8 August, 2017

How to get a report of Computers needing Approved Updates from WSUS using PowerShell

For some reason, Microsoft didn't include a predefined report in WSUS that lists the computers still needing Approved updates... which is kinda useful for reporting/tracking purposes.

So here's a quick PowerShell to do it.

$report = @{}

# Load the WSUS administration assembly and connect (server name, use SSL, port)
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("wsussvr", $False, 8530)

# Restrict the computer scope to the target group(s) whose name matches "Workstations"
$computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -match "Workstations" } |
    ForEach-Object { [void]$computerScope.ComputerTargetGroups.Add($_) }

# Only updates approved for install that are not yet fully installed
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.UpdateApprovalActions = [Microsoft.UpdateServices.Administration.UpdateApprovalActions]::Install
$updateScope.IncludedInstallationStates = @('Downloaded', 'Failed', 'InstalledPendingReboot', 'NotInstalled')
# TextNotIncludes holds a single string, so assigning it twice would keep only the
# second value; exclude one title server-side and filter the other by title below
$updateScope.TextNotIncludes = 'Feature update to Windows 10 Pro'
$excludeTitle = 'Definition Update for Windows Defender'

foreach ($computer in $wsus.GetComputerTargets($computerScope)) {
    $key = $computer.FullDomainName
    $computer.GetUpdateInstallationInfoPerUpdate($updateScope) | ForEach-Object {
        $title = $_.GetUpdate().Title
        if ($title -like "*$excludeTitle*") { return }   # skip this update, continue with the next
        if ($report.ContainsKey($key)) {
            $report[$key] += 1
            #$report[$key] += $title
        } else {
            $report[$key] = 1
            #$report[$key] = @($title)
        }
    }
}

$report
$report.Count
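The script above gives a count per computer. For tracking, a per-computer list of the outstanding titles and the inverse view (which approved update is still missing on the most machines) is usually what gets asked for. The following is an added example, not part of the original post: it assumes the $wsus, $computerScope and $updateScope objects from the script above and the IUpdate / IComputerTarget / IUpdateInstallationInfo property names as I know them from the WSUS API (FullDomainName, LastReportedStatusTime, Title, KnowledgebaseArticles, UpdateInstallationState). The summary function is pure, so it is shown running over constructed sample records; the last two commented lines feed it from a live server.

```powershell
# Added example (not the original post's code). Collects one record per
# computer/update pair from WSUS, then summarises by computer and by update.
# Assumes the $wsus, $computerScope and $updateScope objects from the post.

function Get-WsusPendingRecords {
    param(
        [Parameter(Mandatory)] $Wsus,
        [Parameter(Mandatory)] $ComputerScope,
        [Parameter(Mandatory)] $UpdateScope
    )
    foreach ($computer in $Wsus.GetComputerTargets($ComputerScope)) {
        foreach ($info in $computer.GetUpdateInstallationInfoPerUpdate($UpdateScope)) {
            $update = $info.GetUpdate()
            [pscustomobject]@{
                Computer     = $computer.FullDomainName
                LastReported = $computer.LastReportedStatusTime
                Title        = $update.Title
                KB           = ($update.KnowledgebaseArticles -join ';')
                State        = $info.UpdateInstallationState
            }
        }
    }
}

function ConvertTo-PendingSummary {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Per computer: how many approved updates are outstanding, how many failed, which titles
    $byComputer = $Records | Group-Object Computer | ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Pending  = $_.Count
            Failed   = @($_.Group | Where-Object State -eq 'Failed').Count
            Titles   = ($_.Group.Title | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Pending -Descending
    # Per update: how many computers still need it (the inverse view)
    $byUpdate = $Records | Group-Object Title | ForEach-Object {
        [pscustomobject]@{ Title = $_.Name; Computers = $_.Count }
    } | Sort-Object Computers -Descending
    [pscustomobject]@{ ByComputer = $byComputer; ByUpdate = $byUpdate }
}

# Constructed sample records, so the summary can be tried without a WSUS server
$sample = @(
    [pscustomobject]@{ Computer = 'pc1.example.local'; Title = '2017-08 Cumulative Update'; State = 'NotInstalled' }
    [pscustomobject]@{ Computer = 'pc1.example.local'; Title = 'Security Update for .NET';  State = 'Failed' }
    [pscustomobject]@{ Computer = 'pc2.example.local'; Title = '2017-08 Cumulative Update'; State = 'Downloaded' }
)
$summary = ConvertTo-PendingSummary -Records $sample
$summary.ByComputer | Format-Table -AutoSize   # outstanding/failed counts and titles per computer
$summary.ByUpdate   | Format-Table -AutoSize   # computers still needing each update

# Against the real server, replace $sample with live records and export both views:
# $live = Get-WsusPendingRecords -Wsus $wsus -ComputerScope $computerScope -UpdateScope $updateScope
# $live | Export-Csv C:\Reports\wsus-pending.csv -NoTypeInformation
```

Keeping the collection and the summary in separate functions means the summary can be re-run over a saved CSV later without touching WSUS again, which is handy when comparing week-to-week.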
8 August, 2017

How to remove users from AD groups using PowerShell

I recently cleaned up permissions on our AD, and found that working methodically through the Department/Company attributes first paid dividends in removing extraneous groups that users had access to:

$group = 'GroupToBeCleaned'
# Get-ADGroupMember can also return nested groups and computers, which Get-ADUser
# rejects, so keep users only; request just the attribute we filter on
$users = Get-ADGroupMember $group |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Company |
    Where-Object { $_.Company -like "*Contractor*" }
foreach ($user in $users) {
    # add -WhatIf to preview the removals before running for real
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}
10 January, 2017

PulseSecure Client on Fedora 25

Just installed the PulseSecure 5.2R6 client on Fedora 25; while it isn't officially supported (support is only for fc23), it works well, and as all the dependencies are in the Fedora repo, you don't have to do any dodgy downloads (like you do with the officially supported fc23...).

This will only give you VPN access to a PCS appliance using their proprietary SSL VPN; it doesn't support IPsec connections, so you'll still need to patch vpnc for that.

sudo rpm -Uvh ps-pulse-linux-5.2r6.0-b977-centos-rhel-installer.rpm
sudo dnf install -y glibc.i686 nss.i686 zlib.i686 glib-networking.i686 \
  webkitgtk.i686 xulrunner.i686 libproxy.i686 libproxy-mozjs \
  libproxy-gnome.i686 webkitgtk3.i686
sudo ln -s /usr/local/pulse/libpulseui.so /usr/lib/libpulseui.so

After that, the Pulse UI client is available in GNOME; just add the details and you're away.

3 August, 2015

Android Stagefright: Exchange PowerShell Snippets

So, this Stagefright thing sounds bad. We'll obviously know more later this week about how bad it is. If you're a BYOD-happy organisation, right now you need to know how your organisation will be affected: how many Androids do you have, what versions, etc., and then what steps you'll need to take to remotely wipe/quarantine/block devices. And you don't want to be spending all night doing it. PowerShell to the rescue!

First, create an export directory, and assign Full Control permissions to the Exchange Trusted Subsystem group - I've used D:\ExchangeExport in these examples. Next, get a list of all your Android devices:

# A line may not begin with '|' in Windows PowerShell, so the pipes go at line ends.
# '-match ""' matches every string, so the second test is an explicit empty-OS check.
Get-MobileDevice |
    Where-Object { $_.DeviceOs -like "*Android*" -or [string]::IsNullOrEmpty($_.DeviceOs) } |
    Export-Csv -Path D:\ExchangeExport\android.csv -NoTypeInformation

Some devices don't provide a DeviceOs, and devices migrated from Exchange 2010 to 2013 sometimes have an empty DeviceOs string, so you'll have to check those by hand. Next, get their last sync time (to find devices that haven't been seen in a while) with:

Get-MobileDevice |
    Where-Object { $_.DeviceOs -like "*Android*" -or [string]::IsNullOrEmpty($_.DeviceOs) } |
    ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity } |
    Export-Csv -Path D:\ExchangeExport\android-stats.csv -NoTypeInformation
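Once the stats CSV exists, the questions from the intro (how many Androids, which versions, which ones have gone quiet) can be answered offline from the export. The following is an added example and not part of the original post: it assumes the column names Get-MobileDeviceStatistics emits (DeviceID, DeviceType, DeviceOS, LastSuccessSync), the sample rows are constructed, and the 30-day staleness cut-off is just a parameter to tune.

```powershell
# Added example (not from the original post): triage the exported device
# statistics. Counts Android devices by major.minor OS version, lists those
# not synced within $StaleDays, and separates devices with a blank DeviceOS
# so they can be checked by hand.

function Get-AndroidTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Stats,
        [int] $StaleDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $android = $Stats | Where-Object { $_.DeviceOS -like 'Android*' }
    # "Android 4.4.2" -> "4.4"; anything that does not parse is grouped as "unknown"
    $byVersion = $android | Group-Object {
        if ($_.DeviceOS -match 'Android\s+(\d+\.\d+)') { $Matches[1] } else { 'unknown' }
    } | Sort-Object Name | Select-Object @{ n = 'Version'; e = { $_.Name } }, Count
    # Never synced, or last synced before the cut-off
    $stale = $android | Where-Object {
        -not $_.LastSuccessSync -or
        ([datetime]$_.LastSuccessSync) -lt $Now.AddDays(-$StaleDays)
    } | Select-Object DeviceID, DeviceOS, LastSuccessSync
    $noOs = $Stats | Where-Object { [string]::IsNullOrWhiteSpace($_.DeviceOS) }
    [pscustomobject]@{ ByVersion = $byVersion; Stale = $stale; NoDeviceOs = $noOs }
}

# Constructed sample in the shape of the Export-Csv output (subset of columns)
$csv = @'
"DeviceID","DeviceType","DeviceOS","LastSuccessSync"
"ABC123","Android","Android 4.4.2","2015-08-02 09:15:00"
"DEF456","Android","Android 5.0.1","2015-06-01 18:40:00"
"GHI789","Android","Android 4.4.4","2015-08-01 07:05:00"
"JKL012","SAMSUNGSMG900F","",""
"MNO345","iPhone","iOS 8.4 12H143","2015-08-03 06:00:00"
'@
$stats  = $csv | ConvertFrom-Csv
$triage = Get-AndroidTriage -Stats $stats -StaleDays 30 -Now ([datetime]'2015-08-03')

$triage.ByVersion  | Format-Table -AutoSize   # devices per Android major.minor version
$triage.Stale      | Format-Table -AutoSize   # Androids not synced in the last 30 days
$triage.NoDeviceOs | Format-Table -AutoSize   # blank DeviceOS, to be identified manually

# With the real export: $stats = Import-Csv D:\ExchangeExport\android-stats.csv
```

The stale list is the one to act on first: a device that has not synced in weeks will not receive a remote wipe or policy change until it next connects, so those are the ActiveSync partnerships worth blocking rather than waiting on.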
21 September, 2014

Juniper SRX Dynamic VPN with Fedora 20

Update 2014-12-02: I've updated the below process for vpnc-0.5.3-svn550, which hit Fedora 20 a few weeks ago and will be present in Fedora 21.

Hot on the heels of the work I've done with Ubuntu, I've also done the same for Fedora 20 vpnc...

sudo yum install rpm-build libgcrypt-devel gnutls-devel gtk3-devel dbus-devel NetworkManager-devel \
 NetworkManager-glib-devel intltool libgnome-keyring-devel perl-LWP-Protocol-https perl-Data-UUID -y

yumdownloader --source vpnc
yumdownloader --source NetworkManager-vpnc

rpm -Uvh vpnc-0.5.3-21.svn550.fc20.src.rpm
rpm -Uvh NetworkManager-vpnc-0.9.8.2-3.fc20.src.rpm

cd ~/rpmbuild

curl https://gist.githubusercontent.com/jlaundry/0c9f32176924c7486762/raw/631c0ac68c611ed7ba519252bf769f75466cbd25/build.patch > build.patch
#curl https://github.com/ndpgroup/vpnc/commit/8f005fefbc8713535d59f95e3abee8a45b05399a.patch \
# > SOURCES/vpnc-0.5.3-juniper.patch
curl https://gist.githubusercontent.com/jlaundry/e54c6a152eafd7c2bb97/raw/707286377f01d66b066ddaaa36e5c57784134af8/vpnc-0.5.3-juniper.patch \
 > SOURCES/vpnc-0.5.3-juniper.patch
curl https://gist.githubusercontent.com/jlaundry/036ed1719a4dda561fc2/raw/224bf3f605fac6a6df191cfe14cdad95d7400830/NetworkManager-vpnc-0.9.8.2-juniper.patch \
 > SOURCES/NetworkManager-vpnc-0.9.8.2-juniper.patch

patch -p1 < build.patch

rpmbuild -ba SPECS/vpnc.spec
rpmbuild -ba SPECS/NetworkManager-vpnc.spec

sudo rpm -Uvh RPMS/x86_64/vpnc-0.5.3-20.svn550.juniper.fc20.x86_64.rpm
sudo rpm -Uvh RPMS/x86_64/NetworkManager-vpnc-*juniper*
21 September, 2014

Juniper SRX Dynamic VPN with vpnc Ubuntu 13.10

Pretty simple really; we use Juniper SRXes (running Junos 11.4) with Dynamic VPN at work, and I use an Ubuntu laptop. All the patches to make vpnc work with the SRX are available, but for some reason haven’t made it into official source yet…

Step 1: Patch vpnc

apt-get source vpnc
sudo apt-get build-dep vpnc
wget https://github.com/ndpgroup/vpnc/commit/8f005fefbc8713535d59f95e3abee8a45b05399a.patch
cd vpnc-0.5.3r512
patch < ../8f005fefbc8713535d59f95e3abee8a45b05399a.patch
dpkg-buildpackage -rfakeroot -uc -b
sudo dpkg -i ../vpnc_0.5.3r512-2ubuntu1_amd64.deb

Step 2: Patch network-manager-vpnc, because it’s not Ubuntu if it’s not a GUI! 😉

I’ve adapted the patch for NetworkManager 0.9.8.2 from the 0.9.4.0 version found here.

apt-get source network-manager-vpnc
sudo apt-get build-dep network-manager-vpnc
wget https://gist.githubusercontent.com/jlaundry/cbf79311bc46fcf6c626/raw/f142f086032c66b19fb182c2933ced139271275f/network-manager-vpnc_0.9.6.0-0ubuntu2-juniper.patch
cd network-manager-vpnc-0.9.8.2
# apply from inside the source tree, using the filename wget saved the patch under
patch < ../network-manager-vpnc_0.9.6.0-0ubuntu2-juniper.patch
dpkg-buildpackage -rfakeroot -uc -b
sudo dpkg -i ../network-manager-vpnc-gnome_0.9.8.2-1ubuntu1_amd64.deb

Step 3: Create a NetworkManager script

wget https://raw.github.com/ndpgroup/juniper-srx-linux/master/jam-config
chmod u+x jam-config
./jam-config addr vpn.example.com user joe pass joespwd | sudo tee /etc/NetworkManager/system-connections/MyVPN

Finally, reboot your machine to flush out the old, non-Juniper-friendly NetworkManager, and you’re away!

8 September, 2014

Junos 12.1X44 Dynamic VPN with FreeRADIUS

One of the features Juniper added to the SRX Dynamic VPN starting with Junos 12.1X44 is the ability to set the VPN client group via RADIUS (eliminating the need to specify the client username).

What Juniper don’t tell you is how to do it: with the Juniper-Local-Group-Name VSA (vendor 2636, attribute 46). So, after some trial and error, here’s how:

Step 1: Configure the access profile and create the Dynamic VPN client group:

set security dynamic-vpn clients dynclient-testing remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients dynclient-testing remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients dynclient-testing ipsec-vpn vpn-dynamic
set security dynamic-vpn clients dynclient-testing user-groups dynvpn_testing

Step 2: Add the following line to /usr/share/freeradius/dictionary.juniper:

ATTRIBUTE   Juniper-Local-Group-Name        46  string

Step 3: Assign the user the group through /etc/raddb/users (or however you do it):

testuser    Cleartext-Password := "Testing123"
            Juniper-Local-Group-Name = dynvpn_testing

And… well, test!

3 June, 2013

Nikon 35mm f1.8 Back-focus

So I recently noticed my 35mm was back-focusing, and as my D90 doesn't have the fancy on-camera calibration options that later models do, I had the lens sent away for repair.

All I had to do was print off a focus test chart from here (unfortunately the original has disappeared off the face of the web, but the archive to the rescue!), take a couple of test shots at various apertures, and mail it off to get fixed. One month later, the lens is back.

Below is a comparison at f1.8 before (right) and after (left) the repair... definitely worth having done!

[Image: comparison]

Big thanks to the awesome people at Snapshot!

21 August, 2012

OCR a scanned PDF with Tesseract

Simple really: I wanted to OCR a scanned PDF, then embed the output text back into the PDF so that I can search. Surprisingly, an application for this doesn't already exist, so here's my script:

#!/bin/sh
# Usage: ./ocr.sh scanned.pdf   (edits the PDF in place; a .bak copy is kept)

cp "$1" "$1.bak"

# Page count from pdftk's metadata dump (POSIX sed has no \d, so use [0-9])
pages=$(pdftk "$1" dump_data | grep NumberOfPages | sed -E 's/.*: ([0-9]+)/\1/')

for i in $(seq 1 "$pages"); do
        # rasterise page i at 600 dpi (ImageMagick page indices start at 0)
        convert -monochrome -density 600 "$1[$((i - 1))]" "page$i.tif"
        # tesseract writes the recognised text to output.txt
        tesseract "page$i.tif" output -l eng
        # attach the text to the matching page of the PDF
        pdftk "$1" attach_files output.txt to_page "$i" output "$1.new"
        mv "$1.new" "$1"
        rm output.txt "page$i.tif"
done
10 October, 2011

Aladdin eToken on Ubuntu 11.10 (oneiric ocelot) amd64

Update: In my mad rush to get everything working, I completely missed that 8.1 was released, which adds native 64-bitness. Apart from linking /usr/lib64/libeToken.so to /usr/lib/libeToken.so.8, there are no hacks required anymore! Yay! I've just installed the oneiric release candidate. And I like the changes. And I like that with a little tweaking, my eToken still works! I did a bare-metal install, as I've now upgraded to SSD. So, I've updated my tutorial to match.

  1. Install 11.10 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied, and it ships with i386 binaries that just happen to work on amd64. So you'll need to prep your x86_64 system with i386 goodness, by using sudo apt-get install ia32-libs libhal1 opensc pcscd

    • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet's user guide. If you don't, you'll see things pop up in /var/log/syslog like: pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
  2. You'll need the 32-bit libpcsclite1 and libhal1. Simply run:

wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/h/hal/libhal1_0.5.14-0ubuntu6_i386.deb
dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
dpkg -x libhal1_0.5.14-0ubuntu6_i386.deb libhal1-i386
sudo cp libpcsclite1-i386/lib/libpcsclite.so.1.0.0 /lib32
sudo cp libhal1-i386/usr/lib/libhal.so.1.0.0 /usr/lib32
sudo ln -s /usr/lib32/libhal.so.1.0.0 /usr/lib32/libhal.so.1
sudo ln -s /lib32/libpcsclite.so.1.0.0 /lib32/libpcsclite.so.1
  3. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with:
sudo dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb

Note: if you've got this working before, you'll notice that in 11.10 they've moved from /usr/lib being a link to /usr/lib64 to being its own directory; the result being the new location of /usr/lib64/libeTPkcs11.so for your PKCS11 applications. So there you go. If you add /usr/lib64/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken. For a quick verification, run

pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L

and you should see your eToken.