059bc0d12c92554e4ba8f92b9d4c51af74ba58ba00c9)
>>> Check installed repositories
SunnyValley
OPNsense
mimugmail
>>> Check installed plugins
os-acme-client 3.14_1
os-api-backup 1.0_1
os-bind 1.24_1
os-ddclient 1.9_1
os-debug 1.5
os-dmidecode 1.1_1
os-hw-probe 1.0_1
os-igmp-proxy 1.5_2
os-iperf 1.0_1
os-lldpd 1.1_2
os-mdns-repeater 1.1
os-net-snmp 1.5_2
os-netdata 1.2_1
os-nut 1.8.1_1
os-sensei 1.12.1
os-sensei-agent 1.12.1
os-sensei-updater 1.12
os-smart 2.2
os-speedtest-community 0.9_3
os-sunnyvalley 1.2_2
os-wireguard 1.13_2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.85 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dnsmasq-2.87,1 has no upstream equivalent
Checking packages: .
dpinger-3.2 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10_5 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.3P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.3P1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.67 has no upstream equivalent
Checking packages: .
monit-5.32.0 has no upstream equivalent
Checking packages: .
mpd5-5.9_12 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_5 has no upstream equivalent
Checking packages: .
openssh-portable-8.9.p1_4,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1s,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.8 has no upstream equivalent
Checking packages: .
opnsense-22.7.9_3 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-22.7.3 has no upstream equivalent
Checking packages: .
opnsense-update-22.7.9 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.8 has no upstream equivalent
Checking packages: .
php80-ctype-8.0.26 has no upstream equivalent
Checking packages: .
php80-curl-8.0.26 has no upstream equivalent
Checking packages: .
php80-dom-8.0.26 has no upstream equivalent
Checking packages: .
php80-filter-8.0.26 has no upstream equivalent
Checking packages: .
php80-gettext-8.0.26 has no upstream equivalent
Checking packages: .
php80-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php80-ldap-8.0.26 has no upstream equivalent
Checking packages: .
php80-pdo-8.0.26 has no upstream equivalent
Checking packages: .
php80-pecl-radius-1.4.0b1_2 has no upstream equivalent
Checking packages: .
php80-phalcon-5.1.1 has no upstream equivalent
Checking packages: .
php80-phpseclib-3.0.16 has no upstream equivalent
Checking packages: .
php80-session-8.0.26 has no upstream equivalent
Checking packages: .
php80-simplexml-8.0.26 has no upstream equivalent
Checking packages: .
php80-sockets-8.0.26 has no upstream equivalent
Checking packages: .
php80-sqlite3-8.0.26 has no upstream equivalent
Checking packages: .
php80-xml-8.0.26 has no upstream equivalent
Checking packages: .
php80-zlib-8.0.26 has no upstream equivalent
Checking packages: .
pkg-1.17.5_1 has no upstream equivalent
Checking packages: .
py39-Jinja2-3.1.2 has no upstream equivalent
Checking packages: .
py39-dnspython-2.2.1_1,1 has no upstream equivalent
Checking packages: .
py39-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py39-requests-2.28.1 has no upstream equivalent
Checking packages: .
py39-sqlite3-3.9.15_7 has no upstream equivalent
Checking packages: .
py39-ujson-5.0.0 has no upstream equivalent
Checking packages: .
py39-vici-5.9.3 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.8.0_1 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-5.7 has no upstream equivalent
Checking packages: .
strongswan-5.9.8_1 has no upstream equivalent
Checking packages: .
sudo-1.9.12p1 has no upstream equivalent
Checking packages: .
suricata-6.0.9_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.38.1 has no upstream equivalent
Checking packages: .
unbound-1.17.0 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10_6 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***


Any insight might surely help, thanks.

NW4FUN


So I think you just modified /etc/sysctl.conf yourself there (we don't use it) and the updates are currently not working, perhaps because of DNS or IPv6 connectivity issues.

That's all.


Cheers,
Franco


Thanks Franco, I'm not entirely sure I did that myself...

This is what I've found inside that file

# $FreeBSD$
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

kern.corefile = /root/%N.%P.core



Is this making any sense to you? Shall I unable that kern.corefile line?
If so, does it require a reboot afterward?

Thanks

Quote from: franco on December 19, 2022, 02:25:51 PM
So I think you just modified /etc/sysctl.conf yourself there (we don't use it) and the updates are currently not working, perhaps because of DNS or IPv6 connectivity issues.

That's all.


Cheers,
Franco

Also, I don't have IPv6 configured (anymore) on my FW.


The file ends with:

#security.bsd.see_other_uids=0

But the audit is to see what changed, and the change is not a security issue, so no harm done. It'll fix itself anyway since the next OS update will overwrite it, and the only thing that really matters is that if you want "kern.corefile" to stick, you want to use the System: Settings: Tunables GUI.

About the connectivity issue: that was because "mimugmail" was down, and it should be back up now. IPv6/DNS are more likely than any repo not being available. It's impossible to tell from the health audit. That is what the connectivity audit is for.


Cheers,
Franco
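
Added example, not part of the thread and not OPNsense code: a small parser that pulls the altered-file entries out of a health audit like the one posted above, so each flagged path can be triaged with its two sizes and digests side by side. The function names are hypothetical, and the code assumes the first value of each pair is the recorded one and the second is what was found on disk.

```python
import hashlib
import re

# Sample copied from the audit output posted in this thread.
SAMPLE = """\
>>> Check for missing or altered base files
Error 2 ocurred.
etc/sysctl.conf:
   size (311, 345)
   sha256digest (0x8c57d647047d84b9be4cddbb0b6d58c1d5839f148b62d1137b8bf2611f681cfd, 0x06ec8255e5fdfb4ccaf2059bc0d12c92554e4ba8f92b9d4c51af74ba58ba00c9)
>>> Check installed repositories
SunnyValley
"""

SECTION = re.compile(r"^>>> Check for missing or altered (kernel|base) files$")
PATH = re.compile(r"^(\S.*):$")
ATTR = re.compile(r"^\s+(\w+) \((?:0x)?([^,]+), (?:0x)?([^)]+)\)\s*$")


def altered_files(audit_text):
    """Return {path: {attribute: (recorded, found)}} from the kernel/base file checks."""
    result, in_section, current = {}, False, None
    for line in audit_text.splitlines():
        if line.startswith(">>> "):
            # A new audit step begins; only the file-integrity steps are parsed.
            in_section, current = bool(SECTION.match(line)), None
            continue
        if not in_section:
            continue
        m = PATH.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return result


def matches_found(data, attrs):
    """True if `data` (file bytes) has the size and SHA-256 the audit found on disk.

    Assumption: index 1 of each pair is the on-disk value (see lead-in).
    """
    return (len(data) == int(attrs["size"][1])
            and hashlib.sha256(data).hexdigest() == attrs["sha256digest"][1])
```

`matches_found` is for confirming that a copy of the file being inspected is byte-for-byte the one the audit flagged before drawing conclusions from its contents.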

December 19, 2022, 03:53:43 PM #6 Last Edit: December 19, 2022, 04:21:21 PM by NW4FUN
Hi Franco,

I'm not entirely sure what kern.corefile does tbh. Where would I find that in Tunable?
I believe this was enabled by Jos from Deciso when I had throughput issues on my DEC3840 back in January...

For the record, the only values listed in Tunables which have values different from Default are:

dev.netmap.buf_num = 5000
hw.ibrs_disable = 1
net.inet.icmp.drop_redirect = 1
vm.pmap.pti = 0

Everything else states (default) as value.

What am I missing??



Not sure about support case. sysctl.conf would have been overwritten when base 22.7.9 was installed, which wasn't January, suggesting the change was rather recent, with 22.7.9 being not that old... :)

The tunables are fine. These are some things we recommend for our hardware.


Cheers,
Franco

Thing is it should have been overwritten by 22.7.10 too, but this is not the case.
If I manually delete that line, it keeps coming back after a short while.

I'm truly puzzled on why this is happening...

What would be the tunable generating that line and what does it actually do?

Quote from: NW4FUN on December 22, 2022, 09:25:51 PM
Thing is it should have been overwritten by 22.7.10 too, but this is not the case.
If I manually delete that line, it keeps coming back after a short while.

I'm truly puzzled on why this is happening...

What would be the tunable generating that line and what does it actually do?

Bump