2011-10-07

test1

info-kerberos

1 def

  • The CLIENT and SERVER do not initially share an encryption key.
  • Whenever a CLIENT authenticates itself to a new VERIFIER it relies on the AUTHENTICATION SERVER to generate a new encryption key (the SESSION KEY) and distribute it securely to both parties (CLIENT and VERIFIER).
  • The Kerberos TICKET is a certificate issued by the AUTHENTICATION SERVER, encrypted with the SERVER KEY (the long-term key of the VERIFIER).
  • The TICKET is not sent directly to the VERIFIER; it is sent to the CLIENT, who forwards it to the VERIFIER as part of the application request. Because the ticket is encrypted in the SERVER KEY, known only to the AUTHENTICATION SERVER and the intended VERIFIER, the CLIENT cannot read or modify the ticket without detection.
  • When a client wishes to create an association with a particular VERIFIER, it first uses the authentication request and response messages to obtain a TICKET and a SESSION KEY from the AUTHENTICATION SERVER.
  • There are two parts to the application request, the TICKET and an AUTHENTICATOR. The AUTHENTICATOR is encrypted with the SESSION KEY and includes, among other fields:
    • the current time (this is what lets the VERIFIER reject replayed authenticators, so client and verifier clocks must be roughly in sync)
    • a checksum
    • an optional encryption key

2 klist

  • klist -k [keytab_file]   # list the principals stored in a keytab file
  • klist -k                 # list the principals in the default keytab; the first output line shows its path
  • klist -ke                # as above, plus the encryption type of each key (how to spot DES-only keytabs)
  • klist                    # list the cached tickets in the credential cache /tmp/krb5cc_[uid]

3 kdestroy

4 create keytab (on AD)

  1. Create a new AD user that will hold the principal(s)
    • user option: password never expires (the keytab holds a key derived from that password, so a password change invalidates the keytab)
  2. Map the principal to that user with ktpass, supplied by the Windows Server 2003 Support Tools http://support.microsoft.com/kb/892777
    • ktpass -princ HTTP/[service_hostname]@[DOMAIN] -mapuser [above_ad_user] -pass [above_ad_user_pass] [/desonly] [-crypto des-cbc-crc] -out [output_file]
    • /desonly and -crypto des-cbc-crc pin the account to single DES, which is broken and disabled by default on current domain controllers; where the ktpass version supports it (Windows Server 2008 and later) use -crypto AES256-SHA1 or All
    • the output file contains the service's long-term key: move it to the service host over a secure channel and keep it readable by root only (mode 600)
  3. Check
    • AD => user => Properties => Account => User logon name: HTTP/[service_hostname]@[domain]

5 get kerberos ticket (on service server)

  • kinit HTTP/[service_hostname]                          # prompts for the mapped account's password
  • kinit -k -t /etc/krb5.keytab HTTP/[service_hostname]   # use the key from the keytab instead of a password; klist then shows the TGT
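A check for the keytab produced above, as an added example that is not from these notes: it parses the listing MIT `klist -ke` prints (the sample listing below is constructed; web01.example.com and EXAMPLE.COM are placeholder names) to confirm the HTTP principal is present, to flag single-DES keys, and to verify the file is readable by its owner only.

```shell
#!/bin/sh
# Added example: sanity checks for a service keytab after ktpass/kinit.
# SAMPLE_KLIST is a constructed listing in the format MIT `klist -k -e` prints;
# web01.example.com / EXAMPLE.COM are placeholder names.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web01.example.com@EXAMPLE.COM (des-cbc-crc)
   3 HTTP/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_principal_check PRINCIPAL LISTING
#   0  principal present and no key uses single DES
#   1  principal missing from the keytab
#   2  principal present but at least one key uses single DES
keytab_principal_check() {
    princ=$1
    listing=$2
    # data rows are "KVNO PRINCIPAL (ENCTYPE)", so the principal is field 2
    rows=$(printf '%s\n' "$listing" | awk -v p="$princ" '$2 == p')
    [ -n "$rows" ] || return 1
    if printf '%s\n' "$rows" | grep -qi 'des-cbc-'; then
        return 2
    fi
    return 0
}

# keytab_mode_ok FILE: 0 if group and others have no permission bits at all
keytab_mode_ok() {
    # characters 5-10 of the ls mode string are the group and other bits
    perms=$(ls -ld "$1" | awk '{ print substr($1, 5, 6) }')
    [ "$perms" = '------' ]
}

# On a real host:
#   keytab_principal_check "HTTP/$(hostname -f)@EXAMPLE.COM" "$(klist -ke /etc/krb5.keytab)"
#   keytab_mode_ok /etc/krb5.keytab
```

The sample listing deliberately mixes a DES key with an AES key; the check returns 2 for it because a DES key in the keytab is enough for a client to negotiate the weak type.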

6 files

  • /etc/krb5.conf - realm definition and the addresses of the KDC (the AD server)
  • /etc/krb5.keytab - default keytab
  • /etc/krb5.realms
  • /tmp/krb5cc_500 - credential cache of the user with uid 500 (a readable cache hands its tickets to whoever reads it, so it must stay owner-only)

2011-08-10

WINDOWS RUN

Run commands

COMMAND                 DESCRIPTION
msconfig                System Configuration
compmgmt.msc            Computer Management
lusrmgr.msc             Local Users and Groups
devmgmt.msc             Device Manager
diskmgmt.msc            Disk Management
services.msc            Services
fsmgmt.msc              Shared Folders
eventvwr.msc            Event Viewer (logs)
gpedit.msc              Local Group Policy Editor
certmgr.msc             Certificates (current user store)
perfmon.msc             Performance Monitor
dnsmgmt.msc             DNS
dhcpmgmt.msc            DHCP
appwiz.cpl              Add or Remove Programs
hdwwiz.cpl              Add Hardware
sysdm.cpl               System Properties
ncpa.cpl                Network Connections
inetcpl.cpl             Internet Options
control admintools      Administrative Tools
control desktop         Display Properties
control printers        Printers and Faxes
control schedtasks      Scheduled Tasks
control netconnections  Network Connections

Translate error code

  1. convert the error code: decimal => hex (e.g. 2147942402 => 0x80070002; a negative decimal is the same 32-bit value shown as signed)
  2. take the last 4 hex digits (the low 16 bits; for 0x8007xxxx codes, facility WIN32, that is the Win32 error number)
  3. convert those 4 digits: hex => decimal
  4. cmd: net helpmsg [last4digitdecimal]
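Steps 1 to 3 as one shell function, an added example that is not from these notes. It also handles the signed form Windows tools often print and warns when the code is not a FACILITY_WIN32 HRESULT, in which case the low word is not a Win32 error number; `net helpmsg` itself runs only on Windows, so step 4 stays manual.

```shell
#!/bin/sh
# Added example: decimal HRESULT -> Win32 error number for `net helpmsg`.
# Accepts the unsigned form (2147942402) or the signed form (-2147024894);
# both are HRESULT 0x80070002.
hresult_to_win32() {
    # step 1: decimal -> hex. A negative value is the signed view of the same
    # 32-bit pattern, so mask to 32 bits before printing.
    hex=$(printf '%08x' $(( $1 & 0xFFFFFFFF )))
    # the low word is only a Win32 error number when the facility field
    # (bits 16-26) is FACILITY_WIN32 = 7, i.e. codes of the form 0x8007xxxx
    facility=$(( ($1 & 0x07FF0000) >> 16 ))
    [ "$facility" -eq 7 ] || printf 'warning: 0x%s is not a FACILITY_WIN32 code\n' "$hex" >&2
    # step 2: the last 4 hex digits are the low 16 bits
    low=${hex#"${hex%????}"}
    # step 3: hex -> decimal, ready for `net helpmsg`
    printf '%d\n' "0x$low"
}

# hresult_to_win32 -2147024894   -> 2  (on Windows: net helpmsg 2, "file not found")
```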

2011-06-22

LINUX BASH

Set


set -x    display commands and their arguments as they are executed; set +x turns it off
set -v    display shell input lines as they are read; set +v turns it off





Params


$?    exit status of the last command
$#    number of positional parameters
$@    all positional parameters, each one a separate word when quoted ("$@")
$*    all positional parameters as a single word when quoted ("$*")
$0    script name
$1    parameter number 1
$$    process ID of the shell





Keybindings


KEY    ACTION (readline, emacs mode; M- is Alt, and the symbol keys need Shift as well)
M-$    complete variable name
M-<    first command in history
C-p    previous command in history
C-n    next command in history
M->    last command in history
C-e    jump to end of line
C-a    jump to beginning of line
M-f    jump forward a word
M-b    jump back a word
C-u    delete from beginning of line to cursor
C-k    delete from cursor to end of line
M-d    delete word forward from cursor
C-w    delete word backward from cursor




Variable manipulation


  • (command1; command2; …) # commands inside parentheses run in a subshell with a new process ID (a child);
    variables assigned in the subshell are visible in the subshell only
  • ${var}  # braces delimit the name, e.g. ${var}suffix
  • ${#var} # number of characters in var


command                               output   description
var=(el1 el2 el3); echo ${var[1]}     el2      the second element of var, which is an array (indices start at 0)
var=(el1 el2 el3); echo ${#var[1]}    3        number of characters in the second element
var=(el1 el2 el3); echo ${#var[@]}    3        number of elements
var=12345; echo ${var:-text}          12345    var if set and non-empty, otherwise text; var is not changed
var=12345; echo ${var:=text}          12345    var if set and non-empty, otherwise text, and var is assigned text
var=12345; echo ${var:?text}          12345    var if set and non-empty, otherwise text goes to stderr and a non-interactive shell exits
var=12345; echo ${var:+text}          text     text if var is set and non-empty, otherwise nothing; var is not changed
var=12345; echo ${var:1:3}            234      substring starting at offset 1 (the first character is 0), length 3
var=12345; echo ${var#12}             345      remove the shortest match of pattern 12 from the beginning
var=12345; echo ${var%45}             123      remove the shortest match of pattern 45 from the end
var=12345; echo ${var/34/ab}          12ab5    replace the first match of 34 with ab, anywhere
var=12345; echo ${var/#12/ab}         ab345    replace 12 with ab only when it matches at the beginning
var=12345; echo ${var/%45/ab}         123ab    replace 45 with ab only when it matches at the end

Plain assignment is used above on purpose: arrays cannot be exported to child processes, so export adds nothing here.





Array


  • Array=(el01 el02 el03)
  • an element is addressed by its index in [], e.g. ${Array[0]} (indices start at 0)
  • iteration: for i in "${Array[@]}"; do echo "$i"; done   # quote "${Array[@]}" so elements containing spaces stay whole




Buildin variables and commands


variable        description
BASH_SUBSHELL   subshell nesting level (0 in the main shell)
SECONDS         seconds since the shell started
FUNCNAME        name of the currently executing function (${FUNCNAME[0]})
DIRSTACK        the directory stack maintained by pushd/popd
LINENO          current line number
:               null command, always returns 0 (true)
PWD             current directory
CDPATH          search path for the cd command
TMOUT           logout after [sec] of inactivity (also the default timeout for read and select)





Debug


bash -n [script]    set -n    check syntax without running
bash -x [script]    set -x    debug: trace each command as it runs




Variable scope


  • a function sees the variables of the script
  • a variable assigned inside a function is global as well, unless it is declared with local, so the script sees it after the call
  • a for loop runs in the current shell, so the script sees variables set in it; a loop that is the last stage of a pipeline (cmd | while read …) runs in a subshell and its assignments are lost
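The scope rules exercised in code, as an added example that is not from these notes; `local` is not POSIX but dash and bash both support it, and the pipeline case is the one that bites in practice.

```shell
#!/bin/sh
# Added example: where assignments made in functions and loops end up.

set_global() {
    FROM_FUNC=visible          # no local: the caller sees this after the call
}

set_local() {
    local FROM_FUNC_LOCAL
    FROM_FUNC_LOCAL=hidden     # gone once the function returns
}

# the last stage of a pipeline runs in a subshell: the loop increments a copy of n
count_in_pipeline() {
    n=0
    printf 'a\nb\nc\n' | while read -r _line; do
        n=$((n + 1))
    done
    echo "$n"                  # prints 0
}

# feeding the loop through a redirection keeps it in the current shell
count_in_current_shell() {
    n=0
    while read -r _line; do
        n=$((n + 1))
    done <<EOF
a
b
c
EOF
    echo "$n"                  # prints 3
}
```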




Function


  • { command1; command2; } # command grouping; the block runs in the current shell and sees the script's variables
  • the output of the whole block can be redirected at once: { …; } > output.file;
    unlike ( … ), a { … } block is not placed in a subshell




Test




[[


  • fewer surprises, safer to use, but not portable: a bash keyword, not POSIX; supports regexp matching with =~
  • string comparison: <, >, =, ==, !=
  • integer comparison: -lt, -le, -eq, -ge, -gt, -ne
  • conditional evaluation: &&, ||
  • expression grouping: (…)



[


  • variables on either side must be quoted, e.g. if [ -z "$variable" ]; an unquoted empty variable disappears and [ sees too few words. [ is a synonym for test that requires a final ]; bash has it as a builtin, and /usr/bin/[ exists as a program for other shells
  • string comparison: \<, \>, =, != (< and > must be escaped, otherwise the shell treats them as redirections)
  • integer comparison: -lt, -le, -eq, -ge, -gt, -ne
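The quoting rule for [ demonstrated, as an added example that is not from these notes: the same comparison with and without quotes, so the failure mode is visible as an exit status rather than a message that scrolls by.

```shell
#!/bin/sh
# Added example: why the operand of [ must be quoted. [ is an ordinary command,
# so the shell expands $var first and [ only sees the words that remain.

# deliberately unquoted: an empty value leaves `[ = secret ]`, a value with a
# space gives `[ a b = secret ]`; both are syntax errors (exit status 2), which
# an `if` silently treats as "false"
unquoted_test() {
    var=$1
    [ $var = secret ]
}

# quoted: "$var" is always exactly one word, so the result is 0 or 1
quoted_test() {
    var=$1
    [ "$var" = secret ]
}
```

The exit status 2 is the point: a script using `if unquoted_test "$input"` to gate access would take the "else" branch for malformed input and never notice that the test itself broke.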




files


-f file    true if file exists and is a regular file
-e file    true if file exists
-d file    true if file exists and is a directory





strings


-z string    true if the length of string is zero
-n string    true if the length of string is non-zero





using


  • [ c1 ] && [ c2 ]   # c2 runs only if c1 succeeded
  • [ c1 ] || [ c2 ]   # c2 runs only if c1 failed
  • the two forms differ in when c2 is evaluated:
    operator   c1     c2
    &&         OK     is run
    &&         FAIL   is not run
    ||         OK     is not run
    ||         FAIL   is run






Getopts


variable   description
OPTIND     Holds the index of the next argument to be processed. This is how getopts "remembers" its own state between invocations. Also useful to shift the positional parameters after processing (shift $((OPTIND-1))). OPTIND is initially set to 1 and must be reset to 1 if you want to parse anything again with getopts.
OPTARG     Set to the argument of an option found by getopts. In silent mode (OPTSTRING starting with :) it instead holds the offending option letter when the option is unknown (VARNAME is ?) or its required argument is missing (VARNAME is :).
OPTERR     (0 or 1) Whether bash prints the error messages generated by the getopts builtin. It is initialised to 1 on every shell startup, so set it to 0 if you do not want the messages.


  • getopts OPTSTRING VARNAME [ARGS…]
    OPTSTRING   tells getopts which options to expect and where to expect arguments (see below)
    VARNAME     the shell variable in which getopts reports each option
    ARGS        parse these words instead of the positional parameters


  • a call without any arguments: nothing happens, getopts saw no valid or invalid options (letters preceded by a dash), so the loop body never runs
  • a call with arguments but without any flags: the same, getopts saw no options
  • invalid options do not stop the processing: if you want to stop the script, you have to do it yourself (exit in the right place)
  • multiple identical options are possible: if you want to disallow them, check manually (e.g. by setting a variable)




OPTSTRING


  • When you want getopts to expect an argument for an option, place a : (colon) after that option letter.
  • If the very first character of OPTSTRING is a : (colon), which would otherwise be nonsense
    because there is no option letter preceding it, getopts switches to "silent error reporting".
    In production scripts this is usually what you want (handle errors yourself and do not get the built-in messages).




ARGS


  • The getopts utility parses the positional parameters of the current shell or function by default (which means it parses "$@").
    You can give your own set of arguments to the utility to parse. Whenever additional arguments are given after the VARNAME parameter,
    getopts doesn't try to parse the positional parameters, but these given words.
    A call to getopts without these additional arguments is equivalent to explicitly calling it with "$@".
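The pieces above put together, as an added example that is not from these notes: a parser in silent mode that resets OPTIND so it can be called repeatedly, shifts the parsed options away, and falls back on ${var:-default} for an option that was not given. The option letters -v, -n and -o FILE are illustrative choices.

```shell
#!/bin/sh
# Added example: getopts in silent mode, callable more than once.
# Results are left in VERBOSE, DRYRUN, OUTFILE, NOPERANDS and FIRST_OPERAND.
parse_opts() {
    OPTIND=1            # getopts keeps its position here; reset on every call
    VERBOSE=0
    DRYRUN=0
    OUTFILE=
    # leading ':' = silent mode; 'o:' = -o takes an argument
    while getopts ':vno:' opt "$@"; do
        case $opt in
            v)  VERBOSE=1 ;;
            n)  DRYRUN=1 ;;
            o)  OUTFILE=$OPTARG ;;
            :)  printf 'option -%s requires an argument\n' "$OPTARG" >&2
                return 2 ;;
            \?) printf 'unknown option -%s\n' "$OPTARG" >&2
                return 2 ;;
        esac
    done
    shift $((OPTIND - 1))          # drop the options; "$@" is now the operands
    OUTFILE=${OUTFILE:-out.txt}    # default when -o was not given
    if [ $# -eq 0 ]; then
        printf 'at least one input file is required\n' >&2
        return 2
    fi
    NOPERANDS=$#
    FIRST_OPERAND=$1
    return 0
}

# parse_opts -v -o report.txt a.log b.log   -> VERBOSE=1 OUTFILE=report.txt NOPERANDS=2
```

Because the function returns 2 instead of calling exit, a caller decides what to do on bad input; the same applies to unknown options, which getopts reports but does not act on.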




Calculate


  • echo $((2+3))



Return status


  • the exit status of the last command in a function or script is the function's or script's exit status unless return or exit sets it explicitly; this is bash's "return value"
  • exit status is in the range 0-255; 0 means success




Commands


eval                  turn the string in a variable into a command, e.g. i="ls"; eval $i (never eval untrusted input: it is executed as shell code)
source                from the command line: run a script in the current shell; inside a script: works like #include (same as the dot command)
exec                  no fork: the command replaces the current shell process, so the script never resumes after it
true, false           return exit status 0 and 1 respectively
help [bash_command]   help for bash builtins, e.g. help eval





Output




ex 1: command > /dev/null 2>&1


  1. redirect standard output (fd 1) to /dev/null
  2. redirect standard error (fd 2) to wherever fd 1 points now, i.e. /dev/null

Summary: all output goes to /dev/null. Redirections are applied left to right, which is why the order matters.



ex 2: command 2>&1 > /dev/null


  1. redirect standard error (fd 2) to wherever fd 1 points at this moment (the terminal, or the pipe or command substitution that is capturing the command)
  2. redirect standard output (fd 1) to /dev/null; fd 2 keeps pointing at the original stdout

Summary: stdout goes to /dev/null and stderr goes to the previous stdout. This is the idiom for capturing only error messages, e.g. err=$(command 2>&1 >/dev/null).
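Both orderings measured by what actually reaches the caller, as an added example that is not from these notes; `noisy` stands in for any command that writes to both streams.

```shell
#!/bin/sh
# Added example: the two redirection orders side by side.
noisy() {
    echo 'to stdout'
    echo 'to stderr' >&2
}

# ex 1: fd 1 -> /dev/null, then fd 2 -> (what fd 1 is now) = /dev/null
silence_all() {
    noisy > /dev/null 2>&1
}

# ex 2: fd 2 -> (what fd 1 is now) = the caller's stdout, then fd 1 -> /dev/null
errors_to_stdout() {
    noisy 2>&1 > /dev/null
}

# the useful form of ex 2: capture only a command's diagnostics
only_stderr_of() {
    "$@" 2>&1 > /dev/null
}

# err=$(only_stderr_of noisy)   -> err holds "to stderr", nothing else
```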



Printf


  • printf "%-30s%s\n" "hello" "$VAR"   # %-30s: left-justified in a 30-character field; keep data in the arguments, never in the format string




Colors in directory


  • dircolors -p > ~/.dircolors                 # write the default database out so it can be edited
  • eval `/usr/bin/dircolors -b ~/.dircolors`   # set LS_COLORS from it
  • alias dir="dir --color"
  • alias ls="ls --color"



color symbols


attribute     code
none          00
bold          01
underscore    04
blink         05
reverse       07
concealed     08

color         foreground   background
black         30           40
red           31           41
green         32           42
yellow        33           43
blue          34           44
magenta       35           45
cyan          36           46
white         37           47


2011-06-14

ORACLE TRACE

Remember that trace files are written to user_dump_dest, but for jobs and for shared server configurations they are in background_dump_dest (in 11g both resolve to the ADR trace directory under diagnostic_dest).
Oracle 9i

turn on trace in another session:

EXECUTE dbms_system.set_ev ([sid],[serial#],10046,[level],'');
turn off
EXECUTE dbms_system.set_ev ([sid],[serial#],10046,0,'');

Oracle 9i/10g

turn on trace for current session:

ALTER SESSION SET EVENTS '10046 trace name context forever, level [level#]'
  • level 0 #off
  • level 1 #default
  • level 4 #default + bind variable values
  • level 8 #default + wait event information
  • level 12 #level 4 + level 8
turn off
ALTER SESSION SET EVENTS '10046 trace name context off'

Oracle 9i/10g

turn on trace for os process:

ORADEBUG SETOSPID [os process from v$process];
ORADEBUG EVENT 10046 TRACE NAME CONTEXT FOREVER, LEVEL [level#];
ORADEBUG TRACEFILE_NAME; --display current tracefile
turn off
ORADEBUG EVENT 10046 TRACE NAME CONTEXT OFF;

Oracle 9i/10g

turn on trace for current session:

dbms_support package in $ORACLE_HOME/rdbms/admin/dbmssupp.sql
EXEC dbms_support.start_trace(waits=>TRUE, binds=>TRUE);
turn off
EXEC dbms_support.stop_trace;

turn on trace for the other session:

EXEC dbms_support.start_trace_in_session(sid=>[sid], serial=>[serial#], waits=>TRUE, binds=>TRUE);
turn off
EXEC dbms_support.stop_trace_in_session(sid=>[sid], serial=>[serial#]);

Oracle 10g

turn on trace for current session:

exec DBMS_MONITOR.SESSION_TRACE_ENABLE (session_id => [sid],serial_num => [serial#], waits => TRUE,binds => TRUE);
turn off
exec DBMS_MONITOR.SESSION_TRACE_DISABLE(session_id=> [sid],serial_num=> [serial#]);
check:
SELECT sql_trace,sql_trace_waits,sql_trace_binds FROM v$session;

turn on trace for client:

exec DBMS_MONITOR.CLIENT_ID_TRACE_ENABLE(client_id => '[client_name]',waits => TRUE, binds => TRUE);
turn off
exec DBMS_MONITOR.CLIENT_ID_TRACE_DISABLE(client_id => '[client_name]');

turn on trace at database level:

exec DBMS_MONITOR.DATABASE_TRACE_ENABLE (waits => TRUE, binds => TRUE, instance_name => NULL);
turn off
exec DBMS_MONITOR.DATABASE_TRACE_DISABLE(instance_name => NULL);
check:
SELECT * FROM dba_enabled_traces;

Oracle 11g

turn on trace at component level

exec DBMS_MONITOR.SERV_MOD_ACT_TRACE_ENABLE(service_name => '[serv_name]', module_name => '[module]', action_name => '[action]', waits => TRUE, binds => FALSE, instance_name => NULL);
turn off
exec DBMS_MONITOR.SERV_MOD_ACT_TRACE_DISABLE(service_name => '[serv_name]', module_name => '[module]', action_name => '[action]', instance_name => NULL);
check: SELECT * FROM dba_enabled_traces;

2011-02-16

LINUX NETWORK

Turn off NetworkManager:

  • chkconfig NetworkManager off              # SysV init
  • systemctl disable NetworkManager.service  # systemd

Setting gateway:

/etc/sysconfig/network

NETWORKING=yes
HOSTNAME=[hostname]
GATEWAY=[IP]

Bonding module:

/etc/modprobe.d/bond.conf

alias bond0 bonding
options bond0 miimon=100 mode=1

Setting ordinary interfaces:

/etc/sysconfig/network-scripts/ifcfg-[dev_name]

DEVICE=[dev_name]
BOOTPROTO=none
HWADDR=AA:AA:AA:AA:AA:AA
ONBOOT=yes
MASTER=bond0
SLAVE=yes
NM_CONTROLLED=no

Setting bond interfaces

/etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
IPADDR=[IP]
NETMASK=[MASK]
IPV6INIT=no
NM_CONTROLLED=no

iwlist

  • iwlist [interface] frequency

WIFI - wpa_supplicant

wpa_passphrase

  • wpa_passphrase "[ssid]" "[passphrase]" # derives the PSK (hex) that goes into wpa_supplicant.conf; it also echoes the passphrase as a #psk= comment, which should be removed before the output is saved

wpa_supplicant.conf

/etc/wpa_supplicant/wpa_supplicant.conf

network={
  ssid="leny"
  #psk="[opentext_passphrase]"   # line echoed by wpa_passphrase; delete it so only the derived key is on disk
  psk=[psk_from_wpa_passphrase]
  scan_ssid=1                    # needed if the SSID is hidden
  proto=WPA2                     # alias for RSN; WPA alone selects the original WPA
  priority=1
  #key_mgmt=WPA-EAP
  #key_mgmt=WPA-PSK
}

The hex PSK is as good as the passphrase for joining the network, so the file must be readable by root only (mode 600).

launching wifi, step by step:

  1. ip link set [dev_name] up
  2. iw [dev_name] scan
  3. wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -Dwext -i[dev_name] -B   # run as daemon (-B flag); -Dwext is the legacy driver interface, -Dnl80211 is the current one
  4. dhclient [dev_name]
  5. ip addr show [dev_name]
  6. route add default gw [IP]   # only if dhclient did not install a default route

2011-01-19

ORACLE AUDIT

1 Init params

parameter             values                                             description
AUDIT_TRAIL           NONE / DB / OS / DB,EXTENDED / XML / XML,EXTENDED   turn auditing on and choose where the records go
AUDIT_FILE_DEST       directory                                          directory for audit files when AUDIT_TRAIL=OS or XML; default $ORACLE_HOME/rdbms/audit
AUDIT_SYS_OPERATIONS  TRUE / FALSE                                       audit operations done as SYS (SYSDBA/SYSOPER); these go to the OS or XML audit trail, never to SYS.AUD$

1.1 AUDIT_TRAIL

  • in 11g AUDIT_TRAIL defaults to DB for databases created with DBCA; in 10g and earlier the default is NONE
none or false   Auditing is disabled.
db or true      Auditing is enabled, with all audit records stored in the database audit trail (SYS.AUD$).
db,extended     As db, but the SQL_BIND and SQL_TEXT columns are also populated.
xml             Auditing is enabled, with all audit records stored as XML-format OS files.
xml,extended    As xml, but the SQL bind values and SQL text are also recorded.
os              Auditing is enabled, with all audit records written to the operating system's audit trail.

2 Turn on

  • set param audit_trail

Commands:

AUDIT …                                         turn auditing on for a statement, privilege or object
NOAUDIT ALL                                     turn off all statement audit options (for all users when no BY clause is given)
NOAUDIT ALL BY [username]                       turn off all statement audit options for one user
NOAUDIT SELECT TABLE BY [username]
NOAUDIT TABLE BY [username]
AUDIT ALL BY [username] BY ACCESS/SESSION       ACCESS: one record every time the event happens; SESSION: one record per session for the same statement and object
AUDIT select table, insert table, delete table, update table BY [username] BY ACCESS

Views:
STMT_AUDIT_OPTION_MAP   Contains information about auditing option type codes. Created by the SQL.BSQ script at CREATE DATABASE time.
AUDIT_ACTIONS           Contains descriptions for audit trail action type codes.
ALL_DEF_AUDIT_OPTS      Contains the default object-auditing options that will be applied when objects are created.

3 VIEWS for SYS.AUD$

DBA_STMT_AUDIT_OPTS   Shows the statement audit options in force, per user.
DBA_PRIV_AUDIT_OPTS   Describes the current system privileges being audited across the system and by user.
DBA_OBJ_AUDIT_OPTS    Describes auditing options on all objects. The USER view describes auditing options on all objects owned by the current user.
DBA_AUDIT_TRAIL       Lists all audit trail entries. The USER view shows audit trail entries relating to the current user.
DBA_AUDIT_STATEMENT   Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT and ALTER SYSTEM statements throughout the database, or, for the USER view, issued by the user.
DBA_AUDIT_EXISTS      Lists audit trail entries produced by AUDIT NOT EXISTS.
DBA_AUDIT_SESSION     Lists all audit trail records concerning CONNECT and DISCONNECT. The USER view lists connections and disconnections of the current user.
DBA_AUDIT_OBJECT      Contains audit trail records for all objects in the database. The USER view lists records for statements concerning objects accessible to the current user.

Event types that are recorded:
  • DDL (CREATE, ALTER and DROP of objects)
  • DML (INSERT, UPDATE, DELETE, SELECT, EXECUTE)
  • SYSTEM EVENTS (LOGON, LOGOFF etc.)

Useful queries:

SELECT * FROM dba_stmt_audit_opts ORDER BY 1,3;

col obj_name format a30
col owner format a15
col username format a15
SELECT owner,username,obj_name,action_name,to_char(timestamp,'YYYY-MM-DD HH24:MI:SS') FROM dba_audit_trail
  WHERE timestamp >= trunc(sysdate-1) and username='CCI' order by timestamp;

prompt ### size of the audit table
SELECT sum(bytes)/1024/1024 as MB FROM dba_segments WHERE segment_name='AUD$';

4 Options

4.1 default audit options

  • rdbms/admin/secconf.sql   # enables the 11g default audit settings
  • rdbms/admin/undoaud.sql   # disables them again

4.2 ALL

Object                  SQL statements and operations audited
ALTER SYSTEM            ALTER SYSTEM
CLUSTER                 CREATE, ALTER, DROP, TRUNCATE
CONTEXT                 CREATE, DROP
DATABASE LINK           CREATE, ALTER, ALTER PUBLIC DATABASE LINK, DROP DATABASE LINK
DIMENSION               CREATE, ALTER, DROP
DIRECTORY               CREATE, DROP
INDEX                   CREATE INDEX, ALTER, ANALYZE INDEX, DROP
MATERIALIZED VIEW       CREATE, ALTER, DROP
NOT EXISTS              all SQL statements that fail because a specified object does not exist
OUTLINE                 CREATE, ALTER, DROP
PROCEDURE               CREATE FUNCTION, CREATE LIBRARY, CREATE PACKAGE, CREATE PACKAGE BODY, CREATE PROCEDURE, DROP FUNCTION, DROP LIBRARY, DROP PACKAGE, DROP PROCEDURE
PROFILE                 CREATE, ALTER, DROP
PUBLIC DATABASE LINK    CREATE, DROP
PUBLIC SYNONYM          CREATE, DROP
ROLE                    CREATE, ALTER, DROP, SET
ROLLBACK SEGMENT        CREATE, ALTER, DROP
SEQUENCE                CREATE, DROP
SESSION                 logons
SYNONYM                 CREATE, DROP
SYSTEM AUDIT            AUDIT sql_statements, NOAUDIT sql_statements
SYSTEM GRANT            GRANT system_privileges_and_roles, REVOKE system_privileges_and_roles
TABLE                   CREATE, DROP, TRUNCATE TABLE
TABLESPACE              CREATE, ALTER, DROP
TRIGGER                 CREATE, ALTER with ENABLE and DISABLE clauses, DROP, ALTER TABLE with ENABLE ALL TRIGGERS and DISABLE ALL TRIGGERS clauses
TYPE                    CREATE, CREATE TYPE BODY, ALTER, DROP, DROP TYPE BODY
USER                    CREATE, ALTER, DROP
VIEW                    CREATE, DROP

Notes:
  • AUDIT USER audits three SQL statements: CREATE USER, ALTER USER, DROP USER. Use AUDIT ALTER USER to audit statements that require the ALTER USER system privilege. AUDIT ALTER USER does not record a user changing his or her own password, because that does not require the ALTER USER system privilege.

4.3 ADDITIONAL

ALTER SEQUENCE          ALTER SEQUENCE
ALTER TABLE             ALTER TABLE
COMMENT TABLE           COMMENT ON TABLE table, view, materialized view; COMMENT ON COLUMN table.column, view.column, materialized view.column
DELETE TABLE            DELETE FROM table, view
EXECUTE PROCEDURE       CALL; execution of any procedure or function, or access to any variable, library or cursor inside a package
GRANT DIRECTORY         GRANT privilege ON directory; REVOKE privilege ON directory
GRANT PROCEDURE         GRANT privilege ON procedure, function, package; REVOKE privilege ON procedure, function, package
GRANT SEQUENCE          GRANT privilege ON sequence; REVOKE privilege ON sequence
GRANT TABLE             GRANT privilege ON table, view, materialized view; REVOKE privilege ON table, view, materialized view
GRANT TYPE              GRANT privilege ON TYPE; REVOKE privilege ON TYPE
INSERT TABLE            INSERT INTO table, view
LOCK TABLE              LOCK TABLE table, view
SELECT SEQUENCE         any statement containing sequence.CURRVAL or sequence.NEXTVAL
SELECT TABLE            SELECT FROM table, view, materialized view
UPDATE TABLE            UPDATE table, view

4.4 Objects available to audit

Object                          SQL operations
Table                           ALTER, AUDIT, COMMENT, DELETE, FLASHBACK, GRANT, INDEX, INSERT, LOCK, RENAME, SELECT, UPDATE
View                            AUDIT, COMMENT, DELETE, FLASHBACK, GRANT, INSERT, LOCK, RENAME, SELECT, UPDATE
Sequence                        ALTER, AUDIT, GRANT, SELECT
Procedure, Function, Package    AUDIT, EXECUTE, GRANT
Materialized View               ALTER, AUDIT, COMMENT, DELETE, INDEX, INSERT, LOCK, SELECT, UPDATE
Mining Model                    AUDIT, COMMENT, GRANT, RENAME, SELECT
Directory                       AUDIT, GRANT, READ
Library                         EXECUTE, GRANT
Object Type                     ALTER, AUDIT, GRANT

5 Truncate audit table

  • truncate table SYS.AUD$;   # as SYSDBA; this destroys the audit history, so export or copy the rows first if they must be retained

5.1 DBMS_AUDIT_MGMT

  • from 11g (and 10.2.0.5) the supported way to purge or relocate the audit trail is the DBMS_AUDIT_MGMT package (INIT_CLEANUP, SET_LAST_ARCHIVE_TIMESTAMP, CLEAN_AUDIT_TRAIL) rather than a raw TRUNCATE
  • its current settings: SELECT * FROM DBA_AUDIT_MGMT_CONFIG_PARAMS;