Difference between revisions of "Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Scripting"
Jump to navigation
Jump to search
| Line 17: | Line 17: | ||
=== How to configure a configuration file securely === | === How to configure a configuration file securely === | ||
| + | * Here's already configured filed: https://github.com/Emperormouse/cypat-configs | ||
* [[Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Program-Settings|This wiki page has password-related configurations]] | * [[Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Program-Settings|This wiki page has password-related configurations]] | ||
| − | |||
* You can find guides on hardening these configuration files online, or even by asking ChatGPT "What modifications should I make to the file "/etc/login.defs" to make it more secure?" | * You can find guides on hardening these configuration files online, or even by asking ChatGPT "What modifications should I make to the file "/etc/login.defs" to make it more secure?" | ||
* Here are some guides for hardening some of these configurations: | * Here are some guides for hardening some of these configurations: | ||
Revision as of 22:11, 21 November 2024
Baselining
A good way to automate a lot of fixes without coding is baselining. This process means trying to get the competition image to be as similar as possible to an image that you know is secure. There are multiple ways to do it, but the easiest way (that I know of) is to create secure configuration files before a competition, and copy those into the image during a competition.
- Some configuration files that will be worth configuring securely before a competition are:
- /etc/ssh/sshd_config (config file for ssh, a remote-terminal program used on almost all linux servers)
- /etc/pam.d/common-password (config file for password stuff)
- /etc/login.defs (another password config file)
- /etc/sysctl.conf (config file with a ton of random system-level configurations)
- These configuration files are fine as the default, but you have to make sure that they haven't been tampered with
- /etc/sudoers (config file for sudo, the system that lets administrators run commands as root)
- /etc/apt/sources.list (config file that specifies which URLs to pull packages from)
The default version of these configuration files can be found from a default installation of Ubuntu22 (or Linux Mint)
How to get the default version of the configuration files
- You can get the configuration files from a fresh installation of Ubuntu or Linux Mint This page explains how to make a virtual machine
- For convenience, here's 4 default configuration files (sshd_config, common-password, login.defs, and sysctl.conf)
- https://github.com/Emperormouse/default-configs (Press on the green code button and choose download zip)
How to configure a configuration file securely
- Here's already configured filed: https://github.com/Emperormouse/cypat-configs
- This wiki page has password-related configurations
- You can find guides on hardening these configuration files online, or even by asking ChatGPT "What modifications should I make to the file "/etc/login.defs" to make it more secure?"
- Here are some guides for hardening some of these configurations:
- https://www.blumira.com/blog/secure-ssh-on-linux (/etc/ssh/sshd_config)
- https://www.baeldung.com/linux/password-complexity (/etc/pam.d/common-password and /etc/login.defs)
- https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening (/etc/sysctl.conf) note: this website contains a ton of modifications, which will get you points but you should try to understand what they're doing by reading the comments)
- You can also find configurations to make by looking at the answer keys of practice images, which will include some modifications that you can make.
How to copy the configuration files to the practice image
Test the process in a virtual machine before a competition to make sure that your configurations don't break the system
- First you have to get the files into the practice image. If you're using vmware you may be able to drag the file right into the image. But if that doesn't work you can use google drive or email to yourself.
- Next you have to backup the original file. You can use this command for that:
cp <path/to/original/file> <backup/location>
- Finally you have to copy your pre-configured file to its location:
cp <path/to/configured/file> <path/to/location>
- For Example, if you have a folder named "backups" for your backups and a folder named "custom-configs" with your pre-configured files:
cp /etc/ssh/sshd_config ./backups/sshd_configcp ./custom-configs/sshd_config /etc/ssh/sshd_config
Useful one liners
These are useful commands or chains of commands to remember or write down for CyberPatriot (Feel free to add to this)
grep "sh$" /etc/passwd | cut -d':' -f1,3
- Lists all of the users on the system (including root), plus their User IDs. This will include "hidden" users, who have a user id below 1000, and therefore don't show up in the GUI
find /home -name "*\.mp[34]" -o -name "*\.mov" -o -name "*\.webm"
- Finds all files which end in ".mp3", ".mp4", ".mov", or ".webm", which are usually not allowed to be in user's directories.
sudo rm /directory/of/files/to/delete/*
- This deletes all of the files within a certain directory (make sure to include the asterisk at the end). For example
sudo rm /home/jim/Music/*