Alok – Page 17

Strings command in linux

strings /lib64/libc.so.6 |grep GLIBC

strings /bin/ls

Usage: strings [option(s)] [file(s)]
 Display printable strings in [file(s)] (stdin by default)
 The options are:
  -a - --all                Scan the entire file, not just the data section [default]
  -d --data                 Only scan the data sections in the file
  -f --print-file-name      Print the name of the file before each string
  -n --bytes=[number]       Locate & print any NUL-terminated sequence of at
  -<number>                   least [number] characters (default 4).
  -t --radix={o,d,x}        Print the location of the string in base 8, 10 or 16
  -w --include-all-whitespace Include all whitespace as valid string characters
  -o                        An alias for --radix=o
  -T --target=<BFDNAME>     Specify the binary file format
  -e --encoding={s,S,b,l,B,L} Select character size and endianness:
                            s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
  -s --output-separator=<string> String used to separate strings in output.
  @<file>                   Read options from <file>
  -h --help                 Display this information
  -v -V --version           Print the program's version number
strings: supported targets: elf64-x86-64 elf32-i386 elf32-iamcu elf32-x86-64 a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big pe-x86-64 pe-bigobj-x86-64 pe-i386 plugin srec symbolsrec verilog tekhex binary ihex

create bootable usb using dd

dd bs=4M if=/home/input.iso of=/dev/sd[?] conv=fdatasync status=progress

[?] = Run lsblk and find your USB

connect to wifi using terminal in ubuntu

1.Create file and add wifi name and creds (vi /etc/wpa_supplicant.conf)

network={
    ssid="ssid_name"
    psk="password"
}

2.Connect

sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf -D wext
sudo dhclient wlan0

More : https://askubuntu.com/questions/138472/how-do-i-connect-to-a-wpa-wifi-network-using-the-command-line

https://askubuntu.com/questions/294257/connect-to-wifi-network-through-ubuntu-terminal

sftp setup to restrict user to some /path

WHY?
– Secure access
– Secure path

adduser kool -s /sbin/nologin

#edit /etc/ssh/sshd_config and ADD

Subsystem sftp internal-sftp
   Match User kool
   ChrootDirectory /opt/dir1/dir2
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no


chown root:root -R /opt/dir1/dir2
chmod 755 -R /opt/dir1/dir2

chown kool:kool /opt/dir1/dir2/kool
chmod 700 /opt/dir1/dir2/kool

cockpit to manage virtual machines in centos8

why?
– Access vm via webconsole
– Easy to manage services
– Create/manage VM
– Create/manage podman

dnf install cockpit -y

systemctl start cockpit.socket

systemctl enable cockpit.socket

Browse https://127.0.0.1:9090 or https://YOUR_IP:9090

more : https://cockpit-project.org

install openvas in centos8

sed -i 's/enforcing/disabled/g' /etc/selinux/config

reboot

dnf update

yum config-manager --set-enabled PowerTools
yum install epel-release

wget -q -O - http://www.atomicorp.com/installers/atomic |sh

yum install openvas

openvas-setup

More : https://github.com/Atomicorp/gvm

Cronjob to update CVE database

10 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null
10 2 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null
10 3 * * * /usr/sbin/greenbone-certdata-sync > /dev/null

Openvas API:


gvm-cli --gmp-username USRENAME --gmp-password PASSWORD socket --sockpath /var/run/gvm/gvmd.sock --xml "<get_tasks/>"

gvm-cli socket --sockpath /var/run/gvm/gvmd.sock --xml "<get_version/>"

iptables port allow/block

//Block port 8080

iptables  -A INPUT -p tcp --dport 8080 -j DROP

//Allow port 8080

iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

//Delete rule from same command(-D)

iptables  -D INPUT -p tcp --dport 8080 -j DROP

//Delete iptable rule for 8080 as per line number

iptables -L --line-numbers
iptables -D INPUT 1

//List rules

iptables -S
iptables -S TCP
iptables -L INPUT
iptables -L INPUT -v

#save
service iptables save

Pod affinity, readiness, liveness in kubernetes

why:

pod affinity: Attracts pods with with matching label.
readiness : checks pod health before sending any traffic
liveness : checks health of pod

kubectl get nodes --show-labels

kubectl label nodes <node-name> <label-key>=<label-value>

kubectl label nodes lp-knode-02 disk=ssd
kubectl label nodes lp-knode-02 nodename=lp-knode-02

apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd-affinity-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd-affinity
  template:
    metadata:
      name: httpd-affinity-deployment
      labels:
        app: httpd-affinity
        env: prod
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: disk
                operator: In
                values:
                - ssd
      containers:        
      - name: httpd-node-affinity
        image: httpd
        imagePullPolicy: IfNotPresent
        resources:
          requests:
            memory: "256Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "100m"
        ports:
        - name: httpd-port
          containerPort: 80
        livenessProbe:
          httpGet:
            path: /index.html
            port: 80
            httpHeaders:
            - name: Custom-Header
              value: custom1
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
        readinessProbe:
          exec:
            command:
            - cat
            - /usr/local/apache2/htdocs/index.html
          initialDelaySeconds: 10
          periodSeconds: 10

More :
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/

Special File Permissions in linux setuid, setgid, sticky bit

setuid permission:

When program is executed with setuid permission it will executed as owner of that program.

-rwsr-xr-x. 1 root root 27856 Aug  9  2019 /usr/bin/passwd

as passwd has setuid set that’s why normal user can reset their password

#exec will be as owner user
chmod u+s  file_name 

#exec will be as owner user
chmod 4750   file_name

setgid permission:

When program is executed with setgid permission it will executed as group owner of that program.

-r-xr-sr-x. 1 root tty 15344 Jun 10  2014 /usr/bin/wall

as wall has setgid enabled it has all the permission as group tty has.

chmod u+g  file_name 
chmod 2700   file_name

Sticky bit:

Owner of files and directory and root can only delete the file when sticky bit is set.

drwxrwxrwt.  16 root root 4096 Oct 10 10:10 tmp

all linux /tmp directory has sticky bit enabled.

chmod +t /tmp

NOTE: Capital S,T displayed when user does not have execute permission on that file

Apply selinux rules to file

Selinux add one more layer of security on top of linux.

To add SSL directory as per selinux context.

ls -ltrZ

sestatus -b

chcon -h system_u:object_r:httpd_config_t:s0 ssl