install-script #7

Merged
pratyush merged 10 commits from install-script into master 2021-12-22 12:11:22 +01:00
14 changed files with 275 additions and 0 deletions

0
io/audio.md Normal file
View File

9
io/prof_audio.md Normal file
View File

@ -0,0 +1,9 @@
# Professional Audio Configuration in Arch Linux
Semi-Pro*
## Resources
* [Wiki](https://wiki.archlinux.org/title/Professional_audio)
* `pacman -Sg pro-audio` to view all the packages in that group
* Uses [JACK](https://wiki.archlinux.org/title/JACK_Audio_Connection_Kit)

11
scripts/install.sh Normal file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# install yay
cd ~
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
cd ..
sudo rm -rf yay

10
services/aide/README.md Normal file
View File

@ -0,0 +1,10 @@
# AIDE - Advanced Intrusion Detection Environment
## Introduction
AIDE is a file integrity checker.
## Installation and Setup
* Inspect and install the AUR package `aide`.
* It seems to have sane defaults and the file is heavily commented, it can be found along `/etc/aide.conf`.

View File

@ -0,0 +1,145 @@
# Example configuration file for AIDE.
#
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#
# Here are all the attributes we can check
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
###b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#ANF: allow new files
#ARF: allow removed files
#
# Here are all the digests we can use
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#gost: gost checksum
#whirlpool: whirlpool checksum
# These are the default rules
#R: p+i+l+n+u+g+s+m+c+md5
#L: p+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S
# You can create custom rules - my home made rule definition goes like this
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Ignore logs
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*

View File

@ -0,0 +1,39 @@
# Audit Framework
## Kernel
To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
## Userspace
* Install the `audit` package, enable and start the `auditd.service`.
* The config file is `auditd.conf`.
* The rules are defined in `/etc/audit/audit.rules`.
* `auditctl` can be used to edit rules on the fly.
* `ausearch` and `aureport` are used to summarize and view data.
## Rules
* Read from `/etc/audit/auditd.rules`
* If for example `/etc/audit/rules.d/syscalls.rules` is the sort of structure being followed,
`augenrules` is used to merge all the component rules files.
* It is recommended to run first with the `--check` flag and `--load` can be used if there were no errors found.
* The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.
* rulesets:
* syscalls
* format: `-a action,list -S syscall -F field=value -k keyname`
* files
* format: `-w path-to-file -p permissions -k keyname`
* ..?
## Further Reading
* `man` pages (list here)
* archwiki article
* syscalls docs
* update the format for rules

View File

@ -0,0 +1,20 @@
#!/bin/bash
# aureport and ausearch
alias aurepwk='aureport --start this-week'
alias aurepwkv='aureport --start this-week --key --summary'
# syscall audit rule for failure to open files due to EPERM with key field access
# add to syscall.rules
# -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
# check which files have been attempted
alias aurfilist='ausearch --start this-week -k access --raw | aureport --file --summary'
# check the user accounts implicated
alias aurlusfi='ausearch --start this-week -k access --raw | aureport --user --summary'

View File

@ -0,0 +1,3 @@
-w /etc/passwd -p rwxa
-w /etc/sudoers -p rwxa
-w /etc/nftables.conf -p rwxa

View File

@ -0,0 +1,4 @@
-a entry,always -S chmod
-a entry,always -S chown

View File

@ -0,0 +1,7 @@
# Logwatch
## Installation and Setup
* Install `logwatch` package.
* The `logwatch.timer` needs to be started and/or enabled
* Reference: `/usr/share/logwatch/HOWTO-Customize-LogWatch`

View File

@ -0,0 +1,7 @@
# Hardware Performance Measurment
## Tools and Commands
1. `i7z`
2. `turbostat`
3. TODO: Expand

View File

@ -0,0 +1,20 @@
# Power Management Tools
## Tools and their configurations
### cpupower
* `cpupower` and the AUR `cpupower-gui` are the relevant packages.
* These are a set of userspace utilities designed to assist with CPU frequency scaling.
* the configuration is located at `/etc/default/cpupower`
* __Enable__ and _start_ the systemd service.
### Power Profile Daemons
* look into [PPD](https://wiki.archlinux.org/title/CPU_frequency_scaling#power-profiles-daemon)
* using 'performance'.
## thermald
* The `thermald` package is a Linux daemon used to prevent the overheating of Intel CPUs. This daemon monitors temperature and applies compensation using available cooling methods.
* _Start_ and __enable__ the systemd service