Table of contents
4 post(s) for January 2026
| AWX on K8S Kind - file sharing for blobs - Execution pods | 2026/01/26 10:15 | Jean-Baptiste |
| Notes rsh rcp | 2026/01/21 18:08 | Jean-Baptiste |
| Git - Duplicating a repository | 2026/01/19 10:22 | Jean-Baptiste |
| Simple Nagios config example | 2026/01/14 10:07 | Jean-Baptiste |
Debian audit: version differences between a package's original file and the current file
Find the files that no longer match those shipped in the original version of the package
dpkg --verify
debsums -as
Compare the differences
cmpfiledeb.sh
#! /bin/bash
# Compare an installed file with the copy shipped in its Debian package.
# Usage: ./cmpfiledeb.sh /etc/path/to/file
rm -rf /tmp/plop/*
mkdir /tmp/plop 2>/dev/null
# Package owning the file (first match only, dpkg -S can list several)
PAQ=$(dpkg -S "$1" | head -n1 | cut -d':' -f1)
cd /tmp/plop || exit 1
apt-get download "$PAQ"
ar x *.deb
tar xf data.tar.* > /dev/null
#vimdiff /tmp/plop/$1 $1
#vimdiff <(egrep -v "^$|^;|^#" /tmp/plop/$1) <(egrep -v "^$|^;|^#" $1)
# Diff the packaged copy against the installed one, ignoring blank lines and #/; comments
diff <(egrep -v "^$|^;|^#" "/tmp/plop/$1") <(egrep -v "^$|^;|^#" "$1")
Example:
./cmpfiledeb.sh /etc/mysql/my.cnf
< bind-address = 127.0.0.1
---
> event_scheduler = ON
> open_files_limit = 2048
22a24
> max_connections = 520
Remember the include /etc/my.cnf.d/* etc…!!
for fic in $(LANG=C debsums -as 2>&1 |grep -v "/etc/apache2" |sed -e 's/^debsums: changed file //' |awk '{print $1}')
do
  echo "$fic"
  read
  ./cmpfiledeb.sh "$fic"
done
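As an added example (not part of the original notes and not a Debian tool), the same audit in Python: it parses `dpkg --verify` output into changed conffiles and changed non-conffiles, then diffs a config against its packaged copy while ignoring blank lines and `#`/`;` comments, as the egrep filter above does (this version also tolerates leading whitespace before a comment marker). The `dpkg --verify` lines and both my.cnf contents are constructed samples.

```python
"""Added example: triage `dpkg --verify` output and diff a config against its packaged copy."""
import difflib
import re
from dataclasses import dataclass

# Constructed sample of `dpkg --verify` output (rpm-style format: a 9-character flag
# field, an optional 'c' marking a conffile, then the path; a '5' in the third
# position means the MD5 sum no longer matches the one recorded by the package).
SAMPLE_VERIFY = """\
??5??????   c /etc/mysql/my.cnf
??5??????     /usr/share/doc/mysql-server/README
missing     c /etc/mysql/conf.d/local.cnf
"""

# Constructed config contents: the packaged default and a locally edited copy.
PACKAGED_MYCNF = """\
# MySQL packaged defaults (constructed sample)
[mysqld]
user = mysql
bind-address = 127.0.0.1
; ini-style comment

max_connections = 151
"""
CURRENT_MYCNF = """\
# locally edited copy (constructed sample)
[mysqld]
user = mysql
# bind-address = 127.0.0.1
event_scheduler = ON
max_connections = 520
"""


@dataclass
class VerifyEntry:
    path: str
    flags: str      # 9-character flag field, or the word "missing"
    conffile: bool


def parse_dpkg_verify(output: str) -> list[VerifyEntry]:
    entries = []
    for line in output.splitlines():
        parts = line.split(None, 2)  # [flags, 'c', path] or [flags, path]
        if not parts:
            continue
        flags, rest = parts[0], parts[1:]
        conffile = bool(rest) and rest[0] == "c"
        if conffile:
            rest = rest[1:]
        # "missing" lines may carry a trailing "(error message)"; drop it
        path = re.sub(r"\s*\(.*\)$", "", " ".join(rest))
        entries.append(VerifyEntry(path, flags, conffile))
    return entries


def is_modified(e: VerifyEntry) -> bool:
    return e.flags == "missing" or (len(e.flags) == 9 and e.flags[2] == "5")


def changed_conffiles(output: str) -> list[str]:
    """Config files the admin (or someone else) edited: diff these against the package."""
    return [e.path for e in parse_dpkg_verify(output) if e.conffile and is_modified(e)]


def modified_non_conffiles(output: str) -> list[str]:
    """Non-config files that changed: only a package upgrade should touch these."""
    return [e.path for e in parse_dpkg_verify(output) if not e.conffile and is_modified(e)]


# Blank lines and lines whose first non-blank character is '#' or ';' are noise
COMMENT_RE = re.compile(r"^\s*($|[#;])")


def normalize_config(text: str) -> list[str]:
    return [line.rstrip() for line in text.splitlines() if not COMMENT_RE.match(line)]


def config_diff(packaged: str, current: str) -> list[str]:
    """Lines that differ, prefixed '-' (packaged only) or '+' (current only)."""
    diff = difflib.unified_diff(normalize_config(packaged), normalize_config(current),
                                "packaged", "current", lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++ ", "--- "))]


if __name__ == "__main__":
    print("changed conffiles:", changed_conffiles(SAMPLE_VERIFY))
    print("modified non-conffiles:", modified_non_conffiles(SAMPLE_VERIFY))
    for line in config_diff(PACKAGED_MYCNF, CURRENT_MYCNF):
        print(line)
```

In the sample, the commented-out `bind-address` shows up as a removed line, which is exactly the kind of change worth catching: with that line gone, MySQL falls back to listening on every interface.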
Notes Chromium
Debug
https://chromedevtools.github.io/devtools-protocol/
chromium --headless
chromium --remote-debugging-port=9222 &
chromium --user-data-dir=/tmp/plop http://localhost:9222
# Allow file:// URLs
chromium --allow-file-access-from-files
Install
Chrome on RedHat 6 & 7
sudo wget https://chromedriver.storage.googleapis.com/84.0.4147.30/chromedriver_linux64.zip
sudo unzip chromedriver_linux64.zip
sudo mv chromedriver /usr/bin/chromedriver
chromedriver --version
sudo curl https://intoli.com/install-google-chrome.sh | bash
sudo mv /usr/bin/google-chrome-stable /usr/bin/google-chrome
google-chrome --version
Other
DNS cache
chrome://net-internals/#dns
Root CA certificate notes
See:
curl
$ strace -f --trace=%file curl https://www.acme.fr 2>&1 |egrep -v 'ENOENT|/lib/' |grep ^open
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
To check: whether curl uses libnss
Test
curl -v -s --noproxy '*' -D - https://127.0.0.1:443/some-secure-endpoint
List the CAs on Debian
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
List the CAs on RedHat
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/certs/ca-bundle.crt
Check the CAs
openssl s_client -connect localhost:7000 -servername www.acme.fr -CAfile /tmp/cert.pem </dev/null
trust list --filter=ca-anchors --purpose=server-auth |grep ACME -i -A2 -B3
find /etc/ssl/certs -type l -iname "*.0" -exec cat "{}" \; | awk -v cmd='openssl x509 -noout -subject -enddate 2>/dev/null | tr "\n" " " ; echo' '/BEGIN/{cert=""};{cert=sprintf("%s\n%s",cert,$0)};/END/{print cert | cmd ;close(cmd)}' | sed -r 's:^subject=::' | sort -u
# Other
cat /etc/ssl/certs/ca-certificates.crt | keytool -printcert 2>/dev/null | grep "^Certificate\[" -A11 | less
csplit -z ca-bundle.crt /#/ '{*}'
Whitelist / blacklist
# /etc/pki/ca-trust/source/whitelist/
# update-ca-trust
# trust dump --filter "pkcs11:id=%BD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1B;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
# update-ca-trust extract
# trust list | grep -C2 "AddTrust External"
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
pkcs11:id=%bd%bd%98%7a%34%b4%26%f7%fa%c4%26%54%ef%03%bd%e0%24%cb%54%1B;type=cert
type: certificate
label: AddTrust External Root
trust: blacklisted
category: authority
RedHat PKI backup
# Backup
cp -a /etc/pki /etc/pki.bak
# Restore
rsync -ax --delete /etc/pki.bak/ /etc/pki/
Remove a CA certificate
trust anchor --remove pkcs11:id=%15%FF%08%56%E0%6C%64%24%D0%56%70%91%87%8A%2B%2C%C6%5C%DD%34;type=cert
# or
trust anchor --remove path.to/certificate.crt
or
rm /etc/pki/ca-trust/source/anchors/<CA Certificate Filename>
update-ca-trust
split the bundle into individual certificates
Source: https://www.redhat.com/sysadmin/configure-ca-trust-list
Cut bundle into individual files:
csplit -z ca-bundle.crt /#/ '{*}'
Remove blank lines:
sed -i '/^$/d' xx*
Rename files:
for file in xx*; do mv $file $(head -n 1 $file | tr -d \#" "); done
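An added example, not code from the Red Hat article or from p11-kit, that performs the same split in Python and covers the whitelist/blacklist section too: each certificate in the bundle gets its label (the `#` comment line that precedes it) and the SHA-256 fingerprint of its DER encoding, so a blacklist of fingerprints can be applied before the bundle is re-exported. The labels are constructed and the base64 bodies are placeholders, not real certificates. Note the page's p11-kit blacklist keys on the pkcs11 id, whereas this example keys on the SHA-256 fingerprint (the value `openssl x509 -noout -fingerprint -sha256` prints).

```python
"""Added example: split a PEM CA bundle, fingerprint each certificate, apply a blacklist."""
import base64
import hashlib
from dataclasses import dataclass

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed bundle in the ca-bundle.crt layout ('# label' line before each block).
# The base64 bodies are placeholders, NOT real certificates.
SAMPLE_BUNDLE = (
    "# Example Root CA One\n"
    + BEGIN + "\n" + "A" * 64 + "\n" + "A" * 64 + "\n" + END + "\n"
    + "\n"
    + "# Example Root CA Two\n"
    + BEGIN + "\n" + "B" * 64 + "\n" + END + "\n"
)


@dataclass
class BundleCert:
    label: str
    pem: str
    der_len: int
    sha256: str     # fingerprint of the DER encoding, lowercase hex


def split_bundle(text: str) -> list[BundleCert]:
    """Equivalent of the csplit/sed/mv sequence, kept in memory."""
    certs, label, block = [], "", None
    for line in text.splitlines():
        s = line.strip()
        if block is None:
            if s.startswith("#"):
                label = s.lstrip("# ")          # label comment preceding the block
            elif s == BEGIN:
                block = [s]
        else:
            block.append(s)
            if s == END:
                der = base64.b64decode("".join(block[1:-1]), validate=True)
                certs.append(BundleCert(label or f"cert-{len(certs) + 1}",
                                        "\n".join(block) + "\n",
                                        len(der), hashlib.sha256(der).hexdigest()))
                block, label = None, ""
    return certs


def filenames(text: str) -> list[str]:
    """File names the page's rename loop produces: the label with '#' and spaces removed."""
    return [c.label.replace(" ", "") for c in split_bundle(text)]


def filter_bundle(text: str, blacklist_sha256: set[str]) -> list[BundleCert]:
    """Drop every certificate whose SHA-256 fingerprint is on the blacklist."""
    banned = {f.replace(":", "").lower() for f in blacklist_sha256}
    return [c for c in split_bundle(text) if c.sha256 not in banned]


def to_bundle(certs: list[BundleCert]) -> str:
    """Re-export in the same '# label' + PEM layout so the result can replace the bundle."""
    return "\n".join(f"# {c.label}\n{c.pem}" for c in certs)


if __name__ == "__main__":
    for c in split_bundle(SAMPLE_BUNDLE):
        print(f"{c.sha256}  {c.der_len:5d}  {c.label}")
```

`filter_bundle` accepts fingerprints in the colon-separated uppercase form openssl prints as well as plain lowercase hex; the p11-kit `trust dump --filter` route above remains the supported way to blacklist on a RedHat system, this only shows what that blacklist decision amounts to at the bundle level.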
Add a CA
See:
curl http://satellite.example.com/pub/katello-server-ca.crt -o /etc/pki/ca-trust/source/anchors/satellite-ca.crt
update-ca-trust
Other
# rpm -ql ca-certificates
# rpm -q --filesbypkg ca-certificates |awk '/bin\// { print $2}'
/usr/bin/ca-legacy
/usr/bin/update-ca-trust
Notes Centreon
I advise you not to deploy Centreon. If you need a monitoring solution, you can try Zabbix.
General
/etc/centreon-engine/resource.cfg
$USER1$=/usr/lib64/nagios/plugins
$CENTREONPLUGINS$=/usr/lib/centreon/plugins
Configuration via the WebUI
Keep the default values up to screen 4
Then on screen 5:
password: yieCh4ha
First name: admin
Last name: admin
email: root@localhost
Screen 6
Database Host Address (default: localhost): 192.168.5.1
Root password: [See roles/centreon-docker/templates/env.sh.j2]
Database user password: same
Dialog box "Feature testing" => "No"
Log in, go to Configuration > Pollers, check "Central", click "Export configuration", check everything and select the "Restart" method
Update
- Update the packages
- Update the extensions via the Extensions Manager
- Update the Plugin Packs
- Run the procedure http://localhost/centreon/install/upgrade.php
Password reset
Example for admin / centreon
INSERT INTO contact_password (password, contact_id, creation_date) VALUES ('$2y$10$ubq1hJ9z3YPXBhejjae.Ie9u3AcMrwFNImPhOnnkLmEoNtwRGwNrC', 1, (SELECT UNIX_TIMESTAMP(NOW())));
Logs
DB partitioning
See:
mysql -u centreon -p centreon_storage
ALTER TABLE logs REMOVE PARTITIONING;
su - centreon
php /usr/share/centreon/cron/centstorage_purge.php
php /usr/share/centreon/bin/centreon-partitioning.php -m data_bin
php /usr/share/centreon/bin/centreon-partitioning.php -m log_archive_service
php /usr/share/centreon/bin/centreon-partitioning.php -m log_archive_host
php /usr/share/centreon/bin/centreon-partitioning.php -m logs
Other
1
systemctl status cbd centengine gorgoned httpd
2
rm -f /var/lib/centreon/metrics/*
rm -f /var/lib/centreon/status/*
rm -f /var/lib/centreon/nagios-perf/*/*
3
mysql -u centreon -p centreon_storage
DELETE FROM logs_old ;
TRUNCATE logs ;
TRUNCATE servicestateevents ;
DELETE FROM data_bin WHERE id_metric NOT IN (SELECT metric_id FROM metrics) ;
su - centreon -c "/usr/share/centreon/cron/eventReportBuilder -r"
#su - centreon -c "/usr/share/centreon/cron/dashboardBuilder -r"
# CRON
su - centreon -c "/usr/share/centreon/cron/eventReportBuilder --config=/etc/centreon/conf.pm"
su - centreon -c "/usr/share/centreon/cron/dashboardBuilder --config=/etc/centreon/conf.pm"
Problem
# yum install -y centreon-base-config-centreon-engine centreon
--> Finished Dependency Resolution
Error: Package: nagios-plugins-perl-1.4.16-10.el7.centos.x86_64 (centreon-stable)
Requires: nagios-plugins = 1.4.16-10.el7.centos
Available: nagios-plugins-1.4.16-10.el7.centos.x86_64 (centreon-stable)
nagios-plugins = 1.4.16-10.el7.centos
Installing: nagios-plugins-2.3.3-2.el7.x86_64 (epel)
nagios-plugins = 2.3.3-2.el7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Solution
# repoquery --location centreon-plugins
http://yum.centreon.com/standard/3.4/el7/stable/noarch/RPMS/centreon-plugins-2.8.32-1.el7.centos.noarch.rpm
rpm -Uvh --nodeps $(repoquery --location centreon-plugins)
Smart card notes
See:
x509
Server side:
Python:
sudo aptitude install pcscd libpcsclite1 pcsc-tools
sudo aptitude install openct opensc
Test your Token
opensc-tool -lv
openct-tool list
pcsc_scan
See also:
How can I distinguish a Nitrokey HSM 1 from a Nitrokey HSM 2?
Use
opensc-tool --list-algorithms
Tools
- opensc-tool
- pkcs11-tool
- pkcs15-tool
- pkcs15-init
- cardos-tool
Install - Check - Drivers
pkcs11-tool --module opensc-pkcs11.so -L
OpenSSL
List the available slots.
pkcs11-tool --list-slots
openssl req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text
where X is the appropriate slot number and XXXX is the slot ID, e.g. “… -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a …”
GPG
Reset to factory defaults: Make sure GnuPG agent is started, if not:
eval $(gpg-agent --daemon)
Send the reset commands:
gpg-connect-agent < file
Where “file” contains:
hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Reset complete
Source https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/
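To make visible what the reset file above actually sends, here is an added decoder (not part of the Mozilla post, of GnuPG or of OpenSC) that parses the `scd apdu` lines as ISO 7816 command APDUs (CLA INS P1 P2 [Lc data]). The INS names come from ISO 7816-4 and the PIN reference names (0x81 = PW1, 0x83 = PW3) from the OpenPGP card specification; the script text is the page's own file embedded as a constant.

```python
"""Added example: decode the gpg-connect-agent reset script as ISO 7816 command APDUs."""
from collections import Counter
from dataclasses import dataclass

# The page's reset file, embedded verbatim.
RESET_SCRIPT = """\
hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Reset complete
"""

# ISO 7816-4 instruction bytes used by the script
INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
# OpenPGP card PIN references carried in P2 of VERIFY
PIN_REFS = {0x81: "PW1 (user PIN)", 0x83: "PW3 (admin PIN)"}


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes

    @property
    def name(self) -> str:
        return INS_NAMES.get(self.ins, f"INS 0x{self.ins:02X}")


def parse_script(text: str) -> list[Apdu]:
    """Extract the APDUs; 'hex', 'scd serialno' and '/echo' are agent commands, not APDUs."""
    apdus = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("scd apdu "):
            continue
        b = bytes.fromhex(line[len("scd apdu "):])     # whitespace between bytes is accepted
        if len(b) < 4:
            raise ValueError(f"short APDU: {line}")
        data = b[5:5 + b[4]] if len(b) > 4 else b""    # Lc byte followed by Lc data bytes
        apdus.append(Apdu(b[0], b[1], b[2], b[3], data))
    return apdus


def describe(apdu: Apdu) -> str:
    if apdu.ins == 0x20:
        ref = PIN_REFS.get(apdu.p2, f"reference 0x{apdu.p2:02X}")
        return f"VERIFY {ref} with {len(apdu.data)}-byte PIN {apdu.data!r}"
    return apdu.name


def verify_attempts(apdus: list[Apdu]) -> dict[int, int]:
    """Number of VERIFY commands per PIN reference (P2)."""
    return dict(Counter(a.p2 for a in apdus if a.ins == 0x20))


def explain(text: str) -> list[str]:
    return [describe(a) for a in parse_script(text)]


if __name__ == "__main__":
    for line in explain(RESET_SCRIPT):
        print(line)
```

Reading the decoded output: eight VERIFY commands with the deliberately wrong 8-byte PIN `@@@@@@@@` (0x40 repeated), four against PW1 and four against PW3, exhaust both retry counters; only then do TERMINATE DF and ACTIVATE FILE wipe and recreate the OpenPGP application with its factory defaults. That is also why this file is a factory reset and nothing subtler: every key and PIN on the card is gone afterwards.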
Other
data objects (DF, EF)
pkcs
The three keys on the card have these IDs: Signing key: 1, Decryption key: 2, Authentication key: 3.
Key generation via pkcs15-init
pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify
The keyspec consists of the key type (only RSA is supported) and optionally a slash followed by the key size in bits (defaults to 1024). E.g. to generate a 1024-bit RSA key, use pkcs15-init -G rsa/1024 -a 01 -l testkey
There is a limitation: pkcs15-init requires the new key length to be the same as the existing key's. To generate a key with a different key length, openpgp-tool is recommended.
pkcs15-init also requires the existing key/object to be explicitly removed. That's why we have --delete-objects privkey,pubkey --id 3 in the command (though it has no effect on the CryptoStick, which does not support deleting keys but does support overwriting them).
Source: https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
Other
pkcs15-tool --dump
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
The two commands copy the key-certificate pair to the slot 2 (needed for decrypting emails) and slot 3 (needed for signing).
Other - Key pair generation for S/MIME
#set +o history
# With ignorespace, a command typed with a leading space is kept out of the shell history
export HISTCONTROL=ignorespace
 pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 40 --label "antispam@relst.nl"
