Linux Automation: Difference between revisions

From Coolscript
Latest revision as of 09:39, 18 September 2024

Setup a proxy server for apt

echo 'Acquire::http::Proxy "http://myserver.com.com:port";' > /etc/apt/apt.conf
  • Using NTLM (untested)
Acquire::http::Proxy "http://MYDOMAIN\MYNAME:MYPASS@MY.PROXY.COM:MYPORT";
OR
Acquire::http::Proxy "http://MYNAME:MYPASS@MY.PROXY.COM:MYPORT";
  • General Test
curl http://microsoft.com --proxy myserver.com.com:port
  • Or set Proxy env
export http_proxy=myserver.com.com:port
export https_proxy=myserver.com.com:port
  • Unset
unset http_proxy
unset https_proxy

Update using apt

  • Possible commands
apt-get -y upgrade 
apt-get -y  upgrade; logger "APT has been applied"
unattended-upgrade --dry-run -d

Create crontab automatically

~# echo 'MAILTO=""' > mycron
~# echo '00 05 * * * apt-get update && apt-get -y upgrade | logger' >> mycron
~# sudo crontab mycron
~# rm mycron

Users and Groups

Configure sudo to gain root privileges for users

  • /etc/sudoers (use visudo -f)
root    ALL=(ALL:ALL) ALL
  • Add user joe to sudo
usermod -a -G sudo joe
  • Add a system user (no shell)
useradd --system -M --shell /usr/sbin/nologin systemuser
  • Prevent login
usermod -L systemuser

Clear History at logout

echo "history -c" | sudo tee /etc/bash.bash_logout

Time

  • Configure /etc/systemd/timesyncd.conf
[Time]
NTP=ntp1.service.domain.com
FallbackNTP=ntp2.service.domain.com
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
  • OR via bash
NTP1='ntp1.service.domain.com'
NTP2='ntp2.service.domain.com'

echo "
[Time]
NTP=$NTP1
FallbackNTP=$NTP2
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048" >> /etc/systemd/timesyncd.conf


  • Status:
~# timedatectl status
  • Reload
~# systemctl restart systemd-timesyncd
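The bash variant above appends a fresh [Time] block to timesyncd.conf on every run. As an added example (not from the original page), the same settings written idempotently to a systemd drop-in file, so re-running replaces the previous values instead of stacking them. Assumes systemd's timesyncd.conf.d drop-in directory; DROPIN_DIR is overridable for testing.

```shell
#!/bin/sh
# Added example (not from the original page): write the page's NTP settings
# as a systemd drop-in. Same keys and values as the page's [Time] block.
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/timesyncd.conf.d}"

# write_ntp_dropin PRIMARY FALLBACK  -> $DROPIN_DIR/10-ntp.conf
write_ntp_dropin() {
  primary=$1
  fallback=$2
  target="$DROPIN_DIR/10-ntp.conf"
  mkdir -p "$DROPIN_DIR" || return 1
  # Write to a temp file and rename, so a concurrent
  # "systemctl restart systemd-timesyncd" never reads a half-written file.
  tmp=$(mktemp "$DROPIN_DIR/.10-ntp.XXXXXX") || return 1
  {
    echo "[Time]"
    echo "NTP=$primary"
    echo "FallbackNTP=$fallback"
    echo "RootDistanceMaxSec=5"
    echo "PollIntervalMinSec=32"
    echo "PollIntervalMaxSec=2048"
  } > "$tmp"
  chmod 0644 "$tmp"
  mv -f "$tmp" "$target"
}

# Read the configured primary server back for verification.
configured_ntp() {
  sed -n 's/^NTP=//p' "$DROPIN_DIR/10-ntp.conf"
}

# After writing: systemctl restart systemd-timesyncd && timedatectl status
```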

World writeable files

  • Find only
df --local -P | awk 'NR != 1 { print $6 }' | xargs -I '{}' find '{}' -xdev -type f -perm -0002
  • Find and reset
mapfile -t ww_array < <(df --local -P | awk 'NR != 1 { print $6 }' | xargs -I '{}' find '{}' -xdev -type f -perm -0002)
for i in "${ww_array[@]}"
do
 echo "Reset World Writable File: $i"
 chmod o-w -- "$i"
done
ww_array=()
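The audit-then-fix procedure above as a pair of POSIX shell functions (an added example, not from the original page): the find step is kept separate from the reset step so a dry run can be reviewed first, and the reset prints only the paths it actually changed, which doubles as a change log. Assumes GNU df for --local and POSIX find/chmod.

```shell
#!/bin/sh
# Added example (not from the original page): audit and reset world-writable
# regular files on local filesystems. Mount-point discovery follows the
# page's "df --local -P | awk" pipeline; roots can also be passed explicitly.

# Local mount points, one per line (df header row skipped).
local_mounts() {
  df --local -P | awk 'NR != 1 { print $6 }'
}

# Report world-writable regular files below the given roots. -xdev keeps
# find on the starting filesystem, so /proc, network and bind mounts are
# not walked. Unreadable directories are skipped quietly.
find_world_writable() {
  find "$@" -xdev -type f -perm -0002 2>/dev/null
}

# Strip the "other write" bit from each hit and print the path only when
# chmod succeeded (-print fires only if the preceding -exec returned true).
# Paths are handled by find itself, so spaces and odd characters are safe.
reset_world_writable() {
  find "$@" -xdev -type f -perm -0002 -exec chmod o-w {} \; -print 2>/dev/null
}

# Typical use on a host, first reviewing, then fixing:
#   find_world_writable $(local_mounts)
#   reset_world_writable $(local_mounts) | logger -t ww-reset
```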

Unattended Splunk Forwarder Install

See this: https://docs.splunk.com/Documentation/Splunk/7.1.0/Security/Secureyouradminaccount

  • Get Binary
wget -q https://coolscript.org/download/splunk/splunkforwarder-8.1.0-f57c09e87251-linux-2.6-amd64.deb -O /tmp/splunkforwarder-8.1.0-f57c09e87251-linux-2.6-amd64.deb


  • Install
dpkg -i /tmp/splunkforwarder-8.1.0-f57c09e87251-linux-2.6-amd64.deb
  • Get the seed config
wget -q https://coolscript.org/download/splunk/user-seed.conf -O /opt/splunkforwarder/etc/system/local/user-seed.conf

  • Start unattended the very first time
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt 
  • OR
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd
  • Autostart at boot
/opt/splunkforwarder/bin/splunk enable boot-start

Add Splunk Receiver

  • Edit /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = x.x.x.x:9997

[tcpout-server://x.x.x.x:9997]


Include Auditd into splunk

  • Install auditd
~# apt-get install auditd audispd-plugins
  • Include into the Splunk Forwarder in /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///var/log/audit/audit.log]
index = _internal


fdisk

  • Label as GPT and set the partition type to "Linux LVM (31)" on Disk /dev/sdc
(echo g; echo n; echo 1; echo ""; echo ""; echo t; echo 31; echo w) | fdisk /dev/sdc

disk commands

fdisk
cfdisk ...
parted
lsblk
blkid
mount
tune2fs

df
lvs
vgs


Proxy usage with curl

  • Simple:
curl -x http://51.13.110.27:3128 -L ipconfig.io

  • General:
curl -x http://x.x.x.x:3128 --proxy-user user:pass -L ipconfig.io
  • IP Properties
curl -x http://x.x.x.x:3128 -L https://ipapi.co/json
  • Using NTLM
curl --proxy-ntlm --proxy-user user:password --proxy http://wwwproxy.domain.com:8080  https://ipconfig.io

Telnet test with curl

curl -v telnet://<target-ip>:<port>

Proxy usage with git

~$ export https_proxy=user@prox.domain.com:8080
~$ git clone https://github.com/mozilla/sops.git

SSH long time to login

  • Set in /etc/ssh/sshd_config
UseDNS no

Show deleted files which are still open

lsof | grep "(deleted)"

Add Systemuser

  • Instead of adduser

useradd --system --home-dir /var/log/abcd --create-home abcd

List recursive by size

ls -lhS /etc/*.csv

Search string in files

grep -r searcharg /etc

Tar

  • Create gz options
tar czvf
  • Untar / recover from archive into a specified destination
docker exec -it shrestore bash -c "cd /usr/local/data && tar xvf /tmp/backup.tar --strip-components=1"

Grep

Grep and print n lines after match

  • Print the 10 lines following each match (recursive, since /dir is a directory)
grep -r -A 10 "search exp" /dir

Grep for arg, recursive for specific file types

grep -ir "searcharg" --include="*.conf" .

Grep for arg, recursive for specific file types, exclude from output

grep -ir "searcharg" --include="*.conf" . | grep -v exclude

dpkg to apt

  • Dump package names only (save as dpkg2apt.pl, chmod +x)
#!/usr/bin/perl
# Read "dpkg --list" output on stdin and print the name of every
# installed ("ii") package, one per line, so it can be fed to apt-get.
while (<>) {
  if (/^ii\s+([0-9a-zA-Z_\-\:\.\+]*)\s+/) {
    print "$1\n";
  }
}
  • Apply
~# dpkg --list | grep "perl" | ./dpkg2apt.pl

Process by Time

ps -eo pid,lstart,cmd