00:07.52 | z00dax | spams everyone on the facebook group |
00:08.31 | DiscordianUK | ? |
00:15.43 | wethrin | z00dax: Reckon it'll get people in? |
00:17.13 | *** join/#gllug nixofortune_1 (n=egor@87.127.26.43) |
00:24.34 | *** join/#gllug Leeds (n=richardc@n219078221168.netvigator.com) |
00:50.56 | *** join/#gllug Discordian (n=ch@89.240.95.67) |
01:36.08 | *** join/#gllug les (n=celesteh@host86-147-24-31.range86-147.btcentralplus.com) |
01:57.12 | *** join/#gllug rhowe (n=rhowe@2002:4e20:3f1b:0:0:0:0:1) |
02:58.49 | *** join/#gllug Leeds (n=richardc@www.scorefive.com) |
06:29.08 | *** join/#gllug DiscordianUK (n=ch@78.144.173.243) |
08:21.05 | AndyMillar | mornin |
08:21.24 | DiscordianUK | morning on this chilly day |
08:26.19 | AndyMillar | it is pretty chilly |
08:26.42 | Leeds | http://tinyurl.com/yk6kux7 - when you can't get your hands on a sword... |
08:33.57 | *** join/#gllug Discordian (n=ch@78.144.173.243) |
09:07.47 | ChoHag_ | Mmmm. Clarity in documentation - When specifying the mode, the value can be a quoted string, eg "644". For a numeric value, it should be 5 digits, eg "00644" |
09:39.39 | Mohan | Morning |
09:54.37 | *** join/#gllug jpds (n=jpds@ubuntu/member/jpds) |
09:57.24 | z00dax | wethrin: not sure, at least it gets the msg out there that stuff is happening |
10:31.35 | *** join/#gllug morsing (i=morsing@emil.morsing.cc) |
10:31.40 | morsing | Anyone used auditing? |
10:31.45 | *** join/#gllug Blapto (n=martin@72.29.67.3) |
10:31.51 | morsing | Blapto: |
10:31.54 | morsing | Blapto! |
10:31.59 | Blapto | morsing: |
10:32.00 | Blapto | morsing! |
10:32.23 | morsing | Blapto: How's the kids? |
10:33.04 | Blapto | I'm not sure. I don't think I have any. |
10:33.32 | morsing | :( |
10:33.33 | ChoHag_ | Well aren't you in for a surprise. |
10:33.34 | morsing | Poor you |
10:33.58 | morsing | Blapto: Why does auditd log stuff even though there's no rules defined? |
10:34.07 | Blapto | morsing: it's a promiscuous hussy. |
10:34.18 | morsing | ... |
10:34.50 | Blapto | I've no idea. |
10:34.55 | Blapto | I don't use auditd |
10:34.57 | z00dax | morsing: is it logging selinux stuff ? |
10:35.02 | Blapto | And the guy here who was RHCE has left. |
10:35.03 | morsing | No |
10:35.19 | morsing | Blapto: I don't blame him, it's a hostile environment |
10:35.30 | Blapto | Agreed |
10:36.01 | z00dax | specially with random kids around |
10:37.25 | Blapto | random or arbitrary? |
10:37.51 | morsing | Blapto: Where do you work? |
10:37.56 | Blapto | Ticketmaster |
10:38.12 | morsing | Blapto: How did you achieve PCI compliancy without setting up auditing? |
10:38.35 | Blapto | We syslog off the important stuff in /var/log |
10:38.38 | Blapto | And we syslog shells |
10:38.48 | Blapto | And we have scripts which go through those and look for unusual stuff. |
10:38.49 | morsing | Blapto: You have a shell control box? |
10:38.59 | ChoHag_ | Blapto: That sounds exceptionally noisy. |
10:39.01 | Blapto | jumpbox? No, people SSH directly to the server they work on. |
10:39.08 | morsing | PCI does call for auditing stuff although they might be lenient |
10:39.25 | Blapto | ChoHag_: It was to start with, but with some rules in place it's fine. |
10:39.42 | morsing | Blapto: Yes, but through a transparent shell control box, surely, as Unix can log shell stuff securely |
10:40.02 | Blapto | Well, you could do that |
10:40.03 | Blapto | We don't |
10:40.03 | morsing | Blapto: Also, PCI:DSS doesn't allow ssh'ing directly onto the box |
10:40.10 | Blapto | Yes it does. |
10:40.15 | Blapto | It doesn't allow direct console access. |
10:40.19 | Blapto | Which is probably what you're thinking of. |
10:40.30 | morsing | Not without making their PCs compliant, which is impossible |
10:40.49 | Blapto | Well, no it isn't. |
10:40.50 | morsing | Blapto: You cannot have people sshing from their laptops in... |
10:40.57 | Blapto | And no, you don't really have to. |
10:41.01 | Blapto | What requirement is that? |
10:42.11 | Blapto | You could argue that they're on the same network and therefore in the cardholder data environment, but in our case we're not on the same network, we're separated by a VPN and a firewall. |
10:46.17 | morsing | "The PCI DSS security requirements apply to all system components. 'System components' are defined as any network component, server, or |
10:46.20 | morsing | application that is included in or connected to the cardholder data environment." |
10:46.42 | morsing | "The effect of this is that |
10:46.42 | morsing | A) Any server, router, firewall, switch, pc, application, etc that processes, stores or transmits card data falls into the CDE. |
10:46.46 | morsing | B) Where a network is not segmented this can mean that the entire network environment must be PCI compliant. |
10:46.49 | morsing | C) Where sufficient segmentation exists, through the use of firewalls and other technologies, then the CDE can be limited. |
10:46.51 | morsing | D) Any device which connects to any device within the CDE is in scope for PCI DSS, but is not necessarily part of the CDE. |
10:46.54 | morsing | " |
10:47.24 | *** join/#gllug DiscordianUK (n=ch@78.144.173.243) |
10:47.27 | morsing | D would fail your setup for sure |
10:47.27 | Alex | la la la la la la la la la la la pci dss la la la la. |
10:48.40 | morsing | Anyway, can anyone answer my auditing question? |
10:50.09 | antiphase | You essentially need a segregated network for machines which store or handle cardholder data, and 2 factor authentication for access to them, of which a bastion host counts as one |
10:50.10 | Blapto | morsing: D doesn't mean it has to answer all requirements |
10:50.18 | morsing | Yes, it does |
10:50.23 | Blapto | No, it doesn't |
10:50.25 | morsing | Yes, it does |
10:50.27 | antiphase | If you don't segregate your PCI-compliant network, your entire network will come into scope |
10:50.29 | morsing | 10:48 < morsing> Anyway, can anyone answer my auditing question? |
10:50.38 | Blapto | A lot of the requirements only apply to servers and devices in the CDE. |
10:51.03 | morsing | Blapto: Yes, but PCI:DSS still applies to your laptop if you SSH in |
10:51.32 | Blapto | Yes, but only the requirements which aren't CDE specific. |
10:51.32 | Alex | to be fair, who the sshes in direct to production hosts, rather than via a trusted host? |
10:51.42 | morsing | Blapto: *sigh* well, *obviously* |
10:51.44 | Blapto | Alex: most people. |
10:51.48 | Blapto | morsing: yes, not all requirements |
10:51.58 | morsing | Blapto: No, not in proper companies |
10:52.02 | ChoHag_ | Most people who like their boxes being screwed. |
10:52.04 | morsing | Blapto: *sigh* |
10:52.04 | antiphase | Most people don't unless they have shit for brains |
10:52.05 | Blapto | morsing: yes, really, they do. |
10:52.07 | morsing | 10:48 < morsing> Anyway, can anyone answer my auditing question? |
10:52.23 | Blapto | Apparently not. |
10:52.31 | Blapto | have you tried reading the man page? |
10:52.33 | Alex | morsing: Truss audit executable, see if it's loading some file that you don't know about 'cause rhel has screwed around with package? |
10:52.54 | ChoHag_ | Anyway it's not hard to run ssh through a socks proxy on a bastion box. |
10:52.58 | morsing | Alex: auditctl -l says "No rules" |
10:53.05 | ChoHag_ | Where said socks proxy is itself created by ssh. |
10:53.06 | Alex | Also, something massively more important. Some gobshoite in front of me is whistling. |
10:53.11 | Alex | How do I most effectively kill this person? |
10:53.23 | Blapto | Alex: normally you'd politely ask them to stop. |
10:53.30 | Alex | Blapto: That wasn't my question |
10:53.32 | ChoHag | Alex: With poison. |
11:02.07 | wethrin | Poison dart to the back of the neck |
11:22.32 | morsing | How do I get auditd to log stuff done to any file? |
11:26.11 | antiphase | man auditd.conf |
11:27.52 | morsing | antiphase: Not there |
11:28.40 | antiphase | Your question was inspecific |
11:29.01 | morsing | No, it wasn't |
11:29.27 | Alex | I don't think 'inspecific' is a word. |
11:29.50 | morsing | Looks like it can't be done. How useless |
11:30.14 | antiphase | "log stuff done to any file" can mean at least 2 things |
11:31.28 | wethrin | (log stuff done) to any file |
11:31.32 | wethrin | log stuff (done to any file) |
11:31.55 | antiphase | Gold star |
11:32.12 | morsing | wethrin: 10.2.7 in PCI:DSS |
11:32.27 | morsing | antiphase: And you know what I mean |
11:32.28 | wethrin | That's nice. |
11:33.18 | morsing | Also 10.2.2 |
11:33.57 | wethrin | (not having to care)++ |
11:33.58 | morsing | Linux sucks once again |
11:34.14 | DiscordianUK | No it doesn't |
11:34.24 | morsing | DiscordianUK: Tell me how to do it, then? |
11:34.46 | wethrin | http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html |
11:34.48 | DiscordianUK | antiphase has already referred you to the man page |
11:34.53 | antiphase | Use AIX and realise there's no way of doing it at all, which you can tell your "customer" |
11:34.55 | morsing | DiscordianUK: Idiot |
11:35.06 | morsing | antiphase: Quite easy in AIX |
11:35.11 | DiscordianUK | Dullard |
11:35.22 | wethrin | actually, the man page for auditd doesn't give the necessary information for that task |
11:35.22 | morsing | wethrin: That's *one file* |
11:35.57 | morsing | audit on Linux can't even log new files created... |
11:36.09 | morsing | Absolutely useless |
11:36.19 | wethrin | http://www.ibm.com/developerworks/linux/library/l-ubuntu-inotify/index.html?ca=drs- |
11:36.49 | morsing | There's also something called aide I found, but haven't looked at it |
11:37.03 | DiscordianUK | aide is like tripwire |
11:37.16 | morsing | right |
11:37.17 | hali | you can log any syscall, i.e. open |
11:37.57 | DiscordianUK | and there's fam which works with inotify |
11:37.57 | morsing | hali: Oh, yes, good point |
11:37.57 | morsing | It might be under syscall auditing |
11:38.02 | hali | that will give you *loads* of entries though |
11:38.04 | wethrin | ah yes. It's fam I couldn't remember the name of |
11:38.09 | wethrin | hali: grep is your friend :) |
11:38.39 | hali | syslog-ng and filter out the noise |
11:39.38 | morsing | hali: Well, don't want to log 'open' but whatever creates or deletes files |
11:39.45 | morsing | And some other stuff |
11:39.51 | hali | create is an open() |
11:40.03 | morsing | Ok, silly |
11:40.06 | morsing | hmm |
11:40.21 | hali | rm is probably unlink or unlinkat |
11:40.44 | morsing | yeah |
11:41.35 | morsing | There's a link syscall |
11:41.39 | morsing | http://www.digilife.be/quickreferences/QRC/LINUX%20System%20Call%20Quick%20Reference.pdf |
11:41.53 | morsing | Oh, and 'create' |
11:41.58 | morsing | Oh, this should work |
11:50.58 | morsing | antiphase: Where's bilarh? |
11:51.30 | bilarh | how the f is he supposed to know? |
11:51.36 | morsing | bilarh! |
11:51.48 | morsing | He's your flatmate? |
11:52.38 | *** join/#gllug hali (n=hampus@emma.dnsdrift.net) |
12:11.45 | ChoHag | What shall I have for lunch? |
12:11.58 | antiphase | Branes |
12:12.41 | ChoHag | I am not a zombie. |
12:32.06 | *** join/#gllug dick_turpin (n=dick_tur@host217-34-163-30.in-addr.btopenworld.com) |
12:32.54 | morsing | dick_turpin! |
12:33.00 | morsing | hali! |
12:33.17 | dick_turpin | morsing: Ooh ello there |
12:34.32 | morsing | dick_turpin: What did you have for lunch? |
12:35.33 | dick_turpin | morsing: antiphase's hopes and aspirations |
12:35.47 | morsing | Nice |
12:38.17 | wethrin | dick_turpin: I see you've been trolling Gllug again! |
12:38.35 | dick_turpin | wethrin: Mwahahaha |
12:39.21 | dick_turpin | wethrin: It's because I'm having a particularly heavy period this month |
12:39.31 | wethrin | BTW, your post is wrong. It's *next* year that's the year of Linux on the desktop |
12:39.38 | wethrin | Not "Is this year...." |
12:42.03 | dick_turpin | wethrin: Funk Off |
12:42.52 | morsing | Beer |
12:42.59 | morsing | wethrin: Where's VegiVamp? |
12:43.00 | wethrin | Heh |
12:43.51 | wethrin | I'm always amusing when people say 'standards-compliant browser', and then talk about Firefox |
12:44.01 | hali | damn that was a nice wrap... east end wrap with salt beef and english mustard :P |
12:45.50 | wethrin | s/amusing/amused/ |
12:47.11 | dick_turpin | wethrin: Erm it was me dragged FF up but I was using that as an example. TBH the original post I responded to was just pure MS FUD anyway |
12:47.22 | AndyMillar | everyone should use elinks |
12:47.26 | morsing | Where do you get pallets and what do they cost? |
12:47.53 | wethrin | dick_turpin: It's not just you :) |
12:48.14 | wethrin | idly points out that Chrome and Safari pass the ACID3 test |
12:48.22 | wethrin | and Opera |
12:49.14 | wethrin | morsing: I assume you've googled 'pallets', and looked at what's come up? |
12:49.26 | morsing | Googled? |
12:50.04 | wethrin | http://lmgtfy.com/?q=pallets |
12:50.22 | morsing | wethrin: Stop being rude |
12:51.03 | wethrin | then look at the sponsored links |
12:51.11 | morsing | No prices |
12:51.24 | wethrin | phone them and ask |
12:51.29 | morsing | No - you do it |
12:51.32 | wethrin | No. |
12:51.40 | wethrin | You're the one who wants the pallets |
12:51.53 | morsing | But I'm asking you what they cost |
12:52.08 | wethrin | Many suppliers don't provide prices, because they make quotations on-demand |
12:52.29 | wethrin | Dunno. Never bought pallets. Never had any need to. |
12:52.31 | morsing | Could just build one I suppose |
12:52.51 | morsing | http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=250522889826&ssPageName=STRK:MESELX:IT |
12:54.13 | morsing | Setting syscall=creat doesn't log creating a file :( |
12:54.44 | dick_turpin | starts to cry as we are back to square one again |
12:54.56 | *** part/#gllug morsing (i=morsing@emil.morsing.cc) |
12:57.07 | dick_turpin | Bwahahahaha |
12:58.02 | dick_turpin | antiphase: That was awesome how did you manage that without even saying a word? |
13:08.49 | antiphase | Phear my awesome skillz |
13:10.01 | AndyMillar | wonders if it's wrong to use t'office comms room to lie down in and stretch your back |
13:10.33 | dick_turpin | AndyMillar: Get up you lazy git |
13:10.45 | AndyMillar | :p |
13:11.39 | dick_turpin | wethrin: you know them pallets............... |
13:13.49 | AndyMillar | dick_turpin: it was only for 2 mins |
13:15.11 | dick_turpin | That's what the Mayor of Nagasaki said "Well it was a bit hot for two minutes then the phones stopped ringing and I was out of a job" |
13:21.56 | ChoHag | Almond über alles. |
13:23.46 | ChoHag | This cake's not even very good yet it's delicious. |
13:42.32 | *** join/#gllug celesteh (n=celesteh@sblug/member/celesteh) |
13:42.56 | *** join/#gllug DiscordianUK (n=ch@78.144.173.243) |
14:08.34 | Mohan | http://www.tuxradar.com/content/vista-windows-7-ubuntu-904-and-910-boot-speed-comparison |
14:10.34 | jpds | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554573 |
14:29.43 | wethrin | dick_turpin: What about them pallets? |
14:30.18 | dick_turpin | wethrin: We all know you're the pallet expert |
14:31.45 | wethrin | heh |
14:32.42 | dick_turpin | Everyone knows wethrin has a pallet fetish |
15:06.12 | *** join/#gllug stu_ (n=stu@dyn1247-111.vpn.ic.ac.uk) |
15:07.39 | *** join/#gllug Leeds (n=richardc@n219078221168.netvigator.com) |
15:16.19 | *** join/#gllug shai (n=Shai@l192-117-110-233.cable.actcom.net.il) |
15:51.52 | *** join/#gllug jpds (n=jpds@ubuntu/member/jpds) |
16:26.24 | Mohan | http://pastebin.com/m26e9dfb8 |
16:27.17 | Mohan | Is there a sysctl.conf setting which i could change which could help improve apaches performance ? |
16:28.38 | Blapto | Looks like you need more workers. |
16:34.40 | Mohan | Is it ok to increase the max connections > 256, wouldn't it kill the server ? |
16:36.38 | antiphase | You need workers/children to service the requests otherwise connections will just wait until there's a worker/child free to service it |
16:46.06 | bilarh | just remember that in the west, for the most part, child labour is illegal |
16:47.40 | ChoHag | More's the pity. |
16:48.38 | MrKen | bilarh: Only if you tell! Keep 'em in the basement |
16:48.48 | ChoHag | MrKen: Austrian? |
16:49.04 | ChoHag | </bad-taste> |
16:49.04 | MrKen | ChoHag: How'd you guess?! |
16:49.25 | MrKen | ChoHag: I was tempted to add "(as Josef Fritzl would say)" but decided not to :P |
16:49.44 | Mohan | Any recommended figures for max connections ? |
16:50.02 | ChoHag | Why should there be a max? |
16:50.15 | ChoHag | Oh you're back on Apache. |
16:50.16 | wethrin | Resources |
16:51.47 | Mohan | load is less than 0.5 for the above load, dual core dual xeon 2GHZ with 4GB RAM |
16:53.47 | Mohan | current max conn=256, clients=4000 |
16:56.13 | Mohan | It works fine under normal circumstances but when there are sudden spikes it just couldn't cope with it. |
16:57.36 | Mohan | the load is indeed balanced by a LB, and there are 2 nodes underneath it. |
17:10.09 | *** part/#gllug dick_turpin (n=dick_tur@host217-34-163-30.in-addr.btopenworld.com) |
17:17.52 | *** part/#gllug Blapto (n=martin@72.29.67.3) |
18:05.13 | *** join/#gllug Armand|Lappy (n=me@host86-137-212-253.range86-137.btcentralplus.com) |
18:53.06 | *** join/#gllug Armand|Lappy (n=me@host86-137-212-253.range86-137.btcentralplus.com) |
19:35.05 | AndyMillar | Mohan: maxclients should be such that apache_process_size*maxclients never exceeds free_ram |
19:35.58 | AndyMillar | Mohan: as otherwise, once you start to hit maxclients, you start to swap, load goes through the roof and your server dies |
19:43.47 | *** join/#gllug dick_turpin (n=dick_tur@static-87-243-206-72.adsl.hotchilli.net) |
20:10.32 | *** join/#gllug DiscordianUK (n=ch@78.144.173.243) |
20:42.52 | *** part/#gllug dick_turpin (n=dick_tur@static-87-243-206-72.adsl.hotchilli.net) |
21:33.53 | *** join/#gllug kkwak (n=kkwak@92.17.40.68) |
22:20.33 | *** join/#gllug DiscordianUK (n=ch@78.144.173.243) |
22:21.41 | Mohan | AndyMillar: how do i determine apache_process_size ? |
22:25.35 | Mohan | AndyMillar: apache_process_size = ps auxfww | grep httpd each process memory usage ? |
22:26.20 | DiscordianUK | On Linux I'd install smem and use that |
22:29.01 | Mohan | DiscordianUK: smem is used to find the memory usage of apps ? |
22:29.13 | DiscordianUK | Indeed |
22:30.10 | Mohan | DiscordianUK: thanks, I will check it out. |
22:30.16 | DiscordianUK | if you'll forgive me 3 lines :- |
22:30.19 | DiscordianUK | 1330 cacheserver /usr/cachesys/httpd/bin/htt 0 416 647 1452 |
22:30.20 | DiscordianUK | <PROTECTED> |
22:30.20 | DiscordianUK | <PROTECTED> |
22:31.02 | Mohan | it seems its not available in the centos repo |
22:31.28 | DiscordianUK | I dunno tis in the Fedora ones |
22:35.46 | DiscordianUK | smem was written by one of the kernel devs |
22:41.20 | Mohan | is learning new stuff every day :) |
23:03.19 | *** join/#gllug ee (n=ee@net-93-145-44-54.t2.dsl.vodafone.it) |
23:03.50 | ee | ciao |
23:04.07 | ee | !list |
23:06.30 | z00dax | most people speak english here, and bots are frowned upon mostly |
23:06.33 | z00dax | ibot: hi |
23:06.33 | ibot | hola |
23:06.38 | z00dax | damnbot |
23:06.52 | Mohan | haha |
23:07.06 | Mohan | z00dax: hi |
23:07.12 | z00dax | hey Mohan howse it going |
23:07.22 | z00dax | speaking of going, I need to get going - be back in the morning |
23:07.43 | *** part/#gllug ee (n=ee@net-93-145-44-54.t2.dsl.vodafone.it) |
23:08.33 | Mohan | things are fine. how about you. |
23:09.26 | gregj | http://news.bbc.co.uk/1/hi/world/americas/8345713.stm |
23:09.42 | gregj | this happens often, when you lock up few dick heads, and give them guns, aka army. |
23:10.01 | gregj | heh, it is funny how people forget, that army == death, |
23:10.37 | gregj | people die in war, .. everybody cries - no fucking shit, they are in the bloody army, thats the risk you are taking when you join army. |