Open the file /etc/modprobe.d/blacklist
* Don’t worry if the file is empty just populate it!
# nano /etc/modprobe.d/blacklist
# sudo nano /etc/modproble.d/blacklist
~ add these lines:
Save and Reboot!
# yum -y install sysstat
# systemctl start sysstat
# systemctl enable sysstat
Check the status of SysStat
# systemctl status sysstat
Add SysStat into a Cron Job
# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A
Settings of SysStat
# sysstat-10.1.5 configuration file.
# How long to keep log files (in days).
# If value is greater than 28, then log files are kept in
# multiple directories, one for each month.
# Compress (using gzip or bzip2) sa and sar files older than (in days):
# Parameters for the system activity data collector
# which are used for the generation of log files
# *note : valid options
INT ⇒ System Interrupts
DISK ⇒ Block Devices
SNMP ⇒ SNMP statistics
IPV6 ⇒ IPv6 statistics
POWER ⇒ Power Management statistics
ALL ⇒ All of the above
XDISK ⇒ DISK + Partition statistics
XALL ⇒ All of the above (ALL + XDISK)
It is very important to know what are the activities for applications and users in linux operating system. This will be very useful in later time or in case of problems. For this purpose, i would recommend psacct tools to be install. psacct is a free monitoring program to monitor users and applications activity on linux server. This program will display how long user accessing the server, what command are they issuing, how many processes and display logs for commands.
If you are runninng Linux CentOS or Redhat, you should use the following command to install pssacct :
[root@test ~]# yum install psacct -y
By default psacct is disabled on Linux. We should manually start it :
[root@test ~]# systemctl start psacct
To enable psacct on your next reboot use the following command :
[root@test ~]# systemctl enable psacct
Check the status of psacct
[root@test ~]# systemctl status psacct
Other usage from that come in psacct or acct package :
ac command prints the statistics of user logins/logouts (connect time) in hours.
lastcomm command prints the information of previously executed commands of user.
accton commands is used to turn on/off process for accounting.
sa command summarizes information of previously executed commands.
last and lastb commands show listing of last logged in users.
Reload systemd daemon to reload changes made in auditd service unit file:
Restart the auditd service: service auditd restart
## Remove any existing rules
## Buffer Size
## Feel free to increase this if the machine panic's
## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog
## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
## special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
## Mount operations
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount
## changes to the time
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification
#Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network
## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
## library search paths
-w /etc/ld.so.conf -p wa -k libpath
## local time zone
-w /etc/localtime -p wa -k localtime
## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl
## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe
## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl
## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
## ssh configuration
-w /etc/ssh/sshd_config -k sshd
## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname
## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
## this was to noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Make the configuration immutable
P.S After a reboot, total crash with auditd, IP internal Conflict ! and total CSF block! Good luck with this one!
dmidecode is a tool for dumping a computer DMI (some say SMBIOS) table contents in a human-readable format. This table contains a description of the system hardware components, as well as other useful pieces of information such as serial numbers and BIOS revision. You can retrieve this information without having to probe for the actual hardware. While this is a good point in terms of report speed and safeness, this also makes the presented information possibly unreliable.
The DMI table does not only describe what the system is currently made of, it also can report the possible evolutions (such as the fastest supported CPU or the maximal amount of memory supported).
SMBIOS stands for System Management BIOS, while DMI stands for Desktop Management Interface. Both standards are tightly related and developed by the DMTF (Desktop Management Task Force).
# yum install dmidecode
# dmidecode –type bios [About BIOS Details]
# dmidecode –type system [About System Information]
# dmidecode –type baseboard [About NIC & Storage Card]
# dmidecode –type chassis [About Chassis Information]
# dmidecode –type processor [About Processor Information]
# dmidecode –type memory [About Memory Information]
# dmidecode –type cache [About Cache Information]
# dmidecode –type connector [About USB Information]
# dmidecode –type slot [About Slot Information]
In Linux operating systems everything is logged some where. Most of the system logs are logged in to /var/log folder. This folder contains logs related to different services and applications. In this folder we have some files such as utmp, wtmp and btmp. These files contains all the details about login’s and logout’s which are from local as well as from remote systems and system status such as uptime etc.
utmp will give you complete picture of users logins at which terminals, logouts, system events and current status of the system, system boot time (used by uptime) etc.
wtmp gives historical data of utmp.
btmp records only failed login attempts.
Provide how logged in, when they logged in and when they logged out
To open wtmp file and view its content use blow command
# last -f /var/log/wtmp
To see still logged in users view utmp file use last command
# last -f /var/run/utmp
To view btmp file use same command
# last -f /var/log/btmp
We would like to disable all USB devices connected to our HP Red Hat Linux based workstations. I would like to disable USB flash or hard drives, which users can use with physical access to a system to quickly copy sensitive data from it. How do I disable USB device support under CentOS Linux, RHEL version 5.x/6.x/7.x and Fedora latest version?
The USB storage drive automatically detects USB flash or hard drives. You can quickly force and disable USB storage devices under any Linux distribution. The modprobe program used for automatic kernel module loading. It can be configured not load the USB storage driver upon demand. This will prevent the modprobe program from loading the usb-storage module, but will not prevent root (or another privileged program) from using the insmod/modprobe program to load the module manually. USB sticks containing harmful malware may be used to steal your personal data. It is not uncommon for USB sticks to be used to carry and transmit destructive malware and viruses to computers. The attacker can target MS-Windows, macOS (OS X), Android and Linux based system.
The usb-storage.ko is the USB Mass Storage driver for Linux operating system. You can see the file by typing the following command:
# ls -l /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
All you have to do is disable or remove the usb-storage.ko driver to restrict to use USB devices on Linux such as:
- USB keyboards
- USB mice
- USB pen drive
- USB hard disk
- Other USB block storage
You can also disable USB from system BIOS configuration option. Make sure BIOS is password protected. This is recommended option so that nobody can boot it from USB.
In linux it’s even more easily done, by unloading the usb_storage module: for disable :-
# modprobe -r usb_storage
for enable :-
# modprobe -i usb_storage
The easiest way to disable usb storage device in linux is create following file And add following line inside the file
# touch /etc/modprobe.d/no-usb
install usb-storage /bin/true