This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recover forgotten root password on CentOS 7

JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor
‎2019-09-26 05:16 PM

Change Note:

The attached script for changing passwords across all Netwitness hosts, has been updated due to changes in salt version in 11.4.

Synopsis

Normally resetting the root password is a simple task if you’re logged in already with root privileges, however if you forget the password and need to change it things become a little more difficult.

The process has changed from CentOS version 6 to 7,  (NetWitness 10.x to NetWitness 11.x) as previously you would boot into single user mode and then change the password as root. From version 7 the equivalent modes are the rescue or emergency targets, however these require the root password before you can do anything which doesn’t help us here, so this will take you through the new process to change the lost root password.

Procedure

This procedure will be completed in the console of the Linux system, either with KVM connected directly to the Host, or via the iDRAC console, so be sure that you have access to this prior to beginning.

  • If your system is currently running, reboot it (Either via the NetWitness UI, via iDRAC, or using the physical power switch on the host). If it is not yet running, start it up. At the boot menu, press the ‘e’ key to edit the first boot entry.

 pastedImage_4.png

  • If prompted for a Username/Passord for GRUB, Enter username and password : username- root / password- netwitness

         pastedImage_3.png

  • From the grub options, find the line that starts with “linux16” and go to the end of it. Enter ‘rd.break’ without quotes at the end of this line, as shown below.pastedImage_6.png
  • Press “Ctrl+x” to boot with these options. This will boot to the initramfs prompt with a root shell.pastedImage_8.png 
  • At this stage, the root file system is mounted in read only mode to /sysroot and must be remounted with read/write (rw) permissions in order for us to actually make any changes. This is done with the ‘mount -o remount,rw /sysroot’ command.pastedImage_9.png
  • Once the file system has been remounted, change into a chroot jail so that /sysroot is used as the root of the file system. This is required so that any further commands we run will be in regards to /sysroot. This is done by running ‘chroot /sysroot’.pastedImage_10.png
  • From here the root password can be reset with the ‘passwd’ command.pastedImage_11.png
  • You can now reboot, enter ‘exit’ command twice, the first one will exit the chroot jail environment while the second will exit the initramfs root shell and reboot the system.pastedImage_12.png
  • Once the reboot has completed you will be able to use the root account with your newly set password.

 

Summary

As shown we can reset the root password in Linux CentOS/RHEL 7 by booting with the ‘rd.break’ option, remounting the file system with read/write privileges, creating a chroot jail, and executing the passwd command

When your system has booted back up you’ll be able to use the new root password.

Addendum

Replicate the new password across all hosts in the NetWitness 11.x environment

If the forgotten password was used across ALL hosts in your NetWitness 11.x environment, you only need to complete the above process on the NW Server (node-zero), then you can run the attached shell script to update the password on ALL hosts via salt.

  • Copy the script to the NW Server
  • Rename to nw-pwchange11.sh
  • Make the script executable
  • Run the script fro the "root" user:
    • ./nw-pwchange11.sh root
      • you will be prompted for to enter the new password twice, it will verify minimum length (default=9) and special character use is compliant with NetWitness
      • then will generate a new shadow password hash and push it to all other hosts for that acct.
nw-pwchange11.txt.zip
Labels:
nw-pwchange11.txt.zip
© 2022 RSA Security LLC or its affiliates. All rights reserved.