SysAdmin Technology

Subnetting and CIDR, a Pain in the Ass Worth Knowing

When it comes to networking, CIDR and subnetting are not something I’m particularly good or fast at because I haven’t bothered to memorize the most popular subnets – things like /22, and blah. I was taught to work it out in binary, which is a pain in the ass, but correct. So because I tend to not memorize things I can work out, it fell into that category in my head, and has just never stuck. I do absolutely understand the concepts though.

I had a telephone interview with Google years ago where they asked me how many usable IP addresses there were in a certain subnet. I think I looked at the ceiling for a second, gave a hmmm, and just guessed an answer – it felt like the pressure was on providing a fast answer off the top of my head rather than a worked-out one, which was the wrong approach and a mistake. I was ill-prepared for that whole interview anyway and at the very least I should have had a pen and paper with me so I could walk through the process, which I do know. Or perhaps I only know it now because of that experience.

Either way, the point is that subnetting is methodical; whether you can spit subnet ranges off the top of your head or work them out with a binary calculator doesn’t matter. Just be right. Or know how to find it on the Internet. And be sure to know how it works so you can prove you’re right when people say you’re wrong – I regularly bump heads with network engineers who’ve never managed to comprehend the underlying composition of subnets, hosts and subnet masks, and then I have to try to very diplomatically teach them one of the basics of their profession. The Wikipedia page is most of what you need.
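For the "how many usable addresses" question, here is the binary method worked out in code. This is an added example, not code from the original post: it packs the address into 32 bits, builds the mask as prefix ones followed by zeros, and derives everything else from those two integers, so each step can be checked by hand against the /22 case.

```python
# Added example: CIDR arithmetic done bit by bit, without the ipaddress module,
# so every intermediate value can be verified on paper.


def dotted(value: int) -> str:
    """Render a 32-bit integer as dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary(value: int) -> str:
    """Render a 32-bit integer as four groups of eight bits."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def cidr_info(cidr: str) -> dict:
    """Work out network, mask, broadcast, host range and usable hosts for a CIDR block."""
    addr, prefix_str = cidr.strip().split("/")
    prefix = int(prefix_str)
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets) or not 0 <= prefix <= 32:
        raise ValueError(f"not a valid IPv4 CIDR block: {cidr!r}")

    ip = 0
    for octet in octets:  # pack the four octets into one 32-bit integer
        ip = (ip << 8) | octet

    mask = ((1 << prefix) - 1) << (32 - prefix)  # `prefix` ones, then zeros
    network = ip & mask                          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    total = 1 << (32 - prefix)

    # A /32 is a single host and a /31 (RFC 3021) uses both addresses on a
    # point-to-point link; every wider block loses network and broadcast.
    usable = total if prefix >= 31 else total - 2
    first = network + 1 if prefix <= 30 else network
    last = broadcast - 1 if prefix <= 30 else broadcast

    return {
        "network": dotted(network),
        "netmask": dotted(mask),
        "netmask_bits": binary(mask),
        "broadcast": dotted(broadcast),
        "first_host": dotted(first),
        "last_host": dotted(last),
        "total_addresses": total,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    for block in ("10.20.33.7/22", "192.168.1.4/31", "172.16.0.1/32"):
        info = cidr_info(block)
        print(block, "->", info["network"], info["netmask_bits"], "usable:", info["usable_hosts"])
```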

Computing SysAdmin Technology Web

April 2017 Browser Tab Round-Up

Reducing latency spikes by tuning the CPU scheduler

GoTTY – Share Your Linux Terminal (TTY) as a Web Application

New Draft NIST standards for password management

“Verifiers SHOULD NOT impose other composition rules (e.g., mixtures of different character types) on memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.”

SysAdmin Technology

On Exachk, ICMP Validations, and Updates via Proxy

Oracle Exadata’s Exachk script has a validation which prevents it from auto-updating if your system does not have direct ICMP access to This is stupid, as most Exadata machines are not going to have that kind of exposure to the Internet at large. Yes, they will be firewalled, and so, no, ping will not work.
The fix is to find the line containing #Validation1: URL host reachable or not and comment out or remove the return 33 lines below that (i.e. invalidate the check by commenting it out).
The Exachk script will then bypass the ping test and continue with wget or curl to retrieve the latest version of itself for install.
Be sure to have set both the http_proxy and https_proxy environment variables to an appropriate value, or the download will still not work. ( should be accessed over https).
I don’t know who thought a ping validation was a good idea. It’s not.

Security SysAdmin

On Successful Deployment of Access Management Solutions

I have seen many access control/identity/privilege management projects fail miserably because of an unstructured approach to implementation by Corporate Governance. A tool is bought and implementation attempted with no engagement with or buy-in from the technical people who will have to surmount the inconveniences of the tool when it misbehaves at 3AM on a Sunday morning.

The correct approach is to engage those who know the systems best – System Administrators, DBAs and application teams. In that order. Management sign-off comes last.
At the very least the engagement should cover the following:
1) Explain the tool and what it does
2) Outline the project goals
3) Identify what is considered implementation success
4) Describe the flow of network traffic and control, provide network diagrams so techies can understand the firewalls and routing involved
5) Offer training and make known the third-level support options for System Administrators
6) List safety mechanisms for when the network fails or the server goes down so that we can still manage the systems the tool manages
7) Choose a subset of systems for testing and verify that the tests succeeded

If you don’t at least cover those points, you will not get the Sysadmin team on board. If you can’t get the administrators behind you, your tool will never properly enhance your security posture, and you’ve wasted a whole lot of money.


On Log Files and Output Files

If your script generates saved readable output, the target file is known as a log file and should be named with a “.log” suffix.
If you run a script interactively and want to temporarily capture the output that is sent to the terminal, use a “.out” suffix (if you like).
But please, for the love of the Flying Spaghetti Monster, don’t send scripted logging output to a file with a “.out” suffix.