Track file changes using auditd

Most Linux distributions come with the Linux Auditing System, which makes it possible to track file changes and file accesses as well as system calls. It's a pretty useful facility for sysadmins who want to know who accessed or changed sensitive files such as /etc/passwd or /etc/sudoers, and when.

The auditd daemon usually runs in the background, starts at boot by default and logs those events to the /var/log/audit.log file (or to another file if a different syslog facility is specified). The common usage is to list all files which should be watched and to search auditd's logs from time to time. For example, I prefer to track any change to /etc/passwd, reading or writing of /etc/sudoers, execution of /bin/some/binary, or just everything (read, write, attribute changes, execution) for my /very/important/file.

To configure this you need two commands: auditctl and ausearch. The first configures the auditd daemon (e.g. sets a watch on a file), the second searches auditd's logs (grepping /var/log/audit.log works too, but ausearch makes the task easier).

Install and start Linux Auditing System

If auditd isn't installed on your system, install it with one of the commands below (the Debian/Ubuntu package is called auditd, the Red Hat one audit):

sudo apt-get install auditd

or

sudo yum install audit

The next step is to make sure that auditd is running: if the command ps ax | grep [a]udit shows nothing, start auditd with:

/etc/init.d/auditd start

As soon as the auditd daemon is running we can configure it to track file changes with the auditctl command.

Make auditd to log all file changes

auditctl -w /etc/passwd -k passwd-ra -p ra

This command adds a rule for the auditd daemon to monitor the file /etc/passwd (option -w /etc/passwd) for reads and attribute changes (option -p ra, where r stands for read and a for attribute change). It also specifies a filter key (-k passwd-ra) that uniquely identifies the resulting records in the audit log.

Now let's test this rule: output the last 20 lines of /etc/passwd with tail and then search the audit log for the corresponding records:

tail /etc/passwd

and then

[root@test artemn]# ausearch -k passwd-ra
----
time->Wed Jul 4 15:17:14 2012
type=CONFIG_CHANGE msg=audit(1341407834.821:207310): auid=500 ses=23783 op="add rule" key="passwd-ra" list=4 res=1
----
time->Wed Jul 4 15:17:20 2012
type=PATH msg=audit(1341407840.181:207311): item=0 name="/etc/passwd" inode=31982841 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1341407840.181:207311): cwd="/home/artemn"
type=SYSCALL msg=audit(1341407840.181:207311): arch=c000003e syscall=2 success=yes exit=3 a0=7fffecd41817 a1=0 a2=0 a3=7fffecd40b40 items=1 ppid=642502 pid=521288 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23783 comm="tail" exe="/usr/bin/tail" key="passwd-ra"

As you can see, the output of the second command shows that auditd has one record for the filter key 'passwd-ra': the root user (uid=0 gid=0) read the file /etc/passwd using tail (comm="tail" exe="/usr/bin/tail") on July 4, 2012 (time->Wed Jul 4 15:17:20 2012).
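The ausearch output above is record-per-line, with the records of one event tied together by the audit(timestamp:serial) id. The script below is an added example, not from the original post: it joins each event's SYSCALL record (who and which program) with its PATH record (which file) and prints one line per event, keeping auid (the original login user) separate from uid, since "auid=500 uid=0" is a user who became root, not a direct root login. The sample input is constructed from the record format above; the vim event and the sudoers-w key are invented.

```shell
#!/bin/sh
# Summarise ausearch output into one line per audit event, joining SYSCALL and
# PATH records through the shared "audit(timestamp:serial)" event id.
# Output per event:  id|time|auid|uid|comm|exe|file|key

audit_summary() {
    awk '
    # Value of "k=..." in a record; quoted values lose their quotes. The leading
    # space keeps " uid=" from matching euid=, suid=, fsuid= or ouid=.
    function field(rec, k,   m) {
        if (match(rec, " " k "=\"[^\"]*\"")) {
            m = substr(rec, RSTART, RLENGTH)
            sub(" " k "=\"", "", m); sub("\"$", "", m); return m
        }
        if (match(rec, " " k "=[^ ]*")) {
            m = substr(rec, RSTART, RLENGTH); sub(" " k "=", "", m); return m
        }
        return "?"
    }
    /^time->/ { t = substr($0, 7); next }        # printed by ausearch before each event
    /^type=/ {
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART + 6, RLENGTH - 7)   # strip "audit(" and ")"
        if (!(id in seen)) { seen[id] = 1; order[++n] = id; tm[id] = t }
        if ($0 ~ /^type=PATH /) {
            # Several PATH items may exist (parent dir, then the file); keep the last.
            it = field($0, "item") + 0
            if (!(id in fitem) || it >= fitem[id]) { fitem[id] = it; file[id] = field($0, "name") }
        }
        if ($0 ~ /^type=SYSCALL /) {
            auid[id] = field($0, "auid"); uid[id] = field($0, "uid")
            comm[id] = field($0, "comm"); exe[id] = field($0, "exe"); key[id] = field($0, "key")
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (!(id in comm)) continue            # e.g. CONFIG_CHANGE has no SYSCALL record
            printf "%s|%s|%s|%s|%s|%s|%s|%s\n", id, tm[id], auid[id], uid[id], comm[id], exe[id], file[id], key[id]
        }
    }'
}

# Constructed sample: the tail read from the post plus an invented write of
# /etc/sudoers by vim under a second (invented) watch key.
sample_ausearch() {
    cat <<'EOF'
----
time->Wed Jul 4 15:17:14 2012
type=CONFIG_CHANGE msg=audit(1341407834.821:207310): auid=500 ses=23783 op="add rule" key="passwd-ra" list=4 res=1
----
time->Wed Jul 4 15:17:20 2012
type=PATH msg=audit(1341407840.181:207311): item=0 name="/etc/passwd" inode=31982841 dev=09:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1341407840.181:207311): cwd="/home/artemn"
type=SYSCALL msg=audit(1341407840.181:207311): arch=c000003e syscall=2 success=yes exit=3 a0=7fffecd41817 a1=0 a2=0 a3=7fffecd40b40 items=1 ppid=642502 pid=521288 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23783 comm="tail" exe="/usr/bin/tail" key="passwd-ra"
----
time->Wed Jul 4 15:19:02 2012
type=PATH msg=audit(1341407942.503:207318): item=1 name="/etc/sudoers" inode=31982900 dev=09:02 mode=0100440 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1341407942.503:207318): item=0 name="/etc/" inode=31981569 dev=09:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1341407942.503:207318): cwd="/root"
type=SYSCALL msg=audit(1341407942.503:207318): arch=c000003e syscall=2 success=yes exit=4 a0=7fffecd41900 a1=241 a2=1a4 a3=0 items=2 ppid=521200 pid=521300 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23783 comm="vim" exe="/usr/bin/vim" key="sudoers-w"
EOF
}

sample_ausearch | audit_summary
```

On a real system feed it with ausearch -k passwd-ra | audit_summary; the CONFIG_CHANGE record is skipped because it carries no SYSCALL line.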

The ausearch utility is pretty powerful, so I recommend reading the output of man ausearch; in the meantime here are some useful examples:

ausearch -x /bin/grep
ausearch -x rm

This approach lets you scan auditd records for a certain executable, e.g. if you'd like to see whether any of the watched files was deleted using rm, use the second of the two commands above.

This one shows all records for a certain UID:

ausearch -ui 1000



Limit CPU usage of Linux process

cpulimit is a small program written in C that limits the CPU usage of a Linux process. The limit is specified as a percentage, so it's possible to prevent high CPU load generated by scripts, programs or processes.

I found cpulimit pretty useful for scripts run from cron; for example, I can do overnight backups and be sure that compressing a 50GB file with gzip won't eat all CPU resources, so all other system processes will have enough CPU time.

In most Linux distributions cpulimit is available from the binary repositories, so you can install it with one of these commands:

sudo apt-get install cpulimit

or

sudo yum install cpulimit

If that's not possible in your distro, it's easy to compile it:

cd /usr/src/
wget --no-check-certificate https://github.com/opsengine/cpulimit/tarball/master -O cpulimit.tar
tar -xvf cpulimit.tar
cd opsengine-cpulimit-9df7758
make
ln -s "$(pwd)/cpulimit" /usr/sbin/cpulimit

From that moment you can run commands limited by CPU percentage, e.g. the command below runs gzip so that the gzip process never exceeds 10% CPU:

/usr/sbin/cpulimit --limit=10 /bin/gzip vzdump-openvz-102-2012_06_26-19_01_11.tar

You can check actual CPU usage by gzip using commands:

ps axu | grep [g]zip

or

top

Btw, the first command uses 'grep [g]zip' so that the grep process itself does not show up as the last line of the usual output:

root 896448 10.0 3.1 159524 3528 ? S 13:12 0:00 /usr/sbin/cpulimit --limit=10 /bin/gzip vzdump-openvz-102-2012_06_26-19_01_11.tar
root 26490 0.0 0.0 6364 708 pts/0 S+ 15:24 0:00 grep gzip

Using cpulimit you can also apply a CPU limit to an already running process, e.g. the command below limits the process with PID 2342 to 20% CPU:

/usr/sbin/cpulimit -p 2342 -l 20

It's also possible to specify the process by its executable path instead of a PID:

/usr/sbin/cpulimit -P /usr/sbin/nginx -l 30



Top 5 Password Managers for Linux [Guest Post]

In this post you will find a set of password managers for Linux which provide secure storage for your passwords and other sensitive data. If you still keep your passwords in plain text, you should consider one of the available password managers, so this article is for you.

KeePassX

KeePassX has been a very popular and well-known password manager for Linux for a very long time and is still trusted by a pretty big number of users. When the user launches KeePassX for the first time it requires setting up a master password, which adds an extra layer of security to the password storage. As an option you can use a key file instead of the password; the key file can also be used together with the master password to provide stronger security. The KeePassX application is rather simple, so you can easily create one or more databases, each protected by a master password and holding all your login credentials in encrypted form. This manager is considered to be one of the most secure. If you're an Ubuntu user, just type the following command in a terminal:

sudo apt-get install keepassx

GPassword Manager

GPassword Manager (GPM) is also one of the most secure and highly rated password managers, with a friendlier and easier to use interface than KeePassX. This utility has many features that make it a good choice for most advanced computer users. It allows you to add favourites to the system tray, which is one of the unique features of this application. GPM uses the Crypto++ library for encryption, which is available on Windows and Linux, so the same database can be used on different platforms without converting anything.

My Passwords

My Passwords is a simple and easy to use utility that allows you to store all your login credentials in encrypted form within a file. The most exciting features of this utility are its speed and the fact that it requires no installation. The encryption algorithm used is AES. Storage in Derby database format combined with AES encryption gives the user a secure and fast password repository. The interface of this utility is fairly simple.

Figaro's Password Manager 2

Figaro's Password Manager 2 is another powerful tool with strong encryption methods, which makes it one of the most secure utilities for managing passwords on Linux. Figaro's Password Manager 2 uses AES-256 encryption for the database files which hold all your login credentials (it uses a master password that you set up when you start the program for the first time).

Gringotts

Gringotts is a rather old project: its application for Linux/Unix lets the user keep his or her notes in secure storage encrypted with symmetric ciphers. Gringotts offers a set of eight different algorithms that can be used to encrypt the desired data. The utility also provides different methods for hashing as well as compression. The interface of Gringotts is not as simple as that of other password managers, but it is still easy to use and most effective for old-school bearded Unix users.

About the author: Kelly Marsh is a blogger by profession. She loves writing on technology and luxury. Besides this she is fond of technology. Recently an article on Maruti Ritz attracted her attention. These days she is busy writing an article on Johnnie Walker Blue.



Why Mosh is better than SSH?

Mosh (Mobile Shell) is a replacement for SSH for remote connections to Unix/Linux systems. It brings a few noticeable advantages over the well-known SSH connection. In brief, it's faster and more responsive, especially on high-latency and/or unreliable links.

Key benefits of Mosh

Stays connected if your IP changes. Mosh's roaming feature allows you to move between Internet connections and keep the Mosh session online. For example, if your wifi connection changes its IP you don't need to reconnect.
Keeps the session after losing the connection. For example, if you lost Internet connectivity for some time, or your laptop went offline because the battery ran out, you'll be able to pick up the previously opened Mosh session easily.
No root rights needed to use Mosh. Unlike SSH, the Mosh server is not a daemon that needs to listen on a specific port to accept incoming connections from clients. The Mosh server and client are executables that can be run by an ordinary user.
The same credentials for remote login. Mosh uses SSH for the initial login, so to open a connection you need the same credentials as before.
Responsive Ctrl+C combination. Unlike SSH, Mosh doesn't fill up network buffers, so even if you accidentally asked it to output a 100 MB file you'll be able to hit Ctrl+C and stop it immediately.
Better for slow or lagged links. Have you ever tried to use SSH over a satellite link where the average RTT is 600 ms or more? With Mosh you don't need to wait for the server's reply to see your typing. It works on the command line and in programs such as vi or emacs, so it makes working over slow connections more comfortable.

Well, there are some disadvantages too:

No IPv6 support.
UTF-8 only.

Mosh is available for all major Linux distributions, FreeBSD and Mac OS X:

Ubuntu (12.04 LTS) or Debian (testing/unstable): sudo apt-get install mosh
Gentoo: emerge net-misc/mosh
Arch Linux: packer -S mobile-shell-git
FreeBSD: portmaster net/mosh
Mac OS X: mosh-1.1.3-2.pkg
Sources: mosh-1.1.3.tar.gz

Project’s website

P.S. It's better than the combination of SSH and GNU Screen.

Mosh screenshot



Howto: Save Money in this Recession by making free Computer To Phone Calls with Google Voice and Gizmo5!

Omg I am so happy Google Voice is out, and it got released with perfect timing: cell phone rates are high, home phone rates are high and people are going broke quicker, including myself (already broke). Google Voice also has the ability to send/receive free texts!, and you may be able to get free calls by adding your number to your service if you are allowed to call certain favorite people for free 🙂 Now I'll explain how to make free calls with Gizmo5 and Google Voice to save you some money!


Ok, first and foremost, as of this moment you need to have a GrandCentral account to migrate over to Google Voice.

If you're an existing GrandCentral user you will need to log in here and click "upgrade to Google Voice".

Or create an account at Google.com/voice if it lets you yet, because Google Voice is being rolled out slowly all over the United States.

Once you have a Google Voice account all set up, grab Gizmo5 from here (there are versions for other OSes at that link as well!)

Grab the debian .deb

Double-click it to install, then click Accessories->Internet->Gizmo5

Follow the directions to create a gizmo5 account.

Once created, click Home->Edit Profile

Now copy your SIP number

1. Sign in to Google Voice.
2. Go to the Settings link at the top right of the page.
3. Click the Add/Edit Number link right above your phones, to the right of the page.
4. Click the Phones tab.
5. Click Add a new number.
6. Select Gizmo in the Phone Type drop-down menu.
7. Enter your SIP number without 1.
8. Enter a name for that phone, if you want.
9. Click Save.

Woohoo, ok, now we are all done setting it up, now let's get to calling 🙂

You will need to place all your calls from your Google Voice account: click Call, enter the number you want to call, select Gizmo in the drop-down list of phones you want to ring, then select Place Call.

Gizmo will ring and connect you to any United States phone number for free.

Also, if you have an Android-based G1, in a few days Evan will release an app for the G1 to make calls with Google Voice. More info here

Feel free to donate any small amount to Ubuntu Unleashed by clicking donate on the top right, right now this is my only job ;\


Announcing GNOME Do 0.8. With 20 new plugins, faster search, better results, animated themes!

Announcing GNOME Do 0.8. With 20 new plugins, faster search, better results,
animated themes, and 111 fewer bugs, your desktop’s killer app just got killer-er.

Awesome New Plugins

Banshee, Bibtex, Cl.ickable, Claws mail, Google search, Opera, Ping.FM, Remember the Milk, System services, TinyUrl, Tracker search, and Translate to name a few. Plugins also install much faster now.

Faster Search, Better Results

Memory usage is down, and searches are noticeably snappier. Our relevance algorithms are also better than ever: Do will learn your habits and offer personalized search results immediately.

Animated Themes

Do’s themes — Classic, Mini, Glass, and the newly added Nouveau and Docky — now sport gorgeous animations and dropshadows. Watch for falling jaws.

Docky

Docky is our attempt to make Do more discoverable and memorable. It’s the same Do you know and love, just a little friendlier.

File Previews

We've added preliminary support for viewing file thumbnails, so you can better recognize the images, movies, and documents you encounter in Do. If your file manager displays thumbnails, Do will attempt to show them.

Improved Text Entry

With support for copy, paste, and longer lines of text, Do’s new extended text entry mode is perfect for composing emails and tweets. Activate text entry mode by pressing your period key.

Many Bugs Exterminated

82 core bugs and 29 plugin bugs have been meticulously tracked and squished. There’s still a lot of work to do, but Do 0.8 is one well-oiled machine.

New Plugin API

In creating a more cross-platform codebase, a wonderful, platform-agnostic plugin API emerged. Plugins now have extensive access to notifications, logging, relevance information, threading tools, and much more.

Howto Install:

8.10 (Intrepid):

$ sudo aptitude install gnome-do

8.04 (Hardy):

If you are upgrading from an old installation of Do, please be sure to completely remove your old version.

$ sudo aptitude purge gnome-do gnome-do-plugins gnome-do-plugin-rhythmbox

and remove the Do plugins configuration directory

$ rm -rf ~/.local/share/gnome-do/plugins/

Once you have removed your old installation, or if this is your first time, follow these instructions.

Add the Gnome Do PPA Repository to your sources list. (See the Ubuntu Repositories).

deb http://ppa.launchpad.net/do-core/ubuntu hardy main
deb-src http://ppa.launchpad.net/do-core/ubuntu hardy main

In Synaptic Package Manager, search ‘gnome do’ or install from the terminal:

$ sudo aptitude update && sudo aptitude install gnome-do

7.10 (Gutsy):

Add the following to your /etc/apt/sources.list (here’s how)

deb http://ppa.launchpad.net/do-core/ubuntu gutsy main
deb-src http://ppa.launchpad.net/do-core/ubuntu gutsy main

then run

$ sudo apt-get update && sudo apt-get install gnome-do



Howto: Install the Latest wine in Ubuntu Intrepid!

Previously I made this howto for Ubuntu Hardy; here is an updated post for Intrepid.

Here is a quick way to add the WineHQ repository so you don't need to wait for the Ubuntu community to add the latest wine.

Open up a terminal: Applications->Accessories->Terminal

Now copy/paste these commands. Adding the gpg apt key:

wget -q http://wine.budgetdedicated.com/apt/387EE263.gpg -O- | sudo apt-key add -

Let's add the repository via wget:

sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/intrepid.list -O /etc/apt/sources.list.d/winehq.list

Now let's update our apt sources and install the latest wine!

sudo apt-get update ; sudo apt-get install wine

Ok, now you will always have the latest development wine package installed!


New Google Gadgets for Linux 0.10.4

Google Gadgets for Linux provides a platform for running desktop gadgets under Linux, catering to the unique needs of Linux users. It’s compatible with the gadgets written for Google Desktop for Windows as well as the Universal Gadgets on iGoogle. Following Linux norms, this project is open-sourced under the Apache License.

An important area where Google Desktop for Linux is different from its siblings on other operating systems is support for gadgets. Now, the Linux version of Google Gadgets will extend the gadgets platform to Linux users. By enabling cross-platform gadgets, a large library of existing gadgets are immediately available to Linux users. In addition, gadget developers will benefit from a much larger potential user base without having to learn a new API.

There are two main components to the application: one is a common gadget library responsible for running and presenting a gadget, and the other is a host program that allows the user to choose gadgets and run them on the desktop. Currently we have hosts written for GTK+ and Qt, with the GTK+ host offering a sidebar similar to that of Google Desktop for Windows.

Download Google Gadgets for Ubuntu

Follow the Open Source Initiative here



SSH Menu – Save and Open SSH Connections from the Panel

I was looking for a replacement for SecureCRT in Ubuntu. Something that would let me save all my SSH connections and make it possible to open a connection with the least effort.

As is often the case, I found something better than SecureCRT: a panel applet for GNOME that gives me a drop-down list of SSH connections. SSHMenu is cool, way too cool.
SSH Menu

Above, you can see my list of ssh accounts in all their glory. A connection is just a click away.

When you set up the connections, you can specify the geometry, i.e. where on your desktop you want the gnome-terminal window to pop up, as well as a "profile" for the gnome-terminal instance. That is very handy if you want different color schemes for different ssh accounts so you can tell them apart more easily.
SSH Menu Options

What’s even better is, in the “Hostname (etc)” field, you can prepend ssh options to the hostname. The figure below shows my port forwarding setup for IRC at school, since I can’t chat using port 6667 at school.
SSHMenu Account Options

There's a Debian/Ubuntu repository for SSHMenu, and of course nothing stops you from downloading the .deb packages and installing them if you don't wish to add another repository to your list of repositories. I wonder how long it will be before SSHMenu finds its way into the Ubuntu repositories :)

Once you have SSHMenu installed, you can add it to your panel by right-clicking on your GNOME panel and selecting "Add to Panel". SSHMenu should be listed as "SSH Menu Applet" under the "Utilities" section. Then all you have to do is add accounts with the tool that pops up when you install the applet, or add them later by clicking on "SSH" in your panel. However, this still doesn't give us "one-click" login, since the server you are connecting to will still prompt you for your password.

To make the connections truly one-click (or two-click), you might want to set up password-less logins using ssh-keygen and ssh-copy-id. A quick overview of that process follows:

On your local computer, type:

$ ssh-keygen -t rsa

When prompted for a password, you may want to enter none. If you enter a password there, you will have to enter it every time you try to use the "passwordless" login, which kind of defeats the purpose.

Enter a password here. Then when you try to connect to the accounts using SSHMenu, you will be asked for the password only once, the very first time. (Thanks to Grant, SSHMenu's author, for the explanation in the comments.)

Once your RSA key pair is generated, you need to add the public key to the server's ~/.ssh/authorized_keys file. You can do this very easily by typing (on your local computer):

$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@example.com

This copies the public key of the just-generated RSA key pair to your ssh account on example.com, where your username is "username".

Of course, for this passwordless login to work, the server needs to accept this method of authentication. There's an old article at the Debian Administration blog that describes the process in a little more detail, and countless others have written about this, so you won't have trouble finding info.
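The copy step done by hand, as an added example that is not from the original post or from SSHMenu: it shows what ssh-copy-id has to get right for the server to accept the key, namely appending the public key to ~/.ssh/authorized_keys only if it is not already there and giving the directory and file the 700/600 permissions that sshd's StrictModes checks. The home-directory argument, the key-type check and the sample key are my assumptions; the key data below is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Manual equivalent of "ssh-copy-id -i PUBKEY user@host", run on the server side.
# Usage: install_pubkey PUBLIC_KEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)

install_pubkey() {
    pub="$1"; home="${2:-$HOME}"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"

    # Accept only a single-line key of a known type, so a stray file is never
    # installed as an authorized key.
    key="$(head -n 1 "$pub")"
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-nistp*" "*) ;;
        *) echo "install_pubkey: not a public key: $pub" >&2; return 2 ;;
    esac

    # sshd (StrictModes yes, the default) refuses keys from a world- or
    # group-writable ~/.ssh or authorized_keys, so set the permissions explicitly.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Match on key type and base64 data only, so a different comment on the
    # same key does not produce a duplicate entry.
    keyid="$(printf '%s\n' "$key" | awk '{ print $1, $2 }')"
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth"; then
        return 0    # already authorized
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Number of key lines in an authorized_keys file (blank and comment lines ignored).
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1" || :
}
```

Running it twice with the same key, or with the same key under a different comment, leaves exactly one entry in authorized_keys.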
