Difference between revisions of "Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Scripting"

From Vista Ridge Cyberpatriot
Jump to navigation Jump to search
 
(14 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Baselining ==
 
== Baselining ==
A good way to automate a lot of fixes without coding is baselining. There are multiple ways to do it, but the easiest way is to create secure configuration files before a competition, and copy those in during a competition.
+
A good way to automate a lot of fixes without coding is baselining. This process means trying to get the competition image to be as similar as possible to an image that you know is secure. There are multiple ways to do it, but the easiest way (that I know of) is to create secure configuration files before a competition, and copy those into the image during a competition.
 
* Some configuration files that will be worth configuring securely before a competition are:
 
* Some configuration files that will be worth configuring securely before a competition are:
** /etc/ssh/sshd_config
+
** '''/etc/ssh/sshd_config''' ''(config file for ssh, a remote-terminal program used on almost all linux servers)''
** /etc/pam.d/common-password
+
** '''/etc/pam.d/common-password''' ''(config file for password stuff)''
** /etc/login.defs
+
** '''/etc/login.defs''' ''(another password config file)''
** /etc/sysctl.conf
+
** '''/etc/sysctl.conf''' ''(config file with a ton of random system-level configurations)''
  
 
* These configuration files are fine as the default, but you have to make sure that they haven't been tampered with
 
* These configuration files are fine as the default, but you have to make sure that they haven't been tampered with
** /etc/sudoers
+
** '''/etc/sudoers''' ''(config file for sudo, the system that lets administrators run commands as root)''
** /etc/apt/sources.list
+
** '''/etc/apt/sources.list''' ''(config file that specifies which URLs to pull packages from)''
 
The default version of these configuration files can be found from a default installation of Ubuntu22 (or Linux Mint)
 
The default version of these configuration files can be found from a default installation of Ubuntu22 (or Linux Mint)
 +
=== How to get the default version of the configuration files ===
 +
* You can get the configuration files from a fresh installation of Ubuntu or Linux Mint [[Configuring a VM|This page explains how to make a virtual machine]]
 +
* For convenience, here's 4 default configuration files (sshd_config, common-password, login.defs, and sysctl.conf)
 +
** https://github.com/Emperormouse/default-configs (Press on the green code button and choose download zip)
 +
 
=== How to configure a configuration file securely ===
 
=== How to configure a configuration file securely ===
 +
* Here's already configured files: https://github.com/Emperormouse/cypat-configs
 +
* [[Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Program-Settings|This wiki page has password-related configurations]]
 
* You can find guides on hardening these configuration files online, or even by asking ChatGPT "What modifications should I make to the file "/etc/login.defs" to make it more secure?"
 
* You can find guides on hardening these configuration files online, or even by asking ChatGPT "What modifications should I make to the file "/etc/login.defs" to make it more secure?"
 
* Here are some guides for hardening some of these configurations:
 
* Here are some guides for hardening some of these configurations:
 
** https://www.blumira.com/blog/secure-ssh-on-linux (/etc/ssh/sshd_config)
 
** https://www.blumira.com/blog/secure-ssh-on-linux (/etc/ssh/sshd_config)
 
** https://www.baeldung.com/linux/password-complexity (/etc/pam.d/common-password and /etc/login.defs)
 
** https://www.baeldung.com/linux/password-complexity (/etc/pam.d/common-password and /etc/login.defs)
** https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening (/etc/sysctl.conf) ''note: this website contains a ton of modifications, which will get you points but you should try to understand what they're doing''
+
** https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening (/etc/sysctl.conf) ''note: this website contains a ton of modifications, which will get you points but you should try to understand what they're doing by reading the comments)''
 
* You can also find configurations to make by looking at the answer keys of practice images, which will include some modifications that you can make.
 
* You can also find configurations to make by looking at the answer keys of practice images, which will include some modifications that you can make.
 +
 
=== How to copy the configuration files to the practice image ===
 
=== How to copy the configuration files to the practice image ===
 +
'''Test the process in a virtual machine before a competition to make sure that your configurations don't break the system'''
 
* First you have to get the files into the practice image. If you're using vmware you may be able to drag the file right into the image. But if that doesn't work you can use google drive or email to yourself.
 
* First you have to get the files into the practice image. If you're using vmware you may be able to drag the file right into the image. But if that doesn't work you can use google drive or email to yourself.
 
* Next you have to backup the original file. You can use this command for that:
 
* Next you have to backup the original file. You can use this command for that:
Line 27: Line 36:
 
** <code>cp /etc/ssh/sshd_config ./backups/sshd_config</code>
 
** <code>cp /etc/ssh/sshd_config ./backups/sshd_config</code>
 
** <code>cp ./custom-configs/sshd_config /etc/ssh/sshd_config</code>
 
** <code>cp ./custom-configs/sshd_config /etc/ssh/sshd_config</code>
 +
 +
==Useful one liners==
 +
These are useful commands or chains of commands to remember or write down for CyberPatriot (Feel free to add to this)
 +
<br>
 +
<code>grep "sh$" /etc/passwd | cut -d':' -f1,3</code>
 +
* Lists all of the users on the system (including root), plus their User IDs. This will include "hidden" users, who have a user id below 1000, and therefore don't show up in the GUI
 +
<br>
 +
<code>find /home -name "*\.mp[34]" -o -name "*\.mov" -o -name "*\.webm"</code>
 +
* Finds all files which end in ".mp3", ".mp4", ".mov", or ".webm", which are usually not allowed to be in user's directories.
 +
<br>
 +
<code>sudo rm /directory/of/files/to/delete/*</code>
 +
* This deletes all of the files within a certain directory (make sure to include the asterisk at the end). For example <code>sudo rm /home/jim/Music/*</code>

Latest revision as of 22:11, 21 November 2024

Baselining[edit | edit source]

A good way to automate a lot of fixes without coding is baselining. This process means trying to get the competition image to be as similar as possible to an image that you know is secure. There are multiple ways to do it, but the easiest way (that I know of) is to create secure configuration files before a competition, and copy those into the image during a competition.

  • Some configuration files that will be worth configuring securely before a competition are:
    • /etc/ssh/sshd_config (config file for ssh, a remote-terminal program used on almost all linux servers)
    • /etc/pam.d/common-password (config file for password stuff)
    • /etc/login.defs (another password config file)
    • /etc/sysctl.conf (config file with a ton of random system-level configurations)
  • These configuration files are fine as the default, but you have to make sure that they haven't been tampered with
    • /etc/sudoers (config file for sudo, the system that lets administrators run commands as root)
    • /etc/apt/sources.list (config file that specifies which URLs to pull packages from)

The default version of these configuration files can be found from a default installation of Ubuntu22 (or Linux Mint)

How to get the default version of the configuration files[edit | edit source]

How to configure a configuration file securely[edit | edit source]

How to copy the configuration files to the practice image[edit | edit source]

Test the process in a virtual machine before a competition to make sure that your configurations don't break the system

  • First you have to get the files into the practice image. If you're using vmware you may be able to drag the file right into the image. But if that doesn't work you can use google drive or email to yourself.
  • Next you have to backup the original file. You can use this command for that:
    • cp <path/to/original/file> <backup/location>
  • Finally you have to copy your pre-configured file to its location:
    • cp <path/to/configured/file> <path/to/location>
  • For Example, if you have a folder named "backups" for your backups and a folder named "custom-configs" with your pre-configured files:
    • cp /etc/ssh/sshd_config ./backups/sshd_config
    • cp ./custom-configs/sshd_config /etc/ssh/sshd_config

Useful one liners[edit | edit source]

These are useful commands or chains of commands to remember or write down for CyberPatriot (Feel free to add to this)
grep "sh$" /etc/passwd | cut -d':' -f1,3

  • Lists all of the users on the system (including root), plus their User IDs. This will include "hidden" users, who have a user id below 1000, and therefore don't show up in the GUI


find /home -name "*\.mp[34]" -o -name "*\.mov" -o -name "*\.webm"

  • Finds all files which end in ".mp3", ".mp4", ".mov", or ".webm", which are usually not allowed to be in user's directories.


sudo rm /directory/of/files/to/delete/*

  • This deletes all of the files within a certain directory (make sure to include the asterisk at the end). For example sudo rm /home/jim/Music/*
Retrieved from "https://cypat.rainbowunicorn.org/index.php?title=Operating_Systems/Linux/Ubuntu/Ubuntu_16.04_LTS/Scripting&oldid=357"