HistoryPurge: Clearing 219 old commits

2024-10-24 23:09:21 +08:00
commit d08b7cac59
348 changed files with 376141 additions and 0 deletions
@@ -0,0 +1,8 @@
+#!/bin/bash
+aide --check -r file:/var/log/aide-check.log
+COUNT=$(egrep '(Added|Removed|Changed).*[0-9]' /var/log/aide-check.log | awk '{SUM+=$NF}; END {print SUM}')
+if [ $COUNT -gt 0 ]; then
+        # changes detected
+        cat /var/log/aide-check.log | mailx -s "AIDE alert" -r security@your-domain.com -- yourself@your-domain.com
+fi
+
@@ -0,0 +1,5 @@
+#!/bin/bash
+aide -u
+mv /var/lib/aide/{aide.db.gz,aide.db.previous.gz}
+mv /var/lib/aide/{aide.db.new.gz,aide.db.gz}
+aide -C
@@ -0,0 +1,34 @@
+#!/bin/bash
+# This script encrypts / decrypts input files with a hard-coded password
+export key=53D2714A752F498ED0D0AA52149BB2B624F1C35F4A7997F54ECC83DE60567F7D
+export iv=6B22E0637484D90F5EA38C6E4259171F
+
+if [[ $# -lt 2 ]]; then
+	echo "Usage: bash-enc.sh [-e|-d] input files"
+	exit 0
+fi
+
+if [[ $# -gt 20 ]]; then
+    echo "For safty reasons, encryption of up to 20 files is allowed"
+    exit 0
+fi
+
+OPER=$1
+shift
+
+while [[ $# -gt 0 ]];
+do
+	case "$OPER" in
+		"-e")
+			openssl enc -aes-256-ctr -e -in $1 -out /dev/shm/bash-enc.tmp -K $key -iv $iv -base64
+			cat /dev/shm/bash-enc.tmp > $1
+			;;
+		"-d")
+			openssl enc -aes-256-ctr -d -in $1 -out /dev/shm/bash-enc.tmp -K $key -iv $iv -base64
+			cat /dev/shm/bash-enc.tmp > $1
+			;;
+	esac
+	shift
+	rm -f /dev/shm/bash-enc.tmp
+done
+
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# usage: get-cert.sh remote-host [port]
+#
+
+export PATH=/usr/local/Cellar/libressl/2.3.6/bin:$PATH
+
+REMHOST=$1
+REMPORT=${2:-443}
+
+echo |\
+openssl s_client -connect ${REMHOST}:${REMPORT} -servername ${REMHOST} 2>&1 |\
+sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/temp.crt
+openssl x509 -noout -subject -dates -fingerprint -in /tmp/temp.crt
+openssl x509 -in /tmp/temp.crt  -issuer -noout | pcre2grep -o1 -o2 '(issuer=).*CN=(.*)'
+openssl x509 -in /tmp/temp.crt -text -noout | grep -A1 "Subject Alternative Name" | sed s/DNS://g | sed s/^\ *//g | tr ',' '\n'
+openssl x509 -in /tmp/temp.crt -noout -serial | gawk -F\= '{print "Serial number: ", $2, strtonum("0x"$2)}'
+openssl x509 -in /tmp/temp.crt -text | grep "Signature Algorithm:" | tail -1 | xargs
+
+
+#echo "" | gnutls-cli -p ${REMPORT} ${REMHOST} 2>/dev/null | grep subject | head -1 | sed -e $'s/, /\\\n/g'
+
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+MYDATE=$1
+MYTIEM=$2
+EPOCH=$(date -d "$1 $2" +%s)
+
+for z in Asia/Hong_Kong Asia/Tokyo US/Eastern US/Pacific US/Central UTC Europe/London Europe/Berlin Asia/Kolkata Australia/Sydney; do
+	echo -n "$z | "
+	TZ=$z date -d "@$EPOCH"
+done
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# script for populating iptables with incapsula IPs
+# to use this, send http and https traffic to the incapsula chain
+# then schedule a daily task which runs this script
+
+iptables -N incapsula
+iptables -F incapsula
+curl -k -s --data "resp_format=json" https://my.incapsula.com/api/integration/v1/ips  | jq -r '.ipRanges | @csv' | tr ',' '\n' | tr -d \" | while read i; do
+iptables -A incapsula -s $i -j ACCEPT
+done
+iptables -A incapsula -j DROP
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+CPU=$(cat /proc/cpuinfo | grep 'model name' | uniq | awk -F: '{print $2}' | sed 's/(R)//g')
+NUMCPU=$(cat /proc/cpuinfo  | grep 'physical id' | sort | uniq | wc -l)
+MEM=$(cat /proc/meminfo  | awk '/MemTotal/ {print $(NF-1)/1024/1024}')
+DISK=$(for d in /dev/sd? /dev/nvme?n? /dev/vd? /dev/hd?; do blockdev --getsize64 $d 2>/dev/null | awk '{print $1}'; done | awk '{SUM+=$1}; END {print SUM/1024/1024/1024}')
+SERIAL=$(dmidecode  -t system | awk -F: '/Serial/ {print $2}')
+
+echo "{"
+echo \"Hostname\": \"$(hostname -s)\",
+echo \"Cpu\": \"$CPU\",
+echo \"NumCpu\": \"$NUMCPU\",
+echo \"Mem\": \"$MEM\",
+echo \"Disk\": \"$DISK\",
+echo \"Serial\": \"$SERIAL\"
+echo "}"
+
+
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# echo 'create table access(timestamp int, cpu float, vhost varchar(128), method varchar(4), url varchar(128));' | sqlite3 apache-access.db
+
+read -r cpu vhost method url <<< $(apachectl fullstatus | egrep '(GET|POST|HEAD)' | sort -k5 -nr | head -1 | awk '{print $5,$13,$14,$15}')
+echo "insert into access values(DATETIME('now'), $cpu, \"$vhost\", \"$method\", \"$url\");" | sqlite3 apache-access.db
+
+sqlite3 -header -column apache-access.db "select * from access where cpu > 20 order by timestamp desc limit 10;"
+
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+LOGFILE=/var/log/$1.log
+MSG=`cat`
+echo "$(date): $MSG" >> $LOGFILE
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# script for use with xinetd to monitor readonly filesystem
+#
+# xinetd config
+# service fsro
+#{
+#	disable = no
+#	flags = REUSE
+#	socket_type = stream
+#	type = UNLISTED
+#	port = 3333
+#	wait = no
+#	user = nobody
+#	server = /usr/local/sbin/mount-ro-xinetd.sh
+#	log_on_failure += USERID
+#	only_from = 127.0.0.0/8
+#}
+#
+
+function check_ok() {
+	MSG="$1 healthy"
+	LEN=$((${#MSG} + 2))
+        echo -en "HTTP/1.1 200 OK\r\n"
+        echo -en "Content-Type: text/plain\r\n"
+        echo -en "Connection: close\r\n"
+        echo -en "Content-Length: $LEN\r\n"
+        echo -en "\r\n"
+        echo -en "$MSG\r\n"
+        sleep 0.1
+        exit 0
+}
+
+function check_fail() {
+	MSG="$1"
+	LEN=$((${#MSG} + 2))
+        echo -en "HTTP/1.1 503 Service Unavailable\r\n"
+        echo -en "Content-Type: text/plain\r\n"
+        echo -en "Connection: close\r\n"
+        echo -en "Content-Length: $LEN\r\n"
+        echo -en "\r\n"
+        echo -en "$MSG\r\n"
+        sleep 0.1
+        exit 1
+}
+
+CHECK_PATH=/tmp
+grep -q $CHECK_PATH /proc/mounts || check_fail "Mount missing: $CHECK_PATH"
+dd if=/dev/urandom of=$CHECK_PATH/.test01 bs=1M count=10 status=none || check_fail "Write failed: $CHECK_PATH"
+dd if=$CHECK_PATH/.test01 of=/dev/null bs=1M status=none || check_fail "Read failed: $CHECK_PATH"
+check_ok "$CHECK_PATH"
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+LOGFILE="/var/log/mysqldumps.log"
+function log {
+	echo "$(date) - $1" >> $LOGFILE
+}
+
+MYSQLBIN=/usr/bin
+MYSQLBACKUPPATH="/db-dumps"
+MYSQLUSER="root"
+MYSQLPASS="3/FFzU|-F+Xu"
+RETENTION=14
+FAILFLAG=0
+AESPASS=/usr/local/soap/bin/aes-passphrase
+
+# Specify connection method
+#MYSQLCONN=""
+MYSQLCONN="-S /u03/mysql/mysql.sock"
+
+log "========== Starting Database Dumps ==========" >> $LOGFILE
+
+# Script begins
+DATABASES=`$MYSQLBIN/mysql -u${MYSQLUSER} -p${MYSQLPASS} ${MYSQLCONN} -Nse "show databases;"`
+if [ $? -gt 0 ]; then
+    log "========== Error: Could not execute 'show databases' ==========" 
+    FAILFLAG=1
+fi
+
+# clean up stale archives
+find $MYSQLBACKUPPATH -name "MYB*" -type d -mtime +$RETENTION | xargs rm -Rf
+
+# create dated directory
+DATESTAMP=$(date +%Y%m%d)
+DSTDIR=${MYSQLBACKUPPATH}/MYB-${DATESTAMP}
+mkdir -vp $DSTDIR 
+
+# backup dataabse individually
+# possibly use background and wait to do this in parallel
+# but need to check each bg process's exit code!
+
+for DB in $DATABASES; do
+	case ${DB} in
+		information_schema|performance_schema)
+      			continue
+		;;
+	esac
+
+        log "Backup up ${DB}" 
+        $MYSQLBIN/mysqldump --opt --routines -u${MYSQLUSER} -p${MYSQLPASS} ${MYSQLCONN} ${DB} > ${DSTDIR}/${DB}.sql 2>> $LOGFILE 
+if [ $? -gt 0 ]; then
+            log "Backup of ${DB} failed"
+            FAILFLAG=1
+fi
+gzip -fc ${DSTDIR}/${DB}.sql | openssl enc -aes-256-cbc -salt -out ${DSTDIR}/${DB}.sql.gz.aes -pass file:/usr/local/soap/bin/aes-passphrase
+rm -f ${DSTDIR}/${DB}.sql
+done
+
+if [ $FAILFLAG -gt 0 ]; then
+    log "========== Errors Encountered During Data Dump ==========" 
+else
+    log "========== All Databases Dumped Successfully ==========" 
+fi
+
+exit 0
+
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# @description pg dump script
+# @version 0.1
+# @author kfong
+#
+# Requires:
+# * trusting postgres user from localhost
+# # pg_hba.conf
+# local	all		postgres				trust
+#
+DATE=`date +%Y%m%d`
+DUMPDIR=/dumps
+DUMPUSER=postgres
+DAYS2KEEP=14
+
+# dump all databases in separate files
+mkdir -p $DUMPDIR/PGD-$DATE
+for d in `psql -U$DUMPUSER -lt | cut -d\| -f1 | grep -v template`; do
+        pg_dump -U$DUMPUSER -Z9 $d -f $DUMPDIR/PGD-$DATE/$d.pg.gz
+done 
+ 
+# remove old dumps
+find $DUMODIR -type d -mtime +$DAYS2KEEP -name "PGD-*" -exec rm -Rf {} \;
+
@@ -0,0 +1,33 @@
+#!/bin/bash
+CAPTURE="/tmp/maintenance/$(date +%Y%m%d)"
+mkdir -p $CAPTURE
+
+# System config files
+cp -p /etc/fstab /etc/resolv.conf /var/log/messages /var/log/syslog /etc/os-release /var/log/yum.log /var/log/apt/history.log $CAPTURE/
+
+# Running stats
+( dmesg -T || dmesg ) > $CAPTURE/dmesg
+mount > $CAPTURE/mount
+lsblk > $CAPTURE/lsblk
+df -hP > $CAPTURE/df
+ps auxww > $CAPTURE/psauxww
+netstat -atunp > $CAPTURE/netstat
+pvs > $CAPTURE/pvs
+vgs > $CAPTURE/vgs
+lvs > $CAPTURE/lvs
+uname -a > $CAPTURE/uname
+free -m > $CAPTURE/free
+systemctl list-unit-files > $CAPTURE/systemcl-list
+
+# packages
+rpm -qa > $CAPTURE/rpm.list
+dpkg -l > $CAPTURE/dpkg.list
+snap list > $CAPTURE/snap.list
+
+# san storage
+multipath -ll > $CAPTURE/multipath
+powermt display dev=all > $CAPTURE/powermt
+
+
+# Wrappng up
+chmod 444 $CAPTURE/*
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Script to list all files recursively using recursive bash function
+
+function listFileInDir {
+	find $1 -maxdepth 1 -type f
+	DirCount=$(find $1 -maxdepth 1 -mindepth 1 -type d | wc -l)
+
+	# Recursive case
+	if [ $DirCount -ge 1 ]; then
+		find $1 -maxdepth 1 -mindepth 1 -type d | while read d; do
+			echo Recursing into $d
+			listFileInDir $d
+		done
+	fi
+}
+
+listFileInDir $1
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+function log() {
+        echo "$(date -u): /opt/rxt/nfs-rsync.sh - $@" >> /var/log/nfs-rsync-job.log
+}
+
+# Empty previous log
+truncate -s0 /var/log/nfs-rsync.log
+
+# First check that /content is mounted
+if grep -q /content /proc/mounts ; then
+        log target mount exist, continuing.
+else
+        log FAILED. target mount is missing.
+        exit 1
+fi
+
+# Check if rsync is already running
+if pgrep -f 'rsync.*/var/log/nfs-rsync.log'; then
+        log WARNING. another instance of /opt/rxt/nfs-rsync.sh is already running. skipping this run.
+        exit 1
+fi
+
+if rsync -axz --delete-delay --ignore-missing-args --stats --log-file=/var/log/nfs-rsync.log 192.168.102.62:/san/nfs-fs/ /content/; then
+        log OK. rsync completed successfully
+else
+        log FAILED. rsync did not complete with exit code $?. please refer to /var/log/nfs-rsync.log for additional details.
+fi
+
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+SARDIR=/var/log/sysstat
+if [ -d /var/log/sa ]; then
+	SARDIR=/var/log/sa
+fi
+# echo "CPUUsed MEMUsed SWAPUsed IOWait" 
+for f in $(ls $SARDIR/sa[0123]*); do
+# SARDate=$(stat $f | grep Modify | awk '{print $2}')
+CPUUsed=$(sar -f $f | tail -1 | awk '{print 100-$NF}')
+MEMUsed=$(sar -r -f $f | tail -1 | grep -Eo '[0-9]+\.[0-9]+' | head -1)
+SWAPUsed=$(sar -S -f $f | tail -1 | awk '{print $4}')
+IOWait=$(sar -f $f | tail -1 | awk '{print $6}')
+echo "$CPUUsed $MEMUsed $SWAPUsed $IOWait" >> /tmp/sar-report.txt
+done
+cat /tmp/sar-report.txt | awk '{for (i=1;i<=NF;i++){a[i]+=$i;}} END {for (i=1;i<=NF;i++){printf "%.2f", a[i]/NR; printf "\t"};printf "\n"}' | awk '{ if ($1 > 50) print "high cpu",$1}; {if ($3 > 20) print "high swap", $3}; {if ($4 > 10) print "high iowait", $4}'
+
+# rm -f /tmp/sar-report.txt
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# Get yum transaction
+yum --assumeno update > /root/yum-check.txt
+grep -q yumtx /root/yum-check.txt || exit 0
+cp $(tail -1 /root/yum-check.txt | awk '{print $NF}') /root/yum-transaction.yumtx
+
+# Use yum output to construct a notification
+echo "Updates available on $(date):" > /root/yum-notice.txt
+grep -E '(base|updates).*[kM]' /root/yum-check.txt | awk '{print $1"-"$3}' >> /root/yum-notice.txt
+echo -e "\n\nTo install these updates, run the following command:" >> /root/yum-notice.txt
+echo "yum -y load-transaction /root/yum-transaction.yumtx" >> /root/yum-notice.txt
+
+cat /root/yum-notice.txt | mailx -s "Update report from $(hostname)" -- you@acme.local
+