‘tail -f’ with highlight

This is an example of how you can use tail with colors.

# tail -f /var/log/maillog | perl -pe 's/colorthisword/\e[1;32;40m$&\e[0m/g'

The values in \e[1;32;40m and \e[0m explained

0 all attributes off
1 bold
32 foreground green
40 background black

“colorthisword” can be any perl regular expression:

(foo|bar) highlight the strings foo and bar
\b(foo|bar)\b highlight the words foo and bar
.*\b(foo|bar)\b.* highlight the whole line that contains the words foo or bar

Colors
This vector holds the colors used for SGR control sequence parameters 30 to 37 (foreground colors) and 40 to 47 (background colors).

Foreground  Background  Color
30          40          black
31          41          red
32          42          green
33          43          yellow
34          44          blue
35          45          magenta
36          46          cyan
37          47          white

Note
This only works on ANSI terminals

Script to customize a linux install

This is a simple bash script I whipped together to make some custom changes on our Linux installations. It can be used as a kickstart post-configuration file for RedHat RHEL4 and RHEL5 installations.

#!/bin/bash

# Enable daily updates of the locate database
perl -pi -e 's/DAILY_UPDATE=no/DAILY_UPDATE=yes/' /etc/updatedb.conf

# Customize login banners
echo "Authorized users only.  All activity may be monitored and reported" >> /etc/motd
echo "Authorized users only.  All activity may be monitored and reported" >> /etc/issue.net

# Disable SELinux (this should be changed back when any problems with it have been fixed)
#perl -pi -e 's/^SELINUX=.*$/SELINUX=Disabled/' /etc/selinux/config

# Configure tcp wrappers host access to allow only ssh access
cat <<EOF >> /etc/hosts.allow
ALL:localhost
sshd:ALL
EOF
cat <<EOF >> /etc/hosts.deny
ALL:ALL
EOF

Determine false positive from rkhunter

I’ve installed rkhunter, a rootkit checking script, on an Ubuntu 7.10 (Gutsy Gibbon) distro and today it mailed a message saying that 3 files had their properties changed. The files were /usr/bin/chattr, /usr/bin/lsattr and /usr/bin/perl.

Before doing anything I tried to update rkhunter with rkhunter --update to see if there had been any updates to fix this message, but the files were still giving an error warning. Since I haven’t used Debian/Ubuntu systems much I had to find a way to determine if these files had been tampered with. If this had been a RedHat system I would have run the command rpm -V packagename to verify if a package has been tampered with.

I found the package list at http://packages.ubuntu.com and entered the program paths I’ve shown above in the “Search the contents of packages” search box. The result after the search for /usr/bin/chattr, /usr/bin/lsattr and /usr/bin/perl:

  • /usr/bin/chattr was in the package base/e2fsprogs
  • /usr/bin/lsattr was in the package base/e2fsprogs
  • /usr/bin/perl was in the package base/perl-base

Downloaded the packages from the same website and verified the downloads using md5sum and then used the ar command to unpack/extract the files.

ar -x *.deb

This will give two tarballs, control.tar.gz and data.tar.gz. The first is the information dpkg needs to do a proper installation and configuration of the package, the second contains the binaries and data files.

I extracted the tarball named data.tar.gz and wrote a little script using md5sum on each of the files to determine that all files were valid with the correct size, sum etc.

The md5sum script

#!/bin/bash
# This script has to be run from the path where you extracted the Debian package
# Start with an empty result file
: > md5sums.txt
# Hash each installed file (absolute path) and its extracted copy (relative path)
for FILE in /usr/bin/chattr /usr/bin/lsattr /usr/bin/perl usr/bin/chattr usr/bin/lsattr usr/bin/perl
do
        md5sum "$FILE" >> md5sums.txt
done
echo If this number is larger than the amount of files compared, then something is fishy
# Count the distinct checksums
awk '{ print $1 }' md5sums.txt | sort | uniq | wc -l

Luckily my system files had the same md5sum as the files extracted from the downloaded package. This proves that my system was not compromised, at least not these files anyway.

The script can be downloaded here

The error message from rkhunter

Warning: The file properties have changed:
         File: /usr/bin/chattr
         Current hash: 4703e5adba10128a0abbc036cefae73f754db142
         Stored hash : 2502e2f117415f56cd64568b042a91dd3ef79b80
         Current inode: 1735115    Stored inode: 1733967
         Current size: 7228    Stored size: 7296
         Current file modification time: 1197053992
         Stored file modification time : 1189103575
Warning: The file properties have changed:
         File: /usr/bin/lsattr
         Current hash: c3eba9c1952ccf894f8f71b999b081fe5ad5f4de
         Stored hash : 4ba9ee6cb8455509347059f7917ef7ed4bab6891
         Current inode: 1735124    Stored inode: 1734372
         Current size: 6000    Stored size: 6068
         Current file modification time: 1197053992
         Stored file modification time : 1189103575
Warning: The file properties have changed:
         File: /usr/bin/perl
         Current hash: 9c4d220d96fbaf9aaedbe4e034a767e8d510d7f6
         Stored hash : 155faff21807a6ad3687806ba7737223cd56ac68
         Current inode: 1733338    Stored inode: 1733472
         Current size: 1078128    Stored size: 1078160
         Current file modification time: 1196759924
         Stored file modification time : 1191046830
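The comparison described in this post, as an added example that is not the author's script: it reports each file on its own line instead of counting distinct checksums, and uses cmp for a byte-for-byte comparison instead of md5sum. The function name verify_against_pkg and its PKGROOT and SYSROOT arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Compare installed files with the copies extracted from a downloaded .deb
# (ar -x, then unpack data.tar.gz) and report every file on its own line.
# Assumed names: verify_against_pkg, PKGROOT, SYSROOT (hypothetical).

# verify_against_pkg PKGROOT SYSROOT FILE...
#   PKGROOT  directory where data.tar.gz was extracted
#   SYSROOT  root of the system being checked (normally /)
#   FILE     path relative to both roots, e.g. usr/bin/perl
# Exit status is the number of files that are missing or differ.
# The body is a subshell "( ... )" so its variables stay local to the call.
verify_against_pkg() (
    pkgroot=$1
    sysroot=$2
    shift 2
    bad=0
    for f in "$@"; do
        if [ ! -f "$pkgroot/$f" ]; then
            # Wrong package or wrong path: nothing to compare against
            echo "NOT-IN-PACKAGE $f"
            bad=$((bad + 1))
        elif [ ! -f "$sysroot/$f" ]; then
            echo "MISSING $f"
            bad=$((bad + 1))
        elif cmp -s "$pkgroot/$f" "$sysroot/$f"; then
            # Byte-for-byte identical to the packaged file
            echo "OK $f"
        else
            echo "MISMATCH $f"
            bad=$((bad + 1))
        fi
    done
    exit "$bad"
)

# Run only when arguments are given, e.g.:
#   sh verify.sh ./extracted / usr/bin/chattr usr/bin/lsattr usr/bin/perl
if [ "$#" -ge 3 ]; then
    verify_against_pkg "$@"
fi
```

A MISMATCH only says the installed file differs from the package that was downloaded, so compare against the same package version that is installed before drawing conclusions.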

Set photo filedate and time according to EXIF info

Sometimes an image file's creation date is wrong and has to be corrected. This is a script I use to set a file's creation date to the photo's date retrieved from EXIF tags. The exiftool program should be available to run this script.

#!/usr/bin/env perl
use strict;
$|++;

use Image::ExifTool qw(ImageInfo);

use Time::Local;

for my $file (@ARGV) {
  my $ii = ImageInfo($file, qw(DateTimeOriginal DateTime))
    or warn("Skipping $file\n"), next;
  my ($created) =
    grep /\S/, @$ii{qw(DateTimeOriginal DateTime)};
  next unless $created;
  warn "using $created for $file\n";
  if ($created =~ s/([-+ ])(\d\d):(\d\d)$//) {
    my ($sign, $hour, $minute) = ($1, $2, $3);
    # warn "ignoring offset of $sign $hour:$minute\n";
  }
  my @digits = $created =~ /(\d+)/g or next;
  if ($digits[0] < 1900) {
    warn "bad year $digits[0] for $file";
    next;
  }
  $digits[0] -= 1900;
  $digits[1] -= 1;
  my $gmtime = timegm(reverse @digits);
  if ($gmtime > time or $gmtime < time - 86400*90) {
    warn "preposterous gmtime for $file: ", scalar gmtime $gmtime;
    # next;
  }
  utime($gmtime, $gmtime, $file) or warn "Cannot utime on $file: $!";
}

Save it as datebyexif.pl

Usage:

./datebyexif.pl *.JPG

Download the datebyexif.pl script

Source: http://www.macosxhints.com/comment.php?mode=view&cid=83366