Skip to content

Latest commit

 

History

History
697 lines (579 loc) · 40.9 KB

endpoint-admin-notes.md

File metadata and controls

697 lines (579 loc) · 40.9 KB

Some Endpoint Admin Notes

If you need to open lots of Terminals at the same time in order to do your job

How does this happen? Maybe you need to support or administer multiple hosts, or maybe you need to routinely execute long-running commands. In either use case, having a way to open multiple separate terminal instances within a single terminal window manager or physical terminal is a common way to satisfy your needs.
screen and tmux are a couple of the most popular tools for opening and managing multiple terminals from a single terminal session.
Here are some useful screen and tmux resources:

Understand the hardware that you are dealing with

inxi is a command line system information tool that can be as targeted or as comprehensive as is needed. See: https://github.com/smxi/inxi and the documentation at: https://smxi.org/docs/inxi-installation.htm
On an Ubuntu 20.04 endpoint, I needed to install the inxi application and a collection of recommended utilities to squeeze out a full description of the hardware and setup...

sudo apt-get install --no-install-recommends inxi  

sudo apt-get install --no-install-recommends hddtemp ipmitool freeipmi-tools lm-sensors smartmontools glxinfo mesa-utils wmctrl libcpanel-json-xs-perl libjson-xs-perl libxml-dumper-perl hddtemp

Then get an overview of the hardware with inxi -F and a more comprehensive view with inxi -v8

Don't forget that Microsoft PowerShell runs on Linux

https://github.com/PowerShell/PowerShell
Binary packages are available for some distributions, and documentation for a range of distributions is available. You can also install PowerShell from the Snap store:

sudo snap install powershell --classic

Then use pwsh to open PowerShell.

Set your timesource to a credible reference

Use the NTP protocol.
In the U.S., the global address time.nist.gov is resolved to all of the server addresses listed in the first table at https://tf.nist.gov/tf-cgi/servers.cgi in a round-robin sequence to equalize the load across all of the servers. Outside North America, see the list of time source maintainers here. It is a bad practice to "hard-code" a particular server name or IP address into an endpoint as this infrastructure incorporates maintenance and evolves... Also, never query a server more frequently than once every 4 seconds because systems that exceed this rate will be refused service by NIST and possibly be identified as a DoS source.
Do not use the ancient and expensive "TIME" (port 37) or "DAYTIME" (port 13) protocols.

Developers who want to expose their applications on their endpoint to the Internet

First, this idea may not be appropriate for any of your developers. Exposing developer endpoints to inbound Internet traffic necessarily involves risks -- and under many circumstances, business-inappropriate risks.
If you must do this, consider ngrok: ngrok is a globally distributed reverse proxy fronting your web services running on a given endpoint, or in any cloud or private network. Paid ngrok has additional features that support its promotion as "the programmable network edge that adds connectivity, security, and observability to your apps with no code changes." Pay attention to the details of every request. The free version may not be suitable for your business, your local environment, or your regulators/investors/customers.

Booting a PC from a USB drive

Many PCs have a configuration screen to select the boot drive/media.
It is often accessed by pressing a key while powering on the PC. See a nearby file for some Vendor / Key combinations in this repository.

How to set up an SSD with the Raspberry Pi 4 (or almost any other Debian-based Linux endpoint)

By {The Pi Hut](https://thepihut.com/blogs/raspberry-pi-tutorials/how-to-set-up-an-ssd-with-the-raspberry-pi). You bought a new SSD and a USB3-to-SSD adapter cable and need to get it all set up... If this was a new drive, in order to use it the SSD needs to have partition tables and partitions created, and these need to be 'mounted.' This highly illustrated article takes you through the detailed steps for getting that external SSD set up for use.

Backup with rsync

rsync synchronizes sets of files.
Backup to a local destination file system:

rsync -a ~/sourcefiles/ ~/destinationfiles/

or
Backup to a remote destination file system:

rsync -a ~/sourcefiles/ <user>@<host>:destinationfiles/

The -a preserves timestamps, file ownerships, permissions and recursive scanning. The trailing slash means to copy the contents of the source directory, but not the directory name itself.
rsync compares the files in the source and destination and then copies only those source files that are missing or different from the destination.
Add --delete option if you also need to remove destination files when they are no longer on the source.

Use https://crontab-generator.org/ to help get your crontab entries perfect...
To save time and storage space, see https://github.com/basnijholt/rsync-time-machine.py "a Python port of the rsync-time-backup script, offering Time Machine-style backups using rsync. It creates incremental backups of files and directories to the destination of your choice. The backups are structured in a way that makes it easy to recover any file at any point in time."

Use find to help copy collections of files

Copy all the files in a given directory (source_directory) to a different target directory (target_directory).

find source_directory -type f -exec cp {} target_directory \;

If you are concerned about duplicate file names, one approach is to add a -i to the copy command. That will tell the cp command to stop and prompt you for input before overwriting any files:

find source_directory -type f -exec cp -i {} target_directory \;

Use find to help move collections of files

This approach deals with duplicates by including a description of the directory tree in each file name by replacing the '/' character with an alternative that is appropriate for file names (in this example, the dash '-' character)

find source_directory -type f | while read F; do mv "$F" "target_directory/${F//\//-}" done

Use find to execute command on files

Delete files that have not been modified in the last 30 days:

$ find ~/tmp -type f -mtime +30 -exec rm {} +

Delete files that have not been accessed in the last 30 days:

$ find ~/tmp -type f -atime +30 -exec rm {} +

NOTE: Some home directories are mounted with the noatime directive to speed up file usage.

Delete files larger than 100MB:

$ find ~/tmp -type f -size +100M -exec rm {} +

Use find to delete all files in a directory structure

$ find /home/<username>/directory/start/deletes/here -delete

Use find to identify all files in your home directory that are newer than ""

$ find ~ -type f -newer <filename>

Use find to identify all files having a given filename pattern in your home directory that are newer than ""

In this case, identify only those files with names matching the pattern -name "*.md".

$ find ~ -name "*.md" -type f -newer <filename>

Securely Delete Files

Endpoints accumulate non-public data. At some point you will need to securely erase that data. If you still use traditional hard drives (that have spinning disks), tools like shred, wipe, srm (secure-delete) should work well.

shred -zvu -n 5 <filename>

Then confirm your work:

hexdump < <filename>

You might also use BleachBit to clean up as well: https://www.bleachbit.org/download/linux
Or better, see: https://securityinabox.org/en/files/destroy-sensitive-information/

A collection of one-liners

https://github.com/jlevy/the-art-of-command-line#one-liners
And The Art of Command Line from the same author: https://github.com/jlevy/the-art-of-command-line

If you use Solid State Drives (SSDs) (standard in modern computers), USB thumb drives, or SD cards/flash memory cards do not use the approach described above. Secure deletion on SSD storage media is a challenge because they use wear leveling, a technology that attempts to spread data evenly across all of the media so that any one part of that storage will not be overwritten too many times -- so that the storage device will last longer. Wear leveling interferes with secure erase programs, which deliberately try to overwrite sensitive files with junk data in order to permanently erase them. As a result, it is better to use full-disk encryption. Encryption avoids the difficulty of secure erasing by making any file on the drive difficult to recover without the required secret.

For more on this topic and about digital security more broadly, you might review: https://icorn.org/digital-security

What Application is Using Given Ports

If an application barks about not being able to use port NN (for example port 80 or 443), use the following to identify if the port is already owned by another application.

sudo ss -tlpn | grep -E ":(80|443)"

Based on a blog

If that gives some evidence that an application is using a given TCP port, but leaves the root problem dangling, then we might need to see the network traffic... One approach is to 'listen' to the network interface that should be receiving that traffic. One of the most portable ways to approach this task is with tcpdump. See:

Some Simple Linux Troubleshooting Reminders

I have been adding some simple Linux troubleshooting reminders to a different file in this repo. See: https://github.com/mccright/rand-notes/blob/master/Simple-Linux-Troubleshooting.md

Some Flexible Linux Live Distributions

  • Fedora Live: Fedora Xfce Desktop is implemented to be fast and lightweight. It is shipped as a live operating system. It includes everything you need to try out Fedora's Xfce Desktop. You don't have to erase anything on your current system to try it out, and it won't put your existing files at risk. You can have the boot copy all files to RAM first so that it runs very fast using the rd.live.ram=1 boot parameter (press the TAB key at the grub boot menu). If you like it after a test drive, you can install it to a local hard drive from the Live Media desktop. https://spins.fedoraproject.org/xfce/

  • Lubuntu: Lubuntu is a fast and lightweight Ubuntu based operating system using the minimal desktop LXQT and a selection of light applications. Lubuntu has very low hardware requirements. That said, it makes a lean platform on which to build a fast development endpoint. https://lubuntu.me/

    • NOTE: Starting with Ubuntu 22.04 some legacy behaviors have changed. When you customize audio playback options using Audio Playback Devices (for example, using the speakers on a non-default HDMI display), the configuration is changed back to defaults after the endpoint system returns from being in sleep mode. Use pavucontrol (install the pavucontrol-qt package) to set the default and fallback audio outputs, and they will remain as you expect with legacy expectations. [this fix was explained by Neil Bothwick in the December 2022 Linux Format, page 11]

  • SysLinuxOS: SysLinuxOS is a specialized Linux operating system for those in infrastructure roles and is currently based on Debian 11 bullseye and a modern kernel (kernel 5.16-amd64 on 2022-09-03). It comes with a large, broad spectrum of applications and utilities installed that would support many categories of infrastructure, maintenance, and collaboration work. There are two versions, one using the Mate desktop and the other using Gnome. https://syslinuxos.com

When Your AppImage-Delivered Application Does Not Work

Some applications are delivered via AppImage. This can be a benefit, as you can be more confident that all the application dependencies are present and correct. Unfortunately, just downloading the AppImage file may not be all that you need to do...
In my experience, it can save you some time to verify that the .AppImage file is executable.
ls -al <appName>.AppImage
If it is not, set it so:
chmod +x <appName>.AppImage
See also, "Updating your menu manually" section below if your issue is that a given AppImage-delivered application is not available in your menu...

Install a Given Flatpack-Packaged Application

Assume -- for this example -- what we need Flatpak because that is how Github Desktop is distributed.

  1. Install Flatpak (once)
    sudo apt install flatpak -y
    Then, before you proceed, reboot your system, or else you will have issues such as applications icons not appearing.
    reboot
  2. Enable Flatpack using the following command in your terminal (once).
    ``sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo ```
  3. Now install Github Desktop with the following flatpak command:
    flatpak install flathub io.github.shiftey.Desktop -y
    You can launch GitHub Desktop with:
    flatpak run io.github.shiftey.Desktop
    Or use your menu:
    Activities > Show Applications > Github Desktop
  4. Periodically, update/upgrade Github Desktop
    For Flatpak, run the following command to check in your terminal for upgrades.
    flatpak update
    See also, "Updating your menu manually" section below if your issue is that a given Flatpack-delivered application is not available in your menu...

Updating your menu manually

System-wide desktop configuration files are in /usr/share/applications/. User desktop configuration files are in $HOME/.local/share/applications. Check there for a .desktop file associated with the one you want to appear in the menu. ToDo: Explain how to fix it, or to create a new one...

Writing and Reading Bootable USB Drives

My Host has Hundreds of Processes Running. What the hell?

It is common for Linux hosts to run a lot of processes. ps and top may help, but their ability to visualize what is going on is limited.
One tool that has helped me better understand some of what is going on is pscircle.
Another tool that gets positive reviews is bpytop, resource monitor that shows usage and stats for processor, memory, disks, network and processes.

Some Mobile Device Endpoint Notes

  • When you have a business or social visitor who needs Internet access via your WiFi... This situation can appear as part of a large number of use cases. Even when you have a dedicated visitor SSID set up, getting your visitor's phone or tablet configured requires sharing one or more secrets -- which is not ideal. Most of us don't have easy-to-use one-time-password systems available for these situations, so sharing secrets can involve some material risks. The simple act of having eyes-friendly passwords laying around, or voicing WiFi connection secrets to those who need them, increases the likelihood of leakage. One simple way to reduce (not to eliminate) some of those risks is to have the mobile endpoint configuration details coded into a QR code. They are not very eyes-friendly, but still require careful handling throughout their lifecycle.
    The Linux utility "qrencode" is one way to generate QR code for your mobile endpoint WiFi configuration details. For example:
user@host:~/QR$qrencode -s 9 -l H -o "<QRcodeFileName>.png" "WIFI:S:<theTargetSSID>;T:WPA2;P:<thePassword>;;"

Replace <theTargetSSID> with your visitor SSID and <thePassword> with your visitor WiFi password, and name the file something that does not give away the secrets. When the mobile endpoint WiFi configuration details are needed, bring up the <QRcodeFileName>.png file in your browser and have the visitor scan the QR code on your screen with their mobile device. Use this idea only in the "access to visitor/guest WiFi networks. This approach is NOT risk-appropriate for providing access to high security networks.
Related References On This Topic:
"5 Best Ways to Generate QR Codes Using the PyQRCode Module in Python." March 8, 2024 by Emily Rosemary Collins
Create QR Codes with PyQRCode: https://pythonhosted.org/PyQRCode/create.html
Some history and background information about QRcodes: https://www.qr-code-generator.com/qr-code-marketing/qr-codes-basics/ and https://www.qrcode.com/en/history/
Short overview of QRcode types: https://www.qrcode.com/en/codes/
https://pythonhosted.org/PyQRCode/moddoc.html

Questions about what "Office Suite" of applications to use

Over time, users will ask about options for full-featured word processor & spreadsheet applications. I believe that LibreOffice is an excellent response for broad swaths of user groups. LibreOffice is compatible with other major office suites. LibreOffice includes:

  • "Writer" a word processor,
  • "Calc" a powerful spreadsheet,
  • "Impress" for creating presentations,
  • "Draw" for diagrams and 2D/3D illustrations,
  • "Base" to deal with databases,
  • "Math" to create mathematical equations,
  • "Charts" to create and embed charts within your documents.
    Why LibreOffice? LibreOffice is free and open source software. It is a successor to OpenOffice which had its last major update in early 2014. LibreOffice has more than ten years of OpenOffice source code cleanup with the addition of mature, formal, manual and automated functionality and security testing. It adds many extra features and improved "Microsoft Office" compatibility, has regular releases with security updates, and is released for desktop, mobile and cloud environments.

If you support Windows endpoints as well:

If you are just starting in this role

...you might start with PowerShell 101
And "Deep Dives"
And a collection of sample scripts for system administration

Some Windows Endpoint Notes

  • See what is installed:
    List apps for all users:
    Get-AppxProvisionedPackage -Online | Select-Object DisplayName | Format-Table -HideTableHeaders
    List apps for all users and remove all Microsoft apps from the list:
    Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName | Select-String -Pattern 'Microsoft' -NotMatch
    List apps for all users and present only apps from a specified vendor in the list (example 'Lenovo'):
    Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName | Select-String -Pattern 'lenovo'
    List apps for the current user:
    Get-AppxPackage | Select-Object Name | Format-Table -HideTableHeaders
    List apps for the current user and remove all Microsoft apps from the list:
    Get-AppxPackage | Select-Object Name, Publisher | Select-String -Pattern 'Microsoft' -NotMatch
    List apps for the current user and present only apps from a specified vendor in the list (example 'Lenovo'):
    Get-AppxPackage | Select-Object Name, Publisher | Select-String -Pattern 'lenovo'

Some Windows Event Messages for Monitoring -- Some Resources That Help You Search For What You Need:

Some scripts to (help) set up a clean Windows 10/11 endpoint:

List the local Windows users:

`Get-LocalUser`

Searching for user details in Active Directory using PowerShell

  • If you know the login name: All the details that you are permitted to see
    $user="\<userName\>"
    Get-ADUser -Identity $user -Properties *
  • If you only know the email address: All the details that you are permitted to see
    $emailAddr="<Email_Address\>"
    Get-ADUser -Filter {EmailAddress -eq $emailAddr} -Properties *
  • If you want to know information about the manager of a given user
    $user="\<userName\>"
    $mgrcn = Get-ADUser -Identity $user -Properties Manager | Select-Object -Property Manager
    $mgrcnstr = $mgrcn.Manager
    Get-ADUser -Filter {DistinguishedName -eq $mgrcnstr} -Properties DisplayName,UserPrincipalName,whenCreated,CanonicalName,City,LastLogonDate,mobile,MobilePhone,EmailAddress

List all the Windows Domain Controllers and Sites within a given Domain

At a command prompt:
c:\windows\system32\nltest.exe /DCLIST:<domainName>

Simple way to temporarily bypass PowerShell execution policy

  • From the run dialog (or command prompt) just execute “powershell –ExecutionPolicy Bypass” and it will start a PowerShell session that allows for running scripts and keeps the lowered permissions isolated to just the current running process.
    C:\> powershell –ExecutionPolicy Bypass [command] [parameters]

Now some temporary notes on monitoring my UPS:

APC UPS Monitoring -- apcupsd

Manual:

apcupsd is the background daemon, and also includes a command line utility, "apcupsd", that allows you to send some commands to the UPS.
apcaccess is an additional utility that comes bundled with apcupsd, and is used to display current status information about the UPS.
apctest is an additional utility that comes bundled with apcupsd, and is used to modify the on-board EEPROM settings for the UPS itself.
The configuration file is /etc/apcupsd/apcupsd.conf
The following commands start and enable apcupsd so that it will restart after reboots.

# systemctl start apcupsd ; systemctl enable apcupsd

Another console-based client is powerflute that can be used to monitor the UPS status continuously.

Try using lsusb:

root@proxmox01:/proc/bus# lsusb
[...]
Bus 003 Device 007: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
[...]

It’s also found using udev (per the apcupsd documentation - maybe I shouldn’t be quite so rude about it):

root@proxmox01:/proc/bus# udevadm info --attribute-walk --name=/dev/usb/hiddev0
[...]
  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3/3-2':
    KERNELS=="3-2"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ...
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="American Power Conversion"
    ATTRS{removable}=="removable"
    ATTRS{idProduct}=="0002"
    ATTRS{bDeviceClass}=="00"
    ATTRS{product}=="Back-UPS CS 650 FW:817.v9.I USB FW:v9"

it’s also there under usb-devices:

root@proxmox01:/proc/bus# usb-devices
[...]
T:  Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  7 Spd=1.5 MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=051d ProdID=0002 Rev=00.06
S:  Manufacturer=American Power Conversion
S:  Product=Back-UPS CS 650 FW:817.v9.I USB FW:v9
S:  SerialNumber=4B1517P07342
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
[...]

Try to start the daemon

$ sudo service apcupsd start
* Starting UPS monitor (for Network UPS) apcupsd    [ OK ]
* Starting UPS monitor (for Server UPS) apcupsd     [ OK ]
...sudo systemctl restart apcupsd.service

Check daemon status

$ service apcupsd status
* UPS monitor (for Network UPS) is running
* UPS monitor (for Server UPS) is running

The following commands start and enable apcupsd so that it will restart after reboots.

systemctl start apcupsd ; systemctl enable apcupsd

apctest

apctest is a program that allows you to talk directly to your UPS and run certain low-level tests, adjust various settings such as the battery installation date and alarm behavior, and perform a battery runtime calibration.
apcupsd must be run at startup time, when the operating system services are loaded: in fact, apcupsd is just another OS service.

apcupsd's main init script file is installed in:

/sbin/init.d/apcupsd

This script is responsible for starting up apcupsd during system startup and shutting down apcupsd during system shutdown. It is also symbolically linked to these paths:

/sbin/init.d/rc2.d/K20apcupsd
/sbin/init.d/rc2.d/S20apcupsd
/sbin/init.d/rc3.d/K20apcupsd
/sbin/init.d/rc3.d/S20apcupsd

They are present only on runlevel 2 and 3 because apcupsd is run only in multiuser runlevels; that means runlevel 2 or 3 on SuSE Linux OS.

To be able to shutdown the computer properly on power failures, apcupsd relies on its own service script located in:

/etc/apcupsd/apccontrol

and on a patched halt script. When apcupsd detects a situation that needs an emergency shutdown, it first creates two files called /etc/nologin and /etc/apcupsd/powerfail.

...

apcupsd Configuration

Before running apcupsd it is necessary to configure the dæmon to work as needed with the local hardware configuration and the desired behavior. In a standard installation, the configuration file is in:

 /etc/apcupsd/apcupsd.conf

This file is a plain ASCII file that contains all the configuration directives needed by apcupsd.

The directives must be properly configured before apcupsd can operate correctly. With these directives you specify the kind of cable, the model of UPS connected to the computer, the device where the UPS is connected, how to operate on power failures, logging options and much more.

Stand-Alone Configuration

A typical stand-alone configuration includes a computer and a UPS connected to its serial port.

Listing 2 shows a configuration file for a stand-alone SmartUPS connected to the first serial port of the computer. On power failure, apcupsd will shut down the computer when the battery level falls below 5% of full charge or the UPS remaining run-time falls below three minutes, whichever happens first. apcupsd will send messages to user consoles every five minutes sending the first message one minute after the power failure occurs. apcupsd will not disallow user logins during a power failure. UPS events are logged in /etc/apcupsd/apcupsd.events. The UPS status can be read from our CGI interface or from /etc/apcupsd/apcupsd.status, which is updated every minute.

If, for example, you want to write your own routine for the on-battery action, you can write your own shell script, as shown in Listing 5, called onbattery and put it in the /etc/apcupsd/ directory. Doing so will run the customized script before the default action. In case you don't want the default action to be taken, terminate your customized script with an exit code of 99. If you want to write customized scripts to replace the default behavior, you are encouraged to edit the apccontrol script and at least mimic its behavior in your own script. Please be aware that writing faulty scripts may cause your system to crash during power failures.

"apcassess status"

To ease UPS monitoring, apcupsd offers a number of client facilities. As mentioned above, apcaccess is the main client tool for monitoring UPS status. Example apcaccess output is in Listing 6 below.

Listing 2. Configuration File for a Stand-alone SmartUPS

(Example config files:

## apcupsd.conf v1.1 ##
#
# ========= General configuration parameters ============
#
# defines the type of cable that you have.
UPSCABLE smart
#
# defines the type of UPS you have.
UPSTYPE smartups
#
# name of your serial port
DEVICE /dev/ttyS0
#
# path for serial port lock file
LOCKFILE /var/lock
#
# ===== configuration parameters used
# during power failures =============
#
# If during a power failure, the remaining battery
# percentage (as reported by the UPS) is below or
# equal to BATTERYLEVEL,
# apcupsd will initiate a system shutdown.
BATTERYLEVEL 5
#
# If during a power failure, the remaining runtime
# in minutes (as calculated internally by the UPS)
# is below or equal to MINUTES,
# apcupsd, will initiate a system shutdown.
MINUTES 3
#
# If during a power failure, the UPS has run on
# batteries for TIMEOUT many seconds or longer,
# apcupsd will initiate a system shutdown.
# A value of 0 disables this timer.
TIMEOUT 0
#
# Time in seconds between annoying users to signoff
# prior to system shutdown. 0 disables.
ANNOY 300
#
# Initial delay after power failure before warning
# users to get off the system.
ANNOYDELAY 60
#
# The condition which determines when users are
# prevented from logging in during a power failure.
NOLOGON disable
#
#==== Configuration statements the network
# information server======================
#
# information server. If netstatus is on, a network
# information server process will be started for
# serving the STATUS and EVENT data over the network
# (used by CGI programs).
NETSERVER on
#
# port to use for sending STATUS and EVENTS data
# over the network. It is not used unless NETSERVER
# is on. If you change this port, you will need to
# change the corresponding value in the
# cgi directory and rebuild the cgi programs.
SERVERPORT 7000
#
# If you want the last few EVENTS to be available
# over the network by the network information server,
# you must define an EVENTSFILE.
# Only the last 50 or so events are kept.
EVENTSFILE /etc/apcupsd/apcupsd.events
#
# ===== Configuration statements to control
# apcupsd system logging ==============
#
# Time interval in seconds between writing the
# STATUS file; 0 disables
STATTIME 60
#
# Location of STATUS file (written to only if
# STATTIME is nonzero)
STATFILE /etc/apcupsd/apcupsd.status
#
# You probably do not want this on.
LOGSTATS off
#
# Time interval in seconds between writing the DATA
# records to the log file. 0 disables.
DATATIME 0
#
# ===== Configuration statements used if sharing ====
# a UPS and controlling it via the network
#
# normally stand-alone unless you share a UPS with
# multiple machines.
UPSCLASS standalone
#
# Unless you want to share the UPS
# (power multiple machines).
# this should be disable
UPSMODE disable
#
# NETACCESS <string> [ true | false ]
# Enable Network Access Support
NETACCESS true

Table 3. Arguments apccontrol Recognizes

Keyword—Default Action

powerout -- `wall' a message telling `There are power problems'.
onbattery -- `wall' a message telling `System is on battery'.
failing -- `wall' a message telling `Battery power is failing'.
timeout -- `wall' a message telling `Timeout on Battery reached'.
loadlimit -- `wall' a message telling `Battery load limit reached'.
runlimit -- `wall' a message telling `Battery runtime limit reached'.
doreboot -- Begins the `shutdown--r' sequence.
doshutdown -- Begins the `shutdown--h' sequence.
mainsback -- Attempt to cancel a running `shutdown' sequence.
annoyme -- `wall' a message telling `Power problems, logoff now'.
emergency -- Begins an emergency `shutdown' sequence.
changeme -- `wall' a message telling `Battery failed, change them now'.
remotedown -- Begins the `shutdown' sequence, called from remote.
restartme -- Attempt to restart the apcupsd.

Listing 5. /ect/apcupsd/onbattery

#!/bin/sh
#
# This shell script if placed in /etc/apcupsd
# will be called by /etc/apcupsd/apccontrol when the UPS
# goes on batteries.  We send an e-mail message to root
# to notify him.
#
SYSADMIN=root
MAIL="bin/mail"
HOSTNAME=`hostname`
#
echo "HOSTNAME Power Failure" >/tmp/$$
echo " " >>/tmp/$$
/sbin/apcaccess status 2>>/tmp/$$
cat /tmp/$$ | $MAIL -s "HOSTNAME Power Failure !!!" $SYSADMIN
exit 0

Listing 6. Output of “apcassess status”

APC      : 001,048,1088
DATE     : Fri Dec 03 16:49:24 EST 1999
HOSTNAME : daughter
RELEASE  : 3.7.2
CABLE    : APC Cable 940-0024C
MODEL    : APC Smart-UPS 600
UPSMODE  : Stand-alone
UPSNAME  : SU600
LINEV    : 122.1 Volts
MAXLINEV : 123.3 Volts
MINLINEV : 122.1 Volts
LINEFREQ : 60.0 Hz
OUTPUTV  : 122.1 Volts
LOADPCT  :  32.7 Percent Load Capacity
BATTV    : 26.6 Volts
BCHARGE  : 095.0 Percent
MBATTCHG : 15 Percent
TIMELEFT :  19.0 Minutes
MINTIMEL : 3 Minutes
SENSE    : Medium
DWAKE    : 000 Seconds
DSHUTD   : 020 Seconds
LOTRANS  : 106.0 Volts
HITRANS  : 129.0 Volts
RETPCT   : 010.0 Percent
STATFLAG : 0x08 Status Flag
STATUS   : ONLINE
ITEMP    : 34.6 C Internal
ALARMDEL : Low Battery
LASTXFER : Unacceptable Utility Voltage Change
SELFTEST : NO
STESTI   : 336
DLOWBATT : 05 Minutes
DIPSW    : 0x00 Dip Switch
REG1     : N/A
REG2     : N/A
REG3     : 0x00 Register 3
MANDATE  : 03/30/95
SERIALNO : 13035861
BATTDATE : 05/05/98
NOMOUTV  : 115.0
NOMBATTV :  24.0
HUMIDITY : N/A
AMBTEMP  : N/A
EXTBATTS : N/A
BADBATTS : N/A
FIRMWARE : N/A
APCMODEL : 6TD
END APC  : Fri Dec 03 16:49:25 EST 1999