Tuesday, May 31, 2011

Protecting critical files using file attributes

Situation:  Sometimes it is imperative to protect the logs or other files on a Linux server from being manipulated. For example, the "DHCP log" is vital for any Internet service provider to trace the leased IP during an investigation. The question is, how to protect these logs when no one in an organization is 100% trustworthy, including the system admin team, who have full root access :)

Linux comes with a solution called file attributes, by which, irrespective of the ownership of a file, you can still protect it from manipulation and deletion. All you need is just 2 commands:

lsattr – for listing the file attributes
chattr – for changing the file attributes

It is explained with an example here:

[root@server01 opt]# cat > testfile                    # Creating a file named "testfile"
Some contents
[root@server01 opt]# cat testfile                      # Displaying its contents
Some contents
[root@server01 opt]# lsattr testfile                   # Listing the file attributes (it's blank)
------------- testfile

[root@server01 opt]# chattr +a testfile                # Setting the APPEND ONLY attribute (+a), which also prevents the file from being deleted.
[root@server01 opt]# lsattr testfile                   # Shows that the append-only attribute is set.
-----a------- testfile
[root@server01 opt]# echo "Additional text" > testfile     # Now I am trying to overwrite the file contents, but it is NOT allowed.
-bash: testfile: Operation not permitted
[root@server01 opt]# echo "Additional text" >> testfile    # But appending to the file works.
[root@server01 opt]# cat testfile
Some contents
Additional text
[root@server01 opt]#

[root@server01 opt]# rm testfile                       # Trying to delete the file, but it isn't allowed.
rm: remove regular file `testfile'? y
rm: cannot remove `testfile': Operation not permitted

[root@server01 opt]# chattr -a testfile                # Removing the attribute with the -a option.
[root@server01 opt]# lsattr testfile                   # File attribute gone
------------- testfile
[root@server01 opt]# echo "Additional text" > testfile     # Now I am able to overwrite the file.
[root@server01 opt]# cat testfile
Additional text
[root@server01 opt]# rm testfile                       # And I am able to delete it as well.
rm: remove regular file `testfile'? y
[root@server01 opt]#


The next question is how to prevent someone from changing the file attribute, as I did using the "-a" option above. Linux comes with a solution for that as well. Using a tool called LCAP, we can remove the root user's capability to change file attributes. Once removed, that capability can be restored only by reverting the kernel change and rebooting the server, which is indeed not an easy task.
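As an added example (not from the original post), here is a small shell audit that reads lsattr output and reports which files that should be append-only are missing the 'a' flag, or carry 'i' (immutable), which would also block the appends a log needs. The file list and flags below are constructed sample data; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post): audit lsattr output for files that
# are supposed to be append-only, such as the DHCP log discussed above.
# Flag positions follow lsattr's layout: 'i' (immutable) in column 5 and
# 'a' (append only) in column 6, as in "-----a------- testfile" above.

# Constructed sample of `lsattr -d <files>` output; not taken from a real host.
SAMPLE_LSATTR='-----a------- /var/log/dhcpd.log
------------- /var/log/secure
----i-------- /var/log/messages
-----a------- /var/log/audit/audit.log'

# check_append_only: reads lsattr output on stdin and prints one line per file:
#   OK        <path>   append-only flag set, the state we want for a log
#   IMMUTABLE <path>   'i' set: nothing, not even the logger, can append
#   MISSING   <path>   neither flag: anyone with write access can truncate,
#                      edit or delete the file
check_append_only() {
    while read -r flags path; do
        case "$flags" in
            *i*) status=IMMUTABLE ;;
            *a*) status=OK ;;
            *)   status=MISSING ;;
        esac
        printf '%s %s\n' "$status" "$path"
    done
}

# count_missing: number of sample files that still need `chattr +a`.
count_missing() {
    printf '%s\n' "$SAMPLE_LSATTR" | check_append_only | grep -c '^MISSING '
}

# To audit a live system instead of the sample, feed it real lsattr output:
#   lsattr -d /var/log/dhcpd.log /var/log/secure | check_append_only
printf '%s\n' "$SAMPLE_LSATTR" | check_append_only
```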

Hiding/Clearing history commands

Hiding certain commands from history

At times you might want to hide some commands you executed from the history. There is no need to explain why; we might have to do this for various reasons. But I suggest not hiding anything intentionally from history @ work :)

Solution:

Add the entry below to .bash_profile and run "source .bash_profile" or log in to the server again. After this, execute any command you want to hide by typing a SPACE in front of it. The history command will not remember any command that is preceded by a space.

export HISTCONTROL=ignorespace


Explained with an example here:

[adevaraju@host02 ~]$ cat .bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin

export PATH
export HISTCONTROL=ignorespace

[adevaraju@host02 ~]$ source .bash_profile
[adevaraju@host02 ~]$ touch file1
[adevaraju@host02 ~]$ echo "Some text" > file1
[adevaraju@host02 ~]$ echo "Some more text" >> file1
[adevaraju@host02 ~]$ ls -l file1
-rw-r--r-- 1 adevaraju domain users 25 Nov 30 08:10 file1
[adevaraju@host02 ~]$ touch -t 1111111111 file1
[adevaraju@host02 ~]$ ls -lt file1
-rw-r--r-- 1 adevaraju domain users 25 Nov 11  2011 file1
[adevaraju@host02 ~]$  rm file1                             <-- Executing the 'rm' command with a space in front
[adevaraju@host02 ~]$ history | tail -10
   27  history
   28  cat .bash_profile
   29  source .bash_profile
   30  touch file1
   31  echo "Some text" > file1
   32  echo "Some more text" >> file1
   33  ls -l file1
   34  touch -t 1111111111 file1
   35  ls -lt file1
   36  history | tail -10
[adevaraju@host02 ~]$

You can note that the command 'rm file1' is not displayed in the 'history' output. Since it had a space in front, it was ignored by the history command.

Clearing the entire history

Sometimes you may want to clear all the previous history but keep recording history going forward. Just execute history with the -c option. Everything will be gone.
[adevaraju@host02 ~]$ history -c
[adevaraju@host02 ~]$ history
    1  history
[adevaraju@host02 ~]$

Splitting a file in Linux


In Linux, you might want to split a file to reduce its size, or to extract a portion of a huge file that runs into 1000+ lines.

Linux provides the "split" command for this. It is explained with an example here, in which a log file "test.log" of about 1.5 lakh (150K) lines is split into pieces of 10K lines each.

[root@host01-t1 log]# cat test.log | wc -l
147815                                                                                   # The file "test.log" consists about 150K lines
[root@host01-t1 log]#
[root@host01-t1 log]# cp test.log  test.log_bkp                           # First take a backup of original file

[root@host01-t1 log]# split -l 10000 test.log splitted_file            # Splitting test.log into pieces of 10000 lines each, with the prefix "splitted_file"
[root@host01-t1 log]#
[root@host01-t1 log]# ls -ltr
.
.
.
-rw-r--r-- 1 root  root   26112117 Oct 26 04:20 test.log
-rw-r--r-- 1 root  root    1384098 Oct 26 04:39 splitted_fileao
-rw-r--r-- 1 root  root    1766812 Oct 26 04:39 splitted_filean
-rw-r--r-- 1 root  root    1768778 Oct 26 04:39 splitted_fileam
-rw-r--r-- 1 root  root    1769234 Oct 26 04:39 splitted_fileal
-rw-r--r-- 1 root  root    1767256 Oct 26 04:39 splitted_fileak
-rw-r--r-- 1 root  root    1764489 Oct 26 04:39 splitted_fileaj
-rw-r--r-- 1 root  root    1766383 Oct 26 04:39 splitted_fileai
-rw-r--r-- 1 root  root    1767934 Oct 26 04:39 splitted_fileah
-rw-r--r-- 1 root  root    1763855 Oct 26 04:39 splitted_fileag
-rw-r--r-- 1 root  root    1765981 Oct 26 04:39 splitted_fileaf
-rw-r--r-- 1 root  root    1767587 Oct 26 04:39 splitted_fileae
-rw-r--r-- 1 root  root    1766195 Oct 26 04:39 splitted_filead
-rw-r--r-- 1 root  root    1763062 Oct 26 04:39 splitted_fileac
-rw-r--r-- 1 root  root    1767100 Oct 26 04:39 splitted_fileab
-rw-r--r-- 1 root  root    1763353 Oct 26 04:39 splitted_fileaa
-rw-r--r-- 1 jboss jboss  27684221 Oct 26 04:39 thirdparty.log
[root@host01-t1 log]#
[root@host01-t1 log]# cat splitted_fileaf | wc -l
10000
[root@host01-t1 log]# cat splitted_fileac | wc -l           # Each split file consists of 10000 lines.
10000
[root@host01-t1 log]#
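An added example, not from the original post, that performs the same split on a constructed log and then verifies that the pieces reassemble byte-for-byte to the original, a check worth doing before the original is archived or removed. The function names and the 25000-line sample are my own; it assumes GNU-style split, cmp and awk.

```bash
#!/bin/sh
# Added example (not from the original post): split a log into 10000-line
# pieces as the post does, then prove the pieces reassemble byte-for-byte into
# the original before the original is archived or removed. Runs in a throwaway
# directory on a constructed log, so it works anywhere with split, cmp and awk.

# make_sample_log DIR N: writes N constructed syslog-style lines to DIR/test.log
# and prints the path. With N=25000 and 10000-line pieces we expect three
# pieces: 10000 + 10000 + 5000 lines.
make_sample_log() {
    awk -v n="$2" 'BEGIN {
        for (i = 1; i <= n; i++)
            printf "Oct 26 04:20:%02d host01 dhcpd: DHCPACK on 10.10.22.%d\n", i % 60, i % 254
    }' > "$1/test.log"
    printf '%s\n' "$1/test.log"
}

# split_and_verify FILE LINES PREFIX: splits FILE into LINES-line pieces named
# PREFIXaa, PREFIXab, ... next to FILE, then compares their concatenation with
# FILE. Prints the number of pieces on success; returns 1 on any mismatch.
# PREFIX must not also match FILE's own name, or the glob below would include it.
split_and_verify() {
    file=$1; lines=$2; prefix=$3
    dir=$(dirname "$file")
    split -l "$lines" "$file" "$dir/$prefix" || return 1
    # Suffixes aa, ab, ac, ... sort alphabetically, which is the original order.
    cat "$dir/$prefix"* | cmp -s - "$file" || return 1
    ls "$dir/$prefix"* | wc -l | tr -d ' '
}

# Demo run on the constructed data.
WORKDIR=$(mktemp -d)
LOG=$(make_sample_log "$WORKDIR" 25000)
if PIECES=$(split_and_verify "$LOG" 10000 splitted_file); then
    echo "OK: $PIECES pieces reassemble to $(wc -l < "$LOG" | tr -d ' ') lines"
else
    echo "MISMATCH: pieces do not reproduce $LOG" >&2
fi
rm -rf "$WORKDIR"
```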

Difference between Standard & Xinetd based services

When you run "chkconfig --list", you will see 2 sets of services. One portion is termed "Standard" services and the other "xinetd" (Extended Inetd) based services.

Main differences between these 2 sets of services:

Standard services:
1. Started/stopped based on the run level.
2. Once turned on, continues to run until it is stopped.
3. Runs continuously regardless of its usage. For example, in the output below the cups service is running continuously even though it isn't required on many servers. This can be turned off.

Xinetd based services:
1. Don't depend on run levels.
2. The daemon 'xinetd' controls starting and stopping the service as and when required. The xinetd daemon listens for requests coming in on a particular port and starts the relevant service for it. For example, when telnet is turned on, xinetd listens for requests on port 23 and starts the telnet service when a telnet connection request arrives.
3. The xinetd daemon continuously monitors for service requests under its control and activates the service only when it is required.


[root@host01-tx ~]# chkconfig --list
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
capi            0:off   1:off   2:off   3:off   4:off   5:off   6:off
certmaster      0:off   1:off   2:off   3:off   4:off   5:off   6:off
conman          0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
.
[ Output truncated ]
.
xinetd based services:
        bpcd:           on
        bpjava-msvc:    on
        chargen-dgram:  off
        chargen-stream: off
        .
        [Output truncated]
        .     
[root@host01-tx ~]# ls -l /etc/xinetd.d            #  location of xinetd config files
.
[output not shown]
.
[root@host01-tx ~]#
[root@host01-tx ~]# ps -ef | grep cups | grep -v grep    # Cups service is continuously running
root      4483     1  0 Jul25 ?        00:00:24 cupsd
[root@host01-tx ~]# ps -ef | grep bpcd | grep -v grep   # bpcd service is not running though it is turned on
[root@host01-tx ~]# ps -ef | grep bpjava-msvc | grep -v grep  # bpjava-msvc isn't running as well
[root@host01-tx ~]#

Listing all Linux servers which are up in a network

Situation:
Suppose you want to find all the servers that are up in a network or in a range of IPs. We may need this information for troubleshooting, such as fixing IP conflicts, or to get an idea of how many servers are online at a given point in time.


Solution:
# nmap -v -sP  <Network info>
The network info can be given as a whole network (say 10.10.22.0/24) or as a range (say 10.10.22.1-40).


Example:
[root@gtxash01 ~]# nmap -v -sP 10.10.22.1-40      <-- Scans servers in the IP range 10.10.22.1 to 10.10.22.40
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-10-14 06:09 CDT
DNS resolution of 25 IPs took 5.50s.
Host 10.10.22.1 appears to be up.
Host 10.10.22.2 appears to be up.
Host 10.10.22.3 appears to be down.
Host 10.10.22.4 appears to be down.
Host 10.10.22.5 appears to be down.
Host 10.10.22.6 appears to be down.
Host 10.10.22.7 appears to be down.
Host 10.10.22.8 appears to be down.
Host 10.10.22.9 appears to be down.
Host 10.10.22.10 appears to be down.
Host 10.10.22.11 appears to be down.
Host rwbcat01.tcprod.local (10.10.22.12) appears to be up.
Host 10.10.22.13 appears to be down.
Host rsarash01.tcprod.local (10.10.22.14) appears to be up.
Host rdbash01.tcprod.local (10.10.22.15) appears to be up.
Host 10.10.22.16 appears to be down.
Host 10.10.22.17 appears to be down.
Host 10.10.22.18 appears to be down.
Host 10.10.22.19 appears to be down.
Host xenlashb1.tcprod.net (10.10.22.20) appears to be up.
Host webash04.tcprod.net (10.10.22.21) appears to be up.
Host webash23.tcprod.net (10.10.22.22) appears to be up.
Host xenc1bx-ih.tcprod.net (10.10.22.23) appears to be up.
.
< Output truncated >
.
Host gdsash02.tcprod.local (10.10.22.39) appears to be up.
Host 10.10.22.40 appears to be down.
Nmap finished: 40 IP addresses (25 hosts up) scanned in 6.178 seconds
               Raw packets sent: 110 (3740B) | Rcvd: 50 (2300B)


[root@gtxash01 ~]# nmap -v -sP 10.10.22.0/24  | grep up   # Scans servers in entire 10.10.22.0 network

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-10-14 06:10 CDT
DNS resolution of 53 IPs took 5.50s.
Host 10.10.22.0 seems to be a subnet broadcast address (returned 1 extra pings).
Host 10.10.22.1 appears to be up.
Host 10.10.22.2 appears to be up.
.
< Output truncated >
.
Host 10.10.22.243 appears to be up.
Host 10.10.22.244 appears to be up.
Host l2ash.tcprod.local (10.10.22.250) appears to be up.
Host l22ash.tcprod.local (10.10.22.251) appears to be up.
Host 10.10.22.255 seems to be a subnet broadcast address (returned 1 extra pings).
Nmap finished: 256 IP addresses (53 hosts up) scanned in 7.755 seconds
               Raw packets sent: 914 (31.076KB) | Rcvd: 108 (4968B)
[root@gtxash01 ~]#
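As an added example (not part of the original post), a parser for the Nmap 4.11 output shown above that lists the hosts that answered and cross-checks the count against Nmap's own summary line, so a truncated or partially captured scan log is noticed. The scan text below is constructed in the post's output format; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post): turn "nmap -v -sP" output into a
# clean inventory (IP and reverse-DNS name) of the hosts that answered, and
# cross-check the count against Nmap's own summary line so a truncated or
# partially captured scan log is noticed. The sample is constructed in the
# Nmap 4.11 format shown above, including the broadcast-address line.
SAMPLE_SCAN='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-10-14 06:09 CDT
DNS resolution of 3 IPs took 5.50s.
Host 10.10.22.0 seems to be a subnet broadcast address (returned 1 extra pings).
Host 10.10.22.1 appears to be up.
Host 10.10.22.3 appears to be down.
Host rwbcat01.tcprod.local (10.10.22.12) appears to be up.
Host xenlashb1.tcprod.net (10.10.22.20) appears to be up.
Nmap finished: 40 IP addresses (3 hosts up) scanned in 6.178 seconds'

# up_hosts: reads scan output on stdin and prints "IP NAME" for every host
# reported up, in scan order; NAME is "-" when Nmap printed no reverse-DNS name.
# Lines for the broadcast address and for down hosts are skipped.
up_hosts() {
    awk '/^Host .* appears to be up\.$/ {
        if ($3 ~ /^\(/) { ip = substr($3, 2, length($3) - 2); name = $2 }  # "Host name (ip) appears ..."
        else            { ip = $2; name = "-" }                            # "Host ip appears ..."
        print ip, name
    }'
}

# reported_up: the host count Nmap put in its summary line ("1 host up" or "N hosts up").
reported_up() { sed -n 's/^Nmap finished: .*(\([0-9]*\) hosts* up).*/\1/p'; }

# check_scan: prints "MATCH N" when the parsed and reported counts agree,
# otherwise "MISMATCH parsed=X reported=Y" (e.g. output cut off mid-scan).
check_scan() {
    parsed=$(printf '%s\n' "$SAMPLE_SCAN" | up_hosts | wc -l | tr -d ' ')
    reported=$(printf '%s\n' "$SAMPLE_SCAN" | reported_up)
    if [ "$parsed" = "$reported" ]; then
        echo "MATCH $parsed"
    else
        echo "MISMATCH parsed=$parsed reported=$reported"
    fi
}

printf '%s\n' "$SAMPLE_SCAN" | up_hosts
check_scan
```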

Capturing everything that scrolls on your Linux terminal

In many circumstances we might want to capture all the messages that scroll on the terminal. We may need this to review the details of an installation or deployment, or to analyze a problem on the server, and the capture can be submitted as proof to management.

"script" is the command used for this purpose, and the syntax goes like this:

# script  <filename>  or just  script

The filename given after the script command gets created and captures everything. If you just execute the command "script", all the messages are captured in the default file "typescript", as shown below:

[adevaraju@sys01 ~]$ script
Script started, file is typescript
[adevaraju@sys01 ~]$


[root@sys01 rmanbackp]# script capture_my_work        <-- All the messages that appear on the screen will be captured in the file "capture_my_work"
Script started, file is capture_my_work
[root@sys01 rmanbackp]#
.
.
.
.
[root@sys01 ~]# set | grep SHLVL                                     
SHLVL=2                                                                   <-- Observe that executing the 'script' command takes you one shell level up.
[root@sys01 ~]#
[root@sys01 rmanbackp]# exit
exit
Script done, file is capture_my_work
[root@sys01 rmanbackp]#
[root@sysllm01 ~]# set | grep SHLVL
SHLVL=1                                                                <-- Shell level is back to 1 now (the base level)
[root@sys01 ~]#


Type "exit" when you want to stop capturing. Typing "exit" once will not throw you out of the shell prompt, since you will be at shell level 2.

Copying only missing files on destination folder

Let's say you need to copy the contents of one folder to another, but only the files which AREN'T present in the destination folder. Use the cp command with the '-aru' options. There are certain things to notice while doing this; they are explained in the example below, which is self-explanatory.

In this example, just notice the timestamp of each file created under the folders /dir1 & /dir2.

[root@host01 ~]# mkdir /dir1 /dir2
[root@host01 ~]# cd /dir1
[root@host01 dir1]#
[root@host01 dir1]# touch a b c d e f; mkdir d1 d2
[root@host01 dir1]# touch d1/file1 d1/file2
[root@host01 dir1]# touch d2/take1 d2/take2
[root@host01 dir1]# ls -lR /dir1                                     <-- Using the -lR option to list the sub-folder contents of /dir1
/dir1:
total 8
-rw-r--r-- 1 root root    0 Dec  9 12:18 a
-rw-r--r-- 1 root root    0 Dec  9 12:18 b
-rw-r--r-- 1 root root    0 Dec  9 12:18 c
-rw-r--r-- 1 root root    0 Dec  9 12:18 d
drwxr-xr-x 2 root root 4096 Dec  9 12:18 d1
drwxr-xr-x 2 root root 4096 Dec  9 12:19 d2
-rw-r--r-- 1 root root    0 Dec  9 12:18 e
-rw-r--r-- 1 root root    0 Dec  9 12:18 f

/dir1/d1:
total 0
-rw-r--r-- 1 root root 0 Dec  9 12:18 file1
-rw-r--r-- 1 root root 0 Dec  9 12:18 file2

/dir1/d2:
total 0
-rw-r--r-- 1 root root 0 Dec  9 12:19 take1
-rw-r--r-- 1 root root 0 Dec  9 12:19 take2

[root@host01 dir1]#
[root@host01 dir1]# cd /dir2
[root@host01 dir2]# touch b d f Z; mkdir d1
[root@host01 dir2]# touch d1/key1 d1/key2
[root@host01 dir2]# ls -lR /dir2
/dir2:
total 4
-rw-r--r-- 1 root root    0 Dec  9 12:20 b
-rw-r--r-- 1 root root    0 Dec  9 12:20 d
drwxr-xr-x 2 root root 4096 Dec  9 12:20 d1
-rw-r--r-- 1 root root    0 Dec  9 12:20 f
-rw-r--r-- 1 root root    0 Dec  9 12:20 Z

/dir2/d1:
total 0
-rw-r--r-- 1 root root 0 Dec  9 12:20 key1
-rw-r--r-- 1 root root 0 Dec  9 12:20 key2
[root@host01 dir2]# cp -aru /dir1/* /dir2
[root@host01 dir2]# ls -lR /dir2
/dir2:
total 8
-rw-r--r-- 1 root root    0 Dec  9 12:18 a
-rw-r--r-- 1 root root    0 Dec  9 12:20 b
-rw-r--r-- 1 root root    0 Dec  9 12:18 c
-rw-r--r-- 1 root root    0 Dec  9 12:20 d
drwxr-xr-x 2 root root 4096 Dec  9 12:18 d1
drwxr-xr-x 2 root root 4096 Dec  9 12:19 d2
-rw-r--r-- 1 root root    0 Dec  9 12:18 e
-rw-r--r-- 1 root root    0 Dec  9 12:20 f
-rw-r--r-- 1 root root    0 Dec  9 12:20 Z


/dir2/d1:
total 0
-rw-r--r-- 1 root root 0 Dec  9 12:18 file1
-rw-r--r-- 1 root root 0 Dec  9 12:18 file2
-rw-r--r-- 1 root root 0 Dec  9 12:20 key1
-rw-r--r-- 1 root root 0 Dec  9 12:20 key2

/dir2/d2:
total 0
-rw-r--r-- 1 root root 0 Dec  9 12:19 take1
-rw-r--r-- 1 root root 0 Dec  9 12:19 take2
[root@host01 dir2]#

Conclusion on executing the cp command with the -aru options:
1. Files with the same names (b, d & f) were left untouched. You can confirm this by the timestamps of those files (12:20).
2. It copied all the missing files (a, c & e) and the missing folder (d2) to the destination folder /dir2.
3. The file 'Z', which is present only in /dir2, remains the same; it has not been deleted.
4. The contents of folder "d1", which is present in both the source and destination, are retained; however, the files (file1 & file2) present in the /dir1/d1 folder were copied into it. So it merged the d1 folder rather than replacing it on the destination.

Usage: Use these options when a copy you initiated earlier was interrupted for some reason. With them you need not copy everything over again or type "yes" to overwrite the files that were already copied.
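An added example, not from the original post, that rebuilds the /dir1 and /dir2 scenario above in a throwaway directory and checks each of the four conclusions mechanically; it also exercises the one case the post does not show, a source file newer than its destination copy, which -u does overwrite. Function names are my own; it assumes a cp that supports -a and -u (GNU coreutils) and a shell whose test supports -nt/-ot (bash, dash).

```bash
#!/bin/sh
# Added example (not from the original post): rebuild the /dir1 -> /dir2 scenario
# in a throwaway directory and check the four conclusions mechanically, so the
# "copy only what is missing" behaviour of cp -aru is verified rather than
# read off the timestamps by eye.

# setup_dirs ROOT: creates ROOT/dir1 and ROOT/dir2 with the post's layout.
# Source files get older mtimes (12:18, 12:19) and destination files a newer
# one (12:20), exactly as in the post.
setup_dirs() {
    root=$1
    mkdir -p "$root/dir1/d1" "$root/dir1/d2" "$root/dir2/d1"
    ( cd "$root/dir1" && touch -t 201112091218 a b c d e f d1/file1 d1/file2 \
                      && touch -t 201112091219 d2/take1 d2/take2 )
    ( cd "$root/dir2" && touch -t 201112091220 b d f Z d1/key1 d1/key2 )
}

# merge_missing ROOT: the post's command, anchored at ROOT instead of /.
merge_missing() { cp -aru "$1"/dir1/* "$1"/dir2; }

# same_mtime A B: true when both files carry the same modification time.
same_mtime() { [ ! "$1" -nt "$2" ] && [ ! "$1" -ot "$2" ]; }

# verify_merge ROOT: prints PASS when all four conclusions hold, otherwise the
# first failing conclusion, and returns non-zero.
verify_merge() {
    src=$1/dir1; dst=$1/dir2
    # 1. Same-named files keep the destination copy (the newer one, 12:20).
    for f in b d f; do
        [ "$dst/$f" -nt "$src/$f" ] || { echo "FAIL 1: $f overwritten"; return 1; }
    done
    # 2. Missing files and the missing folder d2 were copied, mtimes kept by -a.
    for f in a c e d2/take1 d2/take2; do
        [ -e "$dst/$f" ] && same_mtime "$dst/$f" "$src/$f" \
            || { echo "FAIL 2: $f not copied intact"; return 1; }
    done
    # 3. Z, present only in the destination, is still there (cp never deletes).
    [ -e "$dst/Z" ] || { echo "FAIL 3: Z deleted"; return 1; }
    # 4. d1 was merged, not replaced: key1/key2 survive, file1/file2 were added.
    for f in key1 key2 file1 file2; do
        [ -e "$dst/d1/$f" ] || { echo "FAIL 4: d1/$f missing"; return 1; }
    done
    echo PASS
}

# Caveat the post's scenario does not exercise: -u means "update", so a source
# file that is NEWER than its destination copy IS overwritten. Returns 0 when
# that happens, which is why the 12:20 destination timestamps mattered above.
newer_source_overwrites() {
    src=$1/dir1; dst=$1/dir2
    touch -t 201112091230 "$src/b"        # make the source b newer than dir2/b
    merge_missing "$1"
    same_mtime "$dst/b" "$src/b"          # true only if b was re-copied
}

# Demo run.
ROOT=$(mktemp -d)
setup_dirs "$ROOT" && merge_missing "$ROOT" && verify_merge "$ROOT"
newer_source_overwrites "$ROOT" && echo "newer source b was overwritten by -u"
rm -rf "$ROOT"
```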

Monday, May 30, 2011

Upgrading JDK to latest version

Below is a self-explanatory example of upgrading the JDK from version 1.4.2 to 1.6.0_25.


[root@host01-d1 ~/]# java -version
java version "1.4.2"
gij (GNU libgcj) version 4.1.2 20080704 (Red Hat 4.1.2-46)

Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[root@host01-d1 ~]# alternatives --config java

There is 1 program that provides 'java'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java

Enter to keep the current selection[+], or type selection number:
[root@host01-d1 ~]# alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_25/bin/java 2
[root@host01-d1 ~]#
[root@host01-d1 ~]# alternatives --install /usr/bin/javac javac /usr/java/jdk1.6.0_25/bin/javac 2
[root@host01-d1 ~]# alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   2           /usr/java/jdk1.6.0_25/bin/java

Enter to keep the current selection[+], or type selection number: 2
[root@host01-d1 ~]# alternatives --config javac

There are 2 programs which provide 'javac'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/java-1.4.2-gcj/bin/javac
   2           /usr/java/jdk1.6.0_25/bin/javac

Enter to keep the current selection[+], or type selection number: 2
[root@host01-d1 ~]# java -version
java version "1.6.0_25"
Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.0-b11, mixed mode)


[root@host01-d1 ~]# which javac
/usr/bin/javac
[root@host01-d1 ~]# which java
/usr/bin/java
[root@host01-d1 ~]# /usr/bin/java -version
java version "1.6.0_25"
Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.0-b11, mixed mode)
[root@host01-d1 ~]# which javac
/usr/bin/javac
[root@host01-d1 ~]# ls -l /usr/bin/javac
lrwxrwxrwx 1 root root 23 May 25 00:24 /usr/bin/javac -> /etc/alternatives/javac
[root@host01-d1 ~]# ls -l /etc/alternatives/javac
lrwxrwxrwx 1 root root 31 May 25 15:26 /etc/alternatives/javac -> /usr/java/jdk1.6.0_25/bin/javac
[root@host01-d1 ~]#

Tuesday, May 17, 2011

Steps to create and mount ext4 filesystem

Syntax: 

mkfs.ext4  "Device Name"

(or)

mke2fs -t ext4 "Device Name"


Example:
[root@hostxyz bin]# mkfs.ext4 /dev/sda3

mke4fs 1.41.9 (22-Aug-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
67108864 inodes, 268435456 blocks
13421772 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
8192 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
        102400000, 214990848

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

[root@hostxyz ~]# mkdir /ext4_filesystem

[root@hostxyz ~]# mount -t ext4 /dev/sda3  /ext4_filesystem


[root@hostxyz ~]# file -sL /dev/sda3
/dev/sda3: Linux rev 1.0 ext4 filesystem data (needs journal recovery) (extents) (large files) (huge files)
[root@hostxyz ~]#

Note: The ext4 filesystem is available starting from kernel 2.6.19. In case your server doesn't have the "ext4" package installed, you can get it by installing the latest version of the "e4fsprogs" rpm.
(URL to download for CentOS: http://pkgs.org/package/e4fsprogs ).
However, it is recommended to use the ext4 filesystem from the kernel version mentioned above to get its full advantage.