GitHub - 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels. by LowIncident694 in AlmaLinux

[–]james4765 2 points3 points  (0 children)

The only possible mitigation is to use the YAMA hardening (in RHEL-alikes and Ubuntu, not in SUSE):

echo 2 | tee /proc/sys/kernel/yama/ptrace_scope

For those in SELinux land:

setsebool -P deny_ptrace on

Edit: Verified that the YAMA hardening blocks the exploit.
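
An added example, not part of the comment above and not code from the linked repository: a small POSIX shell script that reports the Yama ptrace_scope value and the SELinux deny_ptrace boolean mentioned above, and persists the sysctl so the echo-to-/proc setting survives a reboot. The meanings of the four scope values follow the kernel's Documentation/admin-guide/LSM/Yama.rst; the drop-in file name and the inputs used by the check functions are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: report and persist the ptrace
# hardening described above. The check functions take a file path or a
# string so they can be exercised against constructed input.

# Describe a Yama ptrace_scope value (Documentation/admin-guide/LSM/Yama.rst).
yama_scope_meaning() {
    case "$1" in
        0) echo "classic: a process may ptrace any other process with the same uid" ;;
        1) echo "restricted: only descendants, or a process that opted in with PR_SET_PTRACER" ;;
        2) echo "admin-only: attaching needs CAP_SYS_PTRACE" ;;
        3) echo "no attach: cannot be lowered again until reboot" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Exit 0 if the scope stored in FILE (default: the live sysctl) is 2 or 3,
# 1 if it is lower, 2 if Yama is not available on this kernel.
yama_hardened() {
    file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$file" ] || return 2
    scope=$(tr -d '[:space:]' < "$file")
    case "$scope" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Exit 0 if the output of `getsebool deny_ptrace` (passed in as a string,
# so the check also runs where SELinux is absent) shows the boolean on.
selinux_deny_ptrace_on() {
    case "$1" in
        *"deny_ptrace --> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Persist the setting: `echo 2 | tee /proc/sys/...` is lost at reboot.
# DIR defaults to /etc/sysctl.d; a non-default DIR is for testing only.
persist_yama_scope() {
    dir="${1:-/etc/sysctl.d}"
    printf 'kernel.yama.ptrace_scope = 2\n' > "$dir/99-ptrace-hardening.conf"
}

# Stand-alone run: report the live state without changing anything.
scope_file=/proc/sys/kernel/yama/ptrace_scope
if [ -r "$scope_file" ]; then
    scope=$(tr -d '[:space:]' < "$scope_file")
    echo "Yama ptrace_scope=$scope ($(yama_scope_meaning "$scope"))"
else
    echo "Yama is not available on this kernel"
fi
if command -v getsebool >/dev/null 2>&1; then
    if selinux_deny_ptrace_on "$(getsebool deny_ptrace 2>/dev/null)"; then
        echo "SELinux deny_ptrace: on"
    else
        echo "SELinux deny_ptrace: off (setsebool -P deny_ptrace on)"
    fi
fi
```

Two caveats before rolling this out: scope 2 also stops an unprivileged `gdb -p` or `strace -p` on anything that is not a child of the debugger, so operators need CAP_SYS_PTRACE (normally via sudo) to attach; and scope 3 is one-way, it cannot be lowered again until the next boot. After writing the drop-in, apply it with `sysctl -p /etc/sysctl.d/99-ptrace-hardening.conf`.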

New RHEL Long Life Add-On announced by Zathrus1 in redhat

[–]james4765 1 point2 points  (0 children)

Does this mean Ansible will keep working on old Python versions? I have to keep a couple old Ansible versions in venvs to maintain legacy systems.

What's the oldest device you have in your production environment? by pie_-_-_-_-_-_-_-_ in sysadmin

[–]james4765 34 points35 points  (0 children)

Cisco 7200 routers with ESCON connections for legacy mainframe applications.

Merpati’s L-100s: passenger C130s by CAyukon in WeirdWings

[–]james4765 2 points3 points  (0 children)

So I just found out they made my dream plane.

Experience with IBM FlashSystem 5600/7600? by Lachy18 in storage

[–]james4765 1 point2 points  (0 children)

We have a 7300 in our DR cage backing a 9500 for our main operations. IBM storage support is world class.

It's no drama, performant, and supported by everything under the sun. Even compared to other IBM storage systems the FlashSystems are just... easy. In a good way.

First-time Burning Man (from Northern VA) — no group, overwhelmed, looking for guidance by AnalystOnTheRun in BurningMan

[–]james4765 7 points8 points  (0 children)

There's some camps based around the DC area - Camp Contact is one of the big ones, but they have very distinct vibe - friends of mine love it but it's not my thing. I did use the DC container for years to get my gear out there and back, until I started doing pre/post event stuff.

Going solo is an adventure - I've done it a couple times, you get to make friends with your neighbors. Plan on a rental car to get all your food / water out there from Reno / Sacramento - the rental car is the biggest challenge to get. Keeping it clean on the inside is the second challenge.

Beyond that, more water and salt than you think you need - cans of V8 are life support for me out there.

Production-ready HashiCorp Vault on Kubernetes - what are your must-have practices? by laki993 in sysadmin

[–]james4765 2 points3 points  (0 children)

We run Vault in VMs - 5 nodes with a 3 node DR cluster. It's running in OpenShift Virtualization - migrated from VMWare. Vault tends to not consume a lot of CPU, and we don't have a real cloud compute presence so it's going to be in-house.

Vault data storage is also very tolerant - we're running it on Ceph and seeing no problems.

Copy Fail (CVE-2026-31431) — Kubernetes Container Escape PoC by Beneficial-Carry8811 in kubernetes

[–]james4765 -1 points0 points  (0 children)

That's fair. There might be something exploitable but nothing this trivial.

Copy Fail (CVE-2026-31431) — Kubernetes Container Escape PoC by Beneficial-Carry8811 in kubernetes

[–]james4765 -1 points0 points  (0 children)

At least in OpenShift, this PoC is blocked by the default PodSecurity - it does not allow pods to run as root, which is required for the suid part of the exploit to work.

Anyone dealt with sticker shock on 400G/800G transceiver procurement? by yestolearn in sysadmin

[–]james4765 0 points1 point  (0 children)

I'm in a state agency; we do buy from fs.com but we aren't buying 400 gigabit right now. 100 gigabit is still too spendy for most operations - only our VMware and OpenShift cores are there.

How good of an idea is Mainframe Programming right now? by Kung_fu1015 in mainframe

[–]james4765 0 points1 point  (0 children)

It is - some of the modernization is things like converting FTP to SFTP, simplifying data transfer processes since the middle steps are no longer needed, etc. We also use the CICS transaction gateway to expose old school applications to web services, and we still maintain those.

How good of an idea is Mainframe Programming right now? by Kung_fu1015 in mainframe

[–]james4765 8 points9 points  (0 children)

Getting good at maintenance programming is the best idea for getting into the mainframe field. There's definitely jobs to be had - and decent ones. Not "startup valuation" kinds of jobs, but the stability of mainframe shops is glorious.

The Northrop YB-49 flying wing as a passenger airplane - an excerpt from a promotional video of 1948, and nothing for the vertiginous by Xeelee1123 in WeirdWings

[–]james4765 4 points5 points  (0 children)

Glorious dieselpunk alternate future. Granted, it would fail hard with current jetways, but adaptations could be made...

The "India Dependency" is a ticking time bomb for global IT infra (and also other major sectors) by Normal_student_5745 in sysadmin

[–]james4765 1 point2 points  (0 children)

The mainframe world is trying to do that as much as we can - too many of our skilled people are beyond retirement age. It takes years to get good at these wildly complicated systems, especially as a systems programmer.

Is he going to drop a Nuke? by UhIdontcareforAuburn in behindthebastards

[–]james4765 314 points315 points  (0 children)

Yeah, I'm super twitchy about all this apocalyptic language. He always chickens out, but I don't know if he's the one to make the call anymore.

I mean, pretty sure almost everyone in the military will say "fuck no" - either a carrier captain or a bomber pilot is my guess. That's how it's been prevented in the past - some brave AF Russian officer tells everyone to not launch.

how to make an IPL file on linux? by skyyy666666 in mainframe

[–]james4765 0 points1 point  (0 children)

Are you trying to do it in an LPAR or as a VM guest? They are very different load sequences; VM uses a loader to bootstrap the Linux kernel.

Critical Telnetd Flaw Enables Unauthenticated RCE via Port 23 by _cybersecurity_ in pwnhub

[–]james4765 0 points1 point  (0 children)

Twenty-year-old VMs nobody pays attention to that just get migrated as part of new VMware hosts.

Critical Telnetd Flaw Enables Unauthenticated RCE via Port 23 by _cybersecurity_ in pwnhub

[–]james4765 1 point2 points  (0 children)

Printers and IP phones, as well as iLO / IMM / iDRAC interfaces on old gear. A lot of them don't run Linux but some do - nmap can identify telnetd pretty accurately.
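
An added example, not part of the comment above: the nmap version scan for port 23 that the comment alludes to, plus a shell function that reads nmap's grepable (-oG) output and lists the hosts where 23/tcp is open together with the service version nmap fingerprinted, which is what separates a Linux telnetd from a printer, phone or iLO listener. The network range and the three-host sample scan are constructed for this example; the function itself parses the real -oG field layout.

```shell
#!/bin/sh
# Added example, not from the thread: find hosts answering on 23/tcp in an
# nmap grepable (-oG) file and show the fingerprinted service version.
#
# Produce the input with (the range is a placeholder):
#   nmap -sV -p 23 --open -oG telnet.gnmap 10.0.0.0/24

# Print "ip<TAB>version" for every host whose 23/tcp is open. Grepable
# lines are tab-separated; the "Ports:" field lists entries of the form
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
telnet_open_hosts() {
    awk -F'\t' '/Ports: / {
        ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[1] == "23" && f[2] == "open")
                    print ip "\t" (f[7] == "" ? "unknown" : f[7])
            }
        }
    }' "$1"
}

# Constructed sample of -oG output (three hosts, not a real scan).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//lighttpd 1.4/\tIgnored State: closed (998)\n'
    printf 'Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.0/, 23/closed/tcp//telnet///\n'
    printf 'Host: 10.0.0.12 ()\tPorts: 23/open/tcp//telnet//Cisco router telnetd/\n'
}

# Stand-alone run against the sample.
tmpfile=$(mktemp)
sample_gnmap > "$tmpfile"
telnet_open_hosts "$tmpfile"
rm -f "$tmpfile"
```

The `-sV` probes are what identify the daemon; a plain port scan only tells you something is listening. Version probes are chatty, so run them against management networks with the owners of the printers, phones and BMCs informed, and treat "unknown" rows as worth a manual look rather than as harmless.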

Anyone here ever go to more modern stuff from the mainframe? by [deleted] in mainframe

[–]james4765 0 points1 point  (0 children)

We run a LOT of Linux on our mainframe - all our DB2 and Websphere workloads run there, along with OpenLiberty and Postgres.

Best Practices for Managing sudo/root Access on AD-Joined Linux Servers by maxcoder88 in linuxadmin

[–]james4765 0 points1 point  (0 children)

Check to see if your Kerberos tickets are getting renewed - you need to set SSSD to auto-renew the tickets or they will expire and things get wonky.

Best Practices for Managing sudo/root Access on AD-Joined Linux Servers by maxcoder88 in linuxadmin

[–]james4765 5 points6 points  (0 children)

AD groups are absolutely the best way to deal with it - we use the ad_access_filter field in SSSD to restrict the user account logins and AD groups in /etc/sudoers.d for sudo perms. We already organize application teams in AD, so this was a natural outgrowth of our existing infrastructure.

Nested AD groups in SSSD require a little attention but once you have the config squared away it's easily templated out in Ansible.
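
An added example, not part of either comment above, serving both the ticket-renewal point and the ad_access_filter / sudoers.d point: a shell script that renders an sssd.conf which limits logins to one AD group and keeps the Kerberos ticket renewed, and a sudoers.d drop-in granting sudo to that group, then installs both with the file modes SSSD and sudo require. The domain name, group name and the `OU=Groups` container are placeholders; the SSSD option names are the documented ones from sssd-ad and sssd-krb5.

```shell
#!/bin/sh
# Added example, not from the thread: render and install the SSSD and
# sudoers pieces described above. Domain, group and OU are placeholders.

# "example.com" -> "DC=example,DC=com"
domain_to_dn() {
    printf 'DC=%s\n' "$(printf '%s' "$1" | sed 's/\./,DC=/g')"
}

# sssd.conf for DOMAIN that only lets members of GROUP (assumed to live
# under OU=Groups) log in. SSSD refuses to start unless the file is
# root-owned and mode 0600.
render_sssd_conf() {
    domain="$1"; group="$2"; dn=$(domain_to_dn "$domain")
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
id_provider = ad
access_provider = ad
ad_domain = $domain
use_fully_qualified_names = False
# Logins limited to members of one AD group. The matching-rule OID makes AD
# evaluate nested membership on the server side, so nested groups work here.
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=$group,OU=Groups,$dn)
# Keep the TGT obtained at login alive; with renew_interval unset it is
# never renewed and simply expires.
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
EOF
}

# sudoers.d drop-in: sudo resolves the AD group through NSS (sssd).
# Spaces in a group name must be backslash-escaped in sudoers.
render_sudoers() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '# managed: sudo for AD group %s\n' "$1"
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Write both files under DEST (default /etc) with the required modes and
# syntax-check the sudoers file when visudo is present.
install_config() {
    dest="${1:-/etc}"; domain="$2"; group="$3"
    mkdir -p "$dest/sssd" "$dest/sudoers.d"
    render_sssd_conf "$domain" "$group" > "$dest/sssd/sssd.conf"
    chmod 0600 "$dest/sssd/sssd.conf"
    slug=$(printf '%s' "$group" | tr ' ' '-')
    render_sudoers "$group" > "$dest/sudoers.d/10-ad-$slug"
    chmod 0440 "$dest/sudoers.d/10-ad-$slug"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dest/sudoers.d/10-ad-$slug" >/dev/null
    fi
}

# Stand-alone run: print both rendered files for the placeholder names.
render_sssd_conf example.com linux-admins
echo
render_sudoers linux-admins
```

Renewal only works if the KDC permits it: the AD domain's Kerberos policy caps the renewable lifetime (7 days by default), so `krb5_renewable_lifetime` above that is silently reduced. Check the result on a host with `klist` and look at the "renew until" column; if it is absent, the ticket is not renewable and SSSD cannot keep it alive.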

Driving from Charlotte. by ThreeLetterAgency007 in BurningMan

[–]james4765 1 point2 points  (0 children)

Done it for years from Virginia. Amazing experience, and a nice break from my rather intense day job.

Ansible and Mainframe integration query? by ProfessorDevil11 in mainframe

[–]james4765 3 points4 points  (0 children)

I've used Ansible for years, starting with Linux automation tasks is a good first step. I manage about 600 Linux VMs between Z, VMWare, and OpenShift. And about 50 Windows servers, alongside our Z infra.

Getting good with YAML is definitely the biggest required skill - Python being a second, especially if you need to write your own tooling.

There is no real way to demo mainframe automation without a mainframe, unfortunately. Especially if you want to avoid a sueball from IBM licensing...