A common and reliable pattern in service unit files is thus:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
Jean-Christophe jcberthon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IMPORTANT! | |
| # This gist has been transformed into a github repo | |
| # You can find the most recent version there: | |
| # https://github.com/Neo23x0/auditd | |
| # ___ ___ __ __ | |
| # / | __ ______/ (_) /_____/ / | |
| # / /| |/ / / / __ / / __/ __ / | |
| # / ___ / /_/ / /_/ / / /_/ /_/ / | |
| # /_/ |_\__,_/\__,_/_/\__/\__,_/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| GARBAGE="/var/lib/docker/aufs/diff" | |
| du -hd 1 $GARBAGE | sort -hrk 1 | head -25 | |
| find $GARBAGE -maxdepth 1 -name *-removing -exec rm -rf '{}' \; |
ageis
/ systemd_service_hardening.md
Last active
April 17, 2024 16:39
Options for hardening systemd service units
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| flush ruleset | |
| # filter | |
| table ip filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid counter drop comment "drop invalid packets" | |
| ct state {established, related} counter accept comment "accept all connections related to connections made by us" | |
| iifname lo accept comment "accept loopback" | |
| iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback" |
maxvt
/ infra-secret-management-overview.md
Last active
February 28, 2024 20:53
Infrastructure Secret Management Software Overview
Currently, there is an explosion of tools that aim to manage secrets for automated, cloud native infrastructure management. Daniel Somerfield did some work classifying the various approaches, but (as far as I know) no one has made a recent effort to summarize the various tools.
This is an attempt to give a quick overview of what can be found out there. The list is alphabetical. There will be tools that are missing, and some of the facts might be wrong--I welcome your corrections. For the purpose, I can be reached via @maxvt on Twitter, or just leave me a comment here.
There is a companion feature matrix of various tools. Comments are welcome in the same manner.
nerdalert
/ Netfilter-IPTables-Diagrams.md
Last active
April 9, 2024 09:18
Linux NetFilter, IP Tables and Conntrack Diagrams
1) Filter Table
Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table. Iptables’s filter table has the following built-in chains.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: ruby -*- | |
| # vi: set ft=ruby : | |
| # Vagrantfile API/syntax version. Don't touch unless you know what you're doing! | |
| VAGRANTFILE_API_VERSION = '2' | |
| Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| | |
| # All Vagrant configuration is done here. The most common configuration | |
| # options are documented and commented below. For a complete reference, | |
| # please see the online documentation at vagrantup.com. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo apt-get install -y supervisor | |
| sudo mkdir /usr/share/elasticsearch | |
| cd /usr/share/elasticsearch | |
| sudo wget https://download.elasticsearch.org/kibana/kibana/kibana-4.0.1-linux-x64.tar.gz | |
| sudo wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.tar.gz | |
| sudo wget https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.tar.gz | |
| sudo tar -zxvf elasticsearch-0.90.0.tar.gz |
martinseener
/ check_freak.sh
Last active
January 9, 2022 03:21
check_freak.sh - A simple nagios-compatible check for the FREAK vulnerability (CVE 2015-0204)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # check_freak.sh | |
| # (c) 2015 Martin Seener | |
| # Simple script which checks SSL/TLS services for the FREAK vulnerability (CVE 2015-0204) | |
| # It will output if the checked host is vulnerable and returns the right exit code | |
| # so it can also be used as a nagios check! | |
| PROGNAME=$(basename $0) |
XVilka
/ TrueColour.md
Last active
April 8, 2024 14:02
True Colour (16 million colours) support in various terminal applications and terminals
THIS GIST WAS MOVED TO TERMSTANDARD/COLORS REPOSITORY.
PLEASE ASK YOUR QUESTIONS OR ADD ANY SUGGESTIONS AS A REPOSITORY ISSUES OR PULL REQUESTS INSTEAD!
NewerOlder