Notes on steganography and watermarking
FS
# apt-cache search watermarking
mat - Metadata anonymisation toolkit
snowdrop - plain text watermarking and watermark recovery
Forensics
See: sleuthkit / mmls / img_stat
Notes on sssd
See:
- adcli - Tool for performing actions on an Active Directory domain
- L2ARC, ZIL and SLOG
See also:
- Winbind
sssd vs winbind
See:
Prerequisites for AD to Support SSSD ID Mapping
No configuration should be necessary, if the following things are properly configured.
- A DNS SRV record exists for “_ldap._tcp.ad.example.com”.
- A DNS SRV record exists for “_ldap._tcp.dc._msdcs.ad.example.com”.
Open the following ports:
- 53 (DNS) TCP and UDP
- 389 (LDAP) TCP and UDP
- 88 (Kerberos) TCP and UDP
- 464 (Kerberos password changes) TCP and UDP
- 3268 (LDAP global catalog) TCP
- 123 (NTP) UDP
Source: https://paulgorman.org/technical/linux-active-directory-auth.txt.html
Disable ID mapping
/etc/sssd/sssd.conf
ldap_id_mapping = false
Config
# Important: impacts performance
enumerate = false
cache_credentials = True
# How long should we allow cached logins (in days since the last successful online login). 0 for no limit
# offline_credentials_expiration = 0
default_shell = /bin/bash
# ad_gpo_access_control = enforcing   # RHEL 8 default
# ad_gpo_access_control = permissive
# Do not block authentication when the GPOs are not reachable (permissive or disabled)
ad_gpo_access_control = disabled
# dyndns_update = false
ldap_referrals = false
sssd login problems
systemctl restart sssd
tail /var/log/secure
sssctl config-check
systemctl stop sssd
ps -ef | grep sssd
killall sssd
rm /var/lib/sss/db/*
systemctl start sssd
getent passwd plop
Clear the cache
sss_cache -E
Other
rm -rf /etc/authselect/custom/activedirectory-ACME.LOCAL/
authselect create-profile activedirectory-ACME.LOCAL -b sssd
authselect select custom/activedirectory-ACME.LOCAL with-pamaccess with-mkhomedir --force
The resulting configuration is in /etc/authselect/user-nsswitch.conf
grep passwd /etc/authselect/custom/activedirectory-ACME.LOCAL/nsswitch.conf | grep -q with-files-domain && echo "profil OK" || echo "profil KO"
egrep "^passwd:" /etc/nsswitch.conf | grep -q "files sss" && echo "conf OK" || echo "conf KO"
Notes on cgroups
Check that everything is OK
apt-get install lxc
lxc-checkconfig
or
#apt-get install docker.io
#/usr/share/docker.io/contrib/check-config.sh
https://github.com/opencontainers/runc/blob/main/script/check-config.sh
On Debian, cgroups are normally mounted automatically (by mountkernfs):
$ mount | grep cgroup
none on /sys/fs/cgroup type tmpfs (rw,relatime,size=4k,mode=755)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,name=systemd)
If that is not the case, one trick is to add this to /etc/fstab:
/etc/fstab
cgroup /cgroup cgroup defaults 0 0
or switch to systemd:
apt-get install systemd systemd-sysv
But since we choose the service-based method (the Red Hat way):
To list the cgroup subsystems supported by the kernel:
# lssubsys -a
cpuset
cpu
cpuacct
memory
devices
freezer
net_cls
blkio
perf_event
Install the package
apt-get update && apt-get install -y cgroup-tools
Then
dpkg -L cgroup-tools
So
mkdir /etc/sysconfig/
cp -p /usr/share/doc/cgroup-tools/examples/cgconfig.sysconfig /etc/sysconfig/cgconfig
cp -p /usr/share/doc/cgroup-tools/examples/cgred.conf /etc/sysconfig/cgred
cp -p /usr/share/doc/cgroup-tools/examples/cgred /etc/init.d/
cp -p /usr/share/doc/cgroup-tools/examples/cgconfig /etc/init.d/
cp -p /usr/share/doc/cgroup-tools/examples/cgconfig.conf /etc/
cp -p /usr/share/doc/cgroup-tools/examples/cgrules.conf /etc/
chmod a+x /etc/init.d/cgconfig /etc/init.d/cgred
ln -s /etc/sysconfig/cgconfig /etc/default/
ln -s /etc/sysconfig/cgred /etc/default/
sed -i -e 's|/var/lock/subsys/|/var/lock/|g' /etc/init.d/cgred
sed -i -e 's|/var/lock/subsys/|/var/lock/|g' /etc/init.d/cgconfig
getent group cgred >/dev/null || groupadd -r cgred
Then take the /etc/rc.d/init.d/functions file from a CentOS system.
mkdir -p /etc/rc.d/init.d/
cp -p functions /etc/rc.d/init.d/
Comment out the line [ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="$(/sbin/consoletype)"
vi /etc/rc.d/init.d/functions
Then
mkdir /cgroup
cd /cgroup
mkdir $(lssubsys -a)
Error on Debian:
# /etc/init.d/cgconfig start
Starting cgconfig service: Error: cannot mount memory to /cgroup/memory: No such file or directory
/usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup mounting failed
[FAIL] Failed to parse /etc/cgconfig.conf ... failed!
Solution: add "cgroup_enable=memory swapaccount=1" to your GRUB kernel command line:
/etc/default/grub
GRUB_CMDLINE_LINUX="vga=795 cgroup_enable=memory swapaccount=1"
update-grub
For debugging, if needed:
export CGROUP_LOGLEVEL=debug
Other
allocated 133693440 bytes of page_cgroup
please try 'cgroup_disable=memory' option if you don't want memory cgroups
/etc/fstab
cgroup /sys/fs/cgroup cgroup defaults 0 0
/etc/default/grub
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
sudo apt-get install cgroup-tools
sudo cgcreate -a jean -g memory:plop
echo 10000000 > /sys/fs/cgroup/memory/plop/memory.kmem.limit_in_bytes
sudo cgexec -g memory:plop bash
cgroup v1 or v2?
podman info
docker info
mount | grep cgroup2
systemctl --user status
grep cgroup /proc/filesystems
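The mount-based check above only greps for "cgroup2", which cannot tell a pure v2 host from a hybrid one (v1 controllers with a cgroup2 mount next to them). The following added example, not part of the original notes, classifies the layout from the output of `mount`; the sample mount tables are constructed, the v1 one reusing the Debian lines quoted above.

```shell
# Classify the cgroup layout from text in the shape of `mount` output.
# Prints one word: v2 (unified hierarchy only), v1 (legacy controllers
# only), hybrid (cgroup2 mounted next to v1 controllers) or none.
cgroup_layout_from_mounts() {
    # $1: mount table, one mount per line
    v1=0
    v2=0
    while IFS= read -r line; do
        case "$line" in
            *" type cgroup2 "*) v2=1 ;;
            *" type cgroup "*)  v1=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$v1" = 1 ] && [ "$v2" = 1 ]; then echo hybrid
    elif [ "$v2" = 1 ]; then echo v2
    elif [ "$v1" = 1 ]; then echo v1
    else echo none
    fi
}

# On a live host: the same classification from the real mount table.
cgroup_layout() {
    cgroup_layout_from_mounts "$(mount)"
}

# Constructed samples (not captured from a real host). SAMPLE_V1 reuses
# the Debian mount lines quoted in the notes above.
SAMPLE_V1='none on /sys/fs/cgroup type tmpfs (rw,relatime,size=4k,mode=755)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,name=systemd)'
SAMPLE_V2='cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)'
SAMPLE_HYBRID="$SAMPLE_V1
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)"

cgroup_layout_from_mounts "$SAMPLE_V1"      # v1
cgroup_layout_from_mounts "$SAMPLE_V2"      # v2
cgroup_layout_from_mounts "$SAMPLE_HYBRID"  # hybrid
```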
To switch to version 2
grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"
Other
cat /sys/fs/cgroup/user.slice/user-1003.slice/cgroup.controllers
cpuset cpu io memory pids
Notes on SSL/TLS HTTPS clients and OpenSSL
Certificate check
openssl s_client -showcerts -CAfile ca.crt -connect 192.168.56.101:7000 -servername acme.fr
Get information about a certificate
openssl x509 -inform PEM -in mycertfile.pem -text -out certdata
Debug
curl -v --insecure --show-error --verbose --cacert mycertfile.pem https://acme.fr
Install a CA certificate - Debian
mv cert.pem acme.fr.crt
cp acme.fr.crt /usr/local/share/ca-certificates/
#vim /etc/ca-certificates.conf
#dpkg-reconfigure ca-certificates
# RedHat
# update-ca-trust
# Debian
update-ca-certificates
Remove a CA certificate - Debian
rm /usr/local/share/ca-certificates/plop.crt
# RedHat
# update-ca-trust
# Debian
#update-ca-certificates
update-ca-certificates -f
-f, --fresh : Fresh updates. Remove symlinks in /etc/ssl/certs directory.
Install a CA certificate - RedHat
See:
trust (RedHat package p11-kit-trust; Debian package p11-kit), update-ca-trust (package ca-certificates)
cp ca.crt /etc/pki/ca-trust/source/anchors/
# Debian
# update-ca-certificates
# RedHat
update-ca-trust
Source: cat /etc/pki/ca-trust/source/README
HTTP request over SSL/TLS
(echo -ne "GET / HTTP/1.1\r\nHost: acme.fr\r\n\r\n" ; cat ) | openssl s_client -showcerts -CAfile ca.crt -connect acme.fr:443 -servername acme.fr
Online TLS/HTTPS test
Offline TLS/HTTPS test
Python
trustflag.py
"""Check AddTrust External CA Root
https://bugzilla.redhat.com/show_bug.cgi?id=1842174
"""
from __future__ import print_function
import socket
import ssl
import sys

try:
    from urllib2 import urlopen
except ImportError:
    from urllib.request import urlopen

X509_V_FLAG_TRUSTED_FIRST = 0x8000
URL = "https://addtrust-chain.demo.sslmate.com"

print(sys.version)
print(ssl.OPENSSL_VERSION)
print()

ctx = ssl.create_default_context()
assert ctx.verify_mode == ssl.CERT_REQUIRED
assert ctx.check_hostname == True

print("Try with default verify flags")
print("verify_flags", hex(ctx.verify_flags))
try:
    urlopen(URL, context=ctx)
except Exception as e:
    print("FAILED")
    print(e)
else:
    print("success")
print()

print("Try again with X509_V_FLAG_TRUSTED_FIRST")
ctx.verify_flags |= X509_V_FLAG_TRUSTED_FIRST
print("verify_flags", hex(ctx.verify_flags))
try:
    urlopen(URL, context=ctx)
except Exception as e:
    print("FAILED")
    print(e)
else:
    print("success")
print()
Problem
The downloaded certificate does not work
| OS | curl | wget |
|---|---|---|
| Debian | ✗ | ✓ |
| RedHat | ✗ | ✗ |
Source: https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
openssl s_client -showcerts -connect acme.fr:443 -servername acme.fr </dev/null 2>/dev/null | openssl x509 -outform PEM >mycertfile.pem
OK on Debian, NOK on RedHat:
wget --ca-certificate=mycertfile.pem https://acme.fr:443/somepage
NOK on Debian and RedHat:
curl --show-error --verbose --cacert mycertfile.pem https://acme.fr:443/somepage
Solution
Use -verify to obtain the complete chain, that is, download not only the public key of acme.fr but also the public key of the CA.
openssl s_client -showcerts -verify 5 -connect 192.168.56.101:7000 -servername acme.fr </dev/null > mycertfile.pem
Then keep only the CA. Note: this does not work with a self-signed certificate, since there is no separate CA to keep. On Debian, it is possible to install the certificate as if it were a CA's.
vim mycertfile.pem
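Instead of editing mycertfile.pem by hand, the following added example (not part of the original notes) splits the output of the `openssl s_client -showcerts -verify 5 ...` command above into its PEM blocks and keeps only the last one: s_client prints the leaf first, so the last block is the CA candidate, and when the server sent a single self-signed certificate (the caveat above) `describe_chain` says so. Only `fetch_ca_cert` contacts a server; the host and SNI name in its usage comment are the ones from the notes, and the sample chain is constructed with placeholder bodies.

```shell
# Count the PEM certificate blocks read from stdin.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$'
}

# Print only the last PEM block from stdin: s_client lists the leaf
# first, so this is the CA candidate, or the self-signed leaf itself
# when the server sent a single certificate.
pem_last() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { buf = ""; inblk = 1 }
        inblk { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----$/ { inblk = 0 }
        END { printf "%s", buf }'
}

# One-line verdict on what pem_last keeps, from the block count.
describe_chain() {
    case "$(pem_count)" in
        0) echo "no certificate in input" ;;
        1) echo "single block: self-signed leaf, no separate CA" ;;
        *) echo "chain: last block kept as CA" ;;
    esac
}

# Live use (host and SNI name taken from the notes; not run here).
# Usage: fetch_ca_cert 192.168.56.101:7000 acme.fr > ca.crt
fetch_ca_cert() {
    openssl s_client -showcerts -verify 5 -connect "$1" -servername "$2" \
        </dev/null 2>/dev/null | pem_last
}

# Constructed sample in the shape of s_client output; the base64
# bodies are placeholders, not real certificates.
SAMPLE_CHAIN=' 0 s:CN = acme.fr
   i:CN = Example CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERLEAFPLACEHOLDERLEAFPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example CA
   i:CN = Example CA
-----BEGIN CERTIFICATE-----
CAPLACEHOLDERCAPLACEHOLDERCAPLACEHOLDERCAPLACE
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_CHAIN" | describe_chain
printf '%s\n' "$SAMPLE_CHAIN" | pem_last
```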
Notes on Squid
/etc/squid/squidGuard.conf
/etc/squid/squid.conf
cache_peer localhost parent 8118 0 default no-query no-digest no-netdb-exchange
never_direct allow all
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
redirect_children 20
header_access From deny all
header_access Server deny all
#header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
header_access Referer deny all
/etc/privoxy/user.action
safe-imgnotadd = -filter{banners-by-size}
{ safe-imgnotadd }
michelcollon.info
www..michelcollon.info
{ -block-as-image }
rt.com/files/banners/
.almanar.com.lb/
{ +hide-user-agent{Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0} }
#.yahoo.com
/etc/squid3/squid.conf
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
#acl allowedips src 10.8.0.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
#http_access allow allowedips
http_access allow all
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir ufs /var/spool/squid3 512 16 256
cache_mem 256 MB
maximum_object_size 15 MB
positive_dns_ttl 8 hours
negative_ttl 1 minutes
#visible_hostname proxy.local
#httpd_suppress_version_string on
via off
forwarded_for off
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all
dns_nameservers 8.8.8.8 80.67.169.12 80.67.169.40
Squid2 CentOS5
/etc/squid/squid.conf
http_port 3128
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir ufs /var/spool/squid 512 16 256
cache_mem 256 MB
maximum_object_size 15 MB
positive_dns_ttl 8 hours
negative_ttl 1 minutes
via off
forwarded_for off
follow_x_forwarded_for deny all
Reports
See lightsquid: http://blog.adminrezo.fr/2015/11/lightsquid/
