Posts on SecopsMonkey

should

1
2
3

UserId,jobTitle,department,Manager
user1@domain.com,Sales Director,Sales,manager@domain.com
user2@domain.com,Engineer,Development,manager@domain.com
.\Update-UserAttributes.ps1 -CSVFilePath .\userlist.csv
-a exit,always -F arch=b64 -S execve -k procmon
-a exit,always -F arch=b32 -S execve -k procmon
type=SYSCALL msg=audit(1532489108.216:3721): arch=c000003e syscall=59 success=yes exit=0 a0=16169e0 a1=16116f0 a2=161ab60 a3=7ffd940300a0 items=2 ppid=10627 pid=20240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="procmon"
type=EXECVE msg=audit(1532489108.216:3721): argc=2 a0="cat" a1="10-procmon.rules"
type=SYSCALL msg=audit(1532489109.283:3722): arch=c000003e syscall=59 success=yes exit=0 a0=1f14e30 a1=1f1a110 a2=1f21d20 a3=7ffc85e6eee0 items=2 ppid=10382 pid=20241 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="grep" exe="/usr/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="procmon"
type=EXECVE msg=audit(1532489109.283:3722): argc=4 a0="grep" a1="--color=auto" a2="procmon" a3="/var/log/audit/audit.log"
Dec  6 19:22:27 node1.localdomain server[1186]: 2017-12-06 19:22:27,669 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-7] WARN  com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User spack (id 2, org_id 1) failed with error System error.
Dec  6 19:22:29 node1.localdomain server[1186]: 2017-12-06 19:22:29,670 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-7] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [spack]
[root@node1 ~]# seinfo --stats | grep audit
   Auditallow:        155    Dontaudit:        8855
semodule --disable_dontaudit --build
type=SYSCALL msg=audit(1513616321.280:10659): arch=c000003e syscall=44 success=no exit=-13 a0=41 a1=7f1fe06b8ef0 a2=c0 a3=0 items=0 ppid=1 pid=1186 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1513616321.280:10659): avc:  denied  { write } for  pid=1186 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=netlink_audit_socket
module spacewalklocalpam 1.0;

require {
        type tomcat_t;
        class netlink_audit_socket { write read };
}

allow tomcat_t self:netlink_audit_socket { write read };
semodule --build
module librenms 1.0;

require {
    type ldap_port_t;
    type snmp_port_t;
    type httpd_t;
    class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_connect_ldap, nis_enabled, authlogin_nsswitch_use_ldap, httpd_can_network_connect
allow httpd_t ldap_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_t snmp_port_t:tcp_socket name_connect;
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -R -v /opt/librenms/rrd /opt/librenms/logs
-w /opt/application/src -p w -k app-policy
-w /opt/application/bin -p wa -k app-policy
aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59
root@ node1:~> mkdir -p /opt/application/src
root@ node1:~> vim /opt/application/src/app.h
root@ node1:~> aureport -k

Key Report
===============================================
# date time key success exe auid event
===============================================
1. 09/24/2013 11:41:29 app-policy yes /usr/bin/vim 1000 13446
2. 09/24/2013 11:41:29 app-policy yes /usr/bin/vim 1000 13445
3. 09/24/2013 11:41:29 app-policy yes /usr/bin/vim 1000 13447
4. 09/24/2013 11:41:29 app-policy yes /usr/bin/vim 1000 13448
5. 09/24/2013 11:41:29 app-policy yes /usr/bin/vim 1000 13449
6. 09/24/2013 11:41:35 app-policy yes /usr/bin/vim 1000 13451
7. 09/24/2013 11:41:35 app-policy yes /usr/bin/vim 1000 13450
root@ node1:~> grep :13446 /var/log/audit/audit.log
type=SYSCALL msg=audit(1380037289.364:13446): arch=c000003e syscall=2 success=yes exit=4 a0=bffa20 a1=c2 a2=180 a3=0 items=2 ppid=21950 pid=22277 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1226 tty=pts0 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="app-policy"
type=CWD msg=audit(1380037289.364:13446):  cwd="/root"
type=PATH msg=audit(1380037289.364:13446): item=0 name="/opt/application/src/" inode=2747242 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:usr_t:s0
type=PATH msg=audit(1380037289.364:13446): item=1 name="/opt/application/src/.app.h.swx" inode=2747244 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:usr_t:s0
#/etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-w /opt/application/src -p w -k app-policy
-w /opt/application/bin -p wa -k app-policy
#/etc/cron.d/audit-report
MAILTO=ewwhite@example.com

1 0   * * *     root  /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59
#file generated by puppet
# This is the TORCH hosted official repositories for Graylog2
deb https://packages.graylog2.org/repo/debian/ trusty 1.0
aptitude install graylog-web graylog-server
cp /etc/graylog2.conf /etc/graylog/server/server.conf
diff -y /etc/graylog2.conf /etc/graylog/server/server.conf
# Look for changes that need to be made
cp /etc/graylog2.conf /etc/graylog/server/server.conf
# Clean up new server.conf with any necessary modifications
# Enable the disk based message journal.
message_journal_enabled = true

# The directory which will be used to store the message journal
# must not contain any other files than the ones created by Graylog
message_journal_dir = /var/lib/graylog-server/journal
cp /etc/graylog2/server/node-id /etc/graylog/server/node-id
diff -y /etc/graylog2/web/graylog2-web-interface.conf /etc/graylog/web/web.conf
# Look for changes that need to be made
cp /etc/graylog2/web/graylog2-web-interface.conf /etc/graylog/web/web.conf
# Clean up new web.conf with any necessary modifications
initctl stop graylog2-server
initctl stop graylog2-web
initctl start graylog-server
initctl start graylog-web
find / -user graylog2 -print0 | xargs -0 chown graylog:graylog
find / -user graylog2-web -print0 | xargs -0 chown graylog-web:graylog-web
aptitude remove graylog2-server graylog2-web
rm -rf /etc/graylog2 /etc/graylog2.conf /etc/init/graylog2-server.conf /etc/init/graylog2-web.conf /etc/default/graylog2-server /etc/default/graylog2-web
rm -rf /var/lib/graylog2-server/ /var/lib/graylog2-web/
rm -rf /var/log/graylog2-web /var/log/graylog2-server
userdel graylog2
userdel graylog2-web
elasticsearch_max_docs_per_index = 36000000
elasticsearch_max_number_of_indices = 182
elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 20
relayhost = [domain-com.mail.protection.outlook.com]
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_use_tls = yes
smtpd_tls_cert_file = /path/to/private/cert
smtpd_tls_key_file = /path/to/private/key

mynetworks = 127.0.0.0/8, 10.0.0.0/8
relayhost = [mailrelay.domain.com]:25
smtp_sasl_auth_enable = no
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous
aptitude install apache2 mysql-server ruby libalgorithm-diff-perl libjson-perl libxml-simple-perl libhtml-tree-perl libapache2-mod-perl2
wget https://github.com/schubergphilis/Seccubus_v2/releases/download/2.10/seccubus_2.10.B194_all.deb
dpkg -i seccubus_2.10.B194_all.deb
mysql -u root -p << EOF
create database seccubus;
grant all privileges on seccubus.* to seccubus@localhost identified by 'seccubus';
flush privileges;
EOF
mysql -u seccubus -pseccubus seccubus < /var/lib/seccubus/structure_v5.mysql
mysql -u seccubus -pseccubus seccubus < /var/lib/seccubus/data_v5.mysql
<VirtualHost *:80>

  ServerAdmin webmaster@localhost
  DocumentRoot /opt/seccubus/www/

  LogLevel info

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Location />
    Allow from all
    Require all granted
    # Allow from .example.com
    AddHandler cgi-script .pl
    Options ExecCGI
  </Location>

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
a2enmod perl
a2enmod cgi
is_master = false
elasticsearch_node_name = east-gray01
elasticsearch_discovery_zen_ping_unicast_hosts = east-es01.east.example.com:9300,west-es01.west.example.com:9300
rest_listen_uri = http://${IP_ADDRESS}:12900/
is_master = true
elasticsearch_node_name = west-gray01
elasticsearch_discovery_zen_ping_unicast_hosts = east-es01.east.example.com:9300,west-es01.west.example.com:9300
rest_listen_uri = http://${IP_ADDRESS}:12900/
graylog2-server.uris="http://east-es01.east.example.com:12900/,http://west-es01.west.example.com:12900/"
node.master: true
node.data: true
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["east-es01.east.example.com","west-es01.west.example.com"]
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
bind_ip = ${public_ip}
fork = true
master = true
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
bind_ip = ${public_ip}
journal=true
slave = true
source = ${master_node_address}
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
bind_ip = ${public_ip}
fork = true
master = true
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
bind_ip = ${public_ip}
journal=true
slave = true
source = ${new_master_node_address}
echo "deb http://packages.graylog2.org/repo/debian/ trusty 0.90" > /etc/apt/sources.list.d/graylog2.list
https://raw.githubusercontent.com/Graylog2/graylog2-puppet/master/files/RPM-GPG-KEY-graylog2
wget -qO - https://raw.githubusercontent.com/Graylog2/graylog2-puppet/master/files/RPM-GPG-KEY-graylog2 | apt-key add -
apt-get update
apt-get install graylog2-server graylog2-web
wget https://packages.graylog2.org/repo/packages/graylog2-0.91-repository-ubuntu14.04_latest.deb
dpkg -i graylog2-0.91-repository-ubuntu14.04_latest.deb
apt-get install apt-transport-https
apt-get update
apt-get install graylog2-server graylog2-web
is_master = false
password_secret = ${Password_Secret_From_Legacy_Server}
root_password_sha2 = ${Password_Hash_From_Legacy_Server}
rest_listen_uri = http://${Public_IP_of_Server}:12900/
retention_strategy = delete
elasticsearch_shards = 5
elasticsearch_replicas = 1
elasticsearch_index_prefix = graylog2
elasticsearch_cluster_name = ${ES_Cluster_Name}
elasticsearch_node_name = ${Server_Hostname}
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = east-es01.east.example.com:9300,west-es01.west.example.com:9300,graylog.example.com:9300
elasticsearch_cluster_discovery_timeout = 10000
mongodb_useauth = false
mongodb_host = graylog.example.com
mongodb_database = graylog2
mongodb_port = 27017
graylog2-server.uris="http://east-es01.east.example.com:12900/,http://west-es01.west.example.com:12900/,http://graylog.example.com:12900"
application.secret="${Password_Secret_From_Legacy_Server}"
timeout.DEFAULT=10s
" Setup the environment for Syntastic syntax checking
call pathogen#infect('bundle/{}')

" Enable syntax highlighting
syntax on

" Show text description of code warnings and Syntastic notices in status line
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*

filetype plugin on
filetype indent on

" Set up some settings for vim-latex
let g:tex_flavor='latex'
" Disable all that folding nonsense
let Tex_FoldedSections=""
let Tex_FoldedEnvironments=""
let Tex_FoldedMisc=""

" Set up the Solarized colorscheme
set background=dark
let g:solarized_visibility = "high"
let g:solarized_contrast = "high"
let g:solarized_termcolors = 256
let g:solarized_termtrans = 1
colorscheme solarized

set modeline

" Always assume paste mode
set paste

" Enable Markdown formatting
augroup mkd
    autocmd BufRead *.mkd  set ai formatoptions=tcroqn2 comments=n:&gt;
augroup END

" Disable autoindenting
set noai

" have command-line completion <Tab> (for filenames, help topics, option names)
" first list the available options and complete the longest common part, then
" have further <Tab>s cycle through the possibilities:
set wildmode=list:longest,full

" Turn the mouse off for all modes, graphical and console
set mouse=

" When entering a tab with this on, spaces are entered instead (at 4 characters).
" To enter a real tab, use  CTRL-V TAB.
set expandtab
set tabstop=4
set shiftwidth=4

" make searches case-insensitive, unless they contain upper-case letters:
set ignorecase
set smartcase

" show the `best match so far' as search strings are typed:
set incsearch

" show cursor line and column in the status line
set ruler

" show matching brackets
set showmatch

" display the current mode and partially-typed commands in the status line:
set showmode
set showcmd

" Allows full backspacing, including over insertion points and line breaks
set bs=2

" Required to be able to use keypad keys and map missed escape sequences
set esckeys

" Disable vi compatability
set nocompatible

" enable filetype detection:
filetype on

" Syntax highlighting for iCal ics files
autocmd! BufRead,BufNewFile *.ics setfiletype icalendar

" for C-like programming, have automatic indentation:
autocmd FileType c,cpp,slang set cindent cinkeys cino=1s

" for actual C (not C++) programming where comments have explicit end
" characters, if starting a new line in the middle of a comment automatically
" insert the comment leader characters:
autocmd FileType c set formatoptions+=ro

" for CSS, also have things in braces indented:
autocmd FileType css set smartindent

" for HTML, generally format text, but if a long line has been created leave it
" alone when editing:
autocmd FileType html set formatoptions+=tl

" for both CSS and HTML, use genuine tab characters for indentation, to make
" files a few bytes smaller:
autocmd FileType html,css set noexpandtab tabstop=4

" in makefiles, don't expand tabs to spaces, since actual tab characters are
" needed, and have indentation at 8 chars to be sure that all indents are tabs
" (despite the mappings later):
autocmd FileType make set noexpandtab shiftwidth=8
wget -qO - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb http://packages.elasticsearch.org/elasticsearch/0.90/debian stable main" > /etc/apt/sources.list.d/elasticsearch.list
apt-get update && apt-get install elasticsearch
package {
  'elasticsearch' :
    ensure => '0.90.10',
}
cluster.name: graylog2
node.name: east-es01
node.master: true
node.data: true
index.number_of_shards: 5
index.number_of_replicas: 1
discovery.zen.ping.timeout: 5s
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["east-es01.east.example.com","west-es01.west.example.com","graylog.example.com"]
Error unpacking rpm package 4:perl-5.8.8-38.el5_8.i386
error: unpacking of archive failed on file /usr/bin/a2p;509097e4: cpio: open failed - Read-only file system

tar -zc /home/packs /root | ssh packs@node1 'cat - > snort-test_homes.tar.gz'

tar -zc /home/packs /root | ssh packs@node1 -o UserKnownHostsFile=/dev/null 'cat - > snort-test_homes.tar.gz'

function setcolor {
# Set up the colormap using hex codes for the colors
  colormap=( "node1:#330000"
             "node2:#003300"
             "node3:#330033"
             "node4:#333300"
             "node5:#FF0000"
             "node6:#0000FF" )
# Generate my own short hostname, i.e. turn node1.example.com into node1
  short=`echo ${HOSTNAME} | sed "s/..*$//"`
color="#000000" # Set default color to black
# Iterate through the colormap looking for the hostname. Also, some bash magic.
  for host in ${colormap[@]}; do
    if [[ ${host%%:*} == ${short} ]]; then
      color=${host##*:}
    fi
  done
# Wrap the color in the xterm escape sequences to set the background color
  echo -ne "33]11;${color}07" # Set the background color
}
# Only run the setcolor function if we are using xterm or xterm-color as our termtype
if [ $TERM = "xterm" ]; then
  export TERM="xterm-color"
  setcolor
elif [ $TERM = "xterm-color" ]; then
  setcolor
fi
# Replaces the shell title with the name of the host we are sshing to
function ssh {
echo -ne "33]0;${1}07"     # Set the terminal title to the host we are sshing to
  /usr/bin/ssh $1 $2 $3
  setcolor  # Once ssh exits, reset the color back to what it should be
}
cat macs_all.txt | sort -u > macs_unique.txt

packs@ node1:~> time cat macs_all.txt | sort -u > macs_unique.txt

real    181m12.417s
user    176m13.926s
sys     1m42.335s
packs@ node1:~> time cat macs_all.txt | ./fast_uniq.pl > macs_fast_uniqed.txt

real    8m9.074s
user    7m28.176s
sys     0m46.271s
#!/usr/bin/perl -w

use strict;
use Getopt::Long;
use Pod::Usage;

# Setup main variables from script arguments
my ($unique, $sort, $count, $quiet, $DEBUG);

# Grab the options passed on the command line.
GetOptions (
  "unique|u" => \$unique,              # flag
  "sort|s" => \$sort,                  # flag
  "count|c" => \$count,                # flag
  "quiet|q" => \$quiet,                # flag
  "verbose|v" => \$DEBUG,              # flag
  "help|?|h" => sub { pod2usage(1); }, # flag
) or pod2usage("$0: Unrecognized program argument.");

if( !( defined($unique) or defined($sort) or defined($count) ) ) {
  pod2usage("$0:  Required argument missing.");
}

my ( %hash, $key, $value );

if ( $unique ) {
  print "Entered unique loop\n" if $DEBUG;

  while( my $mac = <> ) {
    next unless $mac;
    chomp $mac;

    $hash{$mac}++;
  }

  # Do all the prints here
  if ( $sort ) {
    print "Entered sorted print loop\n" if $DEBUG;

    for $key ( sort keys %hash ) {
      if ( $count ) {
        print "$hash{$key} \t$key\n";
      }
      else {
        print "$key\n";
      }
    }
  }
  else {
    print "Entered unsorted print loop\n" if $DEBUG;
    for $key (keys %hash) {
      if ( $count ) {
        print "$hash{$key} \t$key\n";
      }
      else {
        print "$key\n";
      }
    }
  }
}

if ( $sort and not $unique ) {
  # Join to an array and sort for print
  print "So you want sorted but uniqued data, eh? Patience my dear, patience.\n"
}

__END__

=head1 NAME

fast_sorter - Reimplementation of GNU sort and GNU uniq to perform faster
by Scott Pack

=head1 SYNOPSIS

fast_sorter.pl [options]

 Options:
   -u, --unique     Deduplicate entries in the input
   -s, --sort       Print the output ASCII sorted
   -c, --count      Print the output along with duplication counts
   -v, --verbose    Print debugging information
   -h, --help       Brief help message

By Scott Pack

=cut
relayhost = [smtp.office365.com]:587

[smtp.office365.com]:587 user@domain.tld:soopersekretPassvv0rd

postmap hash:/etc/postfix/sasl_passwd

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

/.*/    user@domain.tld

postmap hash:/etc/postfix/generic

smtp_generic_maps = hash:/etc/postfix/generic

root: scottpack+totesspam@hotmale.com

relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous

webserver -> AddTrust -> InCommon.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7f:71:c1:d3:a2:26:b0:d2:b1:13:f3:e6:81:67:64:3e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: Dec  7 00:00:00 2010 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:97:7c:c7:c8:fe:b3:e9:20:6a:a3:a4:4f:8e:8e:
                    34:56:06:b3:7a:6c:aa:10:9b:48:61:2b:36:90:69:
                    e3:34:0a:47:a7:bb:7b:de:aa:6a:fb:eb:82:95:8f:
                    ca:1d:7f:af:75:a6:a8:4c:da:20:67:61:1a:0d:86:
                    c1:ca:c1:87:af:ac:4e:e4:de:62:1b:2f:9d:b1:98:
                    af:c6:01:fb:17:70:db:ac:14:59:ec:6f:3f:33:7f:
                    a6:98:0b:e4:e2:38:af:f5:7f:85:6d:0e:74:04:9d:
                    f6:27:86:c7:9b:8f:e7:71:2a:08:f4:03:02:40:63:
                    24:7d:40:57:8f:54:e0:54:7e:b6:13:48:61:f1:de:
                    ce:0e:bd:b6:fa:4d:98:b2:d9:0d:8d:79:a6:e0:aa:
                    cd:0c:91:9a:a5:df:ab:73:bb:ca:14:78:5c:47:29:
                    a1:ca:c5:ba:9f:c7:da:60:f7:ff:e7:7f:f2:d9:da:
                    a1:2d:0f:49:16:a7:d3:00:92:cf:8a:47:d9:4d:f8:
                    d5:95:66:d3:74:f9:80:63:00:4f:4c:84:16:1f:b3:
                    f5:24:1f:a1:4e:de:e8:95:d6:b2:0b:09:8b:2c:6b:
                    c7:5c:2f:8c:63:c9:99:cb:52:b1:62:7b:73:01:62:
                    7f:63:6c:d8:68:a0:ee:6a:a8:8d:1f:29:f3:d0:18:
                    ac:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A

            X509v3 Subject Key Identifier:
                48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c
                CA Issuers - URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt
                OCSP - URI:http://ocsp.usertrust.com

    Signature Algorithm: sha1WithRSAEncryption
        93:66:21:80:74:45:85:4b:c2:ab:ce:32:b0:29:fe:dd:df:d6:
        24:5b:bf:03:6a:6f:50:3e:0e:1b:b3:0d:88:a3:5b:ee:c4:a4:
        12:3b:56:ef:06:7f:cf:7f:21:95:56:3b:41:31:fe:e1:aa:93:
        d2:95:f3:95:0d:3c:47:ab:ca:5c:26:ad:3e:f1:f9:8c:34:6e:
        11:be:f4:67:e3:02:49:f9:a6:7c:7b:64:25:dd:17:46:f2:50:
        e3:e3:0a:21:3a:49:24:cd:c6:84:65:68:67:68:b0:45:2d:47:
        99:cd:9c:ab:86:29:11:72:dc:d6:9c:36:43:74:f3:d4:97:9e:
        56:a0:fe:5f:40:58:d2:d5:d7:7e:7c:c5:8e:1a:b2:04:5c:92:
        66:0e:85:ad:2e:06:ce:c8:a3:d8:eb:14:27:91:de:cf:17:30:
        81:53:b6:66:12:ad:37:e4:f5:ef:96:5c:20:0e:36:e9:ac:62:
        7d:19:81:8a:f5:90:61:a6:49:ab:ce:3c:df:e6:ca:64:ee:82:
        65:39:45:95:16:ba:41:06:00:98:ba:0c:56:61:e4:c6:c6:86:
        01:cf:66:a9:22:29:02:d6:3d:cf:c4:2a:8d:99:de:fb:09:14:
        9e:0e:d1:d5:c6:d7:81:dd:ad:24:ab:ac:07:05:e2:1d:68:c3:
        70:66:5f:d3
-----BEGIN CERTIFICATE-----
MIIEwzCCA6ugAwIBAgIQf3HB06ImsNKxE/PmgWdkPjANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTEwMTIwNzAwMDAwMFoXDTIwMDUzMDEwNDgzOFow
UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D
b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJd8x8j+s+kgaqOkT46ONFYGs3psqhCbSGErNpBp
4zQKR6e7e96qavvrgpWPyh1/r3WmqEzaIGdhGg2GwcrBh6+sTuTeYhsvnbGYr8YB
+xdw26wUWexvPzN/ppgL5OI4r/V/hW0OdASd9ieGx5uP53EqCPQDAkBjJH1AV49U
4FR+thNIYfHezg69tvpNmLLZDY15puCqzQyRmqXfq3O7yhR4XEcpocrFup/H2mD3
/+d/8tnaoS0PSRan0wCSz4pH2U341ZVm03T5gGMAT0yEFh+z9SQfoU7e6JXWsgsJ
iyxrx1wvjGPJmctSsWJ7cwFif2Ns2Gig7mqojR8p89AYrK0CAwEAAaOCAXcwggFz
MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBRIT1r6
L0qaXuBQ82t7VaXe9b40XTAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBADARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov
L2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMIGz
BggrBgEFBQcBAQSBpjCBozA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1
c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QucDdjMDkGCCsGAQUFBzAChi1o
dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RVVE5TR0NDQS5jcnQwJQYI
KwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEF
BQADggEBAJNmIYB0RYVLwqvOMrAp/t3f1iRbvwNqb1A+DhuzDYijW+7EpBI7Vu8G
f89/IZVWO0Ex/uGqk9KV85UNPEerylwmrT7x+Yw0bhG+9GfjAkn5pnx7ZCXdF0by
UOPjCiE6SSTNxoRlaGdosEUtR5nNnKuGKRFy3NacNkN089SXnlag/l9AWNLV1358
xY4asgRckmYOha0uBs7Io9jrFCeR3s8XMIFTtmYSrTfk9e+WXCAONumsYn0ZgYr1
kGGmSavOPN/mymTugmU5RZUWukEGAJi6DFZh5MbGhgHPZqkiKQLWPc/EKo2Z3vsJ
FJ4O0dXG14HdrSSrrAcF4h1ow3BmX9M=
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
                    1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
                    a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
                    cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
                    2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
                    56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
                    5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
                    87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
                    71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
                    69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
                    ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
                    6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
                    37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
                    45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
                    c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
                    a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
                    b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
                    5a:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
                serial:01

    Signature Algorithm: sha1WithRSAEncryption
        b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
        84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
        6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
        bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
        de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
        14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
        93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
        63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
        a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
        45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
        91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
        8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
        60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
        0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
        8f:4e:86:04
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

startup_message off

chdir

defutf8 on
utf8 on on

# Enable window monitoring & notifications
monitor on
defmonitor on

# Change escape command from ctrl-a to ctrl-z
escape ^za

autodetach on

hardstatus on
hardstatus alwayslastline
hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{=kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B}%Y-%m-%d%{W}%{g}]'
tcpdump -nnr capturefile.pcap host 10.10.15.15

tcpdump -nnr capturefile.pcap | grep 10.10.15.15

tcpdump -nnr capturefile.pcap vlan and host 10.10.15.15

tcpdump -nnr capturefile.pcap 'host 10.10.15.15 or ( vlan and host 10.10.15.15 )'

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Force SYN checks
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop all fragments
-A INPUT -f -j DROP
# Drop XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

-A INPUT -f -j DROP

-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

mount -t nfs 10.10.10.1:/vol1/fs1 /data

10.10.10.1:/vol1/fs1  /data             nfs     defaults    0 0

_netdev
        The  filesystem  resides  on  a device that requires network access (used to prevent the system from attempting to mount these filesystems until the
        network has been enabled on the system).

10.10.10.1:/vol1/fs1  /data             nfs     defaults,_netdev    0 0

# description: Mounts and unmounts all Network File System (NFS), \
#              CIFS (Lan Manager/Windows), and NCP (NetWare) mount points.

chkconfig netfs on

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
-a always,exit -S sethostname -S setdomainname -k system-locale
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /etc/selinux/ -p wa -k MAC-policy
# Disable adding any additional rules - note that adding new rules will require a reboot
-e 2

type=SYSCALL msg=audit(1358306046.744:260): arch=c000003e syscall=170 success=yes exit=0 a0=2025010 a1=17 a2=7 a3=18 items=0 ppid=23922 pid=26742 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=16 comm="hostname" exe="/usr/bin/hostname" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="system-locale"

d-i partman-auto/expert_recipe string         \
    4000 800 8000  $default_filesystem        \
        $lvmok{ }                             \
        method{ format }                      \
        format{ }                             \
        use_filesystem{ }                     \
        $default_filesystem{ }                \
        mountpoint{ / }                       \
    .

# Mount Point       Min Size (MB)    Max Size (MB)
/                   4000             8000
/home               1000             4000
/tmp                1000             2000
/var                2000             4000
swap                1000             2000
/var/log/audit       250

# Disk Partitioning
# Use LVM, and wipe out anything that already exists
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-auto/method string lvm
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/new_vg_name string system
d-i partman-md/device_remove_md boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/default_filesystem string ext4

d-i partman-auto/expert_recipe string     \
  multi-cnx ::                            \
    128 512 256 ext2                      \
    \$defaultignore{ }                    \
    method{ format }                      \
    format{ }                             \
    use_filesystem{ }                     \
    filesystem{ ext2 }                    \
    mountpoint{ /boot }                   \
    .                                     \
    4000 800 8000  \$default_filesystem   \
    \$lvmok{ }                            \
    method{ format }                      \
    format{ }                             \
    use_filesystem{ }                     \
    \$default_filesystem{ }               \
    mountpoint{ / }                       \
    .                                     \
    2000 1500 4000 \$default_filesystem   \
    \$lvmok{ }                            \
    method{ format }                      \
    format{ }                             \
    use_filesystem{ }                     \
    \$default_filesystem{ }               \
    mountpoint{ /var }                    \
    .                                     \
    96 512 200% linux-swap                \
    \$lvmok{ }                            \
    \$reusemethod{ }                      \
    method{ swap }                        \
    format{ }                             \
    .                                     \
    1000 300 2000 \$default_filesystem    \
    \$lvmok{ }                            \
    method{ format }                      \
    format{ }                             \
    use_filesystem{ }                     \
    \$default_filesystem{ }               \
    mountpoint{ /tmp }                    \
    .                                     \
    1000 3000 8000 \$default_filesystem   \
    \$lvmok{ }                            \
    method{ format }                      \
    format{ }                             \
    use_filesystem{ }                     \
    \$default_filesystem{ }               \
    mountpoint{ /home }                   \
    .                                     

    for(i=1;i<=N;i++) {
      factor[i] = priority[i] - min[i];
    }
    ready = FALSE;
    while (! ready) {
      minsum = min[1] + min[2] + ... + min[N];
      factsum = factor[1] + factor[2] + ... + factor[N];
      ready = TRUE;
      for(i=1;i<=N;i++) {
        x = min[i] + (free_space - minsum) * factor[i] / factsum;
        if (x > max[i])
          x = max[i];
        if (x != min[i]) {
          ready = FALSE;
          min[i] = x;
        }
      }
    }
sc triggerinfo w32time start/networkon stop/networkoff

schtasks /create /ru "SYSTEM" /tn "Initial Time Synchronization" /tr "w32tm /resync" /sc onevent /ec "Microsoft-Windows-NetworkProfile/Operational" /mo "*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and (EventID=10000)]]"

MaxNegPhaseCorrection
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version
Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the largest negative time correction in seconds that the service 
makes. If the service determines that a change larger than this is required, it logs 
an event instead. Special case: 0xFFFFFFFF means always make time correction. The 
default value for domain members is 0xFFFFFFFF. The default value for stand-alone 
clients and servers is 54,000 (15 hrs).

MaxPosPhaseCorrection
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version
Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.

This entry specifies the largest positive time correction in seconds that the service 
makes. If the service determines that a change larger than this is required, it logs 
an event instead. Special case: 0xFFFFFFFF means always make time correction. The 
default value for domain members is 0xFFFFFFFF. The default value for stand-alone 
clients and servers is 54,000 (15 hrs).

aptitude install cobbler cobbler-web debmirror mkisofs

[authentication]
module = authn_pam

cobbler import --name=ubuntu13.10 --arch=x86_64 --path=/media/cdrom

cobbler reposync

cobbler get-loaders

downloading http://www.cobblerd.org/loaders/menu.c32-3.61 to /var/lib/cobbler/loaders/menu.c32

cp /usr/lib/syslinux/menu.c32 /var/lib/cobbler/loaders/menu.c32

cobbler buildiso

	Small	Medium
CPU	4 cores	8 cores
RAM	4 GB	8 GB
Disk	40 GB	40 TB
OS	Ubuntu 14.04	Ubuntu 14.04

	Small	Medium
CPU	2 cores	2 cores
RAM	12 GB	24 GB
Disk	500 GB	1 TB
OS	Ubuntu 14.04	Ubuntu 14.04

Posts on SecopsMonkey

Tool Library Announcement

Background

The Intent

Usage

Caveats

auditd By Example - Monitoring Process Execution

Tracking Down Silent SELinux Denies

The Setup

The Diagnosis

The Repair

Deploying LibreNMS With SELinux

auditd By Example - Tracking File Changes

Upgrading to Graylog 1.0 GA

Package Repository

Install the New Packages

Update Graylog Server Config

Update Graylog Web Config

Recycle Services

Cleanup

Finalize

A Retention Complication

Retention Is Not Rotation

Better Use of Office 365 as a Smart Host with Postfix

Create the Connector

Configure the Mail Relay Host

Configure the Endpoints

Running SSH on Non-Default Ports

My Thoughts on Retention

Seccubus on Ubuntu - The Missing Manual

Installation

Database Configuration

Web Server Setup

Points to Note

Migrating Graylog Servers - Part 6 - Lessons Learned

Architecture and Deployment

Graylog2 Is Pretty Simple

Logs Is Logs Is Logs

ElasticSearch is Magic

Management

Yes. That’s Right. I Said Plural Databases.

MongoDB Makes Me Sad

Infinitely Unbounded Spoolers Are The Devil

Support

Migrating Graylog Servers - Part 5

Updating Graylog2 Server

Updating ElasticSearch

Migrating Graylog Servers - Part 4

Convert to Master/Slave and Replicate

Legacy Master

New Slave

Replication Times

Slave Promotion

Add New MongoDB Instance as Slave

Migrating Graylog Servers - Part 3

Graylog2 Server Build

Software Install

Graylog2 Cluster Join

Graylog2 Web Setup

My Not So Fancy .vimrc

Migrating Graylog Servers - Part 2

Server Setup

ElasticSearch Fiddly Bits

Installation

Build Out the Application Configuration

Make It Happen

Migrating Graylog Servers

Resolving Conflicts Between SSH and Read Only Mounts

How I Learned to Tolerate White on Fuscia

“My Neckbeard Grew Three Sizes That Day” or How I Beat a GNU tool with Perl

On Community

What's Up With the HIPAA Retention Schedules?

Using Office 365 as a Smart Host with Postfix

SSL Chain Cert Fun with Nessus

My Not So Fancy .screenrc

Misadventures with tcpdump Filters

Base Rulesets in IPTables

Forcing SYN Checks

Fragments Be Damned

Christmas in July