@gwsales
gwsales / audit.rules
Created October 6, 2018 01:44 — forked from Neo23x0/audit.rules
Linux Auditd Best Practice Configuration
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
@gwsales
gwsales / SysmonStartup.bat
Created October 25, 2018 19:13 — forked from silentbreaksec/SysmonStartup.bat
Windows batch file to deploy Sysmon using a startup script via GPO
@echo off
:: Author: Ryan Watson
:: Twitter: @gentlemanwatson
:: Version: 1.0
:: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point
:: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/
:: ** IMPORTANT **
:: 1) Create a Sysmon folder within the SYSVOL share on your domain controller
:: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in
@gwsales
gwsales / pia-pptp-nm.sh
Last active February 16, 2019 14:08
Private Internet Access PPTP VPN Profile Script
#!/bin/bash
## This script requires jq
if ! [ -x "$(command -v jq)" ]; then
    echo 'Error: jq is not installed.' >&2
    exit 1
fi
echo -n "PIA pptp username (xNNNNNNN not pNNNNNNN): "
read pia_username
@gwsales
gwsales / ansible_local_playbooks.md
Created August 28, 2019 13:57 — forked from alces/ansible_local_playbooks.md
How to run an Ansible playbook locally
  • using Ansible command line:
ansible-playbook --connection=local 127.0.0.1 playbook.yml
  • using inventory:
127.0.0.1 ansible_connection=local
@gwsales
gwsales / ufw.md
Created October 18, 2019 01:04 — forked from kimus/ufw.md
NAT and FORWARD with Ubuntu’s ufw firewall

UFW

I use Ubuntu's Uncomplicated Firewall (ufw) because it ships with Ubuntu and is very simple to use.

Install UFW

If ufw is not installed by default, be sure to install it first.

@gwsales
gwsales / fix.sh
Last active June 3, 2020 14:38 — forked from alexalouit/fix.sh
fix Logstash error "logstash load error: ffi/ffi -- java.lang.NullPointerException: null" on Raspbian
#!/bin/bash
# based on https://github.com/mew2057/CAST/blob/6c7f7d514b7af3c512635ec145aa829c535467dc/csm_big_data/config-scripts/logstashFixupScript.sh
# see: https://github.com/elastic/logstash/issues/10755
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi
@gwsales
gwsales / Winlogbeat-Bulk-Read.ps1
Created August 14, 2020 02:08
Winlogbeat-Bulk-Read
<#
.SYNOPSIS
PowerShell loop to read local .evtx files into Elastic's winlogbeat agent.
.DESCRIPTION
PowerShell loop to read local .evtx files into Elastic's winlogbeat agent.
Use winlogbeat.yml to customize your configuration of winlogbeat including output.
This script will attempt to use winlogbeat.yml which is ignored in .gitignore but
if this file is not found, it will fall back to using the example that will output
logs to .\winlogbeat\events.json. Once an EVTX file has been read winlogbeat will
@gwsales
gwsales / Enable-PS7-Logging.ps1
Created November 24, 2023 15:43
Enable logging for PowerShell V7
#Requires -RunAsAdministrator
$Path = "HKLM:\Software\Policies\Microsoft\PowerShellCore"
## ScriptBlockLogging
if (-not (Test-Path $Path\ScriptBlockLogging)) {
    $null = New-Item $Path\ScriptBlockLogging -Force
}
Set-ItemProperty -Path $Path\ScriptBlockLogging -Name EnableScriptBlockLogging -Value "1" -Type Dword
## ModuleLogging