I would definitely recommend viewing this file in "HackMD". Here's the link to my submission there: https://hackmd.io/@BizTheDad/SJ53iPurY
Command to extract the `TarDocs.tar` archive to the current directory:

```bash
tar -xf TarDocs.tar
```

Command to create the `Javaless_Doc.tar` archive from the `TarDocs/` directory, while excluding the `TarDocs/Documents/Java` directory:

```bash
tar --exclude='TarDocs/Documents/Java' -cf Javaless_Doc.tar TarDocs/
```
I was a bit surprised by this in my testing. I would have thought that I should have excluded the "TarDocs" from the pattern.
Command to ensure `Java/` is not in the new `Javaless_Docs.tar` archive:

```bash
tar -tf Javaless_Docs.tar 'TarDocs/Documents/Java/'
```

or

```bash
tar -tf Javaless_Docs.tar --wildcards '*/Java/'
```

I did the following just to make sure:

```bash
tar -tf Javaless_Docs.tar 'TarDocs/Documents/'
```
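Added here as an example (not part of the original submission): a script that builds a small constructed `TarDocs/` tree in a temporary directory, archives it with and without the exclude pattern used above, and counts the members under `Java/` so the effect of the exclude can be checked rather than eyeballed. The file names inside the fixture are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original submission): build a small constructed
# TarDocs/ tree in a temp directory, archive it with and without the exclude used
# above, and count members under Java/ to prove the exclude really took effect.
set -eu

# Constructed fixture: a TarDocs/ tree with one Java file that must not be archived.
make_fixture() {
    local root="$1"
    mkdir -p "$root/TarDocs/Documents/Java" "$root/TarDocs/Documents/Text"
    echo 'class Hello {}' > "$root/TarDocs/Documents/Java/Hello.java"
    echo 'some notes'     > "$root/TarDocs/Documents/Text/notes.txt"
    echo 'readme'         > "$root/TarDocs/README"
}

# Archive TarDocs/ from inside $root so member names start with "TarDocs/".
# That prefix is why the exclude pattern is spelled TarDocs/Documents/Java as well.
# $3 is an optional --exclude pattern; $2 must be an absolute path because of the cd.
build_archive() {
    local root="$1" archive="$2" exclude="${3:-}"
    if [ -n "$exclude" ]; then
        (cd "$root" && tar --exclude="$exclude" -cf "$archive" TarDocs/)
    else
        (cd "$root" && tar -cf "$archive" TarDocs/)
    fi
}

# Number of members whose path has a Java/ component; 0 means the exclude worked.
count_java_members() {
    tar -tf "$1" | grep -c '/Java/' || true
}

# Total member count, to confirm the rest of the tree was still archived.
count_members() {
    tar -tf "$1" | wc -l | tr -d ' '
}

demo() {
    local work; work="$(mktemp -d)"
    make_fixture "$work"
    build_archive "$work" "$work/full.tar"
    build_archive "$work" "$work/Javaless_Docs.tar" 'TarDocs/Documents/Java'
    echo "full:     $(count_java_members "$work/full.tar") Java members of $(count_members "$work/full.tar")"
    echo "javaless: $(count_java_members "$work/Javaless_Docs.tar") Java members of $(count_members "$work/Javaless_Docs.tar")"
    rm -rf "$work"
}

demo
```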
Bonus: command to create the `logs_backup.tar.gz` archive with only changed files, recording them to `snapshot.file`, for the `/var/log` directory:

```bash
sudo tar cvvg var_log.snar -f logs_backup-2.tar.gz -z /var/log
```
Why wouldn't you use `-x` and `-c` at the same time with `tar`?

`tar` is finicky about its options: `-x` (extract) and `-c` (create) are two different operation modes, and `tar` accepts only one operation mode per invocation.
Cron job to back up the `/var/log/auth.log` file (`0 6 * * 3` runs every Wednesday at 6 a.m.):

```bash
# back up to the filesystem root
0 6 * * 3 tar czf /auth_backup.tgz /var/log/auth.log >> /dev/null 2>&1
# back up to ~/backups/auth/ instead
0 6 * * 3 tar czf ~/backups/auth/auth_backup.tgz /var/log/auth.log >> /dev/null 2>&1
```
Brace expansion command to create the four subdirectories:

After creating the `~/backups` directory, I ran the following command:

```bash
mkdir backups/{freemem,diskuse,openlist,freedisk}
```
Paste your `system.sh` script edits below:

```bash
#!/usr/bin/env bash
#
# The following prints the free memory to the specified file.
#
free -m | grep Mem | awk -v timestamp="$(date)" '{print timestamp,"-->",$4,"MB"}' >> ~/backups/freemem/free_mem.txt

#
# The following logs the average of five reports of the "mpstat" command
# with one second intervals between reports
#
mpstat 1 5 | awk -v timestamp="$(date)" 'END{print timestamp,"-->",100-$NF"%"}' >> ~/backups/diskuse/disk_usage.txt

#
# The following logs both the number of open files and the open files. I thought
# that was more interesting than simply all the open files.
#
echo "$(date) --> $(lsof | wc -l)" >> ~/backups/openlist/open_list_count.txt
echo "$(date) --> all open files:" >> ~/backups/openlist/open_list.txt
lsof >> ~/backups/openlist/open_list.txt

#
# The following logs the disk statistics for the disk mounted on "/".
#
echo "$(date) --> disk stats for filesystem mounted on '/':" >> ~/backups/freedisk/free_disk.txt
df -h / >> ~/backups/freedisk/free_disk.txt
```
Command to make the `system.sh` script executable:

```bash
chmod u+x system.sh
```

Optional: run `./system.sh` to execute the script, then `find ~/backups -name '*.txt' -type f | xargs cat` to check the output.

Bonus: command to copy `system.sh` to the system-wide weekly cron directory:

```bash
sudo cp ~/system.sh /etc/cron.weekly/
```

Note that on Debian and Ubuntu `run-parts` skips files in `/etc/cron.weekly/` whose names contain a dot, so the copy only runs if it is given a name without the `.sh` suffix.
Run `sudo nano /etc/logrotate.conf` to edit the logrotate configuration file.

Configure a log rotation scheme for the authentication messages in `/var/log/auth.log`:

```text
/var/log/auth.log {
    weekly
    rotate 7
    notifempty
    compress
    delaycompress
    missingok
}
```
Command to verify `auditd` is active:

```bash
systemctl status auditd
```

Settings to set the number of retained logs and the maximum log file size (edits to `/etc/audit/auditd.conf`):

```text
num_logs = 7
...
max_log_file = 35
```
Command using `auditd` to set rules for `/etc/shadow`, `/etc/passwd` and `/var/log/auth.log`. Edits made to the rules file below:

```text
-w /etc/shadow -p wra -k hashpass_audit
-w /etc/passwd -p wra -k userpass_audit
-w /var/log/auth.log -p wra -k authlog_audit
```
Command to restart `auditd`:

```bash
sudo systemctl restart auditd
```

Command to list all `auditd` rules:

```bash
sudo auditctl -l
```

Command to produce an audit report:

```bash
sudo aureport -au
```

Create a user with `sudo useradd attacker` and produce an audit report that lists account modifications:

```bash
sudo aureport -m
```

The above command produces the following output:

```text
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 234
2. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 235
3. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 236
4. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 237
5. 10/18/2021 01:15:29 1000 UbuntuDesktop pts/0 /usr/sbin/useradd attacker yes 9286
6. 10/18/2021 01:15:29 1000 UbuntuDesktop pts/0 /usr/sbin/useradd ? yes 9290
```
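Added here as an example (not part of the original submission): a shell filter that reads `aureport -m` output like the report above and separates interactive account creations (audit login UID set, terminal present) from ones with no recorded login session (`auid` of `-1`, like the `vboxadd` rows). The sample input is the report shown above, embedded as a constructed string so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not part of the original submission): pick out interactive
# account creations from `aureport -m` output. The sample input is the report
# shown above, embedded here; the functions read any such report on stdin.
set -eu

# The report lines shown above, embedded so this runs offline.
SAMPLE_REPORT='Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 234
2. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 235
3. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 236
4. 10/17/2021 13:39:45 -1 ? ? /usr/sbin/useradd vboxadd no 237
5. 10/18/2021 01:15:29 1000 UbuntuDesktop pts/0 /usr/sbin/useradd attacker yes 9286
6. 10/18/2021 01:15:29 1000 UbuntuDesktop pts/0 /usr/sbin/useradd ? yes 9290'

# Print "acct auid term event" for successful useradd rows whose audit login UID
# (auid, field 4) is set. auid -1 means no login session was recorded, i.e. boot-time
# or daemon activity rather than someone at a terminal. Data rows start with "N.";
# rows whose acct field is "?" carry no account name and are skipped.
flag_interactive_useradd() {
    awk '$1 ~ /^[0-9]+\.$/ && $7 ~ /useradd$/ && $4 != "-1" && $9 == "yes" && $8 != "?" {
        print $8, $4, $6, $10
    }'
}

# Count data rows where the login UID was unset (-1), i.e. not tied to a logged-in user.
count_unset_auid() {
    awk '$1 ~ /^[0-9]+\.$/ && $4 == "-1" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_REPORT" | flag_interactive_useradd   # attacker 1000 pts/0 9286
printf '%s\n' "$SAMPLE_REPORT" | count_unset_auid           # 4
```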
Command to use `auditd` to watch `/var/log/cron`:

```bash
sudo auditctl -w /var/log/cron -p wra -k cron_log
```

Command to verify `auditd` rules:

```bash
sudo auditctl -l
```

Command to return `journalctl` messages with priorities from emergency to error:

```bash
# emergency is priority 0 and error is priority 3; a range of 0..7 would return every priority
sudo journalctl -b 0 -p 0..3
```

Command to check the disk usage of the system journal unit since the most recent boot:

```bash
sudo journalctl -b 0 --unit=systemd-journald
```

Command to remove all archived journal files except the most recent two:

```bash
sudo journalctl --vacuum-files=2
```
Command to filter all log messages with priority levels between zero and two, and save the output to `/home/sysadmin/Priority_High.txt`:

```bash
sudo bash -c 'journalctl -p 0..2 > /home/student/Priority_High.txt'
```
In order to get the file to write I needed superuser permissions. I used "sudo bash -c" here because that will run all commands under the superuser umbrella. Without that the redirect fails due to a permissions error.
Command to automate the last command in a daily cronjob. Add the edits made to the crontab file below:

The following edits are made to the root user's crontab using `sudo crontab -e`. We have to run the crontab as root because the commands inside the crontab file require a superuser. Also, the instructions didn't say whether to write over the file or append. So, I simply appended.

```bash
@daily journalctl -p 0..2 >> /home/student/Priority_High.txt 2> /dev/null
```
© 2020 Trilogy Education Services, a 2U, Inc. brand. All Rights Reserved.