Hashicorp Vault notes
Hashicorp Vault
See:
See also:
- Akeyless
- OpenBao
Source: https://www.youtube.com/watch?v=vOf0afZP9gE
docker run --cap-add=IPC_LOCK -d -p 8200:8200 --name=dev-vault vault   # the "vault" image is now published as hashicorp/vault
docker logs dev-vault
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variables:
$ export VAULT_ADDR='http://0.0.0.0:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: fjLp7NUP5GfHPE8fv0UxMM+D1s0xuumy4Xljs6l7Eks=
Root Token: hvs.pSSg3pM9pfk5Ih6HdCi784un
Development mode should NOT be used in production installations!
vault server -dev
VAULT_SKIP_VERIFY=true   # disables TLS certificate verification: lab use only, never on a real deployment
curl 127.0.0.1:8200/v1/sys/health | jq .
# Shell wrapper: run the vault CLI inside the dev container; the token is the dev root token printed in the logs above
vault(){ docker exec -ti -e VAULT_ADDR='http://127.0.0.1:8200' -e VAULT_TOKEN=hvs.pSSg3pM9pfk5Ih6HdCi784un dev-vault vault "$@" ;}
vault --version
vault token lookup
# vault kv list kv/
Keys
----
plop
vault kv get -format=json -field=data kv/plop
Other
vault auth enable userpass
vault write auth/userpass/users/jean password='P@ssw0rd' policies=admins   # the "admins" policy must already exist
vault login -method=userpass username=jean password='P@ssw0rd'   # omit password=... to be prompted, so it does not land in shell history
vault auth enable -path="custom" approle   # mounts at auth/custom/ instead of the default auth/approle/ used below
vault write auth/approle/role/my-app \
    secret_id_ttl=10m \
    token_num_uses=0 \
    token_ttl=120m \
    token_max_ttl=300m \
    secret_id_num_uses=1 \
    token_policies="app_read"
path "secrets/secret/show/ploppath" {
  capabilities = ["read", "create", "update", "delete"]
}
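The complete AppRole sequence behind the my-app role above, as an added example (not code from these notes or from HashiCorp): operator side creates the policy and the role, application side exchanges RoleID + SecretID for a token and reads the secret, and the two failure modes worth seeing are shown (write denied by the read-only policy, single-use SecretID rejected on the second login). It assumes the vault CLI and jq are on PATH, that VAULT_ADDR and VAULT_TOKEN (the dev root token) are exported, and that kv/ is a KV version 2 engine, which is why the policy grants kv/data/plop rather than kv/plop; the policy name app_read comes from the role above, the secret value password=demo-only is constructed here.

```shell
#!/bin/sh
# Added example, not part of the original notes. Needs: vault CLI, jq,
# VAULT_ADDR and VAULT_TOKEN pointing at the dev container started above.
set -eu

# Write the app_read policy (name taken from token_policies above) to a temp
# file and print its path. KV v2 keeps the payload under kv/data/<name>, so
# that is the path a policy has to grant; kv/<name> only exists in KV v1.
write_app_read_policy_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
path "kv/data/plop" {
  capabilities = ["read"]
}
EOF
    echo "$f"
}

# Operator side (root/admin token): enable AppRole, load the policy, create
# the role. secret_id_num_uses=1 makes every SecretID single-use.
setup_approle() {
    vault auth list -format=json | jq -e 'has("approle/")' >/dev/null \
        || vault auth enable approle
    vault secrets list -format=json | jq -e 'has("kv/")' >/dev/null \
        || vault secrets enable -path=kv kv-v2
    vault policy write app_read "$(write_app_read_policy_file)"
    vault write auth/approle/role/my-app \
        secret_id_ttl=10m token_num_uses=0 token_ttl=120m \
        token_max_ttl=300m secret_id_num_uses=1 token_policies=app_read
    vault kv put kv/plop password=demo-only >/dev/null   # constructed sample secret
}

# The two halves of the credential are handed out separately: RoleID is baked
# into the deployment, a fresh SecretID is minted per instance at deploy time.
get_role_id()   { vault read -field=role_id auth/approle/role/my-app/role-id; }
new_secret_id() { vault write -f -field=secret_id auth/approle/role/my-app/secret-id; }

# Application side: the login endpoint is unauthenticated, no root token needed.
approle_login() {
    vault write -field=token auth/approle/login role_id="$1" secret_id="$2"
}

main() {
    setup_approle
    role_id=$(get_role_id)
    secret_id=$(new_secret_id)
    app_token=$(approle_login "$role_id" "$secret_id")

    # The app token can read the secret...
    VAULT_TOKEN=$app_token vault kv get -field=password kv/plop
    # ...but not write it: the policy grants "read" only.
    VAULT_TOKEN=$app_token vault kv put kv/plop password=x >/dev/null 2>&1 \
        && echo "UNEXPECTED: write allowed" || echo "write denied as expected"
    # ...and the used SecretID is gone (secret_id_num_uses=1).
    approle_login "$role_id" "$secret_id" >/dev/null 2>&1 \
        && echo "UNEXPECTED: SecretID reused" || echo "second login with used SecretID rejected as expected"
}

# Only talk to Vault when one is configured; otherwise just define the functions.
if [ "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
    main
fi
```

In production the SecretID should not be printed to a terminal at all: have the orchestrator request it with -wrap-ttl and let the application unwrap it, so only the final consumer ever sees it.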
Debian hardening notes
See:
- Center for Internet Security (CIS)
Known vulnerabilities in Debian:
See also:
- debian-security-support
- SUID and file permissions.
- MAC (selinux, grsec, tomoyo, apparmor…?)
- /etc/security/access.conf
- /etc/security/access.conf
#+:root:ALL
# Deny root logins via the network:
-:root:ALL EXCEPT LOCAL
+:admin:ALL
-:ALL:ALL
Rules are evaluated in order and the first match wins, so the catch-all -:ALL:ALL line has to stay last. The file is only consulted when pam_access.so is in the PAM stack (e.g. account required pam_access.so in /etc/pam.d/common-account or /etc/pam.d/sshd).
Notes
Disable the root account (as on Ubuntu)
# Clear the root password
passwd -d root
# Lock the account (prefixes the password hash with "!")
passwd -l root
Run both, or at least the second one: passwd -d on its own leaves root with an empty password, which is the opposite of locking it. Locking the password does not stop SSH key logins as root; that needs PermitRootLogin no in sshd_config (see below).
Scan for vulnerable packages
debsecan
debsecan --suite buster --format packages --only-fixed   # only CVEs for which a fixed package is already available
Debian 10
See https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.fr.html
APT can run its transport methods inside a seccomp-BPF sandbox (off by default in buster); the related apt.conf options are:
- APT::Sandbox::Seccomp (set to "true" to enable the filter)
- APT::Sandbox::Seccomp::Trap (extra syscalls to trap)
- APT::Sandbox::Seccomp::Allow (extra syscalls to allow)
Diffing Debian 7
/etc/passwd
Shell set to /bin/false or /usr/sbin/nologin for service accounts
/etc/timezone
> Europe/Amsterdam
/etc/profile.d/tmout.sh
> TMOUT=900
> readonly TMOUT
> export TMOUT
/etc/resolv.conf
DNS server conf
/etc/motd
Welcome message
/etc/issue
same
/etc/issue.net
Version
/etc/fstab
Separate partitions for /var/log and /tmp
/tmp: noexec,nosuid,nodev (bind mount)
/var/log nodev,nosuid
/home nodev,nosuid
/data nodev
/etc/shells
Restrict valid login shells
> /bin/sh
> /bin/dash
> /bin/bash
> /bin/rbash
# NOT DONE
/etc/hosts.deny
/etc/hosts.allow
Empty
/etc/shadow
Only root and the service accounts that need one have a valid password hash; everything else is locked
# NOT DONE
/etc/pam.d/common-auth
No nullok_secure
/etc/pam.d/common-password
Cracklib set
First lines:
> # here are the per-package modules (the "Primary" block)
> password required pam_cracklib.so retry=3 minlen=12 difok=3
> password [success=1 default=ignore] pam_unix.so obscure minlen=8 sha512 use_authtok
The option is use_authtok (not use_authok): it makes pam_unix reuse the password pam_cracklib already checked instead of prompting again. Debian 11 and later no longer ship libpam-cracklib; use libpam-pwquality (pam_pwquality.so) with the same kind of settings.
/etc/pam.d/common-session
umask secured
last line :
session optional pam_umask.so umask=077
/etc/inittab
No ctrl alt del reboot
# What to do when CTRL-ALT-DEL is pressed.
< ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
> #ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
/etc/init.d/firewall
/etc/hostname
Hostname
/etc/hosts
127.0.0.1 localhost
127.0.1.1 HOSTNAME
?
/etc/ca-certificates.conf
/etc/security/opasswd
password history file (used by pam_unix remember=N and by pam_pwhistory)
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
/etc/rsyslog.d/bash.conf
> local6.* /var/log/commands.log
/etc/logrotate.d/rsyslog
> /var/log/commands.log
> {
> rotate 4
> weekly
> missingok
> notifempty
> compress
> delaycompress
> sharedscripts
> postrotate
> invoke-rc.d rsyslog rotate > /dev/null
> endscript
> }
?
/etc/nsswitch.conf
/etc/ssh/sshd_config
# Not default port
Port 22092
# Prevent root login
PermitRootLogin no
Match User UserWithUID0 Address 192.168.5.3
PermitRootLogin yes
# No password auth
PasswordAuthentication no
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet memmap=512M\\\$1024M"
/etc/default/cpufrequtils
GOVERNOR="performance"
/etc/bash.bashrc
log every interactive command to syslog (facility local6, see /etc/rsyslog.d/bash.conf above) through PROMPT_COMMAND
> export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
Caveat: a user can unset or overwrite PROMPT_COMMAND in their own shell, so this is an audit trail, not a control; use auditd (or pam_tty_audit) when the log has to be tamper-resistant.
/etc/grub.d/40_custom
password-protect GRUB
> set superusers="root"
> password root P@ssw0rd
Prefer a hashed password: generate it with grub-mkpasswd-pbkdf2 and use a password_pbkdf2 root grub.pbkdf2.sha512.… line instead; a cleartext password here is copied as-is into the generated grub.cfg, which is typically world-readable.
/etc/security/limits.conf
change limits for app and perf
> process soft core unlimited
> root soft core unlimited
?
/etc/pam.d/other
> auth required pam_securetty.so
> auth required pam_unix_auth.so
> auth required pam_warn.so
> auth required pam_deny.so
> account required pam_unix_acct.so
> account required pam_warn.so
> account required pam_deny.so
> password required pam_unix_passwd.so
> password required pam_warn.so
> password required pam_deny.so
> session required pam_unix_session.so
> session required pam_warn.so
> session required pam_deny.so
/etc/pam.d/login
Change the delay on failure per-application to 10 seconds
< auth optional pam_faildelay.so delay=3000000
> auth optional pam_faildelay.so delay=10000000
????
/etc/securetty
Restrict console access for root
NOTE : s/ttyW/ttyS/
> console
> tty1
> tty2
> tty3
> tty4
> tty5
> tty6
> ttyW0
> ttyW1
/etc/login.defs
log su activity to a file
change the default umask
> SULOG_FILE /var/log/sulog
> UMASK 077
The login.defs key is SULOG_FILE. Since Debian 10, su comes from util-linux, which does not implement SULOG_FILE and logs su attempts through PAM/syslog (auth facility) instead.
> UMASK 077
/etc/ntp.conf
NTP serveur configured
/etc/sysctl.conf
Disable IPv6
Disable the magic SysRq key
Do not forward packets
Caveat: rp_filter=0 turns reverse-path filtering OFF; hardening baselines (CIS) expect net.ipv4.conf.all.rp_filter=1 unless asymmetric routing makes that impossible.
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> net.ipv4.ip_forward=0
> net.ipv4.conf.all.send_redirects = 0
> kernel.sysrq=0
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
> net.ipv6.conf.lo.disable_ipv6=1
> net.ipv6.conf.eth0.disable_ipv6=1
> net.ipv6.conf.eth1.disable_ipv6=1
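A small audit of the fstab, sshd_config and sysctl settings listed above, as an added example (not a script from these notes): it runs offline against sample files constructed inline (the values are invented for the demo; point the functions at /etc/fstab, /etc/ssh/sshd_config and /etc/sysctl.conf on a real host). Two details it gets right that a naive grep misses: sshd keeps the FIRST value of a keyword and lines after a Match only apply inside that block, whereas in sysctl.conf the LAST assignment wins.

```shell
#!/bin/sh
# Added example, not part of the original notes.
set -u

# Return 0 if MOUNTPOINT in FSTAB carries every option listed after it.
# usage: fstab_has_opts FSTAB MOUNTPOINT OPT...
fstab_has_opts() {
    fstab=$1; mnt=$2; shift 2
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 1          # mount point absent: not a separate mount at all
    for o in "$@"; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
}

# Print the effective value of an sshd_config keyword: first occurrence wins,
# and anything after a "Match" line is conditional, so it is ignored here.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Print the value a sysctl key ends up with in a sysctl.conf-style file
# (last assignment wins; empty if the key is never set).
sysctl_file_value() {
    awk -F= -v k="$2" '
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { key = $1; val = $2; gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val) }
        key == k { v = val }
        END { print v }' "$1"
}

# --- constructed sample files (invented for the demo) -------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_FSTAB=$SAMPLE_DIR/fstab
SAMPLE_SSHD=$SAMPLE_DIR/sshd_config
SAMPLE_SYSCTL=$SAMPLE_DIR/sysctl.conf

cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1  /      ext4  errors=remount-ro         0 1
/dev/sda2  /home  ext4  defaults,nodev,nosuid     0 2
/tmp       /tmp   none  bind,noexec,nosuid,nodev  0 0
EOF

cat > "$SAMPLE_SSHD" <<'EOF'
Port 22092
PermitRootLogin no
PasswordAuthentication no
Match User UserWithUID0 Address 192.168.5.3
    PermitRootLogin yes
EOF

cat > "$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 1
kernel.sysrq=0
# the later line overrides the first one
net.ipv4.ip_forward=0
EOF

# --- audit: one PASS/FAIL line per check, returns the number of failures --
run_audit() {
    fails=0
    check() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi; }
    check fstab_has_opts "$SAMPLE_FSTAB" /tmp noexec nosuid nodev
    check fstab_has_opts "$SAMPLE_FSTAB" /home nodev nosuid
    check fstab_has_opts "$SAMPLE_FSTAB" /var/log nodev nosuid   # no separate /var/log in the sample: FAIL
    check test "$(sshd_effective "$SAMPLE_SSHD" PermitRootLogin)" = no
    check test "$(sshd_effective "$SAMPLE_SSHD" PasswordAuthentication)" = no
    check test "$(sysctl_file_value "$SAMPLE_SYSCTL" net.ipv4.ip_forward)" = 0
    check test "$(sysctl_file_value "$SAMPLE_SYSCTL" kernel.sysrq)" = 0
    return $fails
}

run_audit || echo "$? check(s) failed"
```

sysctl_file_value only reads one file; on a live host also check /etc/sysctl.d/*.conf and compare with what the kernel actually has (sysctl -n KEY), since a value set in a file is not necessarily the one loaded.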
/etc/sudoers
root password needed for privilege elevation
> Defaults rootpw
/etc/passwd
shells /bin/false or /usr/sbin/nologin
/etc/pam.d/su
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
auth required pam_wheel.so
Sudo failure notification
*** SECURITY information for vps123456 ***
- /etc/aliases
root: moncompte
newaliases   # or: postalias /etc/aliases
Other
Shell hardening. See:
- /etc/shells
GNU/Linux GUI notes - various desktops
See:
Autostart
Example: to start the GPG agent together with your graphical session, simply add the following line to ~/.xprofile
eval $(gpg-agent --daemon)
On Debian this is already done here:
/etc/X11/Xsession.d/90gpg-agent
Grub notes
See also:
- systemd-boot (replaces Grub on EFI-capable machines)
- u-boot
Show GRUB info/config
grubby --info=ALL
Example of a problem
…Then Debian was installed, replacing my root over the Xubuntu root and reusing the home created earlier. That way, no more "operating system not found" worries, but a nice black screen with the grub> prompt. A bit bare all the same… After digging around a bit, I ended up finding a sub-directory ubuntu in /boot/efi/EFI, which I deleted. Then, to be sure:
sudo os-prober
sudo update-grub
sudo update-initramfs -u
Restarted the PC and got a nice graphical grub screen where I could pick my Debian directly and boot it.
RedHat - adding a parameter
grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"
RedHat - removing a parameter
For example, to remove ipv6.disable=1
# grub2-editenv - list | grep kernelopts
kernelopts=root=/dev/mapper/vgsys01-lvroot ro crashkernel=auto resume=/dev/mapper/vgsys01-lvswap rd.lvm.lv=vgsys01/lvroot rd.lvm.lv=vgsys01/lvswap rhgb quiet ipv6.disable=1
grub2-editenv - set "kernelopts=root=/dev/mapper/vgsys01-lvroot ro crashkernel=auto resume=/dev/mapper/vgsys01-lvswap rd.lvm.lv=vgsys01/lvroot rd.lvm.lv=vgsys01/lvswap rhgb quiet"
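Retyping the whole kernelopts line by hand is where a typo leaves a machine unbootable. The following added example (not from these notes) removes one parameter from the line programmatically; the kernelopts string is the one shown above, reused here as sample input, and the strip_kernel_arg function and APPLY variable are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes.
set -eu

# Print KERNELOPTS_LINE without the parameter ARG. Whole-word match, so
# "ipv6.disable=1" does not touch "ipv6.disable=10" or "rd.lvm.lv=..." entries.
# usage: strip_kernel_arg "KERNELOPTS_LINE" ARG
strip_kernel_arg() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | grep -v -x -F -- "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Sample input: the kernelopts value shown above.
SAMPLE_KERNELOPTS='root=/dev/mapper/vgsys01-lvroot ro crashkernel=auto resume=/dev/mapper/vgsys01-lvswap rd.lvm.lv=vgsys01/lvroot rd.lvm.lv=vgsys01/lvswap rhgb quiet ipv6.disable=1'

echo "before: $SAMPLE_KERNELOPTS"
echo "after:  $(strip_kernel_arg "$SAMPLE_KERNELOPTS" ipv6.disable=1)"

# On a real RHEL 8 style host (kernelopts kept in grubenv): read the current
# value and write it back without the parameter. Run as root with APPLY=1.
# Where each BLS entry carries its own options instead of a kernelopts line,
# use: grubby --update-kernel=ALL --remove-args="ipv6.disable=1"
if [ "${APPLY:-0}" = 1 ]; then
    current=$(grub2-editenv - list | sed -n 's/^kernelopts=//p')
    grub2-editenv - set "kernelopts=$(strip_kernel_arg "$current" ipv6.disable=1)"
fi
```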
Other
Install GRUB on Debian
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --force
