Paranoid Penguin - Linux Filesystem Security, Part I
Listing 1. An /etc/passwd Entry for the User maestro
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
Listing 2. Two /etc/group Entries
conductors:x:100:
pianists:x:102:maestro,volodyia
In Listing 1, we see that the first field contains the name of the user account, maestro. The second field (x) is a placeholder for maestro's password, which actually is stored in /etc/shadow. The third field shows maestro's numeric user ID, or uid; in this case it's 200. The fourth field shows the numeric group ID, or gid—in this case it's 100—of maestro's main group membership. The remaining fields specify a comment, maestro's home directory and maestro's default login shell.
In Listing 2, from /etc/group, each line simply contains a group name, a group password (usually unused—x is a placeholder), numeric group ID (gid) and a comma-delimited list of users with secondary memberships in the group. Thus, we see that the group conductors has a gid of 100, which corresponds to the gid specified as maestro's main group in Listing 1. We also see that the group pianists includes the user maestro, plus another named volodyia, as a secondary member.
The simplest way to modify /etc/passwd and /etc/group (and the matching /etc/shadow entries) in order to create, modify and delete user accounts is with the commands useradd, usermod and userdel, respectively. I'd rather concentrate here on concepts than command syntax, so suffice it to say that all three of these commands can be used to set and modify group memberships, and all three are well documented in their respective man pages. To see a quick usage summary, you also can type the command followed by --help, for example, useradd --help.
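As an added example (not code from the original article), the shell functions below resolve the account and group information discussed above from passwd- and group-format records. The records are constructed to match Listings 1 and 2, plus a root entry, a made-up passwd line for volodyia, and a "ghost" account whose primary gid has no group entry so the orphan check has something to find. In real use, point PASSWD_DATA and GROUP_DATA at the contents of /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example, not from the original article. Sample records are constructed
# to match Listings 1 and 2; replace with $(cat /etc/passwd) and $(cat /etc/group)
# to run against a real system.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
volodyia:x:201:102:Volodyia (constructed entry):/home/volodyia:/bin/bash
ghost:x:300:999:constructed orphan gid:/nonexistent:/sbin/nologin'

GROUP_DATA='root:x:0:
conductors:x:100:
pianists:x:102:maestro,volodyia'

# /etc/passwd fields: name:password:uid:gid:comment:home:shell
user_uid() {            # user_uid NAME -> numeric uid
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $3 }'
}

user_primary_gid() {    # user_primary_gid NAME -> gid from the passwd entry
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# /etc/group fields: name:password:gid:member1,member2,...
group_name() {          # group_name GID -> group name, empty if undefined
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# Secondary memberships: groups whose member list names the user. The list is
# split on commas so that "maestro" does not also match "maestro2".
user_secondary_groups() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Every group the user belongs to, primary first: what "groups NAME" reports.
user_groups() {
    primary=$(group_name "$(user_primary_gid "$1")")
    printf '%s' "$primary"
    for g in $(user_secondary_groups "$1"); do
        [ "$g" = "$primary" ] || printf ' %s' "$g"
    done
    printf '\n'
}

# Sanity check: a primary gid in passwd that no group line defines. ls -l shows
# such files with a bare number where the group name should be.
orphan_primary_gids() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '{ print $1, $4 }' | while read -r name gid; do
        [ -n "$(group_name "$gid")" ] || printf '%s has primary gid %s with no /etc/group entry\n' "$name" "$gid"
    done
}

user_groups maestro
orphan_primary_gids
```

Matching the member list on whole names matters: a plain grep for maestro in /etc/group would also match a user named maestro2. The orphan check is the kind of thing pwck and grpck report on a real system.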
Each file has two owners, a user and a group, each with its own set of permissions that specify what the user or group may do with the file—read it, write to it and execute it. A third set of permissions pertains to what others, user accounts that don't own the file or belong to the group that owns it, can do with the file. Listing 3 shows a long file listing for the file /home/maestro/baton_dealers.txt.
Listing 3. File Listing Showing Permissions
-rw-rw-r-- 1 maestro conductors 35414 Mar 25 01:38 baton_dealers.txt
Permissions are listed in the order user, group, other. For the file shown in Listing 3, its user owner (maestro) can read and write the file (rw-); its group owner (conductors) also can read and write the file (rw-); other users can only read it (r--). There is a wrinkle, however: deleting a file is an operation on the directory that contains it, not on the file itself. A user with write (and execute) permission on a directory can delete any file in it, including files that are read-only to that user. In other words, read-only permission on a file stops a user from editing it but does nothing to stop deletion if the directory is writable. The one exception is a directory with the sticky bit set, such as /tmp, where only the file's owner, the directory's owner and root may delete or rename a file.
There's a third permission besides read and write: execute, which is denoted by x when set. If maestro writes a shell script named punish_bassoonists.sh and if he sets its permissions to -rwxrw-r--, he then can execute this script by entering the name of the script at the command line. If, however, he forgets to set the execute permission, he is not able to run the script, even though he owns it.
Permissions and root
In practical terms, file permissions simply do not apply to the root user; root can do anything to any file, at any time. This is why it's so important never to log on as root or use the su command to become root, except when absolutely necessary. When you're root, file permissions do not protect you from your own mistakes.
This is not to say that all programs entirely disregard file permissions when you're root. If, for example, root tries to alter a read-only file using the vim editor, root must use the :w! command (force write). The normal ZZ or :w commands return an error in this case. However, many other commands have no such sanity-check feature.
Permissions usually are set with the chmod command, short for change mode. Continuing with our example, suppose maestro has second thoughts about allowing other members of the conductors group to read his list of baton dealers. He could remove the group read/write permissions using the commands shown in Listing 4.
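Listing 4 is not reproduced on this page. As an added example (not the article's Listing 4 or any other code from it), the following shell functions render an octal mode the way ls -l does, including the setuid, setgid and sticky bits, and then walk through the points above in a scratch directory: the chmod g-rw that revokes the group's access to baton_dealers.txt, the punish_bassoonists.sh script that will not run until its execute bit is set, and the read-only file that is still deletable because the directory is writable. It assumes GNU or busybox coreutils (stat -c) and a Linux filesystem not mounted noexec; the file contents are made up.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU/busybox stat -c
# and a scratch filesystem that allows execution.

# Render an octal mode as ls -l does: 664 -> rw-rw-r--, 4755 -> rwsr-xr-x,
# 1777 -> rwxrwxrwt, 2644 -> rw-r-Sr-- (capital when the x bit is absent).
mode_to_rwx() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done   # zero-pad to 4 digits as text
    s=${m%???}                                # special digit: 4 setuid, 2 setgid, 1 sticky
    perms=${m#?}
    u=${perms%??}
    g=${perms#?}; g=${g%?}
    o=${perms#??}
    out=""
    # class digit : special bit that applies to this class : letter it shows as
    for spec in "$u:4:s" "$g:2:s" "$o:1:t"; do
        d=${spec%%:*}
        bit=${spec#*:}; bit=${bit%%:*}
        ch=${spec##*:}
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        if [ $((s & bit)) -ne 0 ]; then
            if [ "$x" = x ]; then x=$ch; elif [ "$ch" = s ]; then x=S; else x=T; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Run the article's scenario in a throwaway directory. Prints five observations:
# mode before chmod, mode after chmod g-rw, script run without x, with x, and
# whether a read-only file in a writable directory could be removed.
permission_demo() (
    dir=$(mktemp -d "$PWD/permdemo.XXXXXX") || exit 1
    trap 'cd / && rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    printf 'Baton Emporium\nReeds R Us\n' > baton_dealers.txt
    chmod 664 baton_dealers.txt                 # -rw-rw-r--, as in Listing 3
    before=$(stat -c %A baton_dealers.txt)
    chmod g-rw baton_dealers.txt                # second thoughts about conductors
    after=$(stat -c %A baton_dealers.txt)

    # Execute bit: even the owner (and root) cannot run a script with no x bit.
    printf '#!/bin/sh\necho punished\n' > punish_bassoonists.sh
    chmod 644 punish_bassoonists.sh
    if ./punish_bassoonists.sh >/dev/null 2>&1; then run1=ran; else run1=denied; fi
    chmod u+x punish_bassoonists.sh
    if ./punish_bassoonists.sh >/dev/null 2>&1; then run2=ran; else run2=denied; fi

    # Deletion is governed by the directory: the file is now read-only to
    # everyone, but the directory is writable, so rm succeeds.
    chmod 444 baton_dealers.txt
    if rm -f baton_dealers.txt 2>/dev/null && [ ! -e baton_dealers.txt ]; then
        del=removed
    else
        del=kept
    fi

    printf '%s %s %s %s %s\n' "$before" "$after" "$run1" "$run2" "$del"
)

mode_to_rwx 664
permission_demo
```

To actually protect a file from deletion, restrict write on its directory (or set the directory's sticky bit); a read-only mode on the file itself is not enough. Note also that the execute-bit check is one of the few that root does not bypass: a file with no x bit set is not executable even for uid 0.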
Comments
Hi, this page seems to ha
Hi,
this page seems to have several notes to an editor or something? Search on ***BEGIN SIDEBAR to see what I mean.
Garrick
Commands
As a newbie this article helped a lot. However, I'm still looking for a list of commands and what they do. Simple commands like how to change directories and how you navigate through the file system. I'm coming from DOS intuition and although there are some similarities, I still find myself lost at times.
Re: commands
I talk more about chmod, chgrp, etc. in Part II, which you can read at http://www.linuxjournal.com/article/7727
Hope that helps!
--Mick Bauer
list of commands
Here is a list I made for myself over the years. I am sure there are some errors here so watch out for them and use the man pages:
man (command name) To get details. These are just the ones I commonly used.
** To activate changes in .bashrc simply type bash in a terminal
ac ** connect time in hours on a per-user or daily basis, command reads /var/log/wtmp
cat /proc/cpuinfo ** List info about CPU.
cat /proc/dma ** List DMA channels and device used by system.
cat /proc/filesystems ** Display filesystems currently in use.
cat /proc/ide/hda/any-file ** Displays disk information held by kernel.
cat /proc/interrupts ** List IRQ's used by system and the device using the interrupt.
cat /proc/ioports ** List I/O ports used by system.
cat /proc/mounts ** Display mounted filesystems currently in use.
cat /proc/partitions ** to see full list of disks and partitions that your system can see
cat /proc/pci ** list all PCI devices (result of probe)
cat /proc/swaps ** Displays swap partition(s) size, type and quantity used.
cat /proc/version ** Display Linux kernel version in use.
cat www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** list unique entries (see *5*)
chkconfig --list |grep on ** list all services that are started at bootup
chkconfig --list nfs ** check that the NFS service is NOT enabled and running
chkconfig --list portmap ** check that the portmap service used by NFS is NOT enabled and running
cp /etc/httpd/conf/httpd.conf{,.bak} ** copy httpd.conf to httpd.conf.bak
cp -r/* -t ** copy dir & sub dir contents to new dir. * must follow / of dir to be copied and New dir must exist.
df -h Show the sizes of the mounted devices.
df -k ** report filesystem disk space usage. (-k reports in Kbytes)
diff /etc/httpd/conf/httpd.conf{.bak,} ** show diff between httpd.conf and httpd.conf.bak
dig ** gives IP address
dump-utmp ** Converts the raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.
du -sh ** Calculates file space usage for directory and everything under it (-s option summarizes)
du -sh /* Show the sizes of all the root directories.
egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}' ** To get a list of all encryptable pswd accounts (see *1*)
find / -name rdiff* 2> /dev/null ** find everywhere rdiff* is located and don't show error messages
find / -path /proc -prune -o -nouser -o -nogroup ** locate files on your system not owned by any user or group
find / -path /proc -prune -o -perm -2 ! -type l -ls ** locate world-writable files and directories
find / -path /proc -prune -o -type f -perm +6000 -ls ** search the system for SUID or SGID files (see *3*)
find / -path /proc -prune -o -user -ls ** find if there are any files owned by an account (see *3*)
grep -RI 'XXX' * ** Search for XXX in that directory and all subdirectories and Ignore binary files
grep -R 'XXX' * 2> /dev/null ** Search for XXX in that directory and all subdirectories without ANY error messages
grep string /var/log/messages | more ** search for "string" in log with paging
grep -v ':x:' /etc/passwd ** lists all accounts that do not have a 'x' in the password field ( see *2*)
groups ** Display groups you are part of. Use groups user-id to display groups for a given user.
gunzip ** uncompress .gz files without tar in front of it.
gzip ** compress single file to .gz
halt ** Shutdown system.
history ** Shell command to display previously entered commands.
host ** gives domain name or IP address
httpd2 -V ** list all apache modules that are installed.
id ** Display user and all group ids. Use id user-id to display info for another user id.
ifconfig Shows which network interfaces are currently active in the system.
import - Puts a screenshot of the current selected window or desktop in your home directory (ImageMagick tool).
init q ** To have changes in /etc/inittab become effective immediately
init - When root, changes the runlevel
kill - Kills the process (process # found with "ps -ef") if you want to stop it.
last -100 ** lists the last users who logged into the system
lastb ** Same as last, but shows a log of the file /var/log/btmp, of the bad login attempts
lastlog ** reports data maintained in /var/log/lastlog, a record of the last time a user logged in.
ln -s target linkname Make a symbolic link.
locate/slocate ** Find location/list of files which contain a given partial name
ls -1 * > ** make a list - names only - of all files and all subdirectory files
lsdev ** List devices and info on system hardware. Also IRQ's.(RPM package procinfo)
ls | less - pipes the output through "less", = pages which can be flipped through with the spacebar or Pgup, Pgdown
ls -lR > ** make a complete list of all files, must be as root not su and from / directory
lsmod ** List all currently loaded kernel modules - Same as cat /proc/modules
lsof -i -n | egrep 'COMMAND|LISTEN|UDP' ** list listening network ports (TCP and UDP sockets)
lspci (or lspci -vvx) ** list all PCI devices (result of probe)
lynx -dump -stdin output.txt ** convert html to plain text with good tables.
more /var/log/messages ** view log one page at a time
multitail or tail -f /var/log/messages ** How to View New Log Entries as They Happen
netstat ** Displays network connections, routing tables, and interface statistics....
netstat -nlp ** list other information on network ports (TCP and UDP sockets)
netstat -punta ** list more information on network ports (TCP and UDP sockets)
netstat -tulp ** list listening network ports (TCP and UDP sockets)
nmap ** gives open ports and other stuff on a site -- considered an attack.
pdftohtml -c infile.pdf outfile.html ** Convert pdf to html with associate graphics - 1 html per page
ps -Ax, ps -eL or ps -auxw (process status) ** shows all processes running or sleeping.
ps -ef | grep 'text' - will search running services & display services matching 'text'.
pstree -pa ** gives you the processes that are running in a tree format. Shows what started the processes
pwd - Will tell you what directory you are in.
reboot – Restart system.
rm -f filename.txt ** deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ ** recursively deletes the directory tmp, and all files in it, including subdirectories.
rpm -e --test ** check for potential conflicts/dependencies when deleting a RPM
rpm -qa ** To get a list of all installed RPMs
rpm -qf ** Display name of RPM package from which the file was installed.
rpm -qi ** find more about a particular RPM:
rpm -ql $(rpm -qa | grep httpd)
rpm -qa | grep httpd ** lists packages with httpd in the name.
rpm -ql ** lists files in each package.
rpm -q --whatrequires ** find what package(s) requires that file or lib.
set or env ** Display all environment variables in your current environment.
**** Securely moving or copying files (Don't put in the <> brackets!)
(You are logged in to www.soyo.com)
( -r causes the entire directory to be included, -p keeps the permissions and timestamps)
scp -p // www.asp.net:// ** file on soyo -- to be moved to www.asp.net.
scp -r / www.asp.net:/ ** directory & subdirs on soyo -- moved to www.asp.net.
scp -p www.asp.net:/ / ** file on www.asp.net to be moved to soyo
scp -p keith@www.asp.net:// // ** file on www.asp.net to be moved to soyo
=======
scp -p www.abc.com:// www.xyz.com://
** file on abc.com to be moved to www.xyz.com This assumes that
there is a public/private key account for the user on www.soyo.com
(or at least the same user name account on all machines. Note that
you can specify different user ids like: keith@www.abc.com: for one
and root@www.xyz.com: for the other -- If you know the passwords.
========
showmount ** Displays mount info for NFS filesystems.
tail -100 www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** unique last 100 errors(see *5*)
top ** shows running processes
tar -cf archive.tar ** Creating a tar file.
tar -cvzf usr_lib.tar.gz ** tar and compress a file to what ever directory you are in
tar -tf archive.tar ** Lists the files and/or directories in a tar file.
tar -xvf archive.tar ** Extract the files from a tar archive. (.tar)
tar -zxvf archive.tar.gz ** Extract the files from a compressed .tar.gz archive
tar -zxvf archive.tgz ** Extract the files from a compressed .tgz archive
tar xvjf filename.version.bz2 ** Extract bzip2 files with tar
uname -a ** print system information
uname -r Tells you what version of the kernel is currently running.
uptime ** Tell how long the system has been running. Also number of users and system's load average.
users ** Show all users logged in.
userdel -r ** Delete a user's account and other stuff (see *4*)
w ** Displays currently logged in users and processes they are running.
whereis ** Find directory of executable file and related files
which ** Find executable file location of command given. Command must be in path.
who ** Displays currently logged in users.
who -uH ** for idle time and terminal info.
whoami ** Displays user id.
whois ** gives the administrative information about the site.
===============================
Basic file compression utilities: (and file extensions)
gzip (.gz): Also see zcat, gunzip, gznew, gzmore
compress: gzip file-name
decompress: gzip -d file-name.gz
bzip2 (.bz2): Also see: bunzip2, bzcat, bzip2recover
compress: bzip2 file-name
decompress: bunzip2 file-name.bz2
compress (.Z): (Adaptive Lempel-Ziv compression) Also see: uncompress, zcat
compress: compress file-name
decompress: uncompress file-name.Z
(Provided by the RPM package ncompress)
pack (.z): Also see: unpack
compress: pack file-name
decompress: unpack file-name.z
zip (.zip): Compress files or groups of files.
To compress: zip file-name
To decompress: unzip file-name.zip
(R.P.Byrne compression) Compatible with Win PKZIP files.
====================================
****** SHELL TRICKS **********
ctrl + d = logout (also useful if you did su and want to get back to normal user)
--------------------------------------------------------------------
If your screen becomes unreadable because of displaying a binary file
type "reset" blindly and it should be normal again.
Looping in the command line: for file in * ; do cp $file $file.bak; done
{variable-name}=$(command) ** Set env variable-name to commands output ex: $(date +%d-%b-%Y)
{variable-name}=$"value" ** Temporarily set env "variable-name" to "value"
******************************
====================================
*1* It is important that all system and vendor accounts that are
not used for logins are locked. To get a list of unlocked accounts
on your system, you can check for accounts that do NOT have an
encrypted password string starting with "!" or "*" in the
/etc/shadow file. If you lock an account using passwd -l, it
will put a '!!' in front of the encrypted password, effectively
disabling the password. If you lock an account using usermod -L,
it will put a '!' in front of the encrypted password. Many system
and shared accounts are usually locked by default by having a '*' or
'!!' in the password field which renders the encrypted password into
an invalid string.
*2* Also make sure all accounts have a 'x' in the password field in
/etc/passwd. A 'x' in the password fields means that the password
has been shadowed, i.e. the encrypted password has to be looked up in
the /etc/shadow file. If the password field in /etc/passwd is empty,
then the system will not lookup the shadow file and it will not
prompt the user for a password at the login prompt.
*3* The -prune option in this example is used to skip the /proc filesystem.
*4* If you are sure that an account can be deleted, you can remove
the account using the following command. Without the "-r" option
userdel will not delete the user's home directory and mail spool
(/var/spool/mail/). Note that many system accounts have no
home directory:
*5* To monitor the significance, add '-c' to the uniq command, which
will find you a count of the number of each error.
"I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone."
-- Bjarne Stroustrup
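The two audits described in notes *1* and *2* of the command list above, written out as an added example (not part of that comment or of the article). The passwd and shadow records are constructed: root and maestro have usable hashes, daemon is locked with "*", oldsvc with the "!!" that passwd -l writes, vendor with the single "!" that usermod -L prepends, nopass has an empty shadow field, and legacy has an empty passwd password field and no shadow line at all. In real use, read /etc/passwd and /etc/shadow (the latter requires root).

```shell
#!/bin/sh
# Added example, not from the comment or the article. Records below are
# constructed; the hashes are placeholders, not real crypt(3) output.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
oldsvc:x:301:301:old service:/var/lib/oldsvc:/sbin/nologin
vendor:x:302:302:vendor support:/home/vendor:/bin/bash
nopass:x:303:303:empty shadow field:/home/nopass:/bin/bash
legacy::304:304:no shadow entry:/home/legacy:/bin/bash'

SHADOW_DATA='root:$6$saltsalt$constructedhash:19000:0:99999:7:::
maestro:$6$saltsalt$anotherhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
oldsvc:!!:19000:0:99999:7:::
vendor:!$6$saltsalt$lockedhash:19000:0:99999:7:::
nopass::19000:0:99999:7:::'

# Note *2*: every passwd entry should carry the shadow placeholder "x" in its
# second field. Anything else, and an empty field in particular, means the
# password check is not being deferred to /etc/shadow.
unshadowed_accounts() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '$2 != "x" { print $1 }'
}

# Note *1*: an account is locked when its shadow hash starts with "!" (usermod -L),
# "!!" (passwd -l) or is "*". Anything else, including an empty field, is not
# locked and should be a deliberate login account.
unlocked_accounts() {
    printf '%s\n' "$SHADOW_DATA" | awk -F: '$2 !~ /^[!*]/ { print $1 }'
}

# Cross-check the two files agree on which accounts exist; pwck reports the same.
shadow_passwd_mismatch() {
    p=$(printf '%s\n' "$PASSWD_DATA" | cut -d: -f1 | sort)
    s=$(printf '%s\n' "$SHADOW_DATA" | cut -d: -f1 | sort)
    printf '%s\n' "$p" | while read -r n; do
        printf '%s\n' "$s" | grep -qx -- "$n" || printf 'in passwd only: %s\n' "$n"
    done
    printf '%s\n' "$s" | while read -r n; do
        printf '%s\n' "$p" | grep -qx -- "$n" || printf 'in shadow only: %s\n' "$n"
    done
}

echo "not shadowed:"; unshadowed_accounts
echo "not locked:";   unlocked_accounts
echo "mismatches:";   shadow_passwd_mismatch
```

On a live system, passwd -S name gives the same lock state per account (L for locked, NP for no password, P for a usable password), and the list from unlocked_accounts should contain only accounts that are meant to log in with a password.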