Jean-Christophe jcberthon

@Neo23x0
Neo23x0 / audit.rules
Last active May 22, 2020
Linux Auditd Best Practice Configuration
View audit.rules
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
# ___ ___ __ __
# / | __ ______/ (_) /_____/ /
# / /| |/ / / / __ / / __/ __ /
# / ___ / /_/ / /_/ / / /_/ /_/ /
# /_/ |_\__,_/\__,_/_/\__/\__,_/
@maxzinkus
maxzinkus / firefox.md
Last active Sep 14, 2019
Configuring Firefox for security and privacy (as of Oct. 2017)
View firefox.md

Configuring/Hardening Firefox for Security and Privacy

Source for some of these

  1. about:config
  • dom.event.clipboardevents.enabled => false
  • clipboard.plainTextOnly => true
  • referer spoofSource => true
  • media.peerconnection
@osiyuk
osiyuk / docker-gc
Created Sep 1, 2017
free up disk space after docker garbage
View docker-gc
#!/bin/bash
# Directory where the aufs storage driver keeps layer diffs
GARBAGE="/var/lib/docker/aufs/diff"
# Show the 25 largest entries to see what is eating disk
du -hd 1 "$GARBAGE" | sort -hrk 1 | head -25
# Remove leftover "*-removing" layers; quote the pattern so the shell does not expand it
find "$GARBAGE" -maxdepth 1 -name '*-removing' -exec rm -rf '{}' \;
@ageis
ageis / systemd_service_hardening.md
Last active May 29, 2020
Options for hardening systemd service units
View systemd_service_hardening.md

security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
@mortn
mortn / nftables.conf
Last active Jun 28, 2018
nftables router
View nftables.conf
flush ruleset
# filter
table ip filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "drop invalid packets"
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
iifname lo accept comment "accept loopback"
iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
@maxvt
maxvt / infra-secret-management-overview.md
Last active May 20, 2020
Infrastructure Secret Management Software Overview
View infra-secret-management-overview.md

Currently, there is an explosion of tools that aim to manage secrets for automated, cloud native infrastructure management. Daniel Somerfield did some work classifying the various approaches, but (as far as I know) no one has made a recent effort to summarize the various tools.

This is an attempt to give a quick overview of what can be found out there. The list is alphabetical. There will be tools that are missing, and some of the facts might be wrong--I welcome your corrections. For the purpose, I can be reached via @maxvt on Twitter, or just leave me a comment here.

There is a companion feature matrix of various tools. Comments are welcome in the same manner.

@nerdalert
nerdalert / Netfilter-IPTables-Diagrams.md
Last active May 26, 2020
Linux NetFilter, IP Tables and Conntrack Diagrams
View Netfilter-IPTables-Diagrams.md

Linux NetFilter, IP Tables and Conntrack Diagrams

IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1) Filter Table

Filter is the default table for iptables, so if you don't specify a table you'll be using the filter table. The filter table has the following built-in chains.

View Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = '2'
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
# All Vagrant configuration is done here. The most common configuration
# options are documented and commented below. For a complete reference,
# please see the online documentation at vagrantup.com.
@vjm
vjm / install.sh
Created Mar 7, 2015
Raspberry Pi ELK Stack
View install.sh
sudo apt-get install -y supervisor
sudo mkdir /usr/share/elasticsearch
cd /usr/share/elasticsearch
sudo wget https://download.elasticsearch.org/kibana/kibana/kibana-4.0.1-linux-x64.tar.gz
sudo wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.tar.gz
sudo wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz
sudo tar -zxvf elasticsearch-1.4.4.tar.gz
@martinseener
martinseener / check_freak.sh
Last active Jul 26, 2018
check_freak.sh - A simple nagios-compatible check for the FREAK vulnerability (CVE 2015-0204)
View check_freak.sh
#!/usr/bin/env bash
# check_freak.sh
# (c) 2015 Martin Seener
# Simple script which checks SSL/TLS services for the FREAK vulnerability (CVE 2015-0204)
# It will output if the checked host is vulnerable and returns the right exit code
# so it can also be used as a nagios check!
PROGNAME=$(basename "$0")