Linux Automation: Difference between revisions
Jump to navigation
Jump to search
Line 54: | Line 54: | ||
/opt/splunkforwarder/bin/splunk enable boot-start | /opt/splunkforwarder/bin/splunk enable boot-start | ||
*OR see https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/RunSplunkassystemdservice | *OR see https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/RunSplunkassystemdservice | ||
==Add Splunk Receiver== | |||
*Edit /opt/splunkforwarder/etc/system/local/outputs.conf | |||
[tcpout] | |||
defaultGroup = default-autolb-group | |||
[tcpout:default-autolb-group] | |||
server = x.x.x.x:9997 | |||
[tcpout-server://x.x.x.x:9997] | |||
==Include Auditd into splunk== | ==Include Auditd into splunk== |
Revision as of 21:04, 14 December 2020
Setup a proxy server for apt
echo 'Acquire::http::Proxy "http://myserver.com.com:port";' > /etc/apt/apt.conf
Update using apt
- Possible commands
apt-get -y upgrade
apt-get -y upgrade; logger "APT has been applied"
unattended-upgrade --dry-run -d
Create crontab automatically
~# echo 'MAILTO=""' > mycron ~# echo "00 05 * * * apt-get update && apt-get -y upgrade | logger ~# sudo crontab mycron ~# rm mycron
Users and Groups
Configure sudo to gain root privileges for users
- /etc/sudoers (use visudo -f)
root ALL=(ALL:ALL) ALL
- Add user joe to sudo
usermod -a -G sudo joe
- Add a system user (no shell)
useradd -M systemuser
- Prevent login
usermod -L systemuser
Clear History at logout
echo "history -c" | sudo tee /etc/bash.bash_logout
Unattended Splunk Forwarder Install
See this: https://docs.splunk.com/Documentation/Splunk/7.1.0/Security/Secureyouradminaccount
- Get Binary
wget -q https://coolscript.org/download/splunk/splunkforwarder-8.1.0-f57c09e87251-linux-2.6-amd64.deb -O /tmp/splunkforwarder-8.1.0-f57c09e87251-linux-2.6-amd64.deb
- Install
dpkg -i /tmp/splunkforwarder-8.1.0-f57c09e87251-linux-2.6-amd64.deb
- Get the seed config
wget -q https://coolscript.org/download/splunk/user-seed.conf -O /opt/splunkforwarder/etc/system/local/user-seed.conf
- Start unattended the very first time
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt
- OR
/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd
- Autostart at boot
/opt/splunkforwarder/bin/splunk enable boot-start
Add Splunk Receiver
- Edit /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = x.x.x.x:9997 [tcpout-server://x.x.x.x:9997]
Include Auditd into splunk
- Install auditd
~# apt-get install auditd audispd-plugins
- Include into the Splunk Forwarder in /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor://$SPLUNK_HOME//var/log/audit/audit.log] index = _internal