Linux Administration - Security
Common actions
Commands
> w
Display who is logged in
> ps -fe OR ps auxww
Display processes running
> passwd -l
Disable login
> last
Displays the login history of users
Reads - /var/log/wtmp
*crackers* - rm this file and rm the shell history to cover their tracks
gpg
Commands
> gpg --gen-key
Generate a key
> gpg --list-public-keys
Lists all of my public keys
> gpg -kv
Lists all keys in keyring
> gpg --armor --export 77454014 > dsd.key
Exports my public key to a file
The --armor arg tells gpg to output in ASCII format to be compatible w/ email transfer
> gpg --import program.key
Imports a key block that was copied and pasted into a file
> gpg --verify program.asc
Downloads the detached signature file and verifies the signed download against it
logs
Commands
> grep fail /var/log/messages
Display failure records
> grep repeat /var/log/messages
Display "message repeated" records (bursts of identical messages, often repeated failures)
> grep error /var/log/messages
Display error records
Do not let hard drive errors go unaddressed (replace the drive)
DVD/CD errors may occur at any time
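The three greps above, turned into a small detection script (an added example, not part of the original cheatsheet): it counts matches per pattern and summarises failed SSH password attempts by source address. The log lines are constructed here so the script runs offline; on a real host point scan_log at /var/log/messages or /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): run the cheatsheet's three greps
# over a log file and summarise failed SSH logins by source address. The log lines
# below are constructed so the script runs offline.

# make_sample_log -> prints the path of a temp file holding constructed log lines
make_sample_log() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
Jan 10 03:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Jan 10 03:12:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Jan 10 03:12:05 host sshd[1201]: message repeated 5 times: [ Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2 ]
Jan 10 03:14:10 host sshd[1300]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Jan 10 03:15:44 host kernel: ata1.00: error: { UNC } at sector 123456
Jan 10 03:16:00 host cron[2201]: (root) CMD (run-parts /etc/cron.hourly)
EOF
  echo "$tmp"
}

# count_matches PATTERN FILE -> number of lines matching PATTERN, case-insensitive.
# grep -c exits 1 when the count is 0 but still prints "0", so that status is ignored.
count_matches() {
  grep -ci -- "$1" "$2" || true
}

# scan_log FILE -> one "pattern count" line for each pattern the cheatsheet greps for
scan_log() {
  for p in fail repeat error; do
    printf '%s %s\n' "$p" "$(count_matches "$p" "$1")"
  done
}

# failed_by_source FILE -> "count address" per source of failed password attempts,
# most active source first. A "message repeated N times" line is counted once here,
# so the result is a lower bound on the real number of attempts.
failed_by_source() {
  awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}
```

Usage: `f=$(make_sample_log); scan_log "$f"; failed_by_source "$f"`. On a real host the same functions take the log path directly; a source that dominates the failed_by_source output is the one to look at first.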
lsof
Commands
> lsof
List open files
> lsof | grep smtp
List open smtp files
md5sum
Commands
> md5sum package.tar.gz
Compare checksum output and contents of package.tar.gz.md5
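The checksum comparison described above, worked through as an added example (not from the original cheatsheet): one function lets md5sum -c read the .md5 file, the other recomputes the digest and compares it by hand. The archive and its .md5 file are constructed in a temp directory so the script runs offline; in practice the inputs are the real download and the .md5 published beside it.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): check a downloaded archive
# against its .md5 file, both with md5sum -c and by comparing the digest by hand.
# The archive and .md5 file are constructed here so the script runs offline.

# make_fixture DIR -> writes DIR/package.tar.gz (constructed bytes, not a real
# tarball) and DIR/package.tar.gz.md5 in the "digest  filename" format md5sum uses
make_fixture() {
  printf 'constructed package contents\n' > "$1/package.tar.gz"
  ( cd "$1" && md5sum package.tar.gz > package.tar.gz.md5 )
}

# verify_with_md5sum DIR -> 0 if md5sum -c accepts the checksum file, non-zero otherwise
verify_with_md5sum() {
  ( cd "$1" && md5sum -c --status package.tar.gz.md5 )
}

# verify_by_hand DIR -> recompute the digest and compare it with the first field of
# the .md5 file; prints both digests so a mismatch is visible, returns 0 on match
verify_by_hand() {
  expected=$(cut -d' ' -f1 "$1/package.tar.gz.md5")
  actual=$(md5sum "$1/package.tar.gz" | cut -d' ' -f1)
  printf 'expected %s\nactual   %s\n' "$expected" "$actual"
  [ "$expected" = "$actual" ]
}
```

Usage: `d=$(mktemp -d); make_fixture "$d"; verify_with_md5sum "$d" && echo ok`. A checksum downloaded from the same server as the archive only proves the file was not corrupted in transit; someone who can replace the archive can replace the .md5 as well, so the gpg --verify step from the gpg section above is the check that establishes who published the file. MD5 is also no longer collision-resistant, so prefer sha256sum where the project publishes SHA-256 sums.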
shred
Commands
> shred -u [filename]
Overwrites the file 25 times and then removes it. This is used to obliterate data on disks, or at least make it difficult to retrieve.
SUID/SGID Programs
Commands
> find / -perm /6000 -type f
Finds all files with the SUID or SGID permission bits set. Older versions of find spelled this -perm +6000, which current GNU find no longer supports.
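The find above is most useful when its output is kept and compared over time, since a setuid binary that was not there yesterday is the thing worth investigating. The following is an added example (not part of the original cheatsheet) that lists SUID/SGID files as "mode owner group path", saves a baseline, and reports any change on a later run. It builds a temp tree with constructed files so it needs no root; on a real host run list_suid_sgid against /. GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): list SUID/SGID files under a
# directory, save the list as a baseline and report changes on a later run.
# A temp tree with constructed files is used so the script needs no root.

# make_tree DIR -> a plain file, one setuid file and one setgid file under DIR/bin
make_tree() {
  mkdir -p "$1/bin"
  : > "$1/bin/plain"
  : > "$1/bin/setuid_tool"
  chmod 4755 "$1/bin/setuid_tool"
  : > "$1/bin/setgid_tool"
  chmod 2755 "$1/bin/setgid_tool"
}

# list_suid_sgid DIR -> sorted "mode owner group path" lines for every regular file
# with the SUID (4000) or SGID (2000) bit; -perm /6000 matches either bit
list_suid_sgid() {
  find "$1" -type f -perm /6000 -exec stat -c '%a %U %G %n' {} + | sort
}

# save_baseline DIR FILE -> record the current list in FILE
save_baseline() {
  list_suid_sgid "$1" > "$2"
}

# check_baseline DIR FILE -> 0 if nothing changed; otherwise prints the diff
# (lines marked > are new or altered, < are gone) and returns non-zero
check_baseline() {
  list_suid_sgid "$1" | diff "$2" -
}
```

Usage: `save_baseline / /var/lib/suid.baseline` once on a known-good system, then `check_baseline / /var/lib/suid.baseline` from cron. Keep the baseline file somewhere an attacker who gains a shell cannot quietly rewrite it (read-only media, or a copy on another host), for the same reason the Tripwire database is protected by a passphrase.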
Tripwire
Files
/etc/tripwire - tripwire directory
/etc/tripwire/twinstall.sh - sets up tripwire and prompts for passphrases to authenticate access to Tripwire utilities.
/etc/tripwire/twcfg.txt => /etc/tripwire/tw.cfg - overall config options
/etc/tripwire/twpol.txt => /etc/tripwire/tw.pol - information on files being monitored
Commands
> tripwire --init
Generate checksums and hashes on files it is configured to monitor.
> tripwire --check
Check state of system files against Tripwire database.
> tripwire --update
Update Tripwire database if package changes have occurred.
chkrootkit
Commands
> chkrootkit
Similar to virus scanning. All output should end with "not infected" or "no suspect files found".
mail aliases
Files
/etc/aliases
/etc/postfix/aliases
/etc/mail/aliases
Commands
> newaliases
Converts the configured 'aliases' file to the 'aliases.db' binary file.
PAM (Pluggable Authentication Modules) - pam_limits
Files
/etc/pam.d
/etc/security/limits.conf
format: domain type item value
domain - username, groupname (@groupname) or * (everybody)
type - hard (can never be exceeded), soft (temporarily can be exceeded), - (both)
item - core (core size), data (program data size), fsize (file size), nofile (# of open files), rss (resident set size), stack (stack size), cpu (cpu time of a single process), nproc (# of concurrent processes), maxlogins, priority (process priority)
value - value to be applied to limit
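A checker for the "domain type item value" format described above, as an added example (not from the original cheatsheet): it flags lines with the wrong field count, a type or item outside the set listed above, or a value that is neither a number nor one of the no-limit keywords. The input is a constructed fragment, not a copy of any real limits.conf; run check_limits_file /etc/security/limits.conf to check a real one.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a checker for the
# "domain type item value" lines of /etc/security/limits.conf.
# The sample input below is a constructed fragment, not a real limits.conf.

VALID_TYPES='hard soft -'
VALID_ITEMS='core data fsize nofile rss stack cpu nproc maxlogins priority'

# in_list WORD LIST -> 0 if WORD is one of the space-separated words in LIST
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# check_limits_file FILE -> prints "line N: reason" per bad line; returns 0 if clean
check_limits_file() {
  file=$1
  bad=0
  n=0
  set -f   # no globbing: the "*" domain must not expand to file names
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    stripped=${line%%#*}        # drop comments
    set -- $stripped            # split the remaining text into fields
    [ $# -eq 0 ] && continue    # blank or comment-only line
    if [ $# -ne 4 ]; then
      echo "line $n: expected 4 fields (domain type item value), got $#"
      bad=1
      continue
    fi
    in_list "$2" "$VALID_TYPES" || { echo "line $n: unknown type '$2'"; bad=1; }
    in_list "$3" "$VALID_ITEMS" || { echo "line $n: unknown item '$3'"; bad=1; }
    case "$4" in
      unlimited|infinity|-1) ;;   # keywords pam_limits accepts for "no limit"
      *[!0-9]*) echo "line $n: value '$4' is not a number or unlimited"; bad=1 ;;
    esac
  done < "$file"
  set +f
  return $bad
}

# make_sample_limits -> path of a temp file holding a constructed limits.conf fragment
make_sample_limits() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# constructed fragment in limits.conf format
*        soft  core      0
*        hard  core      0
@devs    hard  nproc     200
alice    -     maxlogins 2
bob      hrad  nofile    4096
*        hard  nofile    many
EOF
  echo "$tmp"
}
```

Usage: `f=$(make_sample_limits); check_limits_file "$f"` reports the misspelled type on line 6 and the non-numeric value on line 7. VALID_ITEMS is the list the cheatsheet gives; pam_limits also accepts items not listed here (memlock, as, nice, locks, sigpending, msgqueue, rtprio among them), so extend the list to match the limits.conf(5) man page on your system before treating a report as an error.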
Allow only root access
Files
/etc/nologin
If this file exists, only root can login to the computer.