#!/bin/sh # /usr/local/sbin/sys_config_update # This script picks up scheduled configuration information for this machine # and stores it all in $BASE_DIR. [-d] parameter deletes and # remakes sub-directories as needed in $BASE_DIR. Files in $BASE_DIR # not affected but those generated here are overwritten. As the writers # system /home directory is mounted from a different drive than /, keeping # $BASE_DIR in a regular users account saves the data over system installs. # # Must be run as superuser as many of the config files have restrictive # permissions set. The resulting $BASE_DIR is owned by $CONFIG_USER. # # Copyright (c) 2008-2013 David R. Forrest (Forrest) # # Permission to use, copy, modify, and distribute this material # for any purpose and without fee is hereby granted, provided # that the above copyright notice and this permission notice # appear in all copies, and that the name of Forrest not be # used in advertising or publicity pertaining to this # material without the specific, prior written permission # of an authorized representative of Forrest. FORREST # MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY # OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS", # WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. # # Revised 06/04/10 for F13 installation # Revised 01/24/11 for F14 # Revised 08/22/11 technical structure of DIRs # Revised 01/21/13 for CentOS6 # Revised 06/15/14 for CentOS65June2014 # Revised 10/25/14 for iptables DIR updated # Revised 11/25/14 to document windxp VM in KVM # Revised 10/11/15 to begin Centos 7 update # Revised 4/15/16 with partially usable information (provides meaningful output) # Revised 10/13/16 Working on systemd - sysctl # Revised 2/1/17 Setting up ethernet bridge (testing) # Revised 4/18/17 Added hostname (#318 hostnamectl ststus) # Revised 5/11/17 Added some more network stats (in iptables DIR) # Revised 6/25/18 Adjusted to report CentOS73-25JUL18 data # Revised 8/25/18 Added some lynis reports under Application Configs # Program Variables & Functions PATH="/usr/bin:/bin:/usr/local/sbin" MPDC_ULA="fd82:bc70:4324::/48" # Be sure to set user name CONFIG_USER and Base Directory below CONFIG_USER="drf" # Assume we are in CentOS73 else Unknown Fedora=Unknown $(/bin/uname -r |grep el7 >/dev/null) && Fedora=CentOS73-07AUG18 BASE_DIR="/home/drf/Desktop/SystemDocumentation/$Fedora" # Subdirectories to the $BASE_DIR are script created by a statement starting in column 1 # formatted as: DIR=$BASE_DIR/subdirectory_name # Script path used in creating this config SCRIPTPATH='/usr/bin:/bin:/usr/local/sbin' # user root crond #SCRIPTPATH='/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin' # user root #SCRIPTPATH='/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/drf/bin' #user drf LOCAL_CONFIG_NOTES='This white box system bypasses many of the CentOS configuration files normally included as it has evolved over several years from earlier installations. As such, be advised to carefully check that configuration information that may be provided by Centos7 is actually used. Sorry about that. -drf 4/9/08' # Sanity checks test $UID != 0 && { echo "Must be super user!" ; exit; } [ $PATH == $SCRIPTPATH ] || { echo -e "\n\nActual Path: $PATH\nScript Path: $SCRIPTPATH\n\n Active environment path\ does not match original script creation (SCRIPTPATH). Running as root\ (root login) will trigger this message harmlessly as script expects to run under a root crontab." ; } test -z $BASE_DIR && { echo "Must set base directory in script (BASE_DIR)" ; exit; } test -z $CONFIG_USER && { echo "Must set a target user for these files" ; exit; } test ! -d $BASE_DIR && { echo "Base Directory ($BASE_DIR) is not a directory" ; exit; } test ! -w $BASE_DIR && { echo "Base Directory ($BASE_DIR) is not writable" ; exit; } # Check how we are to run while getopts ":dbh" opt; do case $opt in d) CLEAN_OUT_DIRS="yes" ;; b) [ -f $BASE_DIR/bootdmesg ] && mv $BASE_DIR/bootdmesg $BASE_DIR/bootdmesg.bak date > $BASE_DIR/bootdmesg echo >> $BASE_DIR/bootdmesg dmesg >> $BASE_DIR/bootdmesg chown $CONFIG_USER.$CONFIG_USER $BASE_DIR/bootdmesg exit 0 ;; *|h ) echo -e "\n Usage: ${0##*/} [-d] [-b] [h]" echo " -d Clean out sub-directories before rebuilding" echo " -b Update boot dmesg output only" echo " -h This help" echo -e " Note: This script requires configuration modification \n" exit 1 ;; esac done # Establish directories # Builds the DIRS to be found in this script. Must start in column 1 and look like the DIR=$BASE_DIR/boot below DIRS=$(awk '/^DIR\=\$BASE_DIR\// { print $1 }' $0 |sed 's/DIR=$BASE_DIR\/\([:alpha:]*\)/\1/g') for directoryfound in $DIRS; do [ -n "$CLEAN_OUT_DIRS" ] && \ { rm -r $BASE_DIR/$directoryfound > /dev/null 2>&1 echo "Removing contents of $BASE_DIR/$directoryfound" } mkdir -p $BASE_DIR/$directoryfound &>/dev/null # create found directory if missing. done DIR=$BASE_DIR/NetworkInterfaces # Inface configuration files echo $DIR { # do all this in a block (faster than a subshell) /bin/echo -e "As of $(date +%F) from listing: cat /etc/sysconfig/network-scripts/ifcfg-* \n" > $DIR/ifcfgs cat /etc/sysconfig/network-scripts/ifcfg-* | /bin/sed s/DEVICE/\\n---DEVICE/ >>$DIR/ifcfgs } DIR=$BASE_DIR/systemd # System configuration echo $DIR { # do all this in a block (faster than a subshell) /bin/echo -e "As of $(date +%F)\n" > $DIR/SnapshopOfUnits.txt /sbin/service --status-all >> $DIR/SnapshopOfUnits.txt 2>&1 /bin/echo -e "\n Systemd unit-files" >> $DIR/SnapshopOfUnits.txt /bin/systemctl list-unit-files >> $DIR/SnapshopOfUnits.txt yum list installed >> $DIR/installed.txt [ -f /var/log/boot.log ] && grep -i "Failed" /var/log/boot.log > $DIR/FailedOnLastBoot-$(date +%Y%m%d).txt /bin/echo -e "\n sysctl.conf_files\n" >$DIR/sysctl.conf_files [ -f /run/sysctl.d/*.conf 2>&1 ] && {cat /run/sysctl.d/*conf >>$DIR/sysctl.conf_files} /usr/bin/rsync -a /etc/*conf $DIR/Confs/ } DIR=$BASE_DIR/boot # bootup drive, lvm, and firewall at boot echo $DIR { # do all this in a block (faster than a subshell) # this is data collected at last boot time by /usr/local/bin/my.rc.local with # printf "When booted as:$(/bin/uname -a)\n$(/sbin/hdparm -i /dev/sd[a-f] | grep -i '\(serial\|dev\)')\n\n" >/usr/local/sbin/as_booted_drive_info.txt [ -f /usr/local/sbin/as_booted_drive_info.txt ] && rsync -a /usr/local/sbin/as_booted_drive_info.txt $DIR/AsBooted rsync -a /boot/grub2/grub.cfg $DIR/ rm -f /usr/local/bin/RESULTS.txt &>/dev/null [ -f /var/log/boot.log ] && rsync -a /var/log/boot.log $DIR/boot.log-$(date +%Y%m%d) # /usr/local/bin/boot_info_script032.sh > /dev/null # rsync -a /usr/local/bin/RESULTS.txt $DIR/ # rm -f /usr/local/bin/RESULTS.txt &>/dev/null # /usr/local/sbin/bootinfo > $DIR/bootinfo.out /bin/echo -e "Services running as of $(date +%F)\n" > $DIR/SnapshopOfServices /sbin/service --status-all >> $DIR/SnapshopOfServices 2>&1 /bin/echo -e "\n Systemd unit-files" >> $DIR/SnapshopOfServices /bin/systemctl list-unit-files >> $DIR/SnapshopOfServices rsync -aRu /etc/lvm/ $DIR/ rsync -a /etc/MapleParkULA >$DIR/MapleParkULA rsync -aRu /etc/profile.d/ $DIR/ # rsync -aRu /etc/smartd.conf/ $DIR/ } DIR=$BASE_DIR/CUPS # Printing setup echo $DIR { echo "Files in this directory sourced from /etc/cups" >$DIR/README rsync -a /etc/cups/ $DIR/ &>/dev/null rsync -a /etc/printcap $DIR } DIR=$BASE_DIR/KVM # Virtual domains echo $DIR [ -d /etc/libvirt ] && \ { rsync -aRu /etc/libvirt/ $DIR/ # Very large (30GB) image files in /var/lib/libvirt/images/* Dump as xml per following: ## /usr/bin/virsh dumpxml windxp >$DIR/windxp.xml ## echo -e "This file sourced from /etc/sysconfig/libvirt-guests\n" > $DIR/libvirt-guests ## cat /etc/sysconfig/libvirt-guests >> $DIR/libvirt-guests ## rsync -a /etc/Machines $DIR/Machines } DIR=$BASE_DIR/Crontabs # system existing crontabs echo $DIR # Selected users in WORD lists only their existing crontabs. # Default -- lists all users existing crontabs. # WORD="" [ -z "$WORD" ] && WORD="`awk -F\":\" '{ printf \"%s \",$1 }' /etc/passwd`" rm -r $DIR > /dev/null 2>&1 mkdir -p $DIR >/dev/null 2>&1 { for LISTED in $WORD; do date > $DIR/crontab.$LISTED echo >> $DIR/crontab.$LISTED /usr/bin/crontab -u $LISTED -l >> $DIR/crontab.$LISTED 2>&1 grep "no crontab for" $DIR/crontab.$LISTED > /dev/null 2>&1 && \ rm $DIR/crontab.$LISTED done } # DIR=$BASE_DIR/hylafax # hylafax+ from http://hylafax.sourceforge.net/ # [ -f /var/spool/hylafax/etc/config ] && \ # rsync -a /var/spool/hylafax/etc/config $DIR # rsync -a /var/spool/hylafax/etc/config.ttyS1 $DIR # rsync -a /usr/local/lib/fax/sendfax.conf $DIR # rsync -a /var/spool/hylafax/etc/FaxNotify $DIR # rsync -a /var/spool/hylafax/etc/FaxDispatch $DIR # rsync -a /var/spool/hylafax/bin/jobcontrol $DIR || mail -s "/var/spool/hylafax/bin/jobcontrol is missing" root # echo -e "# From /etc/event.d/ttyS1 $(date)\n\n" > $DIR/faxgetty-init # cat /etc/event.d/ttyS1 >> $DIR/faxgetty-init # echo -e "# From /usr/local/lib/fax/typerules $(date) \n\n" >$DIR/typerules # cat /usr/local/lib/fax/typerules >>$DIR/typerules # echo ' # # Do not forget: edit-faxcover will edit the default cover page # # faxcover.ps default is in /usr/local/lib/fax/faxcover.ps' > $DIR/edit-faxcover # rsync -a /usr/local/lib/fax/faxcover.ps $DIR # rsync -a /etc/event.d/ttyS1 $DIR # rsync -a /home/drf/Desktop/SystemDocumentation/hylafax_error_messages.pdf $DIR # } #DIR=$BASE_DIR/mailcap # Necessary for alpine http://sourceforge.net/projects/re-alpine/ # { # cp /etc/mailcap $DIR # cp /home/drf/.mailcap $DIR/drf.mailcap # cp -u /etc/mime.types $DIR # } DIR=$BASE_DIR/DNS # From ISC includes dhcpd http://www.isc.org/ echo $DIR { /usr/bin/whois -h whois.gandi.net maplepark.com > $DIR/whoisMPDC # cp -u /etc/named.conf $DIR # /usr/local/sbin/named-checkconf -p >/var/named/named.conf.canonical ||\ # echo -e "\nConversion failed, as will named if attempted" &>>/var/named/named.conf.canonical # /bin/sed 's/secret \".*\"/secret "Obscured"/g' /var/named/named.conf.canonical > /var/named/named.conf.canonical.obscured # cp -u /var/named/named.conf.canonical.obscured $DIR/named.conf.canonical # rsync -a --copy-links /var/named/* $DIR # [ -f /etc/dhcpd.conf ] && ( cp -u /etc/dhcpd.conf $DIR ) # cp -u /etc/sysconfig/dhcpd $DIR/etc-sysconfig-dhcpd # cp -u /usr/local/sbin/seen* $DIR/ [ -f /var/db/dhcpd.leases ] && ( cp -u /var/db/dhcpd.leases $DIR ) # cp -u /usr/local/sbin/renew-default-route $DIR [ -f /etc/update-keys ] && ( cp -u /etc/update-keys $DIR ) [ -f /etc/dns-slaves ] && ( cp -u /etc/dns-slaves $DIR ) cp -u /etc/radvd.conf $DIR cp -u /etc/nsswitch.conf $DIR [ -f /etc/rndc.conf ] && ( cp -u /etc/rndc.conf $DIR ) [ -f /etc/hostslocal ] && ( cp -u /etc/hostslocal $DIR ) # cp -u /var/lib/dhclient/dhclient-eth0.leases $DIR [ -f /etc/resolv.conf ] && ( cp -u /etc/resolv.conf $DIR ) [ -f /etc/resolv.conf.static ] && ( cp -u /etc/resolv.conf.static $DIR ) [ -f /usr/local/bin/buildblackhole ] && ( cp -u /usr/local/bin/buildblackhole $DIR ) # canonicalization # named-checkzone -D -o $DIR/maplepark.com.signed.canonical maplepark.com \ # /var/named/drf/external/maplepark.com.signed &> /tmp/$$junk # echo -e "\n;;*** OUTPUT FROM $0 RUN DATED $(date +%F) ***" >>$DIR/maplepark.com.signed.canonical # cat /tmp/$$junk >> $DIR/maplepark.com.signed.canonical; rm -f /tmp/$$junk # named-checkzone -D -o $DIR/maplepark.com.Internal.canonical maplepark.com \ # /var/named/drf/internal/maplepark.com &> /tmp/$$junk # echo -e "\n;;*** OUTPUT FROM $0 RUN DATED $(date +%F) ***" >>$DIR/maplepark.com.Internal.canonical # cat /tmp/$$junk >> $DIR/maplepark.com.Internal.canonical; rm -f /tmp/$$junk # named-checkzone -D -o $DIR/tunneled.ip6.arpa.canonical 0.4.6.8.f.0.0.0.8.7.9.4.1.0.0.2.ip6.arpa \ # /var/named/drf/internal/tunneled.ip6.arpa &> /tmp/$$junk # echckets transmitted, 2 received, 0% packet loss, time 1060ms # echo -e "\n;;*** OUTPUT FROM $0 RUN DATED $(date +%F) ***" >>$DIR/tunneled.ip6.arpa.canonical # cat /tmp/$$junk >> $DIR/maplepark.com.Internal.canonical # rm -f /tmp/$$junk [ -f /etc/dns-slaves ] && ( rsync -a /etc/dns-slaves $DIR/etc-dns-slaves ) [ $(pgrep -o named) ] && ( /bin/echo -e "Running as: $( cat /proc/$(pgrep -o named)/cmdline) $(date) \n " >$DIR/named_process_limits ) [ $(pgrep -o named) ] && ( /bin/cat /proc/$(pgrep -o named)/limits >> $DIR/named_process_limits ) ### Optional patch follows echo '/etc/rc.d/init.d/named INIT PATCH (Optional): NOTE: Failure to apply patch will result in the CentOS binary /usr/sbin/named running in lieu of the /usr/local/sbin version. Because we usually use a custom bind from ISC and this Fedora system has a fedora named installed that uses the full system V init scripts that rely on /etc/rc.d/init.d/named scripts to stop, start, or restart, it is necessary to edit the /etc/rc.d/init.d/named script to properly set up limits, the binary, and the working directory upon system upgrades as yum bind updates may overwrite our patch and render it ephemeral: +++ [ -x /usr/local/sbin/"$named" ] || exit 5 (near line 105) --- [ -x /usr/sbin/"$named" ] || exit 5 if [ -x /usr/sbin/named-checkconf ] && [ -x /usr/sbin/named-checkzone ] && /usr/sbin/named-checkconf $ckcf_options ${named_conf} >/dev/null 2>&1; then +++ ulimit -u 4096 ## DRF (near line 165) +++ chown -hR named:named /var/named ## DRF --- daemon --pidfile "$ROOTDIR/$PIDFILE" /usr/sbin/"$named" -u named ${OPTIONS}; +++ daemon --pidfile "$ROOTDIR/$PIDFILE" /usr/local/sbin/"$named" -u named ${OPTIONS}; ## DRF RETVAL=$? if [ $RETVAL -eq 0 ]; then Also, under rhstatus(), I sometimes add near line 240: cat "/proc/$(pgrep -o named)/limits" to get system limits added to the "service named status" report. # DRF 5/7/2010 END INIT PATCH ' >$DIR/README_named_script_changes } DIR=$BASE_DIR/iptables # Firewalls - IPv4 and IPv6 echo $DIR { # /bin/cp -u /usr/local/sbin/setup_iptables $DIR rsync -a /usr/lib/firewalld/ $DIR/firewalld date > $DIR/firewalld/As-of date > $DIR/iptables-list /sbin/iptables -L -v --line-numbers -n >> $DIR/iptables-list echo -e "\n## table nat -- source: /sbin/iptables -t nat -L -v --line-numbers -n\n" >>$DIR/iptables-list /sbin/iptables -t nat -L -v --line-numbers -n >> $DIR/iptables-list echo -e "\n## table mangle -- source:/sbin/iptables -t mangle -L -v --line-numbers -n \n" >>$DIR/iptables-list /sbin/iptables -t mangle -L -v --line-numbers -n >> $DIR/iptables-list echo -e "\nEND of iptables list\n" >>$DIR/iptables-list date > $DIR/ip6tables-list /sbin/ip6tables -L -v --line-numbers -n >> $DIR/ip6tables-list echo -e "\n## table nat -- source: /sbin/ip6tables -t mangle -L -v --line-numbers -n \n" >>$DIR/ip6tables-list /sbin/ip6tables -t nat -L -v --line-numbers -n >> $DIR/ip6tables-list echo -e "\n## table mangle\n" >>$DIR/ip6tables-list /sbin/ip6tables -t mangle -L -v --line-numbers -n >> $DIR/ip6tables-list echo -e "\nEND of ip6tables list\n" >> $DIR/ip6tables-list date > $DIR/ebtables-list [ -x /sbin/ebtables ] && /sbin/ebtables -Ln >> $DIR/ebtables-list [ -x /usr/sbin/brctl ] && echo -e "\n## Active Bridges -- source: /usr/sbin/brctl show \n" >> $DIR/ebtables-list [ -x /usr/sbin/brctl ] && /usr/sbin/brctl show >> $DIR/ebtables-list echo -e "\nEND of ebtables list\n" >>$DIR/ebtables-list /sbin/iptables-save > $DIR/saved_iptables_config /sbin/ip6tables-save > $DIR/saved_ip6tables_config [ -f /etc/sysconfig/iptables ] && ( /bin/cp -u /etc/sysconfig/iptables $DIR/iptables-DEFAULT ) [ -f /etc/sysconfig/ip6tables ] && (/bin/cp -u /etc/sysconfig/ip6tables $DIR/ip6tables-DEFAULT ) date > $DIR/firewalld-zones firewall-cmd --list-all-zones >>$DIR/firewalld-zones echo -e "\nEND of firewalld-zones\n" >>$DIR/firewalld-zones echo -e "\nDetailed xml of work zone\n(source: /etc/firewalld/zones/work.xml)\n">>$DIR/firewalld-zones #cat /etc/firewalld/zones/work.xml >>$DIR/firewalld-zones date >$DIR/Connections /usr/bin/netstat -tlpn >> $DIR/Connections /usr/bin/netstat -s >$DIR/IPV4_Statistics /usr/bin/netstat -6s >$DIR/IPV6_Statistics /usr/bin/hostnamectl status > $DIR/HostnameData echo "$LOCAL_CONFIG_NOTES" >$DIR/README echo ' Bridge considerations: !!!! NOTE --NOT current-- EXTREME EDIT NEEDED!!!!! 1. Since this machine may be acting as router for all attached machines (V4/V6) some of which are virtual, we need to attach the virtual interface to a physical one. We have chosen eth1 to be configured as the bridge "br0". This necessitated a number of NON-STANDARD configurations as shown in the SysConfigs folder. See particularily ifcfg-eth1, ifcfg-br0, route6-br0 in network-scripts. 2. Resetting IPv6 routes for maplepark.com: The routine /usr/local/sbin/resetroutes is necessary because we use fixed ipV6 for some hosts and also rely on autoconf for others (visitors) and CentOS6.4 does not as yet fully establish the mixed use (both router w/ipV4 NAT and ipV6 workstation) of this machine and therefore radvd will not restart if forwarding is not enabled while V6 autoconf will be disabled if it is. Normal booting allows the proper sequencing but just doing the standard 6.4 "service network restart" makes radavd lose multicast communications and deletes our local static ipV6 route. This routine is called in /bin/service network restart (/etc/rc.d/init.d/network - end of start section) by an annoying kludge that breaks on updates. 3. This is the necessary kludge # Added for maplepark.com by DRF to restart radvd and confirm forwarding if [ -x /usr/local/sbin/resetroutes ]; then /usr/local/sbin/resetroutes fi ;; -- DRF 7 JUN 2013 ' >$DIR/BRIDGEWARNINGS echo " iptables STRATEGEM: !!!!Major alteration for CentOS7 in development. !!!!! 1. Basic firewall setup is per CentOS7.3 systemd control and becomes the *-DEFAULT on system startup. The permanent configuration is stored in config files and will be loaded and become new runtime configuration with every machine boot or service reload/restart. Persistent (permanent) configurations must be made by firewalld to the XML files in /usr/lib/firewalld/ or, preferably, in /etc/firewalld/. 2. Various system programs control dynamic adjustments to the runtime firewall. Firewalld has a D-BUS interface for firewall configuration of services and applications. It also has a command line client for the user. Services or applications already using D-BUS can request changes to the firewall with the D-BUS interface directly. 3. Copies of the active dynamic (runtime) firewall rules are stored in this directory ($BASE_DIR/iptables) as ip(6)tables-list upon running this script. 4. The "setup-iptables" file is a deprecated system developed a dozen years ago that has simply outlived its usefulness. It was mannually maintained and adjusted the runtime tables through a group of scripts that were prone to misconfiguration. I am currently working within CentOS and firewalld (firewall-cmd or the GUI, firewall-config) to add necessary things to the dynamic configuration. 5. I am currently running NetworkManager on this system and I would like to investigate its effect on virtual instances-- so another to-do. " >$DIR/STRATEGEM } DIR=$BASE_DIR/SysStartupConfigs # System startup configurations echo $DIR { cp -u /etc/inittab $DIR cp -u /etc/rc.d/rc.local $DIR rsync -a /usr/local/bin/my.rc.local $DIR cp -u /etc/bashrc $DIR/etc.bashrc [ -f /home/drf/.bashrc ] && rsync -u /home/drf/.bashrc $DIR/drf.bashrc [ -f /root/.bashrc ] && rsync -u /root/.bashrc $DIR/root.bashrc cp -u /etc/profile $DIR/etc.profile [ -f /home/drf/.profilerc ] && rsync -u /home/drf/.profilerc $DIR/drf.profilerc [ -f /root/.profilerc ] && rsync -u /root/drf/.profilerc $DIR/root.profilerc rsync -a /etc/profile.d $DIR rsync -u /etc/selinux/config $DIR/etc.selinux.config echo "$LOCAL_CONFIG_NOTES" > $DIR/README /sbin/chkconfig --list > $DIR/chkconfigs 2>&1 rsync -u /etc/rc.d/init.d/* $DIR/init.d/ /bin/printf 'Unit file status as of: ' > $DIR/Systemd_Unit_Files date >> $DIR/Systemd_Unit_Files /bin/systemctl list-unit-files >> $DIR/Systemd_Unit_Files } DIR=$BASE_DIR/a2ps # ascii to ps print formatting used by alpine mailer echo $DIR [ -f /etc/a2ps.cfg ] && \ { cp -u /etc/a2ps-site.cfg $DIR cp -u /etc/a2ps.cfg $DIR } DIR=$BASE_DIR/syslog # System logs and rotation echo $DIR { cp -u /etc/rsyslog.conf $DIR cp -u /etc/logrotate.conf $DIR rsync -a /etc/logrotate.d $DIR/ echo "Files to be rotated are configured in logrotate.d/syslog" > $DIR/README } #DIR=$BASE_DIR/killit # Kills bad guys knocking on my ssh daemon # { # cp -u /usr/local/sbin/killit $DIR # cp -u /usr/local/sbin/killit_plugin $DIR # cp -u /usr/local/sbin/dropbad $DIR # cp -u /usr/local/sbin/seen_it $DIR # cp -u /usr/local/sbin/seenit_plugin $DIR # cp -u /usr/local/sbin/stopscan_plugin $DIR # } DIR=$BASE_DIR/NFS # Linux file sharing echo $DIR cp -u /etc/exports $DIR DIR=$BASE_DIR/Samba # M$ file sharing echo $DIR { rsync -a --exclude drivers/ /etc/samba/* $DIR/ echo `date` >$DIR/smb.conf.brief /usr/bin/testparm -s >> $DIR/smb.conf.brief 2>&1 } #DIR=$BASE_DIR/Sendmail # Mail transport and delivery # { # cp -uR /etc/mail/* $DIR/ # cp -u /home/$CONFIG_USER/.procmailrc $DIR/procmailrc.$CONFIG_USER # echo "$LOCAL_CONFIG_NOTES" >$DIR/README # echo " Local spamassassin configs have our spamd talking on ::1 (see system configs) so one needs to have any procmailrc recipes call spamc with -d localhost6 ie: | /usr/bin/spamc -d localhost6 ## can use IPv6 now -- DRF 7/10/13 " > $DIR/README-procmailConfig # } DIR=$BASE_DIR/sshd # System secure shell echo $DIR { cp -uR /etc/ssh/ssh* $DIR rm $DIR/*key* # Not the key files though # # Selected users in WORD lists only their existing .ssh/config. # Default -- lists all users existing ~/.ssh/config. # WORD="" [ -z "$WORD" ] && WORD="`awk -F\":\" '{ printf \"%s \",$1 }' /etc/passwd`" echo $WORD > $DIR/users for LISTED in $WORD; do if [ -f /home/$LISTED/.ssh/config ]; then cp /home/$LISTED/.ssh/config $DIR/ssh_config.$LISTED 2>&1 fi echo $(date) > $DIR/sshd_connections /usr/sbin/lsof -i :1941 >> $DIR/sshd_connections done } #DIR=$BASE_DIR/httpd # Apache web server #[ -d /var/www/html/ ] && \ # { # [ -d /var/www/html ] && ( cp -uR /var/www/html/* $DIR ) # cp -u /etc/httpd/conf/httpd.conf $DIR # cp -uR /var/www/cgi-bin $DIR # [ -f /home/anon/passwd ] && ( cp -u /home/anon/passwd $DIR ) # /usr/sbin/httpd -S &> $DIR/VirtualHosts.txt # echo "Our AuthUserFile is /home/anon/passwd because the /home directory is possibly mounted from a separate partition and independent of system upgrades. As almost all our pages are served from the home directories of users, this insures that our .htaccess files are always referring to an existing password file. Of course any user can set up their own .htpasswd files in some other location (outside of web access, I hope). DRF 2/14/09 (Happy Valentines day!)" > $DIR/htpasswd-README # } DIR=$BASE_DIR/yum # Yellow-dog update manager echo $DIR { cp -u /etc/yum.conf $DIR cp -uR /etc/yum.repos.d/ $DIR/ /usr/bin/yum list installed > $DIR/YumInstalledSoftware /usr/bin/yum -v repolist all > $DIR/Yumrepolist } DIR=$BASE_DIR/usr-local-bin # Locally installed general executables echo $DIR cp -u /usr/local/bin/* $DIR/ # usr-local-sbin DIR=$BASE_DIR/usr-local-sbin # Locally installed system executables cp -u /usr/local/sbin/* $DIR/ DIR=$BASE_DIR/FormsAndScripts # Miscellaneous scripts echo $DIR { test -d /home/drf/FormsAndScripts && cp -u /home/drf/FormsAndScripts/* $DIR/ echo "$LOCAL_CONFIG_NOTES" >$DIR/README } DIR=$BASE_DIR/SysConfigs # Fedora system configs http://fedoraproject.org/ echo $DIR { rsync -a --delete --copy-links /etc/sysconfig $DIR/ rsync -a --delete --copy-links /etc/modprobe.d $DIR/ echo "$LOCAL_CONFIG_NOTES" >$DIR/README rsync -a /etc/sysctl.conf $DIR/etc.sysctl.conf /sbin/ip addr ls > $DIR/ConfiguredInterfaces echo -e "/usr/local/bin/inxi -Foc0 on $(date) \n" >$DIR/inxiBoxInfo /usr/local/bin/inxi -Foc0 >> $DIR/inxiBoxInfo # -FGrc0 or } DIR=$BASE_DIR/ApplicationConfigs # Application configs echo $DIR { #cp -u /etc/xtide.conf $DIR #cp -uR /etc/mplayer $DIR [ -f /home/drf/.pinerc ] && ( rsync -a /home/drf/.pinerc $DIR/drf.pinerc ) test -f /root/.pinerc && rsync -a /root/.pinerc $DIR/root.pinerc [ -f /var/tmp/lynisreport ] && ( rsync -a /var/tmp/lynisreport $DIR/LynisAuditReport ) [ -f /var/log/rkhunter/rkhunter.log ] && rsync -a /var/log/rkhunter/rkhunter.log $DIR/rkhunter.log [ -f /etc/rkhunter.conf ] && (rsync -a /etc/rkhunter.conf $DIR/rkhunter.conf ) [ -f /etc/rkhunter.conf.local ] && (rsync -a /etc/rkhunter.conf.local $DIR/rkhunter.conf.local ) [ -f /usr/local/lynis/default.prf ] && (rsync -a /usr/local/lynis/default.prf $DIR/lynis_default.prf ) [ -f /usr/local/lynis/custom.prf ] && (rsync -a /usr/local/lynis/custom.prf $DIR/lynis_default-custom.prf ) } DIR=$BASE_DIR/DisksIfacesRoutes # Disk, interface, and routing information echo $DIR { [ -f /usr/local/sbin/renew-default-route ] && ( cp -u /usr/local/sbin/renew-default-route $DIR ) # Create a disktable file date > $DIR/disktable echo -e "\n\nfdisk -l ---->" >> $DIR/disktable /sbin/fdisk -l >>$DIR/disktable 2>/dev/null echo -e "\n\nfstab ---->">>$DIR/disktable cat /etc/fstab >> $DIR/disktable echo -e "\n\ndf -P ---->" >> $DIR/disktable /bin/df -P >> $DIR/disktable echo -e "\n\nudev ------>" >>$DIR/disktable ls -lR /dev/disk/ >>$DIR/disktable echo -e "\n\nblkid ------>" >>$DIR/disktable /sbin/blkid >>$DIR/disktable echo -en "\n\n End report " >> $DIR/disktable date >> $DIR/disktable } { # Network configuration date > $DIR/Network echo >> $DIR/Network /sbin/ifconfig >> $DIR/Network echo >> $DIR/Network /usr/sbin/brctl show >>$DIR/Network # [ -f /etc/aiccu.conf ] && ( rsync -a /etc/aiccu.conf $DIR/ipV6Tunnel_aiccu.conf ) # [ -f /usr/local/etc/aiccu-subnets.sh ] && rsync -a /usr/local/etc/aiccu-subnets.sh $DIR/ipV6Tunnel_aiccu-subnets.sh date > $DIR/Route echo >> $DIR/Route /sbin/route -n >> $DIR/Route echo >> $DIR/Route /sbin/route -A inet6 -n >> $DIR/Route } { # Update lvm info to /boot and to our archive rsync -a /etc/lvm/* $DIR/lvm/ rsync -a /etc/lvm/* /boot/lvm/ } # Entries below this line are in $BASE_DIR - not in subdirectories # _____________________________________________________________________________________ # # Warning README echo "$LOCAL_CONFIG_NOTES" >$BASE_DIR/README # Copy the passwd file cp -u /etc/passwd $BASE_DIR/passwd # Box details are kept in parent directory for now # cp -u $BASE_DIR/../BoxDetails $BASE_DIR/ # Box data here # Preserve last dmesg { DMESG=$BASE_DIR/dmesg [ -f $DMESG ] && mv $DMESG $DMESG.bak date > $DMESG echo >>$DMESG dmesg >>$DMESG } # Scan hardware { date > $BASE_DIR/HardwareList echo >> $BASE_DIR/HardwareList /usr/bin/inxi -FGc0 -r >> $BASE_DIR/HardwareList 2>&1 } # Copy this script as executed to base directory { rsync $0 $BASE_DIR/ScriptAsRun rsync $0 $BASE_DIR/ } # Wait for all subshells to complete wait # Make sure all directories are browsable and readable find $BASE_DIR/ -type d |while read dirfound; do chmod 777 $dirfound; done # Create a file manifest of $BASE_DIR files & set modes to -rw-rw-r-- { find $BASE_DIR/ -type f | tee $BASE_DIR/FileManifest |\ while read filefound; do chmod 664 $filefound; done } # Change owership of all files to the config user chown -R $CONFIG_USER.$CONFIG_USER $BASE_DIR # End of script