por Dustin Cerda 5 anos atrás
1412
Mais informações
Find user/process making connection or listening on port:
List listen TCP, don't resolve port numbers, show program.
List all TCP, don't resolve port numbers, show program.
Listening ports, don't resolve port numbers, show program.
List all, don't resolve port numbers, show programs.
Displays stats for PACKET, TCP, UDP, DCCP, RAW, and Unix domain sockets
-pwdx- gets current working directory of process
ls -l /proc/{PID}/cwd
ps auxwwwe
ps -ef-get PID with:
ls -l /proc/PID/exe-find the path and binary from where it was invoked.
Installs programs from repository
Popular in embedded devices,
https://busybox.net/about.html
Start the system normally with appropriate display manager (with GUI), same as runlevel 3 + display manager.
For special purposes.
Starts the system normally.
Does not configure network interfaces and does not export network services.
Mode for administrative task.
Shuts down the system.
Extension of Sys V Init, adds parallel service startup, and dependency based boot.
Minute, Hour, Day of the Month, Month of the Year, Month of the Week.
When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, it first reads and executes commands from the file /etc/profile, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable
When an interactive shell that is not a login shell is started, bash reads and executes commands from /etc/bash.bashrc and ~/.bashrc
Persistence
Also applies to any aliases, functions, scripts, etc. running from these file locations.
clarifies the interactive vs. non-interactive shell env. files
File applies only to login shells.
files applies only to BASH non-login shells
File applies only to Bourne and BASH compatible shells; SETS $PATH VAR:echo $PATH | tr':''\n'
file applies only to interactive BASH shell
df -t, filesystem disk usage.
find / -maxdepth 1 -type d, filesystem information (main)
Sticky
When set on a directory only the owner of the file can delete or rename files in that directory. (used for directory only)
Uppercase "T" indicates the execute bit IS NOT set, lowercase "t" execute bit is set.
Set Group Identification (SGID)
Program set with SGID runs under the security context of the group of the program.
Uppercase "S" indicates the execute bit IS NOT set, lowercase "s" execute bit IS set.
Set User Identification (SUID)
Program with SUID runs under the security context of the user (owner) of the program
Uppercase "S" indicates the execute bit IS NOT set, lowercase "s" execute bit IS set.
ls -la-Show owner:group
chown-Change owner
chown {owner}:{group}{file}-Usage
chgrp {group}{file}-Usage
getent gets global config files
getent -help, get entries from Name Service Switch libraries
getent group, show all the groups
getent password
getent {group, sudo), show sudo group output only
EXT4
crtime: creation time
EXT3
What is Inode
ls -i: list the inode of a file
An iode is a data structure on a filesystem on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data.
http://www.linfo.org/inode.html
mount -t {device} {dir}
unmount {device}
File System Information (main)
find / -maxdepth -type d
sysfs
Pseudo file system providing information about kernel, hardware, device drivers.
Designed to add structure to the old procfs systems
Pseudo file system
tmpfs
Appears as a mounted volume, but is actually stored in volatile memory
/var/run on older distributions, /run on newer.
Temporary file storage
ext3/4
Hard Drive partitioning format
Device directory that is dynamically populated by udev (FKA devfs)
Information about processes, connections, and some hardware.
Information about the system (hardware)
Information about processes, connections and some hardware.
Path
Hash
Builtin
Expansion
Alias
Redirection
File Information
locate -e find
only if it exists
locate -i find
Returns EVERY file name containing "find" in the filename; case insensitive.
Compressed Files
zgrep
bzgrep
Search possibly compressed files for a regular expression.
Information Gathering / Help
{command} -h
{command} --help
whereis
if in $PATH
View binary path AND manpage path
-h / --help
Displays the most used switches/options for the chosen command
man
Displays the manual for a command, automatically paged using more:
Example: man -s 7 {command}
man -k {command}
manpath | tr':' '\in'
apropos-Each manual page has a short description, searches for keywords. (Non-Built in commands)
Boolean Logic
Semi-Colon ;
Executes next command unconditionally / regardless of the xit status
Example: ping -c4 127.0.0.1; echo "All done"
Logical/Operator &&
Executes next command only if the previous command succeeded / exit status of 0
Example: cd /tmp is && echo "it works"
cd /fakedire && ls && echo "It works"
NOT
Reverses input state
XOR
One of the inputs is true, but not both
OR
One of the inputs is true
AND
Both inputs are true
put a process in the foreground
put a process in the background
To put in the background hit CTRL-Z
%1
an alternate way of listing your own processes
kill
send a signal to noe or more processess to stop it
Kill 1 or %1 (saved job)
ps
list the processes running on the system
History
echo $HISTFILE
/home/username/.bash_history
echo $HISTFILESIZE
2000 (example)
echo $HISTSIZE
1000 (example)
$HISTFILESIZE
Determines the amount of lines saved to ~/.bash_history upon session exit.
$HISTSIZE
$HISTFILE
alias
unalias
type
type {Command}, evaluates bash order of evaluation to determine the first instance of the command
type -a{command}, shows all instances of command in the order of bash evaluation
hash
hash, displays bash's hash table (Recently executed commands)
hash -r, clear bash's hash table
which
which {nc,netcat}, evaluates the PATH in order and displays the first instance of the command if it exists
which -a{command}, evaluates the PATH in order and displays all instances of the command if it exists.
netcat
>ls /bin | grep netcat
>file /bin/netca*
(FIFO, First In First Out)
Creates Named Pipes.
A named pipe has a file name on your file system and can be accessed by independent processes that were not spawned by the same parent process.
-to append rather than overwrite when redirecting.
-when redirecting standard error into standard output.
Output of a programs error handler, file descriptor 2
Represented as 2> when redirecting standard error to a file
Output of a program, file descriptor 1
Represented as 1> or > when redirecting standard output to a file
Input into a program, file descriptor 0
Represented as 0< or < when redirecting standard input from a file
Runs in the background.
Reads commands from user input.
Determining Shell Type (Shell options)
shopt login_shell
Interactive
Interactive: reads commands from user input on a tty ($PS1 prompt variable is set)
Non-Interactive
Shells running scripts, can run in background.
Can't read Standard Input (STDIN)
Shell invoked from another shell
Started by a program without a login
echo $0
Displays current shell.
tftp
ftp
scp
File transfer via telnet
uuencode/base64
uudecode/base64 -d
Program/protocol allows remote console connectivity; clear text protocol, uses port 23 by default.
Plain text
Basic Authentication
watch
telnet
nc
nmap
Display routing table
Display ARP table
Display network conneciton info
Display/configure network interface info
Server Message Block Server Daemon
Dynamic Naming Service Server Daemon
Name service cache Daemon
Network filtering protocol service
Mail Server Daemon
High-performace HTTP server, reverse proxy, IMAP/POP3 proxy server
HTTP Daemon
Network Time Protocol Daemon
Query internet name servers interactively.
Interrogates DNS name servers.
DNS lookup utility.
Print network connection, routing tables, interface statistics, masquerade connections, and multicast memberships.
Network socket is an internal endpoint for sending or receiving data at a single node in a computer network.
Typical network socket format: (IP:Port): 1.2.3.4:25
No layer checking done, it is up to the application using the raw socket ot interpret the data. RAW sockets are used as packet capture/sniffer programs as it captures "raw" data from the network interface card and passes it directly to the application.
Protocol stack processes its respective layer, performing address, checksum validation, removes its respective header and trailer and passes up the content to its immediate upper layer.
Determines order of precedence.
Determines default order of precedence for DNS resolution.
Name Server settings.
File that manages nameserver information.
List of hosts and associated IP's.
Central file that controls resolver setup (host.conf). Resides in /etc, tells resolver which services to use and in what order.
find /var/log -maxdepth 1 -type f
Logs are managed by syslog daemon
systemctl status rsyslog.service
grep rsyslog /etc/rsyslog.conf
System Calls
ausearch-search for events
aureport-creating reports
-f files
a-attributes-attempt to change attributes
x-execute-attempt ot execute file
r-read-attempt to read from file
w-write-attempt to write to file
auditctl for config auditing
-p what ot watch
-k keyword
-W remove rule
-w watch
-l list rules
Journald doesn't use Syslog faciliteis by default (can be enabled in conf). Journald is designed to work with PIDs, Process Names, and Service IDs. It does use severtiy codes.
Journalctl
journalctl --since "1 hour ago" time ranges
journalctl -b {boot msg log#} boot message
journalctl --list boots boot message blocks
journalctl --SINCE "2017-06-26 23:00:00" --UNTIL "2017-06-26 23:20:00"
journalctl --vacuum-size=20m retain only the past 20 MB
journalctl --vacuum-time=5d retain only the past five days
journalctl UID=0 messages for UID 0
journalctl -o verbose -k -p 3 verbose kernel (-k) info(60 priority msgs
journalctl -n 50 --since "1 hour ago" - last 50 messages from 1 hour ago
journalctl -b -1 -p "crit" -by priority
journalctl -u dhcpcd entries associated with serivce unit
journalctl --help
7. Debug: Debug-level messages
6 info: Information messages
5 notice: Normal but significant condition
4 warn, warning: Warning conditions
3 err, error: Error conditions
2 crit: Critical conditions
1 alert: Action must be taken immediately
0 emerg, panic: Emergency: system is unsable
Logging Domain Sockets
ls -la /dev/log-This is a domain socket type
ls -la /proc/kmsg-Kernel ring buffer
dmesg-Read from kernel ring buffer, non-persisted (Look here for buffer overflow info)
syslog-ng
rsyslog
Logrotate is aprogram that can manage your local log files
Use cron to run logrotate
The main configuration file contains configuration settings for all logs is /etc/logrotate.conf
Individual configuration files are kept in the /etc/logrotate.d directory
A&A logs are almost always system logs; there are very few cases where this is not the case.
A&A logs differ from system logs, as system logs only deal with the kernel, and auth logs deal with both the kernel and the service attempting to authenticate.
Applications can choose to handle their own logging, or to use the syslog or journald logging applications to handle their logs.
In most cases applicatoins will default to /var/log for log storage, unless they have a it specifically specified in the config file to use another resource.
Additional Characters
< :high-priority (not nice to other users)
N :low-priority (nice to other users)
L :has pages locked into memory (for real-time and custom IO)
s :is a session leader
l :is multi-threaded
+ :is in the foreground process group
Z-defunct (zombie) process, terminated but not reaped by its parent.
X-dead (should never be seen)
W-paging
T-stopped, either by a job control signal or because it is being traced
S-interruptible sleep
R-running or runnable
D-uninterpretable sleep
Display total number of PID's
cat /proc/sys/kernel/pid_max
at
Reads a series of commands and executes them at a later time
&
kill %JID
^z
bg
fg
jobs
Works on most systems:
Non-systemd / SysVinit systems
systemd
PS
ps axfo pid, ppid, comm
ps auxf
forest view (BSD style)
-o "%cpu comm"
o=format
-aux
Resource: CPU and Memory usage process stats
-elf --forest
l=long list
--forest=ASCII forest
-ef
e=every process
f=file
Services start at runlevel started
Programs have own virtual memory
Represented in ps list with []
Single memory space
Linux utilizes LVM physical volumes to create pools of storage known as volume groups.
volume groups can be expanded without repartitoning the underlying disk.
Up to 128 partitions
Partition sizes over 2TB
The gdisk utility is used to manage GPT partitions
-Logical Volume Management (LVM)
GPT Layout
Hard disks utilizing a MBR can have a maximum of 4 primary partitions and a max size of 2 TB each.
Extended partitions overcame the 4 primary issue by moving addressing for additional partiions into the extended partition itself rather than in the MBR table.
The fdisk utility is used to manage MBR disk partitions.
MBR Layout
-/sbin/init
********************Initialization Process 1*****************
/etc/inittab file
-determines the initial runlevel for the system to boot into.
-runlevel determined by initdefault option
-application run for applicable runlevels
less/etc/inittab
bootscripts
-/etc/init.d/rc
-Script that runs Start and Kill scripts out of applicable rc folder
o file /etc/init.d/rc
o less /etc/init.d/rc
*********************Initialization Process 2*******************
System D
-Initiated in 2010 to create a service manager for Linux
-Includes device management (udevd) and logging (journald)
-/sbin/init symbolically linked to /lib/systemd/systemd
o runs the /etc/systemd/default.target which is a symbolically link to desired initial traget in /lib/systemd/system
o target creates a dependency tree which calls other target scripts
o multiple systemd programs available to handle
-uses the terms targets and units
o target is essentially equivalent to runlevel
o unit is essentially equivalent to daemon (service)
*******************Initialization Process 3*********************
-upstart
o Created for Ubuntu desktops (Ubuntu 15.04+ are systemd)
o Event driven, starts jobs based on events
o Configuration files for jobs kept in /etc/init/
o Continuous monitoring of the system after startup
Stage 0 (process 0)
GRUB-Grand Unified Bootloader (Loads Kernel into RAM)
2.x
Much different than GRUB 1.x
Config file is grub.cfg
Install command-gub-install
Configuration command: grub-mkconfig
Configuration options: /etc/default/grub
Legacy
Menu drive boot menu.
Can boot different OS's depending on default setting or choose an OS to load
Controlled via a config file (location depends on distro, /boot/grub.conf or /boot/grub/grub.cfg or /boot/grub/menu.lst
One or more of preceding character set or character.
May or may not appear {applies to preceding character set or character}.
Any characters/wildcard.
Any single character one time.
https://cs.lmu.edu/~ray/notes/regex/
locate -regex "{some regex}"
find. -regextype sed -regex "{some regex}"
Example- locate -regex "{some regex}"
Example- find .-regextype sed -regex "{some regex}"
Extended grep -Both commands accept the full set of regular expression capabilities.
man grep | grep -EA3 "(\-E,|\-P,)"
Shows different grep regex uses.
Captures regex matches
Present working directory
Effective UserID, Id that shell is currently running May be changed using su or sudo, 0 indicates root
User ID, 0 for Root, ID comes from password file.
PID of current BASH shell
Path to the BASH binary
Show global variables.
Show local scope variables.