From ff8227414ca94688af69677f0ada3cdd297ed8ab Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Thu, 9 Dec 2021 03:35:43 +0530 Subject: [PATCH 1/9] add auditd docs --- services/nftables/audit-framework/audit.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 services/nftables/audit-framework/audit.md diff --git a/services/nftables/audit-framework/audit.md b/services/nftables/audit-framework/audit.md new file mode 100644 index 0000000..f3a0f99 --- /dev/null +++ b/services/nftables/audit-framework/audit.md @@ -0,0 +1,13 @@ +# Audit Framework + +## Kernel + +To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`. + +## Userspace + +* Install the `audit` package, enable and start the `auditd.service`. +* The config file is `auditd.conf`. +* The rules are defined in `/etc/audit/audit.rules`. +* `auditctl` can be used to edit rules on the fly. +* `ausearch` and `aureport` are used to summarize and view data. From 117096b3889cffb94f8967a3e66580dd5bb85244 Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Thu, 9 Dec 2021 06:19:45 +0530 Subject: [PATCH 2/9] start documenting logwatch --- services/{nftables => }/audit-framework/audit.md | 0 services/logwatch/logwatch.md | 7 +++++++ 2 files changed, 7 insertions(+) rename services/{nftables => }/audit-framework/audit.md (100%) create mode 100644 services/logwatch/logwatch.md diff --git a/services/nftables/audit-framework/audit.md b/services/audit-framework/audit.md similarity index 100% rename from services/nftables/audit-framework/audit.md rename to services/audit-framework/audit.md diff --git a/services/logwatch/logwatch.md b/services/logwatch/logwatch.md new file mode 100644 index 0000000..b5a4949 --- /dev/null +++ b/services/logwatch/logwatch.md 
@@ -0,0 +1,7 @@ +# Logwatch + +## Installation and Setup + +* Install `logwatch` package. +* The `logwatch.timer` needs to be started and/or enabled +* Reference: `/usr/share/logwatch/HOWTO-Customize-LogWatch` From 05d402302549a257151450a0edc1b7e3447fde98 Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Sat, 11 Dec 2021 17:45:33 +0530 Subject: [PATCH 3/9] aide --- services/aide/aide.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 services/aide/aide.md diff --git a/services/aide/aide.md b/services/aide/aide.md new file mode 100644 index 0000000..a1d6f2b --- /dev/null +++ b/services/aide/aide.md @@ -0,0 +1,10 @@ +# AIDE - Advanced Intrusion Detection Environment + +## Introduction + +AIDE is a file integrity checker. + +## Installation and Setup + +* Install the AUR package `aide`. +* It seems to have sane defaults and the file is heavily commented, it can be found along `/etc/aide.conf`. From 9a5db049284e0e34b0118977816a98054901c2e1 Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Sat, 11 Dec 2021 17:46:02 +0530 Subject: [PATCH 4/9] missed file --- services/aide/aide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/aide/aide.md b/services/aide/aide.md index a1d6f2b..4ee9154 100644 --- a/services/aide/aide.md +++ b/services/aide/aide.md @@ -6,5 +6,5 @@ AIDE is a file integrity checker. ## Installation and Setup -* Install the AUR package `aide`. +* Inspect and install the AUR package `aide`. * It seems to have sane defaults and the file is heavily commented, it can be found along `/etc/aide.conf`. From 5ad4be12f1b9d58f341197350ca77435fc3f6a40 Mon Sep 17 00:00:00 2001 
From: Pratyush Desai Date: Sat, 11 Dec 2021 19:41:28 +0530 Subject: [PATCH 5/9] profaudio and cpu scaling docs --- io/audio.md | 0 io/prof_audio.md | 9 +++++++++ .../performance-monitoring/performance-stats.md | 7 +++++++ services/power-management/tools.md | 15 +++++++++++++++ 4 files changed, 31 insertions(+) create mode 100644 io/audio.md create mode 100644 io/prof_audio.md create mode 100644 services/performance-monitoring/performance-stats.md create mode 100644 services/power-management/tools.md diff --git a/io/audio.md b/io/audio.md new file mode 100644 index 0000000..e69de29 diff --git a/io/prof_audio.md b/io/prof_audio.md new file mode 100644 index 0000000..be7872f --- /dev/null +++ b/io/prof_audio.md @@ -0,0 +1,9 @@ +# Professional Audio Configuration in Arch Linux + +Semi-Pro* + +## Resources + +* [Wiki](https://wiki.archlinux.org/title/Professional_audio) +* `pacman -Sg pro-audio` to view all the packages in that group +* Uses [JACK](https://wiki.archlinux.org/title/JACK_Audio_Connection_Kit) diff --git a/services/performance-monitoring/performance-stats.md b/services/performance-monitoring/performance-stats.md new file mode 100644 index 0000000..8eef842 --- /dev/null +++ b/services/performance-monitoring/performance-stats.md @@ -0,0 +1,7 @@ +# Hardware Performance Measurment + +## Tools and Commands + +1. `i7z` +2. `turbostat` +3. TODO: Expand diff --git a/services/power-management/tools.md b/services/power-management/tools.md new file mode 100644 index 0000000..fb0c32c --- /dev/null +++ b/services/power-management/tools.md 
@@ -0,0 +1,15 @@ +# Power Management Tools + +## Tools and their configurations + +### cpupower + +* `cpupower` and the AUR `cpupower-gui` are the relevant packages. +* These are a set of userspace utilities designed to assist with CPU frequency scaling. +* the configuration is located at `/etc/default/cpupower` +* __Enable__ and _start_ the systemd service. + +### Power Profile Daemons + +* look into [PPD](https://wiki.archlinux.org/title/CPU_frequency_scaling#power-profiles-daemon) +* using 'performance'. From 5421c4bb6005d912d8bcb826dfbd62058ef2205a Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Sat, 11 Dec 2021 20:10:40 +0530 Subject: [PATCH 6/9] thermald --- services/power-management/tools.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/power-management/tools.md b/services/power-management/tools.md index fb0c32c..76b69f2 100644 --- a/services/power-management/tools.md +++ b/services/power-management/tools.md @@ -13,3 +13,8 @@ * look into [PPD](https://wiki.archlinux.org/title/CPU_frequency_scaling#power-profiles-daemon) * using 'performance'. + +## thermald + +* The `thermald` package is a Linux daemon used to prevent the overheating of Intel CPUs. This daemon monitors temperature and applies compensation using available cooling methods. +* _Start_ and __enable__ the systemd service From d62cf1510f7db98461d6e1a6d32cedbc942393fd Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Thu, 16 Dec 2021 03:44:17 +0530 Subject: [PATCH 7/9] auditd configuration 
Signed-off-by: Pratyush Desai
--- scripts/install.sh | 11 ++++++++++ .../audit-framework/auditd/.auread-aliases | 20 +++++++++++++++++++ services/audit-framework/auditd/auditd.conf | 0 services/audit-framework/auditd/auditd.rules | 0 .../audit-framework/auditd/rules.d/file.rules | 3 +++ .../auditd/rules.d/syscalls.rules | 4 ++++ 6 files changed, 38 insertions(+) create mode 100644 scripts/install.sh create mode 100644 services/audit-framework/auditd/.auread-aliases create mode 100644 services/audit-framework/auditd/auditd.conf create mode 100644 services/audit-framework/auditd/auditd.rules create mode 100644 services/audit-framework/auditd/rules.d/file.rules create mode 100644 services/audit-framework/auditd/rules.d/syscalls.rules
diff --git a/scripts/install.sh b/scripts/install.sh new file mode 100644
index 0000000..b508d0b
--- /dev/null
+++ b/scripts/install.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+
+
+# install yay
+cd ~
+git clone https://aur.archlinux.org/yay.git
+cd yay
+makepkg -si
+cd ..
+sudo rm -rf yay
diff --git a/services/audit-framework/auditd/.auread-aliases b/services/audit-framework/auditd/.auread-aliases new file mode 100644
index 0000000..69d97db
--- /dev/null
+++ b/services/audit-framework/auditd/.auread-aliases
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# aureport and ausearch
+
+alias aurepwk='aureport --start this-week'
+alias aurepwkv='aureport --start this-week --key --summary'
+
+# syscall audit rule for failure to open files due to EPERM with key field access
+
+# add to syscall.rules
+# -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
+
+# check which files have been attempted
+alias aurfilist='ausearch --start this-week -k access --raw | aureport --file --summary'
+
+# check the user accounts implicated
+
+alias aurlusfi='ausearch --start this-week -k access --raw | aureport --user --summary'
+
+
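Review bot: `makepkg -si` in scripts/install.sh builds and installs whatever the freshly cloned AUR repository contains without the PKGBUILD ever being looked at, which is the opposite of the "Inspect and install" guidance this same series adds to the AIDE README; the clone should be reviewed and confirmed before anything is built. The script also runs without `set -e`, so if the clone fails, `cd yay` fails, `makepkg -si` runs in `$HOME`, `cd ..` lands in `/` and `sudo rm -rf yay` executes from there. The `sudo` on the final `rm` is unnecessary because the clone is owned by the invoking user, and building in a temporary directory removed by a trap avoids both the privileged delete and the leftover clone in `$HOME`. A reworked version follows.
```shell
#!/bin/bash
set -euo pipefail

# install yay: clone into a scratch dir, let the operator inspect the PKGBUILD, then build as the unprivileged user
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
git clone https://aur.archlinux.org/yay.git "$workdir/yay"
cd "$workdir/yay"
"${PAGER:-less}" PKGBUILD
read -rp "Build and install yay from the PKGBUILD you just reviewed? [y/N] " answer
[[ $answer == [yY] ]] || exit 1
makepkg -si
```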
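Review bot: The `aurfilist` and `aurlusfi` aliases select events with `-k access`, but the rule that sets that key exists only as a comment in this file and `syscalls.rules` in the same commit does not contain it, so both aliases return nothing until the rule is actually placed in the rules directory. When it is added, note that an `open`/`openat` refused by file permissions fails with `EACCES`, not `EPERM`, so the commented `-F exit=-EPERM` rule as written misses ordinary permission-denied attempts; the usual form is two rules, `-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k access` and the same line with `-F exit=-EPERM`. As a point of style, a file of aliases that is meant to be sourced does not need the `#!/bin/bash` shebang on line 1, and its dotfile name suggests sourcing rather than execution; `# source this file from ~/.bashrc` would say what is intended.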
diff --git a/services/audit-framework/auditd/auditd.conf b/services/audit-framework/auditd/auditd.conf new file mode 100644
index 0000000..e69de29
diff --git a/services/audit-framework/auditd/auditd.rules b/services/audit-framework/auditd/auditd.rules new file mode 100644
index 0000000..e69de29
diff --git a/services/audit-framework/auditd/rules.d/file.rules b/services/audit-framework/auditd/rules.d/file.rules new file mode 100644
index 0000000..d595447
--- /dev/null
+++ b/services/audit-framework/auditd/rules.d/file.rules
@@ -0,0 +1,3 @@
+-w /etc/passwd -p rwxa
+-w /etc/sudoers -p rwxa
+-w /etc/nftables.conf -p rwxa
diff --git a/services/audit-framework/auditd/rules.d/syscalls.rules b/services/audit-framework/auditd/rules.d/syscalls.rules new file mode 100644
index 0000000..697dd91
--- /dev/null
+++ b/services/audit-framework/auditd/rules.d/syscalls.rules
@@ -0,0 +1,4 @@
+
+-a entry,always -S chmod
+-a entry,always -S chown
+
From ffad324cc2f33e959d90187ae5c81ab293209f7b Mon Sep 17 00:00:00 2001 From: Pratyush Desai Date: Thu, 16 Dec 2021 05:49:29 +0530 Subject: [PATCH 8/9] audit readme
--- services/audit-framework/README.md | 39 ++++++++++++++++++++++++++++++ services/audit-framework/audit.md | 13 ---------- 2 files changed, 39 insertions(+), 13 deletions(-) create mode 100644 services/audit-framework/README.md delete mode 100644 services/audit-framework/audit.md
diff --git a/services/audit-framework/README.md b/services/audit-framework/README.md new file mode 100644
index 0000000..6abe446
--- /dev/null
+++ b/services/audit-framework/README.md 
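Review bot: `-p rwxa` on `/etc/passwd` in file.rules logs every read of the file, and since any process that resolves a user name or uid reads it (`ls -l`, `sudo`, `ssh`, …) the watch will flood the audit log and bury the events that matter; the usual watch covers writes and attribute changes only, `-w /etc/passwd -p wa -k identity`. None of the three watches carries a `-k` key, even though the README added in this series documents `-k keyname` as part of the watch format and the aliases in `.auread-aliases` search by key, so `ausearch -k` cannot select these events. `/etc/shadow`, `/etc/group` and the `/etc/sudoers.d/` directory are not watched although they are at least as sensitive as the three paths listed, and `/etc/sudoers.d/` is where drop-in privilege grants normally land.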
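Review bot: `-a entry,always` in syscalls.rules uses the syscall entry list, which auditctl(8) documents as no longer supported, so `augenrules --load` will reject both rules instead of installing them; the list must be `exit`. The rules also name the syscall without `-F arch=`, which on an x86_64 host leaves the ABI ambiguous and makes auditctl emit its 32/64-bit mismatch warning, and `chmod`/`chown` alone miss the `fchmod`, `fchmodat`, `fchown`, `lchown` and `fchownat` variants that most programs actually call. Suggested replacement: `-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod` and `-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod`; the `auid` filters keep system daemons out of the log, and the key lets the aliases in `.auread-aliases` find the events.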
@@ -0,0 +1,39 @@ +# Audit Framework + +## Kernel + +To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`. + +## Userspace + +* Install the `audit` package, enable and start the `auditd.service`. +* The config file is `auditd.conf`. +* The rules are defined in `/etc/audit/audit.rules`. +* `auditctl` can be used to edit rules on the fly. +* `ausearch` and `aureport` are used to summarize and view data. + + +## Rules + +* Read from `/etc/audit/auditd.rules` + +* If for example `/etc/audit/rules.d/syscalls.rules` is the sort of structure being followed, + `augenrules` is used to merge all the component rules files. + * It is recommended to run first with the `--check` flag and `--load` can be used if there were no errors found. + * The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines. + +* rulesets: + * syscalls + * format: `-a action,list -S syscall -F field=value -k keyname` + * files + * format: `-w path-to-file -p permissions -k keyname` + * ..? + + + +## Further Reading + +* `man` pages (list here) +* archwiki article +* syscalls docs +* update the format for rules diff --git a/services/audit-framework/audit.md b/services/audit-framework/audit.md deleted file mode 100644 index f3a0f99..0000000 --- a/services/audit-framework/audit.md +++ /dev/null @@ -1,13 +0,0 @@ -# Audit Framework - -## Kernel - -To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`. - -## Userspace - -* Install the `audit` package, enable and start the `auditd.service`. -* The config file is `auditd.conf`. -* The rules are defined in `/etc/audit/audit.rules`. -* `auditctl` can be used to edit rules on the fly. -* `ausearch` and `aureport` are used to summarize and view data. From 6dc5f9bc89f94557dc771d9ce645077532e1bcf5 Mon Sep 17 00:00:00 2001 
From: Pratyush Desai Date: Thu, 16 Dec 2021 05:59:54 +0530 Subject: [PATCH 9/9] aide.conf --- services/aide/{aide.md => README.md} | 0 services/aide/aide/aide.conf | 145 +++++++++++++++++++++++++++ 2 files changed, 145 insertions(+) rename services/aide/{aide.md => README.md} (100%) create mode 100644 services/aide/aide/aide.conf diff --git a/services/aide/aide.md b/services/aide/README.md similarity index 100% rename from services/aide/aide.md rename to services/aide/README.md diff --git a/services/aide/aide/aide.conf b/services/aide/aide/aide.conf new file mode 100644 index 0000000..2201b3d --- /dev/null +++ b/services/aide/aide/aide.conf 
@@ -0,0 +1,145 @@ +# Example configuration file for AIDE. +# +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +# +# Here are all the attributes we can check +#p: permissions +#i: inode +#n: number of links +#l: link name +#u: user +#g: group +#s: size +###b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#I: ignore changed filename +#ANF: allow new files +#ARF: allow removed files +# + +# Here are all the digests we can use +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum +#haval: haval checksum +#crc32: crc32 checksum +#gost: gost checksum +#whirlpool: whirlpool checksum + +# These are the default rules +#R: p+i+l+n+u+g+s+m+c+md5 +#L: p+i+l+n+u+g +#E: Empty group +#>: Growing logfile p+l+u+g+i+n+S + +# You can create custom rules - my home made rule definition goes like this +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. 
all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane, with multiple hashes +# NORMAL = R+rmd160+sha256+whirlpool +NORMAL = R+rmd160+sha256 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+xattrs + +# Access control only +PERMS = p+i+u+g+acl + +# Logfile are special, in that they often change +LOG = > + +# Just do md5 and sha256 hashes +LSPP = R+sha256 + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger + + +# Next decide what directories/files you want in the database. + +/boot NORMAL +/bin NORMAL +/sbin NORMAL +/lib NORMAL +/lib64 NORMAL +/opt NORMAL +/usr NORMAL +/root NORMAL +# These are too volatile +!/usr/src +!/usr/tmp + +# Check only permissions, inode, user and group for /etc, but +# cover some important files closely. +/etc PERMS +!/etc/mtab +# Ignore backup files +!/etc/.*~ +/etc/exports NORMAL +/etc/fstab NORMAL +/etc/passwd NORMAL +/etc/group NORMAL +/etc/gshadow NORMAL +/etc/shadow NORMAL +/etc/security/opasswd NORMAL + +/etc/hosts.allow NORMAL +/etc/hosts.deny NORMAL + +/etc/sudoers NORMAL +/etc/skel NORMAL + +/etc/logrotate.d NORMAL + +/etc/resolv.conf DATAONLY + +/etc/nscd.conf NORMAL +/etc/securetty NORMAL + +# Shell/X starting files +/etc/profile NORMAL +/etc/bashrc NORMAL +/etc/bash_completion.d/ NORMAL +/etc/login.defs NORMAL +/etc/zprofile NORMAL +/etc/zshrc NORMAL +/etc/zlogin NORMAL +/etc/zlogout NORMAL +/etc/profile.d/ NORMAL +/etc/X11/ NORMAL + +# Ignore logs +!/var/lib/pacman/.* +!/var/cache/.* +!/var/log/.* +!/var/run/.* +!/var/spool/.*
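Review bot: `/etc` is covered only by `PERMS`, which records no checksum, so content changes to `/etc/nftables.conf` and to the audit rules under `/etc/audit/` (the very files this series watches with auditd) go unnoticed by AIDE as long as mode, owner and inode are preserved; add `/etc/nftables.conf NORMAL`, `/etc/audit NORMAL` and `/etc/sudoers.d NORMAL` next to the other `NORMAL` entries in this hunk. `ALLXTRAHASHES` is defined twice on consecutive lines; whichever definition AIDE honours, the other is dead text and should be removed rather than left to confuse the next reader. The reference database and the report both live on the monitored host under `/var/lib/aide` and `/var/log/aide`, so an attacker with root can regenerate `aide.db.gz` after tampering; a comment such as `# copy aide.db.gz to read-only/off-host storage after every --init/--update and compare before trusting a --check` near the `database=` line would record the operational step the config alone cannot enforce.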