Posteet: linux

auditd useful commands

spirit — Tue, 16 Apr 2013 16:54:26 -0500

#Adding/Modifying Rules

#    Watch for files 

auditctl -w /etc/yum.conf -p wa  -k yum_watch
auditctl -w /usr/bin/nmap -p x   -k nmap_watch
auditctl -w /etc/shadow   -p rwa -k shadow_watch

#    Remove a rule using auditctl 

auditctl -W /etc/shadow -p rwa -k shadow_watch

#    Watching for ptrace system call 

auditctl -a entry,always -F arch=b64 -S ptrace -k info_scan

#    Suppress 32bit clock_gettime & fstat64 system calls 

-a entry,never -F arch=b32 -S clock_gettime -k clock_gettime
-a entry,never -F arch=b32 -S fstat64 -k fstat64

#    Audit files opened by a specific user 

auditctl -a exit,always -S open -F auid=2010
auditctl -a exit,always -F arch=b64 -F auid=2010  -F uid=2010 -F path=/etc/hosts -S open

#    Audit unsuccessful attempts for multiple system calls where user id is greater than or equal to 500 

auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 

#Reporting/Searching

#    List all rules 

auditctl -l

#    List status 

auditctl -s

#    Report on watched files. Date format is local to the server's date format. 

aureport -f
aureport -f --start 02/18/10 17:42:00
aureport -f --start 02/18/10 17:00:00 --end 02/18/10 17:10:00
aureport -f -ts this-week
aureport -f -ts today

#    Search by system call 

ausearch -sc ptrace -i

#    Search for user id or effective user id 

ausearch -ui 2010
ausearch -ue 2010

#    Lists all auth attempts and their result 

aureport -au

#    List just logins 

aureport -l

#    List account modification attempts. 

aureport -m

#    Search events where success value is no, User id is 500 and key is nmap_watch 

ausearch -sv no -ua 500 -k nmap_watch

#    Search by executable 

ausearch -x /usr/bin/nmap

#    Search by terminal 

ausearch -tm pts/0

#    Search by daemon. Stuff like cron log terminal as the daemon name 

ausearch -tm cron

[audit] [auditd] [audtictl] [ausearch] [linux] [unix]

Reboot blocked Linux server

spirit — Mon, 14 Jan 2013 13:49:49 -0600

alt + impr ecran r e i s u  b

[linux] [reboot] [server]

Traffic visualizer under Linux

spirit — Mon, 14 Jan 2013 13:48:31 -0600

iptraf
jnettop
iftop

[linux] [traffic]

Prompt linux

spirit — Thu, 06 Dec 2012 13:21:09 -0600

PS1="\[\e[30;1m\](\[\e[34;1m\]\A\e[30;1m\])-(\[\e[34;1m\]\u@\h\[\e[30;1m\]\[\e[30;1m\]:\[\[\e[32;1m\]\w\[\e[30;1m\])> \[\e[0m\]"

[linux] [prompt] [shell]

Send syslog message with netcat nc

spirit — Wed, 22 Aug 2012 13:26:13 -0500

echo "<150>`env LANG=us_US.UTF-8 date "+%b %d %H:%M:%S"` host`date +%s` service: my special message goes here" | nc 192.168.0.1 -u 514 -w 1

[linux] [loger] [nc] [netcat] [syslog]

Bibliotecas en linux

leomarcov — Thu, 12 Jul 2012 13:20:12 -0500

Listado de las rutas de bibliotecas del sistema: /etc/ld.so.confex
Además se incluyen las rutas de la variable de entrono: $LD_LIBRARY_PATH
Mostrar las bibliotecas dependientes de un programa: ldd /bin/ls
Recargar la cache de bibliotecas: ldconfig

[linux]

Enable/Disable MySQL Log

sox — Thu, 24 May 2012 12:46:13 -0500

# Enable
mysql> SET GLOBAL general_log = 'ON';

# On Debian, you can check log on /var/run/mysqld/mysqld.log
tail -f /var/run/mysqld/mysqld.log

# Disable
mysql> SET GLOBAL general_log = 'OFF';

[linux] [mysql]

Finding All Hosts On the LAN From Linux / Windows Workstation

spirit — Sun, 22 May 2011 15:36:22 -0500

#Linux
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

#Windows:
for /L %I in (1,1,254) DO ping -w 30 -n 1 192.168.1.%I | find "Reply"

[bash] [bat] [hosts] [lan] [linux] [ping] [up] [windows]

enlever règle iptable

neorom — Mon, 16 May 2011 11:12:01 -0500

iptables -D table -s IP -j DROP

[failtoban] [firewall] [iptables] [linux]

rsyslog TCP forwarding

neorom — Tue, 22 Feb 2011 17:08:09 -0600

In the format shown above, UDP is used for transmitting the message. The destination port is set to the default auf 514. Rsyslog is also capable of using much more secure and reliable TCP sessions for message forwarding. Also, the destination port can be specified. To select TCP, simply add one additional @ in front of the host name (that is, @host is UPD, @@host is TCP). For example:


*.* @@finlandia

To specify the destination port on the remote machine, use a colon followed by the port number after the machine name. The following forwards to port 1514 on finlandia:


*.* @@finlandia:1514

This syntax works both with TCP and UDP based syslog. However, you will probably primarily need it for TCP, as there is no well-accepted port for this transport (it is non-standard). For UDP, you can usually stick with the default auf 514, but might want to modify it for security rea-
sons. If you would like to do that, it's quite easy:


*.* @finlandia:151

[debian] [forward] [forwarding] [linux] [rsyslog] [syslog] [TCP]

Find files modified in the last two days

spirit — Tue, 14 Dec 2010 23:05:57 -0600

find / -mtime 2 -o -ctime 2

[bash] [ctime] [files] [find] [linux] [modifications] [mtime] [shell]

Find all world writable directories / files

spirit — Tue, 14 Dec 2010 23:04:49 -0600

find / -perm -0002 -type d -print
find / -perm -0002 -type f -print

[bash] [directories] [files] [find] [linux] [rights] [shell] [writable]

Find all files created or updated in the last five minutes

spirit — Tue, 14 Dec 2010 23:03:48 -0600

find / -cmin -5

[bash] [created] [files] [find] [linux] [minutes] [updated]

Gestion des routes sous Linux

sox — Tue, 28 Sep 2010 10:34:46 -0500

# Ajouter une route par defaut
route add default gw 192.168.0.1

# Afficher les routes
route -n

# Supprimer une route
route del -net 192.168.0.1/24

[administration] [linux] [reseau] [routage]

Manipulations classiques dans une arborescence de fichiers avec sed

koudou — Wed, 21 Jul 2010 08:52:35 -0500

Astuces très simples mais toujours utiles :

- Rechercher/remplacer une occurence dans toute une série de fichiers :
find mon_repertoire -type f -exec sed -i 's/occurence/remplacement/g' {} \;

- Supprimer les lignes contenant une occurence dans une série de fichiers :
find mon_repertoire -type f -exec sed -i 's/occurence/d' {} \;

[bash] [find] [linux] [sed]