linux.txt

## Network Time Protocol 101 [[{configuration.clock,troubleshooting]]

REF:<https://www.server-world.info/en/note?os=Fedora_25&p=ntp&f=2>

  ```
  | $ sudo dnf -y install ntp                       # <- STEP 1) Install ntp client on RedHat flavours
  |                                                 #   sudo apt install ntp on Debian/Ubuntu flavours
  | $ edit /etc/ntp.conf                            # <- STEP 2) Create/Modify config. file
  |
  |   ...
  | + restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
  | +   server 0.fedora.pool.ntp.org iburst
  |   # server 1.fedora.pool.ntp.org iburst
  |   # server 2.fedora.pool.ntp.org iburst
  |   # server 3.fedora.pool.ntp.org iburst
  |   # server ntp.nict.jp iburst
  |   # server ntp1.jst.mfeed.ad.jp iburst
  |   # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  |   # Enable/disable NTP servers "at will"
  | $ sudo systemctl start ntpd                     # <- STEP 3) Start daemon as (SystemD) service
  | $ ntpq -p                                       # <- STEP 4) check
  | $ sudo systemctl enable ntpd                    # <- STEP 5) Enable at boot time.
  | $ sudo timedatectl set-timezone Europe/London   # <- STEP 5) Set timezone
  ```
[[}]]


## Linux ACLs  [[{security.aaa,PM.TODO]]
<https://wiki.archlinux.org/index.php/Access_Control_Lists>
[[}]]

[[{configuration.sysctl,kernel.tunning,configuration.network,storage.fs,troubleshooting.performance]]
# sysctl: Kernel Tunning 

* Cli app to view/modify kernel parameters affecting the runtime behavior
  of network, file-systems, kernel logging, ...
* Not to be confused with (SystemD) 'systemctl' used to add/remove/modify/...
  services (applications running in background), centralized app logging,...
* TIP: *read comments in /etc/sysctl.conf  for most widely tunned params.*
  ```
  | $ sysctl -a                    ← View all configured kernel params
  |                                  Output can be filtered out easily with
  |                                  'grep'.
  |
  | $ sysctl vm.min_free_kbytes    ← View a given param
  |                                  -n: opt. Show only value (vs param name)
  |
  |
  | $ sudo sysctl -w net....=0     ← Set new value for kernel param.
  |
  |
  | $ sudo edit /etc/sysctl.conf   ← make changes permanent after reboot
  |                                 edit /etc/sysctl.d/99-custom.conf for custom
  |                                 changes.
  |
  |
  | $ sudo sysctl -p               ← apply any change in /etc/sysctl.conf
  |                                  Use -p /etc/sysctl.d/99-custom.conf for
  |                                  alternative (non default) path
  |
  | /proc/sys/ OVERVIEW:
  | ├ abi/vsyscall32
  | ├ debug
  | │ ├ exception-trace
  | │ └ kprobes-optimization
  | ├ dev
  | │ ├ parport
  | │ │ ├ default/...
  | │ │ └ parport0/...
  | │ │   ├ devices
  | │ │   ...
  | │ ├ raid/speed_limit_max(min)
  | │ ├ scsi/logging_level
  | │ ├ tty/ldisc_autoload
  | │ ...
  | ├ kernel    REF:  https://www.kernel.org/doc/html/v5.7/admin-guide/sysctl/kernel.html
  | │ ├ acct
  | │ ├ sched_*
  | │ ├ sem
  | │ ├ watchdog*
  | │ ...
  | ├ net
  | │ ├ core/... (40 tunnable params)
  | │ ├ ipv4/* (devices, conf, route, tcp, udp,...)
  | │ ├ ipv6/...
  | │ ├ netfilter ... (65 tunnable params)
  | │ ├ nf_conntrack_max
  | │ ├ unix
  | │ │ └ max_dgram_qlen
  | │ ...
  | ├ fs
  | │ ├ inotify/...
  | │ ├ nfs/...
  | │ ├ ext4/...
  | │ ├ xfs/...
  | │ ...
  | ├ sunrpc ... (11 tunnable params)
  | ├ user/... (9 tunnable params)
  | └ vm/... (48 tunnable params)
  ```
  $ sysctl -a                    ← View all configured kernel params
[[configuration.sysctl}]]

[[{kernel.tunning.tuned,kernel.tunning.101,PM.TODO,qa.UX]]
## Kernel Tunning with 'tuned'

* `/proc/sys/vm/`: Kernel FS "control pannel"   
  <https://tuned-project.org/>

* About tuned:
  * OS Tunning is done in practice through:
    * long-profiling
    * continuous-monitoring
  * Tunning becomes harder if system load changes frequently.<br/>
    Ex.: A system with a peak of load certain hours a day
    ```
    can be tuned for performance     those known hours
    and    tuned for power-efficency the rest of day
    ```

* man 8 tuned: Dynamic Adaptive system tuning daemon
  <https://linux.die.net/man/8/tuned>
  * cron-friendly system service that lets to select a tuning profile
    (pre-build or custom).
  * Tuning include:
    * sysctl settings (/proc/sys/)
    * settings for disk-elevators
    * power management options
    * transparent hugepages
    * custom-scripts
* Install):
  ```
  |  $ sudo dnf -y install tuned   # <· RedHat/Fedora/CentOS package install
  |  $ sudo systemctl enable tuned # <· enable tuned service at boot
  |  ...
  |  $ sudo systemctl start  tuned # <· Start  tuned service now
  |  $ sudo systemctl status tuned # <· Check  tuned service status
  |  $ sudo systemctl status tuned
  |  * tuned.service - Dynamic System Tuning Daemon
  |     Loaded: loaded (/usr/lib/systemd/system/tuned.service; disabled; vendor preset: disabled)
  |     Active: *active (running)* since Sun 2019-01-20 16:29:05 EST; 15s ago
  |       Docs: man:tuned(8)
  |             man:tuned.conf(5)
  |             man:tuned-adm(8)
  |   Main PID: 10552 (tuned)
  |      Tasks: 4 (limit: 4915)
  |     Memory: 15.7M
  |     CGroup: /system.slice/tuned.service
  |             └─10552 /usr/bin/python3 -Es /usr/sbin/tuned -l -P
  ```

* Ussage:
  ```
  | $ *tuned-adm list*   #  ← List existing tunning profiles
  | → Available profiles:
  | → - balanced                    - General non-specialized
  | → - desktop                     - Optimize for the desktop
  | → - latency-performance         - deterministic performance             (increased power consumption)
  | → - network-latency             - deterministic performance low-latency (increased power consumption)
  | → - network-throughput          - Optimize for streaming network throughput
  |                                   generally only necessary on older CPUs or
  |                                   40G+ networks
  | → - powersave                   - Optimize for low power consumption
  | → - throughput-performance      - provides excellent performance across a
  |                                   variety of common server workloads
  | → - virtual-guest               - Optimize for running inside a virtual guest
  | → - virtual-host                - Optimize for running KVM guests
  | → Current active profile: balanced
  |
  | $ *sudo tuned-adm active*  #  ← query status
  | Current active profile: balanced
  |
  | $ *sudo tuned-adm profile  powersave* # ←  select profile
  ```
[[kernel.tunning.tuned}]]


## Job control++
* nice      : run a process with modified scheduling priority.
* STOP/CONT : kill -STOP $pid "freezes" a process.
*             kill -CONT $pid un-freezes it.
* chroot    : (Ch)ange Root, runs a process withing a modified view of   [[{security.101]]
              the OS File System, where the root seen by the process is
              just a subdirectory of the real root path seen by the OS.
              Basically containerization extends the idea of chroot to
              let processes view only a subset of the FS and network
              through (kernel supported) namespaces. [[}]]
* cgroups   : linux kernel (C)ontrol groups allow processes to be organized
              into hierarchical groups whose usage of various types of
              resourcescan then be limited and monitored.
              `/sys/fs/cgroup` pseudo-FS is used to control them.
  * cgroup subsystem: kernel component modifying the behavior of processes.
     (CPU time, available memory, ...).
               also known as resource controllers (or simply, controllers).
...


## GNU Parallel  [[{job_control,performance.distributed]]
* <https://linux.die.net/man/1/parallel>
* <https://www.gnu.org/software/parallel/parallel_cheat.pdf>
* <https://www.reddit.com/r/programming/comments/ayew9r/never_got_around_to_learning_gnu_parallel_here_is/>
* Replacement for xargs and for-loops.
* It can also split a file or a stream into blocks and pass those to commands running in parallel.

Ex:
  ```
  |$ parallel --jobs 200% gzip ::: *.html  # ← Compress all *.html files in parallel
  |                                            200% → 2 per CPU thread
  |
  |$ parallel lame {} -o {.}.mp3 ::: *.wav # ← Convert all *.wav to *.mp3 using lame
  |
  |$ cat bigfile | \                       # ← Chop bigfile into 1MB blocks and grep
  |  parallel --pipe grep foobar               for the string foobar
  ```

* INPUT SOURCES:
  ```
  | $ parallel echo ::: cmd line input source
  | $ cat input_from_stdin | parallel echo
  | $ parallel echo ::: multiple input sources ::: with values
  | $ parallel -a input_from_file echo
  | $ parallel echo :::: input_from_file
  | $ parallel echo :::: input_from_file ::: and command line
  ```

* Replacement string:
  ```
  | {}                    ← mydir/mysubdir/myfile.myext
  | {.}                   ← mydir/mysubdir/myfile
  | {/}, {//}, {/.}       ← myfile.myext, mydir/mysubdir, myfile
  | {#}                   ← The sequence number of the job
  | {%}                   ← The job slot number
  | {2}                   ← Value from the second input source
  | {2.} {2/} {2//} {2/.} ← Combination of {2} and {.} {/} {//} {/.}
  | {= perl expression =} ← Change $_ with perl expression
  |
  | $ parallel --keep-order "sleep {}; echo {}" ::: 5 4 3 2 1 # ← *Keep input order in output*
  ```

* Control the execution:
  ```
  | $ parallel --jobs 2 "sleep {}; echo {}" ::: 5 4 3 2 1  # ← Run 2 jobs in parallel
  |
  | $ parallel --dryrun echo ::: Red Green Blue ::: S M L  # ← Dry-run. See will be executed
  |                                                            without real execution
  ```

* Remote execution:
  ```
  | $ parallel -S server1 -S server2 "hostname; echo {}" ::: foo bar
  ```

* Pipe mode:
  ```
  | $ cat bigfile | parallel --pipe wc -l
  |
  | $ parallel -a bigfile \     <·· Chop bigfile into one block per CPU
  |   --pipepart --block -1 \       thread and grep for foobar
  |   grep foobar
  ```
[[}]]

[[{monitoring.101,monitoring.memory,monitoring.I/O,]]
[[monitoring.network,monitoring.cpu,troubleshooting,PM.TODO]]
## Dstat (vmstat + iostat+ ifstat + mpstat)

* NOTE: There is a conflict between Red Hat Dstat and the original dstat-real.
  C&P from <https://github.com/dstat-real/dstat>:

> Due to actions taken by RedHat to hijack the DSTAT name, further
> development of this project has ceased. Development of this project
> is taking place on the Dool fork.

  Next refers to Red-Hat? version.

* TODO: Compare with [dool](https://github.com/scottchiefbaker/dool)

<https://linux.die.net/man/1/dstat>
* Dstat: moderm replacement joining the info from    [[{doc_has.comparative]]
  vmstat, iostat, ifstat an mpstat.                  [[}]]
* Dstat overcomes some of the limitations and adds some extra features.
* Dstat allows you to view all of your system resources instantly,
  you can eg.:
  * compare disk usage in combination with interrupts from disk controller.
  * compare network bandwidth numbers directly with the disk throughput (in the same interval).
[[}]]


[[{monitoring.jobs,job_control,monitoring.i/o]]
[[profiling.jobs.IO.block,profiling.storage,storage.profiling]]
## pidstat: process stats 

* By Sebastien Godard (http://pagesperso-orange.fr/sebastien.godard/)
 ```
 | -d Report I/O statistics
 |    kB_rd/s
 |    kB_wr/s
 |    kB_ccwr/s:  Cancelled-writes eg. task truncates some dirty pagecache.
 |                (IO which another task has been accounted for).
 |    iodelay  : Block-I/O delay of task-monitored, measured in clock ticks.                    [[{profiling.jobs.]]
 |               including  delays waiting for sync-block-I/O and swaping-block-I/O completion. [[}]]
 |
 | --dec= 0|1|2*  number of decimal-places to use.
 | -e 'program' arg1 arg2 ...  Exec. program + args to be monitored.
 | -G cmd_name_regex Filter by processes mathching regex for its command-name .
 | -H Display timestamp-in-seconds since epoch. (1970-01-01)
 | -h Display activities horizontally in a single line, without statistics (for batch tasks)
 | --human
 | -I In SMP archs, indicate to divide task CPU ussage should be divided by total num.or proccessors.
 | -l Display command-name + all its arguments.
 | -p $PID Filter by process $PID Select tasks (processes)
 |         Use SELF for the pidstat process itself.
 |         Use ALL  for all tasks.
 | -R Report realtime-priority and scheduling-policy info, including:
 | -r Report pagefaults and memory utilization. [[profiling.jobs.pagefaults]]
 |   minflt/s : Total number of minor-faults per sec, (not loading from disk).
 |   minflt-nr: Total number of minor-faults for task-and-children for time-interval.
 |   majflt/s : Total number of major-faults per secd,
 |   majflt-nr: Total number of major-faults for task-and-children for time-interval.
 |   VSZ      : virtual memory usage of entire task in kilobytes.
 |   RSS      : Resident Set Size: (non-swapped physical memory used in kilobytes).
 |   %MEM     : Resident Set Size %
 |   -nr      : Total number of major-faults by task-and-children for time-interval.
 | -s     Report stack utilization.  [[profiling.jobs.memory.stack]]
 |   StkSize  : memory in kilobytes reserved for the task as stack, (not necessarily used)
 |   StkRef   : memory in kilobytes used as stack, referenced by the task.
 | -T {TASK*|CHILD|ALL}
 | -t     display statistics per-thread.
 | -U [ username ] Display  real-user-name or filter by user-name.
 | -u Report CPU utilization.  [[{profiling.jobs.cpu]]
 |   %usr      : CPU used by task at user-level NOT include time spent running a Virt.CPU.
 |    usr-ms   : Total millisecs spent by task+children at user level.
 |   %system   : CPU used by task while executing at the system level (kernel).
 |    system-ms: Total millisecs spent by task+children at systeml level (kernel).
 |   %guest    : Percentage of CPU spent by the task    in virt. machine. (KVM/Qemu/...?)
 |    guest-ms : Total millisecs spent by task+children in virt. machine. (KVM/Qemu/...?)
 |    %wait    : Percentage of CPU spent by the task while waiting to run.
 |    %CPU     : Total percentage of CPU time used by the task. [[}]]
 |           Total  number  of milliseconds spent by the task and all its children in virtual
 |           machine (running a virtual processor).
 | -v Report some kernel tables.  [[monitoring.jobs.kernel]]
 | -w Report task switching activity: [[profiling.jobs.kernel]]       [[{profiling.jobs.kernel]]
 |    cswch/s  : Total number of voluntary context-switches per sec.
 |                   voluntary == task blocks waiting for a resource.
 |    nvcswch/s: Total number of non-voluntary context switches per sec.
 |               non voluntary == task executes for the duration of its time slice and then
 |               is forced to relinquish the processor. [[}]]
 |
 |  ENV.VARS:
 |  S_COLORS := never|always|auto (display statistics in color)
 ```

* EXAMPLES
 ```
 | $ pidstat 2 5               # Dump 5-reports of CPU-statistics
 |                             # for every active task at 2-secs intervals.
 |
 | $ pidstat -r -p 1643 2 5    # Display five reports of page faults
 |                             # and mem. stats for PID 1643 at 2 secs interval.
 |
 | $ pidstat -C "fox|bird" -r -p ALL # Display global page faults and mem.
 |                            # stats for all processes whose command name
 |                            # includes the string "fox" or "bird".
 |
 | $ pidstat -T CHILD -r 2 5  # Display 5 reports of page faults stats at 2 secs
 |                            # intervals  for  child processes of all tasks in
 |                            # the system. Only child processes with non-zero statistics
 |                            # values are displayed.
 ```
[[monitoring.jobs}]]

## blktrace (block I/O traffic) [[{monitoring.storage.blocks]] (man 8 blktrace)

* generate traces of the i/o traffic on (low-level) block devices vs (high-level) File Systems.
  ```
  | $ sudo blktrace -d /dev/sda -o - | blkparse -i -   <··· trace i/o for /dev/sda
  |                                                         Alt. using btrace script:
  |                                                         $ btrace /dev/sda

  | $ blktrace /dev/sda /dev/sdb          <··· trace /dev/sda+/dev/sdb to current dir.
  | $ blkparse sda sdb                    <··· View saved trace
  ```

  ```
  | SYNOPSIS
  |        blktrace -d dev [ -r debugfs_path ] [ -o output ] [ -w time ] [ -a action ] [ -A action_mask ] [ -v ]
  |
  | DESCRIPTION
  | OPTIONS
  |     -a/--set-mask=hex-mask :  Set filter mask to hex-mask (see below for masks)
  |                               barrier : barrier attribute
  |                               complete: completed by driver
  |                               discard : discard / trim traces
  |                               fs      : requests
  |                               issue   : issued to driver
  |                               pc      : packet command events
  |                               queue   : queue operations
  |                               read    : read traces
  |                               requeue : requeue operations
  |                               sync    : synchronous attribute
  |                               write   : write traces
  |                               notify  : trace messages
  |                               drv_data: additional driver specific trace
  |
  |        --act-mask=mask     : Add mask to current filter (see below for masks)
  |        --buffer-size=size  : Specifies (1024) buffer size for event extraction. Def 512KiB.
  |        --dev=dev           : Adds dev as a device to trace
  |        --input-devs=file   : Adds the devices found in file as devices to trace
  |        --num-sub-buffers=X : number of buffers to use. Def: 4 sub buffers.
  |        --listen            : Run in network listen/server mode.
  |        --host=hostname     : Run in network client mode
  |        --port=number       : Network port to use (default 8462)
  |        --no-sendfile       : Make the network client NOT use sendfile() to transfer data
  |        --output=basename   : Specifies base name for input files. Default is device.blktrace.cpu.
  |                              Specifying -o - runs  in  live mode with blkparse (writing data to standard out).
  |        --output-dir=dir    : Prepend file to output file name(s)
  |        --relay=rel-path    : Specifies debugfs mount point
  |        --version
  |        -w seconds
  |        --stopwatch=seconds
  ```

### REQUEST TYPES:
* file system  : normal read/write op from a specific disk location at a given size.
                 typically originating from a user process
* SCSI commands: blktrace sends the command data block as a payload so that blkparse can decode it.
[[}]]


## SystemTap (stap) [[{monitoring.jobs,troubleshooting,PM.TODO]]
* C&P from https://lwn.net/Articles/852112/:  [[{doc_has.comparative]]
  SystemTap has been available since 2005, while bpftrace is a more
  recent contender that, to some, may appear to have made SystemTap
  obsolete. However, SystemTap is still the preferred tool for some
  real-world use cases. [[}]]

* <https://en.wikipedia.org/wiki/SystemTap>
* tool to perform live analysis of running program (dynamic instrumentation).
* It can interrupt normal control flow and execute code specified by a SystemTap script,
  temporarily modifying the program at runtime.
* Use-cases:
  - extract, filter, summarize complex performance|functional diagnosys data.

* Contributed by:
  - Red Hat/IBM, Intel, Hitachi, Oracle, community.

* See real example: <https://developers.redhat.com/blog/2019/07/24/probing-golang-runtime-using-systemtap/>
[[}]]

## latrace LD audit [[{monitoring.jobs,monitoring.libc,troubleshooting,PM.TODO]]

* man 1 latrace

* LD_AUDIT 2.4+ libc frontend

  ```
  $ latrace [-ltfsbcCpADaoyIiBdvTFELVh] command [arg ... ]
  ```
  Run command and display its dynamic library calls using
a LD_AUDIT libc feature (available from libc version 2.4 onward - see the
section called "DISCUSSION" ). It is also capable to measure and display
various statistics of dynamic calls.

  If the config file is provided, latrace will display symbol's arguments with
detailed output for structures. The config file syntax is similar to the C
language, with several exceptions.

  The `latrace` by default fully operates inside of the traced program. However
  another pipe mode is available, to move the main work to the latrace binary
  (see the section called "PIPE mode").
[[}]]


[[{monitoring.network,troubleshooting]]
# Network audit/control

## ss: socket Statistics ss

* replaces 'netstat'

 ```
 |            ┌──── -n : Do not resolve IP to DNS (much) faster.
 |            ·┌─── -t : Show tcp (filter out UNIX, UDP, ...)
 |            ··┌── -l : Show socket waiting for (client) connetions
 |            ···┌─ -p : Show process PID that controls the socket.
 | $ sudo ss -ntlp 
 | example Output:
 | State   Recv-Q Send-Q  Local       Peer
 |                        Addr:Port   Addr:Port
 | LISTEN  0      128     *:80        *:*      users:(("lighttpd",pid=23515,fd=4))
 | LISTEN  0      128     *:22        *:*      users:(("sshd",pid=571,fd=3))
 |
 |            ┌─······ TCP connection only (vs UDP, ...)
 |            ·  ┌─··· all (listening and connected) processes (vs ─l: listening)
 |            ·  ·  ┌─ display socket and processes                
 | $ sudo ss -t -a -p         
 |  STATE       ... ADDRESS:PORT        PEER ADDRESS:PORT
 |  ESTABLISHED ... 127.0.0.1:postgres  127.0.0.1:46404     users:(("postgres",pid=64032,fd=11))
 |  ESTABLISHED ... 127.0.0.1:37200     127.0.0.1:50004     users:(("sshd",pid=61411,fd=10))
 |  ESTABLISHED ... 127.0.0.1:postgres  127.0.0.1:45086     users:(("postgres",pid=43553,fd=11))
 |  TIME_WAIT   ...
 |
 | # ── Display all established ssh connections. ────────────
 | $ SS='( dport = :ssh or sport = :ssh )' 
 | $ ss -o state established ${SS }  
 |
 | $ ss -x src /tmp/.X11-unix/*      # <·· Find all local processes connected to X server
 |
 |
 | # Advanced example: List tcp sockets in state FIN-WAIT-1
 | # for http/https@193.233.7/24 and look at their timers.
 | $ ss -o state fin-wait-2 
 |  '( sport = :http or sport = :https )' \
 |  dst 193.233.7/24*
 ```

[[{]]
## ip (route, link, ...)

* Monitor debug IP routing.
 ```
 $ ip route list     <····· DISPLAY IP ROUTING TABLE
  *default via 10.0.0.1 dev eth0*
  10.0.0.0/24     dev eth0    proto kernel scope link src 10.0.0.5
  169.254.0.0/16  dev eth0                 scope link metric 1002
  172.17.0.0/16   dev docker0 proto kernel scope link src 172.17.0.1
  168.63.129.16   via 10.0.0.1 dev eth0 proto static
  169.254.169.254 via 10.0.0.1 dev eth0 proto static
  ...

 $ ip link         <···· DISPLAY IP DEVICE STATUS
1: lo:     <LOOPBACK,           UP,LOWER_UP> ...  state UNKNOWN mode DEFAULT ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:   <BROADCAST,MULTICAST,UP,LOWER_UP> ...  state UP      mode DEFAULT ...
    link/ether    00:0d:3a:26:bb:2b brd ff:ff:ff:ff:ff:ff
...
 ```

## tcpdump "capture" network traffic

 ```

                      ┌─················ -i eth0     \     <─ in network interface eth0
                      ·         ┌─······  filter in packets to/from port 8090
                      ·         ·  ┌─··· -n: Do not convert IPs to
                      ·         ·  ·         host-names (Avoiding slow 
                      ·         ·  ·         dns reverse lookups)
                      ·         ·  ·  ┌─ -A: Show in text/ASCII format
 $ sudo tcpdump -i eth0 port 8090 -n -A 

   Alternatively write to a file with flag:
   -w output.tcpdump
   This output.tcpdump file can then be replay again tcpdump 
   or with the more advanced Wireshark.
 ```


 ```
 $ sudo traceroute "destination_host" # <· (attempts to) show IP ("hop" path) route from
                                           source to destination for an IP packet.
 ```

## nmap: Remote IP port scanner

* Examine open ports in remote machine (vs local machine).
 ```
  $ sudo nmap -nt remote_machine #   ← (try to) query remote machine for open ports
 ```
* Release Changelog: <https://nmap.org/changelog.html>

* 5 scripts for getting started with the Nmap Scripting Engine
  <https://www.redhat.com/sysadmin/nmap-scripting-engine>

[[monitoring.network}]]

[[{monitoring.network,troubleshooting.network]]

## Wondershaper: basic network traffic shaping

* <https://github.com/magnific0/wondershaper/>
  ```
  | $ sudo ./wondershaper -a eth0 -u 4096 -d 8192 # <· limit:  upload: 4Mbps, download:8Mbs
  ```

## Firejail: Network shaping
* <https://www.pcsuggest.com/bandwidth-traffic-shaping-in-linux-with-firejail/>
  ```
  | $ firejail  --net=enp2s0 firefox [/bash]
  | $ firejail --list | grep 'firefox' | awk -F: '{print$1}'
  | $ firejail  --bandwidth=PID set interface-name down-speed up-speed
  ```
[[}]]


[[}]]

[[monitoring.network.nethogs}]]
* TODO:
  <https://www.binarytides.com/linux-commands-monitor-network/>
[[network}]]

[[{security.101,security.remote_access]]
## Knockd ("Invisible Linux")  

* <https://www.maketecheasier.com/make-linux-server-invisible-knockd/>

  Knockd allows to  listen to traffic on an network interface/port
waiting first for special sequences of port-hits.

  clients (telnet, socat, ...) initiate port-hits by sending a TCP
or packet to a port/s on the server in order (sort of password
using port "pings")

### PRE-SETUP:

1. Install and Configure Iptables
  ```
  | $ sudo apt-get install iptables iptables-persistent
  |                                 └────────┬────────┘
  |                                 takes over automatic
  |                                 loading of saved tables
  ```

2. Install Knockd:
  ```
  | $ sudo apt-get install knockd  # apt like
  | $ sudo dnf     install knockd  # rpm like
  ```

### Ussage example: hide ssh service until "Knocked"


  ```
  | 
  | $ iptables -A INPUT \                 STEP 1
  |   -m conntrack \                      
  |   --ctstate ESTABLISHED, RELATED \    ← Allow established/current
  |   -j  ACCEPT                          ← Allow
  | 
  | $ iptables  -A  INPUT \               STEP 2
  |   -p tcp  --dport  22 \               ← block incomming con. to 22 (SSH)
  |   -j  REJECT
  | 
  |                                       STEP 3
  | $ netfilter-persistent save           ← s save the firewall rules
  | $ netfilter-persistent reload
  |
  |                                       STEP 4. Configure  Knockd
  | $ sudo "vim" /etc/knockd.conf
  | [options]
  |   UseSyslog
  |
  | [openSSH]
  |   sequence = 7000,8000,9000
  |   seq_timeout = 5
  |   command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
  |   tcpflags = syn
  |
  | [closeSSH]
  |   sequence = 8000,9000,7000
  |   seq_timeout = 5
  |   command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
  |   tcpflags = syn
  | 
  | command will be executed once the client-sequence  is recognised.
  | tcpflags must be set on the client "knocks"
  | 
  | NOTE: Adding iptables "-A" flag (appned) causes the rule to be appended
  |       to the end of th INPUT chain, causing all remaining connections to drop.
  |   Replace by:
  |   command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
  |   "-I" flag (insert) ensures that the new rule is added to the top of the
  |   input chain to accept ssh connections.
  |
  | Modify /etc/default/knock lo look like:   <· STEP 5. Enable Knockd Service
  | + START_KNOCKD=1
  | $ sudo systemctl enable knockd
  | $ sudo systemctl start knockd
  ```
  
### Testing Setup:

  ```
  | $ knock -v my-server-ip  7000 8000 9000
  | $ ssh my-server-ip
  | ...
  | $ knock -v my-server-ip 9000 8000 7000
  ```
[[security.remote_access}]]


[[{monitoring.101,monitoring.vmstat]]
# Monitoring

## vmstat RT stats for CPU/procs/mem/paging/block IO/traps

  ```
  | $ vmstat [options] [delay [count]] (global stats) [[{monitoring.101,monitoring.memory,monitoring.i/o]] (man 8 vmstat)
  | 
  |   The first report produced gives averages since the last reboot.
  |   Additional reports give information on a sampling period of length delay.
  |   The process and memory reports are instantaneous in either case.
  | 
  |  -a --active: Display active and inactive memory
  |               FROM: https://unix.stackexchange.com/questions/305606/linux-inactive-memory
  |               * active memory are pages which have been accessed "recently"
  |               * inactive memory are pages which have not been accessed "recently"
  |               """A high ratio of active to innactive memory can indicate
  |                  memory pressure, but that condition is usually accompanied by
  |                  pagin/swapping which is easier to understand"""
  |  -f --forks : display number of forks (fork,vfork,clone) since boot. This
  |  -m --slabs : Display slabinfo (memory assigned to kernel objects)
  |               https://en.wikipedia.org/wiki/Slab_allocation
  |  -s --stats : Displays a table of various event counters and memory statis‐
  |             tics. (without repeating)
  |  -d --disk  : Report disk statistics
  |  -D --disk-sum: Report some summary statistics about disk activity.
  |  -p --partition device: Detailed statistics about partition
  |  -S --unit  :=  1000 (k), 1024 (K), 1000000 (m), 1048576 (M) bytes.
  |             swap (si/so) and block (bi/bo) not affected
  |  -t --timestamp: Append timestamp to each line
  |  *-w --wide  : Wide output mode* (Recomended)
  | 
  | OUTPUT FIELD DESCRIPTION
  | *VM MODE*                                         | *DISK MODE(--disk)*
  | Procs                                           | Reads
  |   r: # of runnable procs(running|waiting for)   |   total  :   Total reads completed successfully
  |   b: # of processes  *in uninterruptible sleep* |   merged : grouped reads(resulting in 1 I/O)
  |                                                 |   sectors: Sectors read successfully
  | Memory ¹                                        |        ms: milliseconds spent reading
  | (inacti,cache,buff can be freed if needed)      |
  |   swpd  : virtual memory used                   |
  |   free  : idle (ready to use) memory            | Writes
  |   buff  : memory used as disk buffers           |     total:   Total writes completed successfully
  |   cache : memory used as cache                  |    merged: grouped writes (resulting in 1 I/O)
  |   inact : inactive memory (-a option)           |   sectors: Sectors written successfully
  |           (still cached for possible reuse)     |        ms: milliseconds spent writing
  |   active: memory Used by processes              |
  |                                                 | IO
  |  Swap                                           |   cur: I/O in progress
  |    si: Amount of memory swapped in from disk(/s)|     s: seconds spent for I/O
  |    so: Amount of memory swapped to disk(/s)     +--------------------------------------------------------
  | 
  | IO                                              | *DISK PARTITION MODE (--partition)*
  |   bi: Blocks received from block device         |           reads: Total # of reads issued to part.
  |   bo: Blocks     sent   to block device         |    read sectors: Total read sectors for partition
  |                                                 |          writes: Total # of writes issued to part.
  | System                                          |requested writes: Total # of write requests made for part
  |   in: interrupts per second, including the clock+---------------------------------------------------------
  |   cs:  *context switches per second*
  |                                                 | *SLAB MODE (--slabs)*
  | CPU (percentages of total CPU time)             |   cache: Cache name
  |   us: Time spent running non-kernel code(user  )|     num: # of currently active objects
  |   sy: Time spent running     kernel code(system)|   total: Total # of available objects
  |   id: Time spent idle                           |    size: Size of each object
  |   wa:  *Time spent waiting for IO*              |   pages: # of pages with at least one active object
  |   st: Time stolen from a virtual machine        +---------------------------------------------------------
  |
  | ¹ buffers vs cache
  |   <https://stackoverflow.com/questions/6345020/what-is-the-difference-between-buffer-vs-cache-memory-in-linux>
  | 
  |   - buffers are associated with a specific block device,
  |     caching filesystem metadata(dir contents, file permissions),
  |     as tracking in-flight pages (what's being written
  |     from or read to for a particular block device).
  |     The Kernel tries to cache just enough buffers for predicted
  |     "next-reads" to block devices.
  |   
  |   - cache contains real application file data (file content).
  |     The Kernel tries to cache as much as possible until there is
  |     no more free memory for apps.
  |
  | *All linux blocks are currently 1024 bytes.*
  ```
[[monitoring.101}]]


[[{monitoring.memory.ps_mem,troubleshooting.memory]]
## ps_mem: Accurate mem.use 

* <https://github.com/pixelb/ps_mem/>

  ```
  | $ sudo pip install ps_mem  <··· PIP (P)ackage (I)nstaler for (P)ython
  |   USSAGE:
  |   ps_mem [-h|--help] [-p PID,...] [-s|--split-args] [-t|--total] [-w N]
  |          [-d|--discriminate-by-pid] [-S|--swap]
  | 
  |   $ sudo ps_mem                        <··· Simple ussage:
  |    Private  +   Shared  =  RAM used       Program
  | 
  |    34.6 MiB +   1.0 MiB =  35.7 MiB       gnome-terminal
  |   139.8 MiB +   2.3 MiB = 142.1 MiB       firefox
  |   291.8 MiB +   2.5 MiB = 294.3 MiB       gnome-shell
  |   272.2 MiB +  43.9 MiB = 316.1 MiB       chrome (12)
  |   913.9 MiB +   3.2 MiB = 917.1 MiB       thunderbird
  |   ---------------------------------
  |                             1.9 GiB
  | 
  | 
  |   $ sudo ps_mem -p $(pgrep -d, -u $USER)  <···  Show only ps_mem for current $USER
  |   → ...
  ```
[[monitoring.memory.ps_mem}]]

[[{linux.101.shared_memory,configuration.memory,monitoring.memory,]]
## SysV shared memory
* SysV shared memory segments are accounted as a cache,
  though they do not represent any data on the disks.

  ``` 
  | $ sudo ipcs -m  # <· check size of shared-memory-segments
  ``` 
[[linux.101.shared_memory}]]
[[monitoring.101}]]



# Audit  [[{security.audit]]

[[{security.audit.user,101,security.aaa]]
## basic user audit  
  ```
  | $ sudo last -f /var/run/utmp # <· audit of present users logins at which terminals, logouts
  |                                   system events and current status of the system,
  |                                   system boot time (used by uptime) etc.
  | $ who
  | $ w
  | $ sudo last -f /var/log/wtmp # <· historical data of utmp.
  | $ sudo last -f /var/log/btmp # <· failed login attempts
  | $ sudo lastb
  |                └─────┬─────┘
  |               binary compact format.
  |               Use `utmpdump` to dump to
  |               text friendly format.
  |
  | $ who     <· Displays current users logged in + logged-in time
  | $ w       <· Displays who is logged into the system and WHAT THEY ARE DOING
  |             (procs. they are running).
  | $ users   <· Displays only user names who are currently logged in
  | $ last    <· Displays records of users-logged-in time, remote IP or PTTY, reboot time,
  | $ lastlog <· Displays list of users and what day/time they logged into the system.
  | $ whoami  <· Tells the user who they are currently logged in as
  | $ ac      <· Tell how much time users are logged in.
  |             (sudo apt install acct, sudo dnf install psacct, ...)
  |             It pulls its data from the current wtmp file.
  |             Ex:
  |             $ ac
  |             → total     1261.72
  |             $ ac -              <··· total hours by user
  |             → shark        5.24
  |             → nemo         5.52
  |             → shs       1251.00
  |             → total     1261.76
  |             $ ac -d | tail -10  <··· daily counts of how many hours users were logged in
  |             → Jan 11  total        0.05
  |             → Jan 12  total        1.36
  |             → ...
  |             → Today   total        9.83
  ```
[[security.audit.user}]]


[[{qa.UX,use_case.documentation,]]
## Asciinema: TTY recordings 
<https://asciinema.org/>
* Includes a command line tool to record the terminal plus
  a Javascript player to replay the session in a browser.
  <https://asciinema.org/docs/how-it-works>
* Lightweight, purely text-based approach to terminal recording.
* See demos at:
  - https://asciinema.org/
  - Example asciinema recording "embedded" in github markdown:
    https://github.com/mvndaemon/mvnd
[[}]]

[[{monitoring.audit_framework,doc_has.diagram]]
## Linux Audit framework 

* REF: <https://www.youtube.com/watch?v=x2u_prS2HmM>

  ```
  | *ARCHITECTURE:*                                   *LOG "TOPICS":*
  |                                                   ┌───────────────────
  |  audit.rules   auditd.conf                        │user
  |      +           +                                │group
  |      │           │                                │Audit ID
  |      │           │                                │Remote Hostname
  |      │           │                                │Remote Host Address
  |      │           │  ┌─> audispd                   │System call
  |      v           v  │                             │System call args.
  |   auditctl ───> *auditd*         ┌─>  *aureport*  │File
  |      │           ^  │            │                │File Operations
  |      │           ║  └─> /var/log/audit/audit.log  │Session
  |      │           ║               │                │Success│Failure
  |      │           ║               └─>  *ausearch*  └───────────────────
  |      └──────┐    ║
  | Running     │    ║      autrace
  | process     │    ║        │
  |     +   ┌───│──────────┐  │
  |     │   │   └─> *audit*│  │
  |     └──→+          ^   +←─┘
  |         │           ║  │         Lecture:
  |         │ KERNEL════╝  │         ═══ : control
  |         └──────────────┘         ─── : data-flow
  | 
  | * *auditd daemon* centralize log writing to disk/network
  |
  | * *audit module@KERNEL* handles the audit rules
  |   (audtictl gets in charge of passing audit.rules to audit@KERNEL
  |   It also intercepts system calls.
  ```

* CLI UTILITIES:
  ```
  |-  *aureport* creates human-readable reports. Useful options:
  |  --summary
  |  --failed
  |  --start, --end (aureport understands 'today', 'yesterday', 'now',
  |                  'recent', 'this-week', 'this-month', 'this-year')
  |  --auth, --avc, --login, --user, --executable, --syscall
  |
  |-  *ausearch* "drills deeper" into the details of a
  |   particular event. Ex.
  | $*# ausearch -sv no --comm httpd *
  |     └──────────────────────────┘
  |     Search audit log for recently denied events triggered by
  |     httpd ("Apache", lighthttpd). Useful also for debugging
  |     SELinux related problems.
  ```

* autrace is the "ptrace" or "strace" for audit events
  (audit the audit)

* Audispd (dispatcher) provides a plugin system to dispath
  to other places (remote machines, Prometheus,...)
  In RHEL 8+ it has been integrated into auditd.
  (REF <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/8.0_beta_release_notes/new-features>)

## Audit Daemon "Full Journey"


* INITIAL SETUP
 1. Audit Daemon Configuration ·> `/etc/audit/auditd.conf`.<br/>
    Defines how the audit system works once the daemon is running.
    Default settings ussually are right-enough
 2. Audit Rules:
    *WARN: No default rules are set*
    *WARN: First match wins!
    - Used to define *what we are interested in auditing*
    - three basic types of audit rules:
      - Basic audit system parameters
      - File and directory watches
      - System call audits
    Ex. Audit rules
    ```
    | # basic audit system parameters
    | -D   ← Delete all previous rules (recommended)
    | -b   ← How many buffer  do we want to have
    | -f 1 ← 0: ignore failures
    |        1: syslog
    |        2: panic
    | -e 1 ← 0: disable logging
    |        1: enable
    |        2: inmutable (not even root can change without reboot)
    | # some file and dirs. watches
    | -w /home/myUser/MySecrets  -p rxwa
    | -w /sbin/auditctl          -p x
    | # Example system call rule
    | -a entry,always -S umask
    ```
 3. audispd Daemon Configuration (now part of auditd)

* Daily use:
  Normally you find an event class of interest with aureport and then
  drill down into the nitty-gritty with ausearch

  ```
  | $ sudo aureport --summary
  | Summary Report
  | ======================
  | Range of time in logs:    12/31/1969 19:00:00.000 - 04/20/2019 07:42:51.715
  | Selected time for report: 12/31/1969 19:00:00     - 04/20/2019 07:42:51.715
  | Number of changes in configuration             : 971
  | Number of changes to accounts, groups, or roles: 36
  | Number of logins                               : 2992
  | Number of failed logins                        : 497
  | Number of authentications                      : 3161
  | Number of failed authentications               : 438
  | Number of users                                : 8
  | Number of terminals                            : 30
  | Number of host names                           : 16
  | Number of executables                          : 24
  | Number of commands                             : 14
  | Number of files                                : 2
  | Number of AVC's                                : 3
  | Number of MAC events                           : 3052
  | Number of failed syscalls                      : 0
  | Number of anomaly events                       : 92
  | Number of responses to anomaly events          : 0
  | Number of crypto events                        : 52922
  | Number of integrity events                     : 0
  | Number of virt events                          : 0
  | Number of keys                                 : 0
  ```

  ```
  | $ sudo aureport --login --failed
  | 04/15/2019 16:54:29 (unknown) 211.252.85.100 ssh /usr/sbin/sshd no 21896
  | 04/15/2019 14:35:25 root      211.252.85.100 ssh /usr/sbin/sshd no 20413
  | 04/07/2019 20:10:13 (unknown) 51.68.35.150   ssh /usr/sbin/sshd no 11272
  | 04/07/2019 19:59:25 apache    51.68.35.150   ssh /usr/sbin/sshd no 10312
  | ...
  ```

  ```
  | $ sudo aureport --syscall -fail
  | ...
  |    date        time    syscall    pid     comm      auid   event
  | 1. 04/09/2019  .....   87         4006    semodule  11112  53039
  |                        ┌───┬─·····························─┴───┘
  | $ sudo auserach -i -a  53039
  | .....
  ```

  ```
  | $ sudo aureport -e -i --summary | mkbar events   <- CREATE PLOT OF EVENTS
  ```

  ```
  | $ sudo aureport -s -i | \                        <- Show relationship among users,system calls,...
  |   aws '/^`[0-9]/ { printf "%s %s\n", $6, $4}' | \   with mkgraph
  |   sort | uniq | mkgraph syscall-vs-program
  | 
  |   man:
  |   (5)audispd.conf  (8)audispd   (8)auditd   (8)ausearch
  |   (5)auditd.conf   (8)auditctl  (8)aureport (8)autrace
  ```

* `/usr/share/doc/audit`:
  Contains README with basic design information and sample .rules files
  for different scenarios:
  -   capp.rules: Controlled Access Protection Profile (CAPP)
  -   lspp.rules: Labeled Security  Protection Profile (LSPP)
  - nispom.rules: National Industrial Security Program Operating Manual Chapter 8 (NISPOM)
  -   stig.rules: Secure Technical Implementation Guide (STIG)

[[monitoring.audit_framework}]]

[[{troubleshooting.storage.logrotate,security.backup]]
## logrotate 
  
* Avoid filling disks with logs

* automatic rotation, compression, removal, and mailing of log files.
  (daily, weekly, monthly, or when size is exceeded)
* tipically run on daily cron.

  ```
  | $ logrotate --state "file" option_flags config_file ..
  |                                         └────┬────┘
  |       - any number of config files may be provided.
  |       - order is important!!!. later ones override first ones
  |
  | *option flags:*
  |  --debug: no changes will be made to the logs or to the logrotate state file.
  |  --force: force rotation, even if logrotate thinks this is not necessary.
  |  --mail : command to use when mailing logs. command must support next args:
  |          1) e-mail subject ,  2) the recipient.
  |          message read from standard input
  |          default mail command: /bin/mail -s.
  |  --state "statefile": tells logrotate to use an alternate state file. this is
  |          useful if logrotate is being run as a different user for various sets
  |          of log files.
  |          default state file is /var/lib/logrotate.status.
  |  --usage
  |  --help
  |  --verbose
  |
  |
  |
  |
  |
  |
  |
  |
  |
  |
  |
  |
  |
  |
  ```

 *configuration file*
  * rules: local definitions override global ones,
           later definitions override earlier ones
  * example file:

  ```
  | compress              ← compress using gzip (by default)
  |                         use compresscmd     to set gzip alternative
  |                         use compressoptions to set gzip alternative
  | # this is a comment
  | /var/log/directory1 "/var/log/directory2/file name with spaces.log" {
  |     rotate 5          ← optional. 5 weekly rotations
  |     weekly            ←           daily|weekly|monthly|yearly
  |
  |     dateext           ← optional. suffix with date instead of plain number.
  |     dateformat %y%m%d    *warn*: generated string must be lexically sortable
  |                                  since "rotate" option will sorts all rotated
  |                                  filenames lexically to find out which logfiles
  |                                  are older and should be removed.
  |
  |     size 100k         ← optional. rotate whenever it grows over 100k in size.
  |     mail www@my.org   ← optional. old logs files mailed (uncompressed)
  |     sharedscripts     ← optional. script will be run once (after old logs have been
  |                          compressed), vs once for each log.
  |
  |     postrotate                        ┐  ← see also prerotate|firstaction|lastaction
  |         /usr/bin/killall -hup syslogd │
  |     endscript                         ┘
  | }
  | *WARN*: use wildcards with caution. "*" will rotate all files,
  |         including previously rotated ones*.
  |
  | Other configuration file options:
  | * copy: make a copy of the log file, but don't change the original at all.
  |         (create snapshot)
  | * copytruncate: copy and truncate original log file in place
  | * create mode (octal formal) owner group.
  | 
  | * delaycompress: postpone compression of previous log file to next rotation cycle.
  |   useful when some program cannot be told to close its logfile and thus might
  |   continue writing to the previous log file for some time.
  | 
  | * extension ext: allows to rotate names like mylog.foo → mylog.1.foo.gz
  |                                                         (mylog.foo.1.gz by default)
  | * ifempty: rotate log file even i empty, overriding any previous notifempty option
  | * include file_or_directory:  include file in config.
  |   (files read in alphabetic order for dirs)
  | * mailfirst   : mail just-rotated file vs about-to-expire file.
  | * maillast    : mail about-to-expire file vs  just-rotated file.
  | -*maxage     n:*remove rotated logs older than n days.
  | 
  | * size size   : rotate only if log grow bigger than size bytes.
  |                 (suffix k|m|g allowed)
  | 
  | * minsize size: rotate when file grow bigger than size bytes,
  |                 but not before any additionally specified time interval
  |                 (daily, weekly, monthly, or yearly).
  | 
  | * missingok   : don't issue error if a file is missing.
  | * nocreate    : do not create new log file.
  | * (no)shred   :
  |   do not use shred when deleting old log files. see also shred.
  | * olddir $dir : move old logs to $dir
  |                  *warn*: $dir must be on the same physical device
  | * rotate count: log rotated count times before being removed|mailed
  | 
  | * see also: sharedscripts
  | * shred       : delete log files using shred -u instead of unlink().            [secret_management]
  |                 this should ensure that logs are not readable after their
  |                 scheduled deletion; this is off by default. see also noshred.
  | * start count :
  | * tabooext [+]list: defaults to .rpmorig, .rpmsave, ,v, .swp, .rpmnew, ~,
  |                     .cfsaved and .rhn-cfg-tmp-*.
  | 
  | * files:
  |   * /var/lib/logrotate.status    default state file.
  |   * /etc/logrotate.conf          default configuration options.
  ```
[[troubleshooting.storage.logrotate}]]

## logwatch [[{security.audit.user,security.aaa,troubleshooting.storage.logwatch]]

* perl script utility to summarize logs. Ussage:
  (Doesn't look to work on Fedora, works on Debian)

  ```
  | $ sudo logwatch --detail Low --range today
  | (output will be similar to)
  | →  ################### Logwatch 7.4.3 (12/07/16) ####################
  | →         Processing Initiated: Wed Jul 31 17:41:33 2019
  | →         Date Range Processed: today
  | →                               ( 2019-Jul-31 )
  | →                               Period is day.
  | →         Detail Level of Output: 0
  | →         Type of Output/Format: stdout / text
  | →         Logfiles for Host: 24x7
  | →  ##################################################################
  | →
  | →  --------------------- dpkg status changes Begin ------------------------
  | →
  | →  Installed:
  | →     libdate-manip-perl:all 6.57-1
  | →     libsys-cpu-perl:amd64 0.61-2+b1
  | →     libsys-meminfo-perl:amd64 0.99-1
  | →     logwatch:all 7.4.3+git20161207-2
  | →
  | →  ---------------------- dpkg status changes End -------------------------
  | →
  | →
  | →  --------------------- pam_unix Begin ------------------------
  | →
  | →  su:
  | →     Sessions Opened:
  | →        root → www-data: 2 Time(s)
  | →
  | →  sudo:
  | →     Sessions Opened:
  | →        user1 → root: 2 Time(s)
  | →
  | →  systemd-user:
  | →     Unknown Entries:
  | →        session closed for user www-data: 2 Time(s)
  | →        session opened for user www-data by (uid=0): 2 Time(s)
  | →
  | →
  | →  ---------------------- pam_unix End -------------------------
  | →
  | →
  | →  --------------------- SSHD Begin ------------------------
  | →
  | →
  | →  Deprecated options in SSH config:
  | →     KeyRegenerationInterval - line 19
  | →     RSAAuthentication - line 31
  | →     RhostsRSAAuthentication - line 38
  | →     ServerKeyBits - line 20
  | →
  | →  Users logging in through sshd:
  | →     user1:
  | →        81.61.178.46 (81.61.178.46.dyn.user.ono.com): 1 time
  | →
  | →  **Unmatched Entries**
  | →  reprocess config line 31: Deprecated option RSAAuthentication : 1 time(s)
  | →  reprocess config line 38: Deprecated option RhostsRSAAuthentication : 1 time(s)
  | →
  | →  ---------------------- SSHD End -------------------------
  | →
  | →
  | →  --------------------- Sudo (secure-log) Begin ------------------------
  | →
  | →
  | →  user1 => root
  | →  ---------------
  | →  /bin/bash                      -   1 Time(s).
  | →  /usr/sbin/logwatch             -   1 Time(s).
  | →
  | →  ---------------------- Sudo (secure-log) End -------------------------
  | →
  | →
  | →  --------------------- Disk Space Begin ------------------------
  | →
  | →  Filesystem      Size  Used Avail Use% Mounted on
  | →  /dev/root        47G   25G   20G  55% /
  | →
  | →
  | →  ---------------------- Disk Space End -------------------------
  | →
  | →
  | →  ###################### Logwatch End #########################
  ```
[[}]]

## Logreduce(IA)filter [[{security.audit.user.IA,QA.UX,PM.TODO,security.audit.logreduce]]

* <https://opensource.com/article/18/9/quiet-log-noise-python-and-machine-learning>
* <https://pypi.org/project/logreduce/> logreduce@pypi
  * Quiet log noise with Python and machine learning
[[}]]

## Tiger: Kiss-IDS [[{security.IDS,PM.low_code,qa.UX,security.audit.user,security.intrusion_detection]]

* <https://www.nongnu.org/tiger/>
* open source shell-scripts collection for security audit and host intrusion detection.
* Very extensible.
* It scans system configuration files, file systems, and user configuration files
  for possible security problems and reports them.

* Install
  ```
  | $ sudo apt install tiger * Debian/Ubuntu/Mint/...
  | (Output will be similar to)
  | →┌─────────────────────────Tripwire Configuration ├────────────────────────────┐
  | →│ Tripwire uses a pair of keys to sign various files, thus ensuring their ... │
  | →│ ...                                                                         │
  | →│                                                                             │
  | →│        <Yes>                                                          <No>  │
  | →└─────────────────────────────────────────────────────────────────────────────┘
  | (Pressing Yes)
  | →┌────────────────────────┤ Tripwire Configuration ├────────────────────────┐
  | →│                                                                          │
  | →│ Tripwire keeps its configuration in a encrypted database that is         │
  | →│ generated, by default, from /etc/tripwire/twcfg.txt                      │
  | →│                                                                          │
  | →│ Any changes to /etc/tripwire/twcfg.txt, either as a result of a change   │
  | →│ in this package or due to administrator activity, require the            │
  | →│ regeneration of the encrypted database before they will take effect.     │
  | →│                                                                          │
  | →│ Selecting this action will result in your being prompted for the site    │
  | →│ key passphrase during the post-installation process of this package.     │
  | →│                                                                          │
  | →│ Rebuild Tripwire configuration file?                                     │
  | →│                                                                          │
  | →│                    <Yes>                       <No>                      │
  | →│                                                                          │
  | →└──────────────────────────────────────────────────────────────────────────┘
  | (Press yes)
  | →┌────────────────────────┤ Tripwire Configuration ├─────────────────────────┐
  | →│                                                                           │
  | →│ Tripwire keeps its policies on what attributes of which files should be   │
  | →│ monitored in a encrypted database that is generated, by default, from     │
  | →│ /etc/tripwire/twpol.txt                                                   │
  | →│                                                                           │
  | →│ Any changes to /etc/tripwire/twpol.txt, either as a result of a change    │
  | →│ in this package or due to administrator activity, require the             │
  | →│ regeneration of the encrypted database before they will take effect.      │
  | →│                                                                           │
  | →│ Selecting this action will result in your being prompted for the site     │
  | →│ key passphrase during the post-installation process of this package.      │
  | →│                                                                           │
  | →│ Rebuild Tripwire policy file?                                             │
  | →│                                                                           │
  | →│                    <Yes>                       <No>                       │
  | →└───────────────────────────────────────────────────────────────────────────┘
  | (Press yes)
  | ...
  | (enter required passphrases)
  | ...
  | !!! The Tripwire binaries are located in /usr/sbin and the database is located  !!!
  | !!! in /var/lib/tripwire. It is strongly advised that these locations be stored !!!
  | !!! on write-protected media (e.g. mounted RO floppy). See                      !!!
  | !!! /usr/share/doc/tripwire/README.Debian for details.                          !!!
  |
  | $ tar -xzf tiger-3.2rc3.tar.gz
  | $ cd tiger-3.2/
  | $ sudo ./tiger
  ```

* Use like:
  ```
  | $ sudo tiger
  | → Tiger UN*X security checking system
  | →    Developed by Texas A&M University, 1994
  | →    Updated by the Advanced Research Corporation, 1999-2002
  | →    Further updated by Javier Fernandez-Sanguino, 2001-2015
  | →    Contributions by Francisco Manuel Garcia Claramonte, 2009-2010
  | →    Covered by the GNU General Public License (GPL)
  | →
  | → Configuring...
  | →
  | → Will try to check using config for '2018' running Linux 4.17.17-x86_64-linode116...
  | → --CONFIG-- [con005c] Using configuration files for Linux 4.17.17-x86_64-linode116. Using
  | →            configuration files for generic Linux 4.
  | → Tiger security scripts *** 3.2.3, 2008.09.10.09.30 ***
  | → 14:57→ Beginning security report for localhost.
  | → 14:57→ Starting file systems scans in background...
  | → 14:57→ Checking password files...
  | → 14:57→ Checking group files...
  | → 14:57→ Checking user accounts...
  | ...
  | → 14:59→ Checking NFS export entries...
  | → 14:59→ Checking permissions and ownership of system files...
  | → Security report is in `/var/log/tiger/security.report.localhost.190115-14:57'.
  |
  | * security report will be generated in the ./log
  | → ...
  | → Security report is in `log//security.report.tecmint.181229-11:12'.
  | $ sudo cat log/security.report.tecmint.181229-11\:12
  ```

* To display more information on a specific security message
  run the `tigexp` (TIGer EXPlain) command and provide the msgid as an
  argument, where “msgid” is the text inside the [] associated with
  each message.

* For example, to get more information about the following messages,
  where [acc001w] and [path009w] are the msgids:
  ```
  | --WARN-- [acc015w] Login ID nobody has a duplicate home directory (/nonexistent) with another user.
  | --WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
  ```
[[security.IDS}]]
[[security.audit}]]


[[{monitoring.notifications]]
# Notification 

## Sending eMails with CURL [[{monitoring.notifications,security.notifications,PM.low_code]]

* <https://blog.edmdesigner.com/send-email-from-linux-command-line/>
  (cross-platform)

  ```
  $ curl -sv --user 'api:key-7e55d003b...f79accd31a' \  [[{monitoring.notifications.mailgun]]
      https://api.mailgun.net/v3/sandbox21a78f824...3eb160ebc79.mailgun.org/messages \
      -F from='Excited User <developer@yourcompany.com>' \
      -F to=sandbox21a78f824...3eb160ebc79.mailgun.org \
      -F to=user@gmail.com \
      -F subject='Hello' \
      -F text='Testing some Mailgun awesomeness!' \
     --form-string html='<h1>EDMdesigner Blog</h1><br /><cite>This tutorial helps me understand email sending from Linux console</cite>' \
      -F attachment=@logo2yellow.jpg                    [[}]]
  ```
[[}]]

[[{monitoring.notifications.gmail]]
## 'sendmail' + Gmail (SSMTP Package)
  ```
  | $ sudo apt install ssmtp                             <- PRESETUP) Install "lightweight"
  |                                                         (sendonly) ssmtp 'sendmail'
  |
  | $ echo "Subject: hello" | sendmail test@example.com  <- test install. It will fail with
  |                                                         error: Cannot open mailhub:25.
  | $ sudo editor /etc/ssmtp/ssmtp.conf
  |   | UseSTARTTLS=YES
  |   | UseTLS=YES
  |   | root=<from-email-address>
  |   | mailhub=smtp.gmail.com:587
  |   | AuthUser=<your-account's-user-name>
  |   | AuthPass=<USER-OR-APP-PASSWORD>
  |              └─────────┬──────────┘
  | ┌──────────────────────┘
  | └>(PRE-SETUP) For Google an "App Generated Password" replaces the
  |   normal user password. Each time User Password is changed this
  |   app generated password must be changed too. To generate this pass:
  |   -> https://myaccount.google.com/?nlr=1
  |     -> Select Security.
  |       -> Under "Signing in to Google," select "App Passwords".
  |         The option can be disabled if:
  |         1) 2-Step Verification is not set up for your account.
  |         2) 2-Step Verification is only set up for security keys.
  |         3) Your account is through work/school/...
  |         4) You turned on Advanced Protection.
  |         -> choose Select app (Bottom of page)
  |           -> choose mail App -> device ->_*Generate Pass*
  |
  |   WARN: If ssmtp runs without error but we can NOT see the mail into the
  |         inbox probably an incomming filter exists. To fix it:
  |         -> Gmail Web App -> Setting -> "Filters and Blocked Addresses"
  |           ─> Remove filter >> from:(...@gmail.com) to:(..@gmail.com)  Skip Inbox <<
  |
  | NOTE: smtp.gmail.com limits: 100 recipients max per message, 500 messages/day.
  ```
[[}]]

## Telegram Notifications  [[{monitoring.notifications.telegram]]

* REF: <https://ugeek.github.io/blog/post/2019-03-14-crea-un-bot-de-telegram-con-bash-y-una-sola-linea-de-terminal.html>
* Telegram API allows to easely craete bots to notify any event in
  our server (someone logged-in through ssh, ...)

### PRE-SETUP:
  ```
  STEP 1: Go to:
  https://t.me/BotFather                      Alt 1 (mobile)
  https://web.telegram.org/#/im?p=@BotFather  Alt 2: web browser

  (BotFather is the "fathers of all Bots", created by Telegram to easify bot creation)

  STEP 2:
  *  type  "/newbot"
  * We will be asked for the name of our new bot
    (Name must end with bot)
  * Once the bot name is accepted we will receive the  *access-token to the HTTP API*
    NOTE:  each Telegram user has an ID that can be retrieved starting the "@userinfobot" bot)

  STEP 3: (Optional)
  * If we want to add the Bot to a group or channel to send messages
    or any other function, we must retrieve the Group or Channel ID. To
    do so send a message to @ChannelIdBot from the channel/group.
  ```

###  CREATE-THE-BOT

  ```
  | STEP 1: Write a test script
  | $ editor  *my_bot_telegram.sh*  # ← edit a new script  (using vim/nano/"editor"...)
  | _____________________________________________________
  | #!/bin/bash
  |
  | TOKEN="<presetup_token>" 
  | ID="<presetup_id>"
  | MENSAJE="This is a *test* message"
  | URL="https://api.telegram.org/bot$TOKEN/sendMessage"
  |
  | curl -s -X POST $URL -d chat_id=$ID -d text="$MENSAJE"
  |
  | STEP 2: Set exec permissions
  | $ sudo chmod +x  *my_bot_telegram.sh*
  |
  | STEP 3: Test it!
  | $  *./my_bot_telegram.sh*
  ```

### Example use 1: Show ssh connection IP*

* Add some lines similar to the next one to ~/.bashrc:

  ```
  | TELEGRAM_TOKEN="<presetup_token>" 
  | TELEGRAM_ID="<presetup_id>"
  | URL="https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage"
  | # We want to exec curl only if it's a real ssh login
  | # ps -ef | egrep "..." will execute next line only if a match exists.
  | # The match only exists if our parent process is sshd (real ssh access)
  | # Using the regex "$PPID.*[s]shd" instead of just "$PPID.*sshd" filters out the egrep command
  | 
  | ps -ef | egrep "$PPID.*[s]shd" &amp;&amp; \
  |   curl -s -X POST $URL \
  |   -d chat_id=${TELEGRAM_ID} \
  |   -d text="New ssh connection to $HOSTNAME from IP $SSH_CLIENT " 1>/dev/null 2>&1 &
  ```

### Example use 2: Notify server restarts.


  ```
  | $ crontab -e
  | (add next multi-line removing new lines and ending '\')
  | @reboot ( sleep 100 ;  curl -s -X POST \
  |   https://api.telegram.org/bot"$TELEGRAM_TOKEN"/sendMessage \
  |   -d chat_id="${TELEGRAM_ID}" \
  |   -d text="new ssh with IP ${SSH_CLIENT}")
  ```
[[monitoring.notifications.telegram}]]

[[{security.notifications.pushover,security.notifications.android,security.notifications.iPhone]]
## Pushover (iOS/Android push)

REF: <https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/>

* Pushover Service with no need for AWS/Azure/GCP accounts:
  * $5 ONE-TIME purchase. !!!!
  * Up to 7500 messages/month.
  * (More options exists for IT teams)

* PRESETUP)
  * Sign up for Pushover.
  * download Pushover for Android/iOS.
  * subscribe to service (7-day trial account).
  * Once logged in, register cli application.
    to retrieve a  *secret API token*.

* Ussage:
  * Integrate Pushover API into (monitoring) scripts. Ex. script:
    ```
    | push_to_mobile(){        # ← Ussage push_to_mobile $title $message
    |   local t="${1:cli-app}"
    |   local m="$2"
    |   [[ "$m" != "" ]] &amp;&amp; curl -s \
    |    *--form-string "token=${PUSHOVER_API_TOKEN}"*\
    |     --form-string "user=${PUSHOVER_API_USER}" \
    |     --form-string "title=$t" \
    |     --form-string "message=$m" \
    |     https://api.pushover.net/1/messages.json
    | }
    ```
[[}]]

[[{security.notifications,qa.best_patterns,monitoring.notifications,PM.WiP]]
## alert/monitoring best-patterns
* Simple e-mail/telegram do NOT scale:<br/>
  You will receive many useless notification from proper behaviour
  (correct logins, ...).

* A proper monitoring system will notify only when there's a real problem:
  * Enable messaging agent (email, telegram,...)
  * Enable cpu/mem/net/disk login inputs and (Prometheus) output.
  * Run a single Prometheus server that scrapes each endpoint every minute.
  * Add Grafana for nice graphs.
  * Add Alert Manager and set up thresholds to notify you:
    -  via OpsGenie/PagerDuty/VictorOps/Slack.
  * Check graphs once a week, unless you get notifications.

* You can "start small" and use Monit:
  * single binary that can be configured to watch stuff and react to problems.
    - Start a service when stoped.
    - Clean up when disk is full.

* "Sensu": Slightly better (and more complex) than Monit, allowing to:
  * run any script as a check.
  * fix stuff if it's broken for X consecutive checks
  * alert if it's still broken Y consecutive checks.
  * Sensu can also alert to pretty much anything.
    "I wrote handlers that alert to Slack, Jira and a pager."
[[security.notifications}]]

[[monitoring.notifications}]]

# Integrated Admin Tools [[{configuration.foreman,QA.UX,PM.TODO]]


## cockpit Web UI [[{QA.UX,configuration.cockpit,monitoring,security.aaa,security.selinux]]
                 [[troubleshooting]]
* <https://cockpit-project.org/>
* easy-to-use, integrated, "glanceable", web-based interface for servers.

* <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/managing_systems_using_the_cockpit_web_interface/getting-started-with-cockpit_system-management-using-cockpit>

* UI with wide range of administration tasks, including:
  * Managing services, user accounts, system services
    network interfaces,  firewall, virtual machines,
    kernel-dump-configuration, SELinux, software updates,
    system subscriptions.
  * system logs tracing.
  * diagnostic reports.
[[}]]
[[}]]

[[{configuration.memory,troubleshooting.memory,storage.compression]]
## ZSwap For low-mem systems

* Increase system performance in systems with memory-preasure
  <https://www.maketecheasier.com/use-zswap-improve-old-linux-performance/>

### Debian/Ubuntu flavour Setup

1. Edit `/etc/default/grub` and modify `GRUB_CMDLINE_LINUX_DEFAULT` to look like:
  ```
  | GRUB_CMDLINE_LINUX_DEFAULT="quiet splash zswap.enabled=1".
  ```
2. Update grub: 
  ```
  | $ sudo update-grub
  ```
3. STEP 3: Reboot and the zswap module will be enabled automatically.

4. After reboot, check if the module is active:
  ```
  | $ cat /sys/module/zswap/parameters/enabled
  ```

### Fedora/RedHat flavours Setup
  
1. Edit /etc/default/grub:
  ```
  | GRUB_CMDLINE_LINUX="quiet splash zswap.enabled=1".
  ```
2. Update Grub configuration:
  ```
  $ sudo grub2-mkconfig \
    -o $(sudo find /boot/ -name grub.cfg)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         Depending on whether your computer
         boots from a BIOS or UEFI system
         the path will change
  ```
3. Reboot and the zswap module will be enabled automatically.
4. After reboot, check if the module is active:
  ```
  | $ cat /sys/module/zswap/parameters/enabled
  (must display "Y,")
  ```

### TUNNING

   Check adding the (grub) option "zswap.max_pool_percent=20" to see if performance increase.
It’s recommended NOT to go above 50% since more than that can have detrimental effects
on systems with low amounts of RAM.
[[}]]