Inverse delete with shopt in Linux with bash

The scenario: I want to delete all sub-directories and files within a directory, except for one directory and one file.

Enable globbing:

shopt -s extglob

Make me a list:

echo rm -rf !(cgi-bin|favicon.ico)

Execute list:

rm -rf app cron.php cron.sh downloader errors get.php includes index.htm.old index.php index.php.sample install.php js lib LICENSE_AFL.txt LICENSE.html LICENSE.txt mage media php.ini.sample pkginfo RELEASE_NOTES.txt shell skin tempstyle.css var

Snazzy!
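As an added example (not from the original post), the dotfile caveat of this trick shown in a throwaway directory: !(...) never matches names beginning with a dot unless dotglob is also set, so a file such as .htaccess survives the plain form. It assumes bash and mktemp are available; the function names are made up here.

```shell
# Added example (not from the original post): the !(pattern) trick in a
# throwaway directory, showing that hidden files survive unless dotglob is set.
# Assumes bash and mktemp are available; the function names are made up here.

# Build a constructed fixture resembling the directory in the post.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/cgi-bin" "$d/app"
  touch "$d/favicon.ico" "$d/index.php" "$d/.htaccess"
  printf '%s\n' "$d"
}

# The post's form: extglob only. Names starting with '.' are not matched by
# !(...), so .htaccess is left behind.
inverse_delete() {
  bash -O extglob -c 'cd "$1" && rm -rf -- !(cgi-bin|favicon.ico)' _ "$1"
}

# With dotglob as well, hidden entries are matched too; . and .. are excluded
# explicitly so the pattern can never expand to them.
inverse_delete_dotglob() {
  bash -O extglob -O dotglob -c \
    'cd "$1" && rm -rf -- !(cgi-bin|favicon.ico|.|..)' _ "$1"
}

# List what is left, dotfiles included, in a locale-independent order.
remaining() {
  ( cd "$1" && ls -A | LC_ALL=C sort | paste -sd ' ' - )
}
```

Run the echo dry-run from the post with dotglob enabled first, and check that hidden files such as .htaccess really are meant to go.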

Sending Windows Event Logs to RHEL Syslog-NG Server

Syslog-ng main site:

http://www.balabit.com/network-security/syslog-ng

Snare for Windows:

http://www.intersectalliance.com/projects/index.html


Install syslog-ng via EPEL or build from source.

Make a directory to store the logs you want to capture:

mkdir /var/log/syslogs

Edit the syslog-ng conf file:

vi /etc/syslog-ng/syslog-ng.conf

Add to the end of syslog-ng.conf:

source src {
 internal();
 udp(port(514));
 };
destination messages { file("/var/log/syslogs/$HOST"); };
log {source(src); destination(messages);};

The above stanza tells syslog-ng to listen for incoming logs on UDP port 514 (the default) and write them under /var/log/syslogs/; each remote host gets its own file named after its hostname, e.g.:

-rw------- 1 root root   53701 Nov  7 07:42 cit-3zhgmg1
-rw------- 1 root root  231065 Nov  7 07:42 dev-virtual
-rw------- 1 root root 1233934 Nov  7 07:39 rsodevxp

Restart the syslog-ng process:

/etc/init.d/syslog-ng start

Open a port in the local firewall:

vi /etc/sysconfig/iptables

And add the line:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT

Reload the firewall:

/etc/init.d/iptables reload

Install snare for Windows

Download the correct agent for the Windows platform, e.g. Windows XP, 7, Server, etc.

The Snare agent install is the normal Next, Next type.

Accept most of the defaults unless there is an Active Directory auditing GPO that may interfere.


On the “Remote Control Interface” option, you can enable remote access to the system's Snare configuration via a web browser (e.g. http://fqdn:6161). Even for local access you still need admin rights on the box.

Finish the install process and open a local browser to http://localhost:6161; a status page should be shown.

Go to Network Configuration and complete the following:

Override detected DNS Name with: you only need to configure this if you want the name in the syslog feed to be something other than that to which the hostname in DNS resolves.

Destination Snare Server address: The FQDN or IP address of your syslog server.

Destination Port: The default syslog port.

Perform a scan of ALL objectives, and display the maximum criticality: Based on the settings in Objectives Configuration, this will report to you what Snare is going to audit.

Allow SNARE to automatically set audit configuration: Leaving this checked allows Snare to capture all the events considered important. Review those in Objectives Configuration, adjust them as you see fit, or control auditing through a GPO.

Export Snare Log data to a file?: Since we’re still writing event logs, checking this is redundant.

Enable active USB auditing?: With this checked, we should pick up any USB devices (like drives) connected to or removed from the system.

Enable SYSLOG Header: Check this, so that the Snare feed includes a syslog header. This will contain the hostname and a timestamp.

SYSLOG Facility: Defined in RFC3164, leave this at User unless you have a company policy defining a different facility.

SYSLOG Priority: Also defined in RFC3164, leave this at Notice unless you have a company policy defining a different priority.

Configure your Snare agent as desired, and then click “Change Configuration.”

Restart the snare service:

Start>Run>CMD C:\Windows\System32> net stop snare && net start snare

Now switch over to your syslog server and tail for incoming Windows event logs in the syslogs directory:

tail -f /var/log/syslogs/<HOSTNAME.DOMAIN>

You should see :

Nov 7 08:03:23 rsodevxp MSWinEventLog 0 Security 1836 Mon Nov 07 08:03:17 2011 593 Security SYSTEM User Success Audit RSODEVXP Detailed Tracking A process has exited: Process ID: 792 Image File Name: C:\WINDOWS\system32\userinit.exe User Name: RSODEVXP$ Domain: LOCALDOMAIN Logon ID: (0x0,0x3E7) 1666

Nov 7 08:09:23 rsodevxp MSWinEventLog 1 Security 1837 Mon Nov 07 08:09:23 2011 861 Security SYSTEM User Failure Audit RSODEVXP Detailed Tracking The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 976 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 6161 Allowed: No User notified: No 1667

Nov 7 08:10:08 rsodevxp MSWinEventLog 0 Security 1838 Mon Nov 07 08:10:08 2011 592 Security SYSTEM User Success Audit RSODEVXP Detailed Tracking A new process has been created: New Process ID: 3252 Image File Name: C:\WINDOWS\system32\logon.scr Creator Process ID: 648 User Name: RSODEVXP$ Domain: LOCALDOMAIN Logon ID: (0x0,0x3E7) 1668
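As an added example (not from the original post), a quick triage of the Snare feed on the syslog-ng side with awk. Snare separates its fields with TAB characters (flattened to spaces in the sample above); the field order is assumed from those sample records, the sample lines in the block are constructed, and the function names are made up here.

```shell
# Added example (not from the original post): triage the Snare feed on the
# syslog-ng side with awk. Snare separates its fields with TAB characters; the
# field order is assumed from the sample records in the post: criticality,
# source log, counter, timestamp, event ID, source, user, SID type, audit type,
# computer, category, description, trailing counter.

# Constructed sample records, as they would land in /var/log/syslogs/<HOST>.
SNARE_SAMPLE=$(
printf 'Nov  7 08:03:23 rsodevxp MSWinEventLog\t0\tSecurity\t1836\tMon Nov 07 08:03:17 2011\t593\tSecurity\tSYSTEM\tUser\tSuccess Audit\tRSODEVXP\tDetailed Tracking\tA process has exited: Process ID: 792 Image File Name: C:\\WINDOWS\\system32\\userinit.exe\t1666\n'
printf 'Nov  7 08:09:23 rsodevxp MSWinEventLog\t1\tSecurity\t1837\tMon Nov 07 08:09:23 2011\t861\tSecurity\tSYSTEM\tUser\tFailure Audit\tRSODEVXP\tDetailed Tracking\tThe Windows Firewall has detected an application listening for incoming traffic. Path: C:\\Program Files\\Snare\\SnareCore.exe Port number: 6161 Allowed: No\t1667\n'
printf 'Nov  7 08:10:08 rsodevxp MSWinEventLog\t0\tSecurity\t1838\tMon Nov 07 08:10:08 2011\t592\tSecurity\tSYSTEM\tUser\tSuccess Audit\tRSODEVXP\tDetailed Tracking\tA new process has been created: New Process ID: 3252 Image File Name: C:\\WINDOWS\\system32\\logon.scr\t1668\n'
)

# Print host, event ID and category for every Failure Audit record on stdin.
# $1 is the syslog header ("Nov  7 08:09:23 rsodevxp MSWinEventLog"); its 4th
# space-separated word is the hostname syslog-ng used for the file name.
snare_failures() {
  awk -F'\t' '$1 ~ /MSWinEventLog$/ && $10 == "Failure Audit" {
    split($1, h, " "); print h[4], $6, $12
  }'
}

# Count records per audit type, so a spike in Failure Audit stands out.
snare_summary() {
  awk -F'\t' '$1 ~ /MSWinEventLog$/ { c[$10]++ }
    END { for (k in c) print k, c[k] }' | sort
}

# Usage on a live file: snare_failures < /var/log/syslogs/rsodevxp
printf '%s\n' "$SNARE_SAMPLE" | snare_failures
```

The sample's one Failure Audit (event 861) is the Windows Firewall reporting SnareCore.exe listening on port 6161, i.e. the Remote Control Interface enabled earlier, which is worth knowing when you see it in the feed.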

Final steps:

Configure logrotate to rotate and compress the logs, and set retention to roll off any logs older than X days.

Getting Devcon.exe onto and working with Windows 7

The DevCon utility is a command-line utility that acts as an alternative to Device Manager. Using DevCon, you can enable, disable, restart, update, remove, and query individual devices or groups of devices.

http://support.microsoft.com/kb/311272

Download the “Windows Driver Kit (WDK) 7.1.0” from Microsoft: http://www.microsoft.com/download/en/details.aspx?id=11800

Extract the ISO to a temp directory with WinRAR or UniExtract.

Extract the install file “WDK\setuptools_x64fre.msi” to a temp directory, where you will find “WinDDK\7600.16385.win7_wdk.100208-1538\tools\devcon\amd64\devcon.exe”

Note: devcon MUST be run from an administrator cmd window.


EPEL for Red Hat and CentOS

Create the file /etc/yum.repos.d/epel.repo and put the contents below in it:

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

cd /etc/pki/rpm-gpg/

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

Windows disable USB power saving (DisableSelectiveSuspend)

This is handy for disabling the power scheme that may take your USB device offline at the most annoying times, e.g. a USB fingerprint reader used for Imprivata’s workstation sign-on will fail if the device does not return from power-saving mode.
This can also be set via registry settings and eventually by a GPO.
This procedure describes how to modify the following registry setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USB
Entry: DisableSelectiveSuspend
Type: DWORD
Value: 1 disables selective suspend mode. 0 enables selective suspend mode.
Notes
  • This procedure may reduce the battery life on a portable computer.
  • This setting affects all USB host controller drivers in the system. If the value of the DisableSelectiveSuspend registry entry is set to 1, selective suspend mode is turned off. Additionally, the Allow the computer to turn off this device to save power check box does not appear on the Power Management tab for the USB root hub.
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  3. On the Edit menu, point to New, and then click Key.
  4. Type USB for the name of the subkey, and then press ENTER.
  5. Click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USB
  6. On the Edit menu, point to New, and then click DWORD Value.
  7. Type DisableSelectiveSuspend for the name of the DWORD, and then press ENTER.
  8. Right-click DisableSelectiveSuspend, and then click Modify.
  9. In the Value data box, type 1, and then click OK.
  10. Exit Registry Editor.

Alternate:

1. In Power options, click Change advanced power settings.

2. In the Power Options dialog box, expand USB settings, and then expand USB selective suspend setting.

3. If you want to enable Windows 7 to turn on the USB root hub when the computer is running on battery power, click Disabled in the On battery list.

4. If you want to enable Windows 7 to turn on the USB root hub when the computer is plugged in to a power outlet, click Disabled in the Plugged in list, and then click OK.