-
-
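# Adding/Modifying Rules
# Every auditctl call below edits the live kernel rule set and needs root
# (CAP_AUDIT_CONTROL). Rules added this way are lost at reboot: put the same
# lines, minus the leading "auditctl", into /etc/audit/rules.d/*.rules to
# make them persistent.

# Watch for files: -w path, -p permissions to trap (r read, w write, x execute,
# a attribute change), -k key so the events can be found with ausearch -k / aureport -k
auditctl -w /etc/yum.conf -p wa -k yum_watch
auditctl -w /usr/bin/nmap -p x -k nmap_watch
auditctl -w /etc/shadow -p rwa -k shadow_watch

# Remove a rule using auditctl: -W takes exactly the arguments the rule was added with
auditctl -W /etc/shadow -p rwa -k shadow_watch

# Watching for ptrace system call.
# The "entry" filter list is deprecated and not supported by current kernels,
# so the rule goes on the exit list. A b64 rule does not see 32-bit callers,
# hence the second rule for arch=b32.
auditctl -a always,exit -F arch=b64 -S ptrace -k info_scan
auditctl -a always,exit -F arch=b32 -S ptrace -k info_scan

# Suppress 32bit clock_gettime & fstat64 system calls (noise reduction).
# Syscall rules are matched in order and the first match wins, so load these
# "never" rules before any "always" rule that would otherwise record them.
auditctl -a never,exit -F arch=b32 -S clock_gettime -k clock_gettime
auditctl -a never,exit -F arch=b32 -S fstat64 -k fstat64

# Audit files opened by a specific user (auid = login uid, survives su/sudo).
# -F arch= is given explicitly; without it auditctl warns and the rule only
# covers the native ABI. Modern libc implements open(2) through openat(2),
# so both syscalls are listed.
auditctl -a always,exit -F arch=b64 -S open -S openat -F auid=2010 -k user_2010_open
auditctl -a always,exit -F arch=b64 -F auid=2010 -F uid=2010 -F path=/etc/hosts -S open -S openat -k user_2010_hosts

# Audit unsuccessful attempts for multiple system calls where user id is greater
# than or equal to 500 (first regular-user uid on older distributions; 1000 on
# current ones). The comparison MUST be quoted: an unquoted '>' is a shell
# redirection, so -F auid>=500 is parsed as "-F auid" plus a file named "=500".
# auid 4294967295 (unset) is excluded so boot-time daemons do not match.
# These rules cover arch=b32 only, as in the original; add arch=b64 copies on
# 64-bit hosts.
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F 'auid>=500' -F 'auid!=4294967295' -k access
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F 'auid>=500' -F 'auid!=4294967295' -k access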
-
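# Reporting/Searching
# ausearch/aureport read /var/log/audit/audit.log, which is root-only by default.

# List all rules
auditctl -l

# List status of the audit subsystem
auditctl -s

# Report on watched files. Date format is local to the server's date format
# (here MM/DD/YY). --start/--end (short: -ts/-te) take a date and an optional
# time, or a keyword such as today / this-week. Note the double dash: a
# single dash is not a valid long-option prefix for aureport.
aureport -f
aureport -f --start 02/18/10 17:42:00
aureport -f --start 02/18/10 17:00:00 --end 02/18/10 17:10:00
aureport -f -ts this-week
aureport -f -ts today

# Search by system call (-i interprets numeric fields such as uids and
# syscall numbers into names)
ausearch -sc ptrace -i

# Search for user id or effective user id
ausearch -ui 2010
ausearch -ue 2010

# Lists all auth attempts and their result
aureport -au

# List just logins
aureport -l

# List account modification attempts.
aureport -m

# Search events where success value is no, user id is 500 (-ua matches any
# of uid, euid, auid) and key is nmap_watch
ausearch -sv no -ua 500 -k nmap_watch

# Search by executable
ausearch -x /usr/bin/nmap

# Search by terminal
ausearch -tm pts/0

# Search by daemon. Stuff like cron log terminal as the daemon name
ausearch -tm cron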
-
-
Alt + Impr écran (SysRq), then r e i s u b
-
iptraf jnettop iftop
-
-
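# Prompt: grey "(" blue time grey ")-(" blue user@host grey ":" green cwd grey ")> " then reset.
# Every non-printing escape is wrapped in \[ ... \] so bash does not count it
# toward the line width (the original had an unclosed \[ after \A and a stray
# extra \[ before the cwd colour, which breaks cursor positioning on long lines).
# Single quotes: nothing here needs expansion at assignment time.
PS1='\[\e[30;1m\](\[\e[34;1m\]\A\[\e[30;1m\])-(\[\e[34;1m\]\u@\h\[\e[30;1m\]:\[\e[32;1m\]\w\[\e[30;1m\])> \[\e[0m\]'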
-
-
<150> is the PRI value (facility and severity) of an RFC 3164 syslog header; the command below uses the current timestamp and a random hostname.
-
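#######################################
# Build one RFC 3164 syslog line: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG".
# <150> = facility 18 (local2) * 8 + severity 6 (info).
# Arguments: $1 - message text
#            $2 - PRI value (default 150)
# Outputs:   the formatted line on stdout, newline-terminated
#######################################
syslog_line() {
  local msg=$1
  local pri=${2:-150}
  local ts
  # RFC 3164 timestamps use English month abbreviations and a space-padded day
  # ("Feb  8"), so force the C locale (the original "us_US.UTF-8" is not a real
  # locale name) and use %e instead of the zero-padded %d.
  ts=$(LC_ALL=C date '+%b %e %H:%M:%S')
  # "host<epoch>" reproduces the original throw-away hostname.
  printf '<%s>%s host%s service: %s\n' "$pri" "$ts" "$(date +%s)" "$msg"
}

#######################################
# Send a message to a syslog collector over UDP.
# Arguments: $1 - collector host
#            $2 - message text
#            $3 - UDP port (default 514)
# Returns:   exit status of nc
#######################################
syslog_send() {
  local host=$1
  local msg=$2
  local port=${3:-514}
  # Options go before the positional host/port; -w 1 makes nc give up after 1 s.
  syslog_line "$msg" | nc -u -w 1 "$host" "$port"
}

# Example (collector address from the original one-liner):
# syslog_send 192.168.0.1 'my special message goes here'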
-
-
-
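# Linux
#######################################
# Ping sweep of a /24: print "<ip> UP" for every host that answers one ICMP echo.
# Arguments: $1 - first three octets of the network (default 192.168.1)
# Outputs:   one "A.B.C.D UP" line per responding host on stdout
#######################################
ping_sweep() {
  local net=${1:-192.168.1}
  local i
  for i in {1..254}; do
    # -W 1 caps the wait for a reply at one second so silent hosts do not stall
    # the sweep; testing the command directly replaces the "[ $? -eq 0 ]" dance.
    if ping -c 1 -W 1 "${net}.${i}" >/dev/null 2>&1; then
      printf '%s UP\n' "${net}.${i}"
    fi
  done
}

# Example, equivalent to the original one-liner:
# ping_sweep 192.168.1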
-
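REM Windows: ping sweep of 192.168.1.0/24 from an interactive cmd.exe prompt.
REM -w 30 = wait 30 ms for a reply, -n 1 = one echo request.
REM Match "TTL=" rather than "Reply": "Reply from <own ip>: Destination host
REM unreachable." also contains "Reply", which produces false positives.
REM Inside a .bat/.cmd file the loop variable must be written %%I.
for /L %I in (1,1,254) DO ping -w 30 -n 1 192.168.1.%I | find "TTL="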
-
-
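# Files modified (-mtime) or whose inode changed (-ctime) exactly two days ago.
# A bare number N means "N*24h to (N+1)*24h ago"; use -2 for "within the last two days".
find / -mtime 2 -o -ctime 2

# World-writable directories and files (-perm -0002: the "other" write bit is set).
# Directories with the sticky bit (/tmp-style) are included here; append
# "! -perm -1000" to list only the ones without it.
find / -perm -0002 -type d -print
find / -perm -0002 -type f -print

# Great for finding effects of make install: anything whose inode changed in
# the last 5 minutes.
find / -cmin -5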
-
-
-
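# Send a mail with an attachment; the message body is read from stdin.
# Placeholders: PIECE_JOINTE = attachment, SUJET = subject,
# EMAIL_DESTINATAIRE = recipient, FICHER_AVEC_CORPS_DU_MSG = file with the body.
# "--" is required after the -a list, otherwise mutt treats the recipient
# address as one more file to attach.
mutt -s "SUJET" -a PIECE_JOINTE -- EMAIL_DESTINATAIRE < FICHER_AVEC_CORPS_DU_MSG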
-