YobiWiki - User contributions [en]

Mysql

2007-10-11T12:19:16Z

192.168.6.2: /* Backups */

[http://www.mysql.org/doc/refman/5.1/en/index.html Mysql Reference Manual]

==Basic commands==

On sql vserver: installation and assignation of a root password
apt-get install mysql-server
mysql -u root
mysql> SET PASSWORD=PASSWORD('sql_long_pwd');
mysql> FLUSH PRIVILEGES;
mysql> QUIT;

Or shorter:
mysqladmin password sql_long_pwd

Now we have to give the pwd each time we manipulate the db:
mysql -u root -p

Edit /etc/mysql/my.cnf to activate the network availability:
bind-address = <my_ip>

To create a new db and an associated user with full rights on this db
CREATE DATABASE <database>;
GRANT ALL ON <database>.* TO <db_admin>@<host> IDENTIFIED BY '<db_admin_password_in_clear>';

To shutdown mysql
mysqladmin -p shutdown

To delete a table (be careful!!)
mysqladmin -uroot -p drop <my_table>

To backup a database
mysqldump -uadmin_gallery2 -p -h sql --opt gallery2 > gallery2.sql

To change the password of a user (always combined with a host):
SET PASSWORD FOR username@host=PASSWORD('new_password');

==Installation of Mysql-dependant programs==
* [[Gallery]]
* [[PhpMyAdmin]]
* [[Mediawiki]]
* [[Webcalendar]]
* [[Php-Syslog-ng]]
* [[RSS2Jabber]]

==Backups==
cf http://dev.mysql.com/doc/refman/5.0/en/mysqlhotcopy.html

Very simple way to backup small DBs:
/sqlbackups/mydb.sql {
rotate 5
daily
size 10M
compress
missingok
postrotate
mysqldump mydb >/sqlbackups/mydb.sql
endscript
}

==Recovery==
After a violent reboot, I got the following error when accessing a table:

[ERROR] /usr/sbin/mysqld: Table \'./syslog/logs20070909\' is marked as crashed and last (automatic?) repair failed

What I did, following http://www.ooad.org/html-chapter/database-administration.html

#/etc/init.d/mysql stop
Stopping MySQL database server: mysqld.

# myisamchk --update-state /var/lib/mysql/syslog/logs20070909.MYI
Checking MyISAM file: logs20070909.MYI
Data records: 12664 Deleted blocks: 0
myisamchk: warning: Table is marked as crashed and last repair failed
myisamchk: warning: 1 client is using or hasn't closed the table properly
- check file-size
- check record delete-chain
- check key delete-chain
- check index reference
- check data record references index: 1
myisamchk: error: Found 12678 keys of 12664
- check record links
myisamchk: error: Record-count is not ok; is 12678 Should be: 12664
myisamchk: warning: Found 12678 parts Should be: 12664 parts
MyISAM-table 'logs20070909.MYI' is corrupted
Fix it using switch "-r" or "-o"

# myisamchk --update-state -r /var/lib/mysql/syslog/logs20070909.MYI
- recovering (with sort) MyISAM-table 'logs20070909.MYI'
Data records: 12664
- Fixing index 1
- Fixing index 2
- Fixing index 3
- Fixing index 4
- Fixing index 5
- Fixing index 6
Data records: 12678

# /etc/init.d/mysql start
Starting MySQL database server: mysqld ..
Checking for corrupt, not cleanly closed and upgrade needing tables..

Then I still found another warning in /var/log/syslog:

Sep 10 15:41:12 sql /etc/mysql/debian-start[30715]: Checking for crashed MySQL tables.
Sep 10 15:41:21 sql /etc/mysql/debian-start[30725]: WARNING: mysqlcheck has found corrupt tables
Sep 10 15:41:21 sql /etc/mysql/debian-start[30725]: phpwiki_cartable.page
Sep 10 15:41:21 sql /etc/mysql/debian-start[30725]: warning : 1 client is using or hasn't closed the table properly

I did a simple check:
#/etc/init.d/mysql stop
# myisamchk --update-state /var/lib/mysql/phpwiki_cartable/*.MYI
#/etc/init.d/mysql start

And now everything seems to be in order.

Vserver administration

2007-09-25T09:13:20Z

192.168.6.2: /* Disk limits */

==Introduction==
Official homepage: [http://linux-vserver.org/ Linux VServer Project]

Good introduction:
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper Linux-VServer Technology]
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper-French La Technologie Linux-VServer]

Debian support:
apt-cache search vserver
kernel-patch-vserver - context switching virtual private servers - kernel patch
[http://www.nongnu.org/util-vserver/ util-vserver] - tools for Virtual private servers and context switching
vserver-debiantools - Tools to manage debian virtual servers

Misc:
* [http://www.lri.fr/~fragile/IMG/pdf/Quetier.pdf Benchmark Comparisons between UML, VMWare, vserver and Xen (pdf)]

==Kernel compilation==
===The Debian way===
I followed instructions given in
* /usr/share/doc/kernel-patch-vserver/README.Debian
* [http://linux-vserver.org/Step-by-Step+Guide+2.6 Step-by-step 2.6]
* [http://deb.riseup.net/vserver/preparing/ Debian vservers]
* [http://arnofear.free.fr/linux/vserver-1.php Debian and vserver, french howto]
* [http://lena.franken.de/linux/debian_and_vserver/ Debian and vserver]
<pre>
apt-get install kernel-patch-vserver linux-source-2.6.16 kernel-package fakeroot
cd /usr/src
tar xjf linux-source-2.6.16.tar.bz2
cd /usr/src/linux-source-2.6.16
cp config-2.6.16-1-amd64-k8 .config
export PATCH_THE_KERNEL=YES
make-kpkg --rootcmd fakeroot \
--revision custom01 \
--added-patches vserver \
--append-to-version +vserver \
--initrd \
binary-arch
"Virtual root device support" -> **y**
"Legacy kernel API" -> y
"Show a Legacy Version ID" -> n
"Disable Legacy Networking Kernel API" -> n
"Enable Proc Security" -> y
"Enable Hard CPU Limits" -> y
"Limit the IDLE task" -> n
"Persistent Inode Context Tagging" -> UID24/GID24 (32/32 probably not yet supported on Reiserfs)
"Tag NFSD User Auth and Files" -> n
"VServer Debugging Code" -> n
</pre>
Install kernel and reboot
===Vanilla with GrSec, still the Debian way===
I used linux-2.6.17.14.tar.bz2 + patch-2.6.17.14-vs2.0.2.1-grsec2.1.9.diff
 and the config of the Debian kernel config-2.6.17-2-vserver-amd64
make oldconfig
I activated HARDCPU limits and misc PAX & GRSEC stuff ([http://people.linux-vserver.org/~harry/_README_ this page] can help):
<pre>
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
</pre>
make-kpkg --rootcmd fakeroot --us --uc --initrd kernel-image
And I got a linux-image-2.6.17.14-grsec2.1.9-vs2.0.2.1_2.6.17.14-grsec2.1.9-vs2.0.2.1-10.00.Custom_amd64.deb
==Host preparation==
<pre>
apt-get install util-vserver vserver-debiantools
wget http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
chmod +x testme.sh
./testme.sh
dd bs=1024k count=1024 if=/dev/zero of=1gb.test
modprobe loop
losetup /dev/loop0 ./1gb.test
./testfs.sh [ -F reiser ] -D /dev/loop0 -M /mnt
losetup -d /dev/loop0
modprobe -r loop
</pre>
There is no error at this point but as I'm using Reiserfs, I have to activate manually the extended attributes (for lsattr/chattr) by adding the following option to /etc/fstab lines: "attrs" (?? also option acl ??)
 Test: lsattr <mount point of a Reiserfs>
===Change the vserver base path===
* /etc/vservers/.defaults/vdirbase -> /var/lib/vservers
* I change it to /home/vservers, fix the above symlink
* Re-create the "chroot barrier": setattr --barrier /home/vservers showattr /home -> B for vservers
* Some tools could have /var/lib/vservers hardcoded, for safety I create a symlink /var/lib/vservers pointing to /home/vservers

==Manipulating vservers==
===Create a vserver===
Edit /etc/vservers/newvserver-vars:
<pre>
# cf http://amd64.debian.net/README.mirrors.html
MIRROR="http://ftp.belnet.be/debian-amd64/debian"
INTERFACE="<my_if>"
ARCH="amd64"
</pre>
Create a vserver with 64bits:
LANG=C newvserver --hostname template64 --domain teuwen.org --ip <new_ip>/24 --dist etch
Create a vserver with 32bits emulation:
LANG=C newvserver --hostname template32 --domain teuwen.org --ip <new_ip>/24 --dist etch --arch i386 --mirror "http://<i386_debian_mirror>"
Tuning:
* take care of the config duplication!
* enter the vserver and run tzconfig to choose the proper timezone
* fix /etc/apt/sources.list
* delete rcX.d links to umountroot
* Warning! If you use newvserver as such, it will overwrite the host /etc/motd due to a symlink
* See [Vserver tools] for a patch for newvserver
Removing unnecessary progs (check if you really don't need them!!):
* aptitude apt-utils base-config cpio dselect tasksel libncursesw5 libsigc++-1.2-5c2 libsigc++-2.0-0c2a
* dmidecode laptop-detect module-init-tools
* bsdmainutils ed nano nvi
* groff-base man-db manpages info libgdbm3
* netcat traceroute wget libssl0.9.8
* gettext-base libconsole libgnutls11 liblzo2-2 libtasn1-2-bin

===Automatic start at bootup===
echo default > /etc/vservers/<my_vserver>/apps/init/mark
Note that at shotdown all vservers will be stopped
===Delete a vserver===
Remove dirs /home/vservers/<my_vserver> (depends on the setting of vdirbase, cf. above), /etc/vservers/<my_vserver> and /var/run/vservers/<my_vserver> and the corresponding symlink in /var/run/vservers.rev
===Config of a vserver===
''TODO''
?? /etc/vservers/<my_vserver>.conf
?? S_CAPS
see [http://www.nongnu.org/util-vserver/doc/conf/configuration.html Detailed config page (better choosing boring CSS...)]

If you don't assign unique IPs to the vservers but reuse the one of the host:
touch /etc/vservers/<vserver>/interfaces/<N>/nodev
''When this file exists, the interface will be assumed to exist already. This can be used to assign primary interfaces which are created by the host or another vserver.''

===Run a vserver===
vserver <my_vserver> start
vserver <my_vserver> enter
If you get "mesg: /dev/pts/1: Operation not permitted", be root on the host with "su -"
vserver <my_vserver> stop
===Other tools===
vserver <my_vserver> status
vserver-stat
vtop, vps, vpstree, vkill
/etc/rc.d/init.d/rebootmgr is a daemon which can be called from vservers via vreboot and vhalt to stop/restart the vserver from inside

See also [http://www.nongnu.org/util-vserver/doc/conf/compatibility.html compatibility of util-vserver alpha branch]

See [[Vserver tools]] for my own/modified scripts

===Duplicate a vserver===
vserver <my_vserver1> stop
dupvserver --from <my_vserver1> --to <my_vserver2> --ip <new_ip>
dupvserver is broken with the new configuration structure /etc/vservers/<my_vserver>/
 See [[Vserver tools]] for a patch for dupvserver
===Move/copy a vserver===
Basically stop the vserver and copy /etc/vservers/<my_vserver> and /home/vservers/<my_vserver>
 E.g. rsync -e ssh -avHl /vservers/XX new-server:/vserver/XX
==Share directories==
To mount a directory from one vserver into another from the host:
vnamespace -e <vserver> mount --rbind /directory/to/mount/somewhere /where/to/mount/it
vnamespace -e <vserver> umount /where/it/was/mounted

or
mount --bind /home /var/lib/vservers/vserver1/home
mount --bind /home /var/lib/vservers/vserver2/home
The second method had the disavantage to require a reboot of the vserver

To mount an NFS share in a vserver:
 Add the nfs share to /etc/vservers/<vserver>/fstab
 If you want the user to be able to do it from the vserver itself, you've to add some capabilities, apparently sth like SECURE_MOUNT, SECURE_REMOUNT and/or BINARY_MOUNT to /etc/vservers/<vserver>/ccapabilities (didn't try)

==Apt-get==
LANG=C vapt-get <my_vserver1> <my_vserver2> <...> -- install <pkg1> <pkg2>
==Unify==
cf immutable-linkage-invert flag

Preparation:
mkdir /etc/vservers/template64/apps/vunify
mkdir /etc/vservers/<my_vserver>/apps/vunify
ln -s /etc/vservers/template64 /etc/vservers/<my_vserver>/apps/vunify/refserver.template64
Unification:
 Be sure both vservers are running
vserver <my_vserver> unify [-n] [-R]
-n for dry run, no change
 -R for de-unifying

When using tar, add option -U to unlink & recreate files instead of overwriting.
 Manual set/unset of the immutable-linkage-invert flag:
setattr --iunlink /my/file
setattr --~iunlink /my/file
==Disk limits==
cf http://linux-vserver.org/Disk+Limits

* Assign static contexts for the vservers (i.e. have a value between 2 and 49151 in /etc/vservers/<name>/context)
* Mount the filesystem holding the vserver(s) with the tagxid option
** Check if this is mounted properly: use cat /proc/mounts Ex.: /dev/mapper/Zeus-home /home reiserfs rw,tagxid 0 0
** WARNING: if the filesystem is already in use with vservers, nothing prevent you to umount the filesystem while the vservers are still running, which is VERY BAD! Be careful.
** I could only get the tagxid taken properly into account after a reboot
** To set tagxid on / you need to do it from initrd as tagxid cannot be set at remount: add to the kernel params the option "rootflags=tagxid", e.g. via /boot/grub/menu.lst #kopts=...
* Change the xid of already existing files:
chxid -c <my_vserver> -R /home/vservers/<my_vserver>
* Set limits, first method: here limit to 5Gb, 100000 inodes and 5% for the root user For info as I could not get it working properly yet
mkdir /var/cache/vservers
ln -s /var/cache/vservers /etc/vservers/.defaults/cachebase
mkdir /etc/vservers/.defaults/cachebase/<my_server>
ln -s /etc/vservers/.defaults/cachebase/<my_server> /etc/vservers/<my_server>/cache
mkdir -p /etc/vservers/<my_vserver>/dlimits/0
echo /home/vservers/<my_vserver> > /etc/vservers/<my_vserver>/dlimits/0/directory
echo $(( 5 * 1024 * 1024 )) > /etc/vservers/<my_vserver>/dlimits/0/space_total
echo 100000 > /etc/vservers/<my_vserver>/dlimits/0/inodes_total
echo 5 > /etc/vservers/<my_vserver>/dlimits/0/reserved
* Set limits, second method:
** Install my vdlimit_ script in /usr/local/sbin: [[Vserver tools]]
ln -s /usr/local/sbin/vdlimit_ /etc/vservers/<my_vserver>/scripts/post-start.d/vdlimit_$((5*1024))
** To change the limit on-the-fly simply rename the link and execute
./vdlimit_<new_size> pre-stop <my_vserver>;./vdlimit_<new_size> post-start <my_vserver>;

==Network==
===Intern network===
For pure loopback, use dummy interface, cf http://mirabellug.org/wikini/wakka.php?wiki=VServers

For usable dummy interface, us permanent taps as the uml tools allow:
apt-get install uml-utilities
* Create a pseudo-interface:
<pre>
auto tap0
iface tap0 inet static
address 192.168.2.1
netmask 255.255.255.0
tunctl_user uml-net
</pre>
And configure vservers with the same dev=tap0

Update: to check but actually all traffic with private or public IP will anyway be done through lo so this is probably not required

Note that if you use openvpn, you can create tun/tap with
openvpn --mktun --dev tap0

===Configure daemons to listen only to the IP-address of the mothersystem===
* ''openbsd-inetd:'' (not netkit-inetd) in file /etc/inetd.conf: Prepend the service with <IP pub>: Example
<IP pub>:cvspserver stream tcp nowait root /usr/sbin/tcpd /usr/sbin/cvs-pserver
* ''xinetd:'' (not inetd) in file /etc/xinetd.conf:
defaults
{ bind = <IP pub> }

/etc/init.d/xinetd restart
* ''sshd:'' in file /etc/ssh/sshd_config:
ListenAddress <IP pub>

/etc/init.d/ssh restart
* ''exim4:'' in file /etc/exim4/update-exim4.conf.conf:
dc_local_interfaces='<IP pub>'

/etc/init.d/exim4 restart
Better to do it through debconf to avoid surprises at update time: dpkg-reconfigure exim4-config
* ''courier-imap:'' in file /etc/courier/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap restart
* ''courier-imap-ssl:'' in file /etc/courier-ssl/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap-ssl restart
* ''imapproxy:'' in file /etc/imapproxy.conf:
listen_address <IP pub>
Within a vserver, you'll probably hav to reduce the cache_size or give capability to the vserver to raise the setrlimit.
* ''mysql:'' in file /etc/mysql/my.cnf:
bind-address = <IP pub>
* ''vsFtpd:'' in file /etc/vsftpd.conf:
listen_address=<IP pub>
* ''postgresql:'' in file /etc/postgresql/postgresql.conf:
virtual_host = '<IP pub>'
* ''apache2:'' in file /etc/apache2/ports.conf:
Listen <IP pub>:80
* ''zope2.9:'' in file /etc/zope2.9/<instance>/zope.conf:
ip-address <IP pub>
* ''portmap:'' in file /etc/default/portmap:
OPTIONS="-i <IP pub/loopback>"
* ''dnsmasq:'' in file /etc/dnsmasq.conf:
listen-address=<IP pub>
bind-interfaces
* ''[[Virtual_Private_Networks|openvpn]]'' in file /etc/openvpn/server.conf:
local <IP pub>
* netstat -lp -> other greedy daemons?
* Seems that this is possible via another method, here it will bind the daemon to the first IP of the interface: exec /usr/sbin/chbind --ip eth0 /path/to/daemon

===Add an interface without rebooting the vserver===
* add the ip to the host (ip addr add ...)
* add the ip to the guest's network context
# naddress --add --nid <nid> --ip <ip>/<mask>
* enter the guest (best via ssh)
* restart the services if required (most services will automatically start using the new addresses)
* update the config to reflect the changes for the next guest restart (if desired)
Thanks Herbert!
==Understanding vservers==
===Security contextes===
* Find security context of process N:
chcontext --ctx 1 cat /proc/N/status|grep s_context
* Be in the same context:
chcontext --ctx X /bin/sh
* Master context: 1, example to get all listening ports:
chcontext --ctx 1 netstat -lpn
See also [http://www.solucorp.qc.ca/miscprj/s_context.hc Virtual private servers and security contexts]
===Ceiling capabilities===
* As non-root, check capBset:
cat /proc/self/status
* Reduce ceiling caps:
reducecap --secure /bin/sh
* Now capBset is reduced:
cat /proc/self/status
su
* capEff raised a bit but not enough to do for example /sbin/ifconfig eth0 down
* See also [Capabilities in Linux|http://www.lids.org/lids-howto/node34.html]

==Security==
Not necessarily related to vserver but always useful to consider :-)
*ssh
**Use the AllowUsers option to give ssh rights only to those who need it.
**Brute-force protection: apt-get install denyhosts Edit /etc/denyhosts.conf to get email reports Un case someone forgot his pwd and got banned, to remove the ban directly: remove it from /var/lib/denyhosts files and /etc/hosts.deny of course
*iptables (on the host)
**cf --uid-owner and other --XXX-owner options on OUTPUT table to avoid download of malicious code on INPUT table to avoid bindshells
*resource limits
** cpu/mem

===GrSec===
* http://pax.grsecurity.net/
* http://people.linux-vserver.org/~harry/_README_
* http://www.zataz.net/docs/8024/introduction-grsecurity.html
* http://linux-vserver.org/grsecurityHowto
* http://ludit.kuleuven.be/software/vserver/_README_
apt-get install paxctl gradm2

==Iptables Proxy==
* http://www.virtuaserver.com.br/forum/viewtopic.php?t=130

==Other tricks==
* For other tweaks, see http://deb.riseup.net/vserver/usage/ :
** What if I accidentally removed a vserver while it was running?
** Howto convert legacy vservers to the new format
** Howto add an IP to a running vserver, without restarting it?
** Howto make the host interface and IP available in a vserver
** Howto impose disk limits in each vserver
* http://www.paul.sladen.org/vserver/faq
* [http://linux-vserver.org/ProblematicPrograms Problematic programs]
* If you drop files from "outside of the vserver context" (from the host e.g.) you've to reassign the correct xid to the files:
chxid -c <vserver> -R /home/vservers/<vserver>
# all at once:
for i in $(ls /etc/vservers/); do echo $i; chxid -c $i -R /home/vservers/$i;done
* If you drop files from "outside of the vserver context" (from the host e.g.) you've to regenerate the disk usage and limit of the vserver if you use my vdlimit_ script:
vserver <vserver> stop
rm /var/cache/vservers/<vserver>_vdlimit_
vserver <vserver> start
* To run a script (e.g. an /etc/init.d/start_my_daemon) in ctx 1, e.g. to start ntop and be sure it can see all the traffic, simply add at the begin of the script:
if cat /proc/self/vinfo|grep -q -v ":[^0-9]1$"; then
/usr/sbin/chcontext --ctx 1 $0 $*
exit
fi
* To "mount" a samba shared drive from a vserver is not possible or at least when running grsec but you can still use the good old ftp-styled smbclient
smbclient //machine/share -U domain/user

==TODO==
* http://www.nongnu.org/util-vserver/doc/conf/compatibility.html
* http://linux-vserver.derjohn.de/
* [VServer wiki|http://vserver.strahlungsfrei.de/tiki-index.php]
* [Administrator Guide|http://linux-vserver.org/linux-vserver_administrators_gide]
* [Debian newvserver|http://www.paul.sladen.org/vserver/debian/]
* [Howto Debian vserver|http://www.howtoforge.com/linux_vserver_debian]
* ?? apt-get install vlan
* ?? ipac-ng
* CPU limit
** http://linux-vserver.org/Linux-VServer-Paper-06
** http://list.linux-vserver.org/archive/vserver/msg08134.html
* BW limit
** http://lartc.org/howto/
* http://linux-vserver.org/HowTo+Read+ProcFS
* http://linux-vserver.org/HistoryList?full=1
* Publish Munin scripts
* http://linux-vserver.org/VServer+installation+Fedora+Core+5
* http://vserver.13thfloor.at/Experimental/
* http://www.archivesat.com/Linux-VServer/
* http://www.solucorp.qc.ca/miscprj/s_context.hc?s1=1&s2=0&s3=0&s4=0&full=0&prjstate=1&nodoc=0
* (fr) http://fr.wikibooks.org/wiki/Vserver

Forensics

2007-09-25T09:10:41Z

192.168.6.2: /* Links */

== Books ==
* [http://www.porcupine.org/forensics/forensic-discovery/ Forensics Discovery]
== Links ==

* http://www.d-fence.be and http://www.lnx4n6.be
** Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix
** Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)
* [http://www.foo.be/gt/forensic/ Présentation d'adulau]
* http://cve.mitre.org
* http://www.porcupine.org (Wieste Venema/TCT)
* [http://public.afosi.amc.af.mil U.S AirForce Office of Special Investigations]
* http://www.forensicswiki.org

== Lists ==

* http://groups.yahoo.com/group/linux_forensics/

== Tools ==

=== Generic forensic tools ===
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]'''
** apt-get install tct
** '''grave-robber''': collecte d'infos et empreinte -> /var/cache/tct/data
** '''lazarus''': reconstitue les fichiers présents dans les clusters non référencés
** '''mactime''': liste les fichiers dont le mactime a été modifié depuis une certaine date
* '''[http://sleuthkit.sourceforge.net/sleuthkit/index.php Sleuthkit]''' & '''Autopsy''' (GUI)
** apt-get install sleuthkit
** apt-get install autopsy
** [http://sleuthkit.sourceforge.net/sleuthkit/tools.php A lot] of tools
** Some [http://sleuthkit.sourceforge.net/informer/ very nice articles] online to learn how to use them.

=== On live systems ===
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]'''
** Captures process information stored in Linux's Proc_fs on a best effort basis
*'''[http://www.chrootkit.org Chkrootkit]'''
** Checks for signs of rootkits on the local system
** apt-get install chkrootkit
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps
* '''Kstat'''
** Détecte le détournement d'appels systèmes
** wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz
* Less intrusive: mem dump via '''Firewire'''
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]
** [http://www.storm.net.nz/projects/16 More on his page]

=== Dumping data supports ===
* '''[http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue]'''
** apt-get install gddrescue
** Seems to work better than the next one (not to be confounded with...)
* '''[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue]'''
** apt-get install ddrescue
* '''[http://www.ferzkopp.net/Software/CloneIt/CloneIt.html CloneIt]'''
** Networked Harddisk Replication System
** cf also netcat on [[Network security tools]]
* '''[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]'''
** To recover badly damaged CD/DVDs

=== Guessing the filesystem used ===
* testdisk
** apt-get install testdisk
* gpart
** apt-get install gpart
* disktype
** apt-get install disktype

=== Recovering files from filesystems ===
==== LVM ====
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.
==== From ISO9660 ====
* '''[http://www.heise.de/ct/05/16/links/078.shtml dares]'''
** Description: rescue files from damaged CDs and DVDs (ncurses-interface) Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.
** apt-get install dares
** Note that it helps recovering a ''logically'' damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.
==== From ext2 ====
* e2undel
** apt-get install e2undel
* recover (and gtkrecover)
** apt-get install recover
Agnostic (any fs)
* '''[http://foremost.sourceforge.net/ foremost]'''
** Description: a forensics application to recover data foremost is a console program to recover files based on their headers and footers for forensics purposes. foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
** apt-get install foremost
** Very good, nice progression report
** Example: foremost -t avi -t mpg -t wmv -t mov -q -v -i /dev/hda -o /path/recovered
* '''[http://jbj.rapanden.dk/magicrescue/ Magic Rescue]'''
** very same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
** Comes with '''dupemap''', a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files). Example: dupemap delete,report /path/recovered
** To compile correctly dupemap, install libgdbm-dev
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]'''
** Idem but focuses on jpeg only
** apt-get install recoverjpeg
* photorec
** This one comes with testdisk, promises a lot of different formats (pdf, raw images, zip, wma etc etc) but seems to create a lot of false positive (at least experienced with mpg)
** apt-get install testdisk

===Recovering information from files===
* '''[http://www.workshare.com/products/trace/ Trace!]''' by Workshare
** Windows-based tool for showing all Microsoft Office documents meta-information
** Quite heavy and requires Microsoft .NET to be installed

==Anti-forensic resources==
* wipe: secure file deletion
** To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn't wipe slack space!)
** dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk '/hda1/{print $4}')))
* secure-delete: tools to wipe files, free disk space, swap and memory
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion
* [http://www.sysinternals.com/Utilities/SDelete.html SDelete] from Sysinternals
* [http://www.phrack.org/phrack/59/p59-0x06.txt Defeating Forensic Analysis on Unix]
* [http://hack.lu/images/8/80/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]

==Old stuff...==

===Récupération des données volatiles===
====Identification====
*Nom du système et version
**uname -a
*Date et heure
**date
* Paramètres réseau
**ifconfig | grep "inet addr"
====Configuration====
* Uptime
**uptime
* Applications installées
**rpm -qa OU dpkg --get-selections
* Configuration réseau
** ifconfig -a
* Table de routage
**netstat -arn
* Stratégie de mots de passe
** cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
* Comptes utilisateurs
** cat /etc/passwd
* Groupes
** cat /etc/groups
====Activité====
* Utilisateurs connectés
** w (who)
* Processus en exécution
**ps auwx
* Sockets ouvertes & processus propriétaires
** netstat -anptuw
** s'aider éventuellement de /etc/services
* Table ARP
** arp -a
====Historique====
* Connexions locales & distantes
**last -f /var/log/wtmp (et autres wtmp.N...)
* Echecs de connexion
** cf syslog
* Derniers fichiers accédés
**ls -alRu
* Dernière connexion de chaque utilisateur
**lastlog (lastlog|grep -v "\*\*.*\*\*")
* Dernières commandes passées
**history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)
====Sniffers====
*ifconfig -a|grep PROMISC
*Processus ayant ouvert un fichier
*lsof...
*Processus ayant ouvert une socket
**for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;
====Dump de la RAM====
* copier /proc/kcore
===Récupération des données persistantes===
* dd
* dd_rescue (apt-get install ddrescue), see also gddrescue
** error-tolerant version of dd for rescuing data
* strings
* file
* md5sum

==See also==
* [[Forensics on Incidents]]
* [[Network Security]]

Prêts et emprunts

2007-09-11T15:02:06Z

192.168.6.2: /* Oli */

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*OReilly: Radius, Joy of Tech et Evil Geniuses in a Nutshell

* Je dois 100EUR
**290.46 + 114.76(frys) + 141.84 (500-baie un an) + 9.4 (foire aux livres) - 442.86 (hosting 2007 - 2008) = 113,6 eur
**2 détecteurs de fumée = (2*9.45)*1.21
**Souches Oli=je dois +-25
**Brico, Oli doit 85.21 + 10.61 (raboteuse joints) + 5 (emboîteur Cu)
** Rembours Talessa Oli a viré 820 au lieu de 810.70
** Je dois 3G de RAM = 234.91 - 1G à 50EUR
** Je dois +- 1 plein = 60EUR (3 pleins et j'ai payé un plein de 59€, et 1 pour les trajets d'Oli)
** Je dois resto 49EUr

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Partoches
*Brazil dvd+livre

===qui?===
*Bridge PCI-PCMCIA

pas dimdim !

Prêts et emprunts

2007-09-07T13:37:59Z

192.168.6.2: /* Oli */

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*OReilly: Radius, Joy of Tech et Evil Geniuses in a Nutshell

* Je dois 100EUR
**290.46 + 114.76(frys) + 141.84 (500-baie un an) + 9.4 (foire aux livres) - 442.86 (hosting 2007 - 2008) = 113,6 eur
**2 détecteurs de fumée = (2*9.45)*1.21
**Souches Oli=je dois +-25
**Brico, Oli doit 85.21 + 10.61 (raboteuse joints) + 5 (emboîteur Cu)
** Rembours Talessa Oli a viré 820 au lieu de 810.70
** Je dois 3G de RAM = 234.91
** Je dois +- 1 plein = 60EUR (3 pleins et j'ai payé un plein de 59€, et 1 pour les trajets d'Oli)

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Partoches
*Brazil dvd+livre

===qui?===
*Bridge PCI-PCMCIA

pas dimdim !

Prêts et emprunts

2007-09-07T13:37:01Z

192.168.6.2: /* Oli */

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*OReilly: Radius, Joy of Tech et Evil Geniuses in a Nutshell

* Je dois 100EUR
**290.46 + 114.76(frys) + 141.84 (500-baie un an) + 9.4 (foire aux livres) - 442.86 (hosting 2007 - 2008) = 113,6 eur
**2 détecteurs de fumée = (2*9.45)*1.21
**Souches Oli=je dois +-25
**Brico, Oli doit 85.21 + 10.61 (raboteuse joints) + 5 (emboîteur Cu)
** Rembours Talessa Oli a viré 820 au lieu de 810.70
** Je dois 3G de RAM
** Je dois +- 1 plein = 60EUR (3 pleins et j'ai payé un plein de 59€, et 1 pour les trajets d'Oli)

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Partoches
*Brazil dvd+livre

===qui?===
*Bridge PCI-PCMCIA

pas dimdim !

Prêts et emprunts

2007-09-07T13:27:46Z

192.168.6.2: /* Oli */

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*OReilly: Radius, Joy of Tech et Evil Geniuses in a Nutshell

* Je dois 101.92EUR
**290.46 + 114.76(frys) + 141.84 (500-baie un an) + 9.4 (foire aux livres) - 442.86 (hosting 2007 - 2008) = 113,6 eur
**2 détecteurs de fumée = (2*9.45)*1.21
**Souches Oli=je dois +-25
**Brico, Oli doit 85.21 + 10.61 (raboteuse joints) + 5 (emboîteur Cu)
** Rembours Talessa Oli a viré 820 au lieu de 810.70
** Je dois 3G de RAM
** Je dois +- 1 plein = 60EUR (3 pleins et j'ai payé un plein de 59€, et 1 pour les trajets d'Oli)

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Partoches
*Brazil dvd+livre

===qui?===
*Bridge PCI-PCMCIA

pas dimdim !

Prêts et emprunts

2007-09-07T13:26:26Z

192.168.6.2: /* Oli */

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*OReilly: Radius, Joy of Tech et Evil Geniuses in a Nutshell

* Je dois 161.92EUR
**290.46 + 114.76(frys) + 141.84 (500-baie un an) + 9.4 (foire aux livres) - 442.86 (hosting 2007 - 2008) = 113,6 eur
**2 détecteurs de fumée = (2*9.45)*1.21
**Souches Oli=je dois +-25
**Brico, Oli doit 85.21 + 10.61 (raboteuse joints) + 5 (emboîteur Cu)
** Rembours Talessa Oli a viré 820 au lieu de 810.70
** Je dois 3G de RAM
** Je dois +- 2 pleins = 2x60EUR (3 pleins et j'ai payé un plein de 59€)

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Partoches
*Brazil dvd+livre

===qui?===
*Bridge PCI-PCMCIA

pas dimdim !

Prêts et emprunts

2007-09-07T13:23:22Z

192.168.6.2: /* Oli */

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*OReilly: Radius, Joy of Tech et Evil Geniuses in a Nutshell

* Je dois 41.92EUR
**290.46 + 114.76(frys) + 141.84 (500-baie un an) + 9.4 (foire aux livres) - 442.86 (hosting 2007 - 2008) = 113,6 eur
**2 détecteurs de fumée = (2*9.45)*1.21
**Souches Oli=je dois +-25
**Brico, Oli doit 85.21 + 10.61 (raboteuse joints) + 5 (emboîteur Cu)
** Rembours Talessa Oli a viré 820 au lieu de 810.70

*Diesel: ??? j'ai payé un plein de 59€

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Partoches
*Brazil dvd+livre

===qui?===
*Bridge PCI-PCMCIA

pas dimdim !

Multi-CD USB stick

2007-08-30T15:14:47Z

192.168.6.2:

Well I'm not sure the title speaks for itself...
 Live CDs are great and USB sticks have amazing capacities (I'm curious how it'll sound in a couple of years...)
 I've bought a 6Gb USB "stick", actually it's a HD in a credit-card format.
 The idea is to bring on it and be able to boot:
* [http://www.knopper.net/knoppix/index-en.html Knoppix DVD] v5.1.1
** and memtest
** and DOS (from balder.img) That one fails on my laptop :-(
* [http://www.lnx4n6.be/index.php?sec=Downloads&page=bootcd FCCU CD] v11.0
* [http://dban.sourceforge.net/ DBAN] v1.0.7
* [http://www.debian.org/devel/debian-installer/ Etch installer] from [http://ftp.kulnet.kuleuven.ac.be/debian/dists/etch/main/installer-i386/current/images/hd-media/ boot.img.gz]

So I use a single syslinux with a huge configuration file.
 Sometimes there are some clashes between the files of the various systems so we've to rename some when possible and choose between some when not possible.
* syslinux.cfg and isolinux.cfg => merge all and rename some of the targets if needed
* boot.* => choose one image (I took the Debian spiral from Etch installer) and one text (I list shortly the main targets)
* F1..F10 help screens => choose or mix

From Etch: this is really the basis of the install, with its syslinux
* debian-testing-i386-netinst.iso renamed as: debian.iso
* disk.lbl
* f1.txt .. f10.txt
* initrd26.gz
* initrdg.gz
* initrd.gz
* ldlinux.sys (install it properly as a bootable USB stick!)
* linux
* linux26
* splash.rle

From DBAN (dban-1.0.7_i386.ima):
* dbanlog
* dbanseed
* *.txt => dbaninfo/
* initrd.gz renamed as: initrddb.gz
* kernel.bzi

From Knoppix DVD:
* knoppix/
* balder.img
* linux renamed as: linux-kn
* memtest
* minirt.gz

From FCCU:
* knoppix/ renamed as: fccu/
* linux renamed as: lin-fccu
* minirt.gz renamed as: minifccu.gz (cf note)

Note:
For FCCU as we had to rename the directory and as v11 is incompatible with knoppix dvd v5.1.1 I had to change minifccu.gz:
gunzip minifccu.gz
mount -o loop minifccu /mnt/disk
Edit /mnt/disk/linuxrc and prepend the module list by the new path: (but keep the rest!)
MODULE_DIRS="/cdrom/fccu/modules /cdrom/KNOPPIX/modules ...

And now this huge and quite messy syslinux.cfg:
<pre>
DEFAULT fccu
TIMEOUT 300
PROMPT 1
DISPLAY boot.my
F1 f1.txt
F2 f2.txt
F3 f3.txt
F4 f4.txt
F5 f5.txt
F6 f6.txt
F7 f7.txt
F8 f8.txt
F9 f2
F0 f3

LABEL fccu
KERNEL lin-fccu
APPEND ramdisk_size=100000 init=/etc/init lang=us dma noswap nodhcp 3 apm=power-off vga=791 initrd=minifccu.gz nomce quiet BOOT_IMAGE=knoppix knoppix_dir=fccu

LABEL knoppix
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=knoppix
LABEL knoppix_expert
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce BOOT_IMAGE=expert

LABEL memtest
KERNEL memtest
APPEND foo

LABEL knoppix-txt
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=normal initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=knoppix
LABEL knoppix_debug
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=normal initrd=minirt.gz debug BOOT_IMAGE=debug
LABEL fb1280x1024
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=794 xmodule=fbdev initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=knoppix
LABEL fb1024x768
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 xmodule=fbdev initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=knoppix
LABEL fb800x600
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=788 xmodule=fbdev initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=knoppix
LABEL dos
KERNEL balder.img
LABEL failsafe
KERNEL linux-kn
APPEND ramdisk_size=100000 init=/etc/init lang=us vga=normal atapicd nosound noapic noacpi pnpbios=off acpi=off nofstab noscsi nodma noapm nousb nopcmcia nofirewire noagp nomce nodhcp xmodule=vesa initrd=minirt.gz BOOT_IMAGE=knoppix
LABEL userdef
KERNEL linux-kn

APPEND ###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
LABEL install24
kernel linux
append vga=normal initrd=initrd.gz ramdisk_size=11302 root=/dev/ram rw --
LABEL expert24
kernel linux
append priority=low vga=normal initrd=initrd.gz ramdisk_size=11302 root=/dev/ram rw --
LABEL install
kernel linux26
append vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw --
LABEL linux
kernel linux26
append vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw --
LABEL install26
kernel linux26
append vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw --
LABEL linux26
kernel linux26
append vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw --
LABEL installgui
kernel linux26
append video=vesa:ywrap,mtrr vga=788 initrd=initrdg.gz ramdisk_size=23109 root=/dev/ram rw --

LABEL expert
kernel linux26
append priority=low vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw --
LABEL expert26
kernel linux26
append priority=low vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw --
LABEL expertgui
kernel linux26
append priority=low video=vesa:ywrap,mtrr vga=788 initrd=initrdg.gz ramdisk_size=23109 root=/dev/ram rw --

LABEL rescue
kernel linux26
append vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw rescue/enable=true --
LABEL rescue24
kernel linux
append vga=normal initrd=initrd.gz ramdisk_size=11302 root=/dev/ram rw rescue/enable=true --
LABEL rescue26
kernel linux26
append vga=normal initrd=initrd26.gz ramdisk_size=9882 root=/dev/ram rw rescue/enable=true --
LABEL rescuegui
kernel linux26
append video=vesa:ywrap,mtrr vga=788 initrd=initrdg.gz ramdisk_size=23109 root=/dev/ram rw rescue/enable=true --

### DBAN 1.0.7
LABEL autonuke
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke" silent

LABEL dban
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe" silent

LABEL dod
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke --method dod522022m" silent

LABEL dod3pass
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke --method dod3pass" silent

LABEL dodshort
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke --method dodshort" silent

LABEL gutmann
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe --autonuke --method gutmann" silent

LABEL ops2
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe --autonuke --method ops2" silent

LABEL paranoid
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe --autonuke --method prng --rounds 8 --verify all" silent

LABEL prng
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe --autonuke --method prng --rounds 8" silent

LABEL quick
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe --autonuke --method quick" silent

LABEL zero
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe --autonuke --method zero" silent

# Troubleshooting Labels

LABEL nofloppy
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe" floppy=0,16,cmos

LABEL nosilent
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe"

LABEL noverify
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc quiet nuke="dwipe --verify off"

# Debugging Labels

LABEL debug
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="exec ash" debug

LABEL shell
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="exec ash"

LABEL verbose
KERNEL kernel.bzi
APPEND initrd=initrddb.gz root=/dev/ram0 init=/rc nuke="dwipe --method quick"

# The DBAN kernel uses DevFS without devfsd, so you may not use conventional
# device node file names in kernel options.
#
# Note that Linux 2.4.19+ will not boot with root=/dev/rd/0. The /dev/ram0
# name is, however, now hardcoded in 'init/do_mounts.c' so root=/dev/ram0 works
# instead. This violates the DevFS documentation and is probably a kernel bug.
#
# If a VGA or HGA video adapter is not found, then the first serial port
# detected will be used as the system console.

# This option will start syslinux on the first serial port.
#SERIAL 0

# This kernel option will force a serial console on the first serial port.
#APPEND console=ttyS0,9600n8r [...]

# Print the product banner and liability disclaimer.
#DISPLAY warning.txt

# Extra screens.
#F1 warning.txt
#F2 about.txt
#F3 quick.txt
#F4 trouble.txt
#F5 raid.txt

# The Boot Prompt
# ---------------
#
# Usage: [label [kernel options] [nuke="dwipe [dwipe options]"]]
#
# Dwipe Options:
#
# --autonuke Be really sure.
# -m --method The wipe method to use.
# -r --rounds The number of times to run the method.
# --verify The verification level.
#
# Dwipe Methods:
#
# dod522022m American Department of Defense 5220.22-M standard wipe.
# dodshort dod3pass DoD short wipe, passess 1,2,7 from the standard wipe.
# gutmann Peter Gutmann's wipe.
# ops2 RCMP TSSIT OPS-II standard wipe.
# prng random PRNG stream wipe.
# quick zero Quick erase.
#
# Verification Levels:
#
# 0 off Do not read anything back from the device.
# 1 last Check whether the device is empty after wiping.
# 2 all Check whether all passes were written properly.
#
# Notes:
#
# * The rounds option does not apply to to the quick method. This method
# always runs one round.
#
# * Use at least four rounds with the prng method. Using eight rounds with
# the prng method is recommended.
#
# * The last pass of every method fills the device with zeros, except the
# ops2 method which fills the device with a random stream on its last pass.
#

# eof
</pre>

Quick howto to copy the setup on another stick:
* Copy the mbr from one to the other with sth like (check for your own drive letters!!)
dd if=/dev/sdX of=/dev/sdY bs=512 count=1
* Check the partition table but by default you usually get one sdY1 with FAT, flag it as bootable
fdisk /dev/sdY -> a -> 1
* Install syslinux
syslinux /dev/sdY
* Copy the other files

Forensics

2007-07-31T11:02:50Z

192.168.6.2: /* Recovering files from filesystems */

== Books ==
* [http://www.porcupine.org/forensics/forensic-discovery/ Forensics Discovery]
== Links ==

* http://www.d-fence.be and http://www.lnx4n6.be
** Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix
* [http://www.foo.be/gt/forensic/ Présentation d'adulau]
* http://cve.mitre.org
* http://www.porcupine.org (Wieste Venema/TCT)
* [http://public.afosi.amc.af.mil U.S AirForce Office of Special Investigations]
* http://www.forensicswiki.org

== Lists ==

* http://groups.yahoo.com/group/linux_forensics/

== Tools ==

=== Generic forensic tools ===
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]'''
** apt-get install tct
** '''grave-robber''': collecte d'infos et empreinte -> /var/cache/tct/data
** '''lazarus''': reconstitue les fichiers présents dans les clusters non référencés
** '''mactime''': liste les fichiers dont le mactime a été modifié depuis une certaine date
* '''[http://sleuthkit.sourceforge.net/sleuthkit/index.php Sleuthkit]''' & '''Autopsy''' (GUI)
** apt-get install sleuthkit
** apt-get install autopsy
** [http://sleuthkit.sourceforge.net/sleuthkit/tools.php A lot] of tools
** Some [http://sleuthkit.sourceforge.net/informer/ very nice articles] online to learn how to use them.

=== On live systems ===
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]'''
** Captures process information stored in Linux's Proc_fs on a best effort basis
*'''[http://www.chrootkit.org Chkrootkit]'''
** Checks for signs of rootkits on the local system
** apt-get install chkrootkit
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps
* '''Kstat'''
** Détecte le détournement d'appels systèmes
** wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz
* Less intrusive: mem dump via '''Firewire'''
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]
** [http://www.storm.net.nz/projects/16 More on his page]

=== Dumping data supports ===
* '''[http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue]'''
** apt-get install gddrescue
** Seems to work better than the next one (not to be confounded with...)
* '''[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue]'''
** apt-get install ddrescue
* '''[http://www.ferzkopp.net/Software/CloneIt/CloneIt.html CloneIt]'''
** Networked Harddisk Replication System
** cf also netcat on [[Network security tools]]
* '''[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]'''
** To recover badly damaged CD/DVDs

=== Guessing the filesystem used ===
* testdisk
** apt-get install testdisk
* gpart
** apt-get install gpart
* disktype
** apt-get install disktype

=== Recovering files from filesystems ===
==== LVM ====
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.
==== From ISO9660 ====
* '''[http://www.heise.de/ct/05/16/links/078.shtml dares]'''
** Description: rescue files from damaged CDs and DVDs (ncurses-interface) Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.
** apt-get install dares
** Note that it helps recovering a ''logically'' damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.
==== From ext2 ====
* e2undel
** apt-get install e2undel
* recover (and gtkrecover)
** apt-get install recover
Agnostic (any fs)
* '''[http://foremost.sourceforge.net/ foremost]'''
** Description: a forensics application to recover data foremost is a console program to recover files based on their headers and footers for forensics purposes. foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
** apt-get install foremost
** Very good, nice progression report
** Example: foremost -t avi -t mpg -t wmv -t mov -q -v -i /dev/hda -o /path/recovered
* '''[http://jbj.rapanden.dk/magicrescue/ Magic Rescue]'''
** very same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
** Comes with '''dupemap''', a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files). Example: dupemap delete,report /path/recovered
** To compile correctly dupemap, install libgdbm-dev
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]'''
** Idem but focuses on jpeg only
** apt-get install recoverjpeg
* photorec
** This one comes with testdisk, promises a lot of different formats (pdf, raw images, zip, wma etc etc) but seems to create a lot of false positive (at least experienced with mpg)
** apt-get install testdisk

===Recovering information from files===
* '''[http://www.workshare.com/products/trace/ Trace!]''' by Workshare
** Windows-based tool for showing all Microsoft Office documents meta-information
** Quite heavy and requires Microsoft .NET to be installed

==Anti-forensic resources==
* wipe: secure file deletion
** To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn't wipe slack space!)
** dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk '/hda1/{print $4}')))
* secure-delete: tools to wipe files, free disk space, swap and memory
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion
* [http://www.sysinternals.com/Utilities/SDelete.html SDelete] from Sysinternals
* [http://www.phrack.org/phrack/59/p59-0x06.txt Defeating Forensic Analysis on Unix]
* [http://hack.lu/images/8/80/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]

==Old stuff...==

===Récupération des données volatiles===
====Identification====
*Nom du système et version
**uname -a
*Date et heure
**date
* Paramètres réseau
**ifconfig | grep "inet addr"
====Configuration====
* Uptime
**uptime
* Applications installées
**rpm -qa OU dpkg --get-selections
* Configuration réseau
** ifconfig -a
* Table de routage
**netstat -arn
* Stratégie de mots de passe
** cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
* Comptes utilisateurs
** cat /etc/passwd
* Groupes
** cat /etc/groups
====Activité====
* Utilisateurs connectés
** w (who)
* Processus en exécution
**ps auwx
* Sockets ouvertes & processus propriétaires
** netstat -anptuw
** s'aider éventuellement de /etc/services
* Table ARP
** arp -a
====Historique====
* Connexions locales & distantes
**last -f /var/log/wtmp (et autres wtmp.N...)
* Echecs de connexion
** cf syslog
* Derniers fichiers accédés
**ls -alRu
* Dernière connexion de chaque utilisateur
**lastlog (lastlog|grep -v "\*\*.*\*\*")
* Dernières commandes passées
**history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)
====Sniffers====
*ifconfig -a|grep PROMISC
*Processus ayant ouvert un fichier
*lsof...
*Processus ayant ouvert une socket
**for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;
====Dump de la RAM====
* copier /proc/kcore
===Récupération des données persistantes===
* dd
* dd_rescue (apt-get install ddrescue), see also gddrescue
** error-tolerant version of dd for rescuing data
* strings
* file
* md5sum

==See also==
* [[Forensics on Incidents]]
* [[Network Security]]