dushenda

李德胜大大粉丝

dushenda

发表于

audit用途

监控文件、命令、网络等,生成监控报告。

安装启动audit

安装audit工具 

1
yum install audit
配置了 auditd 后,启动服务以收集 审计信息,并将它存储在日志文件中。以 root 用户身份运行以下命令来启动 auditd :

1
service auditd start

将 auditd 配置为在引导时启动:

1
systemctl enable auditd

可以使用 # auditctl -e 0 命令临时禁用 auditd,并使用 # auditctl -e 1 重新启用它。

可以使用 service auditd _<action>_ 命令对 auditd 执行其他操作,其中 _<action>_可以是以下之一:

stop :停止 auditd

restart:重新启动 auditd

reload 或 force-reload:重新加载 /etc/audit/auditd.conf 文件中 auditd 的配置。

rotate:轮转 /var/log/audit/ 目录中的日志文件。

resume:在其之前被暂停后重新恢复审计事件记录,例如,当保存审计日志文件的磁盘分区中没有足够的可用空间时。

condrestart 或 try-restart:只有当 auditd 运行时才重新启动它。

status:显示 auditd 的运行状态。

配置规则

举例说明,监控/home/test_audit/文件夹(文件)的变更选项为rwxa(r=read, w=write, x=execute, a=attribute),设置关键字dushnda_watch 

1
auditctl -w /home/test_audit/ -p rwxa -k dushnda_watch
配置完后查询规则 
1
2
[root@172 ~]# auditctl -l
-w /home/test_audit -p rwxa -k dushnda_watch
之后做一些权限改变,增改文件操,查看日志ausearch,查看报告areport 
1
ausearch -i -k dushnda_watch

这里的每个type是一个一次的一条记录,具体的含义查看参考链接[1],这里主要关注对文件的操作,这段日志含义是使用vim打开了文件(syscall),当前文件权限是644。

删除路径监控 

1
auditctl -W /home/test_audit -p rwxa -k dushnda_watch

其中,auditctl -d的删除和auditctl -a的添加对应,auditctl -W的删除和auditctl -w的添加对应,auditctl -D删除所有规则。

参考链接

[1] https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening#linux-audit_auditing-the-system

[2] https://deepinout.com/linux-cmd/linux-audit-system-related-cmd/linux-cmd-auditctl.html

发表于

GDB调试

当前文件夹目录 Makefile文件 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
cpvmlinux:  
cp /home/dsd/Code/linux-5.18.10/vmlinux vmlinux  
  
cpimage:  
cp /home/dsd/Code/linux-5.18.10/arch/x86/boot/bzImage ./bzImage  
  
initramfs:  
cd ./initramfs_dir && find . -print0 | cpio -ov --null --format=newc | gzip -9 > ../initramfs.img  
  
run:  
qemu-system-x86_64 \  
-kernel bzImage \  
-initrd initramfs.img \  
-m 1G \  
-nographic \  
-append "earlyprintk=serial,ttyS0 console=ttyS0"  
  
  
debug:  
qemu-system-x86_64 \  
-kernel bzImage \  
-initrd initramfs.img \  
-m 1G \  
-nographic \  
-append "earlyprintk=serial,ttyS0 console=ttyS0 nokaslr" \  
-S \  
-gdb tcp::9000
此目录下新建.gdbinit文件 
1
2
3
4
target remote :9000  
break start_kernel  
continue  
step
root/.gdbinit文件增加add-auto-load-safe-path /home/dsd/Code/qemu_linux_x86_5.18_space/.gdbinit 运行指令,任选一条 
1
2
gdb vmlinux
gdb-multiarch vmlinux --tui

vscode调试

wsl权限问题,目录往外多一些 

1
chown 755 <usr> *
生成编译指令信息,此时linux源码根目录下增加文件compile_commands.json 
1
./scripts/clang-tools/gen_compile_commands.py
配置.vscode/lanuch.json 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "qemu-kernel-gdb",
            "type": "cppdbg",
            "request": "launch",
            "miDebuggerServerAddress": "127.0.0.1:9000",
            "program": "${workspaceRoot}/vmlinux",
            "args": [],
            "stopAtEntry": false,
            "cwd": "${fileDirname}",
            "environment": [],
            "externalConsole": false,
            "MIMode": "gdb",
            "setupCommands": [
                {
                    "description": "Enable pretty-printing for gdb",
                    "text": "-enable-pretty-printing",
                    "ignoreFailures": true
                }
            ]
        },
    ]
}
配置.vscode/c_cpp_properties.json 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
{
    "configurations": [
        {
            "name": "Linux",
            "includePath": [
                "${workspaceFolder}/**"
            ],
            "defines": [],
            "compilerPath": "/usr/bin/gcc",
            "cStandard": "c11",
            "cppStandard": "gnu++14",
            "intelliSenseMode": "linux-gcc-x64",
            "compileCommands": "${workspaceFolder}/compile_commands.json"
        }
    ],
    "version": 4
}
开始调试

附:调试qemu虚拟机模板

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
{
    // 使用 IntelliSense 了解相关属性。 
    // 悬停以查看现有属性的描述。
    // 欲了解更多信息,请访问: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "name",
            "type": "cppdbg",
            "request": "launch", 
            "program": "debug.elf",//vmlinux路径,debug的文件 <--修改这里
            "args": [],//启动参数,如果需要记录日志可以自己增加参数。因为gdbsever已经有了参数,这里可以不用设置
            "stopAtEntry": true,//会自动停在main,不需要则设置为false
            "cwd": "${workspaceRoot}",
            "environment": [],
            "externalConsole": false,
            "MIMode": "gdb", //运行模式
            "logging": {
                "moduleLoad": false,
                "engineLogging": false,
                "trace": false
            },
            "setupCommands": [ //命令
                {
                    "description": "Enable pretty-printing for gdb",
                    "text": "-enable-pretty-printing",
                    "ignoreFailures": true
                },
                {
                    "description": "set architecture aarch64",
                    "text": "set architecture aarch64",
                    "ignoreFailures": true
                }
            ],
            "miDebuggerPath":"gdb-multiarch",//工具链gdb,arm下要使用多分支
            "miDebuggerServerAddress":"localhost:1234"//远程端口

        }
    ]
}

发表于

编译内核

下载

kernel:https://mirrors.edge.kernel.org/pub/linux/kernel/

镜像:https://mirrors.ustc.edu.cn/kernel.org/linux/kernel/

编译

1
2
root@dushenda:/home/dsd/Code/linux-5.18.10# make menuconfig
root@dushenda:/home/dsd/Code/linux-5.18.10# make -j`nproc`

编译完成得到

制作initramfs

使用busybox

1
2
3
root@dushenda:/home/dsd/Code/busybox-1.36.1# make menuconfig
root@dushenda:/home/dsd/Code/busybox-1.36.1# make -j`nproc`
root@dushenda:/home/dsd/Code/busybox-1.36.1# make install

编译完成得到 制作initramfs.img,首先构造如下的目录结构 init文件内容如下: 

1
root@dushenda:/home/dsd/Code/initramfs_dir# find . -print0 | cpio -ov --null --format=newc | gzip -9 > ../initramfs.img
最后生成文件 qemu运行新内核 
1
2
3
4
5
6
root@dushenda:/home/dsd/Code/initramfs_dir# qemu-system-x86_64 \  
											-kernel bzImage \  
											-initrd initramfs.img \  
											-m 1G \  
											-nographic \  
											-append "earlyprintk=serial,ttyS0 console=ttyS0"
运行结果如下

注意

init需要设置为可执行权限

qemu退出快捷键ctrl+a按下后释放,再按x

发表于

安装

Ubuntu

BCC已经打包到Ubuntu的multiverse仓库,名字bpfcc-tools,使用如下命令安装 

1
sudo apt-get install build-essential bpfcc-tools linux-header-$(uname -r) bpftrace

使用

funccount

stackcount

发表于

背景介绍

编译edk2代码,配置开发环境,服务器使用华为云耀云服务器,OS信息如下

特点

  • apt-get源可以访问
  • github不能访问
  • gitee可以访问

远程仓库迁移

因为编译需要clone相关仓库到指定路径,并且为了今后的同步方便,所以把github仓库迁移到gitee后再配置相关环境。配置流程如下

  1. 建立组织,用来合并仓库环境

  2. 迁移主仓库

  3. 导入submodule,因为edk2后续编译还需要一些子模块,找到如下仓库的路径,按照2导入到组织

  4. 修改主仓库的submodule路径

下载

下载edk2代码仓 

1
git clone git@gitee.com:edk2_back/edk2.git
下载子模块到对应路径,可以看到地址都替换了gitee路径 
1
git submodule update --init

编译工具链安装

1
2
3
4
5
-> # apt-get install build-essential uuid-dev iasl git gcc nasm python3

-> # python3 --version
Python 3.10.12
-> # ln -s /usr/bin/python3.10 /usr/bin/python

编译

基本工具

看一下当前的目录结构,使用make -C BaseTools编译基本工具 

1
2
3
4
5
6
7
8
9
-> # ls
ArmPkg           CryptoPkg         FatPkg               Maintainers.txt  pip-requirements.txt  SignedCapsulePkg
ArmPlatformPkg   DynamicTablesPkg  FmpDevicePkg         MdeModulePkg     PrmPkg                SourceLevelDebugPkg
ArmVirtPkg       edksetup.bat      IntelFsp2Pkg         MdePkg           ReadMe.rst            StandaloneMmPkg
BaseTools        edksetup.sh       IntelFsp2WrapperPkg  NetworkPkg       RedfishPkg            UefiCpuPkg
Conf             EmbeddedPkg       License-History.txt  OvmfPkg          SecurityPkg           UefiPayloadPkg
CONTRIBUTING.md  EmulatorPkg       License.txt          PcAtChipsetPkg   ShellPkg              UnitTestFrameworkPkg

-> # make -C BaseTools
编译基本工具完成

编译目标文件

设置环境变量,path/to/edk/BaseTools需要换成当前的BaseTools所在路径。 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
-> # export EDK_TOOLS_PATH=`path/to/edk/BaseTools`
-> # ./edksetup.sh --help
Usage: edksetup.sh [Options]

The system environment variable, WORKSPACE, is always set to the current
working directory.

Options:
  --help, -h, -?        Print this help screen and exit.

  --reconfig            Overwrite the WORKSPACE/Conf/*.txt files with the
                        template files from the BaseTools/Conf directory.

Please note: This script must be 'sourced' so the environment can be changed.
. edksetup.sh
source edksetup.sh
-> # source edksetup.sh BaseTools
edk目录下使用build命令编译 
1
-> # build

发表于

Linux

通过文件系统

rotational为1代表可以旋转,为hdd,为0代表不能旋转,为ssd

查看位置在/sys/block/sd*/queue/rotational 

1
2
3
4
[root@dushenda home]# grep ^ /sys/block/sd*/queue/rotational  
/sys/block/sda/queue/rotational:1  
/sys/block/sdb/queue/rotational:1  
/sys/block/sdc/queue/rotational:1

lsblk

1
2
3
4
5
[root@dushenda home]# lsblk -o name,rota,VENDOR  
NAME ROTA VENDOR  
sda 1 Msft  
sdb 1 Msft  
sdc 1 Msft

lsblk可选行信息如下等,通过lsblk --help查看

smartctl

该工具需要自行安装Ubuntu和CentOS安装包名称均为smartmontools

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@dushenda home]# smartctl -a /dev/sdc  
smartctl 7.1 2019-12-30 r5022 [x86_64-linux-5.15.133.1-microsoft-standard-WSL2] (local build)  
Copyright (C) 2002-19, Bruce Allen, Christian Franke, www.smartmontools.org  
  
=== START OF INFORMATION SECTION ===  
Vendor: Msft  
Product: Virtual Disk  
Revision: 1.0  
Compliance: SPC-3  
User Capacity: 1,099,511,627,776 bytes [1.09 TB]  
Logical block size: 512 bytes  
Physical block size: 4096 bytes  
LU is thin provisioned, LBPRZ=0

Windows

powershell

1
2
3
4
5
6
(base) PS C:\Users\dushenda> Get-PhysicalDisk

Number FriendlyName                  SerialNumber    MediaType CanPool OperationalStatus HealthStatus Usage            Size
------ ------------                  ------------    --------- ------- ----------------- ------------ -----            ----
1      Samsung SSD 860 EVO M.2 500GB S414NB0K722943N SSD       False   OK                Healthy      Auto-Select 465.76 GB
0      WDC WD10SPCX-24HWST1          WD-WXB1AC41L2P1 HDD       False   OK                Healthy      Auto-Select 931.51 GB

GUI

在任务管理器下查看

发表于

协议流程

仿真

组网

路由设置

1
2
3
4
5
6
7
8
9
10
11
<Huawei>sys
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip adderss 1.1.1.200 24
[AR1]dhcp enable
[AR1]ip pool ip_pool1
[AR1-ip-pool-ip_pool1]network 1.1.1.0 24
[AR1-ip-pool-ip_pool1]gateway-list 1.1.1.200
[AR1-ip-pool-ip_pool1]lease day 3
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]dhcp select global

抓包

dhcp discover

dhcp offer

发表于

hexo配置

node.js配置

hexo主题配置

Obsidian配置

下载Obsidian Git插件,需要打开第三方插件按钮,下载插件。

在对应的.git目录下打开仓库,下图的打开本地仓库,生成本地目录。

配置Git设置地址等,这样就可以调用后台的git自动推送了

需要注意的是:git需要首先被安装,并且配置到环境变量

github配置

workflows配置

dependabot配置

发表于

malloc: http://blog.codinglabs.org/articles/a-malloc-tutorial.html

duartes.org: http://duartes.org/gustavo/blog/archives/

github mannul: http://www.epubit.com.cn/article/844#what

liaoxuefeng.com: http://www.liaoxuefeng.com/

TCP/IP network: http://blog.packagecloud.io/eng/2016/10/11/monitoring-tuning-linux-networking-stack-receiving-data-illustrated/

netfilter.org: https://people.netfilter.org/pablo/netdev0.1/papers/

tuning-linux-sending: https://blog.packagecloud.io/eng/2017/02/06/monitoring-tuning-linux-networking-stack-sending-data/

tuning-linux-receiving: https://blog.packagecloud.io/eng/2016/06/22/monitoring-tuning-linux-networking-stack-receiving-data/

strace: https://blog.packagecloud.io/eng/2016/02/29/how-does-strace-work/

IBM-Tim: https://www.ibm.com/developerworks/cn/views/linux/libraryview.jsp?search_by=Linux+%E5%89%96%E6%9E%90

yeolar: http://www.yeolar.com/

http://www.yeolar.com/note/2012/03/29/virtual-memory/

vxlan: https://blogs.vmware.com/vsphere/2013/07/vxlan-series-how-vmotion-impacts-the-forwarding-table-part-6.html

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/white-paper-c11-733618.html#_Toc439799767

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729383.html

ali-kernel: http://kernel.taobao.org/index.php?title=%E5%86%85%E6%A0%B8%E6%9C%88%E6%8A%A52017-02

linux-performance: http://www.brendangregg.com/linuxperf.html

systemTap: https://sourceware.org/systemtap/SystemTap_Beginners_Guide/

calico: http://docs.projectcalico.org/v2.0/introduction/

docker: http://www.infoq.com/cn/articles/docker-network-and-pipework-open-source-explanation-practice

Flannel: http://dockone.io/article/618

SDN: https://www.opennetworking.org/

Linux Kernel Networking: https://wiki.linuxfoundation.org/networking/start

MacVtap: https://blog.kghost.info/2013/03/27/linux-network-tun/

http://blog.csdn.net/dog250/article/details/45788279

Neutron: http://blog.csdn.net/quqi99/article/details/22853403

Linux Bridge: http://blog.csdn.net/yeasy/article/details/50728243

Docker Networking: http://edgedef.com/docker-networking.html

Tun/Tap interface: http://backreference.org/2010/03/26/tuntap-interface-tutorial/

TC ifb: http://blog.csdn.net/dog250/article/details/40680765?utm_source=tuicool&utm_medium=referral

汇编: