Hashicorp Vault notes
See:
See also:
- Akeyless
- OpenBao
Source: https://www.youtube.com/watch?v=vOf0afZP9gE
docker run --cap-add=IPC_LOCK -d -p 8200:8200 --name=dev-vault vault
docker logs dev-vault
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variables:
$ export VAULT_ADDR='http://0.0.0.0:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: fjLp7NUP5GfHPE8fv0UxMM+D1s0xuumy4Xljs6l7Eks=
Root Token: hvs.pSSg3pM9pfk5Ih6HdCi784un
Development mode should NOT be used in production installations!
vault server -dev
VAULT_SKIP_VERIFY=true
curl 127.0.0.1:8200/v1/sys/health |jq .
vault(){ docker exec -ti -e VAULT_ADDR='http://127.0.0.1:8200' -e VAULT_TOKEN=hvs.pSSg3pM9pfk5Ih6HdCi784un dev-vault vault "$@" ;}
vault --version
vault token lookup
# vault kv list kv/
Keys
----
plop
vault kv get -format=json -field=data kv/plop
Other
vault auth enable userpass
vault write auth/userpass/users/jean password='P@ssw0rd' policies=admins
vault login -method=userpass username=jean password='P@ssw0rd'
vault auth enable -path="custom" approle
vault write auth/approle/role/my-app \
    secret_id_ttl=10m \
    token_num_uses=0 \
    token_ttl=120m \
    token_max_ttl=300m \
    secret_id_num_uses=1 \
    token_policies="app_read"
path "secrets/secret/show/ploppath" {
  capabilities = ["read", "create", "update", "delete"]
}
Debian hardening notes
See:
- Center for Internet Security (CIS)
Known vulnerabilities in Debian:
See also:
- debian-security-support
- SUID and file permissions.
- MAC (selinux, grsec, tomoyo, apparmor...?)
- /etc/security/access.conf
#+:root:ALL
# Deny root logins via the network:
-:root:ALL EXCEPT LOCAL
+:admin:ALL
-:ALL:ALL
The order of the rules matters. It will apply the first rule that matches.
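As an added example (not code from the page), a small shell evaluator that applies the access.conf rules above with first-match semantics. It is a simplification of pam_access: LOCAL is any origin without a dot, and groups and multi-valued user fields are not handled. It shows that with `+:root:ALL` left commented out, the final `-:ALL:ALL` also denies root at the console, and that enabling that line in first position lets root in from the network, which is exactly why ordering matters.

```shell
# Rule set copied from the notes above (comments included)
ACCESS_RULES='#+:root:ALL
# Deny root logins via the network:
-:root:ALL EXCEPT LOCAL
+:admin:ALL
-:ALL:ALL'

# Constructed variant: the commented line enabled and placed first
ROOT_FIRST="+:root:ALL
$ACCESS_RULES"

# origin_matches <pattern> <origin>: ALL matches anything, LOCAL matches a
# tty-style name (no "." in it), anything else must match literally
origin_matches() {
  case "$1" in
    ALL)   return 0 ;;
    LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# origins_match <origins-field> <origin>: supports "X" and "ALL EXCEPT X"
origins_match() {
  case "$1" in
    "ALL EXCEPT "*) if origin_matches "${1#ALL EXCEPT }" "$2"; then return 1; else return 0; fi ;;
    *) origin_matches "$1" "$2" ;;
  esac
}

# check_access <user> <origin> [rules]: prints allow|deny, returns 0 on allow.
# Rules are read top to bottom and the first match decides; like pam_access,
# access is granted when nothing matches, hence the trailing -:ALL:ALL.
check_access() {
  local user origin rules perm users origins
  user=$1; origin=$2; rules=${3:-$ACCESS_RULES}
  while IFS=: read -r perm users origins; do
    case "$perm" in ''|'#'*) continue ;; esac     # blank line or comment
    if [ "$users" != ALL ] && [ "$users" != "$user" ]; then continue; fi
    origins_match "$origins" "$origin" || continue
    if [ "$perm" = '+' ]; then echo allow; return 0; else echo deny; return 1; fi
  done <<EOF
$rules
EOF
  echo allow; return 0
}

for probe in "root tty1" "root 10.0.0.5" "admin 10.0.0.5" "alice tty1"; do
  set -- $probe
  printf '%-5s from %-9s -> %s\n' "$1" "$2" "$(check_access "$1" "$2")"
done
```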
Notes
Disable the root account (as on Ubuntu)
# Clear the root password
passwd -d root
# Lock the account (prefixes the password hash with "!")
passwd -l root
Scan for vulnerable packages
debsecan
debsecan --suite buster --format packages --only-fixed
Debian 10
See https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.fr.html
- APT::Sandbox::Seccomp
- APT::Sandbox::Seccomp::Trap
- APT::Sandbox::Seccomp::Allow
Diffing Debian 7
/etc/passwd
Shell set to /bin/false or /usr/sbin/nologin
/etc/timezone
> Europe/Amsterdam
/etc/profile.d/tmout.sh
> TMOUT=900
> readonly TMOUT
> export TMOUT
/etc/resolv.conf
DNS server conf
/etc/motd
Welcome message
/etc/issue
same
/etc/issue.net
Version
/etc/fstab
Separate /var/log and /tmp partitions
/tmp partition noexec,nosuid,nodev,bind
/var/log nodev,nosuid
/home nodev,nosuid
/data nodev
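Added check (not from the page) that audits a constructed fstab sample against the per-mount-point options listed above; the sample's /tmp and /home lines deliberately lack one option each so the report is non-empty. Point mount_opts at the real file to use it on a host.

```shell
# Constructed /etc/fstab sample (not a real system): /tmp lacks noexec, /home lacks nosuid
FSTAB_SAMPLE='# <file system> <mount point> <type> <options>             <dump> <pass>
UUID=1111-aaaa  /         ext4  errors=remount-ro        0 1
/tmp            /tmp      none  bind,nosuid,nodev        0 0
UUID=2222-bbbb  /var/log  ext4  defaults,nodev,nosuid    0 2
UUID=3333-cccc  /home     ext4  defaults,nodev           0 2
UUID=4444-dddd  /data     ext4  defaults,nodev           0 2'

# mount_opts <mountpoint>: options field of the fstab line for that mount point
mount_opts() {
  printf '%s\n' "$FSTAB_SAMPLE" | awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# missing_opts <mountpoint> <required,list>: prints each required option that is
# absent, one per line, and returns 1 if any is missing. "NO-ENTRY" means the
# path has no fstab line of its own, i.e. it is not a separate partition.
missing_opts() {
  local mp required opts want rc
  mp=$1; required=$2; rc=0
  opts=$(mount_opts "$mp")
  if [ -z "$opts" ]; then echo NO-ENTRY; return 1; fi
  for want in $(printf '%s' "$required" | tr ',' ' '); do
    case ",$opts," in
      *",$want,"*) ;;                 # option present
      *) echo "$want"; rc=1 ;;
    esac
  done
  return $rc
}

# audit_fstab: apply the expected option set from the notes above to each path;
# returns 0 only when every mount point carries every required option
audit_fstab() {
  local mp need gaps status
  status=0
  while read -r mp need; do
    if gaps=$(missing_opts "$mp" "$need"); then continue; fi
    printf '%-9s missing: %s\n' "$mp" "$(printf '%s' "$gaps" | tr '\n' ' ')"
    status=1
  done <<EOF
/tmp nodev,nosuid,noexec
/var/log nodev,nosuid
/home nodev,nosuid
/data nodev
EOF
  return $status
}

audit_fstab || echo "fstab does not match the hardening baseline"
```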
/etc/shells
Restrict valid login shells
> /bin/sh
> /bin/dash
> /bin/bash
> /bin/rbash
# NOT DONE
/etc/hosts.deny
/etc/hosts.allow
Empty
/etc/shadow
Only root and the process user have a valid password
# NOT DONE
/etc/pam.d/common-auth
No nullok_secure
/etc/pam.d/common-password
Cracklib set
First lines:
> # here are the per-package modules (the "Primary" block)
> password required pam_cracklib.so retry=3 minlen=12 difok=3
> password [success=1 default=ignore] pam_unix.so obscure minlen=8 sha512 use_authtok
/etc/pam.d/common-session
umask secured
last line :
session optional pam_umask.so umask=077
/etc/inittab
No ctrl alt del reboot
# What to do when CTRL-ALT-DEL is pressed.
< ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
> #ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
/etc/init.d/firewall
/etc/hostname
Hostname
/etc/hosts
127.0.0.1 localhost
127.0.1.1 HOSTNAME
?
/etc/ca-certificates.conf
/etc/security/opasswd
for pam_cracklib
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
/etc/rsyslog.d/bash.conf
> local6.* /var/log/commands.log
/etc/logrotate.d/rsyslog
> /var/log/commands.log
> {
> rotate 4
> weekly
> missingok
> notifempty
> compress
> delaycompress
> sharedscripts
> postrotate
> invoke-rc.d rsyslog rotate > /dev/null
> endscript
>}
?
/etc/nsswitch.conf
/etc/ssh/sshd_config
# Not default port
Port 22092
# Prevent root login
PermitRootLogin no
Match User UserWithUID0 Address 192.168.5.3
PermitRootLogin yes
# No password auth
PasswordAuthentication no
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet memmap=512M\\\$1024M"
/etc/default/cpufrequtils
GOVERNOR="performance"
/etc/bash.bashrc
change default prompt
> export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
/etc/grub.d/40_custom
password access for grub
> set superusers="root"
> password root P@ssw0rd
/etc/security/limits.conf
change limits for app and perf
> process soft core unlimited
> root soft core unlimited
?
/etc/pam.d/other
> auth required pam_securetty.so
> auth required pam_unix_auth.so
> auth required pam_warn.so
> auth required pam_deny.so
> account required pam_unix_acct.so
> account required pam_warn.so
> account required pam_deny.so
> password required pam_unix_passwd.so
> password required pam_warn.so
> password required pam_deny.so
> session required pam_unix_session.so
> session required pam_warn.so
> session required pam_deny.so
/etc/pam.d/login
Change the delay on failure per-application to 10 seconds
< auth optional pam_faildelay.so delay=3000000
> auth optional pam_faildelay.so delay=10000000
????
/etc/securetty
Restrict console access for root
NOTE: s/ttyW/ttyS/
> console
> tty1
> tty2
> tty3
> tty4
> tty5
> tty6
> ttyW0
> ttyW1
/etc/login.defs
su activity log file
change default umask
> ULOG_FILE /var/log/sulog
> UMASK 077
/etc/ntp.conf
NTP server configured
/etc/sysctl.conf
Disable IPV6
Disable magic keys
Prevent routing packet
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> net.ipv4.ip_forward=0
> net.ipv4.conf.all.send_redirects = 0
> kernel.sysrq=0
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
> net.ipv6.conf.lo.disable_ipv6=1
> net.ipv6.conf.eth0.disable_ipv6=1
> net.ipv6.conf.eth1.disable_ipv6=1
/etc/sudoers
root password needed for privilege elevation
> Defaults rootpw
/etc/passwd
shells /bin/false or /usr/sbin/nologin
/etc/pam.d/su
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
auth required pam_wheel.so
sudo error notification
Subject of the mail sent by sudo: *** SECURITY information for vps123456 ***
- /etc/aliases
root: moncompte
postalias
Other
Shell hardening. See:
- /etc/shells
GNU/Linux GUI notes - various desktops
See:
Automatic startup
Example: to start the GPG agent together with your graphical session, simply add the following line to ~/.xprofile:
eval $(gpg-agent --daemon)
On Debian this is already done here:
/etc/X11/Xsession.d/90gpg-agent
